diff --git a/apps/home/controller/ParserController.php b/apps/home/controller/ParserController.php index 73fb995..2da77b4 100644 --- a/apps/home/controller/ParserController.php +++ b/apps/home/controller/ParserController.php @@ -265,8 +265,8 @@ public function parserSiteLabel($content) $content = str_replace($matches[0][$i], '', $content); } default: - if (strpos(file_get_contents(CORE_PATH . base64_decode('L2Jhc2ljL0tlcm5lbC5waHA=')), base64_decode('S2VybmVs'))) - exit(); + // 安全加固:核心文件完整性校验(替代原来有缺陷的字符串包含检查) + $this->checkCoreFileIntegrity(); if (isset($data->{$matches[1][$i]})) { $content = str_replace($matches[0][$i], $this->adjustLabelData($params, $data->{$matches[1][$i]}), $content); } else { @@ -3332,6 +3332,56 @@ private function validateIfCondition($condition) return ($test === ''); } + // 核心文件完整性检查(替代原来有缺陷的字符串包含检查) + // 检查核心文件是否被植入可疑代码 + private function checkCoreFileIntegrity() + { + static $checked = false; + if ($checked) { + return; + } + $checked = true; + + $coreFiles = array( + CORE_PATH . '/basic/Kernel.php', + CORE_PATH . '/basic/Check.php', + CORE_PATH . '/start.php' + ); + + // 可疑代码模式:用于检测 webshell、跳转劫持、后门等 + $suspiciousPatterns = array( + // eval + base64_decode 组合(典型 webshell) + '/eval\s*\(\s*base64_decode\s*\(/i', + // file_put_contents 写入 PHP 文件 + '/file_put_contents\s*\([^)]*\.php/i', + // 页面跳转劫持 + '/