!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/ldap-server/   drwxr-xr-x
Free 53.72 GB of 127.8 GB (42.03%)


Viewing file:     save_ldif.cgi (2.43 KB)      -rwxr-xr-x
#!/usr/bin/perl
# Update local LDAP server LDIF file configuration options

require './ldap-server-lib.pl';
# Preamble: register the error context, enforce the two preconditions, parse
# the submitted form, then lock and load the LDIF configuration.
# Both gates run before the form is parsed, so a caller without the 'slapd'
# permission is rejected before any input is read.
&error_setup($text{'slapd_err'});

# Gate 1: the calling user needs a true 'slapd' entry in %access.
unless ($access{'slapd'}) {
    &error($text{'slapd_ecannot'});
    }

# Gate 2: local_ldap_server() has to return exactly 1.
if (&local_ldap_server() != 1) {
    &error($text{'slapd_elocal'});
    }

# The %in values used by the rest of the script are presumably filled in by
# this call - confirm against ldap-server-lib.pl.
&ReadParse();

# Take the lock before reading, so the in-memory copy that gets edited below
# is the one that is later flushed.
&lock_slapd_files();
$conf = &get_ldif_config();

# Validate and store inputs

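# Top-level DN
# Both DN fields must contain "=" and must be a single line. CR, LF and NUL
# are rejected so that a submitted value cannot carry additional lines into
# the LDIF configuration (NUL is what a repeated form parameter is joined
# with, see the split on \0 used for 'protos').
# NOTE(review): how save_ldif_directive() serialises values is not visible
# here - confirm whether it escapes or folds them itself.
$defdb = &get_default_db();
($in{'suffix'} =~ /=/ && $in{'suffix'} !~ /[\r\n\0]/) ||
    &error($text{'slapd_esuffix'});
&save_ldif_directive($conf, 'olcSuffix', $defdb, $in{'suffix'});

# Admin login
($in{'rootdn'} =~ /=/ && $in{'rootdn'} !~ /[\r\n\0]/) ||
    &error($text{'slapd_erootdn'});
&save_ldif_directive($conf, 'olcRootDN', $defdb, $in{'rootdn'});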

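# Admin password
# Only touched when the "leave unchanged" box (rootchange_def) is not ticked.
if (!$in{'rootchange_def'}) {
    $in{'rootchange'} =~ /\S/ || &error($text{'slapd_erootpw'});

    # Draw the two salt characters at random from the crypt(3) salt alphabet.
    # The salt used to be the last two digits of time(), i.e. one of only 100
    # values, each guessable from when the password was changed.
    my @saltchars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    my $salt = join('', map { $saltchars[int(rand(scalar(@saltchars)))] }
                    1 .. 2);

    # NOTE(review): with a two-character salt this is presumably traditional
    # DES crypt, which only considers the first 8 characters of the password.
    # Consider storing a stronger hash scheme that the LDAP server accepts.
    $crypt = &unix_crypt($in{'rootchange'}, $salt);
    &save_ldif_directive($conf, 'olcRootPW', $defdb, "{crypt}".$crypt);

    # The new password is also kept in clear text in %config and persisted by
    # save_module_config() further down, so the module configuration file
    # must be readable only by the Webmin user.
    $config{'pass'} = $in{'rootchange'};
    $save_config = 1;
    }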

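# Cache sizes
# Numeric fields are matched with \A...\z and an explicit [0-9] class:
# ^...$ also matches just before a trailing newline, so "123\n" used to pass
# validation and be handed to save_ldif_directive() unchanged.
if ($in{'dbcachesize_def'}) {
    # Default selected: drop the directive
    &save_ldif_directive($conf, 'olcDbCachesize', $defdb, undef);
    }
else {
    $in{'dbcachesize'} =~ /\A[0-9]+\z/ ||
        &error($text{'slapd_edbcachesize'});
    &save_ldif_directive($conf, 'olcDbCachesize', $defdb,
                 $in{'dbcachesize'});
    }

# Size limit
if ($in{'sizelimit_def'}) {
    # Default selected: drop the directive
    &save_ldif_directive($conf, 'olcSizeLimit', $defdb, undef);
    }
else {
    # Must be a positive integer without leading zeros
    $in{'sizelimit'} =~ /\A[1-9][0-9]*\z/ ||
        &error($text{'slapd_esizelimit'});
    &save_ldif_directive($conf, 'olcSizeLimit', $defdb, $in{'sizelimit'});
    }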

# LDAP protocols
# The selection is read only when can_get_ldap_protocols() is true. The form
# delivers the chosen names as one NUL-separated value; at least one name
# must be present.
# NOTE(review): the names are not compared with a list of known protocols
# here - confirm that save_ldap_protocols() ignores unexpected keys.
if (&can_get_ldap_protocols()) {
    @newprotos = split(/\0/, $in{'protos'});
    &error($text{'slapd_eprotos'}) unless @newprotos;
    }

# SSL file options
# Each pair is [ LDIF directive name, form field name ]. For a given field
# "X", the form sends X_def when the default is wanted, otherwise X holds the
# path, which must pass valid_pem_file() before it is stored.
$confdb = &get_config_db();
foreach $s ([ 'olcTLSCertificateFile', 'cert' ],
        [ 'olcTLSCertificateKeyFile', 'key' ],
        [ 'olcTLSCACertificateFile', 'ca' ]) {
    my ($directive, $field) = @$s;
    if (!$in{$field.'_def'}) {
        # Explicit path: validate first, store only on success
        &valid_pem_file($in{$field}, $field) ||
            &error($text{'slapd_e'.$field});
        &save_ldif_directive($conf, $directive, $confdb, $in{$field});
        }
    else {
        # Default selected: drop the directive
        &save_ldif_directive($conf, $directive, $confdb, undef);
        }
    }

# Write out the files
# Everything above only edited the in-memory configuration; this is the point
# where the changes reach disk and the slapd file lock is released.
&flush_file_lines();
&unlock_slapd_files();

# Persist the module configuration only when the admin password was changed
# (that branch sets $save_config and puts the new password in %config).
if ($save_config) {
    &lock_file($module_config_file);
    &save_module_config();
    &unlock_file($module_config_file);
    }

# Rebuild the protocol map: switch every known entry off, then switch on the
# ones named in the form. The names in @newprotos come straight from the
# submitted form.
if (&can_get_ldap_protocols()) {
    $protos = &get_ldap_protocols();
    $protos->{$_} = 0 foreach (keys %$protos);
    $protos->{$_} = 1 foreach (@newprotos);
    &save_ldap_protocols($protos);
    }

# Record the change in the Webmin action log, then send the browser back
&webmin_log('slapd');

&redirect("");


--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0147 ]--