├── .gitattributes
├── README.md
└── mfb.php


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PHP-Mini-File-Browser
 2 | 
 3 | [My writeup about this tool](https://smitka.me/2024/04/12/php-mini-file-browser-update/)
 4 | 
 5 | This is really simple&primitive and dangerous script which allows you:
 6 | - iterate throw directory structure and show permissions, it uses 2 methods:
 7 |    - plain PHP which can be limited via open_basedir
 8 |    - shell_exec system function which can be limited by disabled_functions
 9 | - show basic info about PHP configuraion (version, extensions, disable functions, open_basedir, or complete phpinfo)
10 | - download files from the server (if enabled)
11 | - upload files from URL to the server (if enabled)
12 | - read files and show their content (text, images, archives content)
13 | - run system commands via various methods (if enabled)
14 | 
15 | The script will **delete itself after 1 hour** for security reasons (you can configure this behavior). It is also possible to set credentials to use this script, of course.
16 | 
17 | > [!CAUTION]
18 | > Do not grant “MFB” access to untrusted users, as a skilled user could escalate their privileges and do anything to your site and server 😉. The script is full of security threats and can cause FPD, XSS, SQLi, SSRF, LFI, RCE, WTF, etc.
19 | 
20 | ## File browser
21 | ![mfb-file-browser](https://github.com/lynt-smitka/PHP-Mini-File-Browser/assets/3875093/29802d82-7509-463e-b874-5cefd32350d6)
22 | 
23 | ## Dark Mode 😎
24 | ![mfb-file-browser-dark](https://github.com/lynt-smitka/PHP-Mini-File-Browser/assets/3875093/57d9e92f-bb36-4414-a33d-54f145c4977c)
25 | 
26 | 
27 | ## Command executor
28 | ![mfb-command-executor](https://github.com/lynt-smitka/PHP-Mini-File-Browser/assets/3875093/50f782ba-ec29-4099-86cc-b02ab803a097)
29 | 
30 | ## File uploader
31 | ![mfb-file-uploader](https://github.com/lynt-smitka/PHP-Mini-File-Browser/assets/3875093/36438b8e-0609-4ba8-8d09-a42c2cb8a82f)
32 | 
33 | ## File reader
34 | 
35 | View text files content
36 | 
37 | ![mfb-file-reader-text](https://github.com/lynt-smitka/PHP-Mini-File-Browser/assets/3875093/95e5f783-3596-44c0-bb72-67002ad5619b)
38 | 
39 | Show images
40 | 
41 | ![mfb-file-reader-image](https://github.com/lynt-smitka/PHP-Mini-File-Browser/assets/3875093/63455604-b4d5-4d0e-a996-0e56524db465)
42 | 
43 | Show files inside archive (zip, tar, tgz)
44 | 
45 | ![mfb-file-reader-archive](https://github.com/lynt-smitka/PHP-Mini-File-Browser/assets/3875093/82503901-ea23-45de-9fab-dad2920ee0cb)
46 | 
47 | 
48 |         
49 | *Note: this project is still alive :-)*
50 | 


--------------------------------------------------------------------------------
/mfb.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /* ================= SETTINGS ================= */
  3 | /*
  4 | $aging = 0 disables the auto remove functionality
  5 | */
  6 | $aging = 1 * 3600;
  7 | 
  8 | /*
  9 | HTTP BaseAuth
 10 | name:sha256_hash
 11 | e.g. $pass = 'test:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'; //(test/test)
 12 | */
 13 | $pass = '';
 14 | $salt = '';
 15 | 
 16 | /*
 17 | IP limit
 18 | e.g. $ips = '192.168.1.1;192.168.1.2'
 19 | */
 20 | $ips = '';
 21 | 
 22 | /* Enables downloading files */
 23 | $download = false;
 24 | 
 25 | /* Enables reading files */
 26 | $read = false;
 27 | 
 28 | /* Enables uploading files - may be dangerous! */
 29 | $upload = false;
 30 | 
 31 | /* Enables console - may be dangerous! */
