Japanese 
English
PHP deobfuscation, decryption, reconstruction toolDe-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php
webscan_error();
//���������ļ�
require_once('webscan_cache.php');
//�����ű��汾��
define("WEBSCAN_VERSION", '0.1.2.6');
//�����ű�MD5ֵ
define("WEBSCAN_MD5", md5(@file_get_contents(__FILE__)));
//get���ع���
$getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
//post���ع���
$postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
//cookie���ع���
$cookiefilter = "benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\(|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
//��ȡָ��
$webscan_action = isset($_POST['webscan_act'])&&webscan_cheack() ? trim($_POST['webscan_act']) : '';
//referer��ȡ
$webscan_referer = empty($_SERVER['HTTP_REFERER']) ? array() : array('HTTP_REFERER'=>$_SERVER['HTTP_REFERER']);
class webscan_http {
var $method;
var $post;
var $header;
var $ContentType;
function __construct() {
$this->method = '';
$this->cookie = '';
$this->post = '';
$this->header = '';
$this->errno = 0;
$this->errstr = '';
}
function post($url, $data = array(), $referer = '', $limit = 0, $timeout = 30, $block = TRUE) {
$this->method = 'POST';
$this->ContentType = "Content-Type: application/x-www-form-urlencoded\r\n";
if($data) {
$post = '';
foreach($data as $k=>$v) {
$post .= $k.'='.rawurlencode($v).'&';
}
$this->post .= substr($post, 0, -1);
}
return $this->request($url, $referer, $limit, $timeout, $block);
}
function request($url, $referer = '', $limit = 0, $timeout = 30, $block = TRUE) {
$matches = parse_url($url);
$host = $matches['host'];
$path = $matches['path'] ? $matches['path'].($matches['query'] ? '?'.$matches['query'] : '') : '/';
$port = $matches['port'] ? $matches['port'] : 80;
if($referer == '') $referer = URL;
$out = "$this->method $path HTTP/1.1\r\n";
$out .= "Accept: */*\r\n";
$out .= "Referer: $referer\r\n";
$out .= "Accept-Language: zh-cn\r\n";
$out .= "User-Agent: ".$_SERVER['HTTP_USER_AGENT']."\r\n";
$out .= "Host: $host\r\n";
if($this->method == 'POST') {
$out .= $this->ContentType;
$out .= "Content-Length: ".strlen($this->post)."\r\n";
$out .= "Cache-Control: no-cache\r\n";
$out .= "Connection: Close\r\n\r\n";
$out .= $this->post;
} else {
$out .= "Connection: Close\r\n\r\n";
}
if($timeout > ini_get('max_execution_time')) @set_time_limit($timeout);
$fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
$this->post = '';
if(!$fp) {
return false;
} else {
stream_set_blocking($fp, $block);
stream_set_timeout($fp, $timeout);
fwrite($fp, $out);
$this->data = '';
$status = stream_get_meta_data($fp);
if(!$status['timed_out']) {
$maxsize = min($limit, 1024000);
if($maxsize == 0) $maxsize = 1024000;
$start = false;
while(!feof($fp)) {
if($start) {
$line = fread($fp, $maxsize);
if(strlen($this->data) > $maxsize) break;
$this->data .= $line;
} else {
$line = fgets($fp);
$this->header .= $line;
if($line == "\r\n" || $line == "\n") $start = true;
}
}
}
fclose($fp);
return "200";
}
}
}
/**
* �ر��û�������ʾ
*/
function webscan_error() {
if (ini_get('display_errors')) {
ini_set('display_errors', '0');
}
}
/**
* ��֤�Ƿ��ǹٷ�����������
*/
function webscan_cheack() {
if($_POST['webscan_rkey']==WEBSCAN_U_KEY){
return true;
}
return false;
}
/**
* ����ͳ�ƻش�
*/
function webscan_slog($logs) {
if(! function_exists('curl_init')) {
$http=new webscan_http();
$http->post(WEBSCAN_API_LOG,$logs);
