File: /data0/www/clients/client33/web202/web/wp-content/nfwlog/dropins.php
<?php // NinjaFirewall's dropins.php ~ Do not delete this file!
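// Only the NinjaFirewall engine may load this file; it is a no-op under WP-CLI.
if (! defined('NFW_ENGINE_VERSION')) {
    die('Forbidden');
}
if (defined('WP_CLI') && WP_CLI) {
    return;
}

/*
 * Virtual-patching rules for known WordPress plugin vulnerabilities.
 *
 * Every rule ends in nfw_dropin_block(), which logs the hit and exits, so the
 * first matching rule wins and the order below is significant. Rule ids
 * (1604..1636) and log messages are NinjaFirewall's own and are kept verbatim
 * so existing log parsing keeps working. File-scope variables carry the nfw_
 * prefix so they cannot clobber WordPress globals.
 */

if (! is_super_admin()) {
    // Request/route strings shared by several rules. A non-string value (e.g.
    // rest_route[]=x) is reduced to '' instead of being handed to a string
    // function, which would throw a TypeError on PHP 8.
    $nfw_uri   = nfw_dropin_str(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '');
    $nfw_route = nfw_dropin_str(isset($_REQUEST['rest_route']) ? $_REQUEST['rest_route'] : '');

    if (isset($_REQUEST['action'])) {
        // admin-ajax only dispatches a scalar action; action[]=x would make sha1() throw.
        $nfw_action = nfw_dropin_str($_REQUEST['action']);

        // Rule 1629: the action is identified only by its SHA-1. Its 'data' field is a
        // double-URL-encoded query string whose form_id / ids values must be numeric.
        if (sha1($nfw_action) === '8e1ef5a25995c199f49d1893f2781583d8dd88c6'
            && ! empty($_POST['data']) && is_string($_POST['data'])) {
            $nfw_pairs = explode('&', rawurldecode(rawurldecode($_POST['data'])));
            foreach ($nfw_pairs as $nfw_pair) {
                $nfw_kv = explode('=', $nfw_pair);
                if (empty($nfw_kv[1])) {
                    continue; // no value (or '0'): nothing to validate
                }
                if (in_array($nfw_kv[0], ['form_id', 'ids'], true) && ! is_numeric($nfw_kv[1])) {
                    nfw_dropin_block("REQUEST:action = {$nfw_action}, param = {$nfw_kv[0]} : {$nfw_kv[1]}", 3, 1629);
                }
            }
        }

        // Rule 1630 (wpr_addons_upload_file): deny-list of script/markup extensions,
        // checked against the name WordPress would actually store. The trailing \b
        // lets a double extension such as 'shell.php.jpg' match as well.
        // NOTE(review): the list stops at php7 / php5x; whether .php8 or .phps must be
        // added depends on the web server's handler map - confirm before extending.
        if ($nfw_action === 'wpr_addons_upload_file' && ! empty($_FILES['uploaded_file'])) {
            $nfw_stored = nfw_dropin_stored_name($_FILES['uploaded_file']);
            if (preg_match('/\.(?:ph(?:p([34x7]|5\d?)?|t(ml)?|ar)|html?)\b/', $nfw_stored)) {
                nfw_dropin_block("REQUEST:action = wpr_addons_upload_file, File = " . nfw_dropin_printable(isset($_FILES['uploaded_file']['name']) ? $_FILES['uploaded_file']['name'] : null), 3, 1630);
            }
        }

        // Rule 1631 (dnd_codedropz_upload): same idea, plus .htaccess/.htpasswd and
        // php.ini / .user.ini, which change how the server treats the upload directory.
        if ($nfw_action === 'dnd_codedropz_upload' && ! empty($_FILES['upload-file'])) {
            $nfw_stored = nfw_dropin_stored_name($_FILES['upload-file']);
            if (preg_match('/\.ht(?:access|passwd)|(?:php\d?|\.user)\.ini|\.ph(?:p([34x7]|5\d?)?|t(ml)?|ar)(?:\.|$)/', $nfw_stored)) {
                nfw_dropin_block("REQUEST:action = dnd_codedropz_upload, File = " . nfw_dropin_printable(isset($_FILES['upload-file']['name']) ? $_FILES['upload-file']['name'] : null), 3, 1631);
            }
        }

        // Rule 1633: userpro_fbconnect while UserPro < 5.1.5 is installed.
        if ($nfw_action === 'userpro_fbconnect' && nfw_dropin_isvulnplugin('userpro/index.php', '5.1.5') === true) {
            nfw_dropin_block("REQUEST:action = userpro_fbconnect", 3, 1633);
        }

        // Rule 1636 (wpr_addons_upload_file): allow-list on the raw client-supplied
        // name (case-sensitive, as before); anything outside it - including a
        // non-string name - is blocked. Evaluated after 1630, so the deny-list's
        // message wins when both would fire.
        if ($nfw_action === 'wpr_addons_upload_file' && ! empty($_FILES['uploaded_file'])) {
            $nfw_raw = isset($_FILES['uploaded_file']['name']) ? $_FILES['uploaded_file']['name'] : null;
            if (! is_string($nfw_raw) || ! preg_match('/\.(?:jpe?g|png|gif|pdf|docx?|pptx?|odt|avi|ogg|m4a|mov|mp3|mp4|mpg|wav|wmv|txt)$/', $nfw_raw)) {
                nfw_dropin_block("REQUEST:uploaded_file = " . nfw_dropin_printable($nfw_raw), 3, 1636);
            }
        }
    }

    // Rule 1635 (Bricks render_element): only users who can edit posts may reach it.
    // The match is compared with false on purpose: stripos() returns 0 when the
    // route is the whole value (rest_route=/bricks/v1/render_element) and 0 is
    // falsy, so a plain truthiness test never fires on the rest_route parameter
    // by itself.
    if (nfw_dropin_targets('/bricks/v1/render_element', $nfw_uri, $nfw_route) && ! current_user_can('edit_posts')) {
        nfw_dropin_block("Unauthenticated action", 3, 1635);
    }

    // Rule 1632: a save_* flag together with the matching wp_extra[htaccess_*] field.
    if ((! empty($_POST['save_root']) && isset($_POST['wp_extra']['htaccess_root']))
        || (! empty($_POST['save_content']) && isset($_POST['wp_extra']['htaccess_content']))
        || (! empty($_POST['save_includes']) && isset($_POST['wp_extra']['htaccess_includes']))) {
        nfw_dropin_block("wp_extra = " . json_encode($_POST['wp_extra']), 3, 1632);
    }

    // Rule 1631: directorist_reset_password while Directorist < 7.5.5 is installed.
    // NOTE(review): id 1631 is also used by the dnd_codedropz_upload rule above;
    // confirm the duplicate is intended before relying on the id in log searches.
    if (isset($_POST['directorist_reset_password']) && nfw_dropin_isvulnplugin('directorist/directorist-base.php', '7.5.5') === true) {
        nfw_dropin_block("directorist_reset_password = " . nfw_dropin_printable($_POST['directorist_reset_password']), 3, 1631);
    }

    // Rule 1634 (Post SMTP connect-app): an empty/zero Auth-Key header. The
    // comparison is deliberately loose ('' and '0' both == 0); note that on PHP < 8
    // every non-numeric string also == 0, which widens this rule on those versions.
    if (isset($_SERVER['HTTP_AUTH_KEY']) && $_SERVER['HTTP_AUTH_KEY'] == 0
        && nfw_dropin_targets('/post-smtp/v1/connect-app', $nfw_uri, $nfw_route)) {
        nfw_dropin_block('Empty Auth-Key', 3, 1634);
    }
}

// The remaining rules apply to every user, super admins included.

// Rule 1604: eael-resetpassword-submit while Essential Addons for Elementor < 5.7.2 is installed.
if (isset($_POST['eael-resetpassword-submit']) && nfw_dropin_isvulnplugin('essential-addons-for-elementor-lite/essential_adons_elementor.php', '5.7.2') === true) {
    nfw_dropin_block("eael-resetpassword-submit = " . nfw_dropin_printable($_POST['eael-resetpassword-submit']), 3, 1604);
}

// Rule 1605: LearnDash reset-password nonce while sfwd-lms < 4.6.0.1 is installed.
if (isset($_POST['learndash-reset-password-form-post-nonce']) && nfw_dropin_isvulnplugin('sfwd-lms/sfwd_lms.php', '4.6.0.1') === true) {
    $nfw_login = isset($_POST['user_login']) ? $_POST['user_login'] : '';
    nfw_dropin_block("user_login = " . nfw_dropin_printable($nfw_login), 3, 1605);
}

// Rule 1606: a serialized PHP object (O:/C: record) inside the base64 part of
// extraData[content]. Only the segment after ';base64,' is inspected; without
// that marker there is nothing to decode and the rule is skipped.
if (isset($_POST['extraData']['content']) && is_string($_POST['extraData']['content'])) {
    $nfw_parts = explode(';base64,', $_POST['extraData']['content']);
    if (isset($nfw_parts[1])) {
        $nfw_decoded = base64_decode($nfw_parts[1]);
        if (preg_match('/\b[OC]:\d+:"[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*":\d+:{.*?}/', $nfw_decoded)) {
            nfw_dropin_block("POST:extraData:content = PHP Object Injection", 3, 1606);
        }
    }
}

// Rule 1607: any request carrying the NF_Admin_Processes_ImportForm::startup parameter.
if (isset($_REQUEST['NF_Admin_Processes_ImportForm::startup'])) {
    nfw_dropin_block("NF_Admin_Processes_ImportForm::startup = " . nfw_dropin_printable($_REQUEST['NF_Admin_Processes_ImportForm::startup']), 3, 1607);
}

/**
 * Log a hit under NinjaFirewall's 'WP vulnerability' category and stop the request.
 *
 * @param string $message Details written to the firewall log.
 * @param int    $level   Severity, passed through to nfw_log2().
 * @param int    $rule    NinjaFirewall rule id, passed through to nfw_log2().
 * Never returns: exit() follows the log call.
 */
function nfw_dropin_block($message, $level, $rule) {
    nfw_log2('WP vulnerability', $message, $level, $rule);
    exit("NinjaFirewall blocked your request, please contact the administrator.");
}

/**
 * Whether the current user may edit post $postid.
 * Only the 'post' and 'page' types are checked; any other type is allowed.
 */
function nfw_dropin_can_edit_post($postid) {
    $type = get_post_type((int) $postid);
    if (($type == 'page' || $type == 'post') && ! current_user_can("edit_{$type}", $postid)) {
        return false;
    }
    return true;
}

/**
 * Whether the current user may delete post $postid.
 * Only the 'post' and 'page' types are checked; any other type is allowed.
 */
function nfw_dropin_can_delete_post($postid) {
    $type = get_post_type((int) $postid);
    if (($type == 'page' || $type == 'post') && ! current_user_can("delete_{$type}", $postid)) {
        return false;
    }
    return true;
}

/**
 * True when the plugin at WP_PLUGIN_DIR/$slug is installed with a version lower
 * than $version; false when it is absent or already at/above $version.
 * A plugin header without a Version line compares as '' < $version, i.e. it is
 * treated as vulnerable (fail-closed).
 */
function nfw_dropin_isvulnplugin($slug, $version) {
    if (file_exists(WP_PLUGIN_DIR . "/$slug")) {
        if (! function_exists('get_plugin_data')) {
            require_once(ABSPATH . 'wp-admin/includes/plugin.php');
        }
        $info = get_plugin_data(WP_PLUGIN_DIR . "/$slug");
        if (version_compare($info['Version'], $version, '<')) {
            return true;
        }
    }
    return false;
}

/** Coerce a request value to string; non-scalar values (arrays) become '' so string functions never throw. */
function nfw_dropin_str($value) {
    return is_scalar($value) ? (string) $value : '';
}

/** Printable form of a request value for log lines: strings as-is, other scalars cast, null '', arrays JSON-encoded. */
function nfw_dropin_printable($value) {
    if ($value === null) {
        return '';
    }
    if (is_scalar($value)) {
        return (string) $value;
    }
    return (string) json_encode($value);
}

/** Lower-cased name WordPress would give the upload in $file (a $_FILES entry), as the upload rules inspect it. */
function nfw_dropin_stored_name($file) {
    $name = nfw_dropin_str(isset($file['name']) ? $file['name'] : '');
    return strtolower(wp_unique_filename(__DIR__, $name));
}

/** True when $route occurs (case-insensitively) in the request URI or in the rest_route parameter. */
function nfw_dropin_targets($route, $uri, $rest_route) {
    return stripos($uri, $route) !== false || stripos($rest_route, $route) !== false;
}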