force ads on free accounts
#11
For some reason the author suspiciously decided to obfuscate the PHP code in functions.php. Whipped up a quick script to de-obfuscate it (7 iterations) and came back with this after some hand-beautifying:

PHP Code:
<?php

ini_set('display_errors', 1);

function checkacl($acl) {
    $user = $_ENV['REMOTE_USER'];
    if($user == "root") {
        return 1;
    }
    $reseller = file_get_contents("/var/cpanel/resellers");
    foreach (split("\n", $reseller) as $line) {
        if(preg_match("/^$user:/", $line)) {
            $line = preg_replace("/^$user:/", "", $line);
            foreach (split(",", $line) as $perm) {
                if($perm == "all" || $perm == $acl) {
                    return 1;
                }
            }
        }
    }
    return 0;
}

function hasAds($user) {
    $sql = mysql_query("select * from `u` where ads='yes' and owner='root' and username='$user' limit 1");
    return(mysql_num_rows($sql) == 1);
}

function resellerHasAds($user) {
    $cu = $_ENV['REMOTE_USER'];
    $sql = mysql_query("select * from `u` where ads='yes' and owner='$cu' and username='$user' limit 1");
    return(mysql_num_rows($sql) == 1);
}

function removeAds($u) {
    mysql_query("update `u` set ads='no' where username='$u' and owner='root' limit 1");
    echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>'.$u.'</b> will no longer have ads.</center> <center><a href="/cgi/addon_forcedAds.php">Go Back</a></center> ';
}

function createBread($arr) {
    echo '<div id="pageheader"> <div id="breadcrumbs"> <p> <a href="/scripts/command?PFILE=main">Main</a> ';
    foreach ($arr as $a) {
        echo "\t\t\t>>\n";
        echo "\t\t\t<a href=\"{$a[0]}\">{$a[1]}</a>\n";
    }
    echo "\t\t</p>\n\t</div>";
}

function addStyle() {
    echo '<script type="text/javascript" src="/cPanel_magic_revision_1261011428/yui/datasource/datasource.js"></script> <script type="text/javascript" src="/cPanel_magic_revision_1261011439/yui/autocomplete/autocomplete.js"></script> <script type="text/javascript" src="/cPanel_magic_revision_1202352162/js/dnslist.js"></script> <div class="topboxmargin"></div> <link rel="stylesheet" type="text/css" href="/cPanel_magic_revision_1261011439/yui/autocomplete/assets/skins/sam/autocomplete.css" /> <link rel="stylesheet" type="text/css" href="/cPanel_magic_revision_1261011434/yui/fonts/fonts-min.css" /> <style type="text/css"> .dnsblock { width: 400px; float: left; padding: 20px; margin: 0; } #dnsedithdr { text-align:center; background: url(/cPanel_magic_revision_1181098613/themes/x/bg.png) repeat-x; font-weight: 900; } .yui-skin-sam .yui-ac-content li { text-align:left; list-style: none; } #zonelist { margin-left: 10px; } .zoneitem { float:left; width: 300px; overflow:auto; } #toolbox { margin-left: 10px; } #selecttools { background-color: #fafafa; border: 1px solid #ccc; margin-left: 10px; width: 450px; } .toolbox { border: 0; } #domaininput { color: #999; } </style> ';
}

// Reads the MySQL root password out of /root/.my.cnf via the shell.
function getRootPass() {
    return str_replace("\n", '', preg_replace("/pass=\"(.*)\"/is", "$1", `cat /root/.my.cnf | grep 'pass'`));
}

function getTableSQL() {
    return " CREATE TABLE IF NOT EXISTS  `u` ( `id` INT( 5 ) NOT NULL AUTO_INCREMENT PRIMARY KEY , `username` VARCHAR( 8 ) NOT NULL, `owner` VARCHAR(8) NOT NULL, `pack` VARCHAR(255) NOT NULL ) ENGINE = MYISAM ; ";
}

function getFilteredPass() {
    $pass2 = str_replace('$','\$',getRootPass()); return $pass2;
}

function getRootPassFileContents() {
    $pass = getFilteredPass();
    return ' <?php if (defined("JEFJWFURHGCNURHTF5M7DWHQTFNC4H")) { $pass = "'.$pass.'"; } else { $pass = "Nope"; } ';
}

// Writes a PHP file at /ads/rootmpass.php that embeds the MySQL root password.
function makeRootPassFile() {
    echo `rm -f /ads/rootmpass.php`;
    echo `touch /ads/rootmpass.php`;
    $c = getRootPassFileContents();
    echo `echo '$c' >> /ads/rootmpass.php`;
}

function createTable() {
    @mysql_query(getTableSQL());
}

function createDataBase() {
    @mysql_query("create database cPanelAdUsers");
}

function dieIfNotACL() {
    if(!checkacl('all')) {
        die;
    }
}

function addAds($u) {
    @mysql_query("update `u` set ads='yes' where owner='root' and  `username`='$u' limit 1");
    echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>{$u}</b> will now have ads.</center> <center><a href="/cgi/addon_forcedAds.php">Go Back</a></center> ';
}

function getUserArray() {
    $users = `ls /var/cpanel/users`;
    $users = explode("\n", $users);
    array_pop($users);
    return $users;
}

function makeNoAdsArray() {
    $arr = array();
    foreach(getUserArray() as $u) {
        if(!hasAds($u)) {
            $arr[] = $u;
        }
    }
    return $arr;
}

function makeAdsArray() {
    $arr = array();
    foreach(getUserArray() as $u) {
        if(hasAds($u)) {
            $arr[] = $u;
        }
    }
    return $arr;
}

function outputForms() {
    echo '<table><tr><td width="50%">';
    outputAdsForm();
    echo '</td></tr><tr><td>';
    outputNoAdsForm();
    echo '</td></tr></table>';
}

function outputAdsForm() {
    echo ' <form action="/cgi/addon_forcedAds.php?action=add" method="get" name="secform">  <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Remove ads from a user</div>  <div style="clear:both;"> <input type="hidden" name="action" value="add"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
    foreach(makeAdsArray() as $u) {
        echo '<option>'.$u.'</option>';
    }
    echo ' </select>  <!-- option value defaults to contents according to http://www.w3.org/TR/html4/interact/forms.html#edef-OPTION --> </div> </div>  <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Remove Ads"> </div>  </form> ';
}

function outputNoAdsForm() {
    echo ' <form action="/cgi/addon_forcedAds.php?action=add" method="get" name="secform">  <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Show ads for a user</div>  <div style="clear:both;"> <input type="hidden" name="action" value="remove"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
    foreach(makeNoAdsArray() as $u) {
        echo '<option>'.$u.'</option>';
    }
    echo ' </select> </div> </div>  <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Show Ads"> </div>  </form> ';
}

function addUser($u, $o, $p, $a) {
    mysql_connect("localhost", "root", getRootPass());
    mysql_select_db("cPanelAdUsers");
    mysql_query("insert into `u` set username='$u',plan='$p',owner='$o',ads='$a'");
    mysql_close();
}

function removeUser($u) {
    mysql_connect("localhost", "root", getRootPass());
    mysql_select_db("cPanelAdUsers");
    mysql_query("delete from `u` where username='$u'");
    mysql_close();
}

function ownsUser($u) {
    $cu = $_ENV['REMOTE_USER'];
    return(`cat /var/cpanel/users/{$u} | grep 'OWNER' | sed 's/OWNER=//'` == $cu."\n");
}

function noRootAllowed() {
    return 'Root not allowed to use this!';
}

function isAllowed() {
    if(!checkacl('list-accts')) {
        die('Access Denied');
    }
    if($_ENV['REMOTE_USER'] == 'root') {
        die(noRootAllowed());
    }
}

function ownerCheck($u) {
    if(!ownsUser($u)) {
        echo " <center><h2>Forced ads</h1></center> <center><p>You don't own user <b>$u</b>!</center> <center><a href=\"/cgi/addon_resellerForcedAds.cgi\">Go Back</a></center> ";
        die;
    }
}

function resellerRemoveAds($u) {
    $cu = $_ENV['REMOTE_USER'];
    ownerCheck($u);
    mysql_connect("localhost", "root", getRootPass());
    mysql_select_db("cPanelAdUsers");
    mysql_query("update `u` set ads='no' where username='$u' and owner='$cu' limit 1") or die(mysql_error());
    mysql_close();
    echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>'.$u.'</b> will no longer have ads.</center> <center><a href="/cgi/addon_resellerForcedAds.cgi">Go Back</a></center> ';
}

function resellerNoAdsArray() {
    $arr = array();
    foreach(getUserArray() as $u) {
        if(!resellerHasAds($u) && ownsUser($u)) {
            $arr[] = $u;
        }
    }
    return $arr;
}

function resellerAdsArray() {
    $arr = array();
    foreach(getUserArray() as $u) {
        if(resellerHasAds($u) && ownsUser($u)) {
            $arr[] = $u;
        }
    }
    return $arr;
}

function resellerAddAds($u) {
    $cu = $_ENV['REMOTE_USER'];
    ownerCheck($u);
    mysql_connect("localhost", "root", getRootPass());
    mysql_select_db("cPanelAdUsers");
    mysql_query("update `u` set ads='yes' where username='$u' and owner='$cu' limit 1") or die(mysql_error());
    mysql_close();
    echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>'.$u.'</b> will now have ads.</center> <center><a href="/cgi/addon_resellerForcedAds.cgi">Go Back</a></center> ';
}

function resellerOutputForms() {
    echo '<table><tr><td width="50%">';
    resellerOutputAdsForm();
    echo '</td></tr><tr><td>';
    resellerOutputNoAdsForm();
    echo '</td></tr></table>';
}

function resellerOutputNoAdsForm() {
    echo ' <form action="/cgi/addon_resellerForcedAds.cgi?action=add" method="get" name="secform">  <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Show ads for a user</div>  <div style="clear:both;"> <input type="hidden" name="action" value="remove"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
    foreach(resellerNoAdsArray() as $u) {
        echo '<option>'.$u.'</option>';
    }
    echo ' </select> </div> </div>  <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Show Ads"> </div> </form> ';
}

function resellerOutputAdsForm() {
    echo ' <form action="/cgi/addon_resellerForcedAds.cgi?action=add" method="get" name="secform">  <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Remove ads from a user</div>  <div style="clear:both;"> <input type="hidden" name="action" value="add"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
    foreach(resellerAdsArray() as $u) {
        echo '<option>'.$u.'</option>';
    }
    echo ' </select> </div> </div>  <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Remove Ads"> </div> </form> ';
}

Doesn't appear to do anything malicious. It does create a file with your root MySQL password in it though.
Kevin Mark - TheHostingTool Lead Developer
#12
So is it harmful to use it or not?

As I saw the de-obfuscated code I saw a function that creates and shows the root pass on a .php? I don't think that is safe...!
#13
I've only looked through it briefly but I do not believe the script itself is malicious. But it's possible that it could be exploited by end users to retrieve your MySQL root password or remove ads from their site. Proceed with caution.
Kevin Mark - TheHostingTool Lead Developer
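
For anyone auditing or patching this plugin, here is a hardened counterpart of ownsUser() and the reseller update functions from post #11, as an added example that is not part of the thread or the plugin's own code. It assumes usernames fit the VARCHAR(8) column shown in the table definition, and that `$db` is a mysqli connection opened with a dedicated low-privilege account (hypothetical) instead of the root password; `validUsername`, `accountOwner`, `resellerSetAds` and `userLabel` are hypothetical names.

```php
<?php
const USER_DIR = '/var/cpanel/users';

// Accept only short lowercase alphanumeric names (assumed format, see lead-in).
function validUsername(string $u): bool {
    return preg_match('/\A[a-z][a-z0-9]{0,7}\z/', $u) === 1;
}

// Read the OWNER= line in PHP instead of passing $u to cat | grep | sed.
function accountOwner(string $u, string $dir = USER_DIR): ?string {
    if (!validUsername($u)) {
        return null;
    }
    $lines = @file("$dir/$u", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return null;
    }
    foreach ($lines as $line) {
        if (strncmp($line, 'OWNER=', 6) === 0) {
            return substr($line, 6);
        }
    }
    return null;
}

// Set the ads flag for $u only if the authenticated reseller owns the account.
// $db: mysqli connection for a low-privilege account (assumption, not root).
function resellerSetAds(mysqli $db, string $reseller, string $u, bool $ads): bool {
    if (!validUsername($reseller) || accountOwner($u) !== $reseller) {
        return false;
    }
    $flag = $ads ? 'yes' : 'no';
    $stmt = $db->prepare('UPDATE `u` SET ads = ? WHERE username = ? AND owner = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $flag, $u, $reseller);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Escape the name before echoing it into the confirmation HTML.
function userLabel(string $u): string {
    return htmlspecialchars($u, ENT_QUOTES, 'UTF-8');
}
```

With a separate database account there is no reason to copy the root password into /ads/rootmpass.php at all.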