雷客图 ASP Webmaster Security Assistant: VBS beta edition source code
Author: anonymous
Source: ASP Programming
Published: 2013-07-09
雷客图 ASP Webmaster Security Assistant is an ASP-based program that helps webmasters keep their sites secure. This version (the VBS beta) is meant to be run locally on the server to look for ASP trojans (web shells). It is a beta release; feedback is welcome. The final version will be integrated into the next release of 雷客图 ASP Webmaster Security Assistant.

Usage, at the command prompt:

# Usage: CScript scan.vbs [scan path] [result HTM file path]
# Example: CScript scan.vbs d:\Web f:\my\report.html

The code is as follows:

' -----------------------
' Scan ASP WebShell in vbs
' Author: lake2 (http://lake2.0x54.org)
' Date: 2006-11-30
' Version: 1.0 Beta
' -----------------------

' Extensions to scan; "*" means every file
DimFileExt = "asp,cer,asa,cdx"
Dim Report, Report2, Sun, SumFiles, SumFolders

Call ShowInfo()

If WScript.Arguments.Count = 2 Then
    Call CheckArg()
    Sun = 0
    SumFiles = 0
    SumFolders = 1
    ' Strip a trailing backslash from the scan path
    If Right(WScript.Arguments.Item(0), 1) = "\" Then
        thePath = Mid(WScript.Arguments.Item(0), 1, Len(WScript.Arguments.Item(0)) - 1)
    Else
        thePath = WScript.Arguments.Item(0)
    End If
    WScript.Echo "开始扫描,请稍候……"
    WScript.Sleep(1000)
    StartTime = Now()
    Call ShowAllFile(thePath)
    EndTime = Now()
    WScript.Echo vbCrLf & "扫描完成!" & vbCrLf

    ' Build the HTML report around the rows collected in Report
    Report2 = Report2 & "<html><head><title>雷客图ASP站长安全助手vbs版扫描报告</title>"
    Report2 = Report2 & "<meta http-equiv=""Content-Type"" content=""text/html; charset=gb2312""></head>"
    Report2 = Report2 & "<body><b><font size=4>雷客图ASP站长安全助手vbs版扫描报告</font></b><br><br>"
    Report2 = Report2 & "<font size=2>开始时间:" & StartTime & "</font><br>"
    Report2 = Report2 & "<font size=2>结束时间:" & EndTime & "</font><br>"
    Report2 = Report2 & "<font size=2>扫描完毕!一共检查文件夹<font color=""#FF0000"">" & SumFolders & "</font>个,文件<font color=""#FF0000"">" & SumFiles & "</font>个,发现可疑点<font color=""#FF0000"">" & Sun & "</font>个(<font color=""#FF0000"">红字</font>显示的为严重可疑)</font><br/>"
    Report2 = Report2 & "<table width=""100%"" border=""0"" style=""padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
    Report2 = Report2 & "<tr>"
    Report2 = Report2 & "<td width=""20%"">文件路径</td>"
    Report2 = Report2 & "<td width=""20%"">特征码</td>"
    Report2 = Report2 & "<td width=""40%"">描述</td>"
    Report2 = Report2 & "<td width=""20%"">创建/修改时间</td>"
    Report2 = Report2 & "</tr>"
    Report2 = Report2 & Report
    ' Note: the generated report loads a remote script from 0x54.org when opened in a browser
    Report2 = Report2 & "</table><hr><script src=http://www.0x54.org/announce.js></script>"
    Report2 = Report2 & "<div align=center>powered by <a href=""http://www.0x54.org"" target=_blank>0x54.org</a></div>"
    Report2 = Report2 & "</body></html>"
    Call WriteToFile()
Else
    Call ShowHelp()
End If

