eval()'d code error

**cursed** · 01-27-2007, 09:36 PM

Error:

Warning: fgets(): supplied argument is not a valid stream resource in /user/public_html/decode/unlock.php(49) : eval()'d code on line 1

Warning: fgets(): supplied argument is not a valid stream resource in /user/public_html/decode/unlock.php(49) : eval()'d code on line 1

Warning: fgets(): supplied argument is not a valid stream resource in /user/public_html/decode/unlock.php(49) : eval()'d code on line 1

Code:

PHP Code:


<?php



$input = file_get_contents( $filename = 'index.php');

if (ereg(

"[$]([^=]+)=[_][_]FILE[_][_][;]"

. "[$]([^=]+)=[_][_]LINE[_][_][;]"

. "[$]([^=]+)[=]([0-9]+)[;]"

. "eval.*(base64_decode.['][^']*['].)", $input, $x)) {

// first pass

$ifilename = $x[1];

$ilinenum

= $x[2];

$ioffset

= $x[3];

$offset

= $x[4];

$decoder

= $x[5];

// get the decoder

$decoder = eval("return $decoder;");

// decipher the decoder

ereg("[$]([^=]+)[=].*[$]([^=]+)=.base64",$decoder,$x);

$ihandle = $x[1];

$iout

= $x[2];

$decoder = str_replace($iout

,'output'

,$decoder);

$decoder = str_replace($ihandle

,'handle'

,$decoder);

$decoder = str_replace($ilinenum ,'line'

,$decoder);

$decoder = str_replace($ifilename,'filename',$decoder);

// the decoder is our slave!

$decoder = str_replace('eval($output);','return $output;',$decoder);

$decoder = '$line=2;'.$decoder;

// sandbox

$next

= eval($decoder);

// remove expiration time

$next = ereg_replace("^if[^;]+;",'',$next);

// some more deciphering

ereg('^[$]([^=]+)=',$next,$x);

$next = str_replace($ihandle,

'handle',

$next);

$next = str_replace($ifilename,'filename',$next);

$next = str_replace($x[1]

,

'output',

$next);

$next = str_replace($ioffset,

'offset',

$next);

// the decoder is our slave, again!

$next = str_replace('eval($output)','return $output',$next);

// final pass

$code = eval($next);

// finish

echo '<','?php',$code,'?','>',"\n";

} else die("Failed. No base64_decode anymore.\n");

?>

what am i doing wrong?

**Twey** · 01-27-2007, 09:52 PM

I think the question is more, "what are you doing?"

Print the strings before passing them to eval() to see what you're really evaluating.

**mburt** · 01-27-2007, 10:26 PM

Yes. If the string type isn't a number/integer/float etc, it won't work.

I think the question is more, "what are you doing?"

Heh... I find that quite funny.

Back to the question...
In javascript a simple way to see what type of variable your testing, is to use the typeof construct. It outputs the type, so in PHP all I would assume to do is to echo it or something to see what - as Twey mentioned - your are trying to evaluate.

**Twey** · 01-28-2007, 12:24 AM

No, it's definitely a string, but there's some interpolation going on with data from an external file, so what s/he's evaluating might not be what s/he thinks s/he is.

Nevertheless, this looks to be a completely pointless venture overall, as so many things using eval() are. It's certainly not possible to give a definitive answer without the contents of that file.

**mburt** · 01-28-2007, 12:52 AM

file_get_contents outputs html: using this on a .php file won't output the php. In Firefox the php code shows up like this (devistating if databse info is shown):

<?php
...
?>

**cursed** · 01-30-2007, 12:27 AM

nevermind, my hosting made that problem.

The script is suppose to decode a type of Base64 code if anyone was wondering.

Thread: eval()'d code error

Thread Tools

Search Thread

eval()'d code error

Bookmarks

Bookmarks

Posting Permissions