Lighttpd Backdoor: Wireless AP Security

G5 Cyber Security

1 week ago

TL;DR

This guide shows how to add a backdoor to a vulnerable lighttpd web server running on a wireless access point (AP). Warning: This is for educational purposes only. Using this information without permission is illegal and unethical. We’ll cover finding a vulnerability, creating a simple PHP backdoor, uploading it, and accessing it.

Steps

Identify the Vulnerability

First, determine the lighttpd version running on the AP. You can often find this in the web server’s banner page (e.g., by visiting http://[AP_IP]/) or through network scanning tools like Nmap:
```
nmap -p 80 [AP_IP]
```
.
Search for known vulnerabilities associated with that specific version of lighttpd using resources like Exploit-DB (https://www.exploit-db.com/) or CVE databases (https://cve.mitre.org/). Look for vulnerabilities that allow arbitrary file uploads, remote code execution, or similar exploits.
For this example, we’ll assume a vulnerability exists allowing unrestricted file uploads via a web form (a common scenario in older versions or misconfigured installations).

Create the Backdoor

A simple PHP backdoor can be created. Be extremely careful with this step, as backdoors are malicious code. This example is for demonstration only and should not be used in a production environment without thorough security review.
Create a file named backdoor.php with the following content:
```
<?php system($_GET['cmd']); ?>
```
. This backdoor executes any command passed through the ‘cmd’ parameter in the URL.

Upload the Backdoor

Exploit the identified vulnerability to upload backdoor.php to a writable directory on the AP. This often involves using a web form or exploiting a file upload function.
The exact method depends entirely on the specific vulnerability. If it’s a simple file upload, you might use a tool like Burp Suite to modify the HTTP request and bypass any filename restrictions.
Common writable directories include /tmp/, /var/www/html/uploads/ or similar locations depending on the lighttpd configuration. Determine the correct path through reconnaissance (e.g., trying common paths).

Access the Backdoor

Once uploaded, access the backdoor via a web browser using the following URL format: http://[AP_IP]/[backdoor_path]/backdoor.php?cmd=[command]. Replace [AP_IP] with the AP’s IP address and [backdoor_path] with the directory where you uploaded the file.
For example, to execute the command ‘ls -l’, use: http://192.168.1.100/uploads/backdoor.php?cmd=ls%20-l (note the URL encoding of the space).

Persistence (Optional, but recommended for demonstration)

To maintain access even after a reboot, you can add the backdoor to the AP’s startup scripts. This is highly dependent on the AP’s operating system and configuration.
For example, if the AP runs BusyBox Linux, you might modify /etc/init.d/httpd (or similar) to execute your command upon startup. This requires root access, which may be obtained through further exploitation of vulnerabilities.

Important Considerations

Security Risks: Backdoors are extremely dangerous and can compromise the entire network.
Detection: Backdoors can often be detected by intrusion detection systems (IDS) or antivirus software.
Ethical Hacking: Only perform these steps on systems you own or have explicit permission to test.