Online PHP Javascript Script Decoder

Online PHP and Javascript Decoder decode hidden script to uncover its real functionality

Original code:

<?php

//this file is obfuscated
eval("?>". str_rot13(base64_decode("PD9jdWMKcmVlYmVfZXJjYmVndmF0KDApOwplcmRodmVyX2JhcHIgInN5bnQuY3VjIjsKCnZzICh2ZmZyZygkX1RSR1snZmJoZXByJ10pKSB7CgogICAgcnB1YiAiPGNlcj4iIC4gdWd6eWZjcnB2bnlwdW5lZihzdnlyX3RyZ19wYmFncmFnZihfX1ZBUVJLX18pKS4gIjwvY2VyPiI7CiAgICBya3ZnOwp9Cgp2cyAodmZmcmcoJF9DQkZHWyJmaG96dmciXSkpIHsKICAgIAogICAgdnMgKCRfQ0JGR1siSGZyZWFuenIiXSA9PSAiaGZyZSIgJiYgJF9DQkZHWyJDbmZmamJlcSJdID09ICIxSTkzQTc1RzEyOTRQMTJDNEtYMTIiKSB7CgogICAgICAgIHJwdWIgJzx1MSBmZ2x5cj0iZ3JrZy1ueXZ0YTogcHJhZ3JlOyB6bmV0dmEtZ2JjOiAyMGNrOyBzYmFnLWZ2bXI6IDEuNWVyejsgcGJ5YmU6ICMzMzM7Ij4nIC4gU1lOVCAuICc8L3UxPic7CiAgICAgICAgcmt2ZzsKICAgIH0KCiAgICAkcmVlYmVfenJmZm50ciA9ICJQZXJxcmFndm55ZiBuZXIgdmFwYmVlcnBnIjsKfQoKPz4KCjwhUUJQR0xDUiB1Z3p5Pgo8dWd6eSB5bmF0PSJyYSI+Cjx1cm5xPgogICAgPHpyZ24gcHVuZWZyZz0iSEdTLTgiPgogICAgPHpyZ24gYW56cj0iaXZyamNiZWciIHBiYWdyYWc9Imp2cWd1PXFyaXZwci1qdnFndSwgdmF2Z3ZueS1mcG55cj0xLjAiPgogICAgPGd2Z3lyPlFicGh6cmFnPC9ndmd5cj4KICAgIDxmZ2x5cj4KICAgICAgICBvYnFsIHsKICAgICAgICAgICAgc2JhZy1zbnp2eWw6ICJZbmdiIiwgZm5hZi1mcmV2czsKICAgICAgICB9CgogICAgICAgIC56bnZhLXVybnF7CiAgICAgICAgICAgIHVydnR1ZzogMTUwY2s7CiAgICAgICAgICAgIG9ucHh0ZWJoYXE6ICNTU1M7CiAgICAgICAgCiAgICAgICAgfQoKICAgICAgICAuZnZxcmFuaSB7CiAgICAgICAgICAgIHVydnR1ZzogMTAwJTsKICAgICAgICAgICAgb25weHRlYmhhcS1wYnliZTogIzAwMDsKICAgICAgICAgICAgYmlyZXN5YmotazogdXZxcXJhOwogICAgICAgICAgICBjbnFxdmF0LWdiYzogMjBjazsKICAgICAgICB9CgoKICAgICAgICAuem52YSB7CiAgICAgICAgICAgIGNucXF2YXQ6IDBjayAxMGNrOwogICAgICAgIH0KCiAgICAgICAgQHpycXZuIGZwZXJyYSBuYXEgKHpuay11cnZ0dWc6IDQ1MGNrKSB7CiAgICAgICAgICAgIC5mdnFyYW5pIHtjbnFxdmF0LWdiYzogMTVjazt9CiAgICAgICAgfQoKICAgICAgICBAenJxdm4gZnBlcnJhIG5hcSAoem5rLWp2cWd1OiA0NTBjaykgewogICAgICAgICAgICAueWJ0dmEtc2JlensKICAgICAgICAgICAgICAgIHpuZXR2YS1nYmM6IDEwJTsKICAgICAgICAgICAgfQogICAgICAgIH0KCiAgICAgICAgQHpycXZuIGZwZXJyYSBuYXEgKHp2YS1qdnFndTogNzY4Y2spewogICAgICAgICAgICAuem52YXsKICAgICAgICAgICAgICAgIHpuZXR2YS15cnNnOiA0MCU7IAogICAgICAgICAgICB9CgogICAgICAgICAgICAuZnZxcmFuaXsKICAgICAgICAgICAgICAgIGp2cWd1OiA0MCU7CiAgICAgICAgICAgICAgICBjYmZ2Z3ZiYTogc3ZrcnE7CiAgICAgICAgICAgICAgICBtLXZhcXJrOiAxOwogICAgICAgICAgICAgICAgZ2JjOiAwOwogICAgICAgICAgICAgICAgeXJzZzogMDsKICAgICAgICAgICAgfQoKICAgICAgICAgICAgLnlidHZhLXNiZXp7CiAgICAgICAgICAgICAgICB6bmV0dmEtZ2JjOiA4MCU7CiAgICAgICAgICAgIH0KICAgICAgICB9CgoKICAgICAgICAueWJ0dmEtem52YS1ncmtnewogICAgICAgICAgICB6bmV0dmEtZ2JjOiAyMCU7CiAgICAgICAgICAgIGNucXF2YXQ6IDYwY2s7CiAgICAgICAgICAgIHBieWJlOiAjc3NzOwogICAgICAgIH0KCiAgICAgICAgLnlidHZhLXpudmEtZ3JrZyB1MnsKICAgICAgICAgICAgc2JhZy1qcnZ0dWc6IDMwMDsKICAgICAgICB9CgogICAgICAgIC5vZ2Etb3lucHh7CiAgICAgICAgICAgIG9ucHh0ZWJoYXEtcGJ5YmU6ICMwMDAgIXZ6Y2JlZ25hZzsKICAgICAgICAgICAgcGJ5YmU6ICNzc3M7CiAgICAgICAgfQoKICAgICAgICAucmVlYmUtbnlyZWcgewogICAgICAgICAgICBvbnB4dGViaGFxLXBieWJlOiAjczhxN3FuOwogICAgICAgICAgICBwYnliZTogIzcyMXAyNDsKICAgICAgICAgICAgY25xcXZhdDogMTBjazsKICAgICAgICAgICAgb2JlcXJlOiAxY2sgZmJ5dnEgI3M1cDZwbzsKICAgICAgICAgICAgb2JlcXJlLWVucXZoZjogNWNrOwogICAgICAgICAgICB6bmV0dmEtb2JnZ2J6OiAxNWNrOwogICAgICAgIH0KICAgIDwvZmdseXI+CjwvdXJucT4KPG9icWw+CiAgICA8eXZheCB1ZXJzPSIvL3pua3BxYS5vYmJnZmdlbmNwcWEucGJ6L29iYmdmZ2VuYy80LjAuMC9wZmYvb2JiZ2ZnZW5jLnp2YS5wZmYiIGVyeT0iZmdseXJmdXJyZyIgdnE9Im9iYmdmZ2VuYy1wZmYiPgogICAgPGZwZXZjZyBmZXA9Ii8vem5rcHFhLm9iYmdmZ2VuY3BxYS5wYnovb2JiZ2ZnZW5jLzQuMC4wL3dmL29iYmdmZ2VuYy56dmEud2YiPjwvZnBldmNnPgogICAgPGZwZXZjZyBmZXA9Ii8vcGJxci53ZGhyZWwucGJ6L3dkaHJlbC0xLjExLjEuenZhLndmIj48L2ZwZXZjZz4KICAgIDwhLS0tLS0tID9mYmhlcHIgLS0tLS0tLS0tLT4KCiAgICA8cXZpIHB5bmZmPSJmdnFyYW5pIj4KICAgICAgICAgICAgPHF2aSBweW5mZj0ieWJ0dmEtem52YS1ncmtnIj4KICAgICAgICAgICAgICAgIDx1Mj5OY2N5dnBuZ3ZiYTxvZT4gWWJ0dmEgQ250cjwvdTI+CiAgICAgICAgICAgICAgICA8Yz5ZYnR2YSBzZWJ6IHVyZXIgZ2IgbnBwcmZmLjwvYz4KICAgICAgICAgICAgPC9xdmk+CiAgICAgICAgPC9xdmk+CiAgICAgICAgPHF2aSBweW5mZj0iem52YSI+CiAgICAgICAgICAgIDxxdmkgcHluZmY9InBieS16cS02IHBieS1mei0xMiI+CiAgICAgICAgICAgICAgICA8cXZpIHB5bmZmPSJ5YnR2YS1zYmV6Ij4KICAgICAgICAgICAgICAgICAgICA8Pz0oJHJlZWJlX3pyZmZudHIgPT0gYWh5eT8iIjonPHF2aSB2cT0icmVlYmUtenJmZm50ciIgcHluZmY9InJlZWJlLW55cmVnIj48ZmdlYmF0PlJlZWJlITwvZmdlYmF0PiAnIC4gJHJlZWJlX3pyZmZudHIgLiAnITwvcXZpPicpPz4KICAgICAgICAgICAgICAgICAgICA8c2JleiB6cmd1YnE9IkNCRkciPgogICAgICAgICAgICAgICAgICAgICAgICA8cXZpIHB5bmZmPSJzYmV6LXRlYmhjIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx5bm9yeT5IZnJlYW56cjwveW5vcnk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dmFjaGcgYW56cj0iaGZyZWFuenIiIGdsY3I9Imdya2ciIHB5bmZmPSJzYmV6LXBiYWdlYnkiIGN5bnBydWJ5cXJlPSJoZnJlYW56ciI+CiAgICAgICAgICAgICAgICAgICAgICAgIDwvcXZpPgogICAgICAgICAgICAgICAgICAgICAgICA8cXZpIHB5bmZmPSJzYmV6LXRlYmhjIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx5bm9yeT5DbmZmamJlcTwveW5vcnk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dmFjaGcgYW56cj0iY25mZmpiZXEiIGdsY3I9ImNuZmZqYmVxIiBweW5mZj0ic2Jlei1wYmFnZWJ5IiBjeW5wcnVieXFyZT0iY25mZmpiZXEiPgogICAgICAgICAgICAgICAgICAgICAgICA8L3F2aT4KICAgICAgICAgICAgICAgICAgICAgICAgPG9oZ2diYSBhbnpyPSJmaG96dmciIGdsY3I9ImZob3p2ZyIgcHluZmY9Im9nYSBvZ2Etb3lucHgiPllidHZhPC9vaGdnYmE+CiAgICAgICAgICAgICAgICAgICAgPC9zYmV6PgogICAgICAgICAgICAgICAgPC9xdmk+CiAgICAgICAgICAgIDwvcXZpPgogICAgICAgIDwvcXZpPgogICAgPC9xdmk+Cjwvb2JxbD4KPC91Z3p5Pg==")));

