语言: JavaScript


Quick and Dirty Editor, a.k.a. Security Nightmare (中文)


QADE是一个快速而肮脏的编辑器,用于浏览文件并在服务器上进行编辑。 它使用PHP和JavaScript编写,并使用优秀的ACE编辑器进行编辑。


QADE是免费软件,在许可的MIT许可下发布。 使用QADE分发的其他组件(如jQuery,ACE Editor和Font Awesome)可能拥有自己的许可证。


  • 侧栏中的文件系统浏览器
  • 多个标签
  • 以任何编码打开文件并以任何其他编码保存(默认为UTF-8)
  • 用于在服务器上执行shell命令的基本虚拟控制台




  1. 将QADE下载到您选择的位置,位于Web服务器的文档根目录中。
  2. 打开config.php并指定您希望在侧栏中看到的目录。
  3. 使PHP进程可以写入临时目录。
  4. 使您想要编辑的任何其他文件可写。
  5. 在Firefox和Chrome等现代网络浏览器中打开QADE。


不用说,在服务器上编辑您的实时网站是非常危险的。 事实上,除非你确切知道自己在做什么,否则你可能不应该这样做。

QADE提供针对XSS和CSRF攻击的基本保护,但这就是它。 QADE可以访问PHP进程可访问的服务器的任何部分 - 是的,包括/ etc / passwd,虽然没有人实际上将密码存储在该文件中 - 如果文件是可写的,QADE也可以轻松修改它们。 此外,QADE的控制台允许任何人在服务器上执行任意命令, 仅受PHP进程权限的限制。

QADE没有提供访问控制机制。没有登录,没有密码。这是故意的。 如果您在除localhost之外的任何地方使用QADE,则您有责任使用:

  • 您的连接的强加密(TLS 1.2)和
  • 安装QADE的网站的HTTP基本或摘要认证,以及
  • 如果可能,通过IP地址,用户代理字符串或其他任何有助于区别于其他人的访问控制。



QADE目前无法重命名文件,删除文件或将文件另存为其他名称。 请使用控制台执行此类任务。 (如果您不知道如何使用简单的shell命令,QADE可能不适合您。)

本文使用googletrans自动翻译,仅供参考, 原文来自


QADE is a quick and dirty editor for browsing files and editing them right on the server.
It is written in PHP and JavaScript, and uses the excellent ACE Editor for the editing component.


QADE is free software, released under the permissive MIT license.
Other components that are distributed with QADE, such as jQuery, ACE Editor, and Font Awesome, may have their own licenses.


  • Filesystem browser in the sidebar
  • Multiple tabs
  • Open files in any encoding and save them in any other encoding (UTF-8 by default)
  • A rudimentary virtual console for executing shell commands on the server



Getting Started

  1. Download QADE to a location of your choice, inside the document root of your web server.
  2. Open config.php and specify the directory that you wish to see in the sidebar.
  3. Make the scratch directory writable by the PHP process.
  4. Make writable any other files that you wish to edit.
  5. Open QADE in a modern web browser such as Firefox and Chrome.


Needless to say, it is extremely dangerous to edit your live website right on the server.
In fact, you probably shouldn't do it unless you know exactly what you're doing.

QADE provides basic protections against XSS and CSRF attacks, but that's about it.
Any part of your server that is accessible by the PHP process can be accessed by QADE
-- yes, that includes /etc/passwd, although nobody actually stores passwords in that file anymore --
and if the files are writable, QADE can easily modify them, too.
Moreover, QADE's console allows anyone to execute arbitrary commands on the server,
limited only by the privileges of the PHP process.

QADE provides no mechanism for access control. There is no login, no password. This is intentional.
If you use QADE anywhere other than localhost, it is your responsibility to use:

  • Strong encryption for your connection (TLS 1.2), and
  • HTTP basic or digest authentication for the website where QADE is installed, and
  • If possible, access control by IP address, user agent string, or anything else that helps distinguish you from everybody else.

If you install QADE on your server and you get hacked, don't blame me. You have been warned.


QADE currently cannot rename files, delete files, or save files as another name.
Please use the console for such tasks.
(If you don't know how to use simple shell commands, QADE is probably not for you.)