Leike diagram ASP webmaster Security Assistant's ASP Trojan search function

Online Search for asp Trojans in a space Copy codeThe Code is as follows: <% @ LANGUAGE = "VBSCRIPT" CODEPAGE = "936" %>
<%
'Set Password
PASSWORD = "jb51net"

Dim Report

If request. QueryString ("act") = "login" then
If request. Form ("pwd") = PASSWORD then session ("pig") = 1
End if
%>
<! Doctype html public "-// W3C // dtd html 4.01 Transitional // EN" "http://www.w3.org/TR/html4/loose.dtd">
<Html>
<Head>
<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312">
<Title> ASPSecurity for Hacking </title>
</Head>

<Body>
<% If Session ("pig") <> 1 then %>
<Form name = "form1" method = "post" action = "? Act = login ">
<Div align = "center"> Password:
<Input name = "pwd" type = "password" size = "15">
<Input type = "submit" name = "Submit" value = "submit">
</Div>
</Form>
<%
Else
If request. QueryString ("act") <> "scan" then
%>
<Form action = "? Act = scan "method =" post ">
<B> enter the path you want to check: </B>
<Input name = "path" type = "text" style = "border: 1px solid #999" value = "." size = "30"/>
<Br>
* For the relative path of the website root directory, enter "\" to check the entire website. "." Is the directory where the program is located.
<Br>
<Br>
<Input type = "submit" value = "start scanning" style = "background: # fff; border: 1px solid #999; padding: 2px 2px 0px 2px; margin: 4px; border-width: 1px 3px 1px 3px "/>
</Form>
<%
Else
Server. ScriptTimeout = 600
DimFileExt = "asp, cer, asa, cdx"
Sun = 0
SumFiles = 0
SumFolders = 1
If request. Form ("path") = "" then
Response. Write ("No Hack ")
Response. End ()
End if
Timer1 = timer
If request. Form ("path") = "\" then
TmpPath = Server. MapPath ("\")
Elseif request. Form ("path") = "." then
TmpPath = Server. MapPath (".")
Else
TmpPath = Server. MapPath ("\") & "\" & request. Form ("path ")
End if
Call ShowAllFile (TmpPath)
%>
<Table width = "100%" border = "0" cellpadding = "0" cellspacing = "0" class = "CContent">
<Tr>
<Th> ASPSecurity For Hacking
</Tr>
<Tr>
<Td class = "CPanel" style = "padding: 5px; line-height: 170%; clear: both; font-size: 12px">
<Div id = "updateInfo" style = "background: ffffe1; border: 1px solid # 89441f; padding: 4px; display: none"> </div>
Scan completed! Check a total of <font color = "# FF0000" ><%= SumFolders %> </font> folders, <font color = "# FF0000"> <% = SumFiles %> </font> files, suspicious <font color = "# FF0000"> <% = Sun %> </font>
<Table width = "100%" border = "0" cellpadding = "0" cellspacing = "0">
<Tr>
<Td valign = "top">
<Table width = "100%" border = "1" cellpadding = "0" cellspacing = "0" style = "padding: 5px; line-height: 170%; clear: both; font-size: 12px ">
<Tr>
<Td width = "20%"> relative file path </td>
<Td width = "20%"> signature </td>
<Td width = "40%" type = "option" text = "option"> description </td type = "option" text = "/option">
<Td width = "20%"> creation/modification time </td>
</Tr>
<P>
<% = Report %>
<Br/> </p>
</Table> </td>
</Tr>
</Table>
</Td> </tr> </table>
<%
Timer2 = timer
Thetime = cstr (int (timer2-timer1) * 10000) + 0.5)/10)
Response. write "<br> <font size =" 2 "> This page is shared" & thetime & "millisecond </font>"
End if
End if

%>
<Hr>
<Div align = "center"> this program is taken from the ASP Trojan search of <a href = "http://www.0x54.org" target = "_ blank"> leike diagram ASP webmaster Security Assistant </a> function <br>
Powered by <a href = "http://lake2.0x54.org" target = _ blank> lake2 </a>
</Div>
</Body>
</Html>
<%