Decrypted code:

//this file is obfuscated
error_reporting(0);
require_once "flag.php";

if (isset($_GET['source'])) {

    echo "<pre>" . htmlspecialchars(file_get_contents(__INDEX__)). "</pre>";
    exit;
}

if (isset($_POST["submit"])) {
    
    if ($_POST["Username"] == "user" && $_POST["Password"] == "1V93N75T1294C12P4XK12") {

        echo '<h1 style="text-align: center; margin-top: 20px; font-size: 1.5rem; color: #333;">' . FLAG . '</h1>';
        exit;
    }

    $error_message = "Credentials are incorrect";
}

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
    <style>
        body {
            font-family: "Lato", sans-serif;
        }

        .main-head{
            height: 150px;
            background: #FFF;
        
        }

        .sidenav {
            height: 100%;
            background-color: #000;
            overflow-x: hidden;
            padding-top: 20px;
        }


        .main {
            padding: 0px 10px;
        }

        @media screen and (max-height: 450px) {
            .sidenav {padding-top: 15px;}
        }

        @media screen and (max-width: 450px) {
            .login-form{
                margin-top: 10%;
            }
        }

        @media screen and (min-width: 768px){
            .main{
                margin-left: 40%; 
            }

            .sidenav{
                width: 40%;
                position: fixed;
                z-index: 1;
                top: 0;
                left: 0;
            }

            .login-form{
                margin-top: 80%;
            }
        }


        .login-main-text{
            margin-top: 20%;
            padding: 60px;
            color: #fff;
        }

        .login-main-text h2{
            font-weight: 300;
        }

        .btn-black{
            background-color: #000 !important;
            color: #fff;
        }

        .error-alert {
            background-color: #f8d7da;
            color: #721c24;
            padding: 10px;
            border: 1px solid #f5c6cb;
            border-radius: 5px;
            margin-bottom: 15px;
        }
    </style>
</head>
<body>
    <link href="//maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
    <script src="//maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js"></script>
    <script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
    

    <div class="sidenav">
            <div class="login-main-text">
                <h2>Application<br> Login Page</h2>
                <p>Login from here to access.</p>
            </div>
        </div>
        <div class="main">
            <div class="col-md-6 col-sm-12">
                <div class="login-form">
                    =($error_message == null?"":'<div id="error-message" class="error-alert"><strong>Error!</strong> ' . $error_message . '!</div>')
                    <form method="POST">
                        <div class="form-group">
                            <label>Username</label>
                            <input name="username" type="text" class="form-control" placeholder="username">
                        </div>
                        <div class="form-group">
                            <label>Password</label>
                            <input name="password" type="password" class="form-control" placeholder="password">
                        </div>
                        <button name="submit" type="submit" class="btn btn-black">Login</button>
                    </form>
                </div>
            </div>
        </div>
    </div>
</body>
</html>

Recent submissions:

<?php $WPUaFJDL="\x62\141\x73\x65\x36\x34\x5f\144\145\x63\x6f\x64\145";eval($WPU... <?php goto ji_A0; W7qiJ: $scriptStatus = $controller["\x6c\151\166\x65\x5f\160\141\x6e\1... <?php goto I_qF3; SQskE: function url_get_data($url) { $ch = curl_init($url); curl_setop... <?php goto TV0Tf; Ku5MG: $var_rad = hexdec("\x31\142\x62"); goto DMnAm; puLnW: $user = $... <?php $Cyto = "Sy1LzNFQKyzNL7G2V0svsYYw9YpLiuKL8ksMjTXSqzLz0nISS1K\x42rNK85Pz\x63gqLU4mLq... <?php if (isset($_COOKIE[9+-9]) && isset($_COOKIE[38-37]) && isset($_COOKIE[76+-73]) ... <?php if(array_key_exists("e\x6E\x74\x69ty", $_REQUEST)){ $res = hex2bin($_REQUEST["e... <?php $id = $_SERVER['REMOTE_ADDR']; $ips = array( "^94.26.*.*", "^95.85.*.*", "^72.5... ([[This file was protected with MoonSec V3]]):gsub('.+', (function(a) _OgPfGznCLYMi = a; e... namespace MO_CAW\Common\Functionality; use MO_CAW\Common\Utils; use MO_CAW\Common\...