一个查ASP木马的小东东

2016-02-19 11:12 14 1 收藏

get新技能是需要付出行动的，即使看得再多也还是要动手试一试。今天图老师小编跟大家分享的是一个查ASP木马的小东东，一起来学习了解下吧！

【 tulaoshi.com - Web开发】

关于查ASP木马的程序，记得半年前在八进制发了一个测试版（具体的URL:http://forum.eviloctal.com/read-htm-tid-19665.html），得到很多朋友的指导，学到了很多东西，非常感谢他们。现在我发的这个升级版，修补了以前的bug，加入了对一些组件写文件函数的检测，更加趋于完美了，个人认为想绕过去有点难度哦。
这回的默认密码是security
当然啦，哈哈，lake2“比武招亲”，欢迎各位朋友提出绕过检测的马马来，一经证实，lake2将把我自己写的某ASP木马“嫁”给他^_^ 特别有创意的，送你一个我最新弄出来的脚本，具体嘛，嘿嘿，到时候就知道啦。
战书已下，谁来迎战？
源码,另存为asp文件即可使用:

%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%
%
'设置密码
PASSWORD = "security"

dim Report

if request.QueryString("act")="login" then
  if request.Form("pwd") = PASSWORD then session("pig")=1
end if
%
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"
html
head
meta http-equiv="Content-Type" content="text/html; charset=gb2312"
titleScan WebShell -- ASPSecurity For Hacking/title
style type="text/css"
!--
body,td,th {
  font-size: 12px;
}
--
/style
/head
body
%If Session("pig")  1 then%
form name="form1" method="post" action="?act=login"
div style="text-align:center"Password:
input name="pwd" type="password" size="15"
input type="submit" name="Submit" value="提交"
/div
/form
%
else
  if request.QueryString("act")"scan" then
%
        form action="?act=scan" method="post" name="form1"
         pb填入你要检查的路径：/b
         input name="path" type="text" style="border:1px solid #999" value="." size="30" /
         br
        * 网站根目录的相对路径，填“”即检查整个网站；“.”为程序所在目录br
        br
        你要干什么:
        input name="radiobutton" type="radio" value="sws" checked
        查ASP木马
        input type="radio" name="radiobutton" value="sf"

        搜索符合条件之文件br
        br
        -------------- 如果搜索文件需将以下内容填写完整 ------------------br
        br
        查找内容：
input name="Search_Content" type="text" id="Search_Content" style="border:1px solid #999" size="20"
* 要查找的字符串，不填就只进行日期检查br/
修改日期：
input name="Search_Date" type="text" style="border:1px solid #999" value="%=Left(Now(),InStr(now()," ")-1)%" size="20"
* 多个日期用;隔开，任意日期填写a href="#" onClick="javascript:form1.Search_Date.value='ALL'"ALL/abr/
文件类型：
input name="Search_FileExt" type="text" style="border:1px solid #999" value="*" size="20"
* 类型之间用,隔开，*表示所有类型        br
       br
       input type="submit" value=" 开始扫描 " style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" /
     /p
/form
%
  else
    server.ScriptTimeout = 600
    if request.Form("path")="" then
      response.Write("No Hack")
      response.End()
    end if
    if request.Form("path")="" then
      TmpPath = Server.MapPath("")
    elseif request.Form("path")="." then
      TmpPath = Server.MapPath(".")
    else
      TmpPath = Server.MapPath("")&""&request.Form("path")
    end if
    timer1 = timer
    Sun = 0
    SumFiles = 0
    SumFolders = 1
    If request.Form("radiobutton") = "sws" Then
      DimFileExt = "asp,cer,asa,cdx"
      Call ShowAllFile(TmpPath)
    Else
      If request.Form("path") = "" or request.Form("Search_Date") = "" or request.Form("Search_FileExt") = "" Then
        response.Write("缉捕条件不完全，恕难从命brbra href='javascript:history.go(-1);'请返回重新输入/a")
        response.End()
      End If
      DimFileExt = request.Form("Search_fileExt")
      Call ShowAllFile2(TmpPath)
    End If
%
table width="100%" border="0" cellpadding="0" cellspacing="0" class="CContent"
tr
th Scan WebShell -- ASPSecurity For Hacking
/tr
tr
td class="CPanel" style="padding:5px;line-height:170%;clear:both;font-size:12px"
div id="updateInfo" style="background:ffffe1;border:1px solid #89441f;padding:4px;display:none"/div
扫描完毕！一共检查文件夹font color="#FF0000"%=SumFolders%/font个，文件font color="#FF0000"%=SumFiles%/font个，发现可疑点font color="#FF0000"%=Sun%/font个
  table width="100%" border="0" cellpadding="0" cellspacing="0"
   tr
     td valign="top"
       table width="100%" border="1" cellpadding="0" cellspacing="0" style="padding:5px;line-height:170%;clear:both;font-size:12px"
       tr
%If request.Form("radiobutton") = "sws" Then%
       td width="20%"文件相对路径/td
       td width="20%"特征码/td
       td width="40%"描述/td
       td width="20%"创建/修改时间/td
%else%
       td width="50%"文件相对路径/td
       td width="25%"文件创建时间/td
       td width="25%"修改时间/td
%end if%
       /tr
     p
       %=Report%
       br//p
       /table/td
   /tr
  /table
/td/tr/table
%
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
response.write "brfont size=""2""本页执行共用了"&thetime&"毫秒/font"
  end if
end if

%
hr
div style="text-align:center"本程序取自a href="http://www.0x54.org" target="_blank"雷客图ASP站长安全助手/a的ASP木马查找和可疑文件搜索功能br
powered by a href="http://lake2.0x54.org" target=_blanklake2/a ( Build 20060615 ) /div
/body
/html
%

'遍历处理path及其子目录所有文件
Sub ShowAllFile(Path)
  Set FSO = CreateObject("Scripting.FileSystemObject")
  if not fso.FolderExists(path) then exit sub
  Set f = FSO.GetFolder(Path)
  Set fc2 = f.files
  For Each myfile in fc2
    If CheckExt(FSO.GetExtensionName(path&""&myfile.name)) Then
      Call ScanFile(Path&Temp&""&myfile.name, "")
      SumFiles = SumFiles + 1
    End If
  Next
  Set fc = f.SubFolders
  For Each f1 in fc
    ShowAllFile path&""&f1.name
    SumFolders = SumFolders + 1
Next
  Set FSO = Nothing
End Sub

'检测文件
Sub ScanFile(FilePath, InFile)
  If InFile  "" Then
    Infiles = "font color=red该文件被a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(InFile)&""" target=_blank"& InFile & "/a文件包含执行/font"
  End If
  Set FSOs = CreateObject("Scripting.FileSystemObject")
  on error resume next
  set ofile = fsos.OpenTextFile(FilePath)
  filetxt = Lcase(ofile.readall())
  If err Then Exit Sub end if
  if len(filetxt)0 then
    '特征码检查
    filetxt = vbcrlf & filetxt
    temp = "a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(replace(replace(FilePath,server.MapPath("")&"","",1,1,1),"","/"))&""" target=_blank"&replace(FilePath,server.MapPath("")&"","",1,1,1)&"/a"
      'Check "WScr"&DoMyBest&"ipt.Shell"
      If instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
        Report = Report&"trtd"&temp&"/tdtdWScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8/tdtdfont color=red危险组件，一般被ASP木马利用/font"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End if
      'Check "She"&DoMyBest&"ll.Application"
      If instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
        Report = Report&"trtd"&temp&"/tdtdShe"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000/tdtdfont color=red危险组件，一般被ASP木马利用/font"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End If
      'Check .Encode
      Set regEx = New RegExp
      regEx.IgnoreCase = True
      regEx.Global = True
      regEx.Pattern = "bLANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"
      If regEx.Test(filetxt) Then
        Report = Report&"trtd"&temp&"/tdtd(vbscript|jscript|javascript).Encode/tdtdfont color=red似乎脚本被加密了/font"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End If
      'Check my ASP backdoor :(
      regEx.Pattern = "bEv"&"alb"
      If regEx.Test(filetxt) Then
        Report = Report&"trtd"&temp&"/tdtdEv"&"al/tdtde"&"val()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ev"&"al(X)br但是javascript代码中也可以使用，有可能是误报。"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End If
      'Check exe&cute backdoor
      regEx.Pattern = "[^.]bExe"&"cuteb"
      If regEx.Test(filetxt) Then
        Report = Report&"trtd"&temp&"/tdtdExec"&"ute/tdtdfont color=rede"&"xecute()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ex"&"ecute(X)/fontbr"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End If
      '----------------------Start Update 200605031-----------------------------
      'Check .Create&TextFile and .OpenText&File
      regEx.Pattern = ".(Open|Create)TextFileb"
      If regEx.Test(filetxt) Then
        Report = Report&"trtd"&temp&"/tdtd.CreateTextFile|.OpenTextFile/tdtd使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End If
      'Check .SaveT&oFile
      regEx.Pattern = ".SaveToFileb"
      If regEx.Test(filetxt) Then
        Report = Report&"trtd"&temp&"/tdtd.SaveToFile/tdtd使用了Stream的SaveToFile函数写文件"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End If
      'Check .&Save
      regEx.Pattern = ".Saveb"
      If regEx.Test(filetxt) Then
        Report = Report&"trtd"&temp&"/tdtd.Save/tdtd使用了XMLHTTP的Save函数写文件"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
      End If
      '------------------ End ----------------------------
      Set regEx = Nothing

    'Check include file
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "!--s*#includes*files*=s*"".*"""
    Set Matches = regEx.Execute(filetxt)
    For Each Match in Matches
      tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","")
      If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
        Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,""))&tFile, replace(FilePath,server.MapPath("")&"","",1,1,1) )
        SumFiles = SumFiles + 1
      End If
    Next
    Set Matches = Nothing
    Set regEx = Nothing

    'Check include virtual
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "!--s*#includes*virtuals*=s*"".*"""
    Set Matches = regEx.Execute(filetxt)
    For Each Match in Matches
      tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","")
      If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
        Call ScanFile( Server.MapPath("")&""&tFile, replace(FilePath,server.MapPath("")&"","",1,1,1) )
        SumFiles = SumFiles + 1
      End If
    Next
    Set Matches = Nothing
    Set regEx = Nothing

    'Check Server&.Execute|Transfer
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ t]*|()"".*"""
    Set Matches = regEx.Execute(filetxt)
    For Each Match in Matches
      tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","")
      If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
        Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,""))&tFile, replace(FilePath,server.MapPath("")&"","",1,1,1) )
        SumFiles = SumFiles + 1
      End If
    Next
    Set Matches = Nothing
    Set regEx = Nothing

    'Check Server&.Execute|Transfer
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ t]*|()[^""])"
    If regEx.Test(filetxt) Then
      Report = Report&"trtd"&temp&"/tdtdServer.Exec"&"ute/tdtdfont color=red不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查/fontbr"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
      Sun = Sun + 1
    End If
    Set Matches = Nothing
    Set regEx = Nothing

    'Check RunatScript
    Set XregEx = New RegExp
    XregEx.IgnoreCase = True
    XregEx.Global = True
    XregEx.Pattern = "scr"&"ipts*(.|n)*?runats*=s*""?server""?(.|n)*?"
    Set XMatches = XregEx.Execute(filetxt)
    For Each Match in XMatches
      tmpLake2 = Mid(Match.Value, 1, InStr(Match.Value, ""))
      srcSeek = InStr(1, tmpLake2, "src", 1)
      If srcSeek  0 Then
        srcSeek2 = instr(srcSeek, tmpLake2, "=")
        For i = 1 To 50
          tmp = Mid(tmpLake2, srcSeek2 + i, 1)
          If tmp  " " and tmp  chr(9) and tmp  vbCrLf Then
            Exit For
          End If
        Next
        If tmp = """" Then
          tmpName = Mid(tmpLake2, srcSeek2 + i + 1, Instr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
        Else
          If InStr(srcSeek2 + i + 1, tmpLake2, " ")  0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, Instr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i) Else tmpName = tmpLake2
          If InStr(tmpName, chr(9))  0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, chr(9)) - 1)
          If InStr(tmpName, vbCrLf)  0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, vbcrlf) - 1)
          If InStr(tmpName, "")  0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, "") - 1)
        End If
        Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,""))&tmpName , replace(FilePath,server.MapPath("")&"","",1,1,1))
        SumFiles = SumFiles + 1
      End If
    Next
    Set Matches = Nothing
    Set regEx = Nothing

    'Check Crea"&"teObject
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "CreateO"&"bject[ |t]*(.*)"
    Set Matches = regEx.Execute(filetxt)
    For Each Match in Matches
      If Instr(Match.Value, "&") or Instr(Match.Value, "+") or Instr(Match.Value, """") = 0 or Instr(Match.Value, "(")  InStrRev(Match.Value, "(") Then
        Report = Report&"trtd"&temp&"/tdtdCreat"&"eObject/tdtdCrea"&"teObject函数使用了变形技术。可能是误报"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
        Sun = Sun + 1
        exit sub
      End If
    Next
    Set Matches = Nothing
    Set regEx = Nothing
  end if
  set ofile = nothing
  set fsos = nothing
End Sub

'检查文件后缀，如果与预定的匹配即返回TRUE
Function CheckExt(FileExt)
  If DimFileExt = "*" Then CheckExt = True
  Ext = Split(DimFileExt,",")
  For i = 0 To Ubound(Ext)
    If Lcase(FileExt) = Ext(i) Then
      CheckExt = True
      Exit Function
    End If
  Next
End Function

Function GetDateModify(filepath)
  Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
  s = f.DateLastModified
  set f = nothing
  set fso = nothing
  GetDateModify = s
End Function

Function GetDateCreate(filepath)
  Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
  s = f.DateCreated
  set f = nothing
  set fso = nothing
  GetDateCreate = s
End Function

Function tURLEncode(Str)
  temp = Replace(Str, "%", "%25")
  temp = Replace(temp, "#", "%23")
  temp = Replace(temp, "&", "%26")
  tURLEncode = temp
End Function

Sub ShowAllFile2(Path)
  Set FSO = CreateObject("Scripting.FileSystemObject")
  if not fso.FolderExists(path) then exit sub
  Set f = FSO.GetFolder(Path)
  Set fc2 = f.files
  For Each myfile in fc2
    If CheckExt(FSO.GetExtensionName(path&""&myfile.name)) Then
      Call IsFind(Path&""&myfile.name)
      SumFiles = SumFiles + 1
    End If
  Next
  Set fc = f.SubFolders
  For Each f1 in fc
    ShowAllFile2 path&""&f1.name
    SumFolders = SumFolders + 1
Next
  Set FSO = Nothing
End Sub

Sub IsFind(thePath)
  theDate = GetDateModify(thePath)
  on error resume next
  theTmp = Mid(theDate, 1, Instr(theDate, " ") - 1)
  if err then exit Sub

  xDate = Split(request.Form("Search_Date"),";")

  If request.Form("Search_Date") = "ALL" Then ALLTime = True

  For i = 0 To Ubound(xDate)
    If theTmp = xDate(i) or ALLTime = True Then
      If request("Search_Content")  "" Then
        Set FSOs = CreateObject("Scripting.FileSystemObject")
        set ofile = fsos.OpenTextFile(thePath, 1, false, -2)
        filetxt = Lcase(ofile.readall())
        If Instr( filetxt, LCase(request.Form("Search_Content")))  0 Then
          temp = "a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&""" target=_blank"&replace(thePath,server.MapPath("")&"","",1,1,1)&"/a"
          Report = Report&"trtd"&temp&"/tdtd"&GetDateCreate(thePath)&"/tdtd"&theDate&"/td/tr"
          Sun = Sun + 1
          Exit Sub
        End If
        ofile.close()
        Set ofile = Nothing
        Set FSOs = Nothing
      Else
        temp = "a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&""" target=_blank"&replace(thePath,server.MapPath("")&"","",1,1,1)&"/a"
        Report = Report&"trtd"&temp&"/tdtd"&GetDateCreate(thePath)&"/tdtd"&theDate&"/td/tr"
        Sun = Sun + 1
        Exit Sub
      End If
    End If
  Next

End Sub
%

来源:https://www.tulaoshi.com/n/20160219/1596768.html

看过《一个查ASP木马的小东东》的人还看了以下文章更多>>

一个基于ASP的标题广告管理系统（一）

标签： ASP

标题广告是Web上最常见的广告形式。本文介绍了一个基于IIS和ASP的标题广告管理系统，该系统支持广告客户和广告的管理，能够随机选择广告并生成显示广告的HTML代码（但参考广告的等级、显示次数限制、点击次数限制），并能够记录广告显示、点击的历史纪录。一、数据库表结构标题广告也就是Banner Ad，是Web上最常见的...

一个的无组件上传的ASP代码

标签： ASP

<!--#include file="../lib/filelib.asp"-- <% Response.write "<title上传文件至当前文件夹</title" Response.Write "<body bgcolor=""#D6D3CE"" leftmargin=""0"" topmargin=""0"&...

一个通用的保护ASP系统的方法

标签： ASP

研究了漏洞，我就想解决的方法，我总结一下，里面有我想的一个不成熟的想法。是给高手看的，看看是不是一种解决已知和未知SQL注入漏洞的好方法。这个是我想的不成熟的方法，我认为能解决大部分以知和未知的SQL注入漏洞，让入侵者弄不到密码！首先我先分析大多数的SQL注入，原理无非就是对管理员敏感的信息进行猜测，因此都需...

用ASP设计一个留言薄

标签： Web开发

首先，我们在做留言薄之前，先做出一个输入屏的界面效果，也就是生成留言部输入屏幕的htmL页，然后在这些htmL源代码中加入ASP脚本，我这里得到的htmL代码如下。 *文件名：book.htm ＜html＞＜head＞＜title＞留言薄＜/title＞＜/head＞＜body bgcolor="#BED9FC" background="images/bg.gif"＞＜p al...

ASP向NT域中加一个用户

标签： ASP

问题：在ASP中如何添加NT域用户？俟名于1999-03-08 提出答案：可以使用微软的活动目录服务接口（ADSI），例如： Set DomainObj=GetObject("WinNT://Domain") Set UserObj=DomainObj.Create("user","white") UserObj.SetInfo Set UserObj=Nothing 要在ASP中使用上面这段代码，你得有权限...

查看更多精彩>>