Back door the back door from webshell to the broiler-vulnerability warning-the black bar safety net

ID MYHACK58:62200922155
Type myhack58
Reporter 佚名
Modified 2009-02-13T00:00:00


The author has been stressing one thing, in the network attack and Defense the most important thing is thinking. This article was inspired by Ann day 3 6 5 team of a manuscript in the manuscript mentioned in a AspxSpy Asp. net type of Backdoor software in the security community in recent the ever popular back door the back door, i.e., given by a contains a backdoor Webshell program, numerous small black are on the outside stopped, and panted heavily of the work, and given the back door of boss, but later stole and count the Webshell, this back door the back door in General there are two types, one is to directly hang horse, bring a direct benefit;another is the small black overcome under the Webshell address, username, and password all to the back, in other words, the little black control of the server, i.e. my server. This article which is the subject of this inspired study, through the study found, using this method you can also get a lot of backdoors, and some can also directly control the server.

(A)early identification AspxSpy

1. AspxSpy introduction

AspxSpy is a users Bin to write a back door tool software, The can to http://bbs. ctocio. com. cn/thread-7 8 3 9 5 6 5-1-1. html download the source code for the software tools I generally prefer to the original author where to go to download, so to the relative safety of some, to avoid through the 二道贩子 hand, the increased insecurity. Its main features and functions are as follows:

(1)Development Environment VS2005 + C#, compatible with FrameWork1. 1/2. 0, the basic realization of the code separation;

(2)password 3 2-bit MD5 encryption(lower case) the default is admin;

(3)The use of the POST method to submit data, and enhance the concealment;

(4)add the IIS detection function, to traverse the IIS site information;

(5)enhanced for file attribute modification;

(6)in SQLTools increases, the SA permission to execute a system command function, SQL_DIR function, you can directly backup the log/database to the specified directory a file named bin. asp Shell to

(7)increased Serv-u provide the right functionality;

(8)can Port to achieve single-thread scanning;

(9)can be the registry simple to read.

2. Download the source code

From the author website, the source code file aspxspy. rar download to a local after the first use of antivirus software, avast! Killing a bit of the compression Pack, everything is normal, it seems that the code is also not widely spread, at least antivirus software and also not blacklisted. (II)analysis of the source code

1. View the source code

The source code file aspxspy. rar is a file aspxspy. aspx, very Introduction, The direct use UltraEdit to open the source code file, as shown in Figure 1, The code is using asp. net is written in the 1st 2 rows is the backdoor password is a 3 2-bit md5 encrypted value“21232f297a57a5a743894a0e4a801fc3”in.


Figure 1 view aspxspy. aspx program source code


Generally by UltraEdit and other text editor to view the Webshell and other program source code.

2. Decryption aspxspy in the password

The password md5 value“21232f297a57a5a743894a0e4a801fc3”into the www. cmd5. com query, the result is“admin”, as shown in Figure 2, If the small black are not modify the value, then by default password“admin”through our search engine you can get some without modification of the Webshell is.


Figure 2 decryption aspxspy the administrator password


Although the authors in its publishing program of the page description of their administrator password, but in order to better use the program, it is necessary to program some of the key analysis. Be aware the author is using what kind of encryption, the ease of creating your own Webshell。

3. Hands-on build your own Webshell

In cmd5 page directly input the original password to get an md5 value, which is the original password be sure to set a little more complicated, for example, in this case the“7a49107b5ce9067e35ff8de161ebb12d”, copy it to the cmd5 website query, query without result, as shown in Figure 3, so that even if the Webshell is someone to search, due to no password, and therefore Willy-nilly! The“7a49107b5ce9067e35ff8de161ebb12d”replace password with the md5 value“21232f297a57a5a743894a0e4a801fc3”, so that the Webshell basic sort of belong to our own, there's some need to modify the place, you can according to own hobby that modifications not substantially affect the program's use.


Figure 3 Using the cmd5 website reverse lookup set password security


In aspxspy can also modify SessionName, the cookiePass equivalent, to prevent through the SessionName and cookiePass value to achieve the bypass validation purposes.

4. Get the Webshell feature identification

Continue at source code view in the 1 4 7 9 line found a clear identity,“Copyright(C)2 0 0 8 Bin ->WwW.RoOTkIt.NeT.Cn”as shown in Figure 4, The logo will be displayed directly in the Webshell.


