limit fstBC to 30bp in Python3 ver.

[GalaxyCodeBases.git] / php / browse.php-payload / README.md

# browse.php Payload\r
\r
*[browse.php - Remote payload](https://github.com/bytecode-77/browse.php-payload), single file directory browser & downloader <https://bytecode77.com/hacking/payloads/browse>*\r
\r
**browse.php** is a PHP single-file script providing an HTML based directory\r
browser. Once arbitrary write access is granted to a directory, deploying this\r
file will yield comprehensive insights in the directory structure of the server.\r
\r
The script allows to...\r
\r
* ... browse the file system with the privileges of the executing user\r
* ... download files using PHP's `readfile()`\r
* ... dictionary traversal, i.e. attempting paths, like `"..\..\..\"` *(if possible)*\r
\r
## Demonstration\r
\r
Let's have a look at some comprehensive screenshots. For demonstration purposes,\r
I deployed this script on my own server, which I obviously *have* write access\r
to. While taking the screenshots, I have picked a non-guessible name in order to\r
avoid "accidents" in the time beeing. After I was finished, I deleted the file -\r
**don't forget this if you test the script!**\r
\r
### 1. Starting the script\r
\r
You have done 99% of the work by acquiring write access remotely.\r
Congratulations, you are a genious! ;) Now, browse.php will list the current\r
directory. From there, navigation is a simple & UI based task.\r
\r
![](https://bytecode77.com/images/sites/hacking/payloads/browse/001.png)\r
\r
### 2. View & download files\r
\r
You can view or download any file. Especially PHP files - and we all know which\r
ones are particularly interesting. This is a lot more convenient than the\r
`readfile("[...]\config.php")` code is that usually deployed in multiple trial\r
and error attempts until the correct path is hit.\r
\r
![](https://bytecode77.com/images/sites/hacking/payloads/browse/002.png)\r
\r
Any file you care about is accessible and can be downloaded. Note, that this is\r
a simple and therefore deployable & compatible script, not a feature complete\r
"remote cloud solution payload".\r
\r
![](https://bytecode77.com/images/sites/hacking/payloads/browse/003.png)\r
\r
Directory traversal attacks, like `"..\..\..\..\file.txt"` are possible, as we\r
can specify any path to the script. Here, I have deliberately weakened the\r
server configuration to demonstrate how a user that is not jailed could cause\r
you harm.\r
\r
Please note, that I'm using **my own** server for this demonstration. I really\r
hope I didn't forget to delete the file afterwards...\r
\r
![](https://bytecode77.com/images/sites/hacking/payloads/browse/004.png)\r
\r
## Use cases\r
\r
I have actually developed this while testing suphp, Apache MPM and similar, not\r
in an actual pentest. This helped me to debug through the web server\r
implementation. However, the main purpose primarily suits pentesting.\r
\r
## Project Page\r
\r
[![](https://bytecode77.com/images/shared/favicon16.png) bytecode77.com/hacking/payloads/browse](https://bytecode77.com/hacking/payloads/browse)