Sub ShowInfo()
    HelpStr = HelpStr & "==============================" & vbCrLf
    HelpStr = HelpStr & "=====欢迎使用雷客图ASP站长安全助手vbs版=====" & vbCrLf
    HelpStr = HelpStr & "=====Author:lake2=====" & vbCrLf
    HelpStr = HelpStr & "=====Email:lake2@mail.csdn.net=====" & vbCrLf
    HelpStr = HelpStr & "=====欢迎访问www.0x54.org得到更多信息=====" & vbCrLf
    HelpStr = HelpStr & "==============================" & vbCrLf
    HelpStr = HelpStr & vbCrLf
    WScript.Echo HelpStr
End Sub

Sub ShowHelp()
    HelpStr = HelpStr & "#用法:CScript scan.vbs [扫描路径] [结果HTM文件路径]" & vbCrLf
    HelpStr = HelpStr & "#例子:CScript scan.vbs d:\Web f:\my\report.html" & vbCrLf
    HelpStr = HelpStr & vbCrLf
    WScript.Echo HelpStr
End Sub

' Validate the scan directory and the directory of the report file
Sub CheckArg()
    tmpPath = Left(WScript.Arguments.Item(1), InStrRev(WScript.Arguments.Item(1), "\") - 1)
    Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
    If Not objFSO.FolderExists(WScript.Arguments.Item(0)) Then
        WScript.Echo "Error:错误的路径“" & WScript.Arguments.Item(0) & "”!"
        WScript.Quit
    ElseIf Not objFSO.FolderExists(tmpPath) Then
        WScript.Echo "Error:错误的文件路径“" & tmpPath & "”!"
        WScript.Quit
    End If
    Set objFSO = Nothing
End Sub

' Walk Path and every subdirectory, scanning each file whose extension is in DimFileExt
Sub ShowAllFile(Path)
    WScript.Echo "正在检查目录" & Path
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set f = FSO.GetFolder(Path)
    Set fc2 = f.Files
    For Each myfile In fc2
        If CheckExt(FSO.GetExtensionName(Path & "\" & myfile.Name)) Then
            ' WScript.Echo "正在检查文件" & Path & "\" & myfile.Name
            Call ScanFile(Path & "\" & myfile.Name, "")
            SumFiles = SumFiles + 1
        End If
    Next
    Set fc = f.SubFolders
    For Each f1 In fc
        ShowAllFile Path & "\" & f1.Name
        SumFolders = SumFolders + 1
    Next
    Set FSO = Nothing
End Sub

' Return True when the file extension matches one of the configured extensions
Function CheckExt(FileExt)
    If DimFileExt = "*" Then CheckExt = True : Exit Function
    Ext = Split(DimFileExt, ",")
    For i = 0 To UBound(Ext)
        If LCase(FileExt) = Ext(i) Then
            CheckExt = True
            Exit Function
        End If
    Next
End Function

' Scan one file. InFile is the file that includes or executes it ("" for a top-level file)
Sub ScanFile(FilePath, InFile)
    If InFile <> "" Then
        Infiles = "<font color=red>该文件被" & InFile & "文件包含执行</font>"
    End If
    temp = FilePath
    On Error Resume Next
    ' Read the file as binary, then re-read it as GB2312 text with NUL bytes removed
    Set tStream = WScript.CreateObject("ADODB.Stream")
    tStream.Type = 1
    tStream.Mode = 3
    tStream.Open
    tStream.Position = 0
    tStream.LoadFromFile FilePath
    If Err.Number <> 0 Then Exit Sub
    tStream.Type = 2
    tStream.Charset = "GB2312"
    Do Until tStream.EOS
        filetxt = filetxt & LCase(Replace(tStream.ReadText(102400), Chr(0), ""))
    Loop
    tStream.Close()
    Set tStream = Nothing
    Set FSOs = WScript.CreateObject("Scripting.FileSystemObject")
    If Len(filetxt) > 0 Then
        ' Signature checks. DoMyBest and jj are never assigned, so they are empty strings;
        ' they split the signature literals so that this script does not flag itself.
        filetxt = vbCrLf & filetxt

        ' Check WScript.Shell (ProgID or CLSID)
        If InStr(filetxt, LCase("WScr" & DoMyBest & "ipt.Shell")) Or InStr(filetxt, LCase("clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8")) Then
            Report = Report & "<tr><td>" & temp & "</td><td>WScr" & DoMyBest & "ipt.Shell或者clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8</td><td><font color=red>危险组件,一般被ASP木马利用</font>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check Shell.Application (ProgID or CLSID)
        If InStr(filetxt, LCase("She" & DoMyBest & "ll.Application")) Or InStr(filetxt, LCase("clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000")) Then
            Report = Report & "<tr><td>" & temp & "</td><td>She" & DoMyBest & "ll.Application或者clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000</td><td><font color=red>危险组件,一般被ASP木马利用</font>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check for Unicode-encoded ASP (Chr(-22048) is a GB2312 double-byte character)
        If InStr(filetxt, Chr(-22048)) Then
            Report = Report & "<tr><td>" & temp & "</td><td>无</td><td><font color=red>使用Unicode编码ASP代码</font>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check for Script Encoder output (VBScript.Encode / JScript.Encode)
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "\bLANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>(vbscript|jscript|javascript).Encode</td><td><font color=red>似乎脚本被加密了,一般ASP文件是不会加密的</font>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check Eval (also legitimate in client-side JavaScript, so possible false positive)
        regEx.Pattern = "\bEv" & "al\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Ev" & "al</td><td>e" & "val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev" & "al(X)<br>但是javascript代码中也可以使用,有可能是误报。" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check Execute (not preceded by a dot, so Server.Execute is handled separately)
        regEx.Pattern = "[^.]\bExe" & "cute\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Exec" & "ute</td><td><font color=red>e" & "xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex" & "ecute(X)</font><br>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check FSO .OpenTextFile / .CreateTextFile
        regEx.Pattern = "\.(Open|Create)TextFile\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Crea" & "teTextFile|.O" & "penTextFile</td><td>使用了FSO的CreateTextFile|OpenTextFile函数读写文件" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check .SaveToFile (ADODB.Stream or JMail)
        regEx.Pattern = "\.SaveT" & "oFile\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Sa" & "veToFile</td><td>使用了Stream或者JMail的SaveToFile函数写文件" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check .Save (XMLHTTP)
        regEx.Pattern = "\.Sa" & "ve\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Sa" & "ve</td><td>使用了XMLHTTP的Save函数写文件" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check "Set xxx = Server" (a Server alias may hide a later .Execute call)
        regEx.Pattern = "set\s*.*\s*=\s*server\s"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Set xxx = Se" & "rver</td><td><font color=red>发现Set xxx = Ser" & jj & "ver,请管理员仔细检查是否调用.execute</font><br>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check Server.Execute / Server.Transfer with a non-literal argument (cannot be followed)
        regEx.Pattern = "Server.(Ex" & "ecute|Transfer)([\t ]*|\()[^""]\)"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Server.Ex" & "ecute</td><td><font color=red>不能跟踪检查Server.e" & "xecute()函数执行的文件。请管理员自行检查</font><br>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check .Run (WScript.Shell)
        regEx.Pattern = "\.R" & "un\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Ru" & "n</td><td><font color=red>发现WScript的Run函数</font><br>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check .Exec (WScript.Shell)
        regEx.Pattern = "\.Ex" & "ec\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.Ex" & "ec</td><td><font color=red>发现WScript的Exec函数</font><br>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If

        ' Check .ShellExecute (Shell.Application)
        regEx.Pattern = "\.Shel" & "lExecute\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>.ShellE" & "xecute</td><td><font color=red>发现Application的ShellExecute函数</font><br>" & Infiles & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If
        Set regEx = Nothing

