An in-depth discussion of executing *.exe files in a browser!
Article Category: ASP Tips | Release Date: 2000-10-16 Monday
From: Dynamic Network production guide www.knowsky.com

Can you really execute a command file in a browser? The answer is yes. (Wow, cool!) OK... but don't get too happy: it can only be executed on the server side, and it must be authorized. Otherwise it would be far too easy to hack a server, and anyone who dared to look at me the wrong way would get formatted. (I wish I could; servers would be hacking and getting hacked all the time. Ha ha!)
Two: How is it done? Does it rely on ASP files? Server-side execution is implemented by SSI, which stands for Server-Side Include (not SSL), and the #include we often use is one of the server-side include directives. This time, however, the directive being introduced is #exec, which executes commands on the server. It cannot be used in .asp files. Instead, use the .stm, .shtm and .shtml extensions. (Familiar, right?) The component that interprets and executes them is Ssinc.dll. So the code you write must be saved in the .stm format to make sure the server executes it.
Three: How do you implement it? Now for the substance. The syntax is:

<!--#exec CommandType = CommandDescription-->

CommandType is a parameter with two possible types:

1. CGI: runs an application, such as a CGI script, ASP, or ISAPI application. The CommandDescription parameter is a string containing the virtual path of the application, followed by a question mark and any parameters, separated by plus signs (+).
This is the most useful parameter of the #exec directive, and also the reason the directive exists. It can run an authorized CGI script or an ISAPI application. Microsoft created the directive for backward compatibility with some earlier ISAPI applications. As we know, Microsoft's early Web applications were interpreted by ISAPI, while also staying compatible with CGI programs. Even now you can find the Cgi-bin directory in your Web root directory. An example:

<!--#exec cgi="/CGI-BIN/CHAT.EXE?USER+PASSW"-->

We often see this kind of directive on UNIX hosts. Now we can also use it in our own .shtml files, if the server allows it, of course. There is also this kind of program:

<!--#exec cgi="/cgi-bin/login.dll?name"-->

This directive starts an out-of-process program that interprets the request and dynamically writes output into the Web page. This approach is uncommon, but you can still see it on some websites.
2. The CMD parameter. This is the most frightening parameter of the #exec directive, and also the reason the #exec directive gets disabled. It is also the ultimate weapon some of our friends fantasize about. Pity: pulling off the fancy tricks (e.g. de..., fo...) is difficult, almost impossible. Below is Microsoft's description of the CMD parameter; read and understand it before you test!

CMD: runs a shell command. The CommandDescription parameter is a string containing the full physical path of the shell command program, followed by command-line arguments separated by spaces. If the full path is not specified, the Web server searches the system path. By default this directive is disabled, because it poses a security risk to the Web site; for example, a user might use the Format command to format your hard disk.

I also suggest keeping it disabled, because Microsoft no longer recommends this command. However, if you are the administrator of the server, you can give it a try. Create a new test.shtml file and put a directive on its first line:

<!--#exec cmd="C:\winnt\system32\help.exe"-->

This is the Help file in NT (no danger). Or try this one:

<!--#exec cmd="C:\windows\command\mem.exe"-->

This is a command that shows memory under Windows 98 (no danger).
Then set the permissions of its virtual directory to Script or Execute.
Finally, enter the address http://localhost/xxx/test.shtml in the browser. If the browser displays the output those commands would print on screen, congratulations: your test succeeded.
Four: Final Fantasy! (It's best not to try. If something goes wrong, it has nothing to do with me, and I will not answer questions about it.)
What if we want to execute more commands? Then close your eyes and read on. First, open Registry Editor (remember to back up first) and find:

HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\w3svc4 (may also be w3svc)\parameters

Create a new DWORD value named SSIEnableCmdDirective. It takes two values, 0 and 1. Here is Microsoft's description:

The server-side #exec cmd directive executes shell commands. Security-conscious sites will want to turn off the #exec cmd directive by setting this value to 0. This serves as an added security precaution, especially when untrusted users are allowed to place files on the server. By default this value does not exist in the registry; to allow the directive to execute shell commands, you must first create this value and set it to 1.
You can also add a DWORD value named AllowSpecialCharsInShell. It also takes two values, 0 and 1. Here is Microsoft's description:

Range: 0, 1. Default value: 0 (disabled). This value controls whether Cmd.exe special characters such as [ | ( , ; % < > ] are allowed on the command line when running batch files (.bat and .cmd files). These special characters can cause serious security risks. If the value is set to 1, users with malicious intent can execute commands at will on the server. It is therefore strongly recommended that users keep the default setting of 0. By default, these special characters cannot be passed to script-mapped CGI programs. If the value is set to 1, all of them except the pipe symbol | and the standard I/O redirects (< and >), which have special meaning to the command processor, can be passed to script-mapped CGI programs.
Haha, I will not go into further detail. But it is not that easy to execute some of the commands you might want (such as <!--#exec cmd="c:\winnt\system32\format.com/y A:"-->). You will not succeed, and if the machine crashes, do not blame me.
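
Added example, not part of the original article: a Python check an administrator can run over Web content to find the #exec directives described above. It flags the cmd form, commands given without a full path (which the server resolves through the system path), and command lines containing the Cmd.exe special characters named in the AllowSpecialCharsInShell description. The function names, the sample page and its report.bat line are constructed for illustration, and the flags are review heuristics, not a model of how Ssinc.dll parses directives.

```python
import re
from pathlib import Path

# Extensions the article says are processed for SSI directives.
SSI_EXTENSIONS = {".stm", ".shtm", ".shtml"}
# Cmd.exe special characters named in the AllowSpecialCharsInShell description.
SPECIAL_CHARS = set("|(,;%<>")
# <!--#exec cmd="..."--> or <!--#exec cgi="..."-->, tolerant of case and spacing.
EXEC_RE = re.compile(r'<!--\s*#exec\s+(cmd|cgi)\s*=\s*"([^"]*)"\s*-->', re.IGNORECASE)

def audit_text(name, text):
    """Return one finding dict per #exec directive found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in EXEC_RE.finditer(line):
            kind, value = m.group(1).lower(), m.group(2).strip()
            notes = []
            if kind == "cmd":
                notes.append("runs a shell command")
                program = value.split(" ", 1)[0]
                # No drive letter or UNC prefix: the server searches the system path.
                if not re.match(r"^([A-Za-z]:\\|\\\\)", program):
                    notes.append("no full path")
                if SPECIAL_CHARS & set(value):
                    notes.append("special characters")
            findings.append({"file": name, "line": lineno, "type": kind,
                             "value": value, "notes": notes})
    return findings

def audit_tree(root):
    """Scan every SSI-mapped file under root (a Web content directory)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SSI_EXTENSIONS:
            findings += audit_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample page; the first two directives are the article's own examples.
SAMPLE = '''<html><body>
<!--#exec cgi="/cgi-bin/login.dll?name"-->
<!--#exec cmd= "C:\\winnt\\system32\\help.exe"-->
<!--#EXEC CMD="report.bat daily | more"-->
</body></html>'''

if __name__ == "__main__":
    for f in audit_text("test.shtml", SAMPLE):
        print(f["file"], f["line"], f["type"], f["value"], ", ".join(f["notes"]))
```

Call audit_tree() on the content directory of each site; any cmd finding is worth checking against the SSIEnableCmdDirective setting described above.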