ASP写的查ASP***的小东东,在肉鸡上使用,拿来把其他同行的webshell给接管掉~
说明:查asp、cer、cdx、asa及其嵌套调用的任意格式文件(图片asp***之类格查无论)
说明:查asp、cer、cdx、asa及其嵌套调用的任意格式文件(图片asp***之类格查无论)
ASP写的查ASP***的小东东,在肉鸡上使用,拿来把其他同行的webshell给接管掉~
说明:查asp、cer、cdx、asa及其嵌套调用的任意格式文件(图片asp***之类格查无论)密码为pass!下载后,存为asp文件,上传至肉鸡上的web目录,然后访问此文件!
说明:查asp、cer、cdx、asa及其嵌套调用的任意格式文件(图片asp***之类格查无论)密码为pass!下载后,存为asp文件,上传至肉鸡上的web目录,然后访问此文件!
<
%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<%
'设置密码
PASSWORD = "pass"
<%
'设置密码
PASSWORD = "pass"
dim Report
if request.QueryString("act")="login" then
if request.Form("pwd") = PASSWORD then session("pig")=1
end if
%>
[url]http://www.w3.org/TR/html4/loose.dtd[/url]">
ASPSecurity for Hacking
if request.Form("pwd") = PASSWORD then session("pig")=1
end if
%>
[url]http://www.w3.org/TR/html4/loose.dtd[/url]">
<%If Session("pig") <> 1 then%>
<%
else
if request.QueryString("act")<>"scan" then
%>
<%
else
server.ScriptTimeout = 600
DimFileExt = "asp,cer,asa,cdx"
Sun = 0
SumFiles = 0
SumFolders = 1
if request.Form("path")="" then
response.Write("No Hack")
response.End()
end if
timer1 = timer
if request.Form("path")="" then
TmpPath = Server.MapPath("")
elseif request.Form("path")="." then
TmpPath = Server.MapPath(".")
else
TmpPath = Server.MapPath("")&""&request.Form("path")
end if
Call ShowAllFile(TmpPath)
%>
| ASPSecurity For Hacking
| |||||
|---|---|---|---|---|---|
|
扫描完毕!一共检查文件夹<%=SumFolders%>个,文件<%=SumFiles%>个,发现可疑点<%=Sun%>个
|
<%
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
response.write "
本页执行共用了"&thetime&"毫秒"
end if
end if
%>
<%
本程序取自[url]http://www.0x54.org[/url]" target="_blank">雷客图ASP站长安全助手的ASP***查找功能
powered by [url]http://lake2.0x54.org[/url]" target=_blank>lake2
powered by [url]http://lake2.0x54.org[/url]" target=_blank>lake2
<%
'遍历处理path及其子目录所有文件
Sub ShowAllFile(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
For Each myfile in fc2
If CheckExt(FSO.GetExtensionName(path&""&myfile.name)) Then
Call ScanFile(Path&Temp&""&myfile.name, "")
SumFiles = SumFiles + 1
End If
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile path&""&f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub
Sub ShowAllFile(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
For Each myfile in fc2
If CheckExt(FSO.GetExtensionName(path&""&myfile.name)) Then
Call ScanFile(Path&Temp&""&myfile.name, "")
SumFiles = SumFiles + 1
End If
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile path&""&f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub
'检测文件
Sub ScanFile(FilePath, InFile)
If InFile <> "" Then
Infiles = "该文件被http://"&Request.Servervariables("server_name")&""&InFile&""" target=_blank>"& InFile & "文件包含执行"
End If
Set FSOs = CreateObject("Scripting.FileSystemObject")
on error resume next
set ofile = fsos.OpenTextFile(FilePath)
filetxt = Lcase(ofile.readall())
If err Then Exit Sub end if
if len(filetxt)>0 then
'特征码检查
temp = "http://"&Request.Servervariables("server_name")&""&replace(FilePath,server.MapPath("")&"","",1,1,1)&""" target=_blank>"&replace(FilePath,server.MapPath("")&"","",1,1,1)&""
'Check "WScr"&DoMyBest&"ipt.Shell"
If instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
Report = Report&""&temp&" WScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8 危险组件,一般被ASP***利用。"&infiles&" "&GetDateCreate(filepath)&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End if
'Check "She"&DoMyBest&"ll.Application"
If instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
Report = Report&""&temp&" She"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000 危险组件,一般被ASP***利用。"&infiles&" "&GetDateCreate(filepath)&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
'Check .Encode
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "@\s*LANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
If regEx.Test(filetxt) Then
Report = Report&""&temp&" (vbscript|jscript|javascript).Encode 似乎脚本被加密了,一般ASP文件是不会加密的。"&infiles&" "&GetDateCreate(filepath)&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
'Check my ASP backdoor :(
regEx.Pattern = "\bEv"&"al\b"
If regEx.Test(filetxt) Then
Report = Report&""&temp&" Ev"&"al e"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)
但是javascript代码中也可以使用,有可能是误报。"&infiles&" "&GetDateCreate(filepath)&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
'Check exe&cute backdoor
regEx.Pattern = "[^.]\bExe"&"cute\b"
If regEx.Test(filetxt) Then
Report = Report&""&temp&" Exec"&"ute e"&"xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)。
"&infiles&" "&GetDateCreate(filepath)&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
Set regEx = Nothing
'Check include file
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "
Sub ScanFile(FilePath, InFile)
If InFile <> "" Then
Infiles = "该文件被http://"&Request.Servervariables("server_name")&""&InFile&""" target=_blank>"& InFile & "文件包含执行"
End If
Set FSOs = CreateObject("Scripting.FileSystemObject")
on error resume next
set ofile = fsos.OpenTextFile(FilePath)
filetxt = Lcase(ofile.readall())
If err Then Exit Sub end if
if len(filetxt)>0 then
'特征码检查
temp = "http://"&Request.Servervariables("server_name")&""&replace(FilePath,server.MapPath("")&"","",1,1,1)&""" target=_blank>"&replace(FilePath,server.MapPath("")&"","",1,1,1)&""
'Check "WScr"&DoMyBest&"ipt.Shell"
If instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
Report = Report&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End if
'Check "She"&DoMyBest&"ll.Application"
If instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
Report = Report&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
'Check .Encode
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "@\s*LANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
If regEx.Test(filetxt) Then
Report = Report&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
'Check my ASP backdoor :(
regEx.Pattern = "\bEv"&"al\b"
If regEx.Test(filetxt) Then
Report = Report&"
但是javascript代码中也可以使用,有可能是误报。"&infiles&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
'Check exe&cute backdoor
regEx.Pattern = "[^.]\bExe"&"cute\b"
If regEx.Test(filetxt) Then
Report = Report&"
"&infiles&"
"&GetDateModify(filepath)&"
Sun = Sun + 1
End If
Set regEx = Nothing
'Check include file
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "