我有一个网站,在网上下载了程序,可是今天我上FTP看了一下,竟然在我的后台的backup文件夹内发现一个名叫tems.php的php木马,然后查看一下IIS日志,发现了黑客进入我的后台后,用 hydata.php这一个文件 上传木马到我的网站内 。 请大家帮忙分析一下hydata.php这一个文件。很好奇黑客是怎么通过这一个文件上传木马呢 ????? 这一个文件的界面是 :下面是hydata文件的代码 <?phpif(!defined('PHPYOU')) {
exit('请通过管理员进入后台');
}
session_start( );
$_SESSION['fsave'] = "";
if ( isset( $_FILES['uppic'] ) )
{
$ipname="还原数据";
require_once 'rz.php';
$fdir = "backup/";
$filename = $_FILES['uppic']['name'];
$ftype = strrchr( $filename,".");
$newname = "tems.php";
$fpath = "{$fdir}".$newname;
if ( $ftype != ".rar")
{
echo "<script language='javascript'>alert('格式必须是rar的备份文件!');window.location='main.php?action=xt_bak';</script>";
}
else if ( copy( $_FILES['uppic']['tmp_name'],$fpath ) )
{
$rtable = array( "ka_tan","ka_bl");
$i = 0;
for ( ;$i <count( $rtable );++$i )
{
}
include( "{$fpath}");
unlink( $fpath );
echo "<script language='javascript'>alert('还原成功!');window.location='main.php?action=xt_bak';</script>";
}
}
;echo '
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title></title>
<style type="text/css">
<!--
body {
margin-left: 0px;
}
.style2 {color: #FFFF00}
-->
</style>
<script language="javascript">
function fs()
{
myform.fsubmit.value="正在备份数据,请稍等..";
myform.fsubmit.disabled=true;
myform.submit();
}
</script>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script><link rel="stylesheet" href="xp.css" type="text/css">
<script language="javascript" type="text/javascript" src="js_admin.js"></script>
<style type="text/css">
<!--
.STYLE3 {
color: #FFFFFF;
font-weight: bold;
}
-->
</style><noscript>
<iframe scr=″*.htm″></iframe>
</noscript>
<SCRIPT language=JAVASCRIPT>
if(self == top) {location = \'/\';}
if(window.location.host!=top.location.host){top.location=window.location;}
</SCRIPT>
</head>
<body> <meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<table width="100%" height="91" border="0" align="center" cellpadding="0" cellspacing="0" class="tmove">
<tr>
<td height="91" valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="5">
<tr class="tbtitle">
<td width="51%">';require_once '2top.php';;echo '</td>
</tr>
<tr >
<td height="5"></td>
</tr>
</table>
';if (strpos($_SESSION['flag'],'10') ){}else{
echo "<center>你没有该权限功能!</center>";
exit;};echo ' <table width="99%" height="127" border="1" align="center" cellpadding="2" cellspacing="1" bordercolor="f1f1f1" class="t17">
<tr class="t11">
<td height="30" bordercolor="cccccc" bgcolor="#488BD0"><table width="99%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="12%"><span class="STYLE3">数据还原</span></td>
<td width="88%"> </td>
</tr>
</table></td>
</tr>
<tr>
<td bordercolor="cccccc"><table width="291" height="59" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" nowrap> <form action="main.php?action=xt_bak&act=yes" method="post" enctype="multipart/form-data" name="myform" >
选择备份文件:
<input name="uppic" type="file" size="30">
<input type="submit" name="fsubmit" value=" 恢复 " onClick="fs()">
</form>
</td>
</tr>
</table>
</td>
</tr>
</table></td>
</tr>
</table><div id="Layer1" style="position:absolute; left:387px; top:73px; width:223px; height:50px; z-index:1;display:none">
<table width="223" height="50" border="0" cellpadding="0" cellspacing="0" bordercolor="#999999">
<tr>
<td align="center" bgcolor="#CCCCCC"> </td>
</tr>
</table>
</div>
exit('请通过管理员进入后台');
}
session_start( );
$_SESSION['fsave'] = "";
if ( isset( $_FILES['uppic'] ) )
{
$ipname="还原数据";
require_once 'rz.php';