}
else{
webscan_curl(WEBSCAN_API_LOG,$logs);
}
}
/**
* �������
*/
function webscan_arr_foreach($arr) {
static $str;
static $keystr;
if (!is_array($arr)) {
return $arr;
}
foreach ($arr as $key => $val ) {
$keystr=$keystr.$key;
if (is_array($val)) {
webscan_arr_foreach($val);
} else {
$str[] = $val.$keystr;
}
}
return implode($str);
}
/**
* �°��ļ�md5ֵЧ��
*/
function webscan_updateck($ve) {
if($ve!=WEBSCAN_MD5)
{
return true;
}
return false;
}
/**
* ������ʾҳ
*/
function webscan_pape(){
$pape=<<<HTML
<html>
<body style="margin:0; padding:0">
<center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center>
</body>
</html>
HTML;
echo $pape;
}
/**
* �����������
*/
function webscan_StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq,$method) {
$StrFiltValue=webscan_arr_foreach($StrFiltValue);
if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1){
webscan_slog(array('ip' => $_SERVER["REMOTE_ADDR"],'time'=>strftime("%Y-%m-%d %H:%M:%S"),'page'=>$_SERVER["PHP_SELF"],'method'=>$method,'rkey'=>$StrFiltKey,'rdata'=>$StrFiltValue,'user_agent'=>$_SERVER['HTTP_USER_AGENT'],'request_url'=>$_SERVER["REQUEST_URI"]));
exit(webscan_pape());
}
if (preg_match("/".$ArrFiltReq."/is",$StrFiltKey)==1){
webscan_slog(array('ip' => $_SERVER["REMOTE_ADDR"],'time'=>strftime("%Y-%m-%d %H:%M:%S"),'page'=>$_SERVER["PHP_SELF"],'method'=>$method,'rkey'=>$StrFiltKey,'rdata'=>$StrFiltKey,'user_agent'=>$_SERVER['HTTP_USER_AGENT'],'request_url'=>$_SERVER["REQUEST_URI"]));
exit(webscan_pape());
}
}
/**
* ����Ŀ¼������
*/
function webscan_white($webscan_white_name,$webscan_white_url=array()) {
$url_path=$_SERVER['PHP_SELF'];
$url_var=$_SERVER['QUERY_STRING'];
if (preg_match("/".$webscan_white_name."/is",$url_path)==1&&!empty($webscan_white_name)) {
return false;
}
foreach ($webscan_white_url as $key => $value) {
if(!empty($url_var)&&!empty($value)){
if (stristr($url_path,$key)&&stristr($url_var,$value)) {
return false;
}
}
elseif (empty($url_var)&&empty($value)) {
if (stristr($url_path,$key)) {
return false;
}
}
}
return true;
}
/**
* curl��ʽ�ύ
*/
function webscan_curl($url , $postdata = array()){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
$response = curl_exec($ch);
$httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
return array('httpcode'=>$httpcode,'response'=>$response);
}
if($webscan_action=='update') {
//�ļ����²���
$webscan_update_md5=md5(@file_get_contents(WEBSCAN_UPDATE_FILE));
if (webscan_updateck($webscan_update_md5))
{
if (!file_exists(dirname(__FILE__).'/caches_webscan'))
{
if (@mkdir(dirname(__FILE__).'/caches_webscan',755)) {
}
else{
exit("file_failed");
}
}
@file_put_contents(dirname(__FILE__).'/caches_webscan/'."update_360.dat", @file_get_contents(WEBSCAN_UPDATE_FILE));
if(copy(__FILE__,dirname(__FILE__).'/caches_webscan/'."bak_360.dat")&&filesize(dirname(__FILE__).'/caches_webscan/'."update_360.dat")>500&&md5(@file_get_contents(dirname(__FILE__).'/caches_webscan/'."update_360.dat"))==$webscan_update_md5)
{
if (!copy(dirname(__FILE__).'/caches_webscan/'."update_360.dat",__FILE__))
{
copy(dirname(__FILE__).'/caches_webscan/'."bak_360.dat",__FILE__);
exit("copy_failed");
}
unlink(dirname(__FILE__).'/caches_webscan/'."update_360.dat");
exit("update_success");
}
unlink(dirname(__FILE__).'/caches_webscan/'."update_360.dat");
exit("failed");
}
else{
exit("news");
}
}
elseif($webscan_action=="ckinstall") {
//��֤��װ��汾��Ϣ
if(! function_exists('curl_init')){
$web_code=new webscan_http();
$httpcode=$web_code->request("http://safe.webscan.360.cn");
}
else{
$web_code=webscan_curl("http://safe.webscan.360.cn");
$httpcode=$web_code['httpcode'];
}
exit("1".":".WEBSCAN_VERSION.":".WEBSCAN_MD5.":".WEBSCAN_U_KEY.":".$httpcode);
}
if ($webscan_switch&&webscan_white($webscan_white_directory,$webscan_white_url)) {
if ($webscan_get) {
foreach($_GET as $key=>$value) {
webscan_StopAttack($key,$value,$getfilter,"GET");
}
}
if ($webscan_post) {
foreach($_POST as $key=>$value) {
webscan_StopAttack($key,$value,$postfilter,"POST");
}
}
if ($webscan_cookie) {
foreach($_COOKIE as $key=>$value) {
webscan_StopAttack($key,$value,$cookiefilter,"COOKIE");
}
}
if ($webscan_referre) {
foreach($webscan_referer as $key=>$value) {
webscan_StopAttack($key,$value,$postfilter,"REFERRER");
}
}
}
?><?php
webscan_error();
//���������ļ�
require_once 'webscan_cache.php';
//�����ű��汾��
define("WEBSCAN_VERSION", '0.1.2.6');
//�����ű�MD5ֵ
define("WEBSCAN_MD5", md5(@"<?php\r\nwebscan_error();\r\n//���������ļ�\r\nrequire_once('webscan_cache.php');\r\n//�����ű��汾��\r\ndefine(\"WEBSCAN_VERSION\", '0.1.2.6');\r\n//�����ű�MD5ֵ\r\ndefine(\"WEBSCAN_MD5\", md5(@file_get_contents(__FILE__)));\r\n//get���ع���\r\n\$getfilter = \"\\\\<.+javascript:window\\\\[.{1}\\\\\\\\x|<.*=(&#\\\\d+?;?)+?>|<.*(data|src)=data:text\\\\/html.*>|\\\\b(alert\\\\(|confirm\\\\(|expression\\\\(|prompt\\\\(|benchmark\\s*?\\\\(\\d+?|sleep\\s*?\\\\([\\d\\.]+?\\\\)|load_file\\s*?\\\\()|<[a-z]+?\\\\b[^>]*?\\\\bon([a-z]{4,})\\s*?=|^\\\\+\\\\/v(8|9)|\\\\b(and|or)\\\\b\\\\s*?([\\\\(\\\\)'\\\"\\\\d]+?=[\\\\(\\\\)'\\\"\\\\d]+?|[\\\\(\\\\)'\\\"a-zA-Z]+?=[\\\\(\\\\)'\\\"a-zA-Z]+?|>|<|\\s+?[\\\\w]+?\\\\s+?\\\\bin\\\\b\\\\s*?\\(|\\\\blike\\\\b\\\\s+?[\\\"'])|\\\\/\\\\*.+?\\\\*\\\\/|<\\\\s*script\\\\b|\\\\bEXEC\\\\b|UNION.+?SELECT(\\\\(.+\\\\)|\\\\s+?.+?)|UPDATE(\\\\(.+\\\\)|\\\\s+?.+?)SET|INSERT\\\\s+INTO.+?VALUES|(SELECT|DELETE)(\\\\(.+\\\\)|\\\\s+?.+?\\\\s+?)FROM(\\\\(.+\\\\)|\\\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\\\s+(TABLE|DATABASE)\";\r\n//post���ع���\r\n\$postfilter = \"<.*=(&#\\\\d+?;?)+?>|<.*data=data:text\\\\/html.*>|\\\\b(alert\\\\(|confirm\\\\(|expression\\\\(|prompt\\\\(|benchmark\\s*?\\\\(\\d+?|sleep\\s*?\\\\([\\d\\.]+?\\\\)|load_file\\s*?\\\\()|<[^>]*?\\\\b(onerror|onmousemove|onload|onclick|onmouseover)\\\\b|\\\\b(and|or)\\\\b\\\\s*?([\\\\(\\\\)'\\\"\\\\d]+?=[\\\\(\\\\)'\\\"\\\\d]+?|[\\\\(\\\\)'\\\"a-zA-Z]+?=[\\\\(\\\\)'\\\"a-zA-Z]+?|>|<|\\s+?[\\\\w]+?\\\\s+?\\\\bin\\\\b\\\\s*?\\(|\\\\blike\\\\b\\\\s+?[\\\"'])|\\\\/\\\\*.+?\\\\*\\\\/|<\\\\s*script\\\\b|\\\\bEXEC\\\\b|UNION.+?SELECT(\\\\(.+\\\\)|\\\\s+?.+?)|UPDATE(\\\\(.+\\\\)|\\\\s+?.+?)SET|INSERT\\\\s+INTO.+?VALUES|(SELECT|DELETE)(\\\\(.+\\\\)|\\\\s+?.+?\\\\s+?)FROM(\\\\(.+\\\\)|\\\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\\\s+(TABLE|DATABASE)\";\r\n//cookie���ع���\r\n\$cookiefilter = \"benchmark\\s*?\\\\(\\d+?|sleep\\s*?\\\\([\\d\\.]+?\\\\)|load_file\\s*?\\\\(|\\\\b(and|or)\\\\b\\\\s*?([\\\\(\\\\)'\\\"\\\\d]+?=[\\\\(\\\\)'\\\"\\\\d]+?|[\\\\(\\\\)'\\\"a-zA-Z]+?=[\\\\(\\\\)'\\\"a-zA-Z]+?|>|<|\\s+?[\\\\w]+?\\\\s+?\\\\bin\\\\b\\\\s*?\\(|\\\\blike\\\\b\\\\s+?[\\\"'])|\\\\/\\\\*.+?\\\\*\\\\/|<\\\\s*script\\\\b|\\\\bEXEC\\\\b|UNION.+?SELECT(\\\\(.+\\\\)|\\\\s+?.+?)|UPDATE(\\\\(.+\\\\)|\\\\s+?.