From da12e25e3ab3b4f94bb16ef6b04c96f2b34242e4 Mon Sep 17 00:00:00 2001
From: Clortox
Date: Wed, 10 Feb 2021 11:54:12 -0500
Subject: [PATCH 1/5] Add new config
---
 var/config.def.php | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/var/config.def.php b/var/config.def.php
index 4a41301..205a08e 100644
--- a/var/config.def.php
+++ b/var/config.def.php
@@ -40,7 +40,7 @@
 *
 * Each variable in $dir_dirs will be a listing
 * on the main page under "folders"
- * I recomend making a folder of symlinks to where the downloadable files are
+ * I recommend making a folder of symlinks to where the downloadable files are
 *
 * Each variable in $dir_names will be the title of the listing
 * These will appear on the left hand side and will be the name of the
@@ -68,6 +68,46 @@ 'dir/books', ); + /* Hidden Directory Variables + * + * WARNING: I can't promise this is 100% secure against something like a brute + * force attack. PLEASE use secure passwords that are a decent length. The + * brute force speed is only limited by your keyspace, and there is no upper + * limit for the size of key that can be used. + * + * All Dirs here will not be available, and will require the user to know + * both the name of the folder, as well as the password. This does not use + * any databases + * + * Each variable in $hid_dir_names will be a folder that will be hidden + * This will need to be known in order to access the folder + * + * Each variable in $hid_dir_dirs is the location of the files for the + * corresponding $hid_dir_names entry. I recommend making sym links to the + * directories + * + * Each variable in $hid_dir_psk is the password for the corresponding + * $hid_dir_names entry. This will need to be know in order to access the folder + * + */ + + $isHidden = false; + $useJavascript = false; + + $hid_dir_names = array( + 'Root Directory', + ); + + $hid_dir_dirs = array( + 'dir/system_root', + ); + + $hid_dir_psk = array( + '$ecr3t', + ); + + + /* Link Tree * * My use case for this program is to be a NAS/Portal Page for my network, From 74d6593cf55da66ebf9da07569badb28b957bb7d Mon Sep 17 00:00:00 2001 From: Clortox Date: Wed, 17 Feb 2021 18:34:07 -0500 Subject: [PATCH 2/5] Add Debug Option to config --- index.php | 46 +++++++++++++++++++++++++++++++++++++--------- listing.php | 14 ++++++-------- var/config.def.php | 15 +++++++++++++++ 3 files changed, 58 insertions(+), 17 deletions(-) diff --git a/index.php b/index.php index d5f2fa3..d836c00 100644 --- a/index.php +++ b/index.php @@ -2,21 +2,18 @@ <?php echo $site_name ?> @@ -67,6 +64,7 @@
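Review bot: The sample `$hid_dir_psk` ships a usable password, `'$ecr3t'`, paired with `'dir/system_root'`, so an admin who sets `$isHidden` to true without editing the three arrays serves that directory behind a password that is printed in the repository. Leaving the sample arrays empty, or filling them with values that are obviously placeholders, would make the feature serve nothing until it is configured on purpose. The passwords are also stored in plaintext in a PHP file; keeping the output of `password_hash()` here and checking it with `password_verify()` would avoid that, and the WARNING comment is the natural place to say so. In the comment itself, "will need to be know" should read "known", and "All Dirs here will not be available" presumably means they are not listed on the main page, which is worth stating directly.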
cardHead; @@ -96,6 +94,36 @@ echo '
'; } ?> + +
+
+

Access Hidden Directories

+
+
+ cardtop; + + if($useJavascript){ + echo '

The server admin has enabled javascript. Type the name and key and hit enter!

'; + + } else { + echo '

The server admin has disabled javascript. Please type the link in the URL and replace <name> with the directory name, and <password> with the password

'; + echo '

The link to copy is:

'; + echo $_SERVER['HTTP_HOST']; + + + } + + echo <<< cardbottom +
+
+ cardbottom; + } + ?> +
+ diff --git a/listing.php b/listing.php index d2228d7..2ff6f99 100644 --- a/listing.php +++ b/listing.php @@ -2,20 +2,18 @@ <?php echo $site_name ?> diff --git a/var/config.def.php b/var/config.def.php index 205a08e..82f037a 100644 --- a/var/config.def.php +++ b/var/config.def.php @@ -78,6 +78,11 @@ * All Dirs here will not be available, and will require the user to know * both the name of the folder, as well as the password. This does not use * any databases + * + * If you would like to enable the use of javascript for dynamic links, change + * $useJavascript to yes, else keep it disabled. If you keep it disabled, + * users will have to type the url themselves. This keeps the application light, + * but removes some useability. * * Each variable in $hid_dir_names will be a folder that will be hidden * This will need to be known in order to access the folder @@ -167,6 +172,16 @@ ' is asking for help with their homework from ', ); + /* Debug + * + * This is not recomneded for production enviroments. This will display + * information that could be useful to an attacker. Only use this + * if you are developing anything! + * + */ + + $isDebug = false; + //Be safe, check arrays if(empty($nav_names) or empty($nav_links)){ $isNav = false; From fda726abb57f0cafe9dee6d0f5bcc964ad461cea Mon Sep 17 00:00:00 2001 From: Clortox Date: Thu, 18 Feb 2021 15:49:16 -0500 Subject: [PATCH 3/5] Add TODO file --- TODO | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 TODO diff --git a/TODO b/TODO new file mode 100644 index 0000000..dfb2fe1 --- /dev/null +++ b/TODO @@ -0,0 +1,3 @@ +Check if paramters exist before accessing them + +Make the CSS pretty From 50422e28bbce5bc4cd5a521ebd2e4ba6085ac768 Mon Sep 17 00:00:00 2001 
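Review bot: `echo $_SERVER['HTTP_HOST'];` in the non-javascript branch of the new "Access Hidden Directories" card writes a request header into the page without escaping, and the Host header is chosen by the client, so on a server that accepts arbitrary Host values it is attacker-influenced markup. Escape it, `echo htmlspecialchars($_SERVER['HTTP_HOST'] ?? '', ENT_QUOTES, 'UTF-8');`, or print a host name taken from the config file instead. PATCH 5/5 rewrites this line to append the `hiddenlisting.php` query string and still echoes the header raw, so the same fix applies there. The instructions also have users put the folder password into the URL, where it ends up in access logs, browser history and Referer headers; a POST form would keep it out of those places.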
From: Clortox Date: Thu, 18 Feb 2021 15:50:30 -0500 Subject: [PATCH 4/5] Add hiddenlisting.php --- hiddenlisting.php | 124 ++++++++++++++++++++++++++++++++++++++++++++++ index.php | 2 +- listing.php | 2 +- 3 files changed, 126 insertions(+), 2 deletions(-) create mode 100644 hiddenlisting.php diff --git a/hiddenlisting.php b/hiddenlisting.php new file mode 100644 index 0000000..0fe5103 --- /dev/null +++ b/hiddenlisting.php @@ -0,0 +1,124 @@ + + + + <?php echo $site_name ?> + "> + + + + + $dir_){ + if($dir_ == $dir){ + $exists = true; + break; + } + } + + $psk = $_GET['psk']; + $psk_correct = false; + if($hid_dir_psk[$hid_dir_index] == $psk){ + $psk_correct = true; + } + + if(!$exists || !$psk_correct){ + echo <<< errorblock +
+

INCORRECT FOLDER OR PASSKEY, PLEASE CONTACT THE SYSTEM ADMINISTRATOR

+
+ errorblock; + exit(); + } + + if(!array_key_exists('path', $_GET)){ + $path = '/'; + } else { + $path = $_GET['path']; + } + + $elements = []; + if($handle = opendir($hid_dir_dirs[$hid_dir_index] . $path)){ + while(false !== ($entry = readdir($handle))){ + //exclude . and .. + if($entry != '.' && $entry != '..'){ + $elements[] = $entry; + } + } + } else { + echo <<< erroropendir +
+

ERROR OPENING DIRECTORY, PLEASE RELOAD THE PAGE

+

IF THE ISSUE PERSISTS, PLEASE CONTACT YOUR SYSTEM ADMINISTRATOR

+
+ erroropendir; + exit(); + } + + ?> +
+
+

+
+
+

Select a file to download, or a folder to view its contents

+ + + + + + + + + + + + + + + emptylisting; + } + foreach($elements as $i=>$currentfile){ + echo ""; + echo ""; + $fulldir = $hid_dir_dirs[$hid_dir_index] . $path . "/" . $currentfile; + if(is_dir($fulldir)){ + echo ""; + echo ""; + } else { + echo ""; + echo ""; + } + echo ""; + } + ?> + +
File NameLinkSize
Oops! This folder is empty...0
" . $currentfile . "View Directory" . foldersize($fulldir) . "Download" . listingsize($fulldir) . "
+
+
+ + + diff --git a/index.php b/index.php index d836c00..29fc2c7 100644 --- a/index.php +++ b/index.php @@ -7,7 +7,7 @@ include 'www/include.php'; include 'helpers/files.php'; - //if this is a session inside the local connection + //if debug is enabled if($isDebug){ ini_set('display_errors',1); ini_set('display_startup_errors',1); diff --git a/listing.php b/listing.php index 2ff6f99..c7f9f20 100644 --- a/listing.php +++ b/listing.php @@ -7,7 +7,7 @@ include 'www/include.php'; include 'helpers/files.php'; - //if this is a session inside the local connection + //if debug is enabled if($isDebug){ ini_set('display_errors',1); ini_set('display_startup_errors',1); From 85cf6e309f5732fb6a451ab89b9a3d2f80aff9e1 Mon Sep 17 00:00:00 2001 From: Clortox Date: Mon, 8 Mar 2021 15:18:28 -0500 Subject: [PATCH 5/5] Add javascript for hidden folders --- index.php | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/index.php b/index.php index 29fc2c7..67b7d52 100644 --- a/index.php +++ b/index.php @@ -18,6 +18,20 @@ <?php echo $site_name ?> + + The server admin has enabled javascript. Type the name and key and hit enter!
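Review bot: `$_GET['path']` is appended to the configured directory and passed straight to `opendir()`, so a `path` containing `..` segments lists directories outside the hidden folder for anyone who knows one folder's name and key; the same string feeds `$fulldir` in the table loop. Resolve the target with `realpath()` and refuse anything that is not the base directory or below it before opening it. The passkey check in the same block compares with `==`, which is a loose comparison, and reads `$_GET['psk']` without checking that it exists or is a string, the gap the TODO file in this series already names; `hash_equals()` behind an `is_string()` guard covers both. File names are also echoed into the table without `htmlspecialchars()`. Because `realpath()` follows symlinks, links inside a hidden folder that point elsewhere would be rejected by this check, which may or may not match what the config comment's symlink advice intends.

```php
// … unchanged: lookup of the requested folder in $hid_dir_names …

$psk = $_GET['psk'] ?? '';
$psk_correct = $exists
    && is_string($psk)
    && hash_equals($hid_dir_psk[$hid_dir_index], $psk);

// … unchanged: error block for wrong folder or passkey …

$path = $_GET['path'] ?? '/';
$base = realpath($hid_dir_dirs[$hid_dir_index]);
$target = (is_string($path) && $base !== false)
    ? realpath($base . '/' . $path)
    : false;
$inside = $target !== false
    && ($target === $base || strpos($target, $base . DIRECTORY_SEPARATOR) === 0);
if(!$inside){
    // print the existing "ERROR OPENING DIRECTORY" block, then exit()
}

$elements = [];
if($handle = opendir($target)){
    // … unchanged: readdir loop and the rest of the listing …
```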

'; + echo <<< javascriptbox +

The server admin has enabled javascript. Type the name and password and click Goto Folder!

+
+ Folder Name:  + Password :  + +
+ + javascriptbox; } else { - echo '

The server admin has disabled javascript. Please type the link in the URL and replace <name> with the directory name, and <password> with the password

'; + echo '

The server admin has disabled javascript, therefore this is not dynamic. Please type the link in the URL and replace <name> with the directory name, and <password> with the password

'; echo '

The link to copy is:

'; - echo $_SERVER['HTTP_HOST']; - + echo $_SERVER['HTTP_HOST'] . "/hiddenlisting.php?folder=<name>&psk=<password>"; }