!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/firewall/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     save_rule.cgi (11.9 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# save_rule.cgi
# Save, create or delete a rule in a chain

require './firewall-lib.pl';
&ReadParse();
&error_setup($text{'save_err'});
@tables = &get_iptables_save();
$table = $tables[$in{'table'}];
&can_edit_table($table->{'name'}) || &error($text{'etable'});
if ($in{'new'}) {
    $rule = { 'chain' => $in{'chain'} };
    }
else {
    $rule = $table->{'rules'}->[$in{'idx'}];
    &can_jump($rule) || &error($text{'ejump'});
    }
if ($in{'clone'}) {
    # Go back to the editing page
    &redirect("edit_rule.cgi?new=1&clone=$in{'idx'}&".
          "table=".&urlize($in{'table'})."&".
          "chain=".&urlize($rule->{'chain'}));
    }

&lock_file($iptables_save_file);
if ($in{'delete'}) {
    # Just delete this rule
    splice(@{$table->{'rules'}}, $in{'idx'}, 1);
    }
else {
    # Validate and store inputs
    if ($config{'comment_mod'}) {
        $in{'cmt'} =~ s/^\s+//;
        $in{'cmt'} =~ s/\s+$//;
        if ($in{'cmt'}) {
            $rule->{'comment'} = [ "", $in{'cmt'} ];
            push(@mods, "comment");
            }
        else {
            delete($rule->{'comment'});
            }
        }
    else {
        $rule->{'cmt'} = $in{'cmt'};
        delete($rule->{'comment'});
        @mods = grep { $_ ne "comment" } @mods;
        }
    if ($in{'jump'} eq '*') {
        $in{'other'} =~ /^\S+$/ || &error($text{'save_echain'});
        $rule->{'j'} = [ "", $in{'other'} ];
        }
    elsif ($in{'jump'}) {
        $rule->{'j'} = [ "", $in{'jump'} ];
        }
    else {
        delete($rule->{'j'});
        }
    &can_jump($rule) || &error($text{'save_ecanjump'});
    if (defined($in{'rwithtype'})) {
        if ($rule->{'j'}->[1] eq 'REJECT' && !$in{'rwithdef'}) {
            $rule->{'reject-with'} = [ "", $in{'rwithtype'} ];
            }
        else {
            delete($rule->{'reject-with'});
            }
        }