+?)SET|INSERT\\\\s+INTO.+?VALUES|(SELECT|DELETE)(\\\\(.+\\\\)|\\\\s+?.+?\\\\s+?)FROM(\\\\(.+\\\\)|\\\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\\\s+(TABLE|DATABASE)\";\r\n//��ȡָ��\r\n\$webscan_action = isset(\$_POST['webscan_act'])&&webscan_cheack() ? trim(\$_POST['webscan_act']) : '';\r\n//referer��ȡ\r\n\$webscan_referer = empty(\$_SERVER['HTTP_REFERER']) ? array() : array('HTTP_REFERER'=>\$_SERVER['HTTP_REFERER']);\r\n\r\nclass webscan_http {\r\n\r\n var \$method;\r\n var \$post;\r\n var \$header;\r\n var \$ContentType;\r\n\r\n function __construct() {\r\n \$this->method = '';\r\n \$this->cookie = '';\r\n \$this->post = '';\r\n \$this->header = '';\r\n \$this->errno = 0;\r\n \$this->errstr = '';\r\n }\r\n\r\n function post(\$url, \$data = array(), \$referer = '', \$limit = 0, \$timeout = 30, \$block = TRUE) {\r\n \$this->method = 'POST';\r\n \$this->ContentType = \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n if(\$data) {\r\n \$post = '';\r\n foreach(\$data as \$k=>\$v) {\r\n \$post .= \$k.'='.rawurlencode(\$v).'&';\r\n }\r\n \$this->post .= substr(\$post, 0, -1);\r\n }\r\n return \$this->request(\$url, \$referer, \$limit, \$timeout, \$block);\r\n }\r\n\r\n function request(\$url, \$referer = '', \$limit = 0, \$timeout = 30, \$block = TRUE) {\r\n \$matches = parse_url(\$url);\r\n \$host = \$matches['host'];\r\n \$path = \$matches['path'] ? \$matches['path'].(\$matches['query'] ? '?'.\$matches['query'] : '') : '/';\r\n \$port = \$matches['port'] ? \$matches['port'] : 80;\r\n if(\$referer == '') \$referer = URL;\r\n \$out = \"\$this->method \$path HTTP/1.1\\r\\n\";\r\n \$out .= \"Accept: */*\\r\\n\";\r\n \$out .= \"Referer: \$referer\\r\\n\";\r\n \$out .= \"Accept-Language: zh-cn\\r\\n\";\r\n \$out .= \"User-Agent: \".\$_SERVER['HTTP_USER_AGENT'].\"\\r\\n\";\r\n \$out .= \"Host: \$host\\r\\n\";\r\n if(\$this->method == 'POST') {\r\n \$out .= \$this->ContentType;\r\n \$out .= \"Content-Length: \".strlen(\$this->post).\"\\r\\n\";\r\n \$out .= \"Cache-Control: no-cache\\r\\n\";\r\n \$out .= \"Connection: Close\\r\\n\\r\\n\";\r\n \$out .= \$this->post;\r\n } else {\r\n \$out .= \"Connection: Close\\r\\n\\r\\n\";\r\n }\r\n if(\$timeout > ini_get('max_execution_time')) @set_time_limit(\$timeout);\r\n \$fp = @fsockopen(\$host, \$port, \$errno, \$errstr, \$timeout);\r\n \$this->post = '';\r\n if(!\$fp) {\r\n return false;\r\n } else {\r\n stream_set_blocking(\$fp, \$block);\r\n stream_set_timeout(\$fp, \$timeout);\r\n fwrite(\$fp, \$out);\r\n \$this->data = '';\r\n \$status = stream_get_meta_data(\$fp);\r\n if(!\$status['timed_out']) {\r\n \$maxsize = min(\$limit, 1024000);\r\n if(\$maxsize == 0) \$maxsize = 1024000;\r\n \$start = false;\r\n while(!feof(\$fp)) {\r\n if(\$start) {\r\n \$line = fread(\$fp, \$maxsize);\r\n if(strlen(\$this->data) > \$maxsize) break;\r\n \$this->data .= \$line;\r\n } else {\r\n \$line = fgets(\$fp);\r\n \$this->header .