!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/backup-config/   drwxr-xr-x
Free 53.79 GB of 127.8 GB (42.09%)


Viewing file:     backup.cgi (1.78 KB)      -rwxr-xr-x
#!/usr/bin/perl
# Do an immediate backup

use strict;
use warnings;
require './backup-config-lib.pl';
our (%in, %text, %config, $module_config_file);
# Parse the CGI request; presumably this fills %in (declared above) - the
# helper itself lives in the required library.
&ReadParse();

# Validate inputs. Every value below originates from the HTTP request, so the
# two parse_* helpers are the only validation this script applies to them.
# NOTE(review): no access-control check is visible in this script; presumably
# the library or the Webmin module ACL enforces it - confirm.
&error_setup($text{'backup_err'});
my $dest = &parse_backup_destination("dest", \%in);
my ($configfile, $nofiles, $others) = &parse_backup_what("what", \%in);

# The 'mods' field is split on NUL bytes to get the list of selected modules.
my @mods = split(/\0/, $in{'mods'});

# With no module selected the request is only accepted when $nofiles is set
# and $configfile is not; anything else is rejected here.
if (!@mods && !($nofiles && !$configfile)) {
    &error($text{'backup_emods'});
    }

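# Go for it
# Only $mode is consulted below: mode 4 streams the archive back to the
# browser, every other mode passes $dest to execute_backup as the place to
# save the backup.
my ($mode, $user, $pass, $server, $path, $port) = &parse_backup_url($dest);
my $err;
if ($mode != 4) {
    # Save somewhere, and tell the user
    # NOTE(review): $dest and $err end up inside the HTML page through &text;
    # confirm that &text / &nice_dest escape them before output.
    &ui_print_header(undef, $text{'backup_title'}, "");
    print &text('backup_doing', &nice_dest($dest, 1)),"<p>\n";
    my $size;
    my @files;
    $err = &execute_backup(\@mods, $dest, \$size, \@files,
                   $configfile, $nofiles,
                   [ split(/\t+/, $others) ]);
    if ($err) {
        print &text('backup_failed', $err),"<p>\n";
        }
    else {
        print &text('backup_done', &nice_size($size),
                scalar(@files)),"<p>\n";
        }
    &ui_print_footer("", $text{'index_return2'});
    }
else {
    # Output file in browser
    # The archive is first written to a temporary file, then streamed to the
    # client and removed. The temp file is deleted on every exit path so a
    # copy of the backup is not left behind in the temp directory.
    my $temp = &transname();
    my $size;
    $err = &execute_backup(\@mods, $temp, \$size, undef,
                   $configfile, $nofiles,
                   [ split(/\t+/, $others) ]);
    if ($err) {
        &unlink_file($temp);
        &error($err);
        }

    # Open the archive BEFORE sending the HTTP header, with an explicit read
    # mode and a lexical handle. A failed open is then reported as an error
    # page instead of an empty download, and the file name can never be
    # interpreted as an open mode or a pipe.
    # (assumes &error does not return, as the error path above already does)
    my $temp_fh;
    if (!open($temp_fh, '<', $temp)) {
        my $open_err = $!;
        &unlink_file($temp);
        &error("Failed to open backup file for download : $open_err");
        }
    # The archive is binary data; make sure no I/O layer translates it.
    binmode($temp_fh);

    print "Content-type: application/octet-stream\n\n";
    my $buf;
    while(read($temp_fh, $buf, 1024)) {
        print $buf;
        }
    close($temp_fh);
    &unlink_file($temp);
    }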

unless ($err) {
    # Save config
    # The backup worked, so remember this request's settings in the module
    # configuration.
    # NOTE(review): 'configfile' and 'nofiles' are stored exactly as received
    # in the request, not as the values parse_backup_what returned; confirm
    # the config writer copes with unexpected content, or validate them first.
    @config{'dest', 'mods'} = ($dest, join(" ", @mods));
    @config{'configfile', 'nofiles'} = @in{'configfile', 'nofiles'};

    # Write the module config file while holding its lock
    &lock_file($module_config_file);
    &save_module_config();
    &unlock_file($module_config_file);

    # Record the backup (destination and module list) in the Webmin log
    my %log_details = ( 'mods' => \@mods );
    &webmin_log("backup", undef, $dest, \%log_details);
    }


--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0093 ]--