One thing I have always emphasized: in network offense and defense, the way of thinking matters most. This article was inspired by a chapter manuscript from the Security Team 365 Days project, which mentioned AspxSpy, an ASP.NET backdoor. "Backdoors inside backdoors" have lately been popular in the security community: someone gives away a Webshell program with a backdoor hidden inside it, so that many black-hats toil away only to hand their results to the backdoor's owner, and few of them ever notice the backdoor within the Webshell. Such schemes come in two general types: one links directly to a Trojan and brings direct profit; the other captures the Webshell address, user name and password that the black-hat enters and sends them all back, so that whatever server the black-hat controls, the backdoor's owner controls as well. This article began as a study of that idea, and the study found that this method can also turn up a lot of backdoors, some of which give direct control of the server.
(A) First encounter with AspxSpy
AspxSpy has been around for quite some time; the program was released on 2008-02-02. I saw it long ago but had no time to use it.
1. Introduction to AspxSpy
AspxSpy is a backdoor tool written by a friend, Bin. The source code can be downloaded from http://www.ixpub.net/thread-898531-1-1.html. For tools I generally prefer to download from the original author, which should be relatively safer and avoids the extra insecurity of a copy that has passed through a middleman. Its main features and functions are as follows:
(1) Development environment VS2005 + C#, compatible with Framework 1.1/2.0, with code basically separated;
(2) Password stored as a 32-character (lower-case) MD5 hash; the default is admin;
(3) Uses the POST method to submit data, for better concealment;
(4) Adds an IIS detection feature that traverses IIS site information;
(5) Enhanced modification of file attributes;
(6) Added SQLTools: with SA permission it can execute system commands, and its SQL_DIR function can back up the log/database to a specified directory as a shell file named bin.asp;
(7) Added Serv-U privilege escalation;
(8) A single-threaded port scanner;
(9) Simple reading of the registry.
2. Download the source code
I downloaded the source file aspxspy.rar from the author's site and first scanned the archive with anti-virus software (avast!). Everything came back normal, so it seems the code is not yet widespread, or at least has not been added to the anti-virus blacklists.
(B) The source code
1. View the source
The archive aspxspy.rar contains a single file, aspxspy.aspx, which is very compact. Opening the source file directly in UltraEdit, as shown in Figure 1, the code is written in ASP.NET; line 12 holds the backdoor's admin password as a 32-character MD5 value, "21232f297a57a5a743894a0e4a801fc3".
Figure 1: Viewing the aspxspy.aspx source code
Description:
The source code of a Webshell or any other program is usually viewed with a text editor such as UltraEdit.
2. Decrypt the AspxSpy password
Entering the password's MD5 value "21232f297a57a5a743894a0e4a801fc3" at www.cmd5.com returns "admin", as shown in Figure 2. If the black-hat has not changed this value, the default password is "admin", and a search engine can then turn up some unmodified Webshells.
Figure 2: Decrypting the AspxSpy administrator password
Description:
Although the program's release page shows its administrator password, using the program well requires analyzing some of its key points. Knowing what kind of encryption is used makes it easy to build your own Webshell.
3. Build your own Webshell by hand
Enter the original password on the cmd5 page to obtain an MD5 value; the original password should be set a bit more complex, and the value used here is "7a49107b5ce9067e35ff8de161ebb12d". Copying it to the cmd5 site and querying returns no result, as shown in Figure 3, which means that even if someone else finds this Webshell by searching, they have no password and therefore no way in. Replace the MD5 password value "21232f297a57a5a743894a0e4a801fc3" with "7a49107b5ce9067e35ff8de161ebb12d" and the Webshell basically becomes our own. After that, a number of other places can be modified to taste; those changes do not affect the program's basic use.
Figure 3: Checking password security with the cmd5 reverse-lookup site
Description: In AspxSpy you can also modify the SessionName and cookiePass values, to prevent someone from using the SessionName and cookiePass values to bypass validation.
4. Identifying features of the Webshell
Continuing through the source code, at line 1479 there is a clear identifying string, "Copyright (C) 2008 Bin -> WwW.RoOTkIt.NeT.Cn", shown in Figure 4; this mark is displayed directly in the Webshell.
Figure 4: Identifying features of the Webshell being accessed
Description: Finding a Webshell's identifying features: the author of the main program uses them to record copyright and similar information, and since the string is so distinctive, that information can be found through Google.
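The indicators pulled out of aspxspy.aspx above (the default admin hash that cmd5 resolves, the SessionName and cookiePass constants, and the copyright string) are also exactly what a defender can scan a web root for to find a planted copy, changed password or not. The following Python script is an added example, not part of the original article and not AspxSpy's own code; the sample files it writes are constructed here, and the variable name `Password` in them is an assumption about how the shell stores its hash.

```python
"""Added example (not from the original article or from AspxSpy itself):
scan a web root for the AspxSpy indicators the article identifies in
aspxspy.aspx, namely the copyright string, the default admin password
hash and the default SessionName / cookiePass constants."""
import hashlib
import os
import re
import tempfile

# Indicators quoted from the article's analysis of the AspxSpy source.
SIGNATURE = "Copyright (C) 2008 Bin -> WwW.RoOTkIt.NeT.Cn"
DEFAULT_PASSWORD_MD5 = "21232f297a57a5a743894a0e4a801fc3"  # md5("admin")
SESSION_NAME_RE = re.compile(r'SessionName\s*=\s*"ASPXSpy"')
COOKIE_PASS_RE = re.compile(r'cookiePass\s*=\s*"ASPXSpyCookiePass"')
# Any quoted 32-hex-digit constant: a copy with a changed password still
# carries its hash in this form, which is worth reporting alongside the hit.
MD5_CONST_RE = re.compile(r'"([0-9a-fA-F]{32})"')
SCAN_EXTENSIONS = (".aspx", ".ashx", ".asax", ".cs")


def md5_hex(text: str) -> str:
    """Lower-case hex MD5, the form AspxSpy stores its password in."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def is_default_password(hash_hex: str) -> bool:
    """True when a stored hash is the unmodified md5("admin")."""
    return hash_hex.lower() == md5_hex("admin")


def scan_text(content: str) -> dict:
    """Check one file's content against every indicator."""
    hashes = [h.lower() for h in MD5_CONST_RE.findall(content)]
    findings = {
        "signature": SIGNATURE in content,
        "default_password": any(is_default_password(h) for h in hashes),
        "default_session_name": SESSION_NAME_RE.search(content) is not None,
        "default_cookie_pass": COOKIE_PASS_RE.search(content) is not None,
        "md5_constants": hashes,
    }
    findings["suspicious"] = any(
        findings[k] for k in ("signature", "default_password",
                              "default_session_name", "default_cookie_pass"))
    return findings


def scan_webroot(root: str) -> dict:
    """Walk a web root; return {relative path: findings} for files that trip an indicator."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings["suspicious"]:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed sample files (not real AspxSpy code). The variable name
# "Password" is an assumption about how the shell stores its hash.
SAMPLE_FILES = {
    "ads/unchanged.aspx": (
        '<%@ Page Language="C#" %>\n<script runat="server">\n'
        'public string Password="21232f297a57a5a743894a0e4a801fc3";\n'
        'public string SessionName="ASPXSpy";\n'
        'public string cookiePass="ASPXSpyCookiePass";\n</script>\n'
        + SIGNATURE + "\n"
    ),
    "files/renamed.aspx": (
        '<%@ Page Language="C#" %>\n<script runat="server">\n'
        'public string Password="7a49107b5ce9067e35ff8de161ebb12d";\n'
        'public string SessionName="Sx";\n</script>\n'
        + SIGNATURE + "\n"
    ),
    "default.aspx": '<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n',
}


def build_sample_webroot() -> str:
    """Write the constructed samples into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, f in sorted(scan_webroot(build_sample_webroot()).items()):
        flags = [k for k in ("signature", "default_password",
                             "default_session_name", "default_cookie_pass") if f[k]]
        print(f"{rel}: {', '.join(flags)}; hashes={f['md5_constants']}")
```

Run against a real web root, the scanner reports the unchanged copy on all four indicators and the renamed copy on the copyright string alone, while still listing the new hash. The unsalted MD5 is what makes the cmd5 lookup in the text work, so a hash that does not resolve only means the password was changed, not that the file is harmless; a hit on any indicator should lead to removing the file and finding out how it was planted.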
(C) Finding Webshells
1. Querying Google for Webshells by their features
Google first: type "Copyright (C) 2008 Bin -> WwW.RoOTkIt.NeT.Cn" and search; as shown in Figure 5, two results come up. Note that the query should be entered as "Copyright (C) 2008 Bin -> WwW.RoOTkIt.NeT.Cn" with the double quotes, which makes it an exact-phrase search; otherwise the results will include any record that merely contains those keywords.
Figure 5: Searching Google for Webshells by the characteristic keyword
2. Querying Baidu for Webshells by their features
Entering "Copyright (C) 2008 Bin -> WwW.RoOTkIt.NeT.Cn" in the Baidu search engine gives unsatisfactory results, as shown in Figure 6: the search results do not respect the exact phrase.
Figure 6: Searching Baidu for Webshells by the characteristic keyword
3. Directly opening the first Webshell
Opening the first Webshell address, "http://www.xi********.com/ads/20081224160466.aspx", brings up an AspxSpy Webshell, as shown in Figure 7. I guessed a few common passwords, none of which worked; it seems the author had modified the default password, so I had to give up.
Figure 7: Accessing a Webshell on a primary and secondary school site in Taiwan
Note: Since a black-hat has already broken into the site, unless the intruder patched the system's vulnerabilities, testing the system yourself could also yield a Webshell. There are three ways to break this Webshell: first, write a guessing tool that repeatedly submits password values and judges the response; second, test the site directly and carry out a penetration; third, try to forge the SessionName and cookiePass values (public string SessionName="ASPXSpy"; public string cookiePass="ASPXSpyCookiePass";) to get through.
4. View the remaining Webshells
Opening the second search result directly, shown in Figure 8: hey, it is a government website, and the Webshell is hidden quite deep.
Figure 8: Accessing a Webshell on a government website
5. Notify the webmaster
Leaving the Taiwanese site aside, I removed the webshell part of the address and opened the site address directly, "http://www.*****.gov.cn/SISYSTEM/Web/OACMS_WWW/default.aspx". It opened to "the price information network of a certain city's Development and Reform Commission", quite a big player, huh. I quickly set about notifying the administrators; after a long search I finally found a secretary's e-mail, as shown in Figure 9, described the problem to them and recommended a comprehensive security test.
Figure 9: Friendly reminder
6. Continue looking for Webshells
Searching Google for "Copyright (C) 2008 Bin -> WwW.RoOTkIt.NeT.Cn" again, as shown in Figure 10, returned 41 results. Looking through each result, focus on site addresses that contain aspx, for example "www.ipo.gansu.gov.cn/Ashkan.aspx", which is the second search result in Figure 10.
Figure 10: Searching for Webshells by the characteristic value again
(1) A Webshell that does not execute
Opening "http://www.ipo.*****.gov.cn/Ashkan.aspx" directly, as shown in Figure 11, the site http://www.ipo.*****.gov.cn displays the file as plain text, indicating that the site may not support aspx.
Figure 11: The site does not support aspx, so the webshell does not run
(2) An incomplete Webshell on an Arab site
Continuing through the results, another Webshell was found: www.ktvc.ac.ir/LoadDynamicForm.aspx?FormCode=0, as shown in Figure 12. The text shows it is a webshell on a site in an Arab country; because the insertion was incomplete, the webshell's content is displayed but cannot execute.
Figure 12: An incomplete Webshell on an Arab site
(3) Continuing to access other Webshells
Searching also turned up two usable Webshell addresses:
http://www.northforkran******.com/files/admin.aspx
http://www.ic**.ir/Files/Galleries/SecurityRole.aspx
As shown in Figure 13, opening the two Webshells directly and testing a few simple passwords showed that the intruder had modified the default administrator password.
Figure 13: The two Webshells found by searching again
(D) Summary and experience
This article can be considered one way of using Google hacking; with this method, if you are lucky, you can obtain a Webshell directly. Even when no real Webshell is obtained this way, a site that carries a Webshell clearly has security problems, so the next step is to dig up that site's vulnerabilities yourself and improve your skills.