110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/bin/ drwxr-xr-x Free 52.29 GB of 127.8 GB (40.92%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686

uid=48(apache) gid=48(apache) groups=48(apache)

Safe-mode: OFF (not secure)

/usr/bin/ drwxr-xr-x
Free 52.29 GB of 127.8 GB (40.92%)
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

Viewing file: purple-remote (7.77 KB) -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |

#!/usr/bin/python import dbus import re import urllib import sys import xml.dom.minidom xml.dom.minidom.Element.all = xml.dom.minidom.Element.getElementsByTagName obj = None try: obj = dbus.SessionBus().get_object("im.pidgin.purple.PurpleService", "/im/pidgin/purple/PurpleObject") except: pass purple = dbus.Interface(obj, "im.pidgin.purple.PurpleInterface") class CheckedObject: def __init__(self, obj): self.obj = obj def __getattr__(self, attr): return CheckedAttribute(self, attr) class CheckedAttribute: def __init__(self, cobj, attr): self.cobj = cobj self.attr = attr def __call__(self, *args): result = self.cobj.obj.__getattr__(self.attr)(*args) if result == 0: raise "Error: " + self.attr + " " + str(args) + " returned " + str(result) return result def show_help(requested=False): print """This program uses D-Bus to communicate with purple. Usage: %s "command1" "command2" ... Each command is of one of the three types: [protocol:]commandname?param1=value1¶m2=value2&... FunctionName?param1=value1¶m2=value2&... FunctionName(value1,value2,...) The second and third form are provided for completeness but their use is not recommended; use purple-send or purple-send-async instead. The second form uses introspection to find out the parameter names and their types, therefore it is rather slow. Examples of commands: jabber:goim?screenname=testone@localhost&message=hi jabber:gochat?room=TestRoom&server=conference.localhost jabber:getinfo?screenname=testone@localhost jabber:addbuddy?screenname=my friend setstatus?status=away&message=don't disturb getstatus getstatusmessage quit PurpleAccountsFindConnected?name=&protocol=prpl-jabber PurpleAccountsFindConnected(,prpl-jabber) """ % sys.argv[0] if (requested): sys.exit(0) else: sys.exit(1) cpurple = CheckedObject(purple) urlregexp = r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?" def extendlist(list, length, fill): if len(list) < length: return list + [fill] * (length - len(list)) else: return list def convert(value): try: return int(value) except: return value def findaccount(accountname, protocolname): try: # prefer connected accounts account = cpurple.PurpleAccountsFindConnected(accountname, protocolname) return account except: # try to get any account and connect it account = cpurple.PurpleAccountsFindAny(accountname, protocolname) purple.PurpleAccountSetStatusVargs(account, "online", 1) purple.PurpleAccountConnect(account) return account def execute(uri): match = re.match(urlregexp, uri) protocol = match.group(2) if protocol == "xmpp": protocol = "jabber" if protocol is not None: protocol = "prpl-" + protocol command = match.group(5) paramstring = match.group(7) params = {} if paramstring is not None: for param in paramstring.split("&"): key, value = extendlist(param.split("=",1), 2, "") params[key] = urllib.unquote(value) accountname = params.get("account", "") if command == "goim": account = findaccount(accountname, protocol) conversation = cpurple.PurpleConversationNew(1, account, params["screenname"]) if "message" in params: im = cpurple.PurpleConversationGetImData(conversation) purple.PurpleConvImSend(im, params["message"]) return None elif command == "gochat": account = findaccount(accountname, protocol) connection = cpurple.PurpleAccountGetConnection(account) return purple.ServJoinChat(connection, params) elif command == "addbuddy": account = findaccount(accountname, protocol) return cpurple.PurpleBlistRequestAddBuddy(account, params["screenname"], params.get("group", ""), "") elif command == "setstatus": current = purple.PurpleSavedstatusGetCurrent() if "status" in params: status_id = params["status"] status_type = purple.PurplePrimitiveGetTypeFromId(status_id) else: status_type = purple.PurpleSavedstatusGetType(current) status_id = purple.PurplePrimitiveGetIdFromType(status_type) if "message" in params: message = params["message"]; else: message = purple.PurpleSavedstatusGetMessage(current) if "account" in params: accounts = [cpurple.PurpleAccountsFindAny(accountname, protocol)] for account in accounts: status = purple.PurpleAccountGetStatus(account, status_id) type = purple.PurpleStatusGetType(status) purple.PurpleSavedstatusSetSubstatus(current, account, type, message) purple.PurpleSavedstatusActivateForAccount(current, account) else: saved = purple.PurpleSavedstatusNew("", status_type) purple.PurpleSavedstatusSetMessage(saved, message) purple.PurpleSavedstatusActivate(saved) return None elif command == "getstatus": current = purple.PurpleSavedstatusGetCurrent() status_type = purple.PurpleSavedstatusGetType(current) status_id = purple.PurplePrimitiveGetIdFromType(status_type) return status_id elif command == "getstatusmessage": current = purple.PurpleSavedstatusGetCurrent() return purple.PurpleSavedstatusGetMessage(current) elif command == "getinfo": account = findaccount(accountname, protocol) connection = cpurple.PurpleAccountGetConnection(account) return purple.ServGetInfo(connection, params["screenname"]) elif command == "quit": return purple.PurpleCoreQuit() elif command == "uri": return None else: match = re.match(r"(\w+)\s*\(([^)]*)\)", command) if match is not None: name = match.group(1) argstr = match.group(2) if argstr == "": args = [] else: args = argstr.split(",") fargs = [] for arg in args: fargs.append(convert(arg.strip())) return purple.__getattr__(name)(*fargs) else: # introspect the object to get parameter names and types # this is slow because the entire introspection info must be downloaded data = dbus.Interface(obj, "org.freedesktop.DBus.Introspectable").\ Introspect() introspect = xml.dom.minidom.parseString(data).documentElement for method in introspect.all("method"): if command == method.getAttribute("name"): methodparams = [] for arg in method.all("arg"): if arg.getAttribute("direction") == "in": value = params[arg.getAttribute("name")] type = arg.getAttribute("type") if type == "s": methodparams.append(value) elif type == "i": methodparams.append(int(value)) else: raise "Don't know how to handle type \"%s\"" % type return purple.__getattr__(command)(*methodparams) show_help() if len(sys.argv) == 1: show_help() elif (sys.argv[1] == "--help" or sys.argv[1] == "-h"): show_help(True) elif (obj == None): print "No existing libpurple instance detected." sys.exit(1); for arg in sys.argv[1:]: output = execute(arg) if (output != None): print output

:: Command execute ::
Enter:	Select:

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Search ::

:: Upload ::

:: Make Dir ::

:: Make File ::

:: Go Dir ::

:: Go File ::

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0057 ]--