 32 | $console = false;
 33 | 
 34 | $timezone = 'Europe/Prague';
 35 | 
 36 | /* encode paths in url to bypass some basic WAF rules */
 37 | $base64_paths = false;
 38 | 
 39 | /* =============== END SETTINGS =============== */
 40 | 
 41 | /* authentification */
 42 | if ($pass) {
 43 |   $pass = explode(":", $pass);
 44 |   if (empty($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] != $pass[0] ||  hash('sha256', $salt . $_SERVER['PHP_AUTH_PW']) != $pass[1]) {
 45 |     header('WWW-Authenticate: Basic realm="Mini File Browser"');
 46 |     header('HTTP/1.0 401 Unauthorized');
 47 |     die('unauthorized!');
 48 |   }
 49 | }
 50 | 
 51 | /* IP limit */
 52 | if ($ips) {
 53 |   $ips = explode(';', $ips);
 54 |   $client_ip = $_SERVER['REMOTE_ADDR'];
 55 |   //use this (or other appropriate) header if your script is behind proxy
 56 |   //it can be spoofed by attacker 
 57 |   //$client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
 58 |   if (!in_array($client_ip, $ips)) {
 59 |     die('IP is not allowed!');
 60 |   }
 61 | }
 62 | 
 63 | /* autoremove */
 64 | if (($aging && time() - filectime(__FILE__) > $aging) || isset($_GET['remove'])) {
 65 |   if (unlink(__FILE__))
 66 |     die('removed!');
 67 |   else
 68 |     die('not removed!');
 69 | }
 70 | 
 71 | date_default_timezone_set($timezone);
 72 | 
 73 | $method = isset($_GET['m']) ? $_GET['m'] : 'php';
 74 | 
 75 | if ($download && isset($_GET['down'])) {
 76 |   download($_GET['down'], $method);
 77 | }
 78 | 
 79 | main(__DIR__, $download, $upload, $read, $console, $method, $base64_paths);
 80 | 
 81 | function main($dir, $download, $upload, $read, $console, $method, $base64_paths)
 82 | {
 83 |   echo "<style>body{font-family:monospace;}td{padding:2px 4px;}tr:nth-child(even),pre{background-color: #f4f4f4;}a:hover{color:#008fff}</style>";
 84 |   echo "<style>@media (prefers-color-scheme: dark){body{background-color: #151619;color: #fff;}a{color:#b6ff00}a:visited{color:#78a900}a:hover{color:#e6f939}tr:nth-child(even),pre{background-color: #333;}}</style>";
 85 |   echo "<h1>Mini File Browser</h1>";
 86 | 
 87 |   if ($console) {
 88 |     echo "<h2>Console</h2>";
 89 |     console();
 90 |   }
 91 | 
 92 |   if ($upload) {
 93 |     echo "<h2>File uploader</h2>";
 94 |     upload();
 95 |   }
 96 | 
 97 | 
 98 |   if ($read && isset($_GET['read'])) {
 99 |     echo "<h2>File reader</h2>";
100 |     read($_GET['read'], $method);
101 |   }
102 | 
103 | 
104 |   $dir = isset($_GET['dir']) ? ($base64_paths?base64_decode($_GET['dir']):$_GET['dir']) : $dir;
105 | 
106 |   echo "<h2>File browser</h2>";
107 | 
108 |   switch ($method) {
109 |     case 'shell_exec':
110 |       $files = list_directory_shell($dir);
111 |       echo "<p>File browsing: <a href='" . modify_url('m', 'php') . "'>switch to php</a></p>";
112 |       break;
113 |     default:
114 |       $files = list_directory_php($dir);
115 |       $r = is_enabled('shell_exec');
116 |       if ($r[1] === 'b')
117 |         echo "<p>File browsing: <a href='" . modify_url('m', 'shell_exec') . "'>switch to shell_exec</a></p>";
118 |       break;
119 |   }
120 | 
121 |   echo "<table border='1' style='border-collapse:collapse'>";
122 | 
123 |   foreach ($files as $file) {
124 | 
125 |     $file_path = $base64_paths?base64_encode($file["path"]):$file["path"];
126 |    
127 |     echo "<tr>";
128 |     echo "<td>";
129 |     if ($file['isDir']) {
130 |       if ($file['name'] === '..')
