id: antsword-backdoor
info:
name: AntSword Backdoor Detection
author: ffffffff0x
severity: critical
description: An AntSword application backdoor shell was discovered.
reference:
- https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-553
remediation: Reinstall AnstSword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms.
tags: backdoor,antsword
metadata:
max-request: 1
http:
- method: POST
path:
- "{{BaseURL}}/.antproxy.php"
headers:
Content-Type: application/x-www-form-urlencoded
body: 'ant=echo md5("antproxy.php");'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "951d11e51392117311602d0c25435d7f"
- type: status
status:
- 200