Web App Hacking, Part 7: Injecting a Backdoor into a Website with weevely

Hacking

Welcome back my rookie Web App Hackers!

Often, you will have the opportunity to upload a file to website such a Word Doc, a PDF or a picture such as a .jpg or .png. You have probably uploaded pictures to Facebook or Twitter and maybe uploaded DOC or PDF documents to your company’s or school’s website. These uploads may be a key weakness in these sites, if you can upload malware that will be executed on the site and provide you a backdoor to the website and underlying server.

Weevely is designed to provide you a PHP web shell that can be uploaded to a website and excuted giving you a backdoor. Of course, it only works with web sites that employ PHP, but there are very large number of web sites employing PHP. Before attempted to use weevely, you want to do proper reconnaissance on the site to make certain it runs PHP or else you will be wasting your effort.

weevely is built into Kali, but if you are running another OS, you can get it at github.com using git clone like below.

kali > git clone https://github.com/eppina/weevely3

Step #1 Fire up Kali and Open weevely

The first step, of course, is to fire up Kali. Then open a terminal and type “weevely”;

kali > weevely

As you can see, weevely throws and error, but does give you some basic info on weevely. To get even more information, enter weevely with –help option

kali > weevely –help

As you can see from the help screen, weevely operates in three modes;

1. terminal

2. session

3. generate

Step #2 Generate a Backdoor

Next, we will generate a weevely backdoor. To do so, we will simply use the following syntax;

kali > weevely generate <backdoor’s password> <path and name of the backdoor file>

So, to generate a backdoor to use on a web site named hackers-arise-backdoor, with a super secure password of “password” and place it in the /root users directory, we could simply type;

kali > weevely generate password /root/hackers-arise-backdoor.php

Step #3 Fire Up our Metasploitable with the Damn Vulnerable Web Application (DVWA)

To test our backdoor, let’s try to use it on our intentionally vulnerable DVWA. DVWA is built into Metasploitable, but you can install it on nearly any OS.

Open a browser and navigate to DVWA. If you are using Metasploitable, navigate to the IP address of your Metasploitable system and select DVWA. When you do, a login screen like below will appear.

The credentials for DVWA are “admin” and “password”.

Next, click on the Upload tab on the left side of the screen

This will a open a familiar upload screen. Click on the Browse button and select your backdoor that your created in weevely above.

Next, Click on the Upload button.

When you do, it will display the path where the backdoor has been uploaded to. Obviously, in the real world the application will not tell you where the file has been uploaded to. You will need to understand the architectire of the application to know where it uploads files, but DVWA makes it easy for the beginner hacker.

Step #4 Surf to the Location of the Backdoor

Now that we have uploaded the backdoor, we need to execute it. We do that typing the command weevely, then the exact URL of the location of the backdoor followed by the password. In our case here, it would be;

kali > weevely http://192.168.1.109/dvwa/hackable/uploads/hackers-arise-backdoor.php password

This will execute and open our PHP shell and give us a weevely interactive shell like above.

Step #5 Using weevely

Now that we have our weevely backdoor on the web server, let’s take a look at what we can do. Unlike a generic shell, weevely has some built in commands that can assist our exploitation of the web server and the network it is on. Let’s start by entering help to see what weevely can do. Please note that weevely commands all begin with a colon (:).

weevely > :help

I have only displayed the first few commands above and the final system shell commands below.

Let’s begin by getting some information on the system we just compromised by typing :system_info

weevely > :system_info

As you can see, weevely pulls key information on the target with just one command making reconnaissance simpler and faster.

Next, let’s see if we can get the contents of /etc/pass

As you can see, we were able to display every user account on the system!

Next, let’s see if we can find those files that have either the SUID or SGID bit set. This is important as this can often lead to privilege escalation on a Linux system. In other words, we likely came into this system with the privileges of a average user which are limited, but we want to escalate our privileges to root. These files can often be a path to the privilege escalation.

As you can see above, we found numerous files with either the SUID or SGID bit set.

In addition to the commands I have demonstrated here, weevely has tens of other commands you can use on the target system. One that might be useful is :file_upload. This command would enable you to upload a file from your system to the target system. You could ten upload just about any malware to the target!

Summary

Web sites often enable their users to upload files to their system and this can be a major vulnerability as it might allow the attacker to upload a backdoor such as weevely. Once the backdoor is uploaded to the system, we can very quickly and easily take total control of the server!