How Can I decode this php curl script: http://pastebin.com/raw.php?i=YWE1i4U7
It's got un-encoded characters here and there, like the "t"s, the "v"s, etc.
You can convert each \x12 escaped character with hexdec and chr. And to automate that a little with preg_replace.
print preg_replace('/[\\\\]x(\w\w)/e', 'chr(hexdec("$1"))', $script);
Though that's only a partial "decoding". Won't make everything legible, nor will it likely leave the code in a working state.
This builds on mario's very cool string replacement.
Save your file as source.phps - most servers will display this as PHP source code and will not execute it. (Check with your local web server admin to make sure .phps is enabled and safe).
In the same directory, create a file that's a decoder, I called mine decode.php. The contents:
<?php
$phpsource = file_get_contents('source.phps');
highlight_string(str_replace(";",";\n", preg_replace('/[\\\\]x(\w\w)/e', 'chr(hexdec("$1"))', $phpsource)));
?>
This is a basic step that makes the code a little bit more readable so you can see the PHP. It's still very ugly, as it obfuscates itself as much as it possibly can, but now you can see, with code-highlighting the various calls to base64_decode and header the script makes.
Related
I have a website where users can upload files to share with others. But first I need to verify them.
Lately someone uploaded a .php file with the following commands:
‰PNG
<?php
eval(gzinflate(base64_decode("very large strings of characters")));
?>
I figured it might be harmful, so I didnt open it.
Does anyone have any idea what it does?
nobody can tell you, just do
<?php echo gzinflate(base64_decode("very large strings of characters")) ?>
to see what it would do....
edit: well now that you've posted the whole string i decoded it and pasted it here
Seems like the attacker's code was base64 encoded and gzipped.
So first the code is decoded from base64 encoding, and then it is unzipped basically until a string of code.
And then eval is called on the resulting string, which will execute the code that has been decoded and unzipped.
But without seeing what code gets generated, it is hard to say what it will do when the code is run.
I decoded the encoded text. Using the following approach
(I guess writing to file was a bad idea now that I think of it. Mainly if you're on Windows. I guess it is a bit safer on Linux with the execute bit turned off. So I was kind of lucky in this case!)
<?php
$test = gzinflate(base64_decode("encoded_text"));
$myFile = "testFile.txt";
$fh = fopen($myFile, 'w');
fwrite($fh, $test);
fclose($fh);
I wrote the output to file just in case there was some random html or javascript that could infect my computer if I just echoed it to my browser. That may be why you got an anti-virus warning.
I'm not sure what it does yet.
Just skimming through the code, which is like 4,750 lines of code, it seems like it sets up Basic Auth. And then there's a lot of database functions and some basic html interface. This in PHP. There's also some perl too. Near the end.
Basically what it seems to do is this: Every page where that image is displayed it will output parts of that code and execute it along with your code, and it will try to get input data, or try to find session data and or database values.
Then other parts of the code basically create an admin interface when the url is visited like this: url?admin=1, which brings up a Basic Auth authentication. And then there is an simple interface phpmyadmin like interface where the user can try out different queries and gather out metadata about your db. Probably other stuff run to exec, etc too.
I could be wrong, but that's the gist I get from going through the code.
The code is fine the only thing you need to take care is the long string that is encrypted
< ?php eval(gzinflate(base64_decode("very large strings of characters")));
for the reference of this kind of the statement you can refer to
http://php.net/manual/en/function.gzinflate.php
Our web application is storing SVG files on server, we want to get JSON outputs from SVG files on server side.
I've looked into PETESAIA's SVG to JSON php program.
But the output i am getting is null or an empty array.
<?php
require_once “PeachSVG.php”;
$filename = “filename-2012-03-06.svg”;
$json = PeachSVG::convert($filename, $to_json = true);
//$json = convert($filename, $to_json = true); //also used this one
var_dump(json_decode($json, true));
?>
This php code, PeachSVG.php and the svg file are in the same directory.
Can anyone suggest where i am wrong going with this?
Or any alternative of SVG to JSON on server side
EDIT : In response to #halfer and his query about why we need server side validation of SVG (converted to JSON).
