ModSecurity Backdoor: PoC of malicious software running inside of ModSecurity WAF
This is a proof-of-concept of malicious software running inside the ModSecurity WAF.
The software has two main functions:
- Retrieving the content of files.
- Running commands and retrieving output (remote shell).
Additionally, it includes these functions:
- Configurable names for the control POST arguments, to make detection harder.
- Disabling of logging for the attacker's own requests (identified by the POST argument names), to make detection harder.
- Disabling of all other rules for the attacker's own requests (identified by the POST argument names).
Requirements:
- ModSecurity compiled with Lua support
- ModSecurity directives SecStreamOutBodyInspection and SecContentInjection set to On
Get the files backdoor.conf and backdoor.lua and load backdoor.conf into the web server.
Configuration is done in the first rule of backdoor.conf.
This setting is the name of the POST argument used for retrieving file content. Set it to something random, such as koomem6Shmog.
This setting is the name of the POST argument used for running commands. Set it to something random, such as tys4Olhuibves.
Commands can be run through any address (domain) served by the target server behind the ModSecurity WAF. The command output is appended to the server's normal response.
Retrieving file content:
curl -X POST -d "koomem6Shmog=/etc/passwd" "http://example.com/"
Running a command and getting its output:
curl -X POST -d "tys4Olhuibves=/bin/ps aux" "http://example.com/"
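As an added defensive example (not part of this PoC), the following Python script audits a ModSecurity v2 configuration for the capabilities this kind of backdoor depends on: Lua rule scripts, SecStreamOutBodyInspection and SecContentInjection set to On, and rules that switch off the audit log and the rule engine for selected requests. The ctl action names, the embedded sample configuration and the argument name SOMEARGNAME are assumptions constructed for the example, not taken from backdoor.conf.

```python
from typing import Dict, List

# Directives the PoC needs switched On so a Lua script can append output to responses.
REQUIRED_ON = ("SecStreamOutBodyInspection", "SecContentInjection")
# ctl actions that hide one request from the audit log and from all other rules (assumed
# to be how such a backdoor does it; standard ModSecurity v2 names, not from backdoor.conf).
HIDING_CTLS = ("ctl:auditengine=off", "ctl:ruleengine=off")

def _join_continuations(text: str) -> List[str]:
    """Merge backslash-continued lines so a multi-line SecRule is one string."""
    out, buf = [], ""
    for raw in text.splitlines():
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
        else:
            out.append(buf)
            buf = ""
    return out + ([buf] if buf else [])

def audit_modsec_config(text: str) -> Dict[str, List[str]]:
    """Return findings: risky directives set On, Lua rules, and self-hiding rules."""
    found: Dict[str, List[str]] = {"directives_on": [], "lua_rules": [], "hiding_rules": []}
    for line in _join_continuations(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 2)
        if parts[0] in REQUIRED_ON and len(parts) > 1 and parts[1].lower() == "on":
            found["directives_on"].append(parts[0])
        if parts[0] == "SecRuleScript" or ".lua" in stripped.lower():
            found["lua_rules"].append(stripped)
        if any(ctl in stripped.lower() for ctl in HIDING_CTLS):
            found["hiding_rules"].append(stripped)
    return found

def prerequisites_met(found: Dict[str, List[str]]) -> bool:
    """True when the config provides every capability this kind of backdoor needs."""
    return set(REQUIRED_ON) <= set(found["directives_on"]) and bool(found["lua_rules"])

SAMPLE_CONFIG = """\
# constructed sample for the audit, not the PoC's backdoor.conf
SecRuleEngine On
SecContentInjection On
SecStreamOutBodyInspection On
SecRule ARGS_POST_NAMES "@streq SOMEARGNAME" \\
    "id:900001,phase:2,pass,nolog,ctl:auditEngine=Off,ctl:ruleEngine=Off"
SecRuleScript /etc/modsecurity/some_script.lua "id:900002,phase:4,pass"
"""
```

Running audit_modsec_config(SAMPLE_CONFIG) reports both directives On, one Lua rule and one self-hiding rule, and prerequisites_met returns True; point it at a real modsecurity.conf and included rule files to review a deployment.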
Copyright (c) 2022 Jozef Sudolsky. All rights reserved.