<% Dim Report PASSWORD="admin" '密码 VERSION="" ' URL=Request.ServerVariables("URL") FileName=Right(URL,Len(URL)-InStrRev(URL,"/")) ServerName=Request.Servervariables("SERVER_NAME") ServerPort=":"&Request.ServerVariables("SERVER_PORT") WebSiteRoot=Server.MapPath("\") CurrentlyRoot=Server.MapPath(".") RQSact=Request.QueryString("act") RQSFileManager=Request.QueryString("filemanager") RQSFilePath=Request.QueryString("filepath") If RQSact="login" Then If Request.Form("pwd")=PASSWORD Then Session("KOA")=1 End If Set FSO=Server.CreateObject("Scripting.FileSystemObject") %> <%If Session("KOA")<>1 Then%>

<% Else If RQSact<>"scan" And RQSFileManager="" Then %>

KOA ASP类 WebShell扫描工具
输入你要检查的路径：* 三种填写方法,比如“E:\wwwroot”;填“\”为整个网站;“.”为本文件所在目录
请选择扫描方式：查木马(耗资源) 查找IIS解析漏洞的文件搜索符合下面条件的文件
功能说明：查找后缀名为asp,asa,cdx,cer,aspx等木马如果目录下文件过多，容易脚本超时。
版本号:<%=VERSION%> 版权所有:http://tophack.net/ 欢迎传播推广，修改请保留版权。

<% ElseIf RQSFileManager<>"" Then On Error Resume Next If RQSFileManager="delfile" Then Call FSO.DeleteFile(RQSFilePath,True) ChkErr(Err) Response.Write "" ElseIf RQSFileManager="savefile" Then FileContent=Request.Form("fileContent") Set oFile=FSO.OpenTextFile(RQSFilePath,2,True) oFile.Write FileContent oFile.Close ChkErr(Err) Response.Write "" ElseIf RQSFileManager="editfile" Then Set oFile=FSO.OpenTextFile(RQSFilePath) ChkErr(Err) FileTxt=Server.HtmlEncode(oFile.ReadAll()) %>

“<%=RQSFilePath%>”文件代码
删除保存关闭友情提示：如果你看到下面的代码是乱码，请不要使用本程序修改文件。
<%=FileTxt%>
删除保存关闭

<% Else Set oFile=FSO.OpenTextFile(RQSFilePath) ChkErr(Err) FileTxt=Server.HtmlEncode(LCase(oFile.ReadAll())) %>

“<%=RQSFilePath%>”文件代码危险脚本已高亮加大
删除编辑关闭友情提示：如果你看到下面的代码是乱码，请不要使用本程序修改文件。
<%=HeightLightCode(Replace(FileTxt,vbNewLine," "))%>
删除编辑关闭

<% End If Set oFile=Nothing Else Server.ScriptTimeout=9999999 FormRB=Request.Form("radiobutton") FormPath=Request.Form("path") FormSD=Request.Form("Search_Date") FormSFE=Request.Form("Search_FileExt") If FormPath="" Then Response.Write("请输入要扫描的目录

返回重新输入") Response.End End If If FormPath="\" Then TmpPath=WebSiteRoot SearchType=1 ElseIf FormPath="." Then TmpPath=CurrentlyRoot SearchType=2 Else TmpPath=FormPath End If Timer1=Timer Sun=0 SumFiles=0 SumFolders=1 If FormRB="koa" Then DimFileExt="asp,asa,cer,cdx,aspx,cgi,php,php3,php4,php5" Call ShowAllFileKOA(TmpPath) ElseIf FormRB="qt" Then Call ShowAllFileQT(TmpPath) Else If FormPath="" Or FormSD="" Or FormSFE="" Then Response.Write("条件不完全，恕难从命

返回重新输入") Response.End End If DimFileExt=FormSFE Call ShowAllFileSF(TmpPath) End If %> 返回使用其他方式扫描

