I. Can I really execute a command file in a browser?
The answer is yes. (Wow, cool! Yes...) But don't get too excited: the command runs only on the server, and it must be authorized there. Otherwise the server would be far too easy to hack, and anyone who found me could format my disk. (I really hope you can't. A server that is always being hacked is still a hacked server, haha!)
II. How is it implemented? Does it rely on .asp files?
Execution on the server is implemented by SSI, which stands for Server Side Includes (not SSL). The directive we use most often is #include, one of the commands the server handles as an include. This time, however, we introduce #exec, which executes a command on the server.
Note that this does not work in .asp files; only the .stm, .shtm and .shtml extensions can be used (you should be familiar with them). The component that interprets and executes them is ssinc.dll, so the code you write must be saved as .stm or one of the other extensions for the server to execute it.
III. How to implement it?
Finally, we get to the substantive issues.
Its syntax is: <!--#exec CommandType=CommandDescription-->
CommandType is a parameter. It has two possible values, CGI and CMD, described below.
The CommandDescription parameter is a string. This string contains the virtual path of the application, followed by a question mark and any parameters to be sent to the application. Parameters are separated by the plus sign (+).
CGI: This is the most useful value of the #exec command and the reason the #exec command exists. It runs authorized CGI scripts or ISAPI applications. Microsoft created this command to be backward compatible with some early ISAPI applications. We know that Microsoft's early web applications were interpreted by ISAPI and were compatible with CGI programs; you can still find the CGI-BIN directory in your web root directory today.
Here is an example.
<!--#exec cgi="/CGI-BIN/chat.exe?user+passw"-->
This command is often seen on UNIX hosts. Now you can also use it in your .shtml pages, provided, of course, that the server permits it.
There is also another kind of program:
<!--#exec cgi="/CGI-BIN/login.dll?name"-->
This command starts an out-of-process program to interpret and dynamically output information to the web page. This method is not common, but you can still see it on some websites.
CMD: This is the most dangerous value of the #exec command and the reason the #exec command is usually not allowed. It is also the tool with which some of our netizens hope to realize their ultimate fantasies. Unfortunately, the tricks they imagine (such as de..., fo....) are difficult to pull off, almost impossible.
The following is Microsoft's description of the CMD parameter. Read it carefully and make sure you understand it!
Runs a shell command in CMD. The CommandDescription parameter is a string that contains the full physical path of the shell command program, followed by any command-line parameters separated by spaces. If no path is specified, the Web server searches the system path. By default this command is disabled because it poses a security risk to the Web site; for example, it could be used to run the format command and format your hard disk.
I personally suggest leaving it disabled, because Microsoft does not recommend this command.
However, if you are the server administrator, try it.
You can create a new test.shtml file.
Set a command in the first line.
<!--#exec cmd="c:\winnt\system32\help.exe"--> (a help program in NT, harmless)
Or try this one:
<!--#exec cmd="c:\windows\command\mem.exe"--> (a command that displays memory usage under Windows 98, harmless)
Then set the permission on the virtual directory to Script or Execute.
Finally, enter the address http://localhost/xxx/test.shtml in your browser.
If your browser displays their screen output, congratulations, you have done it.
IV. The ultimate fantasy! (It is best not to try this. If a problem occurs, it has nothing to do with me, and I will not answer related questions.)
What if we want to execute more commands? Close your eyes and read on.
First, open the Registry Editor (remember to back up the Registry first), then find the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
(the service key may also appear as w3svc)
and create a new DWORD value named
SSIEnableCmdDirective
Its two values are 0 and 1. The following is Microsoft's description.
The server-side #exec cmd command executes shell commands. Security-conscious websites will want to disable the #exec cmd command by setting this value to 0 as an additional security precaution; this is especially true when untrusted users are allowed to place files on the server. This value does not exist in the Registry by default. To allow this command to run shell commands, you must first create the value and set it to 1.
You can also add a DWORD value:
AllowSpecialCharsInShell
Its two values are 0 and 1. The following is Microsoft's description.
Value Range: 0, 1
Default Value: 0 (disabled)
This value controls whether special characters such as [ | ( , ; % < > ] may be used on the command line when running batch files (.bat and .cmd) and Cmd.exe. These special characters can cause serious security risks: if the value is set to 1, a user can execute arbitrary commands on the server. Therefore, we strongly recommend that you keep the default value of 0. By default, these special characters cannot be passed to script-mapped CGI programs. If the value is set to 1, all of these special characters except the pipe sign | and the standard I/O redirection characters < and > (which have special meanings in the command processor) can be passed to script-mapped CGI programs.
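As an added defender-side example (not code from the original article), here is a Python scanner that parses the #exec syntax from section III (cgi= with a virtual path and '+'-separated parameters, cmd= with a physical path and space-separated arguments) and flags every cmd= directive as well as any cgi= argument carrying the special characters listed above for AllowSpecialCharsInShell. The file names and contents are constructed samples.

```python
import re
from typing import Dict, List, NamedTuple

# Matches <!--#exec cgi="..."--> and <!--#exec cmd="..."-->, case-insensitive.
EXEC_RE = re.compile(
    r'<!--\s*#exec\s+(?P<type>cgi|cmd)\s*=\s*"(?P<desc>[^"]*)"\s*-->', re.IGNORECASE)
SHELL_SPECIALS = set('|(,;%<>')              # what AllowSpecialCharsInShell=1 would let through
SSI_EXTENSIONS = ('.stm', '.shtm', '.shtml')  # the only extensions ssinc.dll interprets

class ExecDirective(NamedTuple):
    command_type: str      # "cgi" or "cmd"
    program: str           # virtual path (cgi) or physical program path (cmd)
    arguments: List[str]   # '+'-separated query parameters (cgi) or shell arguments (cmd)
    special_chars: str     # shell metacharacters present in the arguments
    risky: bool            # cmd= always; cgi= only when its arguments carry metacharacters

def parse_exec_directives(text: str) -> List[ExecDirective]:
    """Return every #exec directive found in one SSI document."""
    found = []
    for m in EXEC_RE.finditer(text):
        ctype, desc = m.group('type').lower(), m.group('desc').strip()
        if ctype == 'cgi':
            # virtual path, then '?' and '+'-separated parameters
            path, _, query = desc.partition('?')
            args = [a for a in query.split('+') if a]
        else:
            # physical path followed by space-separated command-line arguments
            parts = desc.split()
            path, args = (parts[0], parts[1:]) if parts else ('', [])
        specials = ''.join(sorted({c for a in args for c in a if c in SHELL_SPECIALS}))
        found.append(ExecDirective(ctype, path, args, specials, ctype == 'cmd' or bool(specials)))
    return found

def scan_documents(docs: Dict[str, str]) -> Dict[str, List[ExecDirective]]:
    """Map each SSI document (name -> content) to its risky directives; clean files are omitted."""
    report = {}
    for name, text in docs.items():
        if name.lower().endswith(SSI_EXTENSIONS):
            risky = [d for d in parse_exec_directives(text) if d.risky]
            if risky:
                report[name] = risky
    return report

SAMPLE_DOCS = {  # constructed sample documents, not captured from any real server
    'chat.shtml': '<!--#exec cgi="/CGI-BIN/chat.exe?user+passw"-->',   # cgi, clean
    'test.shtml': '<!--#exec cmd="c:\\winnt\\system32\\help.exe"-->',    # cmd: flagged
    'odd.stm':    '<!--#exec cgi="/CGI-BIN/login.dll?name|dir"-->',     # pipe in args: flagged
    'page.asp':   '<!--#exec cmd="c:\\winnt\\system32\\help.exe"-->',    # .asp is never parsed by SSI
}
```

Run `scan_documents` over the contents of a web root to list the .stm/.shtm/.shtml files that would need SSIEnableCmdDirective=1 or AllowSpecialCharsInShell=1 to do anything, which is exactly what a hardened server should never have.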
Haha, I will not go into further detail.
But executing the commands you want is not that simple.
(For example, <!--#exec cmd="c:\winnt\system32\format.com /y a:"-->)
It won't succeed. If you give up, don't blame me.