PHP Malware Analysis

command.php

md5: 1cad53921bd4f89c221cb1cdad0d9584

Attributes

Execution

Input


Deobfuscated PHP code

<html>
<body>

<form method="post" action="<?php 
echo $_SERVER['PHP_SELF'];
?>">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>

<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // collect value of input field
    $command = $_POST['fname'];
    echo $command;
    // if (empty($command)) {
    //   echo "Name is empty";
    // } else {
    //   $output=null;
    //   $retval=null;
    //   exec($command, $output, $retval);
    //   print_r($output);
    // }
}
?>

</body>
</html>

Execution traces

data/traces/1cad53921bd4f89c221cb1cdad0d9584_trace-1676250374.5574.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:06:40.455199]
1	0	1	0.000165	393528
1	3	0	0.000223	394920	{main}	1		/var/www/html/uploads/command.php	0	0
1	3	1	0.000245	394920
			0.000274	314240
TRACE END   [2023-02-12 23:06:40.455339]


Generated HTML code

<html><head></head><body>

<form method="post" action="/command.php">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>



</body></html>

Original PHP code

<html>
<body>

<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  // collect value of input field
  $command = $_POST['fname'];
  echo $command;
  // if (empty($command)) {
  //   echo "Name is empty";
  // } else {
  //   $output=null;
  //   $retval=null;
  //   exec($command, $output, $retval);
  //   print_r($output);
  // }
}
?>

</body>
</html>