= \$line;\r\n if(\$line == \"\\r\\n\" || \$line == \"\\n\") \$start = true;\r\n }\r\n }\r\n }\r\n fclose(\$fp);\r\n return \"200\";\r\n }\r\n }\r\n\r\n}\r\n\r\n/**\r\n * �ر��û�������ʾ\r\n */\r\nfunction webscan_error() {\r\n if (ini_get('display_errors')) {\r\n ini_set('display_errors', '0');\r\n }\r\n}\r\n\r\n/**\r\n * ��֤�Ƿ��ǹٷ�����������\r\n */\r\nfunction webscan_cheack() {\r\n if(\$_POST['webscan_rkey']==WEBSCAN_U_KEY){\r\n return true;\r\n }\r\n return false;\r\n}\r\n/**\r\n * ����ͳ�ƻش�\r\n */\r\nfunction webscan_slog(\$logs) {\r\n if(! function_exists('curl_init')) {\r\n \$http=new webscan_http();\r\n \$http->post(WEBSCAN_API_LOG,\$logs);\r\n }\r\n else{\r\n webscan_curl(WEBSCAN_API_LOG,\$logs);\r\n }\r\n}\r\n/**\r\n * �������\r\n */\r\nfunction webscan_arr_foreach(\$arr) {\r\n static \$str;\r\n static \$keystr;\r\n if (!is_array(\$arr)) {\r\n return \$arr;\r\n }\r\n foreach (\$arr as \$key => \$val ) {\r\n \$keystr=\$keystr.\$key;\r\n if (is_array(\$val)) {\r\n\r\n webscan_arr_foreach(\$val);\r\n } else {\r\n\r\n \$str[] = \$val.\$keystr;\r\n }\r\n }\r\n return implode(\$str);\r\n}\r\n/**\r\n * �°��ļ�md5ֵЧ��\r\n */\r\nfunction webscan_updateck(\$ve) {\r\n if(\$ve!=WEBSCAN_MD5)\r\n {\r\n return true;\r\n }\r\n return false;\r\n}\r\n\r\n/**\r\n * ������ʾҳ\r\n */\r\nfunction webscan_pape(){\r\n \$pape=<<<HTML\r\n <html>\r\n <body style=\"margin:0; padding:0\">\r\n <center><iframe width=\"100%\" align=\"center\" height=\"870\" frameborder=\"0\" scrolling=\"no\" src=\"http://safe.webscan.360.cn/stopattack.html\"></iframe></center>\r\n </body>\r\n </html>\r\nHTML;\r\n echo \$pape;\r\n}\r\n\r\n/**\r\n * �����������\r\n */\r\nfunction webscan_StopAttack(\$StrFiltKey,\$StrFiltValue,\$ArrFiltReq,\$method) {\r\n \$StrFiltValue=webscan_arr_foreach(\$StrFiltValue);\r\n if (preg_match(\"/\".\$ArrFiltReq.\"/is\",\$StrFiltValue)==1){\r\n webscan_slog(array('ip' => \$_SERVER[\"REMOTE_ADDR\"],'time'=>strftime(\"%Y-%m-%d %H:%M:%S\"),'page'=>\$_SERVER[\"PHP_SELF\"],'method'=>\$method,'rkey'=>\$StrFiltKey,'rdata'=>\$StrFiltValue,'user_agent'=>\$_SERVER['HTTP_USER_AGENT'],'request_url'=>\$_SERVER[\"REQUEST_URI\"]));\r\n exit(webscan_pape());\r\n }\r\n if (preg_match(\"/\".\$ArrFiltReq.\"/is\",\$StrFiltKey)==1){\r\n webscan_slog(array('ip' => \$_SERVER[\"REMOTE_ADDR\"],'time'=>strftime(\"%Y-%m-%d %H:%M:%S\"),'page'=>\$_SERVER[\"PHP_SELF\"],'method'=>\$method,'rkey'=>\$StrFiltKey,'rdata'=>\$StrFiltKey,'user_agent'=>\$_SERVER['HTTP_USER_AGENT'],'request_url'=>\$_SERVER[\"REQUEST_URI\"]));\r\n exit(webscan_pape());\r\n }\r\n\r\n}\r\n/**\r\n * ����Ŀ¼������\r\n */\r\nfunction webscan_white(\$webscan_white_name,\$webscan_white_url=array()) {\r\n \$url_path=\$_SERVER['PHP_SELF'];\r\n \$url_var=\$_SERVER['QUERY_STRING'];\r\n if (preg_match(\"/\".\$webscan_white_name.\"/is\",\$url_path)==1&&!empty(\$webscan_white_name)) {\r\n return false;\r\n }\r\n foreach (\$webscan_white_url as \$key => \$value) {\r\n if(!empty(\$url_var)&&!empty(\$value)){\r\n if (stristr(\$url_path,\$key)&&stristr(\$url_var,\$value)) {\r\n return false;\r\n }\r\n }\r\n elseif (empty(\$url_var)&&empty(\$value)) {\r\n if (stristr(\$url_path,\$key)) {\r\n return false;\r\n }\r\n }\r\n\r\n }\r\n\r\n return true;\r\n}\r\n\r\n/**\r\n * curl��ʽ�ύ\r\n */\r\nfunction webscan_curl(\$url , \$postdata = array()){\r\n \$ch = curl_init();\r\n curl_setopt(\$ch, CURLOPT_URL, \$url);\r\n curl_setopt(\$ch, CURLOPT_HEADER, 0);\r\n curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, 1);\r\n curl_setopt(\$ch, CURLOPT_CONNECTTIMEOUT, 5);\r\n curl_setopt(\$ch, CURLOPT_TIMEOUT, 15);\r\n curl_setopt(\$ch, CURLOPT_POST, 1);\r\n curl_setopt(\$ch, CURLOPT_POSTFIELDS, \$postdata);\r\n \$response = curl_exec(\$ch);\r\n \$httpcode = curl_getinfo(\$ch,CURLINFO_HTTP_CODE);\r\n curl_close(\$ch);\r\n return array('httpcode'=>\$httpcode,'response'=>\$response);\r\n}\r\n\r\nif(\$webscan_action=='update') {\r\n //�ļ����²���\r\n \$webscan_update_md5=md5(@file_get_contents(WEBSCAN_UPDATE_FILE));\r\n if (webscan_updateck(\$webscan_update_md5))\r\n {\r\n if (!file_exists(dirname(__FILE__).'