    # Parse redirect or masquerade input
    if ($table->{'name'} eq 'nat') {
        if ($rule->{'j'}->[1] eq 'REDIRECT' && !$in{'rtodef'}) {
            $in{'rtofrom'} =~ /^\d+$/ ||
                &error($text{'save_ertoports'});
            $in{'rtoto'} =~ /^\d*$/ ||
                &error($text{'save_ertoports'});
            $rule->{'to-ports'} = [ "", $in{'rtoto'} eq '' ?
                $in{'rtofrom'} : $in{'rtofrom'}."-".$in{'rtoto'} ];
            }
        elsif ($rule->{'j'}->[1] eq 'MASQUERADE' && !$in{'mtodef'}) {
            $in{'mtofrom'} =~ /^\d+$/ ||
                &error($text{'save_emtoports'});
            $in{'mtoto'} =~ /^\d*$/ ||
                &error($text{'save_emtoports'});
            $rule->{'to-ports'} = [ "", $in{'mtoto'} eq '' ?
                $in{'mtofrom'} : $in{'mtofrom'}."-".$in{'mtoto'} ];
            }
        else {
            delete($rule->{'to-ports'});
            }
        }
    if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') {
        if ($rule->{'j'}->[1] eq 'DNAT' && !$in{'dnatdef'}) {
            &check_ipaddress($in{'dipfrom'}) ||
                &error($text{'save_edipfrom'});
            !$in{'dipto'} || &check_ipaddress($in{'dipto'}) ||
                &error($text{'save_edipto'});
            local $v = $in{'dipfrom'};
            $v .= "-".$in{'dipto'} if ($in{'dipto'});
            if ($in{'dpfrom'} ne '') {
                $in{'dpfrom'} =~ /^\d+$/ ||
                    &error($text{'save_edpfrom'});
                $in{'dpto'} =~ /^\d*$/ ||
                    &error($text{'save_edpto'});
                if ($in{'dpto'} eq '') {
                    $v .= ":".$in{'dpfrom'};
                    }
                else {
                    $v .= ":".$in{'dpfrom'}."-".$in{'dpto'};
                    }
                }
            $rule->{'to-destination'} = [ "", $v ];
            }
        else {
            delete($rule->{'to-destination'});
            }
        }
    if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' &&
        $rule->{'chain'} ne 'OUTPUT') {
        if ($rule->{'j'}->[1] eq 'SNAT' && !$in{'snatdef'}) {
            &check_ipaddress($in{'sipfrom'}) ||
                &error($text{'save_esipfrom'});
            !$in{'sipto'} || &check_ipaddress($in{'sipto'}) ||
                &error($text{'save_esipto'});
            local $v = $in{'sipfrom'};
            $v .= "-".$in{'sipto'} if ($in{'sipto'});
            if ($in{'spfrom'} ne '') {
                $in{'spfrom'} =~ /^\d+$/ ||
                    &error($text{'save_espfrom'});
                $in{'spto'} =~ /^\d*$/ ||
                    &error($text{'save_espto'});
                if ($in{'spto'} eq '') {
                    $v .= ":".$in{'spfrom'};
                    }
                else {
                    $v .= ":".$in{'spfrom'}."-".$in{'spto'};
                    }
                }
            $rule->{'to-source'} = [ "", $v ];
            }
        else {
            delete($rule->{'to-source'});
            }
        }
    if (&parse_mode("source", $rule, "s")) {
        &check_ipmask($in{'source'}) || &error($text{'save_esource'});
        $rule->{'s'}->[1] = $in{'source'};
        }
    if (&parse_mode("dest", $rule, "d")) {
        &check_ipmask($in{'dest'}) || &error($text{'save_edest'});
        $rule->{'d'}->[1] = $in{'dest'};
        }
    if (&parse_mode("in", $rule, "i")) {
        $in{'in'} ne '' || $in{'in_other'} =~ /^\S+$/ ||
            &error($text{'save_ein'});
        $rule->{'i'}->[1] = $in{'in'} eq '' || $in{'in'} eq 'other' ?
                    $in{'in_other'} : $in{'in'};
        }
    if (&parse_mode("out", $rule, "o")) {
        $in{'out'} ne '' || $in{'out_other'} =~ /^\S+$/ ||
            &error($text{'save_eout'});
        $rule->{'o'}->[1] = $in{'out'} eq '' || $in{'out'} eq 'other' ?
                    $in{'out_other'} : $in{'out'};
        }
    if ($in{'frag'} == 0) { delete($rule->{'f'}); }
    elsif ($in{'frag'} == 1) { $rule->{'f'} = [ "" ]; }
    else { $rule->{'f'} = [ "!" ]; }
    if (&parse_mode("proto", $rule, "p")) {
        $in{'proto'} || $in{'proto_other'} =~ /^\d+$/ ||
            &error($text{'save_eproto'});
        $rule->{'p'}->[1] = $in{'proto'} || $in{'proto_other'};
        if (!$rule->{'p'}->[0]) {
            $proto = $in{'proto'};
            push(@mods, $in{'proto'})
                if ($proto eq 'tcp' || $proto eq 'udp' ||
                    $proto eq 'icmp' && $in{'icmptype_mode'});
            }
        }

