About the program for finding ASP trojans: about half a year ago I posted a test version on the Eviloctal (八进制) forum (url: http://forum.eviloctal.com/read-htm-tid-19665.html), got a lot of guidance from friends there and learned a great deal; many thanks to them. The upgraded version I am posting now fixes the earlier bugs and adds detection of the file-writing functions of several components, so it is closer to complete; personally I think getting past it is going to be a bit hard.

The default password this time is security.

Of course, haha, lake2 is holding a "martial contest for a son-in-law": everyone is welcome to bring trojans that bypass the detection, and once one is confirmed, lake2 will "marry" an ASP trojan of my own to its author ^_^ For a particularly creative one, you get a script I have just finished; as for what it is, heh, you will find out then.

The challenge has been issued. Who will take it up?

Source code: save it as an .asp file and it is ready to use:
<%@language="vbscript" codepage="936"%>
<%
' Login password: change this before deploying the scanner.
password = "security"

dim report

' Login handling
if request.querystring("act") = "login" then
    if request.form("pwd") = password then session("pig") = 1
end if
%>
<!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title>scan webshell -- aspsecurity for hacking</title>
<style type="text/css">
<!--
body,td,th { font-size: 12px; }
-->
</style>
</head>
<body>
<%if session("pig") <> 1 then%>
<form name="form1" method="post" action="?act=login">
  <div align="center">password:
    <input name="pwd" type="password" size="15">
    <input type="submit" name="submit" value="Submit">
  </div>
</form>
<% else
if request.querystring("act") <> "scan" then %>
<form action="?act=scan" method="post" name="form1">
  <p><b>Path to check:</b>
    <input name="path" type="text" style="border:1px solid #999" value="." size="30" />
    <br>
    * Relative to the site root. "\" checks the whole site; "." is the directory this script lives in<br>
    <br>
    Action:
    <input name="radiobutton" type="radio" value="sws" checked> Scan for ASP webshells
    <input type="radio" name="radiobutton" value="sf"> Search for files matching criteria<br>
    <br>
    -------------- fill in the fields below when searching for files ------------------<br>
    <br>
    Search text:
    <input name="search_content" type="text" id="search_content" style="border:1px solid #999" size="20">
    * String to search for; leave empty to check dates only<br/>
    Modified date:
    <input name="search_date" type="text" style="border:1px solid #999" value="<%=left(now(),instr(now()," ")-1)%>" size="20">
    * Separate several dates with ";". For any date click <a href="#" onclick="javascript:form1.search_date.value='all'">all</a><br/>
    File types:
    <input name="search_fileext" type="text" style="border:1px solid #999" value="*" size="20">
    * Separate types with ","; * means all types
    <br>
    <br>
    <input type="submit" value=" Start scan " style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" />
  </p>
</form>
<%
else
    server.scripttimeout = 600

    if request.form("path") = "" then
        response.write("no hack")
        response.end()
    end if

    ' Resolve the requested path against the web root
    if request.form("path") = "\" then
        tmppath = server.mappath("\")
    elseif request.form("path") = "." then
        tmppath = server.mappath(".")
    else
        tmppath = server.mappath("\") & "\" & request.form("path")
    end if

    timer1 = timer
    sun = 0          ' suspicious findings
    sumfiles = 0     ' files examined
    sumfolders = 1   ' folders examined (the start folder counts as one)

    if request.form("radiobutton") = "sws" then
        ' Webshell scan: only server-side script extensions are examined
        dimfileext = "asp,cer,asa,cdx"
        call showallfile(tmppath)
    else
        if request.form("path") = "" or request.form("search_date") = "" or request.form("search_fileext") = "" then
            response.write("Incomplete search criteria<br><br><a href='javascript:history.go(-1);'>Go back and try again</a>")
            response.end()
        end if
        dimfileext = request.form("search_fileext")
        call showallfile2(tmppath)
    end if
%>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="ccontent">
  <tr>
    <th> scan webshell -- aspsecurity for hacking </th>
  </tr>
  <tr>
    <td class="cpanel" style="padding:5px;line-height:170%;clear:both;font-size:12px">
      <div id="updateinfo" style="background:ffffe1;border:1px solid #89441f;padding:4px;display:none"></div>
      Scan finished. Folders checked: <font color="#ff0000"><%=sumfolders%></font>, files checked: <font color="#ff0000"><%=sumfiles%></font>, suspicious findings: <font color="#ff0000"><%=sun%></font>
      <table width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <td valign="top">
            <table width="100%" border="1" cellpadding="0" cellspacing="0" style="padding:5px;line-height:170%;clear:both;font-size:12px">
              <tr>
              <%if request.form("radiobutton") = "sws" then%>
                <td width="20%">Relative path</td>
                <td width="20%">Signature</td>
                <td width="40%">Description</td>
                <td width="20%">Created / modified</td>
              <%else%>
                <td width="50%">Relative path</td>
                <td width="25%">Created</td>
                <td width="25%">Modified</td>
              <%end if%>
              </tr>
              <%=report%>
            </table>
          </td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<%
    timer2 = timer
    thetime = cstr(int(((timer2 - timer1) * 10000) + 0.5) / 10)
    response.write "<br><font size=""2"">Page generated in " & thetime & " ms</font>"
end if
end if
%>
<hr>
<div align="center">This program is taken from the ASP-trojan search and suspicious-file search features of <a href="http://www.0x54.org" target="_blank">雷客图asp站长安全助手</a><br>
powered by <a href="http://lake2.0x54.org" target=_blank>lake2</a> ( build 20060615 )
</div>
</body>
</html>
<%
' Walk path and all of its subfolders, scanning every file whose extension is in dimfileext
sub showallfile(path)
    dim fso, f, fc, fc2, myfile, f1
    set fso = createobject("scripting.filesystemobject")
    if not fso.folderexists(path) then exit sub
    set f = fso.getfolder(path)
    set fc2 = f.files
    for each myfile in fc2
        if checkext(fso.getextensionname(path & "\" & myfile.name)) then
            call scanfile(path & "\" & myfile.name, "")
            sumfiles = sumfiles + 1
        end if
    next
    set fc = f.subfolders
    for each f1 in fc
        showallfile path & "\" & f1.name
        sumfolders = sumfolders + 1
    next
    set fso = nothing
end sub
' Scan one file for webshell signatures. infile is the site-relative path of the file
' that includes or executes this one, or "" when the file was reached by the directory walk.
sub scanfile(filepath, infile)
    dim fsos, ofile, filetxt, temp, infiles, regex, matches, match, tfile
    dim xregex, xmatches, tmplake2, srcseek, srcseek2, i, tmp, tmpname

    infiles = ""
    if infile <> "" then
        infiles = "<font color=red>This file is included or executed by <a href=""http://" & request.servervariables("server_name") & "/" & turlencode(infile) & """ target=_blank>" & infile & "</a></font>"
    end if

    set fsos = createobject("scripting.filesystemobject")
    on error resume next
    set ofile = fsos.opentextfile(filepath)
    filetxt = lcase(ofile.readall())
    if err then exit sub

    if len(filetxt) > 0 then
        ' Leading CRLF so that \b matches a keyword at the very start of the file
        filetxt = vbcrlf & filetxt
        ' Link to the file, with the path shown relative to the web root
        temp = "<a href=""http://" & request.servervariables("server_name") & "/" & turlencode(replace(replace(filepath, server.mappath("\") & "\", "", 1, 1, 1), "\", "/")) & """ target=_blank>" & replace(filepath, server.mappath("\") & "\", "", 1, 1, 1) & "</a>"

        ' Signature strings are split with the (empty) variable domybest so that
        ' this scanner does not flag its own source.

        ' check "wscr"&domybest&"ipt.shell"
        if instr(filetxt, lcase("wscr" & domybest & "ipt.shell")) or instr(filetxt, lcase("clsid:72c24dd5-d70a" & domybest & "-438b-8a42-98424b88afb8")) then
            report = report & "<tr><td>" & temp & "</td><td>wscr" & domybest & "ipt.shell or clsid:72c24dd5-d70a" & domybest & "-438b-8a42-98424b88afb8</td><td><font color=red>Dangerous component, commonly used by ASP webshells</font>" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if

        ' check "she"&domybest&"ll.application"
        if instr(filetxt, lcase("she" & domybest & "ll.application")) or instr(filetxt, lcase("clsid:13709620-c27" & domybest & "9-11ce-a49e-444553540000")) then
            report = report & "<tr><td>" & temp & "</td><td>she" & domybest & "ll.application or clsid:13709620-c27" & domybest & "9-11ce-a49e-444553540000</td><td><font color=red>Dangerous component, commonly used by ASP webshells</font>" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if

        ' check .encode (Script Encoder output)
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "\blanguage\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
        if regex.test(filetxt) then
            report = report & "<tr><td>" & temp & "</td><td>(vbscript|jscript|javascript).encode</td><td><font color=red>The script appears to be encoded</font>" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if

        ' check my asp backdoor :(
        regex.pattern = "\bev" & "al\b"
        if regex.test(filetxt) then
            report = report & "<tr><td>" & temp & "</td><td>ev" & "al</td><td>e" & "val() executes arbitrary ASP code and is used by some backdoors, typically as ev" & "al(x)<br>It is also legal in JavaScript, so this may be a false positive." & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if

        ' check exe&cute backdoor ([^.] skips object methods such as conn.execute)
        regex.pattern = "[^.]\bexe" & "cute\b"
        if regex.test(filetxt) then
            report = report & "<tr><td>" & temp & "</td><td>exec" & "ute</td><td><font color=red>e" & "xecute() executes arbitrary ASP code and is used by some backdoors, typically as ex" & "ecute(x)</font><br>" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if

        '----------------------start update 200605031-----------------------------
        ' check .create&textfile and .opentext&file
        regex.pattern = "\.(open|create)textfile\b"
        if regex.test(filetxt) then
            report = report & "<tr><td>" & temp & "</td><td>.createtextfile|.opentextfile</td><td>Reads or writes files through FSO createtextfile|opentextfile" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if

        ' check .savet&ofile
        regex.pattern = "\.savetofile\b"
        if regex.test(filetxt) then
            report = report & "<tr><td>" & temp & "</td><td>.savetofile</td><td>Writes files through Stream savetofile" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if

        ' check .&save
        regex.pattern = "\.save\b"
        if regex.test(filetxt) then
            report = report & "<tr><td>" & temp & "</td><td>.save</td><td>Writes files through the xmlhttp/xmldom save method" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if
        '------------------ end ----------------------------
        set regex = nothing

        ' check include file: follow <!--#include file="..."--> (relative to this file's folder)
        ' into files whose extension is not scanned by the directory walk, e.g. .inc
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "<!--\s*#include\s*file\s*=\s*""[^""]*"""
        set matches = regex.execute(filetxt)
        for each match in matches
            tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1), "/", "\")
            if not checkext(fsos.getextensionname(tfile)) then
                call scanfile(mid(filepath, 1, instrrev(filepath, "\")) & tfile, replace(filepath, server.mappath("\") & "\", "", 1, 1, 1))
                sumfiles = sumfiles + 1
            end if
        next
        set matches = nothing
        set regex = nothing

        ' check include virtual: same, but the path is relative to the web root
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "<!--\s*#include\s*virtual\s*=\s*""[^""]*"""
        set matches = regex.execute(filetxt)
        for each match in matches
            tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1), "/", "\")
            if not checkext(fsos.getextensionname(tfile)) then
                call scanfile(server.mappath("\") & "\" & tfile, replace(filepath, server.mappath("\") & "\", "", 1, 1, 1))
                sumfiles = sumfiles + 1
            end if
        next
        set matches = nothing
        set regex = nothing

        ' check server&.execute|transfer with a literal path: follow it like an include
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "server.(exec" & "ute|transfer)([ \t]*|\()""[^""]*"""
        set matches = regex.execute(filetxt)
        for each match in matches
            tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1), "/", "\")
            if not checkext(fsos.getextensionname(tfile)) then
                call scanfile(mid(filepath, 1, instrrev(filepath, "\")) & tfile, replace(filepath, server.mappath("\") & "\", "", 1, 1, 1))
                sumfiles = sumfiles + 1
            end if
        next
        set matches = nothing
        set regex = nothing

        ' check server&.execute|transfer with a non-literal argument: the target cannot be followed
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "server.(exec" & "ute|transfer)([ \t]*|\()[^""]\)"
        if regex.test(filetxt) then
            report = report & "<tr><td>" & temp & "</td><td>server.exec" & "ute</td><td><font color=red>The file run by server.e" & "xecute() cannot be determined statically; the administrator should check it by hand</font><br>" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
            sun = sun + 1
        end if
        set regex = nothing

        ' check runatscript: <script runat="server" src="..."> pulls in another file
        set xregex = new regexp
        xregex.ignorecase = true
        xregex.global = true
        xregex.pattern = "<scr" & "ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
        set xmatches = xregex.execute(filetxt)
        for each match in xmatches
            tmplake2 = mid(match.value, 1, instr(match.value, ">"))
            srcseek = instr(1, tmplake2, "src", 1)
            if srcseek > 0 then
                srcseek2 = instr(srcseek, tmplake2, "=")
                ' skip whitespace after "src="
                for i = 1 to 50
                    tmp = mid(tmplake2, srcseek2 + i, 1)
                    if tmp <> " " and tmp <> chr(9) and tmp <> vbcr and tmp <> vblf then exit for
                next
                if tmp = """" then
                    ' quoted value: everything up to the closing quote
                    tmpname = mid(tmplake2, srcseek2 + i + 1, instr(srcseek2 + i + 1, tmplake2, """") - srcseek2 - i - 1)
                else
                    ' unquoted value: ends at the next space, tab, line break or ">"
                    if instr(srcseek2 + i + 1, tmplake2, " ") > 0 then
                        tmpname = mid(tmplake2, srcseek2 + i, instr(srcseek2 + i + 1, tmplake2, " ") - srcseek2 - i)
                    else
                        tmpname = mid(tmplake2, srcseek2 + i)
                    end if
                    if instr(tmpname, chr(9)) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, chr(9)) - 1)
                    if instr(tmpname, vbcr) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, vbcr) - 1)
                    if instr(tmpname, vblf) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, vblf) - 1)
                    if instr(tmpname, ">") > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, ">") - 1)
                end if
                call scanfile(mid(filepath, 1, instrrev(filepath, "\")) & replace(tmpname, "/", "\"), replace(filepath, server.mappath("\") & "\", "", 1, 1, 1))
                sumfiles = sumfiles + 1
            end if
        next
        set xmatches = nothing
        set xregex = nothing

        ' check crea"&"teobject: an argument that is concatenated, carries no string
        ' literal, or nests another call is a sign of obfuscation
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "createo" & "bject[ |\t]*\(.*\)"
        set matches = regex.execute(filetxt)
        for each match in matches
            if instr(match.value, "&") or instr(match.value, "+") or instr(match.value, """") = 0 or instr(match.value, "(") <> instrrev(match.value, "(") then
                report = report & "<tr><td>" & temp & "</td><td>creat" & "eobject</td><td>crea" & "teobject is called with an obfuscated argument. May be a false positive" & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
                sun = sun + 1
                exit for
            end if
        next
        set matches = nothing
        set regex = nothing
    end if
    set ofile = nothing
    set fsos = nothing
end sub
' Return true when fileext is in the comma-separated list dimfileext ("*" matches everything)
function checkext(fileext)
    dim ext, i
    checkext = false
    if dimfileext = "*" then
        checkext = true
        exit function
    end if
    ext = split(dimfileext, ",")
    for i = 0 to ubound(ext)
        if lcase(fileext) = lcase(trim(ext(i))) then
            checkext = true
            exit function
        end if
    next
end function
' Last-modified time of a file
function getdatemodify(filepath)
    dim fso, f, s
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfile(filepath)
    s = f.datelastmodified
    set f = nothing
    set fso = nothing
    getdatemodify = s
end function

' Creation time of a file
function getdatecreate(filepath)
    dim fso, f, s
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfile(filepath)
    s = f.datecreated
    set f = nothing
    set fso = nothing
    getdatecreate = s
end function

' Minimal URL encoding for the link back to a file: only the characters
' that would break the link (%, # and &) are escaped
function turlencode(str)
    dim temp
    temp = replace(str, "%", "%25")
    temp = replace(temp, "#", "%23")
    temp = replace(temp, "&", "%26")
    turlencode = temp
end function
' Walk path and all of its subfolders for the file search, testing every file whose extension matches
sub showallfile2(path)
    dim fso, f, fc, fc2, myfile, f1
    set fso = createobject("scripting.filesystemobject")
    if not fso.folderexists(path) then exit sub
    set f = fso.getfolder(path)
    set fc2 = f.files
    for each myfile in fc2
        if checkext(fso.getextensionname(path & "\" & myfile.name)) then
            call isfind(path & "\" & myfile.name)
            sumfiles = sumfiles + 1
        end if
    next
    set fc = f.subfolders
    for each f1 in fc
        showallfile2 path & "\" & f1.name
        sumfolders = sumfolders + 1
    next
    set fso = nothing
end sub
' Report thepath when its modified date is one of the dates in search_date (or search_date
' is "all") and, if search_content is given, the file contains that string
sub isfind(thepath)
    dim thedate, thetmp, xdate, i, alltime, found, fsos, ofile, filetxt, temp
    thedate = getdatemodify(thepath)
    on error resume next
    thetmp = mid(thedate, 1, instr(thedate, " ") - 1)
    if err then exit sub

    xdate = split(request.form("search_date"), ";")
    if request.form("search_date") = "all" then alltime = true

    for i = 0 to ubound(xdate)
        if thetmp = xdate(i) or alltime = true then
            found = true
            if request.form("search_content") <> "" then
                ' Date matches; the file must also contain the search string
                found = false
                err.clear
                set fsos = createobject("scripting.filesystemobject")
                set ofile = fsos.opentextfile(thepath, 1, false, -2)
                filetxt = lcase(ofile.readall())
                if err = 0 then
                    if instr(filetxt, lcase(request.form("search_content"))) > 0 then found = true
                    ofile.close()
                end if
                set ofile = nothing
                set fsos = nothing
            end if
            if found then
                temp = "<a href=""http://" & request.servervariables("server_name") & "/" & turlencode(replace(replace(thepath, server.mappath("\") & "\", "", 1, 1, 1), "\", "/")) & """ target=_blank>" & replace(thepath, server.mappath("\") & "\", "", 1, 1, 1) & "</a>"
                report = report & "<tr><td>" & temp & "</td><td>" & getdatecreate(thepath) & "</td><td>" & thedate & "</td></tr>"
                sun = sun + 1
                exit sub
            end if
        end if
    next
end sub
%>
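As an added example (not code from the original post or from lake2's tool), the scanner's signature rules and include-following are ported below to Python and run over a small constructed sample site, represented as a dictionary of web-root-relative paths to file bodies rather than a real IIS directory. The file names, bodies and rule labels are made up for illustration. It shows two things the original's design relies on: the split-string trick the author uses to keep the scanner from flagging its own source (`"wscr"&"ipt.shell"`) also defeats the plain ProgID match, so only the CreateObject-variation heuristic catches it; and a one-liner built on ExecuteGlobal fires none of the rules, because `\bexecute\b` needs a word boundary right after `execute`.

```python
"""Signature-based ASP webshell scan, ported to Python from the rules in lake2's scanner.

Added example, not part of the original post. The sample site below is constructed;
it is a dict mapping web-root-relative paths to file bodies instead of a real IIS tree.
"""
import posixpath
import re
from typing import Dict, List

SCANNED_EXTS = {"asp", "cer", "asa", "cdx"}  # same default list as the ASP source

# (label, pattern) pairs ported from scanfile(); bodies are lower-cased before matching,
# exactly as the original does, so the patterns are written in lower case.
SIGNATURES = [
    ("wscript.shell", re.compile(r"wscript\.shell|clsid:72c24dd5-d70a-438b-8a42-98424b88afb8")),
    ("shell.application", re.compile(r"shell\.application|clsid:13709620-c279-11ce-a49e-444553540000")),
    ("script.encode", re.compile(r'\blanguage\s*=\s*"?\s*(vbscript|jscript|javascript)\.encode\b')),
    ("eval", re.compile(r"\beval\b")),                 # also matches harmless JS eval()
    ("execute", re.compile(r"[^.]\bexecute\b")),       # [^.] skips conn.execute / server.execute
    ("fso.textfile", re.compile(r"\.(open|create)textfile\b")),
    ("stream.savetofile", re.compile(r"\.savetofile\b")),
    ("xmlhttp.save", re.compile(r"\.save\b")),
    ("server.execute(variable)", re.compile(r'server\.(execute|transfer)([ \t]*|\()[^"]\)')),  # ported unchanged
]
CREATEOBJECT = re.compile(r"createobject[ \t]*\(.*\)")
INCLUDE_FILE = re.compile(r'<!--\s*#include\s*file\s*=\s*"([^"]*)"')
INCLUDE_VIRTUAL = re.compile(r'<!--\s*#include\s*virtual\s*=\s*"([^"]*)"')
EXECUTE_LITERAL = re.compile(r'server\.(?:execute|transfer)(?:[ \t]*|\()"([^"]*)"')


def createobject_is_obfuscated(call: str) -> bool:
    """The original's heuristic: a CreateObject argument that is concatenated,
    carries no string literal at all, or nests another call is suspicious."""
    return ("&" in call or "+" in call or '"' not in call
            or call.find("(") != call.rfind("("))


def scan_body(body: str) -> List[str]:
    """Return the signature labels that fire on one file body."""
    text = "\r\n" + body.lower()  # leading CRLF so \b works at offset 0, as in the original
    hits = [label for label, rx in SIGNATURES if rx.search(text)]
    if any(createobject_is_obfuscated(m.group(0)) for m in CREATEOBJECT.finditer(text)):
        hits.append("createobject(obfuscated)")
    return hits


def referenced_files(path: str, body: str) -> List[str]:
    """Resolve #include file= (relative to the including file), #include virtual=
    (relative to the web root) and server.execute/transfer with a literal path."""
    text = body.lower()
    base = posixpath.dirname(path)
    refs = [posixpath.normpath(posixpath.join(base, p.replace("\\", "/")))
            for p in INCLUDE_FILE.findall(text) + EXECUTE_LITERAL.findall(text)]
    refs += [posixpath.normpath(p.replace("\\", "/").lstrip("/")) for p in INCLUDE_VIRTUAL.findall(text)]
    return refs


def scan_site(site: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every file with a scanned extension, then follow its references into files
    whose extension would otherwise be skipped (e.g. .inc), tagging them with the includer."""
    report: Dict[str, List[str]] = {}
    for path, body in site.items():
        if path.rsplit(".", 1)[-1].lower() not in SCANNED_EXTS:
            continue
        report[path] = scan_body(body)
        for ref in referenced_files(path, body):
            if ref.rsplit(".", 1)[-1].lower() in SCANNED_EXTS or ref not in site:
                continue  # scanned on its own pass, or not present on this site
            report[ref] = scan_body(site[ref]) + [f"included by {path}"]
    return report


# Constructed sample site (not a real capture). The backslash in the include is deliberate:
# ASP authors write both separators and the original normalises them.
SAMPLE_SITE = {
    "default.asp": '<!--#include file="inc\\footer.inc"-->\r\n<%= "hello" %>',
    "inc/footer.inc": '<% eval request("c") %>',
    "upload/shell.asp": '<% set o = server.createobject("wscr"&"ipt.shell") : o.run request("cmd") %>',
    "upload/quiet.asp": '<% executeglobal request("c") %>',
    "js.asp": '<script language="javascript" runat="server">var n = eval("1+1");</script>',
}

if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_SITE).items():
        print(f"{path:20s} {', '.join(hits) or '(no hits)'}")
```

Running the block prints one line per file: the eval hit on js.asp is the false positive the author warns about, inc/footer.inc is reached only through the include chain, and upload/quiet.asp comes back clean, which is exactly the kind of bypass the post's challenge invites.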