kNigHt

[PHP] Decode this


I found this script on a site I have to administer. It seemed interesting to me; maybe you'd like to try decoding it:

http://pastebin.com/PxHSsBwq

If it doesn't qualify as a challenge, I ask an admin to move/delete the topic.

Good luck :)


I took a look at the code last night...

It's a backdoor and nothing more!

I dumped the variables:

  [fOnyYqpwzsk] => D@
[Zd8_Y] => swro}u
[lX] => ml=
[WKlp] => O 4SK+
[X8] => CLV@;-
[OtA] => 6-%/IY
[Blc] => csse}_gyll
[eI6dnDa] => }vvky_no}~
[HqtJnJ] => gvuute_nuns|oon
[FiFo8Ahhl] => c{gk}u_vungvioo
[xqrzKk] => 5edd955dda36ed6a2a3ac67de0c01d
[wuzqhZOqm9m] => /e
[y9Y] => 1255639
[T1_] => 9
[vYUf] => HTT
[Fy] => P_
[FBM] => A
[JU0_r] => b7
[r6g] => a
[AZWsev] => mh
[j6BbT5ea] => F
[i4148QjXMMi] => bMvF
[hg8l] => HTTP_X_DEVICE_USER_A
[IT] => GEN
[Q4M] => T
[VZjjeswS] => strcmp
[by] => md5
[KJQOFrw] => getenv
[Z82] => preg_replace
[R18uq] => uasort
[sGn_zAlOrfM] => array_fill
[u0sX] => create_function

Then it gets to

if(strcmp(md5(getenv(HTTP_A)),'5edd955dda36ed6a2a3ac67de0c01d'))

There it checks the password, which it takes from the "A" header.

If the password is correct, it does a preg_replace with the user's data using -> "/e" (this is a backdoor).

If you don't have preg_replace, it also tries a create_function with the data from "HTTP_X_DEVICE_USER_AGENT".

Basically he left himself 3 methods through which it executes PHP code:

preg_replace

uasort -> using call_back_function

create_function

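A triage sketch for the analysis in the post above, added here as an example and not part of the original thread: it parses a print_r-style variable dump (lines excerpted from the one posted), flags the code-execution primitives and the "/e" modifier, and reassembles the split HTTP_* environment keys into request-header names to look for in logs. The function names, the EXEC_PRIMITIVES list and the fragment-joining heuristic are assumptions of this example.

```python
import re

# Excerpt of the variable dump posted above (print_r-style "[name] => value").
DUMP = """\
[wuzqhZOqm9m] => /e
[vYUf] => HTT
[Fy] => P_
[FBM] => A
[JU0_r] => b7
[hg8l] => HTTP_X_DEVICE_USER_A
[IT] => GEN
[Q4M] => T
[VZjjeswS] => strcmp
[KJQOFrw] => getenv
[Z82] => preg_replace
[R18uq] => uasort
[u0sX] => create_function
"""

# Functions that can run caller-supplied PHP; the list is this example's choice.
EXEC_PRIMITIVES = {"preg_replace", "create_function", "uasort", "usort",
                   "array_map", "call_user_func", "assert"}
LINE = re.compile(r"^\s*\[([^\]]+)\] => (.*)$")

def parse_dump(text):
    """Return the dump's values in their original order."""
    return [m.group(2) for m in map(LINE.match, text.splitlines()) if m]

def header_names(values):
    """Join adjacent [A-Z_] fragments; keep joins that form an HTTP_* env key."""
    found, run = [], ""
    for v in values + [""]:            # trailing "" flushes the last run
        if v and re.fullmatch(r"[A-Z_]+", v):
            run += v
            continue
        if run.startswith("HTTP_") and len(run) > 5:
            # CGI env key -> request header: HTTP_X_FOO -> X-Foo
            found.append("-".join(p.capitalize() for p in run[5:].split("_")))
        run = ""
    return found

def triage(text):
    values = parse_dump(text)
    return {
        "exec_primitives": sorted(EXEC_PRIMITIVES.intersection(values)),
        "eval_modifier": any(re.fullmatch(r"/[a-zA-Z]*e[a-zA-Z]*", v) for v in values),
        "trigger_headers": header_names(values),
    }
```

The header names it returns are the ones to search for in request logs or filter at the proxy while the file is being removed.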
Nice job, grats :)

It's the best-encoded backdoor I've come across. I wonder how it was made; I suspect not by hand.


As for manual or automatic, I can't tell you.

As small as it is, I could do it by hand, but rather than do it by hand I'd better make something automatic so I don't have to struggle a second time.