'Process all files in the path and Its subdirectories through Traversal
Sub ShowAllFile (Path)
Set FSO = CreateObject ("Scripting. FileSystemObject ")
If not fso. FolderExists (path) then exit sub
Set f = FSO. GetFolder (Path)
Set fc2 = f. files
For Each myfile in fc2
If CheckExt (FSO. GetExtensionName (path & "\" & myfile. name) Then
Call ScanFile (Path & Temp & "\" & myfile. name ,"")
SumFiles = SumFiles + 1
End If
Next
Set fc = f. SubFolders
For Each f1 in fc
ShowAllFile path & "\" & f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub

'Detection File
Sub ScanFile (FilePath, InFile)
If InFile <> "" Then
Infiles = "this file is <a href =" "http: //" & Request. servervariables ("server_name") & "\" & InFile & "target = _ blank>" & InFile & "</a> File Inclusion execution"
End If
Set FSOs = CreateObject ("Scripting. FileSystemObject ")
On error resume next
Set ofile = fsos. OpenTextFile (FilePath)
Filetxt = Lcase (ofile. readall ())
If err Then Exit Sub end if
If len (filetxt)> 0 then
'Signature check
Temp = "<a href =" "http: //" & Request. servervariables ("server_name") & "\" & replace (FilePath, server. mapPath ("\") & "\", "", 1, 1) & "" target = _ blank> "& replace (FilePath, server. mapPath ("\") & "\", "", 1, 1) & "</a>"
'Check "WScr" & DoMyBest & "ipt. Shell"
If instr (filetxt, Lcase ("WScr" & DoMyBest & "ept. shell ") or Instr (filetxt, Lcase (" clsid: 72C24DD5-D70A "& DoMyBest &"-438b-8a42-98366b88afb8 ") then
Report = Report & "<tr> <td>" & temp & "</td> <td> WScr" & DoMyBest & "ept. shell or clsid: 72C24DD5-D70A "& DoMyBest &"-438b-8a42-98417b88afb8 </td> <td> dangerous components, which are generally used by ASP Trojans. "& Infiles &" </td> <td> "& GetDateCreate (filepath) &" <br> "& GetDateModify (filepath) &" </td> </tr>"
Sun = Sun + 1
End if
'Check "She" & DoMyBest & "ll. Application"
If instr (filetxt, Lcase ("She" & DoMyBest & "ll. application ") or Instr (filetxt, Lcase (" clsid: 13709620-C27 "& DoMyBest &" 9-11CE-A49E-444553540000 ") then
Report = Report & "<tr> <td>" & temp & "</td> <td> She" & DoMyBest & "ll. application or clsid: 13709620-C27 "& DoMyBest &" 9-11CE-A49E-444553540000 </td> <td> dangerous components, which are generally used by ASP Trojans. "& Infiles &" </td> <td> "& GetDateCreate (filepath) &" <br> "& GetDateModify (filepath) &" </td> </tr>"
Sun = Sun + 1
End If
'Check. Encode
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "@ \ s * LANGUAGE \ s * = \ s * [" "]? \ S * (vbscript | jscript | javascript). encode \ B"
If regEx. Test (filetxt) Then
Report = Report & "<tr> <td>" & temp & "</td> <td> (vbscript | jscript | javascript ). encode </td> <td> the script is encrypted. Generally, ASP files are not encrypted. "& Infiles &" </td> <td> "& GetDateCreate (filepath) &" <br> "& GetDateModify (filepath) &" </td> </tr>"
Sun = Sun + 1
End If
'Check my ASP backdoor
RegEx. Pattern = "\ bEv" & "al \ B"
If regEx. Test (filetxt) Then
Report = Report & "<tr> <td>" & temp & "</td> <td> Ev" & "al </td> <td> e" & "val () the function can execute arbitrary ASP code and be exploited by some backdoors. The format is ev "&" al (X) <br> but it can also be used in javascript code, which may be a false positive. "& Infiles &" </td> <td> "& GetDateCreate (filepath) &" <br> "& GetDateModify (filepath) &" </td> </tr>"
Sun = Sun + 1
End If
'Check exe & cute backdoor
RegEx. Pattern = "[^.] \ bExe" & "cute \ B"
If regEx. Test (filetxt) Then
Report = Report & "<tr> <td>" & temp & "</td> <td> Exec" & "ute </td> <td> e" & "xecute () the function can execute arbitrary ASP code and be exploited by some backdoors. The format is: ex "&" ecute (X ). <Br> "& infiles &" </td> <td> "& GetDateCreate (filepath) &" <br> "& GetDateModify (filepath) & "</td> </tr>"
Sun = Sun + 1
End If
Set regEx = Nothing

