雷客图ASP站长安全助手是一个基于ASP的帮助站长维护网站安全的程序。这个版本(vbs测试版)主要用于服务器本地运行以查找ASP木马。此版本为测试版,希望大家提供反馈意见,谢谢。另,正式版将整合到雷客图ASP站长安全助手的下个版本。
使用说明:
在命令提示符下:
#用法: CScript scan.vbs [扫描路径] [结果HTM文件路径]
#例子: CScript scan.vbs d:\Web f:\myreport.html
代码如下:
'-----------------------
'ScanASPWebShellinvbs
'Author:lake2(http://lake2.0x54.org)
'Date:2006-11-30
'Version:1.0Beta
'-----------------------
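' DimFileExt: comma-separated list of extensions the folder walk scans (see CheckExt); "*" scans every file.
DimFileExt = "asp,cer,asa,cdx"
' Report      accumulates one <tr> row per finding (appended by ScanFile)
' Report2     the complete HTML document written by WriteToFile
' Sun (sic)   number of findings; SumFiles / SumFolders are scan totals (SumFolders starts at 1 for the root)
Dim Report, Report2, Sun, SumFiles, SumFolders
' NOTE(review): the published listing appears to have lost every backslash; the "\" path separator
' used here (and in the other procedures) is restored on that assumption — confirm against the original.
Call ShowInfo()
If WScript.Arguments.Count = 2 Then
    Call CheckArg()
    Sun = 0
    SumFiles = 0
    SumFolders = 1
    ' Drop one trailing separator so the  Path & "\" & name  joins in ShowAllFile do not double it.
    If Right(WScript.Arguments.Item(0), 1) = "\" Then
        thePath = Mid(WScript.Arguments.Item(0), 1, Len(WScript.Arguments.Item(0)) - 1)
    Else
        thePath = WScript.Arguments.Item(0)
    End If
    WScript.Echo "开始扫描,请稍候……"
    WScript.Sleep(1000)
    StartTime = now()
    Call ShowAllFile(thePath)
    EndTime = now()
    WScript.Echo vbcrlf & "扫描完成!" & vbcrlf
    ' Assemble the HTML report. Fix: the original opened <body> three times (once per header line);
    ' a single <body> now wraps the document. Spaces inside the HTML tags were restored as well.
    report2 = report2 & "<html><head><title>雷客图ASP站长安全助手vbs版扫描报告</title>"
    report2 = report2 & "<meta http-equiv=""Content-Type"" content=""text/html;charset=gb2312""></head>"
    report2 = report2 & "<body><b><font size=4>雷客图ASP站长安全助手vbs版扫描报告</font></b><br><br>"
    report2 = report2 & "<font size=2>开始时间:" & StartTime & "</font><br>"
    report2 = report2 & "<font size=2>结束时间:" & EndTime & "</font><br>"
    report2 = report2 & "<font size=2>扫描完毕!一共检查文件夹<font color=""#FF0000"">" & SumFolders & "</font>个,文件<font color=""#FF0000"">" & SumFiles & "</font>个,发现可疑点<font color=""#FF0000"">" & Sun & "</font>个(<font color=""#FF0000"">红字</font>显示的为严重可疑)</font><br/>"
    report2 = report2 & "<table width=""100%"" border=""0"" style=""padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
    report2 = report2 & "<tr>"
    report2 = report2 & "<td width=""20%"">文件路径</td>"
    report2 = report2 & "<td width=""20%"">特征码</td>"
    report2 = report2 & "<td width=""40%"">描述</td>"
    report2 = report2 & "<td width=""20%"">创建/修改时间</td>"
    report2 = report2 & "</tr>"
    report2 = report2 & "<p>"
    ' Report holds the rows ScanFile appended. File paths are embedded in them without HTML
    ' escaping, so a crafted file name under the scanned web root ends up as markup in this
    ' report; escape them (or view the report as plain text) before trusting it in a browser.
    report2 = report2 & report
    report2 = report2 & "</p>"
    ' The report references a script on a remote host; opened in a browser it will fetch and run
    ' that script. Remove the tag if the report is viewed on an isolated machine.
    report2 = report2 & "</table><hr><script src=http://www.0x54.org/announce.js></script>"
    report2 = report2 & "<div align=center>powered by <a href=""http://www.0x54.org"" target=_blank>0x54.org</a></div>"
    report2 = report2 & "</body></html>"
    Call WriteToFile()
Else
    Call ShowHelp()
End If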
Sub ShowInfo()
    ' Print the start-up banner (tool name, author, contact, web site) followed by one blank line.
    ' The text is built in a local and echoed once; WScript.Echo appends the final newline.
    Dim banner
    banner = Join(Array( _
        "==============================", _
        "=====欢迎使用雷客图ASP站长安全助手vbs版=====", _
        "=====Author:lake2=====", _
        "=====Email:lake2@mail.csdn.net=====", _
        "=====欢迎访问www.0x54.org得到更多信息=====", _
        "=============================="), vbcrlf)
    WScript.Echo banner & vbcrlf & vbcrlf
End Sub
Sub ShowHelp()
    ' Print the usage text; called when the script is not started with exactly two arguments.
    ' NOTE(review): the usage strings are reproduced as printed on the page, whose spaces
    ' (between "CScript", "scan.vbs" and the arguments) appear to have been stripped.
    Dim usage
    usage = "#用法:CScriptscan.vbs[扫描路径][结果HTM文件路径]" & vbcrlf
    usage = usage & "#例子:CScriptscan.vbsd:Webf:myreport.html" & vbcrlf & vbcrlf
    WScript.Echo usage
End Sub
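Sub CheckArg()
    ' Validate the two command-line arguments before the scan starts:
    '   Item(0)  must be an existing folder (the scan root)
    '   Item(1)  the report file to write; its parent folder must exist (the file itself is created later)
    ' Prints an error and quits the script (exit code 1) when either check fails.
    ' NOTE(review): the "\" separator is restored on the assumption that the page stripped backslashes.
    Dim objFSO, tmpPath, sepPos
    sepPos = InStrRev(WScript.Arguments.Item(1), "\")
    If sepPos > 0 Then
        tmpPath = Left(WScript.Arguments.Item(1), sepPos - 1)
    Else
        ' Fix: a bare file name (no separator) made Left(..., -1) raise "Invalid procedure call";
        ' treat it as relative to the current directory instead.
        tmpPath = "."
    End If
    Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
    If Not objFSO.FolderExists(WScript.Arguments.Item(0)) Then
        WScript.Echo "Error:错误的路径“" & WScript.Arguments.Item(0) & "”!"
        WScript.Quit 1
    ElseIf Not objFSO.FolderExists(tmpPath) Then
        WScript.Echo "Error:错误的文件路径“" & tmpPath & "”!"
        WScript.Quit 1
    End If
    Set objFSO = Nothing
End Sub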
'遍历处理path及其子目录所有文件
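Sub ShowAllFile(Path)
    ' Walk Path recursively: ScanFile every file whose extension CheckExt accepts, then descend
    ' into each sub-folder. Updates the script-level counters SumFiles and SumFolders.
    ' There is no error handling here: GetFolder on an inaccessible folder aborts the whole scan.
    ' NOTE(review): path joins use "\" on the assumption that the page stripped backslashes.
    Dim FSO, folder, entry
    WScript.Echo "正在检查目录" & Path
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set folder = FSO.GetFolder(Path)
    For Each entry In folder.Files
        If CheckExt(FSO.GetExtensionName(entry.Name)) Then
            ' Fix: the original also concatenated an unassigned variable (Temp) into the path.
            Call ScanFile(Path & "\" & entry.Name, "")
            SumFiles = SumFiles + 1
        End If
    Next
    For Each entry In folder.SubFolders
        ShowAllFile Path & "\" & entry.Name
        SumFolders = SumFolders + 1
    Next
    Set folder = Nothing
    Set FSO = Nothing
End Sub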
'检查文件后缀,如果与预定的匹配即返回TRUE
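Function CheckExt(FileExt)
    ' Return True when FileExt (compared case-insensitively) is one of the comma-separated
    ' extensions in the script-level DimFileExt, or when DimFileExt is "*" (scan everything);
    ' False otherwise (the original left the result Empty, which callers treat the same way).
    Dim extList, i
    CheckExt = False
    If DimFileExt = "*" Then
        CheckExt = True
        Exit Function
    End If
    extList = Split(DimFileExt, ",")
    For i = 0 To UBound(extList)
        ' Fix: normalise the list entries too, so "ASP" or "asp, cer" in DimFileExt still match.
        If LCase(FileExt) = LCase(Trim(extList(i))) Then
            CheckExt = True
            Exit Function
        End If
    Next
End Function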
'检测文件
Sub ScanFile(FilePath, InFile)
    ' Scan one file for web-shell indicators and append one report row per hit.
    '   FilePath  full path of the file to inspect
    '   InFile    path of the file that included it (#include / Server.Execute / <script runat=server src>),
    '             or "" for a file reached by the folder walk; only used to annotate the report row
    ' Side effects: appends <tr> rows to the script-level Report, increments Sun (findings) and
    ' SumFiles (once per included file it recurses into). Recurses into included files.
    ' NOTE(review): the published listing appears to have lost its backslashes ("\" path separators,
    ' \b / \s / \. in the regex patterns) and the #include pattern itself; the code is kept exactly
    ' as printed below — restore those against the original before running.
    ' NOTE(review): there is no guard against include cycles; two files that include each other
    ' appear to recurse until the script fails.
    If InFile <> "" Then
        Infiles = "<fontcolor=red>该文件被" & InFile & "文件包含执行</font>"
    End If
    temp = FilePath
    ' From here to End Sub every error is silently skipped (a missing include, a regex failure,
    ' GetFile on a path that vanished, ...); only the LoadFromFile below is checked explicitly.
    On Error Resume Next
    ' Load the file as a binary stream, then re-read it as GB2312 text in 100 KB chunks,
    ' lower-cased and with NUL bytes removed (presumably so UTF-16 files are searchable as well).
    Set tStream = WScript.CreateObject("ADODB.Stream")
    tStream.type = 1
    tStream.mode = 3
    tStream.open
    tStream.Position = 0
    tStream.LoadFromFile FilePath
    If err Then Exit Sub end if
    tStream.type = 2
    tStream.charset = "GB2312"
    Do Until tStream.EOS
        filetxt = filetxt & LCase(replace(tStream.ReadText(102400), Chr(0), ""))
    Loop
    tStream.close()
    Set tStream = Nothing
    Set FSOs = WScript.CreateObject("Scripting.FileSystemObject")
    if len(filetxt) > 0 then
        ' Signature checks. DoMyBest (and jj further down) are never assigned in this listing, so
        ' they concatenate as "" and the split names read contiguously at runtime; the split keeps
        ' this scanner from flagging its own source. The checks are literal substring / regex
        ' matches on the decoded text, so names that are split or encoded in the scanned file are
        ' not detected — treat a clean report as "nothing matched", not "nothing present".
        ' Every row embeds temp (the file path) and infiles into HTML without escaping.
        filetxt = vbcrlf & filetxt      ' leading line break, presumably so line-start patterns can match line 1
        ' WScript.Shell by ProgID or by CLSID. "Or" of two InStr positions: true when either is non-zero.
        If Instr(filetxt, Lcase("WScr" & DoMyBest & "ipt.Shell")) or Instr(filetxt, Lcase("clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8")) then
            Report = Report & "<tr><td>" & temp & "</td><td>WScr" & DoMyBest & "ipt.Shell或者clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8</td><td><fontcolor=red>危险组件,一般被ASP木马利用</font>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        End if
        ' Shell.Application by ProgID or by CLSID.
        If Instr(filetxt, Lcase("She" & DoMyBest & "ll.Application")) or Instr(filetxt, Lcase("clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000")) then
            Report = Report & "<tr><td>" & temp & "</td><td>She" & DoMyBest & "ll.Application或者clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000</td><td><fontcolor=red>危险组件,一般被ASP木马利用</font>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' Unicode-encoded ASP marker. A negative Chr argument is taken as a double-byte code in the
        ' current ANSI code page, so this is locale-dependent; on a non-GB2312 system it may raise
        ' and be swallowed by On Error Resume Next.
        If instr(filetxt, chr(-22048)) then
            Report = Report & "<tr><td>" & temp & "</td><td>无</td><td><fontcolor=red>使用Unicode编码ASP代码</font>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' Script Encoder (LANGUAGE=VBScript.Encode / JScript.Encode) — encoded ASP pages are unusual.
        ' Pattern as printed; the \b and \s escapes appear to be missing.
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "bLANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>(vbscript|jscript|javascript).Encode</td><td><fontcolor=red>似乎脚本被加密了,一般ASP文件是不会加密的</font>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' Eval — also legitimate in client-side JavaScript, so the row itself warns about false positives.
        regEx.Pattern = "bEv" & "alb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Ev" & "al</td><td>e" & "val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev" & "al(X)<br>但是javascript代码中也可以使用,有可能是误报。" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' Execute not preceded by "." (so Server.Execute is left to its own check below).
        regEx.Pattern = "[^.]bExe" & "cuteb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Exec" & "ute</td><td><fontcolor=red>e" & "xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex" & "ecute(X)</font><br>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' FileSystemObject text-file access (informational, not red).
        regEx.Pattern = ".(Open|Create)TextFileb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Crea" & "teTextFile|.O" & "penTextFile</td><td>使用了FSO的CreateTextFile|OpenTextFile函数读写文件" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' Stream / JMail SaveToFile (informational).
        regEx.Pattern = ".SaveT" & "oFileb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Sa" & "veToFile</td><td>使用了Stream或者JMail的SaveToFile函数写文件" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' XMLHTTP / DOM Save (informational).
        regEx.Pattern = ".Sa" & "veb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Sa" & "ve</td><td>使用了XMLHTTP的Save函数写文件" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' "Set x = Server" — the Server object aliased into a variable, which hides a later .Execute
        ' from the literal check above. jj is unassigned (see note at the top of this section).
        regEx.Pattern = "sets*.*s*=s*servers"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Setxxx=Se" & "rver</td><td><fontcolor=red>发现Setxxx=Ser" & jj & "ver,请管理员仔细检查是否调用.execute</font><br>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' Server.Execute / Server.Transfer with a non-literal (variable) target: cannot be followed, so flag it.
        regEx.Pattern = "Server.(Ex" & "ecute|Transfer)([t]*|()[^""])"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Server.Ex" & "ecute</td><td><fontcolor=red>不能跟踪检查Server.e" & "xecute()函数执行的文件。请管理员自行检查</font><br>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' WScript.Shell .Run
        regEx.Pattern = ".R" & "unb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Ru" & "n</td><td><fontcolor=red>发现WScript的Run函数</font><br>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' WScript.Shell .Exec
        regEx.Pattern = ".Ex" & "ecb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Ex" & "ec</td><td><fontcolor=red>发现WScript的Exec函数</font><br>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        ' Shell.Application .ShellExecute
        regEx.Pattern = ".Shel" & "lExecuteb"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.ShellE" & "xecute</td><td><fontcolor=red>发现Application的ShellExecute函数</font><br>" & infiles & "</td><td>" & GetDateCreate(filepath) & "<br>" & GetDateModify(filepath) & "</td></tr>"
            Sun = Sun + 1
        EndIf
        Set regEx = Nothing
        ' --- Follow #include directives (SSI), so an included file with an unscanned extension
        ' (e.g. .inc) is inspected as well.
        ' NOTE(review): the include pattern appears to have been eaten by the page — only "<>"
        ' survives. The loop below expects each match to contain  ... = <file> ...  and takes the
        ' text after the first "=". It does not seem to distinguish file= from virtual=; both are
        ' resolved relative to the including file's folder.
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "<>"
        Set Matches = regEx.Execute(filetxt)
        For Each Match in Matches
            ' Text after "=", trimmed, with "/" replaced (presumably by "\" in the original).
            tFile = Replace(Trim(Mid(Match.Value, Instr(Match.Value, "=") + 1, Len(Match.Value) - Instr(Match.Value, "=") - 1)), "/", "")
            If Left(tFile, 1) = "'" Then
                ' single-quoted value
                tFile = Mid(tFile, 2, InStr(2, tFile, "'", 1) - 2)
            ElseIf Left(tFile, 1) = """" Then
                ' double-quoted value
                tFile = Mid(tFile, 2, InStr(2, tFile, """", 1) - 2)
            Else
                ' unquoted value: drop tabs, cut at the first separator (the "" literals below
                ' were presumably " "), else at the "-" that starts the closing "-->".
                tFile = Replace(tFile, Chr(9), "")
                If InStr(tFile, "") <> 0 Then
                    tFile = Left(tFile, InStr(tFile, "") - 1)
                Else
                    tFile = Left(tFile, InStr(tFile, "-") - 1)
                EndIf
            EndIf
            ' Files with a scanned extension are skipped here because the folder walk reaches them anyway.
            If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "")) & tFile, FilePath)
                SumFiles = SumFiles + 1
            EndIf
        Next
        Set Matches = Nothing
        Set regEx = Nothing
        ' --- Follow Server.Execute / Server.Transfer with a double-quoted literal target.
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "Server.(Exec" & "ute|Transfer)([t]*|()"".*?"""
        Set Matches = regEx.Execute(filetxt)
        For Each Match in Matches
            ' Text between the first quote and the end of the match, "/" replaced as above.
            tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1), "/", "")
            If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "")) & tFile, FilePath)
                SumFiles = SumFiles + 1
            EndIf
        Next
        Set Matches = Nothing
        Set regEx = Nothing
        ' --- Follow <script runat="server" src="..."> tags.
        Set XregEx = New RegExp
        XregEx.IgnoreCase = True
        XregEx.Global = True
        XregEx.Pattern = "<scr" & "ipts*(.|n)*?runats*=s*""?server""?(.|n)*?>"
        Set XMatches = XregEx.Execute(filetxt)
        For Each Match in XMatches
            ' Keep only the opening tag, then locate "src" and the "=" that follows it.
            tmpLake2 = Mid(Match.Value, 1, InStr(Match.Value, ">"))
            srcSeek = InStr(1, tmpLake2, "src", 1)
            If srcSeek > 0 Then
                srcSeek2 = instr(srcSeek, tmpLake2, "=")
                ' Skip up to 50 separator characters after "=" (the "" literal was presumably " ").
                For i = 1 To 50
                    tmp = Mid(tmpLake2, srcSeek2 + i, 1)
                    If tmp <> "" and tmp <> chr(9) and tmp <> vbCrLf Then
                        Exit For
                    EndIf
                Next
                If tmp = """" Then
                    ' double-quoted src value
                    tmpName = Mid(tmpLake2, srcSeek2 + i + 1, Instr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
                Else
                    ' unquoted src value: cut at the next separator, tab, line break or ">"
                    If InStr(srcSeek2 + i + 1, tmpLake2, "") > 0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, Instr(srcSeek2 + i + 1, tmpLake2, "") - srcSeek2 - i) Else tmpName = tmpLake2
                    If InStr(tmpName, chr(9)) > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, chr(9)) - 1)
                    If InStr(tmpName, vbCrLf) > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, vbcrlf) - 1)
                    If InStr(tmpName, ">") > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, ">") - 1)
                EndIf
                ' Unlike the two loops above, the extension is not checked here: the src file is always scanned.
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "")) & tmpName, FilePath)
                SumFiles = SumFiles + 1
            EndIf
        Next
        ' These two lines release Matches/regEx again; this section used XMatches/XregEx, which are
        ' simply left for cleanup at procedure exit (cosmetic).
        Set Matches = Nothing
        Set regEx = Nothing
    endif
    set fsos = nothing
End Sub
Function GetDateModify(filepath)
    ' Return the last-modified timestamp of the file at filepath (shown in the report's date column).
    ' Raises if the file cannot be opened; callers in ScanFile run under On Error Resume Next.
    Dim fileSys, fileObj
    Set fileSys = CreateObject("Scripting.FileSystemObject")
    Set fileObj = fileSys.GetFile(filepath)
    GetDateModify = fileObj.DateLastModified
    Set fileObj = Nothing
    Set fileSys = Nothing
End Function
Function GetDateCreate(filepath)
    ' Return the creation timestamp of the file at filepath (shown in the report's date column).
    ' Raises if the file cannot be opened; callers in ScanFile run under On Error Resume Next.
    Dim fileSys, fileObj
    Set fileSys = CreateObject("Scripting.FileSystemObject")
    Set fileObj = fileSys.GetFile(filepath)
    GetDateCreate = fileObj.DateCreated
    Set fileObj = Nothing
    Set fileSys = Nothing
End Function
Sub WriteToFile()
    ' Write the assembled HTML report (script-level Report2) to the path given as the second
    ' command-line argument, overwriting an existing file (ForWriting = 2, create = True), and
    ' tell the user where it went. Any write error propagates and stops the script.
    Dim fileSys, outFile
    Set fileSys = CreateObject("Scripting.FileSystemObject")
    Set outFile = fileSys.OpenTextFile(WScript.Arguments.Item(1), 2, True)
    outFile.Write Report2
    outFile.Close
    Set outFile = Nothing
    Set fileSys = Nothing
    WScript.Echo "扫描结果已经写入文件“" & WScript.Arguments.Item(1) & "”,请查看之!"
End Sub