131 |         echo "<a href='?m=$method&dir={$file_path}'>[ UP ]</a>";
132 |       elseif ($file['name'] === '.')
133 |         echo $file['path'];
134 |       else
135 |         echo "<a href='?m=$method&dir={$file_path}'>{$file["name"]}</a>";
136 |     } else {
137 |       echo $file["name"];
138 |     }
139 | 
140 |     echo "</td>";
141 |     echo "<td>{$file['perm']} {$file['owner']}</td>";
142 |     echo "<td>{$file['my_perm']}</td>";
143 |     echo "<td>{$file['time']}</td>";
144 |     echo "<td>";
145 |     if ($download && $file['base64'])
146 |       echo "<a href='" . modify_url('down', $file['base64']) . "'>download</a> ";
147 |     if ($read && $file['base64'])
148 |       echo "<a href='" . modify_url('read', $file['base64']) . "'>read</a> ";
149 |     echo $file['size'];
150 |     echo "</tr>";
151 |   }
152 |   echo "</table>";
153 | 
154 |   echo "<h2>Information</h2>";
155 | 
156 |   echo '<p><b>Current script:</b> <a href="?dir=' . ($base64_paths ? base64_encode(__DIR__): __DIR__) . '">'. __FILE__ . '</a></p>';
157 |   echo '<p><b>PHP version:</b> ' . f('phpversion') . ' @ ' . f('php_uname') . ' [' . f('php_sapi_name') . ']</p>';
158 |   echo '<p><b>PHP extensions:</b> ' . implode(', ', f('get_loaded_extensions')) . '</p>';
159 |   echo '<p><b>PHP disable functions:</b> ' . ini_get('disable_functions') . '</p>';
160 |   echo '<p><b>PHP dangerous functions:</b> ';
161 |   echo is_enabled('system') . ' ';
162 |   echo is_enabled('exec') . ' ';
163 |   echo is_enabled('shell_exec') . ' ';
164 |   echo is_enabled('passthru') . ' ';
165 |   echo is_enabled('proc_open') . ' ';
166 |   echo is_enabled('popen') . ' ';
167 |   echo is_enabled('pcntl_exec') . ' ';
168 |   echo is_enabled('putenv') . ' ';
169 |   echo '</p>';
170 |   echo '<p><b>Open Basedir:</b> ';
171 | 
172 |   $basedirs = explode(":", ini_get('open_basedir'));
173 |   $num = sizeof($basedirs);
174 |   for ($i = 0; $i < $num; $i++) {
175 |     echo '<a href="?dir=' . $basedirs[$i] . '">' . $basedirs[$i] . '</a> ';
176 |   }
177 |   echo '</p>';
178 |   if ($read)
179 |     echo '<p><a href="?read=predefined1">Try to read passwd</a></p>';
180 |   echo '<p><a href="?info">PHPinfo()</a></p>';
181 | 
182 | 
183 |   if (isset($_GET['info'])) {
184 |     f('phpinfo');
185 |   }
186 | 
187 |   echo "<p><a href='?remove'>Remove me</a></p>";
188 |   echo "<p>Author: <a href='https://twitter.com/smitka'>Vladimir Smitka</a>, <a href='https://lynt.cz'>Lynt services s.r.o.</a>, <a href='https://smitka.me'>Security Blog</a>, <a href='https://github.com/lynt-smitka/PHP-Mini-File-Browser'>GitHub</a></p>";
189 | }
190 | 
191 | 
192 | 
193 | function list_directory_php($dir)
194 | {
195 |   $files = scandir($dir);
196 |   $fileList = array();
197 |   foreach ($files as $file) {
198 | 
199 |     $real = @realpath($dir . DIRECTORY_SEPARATOR . $file);
200 |     if ($real === false)
201 |       continue;
202 | 
203 | 
204 |     $isDir = is_dir($real);
205 | 
206 |     $perm = get_perms($real);
207 | 
208 |     $my_perm = '';
209 |     if (f('is_readable',$real))
210 |       $my_perm .= 'R';
211 |     if (f('is_writable',$real))
212 |       $my_perm .= 'W';
213 |     if (f('is_executable',$real))
214 |       $my_perm .= 'X';
215 | 
216 |     $owner = '';
217 |     if (function_exists('posix_getpwuid') && function_exists('posix_getgrgid')) {
