Saturday, August 9, 2014

Decode PHP encoded by cha88.cn

Below is a quick bash script that I wrote to decode some PHP web shells encoded by cha88.cn. The decoding iterates through base64 decoding and gzinflating 30 times to produce the original PHP code.

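#!/bin/bash
# Usage: pass the encoded PHP file as the first argument.
# The decoded source is left in <file>.temp when the loop finishes.
# Each pass runs the current layer with the php CLI, so work in a disposable analysis VM.

workingFile=$1

tempFile="${workingFile}.temp"
tempFile2="${workingFile}.temp2"

# Drop the cha88.cn comment banner, then turn the outer eval() into an assignment that is echoed.
grep -v -e "/\*" -e "online encode by cha88.cn!" -e "\*/" "$workingFile" | sed 's/eval(/$uncompressed = /' | sed 's/?>/echo $uncompressed;\n?>/' | sed 's/)))\;/))\;/' > "$tempFile"

# Peel 30 layers: run the current layer, then rewrite the next layer's eval() the same way.
for i in {1..30}
do
php "$tempFile" | sed 's/?><?php/<?php/' | sed 's/eval(/$uncompressed = /' | sed 's/?><?/echo $uncompressed;\n?>/' | sed 's/)))\;/))\;/' > "$tempFile2"
# mv already removes the second temp file, so no separate rm is needed.
mv -f "$tempFile2" "$tempFile"
done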
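
The same layers can be peeled statically, without handing the sample to the PHP interpreter. The Python below is an added example, not part of the original post; it assumes each layer has the form eval(gzinflate(base64_decode("..."))) implied by the sed expressions above, and the names `peel`, `wrap`, `INNER` and `SAMPLE` and the sample input are constructed for illustration.

```python
import base64
import re
import zlib

# One layer, as implied by the sed rewrites: eval(gzinflate(base64_decode("...")));
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;"
)
MAX_OUT = 16 * 1024 * 1024  # per-layer output cap so a hostile layer cannot exhaust memory


def gzinflate(data, limit=MAX_OUT):
    """PHP gzinflate() reads raw DEFLATE (no zlib header), hence wbits=-15."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, limit)
    if not d.eof:  # stream did not finish: truncated input or output hit the cap
        raise ValueError("layer is truncated or expands past the size cap")
    return out


def peel(source, max_layers=64):
    """Return (innermost_source, layers_removed) without executing any PHP."""
    layers = 0
    while layers < max_layers:
        m = LAYER.search(source)
        if m is None:
            break
        # latin-1 maps bytes 1:1, so non-text payload bytes survive decoding
        source = gzinflate(base64.b64decode(m.group(2))).decode("latin-1")
        layers += 1
    return source, layers


def wrap(php, layers):
    """Build constructed test input by applying the assumed encoding `layers` times."""
    for _ in range(layers):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = c.compress(php.encode("latin-1")) + c.flush()
        php = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()
    return "<?php\n/*\nonline encode by cha88.cn!\n*/\n" + php + "\n?>"


INNER = 'echo "constructed sample payload";'  # harmless constructed payload
SAMPLE = wrap(INNER, 30)  # 30 layers, matching the count in the post

if __name__ == "__main__":
    decoded, count = peel(SAMPLE)
    print(count, "layers removed")
    print(decoded)
```

Because `peel` stops as soon as no further layer matches, the layer count does not have to be known in advance; `max_layers` only bounds the work on malformed input.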
