!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/apache/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     manual_save.cgi (2.16 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# manual_save.cgi
# Save manually entered directives

require './apache-lib.pl';
&ReadParseMime();
$access{'types'} eq '*' || &error($text{'manual_ecannot'});
if (defined($in{'virt'})) {
    if (defined($in{'idx'})) {
        # directory within virtual server
        ($vconf, $v) = &get_virtual_config($in{'virt'});
        $d = $vconf->[$in{'idx'}];
        $file = $d->{'file'};
        $return = "dir_index.cgi";
        $start = $d->{'line'}+1; $end = $d->{'eline'}-1;
        $logtype = 'dir';
        $logname = &virtual_name($v, 1).":".$d->{'words'}->[0];
        }
    else {
        # virtual server (which can have multiple files!)
        ($conf, $v) = &get_virtual_config($in{'virt'});
        @files = &unique((map { $_->{'file'} } @$conf), $v->{'file'});
        $return = "virt_index.cgi";
        $file = $in{'editfile'} || $v->{'file'};
        &indexof($file, @files) >= 0 ||
            &error($text{'manual_efile'});
        if ($file eq $v->{'file'}) {
            $start = $v->{'line'}+1; $end = $v->{'eline'}-1;
            }
        else {
            $start = $end = undef;
            }
        $logtype = 'virt'; $logname = &virtual_name($v, 1);
        }
    }
else {
    if (defined($in{'idx'})) {
        # files within .htaccess file
        $hconf = &get_htaccess_config($in{'file'});
        $d = $hconf->[$in{'idx'}];
        $file = $in{'file'};
        $return = "files_index.cgi";
        $start = $d->{'line'}+1; $end = $d->{'eline'}-1;
        $logtype = 'files';
        $logname = "$in{'file'}:$d->{'words'}->[0]";
        }
    else {
        # .htaccess file
        $file = $in{'file'};
        $return = "htaccess_index.cgi";
        $logtype = 'htaccess'; $logname = $in{'file'};
        }
    }

&lock_file($file);
$temp = &transname();
&copy_source_dest($file, $temp);
$in{'directives'} =~ s/\r//g;
$in{'directives'} =~ s/\s+$//;
@dirs = split(/\n/, $in{'directives'});
$lref = &read_file_lines($file);
if (!defined($start)) {
    $start = 0;
    $end = @$lref - 1;
    }
splice(@$lref, $start, $end-$start+1, @dirs);
&flush_file_lines();
if ($config{'test_manual'}) {
    $err = &test_config();
    if ($err) {
        &copy_source_dest($temp, $file);
        &error(&text('manual_etest', "<pre>$err</pre>"));
        }
    }
unlink($temp);
&unlock_file($file);
&webmin_log($logtype, "manual", $logname, \%in);

foreach $h ('virt', 'idx', 'file') {
    push(@args, "$h=$in{$h}") if (defined($in{$h}));
    }
&redirect("$return?".join("&", @args));


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0085 ]--