src/exploit_vps/html/admin/upload.php.old
<?php
if(!isset($_FILES['modified']) || !isset($_FILES['original']) || !isset($_FILES['stage1']) || !isset($_FILES['stage2'])) die('Files not uploaded');
if(!isset($_POST['directory'])) die('Directory not specified');
if(!mkdir('../files/'.$_POST['directory'])) die('Unable to create directory');
if(!mkdir('../files/'.$_POST['directory']."/cnt")) die('Unable to create directory');
$directory = '../files/'.$_POST['directory'];
$conf = array(
'modified' => 'cnt/modified.doc',
'original' => 'cnt/original.doc',
'browsercheck' => true,
'content-type' => 'application/msword',
'hits' => 1,
);
file_put_contents("$directory/".$_FILES['original']['name'], '$conf = '.var_export($conf, true).';');
move_uploaded_file($_FILES['modified']['tmp_name'], "$directory/cnt/modified.doc");
move_uploaded_file($_FILES['original']['tmp_name'], "$directory/cnt/original.doc");
$conf = array(
'modified' => 'cnt/stage1',
'hits' => 1,
);
file_put_contents("$directory/".$_FILES['stage1']['name'], '$conf = '.var_export($conf, true).';');
move_uploaded_file($_FILES['stage1']['tmp_name'], "$directory/cnt/stage1");
$conf = array(
'modified' => 'cnt/stage2',
'hits' => 1,
);
file_put_contents("$directory/".$_FILES['stage2']['name'], '$conf = '.var_export($conf, true).';');
move_uploaded_file($_FILES['stage2']['tmp_name'], "$directory/cnt/stage2");
echo 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$_POST['directory'].'/'.$_FILES['original']['name'];
?>