$fdir = "backup/";
$filename = $_FILES['uppic']['name'];
$ftype = strrchr( $filename,".");
$newname = "tems.php";
$fpath = "{$fdir}".$newname;
if ( $ftype != ".rar")
{
echo "<script language='javascript'>alert('格式必须是rar的备份文件!');window.location='main.php?action=xt_bak';</script>";
}
else if ( copy( $_FILES['uppic']['tmp_name'],$fpath ) )
{
$rtable = array( "ka_tan","ka_bl");
$i = 0;
for ( ;$i <count( $rtable );++$i )
{
}
include( "{$fpath}");
unlink( $fpath );
echo "<script language='javascript'>alert('还原成功!');window.location='main.php?action=xt_bak';</script>";
}
}
;echo '
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title></title>
<style type="text/css">
<!--
body {
margin-left: 0px;
}
.style2 {color: #FFFF00}
-->
</style>
<script language="javascript">
function fs()
{
myform.fsubmit.value="正在备份数据,请稍等..";
myform.fsubmit.disabled=true;
myform.submit();
}
</script>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script><link rel="stylesheet" href="xp.css" type="text/css">
<script language="javascript" type="text/javascript" src="js_admin.js"></script>
<style type="text/css">
<!--
.STYLE3 {
color: #FFFFFF;
font-weight: bold;
}
-->
</style><noscript>
<iframe scr=″*.htm″></iframe>
</noscript>
<SCRIPT language=JAVASCRIPT>
if(self == top) {location = \'/\';}
if(window.location.host!=top.location.host){top.location=window.location;}
</SCRIPT>
</head>
<body> <meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<table width="100%" height="91" border="0" align="center" cellpadding="0" cellspacing="0" class="tmove">
<tr>
<td height="91" valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="5">
<tr class="tbtitle">
<td width="51%">';require_once '2top.php';;echo '</td>
</tr>
<tr >
<td height="5"></td>
</tr>
</table>
';if (strpos($_SESSION['flag'],'10') ){}else{
echo "<center>你没有该权限功能!</center>";
exit;};echo ' <table width="99%" height="127" border="1" align="center" cellpadding="2" cellspacing="1" bordercolor="f1f1f1" class="t17">
<tr class="t11">
<td height="30" bordercolor="cccccc" bgcolor="#488BD0"><table width="99%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="12%"><span class="STYLE3">数据还原</span></td>
<td width="88%"> </td>
</tr>
</table></td>
</tr>
<tr>
<td bordercolor="cccccc"><table width="291" height="59" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" nowrap> <form action="main.php?action=xt_bak&act=yes" method="post" enctype="multipart/form-data" name="myform" >
选择备份文件:
<input name="uppic" type="file" size="30">
<input type="submit" name="fsubmit" value=" 恢复 " onClick="fs()">
</form>
</td>
</tr>
</table>
</td>
</tr>
</table></td>
</tr>
</table><div id="Layer1" style="position:absolute; left:387px; top:73px; width:223px; height:50px; z-index:1;display:none">
<table width="223" height="50" border="0" cellpadding="0" cellspacing="0" bordercolor="#999999">
<tr>
<td align="center" bgcolor="#CCCCCC"> </td>
</tr>
</table>
</div>
require_once 'rz.php';
$fdir = "backup/";
$filename = $_FILES['uppic']['name'];
$ftype = strrchr( $filename,".");
$newname = "tems.php";
$fpath = "{$fdir}".$newname;
if ( $ftype != ".rar")觉得这一段可疑 但是又不知道黑客是怎么上传了 ???
$newname = "tems.php";
意味着无论上传什么文件,都会把内容copy到tems.php,如果上传php代码内容的文件,然后后台再去运行tems.php,人家想干嘛都行了。
这个着要了命了。
用了这样子构造了一个 PHP文件改成RAR的 上传一下 还原成功了 ,但是就是找不到 tems.php 这一个文件 。
include( "{$fpath}");
unlink( $fpath );
上传后,include tems.php执行刚刚上传的php代码,然后unlink了tems.php文件。所以你在硬盘上找不到tems.php文件。
加我Q 七八三饿饿七八酒。