It looks like a simple file upload, but acts as your complete remote administrat...

Post author: @githubprojects

Project Description

Weevely3: The Simple File Upload That's a Full Backdoor

You know that moment in a penetration test or security assessment where you get a file upload on a target server? It feels like a win, but then you're stuck with a basic shell or limited functionality. What if that humble upload could become your complete, stealthy control center?

That's exactly what Weevely3 is built for. It's a tool that disguises a powerful web shell as a harmless PHP file. Once uploaded, it gives you a remote administration backdoor with a suite of features that go far beyond a simple command prompt. It turns a minor foothold into a major advantage.

What It Does

Weevely3 is a weaponized web shell. At its core, it's a small, obfuscated PHP agent that you upload to a vulnerable server. Once in place, you connect to it from your local machine using the Weevely client. This creates a channel that looks like normal web traffic, allowing you to interact with the server as if you had a proper terminal, but routed through HTTP/HTTPS requests.

It's more than just a shell. It includes modules for common post-exploitation tasks: browsing the filesystem, tunneling your traffic through the target, performing SQL injections, scanning for common vulnerabilities on the internal network, and even escalating privileges. It's a full toolkit packaged into a single PHP file.

Why It's Cool

The cleverness is in its design and stealth. The generated PHP agent is intentionally tiny and obfuscated to evade simple signature-based detection. Communication is hidden within regular-looking POST requests, making it harder to spot in logs compared to noisier tools.

Its modular architecture is a standout feature. You're not just typing shell commands. You can load specific modules like :audit_suidsgid to find privilege escalation vectors, or :backdoor_reversetcp to plant a more persistent backdoor. It turns the shell into an extensible platform, letting you adapt to the environment you find yourself in.

For developers and security engineers, it's a powerful demonstration of how a seemingly low-risk vulnerability (a file upload with weak validation) can lead to total system compromise. It's also an invaluable tool for authorized security testing, allowing you to thoroughly demonstrate the impact of a found weakness.
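
A defender's counterpart to the stealth described above, added here as an example and not taken from Weevely3 or the original post: because the agent's traffic is ordinary-looking POSTs, the hunt below keys on where a script is answering them rather than on what the file contains. The upload directory names, script extensions, threshold and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: directories that should only ever serve static user uploads.
UPLOAD_DIRS = ("/uploads/", "/media/", "/files/")
# Script extensions that should never execute from those directories.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_suspect_scripts(lines, min_posts=3):
    """Map each script under an upload directory that answered at least
    min_posts POSTs with a 2xx status to its POST count and client IPs."""
    hits = defaultdict(lambda: {"posts": 0, "clients": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-CLF line
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        in_upload_dir = any(d in path.lower() for d in UPLOAD_DIRS)
        if not in_upload_dir or not SCRIPT_EXT.search(path):
            continue
        hits[path]["posts"] += 1
        hits[path]["clients"].add(m["ip"])
    return {p: h for p, h in hits.items() if h["posts"] >= min_posts}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2025:10:00:01 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:02:11 +0000] "POST /uploads/agent.php HTTP/1.1" 200 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:02:13 +0000] "POST /uploads/agent.php HTTP/1.1" 200 954 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:02:20 +0000] "POST /uploads/agent.php?x=1 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:03:00 +0000] "POST /uploads/old.php HTTP/1.1" 404 153 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for path, h in find_suspect_scripts(SAMPLE_LOG).items():
        print(path, h["posts"], sorted(h["clients"]))
```

The legitimate upload endpoint and the static image are ignored; only the script sitting inside the upload directory and answering repeated POSTs is reported for triage.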

How to Try It

First, you'll need to clone the repository and install its dependencies. It's a Python tool.

git clone https://github.com/epinna/weevely3.git
cd weevely3
pip install -r requirements.txt

To use it, you generate an agent PHP file with a password of your choice:

./weevely.py generate <your_password> agent.php

You then find a way to upload agent.php to your target server (this is for legal, authorized testing on systems you own or have explicit permission to test!). Once it's there, connect to it:

./weevely.py <target_url>/agent.php <your_password>

If successful, you'll be dropped into a Weevely terminal. Type help to see all available modules.

Final Thoughts

Weevely3 is a sobering and impressive tool. For developers, it's a masterclass in why input validation and file upload hardening are non-negotiable. A single overlooked endpoint can lead to this level of access.

For security folks, it's an incredibly efficient Swiss Army knife for post-exploitation during legitimate assessments. It consolidates what would otherwise be a bag of separate scripts into a cohesive, stealthy framework.

Whether you're testing your own applications or studying offensive security techniques, Weevely3 is a project worth understanding. It blurs the line between a simple shell and a full administration platform, all from a single file upload.

Project ID: a48ec96f-cd14-48b0-a334-0415ed96eeb9
Last updated: December 5, 2025 at 05:39 AM