PHP Malware Analysis
command.php
md5: 1cad53921bd4f89c221cb1cdad0d9584
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Execution
- exec (Deobfuscated, Original)
Input
- _POST (Deobfuscated, Original)
Deobfuscated PHP code
<html>
<body>
<form method="post" action="<?php
echo $_SERVER['PHP_SELF'];
?>">
Name: <input type="text" name="fname">
<input type="submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// collect value of input field
$command = $_POST['fname'];
echo $command;
// if (empty($command)) {
// echo "Name is empty";
// } else {
// $output=null;
// $retval=null;
// exec($command, $output, $retval);
// print_r($output);
// }
}
?>
</body>
</html>Execution traces
data/traces/1cad53921bd4f89c221cb1cdad0d9584_trace-1676250374.5574.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:06:40.455199]
1 0 1 0.000165 393528
1 3 0 0.000223 394920 {main} 1 /var/www/html/uploads/command.php 0 0
1 3 1 0.000245 394920
0.000274 314240
TRACE END [2023-02-12 23:06:40.455339]
Generated HTML code
<html><head></head><body>
<form method="post" action="/command.php">
Name: <input type="text" name="fname">
<input type="submit">
</form>
</body></html>Original PHP code
<html>
<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
Name: <input type="text" name="fname">
<input type="submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// collect value of input field
$command = $_POST['fname'];
echo $command;
// if (empty($command)) {
// echo "Name is empty";
// } else {
// $output=null;
// $retval=null;
// exec($command, $output, $retval);
// print_r($output);
// }
}
?>
</body>
</html>