true,
'secure' => true, // Ensure HTTPS is used in production
'samesite' => 'Strict'
]);
// Start (or resume) the session only after the cookie parameters above have been applied.
session_start();
// --- CSRF Utility Functions ---
// Return the session's CSRF token, minting a fresh 32-byte (64 hex chars) one on first use.
function getCsrfToken() {
    $existing = $_SESSION['csrf_token'] ?? null;
    if (!empty($existing)) {
        return $existing;
    }
    $fresh = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $fresh;
    return $fresh;
}
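// Constant-time comparison of a submitted token against the one stored in the session.
// $token comes straight from the request: a non-string (e.g. csrf_token[]=x) can never match and
// must not reach hash_equals(), which throws a TypeError on non-string arguments in PHP 8.
// Returns false when no session token exists yet.
function validateCsrfToken($token): bool {
    if (!is_string($token) || !isset($_SESSION['csrf_token'])) {
        return false;
    }
    // Known (secret) value first, user-supplied value second.
    return hash_equals($_SESSION['csrf_token'], $token);
}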
// --- Login and Authentication ---
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
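if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'], $_POST['csrf_token'])) {
    if (!validateCsrfToken($_POST['csrf_token'])) {
        $error = "Invalid CSRF token.";
    } else {
        // Expected credentials come from the environment; getenv() returns false when a variable is unset.
        $envUser = getenv('user');
        $envPass = getenv('pass');
        // Request fields arrive as strings or arrays; anything that is not a string can never match,
        // and must not be handed to hash_equals() (TypeError on non-strings in PHP 8).
        $postUser = is_string($_POST['username']) ? $_POST['username'] : '';
        $postPass = is_string($_POST['password']) ? $_POST['password'] : '';
        // hash_equals() takes the secret first and the user-supplied value second. An unset or empty
        // environment value is refused outright rather than letting an empty submission match it.
        $userOk = $envUser !== false && $envUser !== '' && hash_equals($envUser, $postUser);
        $passOk = $envPass !== false && $envPass !== '' && hash_equals($envPass, $postPass);
        if ($userOk && $passOk) {
            $_SESSION['logged_in'] = true;
            // New session id on privilege change prevents session fixation.
            session_regenerate_id(true);
            header("Location: " . $_SERVER['PHP_SELF']);
            exit;
        } else {
            $error = "Invalid credentials.";
        }
    }
}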
$loginToken = getCsrfToken();
?>
Login
Login
" . htmlspecialchars($error) . ""; } ?>
&1';
return trim(shell_exec($cmd));
}
return "Directory not found.";
}
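// Replace the bot checkout with a fresh clone of its repository.
// Requires a POST carrying a valid CSRF token. Returns the combined command output, or a
// short status message when the request is refused or the clone/move fails.
function handleUpdateAction() {
    // Only allow updates using a POST request with a valid CSRF token.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['csrf_token']) || !validateCsrfToken($_POST['csrf_token'])) {
        return "Unauthorized update request.";
    }
    $botDir = '/home/server/wdiscordbotserver';
    $stageDir = $botDir . '.new';
    $repoUrl = 'https://gitlab.com/pancakes1234/wdiscordbotserver.git';
    $result = "";
    // Clone into a staging directory first: if the clone fails (network, remote unavailable) the
    // current checkout stays in place instead of having been rm -rf'd beforehand.
    if (is_dir($stageDir)) {
        $result .= shell_exec('rm -rf ' . escapeshellarg($stageDir) . ' 2>&1');
    }
    $cloneCmd = 'git clone ' . escapeshellarg($repoUrl) . ' ' . escapeshellarg($stageDir) . ' 2>&1';
    $result .= shell_exec($cloneCmd);
    if (!is_dir($stageDir . '/.git')) {
        return $result . "\nClone failed; existing installation left in place.";
    }
    if (is_dir($botDir)) {
        $result .= shell_exec('rm -rf ' . escapeshellarg($botDir) . ' 2>&1');
    }
    if (!rename($stageDir, $botDir)) {
        $result .= "\nFailed to move the new checkout into place.";
    }
    return $result;
}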
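// Validate the requested file path against the /home/server base directory and, on a
// CSRF-protected POST, overwrite it with the submitted content.
// Returns a status message, or "" when there is nothing to report (no file given, or a plain GET).
function handleDataAction() {
    $baseDir = realpath('/home/server');
    $file = $_GET['file'] ?? null;
    $response = "";
    if ($file) {
        // realpath() resolves "..", "." and symlinks, so the containment check sees the canonical
        // path. A non-string (array) parameter can never name a file.
        $realFile = is_string($file) ? realpath($file) : false;
        // Containment: the path must be the base directory itself or start with base + separator;
        // a bare prefix match would also accept siblings such as "/home/server2/...". If realpath()
        // of the base failed ($baseDir === false), nothing may be accepted — the original strpos()
        // against a coerced "" matched every path.
        $insideBase = $baseDir !== false
            && $realFile !== false
            && ($realFile === $baseDir || strpos($realFile, $baseDir . DIRECTORY_SEPARATOR) === 0);
        if (!$insideBase) {
            $response = "Invalid file.";
        } elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['content'], $_POST['csrf_token'])) {
            if (!validateCsrfToken($_POST['csrf_token'])) {
                $response = "Invalid CSRF token.";
            } elseif (!is_string($_POST['content'])) {
                // An array "content" field would be written as its concatenated elements; refuse it.
                $response = "Failed to update file.";
            } elseif (file_put_contents($realFile, $_POST['content']) !== false) {
                $response = "File updated successfully.";
            } else {
                $response = "Failed to update file.";
            }
        }
    }
    return $response;
}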
// --- Process Request Actions ---
$action = $_GET['action'] ?? ($_POST['action'] ?? "");
// Map each supported action name to its handler; an unknown (or non-string) action leaves
// $output unset. Additional actions (e.g., "terminal") can be registered here.
$actionHandlers = [
    "version" => 'handleVersionAction',
    "update"  => 'handleUpdateAction',
    "data"    => 'handleDataAction',
];
if (is_string($action) && isset($actionHandlers[$action])) {
    $output = $actionHandlers[$action]();
}
?>
Discord Bot Admin API
Discord Bot Admin API
Files in
Invalid file.
Editing:
Wetty Terminal