关于查ASP木马的程序，记得半年前在八进制发了一个测试版（具体的URL:http://forum.eviloctal.com/read-htm-tid-19665.html），得到很多朋友的指导，学到了很多东西，非常感谢他们。现在我发的这个升级版，修补了以前的bug，加入了对一些组件写文件函数的检测，更加趋于完美了，个人认为想绕过去有点难度哦。

这回的默认密码是security

当然啦，哈哈，lake2“比武招亲”，欢迎各位朋友提出绕过检测的马马来，一经证实，lake2将把我自己写的某ASP木马“嫁”给他^_^特别有创意的，送你一个我最新弄出来的脚本，具体嘛，嘿嘿，到时候就知道啦。

战书已下，谁来迎战？

源码,另存为asp文件即可使用:

<%@LANGUAGE="VBSCRIPT"CODEPAGE="936"%>

<%

'设置密码

PASSWORD="security"

dimReport

ifrequest.QueryString("act")="login"then

ifrequest.Form("pwd")=PASSWORDthensession("pig")=1

endif

%>

<!DOCTYPEHTMLPUBLIC"-//W3C//DTDHTML4.01Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<metahttp-equiv="Content-Type"content="text/html;charset=gb2312">

<title>ScanWebShell--ASPSecurityForHacking</title>

<styletype="text/css">

<>

</style>

</head>

<body>

<%IfSession("pig")<>1then%>

<formname="form1"method="post"action="?act=login">

<divalign="center">Password:

<inputname="pwd"type="password"size="15">

<inputtype="submit"name="Submit"value="提交">

</div>

</form>

<%

else

ifrequest.QueryString("act")<>"scan"then

%>

<formaction="?act=scan"method="post"name="form1">

<p><b>填入你要检查的路径：</b>

<inputname="path"type="text"value="."size="30"/>

<br>

*网站根目录的相对路径，填“”即检查整个网站；“.”为程序所在目录<br>

<br>

你要干什么:

<inputname="radiobutton"type="radio"value="sws"checked>

查ASP木马

<inputtype="radio"name="radiobutton"value="sf">

搜索符合条件之文件<br>

<br>

--------------如果搜索文件需将以下内容填写完整------------------<br>

<br>

查找内容：

<inputname="Search_Content"type="text"id="Search_Content"size="20">

*要查找的字符串，不填就只进行日期检查<br/>

修改日期：

<inputname="Search_Date"type="text"value="<%=Left(Now(),InStr(now(),"")-1)%>"size="20">

*多个日期用;隔开，任意日期填写<ahref="#"onClick="javascript:form1.Search_Date.value='ALL'">ALL</a><br/>

文件类型：

<inputname="Search_FileExt"type="text"value="*"size="20">

*类型之间用,隔开，*表示所有类型<br>

<br>

<inputtype="submit"value="开始扫描"/>

</p>

</form>

<%

else

server.ScriptTimeout=600

ifrequest.Form("path")=""then

response.Write("NoHack")

response.End()

endif

ifrequest.Form("path")=""then

TmpPath=Server.MapPath("")

elseifrequest.Form("path")="."then

TmpPath=Server.MapPath(".")

else

TmpPath=Server.MapPath("")&""&request.Form("path")

endif

timer1=timer

Sun=0

SumFiles=0

SumFolders=1

Ifrequest.Form("radiobutton")="sws"Then

DimFileExt="asp,cer,asa,cdx"

CallShowAllFile(TmpPath)

Else

Ifrequest.Form("path")=""orrequest.Form("Search_Date")=""orrequest.Form("Search_FileExt")=""Then

response.Write("缉捕条件不完全，恕难从命<br><br><ahref='javascript:history.go(-1);'>请返回重新输入</a>")

response.End()

EndIf

DimFileExt=request.Form("Search_fileExt")

CallShowAllFile2(TmpPath)

