一个查asp木马的小东东
来源:
中文源码网 浏览:363 次 日期:2024-04-19 05:29:55
【下载文档: 一个查asp木马的小东东.txt 】
一个查ASP木马的小东东
关于查ASP木马的程序,记得半年前在八进制发了一个测试版(具体的URL:http://forum.eviloctal.com/read-htm-tid-19665.html),得到很多朋友的指导,学到了很多东西,非常感谢他们。现在我发的这个升级版,修补了以前的bug,加入了对一些组件写文件函数的检测,更加趋于完美了,个人认为想绕过去有点难度哦。 这回的默认密码是security 当然啦,哈哈,lake2“比武招亲”,欢迎各位朋友提出绕过检测的马马来,一经证实,lake2将把我自己写的某ASP木马“嫁”给他^_^ 特别有创意的,送你一个我最新弄出来的脚本,具体嘛,嘿嘿,到时候就知道啦。 战书已下,谁来迎战? 源码,另存为asp文件即可使用: <%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%> <% '设置密码 PASSWORD = "security" dim Report if request.QueryString("act")="login" then if request.Form("pwd") = PASSWORD then session("pig")=1 end if %>
Scan WebShell -- ASPSecurity For Hacking <%If Session("pig") <> 1 then%>
<% else if request.QueryString("act")<>"scan" then %>
<% else server.ScriptTimeout = 600 if request.Form("path")="" then response.Write("No Hack") response.End() end if if request.Form("path")="\" then TmpPath = Server.MapPath("\") elseif request.Form("path")="." then TmpPath = Server.MapPath(".") else TmpPath = Server.MapPath("\")&"\"&request.Form("path") end if timer1 = timer Sun = 0 SumFiles = 0 SumFolders = 1 If request.Form("radiobutton") = "sws" Then DimFileExt = "asp,cer,asa,cdx" Call ShowAllFile(TmpPath) Else If request.Form("path") = "" or request.Form("Search_Date") = "" or request.Form("Search_FileExt") = "" Then response.Write("缉捕条件不完全,恕难从命
请返回重新输入") response.End() End If DimFileExt = request.Form("Search_fileExt") Call ShowAllFile2(TmpPath) End If %>
Scan WebShell -- ASPSecurity For Hacking |
扫描完毕!一共检查文件夹<%=SumFolders%>个,文件<%=SumFiles%>个,发现可疑点<%=Sun%>个 <%If request.Form("radiobutton") = "sws" Then%> 文件相对路径 | 特征码 | 描述 | 创建/修改时间 | <%else%> 文件相对路径 | 文件创建时间 | 修改时间 | <%end if%> <%=Report%>
| |
<% timer2 = timer thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10) response.write "
本页执行共用了"&thetime&"毫秒" end if end if %>
<% '遍历处理path及其子目录所有文件 Sub ShowAllFile(Path) Set FSO = CreateObject("Scripting.FileSystemObject") if not fso.FolderExists(path) then exit sub Set f = FSO.GetFolder(Path) Set fc2 = f.files For Each myfile in fc2 If CheckExt(FSO.GetExtensionName(path&"\"&myfile.name)) Then Call ScanFile(Path&Temp&"\"&myfile.name, "") SumFiles = SumFiles + 1 End If Next Set fc = f.SubFolders For Each f1 in fc ShowAllFile path&"\"&f1.name SumFolders = SumFolders + 1 Next Set FSO = Nothing End Sub '检测文件 Sub ScanFile(FilePath, InFile) If InFile <> "" Then Infiles = "
该文件被"& InFile & "文件包含执行" End If Set FSOs = CreateObject("Scripting.FileSystemObject") on error resume next set ofile = fsos.OpenTextFile(FilePath) filetxt = Lcase(ofile.readall()) If err Then Exit Sub end if if len(filetxt)>0 then '特征码检查 filetxt = vbcrlf & filetxt temp = "
"&replace(FilePath,server.MapPath("\")&"\","",1,1,1)&"" 'Check "WScr"&DoMyBest&"ipt.Shell" If instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then Report = Report&"
"&temp&" | WScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8 | 危险组件,一般被ASP木马利用"&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End if 'Check "She"&DoMyBest&"ll.Application" If instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then Report = Report&"
"&temp&" | She"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000 | 危险组件,一般被ASP木马利用"&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End If 'Check .Encode Set regEx = New RegExp regEx.IgnoreCase = True regEx.Global = True regEx.Pattern = "\bLANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b" If regEx.Test(filetxt) Then Report = Report&"
"&temp&" | (vbscript|jscript|javascript).Encode | 似乎脚本被加密了"&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End If 'Check my ASP backdoor :( regEx.Pattern = "\bEv"&"al\b" If regEx.Test(filetxt) Then Report = Report&"
"&temp&" | Ev"&"al | e"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X) 但是javascript代码中也可以使用,有可能是误报。"&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End If 'Check exe&cute backdoor regEx.Pattern = "[^.]\bExe"&"cute\b" If regEx.Test(filetxt) Then Report = Report&"
"&temp&" | Exec"&"ute | e"&"xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X) "&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End If '----------------------Start Update 200605031----------------------------- 'Check .Create&TextFile and .OpenText&File regEx.Pattern = "\.(Open|Create)TextFile\b" If regEx.Test(filetxt) Then Report = Report&"
"&temp&" | .CreateTextFile|.OpenTextFile | 使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End If 'Check .SaveT&oFile regEx.Pattern = "\.SaveToFile\b" If regEx.Test(filetxt) Then Report = Report&"
"&temp&" | .SaveToFile | 使用了Stream的SaveToFile函数写文件"&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End If 'Check .&Save regEx.Pattern = "\.Save\b" If regEx.Test(filetxt) Then Report = Report&"
"&temp&" | .Save | 使用了XMLHTTP的Save函数写文件"&infiles&" | "&GetDateCreate(filepath)&" "&GetDateModify(filepath)&" |
" Sun = Sun + 1 End If '------------------ End ---------------------------- Set regEx = Nothing 'Check include file Set regEx = New RegExp regEx.IgnoreCase = True regEx.Global = True regEx.Pattern = "