<?php
// SPDX-FileCopyrightText: 2024 Eilertsens Kodeknekkeri
// SPDX-FileCopyrightText: 2024 Harald Eilertsen
//
// SPDX-License-Identifier: AGPL-3.0-or-later
use VolseNet\Webtrap\XmlRpcMethod;
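/**
 * Append one captured login attempt to payloads/credentials.txt.
 *
 * Each record is a single line of the form "ts|addr|user|pass". The user and
 * password fields come straight from the trapped request, so a value holding
 * "|" or a line break could otherwise forge extra fields or whole records in
 * the log. Backslash, "|" and control characters are therefore
 * backslash-escaped before writing; values without those characters are
 * written exactly as before.
 *
 * @param string $ts   Request timestamp.
 * @param string $addr Remote address of the client.
 * @param string $user Submitted user name (untrusted).
 * @param string $pass Submitted password (untrusted).
 */
function save_credentials(string $ts, string $addr, string $user, string $pass): void
{
    // Escapes the field separator, the escape character itself, and all
    // ASCII control characters (newline becomes the two characters "\n").
    $escape = static function (string $field): string {
        return addcslashes($field, "\\|\0..\37\177");
    };

    $file_name = dirname(__DIR__) . '/payloads/credentials.txt';
    $file = new SplFileObject($file_name, 'a');
    $record = implode('|', array_map($escape, [$ts, $addr, $user, $pass]));
    $file->fwrite($record . "\n");
}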
// Snapshot of the incoming request. Headers, POST fields, cookies and the raw
// body are stored as received, with no validation, so every value in this
// record must be treated as untrusted by whatever reads it later.
$data = [];
foreach (
    [
        'SERVER_NAME',
        'REMOTE_ADDR',
        'REMOTE_PORT',
        'REQUEST_METHOD',
        'REQUEST_URI',
        'QUERY_STRING',
        'REQUEST_TIME',
    ] as $server_key
) {
    $data[$server_key] = $_SERVER[$server_key];
}
unset($server_key);

$data['REQUEST_HEADERS'] = getallheaders();
$data['POST'] = $_POST;
$data['COOKIES'] = $_COOKIE;
// Raw request body, read once from the input stream.
$data['BODY'] = file_get_contents('php://input');
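// Credential trap: a POST whose URI contains "xmlrpc.php" is parsed as an
// XML-RPC call, and for wp.getUsersBlogs the first two parameters are recorded
// as user name and password. The client always gets a 404 in reply.
if (preg_match('/xmlrpc\.php/i', $data['REQUEST_URI']) && $data['REQUEST_METHOD'] === 'POST') {
    $method = XmlRpcMethod::parse($data['BODY']);
    if ($method->name === 'wp.getUsersBlogs') {
        // NOTE(review): params presumably holds values decoded from the
        // client-supplied body, so either entry may be missing or non-scalar
        // (array/struct). save_credentials() only accepts strings, and passing
        // anything else raises a TypeError that aborts the request before
        // anything is recorded. Check first and cast explicitly.
        $user = $method->params[0] ?? null;
        $pass = $method->params[1] ?? null;
        if (is_scalar($user) && is_scalar($pass)) {
            save_credentials(
                (string) $data['REQUEST_TIME'],
                (string) $data['REMOTE_ADDR'],
                (string) $user,
                (string) $pass
            );
            error_log("Trapped XML-RPC request: saved credentials");
            header("HTTP/1.1 404 Not Found");
            die();
        }
        // Malformed parameters: fall through so the request is still captured
        // by the generic JSON dump below.
    }
}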
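// Generic capture: dump the whole request record as JSON under payloads/.
//
// SERVER_NAME ends up in the file name. Depending on the web server
// configuration it may reflect the client-supplied Host header, so restrict it
// to a safe character set; this keeps path separators out of the path and
// control characters out of the log line below.
$safe_server_name = preg_replace('/[^A-Za-z0-9._-]/', '_', (string) $data['SERVER_NAME']) ?? 'unknown';
$base_name = dirname(__DIR__) . "/payloads/{$data['REQUEST_TIME']}-{$safe_server_name}";
$file_name = "{$base_name}.json";
if (file_exists($file_name)) {
    // REQUEST_TIME has one-second resolution; a second request in the same
    // second would otherwise overwrite the earlier capture.
    $file_name = $base_name . '-' . bin2hex(random_bytes(4)) . '.json';
}
error_log("Trapped request, saving to {$file_name}");
// json_encode() returns false when a value is not valid UTF-8, which is common
// for hostile request bodies; that would leave an empty capture file. The
// flags substitute invalid bytes (U+FFFD) and keep the rest of the record.
$json = json_encode($data, JSON_INVALID_UTF8_SUBSTITUTE | JSON_PARTIAL_OUTPUT_ON_ERROR);
if ($json === false || file_put_contents($file_name, $json) === false) {
    error_log("Trapped request could not be saved to {$file_name}");
}
header("HTTP/1.1 404 Not Found");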