!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/mailboxes/   drwxr-xr-x
Free 50.93 GB of 127.8 GB (39.85%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     detachall.cgi (1.69 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# Download all attachments in a ZIP file

require './mailboxes-lib.pl';
&ReadParse();
&error_setup($text{'detachall_err'});
&can_user($in{'user'}) || &error($text{'mail_ecannot'});

@folders = &list_user_folders($in{'user'});
$folder = $folders[$in{'folder'}];
@mail = &mailbox_list_mails($in{'idx'}, $in{'idx'}, $folder);
$mail = $mail[$in{'idx'}];
&parse_mail($mail);
@sub = split(/\0/, $in{'sub'});
foreach $s (@sub) {
        # We are looking at a mail within a mail ..
        local $amail = &extract_mail($mail->{'attach'}->[$s]->{'data'});
        &parse_mail($amail);
        $mail = $amail;
        }

# Save each attachment to a temporary directory
@attach = @{$mail->{'attach'}};
@attach = &remove_body_attachments($mail, \@attach);
@attach = &remove_cid_attachments($mail, \@attach);
$temp = &transname();
&make_dir($temp, 0755) || &error(&text('detachall_emkdir', $!));
$n = 0;
foreach $a (@attach) {
    # Work out a filename
    if (!$a->{'type'} || $a->{'type'} eq 'message/rfc822') {
        $fn = "mail".(++$n).".txt";
        }
    elsif ($a->{'filename'}) {
        $fn = &decode_mimewords($a->{'filename'});
        }
    else {
        $fn = "file".(++$n).".".&type_to_extension($a->{'type'});
        }

    # Write the file
    &open_tempfile(FILE, ">$temp/$fn", 0, 1);
    &print_tempfile(FILE, $a->{'data'});
    &close_tempfile(FILE);
    }

# Make and output the zip
$zip = &transname("$$.zip");
$out = &backquote_command(
    "cd ".quotemeta($temp)." && zip ".quotemeta($zip)." * 2>&1");
if ($?) {
    &error(&text('detachall_ezip', "<tt>".&html_escape($out)."</tt>"));
    }

# Output the ZIP
print "Content-type: application/zip\n\n";
open(ZIP, $zip);
while(read(ZIP, $buf, 1024) > 0) {
    print $buf;
    }
close(ZIP);
&unlink_file($zip);
&unlink_file($temp);


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0142 ]--