We have a cleint-side SVG(RaphaelJs) web app in which a user can perform certain actions, output is sent to and saved on our server and posted on a website. We want to make sure that output file is validated before posted on the website. For this we need to have server side validation to make sure that the user does not abuse the rules set in the application.
Raphael.serialize can not be used because it converts SVG to JSON on the client side which may be abused by the user. So we sending the SVG document as a string to server side.
If you can install Node.js on your server you might be able to use fabric.js to parse the SVG then export the objects as JSON.
https://github.com/kangax/fabric.js
http://kangax.github.com/fabric.js/svg_rendering/
You made a mistake in require_once() function. The path to the php file should be in parentheses, like this:
require_once("PeachSVG.php");
And for strings you seem to use not good double quotes. You probably copied them from somewhere. Because these are left double quotation mark "“" (U+201C) and right double quotation mark "”" (U+201D). In code it should look not like this:
“some your string”
but like this:
"some your string"
Your Script ran very fine on my localhost server but i have to remove the quotation marks you had and replace it with one from my notepad++ which looks like string quotes to me. hope this helps if had not found a solution yet
I want to create a PHP script that grabs the content of a website. So let's say it grabs all the source code for that website and I say which lines of code I need.
Is there a function in PHP that allows you too do this or is it impossible?
Disclaimer: I'm not going to use this for any illegal purposes at all and not asking you too write any code, just tell me if its possible and if you can how I'd go about doing it. Also I'm just asking in general, not for any specific reason. Thanks! :)
file('http://the.url.com') returns an array of lines from a url.
so for the 24th line do this:
$lines = file('http://www.whatever.com');
echo $lines[23];
This sounds like a horrible idea, but here we go:
Use file_get_contents() to get the file. You cannot get the source if the web server first processes it, so you may need to use an extension like .txt. Unless you password protect the file, obviously anybody can get it.
Use explode() with the \n delimiter to split the source code into lines.
Use array_slice() to get the lines you need.
eval() the code.
Note: if you just want the HTML output, then ignore the bit about the source in step 1 and obviously you can skip the whole eval() thing.
Hey there, I have an Arabic contact script that uses Ajax to retrieve a response from the server after filling the form.
On some apache servers, jQuery.parseJSON() throws an invalid json excepion for the same json it parses perfectly on other servers. This exception is thrown only on chrome and IE.
The json content gets encoded using php's json_encode() function. I tried sending the correct header with the json data and setting the unicode to utf-8, but that didn't help.
This is one of the json responses I try to parse (removed the second part of if because it's long):
{"pageTitle":"\u062e\u0637\u0623 \u0639\u0646\u062f \u0627\u0644\u0625\u0631\u0633\u0627\u0644 !"}
Note: This language of this data is Arabic, that's why it looks like this after being parsed with php's json_encode().
You can try to make a request in the examples given down and look at the full response data using firebug or webkit developer tools. The response passes jsonlint!
Finally, I have two urls using the same version of the script, try to browse them using chrome or IE to see the error in the broken example.
The working example : http://namodg.com/n/
The broken example: http://www.mt-is.co.cc/my/call-me/
Updated: To clarify more, I would like to note that I manged to fix this by using the old eval() to parse the content, I released another version with this fix, it was like this:
// Parse the JSON data
try
{
// Use jquery's default parser
data = $.parseJSON(data);
}
catch(e)
{
/*
* Fix a bug where strange unicode chars in the json data makes the jQuery
* parseJSON() throw an error (only on some servers), by using the old eval() - slower though!
*/
data = eval( "(" + data + ")" );
}
I still want to know if this is a bug in jquery's parseJSON() method, so that I can report it to them.
Found the problem! It was very hard to notice, but I saw something funny about that opening brace... there seemed to be a couple of little dots near it. I used this JavaScript bookmarklet to find out what it was:
javascript:window.location='http://www.google.com/search?q=u+'+('000'+prompt('String?').charCodeAt(prompt('Index?')).toString(16)).slice(-4)
I got the results page. Guess what the problem is! There is an invisible character, repeated twice actually, at the beginning of your output. The zero width non-breaking space is also called the Unicode byte order mark (BOM). It is the reason why jQuery is rejecting your otherwise valid JSON and why pasting the JSON into JSONLint mysteriously works (depending on how you do it).
