The Perfect Web Backdoor

I’m sure most pentesters have had cause to use the likes of cmdasp.asp, or cobble together a simple PHP script based around “passthru” or “system”.  There’s loads more functionality that would be useful in such backdoors, though.  They could be made less dangerous by building in authentication, and more functional by building in database client functionality, file browsers and reverse shells.

There are a couple of projects out there working on backdoor collections.  But I don’t think the quest for the perfect backdoor is over yet…

David Kierznowski collected together a bunch of web backdoors a while back:

These tools allow pentesters who have found a way of uploading files to web servers to more easily execute commands, explore the file system, download files, map the internal network, etc.  The idea of the web backoor compilation is that no matter what scripting languages are supported by the web server (php, perl, asp, aspx, jsp etc.), you’ve got something in your tool bag that’ll help you exploit the host more easily.

The compilation is very much a work in progress.  Some great feature have been suggested but not all have been implemented for each language.

Suggestions include:

  • Database clients, so you script can connect databases on the internal network.
  • Authentication, so no one else can use your backdoor.
  • Self desctruct, so if someone runs your backdoor after a certain date, the backdoor is deleted.
  • Reverse shell, so you can throw back a proper interactive shell which will allow the user of interactive commands such as telnet, ssh and su.
  • File management, so you can explore the file system and upload / download files.
  • Ensuring the backdoor isn’t detected by current AV products

This is a lofty goal and I hope the project is a success.  Being from a network-based pentesting background, I was most inspired by the idea of getting a reverse shell.  I’ve written working prototypes for PERL and PHP:

Tags: ,

Posted in Blog