Experts teach you to use the Yi ASP Trojan to hunt down the invasion site

Trojan Horse | site

Friends of the site has been hacked several times, and is always changed pages, let me help to see where the problem is. So I found that can find a Trojan horse to look for easy ASP Trojan Hunt, uploaded to the site to check ASP Trojan. It works, it can list all the directories and files within the site, where the ASP Web page to invoke FSO, write (delete, build) and upload functions, it can be found, and it is better than other ASP Trojan Hunt is able to check the key words, I used it to find a friend did not detect the ice fox back door. However, this is used for Web site security maintenance of the auxiliary tools, incredibly no password authentication. Some careless administrator may not think of the deletion after use, or for later use, it is likely to put it on the site-I decided to search.

In Baidu on the Web page to find the word, the key word is "think easy ASP Trojan Hunt", to find the relevant web page about 1,260, from the file with these keywords in the extension look, most of which are provided under this file, only a small number of this ASP file.

Swap "written by Blueeyes", found 17 records, except 3 is related to the introduction of the code, the other is an ASP chasing this file itself, that is, can be used. It looks like the hit rate is pretty high.

Tips: Compared to two different search results, you can send some sites in front of the site has been searched, and there is no, that the Web site to put this document far more than these, transform search keywords, should be able to find more.

OK, let's try to hack into these sites. True to click on the query to the page can be opened on the ASP Trojan hunt. I casually ordered an address, this seems to be a virtual host, I was thinking of the virtual host agent, I chose it.

Through the website of the easy ASP Trojan hunt files, the site's directory, documents all out. This thinking can only see, do not download or open the file is not, how to do? Look for a database, of course. If you can download, the password is clear, hum, that would be fun! Find the database directory, see the database is ASP, try to download, but they did the download processing, download not-but there is an MDB in the corner of the database, is estimated to be used for backup, maybe there is also a password information, download. After downloading, open to discover unexpectedly need password.

Had to come up with broken password software broken password, find out after the password information found. And then according to think easy to find backstage, see can use "' or ' = '" "Enter, no; Find upload file to see if there is a loophole, the results of the forum is not common, there is no upload file; it seems that the virtual host is not so good to take.

In the frustration of the ASP on the point selected "back to the Superior directory" point of view, God, the sky fell into the cake? Incredibly can go back to the root directory, see other sites, it seems that the administrator has not set access permissions, a chance Oh! As shown in Figure 6.

To look at the various directories, into an FTP download directory, there are a lot of movies, first put aside. Several directories have been transferred, some unknown tools have been downloaded, and a Web.rar file has been downloaded to take a look at the website system. This on the website can not see, finally let me down, a little harvest!

Continue to find a place can be invaded, go to another access to the Web site, look at the database, the extension is an MDB, after downloading smoothly open, password or plaintext, the success of half. Immediately login backstage, with the user and password to enter smoothly. Have added software bar, but a bit disappointing, can only fill in the address, can not upload directly, the article did not upload the image function. There is a picture bar, you can upload pictures.

Since it is a special picture bar, it is estimated that the upload type to do a strict filter, you can only try to upload the vulnerability is available. With the veteran's Upload tool test, the results were unsuccessful, and the extension changed to JPG. Sure enough, to fill the hole?!

Can only look at the computer in a daze, decided to grab a bag to see, directly in the Web site ASP when the picture upload, hint file type illegal, this is expected. Before I see the bag, the sight makes me believe: a set of numbers appears in the image Address bar, followed by asp!

Really can't believe, not me to copy the previous file address here, change to ASP? Recall that you didn't do this, and then look at it differently than the file name you uploaded earlier. What's going on, give it a try. Days! The miracle really appeared, the ASP executes!

Later went in and looked at the code, the front desk does not have any filtering, the background only filtered ASP, and because of the code error, it is just a warning, and did not stop execution, the file continues to upload.

Script Kid: The relevant code is as follows:

Fileext=lcase (Right (file.filename,3))
If fileext= "ASP" then
Response.Write "File type illegal"
End If
End If
Randomize
Rannum=int (90000*RND) +10000

So it can actually upload any file, warning hints just scare people.

With this ASP backdoor, the other is good to do. Upload a control back door, it is easy to enter the previous target site. Open coon.asp, the database password out, through the backdoor program will be used by the extension of the ASP database download, changed to MDB, with the password open, the administrator's password is clear. With the administrator name and password, finally entered the target site backstage. This intrusion can be said not to use hacking tools, there is not much technology to say, but the idea and method of intrusion is still very unique. There are a few places can be inspired, the site's security tools into a tool to find chickens, in the direct not when the circuitous combat, and finally achieve the goal. It can be said that hackers are not only technology, sometimes the idea is also very important. In addition, the intrusion process also shows that the Web site management software is a double-edged sword, it must take the necessary security measures, or password authentication, or upload, use after deletion. （