    if (&parse_mode("sport", $rule, "sport")) {
        $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
            &error($text{'save_etcpudp'});
        if ($in{"sport_type"} == 0) {
            $in{"sport"} =~ /^\S+$/ ||
                &error($text{'save_esport'});
            if ($in{"sport"} =~ /,/) {
                $rule->{'sports'}->[1] = $in{"sport"};
                $rule->{'sports'}->[0] = $rule->{'sport'}->[0];
                push(@mods, "multiport");
                delete($rule->{'sport'});
                }
            else {
                $rule->{'sport'}->[1] = $in{"sport"};
                delete($rule->{'sports'});
                }
            }
        else {
            $in{"sport_from"} =~ /^\d*$/ ||
                &error($text{'save_esportfrom'});
            $in{"sport_to"} =~ /^\d*$/ ||
                &error($text{'save_esportto'});
            $rule->{'sport'}->[1] = $in{"sport_from"}.":".
                        $in{"sport_to"};
            $rule->{'sport'}->[1] eq ":" &&
                &error($text{'save_esportrange'});
            delete($rule->{'sports'});
            }
        }
    else {
        delete($rule->{'sports'});
        }
    if (&parse_mode("dport", $rule, "dport")) {
        $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
            &error($text{'save_etcpudp'});
        if ($in{"dport_type"} == 0) {
            $in{"dport"} =~ /^\S+$/ ||
                &error($text{'save_edport'});
            if ($in{"dport"} =~ /,/) {
                $rule->{'dports'}->[1] = $in{"dport"};
                $rule->{'dports'}->[0] = $rule->{'dport'}->[0];
                push(@mods, "multiport");
                delete($rule->{'dport'});
                }
            else {
                $rule->{'dport'}->[1] = $in{"dport"};
                delete($rule->{'dports'});
                }
            }
        else {
            $in{"dport_from"} =~ /^\d*$/ ||
                &error($text{'save_edportfrom'});
            $in{"dport_to"} =~ /^\d*$/ ||
                &error($text{'save_edportto'});
            $rule->{'dport'}->[1] = $in{"dport_from"}.":".
                        $in{"dport_to"};
            $rule->{'dport'}->[1] eq ":" &&
                &error($text{'save_edportrange'});
            delete($rule->{'dports'});
            }
        }
    else {
        delete($rule->{'dports'});
        }
    if (&parse_mode("ports", $rule, "ports")) {
        $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
            &error($text{'save_etcpudp'});
        $in{"ports"} =~ /^\S+$/ || &error($text{'save_eports'});
        $rule->{'ports'}->[1] = $in{'ports'};
        push(@mods, "multiport");
        }
    if (&parse_mode("tcpflags", $rule, "tcp-flags")) {
        $proto eq "tcp" || &error($text{'save_etcp1'});
        local $tcp0 = join(",", split(/\0/, $in{"tcpflags0"}));
        local $tcp1 = join(",", split(/\0/, $in{"tcpflags1"}));
        #$tcp0 && $tcp1 || &error($text{'save_etcpflags'});
        $tcp0 || &error($text{'save_etcpflags2'});
        $rule->{'tcp-flags'}->[1] = $tcp0;
        $rule->{'tcp-flags'}->[2] = $tcp1 || "NONE";
        }
    if (&parse_mode("tcpoption", $rule, "tcp-option")) {
        $proto eq "tcp" || &error($text{'save_etcp2'});
        $in{"tcpoption"} =~ /^\d+$/ ||
            &error($text{'save_etcpoption'});
        $rule->{'tcp-option'}->[1] = $in{"tcpoption"};
        }
    if (&parse_mode("icmptype", $rule, "icmp-type")) {
        $proto eq "icmp" || &error($text{'save_eicmp'});
        $rule->{'icmp-type'}->[1] = $in{'icmptype'};
        }
    if (&parse_mode("macsource", $rule, "mac-source")) {
        $in{"macsource"} =~ /^([0-9a-z]{2}:){5}[[0-9a-z]{2}$/i ||
            &error($text{'save_emac'});
        $rule->{'mac-source'}->[1] = $in{'macsource'};
        push(@mods, "mac");
        }
    if (&parse_mode("limit", $rule, "limit")) {
        $in{'limit0'} =~ /^\d+$/ || &error($text{'save_elimit'});
        $rule->{'limit'}->[1] = $in{'limit0'}."/".$in{'limit1'};
        push(@mods, "limit");
        }
    if (&parse_mode("limitburst", $rule, "limit-burst")) {
        $in{'limitburst'} =~ /^\d+$/ ||
            &error($text{'save_elimitburst'});
        $rule->{'limit-burst'}->[1] = $in{'limitburst'};
        push(@mods, "limit");
        }

    if ($rule->{'chain'} eq 'OUTPUT') {
        if (&parse_mode("uidowner", $rule, "uid-owner")) {
            defined(getpwnam($in{"uidowner"})) ||
                &error($text{'save_euidowner'});
            $rule->{'uid-owner'}->[1] = $in{"uidowner"};
            push(@mods, "owner");
            }
        if (&parse_mode("gidowner", $rule, "gid-owner")) {
            defined(getgrnam($in{"gidowner"})) ||
                &error($text{'save_egidowner'});
            $rule->{'gid-owner'}->[1] = $in{"gidowner"};
            push(@mods, "owner");
            }
        if (&parse_mode("pidowner", $rule, "pid-owner")) {
            $in{"pidowner"} =~ /^\d+$/ ||
                &error($text{'save_epidowner'});
            $rule->{'pid-owner'}->[1] = $in{"pidowner"};
            push(@mods, "owner");
            }
        if (&parse_mode("sidowner", $rule, "sid-owner")) {
            $in{"sidowner"} =~ /^\d+$/ ||
                &error($text{'save_esidowner'});
            $rule->{'sid-owner'}->[1] = $in{"sidowner"};
            push(@mods, "owner");
            }
        }