Figure 4 to obtain the Webshell feature identification


Looking for Webshell feature identification, he is the author of the program when writing a program for explaining the copyright and other information, indicating that the program is so complete, etc., these information can be directly through the Google acquisition. (III)find the Webshell

1. By the feature in the Google query Webshell

First, in Google enter“Copyright(C)2 0 0 8 Bin ->WwW.RoOTkIt.NeT.Cn”query, as shown in Figure 5, out of two results. Note that the input query should be:"Copyright(C)2 0 0 8 Bin ->WwW.RoOTkIt.NeT.Cn"use a double quotation mark, is to specify the keywords to search, otherwise, out will contain these keywords in the collection of records.


Figure 5 through Google search Webshell feature keywords

2. By the feature in the Baidu query Webshell

In Baidu search engine input"Copyright(C)2 0 0 8 Bin ->WwW.RoOTkIt.NeT.Cn"query, the effect is not ideal, as shown in Figure 6, regardless of the precise characteristics of the search results.


Figure 6 through Baidu search Webshell feature keywords

3. Directly open the first Webshell

Open the first Webshell address“http://www.xi**. com/ads/2 0 0 8 1 2 2 4 1 6 0 4 6 6. aspx”, the results out of for aspxspy the webshell, as shown in Figure 7, guess some common passwords, are not, it seems that the authors have modified the default password, had to temporarily give up.


Figure 7 acquisition of Taiwan a primary school Webshell


Since there is a small black invaded the site, unless the intruder on the system vulnerability is patched, otherwise by the detection of the same can obtain the system of Webshell is. The Webshell there are three ways to break one is to write a guessing machine, through repeated input of the password value to be judged, the second is the direct detection of the site, the implementation of the permeate;the third is to try to pass forged public string SessionName="ASPXSpy";public string cookiePass="ASPXSpyCookiePass";to break.

4. See the rest of the Webshell

Directly open a second search for records, as shown in Figure 8, Hey, is the government website, the Webshell is also hidden pretty deep.


Figure 8 access to government websites the Webshell

5. Notify the site administrator

Taiwan website on the matter, remove webshell address, directly open the web address“http://www.*. gov. cn/SISYSTEM/Web/OACMS_WWW/default. aspx”, after opening a look is“a city development and reform the price information network”, or a big guy, and Oh, hurry up and notify the relevant managers, looking for a half-day finally found a Director of the mailbox, as shown in Figure 9, the presence of the issue friendly reminder, the recommendation to conduct a comprehensivesecurity testing.


Figure 9 friendly reminder

6. Continue to look for Webshell

In Google, enter“Copyright (C) 2 0 0 8 Bin -> WwW.RoOTkIt.NeT.Cn”search, as shown in Figure 10, out 4 1 results, as shown in Figure 1 0 shows, for each result to view, the focus view the website address contained in the aspx to the address, for example“”that Figure 1 0 in the second search results.


Figure 1 0 again to search Webshell eigenvalues

(1)Get the can not execute the Webshell

Open directly“http://www.ipo.*. gov. cn/Ashkan. aspx”, as shown in Figure 1 1, The in the website http://www. ipo.***. gov. cn the display is in text format, indicates that the site may not be supported aspx.


Figure 1 1 to obtain not support aspx webshell

(2)to obtain a Arab website torn Webshell

Continue to view the results, by view, respectively, found in other Webshell: the as shown in Figure 1 2, The text shows that for the Arab States of a webshell, since the Insert does not complete reason, the webshell of the content displayed, but not executed.


Figure 1 2 to obtain a Arab website torn Webshell(3)continue to acquire other Webshell

Search through respectively to find the two you can use the Webshell address: http://www.northforkran**. com/files/admin. aspx

http://www.ic**. i r/Files/Galleries/SecurityRole. aspx

As shown in Figure 1 3 as shown, directly open the two Webshell, by entering some simple password for testing, test results show that, the intruder modifies the default administrator password.


Figure 1 3 once again search out the two Webshell

(IV)summary and experience

This article was GoogleHacking the use of one way, using this method if you are lucky, you can directly get Webshell on. By the present method even without obtaining the real Webshell, but from the side you can know the Get Webshell website, there should be a security problem, then the next step is to go to the excavation site vulnerability, enhance their technical level.