'Check include file
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "<! -- \ S * # include \ s * file \ s * = \ s *"".*"""
Set Matches = regEx. Execute (filetxt)
For Each Match in Matches
TFile = Replace (Mid (Match. value, Instr (Match. value, ") + 1, Len (Match. value)-Instr (Match. value, ")-1 ),"/","\")
If Not CheckExt (FSOs. GetExtensionName (tFile) Then
Call ScanFile (Mid (FilePath, 1, faster Rev (FilePath, "\") & tFile, replace (FilePath, server. mapPath ("\") & "\", "", 1, 1 ))
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

'Check include virtual
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "<! -- \ S * # include \ s * virtual \ s * = \ s *"".*"""
Set Matches = regEx. Execute (filetxt)
For Each Match in Matches
TFile = Replace (Mid (Match. value, Instr (Match. value, ") + 1, Len (Match. value)-Instr (Match. value, ")-1 ),"/","\")
If Not CheckExt (FSOs. GetExtensionName (tFile) Then
Call ScanFile (Server. mapPath ("\") & "\" & tFile, replace (FilePath, server. mapPath ("\") & "\", "", 1, 1 ))
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

'Check Server &. Execute | Transfer
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "Server. (Exec" & "ute | Transfer) ([\ t] * | \()"".*"""
Set Matches = regEx. Execute (filetxt)
For Each Match in Matches
TFile = Replace (Mid (Match. value, Instr (Match. value, ") + 1, Len (Match. value)-Instr (Match. value, ")-1 ),"/","\")
If Not CheckExt (FSOs. GetExtensionName (tFile) Then
Call ScanFile (Mid (FilePath, 1, faster Rev (FilePath, "\") & tFile, replace (FilePath, server. mapPath ("\") & "\", "", 1, 1 ))
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

'Check Server &. Execute | Transfer
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "Server. (Exec" & "ute | Transfer) ([\ t] * | \ () [^" "] \)"
If regEx. Test (filetxt) Then
Report = Report & "<tr> <td>" & temp & "</td> <td> Server. exec "&" ute </td> <td> the Server cannot be tracked and checked. e "&" xecute () function execution file. Ask the Administrator to check the vulnerability. <Br> "& infiles &" </td> <td> "& GetDateCreate (filepath) &" <br> "& GetDateModify (filepath) & "</td> </tr>"
Sun = Sun + 1
End If
Set Matches = Nothing
Set regEx = Nothing

'Check Crea "&" teObject
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "CreateO" & "bject [| \ t] * \ (. * \)"
Set Matches = regEx. Execute (filetxt)
For Each Match in Matches
If Instr (Match. value, "&") or Instr (Match. value, "+") or Instr (Match. value, ") = 0 or Instr (Match. value, "(") <> limit Rev (Match. value, "(") Then
Report = Report & "<tr> <td>" & temp & "</td> <td> Creat" & "eObject </td> <td> Crea" & "teObject the function uses the deformation technology, review carefully. "& Infiles &" </td> <td> "& GetDateCreate (filepath) &" <br> "& GetDateModify (filepath) &" </td> </tr>"
Sun = Sun + 1
Exit sub
End If
Next
Set Matches = Nothing
Set regEx = Nothing
End if
Set ofile = nothing
Set fsos = nothing
End Sub

'Check the file suffix. If it matches the predefined one, TRUE is returned.
Function CheckExt (FileExt)
If DimFileExt = "*" Then CheckExt = True
Ext = Split (DimFileExt ,",")
For I = 0 To Ubound (Ext)
If Lcase (FileExt) = Ext (I) Then
CheckExt = True
Exit Function
End If
Next
End Function

Function GetDateModify (filepath)
Set fso = CreateObject ("Scripting. FileSystemObject ")
Set f = fso. GetFile (filepath)
S = f. DateLastModified
Set f = nothing
Set fso = nothing
GetDateModify = s
End Function

Function GetDateCreate (filepath)
Set fso = CreateObject ("Scripting. FileSystemObject ")
Set f = fso. GetFile (filepath)
S = f. DateCreated
Set f = nothing
Set fso = nothing
GetDateCreate = s
End Function

%>