<?php
// READ-ONLY : détecte contenu injecté (scripts/spam) en base. Usage: php _audit_db_content.php /site/dir
error_reporting(0);
$dir = rtrim($argv[1] ?? '', '/'); $cfg = $dir.'/wp-config.php';
if (!is_file($cfg)) { echo basename($dir)." : no wp-config\n"; exit; }
$s = file_get_contents($cfg);
function gc($s,$k){return preg_match('/define\(\s*[\x27\x22]'.$k.'[\x27\x22]\s*,\s*[\x27\x22]([^\x27\x22]*)/',$s,$m)?$m[1]:'';}
$pfx = preg_match('/\$table_prefix\s*=\s*[\x27\x22]([^\x27\x22]+)/',$s,$m) ? $m[1] : 'wp_';
$h=gc($s,'DB_HOST');$port=0; if(strpos($h,':')!==false){list($h,$port)=explode(':',$h,2);$port=(int)$port;}
$m=@new mysqli($h,gc($s,'DB_USER'),gc($s,'DB_PASSWORD'),gc($s,'DB_NAME'),$port?:3306);
$site=basename($dir);
if($m->connect_errno){echo str_pad($site,18)." DBERR: ".$m->connect_error."\n";exit;}
function cnt($m,$sql){$r=$m->query($sql);return $r?(int)$r->fetch_row()[0]:-1;}
$p=cnt($m,"SELECT COUNT(*) FROM {$pfx}posts WHERE post_status IN('publish','inherit','draft') AND (post_content LIKE '%eval(%' OR post_content LIKE '%String.fromCharCode%' OR post_content LIKE '%document.write(unescape%' OR post_content LIKE '%<script%.top/%' OR post_content LIKE '%<script%.ru/%' OR post_content LIKE '%<script%.icu/%' OR post_content LIKE '%<script%.xyz/%')");
$o=cnt($m,"SELECT COUNT(*) FROM {$pfx}options WHERE autoload='yes' AND (option_value LIKE '%eval(base64%' OR option_value LIKE '%gzinflate(base64%' OR option_value LIKE '%<script%eval(%' OR option_value LIKE '%bsc-testnet%')");
$spam=cnt($m,"SELECT COUNT(*) FROM {$pfx}posts WHERE post_status='publish' AND (post_content LIKE '%viagra%' OR post_content LIKE '%casino%' OR post_content LIKE '%payday loan%' OR post_content LIKE '%cheap%pills%')");
$u=cnt($m,"SELECT COUNT(*) FROM {$pfx}users WHERE user_registered>'2025-01-01'");
$flag=($p>0||$o>0)?'!! SUSPECT':'OK  ';
printf("%s| %-18s posts_inj:%d options_inj:%d spam:%d users>2025:%d\n",$flag,$site,$p,$o,$spam,$u);
$m->close();
