PHP Mini File Browser Update

When testing the security of PHP/WordPress sites, I am usually first interested in the environment where the site runs and the structure of the application.

To simplify the initial audit, I wrote a mini PHP file browser for myself in 2014 (I put it on GitHub in 2016). Since then, there have been only a few weeks when I haven't used it. It suited me so well that I haven't had the need to improve it any further in the last 6 years. Until today 🙂

I can honestly say that it is a very ugly script in terms of appearance and code. However, it is very primitive, works even in very old PHP versions and makes no attempt at obfuscation, so it typically doesn't trigger any alerts.

So what does it do?

File Browser

The main function is to browse the directory structure. It can do this in two switchable ways: either with PHP's own filesystem functions (which are subject to the open_basedir restriction) or by calling system functions (which are not limited by open_basedir, but can be blocked by disable_functions). For files it also shows permissions, last modified date and size – what you would expect from a file browser.
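The two listing methods side by side, as an added example that is not the PHP Mini File Browser's own code. The PHP method fails as soon as the path leaves open_basedir, while the shell method ignores open_basedir but needs an execution function that disable_functions has left intact. The directory argument and the use of shell_exec for the system method are assumptions for the example.

```php
<?php
// Added example, not code from the PHP Mini File Browser.
// Method 1: PHP filesystem functions. scandir()/lstat() obey open_basedir,
// so outside the allowed paths scandir() returns false (with a warning).
function list_with_php(string $dir): array
{
    $entries = @scandir($dir);
    if ($entries === false) {
        return ['error' => "scandir($dir) failed; open_basedir="
            . (ini_get('open_basedir') ?: '(unset)')];
    }
    $rows = [];
    foreach ($entries as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        $st = @lstat($path);
        if ($st === false) {
            continue;
        }
        $rows[] = [
            'name'  => $name,
            'type'  => is_dir($path) ? 'dir' : 'file',
            'perms' => substr(sprintf('%o', $st['mode']), -4), // e.g. 0644
            'size'  => $st['size'],
            'mtime' => date('Y-m-d H:i:s', $st['mtime']),
        ];
    }
    return $rows;
}

// Method 2: a system command. open_basedir does not apply to a child
// process, but the execution function itself may be in disable_functions.
function list_with_system(string $dir): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    if (!function_exists('shell_exec') || in_array('shell_exec', $disabled, true)) {
        return ['error' => 'shell_exec is disabled; try exec/proc_open/popen or the PHP method'];
    }
    $out = (string) shell_exec('ls -la ' . escapeshellarg($dir) . ' 2>&1');
    return array_values(array_filter(explode("\n", $out), 'strlen'));
}

// Usage (CLI): php browse.php /var/www   (path is an assumption)
$dir = $argv[1] ?? '.';
print_r(list_with_php($dir));
print_r(list_with_system($dir));
```

Run it once from inside the document root and once against a path above it: on a host with open_basedir set, the first method errors out while the second still lists the directory, which is exactly the difference the switch in the tool exploits.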

File Reader

In the configuration options, the functionality can be extended to download files and to display them directly in the tool. The file reader distinguishes three kinds of file: general files, which it shows as text; images (jpg, png, gif, webp, svg), which it renders directly; and archives (zip, tar, tar.gz), for which it lists the contained files. Keep in mind that an SVG can contain script, so be careful which files you render inline.

Information

Another standard feature is to display information about the PHP version, kernel and SAPI in use. It also shows the installed extensions, the open_basedir status, the disable_functions list and a handy audit of which unsafe functions are still available. If you need to know more, you can expand the full phpinfo() listing.

Code Executor

If the audit shows that unsafe functions are available, you can enable the dangerous "console" option and execute system commands through one of the execution functions PHP still allows.
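The audit of unsafe functions and the console that builds on it, as an added example (not the tool's own code). It checks each candidate against disable_functions and function_exists(), then runs a command through the first function that survived. The list of audited functions is a typical one, not the tool's exact list, and the command is an assumption.

```php
<?php
// Added example, not code from the PHP Mini File Browser.
// Functions usually audited on a hardened host. putenv/mail are included
// because together they can be abused to load a native library.
const AUDITED_FUNCTIONS = [
    'shell_exec', 'exec', 'passthru', 'system', 'proc_open', 'popen',
    'pcntl_exec', 'putenv', 'mail',
];

function disabled_functions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

// Returns function name => 'available' | 'disabled' | 'missing'.
function audit_functions(): array
{
    $disabled = disabled_functions();
    $report = [];
    foreach (AUDITED_FUNCTIONS as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disabled';
        } elseif (!function_exists($fn)) {
            $report[$fn] = 'missing';   // extension not compiled in (e.g. pcntl)
        } else {
            $report[$fn] = 'available';
        }
    }
    return $report;
}

// Runs $cmd through the first usable execution function; null if none is left.
function run_command(string $cmd): ?string
{
    $audit = audit_functions();
    $cmd .= ' 2>&1';
    if ($audit['shell_exec'] === 'available') {
        return (string) shell_exec($cmd);
    }
    if ($audit['exec'] === 'available') {
        $lines = [];
        exec($cmd, $lines);
        return implode("\n", $lines) . "\n";
    }
    if ($audit['passthru'] === 'available') {
        ob_start();
        passthru($cmd);
        return (string) ob_get_clean();
    }
    if ($audit['system'] === 'available') {
        ob_start();
        system($cmd);
        return (string) ob_get_clean();
    }
    if ($audit['proc_open'] === 'available') {
        $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
        if (!is_resource($proc)) {
            return null;
        }
        $out = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        proc_close($proc);
        return $out;
    }
    if ($audit['popen'] === 'available') {
        $h = popen($cmd, 'r');
        if ($h === false) {
            return null;
        }
        $out = stream_get_contents($h);
        pclose($h);
        return $out;
    }
    return null;
}

// Usage (CLI): php audit.php
foreach (audit_functions() as $fn => $state) {
    printf("%-12s %s\n", $fn, $state);
}
echo "open_basedir: ", (ini_get('open_basedir') ?: '(unset)'), "\n";
echo run_command('id') ?? "no execution function available\n";   // 'id' is an assumption
```

When every entry comes back as disabled or missing, the console is useless and the remaining route is the uploader described below.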

File uploader

When the options of PHP Mini File Browser are no longer sufficient, you can use the uploader to fetch another tool from a URL and continue the audit with it.

Because it is a very dangerous tool, several limitations are built in – you can set a password for access, restrict access to certain IP addresses, or use the self-destruct feature. By default the script self-destructs after an hour, so that it is not accidentally left behind on the server. There is also a button in the footer for quick removal.

Settings

At the beginning of the PHP file you can set access restrictions and enable/disable individual features.

<?php
/* ================= SETTINGS ================= */
/*
$aging = 0 disables the auto remove functionality
*/
$aging = 1 * 3600;

/*
HTTP BaseAuth
name:sha256_hash
e.g. $pass = 'test:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'; //(test/test)
*/
$pass = '';
$salt = '';

/*
IP limit
e.g. $ips = '192.168.1.1;192.168.1.2'
*/
$ips = '';

/* Enables downloading files */
$download = false;

/* Enables reading files */
$read = false;

/* Enables uploading files - may be dangerous! */
$upload = false;

/* Enables console - may be dangerous! */
$console = false;

$timezone = 'Europe/Prague';

/* =============== END SETTINGS =============== */
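How the three access limits from the settings above can be enforced, as an added example rather than the tool's own code. The hash format follows the settings comment (name:sha256_hash, with the test/test example hash); the page does not show how $salt is combined with the password or how the age is measured, so hashing $salt . $password and measuring age from the file's own mtime are assumptions.

```php
<?php
// Added example, not code from the PHP Mini File Browser.
$aging = 1 * 3600;
$pass  = 'test:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'; // test/test
$salt  = '';          // assumption: prepended to the password before hashing
$ips   = '';          // e.g. '192.168.1.1;192.168.1.2'

// Produces the value to paste into $pass.
function make_credential(string $user, string $password, string $salt = ''): string
{
    return $user . ':' . hash('sha256', $salt . $password);
}

// HTTP Basic Auth check; constant-time comparison on both fields.
function check_basic_auth(string $pass, string $salt, array $server): bool
{
    if ($pass === '') {
        return true;                                   // no password configured
    }
    [$user, $hash] = explode(':', $pass, 2) + [1 => ''];
    $givenUser = (string) ($server['PHP_AUTH_USER'] ?? '');
    $givenHash = hash('sha256', $salt . (string) ($server['PHP_AUTH_PW'] ?? ''));
    return hash_equals($user, $givenUser) && hash_equals($hash, $givenHash);
}

// IP allow-list; REMOTE_ADDR is the TCP peer, so behind a reverse proxy
// this sees the proxy, not the client. Do not substitute X-Forwarded-For.
function check_ip(string $ips, string $remote): bool
{
    if ($ips === '') {
        return true;
    }
    $allowed = array_map('trim', explode(';', $ips));
    return in_array($remote, $allowed, true);
}

// Self-destruct: $aging = 0 disables it, otherwise the file is considered
// expired once it is older than $aging seconds (assumption: age from mtime).
function expired(int $aging, string $file, int $now): bool
{
    if ($aging === 0) {
        return false;
    }
    return ($now - (int) filemtime($file)) > $aging;
}

if (expired($aging, __FILE__, time())) {
    @unlink(__FILE__);
    exit('expired');
}
if (!check_ip($ips, (string) ($_SERVER['REMOTE_ADDR'] ?? ''))) {
    http_response_code(403);
    exit;
}
if (!check_basic_auth($pass, $salt, $_SERVER)) {
    header('WWW-Authenticate: Basic realm="browser"');
    http_response_code(401);
    exit;
}
echo "access granted\n";
```

To generate a new credential run php -r 'echo make_credential("name", "secret");' after including the file, and paste the output into $pass; with $salt set, use the same salt when generating.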

Conclusion

PHP Mini File Browser is really a primitive tool that helps me to detect forgotten files in web pages, to find out the structure of the application and mostly to detect site isolation issues on webhosts. This is unfortunately a more common problem than it seems, and thanks to my tool I have got non-authorized access to tens of thousands of sites.

You can test for yourself what your site can access on the server. If the tool turns out to be useful for others as well, I'll set about completely rewriting it so it's not such spaghetti code. You can of course express your support by starring it on GitHub 😉

In the last update:

  • I added the ability to switch file browsing methods between PHP functions and system functions (extremely useful – I used the console option for this before).
  • Added a new option to display file contents (text, images and archive contents).
  • Added the ability to execute PHP code using eval.
  • Lots of small UX tweaks and design polishing.
  • Fixed vulnerabilities by mentioning in the documentation that it should not be used by untrusted users 😁
  • Added dark mode support 😎


About Me

My name is Vladimir Smitka and I’m a security researcher/hobbyist from the Czech Republic. I’m also the owner of Lynt, a PPC Agency. I’m also an active member of the Czech WordPress community and one of the WordCamp Prague organizers.
