!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/ldap-useradmin/   drwxr-xr-x
Free 50.93 GB of 127.8 GB (39.85%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     save_group.cgi (9.37 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# save_group.cgi
# Saves or creates a new group

require './ldap-useradmin-lib.pl';
&error_setup($text{'gsave_err'});
&ReadParse();
$ldap = &ldap_connect();
$schema = $ldap->schema();
&lock_user_files();

if (!$in{'new'}) {
    # Get existing group
    $rv = $ldap->search(base => $in{'dn'},
                scope => 'base',
                filter => &group_filter());
    ($ginfo) = $rv->all_entries;
    $ginfo || &error($text{'gsave_egone'});
    $olddesc = $ginfo->get_value('description');
    %ogroup = &dn_to_hash($ginfo);
    &can_edit_group(\%ogroup) || &error($text{'gedit_eedit'});
    }
else {
    # Creating a new one
    $access{'gcreate'} || &error($text{'gedit_ecreate'});
    }

if ($in{'delete'}) {
    # Delete the group, but first check if it is anyone's primary group,
    # and ask first
    &ui_print_header(undef, $text{'gdel_title'}, "");

    if ($in{'confirm'}) {
        # Run the before command
        %ghash = &dn_to_hash($ginfo);
        &set_group_envs(\%ghash, 'DELETE_GROUP', undef);
        $merr = &making_changes();
        &error(&text('gsave_emaking', "<tt>$merr</tt>"))
            if (defined($merr));

        # Delete from other modules
        %group = &dn_to_hash($ginfo);
        if ($in{'others'}) {
            print "$text{'gdel_other'}<br>\n";
            &useradmin::other_modules("useradmin_delete_group",
                          \%group);
            print "$text{'gdel_done'}<p>\n";
            }

        # Delete the LDAP entry
        print "$text{'gdel_group'}<br>\n";
        $rv = $ldap->delete($in{'dn'});
        if ($rv->code) {
            &error(&text('gsave_edelete', $rv->error));
            }
        print "$text{'gdel_done'}<p>\n";

        &made_changes();

        %p = ( %in, %group );
        &webmin_log('delete', 'group', $group{'group'}, \%p);
        }
    else {
        # Check if any user has this group as his primary
        $gid = $ginfo->get_value("gidNumber");
        $group = $ginfo->get_value("cn");
        foreach $u (&list_users()) {
            if ($u->{'gid'} == $gid) {
                $found = $u->{'user'};
                last;
                }
            }

        if ($found) {
            # Cannot delete
            print "<p><b>",&text('gdel_eprimary', $found),
                  "</b> <p>\n";
            }
        else {
            # Ask the user if he is sure
            print &ui_confirmation_form(
                "save_group.cgi",
                &text('gdel_sure', $group),
                [ [ "dn", $in{'dn'} ],
                  [ "delete", 1 ] ],
                [ [ "confirm", $text{'gdel_del'} ] ],
                &ui_checkbox("others", 1,
                    $text{'gdel_dothers'},
                    $mconfig{'default_other'}),
                undef);
            }
        }

    $ldap->unbind();
    &ui_print_footer("index.cgi?mode=groups", $text{'index_greturn'});
    exit;
    }
elsif ($in{'raw'}) {
    # Show all LDAP attributes for user
    &redirect("raw.cgi?group=1&dn=".&urlize($in{'dn'}));
    exit;
    }

# Strip out \n characters in inputs
$in{'group'} =~ s/\r|\n//g;
$in{'pass'} =~ s/\r|\n//g;
$in{'encpass'} =~ s/\r|\n//g;
$in{'gid'} =~ s/\r|\n//g;

# Validate inputs
if ($in{'new'}) {
    $in{'group'} =~ /^[^:\t]+$/ ||
        &error(&text('gsave_ebadname', $in{'group'}));
    $group = $in{'group'};
    &check_group_used($ldap, $group) &&
        &error(&text('gsave_einuse', $group));
    }
else {
    $group = $in{'group'};
    $oldgroup = $ginfo->get_value("cn");
    }
$in{'gid'} =~ /^[0-9]+$/ || &error(&text('gsave_egid', $in{'gid'}));
$gid = $in{'gid'};
$desc = $in{'desc'} || undef;
@members = split(/\r?\n/, $in{members});
if ($in{'new'} || $oldgroup ne $group) {
    # Check for collision
    defined(&all_getgrnam($group)) &&
        &error(&text('gsave_einuse', $group));
    }

