Message-Id: <B69F2391-C578-4DB8-A312-059979DB349E@m.patpro.net>
Date: Mon, 8 Aug 2022 08:18:05 +0200
From: p+password@...atpro.net
To: john-users@...ts.openwall.com
Subject: extract password/hash from a piece of php malware

Hello,

My question is not totally related to JtR. I've found a PHP webshell on a web site and I'm trying to de-obfuscate it and learn how it works on the attacker side.

For reference, the file is https://www.virustotal.com/gui/file/312ee17ec9bed4278579443b805c0eb75283f54483d12f9add7d7d9e5f9f6105

It's highly obfuscated and the only thing I've managed to do is access its GUI over a simple php web server (php -S localhost:8000, then curl). It's a JS generated web page all blank except for a single password field in the middle.

I'm pretty sure the password is hardcoded in the webshell file but I have absolutely no clue where it is and how to retrieve it.

Any idea?

Thanks,
patpro