/caches_webscan'))\r\n {\r\n if (@mkdir(dirname(__FILE__).'/caches_webscan',755)) {\r\n }\r\n else{\r\n exit(\"file_failed\");\r\n }\r\n }\r\n @file_put_contents(dirname(__FILE__).'/caches_webscan/'.\"update_360.dat\", @file_get_contents(WEBSCAN_UPDATE_FILE));\r\n\r\n if(copy(__FILE__,dirname(__FILE__).'/caches_webscan/'.\"bak_360.dat\")&&filesize(dirname(__FILE__).'/caches_webscan/'.\"update_360.dat\")>500&&md5(@file_get_contents(dirname(__FILE__).'/caches_webscan/'.\"update_360.dat\"))==\$webscan_update_md5)\r\n {\r\n if (!copy(dirname(__FILE__).'/caches_webscan/'.\"update_360.dat\",__FILE__))\r\n {\r\n copy(dirname(__FILE__).'/caches_webscan/'.\"bak_360.dat\",__FILE__);\r\n exit(\"copy_failed\");\r\n }\r\n unlink(dirname(__FILE__).'/caches_webscan/'.\"update_360.dat\");\r\n exit(\"update_success\");\r\n }\r\n unlink(dirname(__FILE__).'/caches_webscan/'.\"update_360.dat\");\r\n exit(\"failed\");\r\n }\r\n else{\r\n exit(\"news\");\r\n }\r\n\r\n}\r\n\r\nelseif(\$webscan_action==\"ckinstall\") {\r\n //��֤��װ��汾��Ϣ\r\n if(! function_exists('curl_init')){\r\n \$web_code=new webscan_http();\r\n \$httpcode=\$web_code->request(\"http://safe.webscan.360.cn\");\r\n }\r\n else{\r\n \$web_code=webscan_curl(\"http://safe.webscan.360.cn\");\r\n \$httpcode=\$web_code['httpcode'];\r\n }\r\n\r\n exit(\"1\".\":\".WEBSCAN_VERSION.\":\".WEBSCAN_MD5.\":\".WEBSCAN_U_KEY.\":\".\$httpcode);\r\n}\r\n\r\nif (\$webscan_switch&&webscan_white(\$webscan_white_directory,\$webscan_white_url)) {\r\n if (\$webscan_get) {\r\n foreach(\$_GET as \$key=>\$value) {\r\n webscan_StopAttack(\$key,\$value,\$getfilter,\"GET\");\r\n }\r\n }\r\n if (\$webscan_post) {\r\n foreach(\$_POST as \$key=>\$value) {\r\n webscan_StopAttack(\$key,\$value,\$postfilter,\"POST\");\r\n }\r\n }\r\n if (\$webscan_cookie) {\r\n foreach(\$_COOKIE as \$key=>\$value) {\r\n webscan_StopAttack(\$key,\$value,\$cookiefilter,\"COOKIE\");\r\n }\r\n }\r\n if (\$webscan_referre) {\r\n foreach(\$webscan_referer as \$key=>\$value) {\r\n webscan_StopAttack(\$key,\$value,\$postfilter,\"REFERRER\");\r\n }\r\n }\r\n}\r\n\r\n?>"));
//get���ع���
$getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\\s*?\\(\\d+?|sleep\\s*?\\([\\d\\.]+?\\)|load_file\\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
//post���ع���
$postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\\s*?\\(\\d+?|sleep\\s*?\\([\\d\\.]+?\\)|load_file\\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
//cookie���ع���
$cookiefilter = "benchmark\\s*?\\(\\d+?|sleep\\s*?\\([\\d\\.]+?\\)|load_file\\s*?\\(|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
//��ȡָ��
$webscan_action = isset($_POST['webscan_act']) && webscan_cheack() ? trim($_POST['webscan_act']) : '';
//referer��ȡ
$webscan_referer = empty($_SERVER['HTTP_REFERER']) ? array() : array('HTTP_REFERER' => $_SERVER['HTTP_REFERER']);
class webscan_http
{
var $method;
var $post;
var $header;
var $ContentType;
function __construct()
{
$this->method = '';
$this->cookie = '';
$this->post = '';
$this->header = '';
$this->errno = 0;
$this->errstr = '';
}
function post($url, $data = array(), $referer = '', $limit = 0, $timeout = 30, $block = TRUE)
