!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/qmailadmin/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     save_alias.cgi (2.29 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# save_alias.cgi
# Save or delete a new or existing alias

require './qmail-lib.pl';
&ReadParse();
&error_setup($text{'asave_err'});

@aliases = &list_aliases();
foreach $ex (@aliases) {
    $exists{lc($ex)}++;
    }
$a = &get_alias($in{'old'});

if ($in{'delete'}) {
    # delete some alias
    $loga = $a;
    &delete_alias($a);
    }
else {
    # saving or creating .. check inputs
    $in{'name'} =~ /^[^:@ ]+$/ ||
        &error(&text('asave_eaddr', $in{'name'}));
    local $n = $in{'name'};
    $n =~ s/\./:/g;
    if ($in{'virt'}) {
        $in{'virt'} =~ s/\./:/g;
        $n = $in{'virt'}.'-'.$n;
        }

    if ($in{'new'} || lc($a->{'name'}) ne lc($n)) {
        # is this name taken?
        $exists{$n} &&
            &error(&text('asave_ealready', $in{'name'}));
        }
    for($i=0; defined($t = $in{"type_$i"}); $i++) {
        $v = $in{"val_$i"};
        if ($t == 1 && $v !~ /^(\S+)$/) {
            &error(&text('asave_etype1', $v));
            }
        elsif ($t == 2 && $v !~ /^\/(\S+)[^\/\s]$/) {
            &error(&text('asave_etype2', $v));
            }
        elsif ($t == 3 && $v !~ /^\/(\S+)[^\/\s]$/) {
            &error(&text('asave_etype3', $v));
            }
        elsif ($t == 4) {
            $v =~ /^(\S+)/ || &error($text{'asave_etype4none'});
            -x $1 || &error(&text('asave_etype4', "$1"));
            }
        elsif ($t == 5 && $v !~ /^\/\S+$/) {
            &error(&text('asave_etype5', $v));
            }
        elsif ($t == 6 && $v !~ /^\/\S+$/) {
            &error(&text('asave_etype6', $v));
            }
        if ($t == 1) { push(@values, "&$v"); }
        elsif ($t == 2) { push(@values, "$v/"); }
        elsif ($t == 3) { push(@values, "$v"); }
        elsif ($t == 4) { push(@values, "|$v"); }
        elsif ($t == 5) {
            # Setup autoreply script
            push(@values, "|$module_config_directory/autoreply.pl ".
                      "$v $in{'name'}");
            &system_logged("cp autoreply.pl $module_config_directory");
            &system_logged("chmod 755 $module_config_directory/config");
            }
        elsif ($t == 6) {
            # Setup filter script
            push(@values, "|$module_config_directory/filter.pl ".
                      "$v $in{'name'}");
            &system_logged("cp filter.pl $module_config_directory");
            &system_logged("chmod 755 $module_config_directory/config");
            }
        }

    $newa{'name'} = $n;
    $newa{'values'} = \@values;
    if ($in{'new'}) { &create_alias(\%newa); }
    else { &modify_alias($a, \%newa); }
    $loga = \%newa;
    }
&webmin_log($in{'delete'} ? 'delete' : $in{'new'} ? 'create' : 'modify',
        "alias", $loga->{'name'}, $loga);
&redirect("list_aliases.cgi");


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0309 ]--