!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/cluster-passwd/   drwxr-xr-x
Free 49.58 GB of 127.8 GB (38.8%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     index.cgi (1.65 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# index.cgi
# Show a list of all users whose passwords can be changed

require './cluster-passwd-lib.pl';

# Check if cluster-useradmin is set up
@hosts = &cluster_useradmin::list_useradmin_hosts();
if (!@hosts) {
    &ui_print_header(undef, $text{'index_title'}, "", undef, 1, 1);
    &ui_print_endpage(&text('index_noservers', "../cluster-useradmin/"));
    }
@ulist = grep { &can_edit_passwd($_) } &get_all_users(\@hosts);
if (@ulist == 1) {
    # Can only edit one user, so re-direct to editing form
    &redirect("edit_passwd.cgi?user=$ulist[0]->{'user'}&one=1");
    }

&ui_print_header(undef, $text{'index_title'}, "", undef, 1, 1);
if ($config{'sort_mode'}) {
    @ulist = sort { lc($a->{'user'}) cmp lc($b->{'user'}) } @ulist;
    }

print &text('index_hosts', scalar(@hosts)),"<p>\n";

if ($config{'max_users'} && @ulist > $config{'max_users'}) {
    # Show as form for entering a username
    print "$passwd::text{'index_toomany'}<br>\n";
    print &ui_form_start("edit_passwd.cgi");
    print &ui_submit($passwd::text{'index_user'});
    if ($config{'input_type'}) {
        print &ui_select("user", undef,
                 [ map { [ $_->{'user'} ] } @ulist ]);
        }
    else {
        print &ui_user_textbox("user");
        }
    print &ui_form_end();
    }
else {
    # Show as table of users
    print &ui_table_start($passwd::text{'index_header'}, "width=100%");
    for($i=0; $i<@ulist; $i++) {
        if ($i%4 == 0) { print "<tr>\n"; }
        print "<td width=25%><a href=\"edit_passwd.cgi?",
              "user=$ulist[$i]->{'user'}\">",
              &html_escape($ulist[$i]->{'user'})."</a></td>\n";
        if ($i%4 == 3) { print "</tr>\n"; }
        }
    while($i++ % 4) { print "<td width=25%></td>\n"; }
    print &ui_table_end();
    }

&ui_print_footer("/", $text{'index'});

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0055 ]--