# Check for GID clash
if ($in{'new'} && !$access{'gmultiple'}) {
    &check_gid_used($ldap, $gid) &&
        &error($text{'gsave_egidused2'});
    }

$pfx = $config{'md5'} == 1 || $config{'md5'} == 3 ? "{md5}" :
       $config{'md5'} == 4 ? "{ssha}" :
       $config{'md5'} == 5 ? "{sha}" :
       $config{'md5'} == 0 ? "{crypt}" : "";
if ($in{'passmode'} == 0) {
    $pass = "";
    }
elsif ($in{'passmode'} == 1) {
    $pass = $in{'encpass'};
    $pass = $pfx.$pass if ($pass !~ /^\{[a-z0-9]+\}/i && $pfx);
    }
elsif ($in{'passmode'} == 2) {
    $pass = $pfx.&encrypt_password($in{'pass'});
    }

local %ghash = ( 'group' => $group,
         'gid' => $gid,
         'pass' => $pass,
         'members' => join(",", @members) );

if (!$in{'new'}) {
    # Run the pre-change command
    &set_group_envs(\%ghash, 'MODIFY_GROUP',
               $in{'passmode'} == 3 ? $in{'pass'} : "");
    $merr = &making_changes();
    &error(&text('gsave_emaking', "<tt>$merr</tt>"))
        if (defined($merr));

    # Change GID on files if needed
    $oldgid = $ginfo->get_value("gidNumber");
    if ($gid != $oldgid && $in{'chgid'}) {
        if ($in{'chgid'} == 1) {
            # Do all the home directories of users in this group
            setpwent();
            while(@tmp = getpwent()) {
                                if ($tmp[3] == $oldgid ||
                                    &indexof($tmp[0], @members) >= 0) {
                                        &useradmin::recursive_change(
                                                $tmp[7], -1, $oldgid,
                                                         -1, $gid);
                                        }
                                }
                        endpwent();
            }
        else {
            # Do all files in this group from the root dir
            &useradmin::recursive_change("/", -1, $oldgid,
                             -1, $gid);
            }
        }

    # Work out old settings
    @classes = $ginfo->get_value("objectClass");
    $wassamba = &indexof($samba_group_class, @classes) >= 0;

    if ($wassamba && !$in{'samba'}) {
        # Remove Samba attributes
        @classes = grep { $_ ne $samba_group_class } @classes;
        push(@rprops,
             $samba_group_class eq "sambaGroup" ? ( "rid" )
            : ( "sambaSID", "sambaGrouptype" ));
        }
    elsif (!$wassamba && $in{'samba'}) {
        # Add Samba attributes
        push(@classes, $samba_group_class);
        push(@props, "rid", $gid*2+1001)
            if (&in_schema($schema, "rid") &&
                $samba_group_schema == 2);
        push(@props, "sambaSID",
                 "$config{'samba_domain'}-".($gid*2+1001))
            if (&in_schema($schema, "sambaSID") &&
                $samba_group_schema == 3);
        push(@props, "sambaGrouptype", 2)
            if (&in_schema($schema, "sambaGrouptype") &&
                $samba_group_schema == 3);
        }

    # Add extra fields
    &parse_extra_fields($config{'group_fields'}, \@props, \@rprops, $ldap);

    # Get the properties for modified groups
    push(@props, &split_props($config{'group_mod_props'}, \%ghash));

    # Update the LDAP database
    @classes = &unique(@classes);
    @rprops = grep { defined($ginfo->get_value($_)) } @rprops;

    if ($oldgroup ne $group) {
            # Need to rename the LDAP dn itself, first
            $base = &get_group_base();
            $newdn = "cn=$group,$base";
            $rv = $ldap->moddn($in{'dn'}, newrdn => "cn=$group");
            if ($rv->code) {
                    &error(&text('gsave_emoddn', $rv->error));
                    }
            }
    else {
        $newdn = $in{'dn'};
        }

