【 tulaoshi.com - Web开发 】
关于查ASP木马的程序,记得半年前在八进制发了一个测试版(具体的URL:http://forum.eviloctal.com/read-htm-tid-19665.html),得到很多朋友的指导,学到了很多东西,非常感谢他们。现在我发的这个升级版,修补了以前的bug,加入了对一些组件写文件函数的检测,更加趋于完美了,个人认为想绕过去有点难度哦。
这回的默认密码是security
当然啦,哈哈,lake2“比武招亲”,欢迎各位朋友提出绕过检测的马马来,一经证实,lake2将把我自己写的某ASP木马“嫁”给他^_^ 特别有创意的,送你一个我最新弄出来的脚本,具体嘛,嘿嘿,到时候就知道啦。
战书已下,谁来迎战?
源码,另存为asp文件即可使用:
%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%
%
'设置密码
PASSWORD = "security"
dim Report
if request.QueryString("act")="login" then
if request.Form("pwd") = PASSWORD then session("pig")=1
end if
%
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"
html
head
meta http-equiv="Content-Type" content="text/html; charset=gb2312"
titleScan WebShell -- ASPSecurity For Hacking/title
style type="text/css"
!--
body,td,th {
font-size: 12px;
}
--
/style
/head
body
%If Session("pig") 1 then%
form name="form1" method="post" action="?act=login"
div style="text-align:center"Password:
input name="pwd" type="password" size="15"
input type="submit" name="Submit" value="提交"
/div
/form
%
else
if request.QueryString("act")"scan" then
%
form action="?act=scan" method="post" name="form1"
pb填入你要检查的路径:/b
input name="path" type="text" style="border:1px solid #999" value="." size="30" /
br
* 网站根目录的相对路径,填“”即检查整个网站;“.”为程序所在目录br
br
你要干什么:
input name="radiobutton" type="radio" value="sws" checked
查ASP木马
input type="radio" name="radiobutton" value="sf"
搜索符合条件之文件br
br
-------------- 如果搜索文件需将以下内容填写完整 ------------------br
br
查找内容:
input name="Search_Content" type="text" id="Search_Content" style="border:1px solid #999" size="20"
* 要查找的字符串,不填就只进行日期检查br/
修改日期:
input name="Search_Date" type="text" style="border:1px solid #999" value="%=Left(Now(),InStr(now()," ")-1)%" size="20"
* 多个日期用;隔开,任意日期填写a href="#" onClick="javascript:form1.Search_Date.value='ALL'"ALL/abr/
文件类型:
input name="Search_FileExt" type="text" style="border:1px solid #999" value="*" size="20"
* 类型之间用,隔开,*表示所有类型 br
br
input type="submit" value=" 开始扫描 " style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" /
/p
/form
%
else
server.ScriptTimeout = 600
if request.Form("path")="" then
response.Write("No Hack")
response.End()
end if
if request.Form("path")="" then
TmpPath = Server.MapPath("")
elseif request.Form("path")="." then
TmpPath = Server.MapPath(".")
else
TmpPath = Server.MapPath("")&""&request.Form("path")
end if
timer1 = timer
Sun = 0
SumFiles = 0
SumFolders = 1
If request.Form("radiobutton") = "sws" Then
DimFileExt = "asp,cer,asa,cdx"
Call ShowAllFile(TmpPath)
Else
If request.Form("path") = "" or request.Form("Search_Date") = "" or request.Form("Search_FileExt") = "" Then
response.Write("缉捕条件不完全,恕难从命brbra href='javascript:history.go(-1);'请返回重新输入/a")
response.End()
End If
DimFileExt = request.Form("Search_fileExt")
Call ShowAllFile2(TmpPath)
End If
%
table width="100%" border="0" cellpadding="0" cellspacing="0" class="CContent"
tr
th Scan WebShell -- ASPSecurity For Hacking
/tr
tr
td class="CPanel" style="padding:5px;line-height:170%;clear:both;font-size:12px"
div id="updateInfo" style="background:ffffe1;border:1px solid #89441f;padding:4px;display:none"/div
扫描完毕!一共检查文件夹font color="#FF0000"%=SumFolders%/font个,文件font color="#FF0000"%=SumFiles%/font个,发现可疑点font color="#FF0000"%=Sun%/font个
table width="100%" border="0" cellpadding="0" cellspacing="0"
tr
td valign="top"
table width="100%" border="1" cellpadding="0" cellspacing="0" style="padding:5px;line-height:170%;clear:both;font-size:12px"
tr
%If request.Form("radiobutton") = "sws" Then%
td width="20%"文件相对路径/td
td width="20%"特征码/td
td width="40%"描述/td
td width="20%"创建/修改时间/td
%else%
td width="50%"文件相对路径/td
td width="25%"文件创建时间/td
td width="25%"修改时间/td
%end if%
/tr
p
%=Report%
br//p
/table/td
/tr
/table
/td/tr/table
%
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
response.write "brfont size=""2""本页执行共用了"&thetime&"毫秒/font"
end if
end if
%
hr
div style="text-align:center"本程序取自a href="http://www.0x54.org" target="_blank"雷客图ASP站长安全助手/a的ASP木马查找和可疑文件搜索功能br
powered by a href="http://lake2.0x54.org" target=_blanklake2/a ( Build 20060615 ) /div
/body
/html
%
'遍历处理path及其子目录所有文件
Sub ShowAllFile(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
For Each myfile in fc2
If CheckExt(FSO.GetExtensionName(path&""&myfile.name)) Then
Call ScanFile(Path&Temp&""&myfile.name, "")
