关于查ASP木马的程序,记得半年前在八进制发了一个测试版(具体的URL:http://forum.eviloctal.com/read-htm-tid-19665.html),得到很多朋友的指导,学到了很多东西,非常感谢他们。现在我发的这个升级版,修补了以前的bug,加入了对一些组件写文件函数的检测,更加趋于完美了,个人认为想绕过去有点难度哦。
这回的默认密码是security
当然啦,哈哈,lake2“比武招亲”,欢迎各位朋友提出绕过检测的马马来,一经证实,lake2将把我自己写的某ASP木马“嫁”给他^_^特别有创意的,送你一个我最新弄出来的脚本,具体嘛,嘿嘿,到时候就知道啦。
战书已下,谁来迎战?
源码,另存为asp文件即可使用:
<%@LANGUAGE="VBSCRIPT"CODEPAGE="936"%>
<%
'设置密码
PASSWORD="security"
dimReport
ifrequest.QueryString("act")="login"then
ifrequest.Form("pwd")=PASSWORDthensession("pig")=1
endif
%>
<!DOCTYPEHTMLPUBLIC"-//W3C//DTDHTML4.01Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<metahttp-equiv="Content-Type"content="text/html;charset=gb2312">
<title>ScanWebShell--ASPSecurityForHacking</title>
<styletype="text/css">
<>
</style>
</head>
<body>
<%IfSession("pig")<>1then%>
<formname="form1"method="post"action="?act=login">
<divalign="center">Password:
<inputname="pwd"type="password"size="15">
<inputtype="submit"name="Submit"value="提交">
</div>
</form>
<%
else
ifrequest.QueryString("act")<>"scan"then
%>
<formaction="?act=scan"method="post"name="form1">
<p><b>填入你要检查的路径:</b>
<inputname="path"type="text"style="border:1pxsolid#999"value="."size="30"/>
<br>
*网站根目录的相对路径,填“”即检查整个网站;“.”为程序所在目录<br>
<br>
你要干什么:
<inputname="radiobutton"type="radio"value="sws"checked>
查ASP木马
<inputtype="radio"name="radiobutton"value="sf">
搜索符合条件之文件<br>
<br>
--------------如果搜索文件需将以下内容填写完整------------------<br>
<br>
查找内容:
<inputname="Search_Content"type="text"id="Search_Content"style="border:1pxsolid#999"size="20">
*要查找的字符串,不填就只进行日期检查<br/>
修改日期:
<inputname="Search_Date"type="text"style="border:1pxsolid#999"value="<%=Left(Now(),InStr(now(),"")-1)%>"size="20">
*多个日期用;隔开,任意日期填写<ahref="#"onClick="javascript:form1.Search_Date.value='ALL'">ALL</a><br/>
文件类型:
<inputname="Search_FileExt"type="text"style="border:1pxsolid#999"value="*"size="20">
*类型之间用,隔开,*表示所有类型<br>
<br>
<inputtype="submit"value="开始扫描"style="background:#fff;border:1pxsolid#999;padding:2px2px0px2px;margin:4px;border-width:1px3px1px3px"/>
</p>
</form>
<%
else
server.ScriptTimeout=600
ifrequest.Form("path")=""then
response.Write("NoHack")
response.End()
endif
ifrequest.Form("path")=""then
TmpPath=Server.MapPath("")
elseifrequest.Form("path")="."then
TmpPath=Server.MapPath(".")
else
TmpPath=Server.MapPath("")&""&request.Form("path")
endif
timer1=timer
Sun=0
SumFiles=0
SumFolders=1
Ifrequest.Form("radiobutton")="sws"Then
DimFileExt="asp,cer,asa,cdx"
CallShowAllFile(TmpPath)
Else
Ifrequest.Form("path")=""orrequest.Form("Search_Date")=""orrequest.Form("Search_FileExt")=""Then
response.Write("缉捕条件不完全,恕难从命<br><br><ahref='javascript:history.go(-1);'>请返回重新输入</a>")
response.End()
EndIf
DimFileExt=request.Form("Search_fileExt")
CallShowAllFile2(TmpPath)
EndIf
%>
<tablewidth="100%"border="0"cellpadding="0"cellspacing="0"class="CContent">
<tr>
<th>ScanWebShell--ASPSecurityForHacking
</tr>
<tr>
<tdclass="CPanel"style="padding:5px;line-height:170%;clear:both;font-size:12px">
<divid="updateInfo"style="background:ffffe1;border:1pxsolid#89441f;padding:4px;display:none"></div>
扫描完毕!一共检查文件夹<fontcolor="#FF0000"><%=SumFolders%></font>个,文件<fontcolor="#FF0000"><%=SumFiles%></font>个,发现可疑点<fontcolor="#FF0000"><%=Sun%></font>个
<tablewidth="100%"border="0"cellpadding="0"cellspacing="0">
<tr>
<tdvalign="top">
<tablewidth="100%"border="1"cellpadding="0"cellspacing="0"style="padding:5px;line-height:170%;clear:both;font-size:12px">
<tr>
<%Ifrequest.Form("radiobutton")="sws"Then%>
<tdwidth="20%">文件相对路径</td>
<tdwidth="20%">特征码</td>
<tdwidth="40%">描述</td>
<tdwidth="20%">创建/修改时间</td>
<%else%>
<tdwidth="50%">文件相对路径</td>
<tdwidth="25%">文件创建时间</td>
<tdwidth="25%">修改时间</td>
<%endif%>
</tr>
<p>
<%=Report%>
<br/></p>
</table></td>
</tr>
</table>
</td></tr></table>
<%
timer2=timer
thetime=cstr(int(((timer2-timer1)*10000)+0.5)/10)
response.write"<br><fontsize=""2"">本页执行共用了"&thetime&"毫秒</font>"
endif
endif
%>
<hr>
<divalign="center">本程序取自<ahref="http://www.0x54.org"target="_blank">雷客图ASP站长安全助手</a>的ASP木马查找和可疑文件搜索功能<br>
