!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/bin/   drwxr-xr-x
Free 51.23 GB of 127.8 GB (40.08%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     unix-lpr.sh (3.99 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/bin/sh
# $Id: unix-lpr.sh,v 1.4 2002/04/22 19:53:23 giles Exp $
#
# Unix lpr filter. The default setup sends output directly to a pipe,
# which requires the Ghostscript process to fork, and thus may cause 
# small systems to run out of memory/swap space. An alternative strategy,
# based on a suggestion by Andy Fyfe (andy@cs.caltech.edu), uses a named
# pipe for output, which avoids the fork and can thus save a lot of memory.
#
# Unfortunately this approach can cause problems when a print job is aborted, 
# as the abort can cause one of the processes to die, leaving the process 
# at the other end of the pipe hanging forever.
#
# Because of this, the named pipe method has not been made the default,
# but it may be restored by commenting out the lines referring to
# 'gsoutput' and uncommenting the lines referring to 'gspipe'.
#

PBMPLUSPATH=/usr/local/bin
PSFILTERPATH=/usr/local/lib/ghostscript
LOCALPATH=/usr/local/bin
X11HOME=/usr/X11R6

PATH=/bin:/usr/bin:/usr/ucb:/usr/etc
PATH=${PATH}\:${LOCALPATH}\:${PBMPLUSPATH}\:${PSFILTERPATH}
LD_LIBRARY_PATH=${X11HOME}/lib

export PATH LD_LIBRARY_PATH acctfile host user

user= host= acctfile=/dev/null

#
# Redirect stdout to stderr (for the logfile) and open a new channel
# connected to stdout for the raw data. This enables us to keep the
# raw data separate from programmed postscript output and error messages.
#
exec 3>&1 1>&2

#
# Get username and hostname from filter parameters
#
while [ $# != 0 ]
do  case "$1" in
  -n)	user=$2 ; shift ;;
  -h)	host=$2 ; shift ;;
  -*)	;;
  *)	acctfile=$1 ;;
  esac
  shift
done

#
# Get the filter, printer device and queue type (direct/indirect)
#
filter=`basename $0`
device=`dirname $0`
type=`dirname ${device}`
device=`basename ${device}`
fdevname=$device
type=`basename ${type}`

#
# Find the bpp and number of colors, if specified
#

colorspec="`echo ${device} | sed 's/.*\.[0-9][0-9]*\.\([0-9][0-9]*\)$/\1/'`"
if test "$colorspec" = "${device}"
then
    colorspec=""
else
    device=`basename ${device} .$colorspec`
    colorspec="-dColors=$colorspec"
fi

bpp="`echo ${device} | sed 's/.*\.\([0-9][0-9]*\)$/\1/'`"
if test "$bpp" = "${device}"
then
    bpp=1
else
    device=`basename ${device} .$bpp`
fi

#
# Information for the logfile
#
lock=`dirname ${acctfile}`/lock
cf=`sed -n '$p' ${lock}`
job=`sed -n 's/^J//p' ${cf}`
 
echo "gsbanner: ${host}:${user}  Job: ${job}  Date: `date`"
echo "gsif: ${host}:${user} ${fdevname} start - `date`"

#
# Set the direct or indirect output destinations
#
#gspipe=/tmp/gspipe.$$
#mknod ${gspipe} p

case "${type}" in
  direct)
		gsoutput="cat 1>&3" ;;
#		cat ${gspipe} 1>&3 & ;;
  indirect)
		gsoutput="lpr -P${device}.raw" ;;
#		cat ${gspipe} | lpr -P${device}.raw & ;;
esac

(
#
# Any setup required may be done here (eg. setting gamma for colour printing)
#
#echo "{0.333 exp} dup dup currenttransfer setcolortransfer"

#
# The input data is filtered here, before being passed on to Ghostscript
#
case "${filter}" in
  gsif)	  cat ;;
  gsnf)	  psdit ;;
  gstf)	  pscat ;;
  gsgf)	  psplot ;;
  gsvf)	  rasttopnm | pnmtops ;;
  gsdf)	  dvi2ps -sqlw ;;
  gscf|gsrf) echo "${filter}: filter not available" 1>&2 ; exit 0 ;;
esac

#
# This is the postlude which does the accounting
#
echo "\
(acctfile) getenv
  { currentdevice /PageCount gsgetdeviceprop dup cvi 0 gt
    { exch (a) file /acctfile exch def
      /string 20 string def
      string cvs dup length dup
      4 lt
        { 4 exch sub
          { acctfile ( ) writestring } repeat
        } { pop } ifelse
      acctfile exch writestring
      acctfile (.00 ) writestring
      acctfile (host) getenv 
        { string cvs } { (NOHOST) } ifelse writestring
      acctfile (:) writestring
      acctfile (user) getenv
        { string cvs } { (NOUSER) } ifelse writestring
      acctfile (\n) writestring
      acctfile closefile
    } { pop } ifelse
  } if
quit"
) | gs -q -dNOPAUSE -sDEVICE=${device} -dBitsPerPixel=${bpp} $colorspec \
		-sOutputFile=\|"${gsoutput}" -
#		-sOutputFile=${gspipe} -

rm -f ${gspipe}
#
# End the logfile entry
#
echo "gsif: end - `date`"


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0116 ]--