by hash3liZer, 02 August 2018
Getting backdoor access means having another way in, usually a hidden one through which you can come and go without anyone else noticing. Backdoors are normally installed through some sort of upload functionality where the uploaded data does not get validated. This allows an attacker to simply put a malicious file in the field and submit the form. Most PHP-based websites are vulnerable to these kinds of attacks.
There are various kinds of backdoor shells you can find on the internet. For now, we are going to look at the weevely shell, the simplest type of shell, which you control from the command line. It also consists of only a few lines, which makes it a lot lighter than most traditional backdoor shells and therefore more likely to pass a file size filter.
Let's put it all together. We are going to upload a backdoor shell generated by weevely to gain backdoor access to a target site. To comply with the rules, I've set up a DVWA application on a server for demonstration. Finding vulnerable PHP applications is not much of a difficult task; you just have to put the right query in and the results will be in front of you.
First, we need the shell. The syntax of weevely is pretty simple. Weevely encodes the payload with a key phrase, so no one else can use it to access the target system. It is a PHP shell, so it requires PHP to be installed on the target system.
Remember, you can not always execute a Python shell on a PHP application or a PHP shell on a Python application, because the environment would be different for both of the applications.
Generate a shell with the commands:
$ weevely generate [password] [path]
The next thing you have to do is upload the shell, which is not always a straightforward process. You have to find a way in through the application. I have the DVWA application hosted on a server, and we are going to try some of the tweaks needed to upload the shell.
The simplest case is where there is no validation at all. Upload the file and you are good to go:
And then intercept and manipulate the request using a proxy:
Remember that while uploading a shell, you have to take care of two things:
In our case the full path to our PHP payload is http://target.com/dvwa/hackable/uploads/shell.php
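The upload handler below is an added example, not code from the original post, from DVWA or from weevely. It shows the unvalidated pattern the post relies on (move the file under the client-supplied name into a web-served directory) next to a hardened handler that makes every decision on server-side evidence. The field name `upload`, the directory `/var/www/private_uploads`, the 2 MiB cap and the image-only allow-list are assumptions chosen for the example.

```php
<?php
// Added example (not from the original post, DVWA or weevely): a hardened
// handler for the kind of upload form discussed above.
// Assumptions: the form field is named "upload", uploads are meant to be
// images, and UPLOAD_DIR is a directory the web server does not serve.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // assumption: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;            // assumption: 2 MiB cap
const ALLOWED    = [                           // extension => MIME type the bytes must have
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// The unsafe pattern: trust the client-supplied name and drop the file into a
// web-served directory. Any ".php" upload is then reachable and executed by URL.
function handle_upload_unsafe(array $file): string
{
    $target = '/var/www/html/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $target);
    return $target;
}

// Hardened version: filename and Content-Type sent by the browser are never
// trusted; the stored name and location are chosen by the server.
function handle_upload_safe(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allow-list; the client name is used only for this lookup.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. MIME type sniffed from the file bytes must match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // 3. For images, require a parseable image header as a second check.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Random server-chosen name: the uploader never controls the stored path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable

    return $dest;
}

// Usage from the form's POST handler:
// try {
//     $path = handle_upload_safe($_FILES['upload']);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Upload rejected';
// }
```

Content checks alone are not a guarantee, since an otherwise valid image can carry arbitrary bytes in its metadata, so the decisive control is that nothing in the upload location is ever interpreted as PHP: keep the directory outside the document root (or disable script execution there in the web server configuration) and hand files back through a download script rather than by a direct URL like the `hackable/uploads/shell.php` path above.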
The last phase is to establish a connection with the payload and interact with the target. To open a session between the server and the client, execute the command:
$ weevely http://target/dvwa/hackable/uploads/shell.php [password]
If everything goes right and the shell was successfully executed on the server, you will be able to get a prompt on your terminal:
We used weevely to generate and execute a shell on a vulnerable target application and used it to gain backdoor access to the target system. Weevely shells are well suited to stealthy execution and have a small payload size. Note that it is good practice to use the payload appropriate to the target, such as ASP shells for ASP.NET applications.