dortmundbvb0624 2015-01-14 08:07

Decode base64 string? Please :(

<?php $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=1132;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0VudGVyeW91d2toUkhZS05XT1VUQWFCYkNjRGRGZkdnSWlKakxsTW1QcFFxU3NWdlh4WnowMTIzNDU2Nzg5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>

kr9NHenNHenNHe1lFMamb3klFoxiC2APk19gOLlHOa9gkZXJkZwVkr9NTznNHr8XHt4JkZwShokiF2A2Yy9LcBYvcoAPF3OZfuwPcmklCBWPkr8XHenNHr8XHtXLT08XHr8XHeEXhUXmOB50cbk5d3a3D2iUUylRTlfNaaOnCAkJW2YrcrcMO2fkDApQToxYdanXAbyTF1c2BuiDGjExHjH0YTC3KeLqRz0mRtfnWLYrOAcuUrlhU0xYTL9WAakTayaBa1icBMyJC2OlcMfPDBpqdo1Vd3nxFmY0fbc3Gul6HerZHzW1YjF4KUSvkZLphUL7cMYSd3YlhtONHeEXTznNHeEpK2a2CBXPkr9NHenNHenNHtL7RZ8IAriWTr9eU0lAT1nAwyYAWakAtJOXfbkjDoyzcBYvcoAINUnWaakeUryTOa9eT0OyKXPLfoyZc2a0b3aZdtE9wtkPfuOXKJ8vf3f3RMpvCmplcBSVC29sR2yXDU9zcByZC2IvN2pvCmplcBS9kopvCmplcBSMDB5LcBaLNUOpdMOlcBWMC2yZcBaZDMa0NUOjCbklcbkQcbWMFuaZC2iiF2ajd2OlNUOXfbkjDoyzcBYvcoAMD2a5f29Zce0LFUcSd2Yifolvdj0Ldtcjdz0LC28MF29Zfe0LF29ZftcZCBOpfbH9kukicol1FZczfe0LF3WMDmO5FoA9kop0kmY0Cbk0NUOzfoyZftcvdoW9kocZd21ic2AJKXPvR2ajDo8IkuOiFMflfy91FMX7tJO1F2aZWBfldmWINUEmO29vc2xlCM90RzwVHUEPDuO0FePvR3f3fZ5md29mdoaJd3WVC29sR2kvft5Pfo1ShUF7tIPvRZnsCBslwuOPcUnjaakHwuklFbalF3WIfo8IkuOiFMflfy91FMXhkoYPwe0IC3aZdy9pdMl0htL7tMY1FMxgF2a0d3n0htOjDtXIW1aUTr9Way9aA0aUWAfyTlWSwtO1F2aZWBfldmWpKXpjfbkSb3Ylfo9XftILC2ISwrYaALxNAyOgaakHRtO0CbkmcbOgfbkShTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb0cnUAxNTLaUAL9URtn0FmalhTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb0cNTrxNa0xNW0yAUA9KRtn0FmalhTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb0yaar9UOAcyALaURtn0FmalhTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb1kyayaUTlOUWA5TOLaURuOZfBApKXpjfbkSb3Ylfo9XftILC2ISwrYaALxNAyOgarlYOA9aatXIYTEXhTShkuisduY0FMlVcz0IC3aZdy9lGoajhtOjDtL7tIPLGo1SF3OZDB5mwe0IkuisduY0FMlVczShkopzd25gFMaXduLINUnQF29Vb2OlC29LcUILGo1SF3OZDB5mRtn0FmalhTShtI==

I can't seem to decode this base64 string which is in the footer of a WordPress theme. I want to be able to add more to the footer.

Any help appreciated, thanks!


  • dqt20140129 2015-01-14 08:28

    Ok, this is the decoded piece of code with readable variables (for educational purposes):

    <?php
        $the_current_file = __FILE__;
        $the_line_number_of_this_line   = __LINE__;
    
        $fileResource = fopen($the_current_file, 'rb');
    
        // Skip every line of the file that comes before this line
        while (--$the_line_number_of_this_line)
        {
            fgets($fileResource, 1024);
        }
    
        // Consume this line too (in the original one-line loader, the loader line itself)
        fgets($fileResource, 4096);
    
        // Read the next 372 bytes, map the custom alphabet back to the standard base64 alphabet, then decode
        $codeToEvaluate = (base64_decode(strtr(fread($fileResource, 372), 'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
        // Execute the decoded PHP source
        eval($codeToEvaluate);
    
        return;
    

    So basically, wherever this piece of code is included, it takes every line before it and replaces the characters EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/= with ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/. Then, it base64 decodes that and eval's it. I'd do a die($codeToEvaluate); before eval($codeToEvaluate) to find out what piece of code is executed.

    But then, seriously. If the developers of this theme tried to obfuscate something from you, either it's malicious or you're trying to crack past some licensing because you don't want their attribution in the footer. Credit them or pay them.

    So bottom line: Buy the goddamn theme or find another.

    EDIT

    This seems to be the code that's being executed:

    $purchasecode = PURCHASE_CODE;
    $target_url   = "http://www.jobzeek.com/api/search/?jobzeek=$jobzeek&indeed=$indeed&careerjet=$careerjet&purchasecode=$purchasecode&keyword=$q&location=$l&co=$co&sort=$sort&radius=$radius&st=$st&jtype=$jt&start=$start&old=$fromage";
    //echo $target_url;
    $userAgent = 'Googlebot/2.1 (http://www.googlebot.com/bot.html)';
    
    // make the cURL request to $target_url
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_USERAGENT, $userAgent);
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_FAILONERROR, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_AUTOREFERER, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 500);
    $xmlstring = curl_exec($ch);
    
    $xmlstring  = $xmlstring;
    $json_reply = json_decode($xmlstring, true);
    
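Added example (not part of the original question or answer): a static decoder for the loader layout described in the accepted answer, written in Python so the suspicious PHP is never executed while it is inspected. The function names and the file produced by `build_sample` are constructed for illustration; the code assumes the encoded payload starts on the line directly after the loader line, and it decodes only the single layer shown in the answer.

```python
import base64
import re

# Alphabets copied from the decoded loader shown on this page.
CUSTOM = "EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/="
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

OUTER = re.compile(rb"eval\(\(?base64_decode\('([A-Za-z0-9+/=]+)'\)")
INNER = re.compile(r"strtr\(fread\(\$\w+,(\d+)\),'([^']+)','([^']+)'\)")


def php_strtr(text, src, dst):
    """PHP strtr(): if lengths differ, extra chars of the longer string are ignored."""
    n = min(len(src), len(dst))
    return text.translate(str.maketrans(src[:n], dst[:n]))


def decode_second_stage(blob):
    """Return the PHP source the loader would eval(), without executing anything."""
    outer = OUTER.search(blob)
    if outer is None:
        raise ValueError("no eval(base64_decode('...')) loader found")
    stage1 = base64.b64decode(outer.group(1)).decode("latin-1")
    inner = INNER.search(stage1)
    if inner is None:
        raise ValueError("stage 1 is not the strtr/fread pattern")
    length, src, dst = int(inner.group(1)), inner.group(2), inner.group(3)
    # Assumption: the payload begins on the line after the loader line.
    start = blob.index(b"\n", outer.end()) + 1
    encoded = blob[start:start + length].decode("latin-1")
    return base64.b64decode(php_strtr(encoded, src, dst)).decode("utf-8", "replace")


def build_sample(php_source):
    """Constructed test file in the same layout; not the theme's real payload."""
    std = base64.b64encode(php_source.encode()).decode()
    payload = php_strtr(std, STANDARD, CUSTOM)
    stage1 = ("$f=fopen($p,'rb');fgets($f,4096);$c=(base64_decode(strtr("
              "fread($f,%d),'%s','%s')));eval($c);" % (len(payload), CUSTOM, STANDARD))
    b64 = base64.b64encode(stage1.encode()).decode()
    loader = "<?php eval((base64_decode('%s')));return;?>" % b64
    return ("<!-- footer -->\n" + loader + "\n" + payload).encode()


if __name__ == "__main__":
    print(decode_second_stage(build_sample('echo "constructed footer";')))
```

Because the alphabets and read length are parsed out of the decoded first stage, the same function works on variants of this loader that use a different substitution string.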