EndIf

%>

<tablewidth="100%"border="0"cellpadding="0"cellspacing="0"class="CContent">

<tr>

<th>ScanWebShell--ASPSecurityForHacking

</tr>

<tr>

<tdclass="CPanel">

<divid="updateInfo"></div>

扫描完毕！一共检查文件夹<fontcolor="#FF0000"><%=SumFolders%></font>个，文件<fontcolor="#FF0000"><%=SumFiles%></font>个，发现可疑点<fontcolor="#FF0000"><%=Sun%></font>个

<tablewidth="100%"border="0"cellpadding="0"cellspacing="0">

<tr>

<tdvalign="top">

<tablewidth="100%"border="1"cellpadding="0"cellspacing="0">

<tr>

<%Ifrequest.Form("radiobutton")="sws"Then%>

<tdwidth="20%">文件相对路径</td>

<tdwidth="20%">特征码</td>

<tdwidth="40%">描述</td>

<tdwidth="20%">创建/修改时间</td>

<%else%>

<tdwidth="50%">文件相对路径</td>

<tdwidth="25%">文件创建时间</td>

<tdwidth="25%">修改时间</td>

<%endif%>

</tr>

<p>

<%=Report%>

<br/></p>

</table></td>

</tr>

</table>

</td></tr></table>

<%

timer2=timer

thetime=cstr(int(((timer2-timer1)*10000)+0.5)/10)

response.write"<br><fontsize=""2"">本页执行共用了"&thetime&"毫秒</font>"

endif

endif

%>

<hr>

<divalign="center">本程序取自<ahref="http://www.0x54.org"target="_blank">雷客图ASP站长安全助手</a>的ASP木马查找和可疑文件搜索功能<br>

poweredby<ahref="http://lake2.0x54.org"target=_blank>lake2</a>(Build20060615)</div>

</body>

</html>

<%

'遍历处理path及其子目录所有文件

SubShowAllFile(Path)

SetFSO=CreateObject("Scripting.FileSystemObject")

ifnotfso.FolderExists(path)thenexitsub

Setf=FSO.GetFolder(Path)

Setfc2=f.files

ForEachmyfileinfc2

IfCheckExt(FSO.GetExtensionName(path&""&myfile.name))Then

CallScanFile(Path&Temp&""&myfile.name,"")

SumFiles=SumFiles+1

EndIf

Next

Setfc=f.SubFolders

ForEachf1infc

ShowAllFilepath&""&f1.name

SumFolders=SumFolders+1

Next

SetFSO=Nothing

EndSub

'检测文件

SubScanFile(FilePath,InFile)

IfInFile<>""Then

Infiles="<fontcolor=red>该文件被<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(InFile)&"""target=_blank>"&InFile&"</a>文件包含执行</font>"

EndIf

SetFSOs=CreateObject("Scripting.FileSystemObject")

onerrorresumenext

setofile=fsos.OpenTextFile(FilePath)

filetxt=Lcase(ofile.readall())

IferrThenExitSubendif

iflen(filetxt)>0then

'特征码检查

filetxt=vbcrlf&filetxt

temp="<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(replace(replace(FilePath,server.MapPath("")&"","",1,1,1),"","/"))&"""target=_blank>"&replace(FilePath,server.MapPath("")&"","",1,1,1)&"</a>"

'Check"WScr"&DoMyBest&"ipt.Shell"

Ifinstr(filetxt,Lcase("WScr"&DoMyBest&"ipt.Shell"))orInstr(filetxt,Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8"))then

Report=Report&"<tr><td>"&temp&"</td><td>WScr"&DoMyBest&"ipt.Shell或者clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8</td><td><fontcolor=red>危险组件，一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

Endif

'Check"She"&DoMyBest&"ll.Application"

Ifinstr(filetxt,Lcase("She"&DoMyBest&"ll.Application"))orInstr(filetxt,Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000"))then

Report=Report&"<tr><td>"&temp&"</td><td>She"&DoMyBest&"ll.Application或者clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000</td><td><fontcolor=red>危险组件，一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'Check.Encode