WebShell(木马) 扫描结果

<%If FormRB="koa" Then%> <%Else%> <%End If%> <%=Report%>

文件相对路径

特征码

描述

创建/修改时间

文件相对路径

文件创建时间

修改时间

扫描完毕！一共检查文件夹<%=SumFolders%>个，文件<%=SumFiles%>个，发现可疑点<%=Sun%>个 <% Timer2=Timer TheTime=CStr(Int(((Timer2-Timer1)*10000)+0.5)/10) Response.Write "，本页执行共用了"&TheTime&"毫秒返回使用其他方式扫描" End If End If %> <% '遍历处理path及其子目录所有文件 Sub ShowAllFileKOA(Path) If Not FSO.FolderExists(Path) Then Exit Sub Set f=FSO.GetFolder(Path) Set fc2=f.Files For Each MyFile In fc2 On Error Resume Next If LCase(CurrentlyRoot&"\"&FileName)<>Replace(LCase(Path&"\"&MyFile.Name),"\\","\") And CheckExt(FSO.GetExtensionName(Path&"\"&MyFile.Name)) Then Call ScanFile(Path&"\"&MyFile.Name,"") SumFiles=SumFiles+1 End If Next Set fc=f.SubFolders For Each f1 In fc ShowAllFileKOA Path&"\"&f1.Name SumFolders=SumFolders+1 Next End Sub '检测文件 Sub ScanFile(FilePath,InFile) FilePath=Replace(FilePath,"\\","\") FileCreateDate=GetDateCreate(FilePath) FileModifyDate=GetDateModify(FilePath) If InFile<>"" Then InFile=Replace(InFile,"\\","\") If SearchType=1 Or InStr(LCase(InFile),LCase(WebSiteRoot))>0 Then InFiles="该文件被 "&InFile&" 访问此页查看文件代码文件包含执行" ElseIf SearchType=2 Or InStr(LCase(InFile),LCase(CurrentlyRoot))>0 Then InFiles="该文件被 "&InFile&" 访问此页查看文件代码文件包含执行" Else InFiles="该文件被 "&InFile&" 查看文件代码文件包含执行" End If End If On Error Resume Next Set oFile=FSO.OpenTextFile(FilePath) FileTxt=LCase(oFile.ReadAll()) If Err Then Exit Sub End If If Len(FileTxt)>0 Then '特征码检查 FileTxt=vbcrlf&FileTxt If SearchType=1 Or InStr(LCase(FilePath),LCase(WebSiteRoot))>0 Then Temp=FilePath&"
访问此页查看文件代码" ElseIf SearchType=2 Or InStr(LCase(FilePath),LCase(CurrentlyRoot))>0 Then Temp=FilePath&"
访问此页查看文件代码" Else Temp=FilePath&"
查看文件代码" End If 'Check "WScript.Shell" If InStr(FileTxt,"wscript.shell") Or InStr(FileTxt,"clsid:72c24dd5-d70a-438b-8a42-98424b88afb8") Then Report=Report&""&Temp&"WScript.Shell 或者 clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8危险组件，一般被ASP木马利用"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If 'Check "Shell.Application" If InStr(FileTxt,"shell.application") Or InStr(FileTxt,"clsid:13709620-c279-11ce-a49e-444553540000") Then Report=Report&""&Temp&"Shell.Application 或者 clsid:13709620-C279-11CE-A49E-444553540000危险组件，一般被ASP木马利用"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If 'Check .Encode Set regEx=New RegExp regEx.IgnoreCase=True regEx.Global=True regEx.Pattern="\b(?:vbscript|jscript|javascript).encode\b" If regEx.Test(FileTxt) Then Report=Report&""&Temp&"(vbscript|jscript|javascript).Encode似乎脚本被加密了"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If 'Check eval backdoor regEx.Pattern="\bEval\b" If regEx.Test(FileTxt) Then Report=Report&""&Temp&"Evaleval()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：eval(X)
但是javascript代码中也可以使用，有可能是误报。"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If 'Check execute backdoor regEx.Pattern="[^.]\bExecute\b" If regEx.Test(FileTxt) Then Report=Report&""&Temp&"Executeexecute()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：execute(X)