218 |       $pwuid = posix_getpwuid(fileowner($real));
219 |       $grgid = posix_getgrgid(fileowner($real));
220 |       $owner = $pwuid['name'] . ":" . $grgid['name'];
221 |     }
222 | 
223 |     $time = date('Y-m-d H:i:s', filemtime($real));
224 |     $size = is_dir($real) ? '' : FileSizeConvert(filesize($real));
225 |     $base64 = f('is_readable',$real) && !$isDir ? base64_encode($real) : '';
226 | 
227 |     $fileList[] = array(
228 |       'name' => $file,
229 |       'path' => $real,
230 |       'isDir' => $isDir,
231 |       'perm' => $perm,
232 |       'my_perm' => $my_perm,
233 |       'owner' => $owner,
234 |       'time' => $time,
235 |       'size' => $size,
236 |       'base64' => $base64
237 |     );
238 |   }
239 |   return $fileList;
240 | }
241 | 
242 | function list_directory_shell($dir)
243 | {
244 |   $output = shell_exec("ls -la --time-style=full-iso " . escapeshellarg($dir));
245 |   $lines = explode("\n", trim($output));
246 |   $fileList = array();
247 |   foreach ($lines as $line) {
248 |     $line = trim($line);
249 |     if ($line === '' || strpos($line, 'total ') === 0)
250 |       continue;
251 |     $parts = preg_split('/\s+/', $line, 9);
252 |     if (count($parts) < 9)
253 |       continue;
254 |     $file = $parts[8];
255 |     $real = emul_realpath($dir . DIRECTORY_SEPARATOR . $file);
256 |     $isDir = $parts[0][0] === 'd';
257 |     $perm = substr($parts[0], 1);
258 |     $my_perm = '';
259 |     if (strpos($perm, 'r') !== false)
260 |       $my_perm .= 'R';
261 |     if (strpos($perm, 'w') !== false)
262 |       $my_perm .= 'W';
263 |     if (strpos($perm, 'x') !== false)
264 |       $my_perm .= 'X';
265 |     $owner = $parts[2] . ':' . $parts[3];
266 |     list($timePart) = explode(".", $parts[6]);
267 |     $time = date('Y-m-d H:i:s', strtotime($parts[5] . ' ' . $timePart));
268 |     $size = $isDir ? '' : FileSizeConvert($parts[4]);
269 |     $base64 = strpos($perm, 'r') !== false && !$isDir ? base64_encode($real) : '';
270 | 
271 |     $fileList[] = array(
272 |       'name' => $file,
273 |       'path' => $real,
274 |       'isDir' => $isDir,
275 |       'perm' => $perm,
276 |       'my_perm' => $my_perm,
277 |       'owner' => $owner,
278 |       'time' => $time,
279 |       'size' => $size,
280 |       'base64' => $base64
281 |     );
282 |   }
283 |   return $fileList;
284 | }
285 | 
286 | 
287 | function get_perms($file)
288 | {
289 | 
290 |   $perms = fileperms($file);
291 | 
292 |   switch ($perms & 0xF000) {
293 |     case 0xC000: // socket
294 |       $info = 's';
295 |       break;
296 |     case 0xA000: // symbolic link
297 |       $info = 'l';
298 |       break;
299 |     case 0x8000: // regular
300 |       $info = '-';
301 |       break;
302 |     case 0x6000: // block special
303 |       $info = 'b';
304 |       break;
305 |     case 0x4000: // directory
306 |       $info = 'd';
307 |       break;
308 |     case 0x2000: // character special
309 |       $info = 'c';
310 |       break;
311 |     case 0x1000: // FIFO pipe
312 |       $info = 'p';
313 |       break;
314 |     default: // unknown
315 |       $info = 'u';
316 |   }
317 |   // Owner
318 |   $info .= (($perms & 0x0100) ? 'r' : '-');
319 |   $info .= (($perms & 0x0080) ? 'w' : '-');
320 |   $info .= (($perms & 0x0040) ?
