Weaseling in with Weevely

Weevely creates a PHP backdoor on webservers running PHP. It is pretty straightforward to use, and pretty easy to get onto a webserver. You get to it through Applications | PostExploitation | Weevely:

When you first launch Weevely from the menu, it opens a terminal window and gently chides you about using the script improperly:

This is actually a more helpful doc string than the weevely --help command gives:

We know now that we can generate an agent, which can be dropped on a webserver. We can run a terminal to the target, and we can load an existing session file.

Preparing to use Weevely

Weevely is a Python script, and there are a couple of improvements you will have to make to Python to use Weevely:

root@kali:~# apt-get install python-pip libyaml-dev
root@kali:~# pip install prettytable Mako pyaml dateutils –upgrade
root@kali:~# pip install pysocks --upgrade

If you get in a hurry and skip this step, you might get the following error message:

Creating an agent

To create an agent, all we have to do is decide on an innocuous name, and a password:

We save malware files in their own folder in the Kali /root/ directory, so we can find them again when needed. A better name for this directory might be as follows:

Testing Weevely locally

Weevely is cross-platform, and should work wherever you are serving PHP pages. Here's an example of running Weevely against a webserver on the Kali Linux host:

Testing Weevely on a Windows server

It is just as simple to test Weevely on a Windows server if the Windows server is running PHP – for instance, if it is a web server running WordPress or some other PHP-based script. The server we are using for this test is Windows Server 2012 with PHP running. If you were just inside the Windows server using Metasploit, it is possible to drop our metrics01.php file, made by Weevely, into the webroot folder:

Once you have the file in place, you can do a lot of things with it. We have chosen just a few actions, though there are fifty commands you might be able to do. First, you contact your agent by using the following code:

weevely http://192.168.56.103/metrics01.php evilHacker

The same kind of entry success output appears as when we tested it on the Kali webserver:

Getting help in Weevely

To find out what Weevely can do, we will run the help command to see what is available for you to run on the Windows server:

weevely> :help

The help file reads out as in the following table. Note that there is a colon ":" at the beginning of each of the commands:

Command	Description
`:audit_suidsgid`	Find files with SUID or SGID flags.
`:audit_phpconf`	Audit PHP configuration.
`:audit_etcpasswd`	Get `/etc/passwd` with different techniques.
`:audit_filesystem`	Audit system files for wrong permissions.
`:shell_php`	Execute PHP commands.
`:shell_sh`	Execute Shell commands.
`:shell_su`	Elevate privileges with su command.
`:system_extensions`	Collect PHP and webserver extension list.
`:system_info`	Collect system information.
`:backdoor_reversetcp`	Execute a reverse TCP shell.
`:backdoor_tcp`	Spawn a shell on a TCP port.
`:bruteforce_sql`	Brute-force SQL database.
`:file_cd`	Change current working directory.
`:file_grep`	Print lines matching a pattern in multiple files.
`:file_find`	Find files with given names and attributes.
`:file_rm`	Remove remote file.
`:file_cp`	Copy single file.
`:file_zip`	Compress or expand zip files.
`:file_enum`	Check existence and permissions of a list of paths.
`:file_check`	Get remote file information.
`:file_edit`	Edit remote file on a local editor.
`:file_upload2web`	Upload file automatically to a web folder and get corresponding URL.
`:file_gzip`	Compress or expand gzip files.
`:file_download`	Download file to remote filesystem.
`:file_touch`	Change file timestamp.
`:file_webdownload`	Download URL to the filesystem.
`:file_ls`	List directory content.
`:file_read`	Read remote file from the remote filesystem.
`:file_mount`	Mount remote filesystem using HTTPfs.
`:file_bzip2`	Compress or expand `bzip2` files.
`:file_tar`	Compress or expand tar archives.
`:file_upload`	Upload file to remote filesystem.
`:sql_console`	Execute SQL query or run console.
`:sql_dump`	Multi dbms mysqldump replacement.
`:net_scan`	TCP Port scan.
`:net_curl`	Perform a curl-like HTTP request.
`:net_proxy`	Proxify local HTTP traffic passing through the target.
`:net_ifconfig`	Get network interface addresses.
`:net_phpproxy`	Install PHP proxy on the target.

The next section of the help file shows you the commands you can use to simulate an unrestricted shell. For some inscrutable reason, the command and description are reversed in this section:

Description, or Internal Command	Weevely Command
`zip, unzip`	`file_zip`
`touch`	`file_touch`
`gzip, gunzip`	`file_gzip`
`curl`	`net_curl`
`nmap`	`net_scan`
`cd`	`file_cd`
whoami, hostname, pwd, uname	system_info
rm	file_rm
cat	file_read

file_edit default.aspx

This opens the file in vi by default in Kali Linux, so let's try and edit the file:

On some servers, this will result in another directive being added to the CMS, which could do anything at all that the webserver user has the right to do. Let's try and write a totally new file to the server:

As it happens, our victim server doesn't let us upload this file. Since we have gotten system-level access in another action, we could well have made sure we had that ability before beginning the Weevely work:

Just for fun, let's see if the webroot has the same careful permissions as the CMS directory. We will change to the upper directory, and see if we can add a line of code to the index file there:

We have a successful page breach, based on changing the permissions for the page previously using Metasploit. Weevely can be very useful for attacking sites that do not have proper permissions set: