一个查ASP木马的小东东
2018-09-06 11:32
关于查ASP木马的程序,记得半年前在八进制发了一个测试版(具体的URL:),得到很多朋友的指导,学到了很多东西,非常感谢他们。现在我发的这个升级版,修补了以前的bug,加入了对一些组件写文件函数的检测,更加趋于完美了,个人认为想绕过去有点难度哦。
这回的默认密码是security
当然啦,哈哈,lake2“比武招亲”,欢迎各位朋友提出绕过检测的马马来,一经证实,lake2将把我自己写的某ASP木马“嫁”给他^_^特别有创意的,送你一个我最新弄出来的脚本,具体嘛,嘿嘿,到时候就知道啦。
战书已下,谁来迎战?
源码,另存为asp文件即可使用:
<%@LANGUAGE=VBSCRIPTCODEPAGE=936%>
<%
设置密码
PASSWORD=security
dimReport
ifrequest.QueryString(act)=loginthen
ifrequest.Form(pwd)=PASSWORDthensession(pig)=1
endif
%>
<!DOCTYPEHTMLPUBLIC-//W3C//DTDHTML4.01Transitional//EN
<html>
<head>
<metahttp-equiv=Content-Typecontent=text/html;charset=gb2312>
<title>ScanWebShell--ASPSecurityForHacking</title>
<styletype=text/css>
<!--
body,td,th{
font-size:12px;
}
-->
</style>
</head>
<body>
<%IfSession(pig)<>1then%>
<formname=form1method=postaction=?act=login>
<divalign=center>Password:
<inputname=pwdtype=passwordsize=15>
<inputtype=submitname=Submitvalue=提交>
</div>
</form>
<%
else
ifrequest.QueryString(act)<>scanthen
%>
<formaction=?act=scanmethod=postname=form1>
<p><b>填入你要检查的路径:</b>
<inputname=pathtype=textstyle=border:1pxsolid#999value=.size=30/>
<br>
*网站根目录的相对路径,填“\”即检查整个网站;“.”为程序所在目录<br>
<br>
你要干什么:
<inputname=radiobuttontype=radiovalue=swschecked>
查ASP木马
<inputtype=radioname=radiobuttonvalue=sf>
搜索符合条件之文件<br>
<br>
--------------如果搜索文件需将以下内容填写完整------------------<br>
<br>
查找内容:
<inputname=Search_Contenttype=textid=Search_Contentstyle=border:1pxsolid#999size=20>
*要查找的字符串,不填就只进行日期检查<br/>
修改日期:
<inputname=Search_Datetype=textstyle=border:1pxsolid#999value=<%=Left(Now(),InStr(now(),)-1)%>size=20>
*多个日期用;隔开,任意日期填写<ahref=#onClick=javascript:form1.Search_Date.value=ALL>ALL</a><br/>
文件类型:
<inputname=Search_FileExttype=textstyle=border:1pxsolid#999value=*size=20>
*类型之间用,隔开,*表示所有类型<br>
<br>
<inputtype=submitvalue=开始扫描style=background:#fff;border:1pxsolid#999;padding:2px2px0px2px;margin:4px;border-width:1px3px1px3px/>
</p>
</form>
<%
else
server.ScriptTimeout=600
ifrequest.Form(path)=then
response.Write(NoHack)
response.End()
endif
ifrequest.Form(path)=\then
TmpPath=Server.MapPath(\)
elseifrequest.Form(path)=.then
TmpPath=Server.MapPath(.)