321 |     (($perms & 0x0800) ? 's' : 'x') :
322 |     (($perms & 0x0800) ? 'S' : '-'));
323 |   // Group
324 |   $info .= (($perms & 0x0020) ? 'r' : '-');
325 |   $info .= (($perms & 0x0010) ? 'w' : '-');
326 |   $info .= (($perms & 0x0008) ?
327 |     (($perms & 0x0400) ? 's' : 'x') :
328 |     (($perms & 0x0400) ? 'S' : '-'));
329 |   // World
330 |   $info .= (($perms & 0x0004) ? 'r' : '-');
331 |   $info .= (($perms & 0x0002) ? 'w' : '-');
332 |   $info .= (($perms & 0x0001) ?
333 |     (($perms & 0x0200) ? 't' : 'x') :
334 |     (($perms & 0x0200) ? 'T' : '-'));
335 | 
336 |   return $info;
337 | 
338 | 
339 | }
340 | 
341 | function upload()
342 | {
343 | 
344 |   $defaultFilePath = __DIR__ . '/mfb-file.php';
345 | 
346 |   echo '<form method="POST">';
347 |   echo '<input type="text" name="fileUrl" size="56" placeholder="URL"><br>';
348 |   echo '<input type="text" name="filePath" size="56" value="' . htmlspecialchars($defaultFilePath) . '"><br>';
349 |   echo '<input type="submit" name="fileUpload" value="Upload from URL">';
350 |   echo '</form>';
351 | 
352 |   if (isset($_POST['fileUpload'])) {
353 | 
354 |     $fileUrl = $_POST['fileUrl'];
355 |     $filePath = $_POST['filePath'];
356 |     $fileContent = file_get_contents($fileUrl);
357 |     if ($fileContent !== false) {
358 |       file_put_contents($filePath, $fileContent);
359 |     }
360 |   }
361 | 
362 | 
363 | }
364 | function console()
365 | {
366 | 
367 |   $method = isset($_POST['method']) ? $_POST['method'] : 'system';
368 | 
369 |   echo '<form method="POST">';
370 |   echo '<input type="radio" name="method" value="system" ' . ($method == "system" ? 'checked' : '') . '> system()<br>';
371 |   echo '<input type="radio" name="method" value="backtick" ' . ($method == "backtick" ? 'checked' : '') . '> backtick<br>';
372 |   echo '<input type="radio" name="method" value="exec" ' . ($method == "exec" ? 'checked' : '') . '> exec()<br>';
373 |   echo '<input type="radio" name="method" value="shell_exec" ' . ($method == "shell_exec" ? 'checked' : '') . '> shell_exec()<br>';
374 |   echo '<input type="radio" name="method" value="passthru" ' . ($method == "passthru" ? 'checked' : '') . '> passthru()<br>';
375 |   echo '<input type="radio" name="method" value="proc_open" ' . ($method == "proc_open" ? 'checked' : '') . '> proc_open()<br>';
376 |   echo '<input type="radio" name="method" value="popen" ' . ($method == "popen" ? 'checked' : '') . '> popen()<br>';
377 |   echo '<input type="radio" name="method" value="pcntl_exec" ' . ($method == "pcntl_exec" ? 'checked' : '') . '> pcntl_exec() (/bin/sh -c cmd > outfile)<br>';
378 |   echo '<input type="radio" name="method" value="eval" ' . ($method == "eval" ? 'checked' : '') . '> eval()<br>';
379 |   echo '<input name="command" value="' . (isset($_POST['command']) ? htmlspecialchars($_POST['command']) : '') . '">';
380 |   echo '<button type="submit">RUN</button>';
381 |   echo '</form>';
382 | 
383 |   if (isset($_POST['command'])) {
384 |     $command = escapeshellcmd($_POST['command']);
385 |     echo '<h3>Result:</h3><pre>';
386 |     switch ($_POST['method']) {
387 | 
388 |       case 'system':
389 |         echo system($command);
390 |         break;
391 | 
392 |       case 'backtick':
393 |         echo `$command`;
394 |         break;
395 | 
396 |       case 'exec':
397 |         exec($command, $tmp);
398 |         print_r($tmp);
399 |         break;
400 | 
