Once a web server and its services have been compromised, it is important to ensure that secure access can be maintained. This is usually accomplished with the aid of a web shell—a small program that provides stealth backdoor access and allows the use of system commands to facilitate post-exploitation activities.
Kali comes with several web shells; here we will use a popular PHP web shell called Weevely.
Weevely simulates a Telnet session and allows the tester or attacker to take advantage of more than 30 modules for post-exploitation tasks, including the following:
- Browsing the target filesystem
- File transfer to and from the compromised system
- Performing audits for common server misconfigurations
- Brute-forcing SQL accounts through the target system
- Spawning reverse TCP shells
- Executing commands on remote systems that have been compromised, even if PHP security restrictions have been applied
Finally, Weevely hides its communications inside HTTP cookies to evade detection. To generate the Weevely agent, issue the following command from the terminal:
Command: weevely generate <password> <path>
This creates the agent file weevely.php at the given path, in this case the Desktop directory.
Using a file upload vulnerability or any other compromise, including ones that give access to the Meterpreter file upload functions, upload weevely.php onto the compromised website.
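From the defender's side, the upload step above leaves two things behind on the server: a PHP file that was never part of the deployment, and source code that combines decoding functions with code execution on request input. The following Python script is an added example, not code from the book or from Weevely; it scans a web root for both signs. The sample files, the allowlist of deployed hashes and the indicator weights are constructed for illustration, and the third sample file deliberately contains only indicators, not working code.

```python
"""Triage PHP files in a web root for web shell indicators (added example).

Two checks a defender can run after an upload of this kind:
  1. integrity: a .php file whose SHA-256 is not in the deployment allowlist is new or modified
  2. content: obfuscation plus code/command execution on attacker-controlled input, a
     combination that legitimate application code rarely contains
Sample files, the allowlist and the weights are constructed assumptions for this example.
"""
import hashlib
import re

# (regex, weight, label).  The PHP function names are real; the weights are an assumption.
INDICATORS = [
    (r"\beval\s*\(", 4, "eval()"),
    (r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", 3, "command execution"),
    (r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2, "decode/deobfuscate"),
    (r"\$_(?:COOKIE|POST|GET|REQUEST)\b", 1, "attacker-controlled input"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]", 4, "preg_replace() with /e"),
    (r"\bcreate_function\s*\(", 3, "create_function()"),
    (r"\$[A-Za-z_]\w*\s*\(", 2, "variable function call"),
]
# Assumed threshold: decode + input + eval crosses it, a plain form handler does not.
SUSPICIOUS_SCORE = 6


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def score_content(content: str) -> tuple:
    """Return (score, [labels]) for the indicators present in one PHP source file."""
    score, labels = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, content):
            score += weight
            labels.append(label)
    return score, labels


def scan_file(path: str, content: bytes, allowlist: set) -> dict:
    """Integrity and content verdicts for one file."""
    score, labels = score_content(content.decode("utf-8", errors="replace"))
    return {
        "path": path,
        "in_allowlist": sha256_hex(content) in allowlist,
        "score": score,
        "indicators": labels,
        "suspicious_content": score >= SUSPICIOUS_SCORE,
    }


def scan_tree(files: dict, allowlist: set) -> list:
    """Scan {path: bytes}; returns one verdict per .php file, worst score first."""
    verdicts = [scan_file(p, c, allowlist) for p, c in files.items() if p.lower().endswith(".php")]
    return sorted(verdicts, key=lambda v: (-v["score"], v["in_allowlist"], v["path"]))


# Constructed web root: a deployed page, a page edited after deployment, and an uploaded
# file carrying shell indicators.  The third sample is deliberately not functional
# (the dispatch is elided) so that only the indicators remain.
SAMPLE_FILES = {
    "/var/www/html/index.php": b'<?php require "config.php"; $q = htmlspecialchars($_GET["q"] ?? ""); echo "Results for $q"; ?>',
    "/var/www/html/contact.php": b'<?php $msg = trim($_POST["message"] ?? ""); mail(ADMIN, "Contact", $msg); ?>',
    "/var/www/html/uploads/avatar.php": b'<?php $a = base64_decode($_COOKIE["k"]); /* decoding chain elided */ eval($b); ?>',
    "/var/www/html/style.css": b"body { margin: 0 }",
}
# Allowlist as recorded at deployment time: only index.php is unchanged.
ALLOWLIST = {sha256_hex(SAMPLE_FILES["/var/www/html/index.php"])}

if __name__ == "__main__":
    for v in scan_tree(SAMPLE_FILES, ALLOWLIST):
        flags = []
        if not v["in_allowlist"]:
            flags.append("NOT IN ALLOWLIST")
        if v["suspicious_content"]:
            flags.append("SUSPICIOUS CONTENT")
        print(f'{v["path"]:40} score={v["score"]:<2} {", ".join(flags) or "ok"}  {v["indicators"]}')
```

Run it as-is to see the three verdicts; in a real deployment, replace SAMPLE_FILES with a walk of the document root and ALLOWLIST with the hashes recorded by your build pipeline. The integrity check is the stronger of the two: a file that is not in the allowlist needs review whatever its score, while the content score only helps rank which unexpected file to look at first.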
To communicate with the web shell, issue the following command from the terminal, ensuring that the target IP address, directory, and password variables are changed to reflect those of the compromised system:
Command: weevely http://<target IP address>/<path> <password>
In the example shown in the screenshot, we verified that we are connected to the web shell by running the uname -a command (which identifies the system we are connected to) and the pwd command to display the present working directory (which again confirms that the connection originates from weevely.php).
The cat /etc/passwd command was used to view the password file.
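Because Weevely carries its command channel inside HTTP cookies, the traffic side is where a defender can catch a session like the one above: requests to a PHP file that is not part of the deployed application, carrying cookie values far longer and more random than any session identifier. The Python script below is an added example, not code from the book or from Weevely, that applies those two checks to constructed requests; the thresholds, the deployment manifest and the sample traffic (including the opaque cookie blob, which is just base64 of a fixed hash) are assumptions.

```python
"""Flag Weevely-style web shell traffic in HTTP requests (added example).

The text notes that Weevely tunnels its commands inside HTTP cookies.  A WAF rule or log
analyser can look for the side effects: requests to a PHP path that is not part of the
deployed application, carrying cookie values that are far longer and far more random than
normal session identifiers.  Requests, manifest and thresholds are constructed assumptions.
"""
import base64
import hashlib
import math
from collections import Counter

MAX_NORMAL_COOKIE_LEN = 40   # assumed: typical session ids are shorter than this
HIGH_ENTROPY_BITS = 4.0      # assumed: bits per character; base64 blobs sit well above this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; tolerates a missing '='."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def analyse_request(req: dict, manifest: set) -> list:
    """Return the reasons a request looks like web shell traffic (empty list if none)."""
    reasons = []
    path = req["path"].split("?", 1)[0]
    if path.lower().endswith(".php") and path not in manifest:
        reasons.append(f"request to PHP file not in deployment manifest: {path}")
    for name, value in parse_cookie_header(req["headers"].get("Cookie", "")).items():
        entropy = shannon_entropy(value)
        if len(value) > MAX_NORMAL_COOKIE_LEN and entropy > HIGH_ENTROPY_BITS:
            reasons.append(f"cookie {name!r}: {len(value)} chars, "
                           f"{entropy:.2f} bits/char (looks like an encoded blob)")
    return reasons


# Constructed sample traffic.  OPAQUE_BLOB is base64 of a fixed hash, standing in for an
# opaque encoded command channel; it is not a real Weevely payload.
DEPLOYED_PHP = {"/index.php", "/login.php", "/api/search.php"}
OPAQUE_BLOB = base64.b64encode(hashlib.sha256(b"constructed-sample").digest() * 2).decode()
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php?page=2",
     "headers": {"Cookie": "PHPSESSID=k9s2m1x4q7z0; _ga=GA1.2.1234567890.1234567890"}},
    {"method": "GET", "path": "/uploads/weevely.php",
     "headers": {"Cookie": f"PHPSESSID=k9s2m1x4q7z0; cid={OPAQUE_BLOB}"}},
]


def triage(requests=SAMPLE_REQUESTS, manifest=DEPLOYED_PHP) -> dict:
    """Map each flagged request path to its reasons; clean requests are omitted."""
    return {r["path"]: reasons for r in requests if (reasons := analyse_request(r, manifest))}


if __name__ == "__main__":
    for path, reasons in triage().items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Only the request to /uploads/weevely.php is reported, with two reasons: an unexpected PHP path and an oversized high-entropy cookie. The path check requires a manifest of deployed PHP files, which the same build pipeline that produces file hashes can emit; the entropy check needs the Cookie header, so the web server's log format must include it (the default combined format does not), or the rule must run in a WAF or reverse proxy that sees the full request.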