else
TmpPath=Server.MapPath(\)&\&request.Form(path)
endif
timer1=timer
Sun=0
SumFiles=0
SumFolders=1
Ifrequest.Form(radiobutton)=swsThen
DimFileExt=asp,cer,asa,cdx
CallShowAllFile(TmpPath)
Else
Ifrequest.Form(path)=orrequest.Form(Search_Date)=orrequest.Form(Search_FileExt)=Then
response.Write(缉捕条件不完全,恕难从命<br><br><ahref=javascript:history.go(-1);>请返回重新输入</a>)
response.End()
EndIf
DimFileExt=request.Form(Search_fileExt)
CallShowAllFile2(TmpPath)
EndIf
%>
<tablewidth=100%border=0cellpadding=0cellspacing=0class=CContent>
<tr>
<th>ScanWebShell--ASPSecurityForHacking
</tr>
<tr>
<tdclass=CPanelstyle=padding:5px;line-height:170%;clear:both;font-size:12px>
<divid=updateInfostyle=background:ffffe1;border:1pxsolid#89441f;padding:4px;display:none></div>
扫描完毕!一共检查文件夹<fontcolor=#FF0000><%=SumFolders%></font>个,文件<fontcolor=#FF0000><%=SumFiles%></font>个,发现可疑点<fontcolor=#FF0000><%=Sun%></font>个
<tablewidth=100%border=0cellpadding=0cellspacing=0>
<tr>
<tdvalign=top>
<tablewidth=100%border=1cellpadding=0cellspacing=0style=padding:5px;line-height:170%;clear:both;font-size:12px>
<tr>
<%Ifrequest.Form(radiobutton)=swsThen%>
<tdwidth=20%>文件相对路径</td>
<tdwidth=20%>特征码</td>
<tdwidth=40%>描述</td>
<tdwidth=20%>创建/修改时间</td>
<%else%>
<tdwidth=50%>文件相对路径</td>
<tdwidth=25%>文件创建时间</td>
<tdwidth=25%>修改时间</td>
<%endif%>
</tr>
<p>
<%=Report%>
<br/></p>
</table></td>
</tr>
</table>
</td></tr></table>
<%
timer2=timer
thetime=cstr(int(((timer2-timer1)*10000)+0.5)/10)
response.write<br><fontsize=2>本页执行共用了&thetime&毫秒</font>
endif
endif
%>
<hr>
<divalign=center>本程序取自<ahref=雷客图ASP站长安全助手</a>的ASP木马查找和可疑文件搜索功能<br>
poweredby<ahref=
</body>
</html>
<%
遍历处理path及其子目录所有文件
SubShowAllFile(Path)
SetFSO=CreateObject(Scripting.FileSystemObject)
ifnotfso.FolderExists(path)thenexitsub
Setf=FSO.GetFolder(Path)
Setfc2=f.files
ForEachmyfileinfc2
CallScanFile(Path&Temp&\&myfile.name,)
SumFiles=SumFiles+1
EndIf
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFilepath&\&f1.name
SumFolders=SumFolders+1
Next
SetFSO=Nothing
EndSub
检测文件
SubScanFile(FilePath,InFile)
IfInFile<>Then
Infiles=<fontcolor=red>该文件被<ahref=文件包含执行</font>
EndIf
SetFSOs=CreateObject(Scripting.FileSystemObject)
onerrorresumenext
setofile=fsos.OpenTextFile(FilePath)
filetxt=Lcase(ofile.readall())
IferrThenExitSubendif
iflen(filetxt)>0then
特征码检查
filetxt=vbcrlf&filetxt
temp=<ahref=
CheckWScr&DoMyBest&ipt.Shell
Ifinstr(filetxt,Lcase(WScr&DoMyBest&ipt.Shell))orInstr(filetxt,Lcase(clsid:72C24DD5-D70A&DoMyBest&-438B-8A42-98424B88AFB8))then
Report=Report&<tr><td>&temp&</td><td>WScr&DoMyBest&ipt.Shell或者clsid:72C24DD5-D70A&DoMyBest&-438B-8A42-98424B88AFB8</td><td><fontcolor=red>危险组件,一般被ASP木马利用</font>&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
Endif
CheckShe&DoMyBest&ll.Application
Ifinstr(filetxt,Lcase(She&DoMyBest&ll.Application))orInstr(filetxt,Lcase(clsid:13709620-C27&DoMyBest&9-11CE-A49E-444553540000))then
Report=Report&<tr><td>&temp&</td><td>She&DoMyBest&ll.Application或者clsid:13709620-C27&DoMyBest&9-11CE-A49E-444553540000</td><td><fontcolor=red>危险组件,一般被ASP木马利用</font>&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
Check.Encode
