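How much do you know about programs that find ASP trojans (web shells)? If you are interested in ASP trojans, follow the 错新 editor through the details below; we hope you find it helpful.
Source code; save it as an .asp file to use it: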
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<%
'Set the password (change this default before deploying the scanner)
PASSWORD = "security"
dim Report
if request.QueryString("act")="login" then
if request.Form("pwd") = PASSWORD then session("pig")=1
end if
%>
<%If Session("pig") <> 1 then%>
Password:
<%
else
if request.QueryString("act")<>"scan" then
%>
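Enter the path to check:
* Path relative to the site root; enter "/" to check the whole site; "." is the directory containing this program
What do you want to do:
Find ASP trojans
Search for files matching the criteria
-------------- To search for files, fill in all of the following ------------------
Search for:
* String to search for; leave blank to check dates only
Modified date:
* Separate multiple dates with ; and enter ALL for any date
File types:
* Separate types with , and use * for all types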
<%
else
server.ScriptTimeout = 600
if request.Form("path")="" then
response.Write("No Hack")
response.End()
end if
if request.Form("path")="/" then
TmpPath = Server.MapPath("/")
elseif request.Form("path")="." then
TmpPath = Server.MapPath(".")
else
TmpPath = Server.MapPath("/")&"/"&request.Form("path")
end if
timer1 = timer
Sun = 0
SumFiles = 0
SumFolders = 1
If request.Form("radiobutton") = "sws" Then
DimFileExt = "asp,cer,asa,cdx"
Call ShowAllFile(TmpPath)
Else
If request.Form("path") = "" or request.Form("Search_Date") = "" or request.Form("Search_FileExt") = "" Then
'Message: "Search criteria incomplete; please go back and re-enter them"
response.Write("缉捕条件不完全,恕难从命<br>请返回重新输入")
response.End()
End If
DimFileExt = request.Form("Search_fileExt")
Call ShowAllFile2(TmpPath)
End If
%>
Scan WebShell -- ASPSecurity For Hacking
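Scan complete! Checked <%=SumFolders%> folders and <%=SumFiles%> files; found <%=Sun%> suspicious items
<%If request.Form("radiobutton") = "sws" Then%>
Relative file path
Signature
Description
Created/modified time
<%else%>
Relative file path
File creation time
Modified time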
<%end if%>
<%=Report%>
<%
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
'Reports the page execution time in milliseconds
response.write "<br>本页执行共用了"&thetime&"毫秒"
end if
end if
%>
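This program is taken from the ASP trojan detection and suspicious-file search features of 雷客图ASP站长安全助手 (the Lake2 ASP webmaster security assistant)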
powered by lake2 ( Build 20060615 )
<%
'Recursively process every file in path and its subdirectories
Sub ShowAllFile(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
For Each myfile in fc2
If CheckExt(FSO.GetExtensionName(path&"/"&myfile.name)) Then
Call ScanFile(Path&Temp&"/"&myfile.name, "")
SumFiles = SumFiles + 1
End If
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile path&"/"&f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub
'Scan a single file
Sub ScanFile(FilePath, InFile)
If InFile <> "" Then
'Report note: "this file is included and executed by <InFile>"
Infiles = "该文件被"& InFile & "文件包含执行"
End If
Set FSOs = CreateObject("Scripting.FileSystemObject")
on error resume next
set ofile = fsos.OpenTextFile(FilePath)
filetxt = Lcase(ofile.readall())
If err Then Exit Sub end if
if len(filetxt)>0 then
'Signature checks
filetxt = vbcrlf & filetxt
temp = ""&replace(FilePath,server.MapPath("/")&"/","",1,1,1)&""
'Check "WScr"&DoMyBest&"ipt.Shell"
If instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
'Report text: "dangerous component, commonly used by ASP trojans"
Report = Report&""&temp&"WScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8危险组件,一般被ASP木马利用"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""
Sun = Sun + 1
End if
'Check "She"&DoMyBest&"ll.Application"
If instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
'Report text: "dangerous component, commonly used by ASP trojans"
Report = Report&""&temp&"She"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000危险组件,一般被ASP木马利用"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""
Sun = Sun + 1
End If
'Check .Encode
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "\bLANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
If regEx.Test(filetxt) Then
'Report text: "the script appears to be encoded"
Report = Report&""&temp&"(vbscript|jscript|javascript).Encode似乎脚本被加密了"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""
Sun = Sun + 1
End If
'Check my ASP backdoor :(
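regEx.Pattern = "\bEv"&"al\b"
If regEx.Test(filetxt) Then
'Report text: "eval() can execute arbitrary ASP code and is used by some backdoors, typically as eval(X);
'it can also appear in JavaScript code, so this may be a false positive"
Report = Report&""&temp&"Ev"&"ale"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""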
Sun = Sun + 1
End If
'Check exe&cute backdoor
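regEx.Pattern = "[^.]\bExe"&"cute\b"
If regEx.Test(filetxt) Then
'Report text: "execute() can execute arbitrary ASP code and is used by some backdoors, typically as execute(X)"
Report = Report&""&temp&"Exec"&"utee"&"xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)<br>"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""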
Sun = Sun + 1
End If
'----------------------Start Update 200605031-----------------------------
'Check .Create&TextFile and .OpenText&File
regEx.Pattern = "\.(Open|Create)TextFile\b"
If regEx.Test(filetxt) Then
'Report text: "uses the FSO CreateTextFile|OpenTextFile functions to read or write files"
Report = Report&""&temp&".CreateTextFile|.OpenTextFile使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""
Sun = Sun + 1
End If
'Check .SaveT&oFile
regEx.Pattern = "\.SaveToFile\b"
If regEx.Test(filetxt) Then
'Report text: "uses the Stream SaveToFile function to write files"
Report = Report&""&temp&".SaveToFile使用了Stream的SaveToFile函数写文件"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""
Sun = Sun + 1
End If
'Check .&Save
regEx.Pattern = "\.Save\b"
If regEx.Test(filetxt) Then
'Report text: "uses the XMLHTTP Save function to write files"
Report = Report&""&temp&".Save使用了XMLHTTP的Save函数写文件"&infiles&""&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&""
Sun = Sun + 1
End If
'------------------ End ----------------------------
Set regEx = Nothing
'Check include file
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "
That is the program for finding ASP trojans. Did you get it?
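The signature checks in ScanFile, ported to Python as an added example (not part of the original program) and extended to follow `#include` directives, so that a flagged file pulled in by a script is reported together with the file that includes it. The include pattern, the function names `scan_file` and `scan_site`, and the sample site are assumptions made for this example; the page's own include check is cut off.

```python
import posixpath
import re

# Signature checks ported from the page's ScanFile sub.
SIGNATURES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("WScript.Shell", r"wscript\.shell|clsid:72c24dd5-d70a-438b-8a42-98424b88afb8"),
    ("Shell.Application", r"shell\.application|clsid:13709620-c279-11ce-a49e-444553540000"),
    (".Encode", r'\blanguage\s*=\s*["]?\s*(vbscript|jscript|javascript).encode\b'),
    ("Eval", r"\beval\b"),
    ("Execute", r"[^.]\bexecute\b"),
    ("Open/CreateTextFile", r"\.(open|create)textfile\b"),
    ("SaveToFile", r"\.savetofile\b"),
    ("Save", r"\.save\b"),
]]
# Assumption: the page's include pattern is cut off, so this one is illustrative.
INCLUDE = re.compile(r'<!--\s*#include\s+file\s*=\s*"([^"]+)"', re.I)
SCRIPT_EXT = {"asp", "cer", "asa", "cdx"}  # DimFileExt on the page

def scan_file(site, path, included_by="", seen=None):
    """Return (path, signature, included_by) hits for path and its includes."""
    seen = set() if seen is None else seen
    if path in seen or path not in site:
        return []
    seen.add(path)  # guards against include loops
    text = "\r\n" + site[path].lower()  # the page prepends vbCrLf the same way
    hits = [(path, name, included_by) for name, rx in SIGNATURES if rx.search(text)]
    for target in INCLUDE.findall(site[path]):
        child = posixpath.normpath(
            posixpath.join(posixpath.dirname(path), target.replace("\\", "/")))
        hits += scan_file(site, child, path, seen)
    return hits

def scan_site(site):
    """Scan script-extension files; other files are reached only via includes."""
    hits = []
    for path in sorted(site):
        if path.rsplit(".", 1)[-1].lower() in SCRIPT_EXT:
            hits += scan_file(site, path)
    return hits

# Constructed sample site (path -> file content), not taken from a real server.
SAMPLE_SITE = {
    "about.asp": '<% Set rs = conn.Execute(sql) %>',
    "index.asp": '<!--#include file="inc/logo.jpg"-->\n<script>var n = eval("1+1");</script>',
    "inc/logo.jpg": '<% Set sh = Server.CreateObject("WScript.Shell") %>',
}

if __name__ == "__main__":
    print(*scan_site(SAMPLE_SITE), sep="\n")
```

In the sample, `about.asp` stays clean because `[^.]` excludes method calls such as `conn.Execute`, while the `Eval` hit on `index.asp` comes from client-side JavaScript, the false-positive case the scanner's own report text mentions.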