401 |       case 'shell_exec':
402 |         echo shell_exec($command);
403 |         break;
404 | 
405 |       case 'passthru':
406 |         passthru($command);
407 |         break;
408 | 
409 |       case 'eval':
410 |         echo eval_code($_POST['command']);
411 |         break;
412 | 
413 |       case 'proc_open':
414 |         $pr = proc_open($command, array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $pipes);
415 |         echo stream_get_contents($pipes[1]);
416 |         fclose($pipes[0]);
417 |         fclose($pipes[1]);
418 |         fclose($pipes[2]);
419 |         break;
420 | 
421 |       case 'popen':
422 |         $fp = popen($command, "r");
423 |         echo stream_get_contents($fp);
424 |         fclose($fp);
425 |         break;
426 | 
427 |       case 'pcntl_exec':
428 |         header("Refresh:1");
429 |         pcntl_exec('/bin/sh', array('-c', $command . ' > this_is_pcntl_exec_outfile.txt'));
430 |         break;
431 |     }
432 | 
433 |     echo '</pre><br>';
434 |   }
435 |   if (file_exists('this_is_pcntl_exec_outfile.txt')) {
436 |     echo '<h3>Result:</h3><pre>';
437 |     echo file_get_contents('this_is_pcntl_exec_outfile.txt');
438 |     echo "</pre>";
439 |     unlink('this_is_pcntl_exec_outfile.txt');
440 |   }
441 | 
442 | }
443 | 
444 | 
445 | function eval_code($code)
446 | {
447 |   if (!preg_match('/\breturn\b/', $code)) {
448 |     $code = 'return ' . $code;
449 |   }
450 |   if (substr(trim($code), -1) !== ';') {
451 |     $code .= ';';
452 |   }
453 |   try {
454 |     $result = eval ($code);
455 |   } catch (ParseError $e) {
456 |     return 'Parse error: ' . $e->getMessage();
457 |   }
458 |   return $result;
459 | }
460 | 
461 | function emul_realpath($path)
462 | {
463 |   $folders = explode('/', $path);
464 |   $stack = array();
465 |   foreach ($folders as $folder) {
466 |     if ($folder === '..') {
467 |       array_pop($stack);
468 |     } elseif ($folder !== '' && $folder !== '.') {
469 |       array_push($stack, $folder);
470 |     }
471 |   }
472 |   $result = '/' . implode('/', $stack);
473 |   if (substr($path, -1) === '/') {
474 |     $result .= '/';
475 |   }
476 |   return $result;
477 | }
478 | 
479 | function modify_url($key, $value)
480 | {
481 |   $parts = parse_url($_SERVER['REQUEST_URI']);
482 |   parse_str(isset($parts['query']) ? $parts['query'] : '', $query);
483 |   $query[$key] = $value;
484 |   $parts['query'] = http_build_query($query);
485 |   return $parts['path'] . '?' . $parts['query'];
486 | }
487 | 
488 | function FileSizeConvert($bytes)
489 | {
490 |   $units = array("TB" => pow(1024, 4), "GB" => pow(1024, 3), "MB" => pow(1024, 2), "kB" => 1024, "B" => 1);
491 |   foreach ($units as $unit => $value) {
492 |     if ($bytes >= $value) {
493 |       return str_replace(".", ",", round($bytes / $value, 2)) . " " . $unit;
494 |     }
495 |   }
496 |   return '0 B';
497 | }
498 | 
499 | 
500 | function is_enabled($func)
501 | {
502 |   if (!function_exists($func)) {
503 |     return "<s>$func</s>";
504 |   }
505 | 
506 |   $disabledFunctions = array_map('trim', explode(',', ini_get('disable_functions')));
507 | 
508 |   if (in_array($func, $disabledFunctions)) {
509 |     return "<s>$func</s>";
510 |   }
511 | 
512 |   return "<b>$func</b>";
513 | 
514 | }
515 | 
516 | function download($file, $method)
517 | {
518 |   $file = base64_decode($file);
519 |   header("Content-Type: application/octet-stream");