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="bLANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).Encode</td><td><fontcolor=red>似乎脚本被加密了</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'CheckmyASPbackdoor:(

regEx.Pattern="bEv"&"alb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>Ev"&"al</td><td>e"&"val()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ev"&"al(X)<br>但是javascript代码中也可以使用，有可能是误报。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'Checkexe&cutebackdoor

regEx.Pattern="[^.]bExe"&"cuteb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>Exec"&"ute</td><td><fontcolor=red>e"&"xecute()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ex"&"ecute(X)</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'----------------------StartUpdate200605031-----------------------------

'Check.Create&TextFileand.OpenText&File

regEx.Pattern=".(Open|Create)TextFileb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>.CreateTextFile|.OpenTextFile</td><td>使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'Check.SaveT&oFile

regEx.Pattern=".SaveToFileb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>.SaveToFile</td><td>使用了Stream的SaveToFile函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'Check.&Save

regEx.Pattern=".Saveb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>.Save</td><td>使用了XMLHTTP的Save函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'------------------End----------------------------

SetregEx=Nothing

'Checkincludefile

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="<s*#includes*virtuals*=s*"".*"""

SetMatches=regEx.Execute(filetxt)

ForEachMatchinMatches

tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")

IfNotCheckExt(FSOs.GetExtensionName(tFile))Then

CallScanFile(Server.MapPath("")&""&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))

SumFiles=SumFiles+1

EndIf

Next

SetMatches=Nothing

SetregEx=Nothing

'CheckServer&.Execute|Transfer

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()"".*"""

SetMatches=regEx.Execute(filetxt)

ForEachMatchinMatches

tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")

IfNotCheckExt(FSOs.GetExtensionName(tFile))Then

CallScanFile(Mid(FilePath,1,InStrRev(FilePath,""))&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))

SumFiles=SumFiles+1

EndIf

Next

SetMatches=Nothing

SetregEx=Nothing

'CheckServer&.Execute|Transfer

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()[^""])"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>Server.Exec"&"ute</td><td><fontcolor=red>不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

SetMatches=Nothing

SetregEx=Nothing

'CheckRunatScript

SetXregEx=NewRegExp

XregEx.IgnoreCase=True

XregEx.Global=True

XregEx.Pattern="<scr"&"ipts*(.|n)*?runats*=s*""?server""?(.|n)*?>"

SetXMatches=XregEx.Execute(filetxt)

ForEachMatchinXMatches

tmpLake2=Mid(Match.Value,1,InStr(Match.Value,">"))

srcSeek=InStr(1,tmpLake2,"src",1)

IfsrcSeek>0Then

srcSeek2=instr(srcSeek,tmpLake2,"=")

Fori=1To50

tmp=Mid(tmpLake2,srcSeek2+i,1)

Iftmp<>""andtmp<>chr(9)andtmp<>vbCrLfThen

ExitFor

EndIf

Next

Iftmp=""""Then

tmpName=Mid(tmpLake2,srcSeek2+i+1,Instr(srcSeek2+i+1,tmpLake2,"""")-srcSeek2-i-1)

Else

IfInStr(srcSeek2+i+1,tmpLake2,"")>0ThentmpName=Mid(tmpLake2,srcSeek2+i,Instr(srcSeek2+i+1,tmpLake2,"")-srcSeek2-i)ElsetmpName=tmpLake2

IfInStr(tmpName,chr(9))>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,chr(9))-1)

IfInStr(tmpName,vbCrLf)>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,vbcrlf)-1)

IfInStr(tmpName,">")>0ThentmpName=Mid(tmpName,1,Instr(1,tmpName,">")-1)

EndIf

CallScanFile(Mid(FilePath,1,InStrRev(FilePath,""))&tmpName,replace(FilePath,server.MapPath("")&"","",1,1,1))

SumFiles=SumFiles+1

EndIf

Next

SetMatches=Nothing

SetregEx=Nothing

'CheckCrea"&"teObject

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="CreateO"&"bject[|t]*(.*)"