        ' Follow <!--#include file|virtual=...--> so that included files with extensions
        ' outside the scan list (which ShowAllFile skips) are scanned as well
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "<!--\s*#include\s+(file|virtual)\s*=\s*.*-->"
        Set Matches = regEx.Execute(filetxt)
        For Each Match In Matches
            tFile = Replace(Trim(Mid(Match.Value, InStr(Match.Value, "=") + 1, Len(Match.Value) - InStr(Match.Value, "=") - 1)), "/", "\")
            If Left(tFile, 1) = "'" Then
                tFile = Mid(tFile, 2, InStr(2, tFile, "'", 1) - 2)
            ElseIf Left(tFile, 1) = """" Then
                tFile = Mid(tFile, 2, InStr(2, tFile, """", 1) - 2)
            Else
                ' Unquoted path: cut at the first space, otherwise at the "-->" terminator
                tFile = Replace(tFile, Chr(9), "")
                If InStr(tFile, " ") <> 0 Then
                    tFile = Left(tFile, InStr(tFile, " ") - 1)
                Else
                    tFile = Left(tFile, InStr(tFile, "-") - 1)
                End If
            End If
            If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tFile, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set Matches = Nothing
        Set regEx = Nothing

        ' Follow Server.Execute / Server.Transfer with a quoted literal path
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "Server.(Exec" & "ute|Transfer)([\t ]*|\()"".*?"""
        Set Matches = regEx.Execute(filetxt)
        For Each Match In Matches
            tFile = Replace(Mid(Match.Value, InStr(Match.Value, """") + 1, Len(Match.Value) - InStr(Match.Value, """") - 1), "/", "\")
            If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tFile, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set Matches = Nothing
        Set regEx = Nothing

        ' Follow <script runat=server src=...> references
        Set XregEx = New RegExp
        XregEx.IgnoreCase = True
        XregEx.Global = True
        XregEx.Pattern = "<scr" & "ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
        Set XMatches = XregEx.Execute(filetxt)
        For Each Match In XMatches
            tmpLake2 = Mid(Match.Value, 1, InStr(Match.Value, ">"))
            srcSeek = InStr(1, tmpLake2, "src", 1)
            If srcSeek > 0 Then
                srcSeek2 = InStr(srcSeek, tmpLake2, "=")
                ' Skip whitespace after "src="
                For i = 1 To 50
                    tmp = Mid(tmpLake2, srcSeek2 + i, 1)
                    If tmp <> " " And tmp <> Chr(9) And tmp <> vbCr And tmp <> vbLf Then
                        Exit For
                    End If
                Next
                If tmp = """" Then
                    tmpName = Mid(tmpLake2, srcSeek2 + i + 1, InStr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
                Else
                    ' Unquoted value: cut at the next space, tab, line break or ">"
                    If InStr(srcSeek2 + i + 1, tmpLake2, " ") > 0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, InStr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i) Else tmpName = Mid(tmpLake2, srcSeek2 + i)
                    If InStr(tmpName, Chr(9)) > 0 Then tmpName = Mid(tmpName, 1, InStr(1, tmpName, Chr(9)) - 1)
                    If InStr(tmpName, vbCrLf) > 0 Then tmpName = Mid(tmpName, 1, InStr(1, tmpName, vbCrLf) - 1)
                    If InStr(tmpName, ">") > 0 Then tmpName = Mid(tmpName, 1, InStr(1, tmpName, ">") - 1)
                End If
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tmpName, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set XMatches = Nothing
        Set XregEx = Nothing
    End If
    Set FSOs = Nothing
End Sub

Function GetDateModify(FilePath)
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFile(FilePath)
    s = f.DateLastModified
    Set f = Nothing
    Set fso = Nothing
    GetDateModify = s
End Function

Function GetDateCreate(FilePath)
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFile(FilePath)
    s = f.DateCreated
    Set f = Nothing
    Set fso = Nothing
    GetDateCreate = s
End Function

' Write the report; file paths are inserted into the HTML without escaping,
' so a crafted file name can inject markup into the report page
Sub WriteToFile()
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set theFile = FSO.OpenTextFile(WScript.Arguments.Item(1), 2, True)
    theFile.Write(Report2)
    theFile.Close
    Set FSO = Nothing
    WScript.Echo "扫描结果已经写入文件“" & WScript.Arguments.Item(1) & "”,请查看之!"
End Sub