One way to get this unwanted character into your output is to save your PHP files using Windows Notepad in UTF-8 mode! If this is what you are doing, get another text editor such as Notepad++. Resave all your PHP files without the BOM to fix your problem.
Step 1: Set up Notepad++ to encode files in UTF-8 without BOM by default.
Step 2: Open each existing PHP file, change the Encoding setting, and resave it.
You should try using json2.js (it's on https://github.com/douglascrockford/JSON-js)
Even John Resig (creator of jQuery) says you should:
This version of JSON.js is highly recommended. If you're still using the old version, please please upgrade (this one, undoubtedly, cause less issues than the previous one).
http://ejohn.org/blog/the-state-of-json/
I don't see anything related to parseJSON()
The only difference I see is that in the working example a session-cookie is set(guess it is needed for the "captcha", the mathematical calculation), in the other example no session-cookie is set. So maybe the comparision of the calculation-result fails without the session-cookie.
I know, I know - obfuscated html/js code is useless (I read the other questions on SO), but I still want to make life harder for copy-cats of my site...
I'm running a php based website, which generates html output. I would like the FINAL html output (which has html, js, json and uses ajax) to be obfuscated. Is there a php function for that purpose? I found http://www.ioncube.com/html_encoder.php but that relies on some of their special software to be loaded on the server - ie, a no-go...
Any suggestions?
Not true obfuscation, but rather hard to read in most cases (and less bandwidth-intensive as well!)
<?php
ob_start();
// Generate output here
$output = ob_get_contents();
ob_end_clean();
$output = preg_replace('\s{2,}',' ', $output);
echo $output;
?>
You can compress your JavaScript and css
For php output it can be done using ob_start have a look at this http://ru.php.net/manual/en/function.ob-start.php#71953
You should have a look at Minify it has a Minify_HTML class removing whitespace, unnecessary comments and tokens
Well, in my studies of HTML obfuscator, like http://htmlobfuscator.com/, are truely change their "special" code into reversed base64.
When we decode it, they're actually packed js file using packer that you could find on Google.
So, now we could do this
Slashup the whole html, for the Js string, then "pack" the javascript, then encode it into base64, then rotate the encoded string. Viola, done.
You'll get something like this:
var IO1='KkSKpcCfngCdpxGcz5yJr9GfwRHdox3YyNHfmVmc8NmczRXZnxXZtFmTnFGV5J0c05WZtVGbFRXZnxXawFWeyVWdxpGf0BXayN2c8xmc1xXZwF2YzVmb1xnclJnclZWZyxHZslGaDRmblBHchx3bm5Wa8VGdpJ3d8xHduVWblxWRlRXYlJ3Y8VGb0lGdDNDfDJDfs1GdoxXek9mYDNDfyl2cwIDf0NXZ0V0M8x3bsxWZIV0M8VGb0lGd8RWYlh2QzwHbtRHaDNDfMJVV8V0M8FTSPxHduVmbvBXbvNUSSVVZk92YuVGfJ9US8RWYlhGfyFmd8N0M8JjN8JTO8hzM8Rnbl1Wdj9GZ8VGchN2cl9Ff5R2bixHbhZXZ8ZzM8VzM8VGZvNkchh2Qt9mcmxHdpxGczx3Zulmc0N1b0xHc4V0ZlJFf05WSlNnchBHf3Vmb8VGbph2d8ZWa8dmbpJHdTxXZjFGbwVmc85mc1RXZyxnbvlGdj5WdmxHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHfnwCO0EDLyYDLnkSK9tHLwwSKnwFfnwFKFFjLnwFNywnNyw3NywHOywnYyw3MywnMywHWxw3VxwXWxwnWxwHMywXYywnZywXbyw3aywnaywHbywnbywHaywHZywXayw3YywXZyw3ZywXNywnUxwnSxwXOywXRxwnRxwHexwHRxwHSxw3QxwXQxw3dxwnexwXexw3RxwXVxwnQxw3Sxw3UxwXMywHVxwXUxwHUxwXSxwnVxwHTxwndxwXdxwXTxwHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHfnwFLOFDLPFDLnwVKpkyJcxFX8dCXcxFKwEjLnwFXcNWM8JWM8RWM8VWM8ZWM8FWM8lTM8VTM8hWM8ZTM8dTM8hTM8dWM8xWM8BXM8NXM8JXM8RXM8FXM85WM8pWM8lWM8tWM89WM81WM8RTM8JTM8xEfLxXT85EfzEDfKxHU8lEfGx3R8dCXcxFLDxyQscCXcx1OpkyNoMHK05iM7kCNoInL4sTXwsVKnwFXcxFXcxlNnwFXcxFXcxFKx5iM9gDI1sTKv5iMokzKnwFXcxFXcxVPwZyJcxFXcxFXctSK25iMokzKnwFXcxFXcxVP5ZyJcxFXcxFXctyJcxFXcxFXcFUP69zLu5ydv8iO4dCXcxFXcxFX9IkL0sTKnwFXcxFXcxVdnwFXcxFXcxFKq5iM9QDI1szJcxFXcxFXcFTJj9yMlETJi9yMlEWJlVSblcWJrVSMlYzLzUSMlg2LzUSalwWJxUiZlETJkVyJcxFXcxFXc1zNgUzJcxFXo0HcgUUf9lSXjt1askyJcxFXndCXcxFLnwFXcJGXcxFXcxFXcdCXcx1KpMGKltyJcxFXixFXcxFXcxFXnwFXchiVgUFKU5Cc9A3ep01YbtGKStXKt0yYoM1O9lSKXhCWuMmOpETMrMGKa5SW/ElPpEWJj1zYogyKpkSKh9yYo8EKlpzJcxFXnwFXc9TY8MGKFtXKjhCR9U2epQGLlxyasMGLhxCcoQEKIdCXo0HcgYXM91XKdN2WrxSKnw1ZnwFLnwlYcxFXcdCXrkyYoU2KnwlYcxFXcdCXoMUMgEUMocXMuAXPwtXKdN2WrhSexsXKt0yYooXM70XM9M2O9dCXrcHXcxFXnwldxsXKoUXM9U2Od1XXltFZgYXM7lSZoUXMb1za9lyYoUGf811YbtWPdlyYoU2WktXKt0yYooXM7lSK4FDLv41LocXMucCXnwVIokXM70XKpgUMoQUMuMmOpkjMrMGKGFjL4FzPHFjPpEWJj1zYogyKpkSKh9yYoIUMoUmOnw1Jc9TY8MGK2FzepMGK1FTPltXKkxSZssGLjxSYsAHK1FDKJFzJo0Hcg4mc1RXZy1Xfp01YbtGLpcyZnwyJixFXnsSKjhSZrciYcx1JoAHeFdWZSBydl5GKlNWYsBXZy5Cc9A3ep01YbtGKml2ep0SLjhSZslGa3tTfpkiNzgyZulmc0N1b05yY6kSOysyYoUGZvNkchh2Qt9mcm5yZulmc0N1P1MjPpEWJj1zYogyKpkSKh9yYoQnbJV2cyFGcoUmOncyPhxzYo4mc1RXZytXKjhibvlGdj5Wdm1TZ7lCZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ';function l1O(data){var OOOlOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';do{h1=OOOlOI.indexOf(data.charAt(i++));h2=OOOlOI.indexOf(data.charAt(i++));h3=OOOlOI.indexOf(data.charAt(i++));h4=OOOlOI.indexOf(data.charAt(i++));bits=h1>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;if(h3==64){enc+=String.fromCharCode(o1)}else if(h4==64){enc+=String.fromCharCode(o1,o2)}else{enc+=String.fromCharCode(o1,o2,o3)}}while(i= 0; i-- ){ ret += string.charAt(i);} return ret; }eval(l1O(OOO(IO1)));
Good luck~
No, php couldn't do that without something on the client side. You could always have some javascript decode it, but that wouldnt be friendly to whoever has it turned off, it would be slow and no search engine support.