"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If '查一句话木马（cmdshell） regEx.Pattern="[^.]\bcmdshell\b" If regEx.Test(FileTxt) Then Report=Report&""&Temp&"cmdshellcmdshell
"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If '查一句话木马（serv-u） regEx.Pattern="[^.]\bserv-u\b" If regEx.Test(FileTxt) Then Report=Report&""&Temp&"serv-userv-u提权一般会包含这个字符
"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If 'Check .CreateTextFile|.OpenTextFile regEx.Pattern="\.(?:Open|Create)TextFile\b" If regEx.Test(FileTxt) Then Report=Report&""&Temp&".CreateTextFile|.OpenTextFile使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If 'Check .SaveToFile regEx.Pattern="\.SaveToFile\b" If regEx.Test(FileTxt) Then Report=Report&""&Temp&".SaveToFile使用了Stream的SaveToFile函数写文件"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If 'Check .Name= regEx.Pattern="\.Name\s*=\s*(?!=)" If regEx.Test(FileTxt) Then Report=Report&""&Temp&".Name使用了FSO的.GetFile|.GetFolder函数的.Name更改文件或文件夹名称"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If If InFile<>"" Then MyFileExt=LCase(Right(FilePath,Len(FilePath)-InStrRev(FilePath,"."))) If InStr(MyFileExt,"asp")=0 And InStr(MyFileExt,"asa")=0 And InStr(MyFileExt,"cer")=0 And InStr(MyFileExt,"cdx")=0 And InStr(MyFileExt,"inc")=0 And InStr(MyFileExt,"htm")=0 Then Sun=Sun+1 Report=Report&""&Temp&"Include包含非ASP("&MyFileExt&")文件"&InFiles&""&FileCreateDate&"
"&FileModifyDate&"" End If End If '------------------ End ---------------------------- Set regEx=Nothing 'Check include file|virtual Set regEx=New RegExp regEx.IgnoreCase=True regEx.Global=True regEx.Pattern="" Set Matches=regEx.Execute(FileTxt) For Each Match In Matches tFile=Trim(Replace(regEx.Replace(Match.Value,"$2"),vbCr,"")) If Not CheckExt(FSO.GetExtensionName(tFile)) Then Call ScanFile(Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile,FilePath) SumFiles=SumFiles+1 End If Next Set Matches=Nothing Set regEx=Nothing 'Check Server.Execute|Transfer Set regEx=New RegExp regEx.IgnoreCase=True regEx.Global=True regEx.Pattern="Server.(?:Execute|Transfer)\s*$\s*""(.+)""" Set Matches=regEx.Execute(FileTxt) For Each Match In Matches tFile=Trim(regEx.Replace(Match.Value,"$1")) If Not CheckExt(FSO.GetExtensionName(tFile)) Then Call ScanFile(Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile,FilePath) SumFiles=SumFiles+1 End If Next Set Matches=Nothing Set regEx=Nothing 'Check Server.Execute|Transfer Set regEx=New RegExp regEx.IgnoreCase=True regEx.Global=True regEx.Pattern="Server.(?:Execute|Transfer)\s*\(\s*[^""].+$" If regEx.Test(FileTxt) Then Report=Report&""&Temp&"Server.Execute不能跟踪检查Server.execute()函数执行的文件。请管理员自行检查"&FileCreateDate&"