poweredby<ahref="http://lake2.0x54.org"target=_blank>lake2</a>(Build20060615)</div>
</body>
</html>
<%
'遍历处理path及其子目录所有文件
SubShowAllFile(Path)
SetFSO=CreateObject("Scripting.FileSystemObject")
ifnotfso.FolderExists(path)thenexitsub
Setf=FSO.GetFolder(Path)
Setfc2=f.files
ForEachmyfileinfc2
IfCheckExt(FSO.GetExtensionName(path&""&myfile.name))Then
CallScanFile(Path&Temp&""&myfile.name,"")
SumFiles=SumFiles+1
EndIf
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFilepath&""&f1.name
SumFolders=SumFolders+1
Next
SetFSO=Nothing
EndSub
'检测文件
SubScanFile(FilePath,InFile)
IfInFile<>""Then
Infiles="<fontcolor=red>该文件被<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(InFile)&"""target=_blank>"&InFile&"</a>文件包含执行</font>"
EndIf
SetFSOs=CreateObject("Scripting.FileSystemObject")
onerrorresumenext
setofile=fsos.OpenTextFile(FilePath)
filetxt=Lcase(ofile.readall())
IferrThenExitSubendif
iflen(filetxt)>0then
'特征码检查
filetxt=vbcrlf&filetxt
temp="<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(replace(replace(FilePath,server.MapPath("")&"","",1,1,1),"","/"))&"""target=_blank>"&replace(FilePath,server.MapPath("")&"","",1,1,1)&"</a>"
'Check"WScr"&DoMyBest&"ipt.Shell"
Ifinstr(filetxt,Lcase("WScr"&DoMyBest&"ipt.Shell"))orInstr(filetxt,Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8"))then
Report=Report&"<tr><td>"&temp&"</td><td>WScr"&DoMyBest&"ipt.Shell或者clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8</td><td><fontcolor=red>危险组件,一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
Endif
'Check"She"&DoMyBest&"ll.Application"
Ifinstr(filetxt,Lcase("She"&DoMyBest&"ll.Application"))orInstr(filetxt,Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000"))then
Report=Report&"<tr><td>"&temp&"</td><td>She"&DoMyBest&"ll.Application或者clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000</td><td><fontcolor=red>危险组件,一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'Check.Encode
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="bLANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).Encode</td><td><fontcolor=red>似乎脚本被加密了</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'CheckmyASPbackdoor:(
regEx.Pattern="bEv"&"alb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>Ev"&"al</td><td>e"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'Checkexe&cutebackdoor
regEx.Pattern="[^.]bExe"&"cuteb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>Exec"&"ute</td><td><fontcolor=red>e"&"xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'----------------------StartUpdate200605031-----------------------------
'Check.Create&TextFileand.OpenText&File
regEx.Pattern=".(Open|Create)TextFileb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>.CreateTextFile|.OpenTextFile</td><td>使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'Check.SaveT&oFile
regEx.Pattern=".SaveToFileb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>.SaveToFile</td><td>使用了Stream的SaveToFile函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'Check.&Save
regEx.Pattern=".Saveb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>.Save</td><td>使用了XMLHTTP的Save函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'------------------End----------------------------
SetregEx=Nothing
'Checkincludefile
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="<s*#includes*virtuals*=s*"".*"""
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Server.MapPath("")&""&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
'CheckServer&.Execute|Transfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()"".*"""
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,""))&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
'CheckServer&.Execute|Transfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()[^""])"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>Server.Exec"&"ute</td><td><fontcolor=red>不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