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=\bLANGUAGE\s*=\s*[]?\s*(vbscriptjscriptjavascript).encode\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>(vbscriptjscriptjavascript).Encode</td><td><fontcolor=red>似乎脚本被加密了</font>&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
CheckmyASPbackdoor:(
regEx.Pattern=\bEv&al\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>Ev&al</td><td>e&val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev&al(X)<br>但是javascript代码中也可以使用,有可能是误报。&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
Checkexe&cutebackdoor
regEx.Pattern=[^.]\bExe&cute\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>Exec&ute</td><td><fontcolor=red>e&xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex&ecute(X)</font><br>&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
----------------------StartUpdate200605031-----------------------------
Check.Create&TextFileand.OpenText&File
regEx.Pattern=\.(OpenCreate)TextFile\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>.CreateTextFile.OpenTextFile</td><td>使用了FSO的CreateTextFileOpenTextFile函数读写文件&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
Check.SaveT&oFile
regEx.Pattern=\.SaveToFile\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>.SaveToFile</td><td>使用了Stream的SaveToFile函数写文件&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
Check.&Save
regEx.Pattern=\.Save\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>.Save</td><td>使用了XMLHTTP的Save函数写文件&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
------------------End----------------------------
SetregEx=Nothing
Checkincludefile
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=<!--\s*#include\s*file\s*=\s*.*
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,)+1,Len(Match.Value)-Instr(Match.Value,)-1),/,\)
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,\))&tFile,replace(FilePath,server.MapPath(\)&\,,1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
Checkincludevirtual
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=<!--\s*#include\s*virtual\s*=\s*.*
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,)+1,Len(Match.Value)-Instr(Match.Value,)-1),/,\)
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Server.MapPath(\)&\&tFile,replace(FilePath,server.MapPath(\)&\,,1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
CheckServer&.ExecuteTransfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=Server.(Exec&uteTransfer)([\t]*\().*
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,)+1,Len(Match.Value)-Instr(Match.Value,)-1),/,\)
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,\))&tFile,replace(FilePath,server.MapPath(\)&\,,1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
CheckServer&.ExecuteTransfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=Server.(Exec&uteTransfer)([\t]*\()[^]\)
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>Server.Exec&ute</td><td><fontcolor=red>不能跟踪检查Server.e&xecute()函数执行的文件。请管理员自行检查</font><br>&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
SetMatches=Nothing
SetregEx=Nothing
CheckRunatScript
SetXregEx=NewRegExp
XregEx.IgnoreCase=True
XregEx.Global=True
XregEx.Pattern=<scr&ipt\s*(.\n)*?runat\s*=\s*?server?(.\n)*?>
SetXMatches=XregEx.Execute(filetxt)
ForEachMatchinXMatches
tmpLake2=Mid(Match.Value,1,InStr(Match.Value,>))
srcSeek=InStr(1,tmpLake2,src,1)