    # Add or remove description
    if ($desc) {
        push(@props, "description" => $desc);
        }
    elsif ($olddesc) {
        push(@rprops, "description");
        }
    if (!$pass && $ginfo->get_value("userPassword")) {
        push(@rprops, "userPassword");
        }

    # Update group properties
    $rv = $ldap->modify($newdn, replace =>
                { "gidNumber" => $gid,
                  "cn" => $group,
                  $pass ? ( "userPassword" => $pass ) : ( ),
                  @members ? ( "memberUid" => \@members ) : ( ),
                  @props,
                  "objectClass" => \@classes },
                'delete' => \@rprops);
    if ($rv->code) {
        &error(&text('gsave_emod', $rv->error))
        }
    if (!@members && $ginfo->get_value("memberUid")) {
        $rv = $ldap->modify($in{'dn'}, delete => [ "memberUid" ] );
        if ($rv->code) {
            &error(&text('gsave_emod', $rv->error))
            }
        }

    }
else {
    # Run the pre-change command
    &set_group_envs(\%ghash, 'CREATE_GROUP',
               $in{'passmode'} == 3 ? $in{'pass'} : "");
    $merr = &making_changes();
    &error(&text('gsave_emaking', "<tt>$merr</tt>"))
        if (defined($merr));

    # Parse extra fields
    &parse_extra_fields($config{'group_fields'}, \@props, \@rprops,
                $ldap, $in{'dn'});

    # Get the properties for new groups
    push(@props, &split_props($config{'group_props'}, \%ghash));

    # Add to the LDAP database
    $base = &get_group_base();
    $newdn = "cn=$group,$base";
    @classes = ( "posixGroup" );
    push(@classes, split(/\s+/, $config{'gother_class'}));
    if ($in{'samba'}) {
        push(@classes, $samba_group_class);
        push(@props, "rid", $gid*2+1001)
            if (&in_schema($schema, "rid") &&
                $samba_group_class eq 'sambaGroup');
        push(@props, "sambaSID",
                 "$config{'samba_domain'}-".($gid*2+1001))
            if (&in_schema($schema, "sambaSID") &&
                $samba_group_schema == 3);
        push(@props, "sambaGrouptype", 2)
            if (&in_schema($schema, "sambaGrouptype") &&
                $samba_group_schema == 3);
        }
    if ($desc) {
        push(@props, "description" => $desc);
        }
    $rv = $ldap->add($newdn, attr =>
             [ "cn" => $group,
               "gidNumber" => $gid,
               $pass ? ( "userPassword" => $pass ) : ( ),
               @members ? ( "memberUid" => \@members ) : ( ),
               @props,
               "objectClass" => \@classes ] );
    if ($rv->code) {
        &error(&text('gsave_eadd', $rv->error));
        }
    }

&made_changes();

# Run other module's scripts
if ($in{'others'}) {
    if (!$in{'new'}) {
        &useradmin::other_modules("useradmin_modify_group", \%group, \%ogroup);
        }
    else {
        &useradmin::other_modules("useradmin_create_group", \%group);
        }
    }

delete($in{'pass'});
delete($in{'encpass'});
$ldap->unbind();
&unlock_user_files();
&webmin_log(!$in{'new'} ? 'modify' : 'create', 'group', $group, \%in);

# Bounce back to the list
&redirect("index.cgi?mode=groups");

# dn_to_hash(&ldap-object)
sub dn_to_hash
{
local %group = ( 'group' => $_[0]->get_value("cn"),
                 'gid' => $_[0]->get_value("gidNumber"),
                 'pass' => $_[0]->get_value("userPassword"),
         'members' => join(",", $_[0]->get_value("memberUid")) );
$group{'pass'} =~ s/^{[a-z0-9]+}//i;
return %group;
}


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0178 ]--