Deobfuscating PHP webshell: Alfa Shell v3

In PHP, Reverse Engineering By aimand On

PHP shell is one of the common payload used by attackers to take over a website i.e. deface, dump the database. I came across a GitHub repository that I had forked a long time ago and decided to do something that no one else will: test the web shells on my local server, deobfuscate and beautify the files.

Note: Apparently, after spending quite some time I found out that I was not the first one to decode this shell. It does however make for a good blog post. The file (Collection/alfa3.php) can be obtained from the repository.

It is advised to NOT execute PHP code that is malicious,  especially if it’s obfuscated because then its behaviour will remain unknown to you. It’s best if you do this inside a virtual machine.

Environment Setup

  1. PHP interpreter (I’m using v7.4)
  2. Good code editor (I’m using vscode)
  3. PHP CS Fixer (or any formatter), optional. any configuration is fine. We don’t want to format everything by hand

Steps

Clone the repository (the upstream, because at this point I have updated the file in my repository with the deobfuscated version) and run PHP development server:

$ git clone https://github.com/JohnTroony/php-webshells
$ cd php-webshells/Collection
$ cp alfa3.php alfa3copy.php # make a copy of the file
$ php -S localhost:8000 -t .

Open the Collection folder in your preferred text editor and open http://localhost:8000/alfa3.php in your browser. You may get different output depending on your environment setup

If you execute this file using newer versions of PHP, you will get an error like the following:

After replacing the variable with its true value, the line

 

$JCWUFneENd = $ptssuQbryw('$sG', $zDgtpriPax.'('.$xxzDVVlopE.'(kkiSpHkWdw($sG)));');
// becomes
$JCWUFneENd = create_function('$sG', 'eval(gzinflate(base64_decode($sG)));');
The solution: replace the line with the equivalent code below
$JCWUFneENd = function ($sG) {
  eval(gzinflate(base64_decode($sG)));
};

We can replace ‘eval’ in the function above with ‘echo’ to echo out the PHP code instead. The result:

I replaced the very long line of eval with the result above and ran the formatter the file again:
Now you will notice that the shell is obscured even further using non-English characters. I’m not even going to attempt to explain what all those functions actually do, but note the line below:
$阿尔法变量十 = file_get_contents(__FILE__);
After coming across this line, I remember deobfuscating PHP codes that was obfuscated using a particular method/algorithm (it was PHPLockit or something I can’t recall). Basically you need to have the *original* obfuscated file in order to decode it further. That’s why I added a command to make a copy of the file. Make the following changes:
Replace:
$阿尔法变量十=__FILE__;
eval(...)

With:

$阿尔法变量十=dirname(__FILE__).'/alfa3copy.php';
echo(....)
Note: I forgot to write this part but I’m too lazy to go back at this point
These lines:
$阿尔法词 = 十六进制转换('666736736265687075726134636f5f746e646978');
$函数存在=$阿尔法词{0}.$阿尔法词{8}.$阿尔法词{16}.$阿尔法词{12}.$阿尔法词{15}.$阿尔法词{18}.$阿尔法词{13}.$阿尔法词{16}.$阿尔法词{14}.$阿尔法词{5}.$阿尔法词{19}.$阿尔法词{18}.$阿尔法词{3}.$阿尔法词{15}.$阿尔法词{3};
Are equivalent to:
$函数存在 = 'function_exists';
Alternatively, you can view it here
The result: tada! At this point, you can copy the deobfuscated code by viewing the page source
Post Views: 15,568

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.