{
$this->method = 'POST';
$this->ContentType = "Content-Type: application/x-www-form-urlencoded\r\n";
if ($data) {
$post = '';
foreach ($data as $k => $v) {
$post .= $k . '=' . rawurlencode($v) . '&';
}
$this->post .= substr($post, 0, 1);
}
return $this->request($url, $referer, $limit, $timeout, $block);
}
function request($url, $referer = '', $limit = 0, $timeout = 30, $block = TRUE)
{
$matches = parse_url($url);
$host = $matches['host'];
$path = $matches['path'] ? $matches['path'] . ($matches['query'] ? '?' . $matches['query'] : '') : '/';
$port = $matches['port'] ? $matches['port'] : 80;
if ($referer == '') {
$referer = URL;
}
$out = "{$this->method} {$path} HTTP/1.1\r\n";
$out .= "Accept: */*\r\n";
$out .= "Referer: {$referer}\r\n";
$out .= "Accept-Language: zh-cn\r\n";
$out .= "User-Agent: " . $_SERVER['HTTP_USER_AGENT'] . "\r\n";
$out .= "Host: {$host}\r\n";
if ($this->method == 'POST') {
$out .= $this->ContentType;
$out .= "Content-Length: " . strlen($this->post) . "\r\n";
$out .= "Cache-Control: no-cache\r\n";
$out .= "Connection: Close\r\n\r\n";
$out .= $this->post;
} else {
$out .= "Connection: Close\r\n\r\n";
}
if ($timeout > ini_get('max_execution_time')) {
@set_time_limit($timeout);
}
$fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
$this->post = '';
if (!$fp) {
return false;
} else {
stream_set_blocking($fp, $block);
stream_set_timeout($fp, $timeout);
fwrite($fp, $out);
$this->data = '';
$status = stream_get_meta_data($fp);
if (!$status['timed_out']) {
$maxsize = min($limit, 1024000);
if ($maxsize == 0) {
$maxsize = 1024000;
}
$start = false;
while (!feof($fp)) {
if ($start) {
$line = fread($fp, $maxsize);
if (strlen($this->data) > $maxsize) {
break;
}
$this->data .= $line;
} else {
$line = fgets($fp);
$this->header .= $line;
if ($line == "\r\n" || $line == "\n") {
$start = true;
}
}
}
}
fclose($fp);
return "200";
}
}
}
/**
* �ر��û�������ʾ
*/
function webscan_error()
{
if (ini_get('display_errors')) {
ini_set('display_errors', '0');
}
}
/**
* ��֤�Ƿ��ǹٷ�����������
*/
function webscan_cheack()
{
if ($_POST['webscan_rkey'] == WEBSCAN_U_KEY) {
return true;
}
return false;
}
/**
* ����ͳ�ƻش�
*/
function webscan_slog($logs)
{
if (!function_exists('curl_init')) {
$http = new webscan_http();
$http->post(WEBSCAN_API_LOG, $logs);
} else {
webscan_curl(WEBSCAN_API_LOG, $logs);
}
}
/**
* �������
*/
function webscan_arr_foreach($arr)
{
static $str;
static $keystr;
if (!is_array($arr)) {
return $arr;
}
foreach ($arr as $key => $val) {
$keystr .= $key;
if (is_array($val)) {
webscan_arr_foreach($val);
} else {
$str[] = $val . $keystr;
}
}
return implode($str);
}
/**
* �°��ļ�md5ֵЧ��
*/
function webscan_updateck($ve)
{
if ($ve != WEBSCAN_MD5) {
return true;
}
return false;
}
/**
* ������ʾҳ
*/
function webscan_pape()
{
$pape = <<<HTML
<html>
<body style="margin:0; padding:0">
<center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center>
</body>
</html>
HTML;
echo $pape;
}
/**
* �����������
*/
function webscan_StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq, $method)
{
$StrFiltValue = webscan_arr_foreach($StrFiltValue);
if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1) {
webscan_slog(array('ip' => $_SERVER["REMOTE_ADDR"], 'time' => strftime("%Y-%m-%d %H:%M:%S"), 'page' => $_SERVER["PHP_SELF"], 'method' => $method, 'rkey' => $StrFiltKey, 'rdata' => $StrFiltValue, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'request_url' => $_SERVER["REQUEST_URI"]));
