Generate and manage hard-to-detect PHP backdoors

Download Weevely 0.5.1 as an archive or as a BackBox/Ubuntu package

Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation, and can be used as a hidden backdoor or as a telnet-like console replacement to manage web accounts, even those hosted on free hosting services. Just generate and upload the "server" PHP code to the target web server, then run the Weevely client locally to transmit shell commands.

  • Backdoor communications are hidden in Cookie requests
  • Communications are encoded using NIDS evasion techniques (every request is randomly obfuscated to bypass signature detection)
  • Backdoor PHP code is polymorphic to obfuscate common backdoor methods (NO base64_decode, rot13, gzinflate, strrev, ...)
  • The modular architecture has more than 20 modules for every kind of access-maintenance and post-exploitation task
  • Modules implement different techniques for each single task, to work around disable_functions, safe_mode and other PHP restrictions

Weevely is included in the BackBox, BackTrack and Blackbuntu penetration-testing Linux distributions. A brief article about the changes in version 0.5.1 is available on the dissecting blog.

Main modules

  • :shell.* System/PHP command execution
  • :file.upload Upload files to the target filesystem
  • :file.download Download files from the target filesystem
  • :sql.console Console to browse remote SQL database
  • :sql.dump Utility to dump remote SQL database to recreate locally
  • :audit.user_files Enumerate common restricted user files
  • :audit.users Enumerate /etc/passwd entries using different techniques
  • :find.* Find files by name, permissions, suid/sgid flag
  • :backdoor.reverse_tcp Reverse TCP shell
  • :enum.users Enumerate users or /etc/passwd content
  • :system.info Collect system information

The PHP backdoor does not require any additional libraries. Do not use this program on third-party servers.
