Weevely is a PHP command line web shell, usually used as a backdoor during the post-exploitation phase of a penetration test. By default in Kali Linux, the installed version 1.1 is no longer supported, but version 3 is available on GitHub.

Generate the backdoor:

weevely generate.<mode> <password> <path>

The password is optional, but it is important to protect your customer from other users: an unwanted access to the backdoor can easily lead to full control of the server through privilege escalation. There are three kinds of backdoor available, but this functionality seems to have been removed in version 3.

  • htaccess: a single .htaccess file is created containing the malicious code and the Apache directive that makes all .htaccess files be treated as regular PHP scripts
  • img: given an existing image, Weevely appends the malicious code to the binary data, and also creates an .htaccess telling Apache that the image should be treated as a regular PHP script (which means both files have to be uploaded to the target server)
  • php: the default, a single PHP script is generated

Recently reported by Claudio Viviani, there is an SQL injection in this plugin, which has been downloaded more than 100k times. Developed by Apptha (again), the current version 2.7 is still vulnerable and still downloadable from the official WordPress Plugin Directory.

The hole comes from the lack of a filter on the GET parameter vid in /wp-content/plugins/contus-video-gallery/videogalleryrss.php (the plugin must be enabled to perform the injection):

case 'video':
  $thumbImageorder = 'w.vid ASC';
  $vid             = filter_input(INPUT_GET,'vid');   // no filter given: the default (unsafe_raw) applies
  $where           = 'AND w.vid ='.$vid;             // raw GET value concatenated into the SQL clause
  $TypeOFvideos    = $contusOBJ->home_thumbdata( $thumbImageorder , $where , $dataLimit );

Since no filter is specified when calling filter_input, the default one is used, which is unsafe_raw. According to the PHP documentation, FILTER_UNSAFE_RAW deletes chars under 32 and over 127 and converts & to &amp;.
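Neither of those transformations touches quotes, spaces or SQL keywords, so the clause built above is still injectable. The following added example (not the plugin's code) contrasts the vulnerable concatenation with the defender's fix: validate vid as an integer and hand it to a parameterised query (the %d placeholder is the one used by WordPress's $wpdb->prepare()); the sample inputs are constructed.

```php
<?php
// Added example: why filter_input() with the default filter does not make
// $vid safe for SQL, and how to validate and bind it instead.

// Constructed inputs standing in for $_GET['vid'].
$samples = ['12', '12 OR 1=1', '12abc'];

// Same behaviour as the plugin's filter_input(INPUT_GET, 'vid') call:
// FILTER_UNSAFE_RAW without flags returns the value unchanged.
function buildWhereVulnerable(string $vid): string
{
    $filtered = filter_var($vid, FILTER_UNSAFE_RAW);
    return 'AND w.vid =' . $filtered;      // attacker-controlled text lands in the SQL
}

// Hardened version: accept only a positive integer and return a
// placeholder clause plus the value to bind, instead of a literal.
function buildWhereSafe(string $vid): ?array
{
    $id = filter_var($vid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                        // caller answers 400/404, nothing reaches the database
    }
    return ['sql' => 'AND w.vid = %d', 'params' => [$id]];
}

foreach ($samples as $s) {
    printf("input: %s\n", $s);
    printf("  vulnerable clause: %s\n", buildWhereVulnerable($s));
    $safe = buildWhereSafe($s);
    printf("  hardened clause:   %s\n",
        $safe === null ? 'rejected' : $safe['sql'] . ' bound to ' . json_encode($safe['params']));
}
```

Only the first sample survives the hardened path; the other two are rejected before any query is built, and the one that passes is bound as an integer rather than spliced into the statement.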


A very useful aspect of PHP is the ability to manage file uploads. Allowing users to send a file opens a whole can of worms, so be careful when enabling this functionality. If poorly protected, it can result in full control of the server. With DVWA you can learn effective defenses.


// $target_path is built from the upload directory and the client-supplied file name;
// the "low" level performs no check on the file's name, type or content before this call.
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
    $html .= '<pre>';
    $html .= 'Your image was not uploaded.';
    $html .= '</pre>';
} else {
    $html .= '<pre>';
    $html .= $target_path . ' successfully uploaded!';
    $html .= '</pre>';
}

The first level is the easiest because it has absolutely no protection against malicious file uploads. Choose a file - in my case a PHP shell - and submit the form:

DVWA file upload


The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

The OWASP Top 10 project lists the most critical and widespread security issues on the web. Most security audits and specialized tools are based on the Top 10. Its primary aim is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 also provides basic techniques to protect against these high-risk problem areas.

For each risk, OWASP provides generic information about likelihood and technical impact using the following simple rating scheme, which is based on the OWASP Risk Rating Methodology:

OWASP top10 risk


As an ethical hacker performing a pentest, you must follow some rules and a step-by-step process to be efficient. The different phases are briefly explained below.


The first step of a penetration test is to write an agreement, a kind of pre-engagement document covering the legal requirements and the rules of the test. It must be signed by both parties before the analysis starts. Some important information has to be defined with your client:

  • the scope: IP range, URL, server…
  • the method used: white/grey/black box
  • the start date and the end date
  • the forbidden techniques: denial of service, social engineering…

> Read the agreement example by TrueSec