    # Save connection states and TOS
    if (&parse_mode("state", $rule, "state")) {
        @states = split(/\0/, $in{'state'});
        @states || &error($text{'save_estates'});
        $rule->{'state'}->[1] = join(",", @states);
        push(@mods, "state");
        }
    if (&parse_mode("tos", $rule, "tos")) {
        $rule->{'tos'}->[1] = $in{'tos'};
        push(@mods, "tos");
        }

    # Parse physical input and output interfaces
    if (&parse_mode("physdevin", $rule, "physdev-in")) {
        $in{'physdevin'} ne '' || $in{'physdevin_other'} =~ /^\S+$/ ||
            &error($text{'save_ephysdevin'});
        $rule->{'physdev-in'}->[1] =
          $in{'physdevin'} eq '' || $in{'physdevin'} eq 'other' ?
            $in{'physdevin_other'} : $in{'physdevin'};
        push(@mods, "physdev");
        }
    if (&parse_mode("physdevout", $rule, "physdev-out")) {
        $in{'physdevout'} ne '' || $in{'physdevout_other'} =~ /^\S+$/ ||
            &error($text{'save_ephysdevout'});
        $rule->{'physdev-out'}->[1] =
          $in{'physdevout'} eq '' || $in{'physdevout'} eq 'other' ?
            $in{'physdevout_other'} : $in{'physdevout'};
        push(@mods, "physdev");
        }

    # Parse physdev match modes
    if (&parse_mode("physdevisin", $rule, "physdev-is-in")) {
        push(@mods, "physdev");
        }
    if (&parse_mode("physdevisout", $rule, "physdev-is-out")) {
        push(@mods, "physdev");
        }
    if (&parse_mode("physdevisbridged", $rule, "physdev-is-bridged")) {
        push(@mods, "physdev");
        }

    # Add custom paramters and modules
    $rule->{'args'} = $in{'args'};
    push(@mods, split(/\s+/, $in{'mods'}));

    # Save the rule
    if (@mods) {
        $rule->{'m'} = [ map { [ "", $_ ] } &unique(@mods) ];
        }
    else {
        delete($rule->{'m'});
        }
    delete($rule->{'j'}) if (!$in{'jump'});
    if ($in{'new'}) {
        if ($in{'before'} ne '') {
            splice(@{$table->{'rules'}}, $in{'before'}, 0, $rule);
            }
        elsif ($in{'after'} ne '') {
            splice(@{$table->{'rules'}}, $in{'after'}+1, 0, $rule);
            }
        else {
            push(@{$table->{'rules'}}, $rule);
            }
        }
    }

# Write out the new save file
&run_before_command();
&save_table($table);
&run_after_command();
&copy_to_cluster();
&unlock_file($iptables_save_file);
&webmin_log($in{'delete'} ? "delete" : $in{'new'} ? "create" : "modify",
        "rule", undef, { 'chain' => $rule->{'chain'},
                 'table' => $table->{'name'} });
&redirect("index.cgi?table=$in{'table'}");

# parse_mode(name, &rule, option)
sub parse_mode
{
if ($in{"$_[0]_mode"} == 0) {
    delete($_[1]->{$_[2]});
    return 0;
    }
elsif ($in{"$_[0]_mode"} == 1) {
    $_[1]->{$_[2]} = [ "" ];
    return 1;
    }
else {
    $_[1]->{$_[2]} = [ "!" ];
    return 1;
    }
}

sub check_ipmask
{
return &to_ipaddress($_[0]) ||
    $_[0] =~ /^([0-9\.]+)\/([0-9\.]+)$/ &&
        &to_ipaddress("$1") &&
        (&check_ipaddress("$2") || ($2 =~ /^\d+$/ && $2 <= 32));
}


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0117 ]--