一个查ASP木马的小东东
2023-01-29 12:08:50
关于查asp木马的程序,记得半年前在八进制发了一个测试版(具体的url:http://forum.eviloctal.com/read-htm-tid-19665.html),得到很多朋友的指导,学到了很多东西,非常感谢他们。现在我发的这个升级版,修补了以前的bug,加入了对一些组件写文件函数的检测,更加趋于完美了,个人认为想绕过去有点难度哦。
这回的默认密码是security
当然啦,哈哈,lake2“比武招亲”,欢迎各位朋友提出绕过检测的马马来,一经证实,lake2将把我自己写的某asp木马“嫁”给他^_^ 特别有创意的,送你一个我最新弄出来的脚本,具体嘛,嘿嘿,到时候就知道啦。
战书已下,谁来迎战?
源码,另存为asp文件即可使用:
<%@language="vbscript" codepage="936"%>
<%
' Login gate for the scanner. The password below is the shipped default and is
' compared verbatim (case-sensitive) against the posted pwd field; change it
' before putting the page on a server.
password = "security"
' report accumulates the HTML table rows produced by the scan subs further down.
dim report
' Only a POST to ?act=login is a login attempt; a correct password marks the
' session as authenticated for the rest of the page's branches.
isloginpost = (request.querystring("act") = "login")
if isloginpost and request.form("pwd") = password then session("pig") = 1
%>
<!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title>scan webshell -- aspsecurity for hacking</title>
<style type="text/css">
<!--
body,td,th {
font-size: 12px;
}
-->
</style>
</head>
<body>
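<%if session("pig") <> 1 then%>
<form name="form1" method="post" action="?act=login">
<div align="center">password:
<input name="pwd" type="password" size="15">
<input type="submit" name="submit" value="提交">
</div>
</form>
<%
else
' Logged in: show the scan form unless this request is the form's own ?act=scan post.
if request.querystring("act")<>"scan" then
%>
<form action="?act=scan" method="post" name="form1">
<p><b>填入你要检查的路径:</b>
<input name="path" type="text" style="border:1px solid #999" value="." size="30" />
<br>
* 网站根目录的相对路径,填“\”即检查整个网站;“.”为程序所在目录<br>
<br>
你要干什么:
<input name="radiobutton" type="radio" value="sws" checked>
查asp木马
<input type="radio" name="radiobutton" value="sf">
搜索符合条件之文件<br>
<br>
-------------- 如果搜索文件需将以下内容填写完整 ------------------<br>
<br>
查找内容:
<input name="search_content" type="text" id="search_content" style="border:1px solid #999" size="20">
* 要查找的字符串,不填就只进行日期检查<br/>
修改日期:
<input name="search_date" type="text" style="border:1px solid #999" value="<%=left(now(),instr(now()," ")-1)%>" size="20">
* 多个日期用;隔开,任意日期填写<a href="#" onclick="javascript:form1.search_date.value='all'">all</a><br/>
文件类型:
<input name="search_fileext" type="text" style="border:1px solid #999" value="*" size="20">
* 类型之间用,隔开,*表示所有类型 <br>
<br>
<input type="submit" value=" 开始扫描 " style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" />
</p>
</form>
<%
else
' Scan request. A recursive walk of a large site can take a while, so lift the timeout.
server.scripttimeout = 600
if request.form("path")="" then
response.write("no hack")
response.end()
end if
' Map the posted path: "\" is the web root, "." the scanner's own folder,
' anything else is taken relative to the web root.
if request.form("path")="\" then
tmppath = server.mappath("\")
elseif request.form("path")="." then
tmppath = server.mappath(".")
else
tmppath = server.mappath("\")&"\"&request.form("path")
' The field is user input: normalise the mapped path (this collapses ".."
' segments) and refuse anything that does not stay under the web root, so
' neither the scan nor the content search (which reports which files contain
' a given string) can be pointed at directories elsewhere on the server.
' A dedicated variable is used because the helper subs have locals named fso.
set rootfso = createobject("scripting.filesystemobject")
webroot = lcase(rootfso.getabsolutepathname(server.mappath("\")))
tmppath = rootfso.getabsolutepathname(tmppath)
set rootfso = nothing
if right(webroot, 1) = "\" then webroot = left(webroot, len(webroot) - 1)
if lcase(tmppath) <> webroot and left(lcase(tmppath), len(webroot) + 1) <> webroot & "\" then
response.write("no hack")
response.end()
end if
end if
timer1 = timer
' Script-level counters and settings the helper subs update or read:
' sun = suspicious hits, sumfiles = files examined, sumfolders = folders
' walked (starts at 1 for the top folder), dimfileext = extension list for checkext.
sun = 0
sumfiles = 0
sumfolders = 1
if request.form("radiobutton") = "sws" then
' Webshell scan: only these server-side script extensions are opened.
dimfileext = "asp,cer,asa,cdx"
call showallfile(tmppath)
else
' File search: date, extension list and (optionally) a content substring.
if request.form("path") = "" or request.form("search_date") = "" or request.form("search_fileext") = "" then
response.write("缉捕条件不完全,恕难从命<br><br><a href='javascript:history.go(-1);'>请返回重新输入</a>")
response.end()
end if
dimfileext = request.form("search_fileext")
call showallfile2(tmppath)
end if
%>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="ccontent">
<tr>
<th> scan webshell -- aspsecurity for hacking
</tr>
<tr>
<td class="cpanel" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<div id="updateinfo" style="background:ffffe1;border:1px solid #89441f;padding:4px;display:none"></div>
扫描完毕!一共检查文件夹<font color="#ff0000"><%=sumfolders%></font>个,文件<font color="#ff0000"><%=sumfiles%></font>个,发现可疑点<font color="#ff0000"><%=sun%></font>个
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="top">
<table width="100%" border="1" cellpadding="0" cellspacing="0" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<tr>
<%if request.form("radiobutton") = "sws" then%>
<td width="20%">文件相对路径</td>
<td width="20%">特征码</td>
<td width="40%">描述</td>
<td width="20%">创建/修改时间</td>
<%else%>
<td width="50%">文件相对路径</td>
<td width="25%">文件创建时间</td>
<td width="25%">修改时间</td>
<%end if%>
</tr>
<p>
<%=report%>
<br/></p>
</table></td>
</tr>
</table>
</td></tr></table>
<%
' Elapsed time: timer is in seconds, reported as milliseconds with one decimal.
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
response.write "<br><font size=""2"">本页执行共用了"&thetime&"毫秒</font>"
end if
end if
%>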
<hr>
<div align="center">本程序取自<a href="http://www.0x54.org" target="_blank">雷客图asp站长安全助手</a>的asp木马查找和可疑文件搜索功能<br>
powered by <a href="http://lake2.0x54.org" target=_blank>lake2</a> ( build 20060615 ) </div>
</body>
</html>
<%
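' Walk path and every subfolder, scanning each file whose extension passes
' checkext and counting files/folders in the globals sumfiles/sumfolders.
' path: absolute folder path without a trailing backslash; folders that do
' not exist are skipped silently.
' (The original concatenated a never-assigned local, temp, into the file path;
' it evaluated to "" but would break every path if a script-level temp ever
' appeared. This version mirrors showallfile2 and releases the folder object.)
sub showallfile(path)
dim fso, folder, entry, subfolder
set fso = createobject("scripting.filesystemobject")
if not fso.folderexists(path) then exit sub
set folder = fso.getfolder(path)
for each entry in folder.files
' The extension test only needs the bare name; the scan needs the full path.
if checkext(fso.getextensionname(entry.name)) then
' "" = reached by the walk itself, not through an include directive.
call scanfile(path & "\" & entry.name, "")
sumfiles = sumfiles + 1
end if
next
for each subfolder in folder.subfolders
showallfile path & "\" & subfolder.name
sumfolders = sumfolders + 1
next
set folder = nothing
set fso = nothing
end sub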
' Scan one file for webshell indicators and append one report row per hit.
' filepath: absolute path of the file to read.
' infile:   web-relative path of the page that includes or runs this file,
'           or "" when the directory walk reached the file directly.
' Side effects: appends HTML rows to the global report, increments the
' globals sun (hits) and sumfiles (files reached through includes), and
' recurses into files named by include directives, server-side script src
' attributes and server-side calls whose target is a quoted literal.
' The indicator strings below are spliced with domybest, which is never
' assigned anywhere in this file and so reads as an empty string; presumably
' this keeps the signatures from appearing verbatim in the scanner's own
' source, which is itself an .asp file inside the scanned tree.
' NOTE(review): nothing guards against include cycles between files whose
' extension is not in dimfileext; two such files including each other would
' presumably recurse until the script times out.
sub scanfile(filepath, infile)
if infile <> "" then
' Appended to the description column so the reader sees which page pulls this file in.
infiles = "<font color=red>该文件被<a href=""http://"&request.servervariables("server_name")&"/"&turlencode(infile)&""" target=_blank>"& infile & "</a>文件包含执行</font>"
end if
set fsos = createobject("scripting.filesystemobject")
' Best-effort read: an unreadable or missing file (e.g. a dangling include) is
' skipped. Errors raised further down are swallowed too; Err is never cleared.
on error resume next
set ofile = fsos.opentextfile(filepath)
filetxt = lcase(ofile.readall())
if err then exit sub end if
if len(filetxt)>0 then
' Signature checks. Matching is done on the lower-cased text, so every
' pattern below is lower case as well.
' The leading newline gives patterns with a one-character prefix (the [^.]
' check below) something to match when the keyword opens the file.
filetxt = vbcrlf & filetxt
' Link to the file, shown relative to the web root; reused by every row below.
temp = "<a href=""http://"&request.servervariables("server_name")&"/"&turlencode(replace(replace(filepath,server.mappath("\")&"\","",1,1,1),"\","/"))&""" target=_blank>"&replace(filepath,server.mappath("\")&"\","",1,1,1)&"</a>"
'check "wscr"&domybest&"ipt.shell"
' Shell component, by ProgID or by CLSID.
if instr( filetxt, lcase("wscr"&domybest&"ipt.shell") ) or instr( filetxt, lcase("clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8") ) then
report = report&"<tr><td>"&temp&"</td><td>wscr"&domybest&"ipt.shell 或者 clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8</td><td><font color=red>危险组件,一般被asp木马利用</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check "she"&domybest&"ll.application"
' Shell automation component, by ProgID or by CLSID.
if instr( filetxt, lcase("she"&domybest&"ll.application") ) or instr( filetxt, lcase("clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000") ) then
report = report&"<tr><td>"&temp&"</td><td>she"&domybest&"ll.application 或者 clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000</td><td><font color=red>危险组件,一般被asp木马利用</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check .encode
' Encoded-script language directive: the page's source cannot be reviewed as is.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "\blanguage\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).encode</td><td><font color=red>似乎脚本被加密了</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check my asp backdoor :(
' Dynamic evaluation of a string. Also legitimate in client-side JavaScript,
' which is why the row itself says it may be a false positive.
regex.pattern = "\bev"&"al\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>ev"&"al</td><td>e"&"val()函数可以执行任意asp代码,被一些后门利用。其形式一般是:ev"&"al(x)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check exe&cute backdoor
' Statement form of the same capability. The [^.] prefix skips method calls,
' which the server-side call checks further down handle separately.
regex.pattern = "[^.]\bexe"&"cute\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>exec"&"ute</td><td><font color=red>e"&"xecute()函数可以执行任意asp代码,被一些后门利用。其形式一般是:ex"&"ecute(x)</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'----------------------start update 200605031-----------------------------
' File-writing capability through the scripting runtime, a stream object or
' the XML DOM; a webshell needs one of these to drop or edit files.
'check .create&textfile and .opentext&file
regex.pattern = "\.(open|create)textfile\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>.createtextfile|.opentextfile</td><td>使用了fso的createtextfile|opentextfile函数读写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check .savet&ofile
regex.pattern = "\.savetofile\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>.savetofile</td><td>使用了stream的savetofile函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check .&save
regex.pattern = "\.save\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>.save</td><td>使用了xmlhttp的save函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'------------------ end ----------------------------
set regex = nothing
'check include file
' Follow file= include directives. Targets whose extension is in the scan
' list are skipped here because the directory walk reaches them anyway;
' other targets (e.g. .inc) are scanned now, resolved against this file's folder.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--\s*#include\s*file\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
' Text between the first quote and the closing one, with / normalised to \.
tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1),"/","\")
if not checkext(fsos.getextensionname(tfile)) then
call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
'check include virtual
' Same for virtual= includes, which are resolved from the web root instead.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--\s*#include\s*virtual\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1),"/","\")
if not checkext(fsos.getextensionname(tfile)) then
call scanfile( server.mappath("\")&"\"&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
'check server&.execute|transfer
' Server-side call whose target is a quoted literal: followed like an include.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]*|\()"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1),"/","\")
if not checkext(fsos.getextensionname(tfile)) then
call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
'check server&.execute|transfer
' Same call with a non-literal argument: it cannot be followed, so it is
' reported for manual review instead.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]*|\()[^""]\)"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>server.exec"&"ute</td><td><font color=red>不能跟踪检查server.e"&"xecute()函数执行的文件。请管理员自行检查</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
set matches = nothing
set regex = nothing
'check runatscript
' Server-side script tags with a src attribute: pull out the src value,
' quoted or bare (a bare value is cut at the first space, tab, newline
' or '>'), and scan that file relative to this one.
set xregex = new regexp
xregex.ignorecase = true
xregex.global = true
xregex.pattern = "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
set xmatches = xregex.execute(filetxt)
for each match in xmatches
' Only the opening tag, up to its '>', is inspected.
tmplake2 = mid(match.value, 1, instr(match.value, ">"))
srcseek = instr(1, tmplake2, "src", 1)
if srcseek > 0 then
srcseek2 = instr(srcseek, tmplake2, "=")
' Skip up to 50 characters of whitespace after the '='.
for i = 1 to 50
tmp = mid(tmplake2, srcseek2 + i, 1)
if tmp <> " " and tmp <> chr(9) and tmp <> vbcrlf then
exit for
end if
next
if tmp = """" then
tmpname = mid(tmplake2, srcseek2 + i + 1, instr(srcseek2 + i + 1, tmplake2, """") - srcseek2 - i - 1)
else
if instr(srcseek2 + i + 1, tmplake2, " ") > 0 then tmpname = mid(tmplake2, srcseek2 + i, instr(srcseek2 + i + 1, tmplake2, " ") - srcseek2 - i) else tmpname = tmplake2
if instr(tmpname, chr(9)) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, chr(9)) - 1)
if instr(tmpname, vbcrlf) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, vbcrlf) - 1)
if instr(tmpname, ">") > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, ">") - 1)
end if
call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tmpname , replace(filepath,server.mappath("\")&"\","",1,1,1))
sumfiles = sumfiles + 1
end if
next
' NOTE(review): these release regex/matches rather than the xregex/xmatches
' created above; xregex is only released when the sub returns.
set matches = nothing
set regex = nothing
'check crea"&"teobject
' Object creation whose argument is not one plain string literal (built with
' & or +, unquoted, or with nested parentheses) is reported as an obfuscated
' call; the first such hit ends the scan of this file.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "createo"&"bject[ |\t]*\(.*\)"
set matches = regex.execute(filetxt)
for each match in matches
if instr(match.value, "&") or instr(match.value, "+") or instr(match.value, """") = 0 or instr(match.value, "(") <> instrrev(match.value, "(") then
report = report&"<tr><td>"&temp&"</td><td>creat"&"eobject</td><td>crea"&"teobject函数使用了变形技术。可能是误报"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
exit sub
end if
next
set matches = nothing
set regex = nothing
end if
set ofile = nothing
set fsos = nothing
end sub
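' True when fileext (the extension without its dot) is one of the comma-
' separated entries in the global dimfileext; "*" accepts every file.
' The entries come from the scan form, so the comparison is case-insensitive
' and ignores spaces around each entry (the original matched only an exact,
' lower-case entry and kept looping after recognising "*").
function checkext(fileext)
dim want, i
checkext = false
if dimfileext = "*" then
checkext = true
exit function
end if
want = split(dimfileext, ",")
for i = 0 to ubound(want)
if lcase(fileext) = lcase(trim(want(i))) then
checkext = true
exit function
end if
next
end function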
' Last-modified timestamp of filepath, read through a throwaway FSO handle.
' Raises the FSO error if the file cannot be opened.
function getdatemodify(filepath)
dim fsobj
set fsobj = createobject("scripting.filesystemobject")
getdatemodify = fsobj.getfile(filepath).datelastmodified
set fsobj = nothing
end function
' Creation timestamp of filepath, read through a throwaway FSO handle.
' Raises the FSO error if the file cannot be opened.
function getdatecreate(filepath)
dim fsobj
set fsobj = createobject("scripting.filesystemobject")
getdatecreate = fsobj.getfile(filepath).datecreated
set fsobj = nothing
end function
' Minimal percent-encoding for a web-relative file path that is placed into
' an href: only "%", "#" and "&" are escaped, and "%" goes first so the
' other replacements are not double-encoded.
function turlencode(str)
dim plain, coded, i, out
plain = array("%", "#", "&")
coded = array("%25", "%23", "%26")
out = str
for i = 0 to ubound(plain)
out = replace(out, plain(i), coded(i))
next
turlencode = out
end function
' Walk path recursively, handing every file that passes checkext to isfind
' (date / content search) and counting files and folders in the globals
' sumfiles and sumfolders. Folders that do not exist are skipped.
sub showallfile2(path)
dim fs, folder, entry, child
set fs = createobject("scripting.filesystemobject")
if not fs.folderexists(path) then exit sub
set folder = fs.getfolder(path)
for each entry in folder.files
if checkext(fs.getextensionname(path & "\" & entry.name)) then
call isfind(path & "\" & entry.name)
sumfiles = sumfiles + 1
end if
next
for each child in folder.subfolders
sumfolders = sumfolders + 1
showallfile2 path & "\" & child.name
next
set fs = nothing
end sub
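' Decide whether thepath matches the posted search criteria (a modification
' day listed in search_date, or "all", plus an optional case-insensitive
' substring in search_content) and, if it does, append a row to the global
' report and increment the global sun.
' thepath: absolute file path. Files whose date cannot be split or whose
' content cannot be read are skipped silently.
' Changes from the original: the date list is matched once instead of
' re-reading the file per list entry, entries are trimmed, the content field
' is read through request.form in both places (the original tested
' request(...) but compared against request.form(...)), and the file handle
' is closed on every path rather than only on a miss.
sub isfind(thepath)
dim thedate, daypart, wanteddays, i, matched, fsos, ofile, filetxt, needle, temp
thedate = getdatemodify(thepath)
on error resume next
' Date-only part of the timestamp, in the server's display format - the
' form pre-fills search_date the same way, so a plain string compare works.
daypart = mid(thedate, 1, instr(thedate, " ") - 1)
if err then exit sub
matched = (request.form("search_date") = "all")
if not matched then
wanteddays = split(request.form("search_date"), ";")
for i = 0 to ubound(wanteddays)
if daypart = trim(wanteddays(i)) then
matched = true
exit for
end if
next
end if
if not matched then exit sub
needle = lcase(request.form("search_content"))
if needle <> "" then
set fsos = createobject("scripting.filesystemobject")
set ofile = fsos.opentextfile(thepath, 1, false, -2)
filetxt = lcase(ofile.readall())
ofile.close()
set ofile = nothing
set fsos = nothing
' A failed read leaves filetxt empty, which simply counts as no match.
if instr(filetxt, needle) = 0 then exit sub
end if
temp = "<a href=""http://"&request.servervariables("server_name")&"/"&turlencode(replace(replace(thepath,server.mappath("\")&"\","",1,1,1),"\","/"))&""" target=_blank>"&replace(thepath,server.mappath("\")&"\","",1,1,1)&"</a>"
report = report&"<tr><td>"&temp&"</td><td>"&getdatecreate(thepath)&"</td><td>"&thedate&"</td></tr>"
sun = sun + 1
end sub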
%>
这回的默认密码是security
当然啦,哈哈,lake2“比武招亲”,欢迎各位朋友提出绕过检测的马马来,一经证实,lake2将把我自己写的某asp木马“嫁”给他^_^ 特别有创意的,送你一个我最新弄出来的脚本,具体嘛,嘿嘿,到时候就知道啦。
战书已下,谁来迎战?
源码,另存为asp文件即可使用:
<%@language="vbscript" codepage="936"%>
<%
' Login gate for the scanner. The password below is the shipped default and is
' compared verbatim (case-sensitive) against the posted pwd field; change it
' before putting the page on a server.
password = "security"
' report accumulates the HTML table rows produced by the scan subs further down.
dim report
' Only a POST to ?act=login is a login attempt; a correct password marks the
' session as authenticated for the rest of the page's branches.
isloginpost = (request.querystring("act") = "login")
if isloginpost and request.form("pwd") = password then session("pig") = 1
%>
<!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title>scan webshell -- aspsecurity for hacking</title>
<style type="text/css">
<!--
body,td,th {
font-size: 12px;
}
-->
</style>
</head>
<body>
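<%if session("pig") <> 1 then%>
<form name="form1" method="post" action="?act=login">
<div align="center">password:
<input name="pwd" type="password" size="15">
<input type="submit" name="submit" value="提交">
</div>
</form>
<%
else
' Logged in: show the scan form unless this request is the form's own ?act=scan post.
if request.querystring("act")<>"scan" then
%>
<form action="?act=scan" method="post" name="form1">
<p><b>填入你要检查的路径:</b>
<input name="path" type="text" style="border:1px solid #999" value="." size="30" />
<br>
* 网站根目录的相对路径,填“\”即检查整个网站;“.”为程序所在目录<br>
<br>
你要干什么:
<input name="radiobutton" type="radio" value="sws" checked>
查asp木马
<input type="radio" name="radiobutton" value="sf">
搜索符合条件之文件<br>
<br>
-------------- 如果搜索文件需将以下内容填写完整 ------------------<br>
<br>
查找内容:
<input name="search_content" type="text" id="search_content" style="border:1px solid #999" size="20">
* 要查找的字符串,不填就只进行日期检查<br/>
修改日期:
<input name="search_date" type="text" style="border:1px solid #999" value="<%=left(now(),instr(now()," ")-1)%>" size="20">
* 多个日期用;隔开,任意日期填写<a href="#" onclick="javascript:form1.search_date.value='all'">all</a><br/>
文件类型:
<input name="search_fileext" type="text" style="border:1px solid #999" value="*" size="20">
* 类型之间用,隔开,*表示所有类型 <br>
<br>
<input type="submit" value=" 开始扫描 " style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" />
</p>
</form>
<%
else
' Scan request. A recursive walk of a large site can take a while, so lift the timeout.
server.scripttimeout = 600
if request.form("path")="" then
response.write("no hack")
response.end()
end if
' Map the posted path: "\" is the web root, "." the scanner's own folder,
' anything else is taken relative to the web root.
if request.form("path")="\" then
tmppath = server.mappath("\")
elseif request.form("path")="." then
tmppath = server.mappath(".")
else
tmppath = server.mappath("\")&"\"&request.form("path")
' The field is user input: normalise the mapped path (this collapses ".."
' segments) and refuse anything that does not stay under the web root, so
' neither the scan nor the content search (which reports which files contain
' a given string) can be pointed at directories elsewhere on the server.
' A dedicated variable is used because the helper subs have locals named fso.
set rootfso = createobject("scripting.filesystemobject")
webroot = lcase(rootfso.getabsolutepathname(server.mappath("\")))
tmppath = rootfso.getabsolutepathname(tmppath)
set rootfso = nothing
if right(webroot, 1) = "\" then webroot = left(webroot, len(webroot) - 1)
if lcase(tmppath) <> webroot and left(lcase(tmppath), len(webroot) + 1) <> webroot & "\" then
response.write("no hack")
response.end()
end if
end if
timer1 = timer
' Script-level counters and settings the helper subs update or read:
' sun = suspicious hits, sumfiles = files examined, sumfolders = folders
' walked (starts at 1 for the top folder), dimfileext = extension list for checkext.
sun = 0
sumfiles = 0
sumfolders = 1
if request.form("radiobutton") = "sws" then
' Webshell scan: only these server-side script extensions are opened.
dimfileext = "asp,cer,asa,cdx"
call showallfile(tmppath)
else
' File search: date, extension list and (optionally) a content substring.
if request.form("path") = "" or request.form("search_date") = "" or request.form("search_fileext") = "" then
response.write("缉捕条件不完全,恕难从命<br><br><a href='javascript:history.go(-1);'>请返回重新输入</a>")
response.end()
end if
dimfileext = request.form("search_fileext")
call showallfile2(tmppath)
end if
%>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="ccontent">
<tr>
<th> scan webshell -- aspsecurity for hacking
</tr>
<tr>
<td class="cpanel" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<div id="updateinfo" style="background:ffffe1;border:1px solid #89441f;padding:4px;display:none"></div>
扫描完毕!一共检查文件夹<font color="#ff0000"><%=sumfolders%></font>个,文件<font color="#ff0000"><%=sumfiles%></font>个,发现可疑点<font color="#ff0000"><%=sun%></font>个
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="top">
<table width="100%" border="1" cellpadding="0" cellspacing="0" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<tr>
<%if request.form("radiobutton") = "sws" then%>
<td width="20%">文件相对路径</td>
<td width="20%">特征码</td>
<td width="40%">描述</td>
<td width="20%">创建/修改时间</td>
<%else%>
<td width="50%">文件相对路径</td>
<td width="25%">文件创建时间</td>
<td width="25%">修改时间</td>
<%end if%>
</tr>
<p>
<%=report%>
<br/></p>
</table></td>
</tr>
</table>
</td></tr></table>
<%
' Elapsed time: timer is in seconds, reported as milliseconds with one decimal.
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
response.write "<br><font size=""2"">本页执行共用了"&thetime&"毫秒</font>"
end if
end if
%>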
<hr>
<div align="center">本程序取自<a href="http://www.0x54.org" target="_blank">雷客图asp站长安全助手</a>的asp木马查找和可疑文件搜索功能<br>
powered by <a href="http://lake2.0x54.org" target=_blank>lake2</a> ( build 20060615 ) </div>
</body>
</html>
<%
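' Walk path and every subfolder, scanning each file whose extension passes
' checkext and counting files/folders in the globals sumfiles/sumfolders.
' path: absolute folder path without a trailing backslash; folders that do
' not exist are skipped silently.
' (The original concatenated a never-assigned local, temp, into the file path;
' it evaluated to "" but would break every path if a script-level temp ever
' appeared. This version mirrors showallfile2 and releases the folder object.)
sub showallfile(path)
dim fso, folder, entry, subfolder
set fso = createobject("scripting.filesystemobject")
if not fso.folderexists(path) then exit sub
set folder = fso.getfolder(path)
for each entry in folder.files
' The extension test only needs the bare name; the scan needs the full path.
if checkext(fso.getextensionname(entry.name)) then
' "" = reached by the walk itself, not through an include directive.
call scanfile(path & "\" & entry.name, "")
sumfiles = sumfiles + 1
end if
next
for each subfolder in folder.subfolders
showallfile path & "\" & subfolder.name
sumfolders = sumfolders + 1
next
set folder = nothing
set fso = nothing
end sub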
' Scan one file for webshell indicators and append one report row per hit.
' filepath: absolute path of the file to read.
' infile:   web-relative path of the page that includes or runs this file,
'           or "" when the directory walk reached the file directly.
' Side effects: appends HTML rows to the global report, increments the
' globals sun (hits) and sumfiles (files reached through includes), and
' recurses into files named by include directives, server-side script src
' attributes and server-side calls whose target is a quoted literal.
' The indicator strings below are spliced with domybest, which is never
' assigned anywhere in this file and so reads as an empty string; presumably
' this keeps the signatures from appearing verbatim in the scanner's own
' source, which is itself an .asp file inside the scanned tree.
' NOTE(review): nothing guards against include cycles between files whose
' extension is not in dimfileext; two such files including each other would
' presumably recurse until the script times out.
sub scanfile(filepath, infile)
if infile <> "" then
' Appended to the description column so the reader sees which page pulls this file in.
infiles = "<font color=red>该文件被<a href=""http://"&request.servervariables("server_name")&"/"&turlencode(infile)&""" target=_blank>"& infile & "</a>文件包含执行</font>"
end if
set fsos = createobject("scripting.filesystemobject")
' Best-effort read: an unreadable or missing file (e.g. a dangling include) is
' skipped. Errors raised further down are swallowed too; Err is never cleared.
on error resume next
set ofile = fsos.opentextfile(filepath)
filetxt = lcase(ofile.readall())
if err then exit sub end if
if len(filetxt)>0 then
' Signature checks. Matching is done on the lower-cased text, so every
' pattern below is lower case as well.
' The leading newline gives patterns with a one-character prefix (the [^.]
' check below) something to match when the keyword opens the file.
filetxt = vbcrlf & filetxt
' Link to the file, shown relative to the web root; reused by every row below.
temp = "<a href=""http://"&request.servervariables("server_name")&"/"&turlencode(replace(replace(filepath,server.mappath("\")&"\","",1,1,1),"\","/"))&""" target=_blank>"&replace(filepath,server.mappath("\")&"\","",1,1,1)&"</a>"
'check "wscr"&domybest&"ipt.shell"
' Shell component, by ProgID or by CLSID.
if instr( filetxt, lcase("wscr"&domybest&"ipt.shell") ) or instr( filetxt, lcase("clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8") ) then
report = report&"<tr><td>"&temp&"</td><td>wscr"&domybest&"ipt.shell 或者 clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8</td><td><font color=red>危险组件,一般被asp木马利用</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check "she"&domybest&"ll.application"
' Shell automation component, by ProgID or by CLSID.
if instr( filetxt, lcase("she"&domybest&"ll.application") ) or instr( filetxt, lcase("clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000") ) then
report = report&"<tr><td>"&temp&"</td><td>she"&domybest&"ll.application 或者 clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000</td><td><font color=red>危险组件,一般被asp木马利用</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check .encode
' Encoded-script language directive: the page's source cannot be reviewed as is.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "\blanguage\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).encode</td><td><font color=red>似乎脚本被加密了</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check my asp backdoor :(
' Dynamic evaluation of a string. Also legitimate in client-side JavaScript,
' which is why the row itself says it may be a false positive.
regex.pattern = "\bev"&"al\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>ev"&"al</td><td>e"&"val()函数可以执行任意asp代码,被一些后门利用。其形式一般是:ev"&"al(x)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check exe&cute backdoor
' Statement form of the same capability. The [^.] prefix skips method calls,
' which the server-side call checks further down handle separately.
regex.pattern = "[^.]\bexe"&"cute\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>exec"&"ute</td><td><font color=red>e"&"xecute()函数可以执行任意asp代码,被一些后门利用。其形式一般是:ex"&"ecute(x)</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'----------------------start update 200605031-----------------------------
' File-writing capability through the scripting runtime, a stream object or
' the XML DOM; a webshell needs one of these to drop or edit files.
'check .create&textfile and .opentext&file
regex.pattern = "\.(open|create)textfile\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>.createtextfile|.opentextfile</td><td>使用了fso的createtextfile|opentextfile函数读写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check .savet&ofile
regex.pattern = "\.savetofile\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>.savetofile</td><td>使用了stream的savetofile函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'check .&save
regex.pattern = "\.save\b"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>.save</td><td>使用了xmlhttp的save函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
'------------------ end ----------------------------
set regex = nothing
'check include file
' Follow file= include directives. Targets whose extension is in the scan
' list are skipped here because the directory walk reaches them anyway;
' other targets (e.g. .inc) are scanned now, resolved against this file's folder.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--\s*#include\s*file\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
' Text between the first quote and the closing one, with / normalised to \.
tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1),"/","\")
if not checkext(fsos.getextensionname(tfile)) then
call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
'check include virtual
' Same for virtual= includes, which are resolved from the web root instead.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--\s*#include\s*virtual\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1),"/","\")
if not checkext(fsos.getextensionname(tfile)) then
call scanfile( server.mappath("\")&"\"&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
'check server&.execute|transfer
' Server-side call whose target is a quoted literal: followed like an include.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]*|\()"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1),"/","\")
if not checkext(fsos.getextensionname(tfile)) then
call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
'check server&.execute|transfer
' Same call with a non-literal argument: it cannot be followed, so it is
' reported for manual review instead.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]*|\()[^""]\)"
if regex.test(filetxt) then
report = report&"<tr><td>"&temp&"</td><td>server.exec"&"ute</td><td><font color=red>不能跟踪检查server.e"&"xecute()函数执行的文件。请管理员自行检查</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
set matches = nothing
set regex = nothing
'check runatscript
' Server-side script tags with a src attribute: pull out the src value,
' quoted or bare (a bare value is cut at the first space, tab, newline
' or '>'), and scan that file relative to this one.
set xregex = new regexp
xregex.ignorecase = true
xregex.global = true
xregex.pattern = "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
set xmatches = xregex.execute(filetxt)
for each match in xmatches
' Only the opening tag, up to its '>', is inspected.
tmplake2 = mid(match.value, 1, instr(match.value, ">"))
srcseek = instr(1, tmplake2, "src", 1)
if srcseek > 0 then
srcseek2 = instr(srcseek, tmplake2, "=")
' Skip up to 50 characters of whitespace after the '='.
for i = 1 to 50
tmp = mid(tmplake2, srcseek2 + i, 1)
if tmp <> " " and tmp <> chr(9) and tmp <> vbcrlf then
exit for
end if
next
if tmp = """" then
tmpname = mid(tmplake2, srcseek2 + i + 1, instr(srcseek2 + i + 1, tmplake2, """") - srcseek2 - i - 1)
else
if instr(srcseek2 + i + 1, tmplake2, " ") > 0 then tmpname = mid(tmplake2, srcseek2 + i, instr(srcseek2 + i + 1, tmplake2, " ") - srcseek2 - i) else tmpname = tmplake2
if instr(tmpname, chr(9)) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, chr(9)) - 1)
if instr(tmpname, vbcrlf) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, vbcrlf) - 1)
if instr(tmpname, ">") > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, ">") - 1)
end if
call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tmpname , replace(filepath,server.mappath("\")&"\","",1,1,1))
sumfiles = sumfiles + 1
end if
next
' NOTE(review): these release regex/matches rather than the xregex/xmatches
' created above; xregex is only released when the sub returns.
set matches = nothing
set regex = nothing
'check crea"&"teobject
' Object creation whose argument is not one plain string literal (built with
' & or +, unquoted, or with nested parentheses) is reported as an obfuscated
' call; the first such hit ends the scan of this file.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "createo"&"bject[ |\t]*\(.*\)"
set matches = regex.execute(filetxt)
for each match in matches
if instr(match.value, "&") or instr(match.value, "+") or instr(match.value, """") = 0 or instr(match.value, "(") <> instrrev(match.value, "(") then
report = report&"<tr><td>"&temp&"</td><td>creat"&"eobject</td><td>crea"&"teobject函数使用了变形技术。可能是误报"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
exit sub
end if
next
set matches = nothing
set regex = nothing
end if
set ofile = nothing
set fsos = nothing
end sub
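' True when fileext (the extension without its dot) is one of the comma-
' separated entries in the global dimfileext; "*" accepts every file.
' The entries come from the scan form, so the comparison is case-insensitive
' and ignores spaces around each entry (the original matched only an exact,
' lower-case entry and kept looping after recognising "*").
function checkext(fileext)
dim want, i
checkext = false
if dimfileext = "*" then
checkext = true
exit function
end if
want = split(dimfileext, ",")
for i = 0 to ubound(want)
if lcase(fileext) = lcase(trim(want(i))) then
checkext = true
exit function
end if
next
end function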
' Last-modified timestamp of filepath, read through a throwaway FSO handle.
' Raises the FSO error if the file cannot be opened.
function getdatemodify(filepath)
dim fsobj
set fsobj = createobject("scripting.filesystemobject")
getdatemodify = fsobj.getfile(filepath).datelastmodified
set fsobj = nothing
end function
' Creation timestamp of filepath, read through a throwaway FSO handle.
' Raises the FSO error if the file cannot be opened.
function getdatecreate(filepath)
dim fsobj
set fsobj = createobject("scripting.filesystemobject")
getdatecreate = fsobj.getfile(filepath).datecreated
set fsobj = nothing
end function
' Minimal percent-encoding for a web-relative file path that is placed into
' an href: only "%", "#" and "&" are escaped, and "%" goes first so the
' other replacements are not double-encoded.
function turlencode(str)
dim plain, coded, i, out
plain = array("%", "#", "&")
coded = array("%25", "%23", "%26")
out = str
for i = 0 to ubound(plain)
out = replace(out, plain(i), coded(i))
next
turlencode = out
end function
' Walk path recursively, handing every file that passes checkext to isfind
' (date / content search) and counting files and folders in the globals
' sumfiles and sumfolders. Folders that do not exist are skipped.
sub showallfile2(path)
dim fs, folder, entry, child
set fs = createobject("scripting.filesystemobject")
if not fs.folderexists(path) then exit sub
set folder = fs.getfolder(path)
for each entry in folder.files
if checkext(fs.getextensionname(path & "\" & entry.name)) then
call isfind(path & "\" & entry.name)
sumfiles = sumfiles + 1
end if
next
for each child in folder.subfolders
sumfolders = sumfolders + 1
showallfile2 path & "\" & child.name
next
set fs = nothing
end sub
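' Decide whether thepath matches the posted search criteria (a modification
' day listed in search_date, or "all", plus an optional case-insensitive
' substring in search_content) and, if it does, append a row to the global
' report and increment the global sun.
' thepath: absolute file path. Files whose date cannot be split or whose
' content cannot be read are skipped silently.
' Changes from the original: the date list is matched once instead of
' re-reading the file per list entry, entries are trimmed, the content field
' is read through request.form in both places (the original tested
' request(...) but compared against request.form(...)), and the file handle
' is closed on every path rather than only on a miss.
sub isfind(thepath)
dim thedate, daypart, wanteddays, i, matched, fsos, ofile, filetxt, needle, temp
thedate = getdatemodify(thepath)
on error resume next
' Date-only part of the timestamp, in the server's display format - the
' form pre-fills search_date the same way, so a plain string compare works.
daypart = mid(thedate, 1, instr(thedate, " ") - 1)
if err then exit sub
matched = (request.form("search_date") = "all")
if not matched then
wanteddays = split(request.form("search_date"), ";")
for i = 0 to ubound(wanteddays)
if daypart = trim(wanteddays(i)) then
matched = true
exit for
end if
next
end if
if not matched then exit sub
needle = lcase(request.form("search_content"))
if needle <> "" then
set fsos = createobject("scripting.filesystemobject")
set ofile = fsos.opentextfile(thepath, 1, false, -2)
filetxt = lcase(ofile.readall())
ofile.close()
set ofile = nothing
set fsos = nothing
' A failed read leaves filetxt empty, which simply counts as no match.
if instr(filetxt, needle) = 0 then exit sub
end if
temp = "<a href=""http://"&request.servervariables("server_name")&"/"&turlencode(replace(replace(thepath,server.mappath("\")&"\","",1,1,1),"\","/"))&""" target=_blank>"&replace(thepath,server.mappath("\")&"\","",1,1,1)&"</a>"
report = report&"<tr><td>"&temp&"</td><td>"&getdatecreate(thepath)&"</td><td>"&thedate&"</td></tr>"
sun = sun + 1
end sub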
%>