exit(webscan_pape());
}
if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltKey) == 1) {
webscan_slog(array('ip' => $_SERVER["REMOTE_ADDR"], 'time' => strftime("%Y-%m-%d %H:%M:%S"), 'page' => $_SERVER["PHP_SELF"], 'method' => $method, 'rkey' => $StrFiltKey, 'rdata' => $StrFiltKey, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'request_url' => $_SERVER["REQUEST_URI"]));
exit(webscan_pape());
}
}
/**
* ����Ŀ¼������
*/
function webscan_white($webscan_white_name, $webscan_white_url = array())
{
$url_path = $_SERVER['PHP_SELF'];
$url_var = $_SERVER['QUERY_STRING'];
if (preg_match("/" . $webscan_white_name . "/is", $url_path) == 1 && !empty($webscan_white_name)) {
return false;
}
foreach ($webscan_white_url as $key => $value) {
if (!empty($url_var) && !empty($value)) {
if (stristr($url_path, $key) && stristr($url_var, $value)) {
return false;
}
} elseif (empty($url_var) && empty($value)) {
if (stristr($url_path, $key)) {
return false;
}
}
}
return true;
}
/**
* curl��ʽ�ύ
*/
function webscan_curl($url, $postdata = array())
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
$response = curl_exec($ch);
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return array('httpcode' => $httpcode, 'response' => $response);
}
if ($webscan_action == 'update') {
//�ļ����²���
$webscan_update_md5 = md5(@file_get_contents(WEBSCAN_UPDATE_FILE));
if (webscan_updateck($webscan_update_md5)) {
if (!file_exists("/var/www/html/caches_webscan")) {
if (@mkdir("/var/www/html/caches_webscan", 755)) {
} else {
exit("file_failed");
}
}
@file_put_contents("/var/www/html/caches_webscan/update_360.dat", @file_get_contents(WEBSCAN_UPDATE_FILE));
if (copy("/var/www/html/input.php", "/var/www/html/caches_webscan/bak_360.dat") && filesize("/var/www/html/caches_webscan/update_360.dat") > 500 && md5(@file_get_contents("/var/www/html/caches_webscan/update_360.dat")) == $webscan_update_md5) {
if (!copy("/var/www/html/caches_webscan/update_360.dat", "/var/www/html/input.php")) {
copy("/var/www/html/caches_webscan/bak_360.dat", "/var/www/html/input.php");
exit("copy_failed");
}
unlink("/var/www/html/caches_webscan/update_360.dat");
exit("update_success");
}
unlink("/var/www/html/caches_webscan/update_360.dat");
exit("failed");
} else {
exit("news");
}
} elseif ($webscan_action == "ckinstall") {
//��֤��װ��汾��Ϣ
if (!function_exists('curl_init')) {
$web_code = new webscan_http();
$httpcode = $web_code->request("http://safe.webscan.360.cn");
} else {
$web_code = webscan_curl("http://safe.webscan.360.cn");
$httpcode = $web_code['httpcode'];
}
exit("1:0.1.2.6:WEBSCAN_MD5:WEBSCAN_U_KEY:" . $httpcode);
}
if ($webscan_switch && webscan_white($webscan_white_directory, $webscan_white_url)) {
if ($webscan_get) {
foreach ($_GET as $key => $value) {
webscan_StopAttack($key, $value, $getfilter, "GET");
}
}
if ($webscan_post) {
foreach ($_POST as $key => $value) {
webscan_StopAttack($key, $value, $postfilter, "POST");
}
}
if ($webscan_cookie) {
foreach ($_COOKIE as $key => $value) {
webscan_StopAttack($key, $value, $cookiefilter, "COOKIE");
}
}
if ($webscan_referre) {
foreach ($webscan_referer as $key => $value) {
webscan_StopAttack($key, $value, $postfilter, "REFERRER");
}
}
}Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.