SumFiles = SumFiles + 1
End If
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile path&""&f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub
'检测文件
Sub ScanFile(FilePath, InFile)
If InFile "" Then
Infiles = "font color=red该文件被a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(InFile)&""" target=_blank"& InFile & "/a文件包含执行/font"
End If
Set FSOs = CreateObject("Scripting.FileSystemObject")
on error resume next
set ofile = fsos.OpenTextFile(FilePath)
filetxt = Lcase(ofile.readall())
If err Then Exit Sub end if
if len(filetxt)0 then
'特征码检查
filetxt = vbcrlf & filetxt
temp = "a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(replace(replace(FilePath,server.MapPath("")&"","",1,1,1),"","/"))&""" target=_blank"&replace(FilePath,server.MapPath("")&"","",1,1,1)&"/a"
'Check "WScr"&DoMyBest&"ipt.Shell"
If instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
Report = Report&"trtd"&temp&"/tdtdWScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8/tdtdfont color=red危险组件,一般被ASP木马利用/font"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End if
'Check "She"&DoMyBest&"ll.Application"
If instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
Report = Report&"trtd"&temp&"/tdtdShe"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000/tdtdfont color=red危险组件,一般被ASP木马利用/font"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
'Check .Encode
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "bLANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"
If regEx.Test(filetxt) Then
Report = Report&"trtd"&temp&"/tdtd(vbscript|jscript|javascript).Encode/tdtdfont color=red似乎脚本被加密了/font"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
'Check my ASP backdoor :(
regEx.Pattern = "bEv"&"alb"
If regEx.Test(filetxt) Then
Report = Report&"trtd"&temp&"/tdtdEv"&"al/tdtde"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)br但是javascript代码中也可以使用,有可能是误报。"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
'Check exe&cute backdoor
regEx.Pattern = "[^.]bExe"&"cuteb"
If regEx.Test(filetxt) Then
Report = Report&"trtd"&temp&"/tdtdExec"&"ute/tdtdfont color=rede"&"xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)/fontbr"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
'----------------------Start Update 200605031-----------------------------
'Check .Create&TextFile and .OpenText&File
regEx.Pattern = ".(Open|Create)TextFileb"
If regEx.Test(filetxt) Then
Report = Report&"trtd"&temp&"/tdtd.CreateTextFile|.OpenTextFile/tdtd使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
'Check .SaveT&oFile
regEx.Pattern = ".SaveToFileb"
If regEx.Test(filetxt) Then
Report = Report&"trtd"&temp&"/tdtd.SaveToFile/tdtd使用了Stream的SaveToFile函数写文件"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
'Check .&Save
regEx.Pattern = ".Saveb"
If regEx.Test(filetxt) Then
Report = Report&"trtd"&temp&"/tdtd.Save/tdtd使用了XMLHTTP的Save函数写文件"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
'------------------ End ----------------------------
Set regEx = Nothing
'Check include file
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "!--s*#includes*files*=s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,""))&tFile, replace(FilePath,server.MapPath("")&"","",1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check include virtual
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "!--s*#includes*virtuals*=s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Server.MapPath("")&""&tFile, replace(FilePath,server.MapPath("")&"","",1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check Server&.Execute|Transfer
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ t]*|()"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,""))&tFile, replace(FilePath,server.MapPath("")&"","",1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check Server&.Execute|Transfer
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ t]*|()[^""])"
If regEx.Test(filetxt) Then
Report = Report&"trtd"&temp&"/tdtdServer.Exec"&"ute/tdtdfont color=red不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查/fontbr"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
End If
Set Matches = Nothing
Set regEx = Nothing
'Check RunatScript
Set XregEx = New RegExp
XregEx.IgnoreCase = True
XregEx.Global = True
XregEx.Pattern = "scr"&"ipts*(.|n)*?runats*=s*""?server""?(.|n)*?"