SetMatches=Nothing
SetregEx=Nothing
'CheckRunatScript
SetXregEx=NewRegExp
XregEx.IgnoreCase=True
XregEx.Global=True
XregEx.Pattern="<scr"&"ipts*(.|n)*?runats*=s*""?server""?(.|n)*?>"
SetXMatches=XregEx.Execute(filetxt)
ForEachMatchinXMatches
tmpLake2=Mid(Match.Value,1,InStr(Match.Value,">"))
srcSeek=InStr(1,tmpLake2,"src",1)
IfsrcSeek>0Then
srcSeek2=instr(srcSeek,tmpLake2,"=")
Fori=1To50
tmp=Mid(tmpLake2,srcSeek2+i,1)
Iftmp<>""andtmp<>chr(9)andtmp<>vbCrLfThen
ExitFor
EndIf
Next
Iftmp=""""Then
tmpName=Mid(tmpLake2,srcSeek2+i+1,Instr(srcSeek2+i+1,tmpLake2,"""")-srcSeek2-i-1)
Else
IfInStr(srcSeek2+i+1,tmpLake2,"")>0ThentmpName=Mid(tmpLake2,srcSeek2+i,Instr(srcSeek2+i+1,tmpLake2,"")-srcSeek2-i)ElsetmpName=tmpLake2
IfInStr(tmpName,chr(9))>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,chr(9))-1)
IfInStr(tmpName,vbCrLf)>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,vbcrlf)-1)
IfInStr(tmpName,">")>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,">")-1)
EndIf
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,""))&tmpName,replace(FilePath,server.MapPath("")&"","",1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
'CheckCrea"&"teObject
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="CreateO"&"bject[|t]*(.*)"
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
IfInstr(Match.Value,"&")orInstr(Match.Value,"+")orInstr(Match.Value,"""")=0orInstr(Match.Value,"(")<>InStrRev(Match.Value,"(")Then
Report=Report&"<tr><td>"&temp&"</td><td>Creat"&"eObject</td><td>Crea"&"teObject函数使用了变形技术。可能是误报"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
exitsub
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
endif
setofile=nothing
setfsos=nothing
EndSub
'检查文件后缀,如果与预定的匹配即返回TRUE
FunctionCheckExt(FileExt)
IfDimFileExt="*"ThenCheckExt=True
Ext=Split(DimFileExt,",")
Fori=0ToUbound(Ext)
IfLcase(FileExt)=Ext(i)Then
CheckExt=True
ExitFunction
EndIf
Next
EndFunction
FunctionGetDateModify(filepath)
Setfso=CreateObject("Scripting.FileSystemObject")
Setf=fso.GetFile(filepath)
s=f.DateLastModified
setf=nothing
setfso=nothing
GetDateModify=s
EndFunction
FunctionGetDateCreate(filepath)
Setfso=CreateObject("Scripting.FileSystemObject")
Setf=fso.GetFile(filepath)
s=f.DateCreated
setf=nothing
setfso=nothing
GetDateCreate=s
EndFunction
FunctiontURLEncode(Str)
temp=Replace(Str,"%","%25")
temp=Replace(temp,"#","%23")
temp=Replace(temp,"&","%26")
tURLEncode=temp
EndFunction
SubShowAllFile2(Path)
SetFSO=CreateObject("Scripting.FileSystemObject")
ifnotfso.FolderExists(path)thenexitsub
Setf=FSO.GetFolder(Path)
Setfc2=f.files
ForEachmyfileinfc2
IfCheckExt(FSO.GetExtensionName(path&""&myfile.name))Then
CallIsFind(Path&""&myfile.name)
SumFiles=SumFiles+1
EndIf
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFile2path&""&f1.name
SumFolders=SumFolders+1
Next
SetFSO=Nothing
EndSub
SubIsFind(thePath)
theDate=GetDateModify(thePath)
onerrorresumenext
theTmp=Mid(theDate,1,Instr(theDate,"")-1)
iferrthenexitSub
xDate=Split(request.Form("Search_Date"),";")
Ifrequest.Form("Search_Date")="ALL"ThenALLTime=True
Fori=0ToUbound(xDate)
IftheTmp=xDate(i)orALLTime=TrueThen
Ifrequest("Search_Content")<>""Then
SetFSOs=CreateObject("Scripting.FileSystemObject")
setofile=fsos.OpenTextFile(thePath,1,false,-2)
filetxt=Lcase(ofile.readall())
IfInstr(filetxt,LCase(request.Form("Search_Content")))>0Then
temp="<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&"""target=_blank>"&replace(thePath,server.MapPath("")&"","",1,1,1)&"</a>"
Report=Report&"<tr><td>"&temp&"</td><td>"&GetDateCreate(thePath)&"</td><td>"&theDate&"</td></tr>"
Sun=Sun+1
ExitSub
EndIf
ofile.close()
Setofile=Nothing
SetFSOs=Nothing
Else
temp="<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&"""target=_blank>"&replace(thePath,server.MapPath("")&"","",1,1,1)&"</a>"
Report=Report&"<tr><td>"&temp&"</td><td>"&GetDateCreate(thePath)&"</td><td>"&theDate&"</td></tr>"
Sun=Sun+1
ExitSub
EndIf
EndIf
Next
EndSub
%>
【一个查ASP木马的小东东】相关文章:
★ 一个ASP小马