520 |   header("Content-Transfer-Encoding: Binary");
521 |   header("Content-disposition: attachment; filename=\"" . basename($file) . "\"");
522 |   switch ($method) {
523 |     case "php":
524 |       readfile($file);
525 |       break;
526 |     case "shell_exec":
527 |       echo shell_exec("cat " . escapeshellarg($file) . " 2>&1");
528 |       break;
529 |   }
530 | 
531 |   exit();
532 | }
533 | 
534 | function read($file, $method)
535 | {
536 |   switch ($file) {
537 |     case 'predefined1':
538 |       $file = "/etc/passwd";
539 |       break;
540 |     default:
541 |       $file = base64_decode($file);
542 |   }
543 | 
544 |   echo "<p>File: $file</p>";
545 | 
546 |   $ext = pathinfo($file, PATHINFO_EXTENSION);
547 |   $file_name = pathinfo($file, PATHINFO_BASENAME);
548 |   echo "<pre>";
549 |   ob_start();
550 | 
551 |   switch ($method) {
552 |     case "php":
553 |       readfile($file);
554 |       break;
555 |     case "shell_exec":
556 |       echo shell_exec("cat " . escapeshellarg($file) . " 2>&1");
557 |       break;
558 |   }
559 | 
560 |   $content = ob_get_clean();
561 |   $is_img = false;
562 |   $is_archive = false;
563 |   $mime = 'text/plain';
564 | 
565 |   switch ($ext) {
566 |     case "jpg":
567 |       $is_img = true;
568 |       $mime = 'image/jpeg';
569 |       break;
570 |     case "jpeg":
571 |       $is_img = true;
572 |       $mime = 'image/jpeg';
573 |       break;
574 |     case "png":
575 |       $is_img = true;
576 |       $mime = 'image/png';
577 |       break;
578 |     case "gif":
579 |       $is_img = true;
580 |       $mime = 'image/gif';
581 |       break;
582 |     case "webp":
583 |       $is_img = true;
584 |       $mime = 'image/webp';
585 |       break;
586 |     case "svg":
587 |       $is_img = true;
588 |       $mime = 'image/svg+xml';
589 |       break;
590 |     case "zip":
591 |       $is_archive = true;
592 |       break;
593 |     case "tgz":
594 |       $is_archive = true;
595 |       break;
596 |     case "tar":
597 |       $is_archive = true;
598 |       break;
599 |     case "gz":
600 |       $is_archive = true;
601 |       break;
602 | 
603 |     default:
604 |       $is_img = false;
605 |   }
606 | 
607 |   if ($is_img) {
608 |     echo '<img src="' . 'data:' . $mime . ';base64,' . base64_encode($content) . '">';
609 |   } elseif ($is_archive) {
610 |     read_archive($content, $file_name);
611 |   } else {
612 |     echo htmlspecialchars($content);
613 |   }
614 |   echo "</pre>";
615 | 
616 | }
617 | 
618 | 
619 | function read_archive($content, $file_name)
620 | {
621 |   if (class_exists("PharData")) {
622 |     $temp = sys_get_temp_dir() . '/mfb-archive-' . $file_name;
623 |     file_put_contents($temp, $content);
624 |     $phar = new PharData($temp);
625 |     echo "Archive files:<br>";
626 |     foreach (new RecursiveIteratorIterator($phar) as $file) {
627 |       echo $file->getFilename() . "<br>";
628 |     }
629 |     unlink($temp);
630 |   }
631 | }
632 | 
633 | function f($function) {
634 |   $params = func_get_args();
635 |   array_shift($params);
636 |   
637 |   if (function_exists($function)) {
638 |       try {
639 |           return call_user_func_array($function, $params);
640 |       } catch (Throwable $e) {
641 |           return null;
642 |       }
643 |   }
644 |   return null;
645 | }


--------------------------------------------------------------------------------