IfsrcSeek>0Then
srcSeek2=instr(srcSeek,tmpLake2,=)
Fori=1To50
tmp=Mid(tmpLake2,srcSeek2+i,1)
Iftmp<>andtmp<>chr(9)andtmp<>vbCrLfThen
ExitFor
EndIf
Next
Iftmp=Then
tmpName=Mid(tmpLake2,srcSeek2+i+1,Instr(srcSeek2+i+1,tmpLake2,)-srcSeek2-i-1)
Else
IfInStr(srcSeek2+i+1,tmpLake2,)>0ThentmpName=Mid(tmpLake2,srcSeek2+i,Instr(srcSeek2+i+1,tmpLake2,)-srcSeek2-i)ElsetmpName=tmpLake2
IfInStr(tmpName,chr(9))>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,chr(9))-1)
IfInStr(tmpName,vbCrLf)>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,vbcrlf)-1)
IfInStr(tmpName,>)>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,>)-1)
EndIf
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,\))&tmpName,replace(FilePath,server.MapPath(\)&\,,1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
CheckCrea&teObject
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=CreateO&bject[\t]*\(.*\)
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
IfInstr(Match.Value,&)orInstr(Match.Value,+)orInstr(Match.Value,)=0orInstr(Match.Value,()<>InStrRev(Match.Value,()Then
Report=Report&<tr><td>&temp&</td><td>Creat&eObject</td><td>Crea&teObject函数使用了变形技术。可能是误报&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
exitsub
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
endif
setofile=nothing
setfsos=nothing
EndSub
检查文件后缀,如果与预定的匹配即返回TRUE
FunctionCheckExt(FileExt)
IfDimFileExt=*ThenCheckExt=True
Ext=Split(DimFileExt,,)
Fori=0ToUbound(Ext)
IfLcase(FileExt)=Ext(i)Then
CheckExt=True
ExitFunction
EndIf
Next
EndFunction
FunctionGetDateModify(filepath)
Setfso=CreateObject(Scripting.FileSystemObject)
Setf=fso.GetFile(filepath)
s=f.DateLastModified
setf=nothing
setfso=nothing
GetDateModify=s
EndFunction
FunctionGetDateCreate(filepath)
Setfso=CreateObject(Scripting.FileSystemObject)
Setf=fso.GetFile(filepath)
s=f.DateCreated
setf=nothing
setfso=nothing
GetDateCreate=s
EndFunction
FunctiontURLEncode(Str)
temp=Replace(Str,%,%25)
temp=Replace(temp,#,%23)
temp=Replace(temp,&,%26)
tURLEncode=temp
EndFunction
SubShowAllFile2(Path)
SetFSO=CreateObject(Scripting.FileSystemObject)
ifnotfso.FolderExists(path)thenexitsub
Setf=FSO.GetFolder(Path)
Setfc2=f.files
ForEachmyfileinfc2
IfCheckExt(FSO.GetExtensionName(path&\&myfile.name))Then
CallIsFind(Path&\&myfile.name)
SumFiles=SumFiles+1
EndIf
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFile2path&\&f1.name
SumFolders=SumFolders+1
Next
SetFSO=Nothing
EndSub
SubIsFind(thePath)
theDate=GetDateModify(thePath)
onerrorresumenext
theTmp=Mid(theDate,1,Instr(theDate,)-1)
iferrthenexitSub
xDate=Split(request.Form(Search_Date),;)
Ifrequest.Form(Search_Date)=ALLThenALLTime=True
Fori=0ToUbound(xDate)
IftheTmp=xDate(i)orALLTime=TrueThen
Ifrequest(Search_Content)<>Then
SetFSOs=CreateObject(Scripting.FileSystemObject)
setofile=fsos.OpenTextFile(thePath,1,false,-2)
filetxt=Lcase(ofile.readall())
IfInstr(filetxt,LCase(request.Form(Search_Content)))>0Then
temp=<ahref=
Report=Report&<tr><td>&temp&</td><td>&GetDateCreate(thePath)&</td><td>&theDate&</td></tr>
Sun=Sun+1
ExitSub
EndIf
ofile.close()
Setofile=Nothing
SetFSOs=Nothing
Else
temp=<ahref=
Report=Report&<tr><td>&temp&</td><td>&GetDateCreate(thePath)&</td><td>&theDate&</td></tr>
Sun=Sun+1
ExitSub
EndIf
EndIf
Next
EndSub
%>