"&FileModifyDate&"" Sun=Sun+1 End If Set regEx=Nothing 'Check RunatScript Set regEx=New RegExp regEx.IgnoreCase=True regEx.Global=True regEx.Pattern="]*?runat\s*=\s*(""|')?server\1[\s\S]*?>" Set Matches=regEx.Execute(FileTxt) For Each Match In Matches MatchValue=Trim(Replace(Match.Value,vbNewLine," ")) TmpLake2=Mid(MatchValue,1,InStr(MatchValue,">")) srcSeek=InStr(1,TmpLake2,"src",1) If srcSeek>0 Then srcSeek2=InStr(srcSeek,TmpLake2,"=") myteststr=Mid(MatchValue,srcSeek,srcSeek2) For i=1 To 50 Tmp=Mid(TmpLake2,srcSeek2+i,1) If Tmp<>" " And Tmp<>chr(9) And Tmp<>vbCrLf Then Exit For End If Next If Tmp="""" Then TmpName=Mid(TmpLake2,srcSeek2+i+1,InStr(srcSeek2+i+1,TmpLake2,"""")-srcSeek2-i-1) Else If InStr(srcSeek2+i+1,TmpLake2," ")>0 Then TmpName=Mid(TmpLake2,srcSeek2+i,InStr(srcSeek2+i+1,TmpLake2," ")-srcSeek2-i) Else TmpName=TmpLake2 If InStr(TmpName,chr(9))>0 Then TmpName=Mid(TmpName,1,InStr(1,TmpName,chr(9))-1) If InStr(TmpName,vbCrLf)>0 Then TmpName=Mid(TmpName,1,InStr(1,TmpName,vbCrlf)-1) If InStr(TmpName,">")>0 Then TmpName=Mid(TmpName,1,InStr(1,TmpName,">")-1) End If Call ScanFile(Mid(FilePath,1,InStrRev(FilePath,"\"))&TmpName,FilePath) SumFiles=SumFiles+1 End If Next Set Matches=Nothing Set regEx=Nothing End If Set oFile=Nothing End Sub '检查文件后缀，如果与预定的匹配即返回TRUE Function CheckExt(FileExt) If DimFileExt="*" Then CheckExt=True Ext=Split(DimFileExt,",") For i=0 To Ubound(Ext) If LCase(FileExt)=Ext(i) Then CheckExt=True Exit Function End If Next End Function Function GetDateModify(FilePath) Set f=FSO.GetFile(FilePath) s=f.DateLastModified Set f=Nothing GetDateModify=s End Function Function GetDateCreate(FilePath) Set f=FSO.GetFile(FilePath) s=f.DateCreated Set f=Nothing GetDateCreate=s End Function Function tURLEncode(Str) Temp=Replace(Str,"%","%25") Temp=Replace(Temp,"#","%23") Temp=Replace(Temp,"&","%26") Temp=Replace(Temp,"+","%2B") tURLEncode=Temp End Function Function HeightLightCode(Str) HLCStr="" Set regEx=New RegExp regEx.IgnoreCase=True regEx.Global=True regEx.Pattern="([^.]\bExecute)\b|\b(Eval)\b|(\.Name\s*=\s*(?!=))" Temp=regEx.replace(Str,HLCStr&"$1$2$3") Set regEx=Nothing Temp=Replace(Temp,"wscript.shell",HLCStr&"wscript.shell") Temp=Replace(Temp,"shell.application",HLCStr&"shell.application") Temp=Replace(Temp,".encode",HLCStr&".encode") Temp=Replace(Temp,"cmdshell",HLCStr&"cmdshell") Temp=Replace(Temp,"serv-u",HLCStr&"serv-u") Temp=Replace(Temp,".createtextfile",HLCStr&".createtextfile") Temp=Replace(Temp,".opentextfile",HLCStr&".opentextfile") Temp=Replace(Temp,".savetofile",HLCStr&".savetofile") Temp=Replace(Temp,"clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b",HLCStr&"clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b") Temp=Replace(Temp,"clsid:13709620-c279-11ce-a49e-444553540000",HLCStr&"clsid:13709620-c279-11ce-a49e-444553540000") Temp=Replace(Temp,"clsid:0d43fe01-f093-11cf-8940-00a0c9054228",HLCStr&"clsid:0d43fe01-f093-11cf-8940-00a0c9054228") Temp=Replace(Temp,"clsid:72c24dd5-d70a-438b-8a42-98424b88afb8",HLCStr&"clsid:72c24dd5-d70a-438b-8a42-98424b88afb8") HeightLightCode=Temp End Function Sub ChkErr(Err) If Err Then Response.Write"