SetMatches=regEx.Execute(filetxt)

ForEachMatchinMatches

IfInstr(Match.Value,"&")orInstr(Match.Value,"+")orInstr(Match.Value,"""")=0orInstr(Match.Value,"(")<>InStrRev(Match.Value,"(")Then

Report=Report&"<tr><td>"&temp&"</td><td>Creat"&"eObject</td><td>Crea"&"teObject函数使用了变形技术。可能是误报"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

exitsub

EndIf

Next

SetMatches=Nothing

SetregEx=Nothing

endif

setofile=nothing

setfsos=nothing

EndSub

'检查文件后缀，如果与预定的匹配即返回TRUE

FunctionCheckExt(FileExt)

IfDimFileExt="*"ThenCheckExt=True

Ext=Split(DimFileExt,",")

Fori=0ToUbound(Ext)

IfLcase(FileExt)=Ext(i)Then

CheckExt=True

ExitFunction

EndIf

Next

EndFunction

FunctionGetDateModify(filepath)

Setfso=CreateObject("Scripting.FileSystemObject")

Setf=fso.GetFile(filepath)

s=f.DateLastModified

setf=nothing

setfso=nothing

GetDateModify=s

EndFunction

FunctionGetDateCreate(filepath)

Setfso=CreateObject("Scripting.FileSystemObject")

Setf=fso.GetFile(filepath)

s=f.DateCreated

setf=nothing

setfso=nothing

GetDateCreate=s

EndFunction

FunctiontURLEncode(Str)

temp=Replace(Str,"%","%25")

temp=Replace(temp,"#","%23")

temp=Replace(temp,"&","%26")

tURLEncode=temp

EndFunction

SubShowAllFile2(Path)

SetFSO=CreateObject("Scripting.FileSystemObject")

ifnotfso.FolderExists(path)thenexitsub

Setf=FSO.GetFolder(Path)

Setfc2=f.files

ForEachmyfileinfc2

IfCheckExt(FSO.GetExtensionName(path&""&myfile.name))Then

CallIsFind(Path&""&myfile.name)

SumFiles=SumFiles+1

EndIf

Next

Setfc=f.SubFolders

ForEachf1infc

ShowAllFile2path&""&f1.name

SumFolders=SumFolders+1

Next

SetFSO=Nothing

EndSub

SubIsFind(thePath)

theDate=GetDateModify(thePath)

onerrorresumenext

theTmp=Mid(theDate,1,Instr(theDate,"")-1)

iferrthenexitSub

xDate=Split(request.Form("Search_Date"),";")

Ifrequest.Form("Search_Date")="ALL"ThenALLTime=True

Fori=0ToUbound(xDate)

IftheTmp=xDate(i)orALLTime=TrueThen

Ifrequest("Search_Content")<>""Then

SetFSOs=CreateObject("Scripting.FileSystemObject")

setofile=fsos.OpenTextFile(thePath,1,false,-2)

filetxt=Lcase(ofile.readall())

IfInstr(filetxt,LCase(request.Form("Search_Content")))>0Then

temp="<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&"""target=_blank>"&replace(thePath,server.MapPath("")&"","",1,1,1)&"</a>"

Report=Report&"<tr><td>"&temp&"</td><td>"&GetDateCreate(thePath)&"</td><td>"&theDate&"</td></tr>"

Sun=Sun+1

ExitSub

EndIf

ofile.close()

Setofile=Nothing

SetFSOs=Nothing

Else

temp="<ahref=""http://"&Request.Servervariables("server_name")&"/"&tURLEncode(Replace(replace(thePath,server.MapPath("")&"","",1,1,1),"","/"))&"""target=_blank>"&replace(thePath,server.MapPath("")&"","",1,1,1)&"</a>"

Report=Report&"<tr><td>"&temp&"</td><td>"&GetDateCreate(thePath)&"</td><td>"&theDate&"</td></tr>"

Sun=Sun+1

ExitSub

EndIf

EndIf

Next

EndSub

%>