Original filename: zt.php
If you simply execute the file, all you see is a password prompt, which indicates that it is more than likely some type of PHP shell. To find out what it does, we have to de-obfuscate it.
Code in page:
First pass with str_rot13 returns the following:
To get a little further, we dump the output of gzinflate(base64_decode(str_rot13($code))) and get this:
The good ole Web Shell by oRb is hidden in this mess. You can see the password is just a simple MD5 hash, and running it through any MD5 "decrypter" (hash lookup) will provide you with “syurga”.
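The same unwrapping can be done statically, without ever running the PHP. The following is an added example, not code from the original sample: it peels nested `gzinflate(base64_decode(str_rot13(...)))` layers and lists MD5-looking strings in the result. The embedded sample, its `$password_md5` variable and the password `example-password` are constructed for illustration.

```python
import base64
import codecs
import hashlib
import re
import zlib

# Matches the wrapper the post describes: gzinflate(base64_decode(str_rot13('...')))
LAYER = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*['\"]([^'\"]+)['\"]"
)
MD5_HEX = re.compile(r"\b[0-9a-f]{32}\b")


def peel(blob: str) -> str:
    """Undo one layer: rot13 -> base64 -> raw DEFLATE (what PHP gzinflate reads)."""
    raw = base64.b64decode(codecs.decode(blob, "rot13"))
    return zlib.decompress(raw, -15).decode("latin-1")  # -15 = headerless stream


def deobfuscate(source: str, max_layers: int = 20) -> str:
    """Peel nested layers statically; the PHP itself is never executed."""
    for _ in range(max_layers):
        match = LAYER.search(source)
        if match is None:
            break
        source = peel(match.group(1))
    return source


def wrap(php: str) -> str:
    """Build a constructed test sample using the same encoding chain."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php.encode()) + comp.flush()
    blob = codecs.encode(base64.b64encode(raw).decode(), "rot13")
    return "<?php eval(gzinflate(base64_decode(str_rot13('%s')))); ?>" % blob


# Constructed, harmless sample: two nested layers around a fake password hash.
SAMPLE_HASH = hashlib.md5(b"example-password").hexdigest()
INNER = '$password_md5 = "%s"; echo "constructed sample";' % SAMPLE_HASH
SAMPLE = wrap(wrap(INNER)[6:-3])  # strip "<?php " and " ?>" from the inner layer

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE)
    print(decoded)
    print("embedded MD5 candidates:", MD5_HEX.findall(decoded))
```

To use it on a real sample, read the file's contents as text and pass them to `deobfuscate()`; `max_layers` bounds the loop in case a sample nests more deeply than expected.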