错误:"&Err.Description&"

错误源:"&Err.Source&"

" Err.Clear Set oFile=Nothing Set FSO=Nothing Response.End End If End Sub Sub ShowAllFileSF(Path) If Not FSO.FolderExists(Path) Then Exit Sub Set f=FSO.GetFolder(Path) Set fc2=f.Files For Each MyFile In fc2 On Error Resume Next If LCase(CurrentlyRoot&"\"&FileName)<>Replace(LCase(Path&"\"&MyFile.Name),"\\","\") And CheckExt(FSO.GetExtensionName(Path&"\"&MyFile.Name)) Then Call IsFind(Path&"\"&MyFile.Name) SumFiles=SumFiles+1 End If Next Set fc=f.SubFolders For Each f1 In fc ShowAllFileSF Path&"\"&f1.Name SumFolders=SumFolders+1 Next Set fc=Nothing Set fc2=Nothing Set f=Nothing End Sub Sub IsFind(ThePath) TheDate=GetDateModify(ThePath) On Error Resume Next TheTmp=Mid(TheDate,1,InStr(TheDate," ")-1) If Err Then Exit Sub xDate=Split(FormSD,";") If FormSD="ALL" Then ALLTime=True For i=0 To Ubound(xDate) If InStr(TheTmp,xDate(i))>0 Or ALLTime=True Then If SearchType=1 Or InStr(Replace(LCase(ThePath),"\\","\"),LCase(WebSiteRoot))>0 Then Temp=ThePath&"
访问此页查看文件代码" ElseIf SearchType=2 Or InStr(Replace(LCase(ThePath),"\\","\"),LCase(CurrentlyRoot))>0 Then Temp=ThePath&"
访问此页查看文件代码" Else Temp=ThePath&"
查看文件代码" End If If Request.Form("Search_Content")<>"" Then Set oFile=FSO.OpenTextFile(ThePath,1,false,-2) FileTxt=LCase(oFile.ReadAll()) If InStr(FileTxt,LCase(Request.Form("Search_Content")))>0 Then Report=Report&""&Temp&""&GetDateCreate(ThePath)&""&TheDate&"" Sun=Sun+1 Exit Sub End If oFile.close() Set oFile=Nothing Else Report=Report&""&Temp&""&GetDateCreate(ThePath)&""&TheDate&"" Sun=Sun+1 Exit Sub End If End If Next End Sub Sub ShowAllFileQT(Path) If Not FSO.FolderExists(Path) Then Exit Sub Set f=FSO.GetFolder(Path) Set fc2=f.Files For Each MyFile In fc2 On Error Resume Next TmpDot=InStrRev(Path&"\"&MyFile.Name,".") TmpBackSlash=InStrRev(Path&"\"&MyFile.Name,"\") TmpSlash=InStrRev(Path&"\"&MyFile.Name,"/") If TmpBackSlash>TmpDot Or TmpSlash>TmpDot Then TempFile=LCase(Path&"\"&MyFile.Name) Else TempFile=LCase(Left(Path&"\"&MyFile.Name,InStrRev(Path&"\"&MyFile.Name,".")-1)) End If If InStr(TempFile,".asp")<>0 Or InStr(TempFile,".asa")<>0 Or InStr(TempFile,".cer")<>0 Or InStr(TempFile,".cdx")<>0 Then Call IsFindAsp(Path&"\"&MyFile.Name) End If SumFiles=SumFiles+1 Next Set fc=f.SubFolders For Each f1 In fc ShowAllFileQT Path&"\"&f1.Name SumFolders=SumFolders+1 Next Set fc=Nothing Set fc2=Nothing Set f=Nothing End Sub Sub IsFindAsp(ThePath) TheDate=GetDateModify(ThePath) On Error Resume Next If SearchType=1 Or InStr(Replace(LCase(ThePath),"\\","\"),LCase(WebSiteRoot))>0 Then Temp=ThePath&"
访问此页查看文件代码" ElseIf SearchType=2 Or InStr(Replace(LCase(ThePath),"\\","\"),LCase(CurrentlyRoot))>0 Then Temp=ThePath&"
访问此页查看文件代码" Else Temp=ThePath&"
查看文件代码" End If Report=Report&""&Temp&""&GetDateCreate(ThePath)&""&TheDate&"" Sun=Sun+1 End Sub Set FSO=Nothing %>

KOA ASP类 WebShell扫描工具