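<?php
declare(strict_types=1);

/**
 * Admin user-management endpoint (JSON responses).
 *
 * Handles a POST carrying `action` (make_admin | remove_admin | delete_user |
 * edit_user) and `user_id`; edit_user additionally reads username, email,
 * credits and plan. The caller must hold an admin session ($_SESSION['user_id']
 * set and $_SESSION['is_admin'] truthy). Every completed change is written to
 * admin_logs with the acting admin's id.
 *
 * Responses are either {"success": true, "message": ...} or {"error": ...}.
 */

session_start();
require_once 'includes/db.php'; // presumably defines $pdo (PDO) — confirm in includes/db.php

header('Content-Type: application/json');

/**
 * Emit a JSON body and end the request.
 *
 * @param array<string, mixed> $payload
 */
function respond(array $payload): void
{
    echo json_encode($payload);
    exit;
}

/**
 * Read a scalar POST field as a trimmed string, treating a missing or
 * non-string value (e.g. `field[]=`) as $default instead of raising a TypeError.
 */
function postString(string $key, string $default = ''): string
{
    $value = $_POST[$key] ?? null;

    return is_string($value) ? trim($value) : $default;
}

/**
 * Append one row to admin_logs. When the caller has a transaction open the
 * insert is part of it, so a rolled-back change leaves no log entry.
 */
function logAdminAction(PDO $pdo, int $adminId, string $action, int $targetUserId, string $details): void
{
    $stmt = $pdo->prepare("INSERT INTO admin_logs (admin_id, action, target_user_id, details, created_at) VALUES (?, ?, ?, ?, NOW())");
    $stmt->execute([$adminId, $action, $targetUserId, $details]);
}

/**
 * Report a database failure. The driver message goes to the server log only;
 * the client receives a generic string so table names, column names and SQL
 * fragments are not disclosed.
 */
function respondDbError(PDOException $e): void
{
    error_log('admin_actions.php: ' . $e->getMessage());
    respond(['error' => 'Database error']);
}

/**
 * Grant ($grant = true) or revoke ($grant = false) the is_admin flag on $userId.
 * An admin may not revoke their own flag.
 */
function setAdminFlag(PDO $pdo, int $adminId, int $userId, bool $grant): void
{
    if (!$grant && $userId === $adminId) {
        respond(['error' => 'You cannot remove your own admin privileges']);
    }

    try {
        $stmt = $pdo->prepare("UPDATE users SET is_admin = ? WHERE id = ?");
        $stmt->execute([$grant ? 1 : 0, $userId]);

        logAdminAction(
            $pdo,
            $adminId,
            $grant ? 'make_admin' : 'remove_admin',
            $userId,
            $grant ? 'User promoted to admin' : 'User admin privileges removed',
        );
    } catch (PDOException $e) {
        respondDbError($e);
    }

    respond([
        'success' => true,
        'message' => $grant ? 'User promoted to admin successfully' : 'Admin privileges removed successfully',
    ]);
}

/**
 * Delete $userId together with its dependent rows in a single transaction,
 * then log the deletion. An admin may not delete their own account.
 */
function deleteUser(PDO $pdo, int $adminId, int $userId): void
{
    if ($userId === $adminId) {
        respond(['error' => 'You cannot delete your own account']);
    }

    // Child tables cleared before the users row; this list is fixed here and
    // never derived from request input.
    $childTables = ['music_tracks', 'track_purchases', 'credit_transactions', 'user_profiles'];

    try {
        $pdo->beginTransaction();

        // Fetch identifying details first so the log entry can name the user.
        $stmt = $pdo->prepare("SELECT username, email FROM users WHERE id = ?");
        $stmt->execute([$userId]);
        $user = $stmt->fetch();

        if (!$user) {
            $pdo->rollBack();
            respond(['error' => 'User not found']);
        }

        foreach ($childTables as $table) {
            $stmt = $pdo->prepare("DELETE FROM {$table} WHERE user_id = ?");
            $stmt->execute([$userId]);
        }

        $stmt = $pdo->prepare("DELETE FROM users WHERE id = ?");
        $stmt->execute([$userId]);

        logAdminAction($pdo, $adminId, 'delete_user', $userId, "User deleted: {$user['username']} ({$user['email']})");

        $pdo->commit();
    } catch (PDOException $e) {
        // beginTransaction() itself may have failed; rollBack() without an
        // open transaction throws, which would mask the original error.
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        respondDbError($e);
    }

    respond(['success' => true, 'message' => 'User deleted successfully']);
}

/**
 * Overwrite username, email, credits and plan for $userId and log the edit.
 */
function editUser(PDO $pdo, int $adminId, int $userId): void
{
    $username = postString('username');
    $email    = postString('email');
    $credits  = (int)($_POST['credits'] ?? 0);
    $plan     = postString('plan', 'free');

    // Compare against '' rather than empty(): the username "0" is a real value.
    if ($username === '' || $email === '') {
        respond(['error' => 'Username and email are required']);
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        respond(['error' => 'A valid email address is required']);
    }
    // NOTE(review): $plan is stored as submitted. If users.plan has a fixed set
    // of values, validate against that set here — it is not visible in this file.

    try {
        $stmt = $pdo->prepare("UPDATE users SET username = ?, email = ?, credits = ?, plan = ? WHERE id = ?");
        $stmt->execute([$username, $email, $credits, $plan, $userId]);

        logAdminAction($pdo, $adminId, 'edit_user', $userId, "User edited: {$username}");
    } catch (PDOException $e) {
        respondDbError($e);
    }

    respond(['success' => true, 'message' => 'User updated successfully']);
}

// --- request handling ---------------------------------------------------------

// Admin gate: empty() covers both "not set" and "set but falsy".
if (!isset($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
    http_response_code(403);
    respond(['error' => 'Unauthorized']);
}

// Every action here changes state, so a plain GET (link, prefetch) must not reach it.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    respond(['error' => 'Method not allowed']);
}
// NOTE(review): no CSRF token is verified before dispatch. If the application
// issues one (e.g. at login), check it here; its name is not visible in this file.

$action = $_POST['action'] ?? '';
// Cast once so the self-target checks compare int to int; the session value's
// type is set elsewhere (login code not visible here) and may be a string.
$adminId = (int)$_SESSION['user_id'];

$knownActions = ['make_admin', 'remove_admin', 'delete_user', 'edit_user'];
if (!in_array($action, $knownActions, true) || !isset($_POST['user_id'])) {
    respond(['error' => 'Invalid action']);
}

// Reject non-numeric ids (and arrays) instead of silently casting them to 0.
$userId = filter_var($_POST['user_id'], FILTER_VALIDATE_INT);
if ($userId === false) {
    respond(['error' => 'Invalid user id']);
}

match ($action) {
    'make_admin'   => setAdminFlag($pdo, $adminId, $userId, true),
    'remove_admin' => setAdminFlag($pdo, $adminId, $userId, false),
    'delete_user'  => deleteUser($pdo, $adminId, $userId),
    'edit_user'    => editUser($pdo, $adminId, $userId),
};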