Set XMatches = XregEx.Execute(filetxt)
For Each Match in XMatches
tmpLake2 = Mid(Match.Value, 1, InStr(Match.Value, ""))
srcSeek = InStr(1, tmpLake2, "src", 1)
If srcSeek 0 Then
srcSeek2 = instr(srcSeek, tmpLake2, "=")
For i = 1 To 50
tmp = Mid(tmpLake2, srcSeek2 + i, 1)
If tmp " " and tmp chr(9) and tmp vbCrLf Then
Exit For
End If
Next
If tmp = """" Then
tmpName = Mid(tmpLake2, srcSeek2 + i + 1, Instr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
Else
If InStr(srcSeek2 + i + 1, tmpLake2, " ") 0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, Instr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i) Else tmpName = tmpLake2
If InStr(tmpName, chr(9)) 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, chr(9)) - 1)
If InStr(tmpName, vbCrLf) 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, vbcrlf) - 1)
If InStr(tmpName, "") 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, "") - 1)
End If
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,""))&tmpName , replace(FilePath,server.MapPath("")&"","",1,1,1))
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check Crea"&"teObject
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "CreateO"&"bject[ |t]*(.*)"
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
If Instr(Match.Value, "&") or Instr(Match.Value, "+") or Instr(Match.Value, """") = 0 or Instr(Match.Value, "(") InStrRev(Match.Value, "(") Then
Report = Report&"trtd"&temp&"/tdtdCreat"&"eObject/tdtdCrea"&"teObject函数使用了变形技术。可能是误报"&infiles&"/tdtd"&GetDateCreate(filepath)&"br"&GetDateModify(filepath)&"/td/tr"
Sun = Sun + 1
exit sub
End If
Next
Set Matches = Nothing
Set regEx = Nothing
end if
set ofile = nothing
set fsos = nothing
End Sub
'检查文件后缀,如果与预定的匹配即返回TRUE
Function CheckExt(FileExt)
If DimFileExt = "*" Then CheckExt = True
Ext = Split(DimFileExt,",")
For i = 0 To Ubound(Ext)
If Lcase(FileExt) = Ext(i) Then
CheckExt = True
Exit Function
End If
Next
End Function
Function GetDateModify(filepath)
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateLastModified
set f = nothing
set fso = nothing
GetDateModify = s
End Function
Function GetDateCreate(filepath)
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateCreated
set f = nothing
set fso = nothing
GetDateCreate = s
End Function
Function tURLEncode(Str)
temp = Replace(Str, "%", "%25")
temp = Replace(temp, "#", "%23")
temp = Replace(temp, "&", "%26")
tURLEncode = temp
End Function
Sub ShowAllFile2(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
For Each myfile in fc2
If CheckExt(FSO.GetExtensionName(path&""&myfile.name)) Then
Call IsFind(Path&""&myfile.name)
SumFiles = SumFiles + 1
End If
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile2 path&""&f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub
Sub IsFind(thePath)
theDate = GetDateModify(thePath)
on error resume next
theTmp = Mid(theDate, 1, Instr(theDate, " ") - 1)
if err then exit Sub
xDate = Split(request.Form("Search_Date"),";")
If request.Form("Search_Date") = "ALL" Then ALLTime = True
For i = 0 To Ubound(xDate)
If theTmp = xDate(i) or ALLTime = True Then
If request("Search_Content") "" Then
Set FSOs = CreateObject("Scripting.FileSystemObject")
set ofile = fsos.OpenTextFile(thePath, 1, false, -2)
filetxt = Lcase(ofile.readall())
If Instr( filetxt, LCase(request.Form("Search_Content"))) 0 Then
temp = "a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&""" target=_blank"&replace(thePath,server.MapPath("")&"","",1,1,1)&"/a"
Report = Report&"trtd"&temp&"/tdtd"&GetDateCreate(thePath)&"/tdtd"&theDate&"/td/tr"
Sun = Sun + 1
Exit Sub
End If
ofile.close()
Set ofile = Nothing
Set FSOs = Nothing
Else
temp = "a href=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&""" target=_blank"&replace(thePath,server.MapPath("")&"","",1,1,1)&"/a"
Report = Report&"trtd"&temp&"/tdtd"&GetDateCreate(thePath)&"/tdtd"&theDate&"/td/tr"
Sun = Sun + 1
Exit Sub
End If
End If
Next
End Sub
%