Kevin Froman's blog

Blog on security, programming, & other musings

How a Random Github Repo Led To a Shell Access Google Dork

2017-02-22

Developers often publicly release code that is barely tested, or meant for personal reasons, such as quick scripts or weekend experiments.

Often they assume that no one will be interested, only to discover later that the project has dozens, perhaps hundreds, of stars and users.

This isn't so bad for some, but it can be disastrous if the code is, for example, a PHP script.

Forgotten scripts

This was the case with a tiny script called "simple file manager", a one-file project that was just that: a lightweight file manager written in PHP.

Little did the author realize that people would be putting this unauthenticated script on their public websites.

[Screenshot: simple file manager]

Not only could anyone upload content to a site, but the script did nothing to prevent .php files from being uploaded, meaning attackers could easily gain shell access to servers running this software.
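As an added illustration (not code from simple file manager or its patch), here is the kind of naive extension check that still lets executable uploads through, beside an allowlist check that inspects every extension segment; the helper and constant names are hypothetical.

```php
<?php
// Added example, not the script's own code. Helper names are hypothetical.

// Naive check: blocks only names that end in exactly ".php".
// "Upload.PHP" and "page.phtml" pass, and so does "notes.php.txt", which
// some server configurations will still hand to the PHP handler.
function naive_upload_allowed(string $name): bool
{
    return substr($name, -4) !== '.php';
}

// Hardened check: the final extension must be on an allowlist, and no
// other dotted segment may be a server-executable extension.
const ALLOWED_EXTENSIONS = ['txt', 'jpg', 'jpeg', 'png', 'gif', 'pdf'];
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

function hardened_upload_allowed(string $name): bool
{
    // Reject empty names, path separators and null bytes outright.
    if ($name === '') {
        return false;
    }
    foreach (["/", "\\", "\0"] as $bad) {
        if (strpos($name, $bad) !== false) {
            return false;
        }
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false; // no extension at all: cannot classify it
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    // Remaining segments (after the base name) must not be executable either.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names showing where the two checks differ.
$samples = ['photo.jpg', 'Upload.PHP', 'page.phtml', 'notes.php.txt', '.htaccess'];
foreach ($samples as $n) {
    printf("%-14s naive=%s hardened=%s\n", $n,
        naive_upload_allowed($n) ? 'allow' : 'deny',
        hardened_upload_allowed($n) ? 'allow' : 'deny');
}
```

An extension check on its own is only one layer: the upload directory should also have script execution disabled, and the upload form should require authentication, which this script did not.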

Don't be a dork

Since this script contains the unique string "simple php filemanager by jcampbell1", it makes an effective Google dork for finding websites whose owners assumed their upload area would never be discovered. Some didn't realize that PHP scripts could be uploaded; I even found a few deep web sites with this script enabled.

Conclusion

If you build it, they will come. This includes fools.

I contacted jcampbell1, who quickly patched the script to prevent .php uploads.

Be careful with what code you decide to make public.

Written by anonymous