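# frozen_string_literal: true

##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
##

## setting passive might produce a lot of false positives

# Signature plugin that reports pages resembling known web backdoor scripts
# (JSP, servlet, ColdFusion, Perl and CGI variants).
#
# Each @matches entry is a hash:
#   string:      label reported when the entry matches (the script's file name)
#   text:        literal substring expected in the response
#   regexp:      pattern expected in the response
#   tag_pattern: comma-separated sequence of HTML tags expected in the page
#   url:         path the entry is tied to; entries carrying it are the ones
#                this file labels "aggressive" (presumably WhatWeb requests
#                that path itself; confirm against the plugin documentation)
#
# NOTE(review): several patterns below are empty, or consist only of
# line-break groups and closing tags. The opening HTML they presumably
# anchored on is not present in this copy, so those entries match far more
# than the intended page. Compare them with the upstream plugin before
# relying on the results.
#
# NOTE(review): the tag_pattern entries describe very plain form pages. A hit
# says the page has that shape, not that it is a backdoor; treat it as a lead
# to verify.
WhatWeb::Plugin.define "webbackdoor" do
  @author = "Aung Khant, http://yehg.net"
  @version = "0.1"
  @description = "Detect common web doors (asp,jsp,php,jsp,pl,cgi) using fuzz-db list and others"

  @matches = [
    # generic
    # NOTE(review): both text values are empty, and an empty substring is
    # contained in every response; the original literal needs restoring.
    { string: 'michaeldaw.org backdoor collection', text: "" },
    { string: 'backdoor kit collection', text: "" },

    # jsp
    # passive
    # Line breaks that sat inside a regexp literal are written as \n below.
    { string: 'jsp-reverse.jsp', regexp: /\n\nJSP Backdoor Reverse Shell<\/h1>/ },

    # aggressive
    # The pattern used to start with an empty alternative ("|..."), which
    # matches any response; only the literal that is actually present is kept.
    { string: 'browser.jsp', url: 'browser.jsp', regexp: /jsp File Browser version/ },
    { string: 'cmd.jsp', url: 'cmd.jsp', tag_pattern: "html,body,form,input,input,/form,pre,/pre,/body,/html" },
    # NOTE(review): only line breaks remain; matches any run of blank lines.
    { string: 'cmd.jsp', url: 'cmd.jsp', regexp: /\n(\r\n|\n)(\r\n|\n)/ },
    { string: 'cmdjsp.jsp', url: 'cmdjsp.jsp', regexp: /(\r\n|\n)(\r\n|\n)(\r\n|\n)<\/FORM>/ },
    { string: 'jsp-reverse.jsp', url: 'jsp-reverse.jsp', regexp: /\n\nJSP Backdoor Reverse Shell<\/h1>/ },
    { string: 'jsp-reverse.jsp', url: 'jsp-reverse.jsp', regexp: /(\r\n|\n)IP Address(\r\n|\n)(\r\n|\n)Port(\r\n|\n)(\r\n|\n)(\r\n|\n)/ },
    { string: 'list.jsp', url: 'list.jsp', regexp: /(\r\n|\n)\t(\r\n|\n)\t(\r\n|\n)\t(\r\n|\n)\t<\/FORM>/ },
    { string: 'up.jsp', url: 'up.jsp', regexp: /(\r\n|\n)(\r\n|\n)(\r\n|\n)(\r\n|\n)<\/form>/ },
    { string: 'cmd_win32.jsp', url: 'cmd_win32.jsp', regexp: /(\r\n|\n)(\r\n|\n)(\r\n|\n)(\r\n|\n)<\/FORM>(\r\n|\n)\n/ },
    { string: 'up_win32.jsp', url: 'up_win32.jsp', regexp: /(\r\n|\n)(\r\n|\n)(\r\n|\n)(\r\n|\n)<\/form>(\r\n|\n)<\/html>/ },
    { string: 'CmdServlet', url: 'CmdServlet', tag_pattern: 'html,body,hr,p,form,input,input,/form,hr,/pre,/body,/html' },
    { string: 'ListServlet', url: 'ListServlet', regexp: /\n\nDirectory Listing<\/TITLE>\n<\/HEAD>\n<BODY>\n<FONT Face=\"Courier New, Helvetica\" Color=\"Black\">\n/ },
    { string: 'UpServlet', url: 'UpServlet', tag_pattern: 'html,body,br,form,input,input,/form,/body,/html' },
    { string: 'UpServlet', url: 'UpServlet', regexp: /<html><body><br><form method="POST" action="" enctype="multipart\/form-data">UPLOAD <input type="file" name="file" size="60"><input type="submit" value="Upload">/ },

    # cfm
    # passive
    # aggressive
    { string: 'cfexec.cfm', url: 'cfexec.cfm', regexp: /Notes:<br><br>(\r\n|\n)<ul>(\r\n|\n)<li>Prefix DOS commands with/ },
    { string: 'cmd.cfm', url: 'cmd.cfm', regexp: /<table>(\r\n|\n)<form method="POST" action="">(\r\n|\n) <tr>(\r\n|\n)  <td>Command:<\/td>(\r\n|\n)  <td> < input type=text name="cmd"/ },

    # cgi

    # passive
    # These three have no url: key, so they are checked against whatever page
    # was fetched; the same literals are repeated further down with a url:.
    { string: 'perlcmd.cgi', text: '<!-- Simple CGI backdoor by DK (http://michaeldaw.org) -->' },
    { string: 'perlcmd.cgi', text: '# <!--    http://michaeldaw.org   2006    -->' },
    { string: 'up.pl', text: '<a href="http://www.muquit.com/muquit/">Muhammad A Muquit' },

    # aggressive

    # cgi, pl
    { string: 'cmd.pl', url: 'cmd.pl', tag_pattern: 'html,body,form,input,input,/form,pre,/pre' },
    { string: 'cmd.pl', url: 'cmd.pl', regexp: /<input type="submit" value="Run">(\r\n|\n)<\/form>(\r\n|\n)<pre>/ },
    { string: 'list.pl', url: 'list.pl', regexp: /<input type="submit" value="List">(\r\n|\n)<\/form>(\r\n|\n)Directory/ },
    { string: 'perlcmd.cgi', url: 'perlcmd.cgi', text: '<!-- Simple CGI backdoor by DK (http://michaeldaw.org) -->' },
    { string: 'perlcmd.cgi', url: 'perlcmd.cgi', text: '# <!--    http://michaeldaw.org   2006    -->' },
    { string: 'up.pl', url: 'up.pl', text: '<a href="http://www.muquit.com/muquit/">Muhammad A Muquit' },
    { string: 'cmd.cgi', url: 'cmd.cgi', regexp: /<input type="text" name="cmd">(\r\n|\n)<input type="submit" value="Send">/ },
    { string: 'cmdexe.cgi', url: 'cmdexe.cgi', regexp: /<input type="text" name="cmd">(\r\n|\n)<input type="submit" value="Send">/ },

  ]
end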