是这行有错吗?view_times+1是字段吗?
首先解密eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='))
结果为:
eval('$_X=base64_decode($_X)$_X=strtr($_X,'123456aouie','aouie123456')$_R=ereg_replace('__FILE__',"'".$_F."'",$_X)eval($_R)$_R=0$_X=0')
运行上述代码
$_X=base64_decode($_X)//执行后$_X的值为
?><d4v cl1ss="cl51r"></d4v><d4v 4d="f22t5r">
<d4v 4d="f22t5rm14n">
<1 4d="f22t5rl2g2" hr5f="<?php bl2g4nf2('3rl') ?>" t4tl5="<?php bl2g4nf2('n1m5') ?>"></1>
<?php 5ch2 str4psl1sh5s(g5t_2pt42n('cr55k22_f22t5rl4nkc2d5')) ?></br><?php 5ch2 c2m4cpr5ss_c2pyr4ght() ?> <1 hr5f="<?php 5ch2 h2m5_3rl( '/' ) ?>" t4tl5="<?php 5ch2 5sc_1ttr( g5t_bl2g4nf2( 'n1m5', 'd4spl1y' ) ) ?>" r5l="h2m5" t1rg5t="_bl1nk"><?php 5ch2 5sc_1ttr( g5t_bl2g4nf2( 'n1m5', 'd4spl1y' ) ) ?></1> - P2w5r5d by <1 hr5f="http://www.w2rdpr5ss.2rg/" r5l="n2f2ll2w" t1rg5t="_bl1nk">W2rdPr5ss</1> 1nd <1 hr5f="http://www.cr55k22.c2m/" t1rg5t="_bl1nk">Cr55K22</1><?php 4f (g5t_2pt42n('cr55k22_b541n') == 'D4spl1y') { ?> - <?php 5ch2 str4psl1sh5s(g5t_2pt42n('cr55k22_b541nh12')) ?><?php } 5ls5 { } ?><?php 4f (g5t_2pt42n('cr55k22_tj') == 'D4spl1y') { ?> - <?php 5ch2 str4psl1sh5s(g5t_2pt42n('cr55k22_tjc2d5')) ?><?php } 5ls5 { } ?>
</d4v>
</d4v>
<?php wp_f22t5r() ?>
<scr4pt typ5="t5xt/j1v1scr4pt" src="<?php bl2g4nf2('t5mpl1t5_d4r5ct2ry') ?>/c2mm5nts-1j1x.js"></scr4pt>
<scr4pt typ5="t5xt/j1v1scr4pt" src="<?php bl2g4nf2('t5mpl1t5_d4r5ct2ry') ?>/cr55k22.m4n.js?v6.o"></scr4pt>
</b2dy>
</html>
$_X=strtr($_X,'123456aouie','aouie123456')//执行后$_X的值为
?><div class="clear"></div><div id="footer">
<div id="footermain">
<a id="footerlogo" href="<?php bloginfo('url') ?>" title="<?php bloginfo('name') ?>"></a>
<?php echo stripslashes(get_option('creekoo_footerlinkcode')) ?></br><?php echo comicpress_copyright() ?> <a href="<?php echo home_url( '/' ) ?>" title="<?php echo esc_attr( get_bloginfo( 'name', 'display' ) ) ?>" rel="home" target="_blank"><?php echo esc_attr( get_bloginfo( 'name', 'display' ) ) ?></a> - Powered by <a href="http://www.wordpress.org/" rel="nofollow" target="_blank">WordPress</a> and <a href="http://www.creekoo.com/" target="_blank">CreeKoo</a><?php if (get_option('creekoo_beian') == 'Display') { ?> - <?php echo stripslashes(get_option('creekoo_beianhao')) ?><?php } else { } ?><?php if (get_option('creekoo_tj') == 'Display') { ?> - <?php echo stripslashes(get_option('creekoo_tjcode')) ?><?php } else { } ?>
</div>
</div>
<?php wp_footer() ?>
<script type="text/javascript" src="<?php bloginfo('template_directory') ?>/comments-ajax.js"></script>
<script type="text/javascript" src="<?php bloginfo('template_directory') ?>/creekoo.min.js?v1.3"></script>
</body>
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X)//将$_X中的字符串__FILE__替换为当前文件的路径,并用单引号引起来,原字符串并无可替换内容,故不变
eval($_R)//将上述替换后的内容执行
$_R=0
$_X=0
加密的代码等价于如下代码
<div class="clear"></div><div id="footer">
<div id="footermain">
<a id="footerlogo" href="<?php bloginfo('url') ?>" title="<?php bloginfo('name') ?>"></a>
<?php echo stripslashes(get_option('creekoo_footerlinkcode')) ?></br><?php echo comicpress_copyright() ?> <a href="<?php echo home_url( '/' ) ?>" title="<?php echo esc_attr( get_bloginfo( 'name', 'display' ) ) ?>" rel="home" target="_blank"><?php echo esc_attr( get_bloginfo( 'name', 'display' ) ) ?></a> - Powered by <a href="http://www.wordpress.org/" rel="nofollow" target="_blank">WordPress</a> and <a href="http://www.creekoo.com/" target="_blank">CreeKoo</a><?php if (get_option('creekoo_beian') == 'Display') { ?> - <?php echo stripslashes(get_option('creekoo_beianhao')) ?><?php } else { } ?><?php if (get_option('creekoo_tj') == 'Display') { ?> - <?php echo stripslashes(get_option('creekoo_tjcode')) ?><?php } else { } ?>
</div>
</div>
<?php wp_footer() ?>
<script type="text/javascript" src="<?php bloginfo('template_directory') ?>/comments-ajax.js"></script>
<script type="text/javascript" src="<?php bloginfo('template_directory') ?>/creekoo.min.js?v1.3"></script>
</body>
欢迎分享,转载请注明来源:优选云
微信扫一扫
支付宝扫一扫
