110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/bin/ drwxr-xr-x Free 52.24 GB of 127.8 GB (40.88%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686

uid=48(apache) gid=48(apache) groups=48(apache)

Safe-mode: OFF (not secure)

/usr/bin/ drwxr-xr-x
Free 52.24 GB of 127.8 GB (40.88%)
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

Viewing file: unix-lpr.sh (3.99 KB) -rwxr-xr-x
Select action/file-type:
(+) | (+) |

(+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |

#!/bin/sh # $Id: unix-lpr.sh,v 1.4 2002/04/22 19:53:23 giles Exp $ # # Unix lpr filter. The default setup sends output directly to a pipe, # which requires the Ghostscript process to fork, and thus may cause # small systems to run out of memory/swap space. An alternative strategy, # based on a suggestion by Andy Fyfe (andy@cs.caltech.edu), uses a named # pipe for output, which avoids the fork and can thus save a lot of memory. # # Unfortunately this approach can cause problems when a print job is aborted, # as the abort can cause one of the processes to die, leaving the process # at the other end of the pipe hanging forever. # # Because of this, the named pipe method has not been made the default, # but it may be restored by commenting out the lines referring to # 'gsoutput' and uncommenting the lines referring to 'gspipe'. # PBMPLUSPATH=/usr/local/bin PSFILTERPATH=/usr/local/lib/ghostscript LOCALPATH=/usr/local/bin X11HOME=/usr/X11R6 PATH=/bin:/usr/bin:/usr/ucb:/usr/etc PATH=${PATH}\:${LOCALPATH}\:${PBMPLUSPATH}\:${PSFILTERPATH} LD_LIBRARY_PATH=${X11HOME}/lib export PATH LD_LIBRARY_PATH acctfile host user user= host= acctfile=/dev/null # # Redirect stdout to stderr (for the logfile) and open a new channel # connected to stdout for the raw data. This enables us to keep the # raw data separate from programmed postscript output and error messages. # exec 3>&1 1>&2 # # Get username and hostname from filter parameters # while [ $# != 0 ] do case "$1" in -n) user=$2 ; shift ;; -h) host=$2 ; shift ;; -*) ;; *) acctfile=$1 ;; esac shift done # # Get the filter, printer device and queue type (direct/indirect) # filter=`basename $0` device=`dirname $0` type=`dirname ${device}` device=`basename ${device}` fdevname=$device type=`basename ${type}` # # Find the bpp and number of colors, if specified # colorspec="`echo ${device} | sed 's/.*\.[0-9][0-9]*\.$[0-9][0-9]*$$/\1/'`" if test "$colorspec" = "${device}" then colorspec="" else device=`basename ${device} .$colorspec` colorspec="-dColors=$colorspec" fi bpp="`echo ${device} | sed 's/.*\.$[0-9][0-9]*$$/\1/'`" if test "$bpp" = "${device}" then bpp=1 else device=`basename ${device} .$bpp` fi # # Information for the logfile # lock=`dirname ${acctfile}`/lock cf=`sed -n '$p' ${lock}` job=`sed -n 's/^J//p' ${cf}` echo "gsbanner: ${host}:${user} Job: ${job} Date: `date`" echo "gsif: ${host}:${user} ${fdevname} start - `date`" # # Set the direct or indirect output destinations # #gspipe=/tmp/gspipe.$$ #mknod ${gspipe} p case "${type}" in direct) gsoutput="cat 1>&3" ;; # cat ${gspipe} 1>&3 & ;; indirect) gsoutput="lpr -P${device}.raw" ;; # cat ${gspipe} | lpr -P${device}.raw & ;; esac ( # # Any setup required may be done here (eg. setting gamma for colour printing) # #echo "{0.333 exp} dup dup currenttransfer setcolortransfer" # # The input data is filtered here, before being passed on to Ghostscript # case "${filter}" in gsif) cat ;; gsnf) psdit ;; gstf) pscat ;; gsgf) psplot ;; gsvf) rasttopnm | pnmtops ;; gsdf) dvi2ps -sqlw ;; gscf|gsrf) echo "${filter}: filter not available" 1>&2 ; exit 0 ;; esac # # This is the postlude which does the accounting # echo "\ (acctfile) getenv { currentdevice /PageCount gsgetdeviceprop dup cvi 0 gt { exch (a) file /acctfile exch def /string 20 string def string cvs dup length dup 4 lt { 4 exch sub { acctfile ( ) writestring } repeat } { pop } ifelse acctfile exch writestring acctfile (.00 ) writestring acctfile (host) getenv { string cvs } { (NOHOST) } ifelse writestring acctfile (:) writestring acctfile (user) getenv { string cvs } { (NOUSER) } ifelse writestring acctfile (\n) writestring acctfile closefile } { pop } ifelse } if quit" ) | gs -q -dNOPAUSE -sDEVICE=${device} -dBitsPerPixel=${bpp} $colorspec \ -sOutputFile=\|"${gsoutput}" - # -sOutputFile=${gspipe} - rm -f ${gspipe} # # End the logfile entry # echo "gsif: end - `date`"

:: Command execute ::
Enter:	Select:

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Search ::

:: Upload ::

:: Make Dir ::

:: Make File ::

:: Go Dir ::

:: Go File ::

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0049 ]--