PHP WebShell
Current directory: /var/www/bitcardoApp
Viewing file: tron_key_checker.php
<?php
// tron_key_checker.php
// Single-file TRON wallet/key validator (form + response).
// Drop this file anywhere in your project root (same level as /vendor and /config).
//
// What it does:
// - You paste a TRON address (Base58) and a private key (hex).
// - It derives the TRON address from the private key and compares.
// - Returns MATCH (valid for that wallet) or MISMATCH (key does not belong to that wallet).
//
// Security notes:
// - This does NOT store the key anywhere and does not write logs itself
//   (the request still passes through the web server and any proxy in front of it).
// - It uses a per-session CSRF token.
declare(strict_types=1);
session_start();
// Dependencies (composer): simplito/elliptic-php (secp256k1, needs ext-gmp)
// and kornrunner/keccak (Keccak-256; PHP's built-in 'sha3-256' is NOT the same hash).
require __DIR__ . '/vendor/autoload.php';
use Elliptic\EC;
use kornrunner\Keccak;
if (empty($_SESSION['csrf_tron_key_checker'])) {
$_SESSION['csrf_tron_key_checker'] = bin2hex(random_bytes(32));
}
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
/**
* Base58 encoding with Bitcoin alphabet (TRON uses same).
*/
function base58encode(string $data): string
{
$alphabet = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
$num = gmp_init(0, 10);
$len = strlen($data);
for ($i = 0; $i < $len; $i++) {
$num = gmp_add(gmp_mul($num, 256), ord($data[$i]));
}
$encoded = '';
while (gmp_cmp($num, 0) > 0) {
$rem = gmp_intval(gmp_mod($num, 58));
$num = gmp_div_q($num, 58);
$encoded = $alphabet[$rem] . $encoded;
}
// Preserve leading zeros as '1'
$i = 0;
while ($i < $len && $data[$i] === "\x00") {
$encoded = '1' . $encoded;
$i++;
}
return $encoded;
}
/**
* Normalize private key input:
* - trim whitespace
* - strip 0x prefix if present
* - lowercase
*/
function normalizePrivateKey(string $hex): string
{
$hex = trim($hex);
if (stripos($hex, '0x') === 0) {
$hex = substr($hex, 2);
}
return strtolower($hex);
}
/**
* Derive TRON address (Base58Check) from private key hex.
* Same derivation as an Ethereum address (Keccak-256 of the uncompressed public key,
* last 20 bytes), with TRON's 0x41 version byte in front.
*/
function tronAddressFromPrivateKey(string $privateKeyHex): string
{
$privateKeyHex = normalizePrivateKey($privateKeyHex);
if (!preg_match('/^[0-9a-f]{64}$/', $privateKeyHex)) {
throw new RuntimeException("Invalid private key format. Expected 64 hex characters (32 bytes).");
}
// A secp256k1 private key must lie in [1, n-1]. Do not rely on the EC library to
// reject 0 or values >= n (elliptic reduces them mod n); check the range here.
$n = gmp_init('ffffffff' . 'ffffffff' . 'ffffffff' . 'fffffffe'
. 'baaedce6' . 'af48a03b' . 'bfd25e8c' . 'd0364141', 16);
$d = gmp_init($privateKeyHex, 16);
if (gmp_cmp($d, 0) === 0 || gmp_cmp($d, $n) >= 0) {
throw new RuntimeException("Private key is out of range for secp256k1 (must satisfy 1 <= key < n).");
}
$ec = new EC('secp256k1');
$key = $ec->keyFromPrivate($privateKeyHex, 'hex');
// 1) Uncompressed public key: 0x04 + X(32) + Y(32)
$pubHex = $key->getPublic(false, 'hex'); // "04...."
$pubHex = substr($pubHex, 2); // drop "04"
// 2) Keccak-256 on binary public key
$hashHex = Keccak::hash(hex2bin($pubHex), 256);
// 3) Last 20 bytes
$ethPart = substr($hashHex, -40);
// 4) Tron prefix 0x41
$tronHex = '41' . $ethPart;
$addrBin = hex2bin($tronHex);
// 5) Base58Check
$checksum = substr(hash('sha256', hash('sha256', $addrBin, true), true), 0, 4);
$payload = $addrBin . $checksum;
return base58encode($payload);
}
/**
* Light validation of a TRON Base58 address (shape only; the checksum is not verified here,
* the comparison against the derived address covers that).
* A mainnet address is 0x41 + 20-byte account id + 4-byte checksum = 25 bytes, which
* always Base58-encodes to exactly 34 characters starting with 'T'.
*/
function looksLikeTronAddress(string $addr): bool
{
$addr = trim($addr);
if (strlen($addr) !== 34) return false;
if ($addr[0] !== 'T') return false;
// Base58 charset check (no 0,O,I,l)
return (bool)preg_match('/^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]+$/', $addr);
}
$inputAddress = '';
$inputPrivKey = '';
$result = null; // array|null
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$csrf = $_POST['csrf'] ?? '';
if (!hash_equals($_SESSION['csrf_tron_key_checker'], (string)$csrf)) {
$error = "Security check failed (CSRF). Please refresh and try again.";
} else {
$inputAddress = trim((string)($_POST['wallet_add'] ?? ''));
$inputPrivKey = trim((string)($_POST['private_key'] ?? ''));
if ($inputAddress === '' || $inputPrivKey === '') {
$error = "Both Wallet Address and Private Key are required.";
} elseif (!looksLikeTronAddress($inputAddress)) {
$error = "Wallet Address does not look like a valid TRON Base58 address.";
} else {
try {
$derived = tronAddressFromPrivateKey($inputPrivKey);
$isMatch = hash_equals($derived, $inputAddress);
$result = [
'db_address' => $inputAddress,
'derived' => $derived,
'match' => $isMatch,
];
} catch (RuntimeException $e) {
// Our own validation messages are safe to show to the user.
$error = $e->getMessage();
} catch (Throwable $e) {
// Library or internal errors: do not leak their details into the page.
$error = "Could not derive an address from the given key.";
}
}
}
}
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>TRON Wallet Key Checker</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Bootstrap (CDN). If your project already includes Bootstrap locally, swap this;
otherwise self-host it or add a Subresource Integrity (integrity="...") attribute so a
tampered CDN file cannot alter this page. -->
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css" rel="stylesheet">
<style>
body { background: #0b1220; }
.card { background: #0f1a2d; border: 1px solid rgba(255,255,255,.08); }
.muted { color: rgba(255,255,255,.65); }
label { color: rgba(255,255,255,.85); }
.form-control { background: #0b1426; border: 1px solid rgba(255,255,255,.12); color: #fff; }
.form-control:focus { background: #0b1426; color: #fff; }
.mono { font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace; }
.small-note { font-size: .9rem; color: rgba(255,255,255,.6); }
.badge-ok { background: #198754; }
.badge-bad { background: #dc3545; }
</style>
</head>
<body>
<div class="container py-5">
<div class="row justify-content-center">
<div class="col-lg-8 col-xl-7">
<div class="mb-4 text-center">
<h3 class="text-white mb-2">TRON Wallet & Private Key Validator</h3>
<div class="muted">
Paste a TRON address + private key. We derive the address from the key and compare.
</div>
</div>
<div class="card rounded-4 shadow-sm">
<div class="card-body p-4 p-md-5">
<?php if ($error): ?>
<div class="alert alert-danger">
<strong>Error:</strong> <?= h($error) ?>
</div>
<?php endif; ?>
<?php if ($result): ?>
<div class="alert <?= $result['match'] ? 'alert-success' : 'alert-warning' ?>">
<div class="d-flex align-items-center justify-content-between flex-wrap gap-2">
<div>
<strong>Result:</strong>
<?php if ($result['match']): ?>
<span class="badge badge-ok text-white">MATCH (Key is valid for this wallet)</span>
<?php else: ?>
<span class="badge badge-bad text-white">MISMATCH (Key is NOT for this wallet)</span>
<?php endif; ?>
</div>
<div class="small-note">No data is stored.</div>
</div>
<hr>
<div class="mb-2">
<div class="muted">Wallet Address (Input)</div>
<div class="mono text-white"><?= h($result['db_address']) ?></div>
</div>
<div>
<div class="muted">Derived Address (From Key)</div>
<div class="mono text-white"><?= h($result['derived']) ?></div>
</div>
</div>
<?php endif; ?>
<form method="post" autocomplete="off">
<input type="hidden" name="csrf" value="<?= h($_SESSION['csrf_tron_key_checker']) ?>">
<div class="mb-3">
<label class="form-label">Wallet Address (Base58)</label>
<input
type="text"
name="wallet_add"
class="form-control mono"
placeholder="Example: TNkKD9KGes1YzLRcp21CESrNPyk4H1hk5R"
value="<?= h($inputAddress) ?>"
required
>
<div class="small-note mt-1">
Must be a TRON Base58 address (usually starts with <span class="mono">T</span>).
</div>
</div>
<div class="mb-3">
<label class="form-label">Private Key (Hex)</label>
<?php /* The private key is deliberately NOT echoed back into the form: a value
attribute would put it into the page source, browser memory and any proxy cache. */ ?>
<input
type="password"
name="private_key"
class="form-control mono"
placeholder="64 hex chars (32 bytes). 0x prefix allowed."
autocomplete="off"
required
>
<div class="small-note mt-1">
Example format: <span class="mono">9f1c... (64 hex chars)</span>. We strip <span class="mono">0x</span> if included.
</div>
</div>
<div class="d-grid gap-2">
<button class="btn btn-primary btn-lg" type="submit">Check Key</button>
</div>
<div class="mt-3 small-note">
Recommendation: use this checker only in a secure admin/dev environment. Do not expose it publicly.
</div>
</form>
</div>
</div>
<div class="text-center mt-4 muted small-note">
If you want the checker to also look up the wallet in your <span class="mono">wallet_keys</span> table (by address) and compare against the stored key, tell me and I’ll extend this same one-file page.
</div>
</div>
</div>
</div>
</body>
</html>
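The page's looksLikeTronAddress() only checks the shape of the address. A strict check decodes the Base58Check string and verifies both the 0x41 version byte and the double-SHA256 checksum, which catches a mistyped or truncated address before any key is derived. The following is an added example and not part of tron_key_checker.php: the functions base58decode(), decodeTronAddress() and isValidTronAddress() are my own names, the 20-byte account id in the demo is a constructed placeholder (not a real wallet), and the script needs ext-gmp just like the page's encoder.

```php
<?php
// tron_address_check.php (added example, not part of tron_key_checker.php)
// Strict TRON address validation by Base58Check decoding. Needs ext-gmp.
// Run: php tron_address_check.php
declare(strict_types=1);

const B58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

/** Base58 encode (same algorithm as the page's base58encode()). */
function base58encode(string $data): string
{
    $alphabet = B58_ALPHABET;
    $num = gmp_init(0, 10);
    for ($i = 0, $len = strlen($data); $i < $len; $i++) {
        $num = gmp_add(gmp_mul($num, 256), ord($data[$i]));
    }
    $encoded = '';
    while (gmp_cmp($num, 0) > 0) {
        $encoded = $alphabet[gmp_intval(gmp_mod($num, 58))] . $encoded;
        $num = gmp_div_q($num, 58);
    }
    // Every leading 0x00 byte becomes a leading '1'
    for ($i = 0; $i < strlen($data) && $data[$i] === "\x00"; $i++) {
        $encoded = '1' . $encoded;
    }
    return $encoded;
}

/** Base58 decode; returns null if any character is outside the alphabet. */
function base58decode(string $s): ?string
{
    $alphabet = B58_ALPHABET;
    $num = gmp_init(0, 10);
    $len = strlen($s);
    for ($i = 0; $i < $len; $i++) {
        $digit = strpos($alphabet, $s[$i]);
        if ($digit === false) {
            return null;
        }
        $num = gmp_add(gmp_mul($num, 58), $digit);
    }
    // gmp_export(): big-endian bytes without leading zeros (empty for 0)
    $bytes = gmp_cmp($num, 0) > 0 ? gmp_export($num) : '';
    // Every leading '1' was a leading 0x00 byte
    for ($i = 0; $i < $len && $s[$i] === '1'; $i++) {
        $bytes = "\x00" . $bytes;
    }
    return $bytes;
}

/**
 * Decode and verify a TRON mainnet address:
 *   25 bytes = 0x41 version byte + 20-byte account id + 4-byte checksum,
 *   checksum = first 4 bytes of SHA256(SHA256(version + account id)).
 * Returns the 21-byte payload on success, null on any failure.
 */
function decodeTronAddress(string $addr): ?string
{
    $raw = base58decode(trim($addr));
    if ($raw === null || strlen($raw) !== 25) {
        return null;
    }
    $payload  = substr($raw, 0, 21);
    $checksum = substr($raw, 21, 4);
    if ($payload[0] !== "\x41") {
        return null;
    }
    $expected = substr(hash('sha256', hash('sha256', $payload, true), true), 0, 4);
    return hash_equals($expected, $checksum) ? $payload : null;
}

function isValidTronAddress(string $addr): bool
{
    return decodeTronAddress($addr) !== null;
}

// Demo with a constructed 20-byte account id (not a real wallet): build the
// address the way the page does, then feed it and two broken variants back in.
$accountId = str_repeat("\xab", 20);
$payload   = "\x41" . $accountId;
$addr      = base58encode($payload . substr(hash('sha256', hash('sha256', $payload, true), true), 0, 4));

// Same 20 bytes behind a 0x00 version byte: well-formed Base58Check, but not a TRON address.
$other     = "\x00" . $accountId;
$otherAddr = base58encode($other . substr(hash('sha256', hash('sha256', $other, true), true), 0, 4));

printf("%-22s %s (%d chars)\n", 'constructed address:', $addr, strlen($addr));
printf("%-22s %s\n", 'valid:', isValidTronAddress($addr) ? 'yes' : 'no');
printf("%-22s %s\n", 'first char dropped:', isValidTronAddress(substr($addr, 1)) ? 'yes' : 'no');
printf("%-22s %s\n", 'version byte 0x00:', isValidTronAddress($otherAddr) ? 'yes' : 'no');
```

The truncated and the 0x00-version variants are rejected deterministically (wrong length or wrong version byte); a single mistyped character in the middle of an address is caught by the checksum, which misses with probability 2^-32. In the checker itself, decodeTronAddress() can replace looksLikeTronAddress() as the pre-check and its 21-byte result can be compared directly against the hex2bin('41' . $ethPart) payload instead of the Base58 strings.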