Eval() PHP, usability and context

Viewed 238 times

2

I was reading the code of some e-commerce extensions. Normally these modules are paid, but the one I was looking at had a trial version. I installed it and went to analyze the code. I was expecting plain PHP, but it seems that the creators tried to hide the entire code with PHP's eval() function. I researched here, but the examples on php.net show a context of use that is apparently different from the one in the code snippet below:

<?php eval("\x6f\x62\x5f\x73\x74\x61\x72\x74\x28\x29\x3b") ?>ŸÀ#0!0#T~8.…‚yAø-„_NuˆcEŒfU}l(N”p-S˜s-Tœx3Y |9_¤{#s!s#g¨Al¬„o_'&=\(.oŽÆ&R#r!r#½`U•‚B#r!r#$_NåÈ7Y#;wg#0!0#ãPs#r!r#ñ]~öf‹#s—1ž7$‘ªD2ž·{WØï&Bg©„#]öƒk×ÖzÅ{Ë4÷ø-4+7~QÊ0s\ò4Idm%géO÷~ôÞÝÜÝàÙUWÝóòóö¬§K#r!r#-ƽ¼½ÀÈj:S#r!r##n!n#ϧÂͶ¥ªöäõCEûÔ#r!r#=#n!n#ª€æ¤<?php eval("\x69\x66\x28\x21\x66\x75\x6e\x63\x74\x69\x6f\x6e\x5f\x65\x78\x69\x73\x74\x73\x28\x22\xb1\x22\x29\x29\x7b\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\xb1\x28\x24\xa1\xa1\x3d\x30\x29\x7b\x24\xa1\x3d\x73\x74\x72\x5f\x72\x65\x70\x6c\x61\x63\x65\x28\x61\x72\x72\x61\x79\x28\x27\x23\x73\x21\x73\x23\x27\x2c\x27\x23\x65\x21\x65\x23\x27\x2c\x27\x23\x30\x21\x30\x23\x27\x2c\x27\x23\x6e\x21\x6e\x23\x27\x2c\x27\x23\x72\x21\x72\x23\x27\x29\x2c\x61\x72\x72\x61\x79\x28\x27\x3c\x27\x2c\x27\x3e\x27\x2c\x22\x5c\x30\x22\x2c\x22\x5c\x6e\x22\x2c\x22\x5c\x72\x22\x29\x2c\x6f\x62\x5f\x67\x65\x74\x5f\x63\x6c\x65\x61\x6e\x28\x29\x29\x3b\x66\x6f\x72\x28\x24\xa1\xa2\x3d\x31\x2c\x24\xa1\xa2\xa3\x3d\x6f\x72\x64\x28\x24\xa1\x5b\x30\x5d\x29\x2c\x24\xa1\xa2\xa1\x3d\x30\x3b\x24\xa1\xa2\x3c\x73\x74\x72\x6c\x65\x6e\x28\x24\xa1\x29\x3b\x24\xa1\xa2\xa1\x3d\x6f\x72\x64\x28\x24\xa1\x5b\x24\xa1\xa2\x5d\x29\x2c\x24\xa1\xa2\x2b\x2b\x29\x24\xa1\x5b\x24\xa1\xa2\x5d\x3d\x63\x68\x72\x28\x6f\x72\x64\x28\x24\xa1\x5b\x24\xa1\xa2\x5d\x29\x2d\x24\xa1\xa2\xa3\x2d\x24\xa1\xa2\xa1\x2d\x24\xa1\xa2\x2d\x24\xa1\xa1\x29\x3b\x24\xa1\x5b\x30\x5d\x3d\x27\x20\x27\x3b\x72\x65\x74\x75\x72\x6e\x20\x24\xa1\x3b\x7d\x7d") ?>Ý]@¦×Þò    Þ˜ƒ~›óæÅä5j Bº)¥    Ø°©)û:9:=Lå¤ ¹#e!e#LÉ'(-½K…½¾Ã«ƒuv½ØÙÞ¦2ÂPR%Ÿ¥ú85_·€U–—œJö|{|,»|'»¼Á_¼Œñ[YHBU¨Â¾Ö×܈ÿÇö\Œ…§É’G3ŒþÓ°†¦ #O0¹2ä vuvyxïZ[`ÂÁ¾Â[\a5Ì5ÎÏïVœ¢@ÜF®¯´‰¥{Ë+WÂ)åäåè‚^-‹òñòõŽ¡«®­¨«º³™†–Íëì$„°k‰ñ&PQ#n!n##0!0#WTKYZßíòòìéëìðêÞÖí#n!n#Akl%<?php eval(±()) ?>

I would like someone to explain in a little more detail how this function is used in the case presented above. I would like to know how that PHP code works and also how to do the same procedure for my own code.

edit1: the excerpt of the code was taken from this module here, file IndexController.php.

  • 1

    The code has been encrypted and the eval() executes this string as a valid instruction.

  • Can you explain to me or share links on how this works?

  • 1

    You need something to translate hexadecimal to ASCII. The first eval() executes an ob_start(); I’m still seeing what the other one is.

  • 1

    Could it perhaps be the output of this site? http://www.javascriptobfuscator.com/Javascript-Obfuscator.aspx

  • 1

    It seems to be this, but it only partially matches the code there; there are still those parts like ŸÀ#0!0#T~8.…‚yAø, and I would like to find out what they are. Thanks for sharing the link, it is useful as well.

  • Is there a reason to have "usability and context" in the title of the question? It seems not. If there is not, it would be better to remove it from the title so as not to give the wrong impression when reading the main page of the site. :)

1 answer

4


eval - Runs a string as PHP code.

In the case of the code posted, they are using ASCII encoding in hexadecimal notation. Below I took the initial code and ran it through the alert function to see what the encoded text is.

alert("\x6f\x62\x5f\x73\x74\x61\x72\x74\x28\x29\x3b")

The code is converted as follows:

\x6f = o
\x62 = b
\x5f = _
\x73 = s
\x74 = t
\x61 = a
\x72 = r
\x74 = t
\x28 = (
\x29 = )
\x3b = ;

You can check these values using the ASCII table.

Since they are using eval, it will execute the function after decoding it, whereas alert only displays the result of the expression.

Your decoded code becomes:

ob_start();

// second eval
if (!function_exists("±")) {
    function ±($¡¡ = 0) {
        $¡ = str_replace(array('#s!s#', '#e!e#', '#0!0#', '#n!n#', '#r!r#'), array('<', '>', "\0", "\n", "\r"), ob_get_clean());
        for ($¡¢ = 1, $¡¢£ = ord($¡[0]), $¡¢¡ = 0; $¡¢ < strlen($¡); $¡¢¡ = ord($¡[$¡¢]), $¡¢++) $¡[$¡¢] = chr(ord($¡[$¡¢]) - $¡¢£ - $¡¢¡ - $¡¢ - $¡¡);
        $¡[0] = ' ';
        return $¡;
    }
}

±() // the last one executes the function above
  • And the other eval()? There are 3 in total.

  • 1

    Just do the same thing I did with the first one: have it shown in an alert or in console.log itself =D

  • Great answer, if it’s not too much to ask, could you tell me what those characters are between the functions eval()?

  • Man, I’ve seen several pieces of code like this and I believe it’s some string to be decoded. I’ll do a search, and if there’s any news I’ll post it here.
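
An added example, not part of the original question or answer: a Python re-implementation of the two stages discussed above, so the hex-escaped strings and the bytes between the eval() calls can be read without executing anything. The names unhex, decode and encode are chosen here; encode is an assumed inverse of the decoder, used only to build a constructed test blob.

```python
import re

# Marker pairs in the same order as the str_replace() arrays in the decoded ±().
MARKERS = [(b"#s!s#", b"<"), (b"#e!e#", b">"), (b"#0!0#", b"\x00"),
           (b"#n!n#", b"\n"), (b"#r!r#", b"\r")]


def unhex(literal: str) -> bytes:
    """Stage 1: resolve two-digit \\xNN escapes of a PHP string, no eval()."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  literal.encode("latin-1"))


def decode(blob: bytes, extra: int = 0) -> bytes:
    """Stage 2: mirror of ±($¡¡ = 0); blob is what ob_get_clean() returns."""
    for marker, raw in MARKERS:
        blob = blob.replace(marker, raw)
    buf = bytearray(blob)
    if not buf:
        return b""
    key, prev = buf[0], 0            # $¡¢£ = ord($¡[0]), $¡¢¡ = 0
    for i in range(1, len(buf)):
        # chr() wraps modulo 256; prev is the byte decoded on the previous pass
        buf[i] = (buf[i] - key - prev - i - extra) % 256
        prev = buf[i]
    buf[0] = 0x20                    # $¡[0] = ' '
    return bytes(buf)


def encode(php_source: bytes, key: int, extra: int = 0) -> bytes:
    """Assumed inverse of decode(), only for building constructed samples."""
    out, prev = bytearray([key]), 0
    for i, b in enumerate(php_source, start=1):
        out.append((b + key + prev + i + extra) % 256)
        prev = b
    blob = bytes(out)
    for marker, raw in MARKERS:
        blob = blob.replace(raw, marker)
    return blob


if __name__ == "__main__":
    print(unhex(r"\x6f\x62\x5f\x73\x74\x61\x72\x74\x28\x29\x3b"))  # from the page
    sample = encode(b"echo 1;", 0xD6)   # constructed blob, not from the module
    print(sample, "->", decode(sample))
```

To decode the real module, pass decode() the raw bytes of the original file that lie outside the PHP tags, concatenated in order, because the bytes above 0x7f shown on this page have been re-encoded as text.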
